agent

Documentation

Overview

This package contains the agent code used to configure the WireGuard tunnel between nodes. The code supports adding and removing peers at run-time and the peer information is retrieved via the CiliumNode object.

Index

• type Agent
  • func NewAgent(privKeyPath string, sysctl sysctl.Sysctl, jobGroup job.Group, db *statedb.DB, ...) (*Agent, error)
  • func (a *Agent) AllNodeValidateImplementation()
  • func (a *Agent) DeletePeer(nodeName string) error
  • func (a *Agent) Init(ipcache *ipcache.IPCache) error
  • func (a *Agent) InitLocalNodeFromWireGuard(localNode *node.LocalNode)
  • func (a *Agent) Name() string
  • func (a *Agent) NodeAdd(newNode nodeTypes.Node) error
  • func (a *Agent) NodeConfigurationChanged(config datapath.LocalNodeConfiguration) error
  • func (a *Agent) NodeDelete(node nodeTypes.Node) error
  • func (a *Agent) NodeUpdate(_, newNode nodeTypes.Node) error
  • func (a *Agent) NodeValidateImplementation(node nodeTypes.Node) error
  • func (a *Agent) OnIPIdentityCacheChange(modType ipcache.CacheModification, cidrCluster cmtypes.PrefixCluster, ...)
  • func (a *Agent) RestoreFinished(cm *clustermesh.ClusterMesh) error
  • func (a *Agent) Start(cell.HookContext) (err error)
  • func (a *Agent) Status(withPeers bool) (*models.WireguardStatus, error)
  • func (a *Agent) Stop(cell.HookContext) error
  • func (a *Agent) UpdatePeer(nodeName, pubKeyHex string, nodeIPv4, nodeIPv6 net.IP) error

Types

type Agent

type Agent struct {
	lock.RWMutex
	// contains filtered or unexported fields
}

Agent needs to be initialized with Init(). In Init(), the WireGuard tunnel device will be created and the proper routes set. Once RestoreFinished() is called, obsolete keys and peers, as well as stale AllowedIPs are removed. UpdatePeer() inserts or updates the public key of peers discovered via the node manager.

func NewAgent

func NewAgent(privKeyPath string, sysctl sysctl.Sysctl, jobGroup job.Group, db *statedb.DB, mtuTable statedb.Table[mtu.RouteMTU]) (*Agent, error)

NewAgent creates a new WireGuard Agent

func (*Agent) AllNodeValidateImplementation

func (a *Agent) AllNodeValidateImplementation()

AllNodeValidateImplementation is called to validate the implementation of all nodes in the datapath.

func (*Agent) DeletePeer

func (a *Agent) DeletePeer(nodeName string) error

func (*Agent) Init

func (a *Agent) Init(ipcache *ipcache.IPCache) error

Init creates and configures the local WireGuard tunnel device.

func (*Agent) InitLocalNodeFromWireGuard

func (a *Agent) InitLocalNodeFromWireGuard(localNode *node.LocalNode)

InitLocalNodeFromWireGuard configures the fields on the local node. Called from the LocalNodeSynchronizer _before_ the local node is published in the K8s CiliumNode CRD or the kvstore.

This method does the following:

• It sets the local WireGuard public key (to be read by other nodes).
• It reads the local node's labels to determine if the local node wants to opt-out of node-to-node encryption.
• If the local node opts out of node-to-node encryption, we set the localNode.EncryptKey to zero. This indicates to other nodes that they should not encrypt node-to-node traffic with us.

func (*Agent) Name

func (a *Agent) Name() string

func (*Agent) NodeAdd

func (a *Agent) NodeAdd(newNode nodeTypes.Node) error

NodeAdd is called when a node is discovered for the first time.

func (*Agent) NodeConfigurationChanged

func (a *Agent) NodeConfigurationChanged(config datapath.LocalNodeConfiguration) error

NodeConfigurationChanged is called when the local node configuration has changed

func (*Agent) NodeDelete

func (a *Agent) NodeDelete(node nodeTypes.Node) error

NodeDelete is called after a node has been deleted

func (*Agent) NodeUpdate

func (a *Agent) NodeUpdate(_, newNode nodeTypes.Node) error

NmdeUpdate is called when a node definition changes. Both the old and new node definition is provided. NodeUpdate() is never called before NodeAdd() is called for a particular node.

func (*Agent) NodeValidateImplementation

func (a *Agent) NodeValidateImplementation(node nodeTypes.Node) error

NodeValidateImplementation is called to validate the implementation of the node in the datapath. This function is intended to be run on an interval to ensure that the datapath is consistently converged.

func (*Agent) OnIPIdentityCacheChange

func (a *Agent) OnIPIdentityCacheChange(modType ipcache.CacheModification, cidrCluster cmtypes.PrefixCluster, oldHostIP, newHostIP net.IP,
	_ *ipcache.Identity, _ ipcache.Identity, _ uint8, _ *ipcache.K8sMetadata)

OnIPIdentityCacheChange implements ipcache.IPIdentityMappingListener

func (*Agent) RestoreFinished

func (a *Agent) RestoreFinished(cm *clustermesh.ClusterMesh) error

func (*Agent) Start

func (a *Agent) Start(cell.HookContext) (err error)

Start implements cell.HookInterface.

func (*Agent) Status

func (a *Agent) Status(withPeers bool) (*models.WireguardStatus, error)

Status returns the state of the WireGuard tunnel managed by this instance. If withPeers is true, then the details about each connected peer are are populated as well.

func (*Agent) Stop

func (a *Agent) Stop(cell.HookContext) error

Stop implements cell.HookInterface.

func (*Agent) UpdatePeer

func (a *Agent) UpdatePeer(nodeName, pubKeyHex string, nodeIPv4, nodeIPv6 net.IP) error