in controllers/daemon/staticgatewayconfiguration_controller.go [594:655]
// configureGatewayNamespace prepares the gateway network namespace for one
// StaticGatewayConfiguration. It reconciles the wireguard link and the veth
// pair first, then enters the namespace to bring "lo" up and to install the
// two nat-table chains that identify and source-NAT traffic arriving on the
// gateway's wireguard link:
//
//   - PREROUTING  -> EGRESS-GATEWAY-MARK-<mark>: CONNMARK --set-mark <mark> for
//     packets entering on the wireguard link;
//   - POSTROUTING -> EGRESS-GATEWAY-SNAT-<mark>: SNAT to vmSecondaryIP for
//     connections carrying that mark and leaving via consts.HostLinkName.
//
// The caller is responsible for passing a valid vmSecondaryIP; nothing here
// validates the address before it is written into the SNAT rule (the rule is
// handed to iptables as an argument vector, not through a shell).
//
// Returns the first error encountered; namespace lookup and "lo" failures are
// wrapped with context, errors from the reconcile helpers and
// ensureIPTablesChain are returned as-is.
func (r *StaticGatewayConfigurationReconciler) configureGatewayNamespace(
	ctx context.Context,
	gwConfig *egressgatewayv1alpha1.StaticGatewayConfiguration,
	privateKey *wgtypes.Key,
	vmPrimaryIP string,
	vmSecondaryIP string,
) error {
	gatewayNS, err := r.NetNS.GetNS(consts.GatewayNetnsName)
	if err != nil {
		return fmt.Errorf("failed to get network namespace %s: %w", consts.GatewayNetnsName, err)
	}
	defer gatewayNS.Close()

	// Links are reconciled from the host side before any work inside the namespace.
	if err = r.reconcileWireguardLink(ctx, gatewayNS, gwConfig, privateKey); err != nil {
		return err
	}
	if err = r.reconcileVethPair(ctx, gatewayNS, vmPrimaryIP, vmSecondaryIP); err != nil {
		return err
	}

	// Everything below runs with the gateway namespace as the current netns.
	return gatewayNS.Do(func(_ ns.NetNS) error {
		loopback, lerr := r.Netlink.LinkByName("lo")
		if lerr != nil {
			return fmt.Errorf("failed to retrieve link lo: %w", lerr)
		}
		if lerr = r.Netlink.LinkSetUp(loopback); lerr != nil {
			return fmt.Errorf("failed to set lo up: %w", lerr)
		}

		wgLink := getWireguardInterfaceName(gwConfig)
		mark, merr := getPacketMark(wgLink)
		if merr != nil {
			return merr
		}
		// The same mark value is used both as the chain suffix and as the CONNMARK value.
		markValue := fmt.Sprintf("%d", mark)
		markChain := utiliptables.Chain(fmt.Sprintf("EGRESS-GATEWAY-MARK-%d", mark))
		snatChain := utiliptables.Chain(fmt.Sprintf("EGRESS-GATEWAY-SNAT-%d", mark))

		// Tag connections entering on the wireguard link so the reply/egress
		// path can be matched in POSTROUTING.
		markRules := [][]string{
			{"-i", wgLink, "-j", "CONNMARK", "--set-mark", markValue},
		}
		if cerr := r.ensureIPTablesChain(
			ctx,
			utiliptables.TableNAT,
			markChain,                     // target chain
			utiliptables.ChainPrerouting, // source chain
			fmt.Sprintf("kube-egress-gateway mark packets from gateway link %s", wgLink),
			markRules,
		); cerr != nil {
			return cerr
		}

		// Source-NAT marked connections leaving through the host link to the
		// VM's secondary IP.
		snatRules := [][]string{
			{"-o", consts.HostLinkName, "-m", "connmark", "--mark", markValue, "-j", "SNAT", "--to-source", vmSecondaryIP},
		}
		if cerr := r.ensureIPTablesChain(
			ctx,
			utiliptables.TableNAT,
			snatChain,                      // target chain
			utiliptables.ChainPostrouting, // source chain
			fmt.Sprintf("kube-egress-gateway sNAT packets from gateway link %s", wgLink),
			snatRules,
		); cerr != nil {
			return cerr
		}
		return nil
	})
}