mirror of
https://github.com/k3s-io/k3s.git
synced 2024-06-07 19:41:36 +00:00
Merge pull request #719 from erikwilson/encrypted-network-support
Initial encrypted network support
This commit is contained in:
commit
2ea7a717d9
@ -1,4 +1,5 @@
|
||||
./bin
|
||||
./etc
|
||||
./build/data
|
||||
./build/data.tar.gz
|
||||
./pkg/data/zz_generated_bindata.go
|
||||
|
1
.gitignore
vendored
1
.gitignore
vendored
@ -11,6 +11,7 @@
|
||||
/.lesshst
|
||||
/*.log
|
||||
/bin
|
||||
/etc
|
||||
/build
|
||||
/data-dir
|
||||
/dist
|
||||
|
2
Vagrantfile
vendored
2
Vagrantfile
vendored
@ -1,4 +1,4 @@
|
||||
BOX = "generic/alpine39"
|
||||
BOX = "generic/alpine310"
|
||||
HOME = File.dirname(__FILE__)
|
||||
PROJECT = File.basename(HOME)
|
||||
MOUNT_TYPE = ENV['MOUNT_TYPE'] || "nfs"
|
||||
|
@ -87,6 +87,9 @@ func stageAndRun(dataDir string, cmd string, args []string) error {
|
||||
if err := os.Setenv("PATH", filepath.Join(dir, "bin")+":"+os.Getenv("PATH")+":"+filepath.Join(dir, "bin/aux")); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := os.Setenv("K3S_DATA_DIR", dir); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
cmd, err = exec.LookPath(cmd)
|
||||
if err != nil {
|
||||
|
3
go.mod
3
go.mod
@ -12,7 +12,7 @@ replace (
|
||||
github.com/containerd/go-runc => github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda
|
||||
github.com/containerd/typeurl => github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd
|
||||
github.com/containernetworking/plugins => github.com/rancher/plugins v0.8.2-k3s.2
|
||||
github.com/coreos/flannel => github.com/ibuildthecloud/flannel v0.10.1-0.20190131215433-823afe66b226
|
||||
github.com/coreos/flannel => github.com/rancher/flannel v0.11.0-k3s.1
|
||||
github.com/coreos/go-systemd => github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7
|
||||
github.com/docker/distribution => github.com/docker/distribution v0.0.0-20190205005809-0d3efadf0154
|
||||
github.com/docker/libnetwork => github.com/docker/libnetwork v0.8.0-dev.2.0.20190624125649-f0e46a78ea34
|
||||
@ -57,6 +57,7 @@ require (
|
||||
github.com/Microsoft/go-winio v0.4.14 // indirect
|
||||
github.com/NYTimes/gziphandler v1.1.1 // indirect
|
||||
github.com/bhendo/go-powershell v0.0.0-20190719160123-219e7fb4e41e // indirect
|
||||
github.com/bronze1man/goStrongswanVici v0.0.0-20190828090544-27d02f80ba40 // indirect
|
||||
github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23 // indirect
|
||||
github.com/containerd/cgroups v0.0.0-20190923161937-abd0b19954a6 // indirect
|
||||
github.com/containerd/containerd v1.2.8
|
||||
|
31
go.sum
31
go.sum
@ -1,6 +1,5 @@
|
||||
bitbucket.org/bertimus9/systemstat v0.0.0-20180207000608-0eeff89b0690/go.mod h1:Ulb78X89vxKYgdL24HMTiXYHlyHEvruOj1ZPlqeNEZM=
|
||||
cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
|
||||
cloud.google.com/go v0.34.0 h1:eOI3/cP2VTU6uZLDYAoic+eyzzB9YyGmJ7eIjl8rOPg=
|
||||
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
|
||||
cloud.google.com/go v0.38.0 h1:ROfEUZz+Gh5pa62DJWXSaonyu3StP6EA6lPEXPI6mCo=
|
||||
cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
|
||||
@ -40,13 +39,11 @@ github.com/Microsoft/go-winio v0.4.14 h1:+hMXMk01us9KgxGb7ftKQt2Xpf5hH/yky+TDA+q
|
||||
github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
|
||||
github.com/Microsoft/hcsshim v0.8.6 h1:ZfF0+zZeYdzMIVMZHKtDKJvLHj76XCuVae/jNkjj0IA=
|
||||
github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
|
||||
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46 h1:lsxEuwrXEAokXB9qhlbKWPpo3KMLZQ5WB5WLQRW1uq0=
|
||||
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
|
||||
github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
|
||||
github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
|
||||
github.com/OpenPeeDeeP/depguard v0.0.0-20180806142446-a69c782687b2/go.mod h1:7/4sitnI9YlQgTLLk734QlzXT8DuHVnAyztLplQjk+o=
|
||||
github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
|
||||
github.com/PuerkitoBio/purell v1.1.0 h1:rmGxhojJlM0tuKtfdvliR84CFHljx9ag64t2xmVkjK4=
|
||||
github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
|
||||
github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI=
|
||||
github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
|
||||
@ -61,7 +58,6 @@ github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:C
|
||||
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e h1:QEF07wC0T1rKkctt1RINW/+RMTVmiwxETico2l3gxJA=
|
||||
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
|
||||
github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
|
||||
github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf h1:eg0MeVzsP1G42dRafH3vf+al2vQIJU0YHX+1Tw87oco=
|
||||
github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
|
||||
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA=
|
||||
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
|
||||
@ -78,6 +74,8 @@ github.com/bifurcation/mint v0.0.0-20180715133206-93c51c6ce115/go.mod h1:zVt7zX3
|
||||
github.com/blang/semver v3.5.0+incompatible h1:CGxCgetQ64DKk7rdZ++Vfnb1+ogGNnB17OJKJXD2Cfs=
|
||||
github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
|
||||
github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps=
|
||||
github.com/bronze1man/goStrongswanVici v0.0.0-20190828090544-27d02f80ba40 h1:udTfdeYqe866Z5mxTaEm5irSJK2vupyxwBOHAYEVtJo=
|
||||
github.com/bronze1man/goStrongswanVici v0.0.0-20190828090544-27d02f80ba40/go.mod h1:fWUtBEPt2yjrr3WFhOqvajM8JSEU8bEeBcoeSCsKRpc=
|
||||
github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
|
||||
github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23 h1:D21IyuvjDCshj1/qq+pCNd3VZOAEI9jy6Bi131YlXgI=
|
||||
github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
|
||||
@ -121,7 +119,6 @@ github.com/coredns/corefile-migration v1.0.2/go.mod h1:OFwBp/Wc9dJt5cAZzHWMNhK1r
|
||||
github.com/coreos/bbolt v1.3.1-coreos.6 h1:uTXKg9gY70s9jMAKdfljFQcuh4e/BXOM+V+d00KFj3A=
|
||||
github.com/coreos/bbolt v1.3.1-coreos.6/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
|
||||
github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
|
||||
github.com/coreos/etcd v3.3.13+incompatible h1:8F3hqu9fGYLBifCmRCJsicFqDx/D68Rt3q1JMazcgBQ=
|
||||
github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
|
||||
github.com/coreos/etcd v3.3.15+incompatible h1:+9RjdC18gMxNQVvSiXvObLu29mOFmkgdsB4cRTlV+EE=
|
||||
github.com/coreos/etcd v3.3.15+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
|
||||
@ -158,7 +155,6 @@ github.com/dnaeon/go-vcr v1.0.1 h1:r8L/HqC0Hje5AXMu1ooW8oyQyOFv4GxqpL0nRP7SLLY=
|
||||
github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E=
|
||||
github.com/docker/distribution v0.0.0-20190205005809-0d3efadf0154 h1:C8WBRZDiZn3IZnBlbHVeTWF32XhVGK69Li4GC/3jL9Q=
|
||||
github.com/docker/distribution v0.0.0-20190205005809-0d3efadf0154/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
|
||||
github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0 h1:w3NnFcKR5241cfmQU5ZZAsf0xcpId6mWOupTvJlUX2U=
|
||||
github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
|
||||
github.com/docker/docker v0.7.3-0.20190731001754-589f1dad8dad h1:Rs3PR4MuVaSoApfaYJQRRJtC5dNBSyvRcTSl9MNWKlw=
|
||||
github.com/docker/docker v0.7.3-0.20190731001754-589f1dad8dad/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
|
||||
@ -168,7 +164,6 @@ github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ
|
||||
github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
|
||||
github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8=
|
||||
github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
|
||||
github.com/docker/go-units v0.3.3 h1:Xk8S3Xj5sLGlG5g67hJmYMmUgXv5N4PhkjJHHqrwnTk=
|
||||
github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
|
||||
github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
|
||||
github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
|
||||
@ -243,7 +238,6 @@ github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsd
|
||||
github.com/go-openapi/spec v0.18.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
|
||||
github.com/go-openapi/spec v0.19.2 h1:SStNd1jRcYtfKCN7R0laGNs80WYYvn5CbBjM2sOmCrE=
|
||||
github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY=
|
||||
github.com/go-openapi/strfmt v0.17.0 h1:1isAxYf//QDTnVzbLAMrUK++0k1EjeLJU/gTOR0o3Mc=
|
||||
github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
|
||||
github.com/go-openapi/strfmt v0.18.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
|
||||
github.com/go-openapi/strfmt v0.19.0 h1:0Dn9qy1G9+UJfRU7TR8bmdGxb4uifB7HNrJjOnV0yPk=
|
||||
@ -253,7 +247,6 @@ github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/
|
||||
github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
|
||||
github.com/go-openapi/swag v0.19.2 h1:jvO6bCMBEilGwMfHhrd61zIID4oIFdwb76V17SM88dE=
|
||||
github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
|
||||
github.com/go-openapi/validate v0.18.0 h1:PVXYcP1GkTl+XIAJnyJxOmK6CSG5Q1UcvoCvNO++5Kg=
|
||||
github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4=
|
||||
github.com/go-openapi/validate v0.19.2 h1:ky5l57HjyVRrsJfd2+Ro5Z9PjGuKbsmftwyMtk8H7js=
|
||||
github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA=
|
||||
@ -282,7 +275,6 @@ github.com/gofrs/flock v0.7.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14j
|
||||
github.com/gogo/googleapis v1.3.0 h1:M695OaDJ5ipWvDPcoAg/YL9c3uORAegkEfBqTQF/fTQ=
|
||||
github.com/gogo/googleapis v1.3.0/go.mod h1:d+q1s/xVJxZGKWwC/6UfPIF33J+G1Tq4GYv9Y+Tg/EU=
|
||||
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
|
||||
github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE=
|
||||
github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
|
||||
github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
|
||||
github.com/gogo/protobuf v1.3.0 h1:G8O7TerXerS4F6sx9OV7/nRfJdnXgHZu/S/7F2SN+UE=
|
||||
@ -298,7 +290,6 @@ github.com/golang/mock v1.2.0 h1:28o5sBqPkBsMGnC6b4MvE2TzSr5/AT4c/1fLqVGIwlk=
|
||||
github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
|
||||
github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||
github.com/golang/protobuf v1.3.1 h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg=
|
||||
github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||
github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
|
||||
github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||
@ -343,7 +334,6 @@ github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OI
|
||||
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
|
||||
github.com/google/tcpproxy v0.0.0-20180808230851-dfa16c61dad2 h1:AtvtonGEH/fZK0XPNNBdB6swgy7Iudfx88wzyIpwqJ8=
|
||||
github.com/google/tcpproxy v0.0.0-20180808230851-dfa16c61dad2/go.mod h1:DavVbd41y+b7ukKDmlnPR4nGYmkWXR6vHUkjQNiHPBs=
|
||||
github.com/google/uuid v1.0.0 h1:b4Gk+7WdP/d3HZH8EJsZpvV7EtDOgaZLtnaNGIu1adA=
|
||||
github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
|
||||
github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
|
||||
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
|
||||
@ -383,8 +373,6 @@ github.com/heketi/tests v0.0.0-20151005000721-f3775cbcefd6/go.mod h1:xGMAM8JLi7U
|
||||
github.com/heketi/utils v0.0.0-20170317161834-435bc5bdfa64/go.mod h1:RYlF4ghFZPPmk2TC5REt5OFwvfb6lzxFWrTWB+qs28s=
|
||||
github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
|
||||
github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
|
||||
github.com/ibuildthecloud/flannel v0.10.1-0.20190131215433-823afe66b226 h1:XdW09kPx8lMtvPAPVnlIG4H/kTC01x5ADdN1J+KsglM=
|
||||
github.com/ibuildthecloud/flannel v0.10.1-0.20190131215433-823afe66b226/go.mod h1:HCHln+957B/ml+RJJ4fnilxsq7wN5dOnytc3nLQchV4=
|
||||
github.com/ibuildthecloud/kine v0.1.0 h1:nF/wtPm7qECzZeagEyZgy8seFcwpJz8LRF6pc7hYSl0=
|
||||
github.com/ibuildthecloud/kine v0.1.0/go.mod h1:TTWUtUeu7dHQan9BrCtlRbKr9eK7epHqrBFOAae15Bg=
|
||||
github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
|
||||
@ -402,7 +390,6 @@ github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht
|
||||
github.com/jonboulle/clockwork v0.1.0 h1:VKV+ZcuP6l3yW9doeqz6ziZGgcynBVQO+obU0+0hcPo=
|
||||
github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
|
||||
github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
|
||||
github.com/json-iterator/go v1.1.6 h1:MrUvLMLTMxbqFJ9kzlvat/rYZqZnW3u4wkLzWTaFwKs=
|
||||
github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
|
||||
github.com/json-iterator/go v1.1.7 h1:KfgG9LzI+pYjr4xvmz/5H4FXjokeP+rlHLhv3iH62Fo=
|
||||
github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
|
||||
@ -456,7 +443,6 @@ github.com/magiconair/properties v1.7.6/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czP
|
||||
github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
|
||||
github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
|
||||
github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
|
||||
github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329 h1:2gxZ0XQIU/5z3Z3bUBu+FXuk2pFbkN6tcwi/pjyaDic=
|
||||
github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
|
||||
github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
|
||||
github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63 h1:nTT4s92Dgz2HlrB2NaMgvlfqHH39OgMhA7z3PK7PGD4=
|
||||
@ -518,7 +504,6 @@ github.com/nbutton23/zxcvbn-go v0.0.0-20160627004424-a22cb81b2ecd/go.mod h1:o96d
|
||||
github.com/nbutton23/zxcvbn-go v0.0.0-20171102151520-eafdab6b0663/go.mod h1:o96djdrsSGy3AWPyBgZMAGfxZNfgntdJG+11KU4QvbU=
|
||||
github.com/onsi/ginkgo v0.0.0-20151202141238-7f8ab55aaf3b/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
|
||||
github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
|
||||
github.com/onsi/ginkgo v1.6.0 h1:Ix8l273rp3QzYgXSR+c8d1fTG7UPgYkOSELPhiY/YGw=
|
||||
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
|
||||
github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
|
||||
github.com/onsi/ginkgo v1.10.1 h1:q/mM8GF/n0shIN8SaAZ0V+jnLPzen6WIVZdiwrRlMlo=
|
||||
@ -573,6 +558,8 @@ github.com/rancher/containerd v1.3.0-k3s.1 h1:8dz25shb4egTLl0nOXQdtllx20LEXsuOs4
|
||||
github.com/rancher/containerd v1.3.0-k3s.1/go.mod h1:ZMfzmqce2Z+QSEqdHMfeJs1TZ/UeJ1aDrazjpQT4ehM=
|
||||
github.com/rancher/cri-tools v1.16.0-k3s.1 h1:cv/iVFkfvDLfpSqGFwgyQbMKLGRzcXo8AALUsd8s5qE=
|
||||
github.com/rancher/cri-tools v1.16.0-k3s.1/go.mod h1:TEKhKv2EJIZp+p9jnEy4C63g8CosJzsI4kyKKkHag+8=
|
||||
github.com/rancher/flannel v0.11.0-k3s.1 h1:mIwnfWDafjzQgFkZeJ1AkFrrAT3EdBaA1giE0eLJKo8=
|
||||
github.com/rancher/flannel v0.11.0-k3s.1/go.mod h1:Hn4ZV+eq0LhLZP63xZnxdGwXEoRSxs5sxELxu27M3UA=
|
||||
github.com/rancher/helm-controller v0.2.2 h1:MUqisy53/Ay1EYOF2uTCYBbGpgtZLNKKrI01BdxIbQo=
|
||||
github.com/rancher/helm-controller v0.2.2/go.mod h1:0JkL0UjxddNbT4FmLoESarD4Mz8xzA5YlejqJ/U4g+8=
|
||||
github.com/rancher/kubernetes v1.16.0-k3s.1 h1:6ewJ22WFt/3l/7d724XiAXZWbatkzWZ/Q8kMow7Jq4E=
|
||||
@ -677,7 +664,6 @@ github.com/spf13/jwalterweatherman v0.0.0-20180109140146-7c0cea34c8ec/go.mod h1:
|
||||
github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
|
||||
github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
|
||||
github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
|
||||
github.com/spf13/pflag v1.0.1 h1:aCvUg6QPl3ibpQUxyLkrEkCHtPqYJL4x9AuhqVqFis4=
|
||||
github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
|
||||
github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg=
|
||||
github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
|
||||
@ -685,7 +671,6 @@ github.com/spf13/viper v1.0.2/go.mod h1:A8kyI5cUJhb8N+3pkfONlcEcZbueH6nhAm0Fq7Sr
|
||||
github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
|
||||
github.com/storageos/go-api v0.0.0-20180912212459-343b3eff91fc/go.mod h1:ZrLn+e0ZuF3Y65PNF6dIwbJPZqfmtCXxFm9ckv0agOY=
|
||||
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||
github.com/stretchr/objx v0.1.1 h1:2vfRuCMp5sSVIDSqO8oNnWJq7mPa6KVP3iPIwFBuy8A=
|
||||
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||
github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48=
|
||||
github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
|
||||
@ -713,11 +698,9 @@ github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyC
|
||||
github.com/valyala/fasthttp v1.2.0/go.mod h1:4vX61m6KN+xDduDNwXrhIAVZaZaZiQ1luJk8LWSxF3s=
|
||||
github.com/valyala/quicktemplate v1.1.1/go.mod h1:EH+4AkTd43SvgIbQHYu59/cJyxDoOVRUAfrukLPuGJ4=
|
||||
github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV9WzVtRmSR+PDvWpU/qWl4Wa5LApYYX4ZtKbio=
|
||||
github.com/vishvananda/netlink v0.0.0-20171020171820-b2de5d10e38e h1:f1yevOHP+Suqk0rVc13fIkzcLULJbyQcXDba2klljD0=
|
||||
github.com/vishvananda/netlink v0.0.0-20171020171820-b2de5d10e38e/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=
|
||||
github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf h1:3J37+NPjNyGW/dbfXtj3yWuF9OEepIdGOXRaJGbORV8=
|
||||
github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=
|
||||
github.com/vishvananda/netns v0.0.0-20171111001504-be1fbeda1936 h1:J9gO8RJCAFlln1jsvRba/CWVUnMHwObklfxxjErl1uk=
|
||||
github.com/vishvananda/netns v0.0.0-20171111001504-be1fbeda1936/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI=
|
||||
github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc h1:R83G5ikgLMxrBvLh22JhdfI8K6YXEPHx5P03Uu3DRs4=
|
||||
github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI=
|
||||
@ -747,7 +730,6 @@ golang.org/x/crypto v0.0.0-20190228161510-8dd112bcdc25/go.mod h1:djNgcEr1/C05ACk
|
||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
||||
golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
||||
golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
||||
golang.org/x/crypto v0.0.0-20190506204251-e1dfcc566284 h1:rlLehGeYg6jfoyz/eDqDU1iRXLKfR42nnNh57ytKEWo=
|
||||
golang.org/x/crypto v0.0.0-20190506204251-e1dfcc566284/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||
golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||
golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8 h1:1wopBVtVdWnn03fZelqdXTqk7U7zPQCb+T4rbU9ZEoU=
|
||||
@ -788,7 +770,6 @@ golang.org/x/net v0.0.0-20190812203447-cdfb69ac37fc h1:gkKoSkUmnU6bpS/VhkuO27bzQ
|
||||
golang.org/x/net v0.0.0-20190812203447-cdfb69ac37fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
|
||||
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a h1:tImsplftrFpALCYumobsd0K86vlAs/eXGFms2txfJfA=
|
||||
golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
|
||||
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
@ -815,7 +796,6 @@ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7w
|
||||
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190509141414-a5b02f93d862/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f h1:25KHgbfyiSm6vwQLbM3zZIe1v9p/3ea4Rz+nnM5K/i4=
|
||||
golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190730183949-1393eb018365/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190812073006-9eafafc0a87e h1:TsjK5I7fXk8f2FQrgu6NS7i5Qih3knl2FL1htyguLRE=
|
||||
@ -846,7 +826,6 @@ golang.org/x/tools v0.0.0-20190311215038-5c2858a9cfe5/go.mod h1:LCzVGOaR6xXOjkQ3
|
||||
golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
|
||||
golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
|
||||
