From dd4185b144a0ca63aedfa077da9435d4244986e3 Mon Sep 17 00:00:00 2001
From: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Date: Thu, 5 Sep 2024 19:48:25 +0400
Subject: [PATCH] feat: add KubeSpan extra endpoint configuration

Fixes #9174

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
---
 .../definitions/kubespan/kubespan.proto       |   1 +
 hack/release.toml                             |   6 +
 .../controllers/cluster/local_affiliate.go    |   7 +
 .../cluster/local_affiliate_test.go           |   3 +-
 .../pkg/controllers/kubespan/config.go        |   1 +
 .../pkg/controllers/kubespan/config_test.go   |  40 ++--
 internal/integration/api/discovery.go         |  55 +++++
 .../definitions/kubespan/kubespan.pb.go       | 191 ++++++++++--------
 .../kubespan/kubespan_vtproto.pb.go           |  78 +++++++
 pkg/machinery/config/config/config.go         |   1 +
 pkg/machinery/config/config/kubespan.go       |  25 +++
 pkg/machinery/config/container/container.go   |   5 +
 .../config/schemas/config.schema.json         |  41 ++++
 .../types/network/deep_copy.generated.go      |  16 +-
 .../types/network/default_action_config.go    |   2 +-
 .../types/network/kubespan_endpoints.go       |  85 ++++++++
 .../types/network/kubespan_endpoints_test.go  |  60 ++++++
 pkg/machinery/config/types/network/network.go |   4 +-
 .../config/types/network/network_doc.go       |  22 ++
 .../testdata/kubespanendpointsconfig.yaml     |   5 +
 pkg/machinery/resources/kubespan/config.go    |   4 +
 .../resources/kubespan/deep_copy.generated.go |   4 +
 website/content/v1.8/reference/api.md         |   1 +
 .../network/kubespanendpoints.md              |  33 +++
 .../content/v1.8/schemas/config.schema.json   |  41 ++++
 .../v1.8/talos-guides/network/kubespan.md     |   9 +
 26 files changed, 632 insertions(+), 108 deletions(-)
 create mode 100644 pkg/machinery/config/config/kubespan.go
 create mode 100644 pkg/machinery/config/types/network/kubespan_endpoints.go
 create mode 100644 pkg/machinery/config/types/network/kubespan_endpoints_test.go
 create mode 100644 pkg/machinery/config/types/network/testdata/kubespanendpointsconfig.yaml
 create mode 100644 website/content/v1.8/reference/configuration/network/kubespanendpoints.md

diff --git a/api/resource/definitions/kubespan/kubespan.proto b/api/resource/definitions/kubespan/kubespan.proto
index 550752b1b..0b2ed83b3 100755
--- a/api/resource/definitions/kubespan/kubespan.proto
+++ b/api/resource/definitions/kubespan/kubespan.proto
@@ -19,6 +19,7 @@ message ConfigSpec {
   uint32 mtu = 6;
   repeated string endpoint_filters = 7;
   bool harvest_extra_endpoints = 8;
+  repeated common.NetIPPort extra_endpoints = 9;
 }
 
 // EndpointSpec describes Endpoint state.
diff --git a/hack/release.toml b/hack/release.toml
index c39160df0..795f26bbe 100644
--- a/hack/release.toml
+++ b/hack/release.toml
@@ -229,6 +229,12 @@ Talos Linux installer now never wipes the system disk on upgrades, which means t
         title = "Disk Management"
         description = """\
 Talos Linux now supports [configuration](https://www.talos.dev/v1.8/talos-guides/configuration/disk-management/#machine-configuration) for the `EPHEMERAL` volume.
+"""
+
+    [notes.kubespan]
+        title = "KubeSpan"
+        description = """\
+Extra announced endpoints can be added using the [`KubespanEndpointsConfig` document](https://www.talos.dev/v1.8/talos-guides/network/kubespan/#configuration).
 """
 
 [make_deps]
diff --git a/internal/app/machined/pkg/controllers/cluster/local_affiliate.go b/internal/app/machined/pkg/controllers/cluster/local_affiliate.go
index d79ef4869..6f234d447 100644
--- a/internal/app/machined/pkg/controllers/cluster/local_affiliate.go
+++ b/internal/app/machined/pkg/controllers/cluster/local_affiliate.go
@@ -288,6 +288,13 @@ func (ctrl *LocalAffiliateController) Run(ctx context.Context, r controller.Runt
 					spec.KubeSpan.Endpoints = xslices.Map(endpointIPs, func(addr netip.Addr) netip.AddrPort {
 						return netip.AddrPortFrom(addr, constants.KubeSpanDefaultPort)
 					})
+
+					// add extra announced endpoints, deduplicating on the way
+					for _, addr := range kubespanConfig.TypedSpec().ExtraEndpoints {
+						if !slices.Contains(spec.KubeSpan.Endpoints, addr) {
+							spec.KubeSpan.Endpoints = append(spec.KubeSpan.Endpoints, addr)
+						}
+					}
 				}
 
 				return nil
diff --git a/internal/app/machined/pkg/controllers/cluster/local_affiliate_test.go b/internal/app/machined/pkg/controllers/cluster/local_affiliate_test.go
index d53857347..a15d05d5c 100644
--- a/internal/app/machined/pkg/controllers/cluster/local_affiliate_test.go
+++ b/internal/app/machined/pkg/controllers/cluster/local_affiliate_test.go
@@ -70,6 +70,7 @@ func (suite *LocalAffiliateSuite) TestGeneration() {
 	ksConfig := kubespan.NewConfig(config.NamespaceName, kubespan.ConfigID)
 	ksConfig.TypedSpec().EndpointFilters = []string{"0.0.0.0/0", "!192.168.0.0/16", "2001::/16"}
 	ksConfig.TypedSpec().AdvertiseKubernetesNetworks = true
+	ksConfig.TypedSpec().ExtraEndpoints = []netip.AddrPort{netip.MustParseAddrPort("10.5.0.1:51820"), netip.MustParseAddrPort("1.2.3.4:5678")}
 	suite.Require().NoError(suite.state.Create(suite.ctx, ksConfig))
 
 	// add KS address to the list of node addresses, it should be ignored in the endpoints
@@ -109,7 +110,6 @@ func (suite *LocalAffiliateSuite) TestGeneration() {
 
 		asrt.NotZero(spec.KubeSpan.PublicKey)
 		asrt.NotZero(spec.KubeSpan.AdditionalAddresses)
-		asrt.Len(spec.KubeSpan.Endpoints, 4)
 
 		asrt.Equal(ksIdentity.TypedSpec().Address.Addr(), spec.KubeSpan.Address)
 		asrt.Equal(ksIdentity.TypedSpec().PublicKey, spec.KubeSpan.PublicKey)
@@ -120,6 +120,7 @@ func (suite *LocalAffiliateSuite) TestGeneration() {
 				"10.5.0.1:51820",
 				"1.1.1.1:51820",
 				"[2001:123:4567::1]:51820",
+				"1.2.3.4:5678",
 			},
 			xslices.Map(spec.KubeSpan.Endpoints, netip.AddrPort.String),
 		)
diff --git a/internal/app/machined/pkg/controllers/kubespan/config.go b/internal/app/machined/pkg/controllers/kubespan/config.go
index 5d7f299b1..4cf890828 100644
--- a/internal/app/machined/pkg/controllers/kubespan/config.go
+++ b/internal/app/machined/pkg/controllers/kubespan/config.go
@@ -51,6 +51,7 @@ func NewConfigController() *ConfigController {
 					res.TypedSpec().HarvestExtraEndpoints = c.Machine().Network().KubeSpan().HarvestExtraEndpoints()
 					res.TypedSpec().MTU = c.Machine().Network().KubeSpan().MTU()
 					res.TypedSpec().EndpointFilters = c.Machine().Network().KubeSpan().Filters().Endpoints()
+					res.TypedSpec().ExtraEndpoints = c.KubespanConfig().ExtraAnnouncedEndpoints()
 				}
 
 				return nil
diff --git a/internal/app/machined/pkg/controllers/kubespan/config_test.go b/internal/app/machined/pkg/controllers/kubespan/config_test.go
index 20fa93808..a36ed4320 100644
--- a/internal/app/machined/pkg/controllers/kubespan/config_test.go
+++ b/internal/app/machined/pkg/controllers/kubespan/config_test.go
@@ -4,6 +4,8 @@
 package kubespan_test
 
 import (
+	"fmt"
+	"net/netip"
 	"testing"
 	"time"
 
