fix: disable KubeSpan endpoint harvesting by default

This disables by default (if not specified in the machine config) the
endpoint harvesting for KubeSpan peers.

The idea was to observe Wireguard endpoints as seen by other peers in
the cluster, and add them to the list of endpoints for the node. This
might be helpful only in case of some special type of NATs which are
almost never seen in the wild today.

So disable by default, but keep an option to enable it.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

hack/release.toml

@@ -106,6 +106,22 @@ Use `ExtensionServiceConfig` instead.
         description = """\
 The command `talosctl upgrade-k8s` now supports specifying custom image references for Kubernetes components via `--*-image` flags.
 The default behavior is unchanged, and the flags are optional.
+"""
+
+    [notes.kubespan]
+        title = "KubeSpan"
+        description = """\
+Talos Linux disables by default a KubeSpan feature to harvest additional endpoints from KubeSpan members.
+This feature turned out to be less helpful than expected and caused unnecessary performance issues.
+
+Previous behavior can be restored with:
+
+```yaml
+machine:
+  network:
+    kubespan:
+        harvestExtraEndpoints: true
+```
 """
 
 [make_deps]

internal/app/machined/pkg/controllers/kubespan/config_test.go

@@ -60,6 +60,7 @@ func (suite *ConfigSuite) TestReconcileConfig() {
 				suite.Assert().Equal("I+1In7fLnpcRIjUmEoeugZnSyFoTF6MztLxICL5Yu0s=", spec.SharedSecret)
 				suite.Assert().True(spec.ForceRouting)
 				suite.Assert().False(spec.AdvertiseKubernetesNetworks)
+				suite.Assert().False(spec.HarvestExtraEndpoints)
 
 				return nil
 			},

pkg/machinery/config/schemas/config.schema.json

@@ -2725,9 +2725,9 @@
         "harvestExtraEndpoints": {
           "type": "boolean",
           "title": "harvestExtraEndpoints",
-          "description": "KubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is enabled by default to help discover additional endpoints,\nbut with high number of peers (\u0026gt;50) in the KubeSpan network it can cause performance issues.\n",
-          "markdownDescription": "KubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is enabled by default to help discover additional endpoints,\nbut with high number of peers (\u003e50) in the KubeSpan network it can cause performance issues.",
-          "x-intellij-html-description": "\u003cp\u003eKubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is enabled by default to help discover additional endpoints,\nbut with high number of peers (\u0026gt;50) in the KubeSpan network it can cause performance issues.\u003c/p\u003e\n"
+          "description": "KubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is disabled by default, don’t enable it\nwith high number of peers (\u0026gt;50) in the KubeSpan network (performance issues).\n",
+          "markdownDescription": "KubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is disabled by default, don't enable it\nwith high number of peers (\u003e50) in the KubeSpan network (performance issues).",
+          "x-intellij-html-description": "\u003cp\u003eKubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is disabled by default, don\u0026rsquo;t enable it\nwith high number of peers (\u0026gt;50) in the KubeSpan network (performance issues).\u003c/p\u003e\n"
         },
         "mtu": {
           "type": "integer",

pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go

@@ -1118,10 +1118,6 @@ func (k *NetworkKubeSpan) AdvertiseKubernetesNetworks() bool {
 
 // HarvestExtraEndpoints implements KubeSpan interface.
 func (k *NetworkKubeSpan) HarvestExtraEndpoints() bool {
-	if k.KubeSpanHarvestExtraEndpoints == nil {
-		return true
-	}
-
 	return pointer.SafeDeref(k.KubeSpanHarvestExtraEndpoints)
 }
 

pkg/machinery/config/types/v1alpha1/v1alpha1_types.go

@@ -2260,8 +2260,8 @@ type NetworkKubeSpan struct {
 	// description: |
 	//   KubeSpan can collect and publish extra endpoints for each member of the cluster
 	//   based on Wireguard endpoint information for each peer.
-	//   This feature is enabled by default to help discover additional endpoints,
-	//   but with high number of peers (>50) in the KubeSpan network it can cause performance issues.
+	//   This feature is disabled by default, don't enable it
+	//   with high number of peers (>50) in the KubeSpan network (performance issues).
 	KubeSpanHarvestExtraEndpoints *bool `yaml:"harvestExtraEndpoints,omitempty"`
 	// description: |
 	//   KubeSpan link MTU size.

