feat: add Nebula extension to Talos

add Nebula extension.

Signed-off-by: iamawacko <iamawacko@protonmail.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>
iamawacko 2025-02-11 13:04:12 -08:00 committed by Noel Georgi
parent f5c4efaefc
commit c6b6c61509
12 changed files with 148 additions and 0 deletions


@ -29,6 +29,7 @@ spec:
- mdadm
- mei
- metal-agent
- nebula
- nut-client
- nvidia-container-toolkit-lts
- nvidia-container-toolkit-production


@ -36,6 +36,7 @@ If the field is marked as `Needs Maintainer`, it means that the package is curre
| mdadm | Serge Logvinov | [sergelogvinov](https://github.com/sergelogvinov) |
| mei | Nick Meyer | [e3b0c442](https://github.com/e3b0c442) |
| metal-agent | Sidero Labs | NA |
| nebula | s e | [iamwacko](https://github.com/iamwacko) |
| nut-client | Sidero Labs | NA |
| nvidia-container-toolkit-lts | Sidero Labs | NA |
| nivida-container-toolkit-production | Sidero Labs | NA |


@ -80,6 +80,7 @@ TARGETS += lldpd
TARGETS += mdadm
TARGETS += mei
TARGETS += metal-agent
TARGETS += nebula
TARGETS += nut-client
TARGETS += nvidia-container-toolkit-lts
TARGETS += nvidia-container-toolkit-production


@ -99,6 +99,7 @@ cosign verify --certificate-identity-regexp '@siderolabs\.com$' --certificate-oi
| Name | Image | Description | Version Format |
| ----------------------------------- | ----------------------------------------------------------------------------------------------------- | --------------------------------------------------------- | ------------------ |
| [cloudflared](network/cloudflared/) | [ghcr.io/siderolabs/cloudflared](https://github.com/siderolabs/extensions/pkgs/container/cloudflared) | [Cloudflared](https://github.com/cloudflare/cloudflared/) | `upstream version` |
| [nebula](network/nebula/) | [ghcr.io/siderolabs/cloudflared](https://github.com/siderolabs/extensions/pkgs/container/nebula) | [Nebula](https://github.com/slackhq/nebula) | `upstream version` |
| [lldpd](network/lldpd/) | [ghcr.io/siderolabs/lldpd](https://github.com/siderolabs/extensions/pkgs/container/lldpd) | [LLDP](https://github.com/lldpd/lldpd) | `upstream version` |
| [tailscale](network/tailscale/) | [ghcr.io/siderolabs/tailscale](https://github.com/siderolabs/extensions/pkgs/container/tailscale) | [Tailscale](https://tailscale.com) | `upstream version` |
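Review bot: The image column of the new nebula row reads `ghcr.io/siderolabs/cloudflared` while its link target is the nebula package, which looks copy-pasted from the cloudflared row above; anyone copying the reference from the table pulls the wrong extension image. Change the cell to `[ghcr.io/siderolabs/nebula](https://github.com/siderolabs/extensions/pkgs/container/nebula)`. The row also breaks the table's alphabetical order (cloudflared, lldpd, tailscale); placing it between lldpd and tailscale keeps the list sorted.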


@ -32,6 +32,12 @@ NVIDIA LTS: 535.230.02
NVIDIA Production: 550.144.03
NVIDIA Container Toolkit: 1.17.4
Intel u-code: 20250211
"""
[notes.nebula]
title = "Nebula"
description = """\
[Nebula](https://github.com/slackhq/nebula) is now supported as a system extension.
"""
[make_deps]

51
network/nebula/README.md Normal file

@ -0,0 +1,51 @@
# Nebula
https://github.com/slackhq/nebula
## Installation
See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
## Usage
Configure the extension via `ExtensionServiceConfig` document. You can add any nebula related configuration and these will be executed at Nebula startup.
```yaml
---
apiVersion: v1alpha1
kind: ExtensionServiceConfig
name: nebula
configFiles:
- content: |
pki:
ca: /usr/local/etc/nebula/ca.crt
cert: /usr/local/etc/nebula/node.crt
key: /usr/local//etc/nebula/node.key
mountPath: /usr/local/etc/nebula/config.yml
- content: |
-----BEGIN NEBULA CERTIFICATE-----
-----END NEBULA CERTIFICATE-----
mountPath: /usr/local/etc/nebula/ca.crt
- content: |
-----BEGIN NEBULA CERTIFICATE-----
-----END NEBULA CERTIFICATE-----
mountPath: /usr/local/etc/nebula/node.crt
- content: |
-----BEGIN NEBULA ED25519 PRIVATE KEY-----
-----END NEBULA ED25519 PRIVATE KEY-----
mountPath: /usr/local/etc/nebula/node.key
```
Then apply the patch to your node's MachineConfigs
```bash
talosctl patch mc -p @nebula-config.yaml
```
You will then be able to verify that it is in place with the following command
```bash
talosctl get extensionserviceconfigs
NODE NAMESPACE TYPE ID VERSION
mynode runtime ExtensionServiceConfig nebula 1
```
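Review bot: The example Nebula config has a doubled slash on the `key:` line, `/usr/local//etc/nebula/node.key`; it resolves on Linux but does not match the `mountPath` given for the same file a few lines below, so write `key: /usr/local/etc/nebula/node.key`. Because the example places the node's private key in the machine config through `ExtensionServiceConfig`, a sentence after the block stating that the machine config then contains key material and should be stored and transmitted accordingly would help operators. The rendered hunk has lost the YAML indentation, so the nesting of `content:` and `mountPath:` under `configFiles:` cannot be checked here.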


@ -0,0 +1,10 @@
version: v1alpha1
metadata:
name: nebula
version: "$VERSION"
author: iamwacko
description: |
A scalable overlay networking tool with a focus on performance, simplicity and security
compatibility:
talos:
version: ">= v1.5.0"
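Review bot: `author: iamwacko` does not match the `iamawacko` handle in the commit's sign-off line, and the MAINTAINERS row added in this commit uses the `iamwacko` spelling for its GitHub link as well; please confirm which is the real account so the maintainer link resolves. Both places should use the same spelling.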


@ -0,0 +1,24 @@
name: nebula
depends:
- service: cri
- network:
- addresses
- connectivity
- etcfiles
- configuration: true
container:
entrypoint: /usr/local/bin/nebula
args:
- -config
- /usr/local/etc/nebula/config.yml
security:
writeableRootfs: false
writeableSysfs: true
## Nebula needs to write to this to create the interfaces
- source: /dev/net/tun
destination: /dev/net/tun
type: bind
options:
- bind
- rw
restart: always
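Review bot: The bind-mount entries beginning at `- source: /dev/net/tun` appear without a `mounts:` key between `writeableSysfs: true` and the `##` comment; the hunk header's 24 added lines match the 24 lines shown, so the rendering does not seem to have dropped a line. If the file really lacks the key, that sequence is not a valid child of `security:` and the service spec should fail to load, so please confirm the file reads `mounts:` before `- source:`. The comment `## Nebula needs to write to this to create the interfaces` follows `writeableSysfs: true` but appears to describe the `/dev/net/tun` mount; move it directly above the mount with a single `#`, and if a writeable sysfs is also required, say why in a separate comment — otherwise `writeableSysfs: false` is the least-privilege setting.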

49
network/nebula/pkg.yaml Normal file

@ -0,0 +1,49 @@
name: nebula
variant: scratch
shell: /bin/bash
dependencies:
- stage: base
steps:
- env:
GOPATH: /tmp/go
- cachePaths:
- /.cache/go-build
- /tmp/go/pkg
sources:
- url: https://github.com/slackhq/nebula/archive/refs/tags/v{{ .NEBULA_VERSION}}.tar.gz
destination: nebula.tar.gz
sha256: 5f7000e943cbe8cc7d7e2651ee2301121654fe1f51902f010ca908ac9ca0eede
sha512: efdbceb05e0aa3958f81e6915d94f08a18e979ecf7cdf52c3158750a4b6131a72f15f1cb67b6756f8520ec7b2e2a57a437212d5386373abe9545ba7709bacbb3
- network: default
prepare:
- |
sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
- |
mkdir nebula
tar -xzvf nebula.tar.gz --strip-components=1 -C nebula
- |
cd nebula
go mod download
- network: none
build:
- |
cd nebula
make bin
install:
- |
mkdir -p /rootfs/usr/local/lib/containers/nebula/usr/local/bin/
cp -pr nebula/nebula /rootfs/usr/local/lib/containers/nebula/usr/local/bin
- |
mkdir -p /rootfs/usr/local/etc/containers
cp /pkg/nebula.yaml /rootfs/usr/local/etc/containers/
test:
- |
mkdir -p /extensions-validator-rootfs
cp -r /rootfs/ /extensions-validator-rootfs/rootfs
cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
/extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
finalize:
- from: /rootfs
to: /rootfs
- from: /pkg/manifest.yaml
to: /
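Review bot: The source URL template `{{ .NEBULA_VERSION}}` is missing the space before `}}` that `{{ .VERSION }}` in the sed step and vars.yaml use; it renders the same, but for consistency write `v{{ .NEBULA_VERSION }}.tar.gz`. Pinning the tarball with sha256 and sha512 and switching to `network: none` for the build step is good; since the modules pulled by `go mod download` are checked against the go.sum inside that tarball, a future version bump must refresh both hashes together. A short comment above `make bin` naming the artifact it produces (`nebula/nebula`, which the install step copies) would keep the two steps in sync.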

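--- a/network/nebula/vars.yaml
+++ b/network/nebula/vars.yaml
@@ -0,0 +1 @@
+VERSION: "{{ .NEBULA_VERSION }}"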


@ -4,3 +4,5 @@ TAILSCALE_VERSION: 1.78.1
LLDPD_VERSION: 1.0.19
# renovate: datasource=github-releases depName=cloudflare/cloudflared
CLOUDFLARED_VERSION: 2024.12.1
# renovate: datasource=github-releases extractVersion=^v(?<version>.*)$ depName=slackhq/nebula
NEBULA_VERSION: 1.9.5


@ -69,6 +69,7 @@ dependencies:
# - stage: spin
- stage: stargz-snapshotter
- stage: tailscale
- stage: nebula
# thunderbolt can be ignored from reproducibility test since it's kernel modules copied from pkgs
# - stage: thunderbolt
# uinput can be ignored from reproducibility test since it's kernel modules copied from pkgs