feat: add openziti network extension

Adds OpenZiti's system extension to be run on the talos node, allowing to serve Talos nodes network resources
over the overlay network.

Signed-off-by: Chernenko Ruslan <[email protected]>

Author: nenkoru

Makefile

@@ -88,6 +88,7 @@ TARGETS += realtek-firmware
 TARGETS += spin
 TARGETS += stargz-snapshotter
 TARGETS += tailscale
+TARGETS += openziti
 TARGETS += thunderbolt
 TARGETS += usb-modem-drivers
 TARGETS += util-linux-tools

network/openziti/README.md

@@ -0,0 +1,50 @@
+# OpenZiti
+
+Runs OpenZiti's edge tunneler in run-host mode allowing to access talos nodes resources on the overlay network
+
+https://openziti.io
+
+https://openziti.io/docs/reference/tunnelers/docker/#use-case-hosting-openziti-services
+
+## Installation
+
+See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
+
+## Usage
+
+Create an identity for the machine.
+Manually enroll it using(for example using ziti edge enroll ...) and output the enrolled identity into a file or stdout
+Copy the contents of the enrolled identity
+Create `ExtensionServiceConfig` as the example below with replacing `JSON_IDENTITY` with the JSON of the identity you created and in mountPath replace `IDENTITY_FILE_NAME` with the filename of the identity(preserve the json in the filename)
+
+```yaml
+---
+apiVersion: v1alpha1
+kind: ExtensionServiceConfig
+name: openziti
+configFiles:
+    - content: 'JSON_IDENTITY'
+      mountPath: /var/lib/ziti/etc/identities/IDENTITY_FILE_NAME.json
+```
+
+Then apply the patch to your node's MachineConfigs
+```bash
+talosctl patch mc -p @openziti.talos.yaml
+```
+
+You will then be able to verify that it is in place with the following command
+```bash
+talosctl get extensionserviceconfigs
+
+NODE            NAMESPACE   TYPE                     ID         VERSION
+192.168.10.10   runtime     ExtensionServiceConfig   openziti   1
+```
+
+Example of creation of ziti service to serve talos api on the overlay network(note that 192.168.10.10 is the address of the node):
+```
+ziti edge create config talosctl-controlplane.intercept.v1 intercept.v1 '{"protocols":["tcp"],"addresses": ["talosctl-controlplane.ziti.internal"], "portRanges":[{"low": 50000, "high":50000}]}'
+ziti edge create config talosctl-controlplane.host.v1 host.v1 '{"protocol": "tcp","address":"'"192.168.10.10"'", "port": 50000}'
+ziti edge create service talosctrl-controlplane.svc --configs talosctl-controlplane.intercept.v1,talosctl-controlplane.host.v1
+ziti edge create service-policy talosctl-controlplane.policy.dial Dial --service-roles "@talosctrl-controlplane.svc" --identity-roles "@macos"
+ziti edge create service-policy talosctl-controlplane.policy.bind Bind --service-roles "@talosctrl-controlplane.svc" --identity-roles "@talos-cluster-test-identity"
+```

network/openziti/manifest.yaml

@@ -0,0 +1,12 @@
+version: v1alpha1
+metadata:
+  name: openziti
+  version: "$VERSION"
+  author: Ruslan Chernenko
+  description: |
+    OpenZiti is the world’s most used and widely integrated open source secure networking platform.
+    This extension deploys a ziti-edge-tunneler in run-host mode which allows to access node's net resources
+    through the overlay network.
+  compatibility:
+    talos:
+      version: ">= v1.7.0"

network/openziti/openziti.yaml

@@ -0,0 +1,50 @@
+name: openziti
+depends:
+  - service: cri
+  - network:
+    - addresses
+    - connectivity
+    - etcfiles
+  - configuration: true
+container:
+  entrypoint: /usr/local/bin/ziti-edge-tunnel
+  args:
+    - run-host
+    - --verbose=4
+    - --identity-dir=/var/lib/ziti/etc/identities
+  security:
+    writeableRootfs: false
+    writeableSysfs: true
+  mounts:
+    # libssl lib
+  - source: /usr/lib
+    destination: /usr/lib
+    type: bind
+    options:
+      - bind
+      - ro
+  - source: /sbin
+    destination: /sbin
+    type: bind
+    options:
+      - bind
+      - ro
+  - source: /dev/net/tun
+    destination: /dev/net/tun
+    type: bind
+    options:
+      - bind
+      - rw
+  - source: /var/lib/ziti/etc/identities/
+    destination: /var/lib/ziti/etc/identities/
+    type: bind
+    options:
+      - bind
+      - rw
+  - source: /var/lib/ziti/
+    destination: /var/lib/ziti/
+    type: bind
+    options:
+      - bind
+      - rw
+restart: always

