Open baurmatt opened 3 years ago
Potentially useful for connecting remote services in cluster from developer's local system for debugging.
+1 for this idea. This will allow us to write a small operator that syncs calico nodes from another cluster and use wireguard encryption in transit. Tried to "hack" it by adding additional calico nodes but this is apparently not allowed:
WARN[0000] Operation Create is not supported on Node type
Calico uses the kubernetes node resource behind the scenes. For your hack, you could probably create dummy nodes in the k8s API and Calico would just treat those as if they were real.
@caseydavenport thanks! I thought of your suggestion as well, but for bigger clusters it's a lot of duplication and I am afraid that things might get messy. Are there any thoughts about creating a new CRD for external wireguard nodes as part of this feature request? Something where we could probably specify addresses and wg public key in order to peer with external nodes we manage (something similar to the BGPPeer resource but for wireguard :)))
Yeah, I think that for this feature (and a couple of other similar features) we'd need to introduce the concept of a node that isn't part of the Kubernetes cluster, which currently doesn't exist when using the k8s API server as the backing store.
fwiw, this might be possible already in etcd mode, where we aren't limited by the k8s node resource.
Expected Behavior
As a user of Calico, I'd like to use Wireguard to implement site-to-site VPN. This might be interesting for cluster-to-cluster traffic but also for securely connecting legacy services running outside of the cluster.
Current Behavior
We currently can only encrypt in-cluster traffic with Wireguard. This is already an awesome security feature for the cluster itself.
Possible Solution
?
Context
We're trying to securely connect on-premise infrastructure to our Kubernetes cluster running in the $cloud.
Your Environment