@@ -14,6 +16,7 @@ import (
 
 	kubespanctrl "github.com/siderolabs/talos/internal/app/machined/pkg/controllers/kubespan"
 	"github.com/siderolabs/talos/pkg/machinery/config/container"
+	"github.com/siderolabs/talos/pkg/machinery/config/types/network"
 	"github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1"
 	"github.com/siderolabs/talos/pkg/machinery/resources/config"
 	"github.com/siderolabs/talos/pkg/machinery/resources/kubespan"
@@ -28,22 +31,30 @@ func (suite *ConfigSuite) TestReconcileConfig() {
 
 	suite.startRuntime()
 
-	cfg := config.NewMachineConfig(
-		container.NewV1Alpha1(
-			&v1alpha1.Config{
-				ConfigVersion: "v1alpha1",
-				MachineConfig: &v1alpha1.MachineConfig{
-					MachineNetwork: &v1alpha1.NetworkConfig{
-						NetworkKubeSpan: &v1alpha1.NetworkKubeSpan{
-							KubeSpanEnabled: pointer.To(true),
-						},
+	ctr, err := container.New(
+		&v1alpha1.Config{
+			ConfigVersion: "v1alpha1",
+			MachineConfig: &v1alpha1.MachineConfig{
+				MachineNetwork: &v1alpha1.NetworkConfig{
+					NetworkKubeSpan: &v1alpha1.NetworkKubeSpan{
+						KubeSpanEnabled: pointer.To(true),
 					},
 				},
-				ClusterConfig: &v1alpha1.ClusterConfig{
-					ClusterID:     "8XuV9TZHW08DOk3bVxQjH9ih_TBKjnh-j44tsCLSBzo=",
-					ClusterSecret: "I+1In7fLnpcRIjUmEoeugZnSyFoTF6MztLxICL5Yu0s=",
-				},
-			}))
+			},
+			ClusterConfig: &v1alpha1.ClusterConfig{
+				ClusterID:     "8XuV9TZHW08DOk3bVxQjH9ih_TBKjnh-j44tsCLSBzo=",
+				ClusterSecret: "I+1In7fLnpcRIjUmEoeugZnSyFoTF6MztLxICL5Yu0s=",
+			},
+		},
+		&network.KubespanEndpointsConfigV1Alpha1{
+			ExtraAnnouncedEndpointsConfig: []netip.AddrPort{
+				netip.MustParseAddrPort("192.168.33.11:1001"),
+			},
+		},
+	)
+	suite.Require().NoError(err)
+
+	cfg := config.NewMachineConfig(ctr)
 
 	suite.Require().NoError(suite.state.Create(suite.ctx, cfg))
 
@@ -61,6 +72,7 @@ func (suite *ConfigSuite) TestReconcileConfig() {
 				suite.Assert().True(spec.ForceRouting)
 				suite.Assert().False(spec.AdvertiseKubernetesNetworks)
 				suite.Assert().False(spec.HarvestExtraEndpoints)
+				suite.Assert().Equal("[\"192.168.33.11:1001\"]", fmt.Sprintf("%q", spec.ExtraEndpoints))
 
 				return nil
 			},
diff --git a/internal/integration/api/discovery.go b/internal/integration/api/discovery.go
index 71914c4d6..5d0637834 100644
--- a/internal/integration/api/discovery.go
+++ b/internal/integration/api/discovery.go
@@ -9,6 +9,7 @@ package api
 import (
 	"context"
 	"fmt"
+	"math/rand/v2"
 	"net/netip"
 	"strings"
 	"time"
@@ -23,6 +24,7 @@ import (
 
 	"github.com/siderolabs/talos/internal/integration/base"
 	"github.com/siderolabs/talos/pkg/machinery/client"
+	"github.com/siderolabs/talos/pkg/machinery/config/types/network"
 	"github.com/siderolabs/talos/pkg/machinery/resources/cluster"
 	"github.com/siderolabs/talos/pkg/machinery/resources/kubespan"
 )
@@ -277,6 +279,59 @@ func (suite *DiscoverySuite) TestKubeSpanPeers() {
 	}
 }
 
+// TestKubeSpanExtraEndpoints verifies that KubeSpan peer specs are updated with extra endpoints.
+func (suite *DiscoverySuite) TestKubeSpanExtraEndpoints() {
+	if !suite.Capabilities().RunsTalosKernel {
+		suite.T().Skip("not running Talos kernel")
+	}
+
+	// check that cluster has KubeSpan enabled
+	node := suite.RandomDiscoveredNodeInternalIP()
+	suite.ClearConnectionRefused(suite.ctx, node)
+
+	nodeCtx := client.WithNode(suite.ctx, node)
+	provider, err := suite.ReadConfigFromNode(nodeCtx)
+	suite.Require().NoError(err)
+
+	if !provider.Machine().Network().KubeSpan().Enabled() {
+		suite.T().Skip("KubeSpan is disabled")
+	}
+
+	nodes := suite.DiscoverNodeInternalIPs(suite.ctx)
+
+	if len(nodes) < 2 {
+		suite.T().Skip("need at least two nodes for this test")
+	}
+
+	perm := rand.Perm(len(nodes))
+
+	checkNode := nodes[perm[0]]
+	targetNode := nodes[perm[1]]
+
+	mockEndpoint := netip.MustParseAddrPort("169.254.121.121:5820")
+
+	// inject extra endpoint to target node
+	cfgDocument := network.NewKubespanEndpointsV1Alpha1()
+	cfgDocument.ExtraAnnouncedEndpointsConfig = []netip.AddrPort{mockEndpoint}
+
+	suite.T().Logf("injecting extra endpoint %s to node %s", mockEndpoint, targetNode)
+	suite.PatchMachineConfig(client.WithNode(suite.ctx, targetNode), cfgDocument)
+
+	targetIdentity, err := safe.ReaderGetByID[*kubespan.Identity](client.WithNode(suite.ctx, targetNode), suite.Client.COSI, kubespan.LocalIdentity)
+	suite.Require().NoError(err)
+
+	suite.T().Logf("checking extra endpoint %s on node %s", mockEndpoint, checkNode)
+	rtestutils.AssertResources(client.WithNode(suite.ctx, checkNode), suite.T(), suite.Client.COSI, []string{targetIdentity.TypedSpec().PublicKey},
+		func(peer *kubespan.PeerSpec, asrt *assert.Assertions) {
+			asrt.Contains(peer.TypedSpec().Endpoints, mockEndpoint)
+		},
+	)
+
+	// the extra endpoints disappears with a timeout from the discovery service, so can't assert on that
+	suite.T().Logf("removin extra endpoint %s from node %s", mockEndpoint, targetNode)
+	suite.RemoveMachineConfigDocuments(client.WithNode(suite.ctx, targetNode), cfgDocument.MetaKind)
+}
+
 func (suite *DiscoverySuite) getMembers(nodeCtx context.Context) []*cluster.Member {
 	var result []*cluster.Member
 
