From 3cebc5aabce2bcddb9f45ee95e8e6a69746535c2 Mon Sep 17 00:00:00 2001
From: Chernenko Ruslan
Date: Sat, 17 Aug 2024 13:56:53 +0300
Subject: [PATCH] feat: add openziti network extension

Adds OpenZiti's system extension to be run on the talos node, allowing to serve Talos nodes network resources over the overlay network.

Signed-off-by: Chernenko Ruslan
---
 Makefile | 1 +
 network/openziti/README.md | 50 ++++++++++++++++++++++++++
 network/openziti/manifest.yaml | 12 +++++++
 network/openziti/openziti.yaml | 50 ++++++++++++++++++++++++++
 network/openziti/pkg.yaml | 65 ++++++++++++++++++++++++++++++++++
 network/openziti/vars.yaml | 1 +
 network/vars.yaml | 1 +
 7 files changed, 180 insertions(+)
 create mode 100644 network/openziti/README.md
 create mode 100644 network/openziti/manifest.yaml
 create mode 100644 network/openziti/openziti.yaml
 create mode 100644 network/openziti/pkg.yaml
 create mode 100644 network/openziti/vars.yaml
diff --git a/Makefile b/Makefile
index 54829dcb..dbf5c260 100644
--- a/Makefile
+++ b/Makefile
@@ -88,6 +88,7 @@ TARGETS += realtek-firmware
 TARGETS += spin
 TARGETS += stargz-snapshotter
 TARGETS += tailscale
+TARGETS += openziti
 TARGETS += thunderbolt
 TARGETS += usb-modem-drivers
 TARGETS += util-linux-tools
diff --git a/network/openziti/README.md b/network/openziti/README.md
new file mode 100644
index 00000000..8be11e38
--- /dev/null
+++ b/network/openziti/README.md
@@ -0,0 +1,50 @@
+# OpenZiti
+
+Runs OpenZiti's edge tunneler in run-host mode allowing to access talos nodes resources on the overlay network
+
+https://openziti.io
+
+https://openziti.io/docs/reference/tunnelers/docker/#use-case-hosting-openziti-services
+
+## Installation
+
+See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
+
+## Usage
+
+Create an identity for the machine.
+Manually enroll it using(for example using ziti edge enroll ...) and output the enrolled identity into a file or stdout
+Copy the contents of the enrolled identity
+Create `ExtensionServiceConfig` as the example below with replacing `JSON_IDENTITY` with the JSON of the identity you created and in mountPath replace `IDENTITY_FILE_NAME` with the filename of the identity(preserve the json in the filename)
+
+```yaml
+---
+apiVersion: v1alpha1
+kind: ExtensionServiceConfig
+name: openziti
+configFiles:
+ - content: 'JSON_IDENTITY'
+ mountPath: /var/lib/ziti/etc/identities/IDENTITY_FILE_NAME.json
+```
+
+Then apply the patch to your node's MachineConfigs
+```bash
+talosctl patch mc -p @openziti.talos.yaml
+```
+
+You will then be able to verify that it is in place with the following command
+```bash
+talosctl get extensionserviceconfigs
+
+NODE NAMESPACE TYPE ID VERSION
+192.168.10.10 runtime ExtensionServiceConfig openziti 1
+```
+
+Example of creation of ziti service to serve talos api on the overlay network(note that 192.168.10.10 is the address of the node):
+```
+ziti edge create config talosctl-controlplane.intercept.v1 intercept.v1 '{"protocols":["tcp"],"addresses": ["talosctl-controlplane.ziti.internal"], "portRanges":[{"low": 50000, "high":50000}]}'
+ziti edge create config talosctl-controlplane.host.v1 host.v1 '{"protocol": "tcp","address":"'"192.168.10.10"'", "port": 50000}'
+ziti edge create service talosctrl-controlplane.svc --configs talosctl-controlplane.intercept.v1,talosctl-controlplane.host.v1
+ziti edge create service-policy 
talosctl-controlplane.policy.dial Dial --service-roles "@talosctrl-controlplane.svc" --identity-roles "@macos"
+ziti edge create service-policy talosctl-controlplane.policy.bind Bind --service-roles "@talosctrl-controlplane.svc" --identity-roles "@talos-cluster-test-identity"
+```
diff --git a/network/openziti/manifest.yaml b/network/openziti/manifest.yaml
new file mode 100644
index 00000000..b2184700
--- /dev/null
+++ b/network/openziti/manifest.yaml
@@ -0,0 +1,12 @@
+version: v1alpha1
+metadata:
+ name: openziti
+ version: "$VERSION"
+ author: Ruslan Chernenko
+ description: |
+ OpenZiti is the world’s most used and widely integrated open source secure networking platform.
+ This extension deploys a ziti-edge-tunneler in run-host mode which allows to access node's net resources
+ through the overlay network.
+ compatibility:
+ talos:
+ version: ">= v1.7.0"
diff --git a/network/openziti/openziti.yaml b/network/openziti/openziti.yaml
new file mode 100644
index 00000000..fefbdee5
--- /dev/null
+++ b/network/openziti/openziti.yaml
@@ -0,0 +1,50 @@
+name: openziti
+depends:
+ - service: cri
+ - network:
+ - addresses
+ - connectivity
+ - etcfiles
+ - configuration: true
+container:
+ entrypoint: /usr/local/bin/ziti-edge-tunnel
+ args:
+ - run-host
+ - --verbose=4
+ - --identity-dir=/var/lib/ziti/etc/identities
+ security:
+ writeableRootfs: false
+ writeableSysfs: true
+ mounts:
+ # libssl lib
+ - source: /usr/lib
+ destination: /usr/lib
+ type: bind
+ options:
+ - bind
+ - ro
+ - source: /sbin
+ destination: /sbin
+ type: bind
+ options:
+ - bind
+ - ro
+ - source: /dev/net/tun
+ destination: /dev/net/tun
+ type: bind
+ options:
+ - bind
+ - rw
+ - source: /var/lib/ziti/etc/identities/
+ destination: /var/lib/ziti/etc/identities/
+ type: bind
+ options:
+ - bind
+ - rw
+ - source: /var/lib/ziti/
+ destination: /var/lib/ziti/
+ type: bind
+ options:
+ - bind
+ - rw
+restart: always
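Review bot: The `/dev/net/tun` rw bind mount and `writeableSysfs: true` in openziti.yaml look unnecessary for `run-host`, which as far as I know hosts services without creating a TUN interface; if that holds, dropping both keeps the service at the privileges it actually uses, and if it does not, a comment next to the mount such as `# run-host still opens the tun device for <reason>` should record why. The `/var/lib/ziti/etc/identities/` mount is fully contained in the `/var/lib/ziti/` mount declared right after it, so one of the two is redundant. The `# libssl lib` comment justifies the read-only `/usr/lib` and `/sbin` host mounts, but pkg.yaml builds the binary with `-DBUILD_SHARED_LIBS=OFF` and `-DCMAKE_EXE_LINKER_FLAGS="-static"`; if that static link succeeds these mounts can go too, and if it does not the comment should name the library that is still loaded dynamically. `--verbose=4` makes debug-level logging the permanent default for a long-running network service; a lower default, with the README noting how to raise it, would be the usual choice.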
diff --git a/network/openziti/pkg.yaml b/network/openziti/pkg.yaml
new file mode 100644
index 00000000..fd354ef1
--- /dev/null
+++ b/network/openziti/pkg.yaml
@@ -0,0 +1,65 @@
+name: openziti
+variant: alpine
+shell: /toolchain/bin/bash
+install:
+ - unzip
+ - zip
+ - ninja-build
+ - ninja
+ - zlib-static
+dependencies:
+ - image: "ghcr.io/siderolabs/tools:v1.7.0-4-gc844dc3"
+steps:
+ - sources:
+ - url: https://github.com/openziti/ziti-tunnel-sdk-c/archive/refs/tags/{{ .OPENZITI_TUNNELER_VERSION }}.tar.gz
+ destination: edge-tunnel-source.tar.gz
+ sha256: d455672bf3b6ff28fd0ff864f868f7d6e3de99e6c666a120227fa9dab2d91f78
+ sha512: 5aeb05347381124e9d75693f12e0d234499a8c6482d322019576a24c622d986d43f159454a43c844623f171a456062a5e1afffcee7f7cbb03740216dbd3bb74c
+ env:
+ VCPKG_ROOT: /vcpkg
+ VCPKG_FORCE_SYSTEM_BINARIES: 1
+ CC: /toolchain/bin/gcc
+ CXX: /toolchain/bin/g++
+ prepare:
+ - |
+ # vcpkg depends on git as a delivery tool
+ # if to download .tar.gz from releases it would fail saying it cannot retrieve versions/baseline.json version using git show
+ # tried my best to find any CMAKE variable within vcpkg which disables this behaviour
+ # we fetch here commit to which tag 2024.07.12 is assigned
+ git clone https://github.com/microsoft/vcpkg.git /vcpkg
+ git --git-dir=/vcpkg/.git --work-tree=/vcpkg checkout 1de2026f28ead93ff1773e6e680387643e914ea1
+
+ - |
+ sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
+
+ - |
+ mkdir -p /vcpkg-git /vcpkg /ziti-tunnel-sdk-c/build
+ tar -xzvf edge-tunnel-source.tar.gz --strip-components=1 -C /ziti-tunnel-sdk-c
+
+ build:
+ - |
+ export PATH=${PATH}:/toolchain/bin
+ /vcpkg/bootstrap-vcpkg.sh
+
+ - |
+ export PATH=${PATH}:/toolchain/bin
+ PRESET="ci-linux-x64"
+ if [[ "$(uname -m)" == "arm64" || "$(uname -m)" == "aarch64" ]]; then
+ PRESET="ci-linux-arm64"
+ ln -s /toolchain/bin/g++ /toolchain/bin/aarch64-linux-gnu-g++
+ ln -s /toolchain/bin/gcc /toolchain/bin/aarch64-linux-gnu-gcc
+ fi
+ cmake -DBUILD_SHARED_LIBS=OFF -DCMAKE_EXE_LINKER_FLAGS="-static" -DDISABLE_SEMVER_VERIFICATION=ON -DDISABLE_LIBSYSTEMD_FEATURE=ON -DCMAKE_MAKE_PROGRAM=/usr/bin/ninja --preset $PRESET -S 
/ziti-tunnel-sdk-c -B /ziti-tunnel-sdk-c/build
+ - |
+ cmake --build /ziti-tunnel-sdk-c/build --config Release
+ install:
+ - |
+ mkdir -p /rootfs/usr/local/lib/containers/openziti/usr/local/bin/
+ mv /ziti-tunnel-sdk-c/build/programs/ziti-edge-tunnel/Release/ziti-edge-tunnel /rootfs/usr/local/lib/containers/openziti/usr/local/bin/
+finalize:
+ - from: /rootfs
+ to: /rootfs
+ - from: /pkg/manifest.yaml
+ to: /
+ - from: /pkg/openziti.yaml
+ to: /rootfs/usr/local/etc/containers/
diff --git a/network/openziti/vars.yaml b/network/openziti/vars.yaml
new file mode 100644
index 00000000..dc67c700
--- /dev/null
+++ b/network/openziti/vars.yaml
@@ -0,0 +1 @@
+VERSION: "{{ .OPENZITI_TUNNELER_VERSION }}"
diff --git a/network/vars.yaml b/network/vars.yaml
index 2e1b48fc..c2af7327 100644
--- a/network/vars.yaml
+++ b/network/vars.yaml
@@ -1,2 +1,3 @@
 # renovate: datasource=github-releases extractVersion=^v(?.*)$ depName=tailscale/tailscale
 TAILSCALE_VERSION: 1.70.0
+OPENZITI_TUNNELER_VERSION: v1.1.2
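Review bot: The `mkdir -p /vcpkg-git /vcpkg /ziti-tunnel-sdk-c/build` line in the third prepare step of pkg.yaml creates `/vcpkg-git`, which nothing else in the hunk uses, and `/vcpkg` already exists from the `git clone` in the first step, so `mkdir -p /ziti-tunnel-sdk-c/build` is all that step needs. The source tarball is pinned by sha256 and sha512 and vcpkg by a commit hash, which is the right shape, but `/vcpkg/bootstrap-vcpkg.sh` and the ports vcpkg resolves at configure time are still fetched from the network during the build, so a comment above the bootstrap step such as `# reproducibility of the vcpkg tool and ports rests on the commit pinned in prepare` would make that trust boundary explicit for the next maintainer. The `sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml` step sits between two vcpkg-related steps with nothing explaining it; a one-line `# stamp the extension version into manifest.yaml before finalize copies it` comment would help.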