golang.org/x/tools v0.0.0-20190322203728-c1a832b0ad89/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
|
||||
golang.org/x/tools v0.0.0-20190328211700-ab21143f2384 h1:TFlARGu6Czu1z7q93HTxcP1P+/ZFC/IKythI5RzrnRg=
|
||||
golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
|
||||
golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
|
||||
golang.org/x/tools v0.0.0-20190521203540-521d6ed310dd/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
|
||||
@ -876,7 +855,6 @@ google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiq
|
||||
google.golang.org/grpc v1.23.0 h1:AzbTB6ux+okLTzP8Ru1Xs41C303zdcfEht7MQnYJt5A=
|
||||
google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
|
||||
gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
|
||||
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
@ -915,7 +893,6 @@ honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWh
|
||||
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||
honnef.co/go/tools v0.0.1-2019.2.2/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
|
||||
k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
|
||||
k8s.io/gengo v0.0.0-20190327210449-e17681d19d3a h1:QoHVuRquf80YZ+/bovwxoMO3Q/A3nt3yTgS0/0nejuk=
|
||||
k8s.io/gengo v0.0.0-20190327210449-e17681d19d3a/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
|
||||
k8s.io/gengo v0.0.0-20190822140433-26a664648505 h1:ZY6yclUKVbZ+SdWnkfY+Je5vrMpKOxmGeKRbsXVmqYM=
|
||||
k8s.io/gengo v0.0.0-20190822140433-26a664648505/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
|
||||
|
@ -330,8 +330,8 @@ func get(envInfo *cmds.Agent) (*config.Node, error) {
|
||||
|
||||
nodeConfig := &config.Node{
|
||||
Docker: envInfo.Docker,
|
||||
NoFlannel: envInfo.NoFlannel,
|
||||
ContainerRuntimeEndpoint: envInfo.ContainerRuntimeEndpoint,
|
||||
FlannelBackend: controlConfig.FlannelBackend,
|
||||
}
|
||||
nodeConfig.FlannelIface = flannelIface
|
||||
nodeConfig.Images = filepath.Join(envInfo.DataDir, "images")
|
||||
@ -349,6 +349,8 @@ func get(envInfo *cmds.Agent) (*config.Node, error) {
|
||||
nodeConfig.AgentConfig.KubeConfigKubeProxy = kubeconfigKubeproxy
|
||||
nodeConfig.AgentConfig.RootDir = filepath.Join(envInfo.DataDir, "kubelet")
|
||||
nodeConfig.AgentConfig.PauseImage = envInfo.PauseImage
|
||||
nodeConfig.AgentConfig.IPSECPSK = controlConfig.IPSECPSK
|
||||
nodeConfig.AgentConfig.StrongSwanDir = filepath.Join(envInfo.DataDir, "strongswan")
|
||||
nodeConfig.CACerts = info.CACerts
|
||||
nodeConfig.Containerd.Config = filepath.Join(envInfo.DataDir, "etc/containerd/config.toml")
|
||||
nodeConfig.Containerd.Root = filepath.Join(envInfo.DataDir, "containerd")
|
||||
@ -361,8 +363,20 @@ func get(envInfo *cmds.Agent) (*config.Node, error) {
|
||||
nodeConfig.Containerd.Template = filepath.Join(envInfo.DataDir, "etc/containerd/config.toml.tmpl")
|
||||
nodeConfig.ServerAddress = serverURLParsed.Host
|
||||
nodeConfig.Certificate = servingCert
|
||||
|
||||
if nodeConfig.FlannelBackend == config.FlannelBackendNone {
|
||||
nodeConfig.NoFlannel = true
|
||||
} else {
|
||||
nodeConfig.NoFlannel = envInfo.NoFlannel
|
||||
}
|
||||
|
||||
if !nodeConfig.NoFlannel {
|
||||
if envInfo.FlannelConf == "" {
|
||||
nodeConfig.FlannelConf = filepath.Join(envInfo.DataDir, "etc/flannel/net-conf.json")
|
||||
} else {
|
||||
nodeConfig.FlannelConf = envInfo.FlannelConf
|
||||
nodeConfig.FlannelConfOverride = true
|
||||
}
|
||||
nodeConfig.AgentConfig.CNIBinDir = filepath.Dir(hostLocal)
|
||||
nodeConfig.AgentConfig.CNIConfDir = filepath.Join(envInfo.DataDir, "etc/cni/net.d")
|
||||
}
|
||||
|
@ -29,6 +29,8 @@ import (
|
||||
log "k8s.io/klog"
|
||||
|
||||
// Backends need to be imported for their init() to get executed and them to register
|
||||
_ "github.com/coreos/flannel/backend/extension"
|
||||
_ "github.com/coreos/flannel/backend/ipsec"
|
||||
_ "github.com/coreos/flannel/backend/vxlan"
|
||||
)
|
||||
|
||||
@ -42,7 +44,7 @@ func flannel(ctx context.Context, flannelIface *net.Interface, flannelConf, kube
|
||||
return err
|
||||
}
|
||||
|
||||
sm, err := kube.NewSubnetManager("", flannelConf, kubeConfigFile, "flannel.alpha.coreos.com")
|
||||
sm, err := kube.NewSubnetManager("", kubeConfigFile, "flannel.alpha.coreos.com", flannelConf)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -2,6 +2,9 @@ package flannel
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"os"
|
||||
"path"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"time"
|
||||
@ -22,6 +25,7 @@ const (
|
||||
{
|
||||
"type":"flannel",
|
||||
"delegate":{
|
||||
"hairpinMode":true,
|
||||
"forceAddress":true,
|
||||
"isDefaultGateway":true
|
||||
}
|
||||
@ -35,27 +39,45 @@ const (
|
||||
]
|
||||
}
|
||||
`
|
||||
netJSON = `{
|
||||
|
||||
flannelConf = `{
|
||||
"Network": "%CIDR%",
|
||||
"Backend": {
|
||||
"Type": "vxlan"
|
||||
}
|
||||
"Backend": %backend%
|
||||
}
|
||||
`
|
||||
|
||||
vxlanBackend = `{
|
||||
"Type": "vxlan"
|
||||
}`
|
||||
|
||||
ipsecBackend = `{
|
||||
"Type": "ipsec",
|
||||
"UDPEncap": true,
|
||||
"PSK": "%psk%"
|
||||
}`
|
||||
|
||||
wireguardBackend = `{
|
||||
"Type": "extension",
|
||||
"PreStartupCommand": "wg genkey | tee privatekey | wg pubkey",
|
||||
"PostStartupCommand": "export SUBNET_IP=$(echo $SUBNET | cut -d'/' -f 1); ip link del flannel.1 2>/dev/null; echo $PATH >&2; wg-add.sh flannel.1 && wg set flannel.1 listen-port 51820 private-key privatekey && ip addr add $SUBNET_IP/32 dev flannel.1 && ip link set flannel.1 up && ip route add $NETWORK dev flannel.1",
|
||||
"ShutdownCommand": "ip link del flannel.1",
|
||||
"SubnetAddCommand": "read PUBLICKEY; wg set flannel.1 peer $PUBLICKEY endpoint $PUBLIC_IP:51820 allowed-ips $SUBNET",
|
||||
"SubnetRemoveCommand": "read PUBLICKEY; wg set flannel.1 peer $PUBLICKEY remove"
|
||||
}`
|
||||
)
|
||||
|
||||
func Prepare(ctx context.Context, config *config.Node) error {
|
||||
if err := createCNIConf(config.AgentConfig.CNIConfDir); err != nil {
|
||||
func Prepare(ctx context.Context, nodeConfig *config.Node) error {
|
||||
if err := createCNIConf(nodeConfig.AgentConfig.CNIConfDir); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return createFlannelConf(config)
|
||||
return createFlannelConf(nodeConfig)
|
||||
}
|
||||
|
||||
func Run(ctx context.Context, config *config.Node) error {
|
||||
nodeName := config.AgentConfig.NodeName
|
||||
func Run(ctx context.Context, nodeConfig *config.Node) error {
|
||||
nodeName := nodeConfig.AgentConfig.NodeName
|
||||
|
||||
restConfig, err := clientcmd.BuildConfigFromFlags("", config.AgentConfig.KubeConfigNode)
|
||||
restConfig, err := clientcmd.BuildConfigFromFlags("", nodeConfig.AgentConfig.KubeConfigNode)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -79,7 +101,7 @@ func Run(ctx context.Context, config *config.Node) error {
|
||||
}
|
||||
|
||||
go func() {
|
||||
err := flannel(ctx, config.FlannelIface, config.FlannelConf, config.AgentConfig.KubeConfigNode)
|
||||
err := flannel(ctx, nodeConfig.FlannelIface, nodeConfig.FlannelConf, nodeConfig.AgentConfig.KubeConfigNode)
|
||||
logrus.Fatalf("flannel exited: %v", err)
|
||||
}()
|
||||
|
||||
@ -94,10 +116,53 @@ func createCNIConf(dir string) error {
|
||||
return util.WriteFile(p, cniConf)
|
||||
}
|
||||
|
||||
func createFlannelConf(config *config.Node) error {
|
||||
if config.FlannelConf == "" {
|
||||
func createFlannelConf(nodeConfig *config.Node) error {
|
||||
if nodeConfig.FlannelConf == "" {
|
||||
return nil
|
||||
}
|
||||
return util.WriteFile(config.FlannelConf,
|
||||
strings.Replace(netJSON, "%CIDR%", config.AgentConfig.ClusterCIDR.String(), -1))
|
||||
if nodeConfig.FlannelConfOverride {
|
||||
logrus.Infof("Using custom flannel conf defined at %s", nodeConfig.FlannelConf)
|
||||
return nil
|
||||
}
|
||||
confJSON := strings.Replace(flannelConf, "%CIDR%", nodeConfig.AgentConfig.ClusterCIDR.String(), -1)
|
||||
|
||||
var backendConf string
|
||||
|
||||
switch nodeConfig.FlannelBackend {
|
||||
case config.FlannelBackendVXLAN:
|
||||
backendConf = vxlanBackend
|
||||
case config.FlannelBackendIPSEC:
|
||||
backendConf = strings.Replace(ipsecBackend, "%psk%", nodeConfig.AgentConfig.IPSECPSK, -1)
|
||||
if err := setupStrongSwan(nodeConfig); err != nil {
|
||||
return err
|
||||
}
|
||||
case config.FlannelBackendWireguard:
|
||||
backendConf = wireguardBackend
|
||||
default:
|
||||
return fmt.Errorf("Cannot configure unknown flannel backend '%s'", nodeConfig.FlannelBackend)
|
||||
}
|
||||
confJSON = strings.Replace(confJSON, "%backend%", backendConf, -1)
|
||||
|
||||
return util.WriteFile(nodeConfig.FlannelConf, confJSON)
|
||||
}
|
||||
|
||||
func setupStrongSwan(nodeConfig *config.Node) error {
|
||||
// if we don't know the location of extracted strongswan data then return
|
||||
dataDir := os.Getenv("K3S_DATA_DIR")
|
||||
if dataDir == "" {
|
||||
return nil
|
||||
}
|
||||
dataDir = path.Join(dataDir, "etc", "strongswan")
|
||||
|
||||
info, err := os.Lstat(nodeConfig.AgentConfig.StrongSwanDir)
|
||||
// something exists but is not a symlink, return
|
||||
if err == nil && info.Mode()&os.ModeSymlink == 0 {
|
||||
return nil
|
||||
}
|
||||
|
||||
// clean up strongswan old link
|
||||
os.Remove(nodeConfig.AgentConfig.StrongSwanDir)
|
||||
|
||||
// make new strongswan link
|
||||
return os.Symlink(dataDir, nodeConfig.AgentConfig.StrongSwanDir)
|
||||
}
|
||||
|
@ -22,6 +22,7 @@ type Agent struct {
|
||||
ContainerRuntimeEndpoint string
|
||||
NoFlannel bool
|
||||
FlannelIface string
|
||||
FlannelConf string
|
||||
Debug bool
|
||||
Rootless bool
|
||||
AgentShared
|
||||
@ -64,6 +65,11 @@ var (
|
||||
Usage: "(agent) Override default flannel interface",
|
||||
Destination: &AgentConfig.FlannelIface,
|
||||
}
|
||||
FlannelConfFlag = cli.StringFlag{
|
||||
Name: "flannel-conf",
|
||||
Usage: "(agent) (experimental) Override default flannel config file",
|
||||
Destination: &AgentConfig.FlannelConf,
|
||||
}
|
||||
CRIEndpointFlag = cli.StringFlag{
|
||||
Name: "container-runtime-endpoint",
|
||||
Usage: "(agent) Disable embedded containerd and use alternative CRI implementation",
|
||||
@ -151,6 +157,7 @@ func NewAgentCommand(action func(ctx *cli.Context) error) cli.Command {
|
||||
DockerFlag,
|
||||
FlannelFlag,
|
||||
FlannelIfaceFlag,
|
||||
FlannelConfFlag,
|
||||
NodeNameFlag,
|
||||
NodeIPFlag,
|
||||
CRIEndpointFlag,
|
||||
|
@ -1,6 +1,9 @@
|
||||
package cmds
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"github.com/rancher/k3s/pkg/daemons/config"
|
||||
"github.com/urfave/cli"
|
||||
)
|
||||
|
||||
@ -30,6 +33,7 @@ type Server struct {
|
||||
AdvertiseIP string
|
||||
AdvertisePort int
|
||||
DisableScheduler bool
|
||||
FlannelBackend string
|
||||
}
|
||||
|
||||
var ServerConfig Server
|
||||
@ -189,11 +193,18 @@ func NewServerCommand(action func(*cli.Context) error) cli.Command {
|
||||
Usage: "Disable Kubernetes default scheduler",
|
||||
Destination: &ServerConfig.DisableScheduler,
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "flannel-backend",
|
||||
Usage: fmt.Sprintf("(experimental) One of '%s', '%s', '%s', or '%s'", config.FlannelBackendNone, config.FlannelBackendVXLAN, config.FlannelBackendIPSEC, config.FlannelBackendWireguard),
|
||||
Destination: &ServerConfig.FlannelBackend,
|
||||
Value: config.FlannelBackendVXLAN,
|
||||
},
|
||||
NodeIPFlag,
|
||||
NodeNameFlag,
|
||||
DockerFlag,
|
||||
FlannelFlag,
|
||||
FlannelIfaceFlag,
|
||||
FlannelConfFlag,
|
||||
CRIEndpointFlag,
|
||||
PauseImageFlag,
|
||||
ResolvConfFlag,
|
||||
|
@ -84,6 +84,7 @@ func run(app *cli.Context, cfg *cmds.Server) error {
|
||||
serverConfig.ControlConfig.AdvertiseIP = cfg.AdvertiseIP
|
||||
serverConfig.ControlConfig.AdvertisePort = cfg.AdvertisePort
|
||||
serverConfig.ControlConfig.BootstrapReadOnly = !cfg.StoreBootstrap
|
||||
serverConfig.ControlConfig.FlannelBackend = cfg.FlannelBackend
|
||||
|
||||
if cmds.AgentConfig.FlannelIface != "" && cmds.AgentConfig.NodeIP == "" {
|
||||
cmds.AgentConfig.NodeIP = netutil.GetIPFromInterface(cmds.AgentConfig.FlannelIface)
|
||||
|
@ -13,11 +13,20 @@ import (
|
||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||
)
|
||||
|
||||
const (
|
||||
FlannelBackendNone = "none"
|
||||
FlannelBackendVXLAN = "vxlan"
|
||||
FlannelBackendIPSEC = "ipsec"
|
||||
FlannelBackendWireguard = "wireguard"
|
||||
)
|
||||
|
||||
type Node struct {
|
||||
Docker bool
|
||||
ContainerRuntimeEndpoint string
|
||||
NoFlannel bool
|
||||
FlannelBackend string
|
||||
FlannelConf string
|
||||
FlannelConfOverride bool
|
||||
FlannelIface *net.Interface
|
||||
Containerd Containerd
|
||||
Images string
|
||||
@ -65,6 +74,8 @@ type Agent struct {
|
||||
CNIPlugin bool
|
||||
NodeTaints []string
|
||||
NodeLabels []string
|
||||
IPSECPSK string
|
||||
StrongSwanDir string
|
||||
}
|
||||
|
||||
type Control struct {
|
||||
@ -89,6 +100,8 @@ type Control struct {
|
||||
ExtraControllerArgs []string
|
||||
ExtraSchedulerAPIArgs []string
|
||||
NoLeaderElect bool
|
||||
FlannelBackend string
|
||||
IPSECPSK string
|
||||
|
||||
Runtime *ControlRuntime `json:"-"`
|
||||
}
|
||||
@ -105,6 +118,7 @@ type ControlRuntimeBootstrap struct {
|
||||
ClientKubeletKey string
|
||||
ClientKubeProxyKey string
|
||||
ServingKubeletKey string
|
||||
IPSECKey string
|
||||
}
|
||||
|
||||
type ControlRuntime struct {
|
||||
|
@ -62,6 +62,11 @@ users:
|
||||
`))
|
||||
)
|
||||
|
||||
const (
|
||||
userTokenSize = 16
|
||||
ipsecTokenSize = 48
|
||||
)
|
||||
|
||||
func Server(ctx context.Context, cfg *config.Control) error {
|
||||
rand.Seed(time.Now().UTC().UnixNano())
|
||||
|
||||
@ -252,6 +257,7 @@ func prepare(ctx context.Context, config *config.Control, runtime *config.Contro
|
||||
runtime.ServerCAKey = path.Join(config.DataDir, "tls", "server-ca.key")
|
||||
runtime.RequestHeaderCA = path.Join(config.DataDir, "tls", "request-header-ca.crt")
|
||||
runtime.RequestHeaderCAKey = path.Join(config.DataDir, "tls", "request-header-ca.key")
|
||||
runtime.IPSECKey = path.Join(config.DataDir, "cred", "ipsec.psk")
|
||||
|
||||
runtime.ServiceKey = path.Join(config.DataDir, "tls", "service.key")
|
||||
runtime.PasswdFile = path.Join(config.DataDir, "cred", "passwd")
|
||||
@ -304,6 +310,10 @@ func prepare(ctx context.Context, config *config.Control, runtime *config.Contro
|
||||
return err
|
||||
}
|
||||
|
||||
if err := genEncryptedNetworkInfo(config, runtime); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := storeBootstrapData(ctx, config, etcdClient); err != nil {
|
||||
return err
|
||||
}
|
||||
@ -422,20 +432,43 @@ func WritePasswords(passwdFile string, records [][]string) error {
|
||||
return os.Rename(passwdFile+".tmp", passwdFile)
|
||||
}
|
||||
|
||||
func genEncryptedNetworkInfo(controlConfig *config.Control, runtime *config.ControlRuntime) error {
|
||||
if s, err := os.Stat(runtime.IPSECKey); err == nil && s.Size() > 0 {
|
||||
psk, err := ioutil.ReadFile(runtime.IPSECKey)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
controlConfig.IPSECPSK = strings.TrimSpace(string(psk))
|
||||
return nil
|
||||
}
|
||||
|
||||
psk, err := getToken(ipsecTokenSize)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
controlConfig.IPSECPSK = psk
|
||||
if err := ioutil.WriteFile(runtime.IPSECKey, []byte(psk+"\n"), 0600); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func genUsers(config *config.Control, runtime *config.ControlRuntime) error {
|
||||
if s, err := os.Stat(runtime.PasswdFile); err == nil && s.Size() > 0 {
|
||||
return ensureNodeToken(config, runtime)
|
||||
}
|
||||
|
||||
adminToken, err := getToken()
|
||||
adminToken, err := getToken(userTokenSize)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
systemToken, err := getToken()
|
||||
systemToken, err := getToken(userTokenSize)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
nodeToken, err := getToken()
|
||||
nodeToken, err := getToken(userTokenSize)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -451,8 +484,8 @@ func genUsers(config *config.Control, runtime *config.ControlRuntime) error {
|
||||
})
|
||||
}
|
||||
|
||||
func getToken() (string, error) {
|
||||
token := make([]byte, 16, 16)
|
||||
func getToken(size int) (string, error) {
|
||||
token := make([]byte, size, size)
|
||||
_, err := cryptorand.Read(token)
|
||||
if err != nil {
|
||||
return "", err
|
||||
|
@ -16,3 +16,5 @@ mkdir -p bin/aux && rm bin/mount && ln -sf ../busybox bin/aux/mount
|
||||
|
||||
TRAEFIK_FILE=traefik-${TRAEFIK_VERSION}.tgz
|
||||
curl -sfL https://kubernetes-charts.storage.googleapis.com/${TRAEFIK_FILE} -o ${CHARTS_DIR}/${TRAEFIK_FILE}
|
||||
|
||||
cp scripts/wg-add.sh bin/aux/
|
||||
|
@ -22,7 +22,7 @@ rm -rf build/data
|
||||
mkdir -p build/data build/out
|
||||
mkdir -p dist/artifacts
|
||||
|
||||
tar cvzf ./build/out/data.tar.gz --exclude ./bin/hyperkube ./bin
|
||||
tar cvzf ./build/out/data.tar.gz --exclude ./bin/hyperkube ./bin ./etc
|
||||
HASH=$(sha256sum ./build/out/data.tar.gz | awk '{print $1}')
|
||||
|
||||
cp ./build/out/data.tar.gz ./build/data/${HASH}.tgz
|
||||
|
34
scripts/wg-add.sh
Executable file
34
scripts/wg-add.sh
Executable file
@ -0,0 +1,34 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
auto-mtu() {
|
||||
local mtu=0 endpoint output
|
||||
while read -r _ endpoint; do
|
||||
[[ $endpoint =~ ^\[?([a-z0-9:.]+)\]?:[0-9]+$ ]] || continue
|
||||
output="$(ip route get "${BASH_REMATCH[1]}" || true)"
|
||||
[[ ( $output =~ mtu\ ([0-9]+) || ( $output =~ dev\ ([^ ]+) && $(ip link show dev "${BASH_REMATCH[1]}") =~ mtu\ ([0-9]+) ) ) && ${BASH_REMATCH[1]} -gt $mtu ]] && mtu="${BASH_REMATCH[1]}"
|
||||
done < <(wg show "$1" endpoints)
|
||||
if [[ $mtu -eq 0 ]]; then
|
||||
read -r output < <(ip route show default || true) || true
|
||||
[[ ( $output =~ mtu\ ([0-9]+) || ( $output =~ dev\ ([^ ]+) && $(ip link show dev "${BASH_REMATCH[1]}") =~ mtu\ ([0-9]+) ) ) && ${BASH_REMATCH[1]} -gt $mtu ]] && mtu="${BASH_REMATCH[1]}"
|
||||
fi
|
||||
[[ $mtu -gt 0 ]] || mtu=1500
|
||||
ip link set mtu $(( mtu - 80 )) up dev "$1"
|
||||
}
|
||||
|
||||
# probe for any modules that may be needed
|
||||
modprobe wireguard
|
||||
modprobe tun
|
||||
|
||||
# try wireguard kernel module first
|
||||
ip link add "$1" type wireguard && exit
|
||||
|
||||
# try boringtun and let it drop privileges
|
||||
boringtun "$1" && auto-mtu "$1" && exit
|
||||
|
||||
# try boringtun w/o dropping privileges
|
||||
WG_SUDO=1 boringtun "$1" && auto-mtu "$1" && exit
|
||||
|
||||
# try wireguard-go - p.s. should not use wireguard-go, it leaks memory
|
||||
WG_I_PREFER_BUGGY_USERSPACE_TO_POLISHED_KMOD=1 wireguard-go "$1" && auto-mtu "$1" && exit
|
||||
|
||||
exit 1
|
1
vendor/github.com/bronze1man/goStrongswanVici/.gitignore
generated
vendored
Normal file
1
vendor/github.com/bronze1man/goStrongswanVici/.gitignore
generated
vendored
Normal file
@ -0,0 +1 @@
|
||||
*.swp
|
16
vendor/github.com/bronze1man/goStrongswanVici/.travis.yml
generated
vendored
Normal file
16
vendor/github.com/bronze1man/goStrongswanVici/.travis.yml
generated
vendored
Normal file
@ -0,0 +1,16 @@
|
||||
language: go
|
||||
|
||||
services:
|
||||
- docker
|
||||
|
||||
go:
|
||||
- "1.11.x"
|
||||
|
||||
before_script:
|
||||
- docker-compose up -d strongswan
|
||||
|
||||
script:
|
||||
- docker-compose run app go test -v ./...
