Add strongswan utilities for ipsec

5 years ago · 999e40d6d3
7 changed files with 34 additions and 1 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -1,4 +1,5 @@
 ./bin
+./etc
 ./build/data
 ./build/data.tar.gz
 ./pkg/data/zz_generated_bindata.go
--- a/.gitignore
+++ b/.gitignore
@ -11,6 +11,7 @@
 /.lesshst
 /*.log
 /bin
+/etc
 /build
 /data-dir
 /dist
--- a/cmd/k3s/main.go
+++ b/cmd/k3s/main.go
@ -87,6 +87,9 @@ func stageAndRun(dataDir string, cmd string, args []string) error {
 	if err := os.Setenv("PATH", filepath.Join(dir, "bin")+":"+os.Getenv("PATH")+":"+filepath.Join(dir, "bin/aux")); err != nil {
 		return err
 	}
+	if err := os.Setenv("K3S_DATA_DIR", dir); err != nil {
+		return err
+	}

 	cmd, err = exec.LookPath(cmd)
 	if err != nil {
--- a/pkg/agent/config/config.go
+++ b/pkg/agent/config/config.go
@ -350,6 +350,7 @@ func get(envInfo *cmds.Agent) (*config.Node, error) {
 	nodeConfig.AgentConfig.RootDir = filepath.Join(envInfo.DataDir, "kubelet")
 	nodeConfig.AgentConfig.PauseImage = envInfo.PauseImage
 	nodeConfig.AgentConfig.IPSECPSK = controlConfig.IPSECPSK
+	nodeConfig.AgentConfig.StrongSwanDir = filepath.Join(envInfo.DataDir, "strongswan")
 	nodeConfig.CACerts = info.CACerts
 	nodeConfig.Containerd.Config = filepath.Join(envInfo.DataDir, "etc/containerd/config.toml")
 	nodeConfig.Containerd.Root = filepath.Join(envInfo.DataDir, "containerd")
--- a/pkg/agent/flannel/setup.go
+++ b/pkg/agent/flannel/setup.go
@ -3,6 +3,8 @@ package flannel
 import (
 	"context"
 	"fmt"
+	"os"
+	"path"
 	"path/filepath"
 	"strings"
 	"time"
@ -131,6 +133,9 @@ func createFlannelConf(nodeConfig *config.Node) error {
 		backendConf = vxlanBackend
 	case config.FlannelBackendIPSEC:
 		backendConf = strings.Replace(ipsecBackend, "%psk%", nodeConfig.AgentConfig.IPSECPSK, -1)
+		if err := setupStrongSwan(nodeConfig); err != nil {
+			return err
+		}
 	case config.FlannelBackendWireguard:
 		backendConf = wireguardBackend
 	default:
@ -140,3 +145,24 @@ func createFlannelConf(nodeConfig *config.Node) error {

 	return util.WriteFile(nodeConfig.FlannelConf, confJSON)
 }
+
+func setupStrongSwan(nodeConfig *config.Node) error {
+	// if we don't know the location of extracted strongswan data then return
+	dataDir := os.Getenv("K3S_DATA_DIR")
+	if dataDir == "" {
+		return nil
+	}
+	dataDir = path.Join(dataDir, "etc", "strongswan")
+
+	info, err := os.Lstat(nodeConfig.AgentConfig.StrongSwanDir)
+	// something exists but is not a symlink, return
+	if err == nil && info.Mode()&os.ModeSymlink == 0 {
+		return nil
+	}
+
+	// clean up strongswan old link
+	os.Remove(nodeConfig.AgentConfig.StrongSwanDir)
+
+	// make new strongswan link
+	return os.Symlink(dataDir, nodeConfig.AgentConfig.StrongSwanDir)
+}
--- a/pkg/daemons/config/types.go
+++ b/pkg/daemons/config/types.go
@ -75,6 +75,7 @@ type Agent struct {
 	NodeTaints          []string
 	NodeLabels          []string
 	IPSECPSK            string
+	StrongSwanDir       string
 }

 type Control struct {
--- a/scripts/package-cli
+++ b/scripts/package-cli
@ -22,7 +22,7 @@ rm -rf build/data
 mkdir -p build/data build/out
 mkdir -p dist/artifacts

-tar cvzf ./build/out/data.tar.gz --exclude ./bin/hyperkube ./bin
+tar cvzf ./build/out/data.tar.gz --exclude ./bin/hyperkube ./bin ./etc
 HASH=$(sha256sum ./build/out/data.tar.gz | awk '{print $1}')

 cp ./build/out/data.tar.gz ./build/data/${HASH}.tgz