Add support for pod Wireguard sidecar #44
Conversation
…ured for a wireguard peer.
|
@jodevsa can I get a cursory review on this? My Go is awful, so just want to know I am heading in the right direction |
|
Sure, Can you please elaborate on the use cases of this feature? |
|
Sure, the use case would be to put the individual pods on a WireGuard network for secure communication with services elsewhere in the mesh. See: #27 |
…unctionality for appending to pod spec
Matthew-Beckett
force-pushed
the
feature/add-wireguard-sidecar
branch
from
3cc915e
to
619d53a
Compare
|
@jodevsa can I get some help on why the e2e tests are failing, this code is still unfinished because I had to do some work to improve and fix up the makefile for local development. |
jodevsa
force-pushed
the
main
branch
2 times, most recently
from
2dbc897
to
4bd7537
Compare
|
Hello, @Matthew-Beckett how this would work to route multiple pods to a single wireguard peer interface ? Having this scenario: In order to have another pod (your application) to route its traffic to that network interface, would this PR solve this scenario? As far as I know, you need a multi-homed pod (like using multus) and bridge a dummy interface, otherwise your application pod will not connect or route to another interface (wg0) inside another pod. |
|
Has this been tested? Aren't pods immutable? I believe other projects use admission webhooks to patch pod specs before they're actually created. |
This PR adds a sidecar which can be added to a pod by the controller when the annotation:
vpn.example.com/sidecar-enable: true is set and
vpn.example.com/sidecar-wireguard-ref: is a valid wireguard reference
The wireguard sidecar is automatically configured for the vpn and a peer is created automatically.