|
||||
|
||||
after_script:
|
||||
- docker-compose down -v
|
7
vendor/github.com/bronze1man/goStrongswanVici/Dockerfile
generated
vendored
Normal file
7
vendor/github.com/bronze1man/goStrongswanVici/Dockerfile
generated
vendored
Normal file
@ -0,0 +1,7 @@
|
||||
# Docker image for building the Go app
|
||||
FROM golang:latest
|
||||
|
||||
WORKDIR /app
|
||||
ADD . /app
|
||||
|
||||
RUN GO111MODULE=on go mod download
|
20
vendor/github.com/bronze1man/goStrongswanVici/LICENSE
generated
vendored
Normal file
20
vendor/github.com/bronze1man/goStrongswanVici/LICENSE
generated
vendored
Normal file
@ -0,0 +1,20 @@
|
||||
The MIT License (MIT)
|
||||
|
||||
Copyright (c) 2015 bronze1man
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy of
|
||||
this software and associated documentation files (the "Software"), to deal in
|
||||
the Software without restriction, including without limitation the rights to
|
||||
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
||||
the Software, and to permit persons to whom the Software is furnished to do so,
|
||||
subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
||||
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
||||
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
||||
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
||||
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
167
vendor/github.com/bronze1man/goStrongswanVici/README.md
generated
vendored
Normal file
167
vendor/github.com/bronze1man/goStrongswanVici/README.md
generated
vendored
Normal file
@ -0,0 +1,167 @@
|
||||
strongswan vici golang client
|
||||
=============================
|
||||
[![Build Status](https://travis-ci.org/bronze1man/goStrongswanVici.svg)](https://travis-ci.org/bronze1man/goStrongswanVici)
|
||||
[![GoDoc](https://godoc.org/github.com/bronze1man/goStrongswanVici?status.svg)](https://godoc.org/github.com/bronze1man/goStrongswanVici)
|
||||
[![docs examples](https://sourcegraph.com/api/repos/github.com/bronze1man/goStrongswanVici/badges/docs-examples.png)](https://sourcegraph.com/github.com/bronze1man/goStrongswanVici)
|
||||
[![Total views](https://sourcegraph.com/api/repos/github.com/bronze1man/goStrongswanVici/counters/views.png)](https://sourcegraph.com/github.com/bronze1man/goStrongswanVici)
|
||||
[![GitHub issues](https://img.shields.io/github/issues/bronze1man/goStrongswanVici.svg)](https://github.com/bronze1man/goStrongswanVici/issues)
|
||||
[![GitHub stars](https://img.shields.io/github/stars/bronze1man/goStrongswanVici.svg)](https://github.com/bronze1man/goStrongswanVici/stargazers)
|
||||
[![GitHub forks](https://img.shields.io/github/forks/bronze1man/goStrongswanVici.svg)](https://github.com/bronze1man/goStrongswanVici/network)
|
||||
[![MIT License](http://img.shields.io/badge/license-MIT-blue.svg?style=flat-square)](https://github.com/bronze1man/goStrongswanVici/blob/master/LICENSE)
|
||||
|
||||
a golang implement of strongswan vici plugin client.
|
||||
|
||||
### document
|
||||
* http://godoc.org/github.com/bronze1man/goStrongswanVici
|
||||
* https://github.com/strongswan/strongswan/tree/master/src/libcharon/plugins/vici
|
||||
|
||||
### Implemented command list
|
||||
* version()
|
||||
* list-sas()
|
||||
* get-shared()
|
||||
* terminate()
|
||||
* load-conn()
|
||||
* load-cert()
|
||||
* load-key()
|
||||
* load-pool()
|
||||
* load-shared()
|
||||
* list-conns()
|
||||
* unload-conn()
|
||||
* unload-shared()
|
||||
|
||||
If you need some commands, but it is not here .you can implement yourself, and send a pull request to this project.
|
||||
|
||||
### Testing
|
||||
|
||||
To test the library's functionality, `docker-compose` is used to spin up strongswan in a separate Docker container.
|
||||
|
||||
```bash
|
||||
$ docker-compose up -V
|
||||
Creating network "gostrongswanvici_default" with the default drive
|
||||
Creating volume "gostrongswanvici_charondata" with default driver
|
||||
Creating gostrongswanvici_strongswan_1 ... done
|
||||
Creating gostrongswanvici_go-test_1 ... done
|
||||
Attaching to gostrongswanvici_strongswan_1, gostrongswanvici_go-test_1
|
||||
...
|
||||
go-test_1 | ok github.com/RenaultAI/goStrongswanVici 0.017s
|
||||
gostrongswanvici_go-test_1 exited with code 0
|
||||
```
|
||||
|
||||
### example
|
||||
```go
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"github.com/bronze1man/goStrongswanVici"
|
||||
)
|
||||
|
||||
func main(){
|
||||
// create a client.
|
||||
client, err := goStrongswanVici.NewClientConnFromDefaultSocket()
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
defer client.Close()
|
||||
|
||||
// get strongswan version
|
||||
v, err := client.Version()
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
fmt.Printf("%#v\n", v)
|
||||
|
||||
childConfMap := make(map[string]goStrongswanVici.ChildSAConf)
|
||||
childSAConf := goStrongswanVici.ChildSAConf{
|
||||
Local_ts: []string{"10.10.59.0/24"},
|
||||
Remote_ts: []string{"10.10.40.0/24"},
|
||||
ESPProposals: []string{"aes256-sha256-modp2048"},
|
||||
StartAction: "trap",
|
||||
CloseAction: "restart",
|
||||
Mode: "tunnel",
|
||||
ReqID: "10",
|
||||
RekeyTime: "10m",
|
||||
InstallPolicy: "no",
|
||||
}
|
||||
childConfMap["test-child-conn"] = childSAConf
|
||||
|
||||
localAuthConf := goStrongswanVici.AuthConf{
|
||||
AuthMethod: "psk",
|
||||
}
|
||||
remoteAuthConf := goStrongswanVici.AuthConf{
|
||||
AuthMethod: "psk",
|
||||
}
|
||||
|
||||
ikeConfMap := make(map[string] goStrongswanVici.IKEConf)
|
||||
|
||||
ikeConf := goStrongswanVici.IKEConf{
|
||||
LocalAddrs: []string{"192.168.198.10"},
|
||||
RemoteAddrs: []string{"192.168.198.11"},
|
||||
Proposals: []string{"aes256-sha256-modp2048"},
|
||||
Version: "1",
|
||||
LocalAuth: localAuthConf,
|
||||
RemoteAuth: remoteAuthConf,
|
||||
Children: childConfMap,
|
||||
Encap: "no",
|
||||
}
|
||||
|
||||
ikeConfMap["test-connection"] = ikeConf
|
||||
|
||||
//load connenction information into strongswan
|
||||
err = client.LoadConn(&ikeConfMap)
|
||||
if err != nil {
|
||||
fmt.Printf("error loading connection: %v")
|
||||
panic(err)
|
||||
}
|
||||
|
||||
sharedKey := &goStrongswanVici.Key{
|
||||
Typ: "IKE",
|
||||
Data: "this is the key",
|
||||
Owners: []string{"192.168.198.10"}, //IP of the remote host
|
||||
}
|
||||
|
||||
//load shared key into strongswan
|
||||
err = client.LoadShared(sharedKey)
|
||||
if err != nil {
|
||||
fmt.Printf("error returned from loadsharedkey \n")
|
||||
panic(err)
|
||||
}
|
||||
|
||||
//list-conns
|
||||
connList, err := client.ListConns("")
|
||||
if err != nil {
|
||||
fmt.Printf("error list-conns: %v \n", err)
|
||||
}
|
||||
|
||||
for _, connection := range connList {
|
||||
fmt.Printf("connection map: %v", connection)
|
||||
}
|
||||
|
||||
// get all conns info from strongswan
|
||||
connInfo, err := client.ListAllVpnConnInfo()
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
fmt.Printf("found %d connections. \n", len(connInfo))
|
||||
|
||||
//unload connection from strongswan
|
||||
unloadConnReq := &goStrongswanVici.UnloadConnRequest{
|
||||
Name: "test-connection",
|
||||
}
|
||||
err = client.UnloadConn(unloadConnReq)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
// kill all conns in strongswan
|
||||
for _, info := range connInfo {
|
||||
fmt.Printf("kill connection id %s\n", info.Uniqueid)
|
||||
err = client.Terminate(&goStrongswanVici.TerminateRequest{
|
||||
Ike_id: info.Uniqueid,
|
||||
})
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
79
vendor/github.com/bronze1man/goStrongswanVici/client.go
generated
vendored
Normal file
79
vendor/github.com/bronze1man/goStrongswanVici/client.go
generated
vendored
Normal file
@ -0,0 +1,79 @@
|
||||
package goStrongswanVici
|
||||
|
||||
import (
|
||||
"net"
|
||||
)
|
||||
|
||||
type ClientOptions struct {
|
||||
Network string
|
||||
Addr string
|
||||
// Dialer creates new network connection and has priority over
|
||||
// Network and Addr options.
|
||||
Dialer func() (net.Conn, error)
|
||||
}
|
||||
|
||||
type Client struct {
|
||||
o ClientOptions
|
||||
}
|
||||
|
||||
func NewClient(options ClientOptions) (client *Client) {
|
||||
if options.Dialer == nil {
|
||||
options.Dialer = func() (net.Conn, error) {
|
||||
return net.Dial(options.Network, options.Addr)
|
||||
}
|
||||
}
|
||||
return &Client{
|
||||
o: options,
|
||||
}
|
||||
}
|
||||
|
||||
func NewClientFromDefaultSocket() (client *Client) {
|
||||
return NewClient(ClientOptions{
|
||||
Network: "unix",
|
||||
Addr: "/var/run/charon.vici",
|
||||
})
|
||||
}
|
||||
|
||||
func (c *Client) NewConn() (conn *ClientConn, err error) {
|
||||
conn1, err := c.o.Dialer()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return NewClientConn(conn1), nil
|
||||
}
|
||||
|
||||
func (c *Client) ListSas(ike string, ike_id string) (sas []map[string]IkeSa, err error) {
|
||||
conn, err := c.NewConn()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer conn.Close()
|
||||
return conn.ListSas(ike, ike_id)
|
||||
}
|
||||
|
||||
func (c *Client) ListAllVpnConnInfo() (list []VpnConnInfo, err error) {
|
||||
conn, err := c.NewConn()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer conn.Close()
|
||||
return conn.ListAllVpnConnInfo()
|
||||
}
|
||||
|
||||
func (c *Client) Version() (out *Version, err error) {
|
||||
conn, err := c.NewConn()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer conn.Close()
|
||||
return conn.Version()
|
||||
}
|
||||
|
||||
func (c *Client) Terminate(r *TerminateRequest) (err error) {
|
||||
conn, err := c.NewConn()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer conn.Close()
|
||||
return conn.Terminate(r)
|
||||
}
|
154
vendor/github.com/bronze1man/goStrongswanVici/clientConn.go
generated
vendored
Normal file
154
vendor/github.com/bronze1man/goStrongswanVici/clientConn.go
generated
vendored
Normal file
@ -0,0 +1,154 @@
|
||||
package goStrongswanVici
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"io"
|
||||
"net"
|
||||
"time"
|
||||
)
|
||||
|
||||
const (
|
||||
DefaultReadTimeout = 15 * time.Second
|
||||
)
|
||||
|
||||
// This object is not thread safe.
|
||||
// if you want concurrent, you need create more clients.
|
||||
type ClientConn struct {
|
||||
conn net.Conn
|
||||
responseChan chan segment
|
||||
eventHandlers map[string]func(response map[string]interface{})
|
||||
lastError error
|
||||
|
||||
// ReadTimeout specifies a time limit for requests made
|
||||
// by this client.
|
||||
ReadTimeout time.Duration
|
||||
}
|
||||
|
||||
func (c *ClientConn) Close() error {
|
||||
close(c.responseChan)
|
||||
c.lastError = io.ErrClosedPipe
|
||||
return c.conn.Close()
|
||||
}
|
||||
|
||||
func NewClientConn(conn net.Conn) (client *ClientConn) {
|
||||
client = &ClientConn{
|
||||
conn: conn,
|
||||
responseChan: make(chan segment, 2),
|
||||
eventHandlers: map[string]func(response map[string]interface{}){},
|
||||
ReadTimeout: DefaultReadTimeout,
|
||||
}
|
||||
go client.readThread()
|
||||
return client
|
||||
}
|
||||
|
||||
// it dial from unix:///var/run/charon.vici
|
||||
func NewClientConnFromDefaultSocket() (client *ClientConn, err error) {
|
||||
conn, err := net.Dial("unix", "/var/run/charon.vici")
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
return NewClientConn(conn), nil
|
||||
}
|
||||
|
||||
func (c *ClientConn) Request(apiname string, request map[string]interface{}) (response map[string]interface{}, err error) {
|
||||
err = writeSegment(c.conn, segment{
|
||||
typ: stCMD_REQUEST,
|
||||
name: apiname,
|
||||
msg: request,
|
||||
})
|
||||
if err != nil {
|
||||
fmt.Printf("error writing segment \n")
|
||||
return
|
||||
}
|
||||
|
||||
outMsg := c.readResponse()
|
||||
if c.lastError != nil {
|
||||
return nil, c.lastError
|
||||
}
|
||||
if outMsg.typ != stCMD_RESPONSE {
|
||||
return nil, fmt.Errorf("[%s] response error %d", apiname, outMsg.typ)
|
||||
}
|
||||
return outMsg.msg, nil
|
||||
}
|
||||
|
||||
func (c *ClientConn) readResponse() segment {
|
||||
select {
|
||||
case outMsg := <-c.responseChan:
|
||||
return outMsg
|
||||
case <-time.After(c.ReadTimeout):
|
||||
if c.lastError == nil {
|
||||
c.lastError = fmt.Errorf("Timeout waiting for message response")
|
||||
}
|
||||
return segment{}
|
||||
}
|
||||
}
|
||||
|
||||
func (c *ClientConn) RegisterEvent(name string, handler func(response map[string]interface{})) (err error) {
|
||||
if c.eventHandlers[name] != nil {
|
||||
return fmt.Errorf("[event %s] register a event twice.", name)
|
||||
}
|
||||
c.eventHandlers[name] = handler
|
||||
err = writeSegment(c.conn, segment{
|
||||
typ: stEVENT_REGISTER,
|
||||
name: name,
|
||||
})
|
||||
if err != nil {
|
||||
delete(c.eventHandlers, name)
|
||||
return
|
||||
}
|
||||
outMsg := c.readResponse()
|
||||
//fmt.Printf("registerEvent %#v\n", outMsg)
|
||||
if c.lastError != nil {
|
||||
delete(c.eventHandlers, name)
|
||||
return c.lastError
|
||||
}
|
||||
|
||||
if outMsg.typ != stEVENT_CONFIRM {
|
||||
delete(c.eventHandlers, name)
|
||||
return fmt.Errorf("[event %s] response error %d", name, outMsg.typ)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *ClientConn) UnregisterEvent(name string) (err error) {
|
||||
err = writeSegment(c.conn, segment{
|
||||
typ: stEVENT_UNREGISTER,
|
||||
name: name,
|
||||
})
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
outMsg := c.readResponse()
|
||||
//fmt.Printf("UnregisterEvent %#v\n", outMsg)
|
||||
if c.lastError != nil {
|
||||
return c.lastError
|
||||
}
|
||||
|
||||
if outMsg.typ != stEVENT_CONFIRM {
|
||||
return fmt.Errorf("[event %s] response error %d", name, outMsg.typ)
|
||||
}
|
||||
delete(c.eventHandlers, name)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *ClientConn) readThread() {
|
||||
for {
|
||||
outMsg, err := readSegment(c.conn)
|
||||
if err != nil {
|
||||
c.lastError = err
|
||||
return
|
||||
}
|
||||
switch outMsg.typ {
|
||||
case stCMD_RESPONSE, stEVENT_CONFIRM:
|
||||
c.responseChan <- outMsg
|
||||
case stEVENT:
|
||||
handler := c.eventHandlers[outMsg.name]
|
||||
if handler != nil {
|
||||
handler(outMsg.msg)
|
||||
}
|
||||
default:
|
||||
c.lastError = fmt.Errorf("[Client.readThread] unknow msg type %d", outMsg.typ)
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
5
vendor/github.com/bronze1man/goStrongswanVici/doc.go
generated
vendored
Normal file
5
vendor/github.com/bronze1man/goStrongswanVici/doc.go
generated
vendored
Normal file
@ -0,0 +1,5 @@
|
||||
/*
|
||||
a golang implement of strongswan vici plugin client.
|
||||
https://github.com/strongswan/strongswan/tree/master/src/libcharon/plugins/vici
|
||||
*/
|
||||
package goStrongswanVici
|
22
vendor/github.com/bronze1man/goStrongswanVici/docker-compose.yaml
generated
vendored
Normal file
22
vendor/github.com/bronze1man/goStrongswanVici/docker-compose.yaml
generated
vendored
Normal file
@ -0,0 +1,22 @@
|
||||
version: '3.3'
|
||||
services:
|
||||
strongswan:
|
||||
image: philplckthun/strongswan
|
||||
ports:
|
||||
- "500:500/udp"
|
||||
- "4500:4500/udp"
|
||||
- "1701:1701/udp"
|
||||
privileged: true
|
||||
volumes:
|
||||
- "charondata:/var/run"
|
||||
|
||||
app:
|
||||
build: .
