Merge pull request #1230 from andreek/add-wireguard

Add wireguard backend
flannel-io · Dec 2, 2021 · 7d0cbdf · 7d0cbdf
2 parents 2775ad9 + 4c5f708
commit 7d0cbdf
Show file tree

Hide file tree

Showing 554 changed files with 60,473 additions and 23,101 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -17,3 +17,11 @@ after_success:
     fi
 notifications:
   email: false
+
+addons:
+  apt:
+    sources:
+      - sourceline: 'ppa:wireguard/wireguard'
+    packages:
+      - wireguard
+      - linux-headers-$(uname -r)
diff --git a/Documentation/backends.md b/Documentation/backends.md
@@ -164,3 +164,20 @@ Troubleshooting
 * `ip xfrm policy` can be used to show the installed policies. Flannel installs three policies for each host it connects to. 
 
 Flannel will not restore policies that are manually deleted (unless flannel is restarted). It will also not delete stale policies on startup. They can be removed by rebooting your host or by removing all ipsec state with `ip xfrm state flush && ip xfrm policy flush` and restarting flannel.
+
+### WireGuard
+
+Use in-kernel [WireGuard](https://www.wireguard.com) to encapsulate and encrypt the packets.
+
+Type:
+* `Type` (string): `wireguard`
+* `PSK` (string): Optional. The pre shared key to use. Use `wg genpsk` to generate a key.
+* `ListenPort` (int): Optional. The udp port to listen on. Default is `51820`.
+* `ListenPortV6` (int): Optional. The udp port to listen on for ipv6. Default is `51821`.
+* `PersistentKeepaliveInterval` (int): Optional. Default is 0 (disabled).
+
+If no private key was generated before the private key is written to `/run/flannel/wgkey`. You can use environment `WIREGUARD_KEY_FILE` to change this path.
+
+The static names of the interfaces are `flannel-wg` and `flannel-wg-v6`. WireGuard tools like `wg show` can be used to debug interfaces and peers.
+
+Users of kernels < 5.6 need to [install](https://www.wireguard.com/install/) a module.
diff --git a/Documentation/configuration.md b/Documentation/configuration.md
@@ -83,7 +83,7 @@ Set `healthz-port` to a non-zero value will enable a healthz server for flannel.
 
 ## Dual-stack
 
-Flannel supports the dual-stack mode of Kubernetes. This means pods and services could use ipv4 and ipv6 at the same time. Currently, dual-stack is only supported for kube subnet manager and vxlan or host-gw(linux) backend.
+Flannel supports the dual-stack mode of Kubernetes. This means pods and services could use ipv4 and ipv6 at the same time. Currently, dual-stack is only supported for kube subnet manager and vxlan, wireguard or host-gw(linux) backend.
 
 Requirements:
 * v1.0 of flannel binary from [containernetworking/plugins](https://github.com/containernetworking/plugins)