Merge branch 'master' into iptables-host-compatibility-detection

go.mod

@@ -3,16 +3,16 @@ module github.com/submariner-io/submariner
 go 1.12
 
 require (
-	github.com/bronze1man/goStrongswanVici v0.0.0-20181105005556-92d3927c899e
+	cloud.google.com/go v0.45.1 // indirect
+	github.com/bronze1man/goStrongswanVici v0.0.0-20190921045355-4c81bd8d0bd5
 	github.com/coreos/go-iptables v0.4.0
 	github.com/evanphx/json-patch v0.0.0-20180908160633-36442dbdb585 // indirect
 	github.com/gogo/protobuf v0.0.0-20171007142547-342cbe0a0415 // indirect
 	github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903 // indirect
-	github.com/google/btree v0.0.0-20160524151835-7d79101e329e // indirect
+	github.com/google/btree v1.0.0 // indirect
 	github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367 // indirect
 	github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d // indirect
 	github.com/gregjones/httpcache v0.0.0-20170728041850-787624de3eb7 // indirect
-	github.com/hashicorp/golang-lru v0.0.0-20160207214719-a0d98a5f2880 // indirect
 	github.com/imdario/mergo v0.0.0-20180608140156-9316a62528ac // indirect
 	github.com/jpillora/backoff v0.0.0-20170918002102-8eab2debe79d // indirect
 	github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be // indirect
@@ -28,10 +28,7 @@ require (
 	github.com/spf13/pflag v0.0.0-20180412120913-583c0c0531f0 // indirect
 	github.com/vishvananda/netlink v1.0.0
 	github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc // indirect
-	golang.org/x/oauth2 v0.0.0-20170412232759-a6bd8cefa181 // indirect
-	golang.org/x/sys v0.0.0-20190606165138-5da285871e9c
-	golang.org/x/time v0.0.0-20161028155119-f51c12702a4d // indirect
-	google.golang.org/appengine v1.6.1 // indirect
+	golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0
 	gopkg.in/inf.v0 v0.0.0-20150911125757-3887ee99ecf0 // indirect
 	gopkg.in/yaml.v2 v2.2.2 // indirect
 	k8s.io/api v0.0.0-20190222213804-5cb15d344471
@@ -42,6 +39,4 @@ require (
 	sigs.k8s.io/yaml v0.0.0-20181102190223-fd68e9863619 // indirect
 )
 
-replace github.com/bronze1man/goStrongswanVici => github.com/mangelajo/goStrongswanVici v0.0.0-20190701121157-9a5ae4453bda
-
 replace github.com/onsi/ginkgo => github.com/onsi/ginkgo v0.0.0-20190716150225-054541502288

package/Dockerfile

@@ -6,7 +6,6 @@ RUN dnf -y distrosync && \
     dnf -y install iproute iptables strongswan procps-ng && \
     dnf -y clean all
 
-COPY charon.conf /etc/strongswan.d/charon.conf
 COPY submariner.sh submariner-engine /usr/local/bin/
 
 ENTRYPOINT submariner.sh

pkg/cableengine/ipsec/strongswan.go

@@ -2,10 +2,12 @@ package ipsec
 
 import (
 	"fmt"
+	"io"
 	"os"
 	"os/exec"
 	"strings"
 	"syscall"
+	"text/template"
 	"time"
 
 	"github.com/bronze1man/goStrongswanVici"
@@ -23,6 +25,9 @@ const (
 
 	// DefaultChildSaRekeyInterval specifies the default rekey interval for CHILD_SA
 	DefaultChildSaRekeyInterval = "1h"
+
+	// strongswanCharonConfigFilePAth points to the config file charon will use at start
+	strongswanCharonConfigFilePath = "/etc/strongswan/strongswan.d/charon.conf"
 )
 
 type strongSwan struct {
@@ -32,21 +37,29 @@ type strongSwan struct {
 	replayWindowSize          string
 	ipSecIkeSaRekeyInterval   string
 	ipSecChildSaRekeyInterval string
+	ipSecIKEPort              string
+	ipSecNATTPort             string
 
 	debug   bool
 	logFile string
 }
 
 type specification struct {
-	PSK     string
-	Debug   bool
-	LogFile string
+	PSK      string
+	Debug    bool
+	LogFile  string
+	IKEPort  string `default:"500"`
+	NATTPort string `default:"4500"`
 }
 
+const defaultIKEPort = "500"
+const defaultNATTPort = "4500"
+const ipsecSpecEnvVarPrefix = "ce_ipsec"
+
 func NewStrongSwan(localSubnets []string, localEndpoint types.SubmarinerEndpoint) (Driver, error) {
 	ipSecSpec := specification{}
 
-	err := envconfig.Process("ce_ipsec", &ipSecSpec)
+	err := envconfig.Process(ipsecSpecEnvVarPrefix, &ipSecSpec)
 	if err != nil {
 		return nil, fmt.Errorf("error processing environment config for ce_ipsec: %v", err)
 	}
@@ -55,6 +68,8 @@ func NewStrongSwan(localSubnets []string, localEndpoint types.SubmarinerEndpoint
 		replayWindowSize:          DefaultReplayWindowSize,
 		ipSecIkeSaRekeyInterval:   DefaultIkeSaRekeyInterval,
 		ipSecChildSaRekeyInterval: DefaultChildSaRekeyInterval,
+		ipSecIKEPort:              ipSecSpec.IKEPort,
+		ipSecNATTPort:             ipSecSpec.NATTPort,
 		localEndpoint:             localEndpoint,
 		localSubnets:              localSubnets,
 		secretKey:                 ipSecSpec.PSK,
@@ -64,7 +79,7 @@ func NewStrongSwan(localSubnets []string, localEndpoint types.SubmarinerEndpoint
 }
 
 func (i *strongSwan) Init() error {
-	if err := runCharon(i.debug, i.logFile); err != nil {
+	if err := i.runCharon(); err != nil {
 		return err
 	}
 
@@ -138,6 +153,15 @@ func (i *strongSwan) ConnectToEndpoint(endpoint types.SubmarinerEndpoint) (strin
 		Encap:       "yes",
 		Mobike:      "no",
 	}
+
+	// We point to the remote port that has proven to work by trial and error
+	// with strongswan over non-standard UDP ports
+	if i.ipSecNATTPort != defaultNATTPort {
+		ikeConf.RemotePort = i.ipSecNATTPort
+	} else if i.ipSecIKEPort != defaultIKEPort {
+		ikeConf.RemotePort = i.ipSecIKEPort
+	}
+
 	ikeConf.Children = map[string]goStrongswanVici.ChildSAConf{
 		"submariner-child-" + endpoint.Spec.CableName: childSAConf,
 	}
@@ -291,15 +315,71 @@ func (i *strongSwan) loadSharedKey(endpoint types.SubmarinerEndpoint, client *go
 	return nil
 }
 
-func runCharon(debug bool, logFile string) error {
+// charonConfTemplate defines the configuration for strongswan IKE keying daemon,
+// * port and port_nat_t define the IKE and IKE NATT UDP ports
+// * make_before_break ensures dataplane connectivity while re-authenticating endpoints (check this)
+// TODO : check what * ignore_acquire_ts means
+const charonConfTemplate = `
+	charon {
+		port = {{.ipSecIKEPort}}
+		port_nat_t = {{.ipSecNATTPort}}
+		make_before_break = yes
+		ignore_acquire_ts = yes
+	}
+`
+
+func (i *strongSwan) writeCharonConfig(path string) error {
+	err := os.Remove(path)
+	if err != nil {
+		klog.Warningf("Error deleting %s: %s", path, err)
+	}
+
+	f, err := os.Create(path)
+
+	if err != nil {
+		return fmt.Errorf("Error creating %s: %s", path, err)
+	}
+	if err = i.renderCharonConfigTemplate(f); err != nil {
+		return err
+	}
+
+	if err = f.Close(); err != nil {
+		return fmt.Errorf("Unable to close %s: %s", path, err)
+	}
+
+	return nil
+}
+
+func (i *strongSwan) renderCharonConfigTemplate(f io.Writer) error {
+	t, err := template.New("charon.conf").Parse(charonConfTemplate)
+	if err != nil {
+		return fmt.Errorf("Error creating template for charon.conf: %s", err)
+	}
+
+	err = t.Execute(f, map[string]string{
+		"ipSecIKEPort":  i.ipSecIKEPort,
+		"ipSecNATTPort": i.ipSecNATTPort})
+
+	if err != nil {
+		return fmt.Errorf("Error rendering charon config file: %s", err)
+	}
+	return nil
+}
+
+func (i *strongSwan) runCharon() error {
+
+	if err := i.writeCharonConfig(strongswanCharonConfigFilePath); err != nil {
+		return fmt.Errorf("Error writing strongswan charon config: %s", err)
+	}
+
 	klog.Infof("Starting Charon")
 	// Ignore error
 	os.Remove("/var/run/charon.vici")
 
