feat: tailscale extension

Tailscale as a system service extension.
Creates network devices in the talos 'host'

Requires: https://github.com/siderolabs/talos/pull/7408

Signed-off-by: Noel Georgi <git@frezbo.dev>
Signed-off-by: beau trepp <beautrepp@gmail.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>

Makefile

@@ -52,6 +52,7 @@ TARGETS = \
 		nvidia-container-toolkit \
 		nvidia-fabricmanager \
 		nvidia-open-gpu-kernel-modules \
+		tailscale \
 		usb-modem-drivers
 
 # Temporarily disabled, as mellanox-ofed fails to build with Linux 6.1

README.md

@@ -37,6 +37,12 @@ All system extensions provided by Sidero Labs can be found in the [ghcr.io regis
 | [nvidia](nvidia-gpu/nvidia-modules/) | [ghcr.io/siderolabs/nvidia-open-gpu-kernel-modules](https://github.com/siderolabs/extensions/pkgs/container/nvidia-open-gpu-kernel-modules) | NVIDIA OSS Driver                    | `nvidia driver upstream version`-`talos version`      |
 | [usb-modem](drivers/usb-modem)       | [ghcr.io/siderolabs/usb-modem-drivers](https://github.com/siderolabs/extensions/pkgs/container/usb-modem-drivers)                           | USB Modem drivers                    | `talos version`                                       |
 
+### Network
+
+| Name                            | Image                                                                                             | Description                        | Version Format     |
+| ------------------------------- | ------------------------------------------------------------------------------------------------- | ---------------------------------- | ------------------ |
+| [tailscale](network/tailscale/) | [ghcr.io/siderolabs/tailscale](https://github.com/siderolabs/extensions/pkgs/container/tailscale) | [Tailscale](https://tailscale.com) | `upstream version` |
+
 ### Storage
 
 | Name                                | Image                                                                                                 | Description        | Version Format                     |

hack/release.toml

@@ -16,6 +16,11 @@ See [Talos Linux documentation](https://www.talos.dev/v1.5/talos-guides/configur
 
 [notes]
 
+    [notes.tailscale]
+        title = "Tailscale"
+        description = """\
+Tailscale is now supported as Talos System Extension. Requires Talos v1.5.0 or later.
+"""
 
     [notes.updates]
         title = "Component Updates"

network/tailscale/README.md

@@ -0,0 +1,69 @@
+# Tailscale
+
+Adds https://tailscale.com network interfaces as system extensions.
+This means you can access your talos nodes from machines you have configured
+with tailscale
+
+## Installation
+
+Simplest install
+```
+machine:
+  install:
+    extensions:
+      - image: docker.io/btrepp/tailscale:1.40.0
+  files:
+    - content: |
+        TS_AUTHKEY=<your auth key>
+      permissions: 0o644
+      path: /var/etc/tailscale/auth.env
+      op: create
+```
+
+```
+> talosctl apply -n node myconfig.yaml
+> talosctl upgrade -n node
+```
+
+## Configuration
+
+This extension runs containerboot https://pkg.go.dev/tailscale.com@v1.40.1/cmd/containerboot
+
+Extra tailscale specific environment vars can be configured as needed in `/var/etc/tailscale/auth.env`
+
+Current known env vars are:
+
+TS_AUTHKEY: the authkey to use for login.
+TS_HOSTNAME: the hostname to request for the node.
+TS_ROUTES: subnet routes to advertise.
+TS_DEST_IP: proxy all incoming Tailscale traffic to the given destination.
+TS_TAILSCALED_EXTRA_ARGS: extra arguments to 'tailscaled'.
+TS_EXTRA_ARGS: extra arguments to 'tailscale up'.
+TS_USERSPACE: run with userspace networking (the default) instead of kernel networking.
+TS_STATE_DIR: the directory in which to store tailscaled state. The data should persist across container restarts.
+TS_ACCEPT_DNS: whether to use the tailnet's DNS configuration.
+TS_KUBE_SECRET: the name of the Kubernetes secret in which to store tailscaled state.
+TS_SOCKS5_SERVER: the address on which to listen for SOCKS5 proxying into the tailnet.
+TS_OUTBOUND_HTTP_PROXY_LISTEN: the address on which to listen for HTTP proxying into the tailnet.
+TS_SOCKET: the path where the tailscaled LocalAPI socket should be created.
+TS_AUTH_ONCE: if true, only attempt to log in if not already logged in. If false (the default, for backwards compatibility), forcibly log in every time the container starts.
+
+### Subnet routing
+
+A pratical example is enabling subnetrouting
+```
+machine:
+  files:
+    - content: |
+        TS_AUTHKEY=<your auth key>
+        TS_ROUTES=10.96.0.0/12
+      permissions: 0o644
+      path: /var/etc/tailscale/auth.env
+      op: create
+```
+
+10.96.0.0/12 is the service subnet talos uses by default (if you use a custom one, you will need to change it).
+This allows the k8s services to be available over tailscale (without an ingress controller!).
+
+With this enabled, you can configure tailscales DNS to actually forward certain search domains
+to coredns, making it very easy to access k8s services from an external device.

