Add mesh VPN support to the CDH #763
Conversation
portersrc
force-pushed
the
feature/encrypted-mesh
branch
3 times, most recently
from
00e1f81
to
6fb1d22
Compare
portersrc
force-pushed
the
feature/encrypted-mesh
branch
9 times, most recently
from
60d552e
to
8cdf322
Compare
portersrc
force-pushed
the
feature/encrypted-mesh
branch
3 times, most recently
from
8947bea
to
8062c00
Compare
Signed-off-by: Chris Porter <[email protected]>
portersrc
force-pushed
the
feature/encrypted-mesh
branch
from
8062c00
to
2163ae5
Compare
| #[arg(short, long)] | ||
| pod_name: String, | ||
| #[arg(short, long)] | ||
| lighthouse_pub_ip: String, |
There was a problem hiding this comment.
I think this could maybe come from the CDH config file (with init-data coming soon) rather than be passed from the caller.
| overlay_network::init(pod_name, lighthouse_pub_ip).await?; | ||
| // FIXME remove return value for this interface if we don't need | ||
| // anything here. | ||
| Ok(Vec::<u8>::new()) |
There was a problem hiding this comment.
Agree with this comment. Just return a result here probably
| } | ||
|
|
||
| // FIXME This should be a shared struct, if possible, with trustee's nebula | ||
| // plugin. It's that plugin's custom protocol. |
There was a problem hiding this comment.
Not really possible. Even our attesters have structs that need to match the verifiers in the AS
|
|
||
| // FIXME These should be configurable | ||
| const LIGHTHOUSE_IP: Ipv4Addr = Ipv4Addr::new(192, 168, 100, 100); | ||
| const LIGHTHOUSE_MASK: Ipv4Addr = Ipv4Addr::new(255, 255, 255, 0); |
There was a problem hiding this comment.
Yeah, try to get these from the CDH config file. Otherwise we have sort of a single-use feature.
| /// Initialize a nebula mesh. The general approach is as follows: | ||
| /// - Calculate what the mesh IP will be for this worker. | ||
| /// - Ask trustee for its nebula credentials | ||
| /// - Start the nebula daemon. |
There was a problem hiding this comment.
nit: put comment before function name
| } | ||
|
|
||
| // FIXME: kbs hard-coded to localhost is wrong. This should be based on | ||
| // ResourceUri? Where does it come from? |
| /// - Ask trustee for its nebula credentials | ||
| /// - Start the nebula daemon. | ||
| pub async fn init(&self) -> Result<()> { | ||
| let is_lighthouse: bool = self.lighthouse_ip.is_empty(); |
There was a problem hiding this comment.
so we're going to use one of the pods as the lighthouse?
| pub async fn init(&self) -> Result<()> { | ||
| let is_lighthouse: bool = self.lighthouse_ip.is_empty(); | ||
|
|
||
| let (mesh_ip, which_config); |
There was a problem hiding this comment.
to be more rust-like, you could do let (mesh_ip, which_config) if is_lighthouse { and then have each arm return a tuple
| // FIXME: kbs hard-coded to localhost is wrong. This should be based on | ||
| // ResourceUri? Where does it come from? | ||
| let prefix_len: u32 = self.netmask_to_prefix_len(LIGHTHOUSE_MASK); | ||
| let neb_cred_uri: String = format!( |
There was a problem hiding this comment.
would it make sense to move this through 85ish into it's own method?
There was a problem hiding this comment.
it could be cool to make these configs more object oriented. rather than just storing a string config, you could have a struct that stores a string and knows how to write itself to a certain place and such. not a requirement but could be nifty
RFC issue is here
This PR is meant to hold the main guest functionality for overlay network support with Nebula. The main additions are in confidential-data-hub/overlay-network.
Related items not included in this PR: