fix: Update wireguard-with-cilium example

examples/wireguard-with-cilium/README.md

@@ -79,36 +79,20 @@ apt-get update
 apt-get install -y tcpdump
 ```
 
-6. Start a packet capture and verify you don't see payload in clear text
+6. Start a packet capture on `cilium_wg0` and verify you see payload in clear text, it means the traffic is encrypted with wireguard
 
 ```sh
-tcpdump -A -c 3 -i cilium_wg0
-
-# Output should look similar below (truncated for brevity)
-
-tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
-listening on cilium_wg0, link-type RAW (Raw IP), capture size 262144 bytes
-05:28:30.234209 IP ip-10-0-11-73.ec2.internal.58086 > ip-10-0-10-160.ec2.internal.http: Flags [S], seq 2831772984, win 62727, options [mss 8961,sackOK,TS val 3834644316 ecr 0,nop,wscale 7], length 0
-E..<].@.?...
-..I
-.
-....P..m8........&.....#....
-...\........
-05:28:30.234306 IP ip-10-0-10-160.ec2.internal.http > ip-10-0-11-73.ec2.internal.58086: Flags [S.], seq 131501951, ack 2831772985, win 62643, options [mss 8961,sackOK,TS val 1959385110 ecr 3834644316,nop,wscale 7], length 0
-E..<..@.?...
-.
-.
-..I.P........m9....*.....#....
-t......\....
-05:28:30.234930 IP ip-10-0-11-73.ec2.internal.58086 > ip-10-0-10-160.ec2.internal.http: Flags [.], ack 1, win 491, options [nop,nop,TS val 3834644317 ecr 1959385110], length 0
-E..4].@.?...
-..I
-.
-....P..m9...............
-...]t...
-3 packets captured
-9 packets received by filter
-1 packet dropped by kernel
+tcpdump -A -c 40 -i cilium_wg0 | grep "Welcome to nginx!"
+
+# Output should look similar below
+
+<title>Welcome to nginx!</title>
+<h1>Welcome to nginx!</h1>
+...
+
+40 packets captured
+40 packets received by filter
+0 packets dropped by kernel
 ```
 7. Exit the container shell
 
@@ -121,7 +105,6 @@ exit
 To teardown and remove the resources created in this example:
 
 ```sh
-terraform destroy -target=module.eks_blueprints_kubernetes_addons -auto-approve
-terraform destroy -target=module.eks_blueprints -auto-approve
+terraform destroy -target=module.eks -auto-approve
 terraform destroy -auto-approve
 ```

examples/wireguard-with-cilium/destroy.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+terraform destroy -target=module.eks -auto-approve
+terraform destroy -auto-approve

examples/wireguard-with-cilium/main.tf

@@ -68,7 +68,7 @@ module "eks" {
   version = "~> 19.13"
 
   cluster_name                   = local.name
-  cluster_version                = "1.25"
+  cluster_version                = "1.27"
   cluster_endpoint_public_access = true
 
   # EKS Addons
@@ -81,20 +81,31 @@ module "eks" {
   vpc_id     = module.vpc.vpc_id
   subnet_ids = module.vpc.private_subnets
 
+
   eks_managed_node_groups = {
     initial = {
       instance_types = ["m5.large"]
-
-      # BottleRocket ships with kernel 5.10 so there is no need
-      # to do anything special
-      ami_type = "BOTTLEROCKET_x86_64"
-      platform = "bottlerocket"
-
+      # Cilium Wireguard requires Linux Kernel 5.10 or aboved.
+      # For EKS 1.24 and above, the AMI the Kernerl version is 5.10
+      # For EKS 1.23 and below, you need to use Bottlerocket OS. For example:
+      #    ami_type = "BOTTLEROCKET_x86_64"
+      #    platform = "bottlerocket"
       min_size     = 1
-      max_size     = 5
+      max_size     = 3
       desired_size = 2
     }
   }
+  # Extend node-to-node security group rules
+  node_security_group_additional_rules = {
+    ingress_cilium_wireguard = {
+      description = "Allow Cilium Wireguard node to node"
+      protocol    = "udp"
+      from_port   = 51871
+      to_port     = 51871 # Cilium Wireguard Port https://github.com/cilium/cilium/blob/main/Documentation/security/network/encryption-wireguard.rst
+      type        = "ingress"
+      self        = true
+    }
+  }
 
   tags = local.tags
 }
@@ -106,7 +117,7 @@ module "eks" {
 resource "helm_release" "cilium" {
   name             = "cilium"
   chart            = "cilium"
-  version          = "1.12.3"
+  version          = "1.13.2"
   repository       = "https://helm.cilium.io/"
   description      = "Cilium Add-on"
   namespace        = "kube-system"
@@ -132,11 +143,18 @@ resource "helm_release" "cilium" {
   ]
 }
 
-
 #---------------------------------------------------------------
 # Sample App for Testing
 #---------------------------------------------------------------
 
+# For some reason the example pods can't be deployed right after helm install of cilium a delay needs to be introduced. This is being investigated
+resource "time_sleep" "wait_wireguard" {
+  count           = var.enable_example ? 1 : 0
+  create_duration = "15s"
+
+  depends_on = [helm_release.cilium]
+}
+
 resource "kubectl_manifest" "server" {
   count = var.enable_example ? 1 : 0
 
@@ -172,9 +190,7 @@ resource "kubectl_manifest" "server" {
     }
   })
 
-  depends_on = [
-    helm_release.cilium
-  ]
+  depends_on = [time_sleep.wait_wireguard]
 }
 
 resource "kubectl_manifest" "service" {
@@ -235,9 +251,7 @@ resource "kubectl_manifest" "client" {
     }
   })
 
-  depends_on = [
-    kubectl_manifest.server[0]
-  ]
+  depends_on = [kubectl_manifest.server]
 }
 
 ################################################################################

examples/wireguard-with-cilium/versions.tf

@@ -18,6 +18,10 @@ terraform {
       source  = "gavinbunney/kubectl"
       version = ">= 1.14"
     }
+    time = {
+      source  = "hashicorp/time"
+      version = ">= 0.9"
+    }
   }
 
   # ##  Used for end-to-end testing on project; update to suit your needs