in controllers/daemon/podendpoint_controller.go [113:182]
// reconcile programs the gateway network namespace for one PodEndpoint and
// then records that peer in the gateway node status.
//
// Inside the gateway netns it adds (or refreshes) the pod's WireGuard peer on
// the gateway interface, with the parsed pod prefix as the peer's only
// AllowedIPs entry, and installs the peer routes via addWireguardPeerRoutes.
// Back outside the netns it appends a PeerConfiguration for this pod through
// updateGatewayNodeStatus.
//
// ctx supplies the logger and cancellation; gwConfig selects the gateway
// WireGuard interface; podEndpoint provides the pod's public key and address.
//
// Returns an empty ctrl.Result and nil on success. Every failure is returned
// wrapped with the step that produced it, with no requeue interval set, so a
// retry is left to the controller's error backoff.
func (r *PodEndpointReconciler) reconcile(
	ctx context.Context,
	gwConfig *egressgatewayv1alpha1.StaticGatewayConfiguration,
	podEndpoint *egressgatewayv1alpha1.PodEndpoint,
) (ctrl.Result, error) {
	logger := log.FromContext(ctx)
	logger.Info("Reconciling PodEndpoint")

	nsName := consts.GatewayNetnsName
	gatewayNS, err := r.NetNS.GetNS(nsName)
	if err != nil {
		return ctrl.Result{}, fmt.Errorf("failed to get gateway network namespace %s: %w", nsName, err)
	}
	defer gatewayNS.Close()

	// Everything that touches the WireGuard device or the routing table runs
	// inside the gateway netns; the closure's error surfaces unchanged below.
	configurePeer := func(ns.NetNS) error {
		client, err := r.WgCtrl.New()
		if err != nil {
			return fmt.Errorf("failed to create wgctrl client: %w", err)
		}
		// Close errors are deliberately dropped: the device has already been
		// configured (or not) by the time the client is released.
		defer func() { _ = client.Close() }()

		peerKey, err := wgtypes.ParseKey(podEndpoint.Spec.PodPublicKey)
		if err != nil {
			return fmt.Errorf("failed to parse pod wireguard public key: %w", err)
		}

		// net.ParseCIDR returns the network with the host bits cleared, so the
		// AllowedIPs entry below is the whole prefix, not necessarily a single
		// pod address. NOTE(review): assumes PodIpAddress always carries a
		// host-length prefix; a shorter prefix would authorize this peer for
		// every source address in that subnet — confirm at the producer.
		_, peerNet, err := net.ParseCIDR(podEndpoint.Spec.PodIpAddress)
		if err != nil {
			return fmt.Errorf("failed to parse pod IPv4 address: %w", err)
		}

		// ReplaceAllowedIPs overwrites the peer's existing allowed set instead
		// of appending to it, so re-running reconcile does not accumulate
		// stale prefixes on the peer.
		peer := wgtypes.PeerConfig{
			PublicKey:         peerKey,
			ReplaceAllowedIPs: true,
			AllowedIPs:        []net.IPNet{*peerNet},
		}
		deviceConfig := wgtypes.Config{Peers: []wgtypes.PeerConfig{peer}}
		if err := client.ConfigureDevice(getWireguardInterfaceName(gwConfig), deviceConfig); err != nil {
			return fmt.Errorf("failed to add peer to wireguard device: %w", err)
		}

		if err := r.addWireguardPeerRoutes(gwConfig, podEndpoint); err != nil {
			return fmt.Errorf("failed to add pod route: %w", err)
		}
		return nil
	}
	if err := gatewayNS.Do(configurePeer); err != nil {
		return ctrl.Result{}, err
	}

	// The pod is identified in status by namespace/name; the key is recorded
	// as the raw string from the spec, not the parsed form.
	peerEntry := egressgatewayv1alpha1.PeerConfiguration{
		PodEndpoint:   fmt.Sprintf("%s/%s", podEndpoint.Namespace, podEndpoint.Name),
		InterfaceName: getWireguardInterfaceName(gwConfig),
		PublicKey:     podEndpoint.Spec.PodPublicKey,
	}
	if err := r.updateGatewayNodeStatus(ctx, []egressgatewayv1alpha1.PeerConfiguration{peerEntry}, true /* add */); err != nil {
		return ctrl.Result{}, err
	}

	logger.Info("Pod wireguard endpoint reconciled")
	return ctrl.Result{}, nil
}