k3s/pkg/agent/flannel/setup.go

package flannel

import (
	"context"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
	"time"

	"github.com/rancher/k3s/pkg/agent/util"
	"github.com/rancher/k3s/pkg/daemons/config"
	"github.com/sirupsen/logrus"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	v1 "k8s.io/client-go/kubernetes/typed/core/v1"
)

const (
	cniConf = `{
  "name":"cbr0",
  "cniVersion":"0.3.1",
  "plugins":[
    {
      "type":"flannel",
      "delegate":{
        "hairpinMode":true,
        "forceAddress":true,
        "isDefaultGateway":true
      }
    },
    {
      "type":"portmap",
      "capabilities":{
        "portMappings":true
      }
    }
  ]
}
`

	flannelConf = `{
	"Network": "%CIDR%",
	"Backend": %backend%
}
`

	vxlanBackend = `{
	"Type": "vxlan"
}`

	ipsecBackend = `{
	"Type": "ipsec",
	"UDPEncap": true,
	"PSK": "%psk%"
}`

	wireguardBackend = `{
	"Type": "extension",
	"PreStartupCommand": "wg genkey | tee privatekey | wg pubkey",
	"PostStartupCommand": "export SUBNET_IP=$(echo $SUBNET | cut -d'/' -f 1); ip link del flannel.1 2>/dev/null; echo $PATH >&2; wg-add.sh flannel.1 && wg set flannel.1 listen-port 51820 private-key privatekey && ip addr add $SUBNET_IP/32 dev flannel.1 && ip link set flannel.1 up && ip route add $NETWORK dev flannel.1",
	"ShutdownCommand": "ip link del flannel.1",
	"SubnetAddCommand": "read PUBLICKEY; wg set flannel.1 peer $PUBLICKEY endpoint $PUBLIC_IP:51820 allowed-ips $SUBNET persistent-keepalive 25",
	"SubnetRemoveCommand": "read PUBLICKEY; wg set flannel.1 peer $PUBLICKEY remove"
}`
)

func Prepare(ctx context.Context, nodeConfig *config.Node) error {
	if err := createCNIConf(nodeConfig.AgentConfig.CNIConfDir); err != nil {
		return err
	}

	return createFlannelConf(nodeConfig)
}

func Run(ctx context.Context, nodeConfig *config.Node, nodes v1.NodeInterface) error {
	nodeName := nodeConfig.AgentConfig.NodeName

	for {
		node, err := nodes.Get(nodeName, metav1.GetOptions{})
		if err == nil && node.Spec.PodCIDR != "" {
			break
		}
		if err == nil {
			logrus.Infof("waiting for node %s CIDR not assigned yet", nodeName)
		} else {
			logrus.Infof("waiting for node %s: %v", nodeName, err)
		}
		time.Sleep(2 * time.Second)
	}

	go func() {
		err := flannel(ctx, nodeConfig.FlannelIface, nodeConfig.FlannelConf, nodeConfig.AgentConfig.KubeConfigKubelet)
		logrus.Fatalf("flannel exited: %v", err)
	}()

	return nil
}

func createCNIConf(dir string) error {
	if dir == "" {
		return nil
	}
	p := filepath.Join(dir, "10-flannel.conflist")
	return util.WriteFile(p, cniConf)
}

func createFlannelConf(nodeConfig *config.Node) error {
	if nodeConfig.FlannelConf == "" {
		return nil
	}
	if nodeConfig.FlannelConfOverride {
		logrus.Infof("Using custom flannel conf defined at %s", nodeConfig.FlannelConf)
		return nil
	}
	confJSON := strings.Replace(flannelConf, "%CIDR%", nodeConfig.AgentConfig.ClusterCIDR.String(), -1)

