
feat: add openziti network extension #454

Open. Wants to merge 1 commit into base: main
Conversation

@nenkoru nenkoru commented Aug 17, 2024

Adds system extension to run OpenZiti edge tunneler which allows serving Talos nodes network resources over the overlay network.

OpenZiti is a free and open source project focused on bringing zero trust networking principles directly into any application. The project provides all the pieces required to implement a zero trust overlay network and provides all the tools necessary to integrate zero trust into your existing solutions. The OpenZiti project believes the principles of zero trust shouldn't stop at your network, those ideas belong in your application.
https://openziti.io
https://github.com/openziti

@nenkoru nenkoru force-pushed the network-openziti-extension branch from 7c6d295 to 3cebc5a on August 17, 2024 11:09
@nenkoru nenkoru (Author) commented Aug 17, 2024

Idk how to solve the gpg-identity EOF issue.
I use my SSH key to sign commits.
Regarding number-of-commits: idk as well, branched from the main upstream.

@nenkoru nenkoru force-pushed the network-openziti-extension branch from 3cebc5a to 9e26b1e on August 17, 2024 11:14

Adds OpenZiti's system extension to be run on the Talos node, allowing it to serve Talos node network resources
over the overlay network.

Signed-off-by: Chernenko Ruslan <[email protected]>
@nenkoru nenkoru force-pushed the network-openziti-extension branch from 9e26b1e to e983aff on August 17, 2024 11:16

@frezbo frezbo (Member) commented Aug 17, 2024

Idk how to solve gpg-identity EOF issue

you can ignore the gpg check; it checks whether the commit is also signed by a member of the org

Regarding number-of-commits - idk as well, branched from the main upstream.

the checks are passing, so all good

- ninja
- zlib-static
dependencies:
- image: "ghcr.io/siderolabs/tools:v1.7.0-4-gc844dc3"
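Review bot: the `dependencies` entry on the last line pins the toolchain image by a mutable tag (`ghcr.io/siderolabs/tools:v1.7.0-4-gc844dc3`) rather than an immutable digest, so a retagged image would silently change what this extension is built with; either drop the explicit image in favour of the repository's base build stage, or pin it with `@sha256:<digest>` so the build input cannot drift. The `zlib-static` and `ninja` build dependencies listed above should also be justified in the PR description, since they are not part of the usual extension toolchain.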
Member
this looks a bit strange... we usually build from base layer which contains toolchain (tools) and don't use alpine for the build. is there anything missing?

@nenkoru nenkoru (Author) Aug 17, 2024

There is no zlib-static, zip, or unzip when using scratch, and it's impossible to use the install directive as the apk manager doesn't exist in the 'scratch' variant.
Vcpkg relies on having zip and unzip as it downloads dependencies in that format.
Zlib-static is required to link an executable against it, as there is no zlib in the host /usr/lib folder;
the build process doesn't build zlib from sources and it has to be manually retrieved from the alpine packages repo in this case.

Member

zlib should be available though, as should zip and unzip; there will be no apk of course.

vcpkg downloads dependencies? does it pin them in a secure way?

Author

I guess I could just change to using the 'base' stage instead of explicitly binding to a tools image here.
The build seems to work fine with that. But idk what to do with those zip, unzip, zlib-static, and ninja deps.

Author

zlib should be available though, as should zip and unzip; there will be no apk of course.

vcpkg downloads dependencies? does it pin them in a secure way?

Yes, it does, by verifying their sha512sum, as far as I could tell from skimming the code.

Member

hmm, then this extension needs to add its build-time dependencies, like qemu-guest-agent does for example

Author

hmm, then this extension needs to add its build-time dependencies, like qemu-guest-agent does for example

I guess it would be hard to do as it heavily depends on vcpkg as the dependency manager.
Maybe I could try working on creating static builds and then pulling them within the build process. Would this be okay?

Author

I mean pulling them from the releases page, as you suggested above.

Member

yes, let's try static builds from the releases page. How big are those?

Author

yes, let's try static builds from the releases page. How big are those?

Well, around 5MB. I am currently working on building those using gh workflows, just having a linker issue with CMake trying to link libpthread.so instead of libpthread.a.
openziti/ziti-tunnel-sdk-c#938
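Pulling a prebuilt static tunneler from the releases page, as agreed above, only answers the "does it pin them in a secure way?" question if the build step checks the downloaded asset against a digest recorded in the repository. The snippet below is an added example of that check (not code from this PR or from OpenZiti): `verify_asset` is a hypothetical helper, and the expected digest for a real release asset would be looked up from the release's checksum file and committed alongside the version.

```shell
#!/bin/sh
# Added example, not part of the PR: refuse to install a downloaded release
# asset unless its SHA-512 matches the digest pinned in the build recipe.
# In the extension's pkg.yaml this would run right after the download step
# and before the binary is copied into the rootfs.

# Print the SHA-512 of a file as a bare hex string; prefer coreutils,
# fall back to perl's shasum where coreutils is not installed.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 512 "$1" | cut -d ' ' -f 1
  fi
}

# verify_asset FILE EXPECTED_SHA512
# Returns 0 when FILE exists and its digest equals EXPECTED_SHA512,
# 1 otherwise (missing file or mismatch), printing the mismatch to stderr
# so a CI log shows exactly what was downloaded.
verify_asset() {
  file=$1
  expected=$2
  if [ ! -f "$file" ]; then
    echo "missing asset: $file" >&2
    return 1
  fi
  actual=$(sha512_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "sha512 mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# Example wiring (placeholder values, not a real release):
#   ZITI_TUNNEL_SHA512=<digest from the release checksum file>
#   verify_asset /tmp/ziti-edge-tunnel "$ZITI_TUNNEL_SHA512" || exit 1
```

Because the pinned digest lives in the repository, bumping the tunneler version becomes a reviewable change to both the version and the digest rather than an unverified fetch at build time.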

sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml

- |
mkdir -p /vcpkg-git /vcpkg /ziti-tunnel-sdk-c/build
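Review bot: the `sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml` line uses `#` as the substitution delimiter, so a rendered `{{ .VERSION }}` containing `#` would break the expression and corrupt the manifest; use a delimiter that cannot occur in a version string. The `mkdir -p /vcpkg-git /vcpkg /ziti-tunnel-sdk-c/build` line implies vcpkg is cloned and bootstrapped during the build, which should be pinned to a specific vcpkg commit (and a fixed ports baseline) so the dependencies whose sha512 sums vcpkg checks are the ones that were reviewed, not whatever the default branch resolves to at build time.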
Member

why are we building an SDK? that doesn't make sense; shouldn't it be using this https://github.com/openziti/ziti/?

Author

why are we building an SDK? that doesn't make sense; shouldn't it be using this https://github.com/openziti/ziti/?

No, we shouldn't. The OpenZiti tunneler is exactly for hosting or tunneling. The main ziti repo is for the other part of the OpenZiti project, which provides a controller, router, etc.

Author

The tunneler is just a daemon that runs on the host machines and allows putting network communication on, or taking it from, the overlay network it creates. For Talos it's impossible to change routing from the extension, so the tunneler runs in 'run-host' mode, which allows offloading overlay traffic onto the underlay network.
