feat: tailscale extension

Tailscale as a system service extension.
Creates network devices in the talos 'host'

Makefile

@@ -51,7 +51,8 @@ TARGETS = \
 		nut-client \
 		nvidia-container-toolkit \
 		nvidia-fabricmanager \
-		nvidia-open-gpu-kernel-modules
+		nvidia-open-gpu-kernel-modules \
+		tailscale
 
 # Temporarily disabled, as mellanox-ofed fails to build with Linux 6.1
 #		mellanox-ofed \

network/tailscale/README.md

@@ -0,0 +1,69 @@
+# Tailscale
+
+Adds https://tailscale.com network interfaces as system extensions.
+This means you can access your talos nodes from machines you have configured 
+with tailscale
+
+## Installation
+
+
+Simplest install
+```
+machine:
+  install:
+    extensions:
+      - image: docker.io/btrepp/tailscale:1.40.0
+  files:
+    - content: *YOUR_AUTH_KEY*
+      permissions: 0644
+      path: /var/etc/tailscale/env/TS_AUTHKEY
+      op: create
+```
+
+```
+> talosctl apply -n node myconfig.yaml
+> talosctl upgrade -n node
+```
+
+## Configuration
+
+This extension uses s6-envdir, to read from `/var/etc/tailscale/env` folder.
+Each file is an environment variable, with its contents being the value.
+This then runs containerboot https://pkg.go.dev/tailscale.com@v1.40.1/cmd/containerboot
+
+In practice this allows setting any env var, so you can configure as needed
+Current known env vars are
+
+TS_AUTHKEY: the authkey to use for login.
+TS_HOSTNAME: the hostname to request for the node.
+TS_ROUTES: subnet routes to advertise.
+TS_DEST_IP: proxy all incoming Tailscale traffic to the given destination.
+TS_TAILSCALED_EXTRA_ARGS: extra arguments to 'tailscaled'.
+TS_EXTRA_ARGS: extra arguments to 'tailscale up'.
+TS_USERSPACE: run with userspace networking (the default) instead of kernel networking.
+TS_STATE_DIR: the directory in which to store tailscaled state. The data should persist across container restarts.
+TS_ACCEPT_DNS: whether to use the tailnet's DNS configuration.
+TS_KUBE_SECRET: the name of the Kubernetes secret in which to store tailscaled state.
+TS_SOCKS5_SERVER: the address on which to listen for SOCKS5 proxying into the tailnet.
+TS_OUTBOUND_HTTP_PROXY_LISTEN: the address on which to listen for HTTP proxying into the tailnet.
+TS_SOCKET: the path where the tailscaled LocalAPI socket should be created.
+TS_AUTH_ONCE: if true, only attempt to log in if not already logged in. If false (the default, for backwards compatibility), forcibly log in every time the container starts.
+
+
+### Subnet routing
+
+A pratical example is enabling subnetrouting
+```
+machine:
+  files:
+    - content: 10.96.0.0/12
+      permissions: 0644
+      path: /var/etc/tailscale/env/TS_ROUTES
+      op: create
+```
+
+10.96.0.0/12 is the service subnet talos uses by default (if you use a custom one, you will need to change it).
+This allows the k8s services to be available over tailscale (without an ingress controller!).
+
+With this enabled, you can configure tailscales DNS to actually forward certain search domains
+to corends, making it very easy to access k8s services from an external device.

network/tailscale/manifest.yaml

@@ -0,0 +1,10 @@
+version: v1alpha1
+metadata:
+  name: tailscale
+  version: "$VERSION"
+  author: Beau Trepp
+  description: |
+    Tailscale connects your team's devices and development environments for easy access to remote resources.
+  compatibility:
+    talos:
+      version: ">= v1.2.0"