diff --git a/pkg/machinery/api/resource/definitions/kubespan/kubespan.pb.go b/pkg/machinery/api/resource/definitions/kubespan/kubespan.pb.go
index 50a1d43ed..bad7f39f8 100644
--- a/pkg/machinery/api/resource/definitions/kubespan/kubespan.pb.go
+++ b/pkg/machinery/api/resource/definitions/kubespan/kubespan.pb.go
@@ -31,14 +31,15 @@ type ConfigSpec struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Enabled                     bool     `protobuf:"varint,1,opt,name=enabled,proto3" json:"enabled,omitempty"`
-	ClusterId                   string   `protobuf:"bytes,2,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"`
-	SharedSecret                string   `protobuf:"bytes,3,opt,name=shared_secret,json=sharedSecret,proto3" json:"shared_secret,omitempty"`
-	ForceRouting                bool     `protobuf:"varint,4,opt,name=force_routing,json=forceRouting,proto3" json:"force_routing,omitempty"`
-	AdvertiseKubernetesNetworks bool     `protobuf:"varint,5,opt,name=advertise_kubernetes_networks,json=advertiseKubernetesNetworks,proto3" json:"advertise_kubernetes_networks,omitempty"`
-	Mtu                         uint32   `protobuf:"varint,6,opt,name=mtu,proto3" json:"mtu,omitempty"`
-	EndpointFilters             []string `protobuf:"bytes,7,rep,name=endpoint_filters,json=endpointFilters,proto3" json:"endpoint_filters,omitempty"`
-	HarvestExtraEndpoints       bool     `protobuf:"varint,8,opt,name=harvest_extra_endpoints,json=harvestExtraEndpoints,proto3" json:"harvest_extra_endpoints,omitempty"`
+	Enabled                     bool                `protobuf:"varint,1,opt,name=enabled,proto3" json:"enabled,omitempty"`
+	ClusterId                   string              `protobuf:"bytes,2,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"`
+	SharedSecret                string              `protobuf:"bytes,3,opt,name=shared_secret,json=sharedSecret,proto3" json:"shared_secret,omitempty"`
+	ForceRouting                bool                `protobuf:"varint,4,opt,name=force_routing,json=forceRouting,proto3" json:"force_routing,omitempty"`
+	AdvertiseKubernetesNetworks bool                `protobuf:"varint,5,opt,name=advertise_kubernetes_networks,json=advertiseKubernetesNetworks,proto3" json:"advertise_kubernetes_networks,omitempty"`
+	Mtu                         uint32              `protobuf:"varint,6,opt,name=mtu,proto3" json:"mtu,omitempty"`
+	EndpointFilters             []string            `protobuf:"bytes,7,rep,name=endpoint_filters,json=endpointFilters,proto3" json:"endpoint_filters,omitempty"`
+	HarvestExtraEndpoints       bool                `protobuf:"varint,8,opt,name=harvest_extra_endpoints,json=harvestExtraEndpoints,proto3" json:"harvest_extra_endpoints,omitempty"`
+	ExtraEndpoints              []*common.NetIPPort `protobuf:"bytes,9,rep,name=extra_endpoints,json=extraEndpoints,proto3" json:"extra_endpoints,omitempty"`
 }
 
 func (x *ConfigSpec) Reset() {
@@ -129,6 +130,13 @@ func (x *ConfigSpec) GetHarvestExtraEndpoints() bool {
 	return false
 }
 
