From 1dd6c364b8aae54a891ef1b371417e4b6b263030 Mon Sep 17 00:00:00 2001 From: Maxime NARBAUD Date: Sat, 7 Dec 2024 14:55:41 +0100 Subject: [PATCH] feat: add cloudflared system extension Cloudflare Tunnel securely connects resources to Cloudflare without a public IP. Signed-off-by: Maxime NARBAUD Signed-off-by: Noel Georgi --- .github/renovate.json | 3 +- .github/workflows/ci.yaml | 2 +- .github/workflows/weekly.yaml | 2 +- .kres.yaml | 1 + MAINTAINERS.md | 1 + Makefile | 3 +- README.md | 23 +++++++----- hack/release.toml | 6 +++ network/cloudflared/README.md | 55 ++++++++++++++++++++++++++++ network/cloudflared/cloudflared.yaml | 17 +++++++++ network/cloudflared/manifest.yaml | 13 +++++++ network/cloudflared/pkg.yaml | 47 ++++++++++++++++++++++++ network/cloudflared/vars.yaml | 1 + network/vars.yaml | 2 + reproducibility/pkg.yaml | 4 ++ 15 files changed, 166 insertions(+), 14 deletions(-) create mode 100644 network/cloudflared/README.md create mode 100644 network/cloudflared/cloudflared.yaml create mode 100644 network/cloudflared/manifest.yaml create mode 100644 network/cloudflared/pkg.yaml create mode 100644 network/cloudflared/vars.yaml diff --git a/.github/renovate.json b/.github/renovate.json index 628546c2..76006c79 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -67,7 +67,8 @@ { "matchPackageNames": [ "google/gvisor", - "intel/Intel-Linux-Processor-Microcode-Data-Files" + "intel/Intel-Linux-Processor-Microcode-Data-Files", + "cloudflare/cloudflared" ], "versioning": "regex:^(?\\d{4})(?\\d{2})(?\\d{2})\\.?(?\\d+)?$" }, diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6c138579..c866dbed 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1,6 +1,6 @@ # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT. # -# Generated on 2024-12-10T13:30:19Z by kres 8183c20. +# Generated on 2024-12-11T15:43:22Z by kres 8183c20. name: default concurrency: 
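Review bot: The `versioning` regex this group now applies to `cloudflare/cloudflared` appears, as far as it survives extraction (its named groups are missing here), to expect a contiguous `YYYYMMDD` with an optional `.N` suffix, which fits the gvisor and Intel microcode tags but not cloudflared's dotted tags such as the `2024.12.1` pinned in network/vars.yaml later in this patch. If that reading is right, Renovate will quietly treat every cloudflared release as an unparseable version and never propose an update, so fixes in the connector would stop arriving without anyone noticing; the failure is silent, which is what makes it worth a dry run against the datasource. Either give cloudflared its own `packageRules` entry with a regex shaped for `YYYY.M.N` (or `loose` versioning), or confirm the shared regex really matches and record that in the commit message. The enclosing `packageRules` object starts before the hunk.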
diff --git a/.github/workflows/weekly.yaml b/.github/workflows/weekly.yaml index 44c7ee14..ae174ad2 100644 --- a/.github/workflows/weekly.yaml +++ b/.github/workflows/weekly.yaml @@ -1,6 +1,6 @@ # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT. # -# Generated on 2024-12-10T13:30:19Z by kres 8183c20. +# Generated on 2024-12-11T15:43:22Z by kres 8183c20. name: weekly concurrency: diff --git a/.kres.yaml b/.kres.yaml index 72a50588..f25f2e44 100644 --- a/.kres.yaml +++ b/.kres.yaml @@ -9,6 +9,7 @@ spec: - btrfs - chelsio-drivers - chelsio-firmware + - cloudflared - crun - drbd - dvb-cx23885 diff --git a/MAINTAINERS.md b/MAINTAINERS.md index 618919e7..3e99e808 100644 --- a/MAINTAINERS.md +++ b/MAINTAINERS.md @@ -17,6 +17,7 @@ If the field is marked as `Needs Maintainer`, it means that the package is curre | btrfs | Enno Boland | [Gottox](https://github.com/Gottox) | | chelsio-drivers | Sidero Labs | NA | | chelsio-firmware | Sidero Labs | NA | +| cloudflared | Maxime Nrb | [maxnrb](https://github.com/maxnrb) | | crun | Henrik Gerdes | [hegerdes](https://github.com/hegerdes) | | drbd | Needs Maintainer | NA | | dvb-cx23885 | Skyler Mäntysaari | [samip5](https://github.com/samip5) | diff --git a/Makefile b/Makefile index db08de58..079dfa98 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT. # -# Generated on 2024-12-10T13:30:19Z by kres 8183c20. +# Generated on 2024-12-11T16:03:30Z by kres 8183c20. # common variables @@ -62,6 +62,7 @@ TARGETS += bnx2-bnx2x TARGETS += btrfs TARGETS += chelsio-drivers TARGETS += chelsio-firmware +TARGETS += cloudflared TARGETS += crun TARGETS += drbd TARGETS += dvb-cx23885 diff --git a/README.md b/README.md index cb04fc30..7d7d0c87 100644 --- a/README.md +++ b/README.md 
@@ -43,12 +43,12 @@ cosign verify --certificate-identity-regexp '@siderolabs\.com$' --certificate-oi | Name | Image | Description | Version Format | | -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------------------ | | [crun](container-runtime/crun/) | [ghcr.io/siderolabs/crun](https://github.com/siderolabs/extensions/pkgs/container/crun) | [crun](https://github.com/containers/crun) container runtime | `upstream version` | +| [ecr-credential-provider](container-runtime/ecr-credential-provider) | [ghcr.io/siderolabs/ecr-credential-provider](https://github.com/siderolabs/extensions/pkgs/container/ecr-credential-provider) | [ECR Credential Provider](https://github.com/kubernetes/cloud-provider-aws/tree/master/cmd/ecr-credential-provider) kubelet plugin | `upstream version` | | [gvisor](container-runtime/gvisor/) | [ghcr.io/siderolabs/gvisor](https://github.com/siderolabs/extensions/pkgs/container/gvisor) | [gVisor](https://gvisor.dev/) container runtime | `upstream version` | +| [kata-containers](container-runtime/kata-containers) | [ghcr.io/siderolabs/kata-containers](https://github.com/siderolabs/extensions/pkgs/container/kata-containers) | [Kata Containers](https://github.com/kata-containers/kata-containers) container runtime | `upstream version` | +| [spin](container-runtime/spin) | [ghcr.io/siderolabs/spin](https://github.com/siderolabs/extensions/pkgs/container/spin) | [Spin](https://github.com/spinkube/containerd-shim-spin) container runtime | `upstream_version` | | [stargz-snapshotter](container-runtime/stargz-snapshotter/) | [ghcr.io/siderolabs/stargz-snapshotter](https://github.com/siderolabs/extensions/pkgs/container/stargz-snapshotter) | [Stargz 
Snapshotter](https://github.com/containerd/stargz-snapshotter) container runtime | `upstream version` | -| [ecr-credential-provider](container-runtime/ecr-credential-provider) | [ghcr.io/siderolabs/ecr-credential-provider](https://github.com/siderolabs/extensions/pkgs/container/ecr-credential-provider) | [ECR Credential Provider](https://github.com/kubernetes/cloud-provider-aws/tree/master/cmd/ecr-credential-provider) kubelet plugin | `upstream version` | | [wasmedge](container-runtime/wasmedge) | [ghcr.io/siderolabs/wasmedge](https://github.com/siderolabs/extensions/pkgs/container/wasmedge) | [WasmEdge](https://github.com/containerd/runwasi) container runtime | `upstream_version` | -| [spin](container-runtime/spin) | [ghcr.io/siderolabs/spin](https://github.com/siderolabs/extensions/pkgs/container/spin) | [Spin](https://github.com/spinkube/containerd-shim-spin) container runtime | `upstream_version` | -| [kata-containers](container-runtime/kata-containers) | [ghcr.io/siderolabs/kata-containers](https://github.com/siderolabs/extensions/pkgs/container/kata-containers) | [Kata Containers](https://github.com/kata-containers/kata-containers) container runtime | `upstream version` | ### Firmware 
@@ -96,20 +96,23 @@ cosign verify --certificate-identity-regexp '@siderolabs\.com$' --certificate-oi ### Network -| Name | Image | Description | Version Format | -| ------------------------------- | ------------------------------------------------------------------------------------------------- | -------------------------------------- | ------------------ | -| [tailscale](network/tailscale/) | [ghcr.io/siderolabs/tailscale](https://github.com/siderolabs/extensions/pkgs/container/tailscale) | [Tailscale](https://tailscale.com) | `upstream version` | -| [lldpd](network/lldpd/) | [ghcr.io/siderolabs/lldpd](https://github.com/siderolabs/extensions/pkgs/container/lldpd) | [LLDP](https://github.com/lldpd/lldpd) | `upstream version` | +| Name | Image | Description | Version Format | +| ----------------------------------- | ----------------------------------------------------------------------------------------------------- | --------------------------------------------------------- | ------------------ | +| [cloudflared](network/cloudflared/) | [ghcr.io/siderolabs/cloudflared](https://github.com/siderolabs/extensions/pkgs/container/cloudflared) | [Cloudflared](https://github.com/cloudflare/cloudflared/) | `upstream version` | +| [lldpd](network/lldpd/) | [ghcr.io/siderolabs/lldpd](https://github.com/siderolabs/extensions/pkgs/container/lldpd) | [LLDP](https://github.com/lldpd/lldpd) | `upstream version` | +| [tailscale](network/tailscale/) | [ghcr.io/siderolabs/tailscale](https://github.com/siderolabs/extensions/pkgs/container/tailscale) | [Tailscale](https://tailscale.com) | `upstream version` | + ### Storage | Name | Image | Description | Version Format | | ----------------------------------- | ----------------------------------------------------------------------------------------------------- | ---------------------- | ---------------------------------- | +| [btrfs](storage/btrfs/) | 
[ghcr.io/siderolabs/btrfs](https://github.com/siderolabs/extensions/pkgs/container/btrfs) | BTRFS driver module | `talos version` | +| [drbd](storage/drbd/) | [ghcr.io/siderolabs/drbd](https://github.com/siderolabs/extensions/pkgs/container/drbd) | DRBD driver module | `upstream version`-`talos version` | | [iscsi-tools](storage/iscsi-tools/) | [ghcr.io/siderolabs/iscsi-tools](https://github.com/siderolabs/extensions/pkgs/container/iscsi-tools) | Open iSCSI tools | `v0.1.0` | | [mdadm](storage/mdadm/) | [ghcr.io/siderolabs/mdadm](https://github.com/siderolabs/extensions/pkgs/container/mdadm) | manage MD devices tool | `upstream version` | -| [drbd](storage/drbd/) | [ghcr.io/siderolabs/drbd](https://github.com/siderolabs/extensions/pkgs/container/drbd) | DRBD driver module | `upstream version`-`talos version` | | [zfs](storage/zfs/) | [ghcr.io/siderolabs/zfs](https://github.com/siderolabs/extensions/pkgs/container/zfs) | ZFS driver module | `upstream version`-`talos version` | -| [btrfs](storage/btrfs/) | [ghcr.io/siderolabs/btrfs](https://github.com/siderolabs/extensions/pkgs/container/btrfs) | BTRFS driver module | `talos version` | + ### Power 
@@ -123,8 +126,8 @@ cosign verify --certificate-identity-regexp '@siderolabs\.com$' --certificate-oi | ---------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- | ------------------ | | [metal-agent](guest-agents/metal-agent/) | [ghcr.io/siderolabs/metal-agent](https://github.com/siderolabs/extensions/pkgs/container/metal-agent) | [Talos Metal Agent](https://github.com/siderolabs/talos-metal-agent) | `upstream version` | | [qemu-guest-agent](guest-agents/qemu-guest-agent/) | [ghcr.io/siderolabs/qemu-guest-agent](https://github.com/siderolabs/extensions/pkgs/container/qemu-guest-agent) | [QEMU Guest Agent](https://wiki.qemu.org/Features/GuestAgent) | `upstream version` | -| [xe-guest-utilities](guest-agents/xe-guest-utilities/) | [ghcr.io/siderolabs/xe-guest-utilities](https://github.com/siderolabs/extensions/pkgs/container/xe-guest-utilities) | [xe-guest-utilities](https://github.com/xenserver/xe-guest-utilitiest) | `upstream version` | | [vmtoolsd-guest-agent](guest-agents/vmtoolsd-guest-agent/) | [ghcr.io/siderolabs/vmtoolsd-guest-agent](https://github.com/siderolabs/extensions/pkgs/container/vmtoolsd-guest-agent) | [talos-vmtoolsd](https://github.com/siderolabs/talos-vmtoolsd) | `upstream version` | +| [xe-guest-utilities](guest-agents/xe-guest-utilities/) | [ghcr.io/siderolabs/xe-guest-utilities](https://github.com/siderolabs/extensions/pkgs/container/xe-guest-utilities) | [xe-guest-utilities](https://github.com/xenserver/xe-guest-utilitiest) | `upstream version` | ### NVIDIA GPU diff --git a/hack/release.toml b/hack/release.toml index 3ed2b3d8..cbb7766f 100644 --- a/hack/release.toml +++ b/hack/release.toml 
@@ -25,6 +25,12 @@ lldpd is now available as a system extension.
 title = "dvb"
 description = """\
 dvb drivers + firmware is now available as a system extension.
+"""
+
+ [notes.cloudflared]
+ title = "Cloudflared"
+ description = """\
+Cloudflared is now available as a system extension.
 """
 
 [notes.drm]
diff --git a/network/cloudflared/README.md b/network/cloudflared/README.md
new file mode 100644
index 00000000..6048fb71
--- /dev/null
+++ b/network/cloudflared/README.md
@@ -0,0 +1,55 @@
+# Cloudflare Tunnel
+
+Cloudflare Tunnel securely connects resources to Cloudflare without a public IP. A lightweight daemon (cloudflared) creates outbound-only connections to Cloudflare, allowing safe access to services like HTTP, SSH, remote desktops, and other protocols.
+
+More info: https://github.com/cloudflare/cloudflared/
+
+## Installation
+
+Cloudflared system extension can be installed by customising boot assets or after installation with the `installer`
+
+You can use the following schematic file:
+```yaml
+# cloudflared-ext.yaml
+customization:
+ systemExtensions:
+ officialExtensions:
+ - siderolabs/cloudflared
+```
+
+Check documentation for install:
+* https://www.talos.dev/latest/talos-guides/configuration/system-extensions/
+* https://www.talos.dev/latest/talos-guides/install/boot-assets/
+
+## Usage
+
+Configure the extension via `ExtensionServiceConfig` document.
+
+```yaml
+# cloudflared-config.yaml
+---
+apiVersion: v1alpha1
+kind: ExtensionServiceConfig
+name: cloudflared
+environment:
+ - TUNNEL_TOKEN=
+ - TUNNEL_METRICS=localhost:2000
+ - TUNNEL_EDGE_IP_VERSION=auto # if your node is only configured for IPv6
+```
+
+Then apply the patch to your node's MachineConfigs
+```bash
+talosctl patch mc -p @cloudflared-config.yaml
+```
+
+You will then be able to verify that it is in place with the following command
+```bash
+talosctl get extensionserviceconfigs
+
+NODE NAMESPACE TYPE ID VERSION
+mynode runtime ExtensionServiceConfig cloudflared 1
+```
+
+## Configuration
+
+See all run parameters here (use environment variables): https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/
diff --git a/network/cloudflared/cloudflared.yaml b/network/cloudflared/cloudflared.yaml
new file mode 100644
index 00000000..84f8104f
--- /dev/null
+++ b/network/cloudflared/cloudflared.yaml
@@ -0,0 +1,17 @@
+name: cloudflared
+depends:
+ - service: cri
+ - network:
+ - addresses
+ - connectivity
+ - etcfiles
+ - hostname
+ - configuration: true
+container:
+ entrypoint: /usr/local/bin/cloudflared
+ args:
+ - tunnel
+ - run
+ environment:
+ - NO_AUTOUPDATE=true
+restart: always
diff --git a/network/cloudflared/manifest.yaml b/network/cloudflared/manifest.yaml
new file mode 100644
index 00000000..2876976c
--- /dev/null
+++ b/network/cloudflared/manifest.yaml
@@ -0,0 +1,13 @@
+version: v1alpha1
+metadata:
+ name: cloudflared
+ version: "$VERSION"
+ author: Maxime Narbaud
+ description: |
+ Cloudflare Tunnel securely connects resources to Cloudflare without a public IP.
+ A lightweight daemon (cloudflared) creates outbound-only connections to Cloudflare,
+ allowing safe access to services like HTTP, SSH, remote desktops, and other protocols.
+ More info: https://github.com/cloudflare/cloudflared/
+ compatibility:
+ talos:
+ version: ">= v1.5.0"
diff --git a/network/cloudflared/pkg.yaml b/network/cloudflared/pkg.yaml
new file mode 100644
index 00000000..1c6360e2
--- /dev/null
+++ b/network/cloudflared/pkg.yaml
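Review bot: The service waits on network readiness and on its configuration document but not on time synchronisation; cloudflared opens TLS connections to Cloudflare's edge and validates their certificates, so on a freshly booted node with a skewed clock the tunnel may flap until NTP converges, and a `- time: true` entry under `depends` (next to `- configuration: true`) would make that ordering explicit — confirm the field is accepted by the oldest Talos version the manifest claims to support. `NO_AUTOUPDATE=true` is the right setting for an immutable, digest-pinned rootfs but says nothing about why; a comment such as `# rootfs is immutable and the binary is pinned in pkg.yaml; keep the in-binary updater off` would stop a well-meaning cleanup from dropping it. Since the tunnel credential is meant to arrive through `ExtensionServiceConfig` (hence `configuration: true`), a one-line comment beside `environment:` saying so would discourage anyone from hard-coding `TUNNEL_TOKEN` into this spec, where it would be baked into the extension image.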
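Review bot: `compatibility.talos.version: ">= v1.5.0"` looks lower than what the extension needs in practice: the accompanying README configures the service solely through an `ExtensionServiceConfig` document, which to my recollection was introduced in Talos v1.6, so a v1.5 node could install the extension but would have no documented way to hand it `TUNNEL_TOKEN`. If that recollection holds, raise the bound to `">= v1.6.0"`; if not, the README should say how older nodes are configured. Separately, `author: Maxime Narbaud` and the MAINTAINERS.md row added in this patch (`Maxime Nrb`) spell the name differently; pick one so the manifest and the maintainer table agree.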
@@ -0,0 +1,47 @@
+name: cloudflared
+variant: scratch
+shell: /bin/bash
+dependencies:
+ - stage: base
+steps:
+ - sources:
+ - url: https://github.com/cloudflare/cloudflared/archive/refs/tags/{{ .CLOUDFLARED_VERSION }}.tar.gz
+ destination: cloudflared.tar.gz
+ sha256: 74794fbcdd7b71131799100d493cf70a8e126cb109f3d9e2abce55593df6a737
+ sha512: cd417fc8410537fd0e59799be750f18b13e5931a5785258833b518aa5f516a479e00af0bbceb9f6e03d7cc6f2da406a956f25f64a57f282de56d9f6c47b281a2
+ env:
+ GOPATH: /go
+ cachePaths:
+ - /.cache/go-build
+ - /go/pkg
+ prepare:
+ - |
+ sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
+ - |
+ tar -xzvf cloudflared.tar.gz --strip-components=1
+ build:
+ - |
+ export PATH=${PATH}:${TOOLCHAIN}/go/bin
+
+ make cloudflared VERSION="{{ .CLOUDFLARED_VERSION}}" DATE="{{ .BUILD_ARG_SOURCE_DATE_EPOCH }}"
+ install:
+ - |
+ mkdir -p /rootfs/usr/local/lib/containers/cloudflared/usr/local/bin
+
+ mv cloudflared /rootfs/usr/local/lib/containers/cloudflared/usr/local/bin
+ - |
+ mkdir -p /rootfs/usr/local/etc/containers
+ cp /pkg/cloudflared.yaml /rootfs/usr/local/etc/containers/
+ test:
+ - |
+ mkdir -p /extensions-validator-rootfs
+ cp -r /rootfs/ /extensions-validator-rootfs/rootfs
+ cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
+ /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
+ - |
+ [[ $(/rootfs/usr/local/lib/containers/cloudflared/usr/local/bin/cloudflared version) == *{{ .CLOUDFLARED_VERSION }}* ]]
+finalize:
+ - from: /rootfs
+ to: /rootfs
+ - from: /pkg/manifest.yaml
+ to: /
diff --git a/network/cloudflared/vars.yaml b/network/cloudflared/vars.yaml
new file mode 100644
index 00000000..8c6ce966
--- /dev/null
+++ b/network/cloudflared/vars.yaml
@@ -0,0 +1 @@
+VERSION: "{{ .CLOUDFLARED_VERSION }}"
diff --git a/network/vars.yaml b/network/vars.yaml
index 2ac19df3..314fdef6 100644
--- a/network/vars.yaml
+++ b/network/vars.yaml
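Review bot: The source is the GitHub-generated tag archive (`archive/refs/tags/…tar.gz`) pinned by both `sha256` and `sha512`, which is the right fail-closed posture, but such archives are produced on the fly and GitHub has not historically guaranteed them byte-stable (the January 2023 compression change broke pinned digests across many projects before it was rolled back), so a future mismatch may be a harmless re-compression rather than tampering and the next maintainer needs to know which it is before re-pinning. A comment above the `sha256:` line such as `# digests of the GitHub-generated tag archive; on mismatch, re-verify against the upstream tag before re-pinning` gives them the right reflex. Renovate bumps `CLOUDFLARED_VERSION` in network/vars.yaml, but nothing in this patch updates these digests, so every version bump will need a manual re-pin — worth stating in the same comment. Minor style: `{{ .CLOUDFLARED_VERSION}}` in the `make` line lacks the space before `}}` that every other template reference in the file has.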
@@ -2,3 +2,5 @@ TAILSCALE_VERSION: 1.76.6 # renovate: datasource=github-releases depName=lldpd/lldpd LLDPD_VERSION: 1.0.18 +# renovate: datasource=github-releases depName=cloudflare/cloudflared +CLOUDFLARED_VERSION: 2024.12.1 diff --git a/reproducibility/pkg.yaml b/reproducibility/pkg.yaml index f833b1d7..db1a5f58 100644 --- a/reproducibility/pkg.yaml +++ b/reproducibility/pkg.yaml @@ -15,10 +15,14 @@ dependencies: # - stage: chelsio-drivers # chelsio-firmware can be ignored from reproducibility test since it's linux-firmware copied from pkgs # - stage: chelsio-firmware + + - stage: cloudflared + # drbd can be ignored from reproducibility test since it's kernel modules copied from pkgs # crun can be ignored from reproducibility test since it's a tarball downloaded and extracted (no build happens) # - stage: crun # - stage: drbd + # - stage: dvb-cx23885 - stage: ecr-credential-provider - stage: fuse3 # gasket-driver can be ignored from reproducibility test since it's kernel modules copied from pkgs