External Network: Wireguard Templates

Makefile

@@ -75,7 +75,7 @@ rbacs: controller-gen
 	$(CONTROLLER_GEN) paths="./cmd/uninstaller" rbac:roleName=liqo-pre-delete output:rbac:stdout | awk -v RS="---\n" 'NR>1{f="./deployments/liqo/files/liqo-pre-delete-" $$4 ".yaml";printf "%s",$$0 > f; close(f)}' && $(SED_COMMAND) deployments/liqo/files/liqo-pre-delete-ClusterRole.yaml
 	$(CONTROLLER_GEN) paths="./cmd/metric-agent" rbac:roleName=liqo-metric-agent output:rbac:stdout | awk -v RS="---\n" 'NR>1{f="./deployments/liqo/files/liqo-metric-agent-" $$4 ".yaml";printf "%s",$$0 > f; close(f)}' && $(SED_COMMAND) deployments/liqo/files/liqo-metric-agent-ClusterRole.yaml
 	$(CONTROLLER_GEN) paths="./cmd/telemetry" rbac:roleName=liqo-telemetry output:rbac:stdout | awk -v RS="---\n" 'NR>1{f="./deployments/liqo/files/liqo-telemetry-" $$4 ".yaml";printf "%s",$$0 > f; close(f)}' && $(SED_COMMAND) deployments/liqo/files/liqo-telemetry-ClusterRole.yaml
-	$(CONTROLLER_GEN) paths="./pkg/gateway/..." rbac:roleName=liqo-gateway output:rbac:stdout | awk -v RS="---\n" 'NR>1{f="./deployments/liqo/files/liqo-gateway-" $$4 ".yaml";printf "%s",$$0 > f; close(f)}' && $(SED_COMMAND) deployments/liqo/files/liqo-gateway-ClusterRole.yaml
+	$(CONTROLLER_GEN) paths="{./pkg/gateway/...,./cmd/gateway/...}" rbac:roleName=liqo-gateway output:rbac:stdout | awk -v RS="---\n" 'NR>1{f="./deployments/liqo/files/liqo-gateway-" $$4 ".yaml";printf "%s",$$0 > f; close(f)}' && $(SED_COMMAND) deployments/liqo/files/liqo-gateway-ClusterRole.yaml
 
 # Install gci if not available
 gci:

apis/networking/v1alpha1/gatewayclient_types.go

@@ -56,6 +56,13 @@ type GatewayClientStatus struct {
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:categories=liqo
 // +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Template Kind",type=string,JSONPath=`.spec.clientTemplateRef.kind`, priority=1
+// +kubebuilder:printcolumn:name="Template Name",type=string,JSONPath=`.spec.clientTemplateRef.name`
+// +kubebuilder:printcolumn:name="Template Namespace",type=string,JSONPath=`.spec.clientTemplateRef.namespace`, priority=1
+// +kubebuilder:printcolumn:name="IP",type=string,JSONPath=`.spec.endpoint.addresses[*]`
+// +kubebuilder:printcolumn:name="Port",type=string,JSONPath=`.spec.endpoint.port`
+// +kubebuilder:printcolumn:name="Protocol",type=string,JSONPath=`.spec.endpoint.protocol`, priority=1
+// +kubebuilder:printcolumn:name="MTU",type=integer,JSONPath=`.spec.mtu`, priority=1
 
 // GatewayClient defines a gateway client that needs to point to a remote gateway server.
 type GatewayClient struct {

apis/networking/v1alpha1/gatewayserver_types.go

@@ -79,6 +79,13 @@ type GatewayServerStatus struct {
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:categories=liqo
 // +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Template Kind",type=string,JSONPath=`.spec.serverTemplateRef.kind`, priority=1
+// +kubebuilder:printcolumn:name="Template Name",type=string,JSONPath=`.spec.serverTemplateRef.name`
+// +kubebuilder:printcolumn:name="Template Namespace",type=string,JSONPath=`.spec.serverTemplateRef.namespace`, priority=1
+// +kubebuilder:printcolumn:name="IP",type=string,JSONPath=`.status.endpoint.addresses[*]`
+// +kubebuilder:printcolumn:name="Port",type=string,JSONPath=`.status.endpoint.port`
+// +kubebuilder:printcolumn:name="Protocol",type=string,JSONPath=`.status.endpoint.protocol`, priority=1
+// +kubebuilder:printcolumn:name="MTU",type=integer,JSONPath=`.spec.mtu`, priority=1
 
