Add WireGuard tunnels for Multi-cluster traffic

Signed-off-by: hujiajing <hjiajing@vmware.com>
antrea-io · Feb 15, 2023 · 2d4d744 · 2d4d744
1 parent 99f2680
commit 2d4d744
Show file tree

Hide file tree

Showing 34 changed files with 846 additions and 115 deletions.
diff --git a/build/charts/antrea/conf/antrea-agent.conf b/build/charts/antrea/conf/antrea-agent.conf
@@ -346,6 +346,12 @@ multicluster:
   enableStretchedNetworkPolicy: {{ .enableStretchedNetworkPolicy }}
 # Enable Pod to Pod connectivity.
   enablePodToPodConnectivity: {{ .enablePodToPodConnectivity }}
+# WireGuard tunnel configuration for cross-cluster traffic.
+  wireGuard:
+    # Enable WireGuard tunnel for cross-cluster traffic.
+    enable: {{ .wireGuard.enable }}
+    # WireGuard tunnel port for cross-cluster traffic.
+    port: {{ .wireGuard.port }}
 {{- end }}
 
 {{- if .Values.featureGates.SecondaryNetwork }}

diff --git a/build/charts/antrea/values.yaml b/build/charts/antrea/values.yaml
@@ -338,6 +338,12 @@ multicluster:
   enableStretchedNetworkPolicy: false
   # -- Enable Multi-cluster Pod to Pod connectivity.
   enablePodToPodConnectivity: false
+  # WireGuard tunnel configuration for cross-cluster traffic.
+  wireGuard:
+    # Enable WireGuard tunnel for cross-cluster traffic.
+    enable: false
+    # WireGuard tunnel port for cross-cluster traffic.
+    port: 51821
 
 testing:
   ## -- enable code coverage measurement (used when testing Antrea only).

diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
@@ -3242,6 +3242,12 @@ data:
       enableStretchedNetworkPolicy: false
     # Enable Pod to Pod connectivity.
       enablePodToPodConnectivity: false
+    # WireGuard tunnel configuration for cross-cluster traffic.
+      wireGuard:
+        # Enable WireGuard tunnel for cross-cluster traffic.
+        enable: false
+        # WireGuard tunnel port for cross-cluster traffic.
+        port: 51821
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -4299,11 +4305,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-<<<<<<< HEAD
-        checksum/config: be4d7318350c398a0362a44ff0d4ff779150a303e577ed1e2265aaa75c00546e
-=======
-        checksum/config: 5e86a889fca88734845bed60765a31dd090ba17830f29aaecc0b162e83e725ba
->>>>>>> 259c89b1 (Add toggle for Multi-cluster Pod-to-Pod connectivity)
+        checksum/config: 17f452e2145fdf9a5b49b1f146dd99d2aac64fe609a33dab72f5c9a66dd5ee13
       labels:
         app: antrea
         component: antrea-agent
@@ -4544,11 +4546,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-<<<<<<< HEAD
-        checksum/config: be4d7318350c398a0362a44ff0d4ff779150a303e577ed1e2265aaa75c00546e
-=======
-        checksum/config: 5e86a889fca88734845bed60765a31dd090ba17830f29aaecc0b162e83e725ba
->>>>>>> 259c89b1 (Add toggle for Multi-cluster Pod-to-Pod connectivity)
+        checksum/config: 17f452e2145fdf9a5b49b1f146dd99d2aac64fe609a33dab72f5c9a66dd5ee13
       labels:
         app: antrea
         component: antrea-controller

diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
@@ -3242,6 +3242,12 @@ data:
       enableStretchedNetworkPolicy: false
     # Enable Pod to Pod connectivity.
       enablePodToPodConnectivity: false
+    # WireGuard tunnel configuration for cross-cluster traffic.
+      wireGuard:
+        # Enable WireGuard tunnel for cross-cluster traffic.
+        enable: false
+        # WireGuard tunnel port for cross-cluster traffic.
+        port: 51821
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -4299,7 +4305,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: be4d7318350c398a0362a44ff0d4ff779150a303e577ed1e2265aaa75c00546e
+        checksum/config: 17f452e2145fdf9a5b49b1f146dd99d2aac64fe609a33dab72f5c9a66dd5ee13
       labels:
         app: antrea
         component: antrea-agent
@@ -4541,7 +4547,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: be4d7318350c398a0362a44ff0d4ff779150a303e577ed1e2265aaa75c00546e
+        checksum/config: 17f452e2145fdf9a5b49b1f146dd99d2aac64fe609a33dab72f5c9a66dd5ee13
       labels:
         app: antrea
         component: antrea-controller

diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
@@ -3242,6 +3242,12 @@ data:
       enableStretchedNetworkPolicy: false
     # Enable Pod to Pod connectivity.
       enablePodToPodConnectivity: false
+    # WireGuard tunnel configuration for cross-cluster traffic.
+      wireGuard:
+        # Enable WireGuard tunnel for cross-cluster traffic.
+        enable: false
+        # WireGuard tunnel port for cross-cluster traffic.
+        port: 51821
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -4299,11 +4305,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-<<<<<<< HEAD
-        checksum/config: fca1f2d4967020380202ef0c2394b560055830ee2770e41f791af76b42559659
-=======
-        checksum/config: 498f6060a4d4397c8ce36007eebbe29ac4650f30b393a45bdef064db89eff868
->>>>>>> 259c89b1 (Add toggle for Multi-cluster Pod-to-Pod connectivity)
+        checksum/config: 7aac7ba322070f7138eb5c847bd42b2a2de73a1f86816fa19d0d4db7d67975eb
       labels:
         app: antrea
         component: antrea-agent
@@ -4542,11 +4544,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-<<<<<<< HEAD
-        checksum/config: fca1f2d4967020380202ef0c2394b560055830ee2770e41f791af76b42559659
-=======
-        checksum/config: 498f6060a4d4397c8ce36007eebbe29ac4650f30b393a45bdef064db89eff868
->>>>>>> 259c89b1 (Add toggle for Multi-cluster Pod-to-Pod connectivity)
+        checksum/config: 7aac7ba322070f7138eb5c847bd42b2a2de73a1f86816fa19d0d4db7d67975eb
       labels:
         app: antrea
         component: antrea-controller

diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
@@ -3255,6 +3255,12 @@ data:
       enableStretchedNetworkPolicy: false
     # Enable Pod to Pod connectivity.
       enablePodToPodConnectivity: false
+    # WireGuard tunnel configuration for cross-cluster traffic.
+      wireGuard:
+        # Enable WireGuard tunnel for cross-cluster traffic.
+        enable: false
+        # WireGuard tunnel port for cross-cluster traffic.
+        port: 51821
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -4312,7 +4318,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: ab53bf1e28a67ba5be2b99989a8d28b31d716d79b207a610cd5258ead514eb6b
+        checksum/config: cb5115be05df90e1e576dbea0a75d3802ef5aebe643daf2bba524fe0df2b5bb4
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
@@ -4597,7 +4603,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: ab53bf1e28a67ba5be2b99989a8d28b31d716d79b207a610cd5258ead514eb6b
+        checksum/config: cb5115be05df90e1e576dbea0a75d3802ef5aebe643daf2bba524fe0df2b5bb4
       labels:
         app: antrea
         component: antrea-controller

diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
@@ -3242,6 +3242,12 @@ data:
       enableStretchedNetworkPolicy: false
     # Enable Pod to Pod connectivity.
       enablePodToPodConnectivity: false
+    # WireGuard tunnel configuration for cross-cluster traffic.
+      wireGuard:
+        # Enable WireGuard tunnel for cross-cluster traffic.
+        enable: false
+        # WireGuard tunnel port for cross-cluster traffic.
+        port: 51821
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -4299,7 +4305,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 2c1c5158b6a3ea32eff58bc1e498592e80ebecee07f51b10c722b67afce7b964
+        checksum/config: 8258fefd7715d5e2cb6d1b5fe0b31994d85c890e56a727a5108ba4a99765a9c8
       labels:
         app: antrea
         component: antrea-agent
@@ -4538,7 +4544,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 2c1c5158b6a3ea32eff58bc1e498592e80ebecee07f51b10c722b67afce7b964
+        checksum/config: 8258fefd7715d5e2cb6d1b5fe0b31994d85c890e56a727a5108ba4a99765a9c8
       labels:
         app: antrea
         component: antrea-controller

diff --git a/cmd/antrea-agent/agent.go b/cmd/antrea-agent/agent.go
@@ -343,6 +343,8 @@ func run(o *Options) error {
 			mcNamespace,
 			o.config.Multicluster.EnableStretchedNetworkPolicy,
 			o.config.Multicluster.EnablePodToPodConnectivity,
+			o.config.Multicluster.WireGuard,
+			routeClient,
 		)
 	}
 	if enableMulticlusterNP {

diff --git a/multicluster/apis/multicluster/v1alpha1/gateway_types.go b/multicluster/apis/multicluster/v1alpha1/gateway_types.go
@@ -52,6 +52,8 @@ type ClusterInfo struct {
 	GatewayInfos []GatewayInfo `json:"gatewayInfos,omitempty"`
 	// PodCIDRs is the Pod IP address CIDRs.
 	PodCIDRs []string `json:"podCIDRs,omitempty"`
+	// WireGuard has information of WireGuard tunnel.
+	WireGuard WireGuardConfig `json:"wireGuard,omitempty"`
 }
 
