From 999e40d6d316195ebcd46a484f14178d4b2943dd Mon Sep 17 00:00:00 2001
From: Erik Wilson
Date: Thu, 5 Sep 2019 17:39:18 -0700
Subject: [PATCH] Add strongswan utilities for ipsec

---
 .dockerignore               | 1 +
 .gitignore                  | 1 +
 cmd/k3s/main.go             | 3 +++
 pkg/agent/config/config.go  | 1 +
 pkg/agent/flannel/setup.go  | 26 ++++++++++++++++++++++++++
 pkg/daemons/config/types.go | 1 +
 scripts/package-cli         | 2 +-
 7 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/.dockerignore b/.dockerignore
index 2fe08c8f23..5f31b7fd15 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,4 +1,5 @@
 ./bin
+./etc
 ./build/data
 ./build/data.tar.gz
 ./pkg/data/zz_generated_bindata.go
diff --git a/.gitignore b/.gitignore
index 76a1accfea..be9c881c17 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,6 +11,7 @@
 /.lesshst
 /*.log
 /bin
+/etc
 /build
 /data-dir
 /dist
diff --git a/cmd/k3s/main.go b/cmd/k3s/main.go
index d02e7484a3..20055c7e63 100644
--- a/cmd/k3s/main.go
+++ b/cmd/k3s/main.go
@@ -87,6 +87,9 @@ func stageAndRun(dataDir string, cmd string, args []string) error {
 	if err := os.Setenv("PATH", filepath.Join(dir, "bin")+":"+os.Getenv("PATH")+":"+filepath.Join(dir, "bin/aux")); err != nil {
 		return err
 	}
+	if err := os.Setenv("K3S_DATA_DIR", dir); err != nil {
+		return err
+	}
 	cmd, err = exec.LookPath(cmd)
 	if err != nil {
diff --git a/pkg/agent/config/config.go b/pkg/agent/config/config.go
index 32987e083a..b4296f360a 100644
--- a/pkg/agent/config/config.go
+++ b/pkg/agent/config/config.go
@@ -350,6 +350,7 @@ func get(envInfo *cmds.Agent) (*config.Node, error) {
 	nodeConfig.AgentConfig.RootDir = filepath.Join(envInfo.DataDir, "kubelet")
 	nodeConfig.AgentConfig.PauseImage = envInfo.PauseImage
 	nodeConfig.AgentConfig.IPSECPSK = controlConfig.IPSECPSK
+	nodeConfig.AgentConfig.StrongSwanDir = filepath.Join(envInfo.DataDir, "strongswan")
 	nodeConfig.CACerts = info.CACerts
 	nodeConfig.Containerd.Config = filepath.Join(envInfo.DataDir, "etc/containerd/config.toml")
 	nodeConfig.Containerd.Root = filepath.Join(envInfo.DataDir, "containerd")
diff --git a/pkg/agent/flannel/setup.go b/pkg/agent/flannel/setup.go
index d7f219bd48..dbc0b69c06 100644
--- a/pkg/agent/flannel/setup.go
+++ b/pkg/agent/flannel/setup.go
@@ -3,6 +3,8 @@ package flannel
 import (
 	"context"
 	"fmt"
+	"os"
+	"path"
 	"path/filepath"
 	"strings"
 	"time"
@@ -131,6 +133,9 @@ func createFlannelConf(nodeConfig *config.Node) error {
 		backendConf = vxlanBackend
 	case config.FlannelBackendIPSEC:
 		backendConf = strings.Replace(ipsecBackend, "%psk%", nodeConfig.AgentConfig.IPSECPSK, -1)
+		if err := setupStrongSwan(nodeConfig); err != nil {
+			return err
+		}
 	case config.FlannelBackendWireguard:
 		backendConf = wireguardBackend
 	default:
@@ -140,3 +145,24 @@ func createFlannelConf(nodeConfig *config.Node) error {
 
 	return util.WriteFile(nodeConfig.FlannelConf, confJSON)
 }
+
+func setupStrongSwan(nodeConfig *config.Node) error {
+	// if we don't know the location of extracted strongswan data then return
+	dataDir := os.Getenv("K3S_DATA_DIR")
+	if dataDir == "" {
+		return nil
+	}
+	dataDir = path.Join(dataDir, "etc", "strongswan")
+
+	info, err := os.Lstat(nodeConfig.AgentConfig.StrongSwanDir)
+	// something exists but is not a symlink, return
+	if err == nil && info.Mode()&os.ModeSymlink == 0 {
+		return nil
+	}
+
+	// clean up strongswan old link
+	os.Remove(nodeConfig.AgentConfig.StrongSwanDir)
+
+	// make new strongswan link
+	return os.Symlink(dataDir, nodeConfig.AgentConfig.StrongSwanDir)
+}
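Review bot: The `os.Remove` in setupStrongSwan discards its error, so when a stale entry at StrongSwanDir cannot be removed (for example a permission error) the failure only surfaces one line later as an "exists" error from `os.Symlink` that hides the real cause; check it with `if err := os.Remove(nodeConfig.AgentConfig.StrongSwanDir); err != nil && !os.IsNotExist(err) { return err }`. The link target is built with `path.Join` although this file already imports `path/filepath` and uses it for every other filesystem path, so `filepath.Join(dataDir, "etc", "strongswan")` would be consistent and the new `path` import could be dropped. The early `return nil` when a non-symlink already exists appears to be a deliberate escape hatch for operator-supplied config rather than an error, but the comment does not say so; something like `// a real directory here is left alone so an operator can provide their own strongswan config` would make the intent explicit. Note also that the link target is taken from the K3S_DATA_DIR environment variable, so whatever strongswan later reads from StrongSwanDir (presumably its ipsec config and secrets) comes from wherever that variable points; this is only safe while the variable is set by the trusted k3s wrapper in stageAndRun and not inherited from an untrusted calling environment.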
diff --git a/pkg/daemons/config/types.go b/pkg/daemons/config/types.go
index 90b6879509..8a8ffc8bc8 100644
--- a/pkg/daemons/config/types.go
+++ b/pkg/daemons/config/types.go
@@ -75,6 +75,7 @@ type Agent struct {
 	NodeTaints    []string
 	NodeLabels    []string
 	IPSECPSK      string
+	StrongSwanDir string
 }
 
 type Control struct {
diff --git a/scripts/package-cli b/scripts/package-cli
index ef658d8497..e8b6f20a54 100755
--- a/scripts/package-cli
+++ b/scripts/package-cli
@@ -22,7 +22,7 @@ rm -rf build/data
 mkdir -p build/data build/out
 mkdir -p dist/artifacts
 
-tar cvzf ./build/out/data.tar.gz --exclude ./bin/hyperkube ./bin
+tar cvzf ./build/out/data.tar.gz --exclude ./bin/hyperkube ./bin ./etc
 
 HASH=$(sha256sum ./build/out/data.tar.gz | awk '{print $1}')
 cp ./build/out/data.tar.gz ./build/data/${HASH}.tgz