 // GatewayServer defines a gateway server that remote gateway clients need to point to.
 type GatewayServer struct {

cmd/gateway/main.go

@@ -43,6 +43,9 @@ var (
 	options = gateway.NewOptions()
 )
 
+// +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;create;update;delete
+// +kubebuilder:rbac:groups=core,resources=events,verbs=get;list;watch;create;update;patch;delete
+
 func main() {
 	var cmd = cobra.Command{
 		Use:  "liqo-gateway",

cmd/gateway/wireguard/main.go

@@ -50,6 +50,9 @@ var (
 	options = wireguard.NewOptions(gateway.NewOptions())
 )
 
+// +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;create;update;delete
+// +kubebuilder:rbac:groups=core,resources=events,verbs=get;list;watch;create;update;patch;delete
+
 func main() {
 	var cmd = cobra.Command{
 		Use:  "liqo-wireguard",

deployments/liqo/README.md

@@ -114,6 +114,12 @@
 | networkManager.pod.labels | object | `{}` | Labels for the networkManager pod. |
 | networkManager.pod.resources | object | `{"limits":{},"requests":{}}` | Resource requests and limits (https://kubernetes.io/docs/user-guide/compute-resources/) for the networkManager pod. |
 | networking.clientResources | list | `[{"apiVersion":"networking.liqo.io/v1alpha1","resource":"wggatewayclients"}]` | Set the list of resources that implement the GatewayClient |
+| networking.gateway | object | `{"ping":{"interval":"2s","lossThreshold":5,"updateStatusInterval":"10s"},"replicas":1}` | Set the options for gateway templates |
+| networking.gateway.ping | object | `{"interval":"2s","lossThreshold":5,"updateStatusInterval":"10s"}` | Set the options to configure the gateway ping used to check connection |
+| networking.gateway.ping.interval | string | `"2s"` | Set the interval between two consecutive pings |
+| networking.gateway.ping.lossThreshold | int | `5` | Set the number of consecutive pings that must fail to consider the connection as lost |
+| networking.gateway.ping.updateStatusInterval | string | `"10s"` | Set the interval at which the connection resource status is updated |
+| networking.gateway.replicas | int | `1` | Set the number of replicas for the gateway deployments |
 | networking.internal | bool | `true` | Use the default Liqo network manager. |
 | networking.iptables | object | `{"mode":"nf_tables"}` | Iptables configuration tuning. |
 | networking.iptables.mode | string | `"nf_tables"` | Select the iptables mode to use. Possible values are "legacy" and "nf_tables". |

deployments/liqo/charts/liqo-crds/crds/networking.liqo.io_gatewayclients.yaml

@@ -16,7 +16,33 @@ spec:
     singular: gatewayclient
   scope: Namespaced
   versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - jsonPath: .spec.clientTemplateRef.kind
+      name: Template Kind
+      priority: 1
+      type: string
+    - jsonPath: .spec.clientTemplateRef.name
+      name: Template Name
+      type: string
+    - jsonPath: .spec.clientTemplateRef.namespace
+      name: Template Namespace
+      priority: 1
+      type: string
+    - jsonPath: .spec.endpoint.addresses[*]
+      name: IP
+      type: string
+    - jsonPath: .spec.endpoint.port
+      name: Port
+      type: string
+    - jsonPath: .spec.endpoint.protocol
+      name: Protocol
+      priority: 1
+      type: string
+    - jsonPath: .spec.mtu
+      name: MTU
+      priority: 1
+      type: integer
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: GatewayClient defines a gateway client that needs to point to