+func (x *ConfigSpec) GetExtraEndpoints() []*common.NetIPPort {
+	if x != nil {
+		return x.ExtraEndpoints
+	}
+	return nil
+}
+
 // EndpointSpec describes Endpoint state.
 type EndpointSpec struct {
 	state         protoimpl.MessageState
@@ -450,7 +458,7 @@ var file_resource_definitions_kubespan_kubespan_proto_rawDesc = []byte{
 	0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x26, 0x72, 0x65, 0x73, 0x6f, 0x75,
 	0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f,
 	0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2f, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x22, 0xc8, 0x02, 0x0a, 0x0a, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x70, 0x65, 0x63,
+	0x6f, 0x22, 0x84, 0x03, 0x0a, 0x0a, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x70, 0x65, 0x63,
 	0x12, 0x18, 0x0a, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28,
 	0x08, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x6c,
 	0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09,
@@ -470,72 +478,76 @@ var file_resource_definitions_kubespan_kubespan_proto_rawDesc = []byte{
 	0x74, 0x65, 0x72, 0x73, 0x12, 0x36, 0x0a, 0x17, 0x68, 0x61, 0x72, 0x76, 0x65, 0x73, 0x74, 0x5f,
 	0x65, 0x78, 0x74, 0x72, 0x61, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x18,
 	0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x15, 0x68, 0x61, 0x72, 0x76, 0x65, 0x73, 0x74, 0x45, 0x78,
-	0x74, 0x72, 0x61, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x22, 0x60, 0x0a, 0x0c,
-	0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63, 0x12, 0x21, 0x0a, 0x0c,
-	0x61, 0x66, 0x66, 0x69, 0x6c, 0x69, 0x61, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x0b, 0x61, 0x66, 0x66, 0x69, 0x6c, 0x69, 0x61, 0x74, 0x65, 0x49, 0x64, 0x12,
-	0x2d, 0x0a, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x0b, 0x32, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50,
-	0x50, 0x6f, 0x72, 0x74, 0x52, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x22, 0xaa,
-	0x01, 0x0a, 0x0c, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x53, 0x70, 0x65, 0x63, 0x12,
-	0x2d, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b,
-	0x32, 0x13, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50,
-	0x72, 0x65, 0x66, 0x69, 0x78, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x2b,
-	0x0a, 0x06, 0x73, 0x75, 0x62, 0x6e, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13,
-	0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x72, 0x65,
-	0x66, 0x69, 0x78, 0x52, 0x06, 0x73, 0x75, 0x62, 0x6e, 0x65, 0x74, 0x12, 0x1f, 0x0a, 0x0b, 0x70,
-	0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x0a, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x1d, 0x0a, 0x0a,
-	0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x22, 0xb4, 0x01, 0x0a, 0x0c,
-	0x50, 0x65, 0x65, 0x72, 0x53, 0x70, 0x65, 0x63, 0x53, 0x70, 0x65, 0x63, 0x12, 0x27, 0x0a, 0x07,
-	0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0d, 0x2e,
-	0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x52, 0x07, 0x61, 0x64,
-	0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x34, 0x0a, 0x0b, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64,
-	0x5f, 0x69, 0x70, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x63, 0x6f, 0x6d,
+	0x74, 0x72, 0x61, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x12, 0x3a, 0x0a, 0x0f,
+	0x65, 0x78, 0x74, 0x72, 0x61, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x18,
+	0x09, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e,
+	0x65, 0x74, 0x49, 0x50, 0x50, 0x6f, 0x72, 0x74, 0x52, 0x0e, 0x65, 0x78, 0x74, 0x72, 0x61, 0x45,
+	0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x22, 0x60, 0x0a, 0x0c, 0x45, 0x6e, 0x64, 0x70,
+	0x6f, 0x69, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63, 0x12, 0x21, 0x0a, 0x0c, 0x61, 0x66, 0x66, 0x69,
+	0x6c, 0x69, 0x61, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b,
+	0x61, 0x66, 0x66, 0x69, 0x6c, 0x69, 0x61, 0x74, 0x65, 0x49, 0x64, 0x12, 0x2d, 0x0a, 0x08, 0x65,
+	0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e,
+	0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x6f, 0x72, 0x74,
+	0x52, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x22, 0xaa, 0x01, 0x0a, 0x0c, 0x49,
+	0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x53, 0x70, 0x65, 0x63, 0x12, 0x2d, 0x0a, 0x07, 0x61,
+	0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x63,
+	0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x72, 0x65, 0x66, 0x69,
+	0x78, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x2b, 0x0a, 0x06, 0x73, 0x75,
+	0x62, 0x6e, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x63, 0x6f, 0x6d,
 	0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x52,
-	0x0a, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73, 0x12, 0x2f, 0x0a, 0x09, 0x65,
-	0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11,
-	0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x6f, 0x72,
-	0x74, 0x52, 0x09, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x12, 0x14, 0x0a, 0x05,
-	0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6c, 0x61, 0x62,
-	0x65, 0x6c, 0x22, 0xc7, 0x03, 0x0a, 0x0e, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x75,
-	0x73, 0x53, 0x70, 0x65, 0x63, 0x12, 0x2d, 0x0a, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e,
-	0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e,
-	0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x6f, 0x72, 0x74, 0x52, 0x08, 0x65, 0x6e, 0x64, 0x70,
-	0x6f, 0x69, 0x6e, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x12, 0x49, 0x0a, 0x05, 0x73, 0x74,
-	0x61, 0x74, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x33, 0x2e, 0x74, 0x61, 0x6c, 0x6f,
-	0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e,
-	0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x4b, 0x75, 0x62,
-	0x65, 0x73, 0x70, 0x61, 0x6e, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x05,
-	0x73, 0x74, 0x61, 0x74, 0x65, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65,
-	0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, 0x72, 0x65,
-	0x63, 0x65, 0x69, 0x76, 0x65, 0x42, 0x79, 0x74, 0x65, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x74, 0x72,
-	0x61, 0x6e, 0x73, 0x6d, 0x69, 0x74, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x05, 0x20, 0x01,
-	0x28, 0x03, 0x52, 0x0d, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6d, 0x69, 0x74, 0x42, 0x79, 0x74, 0x65,
-	0x73, 0x12, 0x4a, 0x0a, 0x13, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x68, 0x61, 0x6e, 0x64, 0x73, 0x68,
-	0x61, 0x6b, 0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a,
-	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
-	0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x11, 0x6c, 0x61, 0x73, 0x74,
-	0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x3f, 0x0a,
-	0x12, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x75, 0x73, 0x65, 0x64, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f,
-	0x69, 0x6e, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d,
-	0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x6f, 0x72, 0x74, 0x52, 0x10, 0x6c, 0x61,
-	0x73, 0x74, 0x55, 0x73, 0x65, 0x64, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x4c,
-	0x0a, 0x14, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x5f,
-	0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67,
-	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54,
-	0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x12, 0x6c, 0x61, 0x73, 0x74, 0x45, 0x6e,
-	0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x43, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x42, 0x7a, 0x0a, 0x2b,
-	0x64, 0x65, 0x76, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x72, 0x65,
+	0x06, 0x73, 0x75, 0x62, 0x6e, 0x65, 0x74, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x69, 0x76, 0x61,
+	0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72,
+	0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c,
+	0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x70, 0x75,
+	0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x22, 0xb4, 0x01, 0x0a, 0x0c, 0x50, 0x65, 0x65, 0x72,
+	0x53, 0x70, 0x65, 0x63, 0x53, 0x70, 0x65, 0x63, 0x12, 0x27, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72,
+	0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x63, 0x6f, 0x6d, 0x6d,
+	0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73,
+	0x73, 0x12, 0x34, 0x0a, 0x0b, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x5f, 0x69, 0x70, 0x73,
+	0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e,
+	0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x52, 0x0a, 0x61, 0x6c, 0x6c,
+	0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73, 0x12, 0x2f, 0x0a, 0x09, 0x65, 0x6e, 0x64, 0x70, 0x6f,
+	0x69, 0x6e, 0x74, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x63, 0x6f, 0x6d,
+	0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x6f, 0x72, 0x74, 0x52, 0x09, 0x65,
+	0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x61, 0x62, 0x65,
+	0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x22, 0xc7,
+	0x03, 0x0a, 0x0e, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70, 0x65,
+	0x63, 0x12, 0x2d, 0x0a, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74,
+	0x49, 0x50, 0x50, 0x6f, 0x72, 0x74, 0x52, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74,
+	0x12, 0x14, 0x0a, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x12, 0x49, 0x0a, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18,
+	0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x33, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65,
 	0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f,
-	0x6e, 0x73, 0x2e, 0x6b, 0x75, 0x62, 0x65, 0x73, 0x70, 0x61, 0x6e, 0x5a, 0x4b, 0x67, 0x69, 0x74,
-	0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x64, 0x65, 0x72, 0x6f, 0x6c, 0x61,
-	0x62, 0x73, 0x2f, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x6d, 0x61, 0x63,
-	0x68, 0x69, 0x6e, 0x65, 0x72, 0x79, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75,
-	0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f,
-	0x6b, 0x75, 0x62, 0x65, 0x73, 0x70, 0x61, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x4b, 0x75, 0x62, 0x65, 0x73, 0x70, 0x61,
+	0x6e, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x05, 0x73, 0x74, 0x61, 0x74,
+	0x65, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x5f, 0x62, 0x79, 0x74,
+	0x65, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76,
+	0x65, 0x42, 0x79, 0x74, 0x65, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6d,
+	0x69, 0x74, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0d,
+	0x74, 0x72, 0x61, 0x6e, 0x73, 0x6d, 0x69, 0x74, 0x42, 0x79, 0x74, 0x65, 0x73, 0x12, 0x4a, 0x0a,
+	0x13, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x68, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x5f,
+	0x74, 0x69, 0x6d, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f,
+	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d,
+	0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x11, 0x6c, 0x61, 0x73, 0x74, 0x48, 0x61, 0x6e, 0x64,
+	0x73, 0x68, 0x61, 0x6b, 0x65, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x3f, 0x0a, 0x12, 0x6c, 0x61, 0x73,
+	0x74, 0x5f, 0x75, 0x73, 0x65, 0x64, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18,
+	0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e,
+	0x65, 0x74, 0x49, 0x50, 0x50, 0x6f, 0x72, 0x74, 0x52, 0x10, 0x6c, 0x61, 0x73, 0x74, 0x55, 0x73,
+	0x65, 0x64, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x4c, 0x0a, 0x14, 0x6c, 0x61,
+	0x73, 0x74, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x5f, 0x63, 0x68, 0x61, 0x6e,
+	0x67, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73,
+	0x74, 0x61, 0x6d, 0x70, 0x52, 0x12, 0x6c, 0x61, 0x73, 0x74, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69,
+	0x6e, 0x74, 0x43, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x42, 0x7a, 0x0a, 0x2b, 0x64, 0x65, 0x76, 0x2e,
+	0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72,
+	0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x6b,
+	0x75, 0x62, 0x65, 0x73, 0x70, 0x61, 0x6e, 0x5a, 0x4b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e,
+	0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x64, 0x65, 0x72, 0x6f, 0x6c, 0x61, 0x62, 0x73, 0x2f, 0x74,
+	0x61, 0x6c, 0x6f, 0x73, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
+	0x72, 0x79, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f,
+	0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x6b, 0x75, 0x62, 0x65,
+	0x73, 0x70, 0x61, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -564,22 +576,23 @@ var file_resource_definitions_kubespan_kubespan_proto_goTypes = []any{
 	(*timestamppb.Timestamp)(nil), // 9: google.protobuf.Timestamp
 }
 var file_resource_definitions_kubespan_kubespan_proto_depIdxs = []int32{
-	5,  // 0: talos.resource.definitions.kubespan.EndpointSpec.endpoint:type_name -> common.NetIPPort
-	6,  // 1: talos.resource.definitions.kubespan.IdentitySpec.address:type_name -> common.NetIPPrefix
-	6,  // 2: talos.resource.definitions.kubespan.IdentitySpec.subnet:type_name -> common.NetIPPrefix
-	7,  // 3: talos.resource.definitions.kubespan.PeerSpecSpec.address:type_name -> common.NetIP
-	6,  // 4: talos.resource.definitions.kubespan.PeerSpecSpec.allowed_ips:type_name -> common.NetIPPrefix
-	5,  // 5: talos.resource.definitions.kubespan.PeerSpecSpec.endpoints:type_name -> common.NetIPPort
-	5,  // 6: talos.resource.definitions.kubespan.PeerStatusSpec.endpoint:type_name -> common.NetIPPort
-	8,  // 7: talos.resource.definitions.kubespan.PeerStatusSpec.state:type_name -> talos.resource.definitions.enums.KubespanPeerState
-	9,  // 8: talos.resource.definitions.kubespan.PeerStatusSpec.last_handshake_time:type_name -> google.protobuf.Timestamp
-	5,  // 9: talos.resource.definitions.kubespan.PeerStatusSpec.last_used_endpoint:type_name -> common.NetIPPort
-	9,  // 10: talos.resource.definitions.kubespan.PeerStatusSpec.last_endpoint_change:type_name -> google.protobuf.Timestamp
-	11, // [11:11] is the sub-list for method output_type
-	11, // [11:11] is the sub-list for method input_type
-	11, // [11:11] is the sub-list for extension type_name
-	11, // [11:11] is the sub-list for extension extendee
-	0,  // [0:11] is the sub-list for field type_name
+	5,  // 0: talos.resource.definitions.kubespan.ConfigSpec.extra_endpoints:type_name -> common.NetIPPort
+	5,  // 1: talos.resource.definitions.kubespan.EndpointSpec.endpoint:type_name -> common.NetIPPort
+	6,  // 2: talos.resource.definitions.kubespan.IdentitySpec.address:type_name -> common.NetIPPrefix
+	6,  // 3: talos.resource.definitions.kubespan.IdentitySpec.subnet:type_name -> common.NetIPPrefix
+	7,  // 4: talos.resource.definitions.kubespan.PeerSpecSpec.address:type_name -> common.NetIP
+	6,  // 5: talos.resource.definitions.kubespan.PeerSpecSpec.allowed_ips:type_name -> common.NetIPPrefix
+	5,  // 6: talos.resource.definitions.kubespan.PeerSpecSpec.endpoints:type_name -> common.NetIPPort
+	5,  // 7: talos.resource.definitions.kubespan.PeerStatusSpec.endpoint:type_name -> common.NetIPPort
+	8,  // 8: talos.resource.definitions.kubespan.PeerStatusSpec.state:type_name -> talos.resource.definitions.enums.KubespanPeerState
+	9,  // 9: talos.resource.definitions.kubespan.PeerStatusSpec.last_handshake_time:type_name -> google.protobuf.Timestamp
+	5,  // 10: talos.resource.definitions.kubespan.PeerStatusSpec.last_used_endpoint:type_name -> common.NetIPPort
+	9,  // 11: talos.resource.definitions.kubespan.PeerStatusSpec.last_endpoint_change:type_name -> google.protobuf.Timestamp
+	12, // [12:12] is the sub-list for method output_type
+	12, // [12:12] is the sub-list for method input_type
+	12, // [12:12] is the sub-list for extension type_name
+	12, // [12:12] is the sub-list for extension extendee
+	0,  // [0:12] is the sub-list for field type_name
 }
 
