Merge branch 'liqotech:master' into master

Author: thisiskazem

apis/networking/v1beta1/firewall/chain_types.go

@@ -83,7 +83,7 @@ type Chain struct {
 	Rules RulesSet `json:"rules"`
 	// Type defines what this chain will be used for.
 	// +kubebuilder:validation:Enum="filter";"route";"nat"
-	Type *ChainType `json:"type"`
+	Type ChainType `json:"type"`
 	// Policy defines what this chain default policy will be.
 	// +kubebuilder:validation:Enum="drop";"accept"
 	Policy *ChainPolicy `json:"policy"`

apis/networking/v1beta1/firewall/zz_generated.deepcopy.go

@@ -4,15 +4,36 @@ FROM alpine:3.20
 ARG COMPONENT
 ARG TARGETARCH
 
+RUN if [ "$COMPONENT" = "geneve" ] || [ "$COMPONENT" = "wireguard" ] || [ "$COMPONENT" = "gateway" ]; then \
+    set -x; \
+    apk add --no-cache iproute2 nftables bash wireguard-tools tcpdump conntrack-tools curl iputils; \
+    fi
+
+RUN if [ "$COMPONENT" = "wireguard" ]; then \
+    set -e; \
+    apk add --no-cache git curl; \
+    GO_VERSION=1.22.4; \
+    # Map Docker TARGETARCH to Go architecture names \
+    case "$TARGETARCH" in \
+        amd64) GO_ARCH=amd64 ;; \
+        arm64) GO_ARCH=arm64 ;; \
+        arm) GO_ARCH=armv6l ;; \
+        *) echo "Unsupported architecture: $TARGETARCH" && exit 1 ;; \
+    esac; \
+    curl -L https://go.dev/dl/go${GO_VERSION}.linux-${GO_ARCH}.tar.gz | tar -C /usr/local -xz; \
+    export PATH="/usr/local/go/bin:$PATH"; \
+    git clone https://git.zx2c4.com/wireguard-go; cd wireguard-go; git checkout f333402bd9cbe0f3eeb02507bd14e23d7d639280; \
+    CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH /usr/local/go/bin/go build -ldflags="-s -w" -o /usr/bin/wireguard-go; \
+    cd .. && rm -rf wireguard-go; \
+    rm -rf /usr/local/go; \
+    apk del git curl; \
+    fi
+
 # Copy the correct binary for the architecture
 COPY ./bin/${TARGETARCH}/${COMPONENT}_linux_${TARGETARCH} /usr/bin/${COMPONENT}
 RUN chmod +x /usr/bin/${COMPONENT}
 RUN ln -s /usr/bin/${COMPONENT} /usr/bin/liqo-component
 
-RUN if [ "$COMPONENT" = "geneve" ] || [ "$COMPONENT" = "wireguard" ] || [ "$COMPONENT" = "gateway" ]; then \
-    apk add --no-cache iproute2 nftables bash wireguard-tools tcpdump conntrack-tools curl iputils; \
-    fi
-
 WORKDIR /workspace
 
 ENTRYPOINT ["/usr/bin/liqo-component"]

build/liqo/Dockerfile

@@ -4,14 +4,8 @@ set -e
 set -o nounset
 set -o pipefail
 
-usage() {
-    echo "Usage: $0 [-m] [-p] <component-folder>"
-    echo "  -p    Push the built image to the registry"
-    echo "  -h    Show this help message"
-}
-
 if [ $# -ne 1 ]; then
-    usage
+    echo "Usage: $0 <component-folder>"
     exit 1
 fi
 

build/liqo/build.sh

@@ -47,6 +47,7 @@ type AuthOption struct {
 	APIServerAddressOverride string
 	CAOverrideB64            string
 	TrustedCA                bool
+	TLSCompatibilityMode     bool
 	SliceStatusOptions       *remoteresourceslicecontroller.SliceStatusOptions
 }
 
