feat: implement KubeSpan manager for Wireguard peer state

KubeSpan manager uses list of KubeSpan peers prepared from the discovery and local KubeSpan identity to set up and update configuration of the Wireguard interface. As new peers are getting added or deleted, manager takes care of updating the Wireguard config. Manager also keeps track of all peers and their state coming from the Wireguard link status: whether the connection is up or not, some stats, last actually used endpoint, etc. Manager cycles through the available peer endpoints until it finds the one which works. Manager exposes peer status as `PeerStatus` resources. Example: ``` $ talosctl -n 172.20.0.2 get kubespanpeerstatuses NODE NAMESPACE TYPE ID VERSION LABEL ENDPOINT STATE RX TX 172.20.0.2 kubespan KubeSpanPeerStatus GpO3gs5n09WpoiVANbzRL5nwrkRi+9Q19qoeC8RTkQ4= 30 talos-default-worker-2 172.20.0.6:51820 up 640 1920 172.20.0.2 kubespan KubeSpanPeerStatus j4CRlKByMcTWOBS2ifZcPzcUr3lXdBOc/I4AxGmhXxI= 30 talos-default-worker-1 172.20.0.5:51820 up 672 1888 172.20.0.2 kubespan KubeSpanPeerStatus o5EPScFrD895A5EpVyKU8hFR+vi25D0CJMYsoaXN3Qk= 28 talos-default-master-3 172.20.0.4:51820 up 640 1920 172.20.0.2 kubespan KubeSpanPeerStatus rBp5wyHdxqZkq5CWher2DcPcGgwHrFOwB6fP/ReFRlE= 16 talos-default-master-2 172.20.0.3:51820 up 432 2088 ``` Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com> Signed-off-by: Seán C McCord <ulexus@gmail.com> Co-authored-by: Seán C McCord <ulexus@gmail.com>
siderolabs · Sep 15, 2021 · 1c05089 · 1c05089
1 parent ec7f44e
commit 1c05089
Show file tree

Hide file tree

Showing 17 changed files with 1,155 additions and 4 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -190,6 +190,7 @@ COPY --from=generate-build /api/storage/*.pb.go /pkg/machinery/api/storage/
 COPY --from=generate-build /api/resource/*.pb.go /pkg/machinery/api/resource/
 COPY --from=generate-build /api/resource/secrets/*.pb.go /pkg/machinery/api/resource/secrets/
 COPY --from=generate-build /api/inspect/*.pb.go /pkg/machinery/api/inspect/
+COPY --from=go-generate /src/pkg/resources/kubespan/ /pkg/resources/kubespan/
 COPY --from=go-generate /src/pkg/resources/network/ /pkg/resources/network/
 COPY --from=go-generate /src/pkg/machinery/config/types/v1alpha1/ /pkg/machinery/config/types/v1alpha1/
 COPY --from=go-generate /src/pkg/machinery/nethelpers/ /pkg/machinery/nethelpers/

diff --git a/internal/app/machined/pkg/controllers/cluster/local_affiliate.go b/internal/app/machined/pkg/controllers/cluster/local_affiliate.go
@@ -179,6 +179,8 @@ func (ctrl *LocalAffiliateController) Run(ctx context.Context, r controller.Runt
 					spec.Nodename = nodename.(*k8s.Nodename).TypedSpec().Nodename
 					spec.MachineType = machineType.(*config.MachineType).MachineType()
 
+					spec.KubeSpan = cluster.KubeSpanAffiliateSpec{}
+
 					if kubespanIdentity != nil {
 						spec.KubeSpan.Address = kubespanIdentity.(*kubespan.Identity).TypedSpec().Address.IP()
 						spec.KubeSpan.PublicKey = kubespanIdentity.(*kubespan.Identity).TypedSpec().PublicKey

diff --git a/internal/app/machined/pkg/controllers/kubespan/config.go b/internal/app/machined/pkg/controllers/kubespan/config.go
@@ -72,6 +72,7 @@ func (ctrl *ConfigController) Run(ctx context.Context, r controller.Runtime, log
 				if err = r.Modify(ctx, kubespan.NewConfig(config.NamespaceName, kubespan.ConfigID), func(res resource.Resource) error {
 					res.(*kubespan.Config).TypedSpec().Enabled = c.Machine().Network().KubeSpan().Enabled()
 					res.(*kubespan.Config).TypedSpec().ClusterID = c.Cluster().ID()
+					res.(*kubespan.Config).TypedSpec().SharedSecret = c.Cluster().Secret()
 
 					return nil
 				}); err != nil {

diff --git a/internal/app/machined/pkg/controllers/kubespan/config_test.go b/internal/app/machined/pkg/controllers/kubespan/config_test.go
@@ -36,7 +36,8 @@ func (suite *ConfigSuite) TestReconcileConfig() {
 			},
 		},
 		ClusterConfig: &v1alpha1.ClusterConfig{
-			ClusterID: "8XuV9TZHW08DOk3bVxQjH9ih_TBKjnh-j44tsCLSBzo=",
+			ClusterID:     "8XuV9TZHW08DOk3bVxQjH9ih_TBKjnh-j44tsCLSBzo=",
+			ClusterSecret: "I+1In7fLnpcRIjUmEoeugZnSyFoTF6MztLxICL5Yu0s=",
 		},
 	})
 
@@ -52,6 +53,7 @@ func (suite *ConfigSuite) TestReconcileConfig() {
 
 				suite.Assert().True(spec.Enabled)
 				suite.Assert().Equal("8XuV9TZHW08DOk3bVxQjH9ih_TBKjnh-j44tsCLSBzo=", spec.ClusterID)
+				suite.Assert().Equal("I+1In7fLnpcRIjUmEoeugZnSyFoTF6MztLxICL5Yu0s=", spec.SharedSecret)
 
 				return nil
 			},

diff --git a/internal/app/machined/pkg/controllers/kubespan/identity_test.go b/internal/app/machined/pkg/controllers/kubespan/identity_test.go
@@ -82,7 +82,7 @@ func (suite *IdentitySuite) TestGenerate() {
 }
 
 func (suite *IdentitySuite) TestLoad() {
-	// using verbatim data here to make sure nodeId representation is supported in future version fo Talos
+	// using verbatim data here to make sure nodeId representation is supported in future version of Talos
 	const identityYaml = `address: ""
 subnet: ""
 privateKey: sF45u5ePau58WeeCUY3T8D9foEKaQ8Opx4cGC8g4XE4=

diff --git a/internal/app/machined/pkg/controllers/kubespan/kubespan_test.go b/internal/app/machined/pkg/controllers/kubespan/kubespan_test.go
@@ -98,6 +98,21 @@ func (suite *KubeSpanSuite) assertNoResource(md resource.Metadata) func() error
 	}
 }
 
+func (suite *KubeSpanSuite) assertNoResourceType(md resource.Metadata) func() error {
+	return func() error {
+		list, err := suite.state.List(suite.ctx, md)
+		if err != nil {
+			return err
+		}
+
+		if len(list.Items) > 0 {
+			return retry.ExpectedErrorf("resource list is not empty: %d items", len(list.Items))
+		}
+
+		return nil
+	}
+}
+
 func (suite *KubeSpanSuite) assertResource(md resource.Metadata, check func(res resource.Resource) error) func() error {
 	return func() error {
 		r, err := suite.state.Get(suite.ctx, md)