Feature: support SLB to expose service

njucjc · njucjc · commit 576627e69c56 · 2023-02-20T11:20:21.000+08:00
diff --git a/charts/raven-agent/values.yaml b/charts/raven-agent/values.yaml
@@ -32,8 +32,8 @@ securityContext:
   privileged: true
 
 nodeSelector:
-  beta.kubernetes.io/arch: amd64
-  beta.kubernetes.io/os: linux
+  kubernetes.io/arch: amd64
+  kubernetes.io/os: linux
 
 tolerations: [{"operator": "Exists"}]
 
diff --git a/config/raven-agent/agent/patches.yaml b/config/raven-agent/agent/patches.yaml
@@ -16,7 +16,7 @@ spec:
                     values:
                       - virtual-kubelet
       nodeSelector:
-        beta.kubernetes.io/arch: amd64
-        beta.kubernetes.io/os: linux
+        kubernetes.io/arch: amd64
+        kubernetes.io/os: linux
       tolerations:
         - operator: Exists
diff --git a/docs/raven-agent-tutorial.md b/docs/raven-agent-tutorial.md
@@ -197,11 +197,28 @@ NOTE: Make sure there are no node IP conflicts in the cluster.
 By default, raven uses IPSec as VPN backend, we also provide [WireGuard](https://www.wireguard.com/) as an alternative. You can switch to WireGuard backend by the following steps:
 
 - Raven requires the WireGuard kernel module to be loaded on gateway nodes in the cluster. Starting at Linux 5.6, the kernel includes WireGuard in-tree; Linux distributions with older kernels will need to install WireGuard. For most Linux distributions, this can be done using the system package manager. For more information, see [Install WireGuard](https://www.wireguard.com/install/).
-- The gateway nodes will require an open UDP port in order to communicate. By default, WireGuard uses UDP port 51820.
+- The gateway nodes will require an open UDP port in order to communicate. By default, we use UDP port 4500.
 - Run the following commands:
 
 ```bash
 cd raven
 make undeploy
 VPN_DRIVER=wireguard make deploy
 ```
+
+## (Optional 3) Use LoadBalancer to expose cloud gateway VPN service
+
+By default, raven use EIP/Public IP to expose cloud gateway VPN service, we also provide LoadBalancer as an alternative. You can set `exposeType: LoadBalancer` in Gateway CR to enable it.
+
+```bash
+$ cat <<EOF | kubectl apply -f -
+apiVersion: raven.openyurt.io/v1alpha1
+kind: Gateway
+metadata:
+  name: gw-cloud
+spec:
+  exposeType: LoadBalancer
+  endpoints:
+    - nodeName: master
+      underNAT: false
+```
diff --git a/go.mod b/go.mod
@@ -4,7 +4,7 @@ go 1.16
 
 require (
 	github.com/EvilSuperstars/go-cidrman v0.0.0-20190607145828-28e79e32899a
-	github.com/openyurtio/raven-controller-manager v0.1.1-0.20220712045115-14910b0bce36
+	github.com/openyurtio/raven-controller-manager v0.3.1-0.20230220020223-39cb99a72df9
 	github.com/pkg/errors v0.9.1
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/pflag v1.0.5
diff --git a/go.sum b/go.sum
@@ -411,8 +411,8 @@ github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1y
 github.com/onsi/gomega v1.17.0 h1:9Luw4uT5HTjHTN8+aNcSThgH1vdXnmdJ8xIfZ4wyTRE=
 github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
-github.com/openyurtio/raven-controller-manager v0.1.1-0.20220712045115-14910b0bce36 h1:HW8NZch3pBHxzYknwga5Wcf3LvcZ7Z5AxHdb0SWQFD4=
-github.com/openyurtio/raven-controller-manager v0.1.1-0.20220712045115-14910b0bce36/go.mod h1:QkKI16Qr4wECtjA6e9QV4bNUmQj4zPEJNbz0tYvqdA0=
+github.com/openyurtio/raven-controller-manager v0.3.1-0.20230220020223-39cb99a72df9 h1:SY2xf14YoPKbZfjyHPzaV/gn710Z1s/MKVxQ6lA790Y=
+github.com/openyurtio/raven-controller-manager v0.3.1-0.20230220020223-39cb99a72df9/go.mod h1:op6Yh+6WYNF6EdIMyiK+yHxjOhxmAgfDHhHizZakgXM=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
diff --git a/pkg/k8s/engine_controller.go b/pkg/k8s/engine_controller.go
@@ -272,10 +272,12 @@ func (c *EngineController) configGatewayPublicIP(gateway *v1alpha1.Gateway) erro
 	if gateway.Status.ActiveEndpoint.NodeName != c.nodeName {
 		return nil
 	}
+
 	publicIP, err := utils.GetPublicIP()
 	if err != nil {
 		return err
 	}
+
 	// retry to update public ip of localGateway
 	err = retry.RetryOnConflict(retry.DefaultBackoff, func() error {
 		// get localGateway from api server
diff --git a/pkg/networkengine/vpndriver/driver_test.go b/pkg/networkengine/vpndriver/driver_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/openyurtio/raven-controller-manager/pkg/ravencontroller/apis/raven/v1alpha1"
+
 	"github.com/openyurtio/raven/cmd/agent/app/config"
 	"github.com/openyurtio/raven/pkg/types"
 )
diff --git a/pkg/networkengine/vpndriver/wireguard/wireguard.go b/pkg/networkengine/vpndriver/wireguard/wireguard.go
@@ -52,12 +52,12 @@ const (
 	// PublicKey is name (key) of publicKey entry in back-end map.
 	PublicKey = "publicKey"
 	// KeepAliveInterval to use for wg peers.
-	KeepAliveInterval = 10 * time.Second
+	KeepAliveInterval = 5 * time.Second
 