	var backendConf string

	switch nodeConfig.FlannelBackend {
	case config.FlannelBackendVXLAN:
		backendConf = vxlanBackend
	case config.FlannelBackendIPSEC:
		backendConf = strings.Replace(ipsecBackend, "%psk%", nodeConfig.AgentConfig.IPSECPSK, -1)
		if err := setupStrongSwan(nodeConfig); err != nil {
			return err
		}
	case config.FlannelBackendWireguard:
		backendConf = wireguardBackend
	default:
		return fmt.Errorf("Cannot configure unknown flannel backend '%s'", nodeConfig.FlannelBackend)
	}
	confJSON = strings.Replace(confJSON, "%backend%", backendConf, -1)

	return util.WriteFile(nodeConfig.FlannelConf, confJSON)
}

func setupStrongSwan(nodeConfig *config.Node) error {
	// if data dir env is not set point to root
	dataDir := os.Getenv("K3S_DATA_DIR")
	if dataDir == "" {
		dataDir = "/"
	}
	dataDir = path.Join(dataDir, "etc", "strongswan")

	info, err := os.Lstat(nodeConfig.AgentConfig.StrongSwanDir)
	// something exists but is not a symlink, return
	if err == nil && info.Mode()&os.ModeSymlink == 0 {
		return nil
	}
	if err == nil {
		target, err := os.Readlink(nodeConfig.AgentConfig.StrongSwanDir)
		// current link is the same, return
		if err == nil && target == dataDir {
			return nil
		}
	}

	// clean up strongswan old link
	os.Remove(nodeConfig.AgentConfig.StrongSwanDir)

	// make new strongswan link
	return os.Symlink(dataDir, nodeConfig.AgentConfig.StrongSwanDir)
}
Initial Commit 2019-01-01 08:23:01 +00:00			`package flannel`

			`import (`
			`"context"`
Add --flannel-backend flag 2019-09-03 23:41:54 +00:00			`"fmt"`
Add strongswan utilities for ipsec 2019-09-06 00:39:18 +00:00			`"os"`
			`"path"`
Continued refactoring 2019-01-09 16:54:15 +00:00			`"path/filepath"`
Initial Commit 2019-01-01 08:23:01 +00:00			`"strings"`
			`"time"`

Continued refactoring 2019-01-09 16:54:15 +00:00			`"github.com/rancher/k3s/pkg/agent/util"`
			`"github.com/rancher/k3s/pkg/daemons/config"`
Initial Commit 2019-01-01 08:23:01 +00:00			`"github.com/sirupsen/logrus"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
Refactor tokens, bootstrap, and cli args 2019-10-27 05:53:25 +00:00			`v1 "k8s.io/client-go/kubernetes/typed/core/v1"`
Initial Commit 2019-01-01 08:23:01 +00:00			`)`

			`const (`
			cniConf = `{
			`"name":"cbr0",`
			`"cniVersion":"0.3.1",`
			`"plugins":[`
			`{`
			`"type":"flannel",`
			`"delegate":{`
Enable hairpin mode 2019-08-11 05:50:21 +00:00			`"hairpinMode":true,`
Initial Commit 2019-01-01 08:23:01 +00:00			`"forceAddress":true,`
			`"isDefaultGateway":true`
			`}`
			`},`
			`{`
			`"type":"portmap",`
			`"capabilities":{`
			`"portMappings":true`
			`}`
			`}`
			`]`
			`}`
			`
Add --flannel-backend flag 2019-09-03 23:41:54 +00:00
			flannelConf = `{
			`"Network": "%CIDR%",`
			`"Backend": %backend%`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`
			`
Add --flannel-backend flag 2019-09-03 23:41:54 +00:00
			vxlanBackend = `{
			`"Type": "vxlan"`
			}`

			ipsecBackend = `{
			`"Type": "ipsec",`
			`"UDPEncap": true,`
			`"PSK": "%psk%"`
			}`

