Add WireGuard tunnels for Multi-cluster traffic #4606
Conversation
Codecov Report
@@ Coverage Diff @@
## main #4606 +/- ##
==========================================
- Coverage 69.79% 69.60% -0.20%
==========================================
Files 402 403 +1
Lines 59570 59981 +411
==========================================
+ Hits 41579 41747 +168
- Misses 15189 15424 +235
- Partials 2802 2810 +8
*This pull request uses carry forward flags. Click here to find out more.
|
|
@hjiajing please update your PR summary with well-structure sentences, and also include summary in your top commit to help developer to check what does the commit do without checking the PR in the future. |
hjiajing
force-pushed
the
wireguard
branch
2 times, most recently
from
2d4d744
to
5ca2c28
Compare
hjiajing
force-pushed
the
wireguard
branch
5 times, most recently
from
08769ca
to
2154901
Compare
hjiajing
force-pushed
the
wireguard
branch
2 times, most recently
from
014d4ae
to
4ccdccc
Compare
multicluster/controllers/multicluster/member/gateway_controller.go
Outdated
Show resolved
Hide resolved
pkg/agent/openflow/pipeline.go
Outdated
| @@ -377,7 +377,8 @@ var DispositionToString = map[uint32]string{ | |||
| var ( | |||
| // snatPktMarkRange takes an 8-bit range of pkt_mark to store the ID of | |||
| // a SNAT IP. The bit range must match SNATIPMarkMask. | |||
| snatPktMarkRange = &binding.Range{0, 7} | |||
| snatPktMarkRange = &binding.Range{0, 7} | |||
| multiclusterPktMarkRange = &binding.Range{0, 31} | |||
There was a problem hiding this comment.
Better to add a comment for this.
There was a problem hiding this comment.
We do not need this range as the mark is constant. LoadPktMarkRange accepts nil as the second parameter.
There was a problem hiding this comment.
One bit is enough if the mark is constant, like 0x10/0x10.
multicluster/controllers/multicluster/member/gateway_controller.go
Outdated
Show resolved
Hide resolved
hjiajing
force-pushed
the
wireguard
branch
6 times, most recently
from
e25e55c
to
f5fe28f
Compare
pkg/agent/openflow/pipeline.go
Outdated
| @@ -377,7 +377,8 @@ var DispositionToString = map[uint32]string{ | |||
| var ( | |||
| // snatPktMarkRange takes an 8-bit range of pkt_mark to store the ID of | |||
| // a SNAT IP. The bit range must match SNATIPMarkMask. | |||
| snatPktMarkRange = &binding.Range{0, 7} | |||
| snatPktMarkRange = &binding.Range{0, 7} | |||
| multiclusterPktMarkRange = &binding.Range{0, 31} | |||
There was a problem hiding this comment.
We do not need this range as the mark is constant. LoadPktMarkRange accepts nil as the second parameter.
pkg/agent/openflow/multicluster.go
Outdated
|
|
||
| // MulticlusterPktMark is the packet marker used for mark the cross-cluster | ||
| // traffic in Antrea Multi-cluster. | ||
| MulticlusterPktMark uint32 = 0x4d2 |
There was a problem hiding this comment.
I am not sure if 0x4d2 (1234 in decimal) is a meaningful value here. Egress allocates [1,255] for the pkt_mark. So in theory any value above 255 should be OK. But we might want to reservice more bits in case we want to extend the egress feature in the future.
There was a problem hiding this comment.
Done. Just use one bit now.
There was a problem hiding this comment.
Maybe add some description about how the traffic of a Pod is forwarded to another cluster via WireGuard.
A question about the design: why policy-based routing (ip rule, pkt mark and another route table) is used? Is there any possible to implement the target by adding static route in main route table? If we introduce policy-based routing in this PR, do you think we can use policy-based routing in other components of Antrea @jianjuns @tnqn ?
pkg/agent/openflow/pipeline.go
Outdated
| @@ -377,7 +377,8 @@ var DispositionToString = map[uint32]string{ | |||
| var ( | |||
| // snatPktMarkRange takes an 8-bit range of pkt_mark to store the ID of | |||
| // a SNAT IP. The bit range must match SNATIPMarkMask. | |||
| snatPktMarkRange = &binding.Range{0, 7} | |||
| snatPktMarkRange = &binding.Range{0, 7} | |||
| multiclusterPktMarkRange = &binding.Range{0, 31} | |||
There was a problem hiding this comment.
One bit is enough if the mark is constant, like 0x10/0x10.
| } | ||
|
|
||
| func (c *MCRouteController) initializeWireGuardInterface() error { | ||
| c.wireGuardConfig.MTU = c.nodeConfig.NodeMTU - config.WireGuardOverhead - config.GeneveOverhead |
There was a problem hiding this comment.
Why geneve overhead is included?
There was a problem hiding this comment.
+1, @hjiajing you should check current tunnel type in NetworkConfig.
There was a problem hiding this comment.
Thanks for the advice, will do it later.
There was a problem hiding this comment.
We should use NetworkConfig.MTUDeduction in Lan's PR #4407.
There was a problem hiding this comment.
Thanks for reminder, will rebase and fix it .
hjiajing
force-pushed
the
wireguard
branch
3 times, most recently
from
9017a57
to
d979b4e
Compare
|
/test-all |
|
@hjiajing could you check if possible to improve the patch test coverage? |
luolanzone
added
the
action/release-note
|
@hjiajing please resolve the file conflict. |
|
/test-all |
|
/test-e2e |
There was a problem hiding this comment.
