Add support for pod Wireguard sidecar #44

12f96fd
Add abillity to annotate a pod for a sidecar to be created and config…
Matthew-Beckett Apr 29, 2023
646378b
Add check to ensure wireguard server exists before creating peers
Matthew-Beckett Apr 29, 2023
12e62ba
Add building sidecar to github actions
Matthew-Beckett Apr 29, 2023
5c245e7
Fix unsaved Dockerfile
Matthew-Beckett Apr 29, 2023
39b38dd
Fix invalid path to dependent script for sidecar docker file
Matthew-Beckett Apr 29, 2023
2257465
Merge branch 'feature/support-service-annotations' into feature/add-w…
Matthew-Beckett Apr 29, 2023
a78dc53
Fix up very broken code for wireguard-sidecar controller, add basic f…
Matthew-Beckett May 2, 2023
e6e5438
Re-add config map mounting
Matthew-Beckett May 2, 2023
276287e
Re-add missing update of resources
Matthew-Beckett May 2, 2023
7b55dd6
Merge branch 'main' into feature/add-wireguard-sidecar
Matthew-Beckett May 23, 2023
9b0f2a5
Fix up kustomize generation for new values
Matthew-Beckett May 23, 2023
75df0a1
Add makefile step for loading images into kind
Matthew-Beckett May 23, 2023
3acde10
Add docker build all action
Matthew-Beckett May 23, 2023
696ca64
Add sidecar update to e2e test
Matthew-Beckett May 23, 2023
7bbfb0f
Fix up make e2e test for sidecar
Matthew-Beckett May 23, 2023
7e48d04
Add sidecar to e2e tests suit
Matthew-Beckett May 23, 2023
619d53a
Extend e2e to build images
Matthew-Beckett May 23, 2023
e16cf3c
Remove renamed files which have been merged
Matthew-Beckett May 23, 2023
0dcf94e
Add expects for missing sidecar image property
Matthew-Beckett May 23, 2023
01247a3
Fix invalid var passed into e2e test for sidecar image
Matthew-Beckett May 23, 2023
fe9e6bc
Remove build target from e2e test
Matthew-Beckett May 23, 2023
a8ec652
Add sidecar functionality test to e2e
Matthew-Beckett May 23, 2023
7ecd757
Fix invalid default value for vars in kustomization
Matthew-Beckett May 23, 2023
26 changes: 15 additions & 11 deletions Makefile
Expand Up @@ -27,8 +27,9 @@ KIND_VERSION ?= v0.19.0


# images
AGENT_IMAGE ?= "agent:dev"
MANAGER_IMAGE ?= "manager:dev"
AGENT_IMAGE ?= "ghcr.io/jodevsa/wireguard-operator/agent:main"
MANAGER_IMAGE ?= "ghcr.io/jodevsa/wireguard-operator/manager:main"
SIDECAR_IMAGE ?= "ghcr.io/jodevsa/wireguard-operator/sidecar:main"

# CHANNELS define the bundle channels used in the bundle.
# Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
Expand Down Expand Up @@ -123,26 +124,30 @@ build-manager: generate fmt vet ## Build manager binary.
run: manifests generate fmt vet ## Run a controller from your host.
go run ./cmd/manager/main.go



docker-build-agent: ## Build docker image with the manager.
docker build -t ${AGENT_IMAGE} . -f ./images/agent/Dockerfile

docker-build-manager: ## Build docker image with the manager.
docker build -t ${MANAGER_IMAGE} . -f ./images/manager/Dockerfile

docker-build-integration-test: docker-build-manager
docker-build-sidecar: ## Build docker image with the sidecar.
docker build -t ${SIDECAR_IMAGE} . -f ./images/sidecar/Dockerfile

docker-build-all:
$(MAKE) docker-build-agent
$(MAKE) docker-build-manager
${MAKE} docker-build-sidecar

docker-load-kind:
kind load docker-image ${AGENT_IMAGE} ${SIDECAR_IMAGE} ${MANAGER_IMAGE}

run-e2e:
AGENT_IMAGE=${AGENT_IMAGE} $(MAKE) update-agent-image
SIDECAR_IMAGE=${SIDECAR_IMAGE} AGENT_IMAGE=${AGENT_IMAGE} $(MAKE) update-agent-and-sidecar-image
MANAGER_IMAGE=${MANAGER_IMAGE} $(MAKE) update-manager-image
$(KUSTOMIZE) build config/default > release_it.yaml
$(KUSTOMIZE) build config/e2e > release_it.yaml
git checkout ./config/default/manager_auth_proxy_patch.yaml
git checkout ./config/manager/kustomization.yaml
KUBE_CONFIG=$(HOME)/.kube/config KIND_BIN=${KIND} WIREGUARD_OPERATOR_RELEASE_PATH="../../release_it.yaml" AGENT_IMAGE=${AGENT_IMAGE} MANAGER_IMAGE=${MANAGER_IMAGE} go test ./internal/it/ -v -count=1
KUBE_CONFIG=$(HOME)/.kube/config KIND_BIN=${KIND} WIREGUARD_OPERATOR_RELEASE_PATH="../../release_it.yaml" SIDECAR_IMAGE=${SIDECAR_IMAGE} AGENT_IMAGE=${AGENT_IMAGE} MANAGER_IMAGE=${MANAGER_IMAGE} go test ./internal/it/ -v -count=1

docker-push: ## Push docker image with the manager.
docker push ${IMG}
Expand All @@ -156,9 +161,9 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified
$(KUSTOMIZE) build config/crd | kubectl delete -f -


update-agent-image: kustomize
update-agent-and-sidecar-image: kustomize
## TODO: Simplify later
AGENT_IMAGE=$(AGENT_IMAGE) envsubst < ./config/default/manager_auth_proxy_patch.yaml.template > ./config/default/manager_auth_proxy_patch.yaml
SIDECAR_IMAGE=$(SIDECAR_IMAGE) AGENT_IMAGE=$(AGENT_IMAGE) envsubst < ./config/default/manager_auth_proxy_patch.yaml.template > ./config/default/manager_auth_proxy_patch.yaml

update-manager-image: kustomize
$(info MANAGER_IMAGE: "$(MANAGER_IMAGE)")
Expand All @@ -170,7 +175,6 @@ generate-release-file: kustomize update-agent-image update-manager-image
git checkout ./config/manager/kustomization.yaml

deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
$(KUSTOMIZE) build config/default | kubectl apply -f -

undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
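Review bot: The `generate-release-file` rule still lists `update-agent-image` as a prerequisite (visible in the last hunk's header context), but this change renames that target to `update-agent-and-sidecar-image`, so unless the old name is still defined elsewhere in the file, `make generate-release-file` fails with "No rule to make target 'update-agent-image'". Change the header to `generate-release-file: kustomize update-agent-and-sidecar-image update-manager-image`. In `docker-build-all` the third recipe line uses `${MAKE}` while the two above use `$(MAKE)`; the forms are equivalent, but keep one. The new `docker-build-sidecar`, `docker-build-all`, `docker-load-kind` and `run-e2e` targets produce no files and belong in `.PHONY` if the Makefile's declaration (outside these hunks) does not already cover them.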
30 changes: 22 additions & 8 deletions cmd/manager/main.go
Expand Up @@ -19,10 +19,11 @@ package main
import (
"flag"
"fmt"
"os"

vpnv1alpha1 "github.com/jodevsa/wireguard-operator/pkg/api/v1alpha1"
"github.com/jodevsa/wireguard-operator/pkg/controllers"
v1 "k8s.io/api/core/v1"
"os"

// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
// to ensure that exec-entrypoint and run can make use of them.
Expand Down Expand Up @@ -50,18 +51,22 @@ func init() {
}

func main() {
var agentImagePullPolicy string
var wgImage string
var wgAgentImagePullPolicy string
var wgSidecarImage string
var wgSidecarImagePullPolicy string
var metricsAddr string
var enableLeaderElection bool
var probeAddr string
var wgImage string
flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
flag.StringVar(&wgImage, "agent-image", "", "The image used for wireguard server")
flag.BoolVar(&enableLeaderElection, "leader-elect", false,
"Enable leader election for controller manager. "+
"Enabling this will ensure there is only one active controller manager.")
flag.StringVar(&agentImagePullPolicy, "agent-image-pull-policy", "IfNotPresent", "Use userspace implementation")
flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
flag.StringVar(&wgSidecarImage, "sidecar-image", "ghcr.io/jodevsa/wireguard-operator/sidecar:latest", "The image used for wireguard sidecar")
flag.StringVar(&wgSidecarImagePullPolicy, "sidecar-image-pull-policy", "IfNotPresent", "imagePullPolicy for wireguard sidecar")
flag.StringVar(&wgImage, "agent-image", "ghcr.io/jodevsa/wireguard-operator/agent:latest", "The image used for wireguard server")
flag.StringVar(&wgAgentImagePullPolicy, "agent-image-pull-policy", "IfNotPresent", "Use userspace implementation")
opts := zap.Options{
Development: true,
}
Expand Down Expand Up @@ -92,7 +97,7 @@ func main() {
Client: mgr.GetClient(),
Scheme: mgr.GetScheme(),
AgentImage: wgImage,
AgentImagePullPolicy: v1.PullPolicy(agentImagePullPolicy),
AgentImagePullPolicy: v1.PullPolicy(wgAgentImagePullPolicy),
}).SetupWithManager(mgr); err != nil {
setupLog.Error(err, "unable to create controller", "controller", "Wireguard")
os.Exit(1)
Expand All @@ -104,6 +109,15 @@ func main() {
setupLog.Error(err, "unable to create controller", "controller", "WireguardPeer")
os.Exit(1)
}
if err = (&controllers.WireguardSidecarReconciler{
Client: mgr.GetClient(),
Scheme: mgr.GetScheme(),
SidecarImage: wgSidecarImage,
SidecarImagePullPolicy: v1.PullPolicy(wgSidecarImagePullPolicy),
}).SetupWithManager(mgr); err != nil {
setupLog.Error(err, "unable to create controller", "controller", "WireguardSidecar")
os.Exit(1)
}
//+kubebuilder:scaffold:builder

if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
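Review bot: The default for `--agent-image` changes from `""` to `ghcr.io/jodevsa/wireguard-operator/agent:latest`, and `--sidecar-image` likewise defaults to a `:latest` tag, so a manager started without these flags runs whatever the mutable tag currently points at, and with the `IfNotPresent` pull-policy default a stale cached image is silently reused on nodes that already have one. Prefer keeping the empty default and failing at startup when the flag is unset, or pin the default to a release tag or digest that the release process bumps. The help text for `agent-image-pull-policy` still reads `"Use userspace implementation"`, which looks like a copy-paste leftover; align it with the new sidecar flag, e.g. `"imagePullPolicy for wireguard agent"`. main's body continues outside the hunk.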
2 changes: 1 addition & 1 deletion config/default/kustomization.yaml
Expand Up @@ -44,7 +44,7 @@ patchesStrategicMerge:
#- webhookcainjection_patch.yaml

# the following config is for teaching kustomize how to do var substitution
vars:
vars: []
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
# objref:
1 change: 1 addition & 0 deletions config/default/manager_auth_proxy_patch.yaml
Expand Up @@ -33,3 +33,4 @@ spec:
- "--metrics-bind-address=127.0.0.1:8080"
- "--leader-elect"
- "--agent-image=ghcr.io/jodevsa/wireguard-operator/agent:main"
- "--sidecar-image=ghcr.io/jodevsa/wireguard-operator/sidecar:main"
1 change: 1 addition & 0 deletions config/default/manager_auth_proxy_patch.yaml.template
Expand Up @@ -33,3 +33,4 @@ spec:
- "--metrics-bind-address=127.0.0.1:8080"
- "--leader-elect"
- "--agent-image=${AGENT_IMAGE}"
- "--sidecar-image=${SIDECAR_IMAGE}"
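--- /dev/null
+++ b/config/e2e/kustomization.yaml
@@ -0,0 +1,20 @@
+# Adds namespace to all resources.
+namespace: wireguard-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: wireguard-
+
+# Labels to add to all resources and selectors.
+#commonLabels:
+# someName: someValue
+
+bases:
+- ../default
+
+resources:
+- sidecar-test-deployment.yaml
+- sidecar-test-service.yaml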
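Review bot: `bases:` is deprecated in kustomize in favour of listing the directory under `resources:`, and this file already has a `resources:` list, so `../default` can simply be moved there as its first entry and the `bases:` block dropped. The file also lacks the `apiVersion: kustomize.config.k8s.io/v1beta1` and `kind: Kustomization` header that kustomization files conventionally carry. `namePrefix: wireguard-` stacks on the prefix that `../default` already applies, which is why the e2e resource names come out as `wireguard-wireguard-…`; a comment such as `# Stacks on the prefix applied by ../default; resources become wireguard-wireguard-*` would save the next reader a puzzle.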
22 changes: 22 additions & 0 deletions config/e2e/sidecar-test-deployment.yaml
@@ -0,0 +1,22 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: hello-kubernetes
annotations:
vpn.example.com/enable-sidecar: "true"
vpn.example.com/sidecar-wireguard-ref: abcde12345
spec:
replicas: 1
selector:
matchLabels:
app: hello-kubernetes
template:
metadata:
labels:
app: hello-kubernetes
spec:
containers:
- name: hello-kubernetes
image: paulbouwer/hello-kubernetes
ports:
- containerPort: 8080
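Review bot: The sidecar annotations `vpn.example.com/enable-sidecar` and `vpn.example.com/sidecar-wireguard-ref` sit on the Deployment's own `metadata`, not on `spec.template.metadata`, so they are not copied to the Pods the Deployment creates. If the controller looks for them on Pod objects, as the PR title ("pod Wireguard sidecar") suggests, this fixture never triggers injection; moving them under `spec.template.metadata.annotations` would match that design — if the controller reads Deployment annotations instead, a comment saying so here would prevent the same confusion. `sidecar-wireguard-ref: abcde12345` also names a Wireguard resource that is not part of this kustomization, so the fixture silently depends on the suite creating it first; a comment stating that precondition would help. `image: paulbouwer/hello-kubernetes` is unpinned, so add a tag to keep the e2e run reproducible.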
12 changes: 12 additions & 0 deletions config/e2e/sidecar-test-service.yaml
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Service
metadata:
name: hello-kubernetes
spec:
selector:
app: hello-kubernetes
ports:
- protocol: TCP
port: 80
targetPort: 8080
type: ClusterIP
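--- /dev/null
+++ b/images/sidecar/Dockerfile
@@ -0,0 +1,8 @@
+FROM alpine:latest
+
+RUN apk --no-cache add wireguard-tools iptables
+
+COPY images/sidecar/start-wireguard.sh /
+RUN chmod +x /start-wireguard.sh
+
+CMD ["/start-wireguard.sh"]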
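Review bot: `FROM alpine:latest` leaves the base of an image that runs `wg-quick` and `iptables` inside other people's pods unpinned, so every rebuild may silently pick up a different Alpine release and package set; pin a release (e.g. `FROM alpine:3.18`) and, ideally, a digest that the image-update process bumps deliberately. `COPY` followed by `RUN chmod +x` spends a layer only to fix the file mode; with BuildKit `COPY --chmod=755 images/sidecar/start-wireguard.sh /` does both in one step. `CMD ["/start-wireguard.sh"]` passes the script no arguments, which matters because the script's last line is `exec "$@"` — see the script itself for the consequence.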
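--- /dev/null
+++ b/images/sidecar/start-wireguard.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+
+# Generate WireGuard keys
+umask 077
+
+# Start WireGuard
+wg-quick up wg0
+
+# Configure iptables to route traffic over the VPN
+iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
+iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
+iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
+
+# Start the main container process
+exec "$@"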
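Review bot: The script ends with `exec "$@"`, but the Dockerfile starts it with no arguments, so after `wg-quick up wg0` this is `exec` with an empty argument list — a no-op in POSIX sh — and the script exits 0; the sidecar container therefore terminates right after configuring the tunnel, and when the kubelet restarts it `wg-quick up wg0` fails under `set -e` because the interface already exists in the shared pod network namespace (unless the pod spec, not shown here, supplies a command). Either keep the process alive, e.g. replace the last line with `exec tail -f /dev/null`, or drop `exec "$@"` and document that the injected container spec must pass a long-running command. The comment `# Generate WireGuard keys` above `umask 077` is misleading since no keys are generated here; `# Restrict the mode of any files created below (e.g. by wg-quick)` describes what the line does. The script also assumes `/etc/wireguard/wg0.conf` is already present — presumably the ConfigMap mount mentioned in the commit list — so a one-line comment stating that precondition would help.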
48 changes: 30 additions & 18 deletions internal/it/suite_test.go
Expand Up @@ -3,6 +3,13 @@ package it
import (
"context"
"fmt"
"log"
"os"
"os/exec"
"strings"
"testing"
"time"

"github.com/go-logr/stdr"
"github.com/jodevsa/wireguard-operator/pkg/api/v1alpha1"
. "github.com/onsi/ginkgo"
Expand All @@ -12,17 +19,11 @@ import (
"k8s.io/client-go/kubernetes/scheme"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd"
"log"
"os"
"os/exec"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/envtest"
"sigs.k8s.io/kind/pkg/apis/config/v1alpha4"
kind "sigs.k8s.io/kind/pkg/cluster"
log2 "sigs.k8s.io/kind/pkg/log"
"strings"
"testing"
"time"
//+kubebuilder:scaffold:imports
)

Expand All @@ -34,6 +35,7 @@ var k8sClient client.Client
var testEnv *envtest.Environment
var releasePath string
var agentImage string
var sidecarImage string
var managerImage string
var kindBinary string
var kubeConfigPath string
Expand Down Expand Up @@ -116,12 +118,14 @@ func KubectlApply(resource string, namespace string) (string, error) {
var _ = BeforeSuite(func() {
releasePath = os.Getenv("WIREGUARD_OPERATOR_RELEASE_PATH")
agentImage = os.Getenv("AGENT_IMAGE")
sidecarImage = os.Getenv("SIDECAR_IMAGE")
managerImage = os.Getenv("MANAGER_IMAGE")
kindBinary = os.Getenv("KIND_BIN")
kubeConfigPath = os.Getenv("KUBE_CONFIG")

Expect(releasePath).NotTo(Equal(""))
Expect(agentImage).NotTo(Equal(""))
Expect(sidecarImage).NotTo(Equal(""))
Expect(releasePath).NotTo(Equal(""))
Expect(managerImage).NotTo(Equal(""))
Expect(kindBinary).NotTo(Equal(""))
Expand Down Expand Up @@ -184,7 +188,13 @@ var _ = BeforeSuite(func() {
cmd = exec.Command(kindBinary, "load", "docker-image", agentImage, "--name", testClusterName)
b, err = cmd.Output()
if err != nil {
log.Error(err, "unable to load local image agent:dev")
log.Error(err, "unable to load local image for agent")
return
}
cmd = exec.Command(kindBinary, "load", "docker-image", sidecarImage, "--name", testClusterName)
b, err = cmd.Output()
if err != nil {
log.Error(err, "unable to load local image for sidecar")
return
}

Expand All @@ -201,17 +211,19 @@ var _ = BeforeSuite(func() {
"namespace/wireguard-system",
"customresourcedefinition.apiextensions.k8s.io/wireguardpeers.vpn.example.com",
"customresourcedefinition.apiextensions.k8s.io/wireguards.vpn.example.com",
"serviceaccount/wireguard-controller-manager",
"role.rbac.authorization.k8s.io/wireguard-leader-election-role",
"clusterrole.rbac.authorization.k8s.io/wireguard-manager-role",
"clusterrole.rbac.authorization.k8s.io/wireguard-metrics-reader",
"clusterrole.rbac.authorization.k8s.io/wireguard-proxy-role",
"rolebinding.rbac.authorization.k8s.io/wireguard-leader-election-rolebinding",
"clusterrolebinding.rbac.authorization.k8s.io/wireguard-manager-rolebinding",
"clusterrolebinding.rbac.authorization.k8s.io/wireguard-proxy-rolebinding",
"configmap/wireguard-manager-config",
"service/wireguard-controller-manager-metrics-service",
"deployment.apps/wireguard-controller-manager",
"serviceaccount/wireguard-wireguard-controller-manager",
"role.rbac.authorization.k8s.io/wireguard-wireguard-leader-election-role",
"clusterrole.rbac.authorization.k8s.io/wireguard-wireguard-manager-role",
"clusterrole.rbac.authorization.k8s.io/wireguard-wireguard-metrics-reader",
"clusterrole.rbac.authorization.k8s.io/wireguard-wireguard-proxy-role",
"rolebinding.rbac.authorization.k8s.io/wireguard-wireguard-leader-election-rolebinding",
"clusterrolebinding.rbac.authorization.k8s.io/wireguard-wireguard-manager-rolebinding",
"clusterrolebinding.rbac.authorization.k8s.io/wireguard-wireguard-proxy-rolebinding",
"configmap/wireguard-wireguard-manager-config",
"service/wireguard-hello-kubernetes",
"service/wireguard-wireguard-controller-manager-metrics-service",
"deployment.apps/wireguard-hello-kubernetes",
"deployment.apps/wireguard-wireguard-controller-manager",
}

Expect(strings.Split(strings.Trim(strings.ReplaceAll(string(b), " created", ""), "\n"), "\n")).To(BeEquivalentTo(expectedResources))
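Review bot: The new `kind load docker-image` block for `sidecarImage` copies the agent block's error handling — `log.Error(err, ...)` followed by a bare `return` — which leaves `BeforeSuite` without failing it, so the specs then run against a cluster that lacks the sidecar image and fail later with image-pull errors far from the cause. Replace the log-and-return with an assertion, e.g. `Expect(err).NotTo(HaveOccurred(), "unable to load local image for sidecar")`, and the same applies to the agent block just above it. In the `expectedResources` list the `wireguard-wireguard-` names and the two `hello-kubernetes` entries come from stacking the e2e kustomization's `namePrefix` on `config/default` and adding the test fixtures; a short comment on the list explaining that would stop the double prefix being "fixed" later. BeforeSuite's body starts and ends outside these hunks.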
6 changes: 3 additions & 3 deletions pkg/controllers/wireguard_controller.go
Expand Up @@ -632,10 +632,10 @@ func (r *WireguardReconciler) serviceForWireguard(m *v1alpha1.Wireguard, service

dep := &corev1.Service{
ObjectMeta: metav1.ObjectMeta{
Name: m.Name + "-svc",
Namespace: m.Namespace,
Name: m.Name + "-svc",
Namespace: m.Namespace,
Annotations: m.Spec.ServiceAnnotations,
Labels: labels,
Labels: labels,
},
Spec: corev1.ServiceSpec{
Selector: labels,
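Review bot: `Annotations: m.Spec.ServiceAnnotations` passes a user-supplied map from the Wireguard CR straight onto the Service, so anyone permitted to create or edit Wireguard objects can set any Service annotation, including the cloud-provider ones that decide how a LoadBalancer is exposed. That is presumably the intent of the feature, but it should be stated in the doc comment on the `ServiceAnnotations` API field (outside this hunk) — that annotations are passed through verbatim and that RBAC on Wireguard CRs therefore governs Service-annotation control. Because the CR's map is shared by reference, copy it here if anything later mutates `dep.Annotations`, otherwise the cached CR object is modified as a side effect. serviceForWireguard starts and ends outside the hunk.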