@@ -61,6 +62,7 @@ func NewAuthOption(identityProvider identitymanager.IdentityProvider, namespaceM
 		APIServerAddressOverride: opts.APIServerAddressOverride,
 		CAOverrideB64:            opts.CAOverride,
 		TrustedCA:                opts.TrustedCA,
+		TLSCompatibilityMode:     opts.TLSCompatibilityMode,
 		SliceStatusOptions: &remoteresourceslicecontroller.SliceStatusOptions{
 			EnableStorage:             opts.EnableStorage,
 			LocalRealStorageClassName: opts.RealStorageClassName,
@@ -85,7 +87,7 @@ func SetupAuthenticationModule(ctx context.Context, mgr manager.Manager, uncache
 		}
 	}
 
-	if err := enforceAuthenticationKeys(ctx, uncachedClient, opts.LiqoNamespace); err != nil {
+	if err := enforceAuthenticationKeys(ctx, uncachedClient, opts.LiqoNamespace, opts.TLSCompatibilityMode); err != nil {
 		klog.Errorf("Unable to enforce authentication keys: %v", err)
 		return err
 	}
@@ -178,8 +180,8 @@ func SetupAuthenticationModule(ctx context.Context, mgr manager.Manager, uncache
 	return nil
 }
 
-func enforceAuthenticationKeys(ctx context.Context, cl client.Client, liqoNamespace string) error {
-	if err := authentication.InitClusterKeys(ctx, cl, liqoNamespace); err != nil {
+func enforceAuthenticationKeys(ctx context.Context, cl client.Client, liqoNamespace string, tlsCompatibilityMode bool) error {
+	if err := authentication.InitClusterKeys(ctx, cl, liqoNamespace, tlsCompatibilityMode); err != nil {
 		return err
 	}
 

cmd/liqo-controller-manager/modules/authentication.go

@@ -52,6 +52,7 @@ Examples:
   $ {{ .Executable }} peer --remote-kubeconfig <provider>
   $ {{ .Executable }} peer --remote-kubeconfig <provider> --gw-server-service-type NodePort
   $ {{ .Executable }} peer --remote-kubeconfig <provider> --cpu 2 --memory 4Gi --pods 10
+  $ {{ .Executable }} peer --remote-kubeconfig <provider> --cpu 2 --memory 4Gi --pods 10 --resource nvidia.com/gpu=2
   $ {{ .Executable }} peer --remote-kubeconfig <provider> --create-resource-slice false
   $ {{ .Executable }} peer --remote-kubeconfig <provider> --create-virtual-node false
 `
@@ -129,6 +130,8 @@ func newPeerCommand(ctx context.Context, f *factory.Factory) *cobra.Command {
 	cmd.Flags().StringVar(&options.CPU, "cpu", "", "The amount of CPU requested for the VirtualNode")
 	cmd.Flags().StringVar(&options.Memory, "memory", "", "The amount of memory requested for the VirtualNode")
 	cmd.Flags().StringVar(&options.Pods, "pods", "", "The amount of pods requested for the VirtualNode")
+	cmd.Flags().StringToStringVar(
+		&options.OtherResources, "resource", nil, "Other resources requested for the VirtualNode (e.g., '--resource=nvidia.com/gpu=2')")
 
 	return cmd
 }

cmd/liqoctl/cmd/peer.go

@@ -189,7 +189,6 @@ func newCertificateRetriever(kubeClient kubernetes.Interface, signer, nodeName s
 			certificates.UsageServerAuth,
 		},
 		CertificateStore: certificateStore,
-		Logf:             klog.V(2).Infof,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize server certificate manager: %w", err)

