This is a kmods-via-containers implementation for WireGuard using the atomic-wireguard example.
This repository is intended to fulfil some of the OpenShift steps for encrypting cluster traffic described here: https://docs.projectcalico.org/security/encrypt-cluster-pod-traffic#install-wireguard
In your work directory:
- clone kmods-via-containers
  ```
  git clone https://github.com/tigera/kmods-via-containers
  ```
- clone this repository also
  ```
  git clone https://github.com/tigera/kvc-wireguard-kmod
  ```
- Edit kvc-wireguard-kmod/wireguard-kmod.conf so that the variables correspond to the data below that matches your cluster
  ```
  uname -r
  ```
  Please refer to the sections below for the Quick Config Variables Guide and Compatibility Table.

```
export FAKEROOT=$(mktemp -d)
make -C kmods-via-containers install FAKEROOT=$FAKEROOT
make -C kvc-wireguard-kmod install FAKEROOT=$FAKEROOT
make -sC kvc-wireguard-kmod FAKEROOT=$FAKEROOT ignition > mc-wg.yaml
oc apply -f mc-wg.yaml
```

wireguard-kmod.conf | comment |
---|---|
WIREGUARD_KERNEL_VERSION | Run uname -r on your cluster to fill out this field |
WIREGUARD_VERSION | Please obtain the tar.xz file of the latest wireguard-linux-compat version here without the 'v' prefix |
WIREGUARD_SHA256 | SHA256 of the above wireguard-linux-compat-(version).tar.xz file |
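
The WIREGUARD_VERSION and WIREGUARD_SHA256 values described above can be checked against the downloaded tarball before the build is started. The script below is an added example, not part of this repository: it assumes wireguard-kmod.conf holds shell-style KEY=value lines, and the function names, exit codes and sample file are hypothetical and constructed.

```shell
#!/bin/sh
# Added example, not part of kvc-wireguard-kmod.
# Assumption: wireguard-kmod.conf holds shell-style KEY=value lines.

# conf_get FILE KEY: print the last value assigned to KEY, quotes stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"' \r"
}

# check_kmod_conf CONF TARBALL
# Returns 0 on match, 1 on digest mismatch, 2-4 on malformed input.
check_kmod_conf() {
    conf=$1
    tarball=$2
    ver=$(conf_get "$conf" WIREGUARD_VERSION)
    want=$(conf_get "$conf" WIREGUARD_SHA256 | tr 'A-F' 'a-f')
    case $ver in
        ''|v*) echo "WIREGUARD_VERSION must be set, without the 'v' prefix" >&2
               return 2 ;;
    esac
    # A SHA-256 digest is exactly 64 hex characters.
    if ! printf '%s' "$want" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "WIREGUARD_SHA256 is not a 64-character hex digest" >&2
        return 3
    fi
    # The file name must carry the same version the conf declares.
    if [ "$(basename "$tarball")" != "wireguard-linux-compat-$ver.tar.xz" ]; then
        echo "tarball name does not match WIREGUARD_VERSION=$ver" >&2
        return 4
    fi
    got=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
        echo "SHA256 mismatch: conf=$want file=$got" >&2
        return 1
    fi
    echo "OK: $(basename "$tarball") matches WIREGUARD_SHA256"
}

# Demo on constructed input: a stand-in file, not a real WireGuard release.
demo=$(mktemp -d)
tb="$demo/wireguard-linux-compat-0.0.0.tar.xz"
printf 'constructed sample bytes\n' > "$tb"
printf 'WIREGUARD_VERSION=0.0.0\nWIREGUARD_SHA256=%s\n' \
    "$(sha256sum "$tb" | cut -d' ' -f1)" > "$demo/wireguard-kmod.conf"
check_kmod_conf "$demo/wireguard-kmod.conf" "$tb"
echo 'tampered' >> "$tb"
check_kmod_conf "$demo/wireguard-kmod.conf" "$tb" || echo "rejected (rc=$?)"
rm -rf "$demo"
```

Run it as `check_kmod_conf kvc-wireguard-kmod/wireguard-kmod.conf <path-to-tarball>` and continue with the `make` steps only on exit status 0.
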
WireGuard snapshots vs kernel version compatibility for atomic-wireguard kvc build system
This may aid in populating the wireguard-kmod.conf. However, please always use the latest WireGuard snapshot vs the latest kernel version (by running `uname -r` on your cluster).
WIREGUARD_VERSION | WIREGUARD_SHA256 | WIREGUARD_KERNEL_VERSION | actual uname -r |
---|---|---|---|
1.0.20220627 | 362d412693c8fe82de00283435818d5c5def7f15e2433a07a9fe99d0518f63c0 | 4.18.0-305.el8.x86_64 | 4.18.0-305.49.1.el8_4.x86_64 |
1.0.20211208 | c0e607138a17daac656f508d8e63ea3737b5221fa5d9288191ddeb099f5a3b92 | 4.18.0-305.el8.x86_64 | 4.18.0-305.30.1.el8_4.x86_64 |
1.0.20210606 | 3f5d990006e6eabfd692d925ec314fff2c5ee7dcdb869a6510d579acfdd84ec0 | 4.18.0-305.el8.x86_64 | 4.18.0-305.19.1.el8_4.x86_64 |
1.0.20210606 | 3f5d990006e6eabfd692d925ec314fff2c5ee7dcdb869a6510d579acfdd84ec0 | 4.18.0-240.el8.x86_64 | 4.18.0-240.22.1.el8_3.x86_64 |
1.0.20210219 | 99d35296b8d847a0d4db97a4dda96b464311a6354e75fe0bef6e7c4578690f00 | 4.18.0-240.el8.x86_64 | 4.18.0-240.15.1.el8_3.x86_64 |
1.0.20200611 | 9b0478c3b1f3a7b488916e632e2fcbb1383bb1a2ef294489858ce2ba1da3246d | 4.18.0-193.el8.x86_64 | 4.18.0-193.60.2.el8_2.x86_64 |
1.0.20200520 | 16e7ae4bef734b243428eea07f3b3c3d4721880c3ea8eb8f98628fd6ae5b77c3 | 4.18.0-193.el8.x86_64 | 4.18.0-193.28.1.el8_2.x86_64 |
To troubleshoot and check whether the kmods-via-containers service build phase produced any build errors, use `oc debug`.
Submit issues here: https://github.com/tigera/kvc-wireguard-kmod/issues/new
- `oc apply -f mc-wg.yaml` but nothing is happening!
  Check machine-config-operator output for details:
  ```
  oc logs -n openshift-machine-config-operator -l k8s-app=machine-config-controller --since=3h -f
  ```
- machine-config-operator was accepted / not in a degraded state but wireguard isn't working!
  Check the systemd output for the userspace service that runs kmod in one of the worker nodes:
  ```
  $ oc debug node/<node-name>  # must be a worker node, for now
  # chroot /host
  # bash
  $ journalctl [email protected] -n 1000 --no-pager
  ```
- butane ignition config output is too new for my cluster
  Consider manually editing the resulting mc-wg.yaml file's `config.ignition.version` field value from `3.2.0` to `2.2.0`. Or, alternatively, consult the Butane Config spec documentation for more information on editing config.bu.