deployments/liqo/charts/liqo-crds/crds/networking.liqo.io_gatewayservers.yaml

@@ -16,7 +16,33 @@ spec:
     singular: gatewayserver
   scope: Namespaced
   versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - jsonPath: .spec.serverTemplateRef.kind
+      name: Template Kind
+      priority: 1
+      type: string
+    - jsonPath: .spec.serverTemplateRef.name
+      name: Template Name
+      type: string
+    - jsonPath: .spec.serverTemplateRef.namespace
+      name: Template Namespace
+      priority: 1
+      type: string
+    - jsonPath: .status.endpoint.addresses[*]
+      name: IP
+      type: string
+    - jsonPath: .status.endpoint.port
+      name: Port
+      type: string
+    - jsonPath: .status.endpoint.protocol
+      name: Protocol
+      priority: 1
+      type: string
+    - jsonPath: .spec.mtu
+      name: MTU
+      priority: 1
+      type: integer
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: GatewayServer defines a gateway server that remote gateway clients

deployments/liqo/files/liqo-gateway-ClusterRole.yaml

@@ -1,4 +1,25 @@
 rules:
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - delete
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - ""
   resources:

deployments/liqo/templates/_helpers.tpl

@@ -76,6 +76,36 @@ app.kubernetes.io/component: {{ quote .module }}
 app.kubernetes.io/part-of: {{ quote (include "liqo.name" .) }}
 {{- end }}
 
+{{/*
+Common metadata for Templates
+*/}}
+{{- define "liqo.metadataTemplate" -}}
+name: {{ quote "{{ .Name }}" }}
+namespace: {{ quote "{{ .Namespace }}" }}
+labels:
+{{ include "liqo.labelsTemplate" . | indent 2 }}
+{{- end }}
+
+{{/*
+Common Labels for Templates
+*/}}
+{{- define "liqo.labelsTemplate" -}}
+{{ include "liqo.selectorLabelsTemplate" . }}
+helm.sh/chart: {{ quote (include "liqo.chart" .) }}
+app.kubernetes.io/version: {{ quote (include "liqo.version" .) }}
+app.kubernetes.io/managed-by: {{ quote .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels template, it accepts a dict which contains fields "name" and "module"
+*/}}
+{{- define "liqo.selectorLabelsTemplate" -}}
+app.kubernetes.io/name: {{ quote "{{ .Name }}" }}
+app.kubernetes.io/instance: {{ quote (printf "%s-%s" .Release.Name "{{ .Name }}") }}
+app.kubernetes.io/component: {{ quote .module }}
+app.kubernetes.io/part-of: {{ quote (include "liqo.name" .) }}
+{{- end }}
+
 {{/*
 Create a name prefixed with the chart name, it accepts a dict which contains the field "name".
 */}}