|
||||
volumes:
|
||||
- ".:/app"
|
||||
- "charondata:/var/run"
|
||||
depends_on:
|
||||
- strongswan
|
||||
|
||||
volumes:
|
||||
charondata:
|
24
vendor/github.com/bronze1man/goStrongswanVici/err.go
generated
vendored
Normal file
24
vendor/github.com/bronze1man/goStrongswanVici/err.go
generated
vendored
Normal file
@ -0,0 +1,24 @@
|
||||
package goStrongswanVici
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
)
|
||||
|
||||
func handlePanic(f func() error) (err error) {
|
||||
defer func() {
|
||||
r := recover()
|
||||
//no panic
|
||||
if r == nil {
|
||||
return
|
||||
}
|
||||
//panic a error
|
||||
if e, ok := r.(error); ok {
|
||||
err = e
|
||||
return
|
||||
}
|
||||
//panic another stuff
|
||||
err = fmt.Errorf("%s", r)
|
||||
}()
|
||||
err = f()
|
||||
return
|
||||
}
|
7
vendor/github.com/bronze1man/goStrongswanVici/go.mod
generated
vendored
Normal file
7
vendor/github.com/bronze1man/goStrongswanVici/go.mod
generated
vendored
Normal file
@ -0,0 +1,7 @@
|
||||
module github.com/bronze1man/goStrongswanVici
|
||||
|
||||
require (
|
||||
github.com/davecgh/go-spew v1.1.1 // indirect
|
||||
github.com/pmezard/go-difflib v1.0.0 // indirect
|
||||
github.com/stretchr/testify v1.2.2
|
||||
)
|
6
vendor/github.com/bronze1man/goStrongswanVici/go.sum
generated
vendored
Normal file
6
vendor/github.com/bronze1man/goStrongswanVici/go.sum
generated
vendored
Normal file
@ -0,0 +1,6 @@
|
||||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
||||
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
|
||||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||
github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
|
||||
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
|
25
vendor/github.com/bronze1man/goStrongswanVici/initiate.go
generated
vendored
Normal file
25
vendor/github.com/bronze1man/goStrongswanVici/initiate.go
generated
vendored
Normal file
@ -0,0 +1,25 @@
|
||||
package goStrongswanVici
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
)
|
||||
|
||||
// Initiate is used to initiate an SA. This is the
|
||||
// equivalent of `swanctl --initiate -c childname`
|
||||
func (c *ClientConn) Initiate(child string, ike string) (err error) {
|
||||
inMap := map[string]interface{}{}
|
||||
if child != "" {
|
||||
inMap["child"] = child
|
||||
}
|
||||
if ike != "" {
|
||||
inMap["ike"] = ike
|
||||
}
|
||||
msg, err := c.Request("initiate", inMap)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if msg["success"] != "yes" {
|
||||
return fmt.Errorf("unsuccessful Initiate: %v", msg["errmsg"])
|
||||
}
|
||||
return nil
|
||||
}
|
47
vendor/github.com/bronze1man/goStrongswanVici/listConns.go
generated
vendored
Normal file
47
vendor/github.com/bronze1man/goStrongswanVici/listConns.go
generated
vendored
Normal file
@ -0,0 +1,47 @@
|
||||
package goStrongswanVici
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
)
|
||||
|
||||
func (c *ClientConn) ListConns(ike string) ([]map[string]IKEConf, error) {
|
||||
conns := []map[string]IKEConf{}
|
||||
var eventErr error
|
||||
var err error
|
||||
|
||||
err = c.RegisterEvent("list-conn", func(response map[string]interface{}) {
|
||||
conn := &map[string]IKEConf{}
|
||||
err = ConvertFromGeneral(response, conn)
|
||||
if err != nil {
|
||||
eventErr = fmt.Errorf("list-conn event error: %v", err)
|
||||
return
|
||||
}
|
||||
conns = append(conns, *conn)
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error registering list-conn event: %v", err)
|
||||
}
|
||||
|
||||
if eventErr != nil {
|
||||
return nil, eventErr
|
||||
}
|
||||
|
||||
reqMap := map[string]interface{}{}
|
||||
|
||||
if ike != "" {
|
||||
reqMap["ike"] = ike
|
||||
}
|
||||
|
||||
_, err = c.Request("list-conns", reqMap)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error requesting list-conns: %v", err)
|
||||
}
|
||||
|
||||
err = c.UnregisterEvent("list-conn")
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error unregistering list-conns event: %v", err)
|
||||
}
|
||||
|
||||
return conns, nil
|
||||
}
|
176
vendor/github.com/bronze1man/goStrongswanVici/listSas.go
generated
vendored
Normal file
176
vendor/github.com/bronze1man/goStrongswanVici/listSas.go
generated
vendored
Normal file
@ -0,0 +1,176 @@
|
||||
package goStrongswanVici
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"strconv"
|
||||
)
|
||||
|
||||
//from list-sa event
|
||||
type IkeSa struct {
|
||||
Uniqueid string `json:"uniqueid"` //called ike_id in terminate() argument.
|
||||
Version string `json:"version"`
|
||||
State string `json:"state"` //had saw: ESTABLISHED
|
||||
Local_host string `json:"local-host"`
|
||||
Local_port string `json:"local-port"`
|
||||
Local_id string `json:"local-id"`
|
||||
Remote_host string `json:"remote-host"`
|
||||
Remote_port string `json:"remote-port"`
|
||||
Remote_id string `json:"remote-id"`
|
||||
Remote_xauth_id string `json:"remote-xauth-id"` //client username
|
||||
Initiator string `json:"initiator"`
|
||||
Initiator_spi string `json:"initiator-spi"`
|
||||
Responder_spi string `json:"responder-spi"`
|
||||
Encr_alg string `json:"encr-alg"`
|
||||
Encr_keysize string `json:"encr-keysize"`
|
||||
Integ_alg string `json:"integ-alg"`
|
||||
Integ_keysize string `json:"integ-keysize"`
|
||||
Prf_alg string `json:"prf-alg"`
|
||||
Dh_group string `json:"dh-group"`
|
||||
Established string `json:"established"`
|
||||
Rekey_time string `json:"rekey-time"`
|
||||
Reauth_time string `json:"reauth-time"`
|
||||
Remote_vips []string `json:"remote-vips"`
|
||||
Child_sas map[string]Child_sas `json:"child-sas"` //key means child-sa-name(conn name in ipsec.conf)
|
||||
}
|
||||
|
||||
type Child_sas struct {
|
||||
Reqid string `json:"reqid"`
|
||||
State string `json:"state"` //had saw: INSTALLED
|
||||
Mode string `json:"mode"` //had saw: TUNNEL
|
||||
Protocol string `json:"protocol"`
|
||||
Encap string `json:"encap"`
|
||||
Spi_in string `json:"spi-in"`
|
||||
Spi_out string `json:"spi-out"`
|
||||
Cpi_in string `json:"cpi-in"`
|
||||
Cpi_out string `json:"cpi-out"`
|
||||
Encr_alg string `json:"encr-alg"`
|
||||
Encr_keysize string `json:"encr-keysize"`
|
||||
Integ_alg string `json:"integ-alg"`
|
||||
Integ_keysize string `json:"integ-keysize"`
|
||||
Prf_alg string `json:"prf-alg"`
|
||||
Dh_group string `json:"dh-group"`
|
||||
Esn string `json:"esn"`
|
||||
Bytes_in string `json:"bytes-in"` //bytes into this machine
|
||||
Packets_in string `json:"packets-in"`
|
||||
Use_in string `json:"use-in"`
|
||||
Bytes_out string `json:"bytes-out"` // bytes out of this machine
|
||||
Packets_out string `json:"packets-out"`
|
||||
Use_out string `json:"use-out"`
|
||||
Rekey_time string `json:"rekey-time"`
|
||||
Life_time string `json:"life-time"`
|
||||
Install_time string `json:"install-time"`
|
||||
Local_ts []string `json:"local-ts"`
|
||||
Remote_ts []string `json:"remote-ts"`
|
||||
}
|
||||
|
||||
func (s *Child_sas) GetBytesIn() uint64 {
|
||||
num, err := strconv.ParseUint(s.Bytes_in, 10, 64)
|
||||
if err != nil {
|
||||
return 0
|
||||
}
|
||||
return num
|
||||
}
|
||||
|
||||
func (s *Child_sas) GetBytesOut() uint64 {
|
||||
num, err := strconv.ParseUint(s.Bytes_out, 10, 64)
|
||||
if err != nil {
|
||||
return 0
|
||||
}
|
||||
return num
|
||||
}
|
||||
|
||||
// To be simple, list all clients that are connecting to this server .
|
||||
// A client is a sa.
|
||||
// Lists currently active IKE_SAs
|
||||
func (c *ClientConn) ListSas(ike string, ike_id string) (sas []map[string]IkeSa, err error) {
|
||||
sas = []map[string]IkeSa{}
|
||||
var eventErr error
|
||||
//register event
|
||||
err = c.RegisterEvent("list-sa", func(response map[string]interface{}) {
|
||||
sa := &map[string]IkeSa{}
|
||||
err = ConvertFromGeneral(response, sa)
|
||||
if err != nil {
|
||||
fmt.Printf("list-sa event error: %s\n", err)
|
||||
eventErr = err
|
||||
return
|
||||
}
|
||||
sas = append(sas, *sa)
|
||||
//fmt.Printf("event %#v\n", response)
|
||||
})
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
if eventErr != nil {
|
||||
return
|
||||
}
|
||||
|
||||
inMap := map[string]interface{}{}
|
||||
if ike != "" {
|
||||
inMap["ike"] = ike
|
||||
}
|
||||
if ike_id != "" {
|
||||
inMap["ike_id"] = ike_id
|
||||
}
|
||||
_, err = c.Request("list-sas", inMap)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
//fmt.Printf("request finish %#v\n", sas)
|
||||
err = c.UnregisterEvent("list-sa")
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
//a vpn conn in the strongswan server
|
||||
type VpnConnInfo struct {
|
||||
IkeSa
|
||||
Child_sas
|
||||
IkeSaName string //looks like conn name in ipsec.conf, content is same as ChildSaName
|
||||
ChildSaName string //looks like conn name in ipsec.conf
|
||||
}
|
||||
|
||||
func (c *VpnConnInfo) GuessUserName() string {
|
||||
if c.Remote_xauth_id != "" {
|
||||
return c.Remote_xauth_id
|
||||
}
|
||||
if c.Remote_id != "" {
|
||||
return c.Remote_id
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
// a helper method to avoid complex data struct in ListSas
|
||||
// if it only have one child_sas ,it will put it into info.Child_sas
|
||||
func (c *ClientConn) ListAllVpnConnInfo() (list []VpnConnInfo, err error) {
|
||||
sasList, err := c.ListSas("", "")
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
list = make([]VpnConnInfo, len(sasList))
|
||||
for i, sa := range sasList {
|
||||
info := VpnConnInfo{}
|
||||
if len(sa) != 1 {
|
||||
fmt.Printf("[vici.ListAllVpnConnInfo] warning: len(sa)[%d]!=1\n", len(sa))
|
||||
}
|
||||
for ikeSaName, ikeSa := range sa {
|
||||
info.IkeSaName = ikeSaName
|
||||
info.IkeSa = ikeSa
|
||||
//if len(ikeSa.Child_sas) != 1 {
|
||||
// fmt.Println("[vici.ListAllVpnConnInfo] warning: len(ikeSa.Child_sas)[%d]!=1", len(ikeSa.Child_sas))
|
||||
//}
|
||||
for childSaName, childSa := range ikeSa.Child_sas {
|
||||
info.ChildSaName = childSaName
|
||||
info.Child_sas = childSa
|
||||
break
|
||||
}
|
||||
break
|
||||
}
|
||||
if len(info.IkeSa.Child_sas) == 1 {
|
||||
info.IkeSa.Child_sas = nil
|
||||
}
|
||||
list[i] = info
|
||||
}
|
||||
return
|
||||
}
|
37
vendor/github.com/bronze1man/goStrongswanVici/loadCert.go
generated
vendored
Normal file
37
vendor/github.com/bronze1man/goStrongswanVici/loadCert.go
generated
vendored
Normal file
@ -0,0 +1,37 @@
|
||||
package goStrongswanVici
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
)
|
||||
|
||||
type certPayload struct {
|
||||
Typ string `json:"type"` // (X509|X509_AC|X509_CRL)
|
||||
Flag string `json:"flag"` // (CA|AA|OCSP|NONE)
|
||||
Data string `json:"data"`
|
||||
}
|
||||
|
||||
func (c *ClientConn) LoadCertificate(s string, typ string, flag string) (err error) {
|
||||
requestMap := &map[string]interface{}{}
|
||||
|
||||
var k = certPayload{
|
||||
Typ: typ,
|
||||
Flag: flag,
|
||||
Data: s,
|
||||
}
|
||||
|
||||
if err = ConvertToGeneral(k, requestMap); err != nil {
|
||||
return fmt.Errorf("error creating request: %v", err)
|
||||
}
|
||||
|
||||
msg, err := c.Request("load-cert", *requestMap)
|
||||
|
||||
if err != nil {
|
||||
return fmt.Errorf("unsuccessful loadCert: %v", err.Error())
|
||||
}
|
||||
|
||||
if msg["success"] != "yes" {
|
||||
return fmt.Errorf("unsuccessful loadCert: %v", msg["success"])
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
68
vendor/github.com/bronze1man/goStrongswanVici/loadConn.go
generated
vendored
Normal file
68
vendor/github.com/bronze1man/goStrongswanVici/loadConn.go
generated
vendored
Normal file
@ -0,0 +1,68 @@
|
||||
package goStrongswanVici
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
)
|
||||
|
||||
type Connection struct {
|
||||
ConnConf map[string]IKEConf `json:"connections"`
|
||||
}
|
||||
|
||||
type IKEConf struct {
|
||||
LocalAddrs []string `json:"local_addrs"`
|
||||
RemoteAddrs []string `json:"remote_addrs,omitempty"`
|
||||
Proposals []string `json:"proposals,omitempty"`
|
||||
Version string `json:"version"` //1 for ikev1, 0 for ikev1 & ikev2
|
||||
Encap string `json:"encap"` //yes,no
|
||||
KeyingTries string `json:"keyingtries"`
|
||||
RekeyTime string `json:"rekey_time"`
|
||||
DPDDelay string `json:"dpd_delay,omitempty"`
|
||||
LocalAuth AuthConf `json:"local"`
|
||||
RemoteAuth AuthConf `json:"remote"`
|
||||
Pools []string `json:"pools,omitempty"`
|
||||
Children map[string]ChildSAConf `json:"children"`
|
||||
}
|
||||
|
||||
type AuthConf struct {
|
||||
ID string `json:"id"`
|
||||
Round string `json:"round,omitempty"`
|
||||
AuthMethod string `json:"auth"` // (psk|pubkey)
|
||||
EAP_ID string `json:"eap_id,omitempty"`
|
||||
}
|
||||
|
||||
type ChildSAConf struct {
|
||||
Local_ts []string `json:"local_ts"`
|
||||
Remote_ts []string `json:"remote_ts"`
|
||||
ESPProposals []string `json:"esp_proposals,omitempty"` //aes128-sha1_modp1024
|
||||
StartAction string `json:"start_action"` //none,trap,start
|
||||
CloseAction string `json:"close_action"`
|
||||
ReqID string `json:"reqid,omitempty"`
|
||||
RekeyTime string `json:"rekey_time"`
|
||||
ReplayWindow string `json:"replay_window,omitempty"`
|
||||
Mode string `json:"mode"`
|
||||
InstallPolicy string `json:"policies"`
|
||||
UpDown string `json:"updown,omitempty"`
|
||||
Priority string `json:"priority,omitempty"`
|
||||
MarkIn string `json:"mark_in,omitempty"`
|
||||
MarkOut string `json:"mark_out,omitempty"`
|
||||
DpdAction string `json:"dpd_action,omitempty"`
|
||||
LifeTime string `json:"life_time,omitempty"`
|
||||
}
|
||||
|
||||
func (c *ClientConn) LoadConn(conn *map[string]IKEConf) error {
|
||||
requestMap := &map[string]interface{}{}
|
||||
|
||||
err := ConvertToGeneral(conn, requestMap)
|
||||
|
||||
if err != nil {
|
||||
return fmt.Errorf("error creating request: %v", err)
|
||||
}
|
||||
|
||||
msg, err := c.Request("load-conn", *requestMap)
|
||||
|
||||
if msg["success"] != "yes" {
|
||||
return fmt.Errorf("unsuccessful LoadConn: %v", msg["errmsg"])
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
66
vendor/github.com/bronze1man/goStrongswanVici/loadPrivateKey.go
generated
vendored
Normal file
66
vendor/github.com/bronze1man/goStrongswanVici/loadPrivateKey.go
generated
vendored
Normal file
@ -0,0 +1,66 @@
|
||||
package goStrongswanVici
|
||||
|
||||
import (
|
||||
"crypto/ecdsa"
|
||||
"crypto/rsa"
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
)
|
||||
|
||||
type keyPayload struct {
|
||||
Typ string `json:"type"`
|
||||
Data string `json:"data"`
|
||||
}
|
||||
|
||||
// LoadECDSAPrivateKey encodes a *ecdsa.PrivateKey as a PEM block before sending
|
||||
// it to the Vici interface
|
||||
func (c *ClientConn) LoadECDSAPrivateKey(key *ecdsa.PrivateKey) error {
|
||||
mk, err := x509.MarshalECPrivateKey(key)
|
||||
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
var pemData = pem.EncodeToMemory(&pem.Block{
|
||||
Type: "ECDSA PRIVATE KEY",
|
||||
Bytes: mk,
|
||||
})
|
||||
|
||||
return c.loadPrivateKey("ECDSA", string(pemData))
|
||||
}
|
||||
|
||||
// LoadRSAPrivateKey encodes a *rsa.PrivateKey as a PEM block before sending
|
||||
// it to the Vici interface
|
||||
func (c *ClientConn) LoadRSAPrivateKey(key *rsa.PrivateKey) error {
|
||||
var mk = x509.MarshalPKCS1PrivateKey(key)
|
||||
|
||||
var pemData = pem.EncodeToMemory(&pem.Block{
|
||||
Type: "RSA PRIVATE KEY",
|
||||
Bytes: mk,
|
||||
})
|
||||
|
||||
return c.loadPrivateKey("RSA", string(pemData))
|
||||
}
|
||||
|
||||
// loadPrivateKey expects typ to be (RSA|ECDSA) and a PEM encoded data as a
|
||||
// string
|
||||
func (c *ClientConn) loadPrivateKey(typ, data string) (err error) {
|
||||
requestMap := &map[string]interface{}{}
|
||||
|
||||
var k = keyPayload{
|
||||
Typ: typ,
|
||||
Data: data,
|
||||
}
|
||||
|
||||
if err = ConvertToGeneral(k, requestMap); err != nil {
|
||||
return fmt.Errorf("error creating request: %v", err)
|
||||
}
|
||||
|
||||
msg, err := c.Request("load-key", *requestMap)
|
||||
if msg["success"] != "yes" {
|
||||
return fmt.Errorf("unsuccessful loadPrivateKey: %v", msg["success"])
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
29
vendor/github.com/bronze1man/goStrongswanVici/marshal.go
generated
vendored
Normal file
29
vendor/github.com/bronze1man/goStrongswanVici/marshal.go
generated
vendored
Normal file
@ -0,0 +1,29 @@
|
||||
package goStrongswanVici
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
)
|
||||
|
||||
//concrete data type to general data type
|
||||
// concrete data type like *Version
|
||||
// general data type include map[string]interface{} []string string
|
||||
// TODO make it faster
|
||||
func ConvertToGeneral(concrete interface{}, general interface{}) (err error) {
|
||||
b, err := json.Marshal(concrete)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
return json.Unmarshal(b, general)
|
||||
}
|
||||
|
||||
// general data type to concrete data type
|
||||
// concrete data type like *Version
|
||||
// general data type include map[string]interface{} []string string
|
||||
// TODO make it faster
|
||||
func ConvertFromGeneral(general interface{}, concrete interface{}) (err error) {
|
||||
b, err := json.Marshal(general)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
return json.Unmarshal(b, concrete)
