Network: remapping controller

build/gateway/Dockerfile

@@ -12,7 +12,7 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=$(go env GOARCH) go build -ldflags="-s -w" .
 FROM alpine:3.18
 
 RUN apk update && \
-    apk add iptables bash tcpdump conntrack-tools curl iputils && \
+    apk add nftables bash tcpdump conntrack-tools curl iputils && \
     rm -rf /var/cache/apk/*
 
 COPY --from=goBuilder /tmp/builder/gateway /usr/bin/liqo-gateway

build/gateway/wireguard/Dockerfile

@@ -12,7 +12,7 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=$(go env GOARCH) go build -ldflags="-s -w" .
 FROM alpine:3.18
 
 RUN apk update && \
-    apk add iptables bash wireguard-tools tcpdump conntrack-tools curl iputils && \
+    apk add nftables bash wireguard-tools tcpdump conntrack-tools curl iputils && \
     rm -rf /var/cache/apk/*
 
 COPY --from=goBuilder /tmp/builder/wireguard /usr/bin/liqo-wireguard

cmd/gateway/main.go

@@ -35,7 +35,7 @@ import (
 	"github.com/liqotech/liqo/pkg/gateway"
 	"github.com/liqotech/liqo/pkg/gateway/connection"
 	"github.com/liqotech/liqo/pkg/gateway/connection/conncheck"
-	gwremapping "github.com/liqotech/liqo/pkg/gateway/remapping"
+	"github.com/liqotech/liqo/pkg/gateway/remapping"
 	flagsutils "github.com/liqotech/liqo/pkg/utils/flags"
 	"github.com/liqotech/liqo/pkg/utils/mapper"
 	"github.com/liqotech/liqo/pkg/utils/restcfg"
@@ -45,10 +45,8 @@ var (
 	addToSchemeFunctions = []func(*runtime.Scheme) error{
 		networkingv1alpha1.AddToScheme,
 	}
-	options = connection.NewOptions(
-		gateway.NewOptions(),
-		conncheck.NewOptions(),
-	)
+	connoptions  *connection.Options
+	remapoptions *remapping.Options
 )
 
 // +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;create;update;delete
@@ -65,13 +63,28 @@ func main() {
 	klog.InitFlags(legacyflags)
 	flagsutils.FromFlagToPflag(legacyflags, cmd.Flags())
 
-	gateway.InitFlags(cmd.Flags(), options.GwOptions)
+	defInfaName, err := gateway.GetDefaultInterfaceName()
+	if err != nil {
+		klog.Error(err)
+		os.Exit(1)
+	}
+
+	gwoptions := gateway.NewOptions()
+	connoptions = connection.NewOptions(
+		gwoptions,
+		conncheck.NewOptions(),
+	)
+	remapoptions = remapping.NewOptions(
+		gwoptions, defInfaName,
+	)
+
+	gateway.InitFlags(cmd.Flags(), connoptions.GwOptions)
 	if err := gateway.MarkFlagsRequired(&cmd); err != nil {
 		klog.Error(err)
 		os.Exit(1)
 	}
 
-	connection.InitFlags(cmd.Flags(), options)
+	connection.InitFlags(cmd.Flags(), connoptions)
 
