feat: filter out SideroLink addresses by default

As SideroLink addresses are ephemeral and point-to-point, filter them out for node addresses, Kubelet, etcd, etc. Fixes #4448 Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
siderolabs · Nov 30, 2021 · 2cd3f9b · 2cd3f9b
1 parent 0f169bf
commit 2cd3f9b
Show file tree

Hide file tree

Showing 10 changed files with 49 additions and 6 deletions.
diff --git a/go.mod b/go.mod
@@ -94,7 +94,7 @@ require (
 	github.com/talos-systems/go-retry v0.3.1
 	github.com/talos-systems/go-smbios v0.1.1-0.20211122130416-fd5ec8ce4873
 	github.com/talos-systems/grpc-proxy v0.2.0
-	github.com/talos-systems/net v0.3.1-0.20211112122313-0abe5bdae8f8
+	github.com/talos-systems/net v0.3.1-0.20211129211222-b4b718179a1a
 	github.com/talos-systems/siderolink v0.1.0
 	github.com/talos-systems/talos/pkg/machinery v0.14.0-alpha.1.0.20211118180932-1ffa8e048008
 	github.com/u-root/u-root v7.0.0+incompatible

diff --git a/go.sum b/go.sum
@@ -1087,8 +1087,8 @@ github.com/talos-systems/go-smbios v0.1.1-0.20211122130416-fd5ec8ce4873 h1:YXgD3
 github.com/talos-systems/go-smbios v0.1.1-0.20211122130416-fd5ec8ce4873/go.mod h1:vk76naUSZaWE8Z95wbDn51FgH0goECM4oK3KY2hYSMU=
 github.com/talos-systems/grpc-proxy v0.2.0 h1:DN75bLfaW4xfhq0r0mwFRnfGhSB+HPhK1LNzuMEs9Pw=
 github.com/talos-systems/grpc-proxy v0.2.0/go.mod h1:sm97Vc/z2cok3pu6ruNeszQej4KDxFrDgfWs4C1mtC4=
-github.com/talos-systems/net v0.3.1-0.20211112122313-0abe5bdae8f8 h1:oT2MASZ8V3DuZbhaJWJ8oZ373zfmgXpvw2xLHM5cOYk=
-github.com/talos-systems/net v0.3.1-0.20211112122313-0abe5bdae8f8/go.mod h1:zhcGixNJz9dgwFiUwc7gkkAqdVqXagU1SNNoIVXYKGo=
+github.com/talos-systems/net v0.3.1-0.20211129211222-b4b718179a1a h1:FeWCNuAUTNRpEV5+8w7TSkWXCQ2UM9QNFxQinaBLD2Y=
+github.com/talos-systems/net v0.3.1-0.20211129211222-b4b718179a1a/go.mod h1:zhcGixNJz9dgwFiUwc7gkkAqdVqXagU1SNNoIVXYKGo=
 github.com/talos-systems/siderolink v0.1.0 h1:7mkJ9EicQ8J9DHHkwiNYGoccCgFcEIFcmfcKRyI7Y+8=
 github.com/talos-systems/siderolink v0.1.0/go.mod h1:bEGwDYl9QgC3oZ4kdnJTuR2HX/XlUhxZjx/QAakKuBc=
 github.com/tchap/go-patricia v2.2.6+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I=

diff --git a/internal/app/machined/pkg/controllers/network/node_address.go b/internal/app/machined/pkg/controllers/network/node_address.go
@@ -123,6 +123,11 @@ func (ctrl *NodeAddressController) Run(ctx context.Context, r controller.Runtime
 				continue
 			}
 
+			if network.IsULA(ip.IP(), network.ULASideroLink) {
+				// ignore SideroLink addresses, as they are point-to-point addresses
+				continue
+			}
+
 			// set defaultAddress to the smallest IP from the alphabetically first link
 			// ignore address which are not assigned from the physical links
 			if addr.Metadata().Owner() == addressStatusControllerName {

diff --git a/internal/app/machined/pkg/system/services/etcd.go b/internal/app/machined/pkg/system/services/etcd.go
@@ -680,6 +680,8 @@ func primaryAndListenAddresses(subnet string) (primary, listen string, err error
 		return "", "", fmt.Errorf("failed to discover interface IP addresses: %w", err)
 	}
 
+	ips = net.IPFilter(ips, network.NotSideroLinkStdIP)
+
 	if len(ips) == 0 {
 		return "", "", errors.New("no valid unicast IP addresses on any interface")
 	}

diff --git a/internal/app/machined/pkg/system/services/kubelet.go b/internal/app/machined/pkg/system/services/kubelet.go
@@ -456,6 +456,8 @@ func pickNodeIPs(cidrs []string) ([]stdnet.IP, error) {
 		return nil, fmt.Errorf("failed to discover interface IP addresses: %w", err)
 	}
 
+	ips = net.IPFilter(ips, network.NotSideroLinkStdIP)
+
 	ips, err = net.FilterIPs(ips, cidrs)
 	if err != nil {
 		return nil, err

diff --git a/internal/app/trustd/main.go b/internal/app/trustd/main.go
@@ -23,6 +23,7 @@ import (
 	"github.com/talos-systems/talos/pkg/grpc/middleware/auth/basic"
 	"github.com/talos-systems/talos/pkg/machinery/config/configloader"
 	"github.com/talos-systems/talos/pkg/machinery/constants"
+	"github.com/talos-systems/talos/pkg/machinery/resources/network"
 	"github.com/talos-systems/talos/pkg/startup"
 )
 
