dtServices

A dtService is a Kubernetes CRD that allows creation of Wireguard networks between pods on different nodes of a federation. Each network is identified by the name of the dtService object: creating a dtService with a name that is not yet associated with a network creates a new one, while reusing the name of an existing network makes the selected pod join that network.

Example

The yaml for adding a dtService to Kubernetes looks like:

apiVersion: sid.sightlineinnovation.com/v1
kind: dtService
metadata:
  name: myservice
spec:
  domainSelector: mydomain
  podSelector: my-pod

This will create a new network associated with the name myservice and add a network interface for this network to the pod my-pod. Because all containers in a Kubernetes pod share the pod's network namespace, every container in the pod will have access to this new interface. The domainSelector field indicates that the dtService is associated with the federation defined by the dtDomain mydomain; only other nodes in this federation may add pods to the network.

For more information on creation of a federation see here.

You can view the updated dtService using kubectl.

$ kubectl describe dtservices

Name:         myservice
Namespace:    dtaas-node0-dtaas
Labels:       <none>
Annotations:  <none>
API Version:  sid.sightlineinnovation.com/v1
Kind:         dtService
Metadata:
  Creation Timestamp:  2021-06-21T17:09:20Z
  Generation:          4
  Resource Version:  9361685
  Self Link:         /apis/sid.sightlineinnovation.com/v1/namespaces/dtaas-node0-dtaas/dtservices/testdtservice
  UID:               b4c5e0a5-dbff-49e2-bee6-eacbfb5ce3ce
Peers:
  100.96.0.1:  d7Q5KQuLcr4VTxJcwsZmtDoq7fEpyYTuR1x0BWiaEXw=
Spec:
  Domain Selector:  mydomain
  Pod Selector:     my-pod
Status:             Connected
Events:             <none>

At this point there are two changes to note: the addition of the Status and Peers fields. The Status above indicates that we’re connected to the network; it is also where a failure to create or join the network is reported. The Peers field maps the IPv4 address of each peer on the resulting Wireguard network to that peer's Wireguard public key. Both of these fields are managed by DTaaS and should not be modified directly.

Once we have a network created we may add more pods on different nodes to the network. The yaml for doing so looks like:

apiVersion: sid.sightlineinnovation.com/v1
kind: dtService
metadata:
  name: myservice
spec:
  domainSelector: mydomain
  podSelector: service-pod

Notice that the above looks almost identical to the yaml used for creating the network. The name must be the same but the domainSelector and podSelector may be different depending on how the dtDomain was named and what pod we wish to attach to the network.

If we look at the dtService in Kubernetes at this point we will get:

$ kubectl describe dtservices

Name:         myservice
Namespace:    dtaas-node1-dtaas
Labels:       <none>
Annotations:  <none>
API Version:  sid.sightlineinnovation.com/v1
Kind:         dtService
Metadata:
  Creation Timestamp:  2021-06-21T17:28:34Z
  Generation:          5
  Resource Version:  9364231
  Self Link:         /apis/sid.sightlineinnovation.com/v1/namespaces/dtaas-node1-dtaas/dtservices/testdtservice
  UID:               839bbb8d-49f6-4c7b-9c01-585ea5b8294a
Peers:
  100.96.0.1:  d7Q5KQuLcr4VTxJcwsZmtDoq7fEpyYTuR1x0BWiaEXw=
  100.96.0.2:  0/0DnGBZH2wc81p25+Kygj9KxLZu2vjWsX8kte/GUR4=
Spec:
  Domain Selector:  mydomain
  Pod Selector:     service-pod
  Server:
    Endpoint:    10.4.0.16:51830
    Peer:        100.96.0.0/24
    Public Key:  d7Q5KQuLcr4VTxJcwsZmtDoq7fEpyYTuR1x0BWiaEXw=
Status:          Connected
Events:          <none>

This looks similar to the result after creating the network but we now have a new field called Server as part of the spec. This field contains the connection information needed for adding the connected pod as a client on the Wireguard network. This information is generated automatically by DTaaS and as such shouldn’t be set or modified manually.
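The checks below are an added example, not code from the DTaaS project or this page. They parse the indented key/value layout that `kubectl describe` prints (and the simple manifests above) and verify what the text says should hold for a healthy dtService: Status is Connected, each Peers entry maps an address inside the Server Peer range to a well-formed Wireguard public key (32 bytes, base64), and a manifest about to be applied does not set the DTaaS-managed Server, Peers or Status fields by hand. The manifest keys `server`, `peers` and `status`, and the functions `parse_describe`, `check_dtservice` and `lint_manifest`, are assumptions of the example; the sample objects are taken from the output shown on this page plus one constructed bad manifest.

```python
# Added example, not code from the DTaaS project or this page. The manifest keys
# "server", "peers" and "status" used by lint_manifest are assumptions about the CRD.
import base64
import ipaddress
import re

def parse_describe(text):
    """Parse indented 'Key: value' text (describe output or the YAML above) into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent, section being filled)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")  # first colon only, so a
        value = value.strip()                        # value like host:port survives
        while indent <= stack[-1][0]:                # a dedent closes open sections
            stack.pop()
        if value:
            stack[-1][1][key] = value
        else:                                        # "Peers:", "Server:" open a section
            child = {}
            stack[-1][1][key] = child
            stack.append((indent, child))
    return root

def valid_wg_key(key):
    """A WireGuard public key is 32 bytes: base64 of 43 chars plus one '='."""
    if not isinstance(key, str) or not re.fullmatch(r"[A-Za-z0-9+/]{43}=", key):
        return False
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def check_dtservice(obj):
    """Problems with a dtService as DTaaS reports it; an empty list means healthy."""
    problems = []
    if obj.get("Status") != "Connected":
        problems.append("Status is %r, not Connected" % obj.get("Status"))
    peers = obj.get("Peers") if isinstance(obj.get("Peers"), dict) else {}
    if not peers:
        problems.append("no Peers recorded")
    server = (obj.get("Spec") or {}).get("Server") or {}
    net = None
    if server:  # only present once the pod joined an existing network as a client
        try:
            net = ipaddress.ip_network(server.get("Peer", ""))
        except ValueError:
            problems.append("Server.Peer %r is not a valid CIDR" % server.get("Peer"))
        if server.get("Public Key") not in peers.values():
            problems.append("Server.Public Key is not listed under Peers")
    for ip, key in peers.items():
        try:
            inside = net is None or ipaddress.ip_address(ip) in net
        except ValueError:
            inside = False
        if not inside:
            problems.append("peer %r is not an address inside %s" % (ip, net))
        if not valid_wg_key(key):
            problems.append("peer %s has a malformed WireGuard public key" % ip)
    return problems

def lint_manifest(manifest):
    """Reject a manifest that is incomplete or sets DTaaS-managed fields by hand."""
    problems = []
    if manifest.get("kind") != "dtService":
        problems.append("kind must be dtService")
    spec = manifest.get("spec") if isinstance(manifest.get("spec"), dict) else {}
    for required in ("domainSelector", "podSelector"):
        if required not in spec:
            problems.append("spec.%s missing" % required)
    if "server" in spec:  # assumed key; the text says Server is generated by DTaaS
        problems.append("spec.server is managed by DTaaS; remove it")
    for managed in ("peers", "status"):  # assumed keys, likewise generated
        if managed in manifest:
            problems.append("%s is managed by DTaaS; remove it" % managed)
    return problems

# Excerpt of the second `kubectl describe dtservices` output on this page.
DESCRIBE_OUTPUT = """\
Peers:
  100.96.0.1:  d7Q5KQuLcr4VTxJcwsZmtDoq7fEpyYTuR1x0BWiaEXw=
  100.96.0.2:  0/0DnGBZH2wc81p25+Kygj9KxLZu2vjWsX8kte/GUR4=
Spec:
  Pod Selector:     service-pod
  Server:
    Endpoint:    10.4.0.16:51830
    Peer:        100.96.0.0/24
    Public Key:  d7Q5KQuLcr4VTxJcwsZmtDoq7fEpyYTuR1x0BWiaEXw=
Status:          Connected
"""
# The join manifest from the page, plus a constructed copy that wrongly sets spec.server.
GOOD_MANIFEST = """\
apiVersion: sid.sightlineinnovation.com/v1
kind: dtService
metadata:
  name: myservice
spec:
  domainSelector: mydomain
  podSelector: service-pod
"""
BAD_MANIFEST = GOOD_MANIFEST + "  server:\n    endpoint: 10.4.0.16:51830\n"

if __name__ == "__main__":
    print("describe:", check_dtservice(parse_describe(DESCRIBE_OUTPUT)) or "OK")
    print("bad manifest:", lint_manifest(parse_describe(BAD_MANIFEST)))
```

Running the script against the page's own output reports no problems; feeding it a manifest that carries a hand-written `server` section yields a single complaint, which is the check to run before `kubectl apply` so that the DTaaS-generated fields are never overwritten by a stale copy of the object.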