 	if err := cmd.Execute(); err != nil {
 		klog.Error(err)
@@ -103,37 +116,37 @@ func run(_ *cobra.Command, _ []string) error {
 		Scheme:         scheme,
 		Cache: cache.Options{
 			DefaultNamespaces: map[string]cache.Config{
-				options.GwOptions.Namespace: {},
+				connoptions.GwOptions.Namespace: {},
 			},
 		},
 		Metrics: server.Options{
 			BindAddress: "0", // Metrics are exposed by "connection" container.
 		},
-		HealthProbeBindAddress: options.GwOptions.ProbeAddr,
-		LeaderElection:         options.GwOptions.LeaderElection,
+		HealthProbeBindAddress: connoptions.GwOptions.ProbeAddr,
+		LeaderElection:         connoptions.GwOptions.LeaderElection,
 		LeaderElectionID: fmt.Sprintf(
 			"%s.%s.%s.connections.liqo.io",
-			options.GwOptions.Name, options.GwOptions.Namespace, options.GwOptions.Mode,
+			connoptions.GwOptions.Name, connoptions.GwOptions.Namespace, connoptions.GwOptions.Mode,
 		),
-		LeaderElectionNamespace:       options.GwOptions.Namespace,
+		LeaderElectionNamespace:       connoptions.GwOptions.Namespace,
 		LeaderElectionReleaseOnCancel: true,
 		LeaderElectionResourceLock:    resourcelock.LeasesResourceLock,
-		LeaseDuration:                 &options.GwOptions.LeaderElectionLeaseDuration,
-		RenewDeadline:                 &options.GwOptions.LeaderElectionRenewDeadline,
-		RetryPeriod:                   &options.GwOptions.LeaderElectionRetryPeriod,
+		LeaseDuration:                 &connoptions.GwOptions.LeaderElectionLeaseDuration,
+		RenewDeadline:                 &connoptions.GwOptions.LeaderElectionRenewDeadline,
+		RetryPeriod:                   &connoptions.GwOptions.LeaderElectionRetryPeriod,
 	})
 	if err != nil {
 		return fmt.Errorf("unable to create manager: %w", err)
 	}
 
-	if options.EnableConnectionController {
+	if connoptions.EnableConnectionController {
 		// Setup the connection controller.
 		connr, err := connection.NewConnectionsReconciler(
 			ctx,
 			mgr.GetClient(),
 			mgr.GetScheme(),
 			mgr.GetEventRecorderFor("connection-controller"),
-			options,
+			connoptions,
 		)
 		if err != nil {
 			return fmt.Errorf("unable to create connectioons reconciler: %w", err)
@@ -149,7 +162,8 @@ func run(_ *cobra.Command, _ []string) error {
 		mgr.GetClient(),
 		mgr.GetScheme(),
 		mgr.GetEventRecorderFor("firewall-controller"),
-		gwremapping.ForgeFirewallTargetLabels(options.GwOptions.RemoteClusterID),
+		remapping.ForgeFirewallTargetLabels(connoptions.GwOptions.RemoteClusterID),
+		false,
 	)
 	if err != nil {
 		return fmt.Errorf("unable to create firewall configuration reconciler: %w", err)
@@ -159,6 +173,18 @@ func run(_ *cobra.Command, _ []string) error {
 		return fmt.Errorf("unable to setup firewall configuration reconciler: %w", err)
 	}
 
+	// Setup the configuration controller.
+	cfgr := remapping.NewRemappingReconciler(
+		mgr.GetClient(),
+		mgr.GetScheme(),
+		mgr.GetEventRecorderFor("firewall-controller"),
+		remapoptions,
+	)
+
+	if err := cfgr.SetupWithManager(mgr); err != nil {
+		return fmt.Errorf("unable to setup configuration reconciler: %w", err)
+	}
+
 	// Start the manager.
 	return mgr.Start(ctx)
 }

deployments/liqo/files/liqo-gateway-ClusterRole.yaml

@@ -30,6 +30,25 @@ rules:
   - get
   - list
   - update
+- apiGroups:
+  - networking.liqo.io
+  resources:
+  - configurations
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - networking.liqo.io
+  resources:
+  - configurations/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - networking.liqo.io
   resources:
@@ -54,6 +73,8 @@ rules:
   resources:
   - firewallconfigurations
   verbs:
+  - create
+  - delete
   - get
   - list
   - patch

deployments/liqo/templates/liqo-wireguard-gateway-client-template.yaml

@@ -38,6 +38,7 @@ spec:
                 - --name={{"{{ .Name }}"}}
                 - --namespace={{"{{ .Namespace }}"}}
                 - --remote-cluster-id={{"{{ .ClusterID }}"}}
+                - --gateway-uid={{"{{ .GatewayUID }}"}}
                 - --mode=client
                 - --metrics-address=:8080
                 - --health-probe-bind-address=:8081
@@ -48,6 +49,11 @@ spec:
                 {{- if gt .Values.networking.gateway.replicas 1.0 }}
                 - --leader-election=true
                 {{- end }}
+                securityContext:
+                  capabilities:
+                    add:
+                    - NET_ADMIN
+                    - NET_RAW
               - name: wireguard
                 image: ghcr.io/liqotech/gateway/wireguard{{ include "liqo.suffix" $templateConfig }}:{{ include "liqo.version" $templateConfig }}
                 imagePullPolicy: {{ .Values.pullPolicy }}