deployments/liqo/templates/liqo-wireguard-gateway-client-template.yaml

@@ -0,0 +1,69 @@
+{{- $templateConfig := (merge (dict "name" "wireguard-client" "module" "networking") .) -}}
+
+{{- if .Values.networking.internal }}
+
+apiVersion: networking.liqo.io/v1alpha1
+kind: WgGatewayClientTemplate
+metadata:
+  name: {{ $templateConfig.name  }}
+  labels:
+    {{- include "liqo.labels" $templateConfig | nindent 4 }}
+spec:
+  objectKind:
+    apiVersion: networking.liqo.io/v1alpha1
+    kind: WgGatewayClient
+  template:
+    metadata:
+      {{- include "liqo.metadataTemplate" $templateConfig | nindent 6 }}
+    spec:
+      deployment:
+        metadata:
+          {{- include "liqo.metadataTemplate" $templateConfig | nindent 10 }}
+        spec:
+          replicas: {{ .Values.networking.gateway.replicas }}
+          selector:
+            matchLabels:
+              {{- include "liqo.labelsTemplate" $templateConfig | nindent 14 }}
+          template:
+            metadata:
+              {{- include "liqo.metadataTemplate" $templateConfig | nindent 14 }}
+            spec:
+              serviceAccount: "{{"{{ .Name }}"}}"
+              serviceAccountName: "{{"{{ .Name }}"}}"
+              containers:
+              - name: gateway
+                image: ghcr.io/liqotech/gateway{{ include "liqo.suffix" $templateConfig }}:{{ include "liqo.version" $templateConfig }}
+                imagePullPolicy: Always
+                args:
+                - --name={{"{{ .Name }}"}}
+                - --namespace={{"{{ .Namespace }}"}}
+                - --remote-cluster-id={{"{{ .ClusterID }}"}}
+                - --mode=client
+                - --metrics-address=:8080
+                - --health-probe-bind-address=:8081
+                - --ping-loss-threshold={{ .Values.networking.gateway.ping.lossThreshold }}
+                - --ping-interval={{ .Values.networking.gateway.ping.interval }}
+                - --ping-update-status-interval={{ .Values.networking.gateway.ping.updateStatusInterval }}
+                {{- if gt .Values.networking.gateway.replicas 1.0 }}
+                - --leader-election=true
+                {{- end }}
+              - name: wireguard
+                image: ghcr.io/liqotech/gateway/wireguard{{ include "liqo.suffix" $templateConfig }}:{{ include "liqo.version" $templateConfig }}
+                imagePullPolicy: Always
+                args:
+                - --name={{"{{ .Name }}"}}
+                - --namespace={{"{{ .Namespace }}"}}
+                - --remote-cluster-id={{"{{ .ClusterID }}"}}
+                - --gateway-uid={{"{{ .GatewayUID }}"}}
+                - --mode=client
+                - --mtu={{"{{ .Spec.MTU }}"}}
+                - --endpoint-address={{"{{ index .Spec.Endpoint.Addresses 0 }}"}}
+                - --endpoint-port={{"{{ .Spec.Endpoint.Port }}"}}
+                - --metrics-address=:8082
+                - --health-probe-bind-address=:8083
+                securityContext:
+                  capabilities:
+                    add:
+                    - NET_ADMIN
+                    - NET_RAW
+{{- end }}

