Skip to content

Commit

Permalink
title: Add ipsec tunnel mode to support cross clusters and elastic ip
Browse files Browse the repository at this point in the history
description:
Currently, only cross-cluster communication in non-hostwork mode is supported.
Currently, only cross-cluster communication under ipv4 network mode is supported.

Signed-off-by: GreatLazyMan <[email protected]>
  • Loading branch information
GreatLazyMan committed Jan 18, 2024
1 parent d6754c9 commit 8606e73
Show file tree
Hide file tree
Showing 34 changed files with 1,984 additions and 93 deletions.
2 changes: 1 addition & 1 deletion cluster/images/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,6 @@ ARG BINARY

RUN apk add --no-cache ca-certificates
RUN apk update && apk upgrade
RUN apk add ip6tables iptables curl tcpdump busybox-extras
RUN apk add ip6tables iptables ipset curl tcpdump busybox-extras

COPY ${BINARY} /bin/${BINARY}
7 changes: 4 additions & 3 deletions cmd/clusterlink/elector/app/elector.go
Original file line number Diff line number Diff line change
Expand Up @@ -126,10 +126,11 @@ func run(ctx context.Context, opts *options.Options) error {
err := elector.EnsureGateWayRole()
if err != nil {
klog.Errorf("set gateway role failure: %v, retry after 10 sec.", err)
time.Sleep(10 * time.Second)
time.Sleep(3 * time.Second)
} else {
klog.V(4).Info("ensure gateway role success, recheck after 60 sec.")
time.Sleep(60 * time.Second)
timeToRecheck := 3 * time.Second
klog.V(4).Infof("ensure gateway role success, recheck after %d sec.", int(timeToRecheck))
time.Sleep(timeToRecheck)
}
}
}
Expand Down
8 changes: 6 additions & 2 deletions deploy/crds/kosmos.io_clusternodes.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,8 @@ spec:
properties:
clusterName:
type: string
elasticip:
type: string
interfaceName:
type: string
ip:
Expand All @@ -63,11 +65,13 @@ spec:
type: array
type: object
status:
properties:
nodeStatus:
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
subresources: {}
12 changes: 12 additions & 0 deletions deploy/crds/kosmos.io_clusters.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,10 @@ spec:
- ip
- ip6
type: object
clusterpodCIDRs:
items:
type: string
type: array
cni:
default: calico
type: string
Expand Down Expand Up @@ -107,9 +111,17 @@ spec:
- nodeName
type: object
type: array
nodeElasticIPMap:
additionalProperties:
type: string
description: NodeElasticIPMap presents mapping between nodename
in kubernetes and elasticIP
type: object
useIPPool:
default: false
type: boolean
useexternalapiserver:
type: boolean
type: object
clusterTreeOptions:
properties:
Expand Down
58 changes: 58 additions & 0 deletions deploy/crds/kosmos.io_nodeconfigs.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,18 @@ spec:
- mac
type: object
type: array
ipsetsavoidmasq:
items:
properties:
cidr:
type: string
name:
type: string
required:
- cidr
- name
type: object
type: array
iptables:
items:
properties:
Expand Down Expand Up @@ -122,6 +134,52 @@ spec:
- gw
type: object
type: array
xfrmpolicies:
items:
properties:
dir:
type: integer
leftip:
type: string
leftnet:
type: string
reqid:
type: integer
rightip:
type: string
rightnet:
type: string
required:
- dir
- leftip
- leftnet
- reqid
- rightip
- rightnet
type: object
type: array
xfrmstates:
items:
properties:
PSK:
type: string
leftip:
type: string
reqid:
type: integer
rightip:
type: string
spi:
format: int32
type: integer
required:
- PSK
- leftip
- reqid
- rightip
- spi
type: object
type: array
type: object
status:
properties:
Expand Down
8 changes: 8 additions & 0 deletions pkg/apis/kosmos/v1alpha1/cluster_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,14 @@ type ClusterLinkOptions struct {

// +optional
AutodetectionMethod string `json:"autodetectionMethod,omitempty"`

// NodeElasticIPMap presents mapping between nodename in kubernetes and elasticIP
// +optional
NodeElasticIPMap map[string]string `json:"nodeElasticIPMap,omitempty"`
// +optional
ClusterPodCIDRs []string `json:"clusterpodCIDRs,omitempty"`
// +optional
UseExternalApiserver bool `json:"useexternalapiserver,omitempty"`
}

type ClusterTreeOptions struct {
Expand Down
5 changes: 4 additions & 1 deletion pkg/apis/kosmos/v1alpha1/clusternode_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@ import (