 //+kubebuilder:object:root=true

diff --git a/multicluster/apis/multicluster/v1alpha1/multiclusterconfig_types.go b/multicluster/apis/multicluster/v1alpha1/multiclusterconfig_types.go
@@ -31,6 +31,11 @@ const (
 	PrecedenceExternal = "external"
 )
 
+type WireGuardConfig struct {
+	PublicKey string `json:"publicKey"`
+	Port      int    `json:"port"`
+}
+
 //+kubebuilder:object:root=true
 
 // +kubebuilder:printcolumn:name="Gateway IP Precedence",type=string,JSONPath=`.gatewayIPPrecedence`,description="Precedence of Gateway IP types"

diff --git a/multicluster/build/yamls/antrea-multicluster-leader-global.yml b/multicluster/build/yamls/antrea-multicluster-leader-global.yml
@@ -387,6 +387,17 @@ spec:
                   serviceCIDR:
                     description: ServiceCIDR is the IP ranges used by Service ClusterIP.
                     type: string
+                  wireGuard:
+                    description: WireGuard has information of WireGuard tunnel.
+                    properties:
+                      port:
+                        type: integer
+                      publicKey:
+                        type: string
+                    required:
+                    - port
+                    - publicKey
+                    type: object
                 type: object
               clusterNetworkPolicy:
                 description: If exported resource is AntreaClusterNetworkPolicy.
@@ -3079,6 +3090,17 @@ spec:
                   serviceCIDR:
                     description: ServiceCIDR is the IP ranges used by Service ClusterIP.
                     type: string
+                  wireGuard:
+                    description: WireGuard has information of WireGuard tunnel.
+                    properties:
+                      port:
+                        type: integer
+                      publicKey:
+                        type: string
+                    required:
+                    - port
+                    - publicKey
+                    type: object
                 type: object
               clusternetworkpolicy:
                 description: If imported resource is AntreaClusterNetworkPolicy.

diff --git a/multicluster/build/yamls/antrea-multicluster-member.yml b/multicluster/build/yamls/antrea-multicluster-member.yml
@@ -119,6 +119,17 @@ spec:
               serviceCIDR:
                 description: ServiceCIDR is the IP ranges used by Service ClusterIP.
                 type: string
+              wireGuard:
+                description: WireGuard has information of WireGuard tunnel.
+                properties:
+                  port:
+                    type: integer
+                  publicKey:
+                    type: string
+                required:
+                - port
+                - publicKey
+                type: object
             type: object
           status:
             description: ClusterInfoImportStatus defines the observed state of ClusterInfoImport.

diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_clusterinfoimports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_clusterinfoimports.yaml
@@ -65,6 +65,17 @@ spec:
               serviceCIDR:
                 description: ServiceCIDR is the IP ranges used by Service ClusterIP.
                 type: string
+              wireGuard:
+                description: WireGuard has information of WireGuard tunnel.
+                properties:
+                  port:
+                    type: integer
+                  publicKey:
+                    type: string
+                required:
+                - port
+                - publicKey
+                type: object
             type: object
           status:
             description: ClusterInfoImportStatus defines the observed state of ClusterInfoImport.

diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml
@@ -82,6 +82,17 @@ spec:
                   serviceCIDR:
                     description: ServiceCIDR is the IP ranges used by Service ClusterIP.
                     type: string
+                  wireGuard:
+                    description: WireGuard has information of WireGuard tunnel.
+                    properties:
+                      port:
+                        type: integer
+                      publicKey:
+                        type: string
+                    required:
+                    - port
+                    - publicKey
+                    type: object
                 type: object
               clusterNetworkPolicy:
                 description: If exported resource is AntreaClusterNetworkPolicy.

diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml
@@ -80,6 +80,17 @@ spec:
                   serviceCIDR:
                     description: ServiceCIDR is the IP ranges used by Service ClusterIP.
                     type: string
+                  wireGuard:
+                    description: WireGuard has information of WireGuard tunnel.
+                    properties:
+                      port:
+                        type: integer
+                      publicKey:
+                        type: string
+                    required:
+                    - port
+                    - publicKey
+                    type: object
                 type: object
               clusternetworkpolicy:
                 description: If imported resource is AntreaClusterNetworkPolicy.