Add WireGuard tunnels for Antrea Multi-cluster cross-cluster traffic

Signed-off-by: hjiajing <hjiajing@vmware.com>

build/charts/antrea/README.md

@@ -89,6 +89,8 @@ Kubernetes: `>= 1.16.0-0`
 | multicluster.enablePodToPodConnectivity | bool | `false` | Enable Multi-cluster Pod to Pod connectivity. |
 | multicluster.enableStretchedNetworkPolicy | bool | `false` | Enable Multi-cluster NetworkPolicy. Multi-cluster Gateway must be enabled to enable StretchedNetworkPolicy. |
 | multicluster.namespace | string | `""` | The Namespace where Antrea Multi-cluster Controller is running. The default is antrea-agent's Namespace. |
+| multicluster.wireGuard.enable | bool | `false` |  |
+| multicluster.wireGuard.port | int | `51821` |  |
 | noSNAT | bool | `false` | Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. |
 | nodeIPAM.clusterCIDRs | list | `[]` | CIDR ranges to use when allocating Pod IP addresses. |
 | nodeIPAM.enable | bool | `false` | Enable Node IPAM in Antrea |

build/charts/antrea/conf/antrea-agent.conf

@@ -346,6 +346,12 @@ multicluster:
   enableStretchedNetworkPolicy: {{ .enableStretchedNetworkPolicy }}
 # Enable Pod to Pod connectivity.
   enablePodToPodConnectivity: {{ .enablePodToPodConnectivity }}
+# WireGuard tunnel configuration for cross-cluster traffic.
+  wireGuard:
+    # Enable WireGuard tunnel for cross-cluster traffic.
+    enable: {{ .wireGuard.enable }}
+    # WireGuard tunnel port for cross-cluster traffic.
+    port: {{ .wireGuard.port }}
 {{- end }}
 
 {{- if .Values.featureGates.SecondaryNetwork }}

build/charts/antrea/templates/agent/clusterrole.yaml

@@ -209,6 +209,7 @@ rules:
     - get
     - list
     - watch
+    - patch
   - apiGroups:
     - multicluster.crd.antrea.io
     resources:

build/charts/antrea/values.yaml

@@ -338,6 +338,12 @@ multicluster:
   enableStretchedNetworkPolicy: false
   # -- Enable Multi-cluster Pod to Pod connectivity.
   enablePodToPodConnectivity: false
+  # WireGuard tunnel configuration for cross-cluster traffic.
+  wireGuard:
+    # Enable WireGuard tunnel for cross-cluster traffic.
+    enable: false
+    # WireGuard tunnel port for cross-cluster traffic.
+    port: 51821
 
 testing:
   ## -- enable code coverage measurement (used when testing Antrea only).

build/yamls/antrea-aks.yml

@@ -3242,6 +3242,12 @@ data:
       enableStretchedNetworkPolicy: false
     # Enable Pod to Pod connectivity.
       enablePodToPodConnectivity: false
+    # WireGuard tunnel configuration for cross-cluster traffic.
+      wireGuard:
+        # Enable WireGuard tunnel for cross-cluster traffic.
+        enable: false
+        # WireGuard tunnel port for cross-cluster traffic.
+        port: 51821
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -3720,6 +3726,7 @@ rules:
     - get
     - list
     - watch
+    - patch
   - apiGroups:
     - multicluster.crd.antrea.io
     resources:
@@ -4299,7 +4306,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: be4d7318350c398a0362a44ff0d4ff779150a303e577ed1e2265aaa75c00546e
+        checksum/config: 17f452e2145fdf9a5b49b1f146dd99d2aac64fe609a33dab72f5c9a66dd5ee13
       labels:
         app: antrea
         component: antrea-agent
@@ -4540,7 +4547,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: be4d7318350c398a0362a44ff0d4ff779150a303e577ed1e2265aaa75c00546e
+        checksum/config: 17f452e2145fdf9a5b49b1f146dd99d2aac64fe609a33dab72f5c9a66dd5ee13
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-eks.yml