// +genclient
// +genclient:nonNamespaced
// +kubebuilder:subresource:status
// +kubebuilder:resource:scope="Cluster"
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:printcolumn:name="ROLES",type=string,JSONPath=`.spec.roles`
Expand All @@ -33,6 +32,8 @@ type ClusterNodeSpec struct {
// +optional
IP string `json:"ip,omitempty"`
// +optional
ElasticIP string `json:"elasticip,omitempty"`
// +optional
IP6 string `json:"ip6,omitempty"`
// +optional
Roles []Role `json:"roles,omitempty"`
Expand All @@ -41,6 +42,8 @@ type ClusterNodeSpec struct {
}

type ClusterNodeStatus struct {
// +optional
NodeStatus string `json:"nodeStatus,omitempty"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
Expand Down
14 changes: 14 additions & 0 deletions pkg/apis/kosmos/v1alpha1/constants.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,3 +28,17 @@ type DeviceType string
const (
VxlanDevice DeviceType = "vxlan"
)

const (
DefaultPSK string = "bfd6224354977084568832b811226b3d6cff6685"
DefaultPSKPreStr = "WelcometoKosmos"
DefaultReqID int = 336
)

type IPSECDirection int

const (
IPSECIn IPSECDirection = 0
IPSECOut IPSECDirection = 1
IPSECFwd IPSECDirection = 2
)
71 changes: 66 additions & 5 deletions pkg/apis/kosmos/v1alpha1/nodeconfig_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,11 +21,14 @@ type NodeConfig struct {
}

type NodeConfigSpec struct {
Devices []Device `json:"devices,omitempty"`
Routes []Route `json:"routes,omitempty"`
Iptables []Iptables `json:"iptables,omitempty"`
Fdbs []Fdb `json:"fdbs,omitempty"`
Arps []Arp `json:"arps,omitempty"`
Devices []Device `json:"devices,omitempty"`
Routes []Route `json:"routes,omitempty"`
Iptables []Iptables `json:"iptables,omitempty"`
Fdbs []Fdb `json:"fdbs,omitempty"`
Arps []Arp `json:"arps,omitempty"`
XfrmPolicies []XfrmPolicy `json:"xfrmpolicies,omitempty"`
XfrmStates []XfrmState `json:"xfrmstates,omitempty"`
IPsetsAvoidMasqs []IPset `json:"ipsetsavoidmasq,omitempty"`
}

type NodeConfigStatus struct {
Expand Down Expand Up @@ -101,6 +104,64 @@ func (a *Arp) Compare(v Arp) bool {
a.Dev == v.Dev
}

/*
Use this struct like linux command:
ip xfrm policy add src $LeftNet dst $RightNet dir $Dir \
tmpl src $LeftIP dst $RightIP proto esp reqid $ReqID mode tunnel
ip xfrm policy del src $LeftNet dst $RightNet dir $Dir \
tmpl src $LeftIP dst $RightIP proto esp reqid $ReqID mode tunnel
*/
type XfrmPolicy struct {
LeftIP string `json:"leftip"`
LeftNet string `json:"leftnet"`
RightIP string `json:"rightip"`
RightNet string `json:"rightnet"`
ReqID int `json:"reqid"`
Dir int `json:"dir"`
}

func (a *XfrmPolicy) Compare(v XfrmPolicy) bool {
return a.LeftIP == v.LeftIP &&
a.LeftNet == v.LeftNet &&
a.RightNet == v.RightNet &&
a.RightIP == v.RightIP &&
a.ReqID == v.ReqID &&
a.Dir == v.Dir
}

/*
Use this struct like linux command:
ip xfrm state add src $LeftIP dst $RightIP proto esp spi $ID reqid $ID mode tunnel aead 'rfc4106(gcm(aes))' $PSK 128
ip xfrm state del src $LeftIP dst $RightIP proto esp spi $ID reqid $ID mode tunnel aead 'rfc4106(gcm(aes))' $PSK 128
*/
type XfrmState struct {
LeftIP string `json:"leftip"`
RightIP string `json:"rightip"`
ReqID int `json:"reqid"`
SPI uint32 `json:"spi"`
PSK string `json:"PSK"`
}

func (a *XfrmState) Compare(v XfrmState) bool {
return a.LeftIP == v.LeftIP &&
a.RightIP == v.RightIP &&
a.ReqID == v.ReqID &&
a.PSK == v.PSK &&
a.SPI == v.SPI
}

type IPset struct {
CIDR string `json:"cidr"`
Name string `json:"name"`
}

func (a *IPset) Compare(v IPset) bool {
return a.CIDR == v.CIDR &&
a.Name == v.Name
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

