WireGuard Support for Canal

[oxr463]

I first modified the canal-config on a running cluster:

kubectl edit configmap canal-config -n kube-system

And then put the contents of the wireguard extension inside of the net-conf.json block:

net-conf.json:
----
{
  "Network": "10.42.0.0/16",
  "Backend": {
    "Type": "extension",
    "PreStartupCommand": "wg genkey | tee privatekey | wg pubkey",
    "PostStartupCommand": "export SUBNET_IP=`echo $SUBNET | cut -d'/' -f 1`; ip link del flannel-wg 2>/dev/null; ip link add flannel-wg type wireguard && wg set flannel-wg listen-port 51820 private-key privatekey && ip addr add $SUBNET_IP/32 dev flannel-wg && ip link set flannel-wg up && ip route add $NETWORK dev flannel-wg",
    "ShutdownCommand": "ip link del flannel-wg",
    "SubnetAddCommand": "read PUBLICKEY; wg set flannel-wg peer $PUBLICKEY endpoint $PUBLIC_IP:51820 allowed-ips $SUBNET",
    "SubnetRemoveCommand": "read PUBLICKEY; wg set flannel-wg peer $PUBLICKEY remove"
  }
}

This is exactly what k3s is doing, (See: https://github.com/rancher/k3s/blob/master/pkg/agent/flannel/setup.go#L62).

gz#12903

[oxr463]

See also: https://github.com/rancher/rke/blob/master/cluster/network.go#L246

[pasikarkkainen]

Yes please, wireguard support for canal would be awesome!

[oxr463]

See also: #1125

[stale]

This issue/PR has been automatically marked as stale because it has not had activity (commit/comment/label) for 60 days. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

[oxr463]

This issue/PR has been automatically marked as stale because it has not had activity (commit/comment/label) for 60 days. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

This is not stale.

[dkeightley]

A docs PR to adjust the port requirements would be ideal to track that port 51820/UDP inbound is needed from nodes within the cluster.

[neoakris]

Note: According to RKE2's docs this works in RKE2. I wouldn't be surprised if this could work/does work with RKE1, but maybe just isn't documented.

Quoting the following site: https://docs.rke2.io/install/network_options/#install-a-cni-plugin

Starting with RKE2 v1.23 it is possible to use flannels wireguard backend for in-kernel WireGuard encapsulation and encryption (Users of kernels < 5.6 need to install a module). This can be achieved using the following config:

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-canal
  namespace: kube-system
spec:
  valuesContent: |-
    flannel:
      backend: "wireguard"

[yankcrime]

Note: According to RKE2's docs this works in RKE2. I wouldn't be surprised if this could work/does work with RKE1, but maybe just isn't documented.

The RKE equivalent would be:

network:
  plugin: canal
  options:
    canal_flannel_backend_type: wireguard

Which doesn't work, unfortunately.

[yankcrime]

And for anyone else that lands on this issue when searching for 'wireguard', if you're not married to using Canal then it can be easily enabled using Calico as your CNI instead with the following configuration in your cluster.yml:

network:
  plugin: calico

addons: |-
  ---
  apiVersion: crd.projectcalico.org/v1
  kind: FelixConfiguration
  metadata:
    name: default
  spec:
    wireguardEnabled: true