Skip to content

Commit

Permalink
feat: tailscale extension
Browse files Browse the repository at this point in the history
Tailscale as a system service extension.
Creates network devices in the talos 'host'

Requires: siderolabs/talos#7408

Signed-off-by: Noel Georgi <git@frezbo.dev>
Signed-off-by: beau trepp <beautrepp@gmail.com>
  • Loading branch information
btrepp committed Jun 28, 2023
1 parent 30f24da commit db9b414
Show file tree
Hide file tree
Showing 7 changed files with 189 additions and 0 deletions.
1 change: 1 addition & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,7 @@ TARGETS = \
nvidia-container-toolkit \
nvidia-fabricmanager \
nvidia-open-gpu-kernel-modules \
tailscale \
usb-modem-drivers

# Temporarily disabled, as mellanox-ofed fails to build with Linux 6.1
Expand Down
69 changes: 69 additions & 0 deletions network/tailscale/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
# Tailscale

Adds https://tailscale.com network interfaces as system extensions.
This means you can access your talos nodes from machines you have configured
with tailscale

## Installation

Simplest install
```
machine:
install:
extensions:
- image: docker.io/btrepp/tailscale:1.40.0
files:
- content: |
TS_AUTHKEY=<your auth key>
permissions: 0o644
path: /var/etc/tailscale/auth.env
op: create
```

```
> talosctl apply -n node myconfig.yaml
> talosctl upgrade -n node
```

## Configuration

This extension runs containerboot https://pkg.go.dev/tailscale.com@v1.40.1/cmd/containerboot

Extra tailscale specific environment vars can be configured as needed in `/var/etc/tailscale/auth.env`

Current known env vars are:

TS_AUTHKEY: the authkey to use for login.
TS_HOSTNAME: the hostname to request for the node.
TS_ROUTES: subnet routes to advertise.
TS_DEST_IP: proxy all incoming Tailscale traffic to the given destination.
TS_TAILSCALED_EXTRA_ARGS: extra arguments to 'tailscaled'.
TS_EXTRA_ARGS: extra arguments to 'tailscale up'.
TS_USERSPACE: run with userspace networking (the default) instead of kernel networking.
TS_STATE_DIR: the directory in which to store tailscaled state. The data should persist across container restarts.
TS_ACCEPT_DNS: whether to use the tailnet's DNS configuration.
TS_KUBE_SECRET: the name of the Kubernetes secret in which to store tailscaled state.
TS_SOCKS5_SERVER: the address on which to listen for SOCKS5 proxying into the tailnet.
TS_OUTBOUND_HTTP_PROXY_LISTEN: the address on which to listen for HTTP proxying into the tailnet.
TS_SOCKET: the path where the tailscaled LocalAPI socket should be created.
TS_AUTH_ONCE: if true, only attempt to log in if not already logged in. If false (the default, for backwards compatibility), forcibly log in every time the container starts.

### Subnet routing

A pratical example is enabling subnetrouting
```
machine:
files:
- content: |
TS_AUTHKEY=<your auth key>
TS_ROUTES=10.96.0.0/12
permissions: 0o644
path: /var/etc/tailscale/auth.env
op: create
```

10.96.0.0/12 is the service subnet talos uses by default (if you use a custom one, you will need to change it).
This allows the k8s services to be available over tailscale (without an ingress controller!).

With this enabled, you can configure tailscales DNS to actually forward certain search domains
to coredns, making it very easy to access k8s services from an external device.
10 changes: 10 additions & 0 deletions network/tailscale/manifest.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
version: v1alpha1
metadata:
name: tailscale
version: "$VERSION"
author: Beau Trepp
description: |
Tailscale connects your team's devices and development environments for easy access to remote resources.
compatibility:
talos:
version: ">= v1.5.0"
44 changes: 44 additions & 0 deletions network/tailscale/pkg.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
name: tailscale
variant: scratch
shell: /toolchain/bin/bash
dependencies:
- stage: base
steps:
- env:
GOPATH: /go
- sources:
- url: https://github.com/tailscale/tailscale/archive/refs/tags/v{{ .TAILSCALE_VERSION }}.tar.gz
destination: tailscale.tar.gz
sha256: dc230cf3ac290140e573268a6e8f17124752ef064c8d3a86765a9dbb6f1bd354
sha512: d3bd5adf469cb2cc5a6e7df08fd9327d1b2492f7779dbf9e4158cc137dfcbe7c07c51f10adc142d5cd2827b837633722b585f2f20dfdd5821703fc9e4aed333d
prepare:
- |
sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
- |
mkdir tailscale dist
tar -xzvf tailscale.tar.gz --strip-components=1 -C tailscale
build:
- |
export PATH=${PATH}:${TOOLCHAIN}/go/bin
go build \
-C tailscale \
-o ../dist \
-ldflags "-X tailscale.com/version.shortStamp={{ .TAILSCALE_VERSION }} \
-X tailscale.com/version.longStamp={{ .TAILSCALE_VERSION }}-TalosLinux" \
tailscale.com/cmd/{tailscale,tailscaled,containerboot}
install:
- |
mkdir -p /rootfs/usr/local/lib/containers/tailscale/usr/local/bin/
cp -pr dist/tailscale /rootfs/usr/local/lib/containers/tailscale/usr/local/bin
cp -pr dist/tailscaled /rootfs/usr/local/lib/containers/tailscale/usr/local/bin
cp -pr dist/containerboot /rootfs/usr/local/lib/containers/tailscale/usr/local/bin
finalize:
- from: /rootfs
to: /rootfs
- from: /pkg/manifest.yaml
to: /
- from: /pkg/tailscale.yaml
to: /rootfs/usr/local/etc/containers/
62 changes: 62 additions & 0 deletions network/tailscale/tailscale.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
name: tailscale
depends:
- service: cri
- network:
- addresses
- connectivity
- etcfiles
container:
entrypoint: /usr/local/bin/containerboot
environmentFile: /var/etc/tailscale/auth.env
environment:
- PATH=/sbin:/usr/local/bin
- TS_SOCKET=/var/run/tailscale/tailscaled.sock
- TS_STATE_DIR=/var/lib/tailscale
- TS_USERSPACE=false
security:
writeableRootfs: false
writeableSysfs: true
mounts:
# libs
- source: /lib
destination: /lib
type: bind
options:
- bind
- ro
# more libs
- source: /usr/lib
destination: /usr/lib
type: bind
options:
- bind
- ro
## Required for tailscale. Ip addr and other commands
- source: /sbin
destination: /sbin
type: bind
options:
- bind
- ro
## Tailscale needs to write to this to create the interfaces
- source: /dev/net/tun
destination: /dev/net/tun
type: bind
options:
- bind
- rw
## Tailscale socket
- source: /var/run/tailscale
destination: /var/run/tailscale
type: bind
options:
- bind
- rw
## Tailscale state. Particularly its 'auth' state
- source: /var/lib/tailscale
destination: /var/lib/tailscale
type: bind
options:
- bind
- rw
restart: always
1 change: 1 addition & 0 deletions network/tailscale/vars.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
VERSION: "{{ .TAILSCALE_VERSION }}"
2 changes: 2 additions & 0 deletions network/vars.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
# renovate: datasource=github-releases extractVersion=^v(?<version>.*)$ depName=tailscale/tailscale
TAILSCALE_VERSION: 1.44.0

0 comments on commit db9b414

Please sign in to comment.