Skip to content

Commit 05b67ab

Browse files
coadlercoadler
authored
feat: peer wireguard (coder#2445)
1 parent d21ab21 commit 05b67ab

34 files changed

Lines changed: 1937 additions & 238 deletions

Makefile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -60,7 +60,7 @@ coderd/database/dump.sql: $(wildcard coderd/database/migrations/*.sql)
6060
go run coderd/database/dump/main.go
6161

6262
# Generates Go code for querying the database.
63-
coderd/database/querier.go: coderd/database/dump.sql $(wildcard coderd/database/queries/*.sql)
63+
coderd/database/querier.go: coderd/database/sqlc.yaml coderd/database/dump.sql $(wildcard coderd/database/queries/*.sql)
6464
coderd/database/generate.sh
6565

6666
# This target is deprecated, as GNU make has issues passing signals to subprocesses.

agent/agent.go

Lines changed: 38 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -27,10 +27,13 @@ import (
2727
"go.uber.org/atomic"
2828
gossh "golang.org/x/crypto/ssh"
2929
"golang.org/x/xerrors"
30+
"inet.af/netaddr"
31+
"tailscale.com/types/key"
3032

3133
"cdr.dev/slog"
3234
"github.com/coder/coder/agent/usershell"
3335
"github.com/coder/coder/peer"
36+
"github.com/coder/coder/peer/peerwg"
3437
"github.com/coder/coder/peerbroker"
3538
"github.com/coder/coder/pty"
3639
"github.com/coder/retry"
@@ -43,20 +46,31 @@ const (
4346
)
4447

4548
type Options struct {
49+
EnableWireguard bool
50+
UploadWireguardKeys UploadWireguardKeys
51+
ListenWireguardPeers ListenWireguardPeers
4652
ReconnectingPTYTimeout time.Duration
4753
EnvironmentVariables map[string]string
4854
Logger slog.Logger
4955
}
5056

5157
type Metadata struct {
52-
OwnerEmail string `json:"owner_email"`
53-
OwnerUsername string `json:"owner_username"`
54-
EnvironmentVariables map[string]string `json:"environment_variables"`
55-
StartupScript string `json:"startup_script"`
56-
Directory string `json:"directory"`
58+
WireguardAddresses []netaddr.IPPrefix `json:"addresses"`
59+
OwnerEmail string `json:"owner_email"`
60+
OwnerUsername string `json:"owner_username"`
61+
EnvironmentVariables map[string]string `json:"environment_variables"`
62+
StartupScript string `json:"startup_script"`
63+
Directory string `json:"directory"`
64+
}
65+
66+
type WireguardPublicKeys struct {
67+
Public key.NodePublic `json:"public"`
68+
Disco key.DiscoPublic `json:"disco"`
5769
}
5870

5971
type Dialer func(ctx context.Context, logger slog.Logger) (Metadata, *peerbroker.Listener, error)
72+
type UploadWireguardKeys func(ctx context.Context, keys WireguardPublicKeys) error
73+
type ListenWireguardPeers func(ctx context.Context, logger slog.Logger) (<-chan peerwg.Handshake, func(), error)
6074

6175
func New(dialer Dialer, options *Options) io.Closer {
6276
if options == nil {
@@ -73,6 +87,9 @@ func New(dialer Dialer, options *Options) io.Closer {
7387
closeCancel: cancelFunc,
7488
closed: make(chan struct{}),
7589
envVars: options.EnvironmentVariables,
90+
enableWireguard: options.EnableWireguard,
91+
postKeys: options.UploadWireguardKeys,
92+
listenWireguardPeers: options.ListenWireguardPeers,
7693
}
7794
server.init(ctx)
7895
return server
@@ -95,6 +112,11 @@ type agent struct {
95112
metadata atomic.Value
96113
startupScript atomic.Bool
97114
sshServer *ssh.Server
115+
116+
enableWireguard bool
117+
network *peerwg.Network
118+
postKeys UploadWireguardKeys
119+
listenWireguardPeers ListenWireguardPeers
98120
}
99121

100122
func (a *agent) run(ctx context.Context) {
@@ -138,6 +160,13 @@ func (a *agent) run(ctx context.Context) {
138160
}()
139161
}
140162