			wireguardBackend = `{
			`"Type": "extension",`
			`"PreStartupCommand": "wg genkey \| tee privatekey \| wg pubkey",`
Revert "Merge pull request #1190 from erikwilson/wireguard-keepalive" This reverts commit e712cdf7e8fcc00dfb9786e745efcafb5366ca45, reversing changes made to d5929bc8c873a33ecf0c187699dbe6de1d6f2f97. Wireguard docs fail to describe that persistent-keepalive is only valid when peer is set. 2019-12-19 21:41:38 +00:00			`"PostStartupCommand": "export SUBNET_IP=$(echo $SUBNET \| cut -d'/' -f 1); ip link del flannel.1 2>/dev/null; echo $PATH >&2; wg-add.sh flannel.1 && wg set flannel.1 listen-port 51820 private-key privatekey && ip addr add $SUBNET_IP/32 dev flannel.1 && ip link set flannel.1 up && ip route add $NETWORK dev flannel.1",`
Add --flannel-backend flag 2019-09-03 23:41:54 +00:00			`"ShutdownCommand": "ip link del flannel.1",`
Set wireguard persistent-keepalive on wg set peer 2019-12-19 21:54:48 +00:00			`"SubnetAddCommand": "read PUBLICKEY; wg set flannel.1 peer $PUBLICKEY endpoint $PUBLIC_IP:51820 allowed-ips $SUBNET persistent-keepalive 25",`
Add --flannel-backend flag 2019-09-03 23:41:54 +00:00			`"SubnetRemoveCommand": "read PUBLICKEY; wg set flannel.1 peer $PUBLICKEY remove"`
			}`
Initial Commit 2019-01-01 08:23:01 +00:00			`)`

Add --flannel-backend flag 2019-09-03 23:41:54 +00:00			`func Prepare(ctx context.Context, nodeConfig *config.Node) error {`
			`if err := createCNIConf(nodeConfig.AgentConfig.CNIConfDir); err != nil {`
Continued refactoring 2019-01-09 16:54:15 +00:00			`return err`
			`}`

Add --flannel-backend flag 2019-09-03 23:41:54 +00:00			`return createFlannelConf(nodeConfig)`
Continued refactoring 2019-01-09 16:54:15 +00:00			`}`

Refactor tokens, bootstrap, and cli args 2019-10-27 05:53:25 +00:00			`func Run(ctx context.Context, nodeConfig *config.Node, nodes v1.NodeInterface) error {`
Add --flannel-backend flag 2019-09-03 23:41:54 +00:00			`nodeName := nodeConfig.AgentConfig.NodeName`
Initial Commit 2019-01-01 08:23:01 +00:00
			`for {`
Refactor tokens, bootstrap, and cli args 2019-10-27 05:53:25 +00:00			`node, err := nodes.Get(nodeName, metav1.GetOptions{})`
Initial Commit 2019-01-01 08:23:01 +00:00			`if err == nil && node.Spec.PodCIDR != "" {`
			`break`
			`}`
			`if err == nil {`
			`logrus.Infof("waiting for node %s CIDR not assigned yet", nodeName)`
			`} else {`
			`logrus.Infof("waiting for node %s: %v", nodeName, err)`
			`}`
			`time.Sleep(2 * time.Second)`
			`}`

Continued refactoring 2019-01-09 16:54:15 +00:00			`go func() {`
Refactor tokens, bootstrap, and cli args 2019-10-27 05:53:25 +00:00			`err := flannel(ctx, nodeConfig.FlannelIface, nodeConfig.FlannelConf, nodeConfig.AgentConfig.KubeConfigKubelet)`
fix 'fannel' typo. 2019-02-28 00:56:21 +00:00			`logrus.Fatalf("flannel exited: %v", err)`
Continued refactoring 2019-01-09 16:54:15 +00:00			`}()`
Initial Commit 2019-01-01 08:23:01 +00:00
Refactor tokens, bootstrap, and cli args 2019-10-27 05:53:25 +00:00			`return nil`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`

