Calico: feature request: Add wireguard to encapsulation options

Created on 21 Nov 2019 · 4 Comments · Source: projectcalico/calico

Adding the above should have the following benefits:

  1. blazingly fast network encryption, a competitive edge over other IPSec-based solutions.
  2. cross network encapsulation as a bonus!
  3. reach feature parity with flannel (supports WireGuard via the extension backend) - making migration to calico even more enticing!

Reference flannel wireguard support:
https://github.com/coreos/flannel/blob/master/dist/extension-wireguard

Context

We've been using flannel with the wireguard backend in production for the past 1.5 years now and would like to simplify our network stack around Calico.

Your Environment

  • calico 3.7.x (plans to upgrade to 3.10.x)
  • k8s 1.15.x -> k8s 1.16.x
  • AWS/Bare metal/OpenStack/AKS etc
  • Container Linux

Thank you for making Calico great!

All 4 comments

@mindw good news! Calico v3.14.0 has tech-preview support for wireguard.

Read more about it here: https://docs.projectcalico.org/security/try-node-to-node-encryption.

I'll leave this issue open for now in order to gather feedback.

Indeed. Many thanks, we'll take this for a spin ASAP!

That is awesome news! From what I can tell from https://github.com/projectcalico/libcalico-go/pull/1215 there is no support for wireguard nodes that live outside of the kube cluster(?) as the public key exchange relies on reading calico nodes' attributes (if I read this right). Are there any plans to support communication outside the cluster (non-calico hosts or another remote kube cluster)?

An update on this. We've successfully replaced our custom setup of Canal/wireguard with Calico 3.15.x.

Many thanks yet again!
