diff --git a/.drone.jsonnet b/.drone.jsonnet index 4a0d534d2..3f6cbf0b1 100644 --- a/.drone.jsonnet +++ b/.drone.jsonnet @@ -651,6 +651,13 @@ local integration_siderolink = Step('e2e-siderolink', target='e2e-qemu', privile REGISTRY: local_registry, }); +local integration_siderolink_tunnel = Step('e2e-siderolink-tunnel', target='e2e-qemu', privileged=true, depends_on=[integration_siderolink], environment={ + SHORT_INTEGRATION_TEST: 'yes', + WITH_SIDEROLINK_AGENT: 'tunnel', + VIA_MAINTENANCE_MODE: 'true', + REGISTRY: local_registry, +}); + local push_edge = { name: 'push-edge', image: 'autonomy/build-container:latest', @@ -705,6 +712,7 @@ local integration_pipelines = [ integration_kubespan, integration_default_hostname, integration_siderolink, + integration_siderolink_tunnel, ]) + integration_trigger(['integration-misc']), Pipeline('integration-extensions', default_pipeline_steps + integration_extensions) + integration_trigger(['integration-extensions']), Pipeline('integration-cilium', default_pipeline_steps + [integration_cilium, integration_cilium_strict, integration_cilium_strict_kubespan]) + integration_trigger(['integration-cilium']), diff --git a/.golangci.yml b/.golangci.yml index 26a23ef63..3fea0924b 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -97,6 +97,8 @@ linters-settings: - gopkg.in/yaml.v3 - github.com/coredns/coredns - github.com/mdlayher/kobject + - golang.zx2c4.com/wireguard + - golang.zx2c4.com/wireguard/wgctrl retract-allow-no-explanation: false exclude-forbidden: true diff --git a/cmd/talosctl/cmd/mgmt/cluster/create.go b/cmd/talosctl/cmd/mgmt/cluster/create.go index 7770e1d22..7483ac6ee 100644 --- a/cmd/talosctl/cmd/mgmt/cluster/create.go +++ b/cmd/talosctl/cmd/mgmt/cluster/create.go 
@@ -23,6 +23,7 @@ import (
 "github.com/dustin/go-humanize"
 "github.com/google/uuid"
 "github.com/hashicorp/go-getter/v2"
+ "github.com/siderolabs/gen/maps"
 "github.com/siderolabs/go-blockdevice/blockdevice/encryption"
 "github.com/siderolabs/go-kubeconfig"
 "github.com/siderolabs/go-pointer"
@@ -174,7 +175,7 @@ var (
 diskEncryptionKeyTypes []string
 withFirewall string
 withUUIDHostnames bool
- withSiderolinkAgent bool
+ withSiderolinkAgent agentFlag
 )
 
 // createCmd represents the cluster up command.
@@ -425,7 +426,7 @@ func create(ctx context.Context, flags *pflag.FlagSet) error {
 provision.WithTPM2(tpm2Enabled),
 provision.WithExtraUEFISearchPaths(extraUEFISearchPaths),
 provision.WithTargetArch(targetArch),
- provision.WithSiderolinkAgent(withSiderolinkAgent),
+ provision.WithSiderolinkAgent(withSiderolinkAgent.IsEnabled()),
 }
 
 var configBundleOpts []bundle.Option
@@ -746,42 +747,22 @@ func create(ctx context.Context, flags *pflag.FlagSet) error { var extraKernelArgs *procfs.Cmdline - if extraBootKernelArgs != "" { + if extraBootKernelArgs != "" || withSiderolinkAgent.IsEnabled() { extraKernelArgs = procfs.NewCmdline(extraBootKernelArgs) } - wgNodeGen := makeNodeAddrGenerator() + var slb *siderolinkBuilder - if withSiderolinkAgent { - if extraKernelArgs == nil { - extraKernelArgs = procfs.NewCmdline("") - } - - if extraKernelArgs.Get("siderolink.api") != nil || extraKernelArgs.Get("talos.events.sink") != nil || extraKernelArgs.Get("talos.logging.kernel") != nil { - return errors.New("siderolink kernel arguments are already set, cannot run with --with-siderolink") - } - - wgHost := gatewayIPs[0].String() - - ports, err := getDynamicPorts() + if withSiderolinkAgent.IsEnabled() { + slb, err = newSiderolinkBuilder(gatewayIPs[0].String()) if err != nil { return err } + } - request.SiderolinkRequest.WireguardEndpoint = net.JoinHostPort(wgHost, ports.wgPort) - request.SiderolinkRequest.APIEndpoint = ":" + ports.apiPort - request.SiderolinkRequest.SinkEndpoint = ":" + ports.sinkPort - request.SiderolinkRequest.LogEndpoint = ":" + ports.logPort - - agentNodeAddr := wgNodeGen.GetAgentNodeAddr() - - apiLink := "grpc://" + net.JoinHostPort(wgHost, ports.apiPort) + "?jointoken=foo" - sinkURL := net.JoinHostPort(agentNodeAddr, ports.sinkPort) - kernelURL := "tcp://" + net.JoinHostPort(agentNodeAddr, ports.logPort) - - extraKernelArgs.Append("siderolink.api", apiLink) - extraKernelArgs.Append("talos.events.sink", sinkURL) - extraKernelArgs.Append("talos.logging.kernel", kernelURL) + err = slb.SetKernelArgs(extraKernelArgs, withSiderolinkAgent.IsTunnel()) + if err != nil { + return err } // Add talosconfig to provision options, so we'll have it to parse there 
@@ -798,15 +779,9 @@ func create(ctx context.Context, flags *pflag.FlagSet) error { nodeUUID := uuid.New() - if withSiderolinkAgent { - var generated netip.Addr - - generated, err = wgNodeGen.GenerateRandomNodeAddr() - if err != nil { - return err - } - - request.SiderolinkRequest.AddBind(nodeUUID, generated) + err = slb.DefineIPv6ForUUID(nodeUUID) + if err != nil { + return err } nodeReq := provision.NodeRequest{ @@ -869,15 +844,9 @@ func create(ctx context.Context, flags *pflag.FlagSet) error { nodeUUID := uuid.New() - if withSiderolinkAgent { - var generated netip.Addr - - generated, err = wgNodeGen.GenerateRandomNodeAddr() - if err != nil { - return err - } - - request.SiderolinkRequest.AddBind(nodeUUID, generated) + err = slb.DefineIPv6ForUUID(nodeUUID) + if err != nil { + return err } request.Nodes = append(request.Nodes, @@ -896,6 +865,8 @@ func create(ctx context.Context, flags *pflag.FlagSet) error { }) } + request.SiderolinkRequest = slb.SiderolinkRequest() + cluster, err := provisioner.Create(ctx, request, provisionOptions...) if err != nil { return err @@ -1213,7 +1184,7 @@ func init() { createCmd.Flags().IntVar(&bandwidth, "with-network-bandwidth", 0, "specify bandwidth restriction (in kbps) on the bridge interface when creating a qemu cluster") createCmd.Flags().StringVar(&withFirewall, firewallFlag, "", "inject firewall rules into the cluster, value is default policy - accept/block (QEMU only)") createCmd.Flags().BoolVar(&withUUIDHostnames, "with-uuid-hostnames", false, "use machine UUIDs as default hostnames (QEMU only)") - createCmd.Flags().BoolVar(&withSiderolinkAgent, "with-siderolink", false, "enables the use of siderolink agent as configuration apply mechanism") + createCmd.Flags().Var(&withSiderolinkAgent, "with-siderolink", "enables the use of siderolink agent as configuration apply mechanism. `true` or `wireguard` enables the agent, `tunnel` enables the agent with grpc tunneling") //nolint:lll Cmd.AddCommand(createCmd) } 
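Review bot: The usage string on the new `createCmd.Flags().Var(&withSiderolinkAgent, "with-siderolink", ...)` line wraps `true` in backticks, and pflag treats the first backticked word of a usage string as the value placeholder — the regenerated reference in this same change shows the result, `--with-siderolink true enables the use of siderolink agent ... (default none)`, with the first `true` pulled out of the sentence and `agentFlag.Type()` never displayed. Dropping the backticks around that word, e.g. `'true' or 'wireguard' enables the agent, 'tunnel' enables the agent with grpc tunneling`, fixes the rendering. Moving from `BoolVar` to `Var` also means a bare `--with-siderolink` no longer parses; the e2e script is updated to pass `=${WITH_SIDEROLINK_AGENT}`, but any other invocation using the old spelling now fails, so if it should keep working add `createCmd.Flags().Lookup("with-siderolink").NoOptDefVal = "true"` right after the registration. The enclosing `init` starts outside the hunk.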
@@ -1254,51 +1225,124 @@ func checkForDefinedGenFlag(flags *pflag.FlagSet) string { return "" } -type generatedPorts struct { - wgPort string - apiPort string - sinkPort string - logPort string -} +func newSiderolinkBuilder(wgHost string) (*siderolinkBuilder, error) { + prefix, err := networkPrefix("") + if err != nil { + return nil, err + } + + result := &siderolinkBuilder{ + wgHost: wgHost, + binds: map[uuid.UUID]netip.Addr{}, + prefix: prefix, + nodeIPv6Addr: prefix.Addr().Next().String(), + } -func getDynamicPorts() (generatedPorts, error) { var resultErr error for range 10 { - wgPort, err := getDynamicPort("udp") - if err != nil { - return generatedPorts{}, fmt.Errorf("failed to get dynamic port for WireGuard: %w", err) + for _, d := range []struct { + field *int + net string + what string + }{ + {&result.wgPort, "udp", "WireGuard"}, + {&result.apiPort, "tcp", "gRPC API"}, + {&result.sinkPort, "tcp", "Event Sink"}, + {&result.logPort, "tcp", "Log Receiver"}, + } { + var err error + + *d.field, err = getDynamicPort(d.net) + if err != nil { + return nil, fmt.Errorf("failed to get dynamic port for %s: %w", d.what, err) + } } - apiPort, err := getDynamicPort("tcp") - if err != nil { - return generatedPorts{}, fmt.Errorf("failed to get dynamic port for GRPC API: %w", err) + resultErr = checkPortsDontOverlap(result.wgPort, result.apiPort, result.sinkPort, result.logPort) + if resultErr == nil { + break } - - sinkPort, err := getDynamicPort("tcp") - if err != nil { - return generatedPorts{}, fmt.Errorf("failed to get dynamic port for Sink: %w", err) - } - - logPort, err := getDynamicPort("tcp") - if err != nil { - return generatedPorts{}, fmt.Errorf("failed to get dynamic port for Log: %w", err) - } - - resultErr = checkPortsDontOverlap(wgPort, apiPort, sinkPort, logPort) - if resultErr != nil { - continue - } - - return generatedPorts{ - wgPort: strconv.Itoa(wgPort), - apiPort: strconv.Itoa(apiPort), - sinkPort: strconv.Itoa(sinkPort), - logPort: 
strconv.Itoa(logPort), - }, nil } - return generatedPorts{}, fmt.Errorf("failed to get non-overlapping dynamic ports in 10 attempts: %w", resultErr) + if resultErr != nil { + return nil, fmt.Errorf("failed to get non-overlapping dynamic ports in 10 attempts: %w", resultErr) + } + + return result, nil +} + +type siderolinkBuilder struct { + wgHost string + + binds map[uuid.UUID]netip.Addr + prefix netip.Prefix + nodeIPv6Addr string + wgPort int + apiPort int + sinkPort int + logPort int +} + +// DefineIPv6ForUUID defines an IPv6 address for a given UUID. It is safe to call this method on a nil pointer. +func (slb *siderolinkBuilder) DefineIPv6ForUUID(id uuid.UUID) error { + if slb == nil { + return nil + } + + result, err := generateRandomNodeAddr(slb.prefix) + if err != nil { + return err + } + + slb.binds[id] = result.Addr() + + return nil +} + +// SiderolinkRequest returns a SiderolinkRequest based on the current state of the builder. +// It is safe to call this method on a nil pointer. +func (slb *siderolinkBuilder) SiderolinkRequest() provision.SiderolinkRequest { + if slb == nil { + return provision.SiderolinkRequest{} + } + + return provision.SiderolinkRequest{ + WireguardEndpoint: net.JoinHostPort(slb.wgHost, strconv.Itoa(slb.wgPort)), + APIEndpoint: ":" + strconv.Itoa(slb.apiPort), + SinkEndpoint: ":" + strconv.Itoa(slb.sinkPort), + LogEndpoint: ":" + strconv.Itoa(slb.logPort), + SiderolinkBind: maps.ToSlice(slb.binds, func(k uuid.UUID, v netip.Addr) provision.SiderolinkBind { + return provision.SiderolinkBind{ + UUID: k, + Addr: v, + } + }), + } +} + +// SetKernelArgs sets the kernel arguments for the current builder. It is safe to call this method on a nil pointer. 
+func (slb *siderolinkBuilder) SetKernelArgs(extraKernelArgs *procfs.Cmdline, tunnel bool) error { + switch { + case slb == nil: + return nil + case extraKernelArgs.Get("siderolink.api") != nil, + extraKernelArgs.Get("talos.events.sink") != nil, + extraKernelArgs.Get("talos.logging.kernel") != nil: + return errors.New("siderolink kernel arguments are already set, cannot run with --with-siderolink") + default: + apiLink := "grpc://" + net.JoinHostPort(slb.wgHost, strconv.Itoa(slb.apiPort)) + "?jointoken=foo" + + if tunnel { + apiLink += "&grpc_tunnel=true" + } + + extraKernelArgs.Append("siderolink.api", apiLink) + extraKernelArgs.Append("talos.events.sink", net.JoinHostPort(slb.nodeIPv6Addr, strconv.Itoa(slb.sinkPort))) + extraKernelArgs.Append("talos.logging.kernel", "tcp://"+net.JoinHostPort(slb.nodeIPv6Addr, strconv.Itoa(slb.logPort))) + + return nil + } } func getDynamicPort(network string) (int, error) { @@ -1361,3 +1405,33 @@ func checkPortsDontOverlap(ports ...int) error { return nil } + +type agentFlag uint8 + +func (a *agentFlag) String() string { + switch *a { + case 1: + return "wireguard" + case 2: + return "grpc-tunnel" + default: + return "none" + } +} + +func (a *agentFlag) Set(s string) error { + switch s { + case "true", "wireguard": + *a = 1 + case "tunnel": + *a = 2 + default: + return fmt.Errorf("unknown type: %s, possible values: 'true', 'wireguard' for the usual WG; 'tunnel' for WG over GRPC", s) + } + + return nil +} + +func (a *agentFlag) Type() string { return "agent" } +func (a *agentFlag) IsEnabled() bool { return *a != 0 } +func (a *agentFlag) IsTunnel() bool { return *a == 2 } diff --git a/cmd/talosctl/cmd/mgmt/cluster/create_linux.go b/cmd/talosctl/cmd/mgmt/cluster/create_linux.go new file mode 100644 index 000000000..8d07e6048 --- /dev/null +++ b/cmd/talosctl/cmd/mgmt/cluster/create_linux.go 
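Review bot: `DefineIPv6ForUUID` drops the duplicate checks that the removed `SiderolinkRequest.AddBind` used to enforce: a repeated UUID now silently overwrites the earlier entry in `slb.binds`, and two UUIDs that draw the same random address from `generateRandomNodeAddr` are not detected at all, so two nodes could be provisioned with one SideroLink address. The builder owns the map, so both checks are cheap to keep here (below); `SiderolinkRequest()` additionally now emits `SiderolinkBind` in `maps.ToSlice` order, which varies between runs, and its doc comment should say so if nothing depends on ordering. `SetKernelArgs` calls `extraKernelArgs.Get` on a `*procfs.Cmdline` it never nil-checks — `create` only guarantees it is non-nil through the `|| withSiderolinkAgent.IsEnabled()` condition — so a `case extraKernelArgs == nil:` arm returning an error would make the method safe on its own. Separately, the `jointoken=foo` literal and the `:port` (all-interfaces) `APIEndpoint`/`SinkEndpoint`/`LogEndpoint` binds carry over from the old code; a one-line comment marking them as development-only defaults for the local QEMU cluster would stop a reader from mistaking the token for real authentication. `getDynamicPort` begins on the hunk's last line and continues outside it.
```go
// … unchanged: newSiderolinkBuilder, siderolinkBuilder type …

// DefineIPv6ForUUID defines an IPv6 address for a given UUID. It is safe to call this method on a nil pointer.
// A UUID that was already defined, or a generated address that collides with one already handed out, is rejected.
func (slb *siderolinkBuilder) DefineIPv6ForUUID(id uuid.UUID) error {
	if slb == nil {
		return nil
	}

	if _, exists := slb.binds[id]; exists {
		return fmt.Errorf("duplicate UUID %s in SideroLink bind", id)
	}

	result, err := generateRandomNodeAddr(slb.prefix)
	if err != nil {
		return err
	}

	for otherID, addr := range slb.binds {
		if addr == result.Addr() {
			return fmt.Errorf("generated address %s for %s collides with %s", result.Addr(), id, otherID)
		}
	}

	slb.binds[id] = result.Addr()

	return nil
}

// … unchanged: SiderolinkRequest, SetKernelArgs …
```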
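Review bot: `agentFlag.String` and `agentFlag.Set` do not round-trip: `String` reports value 2 as `grpc-tunnel` and the zero value as `none`, but `Set` accepts neither, so anything that feeds the displayed value back — a script copying `(default none)` from `--help`, or code that re-applies `flag.Value.String()` — fails with `unknown type`. Return `tunnel` for value 2 so the name matches what `Set` accepts, and let `Set` express the off state as well, e.g. `case "false", "none": *a = 0`. The four methods compare against bare `1`/`2`; named constants (`agentNone`, `agentWireguard`, `agentTunnel`) would make `IsEnabled`/`IsTunnel` self-explanatory.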
@@ -0,0 +1,19 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package cluster
+
+import (
+ "net/netip"
+
+ "github.com/siderolabs/siderolink/pkg/wireguard"
+)
+
+func generateRandomNodeAddr(prefix netip.Prefix) (netip.Prefix, error) {
+ return wireguard.GenerateRandomNodeAddr(prefix)
+}
+
+func networkPrefix(prefix string) (netip.Prefix, error) {
+ return wireguard.NetworkPrefix(prefix), nil
+}
diff --git a/cmd/talosctl/cmd/mgmt/cluster/create_other.go b/cmd/talosctl/cmd/mgmt/cluster/create_other.go
new file mode 100644
index 000000000..ce5d86808
--- /dev/null
+++ b/cmd/talosctl/cmd/mgmt/cluster/create_other.go
@@ -0,0 +1,20 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+//go:build !linux
+
+package cluster
+
+import (
+ "errors"
+ "net/netip"
+)
+
+func generateRandomNodeAddr(prefix netip.Prefix) (netip.Prefix, error) {
+ return netip.Prefix{}, nil
+}
+
+func networkPrefix(prefix string) (netip.Prefix, error) {
+ return netip.Prefix{}, errors.New("unsupported platform")
+}
diff --git a/cmd/talosctl/cmd/mgmt/cluster/wg_linux.go b/cmd/talosctl/cmd/mgmt/cluster/wg_linux.go
deleted file mode 100644
index 93d3a131e..000000000
--- a/cmd/talosctl/cmd/mgmt/cluster/wg_linux.go
+++ /dev/null
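Review bot: In `create_other.go`, `generateRandomNodeAddr` returns a zero `netip.Prefix` with a nil error, so a caller reaching it on a non-Linux host would store an invalid address as if generation had succeeded; the deleted `wg_other.go` returned `errors.New("unsupported platform")` for this case, and `networkPrefix` in the same file still does. Today `newSiderolinkBuilder` fails on `networkPrefix` first, so the stub is unreachable, but it should not depend on that call order: `return netip.Prefix{}, errors.New("unsupported platform")`. Both stubs also ignore `prefix`; naming it `_ netip.Prefix` would make that intentional rather than accidental.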
@@ -1,42 +0,0 @@ -// This Source Code Form is subject to the terms of the Mozilla Public -// License, v. 2.0. If a copy of the MPL was not distributed with this -// file, You can obtain one at http://mozilla.org/MPL/2.0/. - -//go:build linux - -package cluster - -import ( - "fmt" - "net/netip" - - "github.com/siderolabs/siderolink/pkg/wireguard" -) - -type nodeAddrGenerator struct { - prefix netip.Prefix - nodeAddr netip.Addr -} - -func makeNodeAddrGenerator() nodeAddrGenerator { - prefix := wireguard.NetworkPrefix("") - nodeAddr := prefix.Addr().Next() - - return nodeAddrGenerator{ - prefix: prefix, - nodeAddr: nodeAddr, - } -} - -func (ng *nodeAddrGenerator) GenerateRandomNodeAddr() (netip.Addr, error) { - result, err := wireguard.GenerateRandomNodeAddr(ng.prefix) - if err != nil { - return netip.Addr{}, fmt.Errorf("failed to generate random node address: %w", err) - } - - return result.Addr(), nil -} - -func (ng *nodeAddrGenerator) GetAgentNodeAddr() string { - return ng.nodeAddr.String() -} diff --git a/cmd/talosctl/cmd/mgmt/cluster/wg_other.go b/cmd/talosctl/cmd/mgmt/cluster/wg_other.go deleted file mode 100644 index 30d438849..000000000 --- a/cmd/talosctl/cmd/mgmt/cluster/wg_other.go +++ /dev/null @@ -1,26 +0,0 @@ -// This Source Code Form is subject to the terms of the Mozilla Public -// License, v. 2.0. If a copy of the MPL was not distributed with this -// file, You can obtain one at http://mozilla.org/MPL/2.0/. - -//go:build !linux - -package cluster - -import ( - "errors" - "net/netip" -) - -type nodeAddrGenerator struct{} - -func (ng *nodeAddrGenerator) GenerateRandomNodeAddr() (netip.Addr, error) { - return netip.Addr{}, errors.New("unsupported platform") -} - -func (ng *nodeAddrGenerator) GetAgentNodeAddr() string { - return "" -} - -func makeNodeAddrGenerator() nodeAddrGenerator { - return nodeAddrGenerator{} -} diff --git a/go.mod b/go.mod index d43026fac..addf96604 100644 --- a/go.mod +++ b/go.mod 
@@ -12,6 +12,12 @@ replace ( // Use nested module. github.com/siderolabs/talos/pkg/machinery => ./pkg/machinery + // see https://github.com/siderolabs/talos/issues/8514 + golang.zx2c4.com/wireguard => github.com/siderolabs/wireguard-go v0.0.0-20240401105714-9c7067e9d4b9 + + // see https://github.com/siderolabs/talos/issues/8514 + golang.zx2c4.com/wireguard/wgctrl => github.com/siderolabs/wgctrl-go v0.0.0-20240401105613-579af3342774 + // forked go-yaml that introduces RawYAML interface, which can be used to populate YAML fields using bytes // which are then encoded as a valid YAML blocks with proper indentiation gopkg.in/yaml.v3 => github.com/unix4ever/yaml v0.0.0-20220527175918-f17b0f05cf2c @@ -160,7 +166,6 @@ require ( golang.org/x/term v0.18.0 golang.org/x/text v0.14.0 golang.org/x/time v0.5.0 - golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173 // indirect golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 google.golang.org/grpc v1.62.1 google.golang.org/protobuf v1.33.0 @@ -239,7 +244,7 @@ require ( github.com/golang-jwt/jwt/v5 v5.2.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.4 // indirect - github.com/google/btree v1.0.1 // indirect + github.com/google/btree v1.1.2 // indirect github.com/google/gnostic-models v0.6.8 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect @@ -336,6 +341,7 @@ require ( golang.org/x/mod v0.15.0 // indirect golang.org/x/tools v0.18.0 // indirect golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect + golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173 // indirect google.golang.org/appengine v1.6.8 // indirect google.golang.org/genproto v0.0.0-20240205150955-31a09d347014 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240125205218-1f4bbc51befe // indirect 
diff --git a/go.sum b/go.sum index 461afce37..fd647ceff 100644 --- a/go.sum +++ b/go.sum @@ -330,8 +330,8 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= -github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= +github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= +github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= 
@@ -706,6 +706,10 @@ github.com/siderolabs/siderolink v0.3.5 h1:sU4WNGCRGQYZ/sQZaVQbGfUNOqS561oL4kafK github.com/siderolabs/siderolink v0.3.5/go.mod h1:/7Dg0Nkh4q/8yqsY/VirDOTOFOqRvPikagCoyf3+Mf4= github.com/siderolabs/tcpproxy v0.1.0 h1:IbkS9vRhjMOscc1US3M5P1RnsGKFgB6U5IzUk+4WkKA= github.com/siderolabs/tcpproxy v0.1.0/go.mod h1:onn6CPPj/w1UNqQ0U97oRPF0CqbrgEApYCw4P9IiCW8= +github.com/siderolabs/wgctrl-go v0.0.0-20240401105613-579af3342774 h1:wLhs5zMQVjA6LN9WpF2owOdtcoRp40zL8AaQSle+9EE= +github.com/siderolabs/wgctrl-go v0.0.0-20240401105613-579af3342774/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80= +github.com/siderolabs/wireguard-go v0.0.0-20240401105714-9c7067e9d4b9 h1:VSb26LYkpr9EZeSqn2agvsbF1xUxg66AEkPSIg3Ncsc= +github.com/siderolabs/wireguard-go v0.0.0-20240401105714-9c7067e9d4b9/go.mod h1:7+dAh+K+Zo+AnP0mCypmwx7M6k2SyqRuLQMX91qZPr0= github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= 
@@ -1108,10 +1112,6 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg= golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI= -golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173 h1:/jFs0duh4rdb8uIfPMv78iAJGcPKDeqAFnaLBropIC4= -golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173/go.mod h1:tkCQ4FQXmpAgYVh++1cq16/dH4QJtmvpRv19DWGAHSA= -golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE= -golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= 
@@ -1234,8 +1234,8 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o= gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g= -gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259 h1:TbRPT0HtzFP3Cno1zZo7yPzEEnfu8EjLfl6IU9VfqkQ= -gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259/go.mod h1:AVgIgHMwK63XvmAzWG9vLQ41YnVHN0du0tEC46fI7yY= +gvisor.dev/gvisor v0.0.0-20240331093104-8c9cbf0d9090 h1:KTw+dIw6IOztE+8fwVoedLPFAh7r1FQ+jFoX+sixIcs= +gvisor.dev/gvisor v0.0.0-20240331093104-8c9cbf0d9090/go.mod h1:NQHVAzMwvZ+Qe3ElSiHmq9RUm1MdNHpUZ52fiEqvn+0= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/hack/test/e2e-qemu.sh b/hack/test/e2e-qemu.sh index e761b2bef..b089c9983 100755 --- a/hack/test/e2e-qemu.sh +++ b/hack/test/e2e-qemu.sh @@ -157,7 +157,7 @@ case "${WITH_SIDEROLINK_AGENT:-false}" in false) ;; *) - QEMU_FLAGS+=("--with-siderolink") + QEMU_FLAGS+=("--with-siderolink=${WITH_SIDEROLINK_AGENT}") ;; esac diff --git a/internal/app/machined/pkg/controllers/siderolink/userspace.go b/internal/app/machined/pkg/controllers/siderolink/userspace.go index 7ea3773e5..410ee3077 100644 --- a/internal/app/machined/pkg/controllers/siderolink/userspace.go +++ b/internal/app/machined/pkg/controllers/siderolink/userspace.go 
@@ -112,7 +112,7 @@ func (ctrl *UserspaceWireguardController) Run(ctx context.Context, r controller. logger.Info("wg over grpc tunnel device created", zap.String("link_name", res.TypedSpec().LinkName)) eg.Go(func() error { - logger.Debug("running tunnel device") + logger.Debug("tunnel device running") defer logger.Debug("tunnel device exited") return td.Run() diff --git a/internal/integration/api/serviceaccount.go b/internal/integration/api/serviceaccount.go index 8d4209056..7b3fc74cf 100644 --- a/internal/integration/api/serviceaccount.go +++ b/internal/integration/api/serviceaccount.go @@ -59,6 +59,8 @@ func (suite *ServiceAccountSuite) SuiteName() string { func (suite *ServiceAccountSuite) SetupTest() { // make sure API calls have timeout suite.ctx, suite.ctxCancel = context.WithTimeout(context.Background(), 5*time.Minute) + + suite.AssertClusterHealthy(suite.ctx) } // TearDownTest ... @@ -119,10 +121,10 @@ func (suite *ServiceAccountSuite) TestNotAllowedNamespace() { name := "test-allowed-ns" err := suite.configureAPIAccess(true, []string{"os:reader"}, []string{"kube-system"}) - suite.Assert().NoError(err) + suite.Require().NoError(err) sa, err := suite.createServiceAccount("default", name, []string{"os:reader"}) - suite.Assert().NoError(err) + suite.Require().NoError(err) defer suite.DeleteResource(suite.ctx, serviceAccountGVR, "default", name) //nolint:errcheck @@ -131,7 +133,7 @@ func (suite *ServiceAccountSuite) TestNotAllowedNamespace() { event.Type == corev1.EventTypeWarning && event.Reason == "ErrNamespaceNotAllowed" }) - suite.Assert().NoError(err) + suite.Require().NoError(err) } // TestNotAllowedRoles tests Kubernetes service accounts with not allowed roles. diff --git a/pkg/provision/request.go b/pkg/provision/request.go index 83c2bb658..252bb3a42 100644 --- a/pkg/provision/request.go +++ b/pkg/provision/request.go @@ -6,7 +6,6 @@ package provision import ( "errors" - "fmt" "net/netip" "slices" "time" 
@@ -213,34 +212,10 @@ type SiderolinkRequest struct {
 SiderolinkBind []SiderolinkBind
 }
 
-// AddBind adds a pair of prebinded UUID->Addr for SideroLink agent.
-func (sr *SiderolinkRequest) AddBind(id uuid.UUID, addr netip.Addr) {
- idx := slices.IndexFunc(sr.SiderolinkBind, func(b SiderolinkBind) bool { return b.UUID == id })
- if idx != -1 {
- panic(fmt.Errorf("duplicate UUID %s in SideroLink bind", id))
- }
-
- idx = slices.IndexFunc(sr.SiderolinkBind, func(b SiderolinkBind) bool { return b.Addr == addr })
- if idx != -1 {
- panic(fmt.Errorf("duplicate address %s in SideroLink bind", addr))
- }
-
- sr.SiderolinkBind = append(sr.SiderolinkBind, SiderolinkBind{
- UUID: id,
- Addr: addr,
- })
-}
-
 // GetAddr returns the address for the given UUID.
 func (sr *SiderolinkRequest) GetAddr(u *uuid.UUID) (netip.Addr, bool) {
- if u == nil {
- return netip.Addr{}, false
- }
-
- for _, b := range sr.SiderolinkBind {
- if b.UUID == *u {
- return b.Addr, true
- }
+ if idx := slices.IndexFunc(sr.SiderolinkBind, func(sb SiderolinkBind) bool { return sb.UUID == *u }); idx != -1 {
+ return sr.SiderolinkBind[idx].Addr, true
 }
 
 return netip.Addr{}, false
diff --git a/website/content/v1.7/reference/cli.md b/website/content/v1.7/reference/cli.md
index 0f65952a9..4a11865e2 100644
--- a/website/content/v1.7/reference/cli.md
+++ b/website/content/v1.7/reference/cli.md
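Review bot: The rewritten `GetAddr` removes the `u == nil` guard and dereferences `*u` inside the `slices.IndexFunc` closure, so a nil UUID pointer now panics whenever `SiderolinkBind` is non-empty — and passes silently when it is empty, which is exactly the case a cluster created without SideroLink exercises, so the regression will not show up there. Keep the method's contract by restoring `if u == nil { return netip.Addr{}, false }` as the first statement, or change the parameter to a plain `uuid.UUID` if no caller passes nil. The closing brace of `GetAddr` is outside the hunk.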
@@ -167,7 +167,7 @@ talosctl cluster create [flags]
 --with-network-packet-corrupt float specify percent of corrupt packets on the bridge interface when creating a qemu cluster. e.g. 50% = 0.50 (default: 0.0)
 --with-network-packet-loss float specify percent of packet loss on the bridge interface when creating a qemu cluster. e.g. 50% = 0.50 (default: 0.0)
 --with-network-packet-reorder float specify percent of reordered packets on the bridge interface when creating a qemu cluster. e.g. 50% = 0.50 (default: 0.0)
- --with-siderolink enables the use of siderolink agent as configuration apply mechanism
+ --with-siderolink true enables the use of siderolink agent as configuration apply mechanism. true or `wireguard` enables the agent, `tunnel` enables the agent with grpc tunneling (default none)
 --with-tpm2 enable TPM2 emulation support using swtpm
 --with-uefi enable UEFI on x86_64 architecture (default true)
 --with-uuid-hostnames use machine UUIDs as default hostnames (QEMU only)