website/content/v1.7/reference/configuration/v1alpha1/config.md

@@ -1724,7 +1724,7 @@ machine:
 |`enabled` |bool |<details><summary>Enable the KubeSpan feature.</summary>Cluster discovery should be enabled with .cluster.discovery.enabled for KubeSpan to be enabled.</details>  | |
 |`advertiseKubernetesNetworks` |bool |<details><summary>Control whether Kubernetes pod CIDRs are announced over KubeSpan from the node.</summary>If disabled, CNI handles encapsulating pod-to-pod traffic into some node-to-node tunnel,<br />and KubeSpan handles the node-to-node traffic.<br />If enabled, KubeSpan will take over pod-to-pod traffic and send it over KubeSpan directly.<br />When enabled, KubeSpan should have a way to detect complete pod CIDRs of the node which<br />is not always the case with CNIs not relying on Kubernetes for IPAM.</details>  | |
 |`allowDownPeerBypass` |bool |<details><summary>Skip sending traffic via KubeSpan if the peer connection state is not up.</summary>This provides configurable choice between connectivity and security: either traffic is always<br />forced to go via KubeSpan (even if Wireguard peer connection is not up), or traffic can go directly<br />to the peer if Wireguard connection can't be established.</details>  | |
-|`harvestExtraEndpoints` |bool |<details><summary>KubeSpan can collect and publish extra endpoints for each member of the cluster</summary>based on Wireguard endpoint information for each peer.<br />This feature is enabled by default to help discover additional endpoints,<br />but with high number of peers (>50) in the KubeSpan network it can cause performance issues.</details>  | |
+|`harvestExtraEndpoints` |bool |<details><summary>KubeSpan can collect and publish extra endpoints for each member of the cluster</summary>based on Wireguard endpoint information for each peer.<br />This feature is disabled by default, don't enable it<br />with high number of peers (>50) in the KubeSpan network (performance issues).</details>  | |
 |`mtu` |uint32 |<details><summary>KubeSpan link MTU size.</summary>Default value is 1420.</details>  | |
 |`filters` |<a href="#Config.machine.network.kubespan.filters">KubeSpanFilters</a> |<details><summary>KubeSpan advanced filtering of network addresses .</summary><br />Settings in this section are optional, and settings apply only to the node.</details>  | |
 

website/content/v1.7/schemas/config.schema.json

@@ -2725,9 +2725,9 @@
         "harvestExtraEndpoints": {
           "type": "boolean",
           "title": "harvestExtraEndpoints",
-          "description": "KubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is enabled by default to help discover additional endpoints,\nbut with high number of peers (\u0026gt;50) in the KubeSpan network it can cause performance issues.\n",
-          "markdownDescription": "KubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is enabled by default to help discover additional endpoints,\nbut with high number of peers (\u003e50) in the KubeSpan network it can cause performance issues.",
-          "x-intellij-html-description": "\u003cp\u003eKubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is enabled by default to help discover additional endpoints,\nbut with high number of peers (\u0026gt;50) in the KubeSpan network it can cause performance issues.\u003c/p\u003e\n"
+          "description": "KubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is disabled by default, don’t enable it\nwith high number of peers (\u0026gt;50) in the KubeSpan network (performance issues).\n",
+          "markdownDescription": "KubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is disabled by default, don't enable it\nwith high number of peers (\u003e50) in the KubeSpan network (performance issues).",
+          "x-intellij-html-description": "\u003cp\u003eKubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is disabled by default, don\u0026rsquo;t enable it\nwith high number of peers (\u0026gt;50) in the KubeSpan network (performance issues).\u003c/p\u003e\n"
         },
         "mtu": {
           "type": "integer",