network/tailscale/manifest.yaml

@@ -0,0 +1,10 @@
+version: v1alpha1
+metadata:
+  name: tailscale
+  version: "$VERSION"
+  author: Beau Trepp
+  description: |
+    Tailscale connects your team's devices and development environments for easy access to remote resources.
+  compatibility:
+    talos:
+      version: ">= v1.5.0"

network/tailscale/pkg.yaml

@@ -0,0 +1,44 @@
+name: tailscale
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+  - stage: base
+steps:
+  - env:
+      GOPATH: /go
+  - sources:
+      - url: https://github.com/tailscale/tailscale/archive/refs/tags/v{{ .TAILSCALE_VERSION }}.tar.gz
+        destination: tailscale.tar.gz
+        sha256: dc230cf3ac290140e573268a6e8f17124752ef064c8d3a86765a9dbb6f1bd354
+        sha512: d3bd5adf469cb2cc5a6e7df08fd9327d1b2492f7779dbf9e4158cc137dfcbe7c07c51f10adc142d5cd2827b837633722b585f2f20dfdd5821703fc9e4aed333d
+    prepare:
+      - |
+        sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
+
+      - |
+        mkdir tailscale dist
+        tar -xzvf tailscale.tar.gz --strip-components=1 -C tailscale
+    build:
+      - |
+        export PATH=${PATH}:${TOOLCHAIN}/go/bin
+
+        go build \
+          -C tailscale \
+          -o ../dist \
+        	-ldflags "-X tailscale.com/version.shortStamp={{ .TAILSCALE_VERSION }} \
+         					  -X tailscale.com/version.longStamp={{ .TAILSCALE_VERSION }}-TalosLinux" \
+         tailscale.com/cmd/{tailscale,tailscaled,containerboot}
+    install:
+      - |
+        mkdir -p /rootfs/usr/local/lib/containers/tailscale/usr/local/bin/
+        cp -pr dist/tailscale /rootfs/usr/local/lib/containers/tailscale/usr/local/bin
+        cp -pr dist/tailscaled /rootfs/usr/local/lib/containers/tailscale/usr/local/bin
+        cp -pr dist/containerboot /rootfs/usr/local/lib/containers/tailscale/usr/local/bin
+
+finalize:
+  - from: /rootfs
+    to: /rootfs
+  - from: /pkg/manifest.yaml
+    to: /
+  - from: /pkg/tailscale.yaml
+    to: /rootfs/usr/local/etc/containers/

network/tailscale/tailscale.yaml

@@ -0,0 +1,62 @@
+name: tailscale
+depends:
+  - service: cri
+  - network:
+    - addresses
+    - connectivity
+    - etcfiles
+container:
+  entrypoint: /usr/local/bin/containerboot
+  environmentFile: /var/etc/tailscale/auth.env
+  environment:
+  - PATH=/sbin:/usr/local/bin
+  - TS_SOCKET=/var/run/tailscale/tailscaled.sock
+  - TS_STATE_DIR=/var/lib/tailscale
+  - TS_USERSPACE=false
+  security:
+    writeableRootfs: false
+    writeableSysfs: true
+  mounts:
+  # libs
+  - source: /lib
+    destination: /lib
+    type: bind
+    options:
+      - bind
+      - ro
+  # more libs
+  - source: /usr/lib
+    destination: /usr/lib
+    type: bind
+    options:
+      - bind
+      - ro
+  ## Required for tailscale. Ip addr and other commands
+  - source: /sbin
+    destination: /sbin
+    type: bind
+    options:
+      - bind
+      - ro
+  ## Tailscale needs to write to this to create the interfaces
+  - source: /dev/net/tun
+    destination: /dev/net/tun
+    type: bind
+    options:
+      - bind
+      - rw
+  ## Tailscale socket
+  - source: /var/run/tailscale
+    destination: /var/run/tailscale
+    type: bind
+    options:
+      - bind
+      - rw
+  ## Tailscale state. Particularly its 'auth' state
+  - source: /var/lib/tailscale
+    destination: /var/lib/tailscale
+    type: bind
+    options:
+      - bind
+      - rw
+restart: always

network/tailscale/vars.yaml

@@ -0,0 +1 @@
+VERSION: "{{ .TAILSCALE_VERSION }}"

network/vars.yaml

@@ -0,0 +1,2 @@
+# renovate: datasource=github-releases extractVersion=^v(?<version>.*)$ depName=tailscale/tailscale
+TAILSCALE_VERSION: 1.44.0