163+
if a.enableWireguard {
164+
err = a.startWireguard(ctx, metadata.WireguardAddresses)
165+
if err != nil {
166+
a.logger.Error(ctx, "start wireguard", slog.Error(err))
167+
}
168+
}
169+
141170
for {
142171
conn, err := peerListener.Accept()
143172
if err != nil {
@@ -366,17 +395,17 @@ func (a *agent) createCommand(ctx context.Context, rawCommand string, env []stri
366395

367396
// Load environment variables passed via the agent.
368397
// These should override all variables we manually specify.
369-
for key, value := range metadata.EnvironmentVariables {
398+
for envKey, value := range metadata.EnvironmentVariables {
370399
// Expanding environment variables allows for customization
371400
// of the $PATH, among other variables. Customers can prepand
372401
// or append to the $PATH, so allowing expand is required!
373-
cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", key, os.ExpandEnv(value)))
402+
cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", envKey, os.ExpandEnv(value)))
374403
}
375404

376405
// Agent-level environment variables should take over all!
377406
// This is used for setting agent-specific variables like "CODER_AGENT_TOKEN".
378-
for key, value := range a.envVars {
379-
cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", key, value))
407+
for envKey, value := range a.envVars {
408+
cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", envKey, value))
380409
}
381410

382411
return cmd, nil

agent/wireguard.go

Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,63 @@
1+
package agent
2+
3+
import (
4+
"context"
5+
6+
"golang.org/x/xerrors"
7+
"inet.af/netaddr"
8+
9+
"cdr.dev/slog"
10+
"github.com/coder/coder/peer/peerwg"
11+
)
12+
13+
func (a *agent) startWireguard(ctx context.Context, addrs []netaddr.IPPrefix) error {
14+
if a.network != nil {
15+
_ = a.network.Close()
16+
a.network = nil
17+
}
18+
19+
// We can't create a wireguard network without these.
20+
if len(addrs) == 0 || a.listenWireguardPeers == nil || a.postKeys == nil {
21+
return xerrors.New("wireguard is enabled, but no addresses were provided or necessary functions were not provided")
22+
}
23+
24+
wg, err := peerwg.New(a.logger.Named("wireguard"), addrs)
25+
if err != nil {
26+
return xerrors.Errorf("create wireguard network: %w", err)
27+
}
28+
29+
// A new keypair is generated on each agent start.
30+
// This keypair must be sent to Coder to allow for incoming connections.
31+
err = a.postKeys(ctx, WireguardPublicKeys{
32+
Public: wg.NodePrivateKey.Public(),
33+
Disco: wg.DiscoPublicKey,
34+
})
35+
if err != nil {
36+
a.logger.Warn(ctx, "post keys", slog.Error(err))
37+
}
38+
39+
go func() {
40+
for {
41+
ch, listenClose, err := a.listenWireguardPeers(ctx, a.logger)
42+
if err != nil {
43+
a.logger.Warn(ctx, "listen wireguard peers", slog.Error(err))
44+
return
45+
}
46+
47+
for {
48+
peer, ok := <-ch
49+
if !ok {
50+
break
51+
}
52+
53+
err := wg.AddPeer(peer)
54+
a.logger.Info(ctx, "added wireguard peer", slog.F("peer", peer.NodePublicKey.ShortString()), slog.Error(err))
55+
}
56+
57+
listenClose()
58+
}
59+
}()
60+
61+
a.network = wg
62+
return nil
63+
}

cli/agent.go

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -14,17 +14,15 @@ import (
1414
"cloud.google.com/go/compute/metadata"
1515
"github.com/spf13/cobra"
1616
"golang.org/x/xerrors"
17+
"gopkg.in/natefinch/lumberjack.v2"
1718

1819
"cdr.dev/slog"
1920
"cdr.dev/slog/sloggers/sloghuman"
20-
2121
"github.com/coder/coder/agent"
2222
"github.com/coder/coder/agent/reaper"
2323
"github.com/coder/coder/cli/cliflag"
2424
"github.com/coder/coder/codersdk"
2525
"github.com/coder/retry"
26-
27-
"gopkg.in/natefinch/lumberjack.v2"
2826
)
2927