cmd/virtual-kubelet/root/http.go

@@ -11,12 +11,13 @@
 | authentication.awsConfig.secretAccessKey | string | `""` | SecretAccessKey for the Liqo user. |
 | authentication.awsConfig.useExistingSecret | bool | `false` | Use an existing secret to configure the AWS credentials. |
 | authentication.enabled | bool | `true` | Enable/Disable the authentication module. |
-| common.affinity | object | `{}` | Affinity for all liqo pods, excluding virtual kubelet. |
+| authentication.tlsCompatibilityMode | bool | `false` | Enable TLS compatibility mode for client certificates and keys. If set to true, Liqo will use widely supported algorithm (RSA) instead of Ed25519 (default) for generating private keys and CSRs. Enable this option to ensure compatibility with systems that do not yet support Ed25519 as signature algorithm. |
+| common.affinity | object | `{}` | Affinity for all liqo pods, excluding virtual kubelet pod and fabric daemonset. |
 | common.extraArgs | list | `[]` | Extra arguments for all liqo pods, excluding virtual kubelet. |
 | common.globalAnnotations | object | `{}` | Global annotations to be added to all resources created by Liqo controllers |
 | common.globalLabels | object | `{"liqo.io/managed":"true"}` | Global labels to be added to all resources created by Liqo controllers |
-| common.nodeSelector | object | `{}` | NodeSelector for all liqo pods, excluding virtual kubelet. |
-| common.tolerations | list | `[]` | Tolerations for all liqo pods, excluding virtual kubelet. |
+| common.nodeSelector | object | `{}` | NodeSelector for all liqo pods, excluding virtual kubelet pod and fabric daemonset. |
+| common.tolerations | list | `[]` | Tolerations for all liqo pods, excluding virtual kubelet pod and fabric daemonset. |
 | controllerManager.config.defaultLimitsEnforcement | string | `"None"` | Defines how strict is the enforcement of the quota offered by the remote cluster. enableResourceEnforcement must be enabled to use this feature. Possible values are: None, Soft, Hard. None: the offloaded pods might not have the resource `requests` or `limits`. Soft: it forces the offloaded pods to have `requests` set. If the pods go over the requests, the total used resources might go over the quota. Hard: it forces the offloaded pods to have `limits` and `requests` set, with `requests` == `limits`. This is the safest mode as the consumer cluster cannot go over the quota. |
 | controllerManager.config.enableNodeFailureController | bool | `false` | Ensure offloaded pods running on a failed node are evicted and rescheduled on a healthy node, preventing them to remain in a terminating state indefinitely. This feature can be useful in case of remote node failure to guarantee better service continuity and to have the expected pods workload on the remote cluster. However, enabling this feature could produce zombies in the worker node, in case the node returns Ready again without a restart. |
 | controllerManager.config.enableResourceEnforcement | bool | `true` | It enforces offerer-side that offloaded pods do not exceed offered resources (based on container limits). This feature is suggested to be enabled when consumer-side enforcement is not sufficient. It makes sure that the sum of the requests of the offloaded pods never exceeds the quota offered by the remote cluster. The quota can be still exceeded if no limits and requests are defined in the offloaded pods or if the limits are larger than the requests. For a stricter enforcement, the defaultLimitsEnforcement can be set to Hard. |
@@ -85,19 +86,21 @@
 | nameOverride | string | `""` | Override the standard name used by Helm and associated to Kubernetes/Liqo resources. |
 | networking.clientResources | list | `[{"apiVersion":"networking.liqo.io/v1beta1","resource":"wggatewayclients"}]` | Set the list of resources that implement the GatewayClient |
 | networking.enabled | bool | `true` | Use the default Liqo networking module. |
+| networking.fabric.affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"liqo.io/type","operator":"NotIn","values":["virtual-node"]}]}]}}}` | Affinity for the fabric pod. |
 | networking.fabric.config.fullMasquerade | bool | `false` | Enabe/Disable the full masquerade mode for the fabric pod. It means that all traffic will be masquerade using the first external cidr IP, instead of using the pod IP. Full masquerade is useful when the cluster nodeports uses a PodCIDR IP to masqerade the incoming traffic. IMPORTANT: Please consider that enabling this feature will masquerade the source IP of traffic towards a remote cluster, making impossible for a pod that receives the traffic to know the original source IP. |
