@highstate/wireguard 0.7.0 → 0.7.2

package/dist/config/index.js

@@ -1,6 +1,6 @@
 import { wireguard } from '@highstate/library';
 import { forUnit, output } from '@highstate/pulumi';
-import { b as generateIdentityConfig } from '../shared-BVOzbQ3O.js';
+import { b as generateIdentityConfig } from '../shared-D24icZbJ.js';
 import '@noble/curves/ed25519';
 
 function text(array, ...values) {

package/dist/identity/index.js

@@ -1,6 +1,6 @@
 import { wireguard } from '@highstate/library';
 import { forUnit, getOrCreateSecret, toPromise } from '@highstate/pulumi';
-import { g as generateKey, a as generatePresharedKey, c as convertPrivateKeyToPublicKey } from '../shared-BVOzbQ3O.js';
+import { g as generateKey, a as generatePresharedKey, c as convertPrivateKeyToPublicKey } from '../shared-D24icZbJ.js';
 import '@noble/curves/ed25519';
 
 const { name, args, inputs, secrets, outputs } = forUnit(wireguard.identity);
@@ -10,10 +10,12 @@ const presharedKeyPart = getOrCreateSecret(secrets, "presharedKeyPart", () => {
     return network?.presharedKeyMode === "secure" ? generatePresharedKey() : void 0;
   });
 });
-const allowedIps = await toPromise(addK8sServiceIps(args.allowedIps ?? [args.address]));
+const defaultAllowedIps = args.address ? [args.address] : [];
+const allowedIps = await toPromise(addK8sServiceIps(args.allowedIps ?? defaultAllowedIps));
 const argsAllowedIpsString = args.allowedIps?.join(", ");
 const calculatedAllowedIpsString = allowedIps.join(", ");
 const calculatedEndpoint = args.externalIp && args.listenPort ? ` ${args.externalIp}:${args.listenPort}` : void 0;
+const publicKey = privateKey.apply(convertPrivateKeyToPublicKey);
 var index = outputs({
   identity: {
     name: args.peerName ?? name,
@@ -24,25 +26,27 @@ var index = outputs({
     k8sServices: inputs.k8sServices,
     exitNode: args.exitNode ?? false,
     listenPort: args.listenPort,
-    externalIp: args.externalIp
+    externalIp: args.externalIp,
+    endpoint: args.endpoint ?? calculatedEndpoint
   },
   peer: {
     name: args.peerName ?? name,
     network: inputs.network,
     address: args.address,
-    publicKey: privateKey.apply(convertPrivateKeyToPublicKey),
+    publicKey,
     allowedIps,
     endpoint: args.endpoint ?? calculatedEndpoint,
     presharedKeyPart
   },
   $status: {
+    publicKey,
     allowedIps: calculatedAllowedIpsString !== argsAllowedIpsString ? calculatedAllowedIpsString : void 0,
     endpoint: calculatedEndpoint !== args.endpoint ? calculatedEndpoint : void 0
   }
 });
 function addK8sServiceIps(allowedIps2) {
   return inputs.k8sServices.apply((k8sServices) => {
-    const ips = k8sServices.map((service) => service.ip).filter((ip) => ip !== void 0);
+    const ips = k8sServices.map((service) => service.spec.clusterIP).filter((ip) => ip !== void 0);
     return allowedIps2.concat(ips);
   });
 }

package/dist/node/index.js

@@ -1,30 +1,39 @@
-import { createProvider, createNamespace, mapMetadata, Deployment, NetworkPolicy } from '@highstate/k8s';
+import { createProvider, getNamespace, createNamespace, mapMetadata, Deployment, StatefulSet, NetworkPolicy, getAppDisplayName, getAppName } from '@highstate/k8s';
 import { wireguard } from '@highstate/library';
 import { forUnit, toPromise, output } from '@highstate/pulumi';
 import { core } from '@pulumi/kubernetes';
-import { b as generateIdentityConfig } from '../shared-BVOzbQ3O.js';
+import { b as generateIdentityConfig } from '../shared-D24icZbJ.js';
 import '@noble/curves/ed25519';
 
