mirrors/talos-extensions
1
0
Fork 0
mirror of https://github.com/siderolabs/extensions.git synced 2025-08-06 06:17:11 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat: tailscale extension

Browse Source 
Tailscale as a system service extension.
Creates network devices in the talos 'host'

Requires: https://github.com/siderolabs/talos/pull/7408

Signed-off-by: Noel Georgi <git@frezbo.dev>
Signed-off-by: beau trepp <beautrepp@gmail.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>
This commit is contained in:
beau trepp 2023-04-27 07:27:56 +08:00 committed by Noel Georgi
parent 30f24da0ce
commit 6c502e1095
No known key found for this signature in database
GPG Key ID: 21A9F444075C9E36
9 changed files with 200 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Makefile
View File

@ -52,6 +52,7 @@ TARGETS = \
nvidia-container-toolkit \
nvidia-fabricmanager \
nvidia-open-gpu-kernel-modules \
tailscale \
usb-modem-drivers
# Temporarily disabled, as mellanox-ofed fails to build with Linux 6.1

6
README.md
View File

@ -37,6 +37,12 @@ All system extensions provided by Sidero Labs can be found in the [ghcr.io regis
| [nvidia](nvidia-gpu/nvidia-modules/) | [ghcr.io/siderolabs/nvidia-open-gpu-kernel-modules](https://github.com/siderolabs/extensions/pkgs/container/nvidia-open-gpu-kernel-modules) | NVIDIA OSS Driver | `nvidia driver upstream version`-`talos version` |
| [usb-modem](drivers/usb-modem) | [ghcr.io/siderolabs/usb-modem-drivers](https://github.com/siderolabs/extensions/pkgs/container/usb-modem-drivers) | USB Modem drivers | `talos version` |
### Network
| Name | Image | Description | Version Format |
| ------------------------------- | ------------------------------------------------------------------------------------------------- | ---------------------------------- | ------------------ |
| [tailscale](network/tailscale/) | [ghcr.io/siderolabs/tailscale](https://github.com/siderolabs/extensions/pkgs/container/tailscale) | [Tailscale](https://tailscale.com) | `upstream version` |
### Storage
| Name | Image | Description | Version Format |

5
hack/release.toml
View File

@ -16,6 +16,11 @@ See [Talos Linux documentation](https://www.talos.dev/v1.5/talos-guides/configur
[notes]
[notes.tailscale]
title = "Tailscale"
description = """\
Tailscale is now supported as Talos System Extension. Requires Talos v1.5.0 or later.
"""
[notes.updates]
title = "Component Updates"

69
network/tailscale/README.md Normal file
View File

@ -0,0 +1,69 @@
# Tailscale
Adds https://tailscale.com network interfaces as system extensions.
This means you can access your talos nodes from machines you have configured
with tailscale
## Installation
Simplest install
```
machine:
install:
extensions:
- image: docker.io/btrepp/tailscale:1.40.0
files:
- content: |
TS_AUTHKEY=<your auth key>
permissions: 0o644
path: /var/etc/tailscale/auth.env
op: create
```
```
> talosctl apply -n node myconfig.yaml
> talosctl upgrade -n node
```
## Configuration
This extension runs containerboot https://pkg.go.dev/tailscale.com@v1.40.1/cmd/containerboot
Extra tailscale specific environment vars can be configured as needed in `/var/etc/tailscale/auth.env`
Current known env vars are:
TS_AUTHKEY: the authkey to use for login.
TS_HOSTNAME: the hostname to request for the node.
TS_ROUTES: subnet routes to advertise.
TS_DEST_IP: proxy all incoming Tailscale traffic to the given destination.
TS_TAILSCALED_EXTRA_ARGS: extra arguments to 'tailscaled'.
TS_EXTRA_ARGS: extra arguments to 'tailscale up'.
TS_USERSPACE: run with userspace networking (the default) instead of kernel networking.
TS_STATE_DIR: the directory in which to store tailscaled state. The data should persist across container restarts.
TS_ACCEPT_DNS: whether to use the tailnet's DNS configuration.
TS_KUBE_SECRET: the name of the Kubernetes secret in which to store tailscaled state.
TS_SOCKS5_SERVER: the address on which to listen for SOCKS5 proxying into the tailnet.
TS_OUTBOUND_HTTP_PROXY_LISTEN: the address on which to listen for HTTP proxying into the tailnet.
TS_SOCKET: the path where the tailscaled LocalAPI socket should be created.
TS_AUTH_ONCE: if true, only attempt to log in if not already logged in. If false (the default, for backwards compatibility), forcibly log in every time the container starts.
### Subnet routing
A pratical example is enabling subnetrouting
```
machine:
files:
- content: |
TS_AUTHKEY=<your auth key>
TS_ROUTES=10.96.0.0/12
permissions: 0o644
path: /var/etc/tailscale/auth.env
op: create
```
10.96.0.0/12 is the service subnet talos uses by default (if you use a custom one, you will need to change it).
This allows the k8s services to be available over tailscale (without an ingress controller!).
With this enabled, you can configure tailscales DNS to actually forward certain search domains
to coredns, making it very easy to access k8s services from an external device.