@@ -3242,6 +3242,12 @@ data:
       enableStretchedNetworkPolicy: false
     # Enable Pod to Pod connectivity.
       enablePodToPodConnectivity: false
+    # WireGuard tunnel configuration for cross-cluster traffic.
+      wireGuard:
+        # Enable WireGuard tunnel for cross-cluster traffic.
+        enable: false
+        # WireGuard tunnel port for cross-cluster traffic.
+        port: 51821
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -3720,6 +3726,7 @@ rules:
     - get
     - list
     - watch
+    - patch
   - apiGroups:
     - multicluster.crd.antrea.io
     resources:
@@ -4299,7 +4306,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: be4d7318350c398a0362a44ff0d4ff779150a303e577ed1e2265aaa75c00546e
+        checksum/config: 17f452e2145fdf9a5b49b1f146dd99d2aac64fe609a33dab72f5c9a66dd5ee13
       labels:
         app: antrea
         component: antrea-agent
@@ -4541,7 +4548,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: be4d7318350c398a0362a44ff0d4ff779150a303e577ed1e2265aaa75c00546e
+        checksum/config: 17f452e2145fdf9a5b49b1f146dd99d2aac64fe609a33dab72f5c9a66dd5ee13
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-gke.yml

@@ -3242,6 +3242,12 @@ data:
       enableStretchedNetworkPolicy: false
     # Enable Pod to Pod connectivity.
       enablePodToPodConnectivity: false
+    # WireGuard tunnel configuration for cross-cluster traffic.
+      wireGuard:
+        # Enable WireGuard tunnel for cross-cluster traffic.
+        enable: false
+        # WireGuard tunnel port for cross-cluster traffic.
+        port: 51821
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -3720,6 +3726,7 @@ rules:
     - get
     - list
     - watch
+    - patch
   - apiGroups:
     - multicluster.crd.antrea.io
     resources:
@@ -4299,7 +4306,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: fca1f2d4967020380202ef0c2394b560055830ee2770e41f791af76b42559659
+        checksum/config: 7aac7ba322070f7138eb5c847bd42b2a2de73a1f86816fa19d0d4db7d67975eb
       labels:
         app: antrea
         component: antrea-agent
@@ -4538,7 +4545,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: fca1f2d4967020380202ef0c2394b560055830ee2770e41f791af76b42559659
+        checksum/config: 7aac7ba322070f7138eb5c847bd42b2a2de73a1f86816fa19d0d4db7d67975eb
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-ipsec.yml

@@ -3255,6 +3255,12 @@ data:
       enableStretchedNetworkPolicy: false
     # Enable Pod to Pod connectivity.
       enablePodToPodConnectivity: false
+    # WireGuard tunnel configuration for cross-cluster traffic.
+      wireGuard:
+        # Enable WireGuard tunnel for cross-cluster traffic.
+        enable: false
+        # WireGuard tunnel port for cross-cluster traffic.
+        port: 51821
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -3733,6 +3739,7 @@ rules:
     - get
     - list
     - watch
+    - patch
   - apiGroups:
     - multicluster.crd.antrea.io
     resources:
@@ -4312,7 +4319,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: ab53bf1e28a67ba5be2b99989a8d28b31d716d79b207a610cd5258ead514eb6b
+        checksum/config: cb5115be05df90e1e576dbea0a75d3802ef5aebe643daf2bba524fe0df2b5bb4
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
@@ -4597,7 +4604,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: ab53bf1e28a67ba5be2b99989a8d28b31d716d79b207a610cd5258ead514eb6b
+        checksum/config: cb5115be05df90e1e576dbea0a75d3802ef5aebe643daf2bba524fe0df2b5bb4
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea.yml

@@ -3242,6 +3242,12 @@ data:
       enableStretchedNetworkPolicy: false
     # Enable Pod to Pod connectivity.
       enablePodToPodConnectivity: false
+    # WireGuard tunnel configuration for cross-cluster traffic.
+      wireGuard:
+        # Enable WireGuard tunnel for cross-cluster traffic.
+        enable: false
+        # WireGuard tunnel port for cross-cluster traffic.
+        port: 51821
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -3720,6 +3726,7 @@ rules:
     - get
     - list
     - watch
+    - patch
   - apiGroups:
     - multicluster.crd.antrea.io
     resources:
@@ -4299,7 +4306,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 2c1c5158b6a3ea32eff58bc1e498592e80ebecee07f51b10c722b67afce7b964
+        checksum/config: 8258fefd7715d5e2cb6d1b5fe0b31994d85c890e56a727a5108ba4a99765a9c8
       labels:
         app: antrea
         component: antrea-agent
@@ -4538,7 +4545,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 2c1c5158b6a3ea32eff58bc1e498592e80ebecee07f51b10c722b67afce7b964
+        checksum/config: 8258fefd7715d5e2cb6d1b5fe0b31994d85c890e56a727a5108ba4a99765a9c8
       labels:
         app: antrea
         component: antrea-controller