-const { name, args, inputs } = forUnit(wireguard.node);
+const { name, args, inputs, outputs } = forUnit(wireguard.node);
 const identity = await toPromise(inputs.identity);
 const appName = args.appName ?? `wg-${name}`;
 const containerPort = 51820;
 const serviceType = args.serviceType ?? "ClusterIP";
 const provider = await createProvider(inputs.k8sCluster);
-const namespace = createNamespace(appName, provider, {
-  metadata: {
-    labels: {
-      "pod-security.kubernetes.io/enforce": "privileged"
+const existingNamespace = await toPromise(
+  inputs.deployment?.metadata?.namespace ?? inputs.statefulSet?.metadata?.namespace
+);
+const namespace = existingNamespace ? getNamespace(existingNamespace, provider) : createNamespace(appName, provider);
+new core.v1.NamespacePatch(
+  "allow-privileged",
+  {
+    metadata: {
+      name: namespace.metadata.name,
+      labels: {
+        "pod-security.kubernetes.io/enforce": "privileged"
+      }
     }
-  }
-});
+  },
+  { provider }
+);
 const configSecret = new core.v1.Secret(
   appName,
   {
     metadata: mapMetadata({ name: appName, namespace }),
     stringData: {
-      "wg0.conf": output(inputs).apply(({ identity: identity2, peers }) => {
-        return generateIdentityConfig(identity2, peers, containerPort, [
+      "wg0.conf": output(inputs).apply(({ identity: identity2, peers: peers2 }) => {
+        return generateIdentityConfig(identity2, peers2, containerPort, args.dns, [
           "iptables -t nat -A POSTROUTING -j MASQUERADE"
         ]);
       })
@@ -32,66 +41,65 @@ const configSecret = new core.v1.Secret(
   },
   { provider }
 );
-const deployment = new Deployment(
-  appName,
-  {
-    namespace,
-    container: {
-      image: "linuxserver/wireguard:latest",
-      environment: {
-        PUID: "1000",
-        PGID: "1000",
-        TZ: "Etc/UTC"
-      },
-      securityContext: {
-        capabilities: {
-          add: ["NET_ADMIN"]
-        }
-      },
-      port: {
-        containerPort,
-        protocol: "UDP"
-      },
-      volume: configSecret,
-      volumeMount: {
-        volume: configSecret,
-        mountPath: "/config/wg_confs"
-      }
+const workloadOptions = {
+  namespace,
+  cluster: inputs.k8sCluster,
+  container: {
+    image: "linuxserver/wireguard:latest",
+    environment: {
+      PUID: "1000",
+      PGID: "1000",
+      TZ: "Etc/UTC"
     },
-    service: {
-      type: serviceType,
-      externalIPs: identity.externalIp ? [identity.externalIp] : void 0,
-      port: {
-        port: containerPort,
-        protocol: "UDP",
-        nodePort: serviceType === "NodePort" ? identity.listenPort : void 0
+    securityContext: {
+      capabilities: {
+        add: ["NET_ADMIN"]
       }
+    },
+    port: identity.endpoint ? { containerPort, protocol: "UDP" } : void 0,
+    volumeMount: {
+      volume: configSecret,
+      mountPath: "/config/wg_confs"
     }
   },
-  { provider }
-);
-NetworkPolicy.create(
-  "allow-wireguard-ingress",
-  {
-    cni: inputs.k8sCluster.cni,
-    namespace,
-    description: "Allow encapsulated WireGuard traffic to the node from anywhere.",
-    selector: deployment.deployment.spec.selector,
-    ingressRule: {
-      fromAll: true,
-      toPort: { port: containerPort, protocol: "UDP" }
-    }
-  },
-  { provider }
-);
+  service: {
+    type: serviceType,
+    externalIPs: identity.externalIp ? [identity.externalIp] : void 0,
+    port: identity.endpoint ? {
+      port: containerPort,
+      protocol: "UDP",
+      nodePort: identity.listenPort
+    } : void 0
+  }
+};
+const deployment = !inputs.statefulSet ? Deployment.create(appName, { ...workloadOptions, patch: inputs.deployment }, { provider }) : void 0;
+const statefulSet = inputs.statefulSet ? StatefulSet.create(appName, { ...workloadOptions, patch: inputs.statefulSet }, { provider }) : void 0;
