feat: add openziti network extension
Adds OpenZiti's system extension to be run on the Talos node, allowing Talos nodes' network resources to be served
over the overlay network.

Signed-off-by: Chernenko Ruslan <[email protected]>
nenkoru committed Aug 17, 2024
1 parent bb94c9d commit 9e26b1e
Showing 7 changed files with 180 additions and 0 deletions.
1 change: 1 addition & 0 deletions Makefile
Expand Up @@ -88,6 +88,7 @@ TARGETS += realtek-firmware
TARGETS += spin
TARGETS += stargz-snapshotter
TARGETS += tailscale
TARGETS += openziti
TARGETS += thunderbolt
TARGETS += usb-modem-drivers
TARGETS += util-linux-tools
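Review bot: `TARGETS += openziti` is inserted between `tailscale` and `thunderbolt`, which breaks the alphabetical order the surrounding list keeps (realtek-firmware, spin, stargz-snapshotter, tailscale, thunderbolt, usb-modem-drivers, util-linux-tools); move the line up so `openziti` sits before `realtek-firmware`, keeping the list sorted and merge-friendly.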
50 changes: 50 additions & 0 deletions network/openziti/README.md
@@ -0,0 +1,50 @@
# OpenZiti

Runs OpenZiti's edge tunneler in run-host mode allowing to access talos nodes resources on the overlay network

https://openziti.io

https://openziti.io/docs/reference/tunnelers/docker/#use-case-hosting-openziti-services

## Installation

See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).

## Usage

Create an identity for the machine.
Manually enroll it using(for example using ziti edge enroll ...) and output the enrolled identity into a file or stdout
Copy the contents of the enrolled identity
Create `ExtensionServiceConfig` as the example below with replacing `JSON_IDENTITY` with the JSON of the identity you created and in mountPath replace `IDENTITY_FILE_NAME` with the filename of the identity(preserve the json in the filename)

```yaml
---
apiVersion: v1alpha1
kind: ExtensionServiceConfig
name: openziti
configFiles:
- content: 'JSON_IDENTITY'
mountPath: /var/lib/ziti/etc/identities/IDENTITY_FILE_NAME.json
```
Then apply the patch to your node's MachineConfigs
```bash
talosctl patch mc -p @openziti.talos.yaml
```

You will then be able to verify that it is in place with the following command
```bash
talosctl get extensionserviceconfigs

NODE NAMESPACE TYPE ID VERSION
192.168.10.10 runtime ExtensionServiceConfig openziti 1
```

Example of creation of ziti service to serve talos api on the overlay network(note that 192.168.10.10 is the address of the node):
```
ziti edge create config talosctl-controlplane.intercept.v1 intercept.v1 '{"protocols":["tcp"],"addresses": ["talosctl-controlplane.ziti.internal"], "portRanges":[{"low": 50000, "high":50000}]}'
ziti edge create config talosctl-controlplane.host.v1 host.v1 '{"protocol": "tcp","address":"'"192.168.10.10"'", "port": 50000}'
ziti edge create service talosctrl-controlplane.svc --configs talosctl-controlplane.intercept.v1,talosctl-controlplane.host.v1
ziti edge create service-policy talosctl-controlplane.policy.dial Dial --service-roles "@talosctrl-controlplane.svc" --identity-roles "@macos"
ziti edge create service-policy talosctl-controlplane.policy.bind Bind --service-roles "@talosctrl-controlplane.svc" --identity-roles "@talos-cluster-test-identity"
```
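Review bot: the `ExtensionServiceConfig` step embeds the enrolled identity JSON, which carries the identity's private key, directly in the machine config as `content: 'JSON_IDENTITY'`, yet the README never says that the resulting config and the `openziti.talos.yaml` patch it tells the user to apply must be handled as a secret; add a sentence stating that this file should be stored and transported like any other key material and not committed in plain text. Two smaller points in the same hunk: the service example creates `talosctrl-controlplane.svc` while every config and policy around it is named `talosctl-controlplane...`, so the service name and the `@talosctrl-controlplane.svc` role references should be made consistent with the rest; and the final fence is untagged while the other fences use ```bash, and `using(for example using ziti edge enroll ...)` should be reworded.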
12 changes: 12 additions & 0 deletions network/openziti/manifest.yaml
@@ -0,0 +1,12 @@
version: v1alpha1
metadata:
name: openziti
version: "$VERSION"
author: Ruslan Chernenko
description: |
OpenZiti is the world’s most used and widely integrated open source secure networking platform.
This extension deploys a ziti-edge-tunneler in run-host mode which allows to access node's net resources
through the overlay network.
compatibility:
talos:
version: ">= v1.7.0"
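Review bot: the `description` reads as marketing copy and has a grammar slip in `which allows to access node's net resources`; reword it to state what the extension does, for example `Deploys ziti-edge-tunnel in run-host mode so the node's network resources can be reached over the OpenZiti overlay network.`, and replace the curly apostrophe in `world’s` with a plain ASCII one.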
50 changes: 50 additions & 0 deletions network/openziti/openziti.yaml
@@ -0,0 +1,50 @@
name: openziti
depends:
- service: cri
- network:
- addresses
- connectivity
- etcfiles
- configuration: true
container:
entrypoint: /usr/local/bin/ziti-edge-tunnel
args:
- run-host
- --verbose=4
- --identity-dir=/var/lib/ziti/etc/identities
security:
writeableRootfs: false
writeableSysfs: true
mounts:
# libssl lib
- source: /usr/lib
destination: /usr/lib
type: bind
options:
- bind
- ro
- source: /sbin
destination: /sbin
type: bind
options:
- bind
- ro
- source: /dev/net/tun
destination: /dev/net/tun
type: bind
options:
- bind
- rw
- source: /var/lib/ziti/etc/identities/
destination: /var/lib/ziti/etc/identities/
type: bind
options:
- bind
- rw
- source: /var/lib/ziti/
destination: /var/lib/ziti/
type: bind
options:
- bind
- rw
restart: always
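Review bot: the `/var/lib/ziti/etc/identities/` bind mount is nested inside the `/var/lib/ziti/` mount that follows it, and both are `rw`, so the first is redundant and one of them should go. The `/usr/lib` mount commented `# libssl lib` looks unnecessary because pkg.yaml in this same commit links the tunneler with `-DBUILD_SHARED_LIBS=OFF` and `-DCMAKE_EXE_LINKER_FLAGS="-static"`; if it is still needed, the comment should name the library, and the `/sbin` mount should get a comment saying which tool the tunneler execs from there. `writeableSysfs: true` and `--verbose=4` also deserve a justification: a host-mode tunneler needs `/dev/net/tun`, but it is not obvious why it needs writable sysfs, and debug-level logging is noisy for a permanently running system service.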
65 changes: 65 additions & 0 deletions network/openziti/pkg.yaml
@@ -0,0 +1,65 @@
name: openziti
variant: alpine
shell: /toolchain/bin/bash
install:
- unzip
- zip
- ninja-build
- ninja
- zlib-static
dependencies:
- image: "ghcr.io/siderolabs/tools:v1.7.0-4-gc844dc3"
steps:
- sources:
- url: https://github.com/openziti/ziti-tunnel-sdk-c/archive/refs/tags/{{ .OPENZITI_TUNNELER_VERSION }}.tar.gz
destination: edge-tunnel-source.tar.gz
sha256: d455672bf3b6ff28fd0ff864f868f7d6e3de99e6c666a120227fa9dab2d91f78
sha512: 5aeb05347381124e9d75693f12e0d234499a8c6482d322019576a24c622d986d43f159454a43c844623f171a456062a5e1afffcee7f7cbb03740216dbd3bb74c
env:
VCPKG_ROOT: /vcpkg
VCPKG_FORCE_SYSTEM_BINARIES: 1
CC: /toolchain/bin/gcc
CXX: /toolchain/bin/g++
prepare:
- |
# vcpkg depends on git as a delivery tool
# if to download .tar.gz from releases it would fail saying it cannot retrieve versions/baseline.json version using git show
# tried my best to find any CMAKE variable within vcpkg which disables this behaviour
# we fetch here commit to which tag 2024.07.12 is assigned
git clone https://github.com/microsoft/vcpkg.git /vcpkg
git --git-dir=/vcpkg/.git --work-tree=/vcpkg checkout 1de2026f28ead93ff1773e6e680387643e914ea1
- |
sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
- |
mkdir -p /vcpkg-git /vcpkg /ziti-tunnel-sdk-c/build
tar -xzvf edge-tunnel-source.tar.gz --strip-components=1 -C /ziti-tunnel-sdk-c
build:
- |
export PATH=${PATH}:/toolchain/bin
/vcpkg/bootstrap-vcpkg.sh
- |
export PATH=${PATH}:/toolchain/bin
PRESET="ci-linux-x64"
if [[ "$(uname -m)" == "arm64" || "$(uname -m)" == "aarch64" ]]; then
PRESET="ci-linux-arm64"
ln -s /toolchain/bin/g++ /toolchain/bin/aarch64-linux-gnu-g++
ln -s /toolchain/bin/gcc /toolchain/bin/aarch64-linux-gnu-gcc
fi
cmake -DBUILD_SHARED_LIBS=OFF -DCMAKE_EXE_LINKER_FLAGS="-static" -DDISABLE_SEMVER_VERIFICATION=ON -DDISABLE_LIBSYSTEMD_FEATURE=ON -DCMAKE_MAKE_PROGRAM=/usr/bin/ninja --preset $PRESET -S /ziti-tunnel-sdk-c -B /ziti-tunnel-sdk-c/build
- |
cmake --build /ziti-tunnel-sdk-c/build --config Release
install:
- |
mkdir -p /rootfs/usr/local/lib/containers/openziti/usr/local/bin/
mv /ziti-tunnel-sdk-c/build/programs/ziti-edge-tunnel/Release/ziti-edge-tunnel /rootfs/usr/local/lib/containers/openziti/usr/local/bin/
finalize:
- from: /rootfs
to: /rootfs
- from: /pkg/manifest.yaml
to: /
- from: /pkg/openziti.yaml
to: /rootfs/usr/local/etc/containers/
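Review bot: `mkdir -p /vcpkg-git /vcpkg` in the third prepare step runs after `git clone ... /vcpkg` has already created that directory, and `/vcpkg-git` is never referenced again, so both can be dropped from the mkdir. The vcpkg checkout is pinned to commit `1de2026f...`, which is good, but the ports vcpkg itself fetches and builds for the tunneler's dependencies are not checksum-pinned in this file the way `edge-tunnel-source.tar.gz` is with `sha256`/`sha512`, so the build's supply chain is only as fixed as that vcpkg baseline; a comment making this explicit, or vendoring the needed ports, would help reviewers of future version bumps. Also, `-DCMAKE_MAKE_PROGRAM=/usr/bin/ninja` is hard-coded while both `ninja-build` and `ninja` appear under `install`; one package should suffice.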
1 change: 1 addition & 0 deletions network/openziti/vars.yaml
@@ -0,0 +1 @@
VERSION: "{{ .OPENZITI_TUNNELER_VERSION }}"
1 change: 1 addition & 0 deletions network/vars.yaml
@@ -1,2 +1,3 @@
# renovate: datasource=github-releases extractVersion=^v(?<version>.*)$ depName=tailscale/tailscale
TAILSCALE_VERSION: 1.70.0
OPENZITI_TUNNELER_VERSION: v1.1.2
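Review bot: `OPENZITI_TUNNELER_VERSION: v1.1.2` is added without the `# renovate:` annotation that the `TAILSCALE_VERSION` line above carries, so automated version tracking will not pick it up; add `# renovate: datasource=github-releases depName=openziti/ziti-tunnel-sdk-c` on the line before it (no `extractVersion` is needed here, because the value keeps the `v` prefix and pkg.yaml uses it directly as the release tag in the download URL).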