10
network/tailscale/manifest.yaml Normal file
View File

@ -0,0 +1,10 @@
version: v1alpha1
metadata:
name: tailscale
version: "$VERSION"
author: Beau Trepp
description: |
Tailscale connects your team's devices and development environments for easy access to remote resources.
compatibility:
talos:
version: ">= v1.5.0"

44
network/tailscale/pkg.yaml Normal file
View File

@ -0,0 +1,44 @@
name: tailscale
variant: scratch
shell: /toolchain/bin/bash
dependencies:
- stage: base
steps:
- env:
GOPATH: /go
- sources:
- url: https://github.com/tailscale/tailscale/archive/refs/tags/v{{ .TAILSCALE_VERSION }}.tar.gz
destination: tailscale.tar.gz
sha256: dc230cf3ac290140e573268a6e8f17124752ef064c8d3a86765a9dbb6f1bd354
sha512: d3bd5adf469cb2cc5a6e7df08fd9327d1b2492f7779dbf9e4158cc137dfcbe7c07c51f10adc142d5cd2827b837633722b585f2f20dfdd5821703fc9e4aed333d
prepare:
- |
sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
- |
mkdir tailscale dist
tar -xzvf tailscale.tar.gz --strip-components=1 -C tailscale
build:
- |
export PATH=${PATH}:${TOOLCHAIN}/go/bin
go build \
-C tailscale \
-o ../dist \
-ldflags "-X tailscale.com/version.shortStamp={{ .TAILSCALE_VERSION }} \
-X tailscale.com/version.longStamp={{ .TAILSCALE_VERSION }}-TalosLinux" \
tailscale.com/cmd/{tailscale,tailscaled,containerboot}
install:
- |
mkdir -p /rootfs/usr/local/lib/containers/tailscale/usr/local/bin/
cp -pr dist/tailscale /rootfs/usr/local/lib/containers/tailscale/usr/local/bin
cp -pr dist/tailscaled /rootfs/usr/local/lib/containers/tailscale/usr/local/bin
cp -pr dist/containerboot /rootfs/usr/local/lib/containers/tailscale/usr/local/bin
finalize:
- from: /rootfs
to: /rootfs
- from: /pkg/manifest.yaml
to: /
- from: /pkg/tailscale.yaml
to: /rootfs/usr/local/etc/containers/

62
network/tailscale/tailscale.yaml Normal file
View File

@ -0,0 +1,62 @@
name: tailscale
depends:
- service: cri
- network:
- addresses
- connectivity
- etcfiles
container:
entrypoint: /usr/local/bin/containerboot
environmentFile: /var/etc/tailscale/auth.env
environment:
- PATH=/sbin:/usr/local/bin
- TS_SOCKET=/var/run/tailscale/tailscaled.sock
- TS_STATE_DIR=/var/lib/tailscale
- TS_USERSPACE=false
security:
writeableRootfs: false
writeableSysfs: true
mounts:
# libs
- source: /lib
destination: /lib
type: bind
options:
- bind
- ro
# more libs
- source: /usr/lib
destination: /usr/lib
type: bind
options:
- bind
- ro
## Required for tailscale. Ip addr and other commands
- source: /sbin
destination: /sbin
type: bind
options:
- bind
- ro
## Tailscale needs to write to this to create the interfaces
- source: /dev/net/tun
destination: /dev/net/tun
type: bind
options:
- bind
- rw
## Tailscale socket
- source: /var/run/tailscale
destination: /var/run/tailscale
type: bind
options:
- bind
- rw
## Tailscale state. Particularly its 'auth' state
- source: /var/lib/tailscale
destination: /var/lib/tailscale
type: bind
options:
- bind
- rw
restart: always

1
network/tailscale/vars.yaml Normal file
View File

@ -0,0 +1 @@
VERSION: "{{ .TAILSCALE_VERSION }}"

2
network/vars.yaml Normal file
View File

@ -0,0 +1,2 @@
# renovate: datasource=github-releases extractVersion=^v(?<version>.*)$ depName=tailscale/tailscale
TAILSCALE_VERSION: 1.44.0