 func init() { file_resource_definitions_kubespan_kubespan_proto_init() }
diff --git a/pkg/machinery/api/resource/definitions/kubespan/kubespan_vtproto.pb.go b/pkg/machinery/api/resource/definitions/kubespan/kubespan_vtproto.pb.go
index 79b528fde..b3dff449e 100644
--- a/pkg/machinery/api/resource/definitions/kubespan/kubespan_vtproto.pb.go
+++ b/pkg/machinery/api/resource/definitions/kubespan/kubespan_vtproto.pb.go
@@ -55,6 +55,30 @@ func (m *ConfigSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
 		i -= len(m.unknownFields)
 		copy(dAtA[i:], m.unknownFields)
 	}
+	if len(m.ExtraEndpoints) > 0 {
+		for iNdEx := len(m.ExtraEndpoints) - 1; iNdEx >= 0; iNdEx-- {
+			if vtmsg, ok := interface{}(m.ExtraEndpoints[iNdEx]).(interface {
+				MarshalToSizedBufferVT([]byte) (int, error)
+			}); ok {
+				size, err := vtmsg.MarshalToSizedBufferVT(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = protohelpers.EncodeVarint(dAtA, i, uint64(size))
+			} else {
+				encoded, err := proto.Marshal(m.ExtraEndpoints[iNdEx])
+				if err != nil {
+					return 0, err
+				}
+				i -= len(encoded)
+				copy(dAtA[i:], encoded)
+				i = protohelpers.EncodeVarint(dAtA, i, uint64(len(encoded)))
+			}
+			i--
+			dAtA[i] = 0x4a
+		}
+	}
 	if m.HarvestExtraEndpoints {
 		i--
 		if m.HarvestExtraEndpoints {
@@ -543,6 +567,18 @@ func (m *ConfigSpec) SizeVT() (n int) {
 	if m.HarvestExtraEndpoints {
 		n += 2
 	}
+	if len(m.ExtraEndpoints) > 0 {
+		for _, e := range m.ExtraEndpoints {
+			if size, ok := interface{}(e).(interface {
+				SizeVT() int
+			}); ok {
+				l = size.SizeVT()
+			} else {
+				l = proto.Size(e)
+			}
+			n += 1 + l + protohelpers.SizeOfVarint(uint64(l))
+		}
+	}
 	n += len(m.unknownFields)
 	return n
 }
@@ -932,6 +968,48 @@ func (m *ConfigSpec) UnmarshalVT(dAtA []byte) error {
 				}
 			}
 			m.HarvestExtraEndpoints = bool(v != 0)
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExtraEndpoints", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return protohelpers.ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ExtraEndpoints = append(m.ExtraEndpoints, &common.NetIPPort{})
+			if unmarshal, ok := interface{}(m.ExtraEndpoints[len(m.ExtraEndpoints)-1]).(interface {
+				UnmarshalVT([]byte) error
+			}); ok {
+				if err := unmarshal.UnmarshalVT(dAtA[iNdEx:postIndex]); err != nil {
+					return err
+				}
+			} else {
+				if err := proto.Unmarshal(dAtA[iNdEx:postIndex], m.ExtraEndpoints[len(m.ExtraEndpoints)-1]); err != nil {
+					return err
+				}
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := protohelpers.Skip(dAtA[iNdEx:])
diff --git a/pkg/machinery/config/config/config.go b/pkg/machinery/config/config/config.go
index 934fcde27..2e54242b1 100644
--- a/pkg/machinery/config/config/config.go
+++ b/pkg/machinery/config/config/config.go
@@ -16,4 +16,5 @@ type Config interface {
 	NetworkRules() NetworkRuleConfig
 	TrustedRoots() TrustedRootsConfig
 	Volumes() VolumesConfig
+	KubespanConfig() KubespanConfig
 }
diff --git a/pkg/machinery/config/config/kubespan.go b/pkg/machinery/config/config/kubespan.go
new file mode 100644
index 000000000..9f0256ce5
--- /dev/null
+++ b/pkg/machinery/config/config/kubespan.go
@@ -0,0 +1,25 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package config
+
+import "net/netip"
+
+// KubespanConfig defines the interface to access KubeSpan configuration.
+type KubespanConfig interface {
+	ExtraAnnouncedEndpoints() []netip.AddrPort
+}
+
+// WrapKubespanConfig wraps a list of KubespanConfig into a single KubespanConfig aggregating the results.
+func WrapKubespanConfig(configs ...KubespanConfig) KubespanConfig {
+	return kubespanConfigWrapper(configs)
+}
+
+type kubespanConfigWrapper []KubespanConfig
+
+func (w kubespanConfigWrapper) ExtraAnnouncedEndpoints() []netip.AddrPort {
+	return aggregateValues(w, func(c KubespanConfig) []netip.AddrPort {
+		return c.ExtraAnnouncedEndpoints()
+	})
+}
diff --git a/pkg/machinery/config/container/container.go b/pkg/machinery/config/container/container.go
index a7ab8c3b4..bbd9ea5a9 100644
--- a/pkg/machinery/config/container/container.go
+++ b/pkg/machinery/config/container/container.go
@@ -199,6 +199,11 @@ func (container *Container) Volumes() config.VolumesConfig {
 	return config.WrapVolumesConfigList(findMatchingDocs[config.VolumeConfig](container.documents)...)
 }
 
