Integrate tailscale into k3s

[manuelbuil]

Proposed Changes

This PR adds the necessary code to integrate VPNs into k3s and incorporates tailscale as the first VPN option.
It also includes an ADR that explains the change

Types of Changes

New feature

Verification

1 - Install tailscale in the node
2 - Create a key in tailscale
3 - Deploy k3s with the flag:

vpn-auth: "name=tailscale,joinKey=$CREATED_KEY"

4 - Verify that:
a) Tailscale interface exists and has an IP
b) kubectl get endpoints is using the tailscale IP
c) kubectl get nodes -o wide shows the tailscale IP as the nodeIP

Testing

Linked Issues

#7353

User-Facing Change

Integration of tailscale VPN into k3s

Further Comments

[cwayne18]

Can we get either an integration or an e2e test for this?

[nikolaishields]

From a community perspective it would be really nice to include the ability to setup a tailscale funnel at node deploy time to allow public access to the node at a targeted port or service address. This would come in particularly convenient in situations where public ingress is desired. A few example use-cases:

• IDP (keycloak, vault, ory, dex) is deployed to the cluster by the k3s helm-manifest controller at cluster deploy. This would allow k3s users to have SSO access to their clusters immediately after bootstrap.
• Traefik ingress is proxying public services, yet the cluster is behind CGNAT and ports cannot be exposed.
• HTTP01 cert-generation via public exposure of the ACME endpoint

Perhaps a Kubernetes ingress integration could even be designed that instantiates a funnel as a CRD when ingress is created. The sky's the limit.
Special thanks to @manuelbuil for drafting this as it looks awesome!

[codecov]

Codecov Report

Patch coverage has no change and project coverage change: -28.27 ⚠️

Comparison is base (e5e1a67) 47.55% compared to head (023514f) 19.29%.

❗ Current head 023514f differs from pull request most recent head 869e030. Consider uploading reports for the commit 869e030 to get more accurate results

Additional details and impacted files

@@             Coverage Diff             @@
##           master    #7352       +/-   ##
===========================================
- Coverage   47.55%   19.29%   -28.27%     
===========================================
  Files         141       81       -60     
  Lines       14347     5463     -8884     
===========================================
- Hits         6823     1054     -5769     
+ Misses       6442     4187     -2255     
+ Partials     1082      222      -860     

Flag	Coverage Δ
inttests	?
unittests	19.29% <0.00%> (-0.58%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/agent/flannel/setup.go	0.00% <0.00%> (-41.14%)	⬇️
pkg/cli/cmds/agent.go	0.00% <0.00%> (-100.00%)	⬇️
pkg/cli/cmds/server.go	0.00% <ø> (-100.00%)	⬇️
pkg/daemons/config/types.go	67.21% <ø> (-17.24%)	⬇️

... and 137 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[manuelbuil]

From a community perspective it would be really nice to include the ability to setup a tailscale funnel at node deploy time to allow public access to the node at a targeted port or service address. This would come in particularly convenient in situations where public ingress is desired. A few example use-cases:

• IDP (keycloak, vault, ory, dex) is deployed to the cluster by the k3s helm-manifest controller at cluster deploy. This would allow k3s users to have SSO access to their clusters immediately after bootstrap.
• Traefik ingress is proxying public services, yet the cluster is behind CGNAT and ports cannot be exposed.
• HTTP01 cert-generation via public exposure of the ACME endpoint

Perhaps a Kubernetes ingress integration could even be designed that instantiates a funnel as a CRD when ingress is created. The sky's the limit. Special thanks to @manuelbuil for drafting this as it looks awesome!

Hey @nikolaishields, how are you? Thanks for your suggestion :). There are several cool features that tailscale provides, such as funneling, but I decided to keep them outside of the integration (at least for the time being). I want to keep it dead simple and check what is the community reaction, typical bugs, etc before taking the next iteration.

