Skip to content

Commit

Permalink
feat: add cloudflared system extension
Browse files Browse the repository at this point in the history
Cloudflare Tunnel securely connects resources to Cloudflare without a public IP.

Signed-off-by: Maxime NARBAUD <rainy-month.2c@icloud.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>
  • Loading branch information
maxnrb authored and frezbo committed Dec 11, 2024
1 parent 43efd87 commit 1dd6c36
Show file tree
Hide file tree
Showing 15 changed files with 166 additions and 14 deletions.
3 changes: 2 additions & 1 deletion .github/renovate.json
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,8 @@
{
"matchPackageNames": [
"google/gvisor",
"intel/Intel-Linux-Processor-Microcode-Data-Files"
"intel/Intel-Linux-Processor-Microcode-Data-Files",
"cloudflare/cloudflared"
],
"versioning": "regex:^(?<major>\\d{4})(?<minor>\\d{2})(?<patch>\\d{2})\\.?(?<build>\\d+)?$"
},
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
#
# Generated on 2024-12-10T13:30:19Z by kres 8183c20.
# Generated on 2024-12-11T15:43:22Z by kres 8183c20.

name: default
concurrency:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/weekly.yaml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
#
# Generated on 2024-12-10T13:30:19Z by kres 8183c20.
# Generated on 2024-12-11T15:43:22Z by kres 8183c20.

name: weekly
concurrency:
Expand Down
1 change: 1 addition & 0 deletions .kres.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ spec:
- btrfs
- chelsio-drivers
- chelsio-firmware
- cloudflared
- crun
- drbd
- dvb-cx23885
Expand Down
1 change: 1 addition & 0 deletions MAINTAINERS.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ If the field is marked as `Needs Maintainer`, it means that the package is curre
| btrfs | Enno Boland | [Gottox](https://github.com/Gottox) |
| chelsio-drivers | Sidero Labs | NA |
| chelsio-firmware | Sidero Labs | NA |
| cloudflared | Maxime Nrb | [maxnrb](https://github.com/maxnrb) |
| crun | Henrik Gerdes | [hegerdes](https://github.com/hegerdes) |
| drbd | Needs Maintainer | NA |
| dvb-cx23885 | Skyler Mäntysaari | [samip5](https://github.com/samip5) |
Expand Down
3 changes: 2 additions & 1 deletion Makefile
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
#
# Generated on 2024-12-10T13:30:19Z by kres 8183c20.
# Generated on 2024-12-11T16:03:30Z by kres 8183c20.

# common variables

Expand Down Expand Up @@ -62,6 +62,7 @@ TARGETS += bnx2-bnx2x
TARGETS += btrfs
TARGETS += chelsio-drivers
TARGETS += chelsio-firmware
TARGETS += cloudflared
TARGETS += crun
TARGETS += drbd
TARGETS += dvb-cx23885
Expand Down
23 changes: 13 additions & 10 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -43,12 +43,12 @@ cosign verify --certificate-identity-regexp '@siderolabs\.com$' --certificate-oi
| Name | Image | Description | Version Format |
| -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------------------ |
| [crun](container-runtime/crun/) | [ghcr.io/siderolabs/crun](https://github.com/siderolabs/extensions/pkgs/container/crun) | [crun](https://github.com/containers/crun) container runtime | `upstream version` |
| [ecr-credential-provider](container-runtime/ecr-credential-provider) | [ghcr.io/siderolabs/ecr-credential-provider](https://github.com/siderolabs/extensions/pkgs/container/ecr-credential-provider) | [ECR Credential Provider](https://github.com/kubernetes/cloud-provider-aws/tree/master/cmd/ecr-credential-provider) kubelet plugin | `upstream version` |
| [gvisor](container-runtime/gvisor/) | [ghcr.io/siderolabs/gvisor](https://github.com/siderolabs/extensions/pkgs/container/gvisor) | [gVisor](https://gvisor.dev/) container runtime | `upstream version` |
| [kata-containers](container-runtime/kata-containers) | [ghcr.io/siderolabs/kata-containers](https://github.com/siderolabs/extensions/pkgs/container/kata-containers) | [Kata Containers](https://github.com/kata-containers/kata-containers) container runtime | `upstream version` |
| [spin](container-runtime/spin) | [ghcr.io/siderolabs/spin](https://github.com/siderolabs/extensions/pkgs/container/spin) | [Spin](https://github.com/spinkube/containerd-shim-spin) container runtime | `upstream_version` |
| [stargz-snapshotter](container-runtime/stargz-snapshotter/) | [ghcr.io/siderolabs/stargz-snapshotter](https://github.com/siderolabs/extensions/pkgs/container/stargz-snapshotter) | [Stargz Snapshotter](https://github.com/containerd/stargz-snapshotter) container runtime | `upstream version` |
| [ecr-credential-provider](container-runtime/ecr-credential-provider) | [ghcr.io/siderolabs/ecr-credential-provider](https://github.com/siderolabs/extensions/pkgs/container/ecr-credential-provider) | [ECR Credential Provider](https://github.com/kubernetes/cloud-provider-aws/tree/master/cmd/ecr-credential-provider) kubelet plugin | `upstream version` |
| [wasmedge](container-runtime/wasmedge) | [ghcr.io/siderolabs/wasmedge](https://github.com/siderolabs/extensions/pkgs/container/wasmedge) | [WasmEdge](https://github.com/containerd/runwasi) container runtime | `upstream_version` |
| [spin](container-runtime/spin) | [ghcr.io/siderolabs/spin](https://github.com/siderolabs/extensions/pkgs/container/spin) | [Spin](https://github.com/spinkube/containerd-shim-spin) container runtime | `upstream_version` |
| [kata-containers](container-runtime/kata-containers) | [ghcr.io/siderolabs/kata-containers](https://github.com/siderolabs/extensions/pkgs/container/kata-containers) | [Kata Containers](https://github.com/kata-containers/kata-containers) container runtime | `upstream version` |