|
||||
}
|
251
vendor/github.com/bronze1man/goStrongswanVici/monitorSA.go
generated
vendored
Normal file
251
vendor/github.com/bronze1man/goStrongswanVici/monitorSA.go
generated
vendored
Normal file
@ -0,0 +1,251 @@
|
||||
package goStrongswanVici
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/json"
|
||||
"time"
|
||||
)
|
||||
|
||||
const (
|
||||
EVENT_IKE_UPDOWN = "ike-updown"
|
||||
EVENT_IKE_REKEY = "ike-rekey"
|
||||
EVENT_CHILD_UPDOWN = "child-updown"
|
||||
EVENT_CHILD_REKEY = "child-rekey"
|
||||
)
|
||||
|
||||
type EventIkeSAUpDown struct {
|
||||
Child_sas map[string]*EventChildSAUpDown `json:"child-sas"`
|
||||
Dh_group string `json:"dh-group"`
|
||||
Encr_keysize string `json:"encr-keysize"`
|
||||
Encr_alg string `json:"encr-alg"`
|
||||
Established string `json:"established"`
|
||||
Initiator_spi string `json:"initiator-spi"`
|
||||
Integ_alg string `json:"integ-alg"`
|
||||
Local_id string `json:"local-id"`
|
||||
Local_host string `json:"local-host"`
|
||||
Local_port string `json:"local-port"`
|
||||
Nat_any string `json:"nat-any"`
|
||||
Nat_remote string `json:"nat-remote"`
|
||||
Prf_alg string `json:"prf-alg"`
|
||||
Rekey_time string `json:"rekey-time"`
|
||||
Remote_id string `json:"remote-id"`
|
||||
Remote_host string `json:"remote-host"`
|
||||
Remote_port string `json:"remote-port"`
|
||||
Responder_spi string `json:"responder-spi"`
|
||||
State string `json:"state"`
|
||||
Task_Active []string `json:"tasks-active"`
|
||||
Uniqueid string `json:"uniqueid"`
|
||||
Version string `json:"version"`
|
||||
}
|
||||
|
||||
type EventChildSAUpDown struct {
|
||||
Bytes_in string `json:"bytes-in"`
|
||||
Bytes_out string `json:"bytes-out"`
|
||||
Encap string `json:"encap"`
|
||||
Encr_alg string `json:"encr-alg"`
|
||||
Encr_keysize string `json:"encr-keysize"`
|
||||
Integ_alg string `json:"integ-alg"`
|
||||
Install_time string `json:"install-time"`
|
||||
Life_time string `json:"life-time"`
|
||||
Local_ts []string `json:"local-ts"`
|
||||
Mode string `json:"mode"`
|
||||
Name string `json:"name"`
|
||||
Protocol string `json:"protocol"`
|
||||
Packets_out string `json:"packets-out"`
|
||||
Packets_in string `json:"packets-in"`
|
||||
Rekey_time string `json:"rekey-time"`
|
||||
Remote_ts []string `json:"remote-ts"`
|
||||
Reqid string `json:"reqid"`
|
||||
Spi_in string `json:"spi-in"`
|
||||
Spi_out string `json:"spi-out"`
|
||||
State string `json:"state"`
|
||||
UniqueId string `json:"uniqueid"`
|
||||
}
|
||||
|
||||
type EventIkeRekeyPair struct {
|
||||
New EventIkeRekeySA `json:"new"`
|
||||
Old EventIkeRekeySA `json:"old"`
|
||||
}
|
||||
|
||||
type EventIkeRekeySA struct {
|
||||
Child_sas map[string]*EventChildRekeyPair `json:"child-sas"`
|
||||
Dh_group string `json:"dh-group"`
|
||||
Encr_alg string `json:"encr-alg"`
|
||||
Encr_keysize string `json:"encr-keysize"`
|
||||
Established string `json:"established"`
|
||||
Initiator_spi string `json:"initiator-spi"`
|
||||
Integ_alg string `json:"integ-alg"`
|
||||
Local_host string `json:"local-host"`
|
||||
Local_port string `json:"local-port"`
|
||||
Local_id string `json:"local-id"`
|
||||
Nat_any string `json:"nat-any"`
|
||||
Nat_remote string `json:"nat-remote"`
|
||||
Prf_alg string `json:"prf-alg"`
|
||||
Rekey_time string `json:"rekey-time"`
|
||||
Remote_id string `json:"remote-id"`
|
||||
Remote_host string `json:"remote-host"`
|
||||
Remote_port string `json:"remote-port"`
|
||||
Responder_spi string `json:"responder-spi"`
|
||||
State string `json:"state"`
|
||||
Task_Active []string `json:"tasks-active"`
|
||||
Task_Passive []string `json:"tasks-passive"`
|
||||
Uniqueid string `json:"uniqueid"`
|
||||
Version string `json:"version"`
|
||||
}
|
||||
|
||||
type EventChildRekeyPair struct {
|
||||
New EventChildRekeySA `json:"new"`
|
||||
Old EventChildRekeySA `json:"old"`
|
||||
}
|
||||
|
||||
type EventChildRekeySA struct {
|
||||
Bytes_in string `json:"bytes-in"`
|
||||
Bytes_out string `json:"bytes-out"`
|
||||
Encap string `json:"encap"`
|
||||
Encr_alg string `json:"encr-alg"`
|
||||
Encr_keysize string `json:"encr-keysize"`
|
||||
Integ_alg string `json:"integ-alg"`
|
||||
Install_time string `json:"install-time"`
|
||||
Life_time string `json:"life-time"`
|
||||
Local_ts []string `json:"local-ts"`
|
||||
Mode string `json:"mode"`
|
||||
Name string `json:"name"`
|
||||
Packets_in string `json:"packets-in"`
|
||||
Packets_out string `json:"packets-out"`
|
||||
Protocol string `json:"protocol"`
|
||||
Remote_ts []string `json:"remote-ts"`
|
||||
Rekey_time string `json:"rekey-time"`
|
||||
Reqid string `json:"reqid"`
|
||||
Spi_in string `json:"spi-in"`
|
||||
Spi_out string `json:"spi-out"`
|
||||
State string `json:"state"`
|
||||
Use_in string `json:"use-in"`
|
||||
Use_out string `json:"use-out"`
|
||||
UniqueId string `json:"uniqueid"`
|
||||
}
|
||||
|
||||
type EventIkeUpDown struct {
|
||||
Up bool
|
||||
Ike map[string]*EventIkeSAUpDown
|
||||
}
|
||||
|
||||
type EventIkeRekey struct {
|
||||
Ike map[string]*EventIkeRekeyPair
|
||||
}
|
||||
|
||||
type EventChildRekey struct {
|
||||
Ike map[string]*EventIkeRekeySA
|
||||
}
|
||||
|
||||
type EventChildUpDown struct {
|
||||
Up bool
|
||||
Ike map[string]*EventIkeSAUpDown
|
||||
}
|
||||
|
||||
type EventIkeSa struct {
|
||||
IkeSa
|
||||
TasksActive []string `json:"tasks-active"`
|
||||
}
|
||||
|
||||
type EventInfo struct {
|
||||
Up bool
|
||||
Ike map[string]*EventIkeSa
|
||||
}
|
||||
|
||||
func prettyprint(b []byte) string {
|
||||
var out bytes.Buffer
|
||||
json.Indent(&out, b, "", " ")
|
||||
return string(out.Bytes())
|
||||
}
|
||||
|
||||
type monitorCallBack func(event string, info interface{})
|
||||
|
||||
|
||||
func handleIkeUpDown(eventName string, callback monitorCallBack, response map[string]interface{}) {
|
||||
event := &EventIkeUpDown{}
|
||||
event.Ike = map[string]*EventIkeSAUpDown{}
|
||||
//we need to marshall all ikes manual because json uses connections names as key
|
||||
for name := range response {
|
||||
value := response[name]
|
||||
if name == "up" {
|
||||
event.Up = true
|
||||
} else {
|
||||
sa := &EventIkeSAUpDown{}
|
||||
ConvertFromGeneral(value, sa)
|
||||
event.Ike[name] = sa
|
||||
}
|
||||
}
|
||||
callback(eventName, event)
|
||||
}
|
||||
|
||||
func handleIkeRekey(eventName string, callback monitorCallBack, response map[string]interface{}) {
|
||||
event := &EventIkeRekey{}
|
||||
event.Ike = map[string]*EventIkeRekeyPair{}
|
||||
//we need to marshall all ikes manual because json uses connections names as key
|
||||
for name := range response {
|
||||
value := response[name]
|
||||
sa := &EventIkeRekeyPair{}
|
||||
ConvertFromGeneral(value, sa)
|
||||
event.Ike[name] = sa
|
||||
}
|
||||
callback(eventName, event)
|
||||
}
|
||||
|
||||
func handleChildUpDown(eventName string, callback monitorCallBack, response map[string]interface{}) {
|
||||
event := &EventChildUpDown{}
|
||||
event.Ike = map[string]*EventIkeSAUpDown{}
|
||||
//we need to marshall all ikes manual because json uses connections names as key
|
||||
for name := range response {
|
||||
value := response[name]
|
||||
if name == "up" {
|
||||
event.Up = true
|
||||
} else {
|
||||
sa := &EventIkeSAUpDown{}
|
||||
ConvertFromGeneral(value, sa)
|
||||
event.Ike[name] = sa
|
||||
}
|
||||
}
|
||||
callback(eventName, event)
|
||||
}
|
||||
|
||||
func handleChildRekey(eventName string, callback monitorCallBack, response map[string]interface{}) {
|
||||
event := &EventChildRekey{}
|
||||
event.Ike = map[string]*EventIkeRekeySA{}
|
||||
//we need to marshall all ikes manual because json uses connections names as key
|
||||
for name := range response {
|
||||
value := response[name]
|
||||
sa := &EventIkeRekeySA{}
|
||||
ConvertFromGeneral(value, sa)
|
||||
event.Ike[name] = sa
|
||||
}
|
||||
callback(eventName, event)
|
||||
}
|
||||
|
||||
func (c *ClientConn) MonitorSA(callback monitorCallBack,watchdog time.Duration) (err error) {
|
||||
//register event
|
||||
c.RegisterEvent(EVENT_CHILD_UPDOWN, func(response map[string]interface{}) {
|
||||
//dumpResponse(response)
|
||||
handleChildUpDown(EVENT_CHILD_UPDOWN, callback, response)
|
||||
})
|
||||
c.RegisterEvent(EVENT_CHILD_REKEY, func(response map[string]interface{}) {
|
||||
//dumpResponse(response)
|
||||
handleChildRekey(EVENT_CHILD_REKEY, callback, response)
|
||||
})
|
||||
c.RegisterEvent(EVENT_IKE_UPDOWN, func(response map[string]interface{}) {
|
||||
//dumpResponse(response)
|
||||
handleIkeUpDown(EVENT_IKE_UPDOWN, callback, response)
|
||||
})
|
||||
c.RegisterEvent(EVENT_IKE_REKEY, func(response map[string]interface{}) {
|
||||
//dumpResponse(response)
|
||||
handleIkeRekey(EVENT_IKE_REKEY, callback, response)
|
||||
})
|
||||
|
||||
for {
|
||||
time.Sleep(watchdog)
|
||||
//collect some daemon stats to see if connection is alive
|
||||
if _, err := c.Stats(); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
359
vendor/github.com/bronze1man/goStrongswanVici/msg.go
generated
vendored
Normal file
359
vendor/github.com/bronze1man/goStrongswanVici/msg.go
generated
vendored
Normal file
@ -0,0 +1,359 @@
|
||||
package goStrongswanVici
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"bytes"
|
||||
"encoding/binary"
|
||||
"fmt"
|
||||
"io"
|
||||
"strconv"
|
||||
)
|
||||
|
||||
type segmentType byte
|
||||
|
||||
const (
|
||||
stCMD_REQUEST segmentType = 0
|
||||
stCMD_RESPONSE = 1
|
||||
stCMD_UNKNOWN = 2
|
||||
stEVENT_REGISTER = 3
|
||||
stEVENT_UNREGISTER = 4
|
||||
stEVENT_CONFIRM = 5
|
||||
stEVENT_UNKNOWN = 6
|
||||
stEVENT = 7
|
||||
)
|
||||
|
||||
func (t segmentType) hasName() bool {
|
||||
switch t {
|
||||
case stCMD_REQUEST, stEVENT_REGISTER, stEVENT_UNREGISTER, stEVENT:
|
||||
return true
|
||||
}
|
||||
return false
|
||||
}
|
||||
func (t segmentType) isValid() bool {
|
||||
switch t {
|
||||
case stCMD_REQUEST, stCMD_RESPONSE, stCMD_UNKNOWN, stEVENT_REGISTER,
|
||||
stEVENT_UNREGISTER, stEVENT_CONFIRM, stEVENT_UNKNOWN, stEVENT:
|
||||
return true
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func (t segmentType) hasMsg() bool {
|
||||
switch t {
|
||||
case stCMD_REQUEST, stCMD_RESPONSE, stEVENT:
|
||||
return true
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
type elementType byte
|
||||
|
||||
const (
|
||||
etSECTION_START elementType = 1
|
||||
etSECTION_END = 2
|
||||
etKEY_VALUE = 3
|
||||
etLIST_START = 4
|
||||
etLIST_ITEM = 5
|
||||
etLIST_END = 6
|
||||
)
|
||||
|
||||
type segment struct {
|
||||
typ segmentType
|
||||
name string
|
||||
msg map[string]interface{}
|
||||
}
|
||||
|
||||
//msg 在内部以下列3种类型表示(降低复杂度)
|
||||
// string
|
||||
// map[string]interface{}
|
||||
// []string
|
||||
func writeSegment(w io.Writer, msg segment) (err error) {
|
||||
if !msg.typ.isValid() {
|
||||
return fmt.Errorf("[writeSegment] msg.typ %d not defined", msg.typ)
|
||||
}
|
||||
buf := &bytes.Buffer{}
|
||||
buf.WriteByte(byte(msg.typ))
|
||||
//name
|
||||
if msg.typ.hasName() {
|
||||
err = writeString1(buf, msg.name)
|
||||
if err != nil {
|
||||
fmt.Printf("error returned from writeString1i \n")
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
if msg.typ.hasMsg() {
|
||||
err = writeMap(buf, msg.msg)
|
||||
if err != nil {
|
||||
fmt.Printf("error retruned from writeMap \n")
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
//写长度
|
||||
err = binary.Write(w, binary.BigEndian, uint32(buf.Len()))
|
||||
if err != nil {
|
||||
fmt.Printf("[writeSegment] error writing to binary \n")
|
||||
return
|
||||
}
|
||||
|
||||
_, err = buf.WriteTo(w)
|
||||
if err != nil {
|
||||
fmt.Printf("[writeSegment] error writing to buffer \n")
|
||||
return
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func readSegment(inR io.Reader) (msg segment, err error) {
|
||||
//长度
|
||||
var length uint32
|
||||
err = binary.Read(inR, binary.BigEndian, &length)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
r := bufio.NewReader(&io.LimitedReader{
|
||||
R: inR,
|
||||
N: int64(length),
|
||||
})
|
||||
//类型
|
||||
c, err := r.ReadByte()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
msg.typ = segmentType(c)
|
||||
if !msg.typ.isValid() {
|
||||
return msg, fmt.Errorf("[readSegment] msg.typ %d not defined", msg.typ)
|
||||
}
|
||||
if msg.typ.hasName() {
|
||||
msg.name, err = readString1(r)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
if msg.typ.hasMsg() {
|
||||
msg.msg, err = readMap(r, true)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
//一个字节长度的字符串
|
||||
func writeString1(w *bytes.Buffer, s string) (err error) {
|
||||
length := len(s)
|
||||
if length > 255 {
|
||||
return fmt.Errorf("[writeString1] length>255")
|
||||
}
|
||||
w.WriteByte(byte(length))
|
||||
w.WriteString(s)
|
||||
return
|
||||
}
|
||||
|
||||
func readString1(r *bufio.Reader) (s string, err error) {
|
||||
length, err := r.ReadByte()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
buf := make([]byte, length)
|
||||
_, err = io.ReadFull(r, buf)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
return string(buf), nil
|
||||
}
|
||||
|
||||
//两个字节长度的字符串
|
||||
func writeString2(w *bytes.Buffer, s string) (err error) {
|
||||
length := len(s)
|
||||
if length > 65535 {
|
||||
return fmt.Errorf("[writeString2] length>65535")
|
||||
}
|
||||
binary.Write(w, binary.BigEndian, uint16(length))
|
||||
w.WriteString(s)
|
||||
return
|
||||
}
|
||||
|
||||
func readString2(r io.Reader) (s string, err error) {
|
||||
var length uint16
|
||||
err = binary.Read(r, binary.BigEndian, &length)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
buf := make([]byte, length)
|
||||
_, err = io.ReadFull(r, buf)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
return string(buf), nil
|
||||
}
|
||||
|
||||
func writeKeyMap(w *bytes.Buffer, name string, msg map[string]interface{}) (err error) {
|
||||
w.WriteByte(byte(etSECTION_START))
|
||||
err = writeString1(w, name)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
writeMap(w, msg)
|
||||
w.WriteByte(byte(etSECTION_END))
|
||||
return nil
|
||||
}
|
||||
|
||||
func writeKeyList(w *bytes.Buffer, name string, msg []string) (err error) {
|
||||
w.WriteByte(byte(etLIST_START))
|
||||
err = writeString1(w, name)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
for _, s := range msg {
|
||||
w.WriteByte(byte(etLIST_ITEM))
|
||||
err = writeString2(w, s)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
w.WriteByte(byte(etLIST_END))
|
||||
return nil
|
||||
}
|
||||
|
||||
func writeKeyString(w *bytes.Buffer, name string, msg string) (err error) {
|
||||
w.WriteByte(byte(etKEY_VALUE))
|
||||
err = writeString1(w, name)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
err = writeString2(w, msg)
|
||||
return
|
||||
}
|
||||
|
||||
func writeMap(w *bytes.Buffer, msg map[string]interface{}) (err error) {
|
||||
for k, v := range msg {
|
||||
switch t := v.(type) {
|
||||
case map[string]interface{}:
|
||||
writeKeyMap(w, k, t)
|
||||
case []string:
|
||||
writeKeyList(w, k, t)
|
||||
case string:
|
||||
writeKeyString(w, k, t)
|
||||
case []interface{}:
|
||||
str := make([]string, len(t))
|
||||
for i := range t {
|
||||
str[i] = t[i].(string)
|
||||
}
|
||||
writeKeyList(w, k, str)
|
||||
default:
|
||||
return fmt.Errorf("[writeMap] can not write type %T right now", msg)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
//SECTION_START has been read already.
|
||||
func readKeyMap(r *bufio.Reader) (key string, msg map[string]interface{}, err error) {
|
||||
key, err = readString1(r)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
msg, err = readMap(r, false)
|
||||
return
|
||||
}
|
||||
|
||||
//LIST_START has been read already.
|
||||
func readKeyList(r *bufio.Reader) (key string, msg []string, err error) {
|
||||
key, err = readString1(r)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
msg = []string{}
|
||||
for {
|
||||
var c byte
|
||||
c, err = r.ReadByte()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
switch elementType(c) {
|
||||
case etLIST_ITEM:
|
||||
value, err := readString2(r)
|
||||
if err != nil {
|
||||
return "", nil, err
|
||||
}
|
||||
msg = append(msg, value)
|
||||
case etLIST_END: //end of outer list
|
||||
return key, msg, nil
|
||||
default:
|
||||
return "", nil, fmt.Errorf("[readKeyList] protocol error 2")
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
//KEY_VALUE has been read already.
|
||||
func readKeyString(r *bufio.Reader) (key string, msg string, err error) {
|
||||
key, err = readString1(r)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
msg, err = readString2(r)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// Since the original key chosen can have duplicates,
|
||||
// this function is used to map the original key to a new one
|
||||
// to make them unique.
|
||||
func getNewKeyToHandleDuplicates(key string, msg map[string]interface{}) string {
|
||||
if _, ok := msg[key]; !ok {
|
||||
return key
|
||||
}
|
||||
|
||||
for i := 0; ; i++ {
|
||||
newKey := key + "##" + strconv.Itoa(i)
|
||||
if _, ok := msg[newKey]; !ok {
|
||||
return newKey
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
//SECTION_START has been read already.