network/tailscale/pkg.yaml

@@ -0,0 +1,80 @@
+name: tailscale
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+  - stage: base
+steps:
+  - env:
+      GOPATH: /go
+  - sources:
+      - url: https://github.com/tailscale/tailscale/archive/refs/tags/v{{ .TAILSCALE_VERSION }}.tar.gz
+        destination: tailscale.tar.gz
+        sha256: 6964176889943e0e0b25d8d69e14226cfb1c1a9944a257b24cb2dd212f797141
+        sha512: a64cad7685ba1dd438e16c8fa6ed1c29e5d840ffe17b2417342e43a2da5c1679826eb3a29b33e40ac075171a59605cdc857e1e09e60cf5140b22d363bb31ff30
+      - url: https://skarnet.org/software/s6/s6-{{ .S6_VERSION }}.tar.gz
+        destination: s6.tar.gz
+        sha256: 7c16138ad2f0ffbe0ed2ae8dd0cecada9f7c787edd33a69084d219110693df74
+        sha512: fe87c7984905b3eb35d7c91a3f0b6ece5cb0eb2c6d16ea7725655f118c464cf017e10b6ed82b3b12b6deb331538fc5d20afea7f34ff98b85d4c437b09e07371a
+      - url: https://skarnet.org/software/skalibs/skalibs-{{.SKALIBS_VERSION}}.tar.gz
+        destination: skalibs.tar.gz
+        sha256: b272a1ab799f7fac44b9b4fb5ace78a9616b2fe4882159754b8088c4d8199e33
+        sha512: 9568c78b1a99bb183b89d0a4541fd6b2da6573215d9d58387b2cb7a439d2520f7dbb17999f5338c3e028bd425abd07230b4d12c8e3c70dfe54587b1b82af8e63
+      - url: https://skarnet.org/software/execline/execline-{{.EXECLINE_VERSION}}.tar.gz
+        destination: execline.tar.gz
+        sha256: c8027fa70922d117cdee8cc20d277e38d03fd960e6d136d8cec32603d4ec238d
+        sha512: a71a34896f2186e27959d84222ffefa15d2e43c802ad2c71a0442ee04be73aebe629079e31946ca776975e676a05840ce343e1a97f61bf420dad2cd450a948f2
+    prepare:  
+      - |
+        sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
+      - |
+        mkdir dist
+
+      - |
+        mkdir tailscale
+        tar -xzvf tailscale.tar.gz --strip-components=1 -C tailscale
+
+      - | 
+        tar -xzvf skalibs.tar.gz
+        ( cd skalibs-{{.SKALIBS_VERSION}} && ./configure)
+        make -C skalibs-{{.SKALIBS_VERSION}}
+        make -C skalibs-{{.SKALIBS_VERSION}} install
+
+      - | 
+        tar -xzvf execline.tar.gz
+        (cd execline-{{.EXECLINE_VERSION}} && ./configure)
+        make -C execline-{{.EXECLINE_VERSION}}
+        make -C execline-{{.EXECLINE_VERSION}} install
+
+      - | 
+        tar -xzvf s6.tar.gz
+        (cd s6-{{.S6_VERSION}} && ./configure --bindir=../dist )
+    build:
+      - |
+        export PATH=${PATH}:${TOOLCHAIN}/go/bin
+
+        go build \
+          -C tailscale \
+          -o ../dist \
+        	-ldflags "-X tailscale.com/version.shortStamp={{ .TAILSCALE_VERSION }} \
+         					  -X tailscale.com/version.longStamp={{ .TAILSCALE_VERSION }}-TalosLinux" \
+         tailscale.com/cmd/{tailscale,tailscaled,containerboot}
+
+        make -C s6-{{.S6_VERSION}}
+        make -C s6-{{.S6_VERSION}} install
+
+
+    install:
+      - |
+        mkdir -p /rootfs/usr/local/lib/containers/tailscale/usr/local/bin/
+        cp -pr dist/tailscale /rootfs/usr/local/lib/containers/tailscale/usr/local/bin
+        cp -pr dist/tailscaled /rootfs/usr/local/lib/containers/tailscale/usr/local/bin
+        cp -pr dist/containerboot /rootfs/usr/local/lib/containers/tailscale/usr/local/bin
+        cp -pr dist/s6-envdir /rootfs/usr/local/lib/containers/tailscale/usr/local/bin
+
+finalize:
+  - from: /rootfs
+    to: /rootfs
+  - from: /pkg/manifest.yaml
+    to: /
+  - from: /pkg/tailscale.yaml
+    to: /rootfs/usr/local/etc/containers/

network/tailscale/tailscale.yaml

@@ -0,0 +1,72 @@
+name: tailscale
+depends:
+  - service: cri
+  - network:
+    - addresses
+    - connectivity
+    - etcfiles
+container:
+  entrypoint: /usr/local/bin/s6-envdir
+  args: 
+  - /etc/tailscale/env
+  - /usr/local/bin/containerboot
+  environment:
+  - PATH=/sbin:/usr/local/bin
+  - TS_SOCKET=/var/run/tailscale/tailscaled.sock
+  - TS_STATE_DIR=/var/lib/tailscale
+  - TS_USERSPACE=false
+  security:
+    writeableRootfs: false
+    writeableSysfs: true
+  mounts:
+  # libs
+  - source: /lib
+    destination: /lib
+    type: bind
+    options:
+      - bind
+      - ro
+  # more libs
+  - source: /usr/lib
+    destination: /usr/lib
+    type: bind
+    options:
+      - bind
+      - ro
+  ## Required for tailscale. Ip addr and other commands
+  - source: /sbin
+    destination: /sbin
+    type: bind
+    options:
+      - bind
+      - ro
+  ## Tailscale needs to write to this to create the interfaces
+  - source: /dev/net/tun
+    destination: /dev/net/tun
+    type: bind
+    options:
+      - bind
+      - rw
+  ## Tailscale socket
+  - source: /var/run/tailscale
+    destination: /var/run/tailscale
+    type: bind
+    options:
+      - bind
+      - rw
+  ## Tailscale state. Particularly its 'auth' state
+  - source: /var/lib/tailscale
+    destination: /var/lib/tailscale
+    type: bind
+    options:
+      - bind
+      - rw
+  ## Read configuration from this folder
+  - source: /var/etc/tailscale/env
+    destination: /etc/tailscale/env
+    type: bind
+    options:
+    - bind
+    - ro
+
+restart: always

network/tailscale/vars.yaml

@@ -0,0 +1,4 @@
+VERSION: "{{ .TAILSCALE_VERSION }}"
+S6_VERSION: 2.11.3.2
+SKALIBS_VERSION: 2.13.1.1
+EXECLINE_VERSION: 2.9.3.0

network/vars.yaml

@@ -0,0 +1 @@
+TAILSCALE_VERSION: 1.40.0