### Firmware

Expand Down Expand Up @@ -96,20 +96,23 @@ cosign verify --certificate-identity-regexp '@siderolabs\.com$' --certificate-oi

### Network

| Name | Image | Description | Version Format |
| ------------------------------- | ------------------------------------------------------------------------------------------------- | -------------------------------------- | ------------------ |
| [tailscale](network/tailscale/) | [ghcr.io/siderolabs/tailscale](https://github.com/siderolabs/extensions/pkgs/container/tailscale) | [Tailscale](https://tailscale.com) | `upstream version` |
| [lldpd](network/lldpd/) | [ghcr.io/siderolabs/lldpd](https://github.com/siderolabs/extensions/pkgs/container/lldpd) | [LLDP](https://github.com/lldpd/lldpd) | `upstream version` |
| Name | Image | Description | Version Format |
| ----------------------------------- | ----------------------------------------------------------------------------------------------------- | --------------------------------------------------------- | ------------------ |
| [cloudflared](network/cloudflared/) | [ghcr.io/siderolabs/cloudflared](https://github.com/siderolabs/extensions/pkgs/container/cloudflared) | [Cloudflared](https://github.com/cloudflare/cloudflared/) | `upstream version` |
| [lldpd](network/lldpd/) | [ghcr.io/siderolabs/lldpd](https://github.com/siderolabs/extensions/pkgs/container/lldpd) | [LLDP](https://github.com/lldpd/lldpd) | `upstream version` |
| [tailscale](network/tailscale/) | [ghcr.io/siderolabs/tailscale](https://github.com/siderolabs/extensions/pkgs/container/tailscale) | [Tailscale](https://tailscale.com) | `upstream version` |


### Storage

| Name | Image | Description | Version Format |
| ----------------------------------- | ----------------------------------------------------------------------------------------------------- | ---------------------- | ---------------------------------- |
| [btrfs](storage/btrfs/) | [ghcr.io/siderolabs/btrfs](https://github.com/siderolabs/extensions/pkgs/container/btrfs) | BTRFS driver module | `talos version` |
| [drbd](storage/drbd/) | [ghcr.io/siderolabs/drbd](https://github.com/siderolabs/extensions/pkgs/container/drbd) | DRBD driver module | `upstream version`-`talos version` |
| [iscsi-tools](storage/iscsi-tools/) | [ghcr.io/siderolabs/iscsi-tools](https://github.com/siderolabs/extensions/pkgs/container/iscsi-tools) | Open iSCSI tools | `v0.1.0` |
| [mdadm](storage/mdadm/) | [ghcr.io/siderolabs/mdadm](https://github.com/siderolabs/extensions/pkgs/container/mdadm) | manage MD devices tool | `upstream version` |
| [drbd](storage/drbd/) | [ghcr.io/siderolabs/drbd](https://github.com/siderolabs/extensions/pkgs/container/drbd) | DRBD driver module | `upstream version`-`talos version` |
| [zfs](storage/zfs/) | [ghcr.io/siderolabs/zfs](https://github.com/siderolabs/extensions/pkgs/container/zfs) | ZFS driver module | `upstream version`-`talos version` |
| [btrfs](storage/btrfs/) | [ghcr.io/siderolabs/btrfs](https://github.com/siderolabs/extensions/pkgs/container/btrfs) | BTRFS driver module | `talos version` |


