diff --git a/examples/wireguard-with-cilium/README.md b/examples/wireguard-with-cilium/README.md index 4172c84963..61e11172e5 100644 --- a/examples/wireguard-with-cilium/README.md +++ b/examples/wireguard-with-cilium/README.md @@ -79,36 +79,20 @@ apt-get update apt-get install -y tcpdump ``` -6. Start a packet capture and verify you don't see payload in clear text +6. Start a packet capture on `cilium_wg0` and verify you see payload in clear text, it means the traffic is encrypted with wireguard ```sh -tcpdump -A -c 3 -i cilium_wg0 - -# Output should look similar below (truncated for brevity) - -tcpdump: verbose output suppressed, use -v or -vv for full protocol decode -listening on cilium_wg0, link-type RAW (Raw IP), capture size 262144 bytes -05:28:30.234209 IP ip-10-0-11-73.ec2.internal.58086 > ip-10-0-10-160.ec2.internal.http: Flags [S], seq 2831772984, win 62727, options [mss 8961,sackOK,TS val 3834644316 ecr 0,nop,wscale 7], length 0 -E..<].@.?... -..I -. -....P..m8........&.....#.... -...\........ -05:28:30.234306 IP ip-10-0-10-160.ec2.internal.http > ip-10-0-11-73.ec2.internal.58086: Flags [S.], seq 131501951, ack 2831772985, win 62643, options [mss 8961,sackOK,TS val 1959385110 ecr 3834644316,nop,wscale 7], length 0 -E..<..@.?... -. -. -..I.P........m9....*.....#.... -t......\.... -05:28:30.234930 IP ip-10-0-11-73.ec2.internal.58086 > ip-10-0-10-160.ec2.internal.http: Flags [.], ack 1, win 491, options [nop,nop,TS val 3834644317 ecr 1959385110], length 0 -E..4].@.?... -..I -. -....P..m9............... -...]t... -3 packets captured -9 packets received by filter -1 packet dropped by kernel +tcpdump -A -c 40 -i cilium_wg0 | grep "Welcome to nginx!" + +# Output should look similar below + +Welcome to nginx! +

Welcome to nginx!

+... + +40 packets captured +40 packets received by filter +0 packets dropped by kernel ``` 7. Exit the container shell @@ -121,7 +105,6 @@ exit To teardown and remove the resources created in this example: ```sh -terraform destroy -target=module.eks_blueprints_kubernetes_addons -auto-approve -terraform destroy -target=module.eks_blueprints -auto-approve +terraform destroy -target=module.eks -auto-approve terraform destroy -auto-approve ``` diff --git a/examples/wireguard-with-cilium/destroy.sh b/examples/wireguard-with-cilium/destroy.sh new file mode 100755 index 0000000000..dd4567a6b2 --- /dev/null +++ b/examples/wireguard-with-cilium/destroy.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +terraform destroy -target=module.eks -auto-approve +terraform destroy -auto-approve diff --git a/examples/wireguard-with-cilium/main.tf b/examples/wireguard-with-cilium/main.tf index 8183257f69..55ca941b67 100644 --- a/examples/wireguard-with-cilium/main.tf +++ b/examples/wireguard-with-cilium/main.tf @@ -68,7 +68,7 @@ module "eks" { version = "~> 19.13" cluster_name = local.name - cluster_version = "1.25" + cluster_version = "1.27" cluster_endpoint_public_access = true # EKS Addons 
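Review bot: destroy.sh still runs the second `terraform destroy -auto-approve` when the targeted `terraform destroy -target=module.eks` fails, because the script sets no error handling; add `set -euo pipefail` on the line after the shebang so a partial teardown stops instead of continuing against a half-deleted stack. Both commands also skip Terraform's confirmation prompt, so a one-line header would help whoever runs it, e.g. `# Non-interactive teardown: destroy the cluster (and what depends on it) first, then the rest of the stack.`; why the cluster must go first is not stated anywhere in the hunk.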
@@ -81,20 +81,31 @@ module "eks" { vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets + eks_managed_node_groups = { initial = { instance_types = ["m5.large"] - - # BottleRocket ships with kernel 5.10 so there is no need - # to do anything special - ami_type = "BOTTLEROCKET_x86_64" - platform = "bottlerocket" - + # Cilium Wireguard requires Linux Kernel 5.10 or aboved. + # For EKS 1.24 and above, the AMI the Kernerl version is 5.10 + # For EKS 1.23 and below, you need to use Bottlerocket OS. For example: + # ami_type = "BOTTLEROCKET_x86_64" + # platform = "bottlerocket" min_size = 1 - max_size = 5 + max_size = 3 desired_size = 2 } } + # Extend node-to-node security group rules + node_security_group_additional_rules = { + ingress_cilium_wireguard = { + description = "Allow Cilium Wireguard node to node" + protocol = "udp" + from_port = 51871 + to_port = 51871 # Cilium Wireguard Port https://github.com/cilium/cilium/blob/main/Documentation/security/network/encryption-wireguard.rst + type = "ingress" + self = true + } + } tags = local.tags } @@ -106,7 +117,7 @@ module "eks" { resource "helm_release" "cilium" { name = "cilium" chart = "cilium" - version = "1.12.3" + version = "1.13.2" repository = "https://helm.cilium.io/" description = "Cilium Add-on" namespace = "kube-system" @@ -132,11 +143,18 @@ resource "helm_release" "cilium" { ] } - #--------------------------------------------------------------- # Sample App for Testing #--------------------------------------------------------------- +# For some reason the example pods can't be deployed right after helm install of cilium a delay needs to be introduced. This is being investigated +resource "time_sleep" "wait_wireguard" { + count = var.enable_example ? 1 : 0 + create_duration = "15s" + + depends_on = [helm_release.cilium] +} + resource "kubectl_manifest" "server" { count = var.enable_example ? 1 : 0 
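Review bot: The new node-group comment asserts that Cilium WireGuard needs kernel 5.10 or above and has typos (`aboved`, `Kernerl`); as far as I recall the Cilium document linked a few lines below on the port rule lists a lower minimum kernel, so please check the requirement against that page and reword, e.g. `# Cilium WireGuard needs a kernel with WireGuard support (see the Cilium encryption docs); the default AMI for EKS 1.24+ ships 5.10, older EKS versions need Bottlerocket.` The `ingress_cilium_wireguard` rule is correctly limited to the node security group via `self = true`; stating that in its description (`"Cilium WireGuard UDP 51871, node-to-node only"`) would discourage a later change to a CIDR source. The change of `max_size` from 5 to 3 is not explained in the hunk. The `module "eks"` block continues outside this hunk.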
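Review bot: `time_sleep.wait_wireguard` makes the example pods depend on a fixed 15 s delay rather than on Cilium being ready, so the race the accompanying comment describes is hidden rather than removed, and the comment itself says the cause is still unknown. A readiness check is the safer replacement: a `null_resource` whose `local-exec` runs `kubectl -n kube-system rollout status ds/cilium --timeout=120s` (this assumes the Terraform runner has a kubeconfig for the cluster and that the `null` provider is declared in versions.tf), with the `kubectl_manifest` resources pointed at it instead of at `time_sleep`. This is more than flakiness: as far as I recall, Cilium 1.13 has no strict encryption mode, so traffic a pod sends before peer WireGuard keys are distributed may leave the node in clear text — worth confirming against the 1.13 documentation and recording in the comment. `resource "kubectl_manifest" "server"` begins in this hunk but its body continues outside it.
```hcl
# Wait for the Cilium agent DaemonSet to finish rolling out before the example
# pods are created; a fixed sleep only hides the race between helm install and
# pod creation.
resource "null_resource" "wait_cilium" {
  count = var.enable_example ? 1 : 0

  provisioner "local-exec" {
    command = "kubectl -n kube-system rollout status ds/cilium --timeout=120s"
  }

  depends_on = [helm_release.cilium]
}
# … unchanged: kubectl_manifest.server (depends_on should reference null_resource.wait_cilium) …
```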
@@ -172,9 +190,7 @@ resource "kubectl_manifest" "server" { } }) - depends_on = [ - helm_release.cilium - ] + depends_on = [time_sleep.wait_wireguard] } resource "kubectl_manifest" "service" { @@ -235,9 +251,7 @@ resource "kubectl_manifest" "client" { } }) - depends_on = [ - kubectl_manifest.server[0] - ] + depends_on = [kubectl_manifest.server] } ################################################################################ diff --git a/examples/wireguard-with-cilium/versions.tf b/examples/wireguard-with-cilium/versions.tf index 4e2e5b8339..895e26d778 100644 --- a/examples/wireguard-with-cilium/versions.tf +++ b/examples/wireguard-with-cilium/versions.tf @@ -18,6 +18,10 @@ terraform { source = "gavinbunney/kubectl" version = ">= 1.14" } + time = { + source = "hashicorp/time" + version = ">= 0.9" + } } # ## Used for end-to-end testing on project; update to suit your needs
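Review bot: `version = ">= 0.9"` for `hashicorp/time` is an open-ended constraint that accepts any future major release of the provider; unless a `.terraform.lock.hcl` is committed for this example (not visible here), a pessimistic constraint such as `version = "~> 0.9"` keeps the resolved provider from silently changing. The existing `gavinbunney/kubectl` entry uses the same `>=` form, so this is a convention to settle for the whole file rather than only for the added lines.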