|
||||
func readMap(r *bufio.Reader, isRoot bool) (msg map[string]interface{}, err error) {
|
||||
msg = map[string]interface{}{}
|
||||
for {
|
||||
c, err := r.ReadByte()
|
||||
if err == io.EOF && isRoot { //may be root section
|
||||
return msg, nil
|
||||
}
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
switch elementType(c) {
|
||||
case etSECTION_START:
|
||||
key, value, err := readKeyMap(r)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
msg[getNewKeyToHandleDuplicates(key, msg)] = value
|
||||
case etLIST_START:
|
||||
key, value, err := readKeyList(r)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
msg[getNewKeyToHandleDuplicates(key, msg)] = value
|
||||
case etKEY_VALUE:
|
||||
key, value, err := readKeyString(r)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
msg[getNewKeyToHandleDuplicates(key, msg)] = value
|
||||
case etSECTION_END: //end of outer section
|
||||
return msg, nil
|
||||
default:
|
||||
panic(fmt.Errorf("[readMap] protocol error 1, %d %#v", c, msg))
|
||||
//return nil, fmt.Errorf("[readMap] protocol error 1, %d",c)
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
36
vendor/github.com/bronze1man/goStrongswanVici/pools.go
generated
vendored
Normal file
36
vendor/github.com/bronze1man/goStrongswanVici/pools.go
generated
vendored
Normal file
@ -0,0 +1,36 @@
|
||||
package goStrongswanVici
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
)
|
||||
|
||||
type Pool struct {
|
||||
PoolMapping map[string]interface{} `json:"pools"`
|
||||
}
|
||||
|
||||
type PoolMapping struct {
|
||||
Addrs string `json:"addrs"`
|
||||
DNS []string `json:"dns,omitempty"`
|
||||
NBNS []string `json:"nbns,omitempty"`
|
||||
ApplicationVersion []string `json:"7,omitempty"`
|
||||
InternalIPv6Prefix []string `json:"18,omitempty"`
|
||||
}
|
||||
|
||||
func (c *ClientConn) LoadPool(ph Pool) error {
|
||||
requestMap := map[string]interface{}{}
|
||||
|
||||
err := ConvertToGeneral(ph.PoolMapping, &requestMap)
|
||||
|
||||
if err != nil {
|
||||
fmt.Println(err)
|
||||
return fmt.Errorf("error creating request: %v", err)
|
||||
}
|
||||
|
||||
msg, err := c.Request("load-pool", requestMap)
|
||||
|
||||
if msg["success"] != "yes" {
|
||||
return fmt.Errorf("unsuccessful LoadPool: %v", msg["success"])
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
76
vendor/github.com/bronze1man/goStrongswanVici/shared.go
generated
vendored
Normal file
76
vendor/github.com/bronze1man/goStrongswanVici/shared.go
generated
vendored
Normal file
@ -0,0 +1,76 @@
|
||||
// this file contains the functions for managing shared secrets
|
||||
|
||||
package goStrongswanVici
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
)
|
||||
|
||||
type Key struct {
|
||||
ID string `json:"id,omitempty"`
|
||||
Typ string `json:"type"`
|
||||
Data string `json:"data"`
|
||||
Owners []string `json:"owners"`
|
||||
}
|
||||
|
||||
type UnloadKeyRequest struct {
|
||||
ID string `json:"id"`
|
||||
}
|
||||
|
||||
type keyList struct {
|
||||
Keys []string `json:"keys"`
|
||||
}
|
||||
|
||||
// load a shared secret into the IKE daemon
|
||||
func (c *ClientConn) LoadShared(key *Key) error {
|
||||
requestMap := &map[string]interface{}{}
|
||||
|
||||
err := ConvertToGeneral(key, requestMap)
|
||||
|
||||
if err != nil {
|
||||
return fmt.Errorf("error creating request: %v", err)
|
||||
}
|
||||
|
||||
msg, err := c.Request("load-shared", *requestMap)
|
||||
if msg["success"] != "yes" {
|
||||
return fmt.Errorf("unsuccessful loadSharedKey: %v", msg["errmsg"])
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// unload (delete) a shared secret from the IKE daemon
|
||||
func (c *ClientConn) UnloadShared(key *UnloadKeyRequest) error {
|
||||
requestMap := &map[string]interface{}{}
|
||||
|
||||
err := ConvertToGeneral(key, requestMap)
|
||||
|
||||
if err != nil {
|
||||
return fmt.Errorf("error creating request: %v", err)
|
||||
}
|
||||
|
||||
msg, err := c.Request("unload-shared", *requestMap)
|
||||
if msg["success"] != "yes" {
|
||||
return fmt.Errorf("unsuccessful loadSharedKey: %v", msg["errmsg"])
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// get a the names of the shared secrets currently loaded
|
||||
func (c *ClientConn) GetShared() ([]string, error) {
|
||||
msg, err := c.Request("get-shared", nil)
|
||||
if err != nil {
|
||||
fmt.Errorf("Error making request: %v", err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
keys := &keyList{}
|
||||
|
||||
err = ConvertFromGeneral(msg, keys)
|
||||
if err != nil {
|
||||
fmt.Errorf("Error converting data: %v", err)
|
||||
}
|
||||
|
||||
return keys.Keys, err
|
||||
}
|
7
vendor/github.com/bronze1man/goStrongswanVici/stats.go
generated
vendored
Normal file
7
vendor/github.com/bronze1man/goStrongswanVici/stats.go
generated
vendored
Normal file
@ -0,0 +1,7 @@
|
||||
package goStrongswanVici
|
||||
|
||||
// Stats returns IKE daemon statistics and load information.
|
||||
func (c *ClientConn) Stats() (msg map[string]interface{}, err error) {
|
||||
msg, err = c.Request("stats", nil)
|
||||
return
|
||||
}
|
32
vendor/github.com/bronze1man/goStrongswanVici/terminate.go
generated
vendored
Normal file
32
vendor/github.com/bronze1man/goStrongswanVici/terminate.go
generated
vendored
Normal file
@ -0,0 +1,32 @@
|
||||
package goStrongswanVici
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
)
|
||||
|
||||
type TerminateRequest struct {
|
||||
Child string `json:"child,omitempty"`
|
||||
Ike string `json:"ike,omitempty"`
|
||||
Child_id string `json:"child-id,omitempty"`
|
||||
Ike_id string `json:"ike-id,omitempty"`
|
||||
Timeout string `json:"timeout,omitempty"`
|
||||
Loglevel string `json:"loglevel,omitempty"`
|
||||
}
|
||||
|
||||
// To be simple, kill a client that is connecting to this server. A client is a sa.
|
||||
//Terminates an SA while streaming control-log events.
|
||||
func (c *ClientConn) Terminate(r *TerminateRequest) (err error) {
|
||||
err = handlePanic(func() (err error) {
|
||||
reqMap := &map[string]interface{}{}
|
||||
ConvertToGeneral(r, reqMap)
|
||||
msg, err := c.Request("terminate", *reqMap)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
if msg["success"] != "yes" {
|
||||
return fmt.Errorf("[Terminate] %s", msg["errmsg"])
|
||||
}
|
||||
return
|
||||
})
|
||||
return
|
||||
}
|
24
vendor/github.com/bronze1man/goStrongswanVici/unloadConn.go
generated
vendored
Normal file
24
vendor/github.com/bronze1man/goStrongswanVici/unloadConn.go
generated
vendored
Normal file
@ -0,0 +1,24 @@
|
||||
package goStrongswanVici
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
)
|
||||
|
||||
type UnloadConnRequest struct {
|
||||
Name string `json:"name"`
|
||||
}
|
||||
|
||||
func (c *ClientConn) UnloadConn(r *UnloadConnRequest) error {
|
||||
reqMap := &map[string]interface{}{}
|
||||
ConvertToGeneral(r, reqMap)
|
||||
msg, err := c.Request("unload-conn", *reqMap)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if msg["success"] != "yes" {
|
||||
return fmt.Errorf("[Unload-Connection] %s", msg["errmsg"])
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
19
vendor/github.com/bronze1man/goStrongswanVici/version.go
generated
vendored
Normal file
19
vendor/github.com/bronze1man/goStrongswanVici/version.go
generated
vendored
Normal file
@ -0,0 +1,19 @@
|
||||
package goStrongswanVici
|
||||
|
||||
type Version struct {
|
||||
Daemon string `json:"daemon"`
|
||||
Version string `json:"version"`
|
||||
Sysname string `json:"sysname"`
|
||||
Release string `json:"release"`
|
||||
Machine string `json:"machine"`
|
||||
}
|
||||
|
||||
func (c *ClientConn) Version() (out *Version, err error) {
|
||||
msg, err := c.Request("version", nil)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
out = &Version{}
|
||||
err = ConvertFromGeneral(msg, out)
|
||||
return
|
||||
}
|
153
vendor/github.com/coreos/flannel/backend/extension/extension.go
generated
vendored
Normal file
153
vendor/github.com/coreos/flannel/backend/extension/extension.go
generated
vendored
Normal file
@ -0,0 +1,153 @@
|
||||
// Copyright 2017 flannel authors
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package extension
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"io"
|
||||
"os"
|
||||
"strings"
|
||||
|
||||
"encoding/json"
|
||||
"os/exec"
|
||||
"sync"
|
||||
|
||||
log "k8s.io/klog"
|
||||
|
||||
"github.com/coreos/flannel/backend"
|
||||
"github.com/coreos/flannel/pkg/ip"
|
||||
"github.com/coreos/flannel/subnet"
|
||||
"golang.org/x/net/context"
|
||||
)
|
||||
|
||||
func init() {
|
||||
backend.Register("extension", New)
|
||||
}
|
||||
|
||||
type ExtensionBackend struct {
|
||||
sm subnet.Manager
|
||||
extIface *backend.ExternalInterface
|
||||
networks map[string]*network
|
||||
}
|
||||
|
||||
func New(sm subnet.Manager, extIface *backend.ExternalInterface) (backend.Backend, error) {
|
||||
be := &ExtensionBackend{
|
||||
sm: sm,
|
||||
extIface: extIface,
|
||||
networks: make(map[string]*network),
|
||||
}
|
||||
|
||||
return be, nil
|
||||
}
|
||||
|
||||
func (_ *ExtensionBackend) Run(ctx context.Context) {
|
||||
<-ctx.Done()
|
||||
}
|
||||
|
||||
func (be *ExtensionBackend) RegisterNetwork(ctx context.Context, wg sync.WaitGroup, config *subnet.Config) (backend.Network, error) {
|
||||
n := &network{
|
||||
extIface: be.extIface,
|
||||
sm: be.sm,
|
||||
}
|
||||
|
||||
// Parse out configuration
|
||||
if len(config.Backend) > 0 {
|
||||
cfg := struct {
|
||||
PreStartupCommand string
|
||||
PostStartupCommand string
|
||||
SubnetAddCommand string
|
||||
SubnetRemoveCommand string
|
||||
}{}
|
||||
if err := json.Unmarshal(config.Backend, &cfg); err != nil {
|
||||
return nil, fmt.Errorf("error decoding backend config: %v", err)
|
||||
}
|
||||
n.preStartupCommand = cfg.PreStartupCommand
|
||||
n.postStartupCommand = cfg.PostStartupCommand
|
||||
n.subnetAddCommand = cfg.SubnetAddCommand
|
||||
n.subnetRemoveCommand = cfg.SubnetRemoveCommand
|
||||
}
|
||||
|
||||
data := []byte{}
|
||||
if len(n.preStartupCommand) > 0 {
|
||||
cmd_output, err := runCmd([]string{}, "", "sh", "-c", n.preStartupCommand)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to run command: %s Err: %v Output: %s", n.preStartupCommand, err, cmd_output)
|
||||
} else {
|
||||
log.Infof("Ran command: %s\n Output: %s", n.preStartupCommand, cmd_output)
|
||||
}
|
||||
|
||||
data, err = json.Marshal(cmd_output)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
} else {
|
||||
log.Infof("No pre startup command configured - skipping")
|
||||
}
|
||||
|
||||
attrs := subnet.LeaseAttrs{
|
||||
PublicIP: ip.FromIP(be.extIface.ExtAddr),
|
||||
BackendType: "extension",
|
||||
BackendData: data,
|
||||
}
|
||||
|
||||
lease, err := be.sm.AcquireLease(ctx, &attrs)
|
||||
switch err {
|
||||
case nil:
|
||||
n.lease = lease
|
||||
|
||||
case context.Canceled, context.DeadlineExceeded:
|
||||
return nil, err
|
||||
|
||||
default:
|
||||
return nil, fmt.Errorf("failed to acquire lease: %v", err)
|
||||
}
|
||||
|
||||
if len(n.postStartupCommand) > 0 {
|
||||
cmd_output, err := runCmd([]string{
|
||||
fmt.Sprintf("NETWORK=%s", config.Network),
|
||||
fmt.Sprintf("SUBNET=%s", lease.Subnet),
|
||||
fmt.Sprintf("PUBLIC_IP=%s", attrs.PublicIP)},
|
||||
"", "sh", "-c", n.postStartupCommand)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to run command: %s Err: %v Output: %s", n.postStartupCommand, err, cmd_output)
|
||||
} else {
|
||||
log.Infof("Ran command: %s\n Output: %s", n.postStartupCommand, cmd_output)
|
||||
}
|
||||
} else {
|
||||
log.Infof("No post startup command configured - skipping")
|
||||
}
|
||||
|
||||
return n, nil
|
||||
}
|
||||
|
||||
// Run a cmd, returning a combined stdout and stderr.
|
||||
func runCmd(env []string, stdin string, name string, arg ...string) (string, error) {
|
||||
env = append(env, fmt.Sprintf("PATH=%s", os.Getenv("PATH")))
|
||||
cmd := exec.Command(name, arg...)
|
||||
cmd.Env = env
|
||||
|
||||
stdinpipe, err := cmd.StdinPipe()
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
io.WriteString(stdinpipe, stdin)
|
||||
io.WriteString(stdinpipe, "\n")
|
||||
stdinpipe.Close()
|
||||
|
||||
output, err := cmd.CombinedOutput()
|
||||
|
||||
return strings.TrimSpace(string(output)), err
|
||||
}
|
141
vendor/github.com/coreos/flannel/backend/extension/extension_network.go
generated
vendored
Normal file
141
vendor/github.com/coreos/flannel/backend/extension/extension_network.go
generated
vendored
Normal file
@ -0,0 +1,141 @@
|
||||
// Copyright 2017 flannel authors
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package extension
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"sync"
|
||||
|
||||
log "k8s.io/klog"
|
||||
"golang.org/x/net/context"
|
||||
|
||||
"fmt"
|
||||
|
||||
"github.com/coreos/flannel/backend"
|
||||
"github.com/coreos/flannel/subnet"
|
||||
)
|
||||
|
||||
type network struct {
|
||||
name string
|
||||
extIface *backend.ExternalInterface
|
||||
lease *subnet.Lease
|
||||
sm subnet.Manager
|
||||
preStartupCommand string
|
||||
postStartupCommand string
|
||||
subnetAddCommand string
|
||||
subnetRemoveCommand string
|
||||
}
|
||||
|
||||
func (n *network) Lease() *subnet.Lease {
|
||||
return n.lease
|
||||
}
|
||||
|
||||
func (n *network) MTU() int {
|
||||
return n.extIface.Iface.MTU
|
||||
}
|
||||
|
||||
func (n *network) Run(ctx context.Context) {
|
||||
wg := sync.WaitGroup{}
|
||||
|
||||
log.Info("Watching for new subnet leases")
|
||||
evts := make(chan []subnet.Event)
|
||||
wg.Add(1)
|
||||
go func() {
|
||||
subnet.WatchLeases(ctx, n.sm, n.lease, evts)
|
||||
wg.Done()
|
||||
}()
|
||||
|
||||
defer wg.Wait()
|
||||
|
||||
for {
|
||||
select {
|
||||
case evtBatch := <-evts:
|
||||
n.handleSubnetEvents(evtBatch)
|
||||
|
||||
case <-ctx.Done():
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (n *network) handleSubnetEvents(batch []subnet.Event) {
|
||||
for _, evt := range batch {
|
||||
switch evt.Type {
|
||||
case subnet.EventAdded:
|
||||
log.Infof("Subnet added: %v via %v", evt.Lease.Subnet, evt.Lease.Attrs.PublicIP)
|
||||
|
||||
if evt.Lease.Attrs.BackendType != "extension" {
|
||||
log.Warningf("Ignoring non-extension subnet: type=%v", evt.Lease.Attrs.BackendType)
|
||||
continue
|
||||
}
|
||||
|
||||
if len(n.subnetAddCommand) > 0 {
|
||||
backendData := ""
|
||||
|
||||
if len(evt.Lease.Attrs.BackendData) > 0 {
|
||||
if err := json.Unmarshal(evt.Lease.Attrs.BackendData, &backendData); err != nil {
|
||||
log.Errorf("failed to unmarshal BackendData: %v", err)
|
||||
continue
|
||||
}
|
||||
}
|
||||
|
||||
cmd_output, err := runCmd([]string{
|
||||
fmt.Sprintf("SUBNET=%s", evt.Lease.Subnet),
|
||||
fmt.Sprintf("PUBLIC_IP=%s", evt.Lease.Attrs.PublicIP)},
|
||||
backendData,
|
||||
"sh", "-c", n.subnetAddCommand)
|
||||
|
||||
if err != nil {
|
||||
log.Errorf("failed to run command: %s Err: %v Output: %s", n.subnetAddCommand, err, cmd_output)
|
||||
} else {
|
||||
log.Infof("Ran command: %s\n Output: %s", n.subnetAddCommand, cmd_output)
|
||||
}
|
||||
}
|
||||
|
||||
case subnet.EventRemoved:
|
||||
log.Info("Subnet removed: ", evt.Lease.Subnet)
|
||||
|
||||
if evt.Lease.Attrs.BackendType != "extension" {
|
||||
log.Warningf("Ignoring non-extension subnet: type=%v", evt.Lease.Attrs.BackendType)
|
||||
continue
|
||||
}
|
||||
|
||||
if len(n.subnetRemoveCommand) > 0 {
|
||||
backendData := ""
|
||||
|
||||
if len(evt.Lease.Attrs.BackendData) > 0 {
|
||||
if err := json.Unmarshal(evt.Lease.Attrs.BackendData, &backendData); err != nil {
|
||||
log.Errorf("failed to unmarshal BackendData: %v", err)
|
||||
continue
|
||||
}
|
||||
}
|
||||
cmd_output, err := runCmd([]string{
|
||||
fmt.Sprintf("SUBNET=%s", evt.Lease.Subnet),
|
||||
fmt.Sprintf("PUBLIC_IP=%s", evt.Lease.Attrs.PublicIP)},
|
||||
backendData,
|
||||
"sh", "-c", n.subnetRemoveCommand)
|
||||
|
||||
if err != nil {
|
||||
log.Errorf("failed to run command: %s Err: %v Output: %s", n.subnetRemoveCommand, err, cmd_output)
|
||||
} else {
|
||||
log.Infof("Ran command: %s\n Output: %s", n.subnetRemoveCommand, cmd_output)
|
||||
}
|
||||
}
|
||||
|
||||
default:
|
||||
log.Error("Internal error: unknown event type: ", int(evt.Type))
|
||||
}
|
||||
}
|
||||
}
|
236
vendor/github.com/coreos/flannel/backend/ipsec/handle_charon.go
generated
vendored
Normal file
236
vendor/github.com/coreos/flannel/backend/ipsec/handle_charon.go
generated
vendored
Normal file
@ -0,0 +1,236 @@
|
||||
// Copyright 2017 flannel authors
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
// +build !windows
|
||||
|
||||
package ipsec
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net"
|
||||
"os"
|
||||
"os/exec"
|
||||
"strings"
|
||||
"sync"
|
||||
"syscall"
|
||||
"time"
|
||||
|
||||
"github.com/bronze1man/goStrongswanVici"
|
||||
"github.com/coreos/flannel/subnet"
|
||||
log "k8s.io/klog"
|
||||
"golang.org/x/net/context"
|
||||
)
|
||||
|
||||
type Uri struct {
|
||||
network, address string
|
||||
}
|
||||
|
||||
type CharonIKEDaemon struct {
|
||||
viciUri Uri
|
||||
espProposal string
|
||||
ctx context.Context
|
||||
}
|
||||
|
||||
func NewCharonIKEDaemon(ctx context.Context, wg sync.WaitGroup, espProposal string) (*CharonIKEDaemon, error) {
|
||||
|
||||
charon := &CharonIKEDaemon{ctx: ctx, espProposal: espProposal}
|
||||
|
||||
addr := strings.Split("unix:///var/run/charon.vici", "://")
|
||||
charon.viciUri = Uri{addr[0], addr[1]}
|
||||
|
||||
cmd, err := charon.runBundled("/usr/lib/strongswan/", "charon")
|
||||
|
||||
if err != nil {
|
||||
log.Errorf("Error starting charon daemon: %v", err)
|
||||
return nil, err
|
||||
} else {
|
||||
log.Info("Charon daemon started")
|
||||
}
|
||||
wg.Add(1)
|
||||
go func() {
|
||||
select {
|
||||
case <-ctx.Done():
|
||||
cmd.Process.Signal(syscall.SIGTERM)
|
||||
cmd.Wait()
|
||||
log.Infof("Stopped charon daemon")
|
||||
wg.Done()
|
||||
}
|
||||
}()
|
||||
return charon, nil
|
||||
}
|
||||
|
||||
func (charon *CharonIKEDaemon) getClient(wait bool) (client *goStrongswanVici.ClientConn, err error) {
|
||||
for {
|
||||
socket_conn, err := net.Dial(charon.viciUri.network, charon.viciUri.address)
|
||||
if err == nil {
|
||||
return goStrongswanVici.NewClientConn(socket_conn), nil
|
||||
} else {
|
||||
if wait {
|
||||
select {
|
||||
case <-charon.ctx.Done():
|
||||
log.Error("Cancel waiting for charon")
|
||||
return nil, err
|
||||
default:
|
||||
log.Errorf("ClientConnection failed: %v", err)
|
||||
}
|
||||
|
||||
log.Info("Retrying in a second ...")