 	// DeviceName specifies name of WireGuard network device.
 	DeviceName = "raven-wg0"
 	// ListenPort specifies port of WireGuard listened.
-	ListenPort = 51820
+	ListenPort = 4500
 )
 
 var findCentralGw = vpndriver.FindCentralGwFn
@@ -417,7 +417,8 @@ func (w *wireguard) configGatewayPublicKey(gwName string, nodeName string) error
 // calWgRules calculates and returns the desired WireGuard rules on gateway node.
 // Rules on gateway will give raven route table a higher priority than main table in order to bypass the CNI routing rules.
 // The rules format are equivalent to the following `ip rule` command:
-//   ip rule add from all lookup {wgRouteTableID} prio {wgRulePriority}
+//
+//	ip rule add from all lookup {wgRouteTableID} prio {wgRulePriority}
 func (w *wireguard) calWgRules() map[string]*netlink.Rule {
 	rules := make(map[string]*netlink.Rule)
 	rule := networkutil.NewRavenRule(wgRulePriority, wgRouteTableID)
@@ -428,7 +429,8 @@ func (w *wireguard) calWgRules() map[string]*netlink.Rule {
 // calWgRoutes calculates and returns the desired WireGuard routes on gateway node.
 // Routes on gateway node will use a separate route table(wg route table),
 // The routes entries format are equivalent to the following `ip route` command:
-//   ip route add {remote_subnet} dev raven-wg0 table {wgRouteTableID}
+//
+//	ip route add {remote_subnet} dev raven-wg0 table {wgRouteTableID}
 func (w *wireguard) calWgRoutes(network *types.Network) map[string]*netlink.Route {
 	routes := make(map[string]*netlink.Route)
 	for _, v := range network.RemoteEndpoints {
diff --git a/pluto b/pluto
@@ -26,4 +26,4 @@ set -e
 /usr/sbin/ipsec --checknss
 
 # Start the daemon itself with any additional arguments passed in
-exec /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork  "$@"
+exec /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --keep-alive 5 --nofork  "$@"

Original file line number	Diff line number	Diff line change
`@@ -272,10 +272,12 @@ func (c EngineController) configGatewayPublicIP(gateway v1alpha1.Gateway) erro`
`272`	`272`	`if gateway.Status.ActiveEndpoint.NodeName != c.nodeName {`
`273`	`273`	`return nil`
`274`	`274`	`}`
	`275`	`+`
`275`	`276`	`publicIP, err := utils.GetPublicIP()`
`276`	`277`	`if err != nil {`
`277`	`278`	`return err`
`278`	`279`	`}`
	`280`	`+`
`279`	`281`	`// retry to update public ip of localGateway`
`280`	`282`	`err = retry.RetryOnConflict(retry.DefaultBackoff, func() error {`
`281`	`283`	`// get localGateway from api server`
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@ import (`
`5`	`5`	`"testing"`
`6`	`6`
`7`	`7`	`"github.com/openyurtio/raven-controller-manager/pkg/ravencontroller/apis/raven/v1alpha1"`
	`8`	`+`
`8`	`9`	`"github.com/openyurtio/raven/cmd/agent/app/config"`
`9`	`10`	`"github.com/openyurtio/raven/pkg/types"`
`10`	`11`	`)`