deployments/liqo/templates/liqo-wireguard-gateway-server-template.yaml

@@ -0,0 +1,82 @@
+{{- $templateConfig := (merge (dict "name" "wireguard-server" "module" "networking") .) -}}
+
+{{- if .Values.networking.internal }}
+
+apiVersion: networking.liqo.io/v1alpha1
+kind: WgGatewayServerTemplate
+metadata:
+  name: {{ $templateConfig.name  }}
+  labels:
+    {{- include "liqo.labels" $templateConfig | nindent 4 }}
+spec:
+  objectKind:
+    apiVersion: networking.liqo.io/v1alpha1
+    kind: WgGatewayServer
+  template:
+    metadata:
+      {{- include "liqo.metadataTemplate" $templateConfig | nindent 6 }}
+    spec:
+      service:
+        metadata:
+          {{- include "liqo.metadataTemplate" $templateConfig | nindent 12 }}
+        spec:
+          selector:
+            {{- include "liqo.labelsTemplate" $templateConfig | nindent 12 }}
+          type: "{{"{{ .Spec.Endpoint.ServiceType }}"}}"
+          ports:
+          - port: "{{"{{ .Spec.Endpoint.Port }}"}}"
+            protocol: UDP
+            targetPort: "{{"{{ .Spec.Endpoint.Port }}"}}"
+      deployment:
+        metadata:
+          {{- include "liqo.metadataTemplate" $templateConfig | nindent 10 }}
+        spec:
+          replicas: {{ .Values.networking.gateway.replicas }}
+          selector:
+            matchLabels:
+              {{- include "liqo.labelsTemplate" $templateConfig | nindent 14 }}
+          template:
+            metadata:
+              {{- include "liqo.metadataTemplate" $templateConfig | nindent 14 }}
+            spec:
+              serviceAccount: "{{"{{ .Name }}"}}"
+              serviceAccountName: "{{"{{ .Name }}"}}"
+              containers:
+              - name: gateway
+                image: ghcr.io/liqotech/gateway{{ include "liqo.suffix" $templateConfig }}:{{ include "liqo.version" $templateConfig }}
+                imagePullPolicy: Always
+                args:
+                - --name={{"{{ .Name }}"}}
+                - --namespace={{"{{ .Namespace }}"}}
+                - --remote-cluster-id={{"{{ .ClusterID }}"}}
+                - --mode=server
+                - --metrics-address=:8080
+                - --health-probe-bind-address=:8081
+                - --ping-loss-threshold=5
+                - --ping-interval=2s
+                - --ping-update-status-interval=10s
+                - --ping-loss-threshold={{ .Values.networking.gateway.ping.lossThreshold }}
+                - --ping-interval={{ .Values.networking.gateway.ping.interval }}
+                - --ping-update-status-interval={{ .Values.networking.gateway.ping.updateStatusInterval }}
+                {{- if gt .Values.networking.gateway.replicas 1.0 }}
+                - --leader-election=true
+                {{- end }}
+              - name: wireguard
+                image: ghcr.io/liqotech/gateway/wireguard{{ include "liqo.suffix" $templateConfig }}:{{ include "liqo.version" $templateConfig }}
+                imagePullPolicy: Always
+                args:
+                - --name={{"{{ .Name }}"}}
+                - --namespace={{"{{ .Namespace }}"}}
+                - --remote-cluster-id={{"{{ .ClusterID }}"}}
+                - --gateway-uid={{"{{ .GatewayUID }}"}}
+                - --mode=server
+                - --mtu={{"{{ .Spec.MTU }}"}}
+                - --listen-port={{"{{ .Spec.Endpoint.Port }}"}}
+                - --metrics-address=:8082
+                - --health-probe-bind-address=:8083
+                securityContext:
+                  capabilities:
+                    add:
+                    - NET_ADMIN
+                    - NET_RAW
+{{- end }}

deployments/liqo/values.yaml

@@ -45,6 +45,18 @@ networking:
   clientResources:
     - apiVersion: networking.liqo.io/v1alpha1
       resource: wggatewayclients
+  # -- Set the options for gateway templates
+  gateway:
+    # -- Set the number of replicas for the gateway deployments
+    replicas: 1
+    # -- Set the options to configure the gateway ping used to check connection
+    ping:
+      # -- Set the number of consecutive pings that must fail to consider the connection as lost
+      lossThreshold: 5
+      # -- Set the interval between two consecutive pings
+      interval: 2s
+      # -- Set the interval at which the connection resource status is updated
+      updateStatusInterval: 10s
 
 reflection:
   skip:

pkg/gateway/connection/conncheck/conncheck.go

@@ -91,7 +91,7 @@ func (c *ConnChecker) AddSender(ctx context.Context, clusterID, ip string, updat
 		return fmt.Errorf("failed to init peer: %w", err)
 	}
 
-	klog.Infof("conncheck sender %q added", clusterID, ip)
+	klog.Infof("conncheck sender %q added", clusterID)
 	return nil
 }
 

pkg/gateway/tunnel/wireguard/publickeys_controller.go

@@ -91,13 +91,6 @@ func (r *PublicKeysReconciler) SetupWithManager(mgr ctrl.Manager, src <-chan eve
 func (r *PublicKeysReconciler) Predicates() builder.Predicates {
 	return builder.WithPredicates(
 		predicate.NewPredicateFuncs(func(object client.Object) bool {
-			mode, ok := object.GetLabels()[string(LabelsMode)]
-			if !ok {
-				return false
-			}
-			if mode != string(r.Options.GwOptions.Mode) {
-				return false
-			}
 			id, ok := object.GetLabels()[string(consts.RemoteClusterID)]
 			if !ok {
 				return false