 | networking.fabric.config.gatewayMasqueradeBypass | bool | `false` | Enable/Disable the masquerade bypass for the gateway pods. It means that the packets from gateway pods will not be masqueraded from the host where the pod is scheduled. This is useful in scenarios where CNIs masquerade the traffic from pod to nodes. For example this is required when using the Azure CNI or Kindnet. |
 | networking.fabric.config.healthProbeBindAddressPort | string | `"8081"` | Set the port where the fabric pod will expose the health probe. To disable the health probe, set the port to 0. |
 | networking.fabric.config.metricsAddressPort | string | `"8082"` | Set the port where the fabric pod will expose the metrics. To disable the metrics, set the port to 0. |
 | networking.fabric.config.nftablesMonitor | bool | `false` | Enable/Disable the nftables monitor for the fabric pod. It means that the fabric pod will monitor the nftables rules and will restore them in case of changes. In some cases (like K3S), this monitor can cause a huge amount of CPU usage. If you are experiencing high CPU usage, you can disable this feature. |
 | networking.fabric.image.name | string | `"ghcr.io/liqotech/fabric"` | Image repository for the fabric pod. |
 | networking.fabric.image.version | string | `""` | Custom version for the fabric image. If not specified, the global tag is used. |
+| networking.fabric.nodeSelector | object | `{}` | NodeSelector for the fabric pod. |
 | networking.fabric.pod.annotations | object | `{}` | Annotations for the fabric pod. |
 | networking.fabric.pod.extraArgs | list | `[]` | Extra arguments for the fabric pod. |
 | networking.fabric.pod.labels | object | `{}` | Labels for the fabric pod. |
 | networking.fabric.pod.priorityClassName | string | `""` | PriorityClassName (https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority) for the fabric pod. |
 | networking.fabric.pod.resources | object | `{"limits":{},"requests":{}}` | Resource requests and limits (https://kubernetes.io/docs/user-guide/compute-resources/) for the fabric pod. |
-| networking.fabric.tolerations | list | `[]` | Extra tolerations for the fabric daemonset. |
+| networking.fabric.tolerations | list | `[]` | Extra tolerations for the fabric pod. |
 | networking.gatewayTemplates | object | `{"container":{"gateway":{"image":{"name":"ghcr.io/liqotech/gateway","version":""}},"geneve":{"image":{"name":"ghcr.io/liqotech/gateway/geneve","version":""}},"wireguard":{"image":{"name":"ghcr.io/liqotech/gateway/wireguard","version":""}}},"ping":{"interval":"2s","lossThreshold":5,"updateStatusInterval":"10s"},"replicas":1,"server":{"service":{"allocateLoadBalancerNodePorts":"","annotations":{}}},"wireguard":{"implementation":"kernel"}}` | Set the options for the default gateway (server/client) templates. The default templates use a WireGuard implementation to connect the gateway of the clusters. These options are used to configure only the default templates and should not be considered if a custom template is used. |
 | networking.gatewayTemplates.container.gateway.image.name | string | `"ghcr.io/liqotech/gateway"` | Image repository for the gateway container. |
 | networking.gatewayTemplates.container.gateway.image.version | string | `""` | Custom version for the gateway image. If not specified, the global tag is used. |

deployments/liqo/README.md

@@ -451,13 +451,12 @@ spec:
                         type: object
                       trafficDistribution:
                         description: |-
-                          TrafficDistribution offers a way to express preferences for how traffic is
-                          distributed to Service endpoints. Implementations can use this field as a
-                          hint, but are not required to guarantee strict adherence. If the field is
-                          not set, the implementation will apply its default routing strategy. If set
-                          to "PreferClose", implementations should prioritize endpoints that are
-                          topologically close (e.g., same zone).
-                          This is a beta field and requires enabling ServiceTrafficDistribution feature.
+                          TrafficDistribution offers a way to express preferences for how traffic
+                          is distributed to Service endpoints. Implementations can use this field
+                          as a hint, but are not required to guarantee strict adherence. If the
+                          field is not set, the implementation will apply its default routing
+                          strategy. If set to "PreferClose", implementations should prioritize
+                          endpoints that are in the same zone.
                         type: string
                       type:
                         description: |-