├── .gitignore ├── Dockerfile ├── Makefile ├── README.md ├── cmd └── wg-cni │ └── main.go ├── go.mod ├── go.sum ├── manifests └── wg-cni.yml ├── pkg ├── k8sutil │ └── client.go ├── netlink │ └── wireguard.go └── util │ └── string.go └── scripts └── install /.gitignore: -------------------------------------------------------------------------------- 1 | .*.sw[po] 2 | bin/ 3 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:3.11 2 | 3 | RUN apk add --no-cache bash 4 | 5 | COPY bin/wg-cni /opt/cni/bin/wg-cni 6 | COPY scripts/install /install 7 | 8 | ENTRYPOINT ["/install"] 9 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | LDFLAGS := "-extldflags '-static'" 2 | 3 | .PHONY: all 4 | all: build 5 | 6 | .PHONY: build 7 | build: 8 | CGO_ENABLED=0 GOOS=linux go build \ 9 | -ldflags $(LDFLAGS) \ 10 | -o bin/wg-cni \ 11 | github.com/schu/wireguard-cni/cmd/wg-cni 12 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # wireguard-cni 2 | 3 | Status: alpha, use with caution 4 | 5 | wireguard-cni is a CNI plugin for [WireGuard](https://www.wireguard.com/). 6 | 7 | ## Installation 8 | 9 | Configure the apiserver endpoint that `wg-cni` should use to query 10 | configuration: 11 | 12 | ``` 13 | kubectl -n kube-system create configmap wg-cni-env --from-literal=KUBERNETES_APISERVER_ENDPOINT=https://: 14 | ``` 15 | 16 | Install wg-cni and its kubeconfig file on all nodes in the cluster: 17 | 18 | ``` 19 | kubectl apply -f manifests/wg-cni.yml 20 | ``` 21 | 22 | wg-cni is set up as a chained CNI plugin. 
This means you have 23 | to configure wg-cni as an additional CNI plugin in your configuration. 24 | 25 | To do this, add wg-cni to the list of `plugins`: 26 | 27 | ``` 28 | { 29 | "type": "wg-cni", 30 | "kubeConfigPath": "/etc/kubernetes/wg-cni.kubeconfig" 31 | } 32 | ``` 33 | 34 | Note that the `wg-cni.kubeconfig` file gets created automatically by 35 | wg-cni during installation. 36 | 37 | wg-cni should now be ready and running - you can check with: 38 | 39 | ``` 40 | kubectl -n kube-system get pods -l k8s-app=wg-cni 41 | ``` 42 | 43 | ### Example: chained plugin configuration with flannel 44 | 45 |
46 | 47 | Edit the `kube-flannel-cfg` configmap and add `wg-cni` as a chained 48 | plugin. Deploy new flannel pods for the configuration to be written. 49 | To do that, you can delete the currently running flannel pods with 50 | `kubectl -n kube-system delete pods -l app=flannel`. 51 | 52 | Edit the configmap: 53 | 54 | ``` 55 | kubectl -n kube-system edit configmap kube-flannel-cfg 56 | ``` 57 | 58 | Example kube-flannel-cfg configmap: 59 | 60 | ``` 61 | kind: ConfigMap 62 | apiVersion: v1 63 | metadata: 64 | name: kube-flannel-cfg 65 | namespace: kube-system 66 | labels: 67 | tier: node 68 | app: flannel 69 | data: 70 | cni-conf.json: | 71 | { 72 | "name": "cbr0", 73 | "plugins": [ 74 | { 75 | "type": "flannel", 76 | "delegate": { 77 | "hairpinMode": true, 78 | "isDefaultGateway": true 79 | } 80 | }, 81 | { 82 | "type": "portmap", 83 | "capabilities": { 84 | "portMappings": true 85 | } 86 | }, 87 | { 88 | "type": "wg-cni", 89 | "kubeConfigPath": "/etc/kubernetes/wg-cni.kubeconfig" 90 | } 91 | ] 92 | } 93 | net-conf.json: | 94 | { 95 | "Network": "10.244.0.0/16", 96 | "Backend": { 97 | "Type": "vxlan" 98 | } 99 | } 100 | ``` 101 | 102 |
103 | 104 | ## Usage 105 | 106 | To add a WireGuard connection to a pod, two things are required: 107 | 108 | 1. a secret with the configuration and 109 | 1. an annotation in the pod's metadata to signal wg-cni that it should 110 | configure a link for it and where the configuration can be found. 111 | 112 | Note: pods that are not annotated are skipped by wg-cni. 113 | 114 | Create a file `config.json` with the following structure, replacing the example address, keys and endpoint with your own values: 115 | 116 | ``` 117 | { 118 | "address": "10.13.13.210/24", 119 | "privateKey": "AAev16ZVYhmCQliIYKXMje1zObRp6TmET0KiUx7MJXc=", 120 | "peers": [ 121 | { 122 | "endpoint": "1.2.3.4:51820", 123 | "publicKey": "+gXCSfkib2xFMeebKXIYBVZxV/Vh2mbi1dJeHCCjQmg=", 124 | "allowedIPs": [ 125 | "10.13.13.0/24" 126 | ], 127 | "persistentKeepalive": "25s" 128 | } 129 | ] 130 | } 131 | ``` 132 | 133 | Create a secret from the file: 134 | 135 | ``` 136 | kubectl create secret generic wgcni-demo --from-file ./config.json 137 | ``` 138 | 139 | Start a new pod with a corresponding `wgcni.schu.io/configsecret` annotation: 140 | 141 | ``` 142 | apiVersion: v1 143 | kind: Pod 144 | metadata: 145 | name: test 146 | annotations: 147 | wgcni.schu.io/configsecret: "wgcni-demo" 148 | spec: 149 | ... 150 | ``` 151 | 152 | The value `wgcni-demo` is the name of the secret in the pod's namespace. 153 | 154 | Once running, the pod should have a `wg` interface that is 155 | configured according to your configuration. 
156 | 157 | If an error occurs, you should find a message in the events: 158 | 159 | ``` 160 | kubectl get events 161 | ``` 162 | 163 | ## Roadmap / Todo 164 | 165 | * [x] Switch to https://github.com/WireGuard/wgctrl-go for netlink 166 | * [x] Provide a container and manifest to install the wg-cni plugin binary 167 | and required configuration on all nodes in a cluster 168 | * [ ] Allow dynamic configuration through Kubernetes resources 169 | * [ ] Consider allowing wg-cni to be used in standalone and chained mode 170 | -------------------------------------------------------------------------------- /cmd/wg-cni/main.go: -------------------------------------------------------------------------------- 1 | // Copyright 2019 Michael Schubert 2 | // Copyright 2017 CNI authors 3 | // 4 | // Licensed under the Apache License, Version 2.0 (the "License"); 5 | // you may not use this file except in compliance with the License. 6 | // You may obtain a copy of the License at 7 | // 8 | // http://www.apache.org/licenses/LICENSE-2.0 9 | // 10 | // Unless required by applicable law or agreed to in writing, software 11 | // distributed under the License is distributed on an "AS IS" BASIS, 12 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | // See the License for the specific language governing permissions and 14 | // limitations under the License. 15 | 16 | // This is a sample chained plugin that supports multiple CNI versions. 
It 17 | // parses prevResult according to the cniVersion 18 | package main 19 | 20 | import ( 21 | "encoding/json" 22 | "fmt" 23 | "log" 24 | "net" 25 | "time" 26 | 27 | "github.com/containernetworking/cni/pkg/skel" 28 | "github.com/containernetworking/cni/pkg/types" 29 | "github.com/containernetworking/cni/pkg/types/current" 30 | "github.com/containernetworking/cni/pkg/version" 31 | "github.com/vishvananda/netlink" 32 | "github.com/vishvananda/netns" 33 | "golang.org/x/sys/unix" 34 | "golang.zx2c4.com/wireguard/wgctrl" 35 | "golang.zx2c4.com/wireguard/wgctrl/wgtypes" 36 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 37 | 38 | "github.com/schu/wireguard-cni/pkg/k8sutil" 39 | wgnetlink "github.com/schu/wireguard-cni/pkg/netlink" 40 | "github.com/schu/wireguard-cni/pkg/util" 41 | ) 42 | 43 | func init() { 44 | log.SetPrefix("[wg-cni] ") 45 | } 46 | 47 | // PluginConf is the network configuration that parseConfig decodes from stdin: 48 | // the embedded standard CNI fields, the previous plugin's result, and the two 49 | // wg-cni specific paths declared at the end of the struct. 50 | type PluginConf struct { 51 | types.NetConf // embedded CNI fields; CNIVersion is read from here 52 | RuntimeConfig *struct { 53 | SampleConfig map[string]interface{} `json:"sample"` 54 | } `json:"runtimeConfig"` 55 | 56 | // RawPrevResult receives prevResult as generic JSON, because its layout 57 | // depends on cniVersion. parseConfig converts it into PrevResult (a 58 | // current.Result) and then sets RawPrevResult back to nil. 59 | // NOTE(review): RuntimeConfig/SampleConfig above is not referenced anywhere 60 | // else in this file and looks like a leftover from the CNI sample plugin. 61 | // PrevResult is excluded from JSON decoding by its `json:"-"` tag and is 62 | // what cmdAdd prints again for the next plugin in the chain. 
63 | RawPrevResult *map[string]interface{} `json:"prevResult"` 64 | PrevResult *current.Result `json:"-"` 65 | 66 | // Plugin-specific settings. NOTE(review): both tags below have a space after `json:`, which is not valid struct-tag syntax (go vet's structtag check reports it). encoding/json therefore sees no tag and falls back to a case-insensitive match on the field name, which is why the keys still decode; `json:"kubeConfigPath"` and `json:"staticConfigPath"` would state the intent. 67 | KubeConfigPath string `json: "kubeConfigPath"` 68 | StaticConfigPath string `json: "staticConfigPath"` 69 | } 70 | 71 | // parseConfig parses the supplied configuration (and prevResult) from stdin. It returns an error when the JSON is invalid, when prevResult cannot be converted to the current result version, or when neither kubeConfigPath nor staticConfigPath is set. 72 | func parseConfig(stdin []byte) (*PluginConf, error) { 73 | conf := PluginConf{} 74 | 75 | if err := json.Unmarshal(stdin, &conf); err != nil { 76 | return nil, fmt.Errorf("failed to parse network configuration: %v", err) 77 | } 78 | 79 | // Convert prevResult, if present, into a current.Result using the version given in cniVersion. 80 | if conf.RawPrevResult != nil { 81 | resultBytes, err := json.Marshal(conf.RawPrevResult) 82 | if err != nil { 83 | return nil, fmt.Errorf("could not serialize prevResult: %v", err) 84 | } 85 | res, err := version.NewResult(conf.CNIVersion, resultBytes) 86 | if err != nil { 87 | return nil, fmt.Errorf("could not parse prevResult: %v", err) 88 | } 89 | conf.RawPrevResult = nil 90 | conf.PrevResult, err = current.NewResultFromResult(res) 91 | if err != nil { 92 | return nil, fmt.Errorf("could not convert result to current version: %v", err) 93 | } 94 | } 95 | // End previous result parsing 96 | 97 | // At least one configuration source must be named. NOTE(review): cmdAdd only reads KubeConfigPath; a configuration with staticConfigPath alone passes this check, but nothing in this file loads it. 98 | if conf.KubeConfigPath == "" && conf.StaticConfigPath == "" { 99 | return nil, fmt.Errorf("neither 'kubeConfigPath' nor 'staticConfigPath' given") 100 | } 101 | 102 | return &conf, nil 103 | } 104 | // kubernetesArgs receives the K8S_POD_NAMESPACE and K8S_POD_NAME values that cmdAdd loads from the CNI args string. 105 | type kubernetesArgs struct { 106 | types.CommonArgs 107 | 108 | // Variable names must match CNI argument keys 109 | K8S_POD_NAMESPACE types.UnmarshallableString 110 | K8S_POD_NAME types.UnmarshallableString 111 | } 112 | // wgCNIConfig is the JSON layout of the config.json entry in the pod's config secret. It contains the interface's WireGuard private key. persistentKeepalive is passed to time.ParseDuration for every peer in cmdAdd, so it has to be a valid, non-empty duration string such as "25s". 113 | type wgCNIConfig struct { 114 | Address string `json:"address"` 115 | PrivateKey string `json:"privateKey"` 116 | Peers []struct { 117 | Endpoint string `json:"endpoint"` 118 | PublicKey string `json:"publicKey"` 119 | PersistentKeepalive string 
`json:"persistentKeepalive"` 120 | AllowedIPs []string `json:"allowedIPs"` 121 | } `json:"peers"` 122 | } 123 | 124 | // cmdAdd is called for ADD requests. It requires a prevResult (chained use only), reads the pod named in the CNI args, and returns prevResult untouched when the pod has no wgcni.schu.io/configsecret annotation. Otherwise it loads config.json from the named secret in the pod's namespace, creates a WireGuard link, configures it, moves it into the container's network namespace, adds the address and routes for the peers' allowed IPs, and prints prevResult for the next plugin. NOTE(review): the error returns after netlink.LinkAdd do not remove the link, so a failed ADD can leave a wg interface behind (already holding the private key once ConfigureDevice has run); a deferred netlink.LinkDel on the failure path would avoid that. netnsHandle and netnsNetlinkHandle are also not closed in this function. 125 | func cmdAdd(args *skel.CmdArgs) error { 126 | conf, err := parseConfig(args.StdinData) 127 | if err != nil { 128 | return err 129 | } 130 | 131 | if conf.PrevResult == nil { 132 | return fmt.Errorf("must be called as chained plugin") 133 | } 134 | // NOTE(review): wgConfig is only filled in when kubeConfigPath is set; with staticConfigPath alone it stays empty and the ParseKey call on the empty private key further down is expected to fail. 135 | var wgConfig wgCNIConfig 136 | if conf.KubeConfigPath != "" { 137 | clientset, err := k8sutil.NewClientset(conf.KubeConfigPath) 138 | if err != nil { 139 | return fmt.Errorf("could not get k8s clientset: %v", err) 140 | } 141 | 142 | var k8sArgs kubernetesArgs 143 | if err := types.LoadArgs(args.Args, &k8sArgs); err != nil { 144 | return fmt.Errorf("could not load CNI args %q: %v", args.Args, err) 145 | } 146 | // The pod namespace and name come from the CNI args, and the secret is read from that same namespace. The credential behind kubeConfigPath therefore needs get access to pods and secrets in every namespace where annotated pods run; keep its RBAC no broader than that. 147 | podNamespace := string(k8sArgs.K8S_POD_NAMESPACE) 148 | podName := string(k8sArgs.K8S_POD_NAME) 149 | 150 | podSpec, err := clientset.CoreV1().Pods(podNamespace).Get(podName, metav1.GetOptions{}) 151 | if err != nil { 152 | return fmt.Errorf("could not get pod spec: %v", err) 153 | } 154 | 155 | if podSpec.ObjectMeta.Annotations == nil || 156 | podSpec.ObjectMeta.Annotations["wgcni.schu.io/configsecret"] == "" { 157 | // This pod is not annotated to be configured 158 | // with wg-cni - nothing to do 159 | return types.PrintResult(conf.PrevResult, conf.CNIVersion) 160 | } 161 | 162 | configSecretName := podSpec.ObjectMeta.Annotations["wgcni.schu.io/configsecret"] 163 | 164 | wgConfigJSON, err := clientset.CoreV1().Secrets(podNamespace).Get(configSecretName, metav1.GetOptions{}) 165 | if err != nil { 166 | return fmt.Errorf("could not get secret '%q' with wg-cni config: %v", configSecretName, err) 167 | } 168 | 169 | if err := json.Unmarshal(wgConfigJSON.Data["config.json"], &wgConfig); err != nil { 170 | return fmt.Errorf("could not unmarshal wg-cni config: %v", err) 171 | } 172 | } 173 | 174 | privateKey, err := 
wgtypes.ParseKey(wgConfig.PrivateKey) 175 | if err != nil { 176 | return fmt.Errorf("could not parse private key: %v", err) 177 | } 178 | 179 | var peers []wgtypes.PeerConfig 180 | for _, peerConf := range wgConfig.Peers { 181 | var peer wgtypes.PeerConfig 182 | 183 | peer.PublicKey, err = wgtypes.ParseKey(peerConf.PublicKey) 184 | if err != nil { 185 | return fmt.Errorf("could not parse public key: %v", err) 186 | } 187 | 188 | keepaliveInterval, err := time.ParseDuration(peerConf.PersistentKeepalive) 189 | if err != nil { 190 | return fmt.Errorf("could not parse keepalive duration string %q: %v", peerConf.PersistentKeepalive, err) 191 | } 192 | peer.PersistentKeepaliveInterval = &keepaliveInterval 193 | 194 | peer.Endpoint, err = net.ResolveUDPAddr("udp", peerConf.Endpoint) 195 | if err != nil { 196 | return fmt.Errorf("could not parse endpoint %q: %v", peerConf.Endpoint, err) 197 | } 198 | 199 | for _, allowedIP := range peerConf.AllowedIPs { 200 | _, ipnet, err := net.ParseCIDR(allowedIP) 201 | if err != nil { 202 | return fmt.Errorf("could not parse CIDR %q: %v", allowedIP, err) 203 | } 204 | 205 | peer.AllowedIPs = append(peer.AllowedIPs, *ipnet) 206 | } 207 | 208 | peers = append(peers, peer) 209 | } 210 | 211 | wgctrlConfig := wgtypes.Config{ 212 | PrivateKey: &privateKey, 213 | Peers: peers, 214 | } 215 | 216 | netnsHandle, err := netns.GetFromPath(args.Netns) 217 | if err != nil { 218 | return fmt.Errorf("could not get container net ns handle: %v", err) 219 | } 220 | 221 | linkName := "wg" + util.RandString(6) 222 | 223 | linkAttrs := netlink.NewLinkAttrs() 224 | linkAttrs.Name = linkName 225 | 226 | wgLink := &wgnetlink.Wireguard{ 227 | LinkAttrs: linkAttrs, 228 | } 229 | if err := netlink.LinkAdd(wgLink); err != nil { 230 | return fmt.Errorf("could not create wg network interface: %v", err) 231 | } 232 | 233 | sourceIP, sourceIPNet, err := net.ParseCIDR(wgConfig.Address) 234 | if err != nil { 235 | return fmt.Errorf("could not parse cidr %q: %v", 
wgConfig.Address, err) 236 | } 237 | 238 | addr := &netlink.Addr{ 239 | IPNet: &net.IPNet{ 240 | IP: sourceIP, 241 | Mask: sourceIPNet.Mask, 242 | }, 243 | } 244 | 245 | wgClient, err := wgctrl.New() 246 | if err != nil { 247 | return fmt.Errorf("could not get wgctrl client: %v", err) 248 | } 249 | defer wgClient.Close() 250 | 251 | if err := wgClient.ConfigureDevice(linkName, wgctrlConfig); err != nil { 252 | return fmt.Errorf("could not configure wireguard link: %v", err) 253 | } 254 | 255 | if err := netlink.LinkSetNsFd(wgLink, (int)(netnsHandle)); err != nil { 256 | return fmt.Errorf("could not move network interface into container's net namespace: %v", err) 257 | } 258 | 259 | netnsNetlinkHandle, err := netlink.NewHandleAt(netnsHandle) 260 | if err != nil { 261 | return fmt.Errorf("could not get container net ns netlink handle: %v", err) 262 | } 263 | 264 | if err := netnsNetlinkHandle.AddrAdd(wgLink, addr); err != nil { 265 | return fmt.Errorf("could not add address: %v", err) 266 | } 267 | 268 | if err := netnsNetlinkHandle.LinkSetUp(wgLink); err != nil { 269 | return fmt.Errorf("could not set link up: %v", err) 270 | } 271 | 272 | for _, peer := range peers { 273 | for _, allowedIP := range peer.AllowedIPs { 274 | // For the source IP CIDR there is a route 275 | // already from `ip addr add ...` above. NOTE(review): the route built next stores &allowedIP, the address of the range variable; this is safe only because RouteAdd is called before the loop advances (go.mod declares go 1.14, where that variable is reused across iterations). 
276 | if allowedIP.Contains(sourceIP) { 277 | continue 278 | } 279 | 280 | route := &netlink.Route{ 281 | LinkIndex: wgLink.Attrs().Index, 282 | Dst: &allowedIP, 283 | Scope: unix.RT_SCOPE_LINK, 284 | } 285 | if err := netnsNetlinkHandle.RouteAdd(route); err != nil { 286 | return fmt.Errorf("could not add route for %v: %v", route, err) 287 | } 288 | } 289 | } 290 | 291 | // Pass through the result for the next plugin 292 | return types.PrintResult(conf.PrevResult, conf.CNIVersion) 293 | } 294 | 295 | // cmdDel is called for DELETE requests. It only parses the configuration and returns nil. NOTE(review): no link, address or route is removed here; presumably the wg interface disappears together with the container's network namespace - confirm, in particular for links that a failed ADD left behind before they were moved. 296 | func cmdDel(args *skel.CmdArgs) error { 297 | conf, err := parseConfig(args.StdinData) 298 | if err != nil { 299 | return err 300 | } 301 | _ = conf 302 | 303 | // No teardown is implemented yet. 304 | 305 | return nil 306 | } 307 | 308 | func main() { 309 | // TODO: implement plugin version 310 | skel.PluginMain(cmdAdd, cmdGet, cmdDel, version.All, "TODO") 311 | } 312 | // cmdGet is called for GET requests; it is not implemented and always returns an error. 313 | func cmdGet(args *skel.CmdArgs) error { 314 | // TODO: implement 315 | return fmt.Errorf("not implemented") 316 | } 317 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/schu/wireguard-cni 2 | 3 | go 1.14 4 | 5 | require ( 6 | github.com/containernetworking/cni v0.7.1 7 | github.com/vishvananda/netlink v1.1.0 8 | github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df 9 | golang.org/x/crypto v0.0.0-20200414173820-0848c9571904 // indirect 10 | golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e // indirect 11 | golang.org/x/sys v0.0.0-20200413165638-669c56c373c4 12 | golang.zx2c4.com/wireguard v0.0.20200320 // indirect 13 | golang.zx2c4.com/wireguard/wgctrl v0.0.0-20200324154536-ceff61240acf 14 | k8s.io/apimachinery v0.17.5 15 | k8s.io/client-go v0.17.0 16 | ) 17 | -------------------------------------------------------------------------------- /go.sum: 
-------------------------------------------------------------------------------- 1 | cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= 2 | cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= 3 | cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= 4 | github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= 5 | github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= 6 | github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= 7 | github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= 8 | github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= 9 | github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= 10 | github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= 11 | github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= 12 | github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= 13 | github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= 14 | github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= 15 | github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= 16 | github.com/containernetworking/cni v0.7.1 h1:fE3r16wpSEyaqY4Z4oFrLMmIGfBYIKpPrHK31EJ9FzE= 17 | github.com/containernetworking/cni v0.7.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= 18 | github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 19 | github.com/davecgh/go-spew v1.1.0/go.mod 
h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 20 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 21 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 22 | github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= 23 | github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= 24 | github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= 25 | github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= 26 | github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= 27 | github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I= 28 | github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= 29 | github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= 30 | github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= 31 | github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= 32 | github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= 33 | github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= 34 | github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= 35 | github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d h1:3PaI8p3seN09VjbTYC/QWlUZdZ1qS1zGjy7LH2Wt07I= 36 | github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= 37 | github.com/golang/glog 
v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= 38 | github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 39 | github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= 40 | github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= 41 | github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 42 | github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM= 43 | github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 44 | github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs= 45 | github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 46 | github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= 47 | github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= 48 | github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= 49 | github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 50 | github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 51 | github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4= 52 | github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 53 | github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= 54 | github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw= 55 | github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 56 | github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= 57 | github.com/google/pprof 
v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= 58 | github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 59 | github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= 60 | github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d h1:7XGaL1e6bYS1yIonGp9761ExpPPV1ui0SAC59Yube9k= 61 | github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= 62 | github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= 63 | github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= 64 | github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= 65 | github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= 66 | github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= 67 | github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= 68 | github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q= 69 | github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= 70 | github.com/jsimonetti/rtnetlink v0.0.0-20190606172950-9527aa82566a/go.mod h1:Oz+70psSo5OFh8DBl0Zv2ACw7Esh6pPUphlvZG9x7uw= 71 | github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4 h1:nwOc1YaOrYJ37sEBrtWZrdqzK22hiJs3GpDmP3sR2Yw= 72 | github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4/go.mod h1:WGuG/smIU4J/54PblvSbh+xvCZmpJnFgr3ds6Z55XMQ= 73 | github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= 74 | github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= 75 | github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok= 76 | 
github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= 77 | github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= 78 | github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= 79 | github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= 80 | github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= 81 | github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= 82 | github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 83 | github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= 84 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= 85 | github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= 86 | github.com/mdlayher/genetlink v1.0.0 h1:OoHN1OdyEIkScEmRgxLEe2M9U8ClMytqA5niynLtfj0= 87 | github.com/mdlayher/genetlink v1.0.0/go.mod h1:0rJ0h4itni50A86M2kHcgS85ttZazNt7a8H2a2cw0Gc= 88 | github.com/mdlayher/netlink v0.0.0-20190409211403-11939a169225/go.mod h1:eQB3mZE4aiYnlUsyGGCOpPETfdQq4Jhsgf1fk3cwQaA= 89 | github.com/mdlayher/netlink v1.0.0/go.mod h1:KxeJAFOFLG6AjpyDkQ/iIhxygIUKD+vcwqcnu43w/+M= 90 | github.com/mdlayher/netlink v1.1.0 h1:mpdLgm+brq10nI9zM1BpX1kpDbh3NLl3RSnVq6ZSkfg= 91 | github.com/mdlayher/netlink v1.1.0/go.mod h1:H4WCitaheIsdF9yOYu8CFmCgQthAPIWZmcKp9uZHgmY= 92 | github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721 h1:RlZweED6sbSArvlE924+mUcZuXKLBHA35U7LN621Bws= 93 | github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721/go.mod h1:Ickgr2WtCLZ2MDGd4Gr0geeCH5HybhRJbonOgQpvSxc= 94 | github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 95 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd 
h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= 96 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 97 | github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= 98 | github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= 99 | github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= 100 | github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= 101 | github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= 102 | github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= 103 | github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 104 | github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 105 | github.com/onsi/ginkgo v1.10.1 h1:q/mM8GF/n0shIN8SaAZ0V+jnLPzen6WIVZdiwrRlMlo= 106 | github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 107 | github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= 108 | github.com/onsi/gomega v1.7.0 h1:XPnZz8VVBHjVsy1vzJmRwIcSwiUO+JFfrv/xGiigmME= 109 | github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= 110 | github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= 111 | github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 112 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 113 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 114 | github.com/spf13/afero 
v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= 115 | github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= 116 | github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= 117 | github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= 118 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 119 | github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= 120 | github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 121 | github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk= 122 | github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 123 | github.com/vishvananda/netlink v1.1.0 h1:1iyaYNBLmP6L0220aDnYQpo1QEV4t4hJ+xEEhhJH8j0= 124 | github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= 125 | github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df h1:OviZH7qLw/7ZovXvuNyL3XQl8UFofeikI1NW1Gypu7k= 126 | github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= 127 | go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= 128 | golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= 129 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 130 | golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 131 | golang.org/x/crypto v0.0.0-20191002192127-34f69633bfdc/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 132 | golang.org/x/crypto v0.0.0-20200204104054-c9f3fb736b72 h1:+ELyKg6m8UBf0nPFSqD0mi7zUfwPyXo23HNjMnXPz7w= 133 | golang.org/x/crypto 
v0.0.0-20200204104054-c9f3fb736b72/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 134 | golang.org/x/crypto v0.0.0-20200414173820-0848c9571904 h1:bXoxMPcSLOq08zI3/c5dEBT6lE4eh+jOh886GHrn6V8= 135 | golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 136 | golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 137 | golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 138 | golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= 139 | golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 140 | golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 141 | golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 142 | golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 143 | golang.org/x/net v0.0.0-20180906233101-161cd47e91fd h1:nTDtHvHSdCn1m6ITfMRqtOd/9+7a3s8RBNOZ3eYZzJA= 144 | golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 145 | golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 146 | golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 147 | golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 148 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 149 | golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 150 | golang.org/x/net v0.0.0-20191003171128-d98b1b443823/go.mod 
h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 151 | golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 152 | golang.org/x/net v0.0.0-20191007182048-72f939374954/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 153 | golang.org/x/net v0.0.0-20200202094626-16171245cfb2 h1:CCH4IOTTfewWjGOlSp+zGcjutRKlBEZQ6wTn8ozI/nI= 154 | golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 155 | golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e h1:3G+cUijn7XD+S4eJFddp53Pv7+slrESplyjG25HgL+k= 156 | golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 157 | golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 158 | golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 159 | golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0= 160 | golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 161 | golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f h1:wMNYb4v58l5UBM7MYRLPG6ZhfOqbKu7X5eyFl8ZhKvA= 162 | golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 163 | golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 164 | golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 165 | golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 166 | golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 167 | golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 168 | golang.org/x/sys 
v0.0.0-20180909124046-d0be0721c37e h1:o3PsSEY8E4eXWkXrIP9YJALUkVZqzHJT5DOasTyn8Vs= 169 | golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 170 | golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 171 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 172 | golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 173 | golang.org/x/sys v0.0.0-20190411185658-b44545bcd369/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 174 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 175 | golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 176 | golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 177 | golang.org/x/sys v0.0.0-20191003212358-c178f38b412c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 178 | golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 179 | golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 180 | golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 181 | golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 182 | golang.org/x/sys v0.0.0-20200413165638-669c56c373c4 h1:opSr2sbRXk5X5/givKrrKj9HXxFpW2sdCiP8MJSKLQY= 183 | golang.org/x/sys v0.0.0-20200413165638-669c56c373c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 184 | golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 185 | golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg= 186 | golang.org/x/text 
v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 187 | golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 188 | golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= 189 | golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= 190 | golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 191 | golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ= 192 | golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 193 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 194 | golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 195 | golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 196 | golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 197 | golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= 198 | golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 199 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= 200 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 201 | golang.zx2c4.com/wireguard v0.0.20200121 h1:vcswa5Q6f+sylDfjqyrVNNrjsFUUbPsgAQTBCAg/Qf8= 202 | golang.zx2c4.com/wireguard v0.0.20200121/go.mod h1:P2HsVp8SKwZEufsnezXZA4GRX/T49/HlU7DGuelXsU4= 203 | golang.zx2c4.com/wireguard v0.0.20200320 h1:1vE6zVeO7fix9cJX1Z9ZQ+ikPIIx7vIyU0o0tLDD88g= 204 | golang.zx2c4.com/wireguard v0.0.20200320/go.mod h1:lDian4Sw4poJ04SgHh35nzMVwGSYlPumkdnHcucAQoY= 205 | 
golang.zx2c4.com/wireguard/wgctrl v0.0.0-20200324154536-ceff61240acf h1:rWUZHukj3poXegPQMZOXgxjTGIBe3mLNHNVvL5DsHus= 206 | golang.zx2c4.com/wireguard/wgctrl v0.0.0-20200324154536-ceff61240acf/go.mod h1:UdS9frhv65KTfwxME1xE8+rHYoFpbm36gOud1GhBe9c= 207 | google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= 208 | google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= 209 | google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 210 | google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c= 211 | google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 212 | google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= 213 | google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 214 | google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 215 | google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= 216 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= 217 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 218 | gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= 219 | gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 220 | gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4= 221 | gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= 222 | gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= 223 | gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= 224 | gopkg.in/tomb.v1 
v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= 225 | gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= 226 | gopkg.in/yaml.v2 v2.2.1 h1:mUhvW9EsL+naU5Q3cakzfE91YhliOondGd6ZrsDBHQE= 227 | gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 228 | gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 229 | gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 230 | gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= 231 | gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 232 | honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 233 | honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 234 | k8s.io/api v0.17.0 h1:H9d/lw+VkZKEVIUc8F3wgiQ+FUXTTr21M87jXLU7yqM= 235 | k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI= 236 | k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg= 237 | k8s.io/apimachinery v0.17.5 h1:QAjfgeTtSGksdkgyaPrIb4lhU16FWMIzxKejYD5S0gc= 238 | k8s.io/apimachinery v0.17.5/go.mod h1:ioIo1G/a+uONV7Tv+ZmCbMG1/a3kVw5YcDdncd8ugQ0= 239 | k8s.io/client-go v0.17.0 h1:8QOGvUGdqDMFrm9sD6IUFl256BcffynGoe80sxgTEDg= 240 | k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k= 241 | k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= 242 | k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= 243 | k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= 244 | k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= 245 | k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= 246 | k8s.io/kube-openapi 
v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E= 247 | k8s.io/kube-openapi v0.0.0-20200316234421-82d701f24f9d/go.mod h1:F+5wygcW0wmRTnM3cOgIqGivxkwSWIWT5YdsDbeAOaU= 248 | k8s.io/utils v0.0.0-20191114184206-e782cd3c129f h1:GiPwtSzdP43eI1hpPCbROQCCIgCuiMMNF8YUVLF3vJo= 249 | k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= 250 | sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e h1:4Z09Hglb792X0kfOBBJUPFEyvVfQWrYT/l8h5EKA6JQ= 251 | sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= 252 | sigs.k8s.io/structured-merge-diff/v2 v2.0.1/go.mod h1:Wb7vfKAodbKgf6tn1Kl0VvGj7mRH6DGaRcixXEJXTsE= 253 | sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs= 254 | sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= 255 | -------------------------------------------------------------------------------- /manifests/wg-cni.yml: --------------------------------------------------------------------------------
---

# ServiceAccount that the wg-cni DaemonSet pods run as
# (the DaemonSet sets serviceAccountName: wg-cni).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: wg-cni
  namespace: kube-system

---

# ClusterRole for the wg-cni ServiceAccount: read-only (get, list) access to
# core-group pods and secrets.
# NOTE(review): this is a ClusterRole bound through a ClusterRoleBinding, so
# the grant covers every namespace, and get/list on secrets returns the
# secret data itself. scripts/install in this repository writes
# /host/etc/kubernetes/wg-cni.kubeconfig on the node; if that file carries
# this ServiceAccount's token (the script is cut off on this page - confirm),
# anything that can read it on a node can read every Secret in the cluster.
# A namespaced Role and RoleBinding limited to the namespaces the plugin
# actually reads would narrow this; which ones it needs is not visible here.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: wg-cni
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - secrets
    verbs:
      - get
      - list

---

# Binds the wg-cni ClusterRole to the wg-cni ServiceAccount in kube-system.
# Being a ClusterRoleBinding, it makes the rules above apply cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: wg-cni
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: wg-cni
subjects:
  - kind: ServiceAccount
    namespace: kube-system
    name: wg-cni

---
41 | 42 | apiVersion: apps/v1 43 | kind: DaemonSet 44 | metadata: 45 | name: wg-cni 46 | namespace: kube-system 47 | labels: 48 | k8s-app: wg-cni 49 | spec: 50 | selector: 51 | matchLabels: 52
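| k8s-app: wg-cni 53 | template: 54 | metadata: 55 | labels: 56 | k8s-app: wg-cni 57 | spec: 58 | serviceAccountName: wg-cni 59 | containers: 60 | - name: install 61 | image: quay.io/schu/wireguard-cni:0.1.0 62 | imagePullPolicy: Always 63 | command: ["/install"] 64 | envFrom: 65 | - configMapRef: 66 | name: wg-cni-env 67 | volumeMounts: 68 | - name: host-cni-bin 69 | mountPath: /host/opt/cni/bin/ 70 | - name: host-etc-kubernetes 71 | mountPath: /host/etc/kubernetes/ 72 | tolerations: 73 | # TODO: maybe no need to run on controller nodes at all 74 | - key: node-role.kubernetes.io/master 75 | operator: Exists 76 | effect: NoSchedule 77 | volumes: 78 | - name: host-cni-bin 79 | hostPath: 80 | path: /opt/cni/bin 81 | - name: host-etc-kubernetes 82 | hostPath: 83 | path: /etc/kubernetes 84 | updateStrategy: 85 | rollingUpdate: 86 | maxUnavailable: 1 87 | type: RollingUpdate 88 | 89 | --- 90 | -------------------------------------------------------------------------------- /pkg/k8sutil/client.go: --------------------------------------------------------------------------------
package k8sutil

import (
	"k8s.io/client-go/kubernetes"
	// Blank import: registers the OIDC auth provider so kubeconfigs that use
	// it can be loaded.
	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
	"k8s.io/client-go/tools/clientcmd"
)

// NewClientset builds a Kubernetes clientset from the kubeconfig file at
// kubeconfigPath. The master URL argument is left empty, so the API server
// address comes from the kubeconfig itself.
//
// It returns the error from loading the config or from constructing the
// clientset unchanged; the clientset is nil whenever the error is non-nil.
//
// NOTE(review): the kubeconfig is a credential file. The manifest on this
// page grants the wg-cni ServiceAccount get/list on secrets cluster-wide, so
// if this path points at a file holding that account's token, its on-disk
// permissions decide who on the node can read cluster secrets. Nothing here
// checks the file's mode or owner; confirm the installer restricts it.
func NewClientset(kubeconfigPath string) (*kubernetes.Clientset, error) {
	cfg, err := clientcmd.BuildConfigFromFlags("", kubeconfigPath)
	if err != nil {
		return nil, err
	}
	return kubernetes.NewForConfig(cfg)
}
-------------------------------------------------------------------------------- /pkg/netlink/wireguard.go: --------------------------------------------------------------------------------
package netlink

import (
	"github.com/vishvananda/netlink"
)

// Wireguard describes a network link of type "wireguard". It embeds the
// generic link attributes and adds no fields of its own.
type Wireguard struct {
	netlink.LinkAttrs
}

// Compile-time check that *Wireguard satisfies netlink.Link.
var _ netlink.Link = (*Wireguard)(nil)

// Attrs returns a pointer to the embedded link attributes, so changes made
// through it are visible on wg.
func (wg *Wireguard) Attrs() *netlink.LinkAttrs {
	return &wg.LinkAttrs
}

// Type returns the link type string, "wireguard".
func (wg *Wireguard) Type() string {
	return "wireguard"
}
-------------------------------------------------------------------------------- /pkg/util/string.go: --------------------------------------------------------------------------------
package util

import (
	"math/rand"
	"time"
)

// init seeds the shared math/rand source from the wall clock so that
// RandString does not return the same sequence on every run.
func init() {
	rand.Seed(time.Now().UnixNano())
}

// letterRunes is the alphabet RandString draws from: lowercase ASCII letters
// and digits.
var letterRunes = []rune("abcdefghijklmnopqrstuvwxyz0123456789")

// RandString returns a string of n characters drawn from letterRunes.
// It returns "" when n is zero or negative (a negative n used to panic in
// make).
//
// The characters come from math/rand seeded with the current time, which is
// predictable and not cryptographically secure. Use it for things like
// unique-looking names only; keys, tokens and anything else an attacker must
// not be able to guess should come from crypto/rand instead.
// NOTE(review): the callers are not visible on this page - confirm none of
// them uses the result as a secret.
func RandString(n int) string {
	if n <= 0 {
		return ""
	}
	b := make([]rune, n)
	for i := range b {
		b[i] = letterRunes[rand.Intn(len(letterRunes))]
	}
	return string(b)
}
-------------------------------------------------------------------------------- /scripts/install: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -o errexit 4 | set -o nounset 5 | set -o pipefail 6 | set -x 7 | 8 | readonly binary_install_path="/host/opt/cni/bin/" 9 | 10 | if [[ -w "${binary_install_path}" ]]; then 11 | cp /opt/cni/bin/wg-cni "${binary_install_path}/wg-cni" 12 | fi 13 | 14 | readonly kubeconfig_install_path="/host/etc/kubernetes/wg-cni.kubeconfig" 15 | readonly ca_cert="$(base64 &2 21 | exit 1 22 | fi 23 | 24 | cat >"${kubeconfig_install_path}" <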