+// KubespanConfig implements config.Config interface.
+func (container *Container) KubespanConfig() config.KubespanConfig {
+	return config.WrapKubespanConfig(findMatchingDocs[config.KubespanConfig](container.documents)...)
+}
+
 // Bytes returns source YAML representation (if available) or does default encoding.
 func (container *Container) Bytes() ([]byte, error) {
 	if !container.readonly {
diff --git a/pkg/machinery/config/schemas/config.schema.json b/pkg/machinery/config/schemas/config.schema.json
index 9de650b80..1fb4f1f26 100644
--- a/pkg/machinery/config/schemas/config.schema.json
+++ b/pkg/machinery/config/schemas/config.schema.json
@@ -227,6 +227,44 @@
       "additionalProperties": false,
       "type": "object"
     },
+    "network.KubespanEndpointsConfigV1Alpha1": {
+      "properties": {
+        "apiVersion": {
+          "enum": [
+            "v1alpha1"
+          ],
+          "title": "apiVersion",
+          "description": "apiVersion is the API version of the resource.\n",
+          "markdownDescription": "apiVersion is the API version of the resource.",
+          "x-intellij-html-description": "\u003cp\u003eapiVersion is the API version of the resource.\u003c/p\u003e\n"
+        },
+        "kind": {
+          "enum": [
+            "KubespanEndpoints"
+          ],
+          "title": "kind",
+          "description": "kind is the kind of the resource.\n",
+          "markdownDescription": "kind is the kind of the resource.",
+          "x-intellij-html-description": "\u003cp\u003ekind is the kind of the resource.\u003c/p\u003e\n"
+        },
+        "extraAnnouncedEndpoints": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array",
+          "title": "extraAnnouncedEndpoints",
+          "description": "A list of extra Wireguard endpoints to announce from this machine.\n\nTalos automatically adds endpoints based on machine addresses, public IP, etc.\nThis field allows to add extra endpoints which are managed outside of Talos, e.g. NAT mapping.\n",
+          "markdownDescription": "A list of extra Wireguard endpoints to announce from this machine.\n\nTalos automatically adds endpoints based on machine addresses, public IP, etc.\nThis field allows to add extra endpoints which are managed outside of Talos, e.g. NAT mapping.",
+          "x-intellij-html-description": "\u003cp\u003eA list of extra Wireguard endpoints to announce from this machine.\u003c/p\u003e\n\n\u003cp\u003eTalos automatically adds endpoints based on machine addresses, public IP, etc.\nThis field allows to add extra endpoints which are managed outside of Talos, e.g. NAT mapping.\u003c/p\u003e\n"
+        }
+      },
+      "additionalProperties": false,
+      "type": "object",
+      "required": [
+        "apiVersion",
+        "kind"
+      ]
+    },
     "network.RuleConfigV1Alpha1": {
       "properties": {
         "apiVersion": {
@@ -3569,6 +3607,9 @@
     {
       "$ref": "#/$defs/network.DefaultActionConfigV1Alpha1"
     },
+    {
+      "$ref": "#/$defs/network.KubespanEndpointsConfigV1Alpha1"
+    },
     {
       "$ref": "#/$defs/network.RuleConfigV1Alpha1"
     },
diff --git a/pkg/machinery/config/types/network/deep_copy.generated.go b/pkg/machinery/config/types/network/deep_copy.generated.go
index 6af50d5e5..bccb98b56 100644
--- a/pkg/machinery/config/types/network/deep_copy.generated.go
+++ b/pkg/machinery/config/types/network/deep_copy.generated.go
@@ -2,16 +2,30 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-// Code generated by "deep-copy -type DefaultActionConfigV1Alpha1 -type RuleConfigV1Alpha1 -pointer-receiver -header-file ../../../../../hack/boilerplate.txt -o deep_copy.generated.go ."; DO NOT EDIT.
+// Code generated by "deep-copy -type DefaultActionConfigV1Alpha1 -type KubespanEndpointsConfigV1Alpha1 -type RuleConfigV1Alpha1 -pointer-receiver -header-file ../../../../../hack/boilerplate.txt -o deep_copy.generated.go ."; DO NOT EDIT.
 
 package network
 
+import (
+	"net/netip"
+)
+
 // DeepCopy generates a deep copy of *DefaultActionConfigV1Alpha1.
 func (o *DefaultActionConfigV1Alpha1) DeepCopy() *DefaultActionConfigV1Alpha1 {
 	var cp DefaultActionConfigV1Alpha1 = *o
 	return &cp
 }
 