LGTM overall, a few nits on the test file. @jianjuns could you take a look again? thanks.
multicluster/config/crd/bases/multicluster.crd.antrea.io_gateways.yaml
Outdated
Show resolved
Hide resolved
pkg/agent/route/route_linux.go
Outdated
| LinkIndex: linkIndex, | ||
| } | ||
|
|
||
| return c.netlink.RouteDel(route) |
There was a problem hiding this comment.
It should check the error is not NotFound, otherwise if the route doesn't exist somehow, the caller will keep retrying.
There was a problem hiding this comment.
A check is added, when got "no such process", which means the route does not exist, the function will return nil
hjiajing
force-pushed
the
wireguard
branch
2 times, most recently
from
e02018e
to
0055bef
Compare
|
@tnqns Hi Quan. I have addressed the comments you left, but after I pushed the latest code, some comments disappeared both in the conversation and |
| remoteWireGuardIP := serviceIP.Mask(serviceCIDR.Mask) | ||
| remoteWireGuardNet := &net.IPNet{IP: remoteWireGuardIP, Mask: net.CIDRMask(32, 32)} |
There was a problem hiding this comment.
You mean the value is provided be user, not discovered by program?
| _, serviceCIDR, err := net.ParseCIDR(spec.ServiceCIDR) | ||
| if err != nil { | ||
| klog.Warningf("Failed to get the peer Gateway IP for WireGuard, error: %v", err) | ||
| return nil |
There was a problem hiding this comment.
I think we can now remove the error handling of net.ParseCIDR assuming the CIDR in the spec is either empty or valid. We should validate input before it's accepted and no need to validate it again when consuming it.
| func getLocalGatewayIP(gateway *mcv1alpha1.Gateway, enableWireGuard bool) net.IP { | ||
| if enableWireGuard { | ||
| if gateway.ServiceCIDR == "" { | ||
| klog.InfoS("The ServiceCIDR has not been updated, skip.", "Gateway", klog.KObj(gateway)) |
There was a problem hiding this comment.
| klog.InfoS("The ServiceCIDR has not been updated, skip.", "Gateway", klog.KObj(gateway)) | |
| klog.InfoS("The ServiceCIDR of the Gateway has not been updated, skip it", "Gateway", klog.KObj(gateway)) |
| if err != nil { | ||
| klog.Warningf("Failed to get the local Gateway IP for WireGuard, error: %v", err) | ||
| return nil |
| if cache.Spec.ServiceCIDR == cur.Spec.ServiceCIDR && cache.Spec.WireGuard != nil && cur.Spec.WireGuard != nil && | ||
| cache.Spec.WireGuard.PublicKey == cur.Spec.WireGuard.PublicKey { | ||
| return false | ||
| } | ||
| return true |
There was a problem hiding this comment.
It should return false when both old WireGuard and new WireGuard are nil.
| if cache.Spec.ServiceCIDR == cur.Spec.ServiceCIDR && cache.Spec.WireGuard != nil && cur.Spec.WireGuard != nil && | |
| cache.Spec.WireGuard.PublicKey == cur.Spec.WireGuard.PublicKey { | |
| return false | |
| } | |
| return true | |
| if cache.Spec.ServiceCIDR != cur.Spec.ServiceCIDR { | |
| return true | |
| } | |
| if cache.Spec.WireGuard == nil && cur.Spec.WireGuard == nil { | |
| return false | |
| } | |
| if cache.Spec.WireGuard == nil || cur.Spec.WireGuard == nil { | |
| return true | |
| } | |
| return cache.Spec.WireGuard.PublicKey != cur.Spec.WireGuard.PublicKey |
pkg/agent/route/route_windows.go
Outdated
| } | ||
|
|
||
| func (c *Client) DeleteRouteForLink(dstCIDR *net.IPNet, linkIndex int) error { | ||
| return errors.New("AddRouteForLink is not implemented on Windows") |
There was a problem hiding this comment.
| return errors.New("AddRouteForLink is not implemented on Windows") | |
| return errors.New("DeleteRouteForLink is not implemented on Windows") |
Add a traffic encryption mode for cross-cluster traffic. If WireGuard enabled, corresponding WireGuard configuration will be created on the Gateway Node. And all cross-cluster traffic will go through the WireGuard tunnel to remote Gateway. Signed-off-by: hjiajing <hjiajing@vmware.com>
|
@jianjuns @luolanzone do you have other comments for this one? |
There was a problem hiding this comment.
@jianjuns @luolanzone do you have other comments for this one?
I am good.
|
/test-multicluster-e2e |
|
/test-multicluster-e2e |
…ntrea-io#4606) Add a traffic encryption mode for cross-cluster traffic. If WireGuard is enabled, corresponding WireGuard configuration will be created on the Gateway Node. And all cross-cluster traffic will go through the WireGuard tunnel to remote Gateway. Signed-off-by: hjiajing <hjiajing@vmware.com>
Add WireGuard tunnels mode for Multi-cluster traffic. WireGuard tunnels will be established between member clusters and responsible for all cross-cluster traffic in this mode.
Implementation:
10.10.1.0/24, then the WireGuard interface's IP address is10.10.1.0.