network/openziti/pkg.yaml

@@ -0,0 +1,65 @@
+name: openziti
+variant: alpine
+shell: /toolchain/bin/bash
+install:
+  - unzip
+  - zip
+  - ninja-build
+  - ninja
+  - zlib-static
+dependencies:
+  - image: "ghcr.io/siderolabs/tools:v1.7.0-4-gc844dc3"
+steps:
+  - sources:
+      - url: https://github.com/openziti/ziti-tunnel-sdk-c/archive/refs/tags/{{ .OPENZITI_TUNNELER_VERSION }}.tar.gz
+        destination: edge-tunnel-source.tar.gz
+        sha256: d455672bf3b6ff28fd0ff864f868f7d6e3de99e6c666a120227fa9dab2d91f78
+        sha512: 5aeb05347381124e9d75693f12e0d234499a8c6482d322019576a24c622d986d43f159454a43c844623f171a456062a5e1afffcee7f7cbb03740216dbd3bb74c
+    env:
+      VCPKG_ROOT: /vcpkg
+      VCPKG_FORCE_SYSTEM_BINARIES: 1
+      CC: /toolchain/bin/gcc
+      CXX: /toolchain/bin/g++
+    prepare:
+      - |
+        # vcpkg depends on git as a delivery tool
+        # if to download .tar.gz from releases it would fail saying it cannot retrieve versions/baseline.json version using git show
+        # tried my best to find any CMAKE variable within vcpkg which disables this behaviour
+        # we fetch here commit to which tag 2024.07.12 is assigned
+        git clone https://github.com/microsoft/vcpkg.git /vcpkg
+        git --git-dir=/vcpkg/.git --work-tree=/vcpkg checkout 1de2026f28ead93ff1773e6e680387643e914ea1
+
+      - |
+        sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
+
+      - |
+        mkdir -p /vcpkg-git /vcpkg /ziti-tunnel-sdk-c/build
+        tar -xzvf edge-tunnel-source.tar.gz --strip-components=1 -C /ziti-tunnel-sdk-c
+
+    build:
+      - |
+        export PATH=${PATH}:/toolchain/bin
+        /vcpkg/bootstrap-vcpkg.sh
+
+      - |
+        export PATH=${PATH}:/toolchain/bin
+        PRESET="ci-linux-x64"
+        if [[ "$(uname -m)" == "arm64" || "$(uname -m)" == "aarch64" ]]; then
+            PRESET="ci-linux-arm64"
+            ln -s /toolchain/bin/g++ /toolchain/bin/aarch64-linux-gnu-g++
+            ln -s /toolchain/bin/gcc /toolchain/bin/aarch64-linux-gnu-gcc
+        fi
+        cmake -DBUILD_SHARED_LIBS=OFF -DCMAKE_EXE_LINKER_FLAGS="-static" -DDISABLE_SEMVER_VERIFICATION=ON -DDISABLE_LIBSYSTEMD_FEATURE=ON  -DCMAKE_MAKE_PROGRAM=/usr/bin/ninja --preset $PRESET -S /ziti-tunnel-sdk-c -B /ziti-tunnel-sdk-c/build
+      - |
+        cmake --build /ziti-tunnel-sdk-c/build --config Release
+    install:
+      - |
+        mkdir -p /rootfs/usr/local/lib/containers/openziti/usr/local/bin/
+        mv /ziti-tunnel-sdk-c/build/programs/ziti-edge-tunnel/Release/ziti-edge-tunnel /rootfs/usr/local/lib/containers/openziti/usr/local/bin/
+finalize:
+  - from: /rootfs
+    to: /rootfs
+  - from: /pkg/manifest.yaml
+    to: /
+  - from: /pkg/openziti.yaml
+    to: /rootfs/usr/local/etc/containers/

network/openziti/vars.yaml

@@ -0,0 +1 @@
+VERSION: "{{ .OPENZITI_TUNNELER_VERSION }}"

network/vars.yaml

@@ -1,2 +1,3 @@
 # renovate: datasource=github-releases extractVersion=^v(?<version>.*)$ depName=tailscale/tailscale
 TAILSCALE_VERSION: 1.70.0
+OPENZITI_TUNNELER_VERSION: v1.1.2