Investigate alternatives for StrongSwan #6027

Closed
cwayne18 opened this issue Aug 23, 2022 · 4 comments
Comments

@cwayne18
Member

For several reasons, we'd like to look into replacing StrongSwan in k3s. Let's use this issue to track progress and list out the actual work that would be involved in doing this, including investigating what we may use as a replacement (wireguard?).

@cwayne18 cwayne18 added this to the 1.24 backlog milestone Aug 23, 2022
@brandond
Member

I would personally like to deprecate it in 1.25 and remove it in 1.26, with the suggestion that anyone using the ipsec flannel backend manually migrate to wireguard-native.

@manuelbuil
Contributor

What are the reasons to remove strongswan? I'm not sure if we can really treat wireguard as an "improved" strongswan. Therefore, we could find strongswan users against moving to wireguard.

@brandond
Member

For supportability reasons, we're investigating dropping external components from K3s that are linked against crypto libraries. All of the golang components can be built with goboring/boringssl, but strongswan uses openssl (if I remember correctly).

There's also the fact that wireguard is easier to support since it's all in the kernel, and dropping the strongswan component from k3s-root would save us a decent chunk of size from the shipping binary.
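
The supportability argument above is about which shipped binaries carry their own crypto. The following is an added example, not k3s project code, of a small audit that classifies each binary in a directory as dynamically linked against OpenSSL (libcrypto/libssl), built with the goboring toolchain (such binaries embed `goboringcrypto` symbol names), or neither. Both checks are heuristics: the goboring check is a string match, not a FIPS validation, and the directory default (`/var/lib/rancher/k3s/data/current/bin`, where k3s unpacks k3s-root) is an assumption; pass another directory as the first argument to audit something else.

```shell
#!/bin/sh
# Added example (not k3s project code): audit which binaries in a directory
# carry their own crypto, the supportability question raised in the thread.
#
# Heuristics (labelled as such):
#  1. `readelf -d` lists a NEEDED entry for libcrypto/libssl -> "openssl".
#     readelf is used instead of ldd because ldd may execute the target's
#     loader, which is unsafe on binaries you do not trust.
#  2. The file embeds the string "goboringcrypto" -> "goboring". Go binaries
#     built with the goboring toolchain carry these symbol names; upstream
#     Go builds do not. This is a string match, not a FIPS validation.
#
# Assumed default location: /var/lib/rancher/k3s/data/current/bin (the
# k3s-root unpack dir); override with $1.

# True if the ELF file declares a dynamic dependency on libcrypto or libssl.
links_openssl() {
  readelf -d "$1" 2>/dev/null | grep -Eq 'NEEDED.*lib(crypto|ssl)\.so'
}

# True if the file embeds goboringcrypto symbol names.
has_goboring() {
  grep -aq 'goboringcrypto' "$1" 2>/dev/null
}

# Classify one file; prints exactly one of: openssl, goboring, none.
classify_crypto() {
  if links_openssl "$1"; then
    echo openssl
  elif has_goboring "$1"; then
    echo goboring
  else
    echo none
  fi
}

# Print one line per regular file in the directory: <name> <classification>.
audit_crypto_dir() {
  dir="${1:-/var/lib/rancher/k3s/data/current/bin}"
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    printf '%-40s %s\n' "$(basename "$f")" "$(classify_crypto "$f")"
  done
}

# Usage: source this file, then run `audit_crypto_dir` (or
# `audit_crypto_dir /some/other/bin`). Nothing runs on load.
```

A binary reported as `openssl` is one whose cipher and protocol behaviour is governed by a separately shipped OpenSSL build rather than the Go toolchain, which is precisely the class of component the comment above proposes dropping; `none` only means neither heuristic matched, not that the binary does no cryptography.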

@VestigeJ

$ k3s -v

k3s version v1.26.0-rc2+k3s1 (fae88176)
go version go1.19.4

=========== k3s config ===========
write-kubeconfig-mode: 644
debug: true
flannel-backend: ipsec

$ k3s server --help | grep flannel-backend

   --flannel-backend value                    (networking) backend<=option1=val1,option2=val2> where backend is one of 'none', 'vxlan', 'ipsec' (deprecated), 'host-gw', 'wireguard-native', 'wireguard' (deprecated) (default: "vxlan")

$ VERSION=v1.26.0-rc2+k3s1
$ sudo INSTALL_K3S_VERSION=$VERSION INSTALL_K3S_EXEC=server ./install-k3s.sh

[INFO]  Using v1.26.0-rc2+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.26.0-rc2+k3s1/sha256sum-amd64.txt
[INFO]  Downloading binary https://github.com/k3s-io/k3s/releases/download/v1.26.0-rc2+k3s1/k3s
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[INFO]  Skipping installation of SELinux RPM
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Creating /usr/local/bin/ctr symlink to k3s
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s.service
[INFO]  systemd: Enabling k3s unit
Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service.
[INFO]  systemd: Starting k3s
Job for k3s.service failed because the control process exited with error code.
See "systemctl status k3s.service" and "journalctl -xeu k3s.service" for details.

journalctl output

Dec 20 17:26:47 ip-172-31-25-246 k3s[3743]: time="2022-12-20T17:26:47Z" level=debug msg="Creating the CNI conf in directory /var/lib/rancher/k3s/agent/etc/cni/net.d"
Dec 20 17:26:47 ip-172-31-25-246 k3s[3743]: time="2022-12-20T17:26:47Z" level=debug msg="Creating the flannel configuration for backend ipsec in file /var/lib/rancher/k3s/agent/etc/flannel/net-conf.json"
Dec 20 17:26:47 ip-172-31-25-246 k3s[3743]: time="2022-12-20T17:26:47Z" level=fatal msg="k3s no longer includes strongswan - please install strongswan's swanctl and charon packages on your host: exec: \"swanctl\": executable file not found in $PATH"
Dec 20 17:26:47 ip-172-31-25-246 systemd[1]: k3s.service: Main process exited, code=exited, status=1/FAILURE
