dtService is a Kubernetes CRD that allows creation of WireGuard networks between pods on different nodes of a federation. Each network is identified by the name of the dtService object. Creating a dtService with a name not already associated with a network will create a new one, while using the name of an existing network will cause the associated pod to join the existing network.

The yaml for adding a dtService to Kubernetes looks like:
apiVersion: sid.sightlineinnovation.com/v1
kind: dtService
metadata:
  name: myservice
spec:
  domainSelector: mydomain
  podSelector: my-pod
This will create a new network associated with the name myservice and add a network interface for this network to the pod my-pod. Due to the nature of Kubernetes networking, all containers in the pod will have access to this new network interface. The domainSelector field here indicates that the dtService is associated with the federation defined by the dtDomain named mydomain, and only other nodes in this federation may add new pods to the network. For more information on creation of a federation see here.
You can view the updated dtService with:

$ kubectl describe dtservices
Name:         myservice
Namespace:    dtaas-node0-dtaas
Labels:       <none>
Annotations:  <none>
API Version:  sid.sightlineinnovation.com/v1
Kind:         dtService
Metadata:
  Creation Timestamp:  2021-06-21T17:09:20Z
  Generation:          4
  Resource Version:    9361685
  Self Link:           /apis/sid.sightlineinnovation.com/v1/namespaces/dtaas-node0-dtaas/dtservices/testdtservice
  UID:                 b4c5e0a5-dbff-49e2-bee6-eacbfb5ce3ce
Peers:
  100.96.0.1:  d7Q5KQuLcr4VTxJcwsZmtDoq7fEpyYTuR1x0BWiaEXw=
Spec:
  Domain Selector:  mydomain
  Pod Selector:     my-pod
Status:  Connected
Events:  <none>
At this point there are two changes to note: the addition of the Peers and Status fields. Status above indicates that we're connected to the network. This is also where it will be indicated if we failed to create or join the network. Peers is a mapping of IPv4 addresses to WireGuard public keys for the different peers of the resulting WireGuard network. Both of these fields are managed by DTaaS and should not be modified directly.
Once we have a network created we may add more pods on different nodes to the network. The yaml for doing so looks like:
apiVersion: sid.sightlineinnovation.com/v1
kind: dtService
metadata:
  name: myservice
spec:
  domainSelector: mydomain
  podSelector: service-pod
Notice that the above looks almost identical to the yaml used for creating the network. The name must be the same, but the podSelector may be different depending on how the dtDomain was named and what pod we wish to attach to the network.
If we look at the dtService in Kubernetes at this point we will get:

$ kubectl describe dtservices
Name:         myservice
Namespace:    dtaas-node1-dtaas
Labels:       <none>
Annotations:  <none>
API Version:  sid.sightlineinnovation.com/v1
Kind:         dtService
Metadata:
  Creation Timestamp:  2021-06-21T17:28:34Z
  Generation:          5
  Resource Version:    9364231
  Self Link:           /apis/sid.sightlineinnovation.com/v1/namespaces/dtaas-node1-dtaas/dtservices/testdtservice
  UID:                 839bbb8d-49f6-4c7b-9c01-585ea5b8294a
Peers:
  100.96.0.1:  d7Q5KQuLcr4VTxJcwsZmtDoq7fEpyYTuR1x0BWiaEXw=
  100.96.0.2:  0/0DnGBZH2wc81p25+Kygj9KxLZu2vjWsX8kte/GUR4=
Spec:
  Domain Selector:  mydomain
  Pod Selector:     service-pod
  Server:
    Endpoint:    10.4.0.16:51830
    Peer:        100.96.0.0/24
    Public Key:  d7Q5KQuLcr4VTxJcwsZmtDoq7fEpyYTuR1x0BWiaEXw=
Status:  Connected
Events:  <none>
This looks similar to the result after creating the network, but we now have a new field called Server as part of the spec. This field contains the connection information needed for adding the connected pod as a client on the WireGuard network. This information is generated automatically by DTaaS and as such shouldn't be set or modified manually.
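Because Peers, Status and Server are written by DTaaS and never by hand, a consistency check over a retrieved dtService object is a cheap way to spot drift or manual tampering on a node. The following is an added example (not DTaaS code); it assumes the object has been fetched as JSON with field names peers, spec.server.endpoint/peer/publicKey and status mirroring the describe layout above, which is an assumption, and uses a constructed sample built from the values shown on this page.

```python
import base64
import ipaddress

# Constructed sample mirroring the describe output above; JSON field names are assumed.
SAMPLE = {
    "spec": {
        "domainSelector": "mydomain",
        "podSelector": "service-pod",
        "server": {
            "endpoint": "10.4.0.16:51830",
            "peer": "100.96.0.0/24",
            "publicKey": "d7Q5KQuLcr4VTxJcwsZmtDoq7fEpyYTuR1x0BWiaEXw=",
        },
    },
    "peers": {
        "100.96.0.1": "d7Q5KQuLcr4VTxJcwsZmtDoq7fEpyYTuR1x0BWiaEXw=",
        "100.96.0.2": "0/0DnGBZH2wc81p25+Kygj9KxLZu2vjWsX8kte/GUR4=",
    },
    "status": "Connected",
}


def is_wireguard_key(value):
    """A WireGuard public key is 32 raw bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def check_dtservice(obj):
    """Return a list of findings; an empty list means the object is consistent."""
    findings = []
    if obj.get("status") != "Connected":
        findings.append("status is %r, not Connected" % obj.get("status"))
    peers = obj.get("peers") or {}
    for ip, key in peers.items():
        if not is_wireguard_key(key):
            findings.append("peer %s has a malformed public key" % ip)
    server = obj.get("spec", {}).get("server")
    if server:  # only present on pods that joined an existing network as clients
        net = ipaddress.ip_network(server["peer"], strict=False)
        host, _, port = server["endpoint"].rpartition(":")
        if not (host and port.isdigit() and 0 < int(port) < 65536):
            findings.append("server endpoint %r is not host:port" % server["endpoint"])
        if server["publicKey"] not in peers.values():
            findings.append("server public key is not listed among peers")
        for ip in peers:
            if ipaddress.ip_address(ip) not in net:
                findings.append("peer %s is outside server network %s" % (ip, net))
    return findings
```

Run check_dtservice over the output of a JSON fetch of each dtService; any finding on an object DTaaS reports as Connected is worth investigating, since these fields are not meant to be edited by users.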