The CRD+ingress idea could be cool. I guess you mean having the ingress service as a nodePort service and offering that port with tailscale funnel. Kind of a "type: loadbalancer" service but without the loadbalancer, right? Wouldn't klipper-lb fulfill that use case too? Now I want/need to test it

[manuelbuil]

Can we get either an integration or an e2e test for this?

Yep, on it

[nikolaishields]

Hey @nikolaishields, how are you?

I'm doing well thanks for asking!

There are several cool features that tailscale provides, such as funneling, but I decided to keep them outside of the integration (at least for the time being). I want to keep it dead simple and check what is the community reaction, typical bugs, etc before taking the next iteration.

Makes perfect sense, if you ever want/need a hand on implementing any of these features let me know. Happy to help!

The CRD+ingress idea could be cool. I guess you mean having the ingress service as a nodePort service and offering that port with tailscale funnel. Kind of a "type: loadbalancer" service but without the loadbalancer, right? Wouldn't klipper-lb fulfill that use case too? Now I want/need to test it

It probably could and then a user could just run a funnel against the node port. In theory I suppose one could also just funnel a service directly via local dns lookup (e.g. tailscale serve <servicename>.default.cluster.local:<port number>).

[manuelbuil]

Can we get either an integration or an e2e test for this?

Actually, could we merge this PR and then work on the e2e test? It complicates things that the code is not yet part of upstream k3s

stale

[brandond]

I would defer to @cwayne18 on merging without tests. I think @dereknola might have some suggestions on how to add tests before the PR is merged? I have had some frustrations with that process as well.

[manuelbuil]

I would defer to @cwayne18 on merging without tests. I think @dereknola might have some suggestions on how to add tests before the PR is merged? I have had some frustrations with that process as well.

I am adding them in the end

[dereknola]

With this, you get more info if there is an error, the err outs from exec are almost always just exit 1/2, which isn't helpful.

Suggested change

	var out bytes.Buffer
	cmd := exec.Command(command, args...)
	cmd.Stdout = &out
	err := cmd.Run()
	if err != nil {
	return "", err
	}
	var out, errOut bytes.Buffer
	cmd := exec.Command(command, args...)
	cmd.Stdout = &out
	cmd.Stderr = &errOut
	err := cmd.Run()
	if err != nil {
	return errOut.String(), err
	}

[manuelbuil]

nice, thanks for that. The user of this function should then be aware that the interesting error is the string returned and not the error, right? I'll add a comment

[dereknola]

I would suggest adding a failure state is after 5min or something, the path still does not exist.

[manuelbuil]

yeah, good point, let me replace the infinite loop with something else using time. I copied/pasted this function from another place though, and it never happened before, but better safe than sorry

[dereknola]

Same comment as in the linux version

[brandond]

I don't understand why this is OS-specific, there doesn't appear to be anything in either function that would differ across platforms.

[manuelbuil]

We could remove it in another PR (just in case we need to revert) and see if things are still working

[dereknola]

Do we need the special libvirt flags? Its not dualstack

Suggested change

	node.vm.network "private_network",
	:ip => node_ip4,
	:netmask => "255.255.255.0",
	:libvirt__dhcp_enabled => false,
	:libvirt__forward_mode => "none"
	vm.network "private_network", ip: node_ip, netmask: "255.255.255.0"

[manuelbuil]

oh, I think we are using those flags in all the networking tests. We should remove it when not needed then. Thanks!

[brandond]

nit on the filename - should it be integrate-vpns.md? I'm not sure why the word was truncated.

[manuelbuil]

good catch, probably my mistake

[brandond]

nit: be consistent with the format for vpn-auth-file

Suggested change

	Usage: "(agent/networking) (experimental) Credentials for the VPN provider. It must include the provider name and join key in the format name=tailscale,joinKey=<key>",
	Usage: "(agent/networking) (experimental) Credentials for the VPN provider. It must include the provider name and join key in the format name=<vpn-provider>,joinKey=<key>",

[manuelbuil]

👍

[brandond]

I don't understand why this is OS-specific, there doesn't appear to be anything in either function that would differ across platforms.

concerns were addressed