deployments/liqo/templates/liqo-wireguard-gateway-server-template.yaml

@@ -52,6 +52,7 @@ spec:
                 - --name={{"{{ .Name }}"}}
                 - --namespace={{"{{ .Namespace }}"}}
                 - --remote-cluster-id={{"{{ .ClusterID }}"}}
+                - --gateway-uid={{"{{ .GatewayUID }}"}}
                 - --mode=server
                 - --metrics-address=:8080
                 - --health-probe-bind-address=:8081
@@ -62,6 +63,11 @@ spec:
                 {{- if gt .Values.networking.gateway.replicas 1.0 }}
                 - --leader-election=true
                 {{- end }}
+                securityContext:
+                  capabilities:
+                    add:
+                    - NET_ADMIN
+                    - NET_RAW
               - name: wireguard
                 image: ghcr.io/liqotech/gateway/wireguard{{ include "liqo.suffix" $templateConfig }}:{{ include "liqo.version" $templateConfig }}
                 imagePullPolicy: {{ .Values.pullPolicy }}

pkg/firewall/firewallconfiguration_controller.go

@@ -44,21 +44,24 @@ type FirewallConfigurationReconciler struct {
 	EventsRecorder record.EventRecorder
 	// Labels used to filter the reconciled resources.
 	Labels map[string]string
+	// EnableFinalizer is used to enable the finalizer on the reconciled resources.
+	EnableFinalizer bool
 }
 
 // NewFirewallConfigurationReconciler returns a new FirewallConfigurationReconciler.
 func NewFirewallConfigurationReconciler(cl client.Client, s *runtime.Scheme,
-	er record.EventRecorder, labels map[string]string) (*FirewallConfigurationReconciler, error) {
+	er record.EventRecorder, labels map[string]string, enableFinalizer bool) (*FirewallConfigurationReconciler, error) {
 	nftConnection, err := nftables.New()
 	if err != nil {
 		return nil, fmt.Errorf("unable to create nftables connection: %w", err)
 	}
 	return &FirewallConfigurationReconciler{
-		NftConnection:  nftConnection,
-		Client:         cl,
-		Scheme:         s,
-		EventsRecorder: er,
-		Labels:         labels,
+		NftConnection:   nftConnection,
+		Client:          cl,
+		Scheme:          s,
+		EventsRecorder:  er,
+		Labels:          labels,
+		EnableFinalizer: enableFinalizer,
 	}, nil
 }
 
@@ -87,14 +90,15 @@ func (r *FirewallConfigurationReconciler) Reconcile(ctx context.Context, req ctr
 
 	// Manage Finalizers and Table deletion.
 	// In nftables, table deletion automatically delete contained chains and rules.
-	if fwcfg.DeletionTimestamp.IsZero() {
+
+	if fwcfg.DeletionTimestamp.IsZero() && r.EnableFinalizer {
 		if !ctrlutil.ContainsFinalizer(fwcfg, firewallConfigurationsControllerFinalizer) {
 			if err = r.ensureFirewallConfigurationFinalizerPresence(ctx, fwcfg); err != nil {
 				return ctrl.Result{}, err
 			}
 			return ctrl.Result{}, nil
 		}
-	} else {
+	} else if r.EnableFinalizer {
 		if ctrlutil.ContainsFinalizer(fwcfg, firewallConfigurationsControllerFinalizer) {
 			delTable(r.NftConnection, &fwcfg.Spec.Table)
 			if err = r.NftConnection.Flush(); err != nil {

