Add option to configure multiple wireguard endpoints
Version Control Information
Source branch: wg-rotate
Target branch: devel
Commits:
* Add wireguard changes to changelog
* Update wireguard docs
* Fix typo in docs section ids
* Remove wireguard s2s options from config template
The support for wireguard s2s has been dropped and the
variables are not referenced anymore.
* Add missing check that wg peer ip is in subnet
The following ValueError implies that it is raised if the address
does not belong to the given subnet.
However, there was no such check implemented.
* Adjust wg helper to support multiple endpoints
The changes include:
- Giving the WireGuardUser object multiple IP addresses
- Parsing "old" wireguard config options into an endpoint with id 0
- Assigning IP addresses for all endpoints
* Adjust vault policies to new wireguard key paths
* Adjust nft role to support multiple wg endpoints
* Set default wg_endpoint id to 0
* Adjust wireguard role to allow multiple endpoints
* Add option to configure multiple wg endpoints
To allow wireguard key rotation, the configuration structure is
adjusted to support multiple wireguard endpoints.
This allows running two wireguard endpoints with different server keys
so users can switch to the new endpoint without interruption.
Description
This MR removes the statically configured wireguard endpoint on the gateway nodes and instead adds the option to add as many wireguard endpoints as required.
In particular, this enables wireguard key rotation with these steps:
- Initial state: There is one wireguard endpoint with id 0
- We want to abandon the server key that is used for this endpoint
- We add a new wireguard endpoint with id 1
- Users can migrate their setup to the new wireguard endpoint
- After all users migrated, endpoint 0 can be disabled
Furthermore, the MR adds a missing check that verifies that existing wireguard ip addresses (from wireguard ipam or config.toml) are in the correct subnet.
Closes: #563
Wireguard endpoints can be configured in config.toml like this:
[[wireguard.endpoints]]
id = 0
enabled = true
port = 7777
ip_cidr = "172.30.153.64/26"
ip_gw = "172.30.153.65/26"
To remove an endpoint, set enabled to false. After stage 2 has run successfully, the endpoint can also be removed from config.toml.
The endpoint used by wg-up.sh is selected with the wg_endpoint variable in envrc; the default is endpoint 0.
Old wireguard configuration in config.toml is automatically applied to the endpoint with id 0.
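As an added illustration of the configuration model described above (this is example code, not the project's wg helper), the following script parses the [[wireguard.endpoints]] tables from a config.toml, folds old-style top-level wireguard keys into endpoint 0, applies the subnet check that the MR adds for ip_gw and for fixed peer addresses (such as those from wireguard ipam), and allocates one address per enabled endpoint for every peer. The sample config and the peer table are constructed for the example; the legacy key names port, ip_cidr and ip_gw are assumed to match the endpoint keys shown above.

```python
"""Example (not the project's own code): load multi-endpoint wireguard
config, map legacy settings to endpoint 0, validate subnets and assign
per-endpoint peer addresses."""
import ipaddress

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib  # pre-3.11 backport, same API

# Constructed sample config.toml: legacy flat keys (expected to become
# endpoint 0) plus one new-style endpoint with id 1.
SAMPLE_CONFIG = """
[wireguard]
port = 7777
ip_cidr = "172.30.153.64/26"
ip_gw = "172.30.153.65/26"

[[wireguard.endpoints]]
id = 1
enabled = true
port = 7778
ip_cidr = "172.30.154.64/26"
ip_gw = "172.30.154.65/26"
"""

# Constructed peer table: {peer: {endpoint_id: fixed address}}.
# alice has a fixed address for endpoint 0 (as wireguard ipam would store);
# bob has none and gets addresses allocated.
SAMPLE_PEERS = {
    "alice": {0: "172.30.153.70"},
    "bob": {},
}

LEGACY_KEYS = ("port", "ip_cidr", "ip_gw")  # assumed legacy key names


def check_in_subnet(ip_cidr, address):
    """Raise ValueError unless address (with or without prefix) lies in ip_cidr."""
    net = ipaddress.ip_network(ip_cidr, strict=False)
    addr = ipaddress.ip_interface(address).ip
    if addr not in net:
        raise ValueError(f"{address} does not belong to subnet {ip_cidr}")
    return addr


def load_endpoints(config_text):
    """Return {id: endpoint dict}; old top-level keys become endpoint 0."""
    cfg = tomllib.loads(config_text).get("wireguard", {})
    endpoints = {}
    if all(k in cfg for k in LEGACY_KEYS):
        endpoints[0] = {"id": 0, "enabled": True,
                        **{k: cfg[k] for k in LEGACY_KEYS}}
    for ep in cfg.get("endpoints", []):
        if ep["id"] in endpoints:
            raise ValueError(f"duplicate wireguard endpoint id {ep['id']}")
        endpoints[ep["id"]] = {"enabled": True, **ep}
    # The gateway address itself must be inside the endpoint subnet.
    for ep in endpoints.values():
        check_in_subnet(ep["ip_cidr"], ep["ip_gw"])
    return endpoints


def assign_peer_ips(endpoints, peers):
    """Return {peer: {endpoint_id: IPv4Address}} for all enabled endpoints.

    Fixed addresses are validated against the subnet and reserved first so
    that allocated addresses can never collide with them."""
    result = {name: {} for name in peers}
    for ep_id, ep in sorted(endpoints.items()):
        if not ep["enabled"]:
            continue  # a disabled endpoint gets no peer addresses
        net = ipaddress.ip_network(ep["ip_cidr"], strict=False)
        used = {ipaddress.ip_interface(ep["ip_gw"]).ip}
        for name, fixed in peers.items():
            if ep_id in fixed:
                ip = check_in_subnet(ep["ip_cidr"], fixed[ep_id])
                if ip in used:
                    raise ValueError(f"{ip} already used in endpoint {ep_id}")
                used.add(ip)
                result[name][ep_id] = ip
        free = (h for h in net.hosts() if h not in used)
        for name, fixed in peers.items():
            if ep_id not in fixed:
                ip = next(free)
                used.add(ip)
                result[name][ep_id] = ip
    return result


if __name__ == "__main__":
    eps = load_endpoints(SAMPLE_CONFIG)
    for peer, addrs in assign_peer_ips(eps, SAMPLE_PEERS).items():
        print(peer, {k: str(v) for k, v in addrs.items()})
```

Running the script shows alice keeping her fixed address on endpoint 0 while receiving a fresh one on endpoint 1, which is exactly the state a user is in during the rotation steps above: both endpoints are reachable until endpoint 0 is disabled.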
Some paths have changed:
- The Wireguard server public keys are now stored at inventory/.etc/wireguard/pub/.
- The Wireguard client templates are now stored at inventory/.etc/wireguard/wgX/.
- The Wireguard private keys are now stored in the vault at wireguard/wgX-key.
- The key in the vault named wireguard-key will be copied to wireguard/wg0-key.
Merge Prerequisites
- MR title (and description) are descriptive
- Code is readable and syntactically correct
- Code is understandable
- Documentation has been updated, if necessary
- Changelog has been updated, if necessary
- Commit messages look good
As a developer: please do not tick these boxes yourself. As a reviewer: please get yourself a hot/cold beverage.