3028
func workspaceAgent() *cobra.Command {
@@ -33,6 +31,7 @@ func workspaceAgent() *cobra.Command {
3331
pprofEnabled bool
3432
pprofAddress string
3533
noReap bool
34+
wireguard bool
3635
)
3736
cmd := &cobra.Command{
3837
Use: "agent",
@@ -178,6 +177,9 @@ func workspaceAgent() *cobra.Command {
178177
// shells so "gitssh" works!
179178
"CODER_AGENT_TOKEN": client.SessionToken,
180179
},
180+
EnableWireguard: wireguard,
181+
UploadWireguardKeys: client.UploadWorkspaceAgentKeys,
182+
ListenWireguardPeers: client.WireguardPeerListener,
181183
})
182184
<-cmd.Context().Done()
183185
return closer.Close()
@@ -188,5 +190,6 @@ func workspaceAgent() *cobra.Command {
188190
cliflag.BoolVarP(cmd.Flags(), &pprofEnabled, "pprof-enable", "", "CODER_AGENT_PPROF_ENABLE", false, "Enable serving pprof metrics on the address defined by --pprof-address.")
189191
cliflag.BoolVarP(cmd.Flags(), &noReap, "no-reap", "", "", false, "Do not start a process reaper.")
190192
cliflag.StringVarP(cmd.Flags(), &pprofAddress, "pprof-address", "", "CODER_AGENT_PPROF_ADDRESS", "127.0.0.1:6060", "The address to serve pprof.")
193+
cliflag.BoolVarP(cmd.Flags(), &wireguard, "wireguard", "", "CODER_AGENT_WIREGUARD", true, "Whether to start the Wireguard interface.")
191194
return cmd
192195
}

cli/agent_test.go

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -46,7 +46,7 @@ func TestWorkspaceAgent(t *testing.T) {
4646
workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
4747
coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
4848

49-
cmd, _ := clitest.New(t, "agent", "--auth", "azure-instance-identity", "--agent-url", client.URL.String())
49+
cmd, _ := clitest.New(t, "agent", "--auth", "azure-instance-identity", "--agent-url", client.URL.String(), "--wireguard=false")
5050
ctx, cancelFunc := context.WithCancel(context.Background())
5151
defer cancelFunc()
5252
errC := make(chan error)
@@ -101,7 +101,7 @@ func TestWorkspaceAgent(t *testing.T) {
101101
workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
102102
coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
103103

104-
cmd, _ := clitest.New(t, "agent", "--auth", "aws-instance-identity", "--agent-url", client.URL.String())
104+
cmd, _ := clitest.New(t, "agent", "--auth", "aws-instance-identity", "--agent-url", client.URL.String(), "--wireguard=false")
105105
ctx, cancelFunc := context.WithCancel(context.Background())
106106
defer cancelFunc()
107107
errC := make(chan error)
@@ -156,7 +156,7 @@ func TestWorkspaceAgent(t *testing.T) {
156156
workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
157157
coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
158158

159-
cmd, _ := clitest.New(t, "agent", "--auth", "google-instance-identity", "--agent-url", client.URL.String())
159+
cmd, _ := clitest.New(t, "agent", "--auth", "google-instance-identity", "--agent-url", client.URL.String(), "--wireguard=false")
160160
ctx, cancelFunc := context.WithCancel(context.Background())
161161
defer cancelFunc()
162162
errC := make(chan error)

cli/root.go

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -73,22 +73,23 @@ func Root() *cobra.Command {
7373
list(),
7474
login(),
7575
logout(),
76+
parameters(),
77+
portForward(),
7678
publickey(),
7779
resetPassword(),
7880
schedules(),
7981
server(),
8082
show(),
83+
ssh(),
8184
start(),
8285
state(),
8386
stop(),
84-
ssh(),
8587
templates(),
8688
update(),
8789
users(),
88-
portForward(),
89-
workspaceAgent(),
9090
versionCmd(),
91-
parameters(),
91+
wireguardPortForward(),
92+
workspaceAgent(),
9293
)
9394

9495
cmd.SetUsageTemplate(usageTemplate())

0 commit comments

Comments
 (0)