|
||||
time.Sleep(time.Second)
|
||||
} else {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (charon *CharonIKEDaemon) runBundled(staticLocation string, command string) (cmd *exec.Cmd, err error) {
|
||||
path, err := exec.LookPath(command)
|
||||
if err != nil {
|
||||
path = staticLocation + command
|
||||
}
|
||||
cmd = &exec.Cmd{
|
||||
Path: path,
|
||||
SysProcAttr: &syscall.SysProcAttr{
|
||||
Pdeathsig: syscall.SIGTERM,
|
||||
},
|
||||
Stdout: os.Stdout,
|
||||
Stderr: os.Stderr,
|
||||
}
|
||||
err = cmd.Start()
|
||||
return
|
||||
}
|
||||
|
||||
func (charon *CharonIKEDaemon) LoadSharedKey(remotePublicIP, password string) error {
|
||||
var err error
|
||||
var client *goStrongswanVici.ClientConn
|
||||
|
||||
client, err = charon.getClient(true)
|
||||
if err != nil {
|
||||
log.Errorf("Failed to acquire Vici client: %v", err)
|
||||
return err
|
||||
}
|
||||
|
||||
defer client.Close()
|
||||
|
||||
sharedKey := &goStrongswanVici.Key{
|
||||
Typ: "IKE",
|
||||
Data: password,
|
||||
Owners: []string{remotePublicIP},
|
||||
}
|
||||
|
||||
for {
|
||||
err = client.LoadShared(sharedKey)
|
||||
if err != nil {
|
||||
log.Errorf("Failed to load my key. Retrying. %v", err)
|
||||
time.Sleep(time.Second)
|
||||
} else {
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
log.Infof("Loaded shared key for: %v", remotePublicIP)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (charon *CharonIKEDaemon) LoadConnection(localLease, remoteLease *subnet.Lease,
|
||||
reqID, encap string) error {
|
||||
var err error
|
||||
var client *goStrongswanVici.ClientConn
|
||||
|
||||
client, err = charon.getClient(true)
|
||||
if err != nil {
|
||||
log.Errorf("Failed to acquire Vici client: %s", err)
|
||||
return err
|
||||
}
|
||||
defer client.Close()
|
||||
|
||||
childConfMap := make(map[string]goStrongswanVici.ChildSAConf)
|
||||
childSAConf := goStrongswanVici.ChildSAConf{
|
||||
Local_ts: []string{localLease.Subnet.String()},
|
||||
Remote_ts: []string{remoteLease.Subnet.String()},
|
||||
ESPProposals: []string{charon.espProposal},
|
||||
StartAction: "start",
|
||||
CloseAction: "trap",
|
||||
Mode: "tunnel",
|
||||
ReqID: reqID,
|
||||
// RekeyTime: rekeyTime,
|
||||
InstallPolicy: "no",
|
||||
}
|
||||
|
||||
childSAConfName := formatChildSAConfName(localLease, remoteLease)
|
||||
|
||||
childConfMap[childSAConfName] = childSAConf
|
||||
|
||||
localAuthConf := goStrongswanVici.AuthConf{
|
||||
AuthMethod: "psk",
|
||||
}
|
||||
remoteAuthConf := goStrongswanVici.AuthConf{
|
||||
AuthMethod: "psk",
|
||||
}
|
||||
|
||||
ikeConf := goStrongswanVici.IKEConf{
|
||||
LocalAddrs: []string{localLease.Attrs.PublicIP.String()},
|
||||
RemoteAddrs: []string{remoteLease.Attrs.PublicIP.String()},
|
||||
Proposals: []string{"aes256-sha256-modp4096"},
|
||||
Version: "2",
|
||||
KeyingTries: "0", //continues to retry
|
||||
LocalAuth: localAuthConf,
|
||||
RemoteAuth: remoteAuthConf,
|
||||
Children: childConfMap,
|
||||
Encap: encap,
|
||||
}
|
||||
ikeConfMap := make(map[string]goStrongswanVici.IKEConf)
|
||||
|
||||
connectionName := formatConnectionName(localLease, remoteLease)
|
||||
ikeConfMap[connectionName] = ikeConf
|
||||
|
||||
err = client.LoadConn(&ikeConfMap)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
log.Infof("Loaded connection: %v", connectionName)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (charon *CharonIKEDaemon) UnloadCharonConnection(localLease,
|
||||
remoteLease *subnet.Lease) error {
|
||||
client, err := charon.getClient(false)
|
||||
if err != nil {
|
||||
log.Errorf("Failed to acquire Vici client: %s", err)
|
||||
return err
|
||||
}
|
||||
defer client.Close()
|
||||
|
||||
connectionName := formatConnectionName(localLease, remoteLease)
|
||||
unloadConnRequest := &goStrongswanVici.UnloadConnRequest{
|
||||
Name: connectionName,
|
||||
}
|
||||
|
||||
err = client.UnloadConn(unloadConnRequest)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
log.Infof("Unloaded connection: %v", connectionName)
|
||||
return nil
|
||||
}
|
||||
|
||||
func formatConnectionName(localLease, remoteLease *subnet.Lease) string {
|
||||
return fmt.Sprintf("%s-%s-%s-%s", localLease.Attrs.PublicIP,
|
||||
localLease.Subnet, remoteLease.Subnet, remoteLease.Attrs.PublicIP)
|
||||
}
|
||||
|
||||
func formatChildSAConfName(localLease, remoteLease *subnet.Lease) string {
|
||||
return fmt.Sprintf("%s-%s", localLease.Subnet, remoteLease.Subnet)
|
||||
}
|
91
vendor/github.com/coreos/flannel/backend/ipsec/handle_xfrm.go
generated
vendored
Normal file
91
vendor/github.com/coreos/flannel/backend/ipsec/handle_xfrm.go
generated
vendored
Normal file
@ -0,0 +1,91 @@
|
||||
// Copyright 2017 flannel authors
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
// +build !windows
|
||||
|
||||
package ipsec
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net"
|
||||
|
||||
log "k8s.io/klog"
|
||||
"github.com/vishvananda/netlink"
|
||||
|
||||
"github.com/coreos/flannel/subnet"
|
||||
)
|
||||
|
||||
func AddXFRMPolicy(myLease, remoteLease *subnet.Lease, dir netlink.Dir, reqID int) error {
|
||||
src := myLease.Subnet.ToIPNet()
|
||||
|
||||
dst := remoteLease.Subnet.ToIPNet()
|
||||
|
||||
policy := netlink.XfrmPolicy{
|
||||
Src: src,
|
||||
Dst: dst,
|
||||
Dir: dir,
|
||||
}
|
||||
|
||||
tunnelLeft := myLease.Attrs.PublicIP.ToIP()
|
||||
tunnelRight := remoteLease.Attrs.PublicIP.ToIP()
|
||||
|
||||
tmpl := netlink.XfrmPolicyTmpl{
|
||||
Src: tunnelLeft,
|
||||
Dst: tunnelRight,
|
||||
Proto: netlink.XFRM_PROTO_ESP,
|
||||
Mode: netlink.XFRM_MODE_TUNNEL,
|
||||
Reqid: reqID,
|
||||
}
|
||||
|
||||
log.Infof("Adding ipsec policy: %+v", tmpl)
|
||||
|
||||
policy.Tmpls = append(policy.Tmpls, tmpl)
|
||||
|
||||
if err := netlink.XfrmPolicyAdd(&policy); err != nil {
|
||||
return fmt.Errorf("error adding policy: %+v err: %v", policy, err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func DeleteXFRMPolicy(localSubnet, remoteSubnet *net.IPNet, localPublicIP, remotePublicIP net.IP, dir netlink.Dir, reqID int) error {
|
||||
src := localSubnet
|
||||
dst := remoteSubnet
|
||||
|
||||
policy := netlink.XfrmPolicy{
|
||||
Src: src,
|
||||
Dst: dst,
|
||||
Dir: dir,
|
||||
}
|
||||
|
||||
tunnelLeft := localPublicIP
|
||||
tunnelRight := remotePublicIP
|
||||
|
||||
tmpl := netlink.XfrmPolicyTmpl{
|
||||
Src: tunnelLeft,
|
||||
Dst: tunnelRight,
|
||||
Proto: netlink.XFRM_PROTO_ESP,
|
||||
Mode: netlink.XFRM_MODE_TUNNEL,
|
||||
Reqid: reqID,
|
||||
}
|
||||
|
||||
log.Infof("Deleting ipsec policy: %+v", tmpl)
|
||||
|
||||
policy.Tmpls = append(policy.Tmpls, tmpl)
|
||||
|
||||
if err := netlink.XfrmPolicyDel(&policy); err != nil {
|
||||
return fmt.Errorf("error deleting policy: %+v err: %v", policy, err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
121
vendor/github.com/coreos/flannel/backend/ipsec/ipsec.go
generated
vendored
Normal file
121
vendor/github.com/coreos/flannel/backend/ipsec/ipsec.go
generated
vendored
Normal file
@ -0,0 +1,121 @@
|
||||
// Copyright 2017 flannel authors
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
// +build !windows
|
||||
|
||||
package ipsec
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"sync"
|
||||
|
||||
log "k8s.io/klog"
|
||||
"golang.org/x/net/context"
|
||||
|
||||
"github.com/coreos/flannel/backend"
|
||||
"github.com/coreos/flannel/pkg/ip"
|
||||
"github.com/coreos/flannel/subnet"
|
||||
)
|
||||
|
||||
/*
|
||||
Flannel's approach to IPSec uses Strongswan to handle the key exchange (using IKEv2) and the kernel to handle the
|
||||
actual encryption.
|
||||
|
||||
Strongswan's "charon" is bundled in the flannel container. Flannel runs it as a child process when the ipsec backend
|
||||
is selected and communicates with it using the "VICI" interface. Strongswan ships a utility "swanctl" which also
|
||||
uses the VICI interface. This utility is bundled in the flannel container and can help with debugging.
|
||||
|
||||
The file "handle_charon.go" contains the logic for working with the charon. It supports creating a "CharonIKEDaemon"
|
||||
which supports loading the PSK into the charon and adding and removing connections.
|
||||
|
||||
The file "handle_xfrm.go" contains functions for adding and removing the ipsec polcies.
|
||||
|
||||
ipsec_network.go ties it all together, loading the PSK for current host on startu and as new hosts are added and
|
||||
removed it, adds/removes the PSK and connection details to strongswan and adds/remove the policy to the kernel.
|
||||
*/
|
||||
|
||||
const (
|
||||
defaultESPProposal = "aes128gcm16-sha256-prfsha256-ecp256"
|
||||
minPasswordLength = 96
|
||||
)
|
||||
|
||||
func init() {
|
||||
backend.Register("ipsec", New)
|
||||
}
|
||||
|
||||
type IPSECBackend struct {
|
||||
sm subnet.Manager
|
||||
extIface *backend.ExternalInterface
|
||||
}
|
||||
|
||||
func New(sm subnet.Manager, extIface *backend.ExternalInterface) (
|
||||
backend.Backend, error) {
|
||||
be := &IPSECBackend{
|
||||
sm: sm,
|
||||
extIface: extIface,
|
||||
}
|
||||
|
||||
return be, nil
|
||||
}
|
||||
|
||||
func (be *IPSECBackend) RegisterNetwork(
|
||||
ctx context.Context, wg sync.WaitGroup, config *subnet.Config) (backend.Network, error) {
|
||||
|
||||
cfg := struct {
|
||||
UDPEncap bool
|
||||
ESPProposal string
|
||||
PSK string
|
||||
}{
|
||||
UDPEncap: false,
|
||||
ESPProposal: defaultESPProposal,
|
||||
}
|
||||
|
||||
if len(config.Backend) > 0 {
|
||||
if err := json.Unmarshal(config.Backend, &cfg); err != nil {
|
||||
return nil, fmt.Errorf("error decoding IPSEC backend config: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
if len(cfg.PSK) < minPasswordLength {
|
||||
return nil, fmt.Errorf(
|
||||
"config error, password should be at least %d characters long",
|
||||
minPasswordLength)
|
||||
}
|
||||
|
||||
log.Infof("IPSec config: UDPEncap=%v ESPProposal=%s", cfg.UDPEncap, cfg.ESPProposal)
|
||||
|
||||
attrs := subnet.LeaseAttrs{
|
||||
PublicIP: ip.FromIP(be.extIface.ExtAddr),
|
||||
BackendType: "ipsec",
|
||||
}
|
||||
|
||||
l, err := be.sm.AcquireLease(ctx, &attrs)
|
||||
|
||||
switch err {
|
||||
case nil:
|
||||
|
||||
case context.Canceled, context.DeadlineExceeded:
|
||||
return nil, err
|
||||
|
||||
default:
|
||||
return nil, fmt.Errorf("failed to acquire lease: %v", err)
|
||||
}
|
||||
|
||||
ikeDaemon, err := NewCharonIKEDaemon(ctx, wg, cfg.ESPProposal)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error creating CharonIKEDaemon struct: %v", err)
|
||||
}
|
||||
|
||||
return newNetwork(be.sm, be.extIface, cfg.UDPEncap, cfg.PSK, ikeDaemon, l)
|
||||
}
|
207
vendor/github.com/coreos/flannel/backend/ipsec/ipsec_network.go
generated
vendored
Normal file
207
vendor/github.com/coreos/flannel/backend/ipsec/ipsec_network.go
generated
vendored
Normal file
@ -0,0 +1,207 @@
|
||||
// Copyright 2017 flannel authors
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
// +build !windows
|
||||
|
||||
package ipsec
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net"
|
||||
"strconv"
|
||||
"sync"
|
||||
|
||||
log "k8s.io/klog"
|
||||
"github.com/vishvananda/netlink"
|
||||
"golang.org/x/net/context"
|
||||
|
||||
"github.com/coreos/flannel/backend"
|
||||
"github.com/coreos/flannel/subnet"
|
||||
)
|
||||
|
||||
const (
|
||||
/*
|
||||
New IP header (Tunnel Mode) : 20
|
||||
SPI (ESP Header) : 4
|
||||
Sequence (ESP Header) : 4
|
||||
ESP-AES IV : 16
|
||||
ESP-AES Pad : 0-15
|
||||
Pad length (ESP Trailer) : 1
|
||||
Next Header (ESP Trailer) : 1
|
||||
ESP-SHA-256 ICV : 16
|
||||
*/
|
||||
ipsecOverhead = 77
|
||||
udpEncapOverhead = 8
|
||||
|
||||
defaultReqID = 11
|
||||
)
|
||||
|
||||
type network struct {
|
||||
backend.SimpleNetwork
|
||||
password string
|
||||
UDPEncap bool
|
||||
sm subnet.Manager
|
||||
iked *CharonIKEDaemon
|
||||
}
|
||||
|
||||
func newNetwork(sm subnet.Manager, extIface *backend.ExternalInterface,
|
||||
UDPEncap bool, password string, ikeDaemon *CharonIKEDaemon,
|
||||
l *subnet.Lease) (*network, error) {
|
||||
n := &network{
|
||||
SimpleNetwork: backend.SimpleNetwork{
|
||||
SubnetLease: l,
|
||||
ExtIface: extIface,
|
||||
},
|
||||
sm: sm,
|
||||
iked: ikeDaemon,
|
||||
password: password,
|
||||
UDPEncap: UDPEncap,
|
||||
}
|
||||
|
||||
return n, nil
|
||||
}
|
||||
|
||||
func (n *network) Run(ctx context.Context) {
|
||||
|
||||
err := n.iked.LoadSharedKey(n.SimpleNetwork.SubnetLease.Attrs.PublicIP.ToIP().String(), n.password)
|
||||
if err != nil {
|
||||
log.Errorf("Failed to load PSK: %v", err)
|
||||
return
|
||||
}
|
||||
|
||||
wg := sync.WaitGroup{}
|
||||
defer wg.Wait()
|
||||
|
||||
log.Info("Watching for new subnet leases")
|
||||
|
||||
evts := make(chan []subnet.Event)
|
||||
|
||||
wg.Add(1)
|
||||
go func() {
|
||||
subnet.WatchLeases(ctx, n.sm, n.SubnetLease, evts)
|
||||
log.Info("WatchLeases exited")
|
||||
wg.Done()
|
||||
}()
|
||||
|
||||
for {
|
||||
select {
|
||||
case evtsBatch := <-evts:
|
||||
log.Info("Handling event")
|
||||
n.handleSubnetEvents(evtsBatch)
|
||||
case <-ctx.Done():
|
||||
log.Info("Received DONE")
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (n *network) handleSubnetEvents(batch []subnet.Event) {
|
||||
for _, evt := range batch {
|
||||
switch evt.Type {
|
||||
case subnet.EventAdded:
|
||||
log.Info("Subnet added: ", evt.Lease.Subnet)
|
||||
|
||||
if evt.Lease.Attrs.BackendType != "ipsec" {
|
||||
log.Warningf("Ignoring non-ipsec event: type: %v", evt.Lease.Attrs.BackendType)
|
||||
continue
|
||||
}
|
||||
|
||||
if evt.Lease.Subnet.Equal(n.SubnetLease.Subnet) {
|
||||
log.Warningf("Ignoring own lease add event: %+v", evt.Lease)
|
||||
continue
|
||||
}
|
||||
|
||||
if err := n.AddIPSECPolicies(&evt.Lease, defaultReqID); err != nil {
|
||||
log.Errorf("error adding ipsec policy: %v", err)
|
||||
}
|
||||
|
||||
if err := n.iked.LoadSharedKey(evt.Lease.Attrs.PublicIP.String(), n.password); err != nil {
|
||||
log.Errorf("error loading shared key into IKE daemon: %v", err)
|
||||
}
|
||||
|
||||
if err := n.iked.LoadConnection(n.SubnetLease, &evt.Lease, strconv.Itoa(defaultReqID),
|
||||
strconv.FormatBool(n.UDPEncap)); err != nil {
|
||||
log.Errorf("error loading connection into IKE daemon: %v", err)
|
||||
}
|
||||
|
||||
case subnet.EventRemoved:
|
||||
log.Info("Subnet removed: ", evt.Lease.Subnet)
|
||||
if evt.Lease.Attrs.BackendType != "ipsec" {
|
||||
log.Warningf("Ignoring non-ipsec event: type: %v", evt.Lease.Attrs.BackendType)
|
||||
continue
|
||||
}
|
||||
|
||||
if evt.Lease.Subnet.Equal(n.SubnetLease.Subnet) {
|
||||
log.Warningf("Ignoring own lease remove event: %+v", evt.Lease)
|
||||
continue
|
||||
}
|
||||
|
||||
if err := n.iked.UnloadCharonConnection(n.SubnetLease, &evt.Lease); err != nil {
|
||||
log.Errorf("error unloading charon connections: %v", err)
|
||||
}
|
||||
|
||||
if err := n.DeleteIPSECPolicies(n.SubnetLease.Subnet.ToIPNet(), evt.Lease.Subnet.ToIPNet(),
|
||||
n.SubnetLease.Attrs.PublicIP.ToIP(), evt.Lease.Attrs.PublicIP.ToIP(), defaultReqID); err != nil {
|
||||
|
||||
log.Errorf("error deleting ipsec policies: %v", err)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (n *network) MTU() int {
|
||||
mtu := n.ExtIface.Iface.MTU - ipsecOverhead
|
||||
if n.UDPEncap {
|
||||
mtu -= udpEncapOverhead
|
||||
}
|
||||
|
||||
return mtu
|
||||
}
|
||||
|
||||
func (n *network) AddIPSECPolicies(remoteLease *subnet.Lease, reqID int) error {
|
||||
err := AddXFRMPolicy(n.SubnetLease, remoteLease, netlink.XFRM_DIR_OUT, reqID)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error adding ipsec out policy: %v", err)
|
||||
}
|
||||
|
||||
err = AddXFRMPolicy(remoteLease, n.SubnetLease, netlink.XFRM_DIR_IN, reqID)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error adding ipsec in policy: %v", err)
|
||||
}
|
||||
|
||||
err = AddXFRMPolicy(remoteLease, n.SubnetLease, netlink.XFRM_DIR_FWD, reqID)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error adding ipsec fwd policy: %v", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (n *network) DeleteIPSECPolicies(localSubnet, remoteSubnet *net.IPNet, localPublicIP, remotePublicIP net.IP, reqID int) error {
|
||||
err := DeleteXFRMPolicy(localSubnet, remoteSubnet, localPublicIP, remotePublicIP, netlink.XFRM_DIR_OUT, reqID)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error deleting ipsec out policy: %v", err)
|
||||
}
|
||||
|
||||
err = DeleteXFRMPolicy(remoteSubnet, localSubnet, remotePublicIP, localPublicIP, netlink.XFRM_DIR_IN, reqID)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error deleting ipsec in policy: %v", err)
|
||||
}
|
||||
|
||||
err = DeleteXFRMPolicy(remoteSubnet, localSubnet, remotePublicIP, localPublicIP, netlink.XFRM_DIR_FWD, reqID)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error deleting ipsec fwd policy: %v", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
21
vendor/github.com/coreos/flannel/backend/ipsec/ipsec_windows.go
generated
vendored
Normal file
21
vendor/github.com/coreos/flannel/backend/ipsec/ipsec_windows.go
generated
vendored
Normal file
@ -0,0 +1,21 @@
|
||||
// Copyright 2017 flannel authors
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package ipsec
|
||||
|
||||
import log "k8s.io/klog"
|
||||
|
||||
func init() {
|
||||