+// DeepCopy generates a deep copy of *KubespanEndpointsConfigV1Alpha1.
+func (o *KubespanEndpointsConfigV1Alpha1) DeepCopy() *KubespanEndpointsConfigV1Alpha1 {
+	var cp KubespanEndpointsConfigV1Alpha1 = *o
+	if o.ExtraAnnouncedEndpointsConfig != nil {
+		cp.ExtraAnnouncedEndpointsConfig = make([]netip.AddrPort, len(o.ExtraAnnouncedEndpointsConfig))
+		copy(cp.ExtraAnnouncedEndpointsConfig, o.ExtraAnnouncedEndpointsConfig)
+	}
+	return &cp
+}
+
 // DeepCopy generates a deep copy of *RuleConfigV1Alpha1.
 func (o *RuleConfigV1Alpha1) DeepCopy() *RuleConfigV1Alpha1 {
 	var cp RuleConfigV1Alpha1 = *o
diff --git a/pkg/machinery/config/types/network/default_action_config.go b/pkg/machinery/config/types/network/default_action_config.go
index 124b3efce..7320b1883 100644
--- a/pkg/machinery/config/types/network/default_action_config.go
+++ b/pkg/machinery/config/types/network/default_action_config.go
@@ -19,7 +19,7 @@ const DefaultActionConfig = "NetworkDefaultActionConfig"
 func init() {
 	registry.Register(DefaultActionConfig, func(version string) config.Document {
 		switch version {
-		case "v1alpha1":
+		case "v1alpha1": //nolint:goconst
 			return &DefaultActionConfigV1Alpha1{}
 		default:
 			return nil
diff --git a/pkg/machinery/config/types/network/kubespan_endpoints.go b/pkg/machinery/config/types/network/kubespan_endpoints.go
new file mode 100644
index 000000000..1a6eb8536
--- /dev/null
+++ b/pkg/machinery/config/types/network/kubespan_endpoints.go
@@ -0,0 +1,85 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package network
+
+//docgen:jsonschema
+
+import (
+	"net/netip"
+	"slices"
+
+	"github.com/siderolabs/talos/pkg/machinery/config/config"
+	"github.com/siderolabs/talos/pkg/machinery/config/internal/registry"
+	"github.com/siderolabs/talos/pkg/machinery/config/types/meta"
+)
+
+// KubespanEndpointsKind is a KubeSpan endpoints document kind.
+const KubespanEndpointsKind = "KubespanEndpointsConfig"
+
+func init() {
+	registry.Register(KubespanEndpointsKind, func(version string) config.Document {
+		switch version {
+		case "v1alpha1":
+			return &KubespanEndpointsConfigV1Alpha1{}
+		default:
+			return nil
+		}
+	})
+}
+
+// Check interfaces.
+var (
+	_ config.KubespanConfig = &KubespanEndpointsConfigV1Alpha1{}
+)
+
+// KubespanEndpointsConfigV1Alpha1 is a config document to configure KubeSpan endpoints.
+//
+//	examples:
+//	  - value: exampleKubespanEndpointsV1Alpha1()
+//	alias: KubespanEndpoints
+//	schemaRoot: true
+//	schemaMeta: v1alpha1/KubespanEndpoints
+type KubespanEndpointsConfigV1Alpha1 struct {
+	meta.Meta `yaml:",inline"`
+	//   description: |
+	//     A list of extra Wireguard endpoints to announce from this machine.
+	//
+	//     Talos automatically adds endpoints based on machine addresses, public IP, etc.
+	//     This field allows to add extra endpoints which are managed outside of Talos, e.g. NAT mapping.
+	//   schema:
+	//     type: array
+	//     items:
+	//       type: string
+	ExtraAnnouncedEndpointsConfig []netip.AddrPort `yaml:"extraAnnouncedEndpoints"`
+}
+
+// NewKubespanEndpointsV1Alpha1 creates a new KubespanEndpoints config document.
+func NewKubespanEndpointsV1Alpha1() *KubespanEndpointsConfigV1Alpha1 {
+	return &KubespanEndpointsConfigV1Alpha1{
+		Meta: meta.Meta{
+			MetaKind:       KubespanEndpointsKind,
+			MetaAPIVersion: "v1alpha1",
+		},
+	}
+}
+
+func exampleKubespanEndpointsV1Alpha1() *KubespanEndpointsConfigV1Alpha1 {
+	cfg := NewKubespanEndpointsV1Alpha1()
+	cfg.ExtraAnnouncedEndpointsConfig = []netip.AddrPort{
+		netip.MustParseAddrPort("192.168.13.46:52000"),
+	}
+
+	return cfg
+}
+
+// Clone implements config.Document interface.
+func (s *KubespanEndpointsConfigV1Alpha1) Clone() config.Document {
+	return s.DeepCopy()
+}
+
+// ExtraAnnouncedEndpoints implements KubespanConfig interface.
+func (s *KubespanEndpointsConfigV1Alpha1) ExtraAnnouncedEndpoints() []netip.AddrPort {
+	return slices.Clone(s.ExtraAnnouncedEndpointsConfig)
+}
diff --git a/pkg/machinery/config/types/network/kubespan_endpoints_test.go b/pkg/machinery/config/types/network/kubespan_endpoints_test.go
new file mode 100644
index 000000000..39fa78240
--- /dev/null
+++ b/pkg/machinery/config/types/network/kubespan_endpoints_test.go
@@ -0,0 +1,60 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package network_test
+
+import (
+	_ "embed"
+	"net/netip"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/siderolabs/talos/pkg/machinery/config/configloader"
+	"github.com/siderolabs/talos/pkg/machinery/config/encoder"
+	"github.com/siderolabs/talos/pkg/machinery/config/types/meta"
+	"github.com/siderolabs/talos/pkg/machinery/config/types/network"
+)
+
+//go:embed testdata/kubespanendpointsconfig.yaml
+var expectedKubespanEndpointsConfigDocument []byte
+
+func TestKubespanEndpointsConfigMarshalStability(t *testing.T) {
+	t.Parallel()
+
+	cfg := network.NewKubespanEndpointsV1Alpha1()
+	cfg.ExtraAnnouncedEndpointsConfig = []netip.AddrPort{
+		netip.MustParseAddrPort("3.4.5.6:123"),
+		netip.MustParseAddrPort("10.11.12.13:456"),
+	}
+
+	marshaled, err := encoder.NewEncoder(cfg, encoder.WithComments(encoder.CommentsDisabled)).Encode()
+	require.NoError(t, err)
+
+	t.Log(string(marshaled))
+
+	assert.Equal(t, expectedKubespanEndpointsConfigDocument, marshaled)
+}
+
+func TestKubespanEndpointsConfigUnmarshal(t *testing.T) {
+	t.Parallel()
+
+	provider, err := configloader.NewFromBytes(expectedKubespanEndpointsConfigDocument)
+	require.NoError(t, err)
+
+	docs := provider.Documents()
+	require.Len(t, docs, 1)
+
+	assert.Equal(t, &network.KubespanEndpointsConfigV1Alpha1{
+		Meta: meta.Meta{
+			MetaAPIVersion: "v1alpha1",
+			MetaKind:       network.KubespanEndpointsKind,
+		},
+		ExtraAnnouncedEndpointsConfig: []netip.AddrPort{
+			netip.MustParseAddrPort("3.4.5.6:123"),
+			netip.MustParseAddrPort("10.11.12.13:456"),
+		},
+	}, docs[0])
+}
diff --git a/pkg/machinery/config/types/network/network.go b/pkg/machinery/config/types/network/network.go
index f396a9a01..558330dde 100644
--- a/pkg/machinery/config/types/network/network.go
+++ b/pkg/machinery/config/types/network/network.go
@@ -5,6 +5,6 @@
 // Package network provides network machine configuration documents.
 package network
 
-//go:generate docgen -output network_doc.go network.go default_action_config.go port_range.go rule_config.go
+//go:generate docgen -output network_doc.go network.go default_action_config.go kubespan_endpoints.go port_range.go rule_config.go
 
-//go:generate deep-copy -type DefaultActionConfigV1Alpha1 -type RuleConfigV1Alpha1 -pointer-receiver -header-file ../../../../../hack/boilerplate.txt -o deep_copy.generated.go .
+//go:generate deep-copy -type DefaultActionConfigV1Alpha1 -type KubespanEndpointsConfigV1Alpha1 -type RuleConfigV1Alpha1 -pointer-receiver -header-file ../../../../../hack/boilerplate.txt -o deep_copy.generated.go .
diff --git a/pkg/machinery/config/types/network/network_doc.go b/pkg/machinery/config/types/network/network_doc.go
index 8aacb5456..b95565e64 100644
--- a/pkg/machinery/config/types/network/network_doc.go
+++ b/pkg/machinery/config/types/network/network_doc.go
@@ -37,6 +37,27 @@ func (DefaultActionConfigV1Alpha1) Doc() *encoder.Doc {
 	return doc
 }
 
+func (KubespanEndpointsConfigV1Alpha1) Doc() *encoder.Doc {
+	doc := &encoder.Doc{
+		Type:        "KubespanEndpoints",
+		Comments:    [3]string{"" /* encoder.HeadComment */, "KubespanEndpoints is a config document to configure KubeSpan endpoints." /* encoder.LineComment */, "" /* encoder.FootComment */},
+		Description: "KubespanEndpoints is a config document to configure KubeSpan endpoints.",
+		Fields: []encoder.Doc{
+			{}, {
+				Name:        "extraAnnouncedEndpoints",
+				Type:        "[]AddrPort",
+				Note:        "",
+				Description: "A list of extra Wireguard endpoints to announce from this machine.\n\nTalos automatically adds endpoints based on machine addresses, public IP, etc.\nThis field allows to add extra endpoints which are managed outside of Talos, e.g. NAT mapping.",
+				Comments:    [3]string{"" /* encoder.HeadComment */, "A list of extra Wireguard endpoints to announce from this machine." /* encoder.LineComment */, "" /* encoder.FootComment */},
+			},
+		},
+	}
+
+	doc.AddExample("", exampleKubespanEndpointsV1Alpha1())
+
+	return doc
+}
+
 func (RuleConfigV1Alpha1) Doc() *encoder.Doc {
 	doc := &encoder.Doc{
 		Type:        "NetworkRuleConfig",
@@ -157,6 +178,7 @@ func GetFileDoc() *encoder.FileDoc {
 		Description: "Package network provides network machine configuration documents.\n",
 		Structs: []*encoder.Doc{
 			DefaultActionConfigV1Alpha1{}.Doc(),
+			KubespanEndpointsConfigV1Alpha1{}.Doc(),
 			RuleConfigV1Alpha1{}.Doc(),
 			RulePortSelector{}.Doc(),
 			IngressRule{}.Doc(),
diff --git a/pkg/machinery/config/types/network/testdata/kubespanendpointsconfig.yaml b/pkg/machinery/config/types/network/testdata/kubespanendpointsconfig.yaml
new file mode 100644
index 000000000..50bccf710
--- /dev/null
+++ b/pkg/machinery/config/types/network/testdata/kubespanendpointsconfig.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1alpha1
+kind: KubespanEndpointsConfig
+extraAnnouncedEndpoints:
+    - 3.4.5.6:123
+    - 10.11.12.13:456
diff --git a/pkg/machinery/resources/kubespan/config.go b/pkg/machinery/resources/kubespan/config.go
index 78630c652..77dbe3693 100644
--- a/pkg/machinery/resources/kubespan/config.go
+++ b/pkg/machinery/resources/kubespan/config.go
@@ -5,6 +5,8 @@
 package kubespan
 
