Documentation
¶
Overview ¶
Copyright (c) 2020-2022 Tigera, Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Index ¶
- Variables
- func BootstrapAndFilterTyphaAddresses(configParams *config.Config, ...) ([]discovery.Typha, error)
- func RemoveWireguardConditionallyOnBootstrap(configParams *config.Config, ...) error
- type Config
- type Metrics
- type Wireguard
- func (w *Wireguard) Apply() (err error)
- func (w *Wireguard) DebugNodes() (nodes []string)
- func (w *Wireguard) Enabled() bool
- func (w *Wireguard) EndpointRemove(name string)
- func (w *Wireguard) EndpointUpdate(name string, ipAddr ip.Addr)
- func (w *Wireguard) EndpointWireguardRemove(name string)
- func (w *Wireguard) EndpointWireguardUpdate(name string, publicKey wgtypes.Key, interfaceAddr ip.Addr)
- func (w *Wireguard) ListeningPort() int
- func (w *Wireguard) OnIfaceStateChanged(ifaceName string, ifIndex int, state ifacemonitor.State)
- func (w *Wireguard) QueueResync()
- func (w *Wireguard) RouteRemove(cidr ip.CIDR)
- func (w *Wireguard) RouteUpdate(name string, cidr ip.CIDR)
Constants ¶
This section is empty.
Variables ¶
var ( ErrUpdateFailed = errors.New("netlink update operation failed") ErrNotSupportedTooManyFailures = errors.New("operation not supported (too many failures)") )
Functions ¶
func BootstrapAndFilterTyphaAddresses ¶
func BootstrapAndFilterTyphaAddresses( configParams *config.Config, getNetlinkHandle func() (netlinkshim.Interface, error), getWireguardHandle func() (netlinkshim.Wireguard, error), calicoClient clientv3.NodesClient, typhas []discovery.Typha, ) ([]discovery.Typha, error)
BootstrapAndFilterTyphaAddresses performs wireguard bootstrap processing and filtering of typha addresses. This is primarily to handle the fact that Host Encryption can cause routing asymmetry due to timing windows. This results in felixes being locked out from typhas.
- If wireguard is disabled then just remove all wireguard configuration from the node (kernel and published key). We do this whether host encryption is enabled or not.
For host encryption only:
- If the published key and the kernel key don't match remove all wireguard configuration from the node.
- If the kernel has no programmed peers then remove all wireguard configuration from the node (since we can't be talking over wireguard yet anyways).
- If a set of typha endpoints has been supplied, filter them to exclude endpoints that we know we cannot reach due to asymmetric routing. This will be the case if this node currently has a published wireguard key and:
- Typha node does not have a public key, but the typha IP address programmed in the kernel as a wireguard peer.
- Typha node has a public key but the key does not match any of the peer keys programmed in the kernel.
-----
Note that if a non-empty slice of typha endpoints has been supplied this will *always* return a non-empty slice of endpoints. In the scenario where all typha addresses would be filtered out, wireguard configuration is removed from the node and then all typha addresses are returned.
func RemoveWireguardConditionallyOnBootstrap ¶
func RemoveWireguardConditionallyOnBootstrap( configParams *config.Config, getNetlinkHandle func() (netlinkshim.Interface, error), calicoClient clientv3.Interface, ) error
RemoveWireguardConditionallyOnBootstrap removes all wireguard configuration based on configuration conditions. This is called as a last resort after failing to connect to typha.
The following wireguard configuration will be removed if HostEncryptionEnabled is true: - The wireguard public key - The wireguard device (which in turn will delete all wireguard routing rules).
It is assumed that BootstrapAndFilterTyphaAddresses was called prior to calling this function.
Types ¶
type Config ¶
type Config struct {
// Wireguard configuration
Enabled bool
EnabledV6 bool
ListeningPort int
ListeningPortV6 int
FirewallMark int
RoutingRulePriority int
RoutingTableIndex int
RoutingTableIndexV6 int
InterfaceName string
InterfaceNameV6 string
MTU int
MTUV6 int
RouteSource string
EncryptHostTraffic bool
PersistentKeepAlive time.Duration
RouteSyncDisabled bool
ThreadedNAPI bool
}
type Metrics ¶
type Metrics struct {
// contains filtered or unexported fields
}
func MustNewWireguardMetrics ¶
func MustNewWireguardMetrics() *Metrics
func NewWireguardMetrics ¶
func (*Metrics) Collect ¶
func (collector *Metrics) Collect(m chan<- prometheus.Metric)
func (*Metrics) Describe ¶
func (collector *Metrics) Describe(d chan<- *prometheus.Desc)
type Wireguard ¶
type Wireguard struct {
// contains filtered or unexported fields
}
func New ¶
func New( hostname string, config *Config, ipVersion uint8, netlinkTimeout time.Duration, deviceRouteProtocol netlink.RouteProtocol, statusCallback func(publicKey wgtypes.Key) error, opRecorder logutils.OpRecorder, featureDetector environment.FeatureDetectorIface, ) *Wireguard
func NewWithShims ¶
func NewWithShims( hostname string, config *Config, ipVersion uint8, newRoutetableNetlink func() (netlinkshim.Interface, error), newRouteRuleNetlink func() (netlinkshim.Interface, error), newWireguardNetlink func() (netlinkshim.Interface, error), newWireguardDevice func() (netlinkshim.Wireguard, error), netlinkTimeout time.Duration, timeShim timeshim.Interface, deviceRouteProtocol netlink.RouteProtocol, statusCallback func(publicKey wgtypes.Key) error, writeProcSys func(path, value string) error, opRecorder logutils.OpRecorder, featureDetector environment.FeatureDetectorIface, ) *Wireguard
NewWithShims is a test constructor, which allows linkClient, arp and time to be replaced by shims.
func (*Wireguard) DebugNodes ¶
DebugNodes returns the set of nodes in the internal cache. Used for testing purposes to test node cleanup.
func (*Wireguard) Enabled ¶
Enabled is a helper method that returns true if wireguard is enabled for this instance's IP version
func (*Wireguard) EndpointRemove ¶
EndpointRemove is called when a wireguard endpoint (a node) is removed. This controls which peers to configure.
func (*Wireguard) EndpointUpdate ¶
EndpointUpdate is called when a wireguard endpoint (a node) is updated. This controls which peers to configure.
func (*Wireguard) EndpointWireguardRemove ¶
EndpointWireguardRemove is called when the wireguard configuration for an endpoint (a node) is removed. This controls the local wireguard interface address and public key, and the peer public keys.
func (*Wireguard) EndpointWireguardUpdate ¶
func (w *Wireguard) EndpointWireguardUpdate(name string, publicKey wgtypes.Key, interfaceAddr ip.Addr)
EndpointWireguardUpdate is called when the wireguard configuration for an endpoint (a node) is updated. This controls the local wireguard interface address and public key, and the peer public keys.
func (*Wireguard) ListeningPort ¶
func (*Wireguard) OnIfaceStateChanged ¶
func (w *Wireguard) OnIfaceStateChanged(ifaceName string, ifIndex int, state ifacemonitor.State)
func (*Wireguard) QueueResync ¶
func (w *Wireguard) QueueResync()
func (*Wireguard) RouteRemove ¶
RouteRemove is called when a route is removed. This controls the wireguard peer allowed IPs. It includes pod and tunnel addresses, and for host encryption will include the host addresses.
Source Files