chore: enable "WG over GRPC" testing in siderolink agent tests

Fixes https://github.com/siderolabs/talos/issues/8514
For https://github.com/siderolabs/talos/issues/8392

Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
This commit is contained in:
Dmitriy Matrenichev 2024-04-01 14:27:31 +03:00
parent bac366e43e
commit 8dc4910c48
No known key found for this signature in database
GPG Key ID: 94B473337258BFD5
14 changed files with 234 additions and 196 deletions


@ -651,6 +651,13 @@ local integration_siderolink = Step('e2e-siderolink', target='e2e-qemu', privile
REGISTRY: local_registry,
});
local integration_siderolink_tunnel = Step('e2e-siderolink-tunnel', target='e2e-qemu', privileged=true, depends_on=[integration_siderolink], environment={
SHORT_INTEGRATION_TEST: 'yes',
WITH_SIDEROLINK_AGENT: 'tunnel',
VIA_MAINTENANCE_MODE: 'true',
REGISTRY: local_registry,
});
local push_edge = {
name: 'push-edge',
image: 'autonomy/build-container:latest',
@ -705,6 +712,7 @@ local integration_pipelines = [
integration_kubespan,
integration_default_hostname,
integration_siderolink,
integration_siderolink_tunnel,
]) + integration_trigger(['integration-misc']),
Pipeline('integration-extensions', default_pipeline_steps + integration_extensions) + integration_trigger(['integration-extensions']),
Pipeline('integration-cilium', default_pipeline_steps + [integration_cilium, integration_cilium_strict, integration_cilium_strict_kubespan]) + integration_trigger(['integration-cilium']),


@ -97,6 +97,8 @@ linters-settings:
- gopkg.in/yaml.v3
- github.com/coredns/coredns
- github.com/mdlayher/kobject
- golang.zx2c4.com/wireguard
- golang.zx2c4.com/wireguard/wgctrl
retract-allow-no-explanation: false
exclude-forbidden: true


@ -23,6 +23,7 @@ import (
"github.com/dustin/go-humanize"
"github.com/google/uuid"
"github.com/hashicorp/go-getter/v2"
"github.com/siderolabs/gen/maps"
"github.com/siderolabs/go-blockdevice/blockdevice/encryption"
"github.com/siderolabs/go-kubeconfig"
"github.com/siderolabs/go-pointer"
@ -174,7 +175,7 @@ var (
diskEncryptionKeyTypes []string
withFirewall string
withUUIDHostnames bool
withSiderolinkAgent bool
withSiderolinkAgent agentFlag
)
// createCmd represents the cluster up command.
@ -425,7 +426,7 @@ func create(ctx context.Context, flags *pflag.FlagSet) error {
provision.WithTPM2(tpm2Enabled),
provision.WithExtraUEFISearchPaths(extraUEFISearchPaths),
provision.WithTargetArch(targetArch),
provision.WithSiderolinkAgent(withSiderolinkAgent),
provision.WithSiderolinkAgent(withSiderolinkAgent.IsEnabled()),
}
var configBundleOpts []bundle.Option
@ -746,42 +747,22 @@ func create(ctx context.Context, flags *pflag.FlagSet) error {
var extraKernelArgs *procfs.Cmdline
if extraBootKernelArgs != "" {
if extraBootKernelArgs != "" || withSiderolinkAgent.IsEnabled() {
extraKernelArgs = procfs.NewCmdline(extraBootKernelArgs)
}
wgNodeGen := makeNodeAddrGenerator()
var slb *siderolinkBuilder
if withSiderolinkAgent {
if extraKernelArgs == nil {
extraKernelArgs = procfs.NewCmdline("")
}
if extraKernelArgs.Get("siderolink.api") != nil || extraKernelArgs.Get("talos.events.sink") != nil || extraKernelArgs.Get("talos.logging.kernel") != nil {
return errors.New("siderolink kernel arguments are already set, cannot run with --with-siderolink")
}
wgHost := gatewayIPs[0].String()
ports, err := getDynamicPorts()
if withSiderolinkAgent.IsEnabled() {
slb, err = newSiderolinkBuilder(gatewayIPs[0].String())
if err != nil {
return err
}
}
request.SiderolinkRequest.WireguardEndpoint = net.JoinHostPort(wgHost, ports.wgPort)
request.SiderolinkRequest.APIEndpoint = ":" + ports.apiPort
request.SiderolinkRequest.SinkEndpoint = ":" + ports.sinkPort
request.SiderolinkRequest.LogEndpoint = ":" + ports.logPort
agentNodeAddr := wgNodeGen.GetAgentNodeAddr()
apiLink := "grpc://" + net.JoinHostPort(wgHost, ports.apiPort) + "?jointoken=foo"
sinkURL := net.JoinHostPort(agentNodeAddr, ports.sinkPort)
kernelURL := "tcp://" + net.JoinHostPort(agentNodeAddr, ports.logPort)
extraKernelArgs.Append("siderolink.api", apiLink)
extraKernelArgs.Append("talos.events.sink", sinkURL)
extraKernelArgs.Append("talos.logging.kernel", kernelURL)
err = slb.SetKernelArgs(extraKernelArgs, withSiderolinkAgent.IsTunnel())
if err != nil {
return err
}
// Add talosconfig to provision options, so we'll have it to parse there
@ -798,15 +779,9 @@ func create(ctx context.Context, flags *pflag.FlagSet) error {
nodeUUID := uuid.New()
if withSiderolinkAgent {
var generated netip.Addr
generated, err = wgNodeGen.GenerateRandomNodeAddr()
if err != nil {
return err
}
request.SiderolinkRequest.AddBind(nodeUUID, generated)
err = slb.DefineIPv6ForUUID(nodeUUID)
if err != nil {
return err
}
nodeReq := provision.NodeRequest{
@ -869,15 +844,9 @@ func create(ctx context.Context, flags *pflag.FlagSet) error {
nodeUUID := uuid.New()
if withSiderolinkAgent {
var generated netip.Addr
generated, err = wgNodeGen.GenerateRandomNodeAddr()
if err != nil {
return err
}
request.SiderolinkRequest.AddBind(nodeUUID, generated)
err = slb.DefineIPv6ForUUID(nodeUUID)
if err != nil {
return err
}
request.Nodes = append(request.Nodes,
@ -896,6 +865,8 @@ func create(ctx context.Context, flags *pflag.FlagSet) error {
})
}
request.SiderolinkRequest = slb.SiderolinkRequest()
cluster, err := provisioner.Create(ctx, request, provisionOptions...)
if err != nil {
return err
@ -1213,7 +1184,7 @@ func init() {
createCmd.Flags().IntVar(&bandwidth, "with-network-bandwidth", 0, "specify bandwidth restriction (in kbps) on the bridge interface when creating a qemu cluster")
createCmd.Flags().StringVar(&withFirewall, firewallFlag, "", "inject firewall rules into the cluster, value is default policy - accept/block (QEMU only)")
createCmd.Flags().BoolVar(&withUUIDHostnames, "with-uuid-hostnames", false, "use machine UUIDs as default hostnames (QEMU only)")
createCmd.Flags().BoolVar(&withSiderolinkAgent, "with-siderolink", false, "enables the use of siderolink agent as configuration apply mechanism")
createCmd.Flags().Var(&withSiderolinkAgent, "with-siderolink", "enables the use of siderolink agent as configuration apply mechanism. `true` or `wireguard` enables the agent, `tunnel` enables the agent with grpc tunneling") //nolint:lll
Cmd.AddCommand(createCmd)
}
@ -1254,51 +1225,124 @@ func checkForDefinedGenFlag(flags *pflag.FlagSet) string {
return ""
}
type generatedPorts struct {
wgPort string
apiPort string
sinkPort string
logPort string
}
func newSiderolinkBuilder(wgHost string) (*siderolinkBuilder, error) {
prefix, err := networkPrefix("")
if err != nil {
return nil, err
}
result := &siderolinkBuilder{
wgHost: wgHost,
binds: map[uuid.UUID]netip.Addr{},
prefix: prefix,
nodeIPv6Addr: prefix.Addr().Next().String(),
}
func getDynamicPorts() (generatedPorts, error) {
var resultErr error
for range 10 {
wgPort, err := getDynamicPort("udp")
if err != nil {
return generatedPorts{}, fmt.Errorf("failed to get dynamic port for WireGuard: %w", err)
for _, d := range []struct {
field *int
net string
what string
}{
{&result.wgPort, "udp", "WireGuard"},
{&result.apiPort, "tcp", "gRPC API"},
{&result.sinkPort, "tcp", "Event Sink"},
{&result.logPort, "tcp", "Log Receiver"},
} {
var err error
*d.field, err = getDynamicPort(d.net)
if err != nil {
return nil, fmt.Errorf("failed to get dynamic port for %s: %w", d.what, err)
}
}
apiPort, err := getDynamicPort("tcp")
if err != nil {
return generatedPorts{}, fmt.Errorf("failed to get dynamic port for GRPC API: %w", err)
resultErr = checkPortsDontOverlap(result.wgPort, result.apiPort, result.sinkPort, result.logPort)
if resultErr == nil {
break
}
sinkPort, err := getDynamicPort("tcp")
if err != nil {
return generatedPorts{}, fmt.Errorf("failed to get dynamic port for Sink: %w", err)
}
logPort, err := getDynamicPort("tcp")
if err != nil {
return generatedPorts{}, fmt.Errorf("failed to get dynamic port for Log: %w", err)
}
resultErr = checkPortsDontOverlap(wgPort, apiPort, sinkPort, logPort)
if resultErr != nil {
continue
}
return generatedPorts{
wgPort: strconv.Itoa(wgPort),
apiPort: strconv.Itoa(apiPort),
sinkPort: strconv.Itoa(sinkPort),
logPort: strconv.Itoa(logPort),
}, nil
}
return generatedPorts{}, fmt.Errorf("failed to get non-overlapping dynamic ports in 10 attempts: %w", resultErr)
if resultErr != nil {
return nil, fmt.Errorf("failed to get non-overlapping dynamic ports in 10 attempts: %w", resultErr)
}
return result, nil
}
type siderolinkBuilder struct {
wgHost string
binds map[uuid.UUID]netip.Addr
prefix netip.Prefix
nodeIPv6Addr string
wgPort int
apiPort int
sinkPort int
logPort int
}
// DefineIPv6ForUUID defines an IPv6 address for a given UUID. It is safe to call this method on a nil pointer.
func (slb *siderolinkBuilder) DefineIPv6ForUUID(id uuid.UUID) error {
if slb == nil {
return nil
}
result, err := generateRandomNodeAddr(slb.prefix)
if err != nil {
return err
}
slb.binds[id] = result.Addr()
return nil
}
// SiderolinkRequest returns a SiderolinkRequest based on the current state of the builder.
// It is safe to call this method on a nil pointer.
func (slb *siderolinkBuilder) SiderolinkRequest() provision.SiderolinkRequest {
if slb == nil {
return provision.SiderolinkRequest{}
}
return provision.SiderolinkRequest{
WireguardEndpoint: net.JoinHostPort(slb.wgHost, strconv.Itoa(slb.wgPort)),
APIEndpoint: ":" + strconv.Itoa(slb.apiPort),
SinkEndpoint: ":" + strconv.Itoa(slb.sinkPort),
LogEndpoint: ":" + strconv.Itoa(slb.logPort),
SiderolinkBind: maps.ToSlice(slb.binds, func(k uuid.UUID, v netip.Addr) provision.SiderolinkBind {
return provision.SiderolinkBind{
UUID: k,
Addr: v,
}
}),
}
}
// SetKernelArgs sets the kernel arguments for the current builder. It is safe to call this method on a nil pointer.
func (slb *siderolinkBuilder) SetKernelArgs(extraKernelArgs *procfs.Cmdline, tunnel bool) error {
switch {
case slb == nil:
return nil
case extraKernelArgs.Get("siderolink.api") != nil,
extraKernelArgs.Get("talos.events.sink") != nil,
extraKernelArgs.Get("talos.logging.kernel") != nil:
return errors.New("siderolink kernel arguments are already set, cannot run with --with-siderolink")
default:
apiLink := "grpc://" + net.JoinHostPort(slb.wgHost, strconv.Itoa(slb.apiPort)) + "?jointoken=foo"
if tunnel {
apiLink += "&grpc_tunnel=true"
}
extraKernelArgs.Append("siderolink.api", apiLink)
extraKernelArgs.Append("talos.events.sink", net.JoinHostPort(slb.nodeIPv6Addr, strconv.Itoa(slb.sinkPort)))
extraKernelArgs.Append("talos.logging.kernel", "tcp://"+net.JoinHostPort(slb.nodeIPv6Addr, strconv.Itoa(slb.logPort)))
return nil
}
}
func getDynamicPort(network string) (int, error) {
@ -1361,3 +1405,33 @@ func checkPortsDontOverlap(ports ...int) error {
return nil
}
type agentFlag uint8
func (a *agentFlag) String() string {
switch *a {
case 1:
return "wireguard"
case 2:
return "grpc-tunnel"
default:
return "none"
}
}
func (a *agentFlag) Set(s string) error {
switch s {
case "true", "wireguard":
*a = 1
case "tunnel":
*a = 2
default:
return fmt.Errorf("unknown type: %s, possible values: 'true', 'wireguard' for the usual WG; 'tunnel' for WG over GRPC", s)
}
return nil
}
func (a *agentFlag) Type() string { return "agent" }
func (a *agentFlag) IsEnabled() bool { return *a != 0 }
func (a *agentFlag) IsTunnel() bool { return *a == 2 }
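Review bot: DefineIPv6ForUUID drops the duplicate-address check that the removed provision.SiderolinkRequest.AddBind used to perform: `slb.binds` is keyed by UUID only, so two calls that draw the same random address from generateRandomNodeAddr now yield two binds sharing one address instead of failing, and nothing downstream re-validates the slice produced by SiderolinkRequest(). A collision inside the prefix is unlikely, but the old code treated it as a hard error, so I would reject it before storing the bind (rewrite below). Separately, agentFlag.String() returns `"grpc-tunnel"` for the tunnel mode while Set() only accepts `"tunnel"`, so the value does not round-trip; and pflag takes the first backticked word of a usage string as the flag's value name, which is why the generated docs in this commit render the flag as `--with-siderolink true` — use plain single quotes in the usage text at the `createCmd.Flags().Var(&withSiderolinkAgent, ...)` line instead of backticks.
```go
func (slb *siderolinkBuilder) DefineIPv6ForUUID(id uuid.UUID) error {
	// … unchanged: nil-receiver guard and generateRandomNodeAddr call …
	addr := result.Addr()

	// Keep the invariant the removed AddBind enforced: one address per bind.
	for _, existing := range slb.binds {
		if existing == addr {
			return fmt.Errorf("duplicate address %s in SideroLink bind", addr)
		}
	}

	slb.binds[id] = addr

	return nil
}
```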


@ -0,0 +1,19 @@
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
package cluster
import (
"net/netip"
"github.com/siderolabs/siderolink/pkg/wireguard"
)
func generateRandomNodeAddr(prefix netip.Prefix) (netip.Prefix, error) {
return wireguard.GenerateRandomNodeAddr(prefix)
}
func networkPrefix(prefix string) (netip.Prefix, error) {
return wireguard.NetworkPrefix(prefix), nil
}


@ -0,0 +1,20 @@
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
//go:build !linux
package cluster
import (
"errors"
"net/netip"
)
func generateRandomNodeAddr(prefix netip.Prefix) (netip.Prefix, error) {
return netip.Prefix{}, nil
}
func networkPrefix(prefix string) (netip.Prefix, error) {
return netip.Prefix{}, errors.New("unsupported platform")
}


@ -1,42 +0,0 @@
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
//go:build linux
package cluster
import (
"fmt"
"net/netip"
"github.com/siderolabs/siderolink/pkg/wireguard"
)
type nodeAddrGenerator struct {
prefix netip.Prefix
nodeAddr netip.Addr
}
func makeNodeAddrGenerator() nodeAddrGenerator {
prefix := wireguard.NetworkPrefix("")
nodeAddr := prefix.Addr().Next()
return nodeAddrGenerator{
prefix: prefix,
nodeAddr: nodeAddr,
}
}
func (ng *nodeAddrGenerator) GenerateRandomNodeAddr() (netip.Addr, error) {
result, err := wireguard.GenerateRandomNodeAddr(ng.prefix)
if err != nil {
return netip.Addr{}, fmt.Errorf("failed to generate random node address: %w", err)
}
return result.Addr(), nil
}
func (ng *nodeAddrGenerator) GetAgentNodeAddr() string {
return ng.nodeAddr.String()
}


@ -1,26 +0,0 @@
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
//go:build !linux
package cluster
import (
"errors"
"net/netip"
)
type nodeAddrGenerator struct{}
func (ng *nodeAddrGenerator) GenerateRandomNodeAddr() (netip.Addr, error) {
return netip.Addr{}, errors.New("unsupported platform")
}
func (ng *nodeAddrGenerator) GetAgentNodeAddr() string {
return ""
}
func makeNodeAddrGenerator() nodeAddrGenerator {
return nodeAddrGenerator{}
}

10
go.mod

@ -12,6 +12,12 @@ replace (
// Use nested module.
github.com/siderolabs/talos/pkg/machinery => ./pkg/machinery
// see https://github.com/siderolabs/talos/issues/8514
golang.zx2c4.com/wireguard => github.com/siderolabs/wireguard-go v0.0.0-20240401105714-9c7067e9d4b9
// see https://github.com/siderolabs/talos/issues/8514
golang.zx2c4.com/wireguard/wgctrl => github.com/siderolabs/wgctrl-go v0.0.0-20240401105613-579af3342774
// forked go-yaml that introduces RawYAML interface, which can be used to populate YAML fields using bytes
// which are then encoded as a valid YAML blocks with proper indentiation
gopkg.in/yaml.v3 => github.com/unix4ever/yaml v0.0.0-20220527175918-f17b0f05cf2c
@ -160,7 +166,6 @@ require (
golang.org/x/term v0.18.0
golang.org/x/text v0.14.0
golang.org/x/time v0.5.0
golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173 // indirect
golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
google.golang.org/grpc v1.62.1
google.golang.org/protobuf v1.33.0
@ -239,7 +244,7 @@ require (
github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/google/btree v1.0.1 // indirect
github.com/google/btree v1.1.2 // indirect
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
@ -336,6 +341,7 @@ require (
golang.org/x/mod v0.15.0 // indirect
golang.org/x/tools v0.18.0 // indirect
golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173 // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/genproto v0.0.0-20240205150955-31a09d347014 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240125205218-1f4bbc51befe // indirect

16
go.sum

@ -330,8 +330,8 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek
github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@ -706,6 +706,10 @@ github.com/siderolabs/siderolink v0.3.5 h1:sU4WNGCRGQYZ/sQZaVQbGfUNOqS561oL4kafK
github.com/siderolabs/siderolink v0.3.5/go.mod h1:/7Dg0Nkh4q/8yqsY/VirDOTOFOqRvPikagCoyf3+Mf4=
github.com/siderolabs/tcpproxy v0.1.0 h1:IbkS9vRhjMOscc1US3M5P1RnsGKFgB6U5IzUk+4WkKA=
github.com/siderolabs/tcpproxy v0.1.0/go.mod h1:onn6CPPj/w1UNqQ0U97oRPF0CqbrgEApYCw4P9IiCW8=
github.com/siderolabs/wgctrl-go v0.0.0-20240401105613-579af3342774 h1:wLhs5zMQVjA6LN9WpF2owOdtcoRp40zL8AaQSle+9EE=
github.com/siderolabs/wgctrl-go v0.0.0-20240401105613-579af3342774/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
github.com/siderolabs/wireguard-go v0.0.0-20240401105714-9c7067e9d4b9 h1:VSb26LYkpr9EZeSqn2agvsbF1xUxg66AEkPSIg3Ncsc=
github.com/siderolabs/wireguard-go v0.0.0-20240401105714-9c7067e9d4b9/go.mod h1:7+dAh+K+Zo+AnP0mCypmwx7M6k2SyqRuLQMX91qZPr0=
github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
@ -1108,10 +1112,6 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173 h1:/jFs0duh4rdb8uIfPMv78iAJGcPKDeqAFnaLBropIC4=
golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173/go.mod h1:tkCQ4FQXmpAgYVh++1cq16/dH4QJtmvpRv19DWGAHSA=
golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@ -1234,8 +1234,8 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259 h1:TbRPT0HtzFP3Cno1zZo7yPzEEnfu8EjLfl6IU9VfqkQ=
gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259/go.mod h1:AVgIgHMwK63XvmAzWG9vLQ41YnVHN0du0tEC46fI7yY=
gvisor.dev/gvisor v0.0.0-20240331093104-8c9cbf0d9090 h1:KTw+dIw6IOztE+8fwVoedLPFAh7r1FQ+jFoX+sixIcs=
gvisor.dev/gvisor v0.0.0-20240331093104-8c9cbf0d9090/go.mod h1:NQHVAzMwvZ+Qe3ElSiHmq9RUm1MdNHpUZ52fiEqvn+0=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=


@ -157,7 +157,7 @@ case "${WITH_SIDEROLINK_AGENT:-false}" in
false)
;;
*)
QEMU_FLAGS+=("--with-siderolink")
QEMU_FLAGS+=("--with-siderolink=${WITH_SIDEROLINK_AGENT}")
;;
esac
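Review bot: The `*)` arm now forwards the raw value of WITH_SIDEROLINK_AGENT, and the new agentFlag.Set in talosctl accepts only `true`, `wireguard` and `tunnel`, so any other truthy spelling that used to enable the agent (for example `yes`) now fails at flag parsing; I cannot see from this hunk whether any caller still passes such a value. If the old permissiveness is wanted, map the values explicitly: `tunnel) QEMU_FLAGS+=("--with-siderolink=tunnel") ;;` followed by `*) QEMU_FLAGS+=("--with-siderolink=wireguard") ;;`. The rest of the script around this case statement is outside the hunk.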


@ -112,7 +112,7 @@ func (ctrl *UserspaceWireguardController) Run(ctx context.Context, r controller.
logger.Info("wg over grpc tunnel device created", zap.String("link_name", res.TypedSpec().LinkName))
eg.Go(func() error {
logger.Debug("running tunnel device")
logger.Debug("tunnel device running")
defer logger.Debug("tunnel device exited")
return td.Run()


@ -59,6 +59,8 @@ func (suite *ServiceAccountSuite) SuiteName() string {
func (suite *ServiceAccountSuite) SetupTest() {
// make sure API calls have timeout
suite.ctx, suite.ctxCancel = context.WithTimeout(context.Background(), 5*time.Minute)
suite.AssertClusterHealthy(suite.ctx)
}
// TearDownTest ...
@ -119,10 +121,10 @@ func (suite *ServiceAccountSuite) TestNotAllowedNamespace() {
name := "test-allowed-ns"
err := suite.configureAPIAccess(true, []string{"os:reader"}, []string{"kube-system"})
suite.Assert().NoError(err)
suite.Require().NoError(err)
sa, err := suite.createServiceAccount("default", name, []string{"os:reader"})
suite.Assert().NoError(err)
suite.Require().NoError(err)
defer suite.DeleteResource(suite.ctx, serviceAccountGVR, "default", name) //nolint:errcheck
@ -131,7 +133,7 @@ func (suite *ServiceAccountSuite) TestNotAllowedNamespace() {
event.Type == corev1.EventTypeWarning &&
event.Reason == "ErrNamespaceNotAllowed"
})
suite.Assert().NoError(err)
suite.Require().NoError(err)
}
// TestNotAllowedRoles tests Kubernetes service accounts with not allowed roles.


@ -6,7 +6,6 @@ package provision
import (
"errors"
"fmt"
"net/netip"
"slices"
"time"
@ -213,34 +212,10 @@ type SiderolinkRequest struct {
SiderolinkBind []SiderolinkBind
}
// AddBind adds a pair of prebinded UUID->Addr for SideroLink agent.
func (sr *SiderolinkRequest) AddBind(id uuid.UUID, addr netip.Addr) {
idx := slices.IndexFunc(sr.SiderolinkBind, func(b SiderolinkBind) bool { return b.UUID == id })
if idx != -1 {
panic(fmt.Errorf("duplicate UUID %s in SideroLink bind", id))
}
idx = slices.IndexFunc(sr.SiderolinkBind, func(b SiderolinkBind) bool { return b.Addr == addr })
if idx != -1 {
panic(fmt.Errorf("duplicate address %s in SideroLink bind", addr))
}
sr.SiderolinkBind = append(sr.SiderolinkBind, SiderolinkBind{
UUID: id,
Addr: addr,
})
}
// GetAddr returns the address for the given UUID.
func (sr *SiderolinkRequest) GetAddr(u *uuid.UUID) (netip.Addr, bool) {
if u == nil {
return netip.Addr{}, false
}
for _, b := range sr.SiderolinkBind {
if b.UUID == *u {
return b.Addr, true
}
if idx := slices.IndexFunc(sr.SiderolinkBind, func(sb SiderolinkBind) bool { return sb.UUID == *u }); idx != -1 {
return sr.SiderolinkBind[idx].Addr, true
}
return netip.Addr{}, false
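Review bot: With AddBind removed, nothing in the provision package enforces that SiderolinkBind holds each UUID and each address at most once; GetAddr (whose closing brace lies outside the hunk) now returns the first match from slices.IndexFunc, so a duplicate UUID is resolved silently where it was previously rejected. Since callers now build the slice themselves, the expectation belongs on the field: `// SiderolinkBind lists pre-assigned UUID->address pairs for the SideroLink agent; each UUID and each address must appear at most once, GetAddr returns the first match.` Dropping the exported AddBind is also an API change for any external user of this package and deserves a line in the commit description.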


@ -167,7 +167,7 @@ talosctl cluster create [flags]
--with-network-packet-corrupt float specify percent of corrupt packets on the bridge interface when creating a qemu cluster. e.g. 50% = 0.50 (default: 0.0)
--with-network-packet-loss float specify percent of packet loss on the bridge interface when creating a qemu cluster. e.g. 50% = 0.50 (default: 0.0)
--with-network-packet-reorder float specify percent of reordered packets on the bridge interface when creating a qemu cluster. e.g. 50% = 0.50 (default: 0.0)
--with-siderolink enables the use of siderolink agent as configuration apply mechanism
--with-siderolink true enables the use of siderolink agent as configuration apply mechanism. true or `wireguard` enables the agent, `tunnel` enables the agent with grpc tunneling (default none)
--with-tpm2 enable TPM2 emulation support using swtpm
--with-uefi enable UEFI on x86_64 architecture (default true)
--with-uuid-hostnames use machine UUIDs as default hostnames (QEMU only)