projectcalico / calico

Cloud native networking and network security
https://docs.tigera.io/calico/latest/about/
Apache License 2.0

Feature request: Use wireguard for site-to-site VPNs #4170

Open baurmatt opened 3 years ago

baurmatt commented 3 years ago

Expected Behavior

As a user of Calico, I'd like to use Wireguard to implement site-to-site VPN. This might be interesting for cluster-to-cluster traffic but also for securely connecting legacy services running outside of the cluster.

Current Behavior

We currently can only encrypt in-cluster traffic with Wireguard. This is already an awesome security feature for the cluster itself.

Possible Solution

?

Context

We're trying to securely connect on-premise infrastructure to our Kubernetes cluster running in the $cloud.

Your Environment

SacDin commented 3 years ago

Potentially useful for connecting remote services in cluster from developer's local system for debugging.

ffilippopoulos commented 3 years ago

+1 for this idea. This will allow us to write a small operator that syncs calico nodes from another cluster and use wireguard encryption in transit. Tried to "hack" it by adding additional calico nodes but this is apparently not allowed:

WARN[0000] Operation Create is not supported on Node type

caseydavenport commented 3 years ago

Tried to "hack" it by adding additional calico nodes but this is apparently not allowed:

Calico uses the kubernetes node resource behind the scenes. For your hack, you could probably create dummy nodes in the k8s API and Calico would just treat those as if they were real.

ffilippopoulos commented 3 years ago

@caseydavenport thanks! I thought of your suggestion as well, but for bigger clusters it's a lot of duplication and I am afraid that things might get messy. Are there any thoughts about creating a new CRD for external wireguard nodes as part of this feature request? Something where we could probably specify addresses and wg public key in order to peer with external nodes we manage (something similar to the BGPPeer resource but for wireguard :)))

caseydavenport commented 3 years ago

Yeah, I think that for this feature (and a couple of other similar features) we'd need to introduce the concept of a node that isn't part of the Kubernetes cluster, which currently doesn't exist when using the k8s API server as the backing store.

fwiw, this might be possible already in etcd mode, where we aren't limited by the k8s node resource.