Skip to content

WireGuard: Deprecate userspace fallback #31867

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 15, 2024
Merged

WireGuard: Deprecate userspace fallback #31867

merged 1 commit into from
Apr 15, 2024

Conversation

gandro
Copy link
Member

@gandro gandro commented Apr 9, 2024
edited
Loading

Cilium's WireGuard transparent encryption has the ability to run the WireGuard encryption logic in userspace via the
enable-wireguard-userspace-fallback flag. When enabled, and the Linux kernel does not support WireGuard, Cilium will run wireguard-go's userspace implementation of WireGuard inside the cilium-agent to provide encryption.

However, because encryption is done inside the cilium-agent process in that mode, any downtime of cilium-agent (e.g. during upgrades or pod restarts) means that all pod-to-pod traffic is disrupted during that downtime. This means that enable-wireguard-userspace-fallback is unsuitable for production use in its current form. As many cloud providers now have WireGuard support in their kernel, there is less need to provide a userspace fallback. This change therefore deprecates the enable-wireguard-userspace-fallback flag, so it can be removed in a future Cilium release. This does not prevent any future re-implementation of the feature using an out-of-process implementation if the need arises.

@gandro gandro added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. feature/wireguard Relates to Cilium's Wireguard feature labels Apr 9, 2024
@gandro gandro requested review from a team as code owners April 9, 2024 14:41
@gandro gandro requested review from brb, joamaki, squeed and qmonnet April 9, 2024 14:41
@gandro
Copy link
Member Author

gandro commented Apr 9, 2024

/test

@gandro gandro added the dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. label Apr 15, 2024
@gandro
wireguard: Deprecate userspace fallback
2628b8b 
Cilium's WireGuard transparent encryption has the ability to run the
WireGuard encryption logic in userspace via the
`enable-wireguard-userspace-fallback` flag. When enabled, and the Linux
kernel does not support WireGuard, Cilium will run wireguard-go's
userspace implementation of WireGuard inside the `cilium-agent` to
provide encryption.

However, because encryption is done inside the `cilium-agent` process in
that mode, any downtime of `cilium-agent` (e.g. during upgrades or pod
restarts) means that all pod-to-pod traffic is disrupted during that
downtime. This means that `enable-wireguard-userspace-fallback` is
unsuitable for production use in its current form. As many cloud
providers now have WireGuard support in their kernel, there is less need
to provide a userspace fallback. This change therefore deprecates the
`enable-wireguard-userspace-fallback` flag, so it can be removed in a
future Cilium release. This does not prevent any future
re-implementation of the feature using an out-of-process implementation
if the need arises.

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
@gandro gandro force-pushed the pr/gandro/deprecate-wireguard-usermode-fallback branch from 72cbee6 to 2628b8b Compare April 15, 2024 07:57
@gandro gandro removed the dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. label Apr 15, 2024
@gandro
Copy link
Member Author

gandro commented Apr 15, 2024

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 15, 2024
@squeed squeed added this pull request to the merge queue Apr 15, 2024
Merged via the queue into cilium:main with commit c5f486d Apr 15, 2024
@joestringer joestringer changed the title wireguard: Deprecate userspace fallback WireGuard: Deprecate userspace fallback May 2, 2024
@joestringer
Copy link
Member

Given that PR titles end up in release notes, we may want to aim for using the canonical formatting of the name WireGuard to ensure consistency. I've updated this one.

@julianwiedmann julianwiedmann mentioned this pull request Jul 5, 2024
Closed
julianwiedmann added a commit to julianwiedmann/cilium that referenced this pull request Oct 1, 2024
@julianwiedmann
wireguard: remove deprecated userspace fallback
e8864c2 
The userspace fallback was deprecated in v1.16 with
cilium#31867. Let's remove it now.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann julianwiedmann mentioned this pull request Oct 1, 2024
Merged
julianwiedmann added a commit to julianwiedmann/cilium that referenced this pull request Oct 1, 2024
@julianwiedmann
wireguard: remove deprecated userspace fallback
e4a7c9e 
The userspace fallback was deprecated in v1.16 with
cilium#31867. Let's remove it now.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
julianwiedmann added a commit to julianwiedmann/cilium that referenced this pull request Oct 1, 2024
@julianwiedmann
wireguard: remove deprecated userspace fallback
1c96153 
The userspace fallback was deprecated in v1.16 with
cilium#31867. Let's remove it now.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
julianwiedmann added a commit to julianwiedmann/cilium that referenced this pull request Oct 1, 2024
@julianwiedmann
wireguard: remove deprecated userspace fallback
fb14355 
The userspace fallback was deprecated in v1.16 with
cilium#31867. Let's remove it now.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
julianwiedmann added a commit to julianwiedmann/cilium that referenced this pull request Oct 2, 2024
@julianwiedmann
wireguard: remove deprecated userspace fallback
4cb71c9 
The userspace fallback was deprecated in v1.16 with
cilium#31867. Let's remove it now.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
julianwiedmann added a commit to julianwiedmann/cilium that referenced this pull request Oct 3, 2024
@julianwiedmann
wireguard: remove deprecated userspace fallback
1322001 
The userspace fallback was deprecated in v1.16 with
cilium#31867. Let's remove it now.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
julianwiedmann added a commit to julianwiedmann/cilium that referenced this pull request Oct 7, 2024
@julianwiedmann
wireguard: remove deprecated userspace fallback
6396845 
The userspace fallback was deprecated in v1.16 with
cilium#31867. Let's remove it now.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
julianwiedmann added a commit to julianwiedmann/cilium that referenced this pull request Oct 7, 2024
@julianwiedmann
wireguard: remove deprecated userspace fallback
0061fcf 
The userspace fallback was deprecated in v1.16 with
cilium#31867. Let's remove it now.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
github-merge-queue bot pushed a commit that referenced this pull request Oct 7, 2024
@julianwiedmann
wireguard: remove deprecated userspace fallback
2578e8f 
The userspace fallback was deprecated in v1.16 with
#31867. Let's remove it now.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brb brb brb approved these changes

@squeed squeed squeed approved these changes

@joamaki joamaki joamaki approved these changes

@qmonnet qmonnet qmonnet approved these changes

Assignees
No one assigned
Labels
area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. feature/wireguard Relates to Cilium's Wireguard feature ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@gandro @joestringer @brb @squeed @joamaki @qmonnet