dtServices¶
A dtService is a Kubernetes CRD that allows creation of Wireguard networks
between pods on different nodes of a federation. Each network is identified by
the name of the dtService object. Creating a dtService with a name not
already associated with a network will create a new one while using the name of
an existing network will cause the associated pod to join the existing network.
Example¶
The yaml for adding a dtService to Kubernetes looks like:
apiVersion: sid.sightlineinnovation.com/v1
kind: dtService
metadata:
name: myservice
spec:
domainSelector: mydomain
podSelector: my-pod
This will create a new network associated with the name myservice and add
a network interface for this network to the pod my-pod. Due to the
nature of kubernetes networking, all containers in the pod will have access to
this new network interface. The domainSelector field here indicates that
the dtService is associated with the federation defined by the dtDomain
mydomain and only other nodes in this federation may add new pods to the
network.
For more information on creation of a federation see here.
You can view the updated dtService using kubectl.
$ kubectl describe dtservices
Name: myservice
Namespace: dtaas-node0-dtaas
Labels: <none>
Annotations: <none>
API Version: sid.sightlineinnovation.com/v1
Kind: dtService
Metadata:
Creation Timestamp: 2021-06-21T17:09:20Z
Generation: 4
Resource Version: 9361685
Self Link: /apis/sid.sightlineinnovation.com/v1/namespaces/dtaas-node0-dtaas/dtservices/testdtservice
UID: b4c5e0a5-dbff-49e2-bee6-eacbfb5ce3ce
Peers:
100.96.0.1: d7Q5KQuLcr4VTxJcwsZmtDoq7fEpyYTuR1x0BWiaEXw=
Spec:
Domain Selector: mydomain
Pod Selector: my-pod
Status: Connected
Events: <none>
At this point there are two changes to note, the addition of the Status and
Peers. The Status above indicates that we’re connected to the network.
This is also where it will be indicated if we failed to create or join the
network. The Peers are a mapping of IPv4 addresses to Wireguard public keys
for the different peers of the resulting Wireguard network. Both of these
fields are managed by DTaaS and should not be modified directly.
Once we have a network created we may add more pods on different nodes to the network. The yaml for doing doing so looks like:
apiVersion: sid.sightlineinnovation.com/v1
kind: dtService
metadata:
name: myservice
spec:
domainSelector: mydomain
podSelector: service-pod
Notice that the above looks almost identical to the yaml used for creating the
network. The name must be the same but the domainSelector and
podSelector may be different depending on how the dtDomain was named
and what pod we wish to attach to the network.
If we look at the dtService in Kubernetes at this point we will get:
$ kubectl describe dtservices
Name: myservice
Namespace: dtaas-node1-dtaas
Labels: <none>
Annotations: <none>
API Version: sid.sightlineinnovation.com/v1
Kind: dtService
Metadata:
Creation Timestamp: 2021-06-21T17:28:34Z
Generation: 5
Resource Version: 9364231
Self Link: /apis/sid.sightlineinnovation.com/v1/namespaces/dtaas-node1-dtaas/dtservices/testdtservice
UID: 839bbb8d-49f6-4c7b-9c01-585ea5b8294a
Peers:
100.96.0.1: d7Q5KQuLcr4VTxJcwsZmtDoq7fEpyYTuR1x0BWiaEXw=
100.96.0.2: 0/0DnGBZH2wc81p25+Kygj9KxLZu2vjWsX8kte/GUR4=
Spec:
Domain Selector: mydomain
Pod Selector: service-pod
Server:
Endpoint: 10.4.0.16:51830
Peer: 100.96.0.0/24
Public Key: d7Q5KQuLcr4VTxJcwsZmtDoq7fEpyYTuR1x0BWiaEXw=
Status: Connected
Events: <none>
This looks similar to the result after creating the network but we now have a
new field called Server as part of the spec. This field contains the
connection information needed for adding the connected pod as a client on the
Wireguard network. This information is generated automatically by DTaaS and as
such shouldn’t be set or modified manually.