wip gateway-agent

Author: jhrv

apiserver/api/api.go

@@ -13,6 +13,11 @@ type api struct {
 	db database.APIServerDB
 }
 
+type Peer struct {
+	PublicKey string
+	IP        string
+}
+
 // TODO(jhrv): do actual filtering of the clients.
 // TODO(jhrv): keep cache of gateway access group members to remove AAD runtime dependency
 // gatewayConfig returns the clients for the gateway that has the group membership required
@@ -26,8 +31,13 @@ func (a *api) gatewayConfig(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	peers := make([]Peer, 0)
+	for _, client := range clients {
+		peers = append(peers, Peer{PublicKey: client.PublicKey, IP: client.IP})
+	}
+
 	w.WriteHeader(http.StatusOK)
-	json.NewEncoder(w).Encode(clients)
+	json.NewEncoder(w).Encode(peers)
 }
 
 func (a *api) clients(w http.ResponseWriter, r *http.Request) {
@@ -65,7 +75,7 @@ func (a *api) updateHealth(w http.ResponseWriter, r *http.Request) {
 	if err := a.db.UpdateClientStatus(healthUpdates); err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
 		log.Error(err)
-		w.Write([]byte("unable to persist client statuses"))
+		w.Write([]byte("unable to persist client statuses\n"))
 		return
 	}
 }

cmd/gateway-agent/main.go

@@ -0,0 +1,139 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"path/filepath"
+	"time"
+
+	"github.com/nais/device/apiserver/api"
+	log "github.com/sirupsen/logrus"
+	flag "github.com/spf13/pflag"
+)
+
+var (
+	cfg = DefaultConfig()
+)
+
+func init() {
+	log.SetFormatter(&log.JSONFormatter{})
+	flag.StringVar(&cfg.Apiserver, "apiserver", cfg.Apiserver, "hostname to apiserver")
+	flag.StringVar(&cfg.Name, "name", cfg.Name, "hostname to apiserver")
+	flag.StringVar(&cfg.PublicKey, "public-key", cfg.PublicKey, "path to wireguard public key")
+	flag.StringVar(&cfg.PrivateKey, "private-key", cfg.PrivateKey, "path to wireguard private key")
+	flag.StringVar(&cfg.TunnelInterfaceName, "interface", cfg.TunnelInterfaceName, "name of tunnel interface")
+	flag.StringVar(&cfg.TunnelConfigDir, "tunnel-config-dir", cfg.TunnelConfigDir, "path to tunnel interface config directory")
+
+	flag.Parse()
+}
+
+// Gateway agent ensures desired configuration as defined by the apiserver
+// is synchronized and enforced by the local wireguard process on the gateway.
+//
+// Prerequisites:
+// - controlplane tunnel is set up/apiserver is reachable at `Config.Apiserver`
+//
+// Prereqs for MVP (at least):
+//
+// - wireguard keypair is generated and provided as `Config.{Public,Private}Key`
+// - gateway is registered
+// - tunnel ip is configured on wireguard interface for dataplane (see below)
+//
+//# ip link add dev wg0 type wireguard
+//# ip addr add <tunnelip> wg0
+//# ip link set wg0 up
+func main() {
+	log.Info("starting gateway-agent")
+	log.Infof("with config:\n%+v", cfg)
+
+	privateKey, err := readPrivateKey()
+
+	if err != nil {
+		log.Fatalf("reading private key: %s", err)
+	}
+
+	for range time.NewTicker(10 * time.Second).C {
+		log.Infof("getting config")
+		apiserver := fmt.Sprintf("%s/gateways/%s", cfg.Apiserver, cfg.Name)
+		peers, err := getPeers(apiserver)
+		if err != nil {
+			log.Error(err)
+			// inc metric
+		}
+
+		fmt.Printf("%+v\n", peers)
+
+		if err := configureWireguard(peers, privateKey); err != nil {
+			log.Error(err)
+			// inc metric
+		}
+	}
+}
+
+func readPrivateKey() (string, error) {
+	privateKeyPath := filepath.Join(cfg.TunnelConfigDir, cfg.TunnelInterfaceName+".conf")
+	b, err := ioutil.ReadFile(privateKeyPath)
+	return string(b), err
+}
+
+func configureWireguard(peers []api.Peer, privateKey string) error {
+	// transform peers into wg0.conf
+	wg0conf := generateWGConfig(peers, privateKey)
+	fmt.Println(string(wg0conf))
+	ioutil.WriteFile("/etc/wireguard/wg0.conf", wg0conf, 0600)
+
+	//exec.Command("wg", "syncconf", "wg0", "/etc/wireguard/wg0.conf")
+
+	return nil
+}
+
+func generateWGConfig(peers []api.Peer, privateKey string) []byte {
+	wgConfig := "[Interface]\n"
+	wgConfig += fmt.Sprintf("PrivateKey = %s\n", privateKey)
+	for _, peer := range peers {
+		wgConfig += "[Peer]\n"
+		wgConfig += fmt.Sprintf("PublicKey = %s\n", peer.PublicKey)
+		wgConfig += fmt.Sprintf("AllowedIPs = %s\n\n", peer.IP)
+	}
+
+	return []byte(wgConfig)
+}
+
+func getPeers(apiserverURL string) (peers []api.Peer, err error) {
+	resp, err := http.Get(apiserverURL)
+	if err != nil {
+		return nil, fmt.Errorf("getting peer config from apiserver: %s", err)
+	}
+
+	defer resp.Body.Close()
+
+	err = json.NewDecoder(resp.Body).Decode(&peers)
+
+	if err != nil {
+		return nil, fmt.Errorf("unmarshal json from apiserver: %s", err)
+	}
+
+	return
+}
+
+type Config struct {
+	Apiserver           string
+	Name                string
+	PublicKey           string
+	PrivateKey          string
+	TunnelIP            string
+	TunnelConfigDir     string
+	TunnelInterfaceName string
+}
+
+func DefaultConfig() Config {
+	return Config{
+		Apiserver:           "http://apiserver.device.nais.io",
+		PublicKey:           "/etc/wireguard/public.key",
+		PrivateKey:          "/etc/wireguard/private.key",
+		TunnelInterfaceName: "wgdata",
+		TunnelConfigDir:     "/etc/wireguard/",
+	}
+}