 	args := []string{}
-	for _, i := range strings.Split("dmn|mgr|ike|chd|cfg|knl|net|asn|tnc|imc|imv|pts|tls|esp|lib", "|") {
-		args = append(args, "--debug-"+i)
-		if debug {
+	for _, idx := range strings.Split("dmn|mgr|ike|chd|cfg|knl|net|asn|tnc|imc|imv|pts|tls|esp|lib", "|") {
+		args = append(args, "--debug-"+idx)
+		if i.debug {
 			args = append(args, "3")
 		} else {
 			args = append(args, "1")
@@ -311,10 +391,10 @@ func runCharon(debug bool, logFile string) error {
 	cmd.Stderr = os.Stderr
 
 	var outputFile *os.File
-	if logFile != "" {
-		out, err := os.OpenFile(logFile, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0666)
+	if i.logFile != "" {
+		out, err := os.OpenFile(i.logFile, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0666)
 		if err != nil {
-			return fmt.Errorf("Failed to open log file %s: %v", logFile, err)
+			return fmt.Errorf("Failed to open log file %s: %v", i.logFile, err)
 		}
 
 		cmd.Stdout = out

pkg/cableengine/ipsec/strongswan_test.go

@@ -0,0 +1,70 @@
+package ipsec
+
+import (
+	"bytes"
+	"os"
+	"testing"
+
+	"github.com/kelseyhightower/envconfig"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Strongswan", func() {
+	Describe("Charon port configuration", testCharonConfigPortsGen)
+})
+
+func testCharonConfigPortsGen() {
+	Context("config rendering", func() {
+		It("should render config correctly out of strongSwan parameters", func() {
+			ss := strongSwan{ipSecIKEPort: "500", ipSecNATTPort: "4500"}
+			buf := new(bytes.Buffer)
+
+			err := ss.renderCharonConfigTemplate(buf)
+
+			Expect(err).ShouldNot(HaveOccurred())
+
+			Expect(buf.String()).To(ContainSubstring("port = 500"))
+			Expect(buf.String()).To(ContainSubstring("port_nat_t = 4500"))
+			Expect(buf.String()).To(ContainSubstring("make_before_break = yes"))
+			Expect(buf.String()).To(ContainSubstring("ignore_acquire_ts = yes"))
+
+		})
+	})
+
+	Context("environment variable processing", func() {
+		It("should get the defaults from the specification definition", func() {
+			checkEnvVarParsingPorts("500", "4500")
+		})
+
+		It("should get the right environment variable names", func() {
+			const (
+				ikePort        = "555"
+				nattPort       = "4555"
+				ikePortEnvVar  = "CE_IPSEC_IKEPORT"
+				nattPortEnvVar = "CE_IPSEC_NATTPORT"
+			)
+			os.Setenv(ikePortEnvVar, ikePort)
+			os.Setenv(nattPortEnvVar, nattPort)
+
+			checkEnvVarParsingPorts(ikePort, nattPort)
+
+			os.Unsetenv(ikePortEnvVar)
+			os.Unsetenv(nattPortEnvVar)
+		})
+	})
+}
+
+func checkEnvVarParsingPorts(ikePort string, nattPort string) {
+	ipSecSpec := specification{}
+	err := envconfig.Process(ipsecSpecEnvVarPrefix, &ipSecSpec)
+	Expect(err).NotTo(HaveOccurred())
+	Expect(ipSecSpec.IKEPort).To(Equal(ikePort))
+	Expect(ipSecSpec.NATTPort).To(Equal(nattPort))
+}
+
+func TestStrongswan(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Strongswan Suite")
+}

test/e2e/framework/util.go

@@ -3,12 +3,12 @@ package framework
 import (
 	"strings"
 
+	. "github.com/onsi/gomega"
 	"github.com/pkg/errors"
+	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	restclient "k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
-
-	. "github.com/onsi/gomega"
 )
 
 func loadConfig(configPath, context string) (*restclient.Config, *clientcmdapi.Config, error) {