pkg/gateway/connection/connections_controller.go

@@ -76,7 +76,7 @@ func (r *ConnectionsReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		}
 		return ctrl.Result{}, fmt.Errorf("unable to get the connection %q: %w", req.NamespacedName, err)
 	}
-	klog.Infof("Reconciling connection %q", req.NamespacedName)
+	klog.V(4).Infof("Reconciling connection %q", req.NamespacedName)
 
 	updateConnection := ForgeUpdateConnectionCallback(ctx, r.Client, r.Options, req)
 

pkg/gateway/flags.go

@@ -29,14 +29,19 @@ func (fn FlagName) String() string {
 }
 
 const (
-	// FlagNameName is the name of the WgGateway resource.
+	// FlagNameName is the name of the Gateway resource.
 	FlagNameName FlagName = "name"
-	// FlagNameNamespace is the namespace WgGateway resource.
+	// FlagNameNamespace is the namespace Gateway resource.
 	FlagNameNamespace FlagName = "namespace"
 	// FlagNameRemoteClusterID is the clusterID of the remote cluster.
 	FlagNameRemoteClusterID FlagName = "remote-cluster-id"
 
-	// FlagNameMode is the mode in which the wireguard interface is configured.
+	// FlagNameGatewayUID is the UID of the Gateway resource.
+	FlagNameGatewayUID FlagName = "gateway-uid"
+	// FlagNameInterfaceName is the name of the tunnel interface.
+	FlagNameInterfaceName FlagName = "interface-name"
+
+	// FlagNameMode is the mode in which the gateway is configured.
 	FlagNameMode FlagName = "mode"
 
 	// FlagNameLeaderElection is the flag to enable leader election.
@@ -60,14 +65,18 @@ var RequiredFlags = []FlagName{
 	FlagNameNamespace,
 	FlagNameRemoteClusterID,
 	FlagNameMode,
+	FlagNameGatewayUID,
 }
 
-// InitFlags initializes the flags for the wireguard tunnel.
+// InitFlags initializes the flags for the gateway.
 func InitFlags(flagset *pflag.FlagSet, opts *Options) {
 	flagset.StringVar(&opts.Name, FlagNameName.String(), "", "Parent gateway name")
 	flagset.StringVar(&opts.Namespace, FlagNameNamespace.String(), "", "Parent gateway namespace")
 	flagset.StringVar(&opts.RemoteClusterID, FlagNameRemoteClusterID.String(), "", "ClusterID of the remote cluster")
 
+	flagset.StringVar(&opts.GatewayUID, FlagNameGatewayUID.String(), "", "Parent gateway resource UID")
+	flagset.StringVar(&opts.TunnelInterfaceName, FlagNameInterfaceName.String(), "liqo-tunnel", "Name for the tunnel interface")
+
 	flagset.Var(&opts.Mode, FlagNameMode.String(), "Parent gateway mode")
 
 	flagset.BoolVar(&opts.LeaderElection, FlagNameLeaderElection.String(), false, "Enable leader election")

pkg/gateway/k8s.go

@@ -0,0 +1,42 @@
+// Copyright 2019-2023 The Liqo Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gateway
+
+import (
+	"fmt"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+
+	networkingv1alpha1 "github.com/liqotech/liqo/apis/networking/v1alpha1"
+)
+
+// SetOwnerReferenceWithMode sets the owner reference of the object according to the mode.
+func SetOwnerReferenceWithMode(opts *Options, obj metav1.Object, scheme *runtime.Scheme) error {
+	meta := metav1.ObjectMeta{
+		Name:      opts.Name,
+		Namespace: opts.Namespace,
+		UID:       types.UID(opts.GatewayUID),
+	}
+	switch opts.Mode {
+	case ModeServer:
+		return controllerutil.SetOwnerReference(&networkingv1alpha1.GatewayServer{ObjectMeta: meta}, obj, scheme)
+	case ModeClient:
+		return controllerutil.SetOwnerReference(&networkingv1alpha1.GatewayClient{ObjectMeta: meta}, obj, scheme)
+	}
+	return fmt.Errorf("invalid mode %v", opts.Mode)
+}