type NodeConfigList struct {
Expand Down
72 changes: 67 additions & 5 deletions pkg/clusterlink/agent-manager/network-manager/network_manager.go
Original file line number Diff line number Diff line change
Expand Up @@ -112,6 +112,29 @@ func (e *NetworkManager) Diff(oldConfig, newConfig *clusterlinkv1alpha1.NodeConf
createConfig.Routes = createRecord
isSame = false
}
// ipsec:
if flag, deleteRecord, createRecord := compareFunc(oldConfig.XfrmPolicies, newConfig.XfrmPolicies, func(a, b clusterlinkv1alpha1.XfrmPolicy) bool {
return a.Compare(b)
}); !flag {
deleteConfig.XfrmPolicies = deleteRecord
createConfig.XfrmPolicies = createRecord
isSame = false
}
if flag, deleteRecord, createRecord := compareFunc(oldConfig.XfrmStates, newConfig.XfrmStates, func(a, b clusterlinkv1alpha1.XfrmState) bool {
return a.Compare(b)
}); !flag {
deleteConfig.XfrmStates = deleteRecord
createConfig.XfrmStates = createRecord
isSame = false
}
//ipset
if flag, deleteRecord, createRecord := compareFunc(oldConfig.IPsetsAvoidMasqs, newConfig.IPsetsAvoidMasqs, func(a, b clusterlinkv1alpha1.IPset) bool {
return a.Compare(b)
}); !flag {
deleteConfig.IPsetsAvoidMasqs = deleteRecord
createConfig.IPsetsAvoidMasqs = createRecord
isSame = false
}
// iptables:
if flag, deleteRecord, createRecord := compareFunc(oldConfig.Iptables, newConfig.Iptables, func(a, b clusterlinkv1alpha1.Iptables) bool {
return a.Compare(b)
Expand Down Expand Up @@ -188,6 +211,24 @@ func (e *NetworkManager) WriteSys(configDiff *ConfigDiff) error {
errs = errors.Wrap(err, fmt.Sprint(errs))
}
}
if config.XfrmPolicies != nil {
if err := e.NetworkInterface.DeleteXfrmPolicies(config.XfrmPolicies); err != nil {
klog.Warning(err)
errs = errors.Wrap(err, fmt.Sprint(errs))
}
}
if config.XfrmStates != nil {
if err := e.NetworkInterface.DeleteXfrmStates(config.XfrmStates); err != nil {
klog.Warning(err)
errs = errors.Wrap(err, fmt.Sprint(errs))
}
}
if config.IPsetsAvoidMasqs != nil {
if err := e.NetworkInterface.DeleteIPsetsAvoidMasq(config.IPsetsAvoidMasqs); err != nil {
klog.Warning(err)
errs = errors.Wrap(err, fmt.Sprint(errs))
}
}
}

if configDiff.createConfig != nil {
Expand Down Expand Up @@ -223,6 +264,24 @@ func (e *NetworkManager) WriteSys(configDiff *ConfigDiff) error {
errs = errors.Wrap(err, fmt.Sprint(errs))
}
}
if config.XfrmPolicies != nil {
if err := e.NetworkInterface.AddXfrmPolicies(config.XfrmPolicies); err != nil {
klog.Warning(err)
errs = errors.Wrap(err, fmt.Sprint(errs))
}
}
if config.XfrmStates != nil {
if err := e.NetworkInterface.AddXfrmStates(config.XfrmStates); err != nil {
klog.Warning(err)
errs = errors.Wrap(err, fmt.Sprint(errs))
}
}
if config.IPsetsAvoidMasqs != nil {
if err := e.NetworkInterface.AddIPsetsAvoidMasq(config.IPsetsAvoidMasqs); err != nil {
klog.Warning(err)
errs = errors.Wrap(err, fmt.Sprint(errs))
}
}
}

return errs
Expand Down Expand Up @@ -254,11 +313,14 @@ func (e *NetworkManager) UpdateFromChecker() NodeConfigSyncStatus {
}

func printNodeConfig(data *clusterlinkv1alpha1.NodeConfigSpec) {
klog.Infof("device: ", data.Devices)
klog.Infof("Arps: ", data.Arps)
klog.Infof("Fdbs: ", data.Fdbs)
klog.Infof("Iptables: ", data.Iptables)
klog.Infof("Routes: ", data.Routes)
klog.Infof("device: %v", data.Devices)
klog.Infof("Arps: %v", data.Arps)
klog.Infof("Fdbs: %v", data.Fdbs)
klog.Infof("Iptables: %v", data.Iptables)
klog.Infof("Routes: %v", data.Routes)
klog.Infof("XfrmPolicys: %v", data.XfrmPolicies)
klog.Infof("XfrmStates: %v", data.XfrmStates)
klog.Infof("IPsetsAvoidMasqs: %v", data.IPsetsAvoidMasqs)
}

func (e *NetworkManager) UpdateSync() NodeConfigSyncStatus {
Expand Down
Loading

0 comments on commit 8606e73

Please sign in to comment.