wireguard: add controller-side connectivity test #2893
Merged
Adds a controller-side check that verifies the WireGuard gateway is
forwarding traffic correctly after deployment. The test uses wireproxy
(userspace WireGuard) to bring up a SOCKS5 listener without root or a
kernel tunnel, probes Keystone through it, and tears down on exit.

The WireGuard client config downloaded by vpn-wireguard-config is
converted to wireproxy format inline: MTU and DNS lines are stripped
(wg-quick-specific), bare Address entries get a /32 prefix, and a
[Socks5] section is appended.

pre.yml installs wireproxy from a pinned GitHub release alongside tofu,
using the same unarchive pattern and a Renovate annotation for automatic
version updates. deploy.yml runs make test-wireguard from the controller
after the manager-side checks pass.

The WIREPROXY Makefile variable defaults to wireproxy in PATH and can be
overridden for local runs (e.g. WIREPROXY=~/wireproxy).

AI-assisted: Claude Code
Signed-off-by: Roger Luethi <luethi@osism.tech>
In CI, tofu lives at ~/tofu and is not in PATH. The test-wireguard
target triggers init (a PHONY dependency) which calls $(TERRAFORM);
without an explicit override it falls back to "tofu" and fails.
Pass TERRAFORM={{ terraform_binary }} the same way the create
infrastructure tasks do.
AI-assisted: Claude Code
Signed-off-by: Roger Luethi <luethi@osism.tech>
If wireproxy exits before the SOCKS5 port becomes ready (e.g. port
already in use, bad config), the readiness loop previously spun for
10 s before a confusing curl failure. Check liveness of wireproxy_pid
on each iteration so the error surfaces immediately.

AI-assisted: Claude Code
Signed-off-by: Roger Luethi <luethi@osism.tech>
Adds a controller-side WireGuard connectivity test that runs without
root or a kernel tunnel. wireproxy brings up a SOCKS5 listener using
the downloaded client config; the test probes Keystone through it and
tears down on exit.
Changes
- scripts/test-wireguard.sh — new script using wireproxy
- terraform/Makefile — WIREPROXY variable, test-wireguard target
- Makefile — top-level test-wireguard target
- playbooks/pre.yml — installs wireproxy from a pinned GitHub release (same pattern as tofu, Renovate-managed)
- playbooks/deploy.yml — runs make test-wireguard from the controller after manager-side checks
Dependency
Requires osism/ansible-collection-services#2086 (WireGuard role: enable
ip_forward and MASQUERADE). The test will fail without that fix because
forwarded packets are dropped by Neutron anti-spoofing.
Test plan
- test-wireguard green

🤖 Generated with Claude Code
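As an added illustration of the two mechanisms described in the commit messages above, the wg-quick-to-wireproxy conversion and the pid-aware readiness loop, here is example code written for this page; it is not the PR's scripts/test-wireguard.sh. The sample config is constructed with placeholder keys. The BindAddress key follows wireproxy's [Socks5] section format, and the /128 handling for bare IPv6 addresses goes beyond what the PR text states (it only mentions /32).

```shell
#!/usr/bin/env bash
# Added example, not code from the PR. Converts a wg-quick client config
# to wireproxy format and waits for the SOCKS5 port while checking that
# the wireproxy process is still alive.

# Constructed sample wg-quick config, shaped like what vpn-wireguard-config
# hands out. Keys are placeholders, not real key material.
SAMPLE_WG_CONF='[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.200.0.2
DNS = 10.200.0.1
MTU = 1380

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 10.0.0.0/8, 192.168.0.0/16
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
'

# wg_to_wireproxy [BIND_ADDR]
# Reads a wg-quick config on stdin and writes a wireproxy config on stdout:
#  - drops MTU= and DNS= lines (wg-quick-specific, per the PR description)
#  - gives Address entries without a prefix length a /32 (/128 for IPv6)
#  - appends a [Socks5] section bound to BIND_ADDR (default 127.0.0.1:1080)
wg_to_wireproxy() {
  bind_addr=${1:-127.0.0.1:1080}
  awk -v bind="$bind_addr" '
    # skip wg-quick-only keys, case-insensitively and tolerant of spaces
    tolower($0) ~ /^[[:space:]]*(mtu|dns)[[:space:]]*=/ { next }
    tolower($0) ~ /^[[:space:]]*address[[:space:]]*=/ {
      line = $0; sub(/^[^=]*=/, "", line)
      n = split(line, addrs, ",")
      out = "Address ="
      for (i = 1; i <= n; i++) {
        a = addrs[i]; gsub(/^[[:space:]]+|[[:space:]]+$/, "", a)
        # bare address: IPv6 (contains ":") gets /128, IPv4 gets /32
        if (a !~ /\//) a = a (index(a, ":") ? "/128" : "/32")
        out = out (i > 1 ? ", " : " ") a
      }
      print out; next
    }
    { print }
    END { print ""; print "[Socks5]"; print "BindAddress = " bind }
  '
}

# wait_for_socks PID HOST PORT [TIMEOUT_SECONDS]
# Polls for the SOCKS5 port once a second, but returns 2 immediately if the
# wireproxy process has exited (bad config, port in use), instead of spinning
# until the timeout and then failing on an unrelated curl error.
# Returns 0 when the port accepts a connection, 1 on timeout.
wait_for_socks() {
  pid=$1 host=$2 port=$3 timeout=${4:-10}
  i=0
  while [ "$i" -lt "$timeout" ]; do
    if ! kill -0 "$pid" 2>/dev/null; then
      echo "wireproxy (pid $pid) exited before $host:$port became ready" >&2
      return 2
    fi
    # bash /dev/tcp pseudo-device; in a shell without it the open simply
    # fails and the loop keeps waiting, still guarded by the pid check
    if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then
      return 0
    fi
    sleep 1
    i=$((i + 1))
  done
  echo "timed out after ${timeout}s waiting for $host:$port" >&2
  return 1
}

# Demo: print the converted sample config.
printf '%s' "$SAMPLE_WG_CONF" | wg_to_wireproxy 127.0.0.1:1080
```

In a real run the converted config would be written to a temporary file with mode 0600 (it contains the private key), wireproxy started on it in the background, and `wait_for_socks "$!" 127.0.0.1 1080` called before the curl probe; the `return 2` path is what turns the "10 s then confusing curl failure" case from the third commit into an immediate, attributable error.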