Calico wireguard (#7638)

* Calico: add Wireguard support

* CI: Add Calico Wireguard scenario

roles/network_plugin/calico/defaults/main.yml

@@ -80,6 +80,11 @@ calico_iptables_lock_timeout_secs: 10
 # Choose Calico iptables backend: "Legacy", "Auto" or "NFT" (FELIX_IPTABLESBACKEND)
 calico_iptables_backend: "Legacy"
 
+# Calico Wireguard support
+calico_wireguard_enabled: false
+calico_wireguard_packages: []
+calico_wireguard_repo: https://download.copr.fedorainfracloud.org/results/jdoss/wireguard/epel-{{ ansible_distribution_major_version }}-$basearch/
+
 # If you want to use non default IP_AUTODETECTION_METHOD for calico node set this option to one of:
 # * can-reach=DESTINATION
 # * interface=INTERFACE-REGEX

roles/network_plugin/calico/tasks/install.yml

@@ -1,4 +1,14 @@
 ---
+- name: Calico | Install Wireguard packages
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items: "{{ calico_wireguard_packages }}"
+  register: calico_package_install
+  until: calico_package_install is succeeded
+  retries: 4
+  when: calico_wireguard_enabled
+
 - name: Calico | Copy calicoctl binary from download dir
   copy:
     src: "{{ local_release_dir }}/calicoctl"
@@ -148,6 +158,7 @@
           "bpfLogLevel": "{{ calico_bpf_log_level }}",
           "bpfEnabled": {{ calico_bpf_enabled | bool }},
           "bpfExternalServiceMode": "{{ calico_bpf_service_mode }}",
+          "wireguardEnabled": {{ calico_wireguard_enabled | bool }},
           "logSeverityScreen": "{{ calico_felix_log_severity_screen }}" }}
   when:
     - inventory_hostname == groups['kube_control_plane'][0]

roles/network_plugin/calico/tasks/main.yml

@@ -3,4 +3,6 @@
 
 - import_tasks: pre.yml
 
+- import_tasks: repos.yml
+
 - include_tasks: install.yml

roles/network_plugin/calico/tasks/pre.yml

@@ -25,3 +25,20 @@
   delegate_to: "{{ groups['kube_control_plane'][0] }}"
   when:
   - "cloud_provider is defined"
+
+- name: Calico | Gather os specific variables
+  include_vars: "{{ item }}"
+  with_first_found:
+  - files:
+    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml"
+    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml"
+    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml"
+    - "{{ ansible_distribution|lower }}.yml"
+    - "{{ ansible_os_family|lower }}-{{ ansible_architecture }}.yml"
+    - "{{ ansible_os_family|lower }}.yml"
+    - defaults.yml
+    paths:
+    - ../vars
+    skip: true
+  tags:
+  - facts

roles/network_plugin/calico/tasks/repos.yml

@@ -0,0 +1,20 @@
+---
+- name: Calico | Add wireguard yum repo
+  when:
+    - calico_wireguard_enabled
+  block:
+
+    - name: Calico | Add wireguard yum repo
+      yum_repository:
+        name: copr:copr.fedorainfracloud.org:jdoss:wireguard
+        file: _copr:copr.fedorainfracloud.org:jdoss:wireguard
+        description: Copr repo for wireguard owned by jdoss
+        baseurl: "{{ calico_wireguard_repo }}"
+        gpgcheck: yes
+        gpgkey: https://download.copr.fedorainfracloud.org/results/jdoss/wireguard/pubkey.gpg
+        skip_if_unavailable: yes
+        enabled: yes
+        repo_gpgcheck: no
+      when:
+        - ansible_os_family in ['RedHat']
+        - ansible_distribution not in ['Fedora']

roles/network_plugin/calico/vars/amazon.yml

@@ -0,0 +1,5 @@
+---
+calico_wireguard_repo: https://download.copr.fedorainfracloud.org/results/jdoss/wireguard/epel-7-$basearch/
+calico_wireguard_packages:
+  - wireguard-dkms
+  - wireguard-tools

roles/network_plugin/calico/vars/debian.yml

@@ -0,0 +1,3 @@
+---
+calico_wireguard_packages:
+  - wireguard

roles/network_plugin/calico/vars/fedora.yml

@@ -0,0 +1,3 @@
+---
+calico_wireguard_packages:
+  - wireguard-tools

roles/network_plugin/calico/vars/opensuse.yml

@@ -0,0 +1,3 @@
+---
+calico_wireguard_packages:
+  - wireguard-tools

roles/network_plugin/calico/vars/redhat.yml

@@ -0,0 +1,4 @@
+---
+calico_wireguard_packages:
+  - wireguard-dkms
+  - wireguard-tools