 import (
+	"net/netip"
+
 	"github.com/cosi-project/runtime/pkg/resource"
 	"github.com/cosi-project/runtime/pkg/resource/meta"
 	"github.com/cosi-project/runtime/pkg/resource/protobuf"
@@ -42,6 +44,8 @@ type ConfigSpec struct {
 	EndpointFilters []string `yaml:"endpointFilters,omitempty" protobuf:"7"`
 	// Harvest endpoints from the peer statuses.
 	HarvestExtraEndpoints bool `yaml:"harvestExtraEndpoints" protobuf:"8"`
+	// Extra endpoints to announce.
+	ExtraEndpoints []netip.AddrPort `yaml:"extraEndpoints,omitempty" protobuf:"9"`
 }
 
 // NewConfig initializes a Config resource.
diff --git a/pkg/machinery/resources/kubespan/deep_copy.generated.go b/pkg/machinery/resources/kubespan/deep_copy.generated.go
index 2e143dfd1..b8b75ee45 100644
--- a/pkg/machinery/resources/kubespan/deep_copy.generated.go
+++ b/pkg/machinery/resources/kubespan/deep_copy.generated.go
@@ -17,6 +17,10 @@ func (o ConfigSpec) DeepCopy() ConfigSpec {
 		cp.EndpointFilters = make([]string, len(o.EndpointFilters))
 		copy(cp.EndpointFilters, o.EndpointFilters)
 	}
+	if o.ExtraEndpoints != nil {
+		cp.ExtraEndpoints = make([]netip.AddrPort, len(o.ExtraEndpoints))
+		copy(cp.ExtraEndpoints, o.ExtraEndpoints)
+	}
 	return cp
 }
 
diff --git a/website/content/v1.8/reference/api.md b/website/content/v1.8/reference/api.md
index e4e3c1b61..129d0ee23 100644
--- a/website/content/v1.8/reference/api.md
+++ b/website/content/v1.8/reference/api.md
@@ -3147,6 +3147,7 @@ ConfigSpec describes KubeSpan configuration..
 | mtu | [uint32](#uint32) |  |  |
 | endpoint_filters | [string](#string) | repeated |  |
 | harvest_extra_endpoints | [bool](#bool) |  |  |
+| extra_endpoints | [common.NetIPPort](#common.NetIPPort) | repeated |  |
 
 
 
diff --git a/website/content/v1.8/reference/configuration/network/kubespanendpoints.md b/website/content/v1.8/reference/configuration/network/kubespanendpoints.md
new file mode 100644
index 000000000..9313a2de0
--- /dev/null
+++ b/website/content/v1.8/reference/configuration/network/kubespanendpoints.md
@@ -0,0 +1,33 @@
+---
+description: KubespanEndpoints is a config document to configure KubeSpan endpoints.
+title: KubespanEndpoints
+---
+
+<!-- markdownlint-disable -->
+
+
+
+
+
+
+
+
+
+{{< highlight yaml >}}
+apiVersion: v1alpha1
+kind: KubespanEndpointsConfig
+# A list of extra Wireguard endpoints to announce from this machine.
+extraAnnouncedEndpoints:
+    - 192.168.13.46:52000
+{{< /highlight >}}
+
+
+| Field | Type | Description | Value(s) |
+|-------|------|-------------|----------|
+|`extraAnnouncedEndpoints` |[]AddrPort |<details><summary>A list of extra Wireguard endpoints to announce from this machine.</summary><br />Talos automatically adds endpoints based on machine addresses, public IP, etc.<br />This field allows to add extra endpoints which are managed outside of Talos, e.g. NAT mapping.</details>  | |
+
+
+
+
+
+
diff --git a/website/content/v1.8/schemas/config.schema.json b/website/content/v1.8/schemas/config.schema.json
index 9de650b80..1fb4f1f26 100644
--- a/website/content/v1.8/schemas/config.schema.json
+++ b/website/content/v1.8/schemas/config.schema.json
@@ -227,6 +227,44 @@
       "additionalProperties": false,
       "type": "object"
     },
+    "network.KubespanEndpointsConfigV1Alpha1": {
+      "properties": {
+        "apiVersion": {
+          "enum": [
+            "v1alpha1"
+          ],
+          "title": "apiVersion",
+          "description": "apiVersion is the API version of the resource.\n",
+          "markdownDescription": "apiVersion is the API version of the resource.",
+          "x-intellij-html-description": "\u003cp\u003eapiVersion is the API version of the resource.\u003c/p\u003e\n"
+        },
+        "kind": {
+          "enum": [
+            "KubespanEndpoints"
+          ],
+          "title": "kind",
+          "description": "kind is the kind of the resource.\n",
+          "markdownDescription": "kind is the kind of the resource.",
+          "x-intellij-html-description": "\u003cp\u003ekind is the kind of the resource.\u003c/p\u003e\n"
+        },
+        "extraAnnouncedEndpoints": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array",
+          "title": "extraAnnouncedEndpoints",
+          "description": "A list of extra Wireguard endpoints to announce from this machine.\n\nTalos automatically adds endpoints based on machine addresses, public IP, etc.\nThis field allows to add extra endpoints which are managed outside of Talos, e.g. NAT mapping.\n",
+          "markdownDescription": "A list of extra Wireguard endpoints to announce from this machine.\n\nTalos automatically adds endpoints based on machine addresses, public IP, etc.\nThis field allows to add extra endpoints which are managed outside of Talos, e.g. NAT mapping.",
+          "x-intellij-html-description": "\u003cp\u003eA list of extra Wireguard endpoints to announce from this machine.\u003c/p\u003e\n\n\u003cp\u003eTalos automatically adds endpoints based on machine addresses, public IP, etc.\nThis field allows to add extra endpoints which are managed outside of Talos, e.g. NAT mapping.\u003c/p\u003e\n"
+        }
+      },
+      "additionalProperties": false,
+      "type": "object",
+      "required": [
+        "apiVersion",
+        "kind"
+      ]
+    },
     "network.RuleConfigV1Alpha1": {
       "properties": {
         "apiVersion": {
@@ -3569,6 +3607,9 @@
     {
       "$ref": "#/$defs/network.DefaultActionConfigV1Alpha1"
     },
+    {
+      "$ref": "#/$defs/network.KubespanEndpointsConfigV1Alpha1"
+    },
     {
       "$ref": "#/$defs/network.RuleConfigV1Alpha1"
     },
diff --git a/website/content/v1.8/talos-guides/network/kubespan.md b/website/content/v1.8/talos-guides/network/kubespan.md
index 3204c415c..7b22450d8 100644
--- a/website/content/v1.8/talos-guides/network/kubespan.md
+++ b/website/content/v1.8/talos-guides/network/kubespan.md
@@ -134,6 +134,15 @@ The `filters` setting allows hiding some endpoints from being advertised over Ku
 This is useful when some endpoints are known to be unreachable between the nodes, so that KubeSpan doesn't try to establish a connection to them.
 Another use-case is hiding some endpoints if nodes can connect on multiple networks, and some of the networks are more preferable than others.
 
+To include additional announced endpoints, such as inbound NAT mappings, you can add the [machine config document]({{< relref "../../reference/configuration/network/kubespanendpoints" >}}).
+
+```yaml
+apiVersion: v1alpha1
+kind: KubespanEndpointsConfig
+extraAnnouncedEndpoints:
+    - 192.168.101.3:61033
+```
+
 ## Resource Definitions
 
 ### KubeSpanIdentities