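package relay

import (
	"bytes"
	"context"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
	"unicode"

	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"sigs.k8s.io/controller-runtime/pkg/client"

	"edge-infra.dev/pkg/sds/remoteaccess/constants"
	wg "edge-infra.dev/pkg/sds/remoteaccess/wireguard"
	secrets "edge-infra.dev/pkg/sds/remoteaccess/wireguard/secret"
	"edge-infra.dev/pkg/sds/remoteaccess/wireguard/store"
)

// Relay wraps the relay-side WireGuard instance and renders the relay's
// wg0.conf (interface stanza plus one [Peer] stanza per enabled store) into
// a Secret.
type Relay struct {
	*wg.Instance
}

// wireguardKeySize is the length in bytes of a Curve25519 key. WireGuard
// keys appear in config files as the standard base64 encoding of exactly
// this many bytes (44 characters).
const wireguardKeySize = 32

// relay interface configuration docs: https://wiki.archlinux.org/title/WireGuard#Server_configuration
//
// %i is substituted by wg-quick with the tunnel interface name.
//
// Security note: the FORWARD rules accept every packet entering or leaving
// the tunnel interface, so any peer listed in the rendered config can reach
// every other peer and anything routable behind the relay; nothing in this
// file restricts peer-to-peer or peer-to-LAN traffic. The listen port and
// the NAT egress interface (eth0) are hard-coded — on a host whose uplink
// is not eth0 the MASQUERADE rule is installed but never matches.
var relayInterfaceConfig = `[Interface]
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
`

// Get retrieves the relay wireguard instance, creating it if it does not
// exist. On error the returned *Relay is nil rather than a wrapper around a
// half-populated instance.
func Get(ctx context.Context, c client.Client) (*Relay, error) {
	inst, err := wg.GetInstance(ctx, c, constants.RelayName, "cluster-infra", nil)
	if err != nil {
		return nil, fmt.Errorf("getting relay wireguard instance %q: %w", constants.RelayName, err)
	}
	return &Relay{Instance: inst}, nil
}

// UpdateWireguardSecret renders the relay's wg0.conf and creates or patches
// the Secret holding it.
//
// Peer inputs are validated before anything is written: the client IP must
// be set, every public key must be a well-formed WireGuard key, and cluster
// names / edge IDs must not carry control characters. A single malformed
// value would otherwise be persisted verbatim into a privileged config
// file, where a crafted value (for example a valid key followed by a
// newline and an extra "AllowedIPs" line) could add routes for a peer.
// Returns the validation error, or the error from the Secret write.
func (r *Relay) UpdateWireguardSecret(ctx context.Context, c client.Client, subnetCIDR *net.IPNet, clientIP net.IP, clientPublicKey string, storeConfigs map[string]*store.Store) error {
	if err := validatePeerInputs(clientIP, clientPublicKey, storeConfigs); err != nil {
		return fmt.Errorf("relay wireguard config: %w", err)
	}
	secret := r.GenerateConfigurationSecret(subnetCIDR, clientIP, clientPublicKey, storeConfigs)
	return secrets.CreateOrPatchSecret(ctx, c, secret)
}

// GenerateConfigurationSecret builds (but does not write) the Secret whose
// constants.WireguardSecretField entry is the relay's complete wg0.conf.
//
// The rendered config embeds the relay's private key in clear text, so
// read access to Secrets in constants.VPNNamespace is equivalent to the
// ability to impersonate the relay. Peers that fail validation are omitted
// from the rendered config (see peerConfigString) rather than written.
func (r *Relay) GenerateConfigurationSecret(subnetCIDR *net.IPNet, clientIP net.IP, clientPublicKey string, storeConfigs map[string]*store.Store) *corev1.Secret {
	wg0ConfigString := r.wg0ConfigString(subnetCIDR, clientIP, clientPublicKey, storeConfigs)
	return &corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Namespace: constants.VPNNamespace,
			Name:      constants.RelayName,
		},
		StringData: map[string]string{constants.WireguardSecretField: wg0ConfigString},
	}
}

// wg0ConfigString returns the full wg0.conf contents: the [Interface]
// stanza followed by the [Peer] stanzas.
func (r *Relay) wg0ConfigString(subnetCIDR *net.IPNet, clientIPAddress net.IP, clientPublicKey string, storeConfigs map[string]*store.Store) string {
	interfaceConfigString := r.interfaceConfigString(subnetCIDR)
	peerConfigString := r.peerConfigString(clientIPAddress, clientPublicKey, storeConfigs)
	return interfaceConfigString + peerConfigString
}

// interfaceConfigString renders the [Interface] stanza: the static
// template above plus Address, PrivateKey and MTU.
//
// subnetCIDR may be nil; (*net.IPNet).String renders that as "<nil>", which
// WireGuard will reject at load time. MTU is formatted with %v so the
// constant renders correctly whether it is declared as a string or an int.
func (r *Relay) interfaceConfigString(subnetCIDR *net.IPNet) string {
	return fmt.Sprintf(
		"%sAddress = %s\nPrivateKey = %s\nMTU = %v\n",
		relayInterfaceConfig,
		subnetCIDR.String(),
		r.GetPrivateKey(),
		constants.MTU,
	)
}

// clientAnnotation and storeAnnotation are the payloads of the
// "# friendly_json=" comment on each [Peer] stanza. Field order matches the
// key order the config has always used.
type clientAnnotation struct {
	ClusterName string `json:"cluster_name"`
}

type storeAnnotation struct {
	ClusterName string `json:"cluster_name"`
	Cluster     string `json:"cluster"`
	VPNEnabled  string `json:"vpn_enabled"`
}

// peerConfigString renders one [Peer] stanza for the cluster-infra client
// followed by one per enabled store, in sorted map-key order so the output
// (and therefore the Secret) is byte-stable across reconciles instead of
// varying with Go's random map iteration.
//
// A peer whose public key is malformed or whose name/edge ID contains
// control characters is omitted and replaced by a fixed comment line:
// `wg setconf` rejects the entire file on a single bad key, which would
// take every tunnel down, and a newline smuggled into a value could append
// directives to the config. Callers going through UpdateWireguardSecret
// never reach this point with such input; this is defence in depth for
// direct callers of GenerateConfigurationSecret.
func (r *Relay) peerConfigString(clientIP net.IP, clientPublicKey string, storeConfigs map[string]*store.Store) string {
	var b strings.Builder

	clientInfo := friendlyJSON(clientAnnotation{ClusterName: "cluster_infra"})
	if checkPeer("cluster_infra", "", clientPublicKey) != nil {
		b.WriteString(omittedPeerStanza(clientInfo))
	} else {
		// clientIP.String() renders a nil IP as "<nil>", as the previous
		// %s formatting did; validatePeerInputs rejects that case upstream.
		b.WriteString(peerStanza(clientInfo, clientIP.String(), clientPublicKey))
	}

	keys := make([]string, 0, len(storeConfigs))
	for k := range storeConfigs {
		keys = append(keys, k)
	}
	sort.Strings(keys)

	for _, k := range keys {
		sc := storeConfigs[k]
		if sc == nil || !sc.IsEnabled {
			continue
		}
		info := friendlyJSON(storeAnnotation{
			ClusterName: sc.ClusterName,
			Cluster:     sc.ClusterEdgeID,
			VPNEnabled:  strconv.FormatBool(sc.IsEnabled),
		})
		if checkPeer(sc.ClusterName, sc.ClusterEdgeID, sc.GetPublicKey()) != nil {
			b.WriteString(omittedPeerStanza(info))
			continue
		}
		// fmt.Sprint matches the former %s formatting for both string and
		// net.IP return types of GetIPAddress.
		b.WriteString(peerStanza(info, fmt.Sprint(sc.GetIPAddress()), sc.GetPublicKey()))
	}
	return b.String()
}

// peerStanza renders a single [Peer] block. allowedIP is a host address;
// it is always written as a /32.
func peerStanza(friendly, allowedIP, publicKey string) string {
	return fmt.Sprintf("\n[Peer]\n# friendly_json=%s\nAllowedIPs = %s/32\nPublicKey = %s\n", friendly, allowedIP, publicKey)
}

// omittedPeerStanza leaves an operator-visible marker in place of a peer
// that failed validation. friendly is already JSON-encoded, so it is safe
// to place on a comment line.
func omittedPeerStanza(friendly string) string {
	return fmt.Sprintf("\n# peer omitted (invalid public key or unsafe name): friendly_json=%s\n", friendly)
}

// friendlyJSON renders v as single-line JSON for the "# friendly_json="
// comment. Encoding rather than string-interpolating the values guarantees
// that quotes, newlines and other control characters stay inside the JSON
// string and cannot terminate the comment line or start a new config
// directive. HTML escaping is disabled so '<', '>' and '&' are emitted
// verbatim, as the old interpolation did.
func friendlyJSON(v any) string {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(v); err != nil {
		// Only reachable for unencodable types; the annotation structs are
		// plain strings, so an empty object is a safe fallback.
		return "{}"
	}
	return strings.TrimRight(buf.String(), "\n")
}

// validatePeerInputs checks every value that ends up in a [Peer] stanza.
// Stores are visited in sorted key order so the first error reported is
// deterministic. Disabled stores are not rendered and so are not checked.
func validatePeerInputs(clientIP net.IP, clientPublicKey string, storeConfigs map[string]*store.Store) error {
	if clientIP == nil {
		return fmt.Errorf("client IP address is unset")
	}
	if err := checkPeer("cluster_infra", "", clientPublicKey); err != nil {
		return err
	}
	keys := make([]string, 0, len(storeConfigs))
	for k := range storeConfigs {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		sc := storeConfigs[k]
		if sc == nil || !sc.IsEnabled {
			continue
		}
		if err := checkPeer(sc.ClusterName, sc.ClusterEdgeID, sc.GetPublicKey()); err != nil {
			return fmt.Errorf("store %q: %w", k, err)
		}
	}
	return nil
}

// checkPeer validates the free-form fields of one peer. Values are quoted
// with %q in the error so a control character in a name is shown escaped
// rather than reproduced in logs.
func checkPeer(name, edgeID, publicKey string) error {
	if hasControlChars(name) {
		return fmt.Errorf("peer %q: cluster name contains control characters", name)
	}
	if hasControlChars(edgeID) {
		return fmt.Errorf("peer %q: cluster edge ID contains control characters", name)
	}
	if !isValidWireguardKey(publicKey) {
		return fmt.Errorf("peer %q: public key is not a valid wireguard key", name)
	}
	return nil
}

// hasControlChars reports whether s contains any Unicode control
// character (newline, carriage return, NUL, ...).
func hasControlChars(s string) bool {
	return strings.IndexFunc(s, unicode.IsControl) >= 0
}

// isValidWireguardKey reports whether key is the standard base64 encoding
// of exactly wireguardKeySize bytes. The control-character check comes
// first because base64.StdEncoding silently skips '\r' and '\n', so a key
// with an embedded newline would otherwise decode successfully.
func isValidWireguardKey(key string) bool {
	if hasControlChars(key) {
		return false
	}
	raw, err := base64.StdEncoding.DecodeString(key)
	return err == nil && len(raw) == wireguardKeySize
}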