@@ -64,6 +65,8 @@ func Main() {
 		log.Fatal(err)
 	}
 
+	ips = net.IPFilter(ips, network.NotSideroLinkStdIP)
+
 	dnsNames, err := net.DNSNames()
 	if err != nil {
 		log.Fatal(err)

diff --git a/internal/pkg/etcd/certs.go b/internal/pkg/etcd/certs.go
@@ -13,6 +13,8 @@ import (
 
 	"github.com/talos-systems/crypto/x509"
 	"github.com/talos-systems/net"
+
+	"github.com/talos-systems/talos/pkg/machinery/resources/network"
 )
 
 // NewCommonOptions set common certificate options.
@@ -22,6 +24,8 @@ func NewCommonOptions() ([]x509.Option, error) {
 		return nil, fmt.Errorf("failed to discover IP addresses: %w", err)
 	}
 
+	ips = net.IPFilter(ips, network.NotSideroLinkStdIP)
+
 	ips = append(ips, stdlibnet.ParseIP("127.0.0.1"))
 	if net.IsIPv6(ips...) {
 		ips = append(ips, stdlibnet.ParseIP("::1"))

diff --git a/pkg/machinery/go.mod b/pkg/machinery/go.mod
@@ -22,7 +22,7 @@ require (
 	github.com/talos-systems/crypto v0.3.4
 	github.com/talos-systems/go-blockdevice v0.2.4
 	github.com/talos-systems/go-debug v0.2.1
-	github.com/talos-systems/net v0.3.1-0.20211112122313-0abe5bdae8f8
+	github.com/talos-systems/net v0.3.1-0.20211129211222-b4b718179a1a
 	google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1
 	google.golang.org/grpc v1.42.0
 	google.golang.org/protobuf v1.27.1

diff --git a/pkg/machinery/go.sum b/pkg/machinery/go.sum
@@ -173,8 +173,8 @@ github.com/talos-systems/go-debug v0.2.1 h1:VSN8P1zXWeHWgUBZn4cVT3keBcecCAJBG9Up
 github.com/talos-systems/go-debug v0.2.1/go.mod h1:pR4NjsZQNFqGx3n4qkD4MIj1F2CxyIF8DCiO1+05JO0=
 github.com/talos-systems/go-retry v0.1.1-0.20201113203059-8c63d290a688/go.mod h1:HiXQqyVStZ35uSY/MTLWVvQVmC3lIW2MS5VdDaMtoKM=
 github.com/talos-systems/go-retry v0.3.1/go.mod h1:HiXQqyVStZ35uSY/MTLWVvQVmC3lIW2MS5VdDaMtoKM=
-github.com/talos-systems/net v0.3.1-0.20211112122313-0abe5bdae8f8 h1:oT2MASZ8V3DuZbhaJWJ8oZ373zfmgXpvw2xLHM5cOYk=
-github.com/talos-systems/net v0.3.1-0.20211112122313-0abe5bdae8f8/go.mod h1:zhcGixNJz9dgwFiUwc7gkkAqdVqXagU1SNNoIVXYKGo=
+github.com/talos-systems/net v0.3.1-0.20211129211222-b4b718179a1a h1:FeWCNuAUTNRpEV5+8w7TSkWXCQ2UM9QNFxQinaBLD2Y=
+github.com/talos-systems/net v0.3.1-0.20211129211222-b4b718179a1a/go.mod h1:zhcGixNJz9dgwFiUwc7gkkAqdVqXagU1SNNoIVXYKGo=
 github.com/unix4ever/yaml v0.0.0-20210315173758-8fb30b8e5a5b h1:8pnPjZJU0SYanlmHnhMTeR8OR148K9yStwBz1GsjBsQ=
 github.com/unix4ever/yaml v0.0.0-20210315173758-8fb30b8e5a5b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

diff --git a/pkg/machinery/resources/network/ula.go b/pkg/machinery/resources/network/ula.go
@@ -6,6 +6,7 @@ package network
 
 import (
 	"crypto/sha256"
+	"net"
 
 	"inet.af/netaddr"
 )
@@ -46,3 +47,29 @@ func ULAPrefix(clusterID string, purpose ULAPurpose) netaddr.IPPrefix {
 
 	return netaddr.IPPrefixFrom(netaddr.IPFrom16(prefixData), 64).Masked()
 }
+
+// IsULA checks whether IP address is a Unique Local Address with the specific purpose.
+func IsULA(ip netaddr.IP, purpose ULAPurpose) bool {
+	if !ip.Is6() {
+		return false
+	}
+
+	raw := ip.As16()
+
+	return raw[0] == 0xfd && raw[7] == byte(purpose)
+}
+
+// IsStdULA implements IsULA for stdlib net.IP.
+func IsStdULA(ip net.IP, purpose ULAPurpose) bool {
+	addr, ok := netaddr.FromStdIP(ip)
+	if !ok {
+		return false
+	}
+
+	return IsULA(addr, purpose)
+}
+
+// NotSideroLinkStdIP is a shorthand for !IsStdULA(ip, ULASideroLink).
+func NotSideroLinkStdIP(ip net.IP) bool {
+	return !IsStdULA(ip, ULASideroLink)
+}