Continued refactoring 2019-01-09 16:54:15 +00:00			`func createCNIConf(dir string) error {`
			`if dir == "" {`
			`return nil`
			`}`
			`p := filepath.Join(dir, "10-flannel.conflist")`
			`return util.WriteFile(p, cniConf)`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`

Add --flannel-backend flag 2019-09-03 23:41:54 +00:00			`func createFlannelConf(nodeConfig *config.Node) error {`
			`if nodeConfig.FlannelConf == "" {`
Continued refactoring 2019-01-09 16:54:15 +00:00			`return nil`
			`}`
Add --flannel-backend flag 2019-09-03 23:41:54 +00:00			`if nodeConfig.FlannelConfOverride {`
			`logrus.Infof("Using custom flannel conf defined at %s", nodeConfig.FlannelConf)`
Add --flannel-conf flag 2019-08-08 05:56:09 +00:00			`return nil`
			`}`
Add --flannel-backend flag 2019-09-03 23:41:54 +00:00			`confJSON := strings.Replace(flannelConf, "%CIDR%", nodeConfig.AgentConfig.ClusterCIDR.String(), -1)`

			`var backendConf string`

			`switch nodeConfig.FlannelBackend {`
			`case config.FlannelBackendVXLAN:`
			`backendConf = vxlanBackend`
			`case config.FlannelBackendIPSEC:`
			`backendConf = strings.Replace(ipsecBackend, "%psk%", nodeConfig.AgentConfig.IPSECPSK, -1)`
Add strongswan utilities for ipsec 2019-09-06 00:39:18 +00:00			`if err := setupStrongSwan(nodeConfig); err != nil {`
			`return err`
			`}`
Add --flannel-backend flag 2019-09-03 23:41:54 +00:00			`case config.FlannelBackendWireguard:`
			`backendConf = wireguardBackend`
			`default:`
			`return fmt.Errorf("Cannot configure unknown flannel backend '%s'", nodeConfig.FlannelBackend)`
			`}`
			`confJSON = strings.Replace(confJSON, "%backend%", backendConf, -1)`

			`return util.WriteFile(nodeConfig.FlannelConf, confJSON)`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`
Add strongswan utilities for ipsec 2019-09-06 00:39:18 +00:00
			`func setupStrongSwan(nodeConfig *config.Node) error {`
Fallback to /etc/strongswan for config Needed for docker image 2019-10-18 05:38:48 +00:00			`// if data dir env is not set point to root`
Add strongswan utilities for ipsec 2019-09-06 00:39:18 +00:00			`dataDir := os.Getenv("K3S_DATA_DIR")`
			`if dataDir == "" {`
Fallback to /etc/strongswan for config Needed for docker image 2019-10-18 05:38:48 +00:00			`dataDir = "/"`
Add strongswan utilities for ipsec 2019-09-06 00:39:18 +00:00			`}`
			`dataDir = path.Join(dataDir, "etc", "strongswan")`

			`info, err := os.Lstat(nodeConfig.AgentConfig.StrongSwanDir)`
			`// something exists but is not a symlink, return`
			`if err == nil && info.Mode()&os.ModeSymlink == 0 {`
			`return nil`
			`}`
Fallback to /etc/strongswan for config Needed for docker image 2019-10-18 05:38:48 +00:00			`if err == nil {`
			`target, err := os.Readlink(nodeConfig.AgentConfig.StrongSwanDir)`
			`// current link is the same, return`
			`if err == nil && target == dataDir {`
			`return nil`
			`}`
			`}`
Add strongswan utilities for ipsec 2019-09-06 00:39:18 +00:00
			`// clean up strongswan old link`
			`os.Remove(nodeConfig.AgentConfig.StrongSwanDir)`

			`// make new strongswan link`
			`return os.Symlink(dataDir, nodeConfig.AgentConfig.StrongSwanDir)`
			`}`