log.Infof("ipsec is not supported on this platform")
|
||||
}
|
3
vendor/github.com/coreos/flannel/backend/vxlan/device.go
generated
vendored
3
vendor/github.com/coreos/flannel/backend/vxlan/device.go
generated
vendored
@ -35,6 +35,7 @@ type vxlanDeviceAttrs struct {
|
||||
vtepAddr net.IP
|
||||
vtepPort int
|
||||
gbp bool
|
||||
learning bool
|
||||
}
|
||||
|
||||
type vxlanDevice struct {
|
||||
@ -51,7 +52,7 @@ func newVXLANDevice(devAttrs *vxlanDeviceAttrs) (*vxlanDevice, error) {
|
||||
VtepDevIndex: devAttrs.vtepIndex,
|
||||
SrcAddr: devAttrs.vtepAddr,
|
||||
Port: devAttrs.vtepPort,
|
||||
Learning: false,
|
||||
Learning: devAttrs.learning,
|
||||
GBP: devAttrs.gbp,
|
||||
}
|
||||
|
||||
|
26
vendor/github.com/coreos/flannel/backend/vxlan/device_windows.go
generated
vendored
26
vendor/github.com/coreos/flannel/backend/vxlan/device_windows.go
generated
vendored
@ -18,6 +18,7 @@ import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"github.com/Microsoft/hcsshim"
|
||||
"github.com/Microsoft/hcsshim/hcn"
|
||||
"github.com/buger/jsonparser"
|
||||
"github.com/coreos/flannel/pkg/ip"
|
||||
log "k8s.io/klog"
|
||||
@ -129,7 +130,30 @@ func ensureNetwork(expectedNetwork *hcsshim.HNSNetwork, expectedVSID int64, expe
|
||||
}
|
||||
|
||||
log.Infof("Created HNSNetwork %s", networkName)
|
||||
return newNetwork, nil
|
||||
existingNetwork = newNetwork
|
||||
}
|
||||
|
||||
existingNetworkV2, err := hcn.GetNetworkByID(existingNetwork.Id)
|
||||
if err != nil {
|
||||
return nil, errors.Annotatef(err, "Could not find vxlan0 in V2")
|
||||
}
|
||||
|
||||
addHostRoute := true
|
||||
for _, policy := range existingNetworkV2.Policies {
|
||||
if policy.Type == hcn.HostRoute {
|
||||
addHostRoute = false
|
||||
}
|
||||
}
|
||||
if addHostRoute {
|
||||
hostRoutePolicy := hcn.NetworkPolicy{
|
||||
Type: hcn.HostRoute,
|
||||
Settings: []byte("{}"),
|
||||
}
|
||||
|
||||
networkRequest := hcn.PolicyNetworkRequest{
|
||||
Policies: []hcn.NetworkPolicy{hostRoutePolicy},
|
||||
}
|
||||
existingNetworkV2.AddPolicy(networkRequest)
|
||||
}
|
||||
|
||||
return existingNetwork, nil
|
||||
|
4
vendor/github.com/coreos/flannel/backend/vxlan/vxlan.go
generated
vendored
4
vendor/github.com/coreos/flannel/backend/vxlan/vxlan.go
generated
vendored
@ -107,6 +107,7 @@ func (be *VXLANBackend) RegisterNetwork(ctx context.Context, wg sync.WaitGroup,
|
||||
VNI int
|
||||
Port int
|
||||
GBP bool
|
||||
Learning bool
|
||||
DirectRouting bool
|
||||
}{
|
||||
VNI: defaultVNI,
|
||||
@ -117,7 +118,7 @@ func (be *VXLANBackend) RegisterNetwork(ctx context.Context, wg sync.WaitGroup,
|
||||
return nil, fmt.Errorf("error decoding VXLAN backend config: %v", err)
|
||||
}
|
||||
}
|
||||
log.Infof("VXLAN config: VNI=%d Port=%d GBP=%v DirectRouting=%v", cfg.VNI, cfg.Port, cfg.GBP, cfg.DirectRouting)
|
||||
log.Infof("VXLAN config: VNI=%d Port=%d GBP=%v Learning=%v DirectRouting=%v", cfg.VNI, cfg.Port, cfg.GBP, cfg.Learning, cfg.DirectRouting)
|
||||
|
||||
devAttrs := vxlanDeviceAttrs{
|
||||
vni: uint32(cfg.VNI),
|
||||
@ -126,6 +127,7 @@ func (be *VXLANBackend) RegisterNetwork(ctx context.Context, wg sync.WaitGroup,
|
||||
vtepAddr: be.extIface.IfaceAddr,
|
||||
vtepPort: cfg.Port,
|
||||
gbp: cfg.GBP,
|
||||
learning: cfg.Learning,
|
||||
}
|
||||
|
||||
dev, err := newVXLANDevice(&devAttrs)
|
||||
|
70
vendor/github.com/coreos/flannel/backend/vxlan/vxlan_windows.go
generated
vendored
70
vendor/github.com/coreos/flannel/backend/vxlan/vxlan_windows.go
generated
vendored
@ -33,7 +33,6 @@ import (
|
||||
|
||||
"golang.org/x/net/context"
|
||||
|
||||
"github.com/Microsoft/hcsshim"
|
||||
"github.com/Microsoft/hcsshim/hcn"
|
||||
"github.com/coreos/flannel/backend"
|
||||
"github.com/coreos/flannel/pkg/ip"
|
||||
@ -65,9 +64,13 @@ func New(sm subnet.Manager, extIface *backend.ExternalInterface) (backend.Backen
|
||||
}
|
||||
|
||||
func newSubnetAttrs(publicIP net.IP, vnid uint16, mac net.HardwareAddr) (*subnet.LeaseAttrs, error) {
|
||||
var hardwareAddress hardwareAddr
|
||||
if mac != nil {
|
||||
hardwareAddress = hardwareAddr(mac)
|
||||
}
|
||||
leaseAttrs := &vxlanLeaseAttrs{
|
||||
VNI: vnid,
|
||||
VtepMAC: hardwareAddr(mac),
|
||||
VtepMAC: hardwareAddress,
|
||||
}
|
||||
data, err := json.Marshal(&leaseAttrs)
|
||||
if err != nil {
|
||||
@ -123,33 +126,12 @@ func (be *VXLANBackend) RegisterNetwork(ctx context.Context, wg sync.WaitGroup,
|
||||
}
|
||||
log.Infof("VXLAN config: Name=%s MacPrefix=%s VNI=%d Port=%d GBP=%v DirectRouting=%v", cfg.Name, cfg.MacPrefix, cfg.VNI, cfg.Port, cfg.GBP, cfg.DirectRouting)
|
||||
|
||||
hnsNetworks, err := hcsshim.HNSListNetworkRequest("GET", "", "")
|
||||
if err != nil {
|
||||
log.Infof("Cannot get HNS networks [%+v]", err)
|
||||
}
|
||||
|
||||
var remoteDrMac string
|
||||
for _, hnsnetwork := range hnsNetworks {
|
||||
if hnsnetwork.ManagementIP == be.extIface.ExtAddr.String() {
|
||||
hcnnetwork, err := hcn.GetNetworkByID(hnsnetwork.Id)
|
||||
policies := hcnnetwork.Policies
|
||||
for _, policy := range policies {
|
||||
if policy.Type == hcn.DrMacAddress {
|
||||
policySettings := hcn.DrMacAddressNetworkPolicySetting{}
|
||||
err = json.Unmarshal(policy.Settings, &policySettings)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Failed to unmarshal settings")
|
||||
}
|
||||
remoteDrMac = policySettings.Address
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
mac, err := net.ParseMAC(string(remoteDrMac))
|
||||
err := hcn.RemoteSubnetSupported()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
subnetAttrs, err := newSubnetAttrs(be.extIface.ExtAddr, uint16(cfg.VNI), mac)
|
||||
|
||||
subnetAttrs, err := newSubnetAttrs(be.extIface.ExtAddr, uint16(cfg.VNI), nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -176,7 +158,41 @@ func (be *VXLANBackend) RegisterNetwork(ctx context.Context, wg sync.WaitGroup,
|
||||
dev.directRouting = cfg.DirectRouting
|
||||
dev.macPrefix = cfg.MacPrefix
|
||||
|
||||
return newNetwork(be.subnetMgr, be.extIface, dev, ip.IP4Net{}, lease)
|
||||
network, err := newNetwork(be.subnetMgr, be.extIface, dev, ip.IP4Net{}, lease)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
hcnNetwork, err := hcn.GetNetworkByName(cfg.Name)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var newDrMac string
|
||||
for _, policy := range hcnNetwork.Policies {
|
||||
if policy.Type == hcn.DrMacAddress {
|
||||
policySettings := hcn.DrMacAddressNetworkPolicySetting{}
|
||||
err = json.Unmarshal(policy.Settings, &policySettings)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Failed to unmarshal settings")
|
||||
}
|
||||
newDrMac = policySettings.Address
|
||||
}
|
||||
}
|
||||
|
||||
mac, err := net.ParseMAC(string(newDrMac))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Cannot parse DR MAC %v: %+v", newDrMac, err)
|
||||
}
|
||||
|
||||
subnetAttrs, err = newSubnetAttrs(be.extIface.ExtAddr, uint16(cfg.VNI), mac)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
lease, err = be.subnetMgr.AcquireLease(ctx, subnetAttrs)
|
||||
|
||||
return network, nil
|
||||
}
|
||||
|
||||
// So we can make it JSON (un)marshalable
|
||||
|
8
vendor/github.com/coreos/flannel/pkg/ip/ipnet.go
generated
vendored
8
vendor/github.com/coreos/flannel/pkg/ip/ipnet.go
generated
vendored
@ -77,12 +77,12 @@ func (ip IP4) StringSep(sep string) string {
|
||||
return fmt.Sprintf("%d%s%d%s%d%s%d", a, sep, b, sep, c, sep, d)
|
||||
}
|
||||
|
||||
// json.Marshaler impl
|
||||
// MarshalJSON: json.Marshaler impl
|
||||
func (ip IP4) MarshalJSON() ([]byte, error) {
|
||||
return []byte(fmt.Sprintf(`"%s"`, ip)), nil
|
||||
}
|
||||
|
||||
// json.Unmarshaler impl
|
||||
// UnmarshalJSON: json.Unmarshaler impl
|
||||
func (ip *IP4) UnmarshalJSON(j []byte) error {
|
||||
j = bytes.Trim(j, "\"")
|
||||
if val, err := ParseIP4(string(j)); err != nil {
|
||||
@ -163,12 +163,12 @@ func (n IP4Net) Empty() bool {
|
||||
return n.IP == IP4(0) && n.PrefixLen == uint(0)
|
||||
}
|
||||
|
||||
// json.Marshaler impl
|
||||
// MarshalJSON: json.Marshaler impl
|
||||
func (n IP4Net) MarshalJSON() ([]byte, error) {
|
||||
return []byte(fmt.Sprintf(`"%s"`, n)), nil
|
||||
}
|
||||
|
||||
// json.Unmarshaler impl
|
||||
// UnmarshalJSON: json.Unmarshaler impl
|
||||
func (n *IP4Net) UnmarshalJSON(j []byte) error {
|
||||
j = bytes.Trim(j, "\"")
|
||||
if _, val, err := net.ParseCIDR(string(j)); err != nil {
|
||||
|
66
vendor/github.com/coreos/flannel/subnet/kube/kube.go
generated
vendored
66
vendor/github.com/coreos/flannel/subnet/kube/kube.go
generated
vendored
@ -25,6 +25,7 @@ import (
|
||||
|
||||
"github.com/coreos/flannel/pkg/ip"
|
||||
"github.com/coreos/flannel/subnet"
|
||||
log "k8s.io/klog"
|
||||
"golang.org/x/net/context"
|
||||
"k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
@ -38,7 +39,6 @@ import (
|
||||
"k8s.io/client-go/rest"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
"k8s.io/client-go/tools/clientcmd"
|
||||
"k8s.io/klog"
|
||||
)
|
||||
|
||||
var (
|
||||
@ -48,8 +48,6 @@ var (
|
||||
const (
|
||||
resyncPeriod = 5 * time.Minute
|
||||
nodeControllerSyncTimeout = 10 * time.Minute
|
||||
|
||||
netConfPath = "/etc/kube-flannel/net-conf.json"
|
||||
)
|
||||
|
||||
type kubeSubnetManager struct {
|
||||
@ -62,21 +60,16 @@ type kubeSubnetManager struct {
|
||||
events chan subnet.Event
|
||||
}
|
||||
|
||||
func NewSubnetManager(apiUrl, flannelConf, kubeconfig, prefix string) (subnet.Manager, error) {
|
||||
func NewSubnetManager(apiUrl, kubeconfig, prefix, netConfPath string) (subnet.Manager, error) {
|
||||
|
||||
var cfg *rest.Config
|
||||
var err error
|
||||
// Use out of cluster config if the URL or kubeconfig have been specified. Otherwise use incluster config.
|
||||
if apiUrl != "" || kubeconfig != "" {
|
||||
// Try to build kubernetes config from a master url or a kubeconfig filepath. If neither masterUrl
|
||||
// or kubeconfigPath are passed in we fall back to inClusterConfig. If inClusterConfig fails,
|
||||
// we fallback to the default config.
|
||||
cfg, err = clientcmd.BuildConfigFromFlags(apiUrl, kubeconfig)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to create k8s config: %v", err)
|
||||
}
|
||||
} else {
|
||||
cfg, err = rest.InClusterConfig()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to initialize inclusterconfig: %v", err)
|
||||
}
|
||||
return nil, fmt.Errorf("fail to create kubernetes config: %v", err)
|
||||
}
|
||||
|
||||
c, err := clientset.NewForConfig(cfg)
|
||||
@ -105,10 +98,7 @@ func NewSubnetManager(apiUrl, flannelConf, kubeconfig, prefix string) (subnet.Ma
|
||||
}
|
||||
}
|
||||
|
||||
if flannelConf == "" {
|
||||
flannelConf = netConfPath
|
||||
}
|
||||
netConf, err := ioutil.ReadFile(flannelConf)
|
||||
netConf, err := ioutil.ReadFile(netConfPath)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to read net conf: %v", err)
|
||||
}
|
||||
@ -124,14 +114,14 @@ func NewSubnetManager(apiUrl, flannelConf, kubeconfig, prefix string) (subnet.Ma
|
||||
}
|
||||
go sm.Run(context.Background())
|
||||
|
||||
klog.Infof("Waiting %s for node controller to sync", nodeControllerSyncTimeout)
|
||||
log.Infof("Waiting %s for node controller to sync", nodeControllerSyncTimeout)
|
||||
err = wait.Poll(time.Second, nodeControllerSyncTimeout, func() (bool, error) {
|
||||
return sm.nodeController.HasSynced(), nil
|
||||
})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error waiting for nodeController to sync state: %v", err)
|
||||
}
|
||||
klog.Infof("Node controller sync successful")
|
||||
log.Infof("Node controller sync successful")
|
||||
|
||||
return sm, nil
|
||||
}
|
||||
@ -169,12 +159,12 @@ func newKubeSubnetManager(c clientset.Interface, sc *subnet.Config, nodeName, pr
|
||||
if !isNode {
|
||||
deletedState, ok := obj.(cache.DeletedFinalStateUnknown)
|
||||
if !ok {
|
||||
klog.Infof("Error received unexpected object: %v", obj)
|
||||
log.Infof("Error received unexpected object: %v", obj)
|
||||
return
|
||||
}
|
||||
node, ok = deletedState.Obj.(*v1.Node)
|
||||
if !ok {
|
||||
klog.Infof("Error deletedFinalStateUnknown contained non-Node object: %v", deletedState.Obj)
|
||||
log.Infof("Error deletedFinalStateUnknown contained non-Node object: %v", deletedState.Obj)
|
||||
return
|
||||
}
|
||||
obj = node
|
||||
@ -197,7 +187,7 @@ func (ksm *kubeSubnetManager) handleAddLeaseEvent(et subnet.EventType, obj inter
|
||||
|
||||
l, err := ksm.nodeToLease(*n)
|
||||
if err != nil {
|
||||
klog.Infof("Error turning node %q to lease: %v", n.ObjectMeta.Name, err)
|
||||
log.Infof("Error turning node %q to lease: %v", n.ObjectMeta.Name, err)
|
||||
return
|
||||
}
|
||||
ksm.events <- subnet.Event{et, l}
|
||||
@ -217,7 +207,7 @@ func (ksm *kubeSubnetManager) handleUpdateLeaseEvent(oldObj, newObj interface{})
|
||||
|
||||
l, err := ksm.nodeToLease(*n)
|
||||
if err != nil {
|
||||
klog.Infof("Error turning node %q to lease: %v", n.ObjectMeta.Name, err)
|
||||
log.Infof("Error turning node %q to lease: %v", n.ObjectMeta.Name, err)
|
||||
return
|
||||
}
|
||||
ksm.events <- subnet.Event{subnet.EventAdded, l}
|
||||
@ -254,7 +244,7 @@ func (ksm *kubeSubnetManager) AcquireLease(ctx context.Context, attrs *subnet.Le
|
||||
n.Annotations[ksm.annotations.BackendData] = string(bd)
|
||||
if n.Annotations[ksm.annotations.BackendPublicIPOverwrite] != "" {
|
||||
if n.Annotations[ksm.annotations.BackendPublicIP] != n.Annotations[ksm.annotations.BackendPublicIPOverwrite] {
|
||||
klog.Infof("Overriding public ip with '%s' from node annotation '%s'",
|
||||
log.Infof("Overriding public ip with '%s' from node annotation '%s'",
|
||||
n.Annotations[ksm.annotations.BackendPublicIPOverwrite],
|
||||
ksm.annotations.BackendPublicIPOverwrite)
|
||||
n.Annotations[ksm.annotations.BackendPublicIP] = n.Annotations[ksm.annotations.BackendPublicIPOverwrite]
|
||||
@ -284,6 +274,10 @@ func (ksm *kubeSubnetManager) AcquireLease(ctx context.Context, attrs *subnet.Le
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
err = ksm.setNodeNetworkUnavailableFalse()
|
||||
if err != nil {
|
||||
log.Errorf("Unable to set NetworkUnavailable to False for %q: %v", ksm.nodeName, err)
|
||||
}
|
||||
return &subnet.Lease{
|
||||
Subnet: ip.FromIPNet(cidr),
|
||||
Attrs: *attrs,
|
||||
@ -303,7 +297,7 @@ func (ksm *kubeSubnetManager) WatchLeases(ctx context.Context, cursor interface{
|
||||
}
|
||||
|
||||
func (ksm *kubeSubnetManager) Run(ctx context.Context) {
|
||||
klog.Infof("Starting kube subnet manager")
|
||||
log.Infof("Starting kube subnet manager")
|
||||
ksm.nodeController.Run(ctx.Done())
|
||||
}
|
||||
|
||||
@ -325,7 +319,7 @@ func (ksm *kubeSubnetManager) nodeToLease(n v1.Node) (l subnet.Lease, err error)
|
||||
return l, nil
|
||||
}
|
||||
|
||||
// unimplemented
|
||||
// RenewLease: unimplemented
|
||||
func (ksm *kubeSubnetManager) RenewLease(ctx context.Context, lease *subnet.Lease) error {
|
||||
return ErrUnimplemented
|
||||
}
|
||||
@ -337,3 +331,23 @@ func (ksm *kubeSubnetManager) WatchLease(ctx context.Context, sn ip.IP4Net, curs
|
||||
func (ksm *kubeSubnetManager) Name() string {
|
||||
return fmt.Sprintf("Kubernetes Subnet Manager - %s", ksm.nodeName)
|
||||
}
|
||||
|
||||
// Set Kubernetes NodeNetworkUnavailable to false when starting
|
||||
// https://kubernetes.io/docs/concepts/architecture/nodes/#condition
|
||||
func (ksm *kubeSubnetManager) setNodeNetworkUnavailableFalse() error {
|
||||
condition := v1.NodeCondition{
|
||||
Type: v1.NodeNetworkUnavailable,
|
||||
Status: v1.ConditionFalse,
|
||||
Reason: "FlannelIsUp",
|
||||
Message: "Flannel is running on this node",
|
||||
LastTransitionTime: metav1.Now(),
|
||||
LastHeartbeatTime: metav1.Now(),
|
||||
}
|
||||
raw, err := json.Marshal(&[]v1.NodeCondition{condition})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
patch := []byte(fmt.Sprintf(`{"status":{"conditions":%s}}`, raw))
|
||||
_, err = ksm.client.CoreV1().Nodes().PatchStatus(ksm.nodeName, patch)
|
||||
return err
|
||||
}
|
||||
|
6
vendor/modules.txt
vendored
6
vendor/modules.txt
vendored
@ -119,6 +119,8 @@ github.com/bhendo/go-powershell/backend
|
||||
github.com/bhendo/go-powershell/utils
|
||||
# github.com/blang/semver v3.5.0+incompatible
|
||||
github.com/blang/semver
|
||||
# github.com/bronze1man/goStrongswanVici v0.0.0-20190828090544-27d02f80ba40
|
||||
github.com/bronze1man/goStrongswanVici
|
||||
# github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23
|
||||
github.com/buger/jsonparser
|
||||
# github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5
|
||||
@ -358,8 +360,10 @@ github.com/coreos/etcd/clientv3/balancer/connectivity
|
||||
github.com/coreos/etcd/pkg/systemd
|
||||
github.com/coreos/etcd/raft
|
||||
github.com/coreos/etcd/raft/raftpb
|
||||
# github.com/coreos/flannel v0.11.0 => github.com/ibuildthecloud/flannel v0.10.1-0.20190131215433-823afe66b226
|
||||
# github.com/coreos/flannel v0.11.0 => github.com/rancher/flannel v0.11.0-k3s.1
|
||||
github.com/coreos/flannel/backend
|
||||
github.com/coreos/flannel/backend/extension
|
||||
github.com/coreos/flannel/backend/ipsec
|
||||
github.com/coreos/flannel/backend/vxlan
|
||||
github.com/coreos/flannel/network
|
||||
github.com/coreos/flannel/pkg/ip
|
||||
|
Loading…
Reference in New Issue
Block a user