+const selector = deployment?.spec.selector ?? statefulSet?.spec.selector;
+const service = deployment?.service ?? statefulSet?.service;
+if (identity.listenPort) {
+  NetworkPolicy.create(
+    "allow-wireguard-ingress",
+    {
+      cni: inputs.k8sCluster.info.cni,
+      namespace,
+      selector,
+      description: "Allow encapsulated WireGuard traffic to the node from anywhere.",
+      ingressRule: {
+        fromAll: true,
+        toPort: { port: containerPort, protocol: "UDP" }
+      }
+    },
+    { provider }
+  );
+}
 if (identity.exitNode) {
   NetworkPolicy.create(
     "allow-all-egress",
     {
-      cni: inputs.k8sCluster.cni,
+      cni: inputs.k8sCluster.info.cni,
       namespace,
+      selector,
       description: "Allow all egress traffic from the WireGuard node.",
-      selector: deployment.deployment.spec.selector,
       egressRule: {
         toAll: true
       }
@@ -99,37 +107,66 @@ if (identity.exitNode) {
     { provider }
   );
 }
-for (const service of identity.k8sServices) {
+for (const service2 of identity.k8sServices) {
+  const displayName = getAppDisplayName(service2.metadata);
   NetworkPolicy.create(
-    `allow-egress-to-${service.namespace}-${service.name}`,
+    `allow-egress-to-${getAppName(service2.metadata)}`,
     {
-      cni: inputs.k8sCluster.cni,
+      cni: inputs.k8sCluster.info.cni,
       namespace,
-      description: `Allow egress traffic from the WireGuard node to ${service.namespace}/${service.name}.`,
-      selector: deployment.deployment.spec.selector,
+      selector,
+      description: `Allow egress traffic from the WireGuard node to the service "${displayName}".`,
       egressRules: [
         {
-          toNamespace: service.namespace,
-          toSelector: service.selector
+          toNamespace: service2.metadata.namespace,
+          toSelector: service2.spec.selector
         },
         // for compatibility with Cilium which cannot correctly detect the destination endpoint when the packet is redirected by the WireGuard node
-        ...service.serviceType === "ClusterIP" && service.ip ? [{ toCidr: `${service.ip}/32` }] : []
+        ...service2.spec.clusterIP ? [{ toCidr: `${service2.spec.clusterIP}/32` }] : []
       ]
     },
     { provider }
   );
   NetworkPolicy.create(
-    `allow-ingress-from-${appName}-to-${service.name}`,
+    `allow-ingress-to-${getAppName(service2.metadata)}`,
     {
-      cni: inputs.k8sCluster.cni,
-      namespace: service.namespace,
-      description: `Allow ingress traffic from the WireGuard node ${appName} to ${service.name}.`,
-      selector: service.selector,
+      name: `allow-ingress-from-${appName}`,
+      cni: inputs.k8sCluster.info.cni,
+      namespace: service2.metadata.namespace,
+      selector: service2.spec.selector,
+      description: `Allow ingress traffic from the WireGuard node "${appName}" to the service "${displayName}".`,
       ingressRule: {
         fromNamespace: namespace,
-        fromSelector: deployment.deployment.spec.selector
+        fromSelector: selector
       }
     },
     { provider }
   );
 }
+const peers = await toPromise(inputs.peers);
+for (const peer of peers) {
+  if (!peer.endpoint) {
+    continue;
+  }
+  const [endpoint, port] = peer.endpoint.split(":");
+  NetworkPolicy.create(
+    `allow-egress-to-peer-${peer.name}`,
+    {
+      cni: inputs.k8sCluster.info.cni,
+      namespace,
+      selector,
+      description: `Allow egress traffic from the WireGuard node to the endpoint of the peer "${peer.name}".`,
+      egressRule: {
+        toEndpoint: endpoint,
+        toPort: { port: port ? parseInt(port) : containerPort, protocol: "UDP" }
+      }
+    },
+    { provider }
+  );
+}
+var index = outputs({
+  deployment: deployment?.entity,
+  service: service?.entity
+});
+
+export { index as default };