cmd/antrea-agent/agent.go

@@ -343,6 +343,8 @@ func run(o *Options) error {
 			mcNamespace,
 			o.config.Multicluster.EnableStretchedNetworkPolicy,
 			o.config.Multicluster.EnablePodToPodConnectivity,
+			o.config.Multicluster.WireGuard,
+			routeClient,
 		)
 	}
 	if enableMulticlusterNP {

multicluster/apis/multicluster/v1alpha1/gateway_types.go

@@ -52,6 +52,8 @@ type ClusterInfo struct {
 	GatewayInfos []GatewayInfo `json:"gatewayInfos,omitempty"`
 	// PodCIDRs is the Pod IP address CIDRs.
 	PodCIDRs []string `json:"podCIDRs,omitempty"`
+	// WireGuard has information of WireGuard tunnel.
+	WireGuard WireGuardConfig `json:"wireGuard,omitempty"`
 }
 
 //+kubebuilder:object:root=true

multicluster/apis/multicluster/v1alpha1/multiclusterconfig_types.go

@@ -31,6 +31,11 @@ const (
 	PrecedenceExternal = "external"
 )
 
+type WireGuardConfig struct {
+	PublicKey string `json:"publicKey"`
+	Port      int    `json:"port"`
+}
+
 //+kubebuilder:object:root=true
 
 // +kubebuilder:printcolumn:name="Gateway IP Precedence",type=string,JSONPath=`.gatewayIPPrecedence`,description="Precedence of Gateway IP types"

multicluster/build/yamls/antrea-multicluster-leader-global.yml

@@ -387,6 +387,17 @@ spec:
                   serviceCIDR:
                     description: ServiceCIDR is the IP ranges used by Service ClusterIP.
                     type: string
+                  wireGuard:
+                    description: WireGuard has information of WireGuard tunnel.
+                    properties:
+                      port:
+                        type: integer
+                      publicKey:
+                        type: string
+                    required:
+                    - port
+                    - publicKey
+                    type: object
                 type: object
               clusterNetworkPolicy:
                 description: If exported resource is AntreaClusterNetworkPolicy.
@@ -3079,6 +3090,17 @@ spec:
                   serviceCIDR:
                     description: ServiceCIDR is the IP ranges used by Service ClusterIP.
                     type: string
+                  wireGuard:
+                    description: WireGuard has information of WireGuard tunnel.
+                    properties:
+                      port:
+                        type: integer
+                      publicKey:
+                        type: string
+                    required:
+                    - port
+                    - publicKey
+                    type: object
                 type: object
               clusternetworkpolicy:
                 description: If imported resource is AntreaClusterNetworkPolicy.

multicluster/build/yamls/antrea-multicluster-member.yml

@@ -119,6 +119,17 @@ spec:
               serviceCIDR:
                 description: ServiceCIDR is the IP ranges used by Service ClusterIP.
                 type: string
+              wireGuard:
+                description: WireGuard has information of WireGuard tunnel.
+                properties:
+                  port:
+                    type: integer
+                  publicKey:
+                    type: string
+                required:
+                - port
+                - publicKey
+                type: object
             type: object
           status:
             description: ClusterInfoImportStatus defines the observed state of ClusterInfoImport.

multicluster/config/crd/bases/multicluster.crd.antrea.io_clusterinfoimports.yaml

@@ -65,6 +65,17 @@ spec:
               serviceCIDR:
                 description: ServiceCIDR is the IP ranges used by Service ClusterIP.
                 type: string
+              wireGuard:
+                description: WireGuard has information of WireGuard tunnel.
+                properties:
+                  port:
+                    type: integer
+                  publicKey:
+                    type: string
+                required:
+                - port
+                - publicKey
+                type: object
             type: object
           status:
             description: ClusterInfoImportStatus defines the observed state of ClusterInfoImport.

multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml

@@ -82,6 +82,17 @@ spec:
                   serviceCIDR:
                     description: ServiceCIDR is the IP ranges used by Service ClusterIP.
                     type: string
+                  wireGuard:
+                    description: WireGuard has information of WireGuard tunnel.
+                    properties:
+                      port:
+                        type: integer
+                      publicKey:
+                        type: string
+                    required:
+                    - port
+                    - publicKey
+                    type: object
                 type: object
               clusterNetworkPolicy:
                 description: If exported resource is AntreaClusterNetworkPolicy.