package/dist/peer/index.js

@@ -0,0 +1,22 @@
+import { wireguard } from '@highstate/library';
+import { forUnit } from '@highstate/pulumi';
+
+const { name, args, inputs, outputs } = forUnit(wireguard.peer);
+const calculatedAllowedIpds = args.address ? [args.address] : [];
+const argsAllowedIpsString = args.allowedIps?.join(", ");
+const calculatedAllowedIpsString = calculatedAllowedIpds.join(", ");
+var index = outputs({
+  peer: {
+    name: args.peerName ?? name,
+    network: inputs.network,
+    address: args.address,
+    publicKey: args.publicKey,
+    allowedIps: args.allowedIps ?? calculatedAllowedIpds,
+    endpoint: args.endpoint
+  },
+  $status: {
+    allowedIps: calculatedAllowedIpsString !== argsAllowedIpsString ? calculatedAllowedIpsString : void 0
+  }
+});
+
+export { index as default };

package/dist/{shared-BVOzbQ3O.js → shared-D24icZbJ.js}

@@ -54,14 +54,23 @@ function generatePeerConfig(identity, peer) {
   }
   return lines.join("\n");
 }
-function generateIdentityConfig(identity, peers, listenPort, postUp) {
+function generateIdentityConfig(identity, peers, listenPort, dns, postUp) {
   const lines = [
+    //
     "[Interface]",
-    `# ${identity.name}`,
-    `Address = ${identity.address}`,
+    `# ${identity.name}`
+  ];
+  if (identity.address) {
+    lines.push(`Address = ${identity.address}`);
+  }
+  lines.push(
+    //
     `PrivateKey = ${identity.privateKey}`,
     "MTU = 1280"
-  ];
+  );
+  if (dns) {
+    lines.push(`DNS = ${dns.join(", ")}`);
+  }
   if (listenPort) {
     lines.push(`ListenPort = ${listenPort}`);
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@highstate/wireguard",
-  "version": "0.7.0",
+  "version": "0.7.2",
   "type": "module",
   "files": [
     "dist"
@@ -9,7 +9,8 @@
     "./network": "./dist/network/index.js",
     "./identity": "./dist/identity/index.js",
     "./config": "./dist/config/index.js",
-    "./node": "./dist/node/index.js"
+    "./node": "./dist/node/index.js",
+    "./peer": "./dist/peer/index.js"
   },
   "publishConfig": {
     "access": "public"
@@ -18,8 +19,8 @@
     "build": "pkgroll --tsconfig=tsconfig.build.json"
   },
   "dependencies": {
-    "@highstate/k8s": "^0.7.0",
-    "@highstate/pulumi": "^0.7.0",
+    "@highstate/k8s": "^0.7.2",
+    "@highstate/pulumi": "^0.7.2",
     "@noble/curves": "^1.8.0",
     "@pulumi/kubernetes": "^4.18.0"
   },
@@ -29,5 +30,5 @@
   "devDependencies": {
     "pkgroll": "^2.5.1"
   },
-  "gitHead": "2f5227f7b88cf38946e490fc4cdb96127bd8b174"
+  "gitHead": "e177535015e0fa3c74ae8ddc0bc6d31b191d2c54"
 }