### Power

Expand All @@ -123,8 +126,8 @@ cosign verify --certificate-identity-regexp '@siderolabs\.com$' --certificate-oi
| ---------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- | ------------------ |
| [metal-agent](guest-agents/metal-agent/) | [ghcr.io/siderolabs/metal-agent](https://github.com/siderolabs/extensions/pkgs/container/metal-agent) | [Talos Metal Agent](https://github.com/siderolabs/talos-metal-agent) | `upstream version` |
| [qemu-guest-agent](guest-agents/qemu-guest-agent/) | [ghcr.io/siderolabs/qemu-guest-agent](https://github.com/siderolabs/extensions/pkgs/container/qemu-guest-agent) | [QEMU Guest Agent](https://wiki.qemu.org/Features/GuestAgent) | `upstream version` |
| [xe-guest-utilities](guest-agents/xe-guest-utilities/) | [ghcr.io/siderolabs/xe-guest-utilities](https://github.com/siderolabs/extensions/pkgs/container/xe-guest-utilities) | [xe-guest-utilities](https://github.com/xenserver/xe-guest-utilitiest) | `upstream version` |
| [vmtoolsd-guest-agent](guest-agents/vmtoolsd-guest-agent/) | [ghcr.io/siderolabs/vmtoolsd-guest-agent](https://github.com/siderolabs/extensions/pkgs/container/vmtoolsd-guest-agent) | [talos-vmtoolsd](https://github.com/siderolabs/talos-vmtoolsd) | `upstream version` |
| [xe-guest-utilities](guest-agents/xe-guest-utilities/) | [ghcr.io/siderolabs/xe-guest-utilities](https://github.com/siderolabs/extensions/pkgs/container/xe-guest-utilities) | [xe-guest-utilities](https://github.com/xenserver/xe-guest-utilitiest) | `upstream version` |

### NVIDIA GPU

Expand Down
6 changes: 6 additions & 0 deletions hack/release.toml
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,12 @@ lldpd is now available as a system extension.
title = "dvb"
description = """\
dvb drivers + firmware is now available as a system extension.
"""

[notes.cloudflared]
title = "Cloudflared"
description = """\
Cloudflared is now available as a system extension.
"""

[notes.drm]
Expand Down
55 changes: 55 additions & 0 deletions network/cloudflared/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
# Cloudflare Tunnel

Cloudflare Tunnel securely connects resources to Cloudflare without a public IP. A lightweight daemon (cloudflared) creates outbound-only connections to Cloudflare, allowing safe access to services like HTTP, SSH, remote desktops, and other protocols.

More info: https://github.com/cloudflare/cloudflared/

## Installation

Cloudflared system extension can be installed by customising boot assets or after installation with the `installer`

You can use the following schematic file:
```yaml
# cloudflared-ext.yaml
customization:
systemExtensions:
officialExtensions:
- siderolabs/cloudflared
```
Check documentation for install:
* https://www.talos.dev/latest/talos-guides/configuration/system-extensions/
* https://www.talos.dev/latest/talos-guides/install/boot-assets/
## Usage
Configure the extension via `ExtensionServiceConfig` document.

```yaml
# cloudflared-config.yaml
---
apiVersion: v1alpha1
kind: ExtensionServiceConfig
name: cloudflared
environment:
- TUNNEL_TOKEN=<your_token>
- TUNNEL_METRICS=localhost:2000
- TUNNEL_EDGE_IP_VERSION=auto # if your node is only configured for IPv6
```

Then apply the patch to your node's MachineConfigs
```bash
talosctl patch mc -p @cloudflared-config.yaml
```

You will then be able to verify that it is in place with the following command
```bash
talosctl get extensionserviceconfigs
NODE NAMESPACE TYPE ID VERSION
mynode runtime ExtensionServiceConfig cloudflared 1
```

## Configuration

See all run parameters here (use environment variables): https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/
17 changes: 17 additions & 0 deletions network/cloudflared/cloudflared.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
name: cloudflared
depends:
- service: cri
- network:
- addresses
- connectivity
- etcfiles
- hostname
- configuration: true
container:
entrypoint: /usr/local/bin/cloudflared
args:
- tunnel
- run
environment:
- NO_AUTOUPDATE=true
restart: always
13 changes: 13 additions & 0 deletions network/cloudflared/manifest.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
version: v1alpha1
metadata:
name: cloudflared
version: "$VERSION"
author: Maxime Narbaud
description: |
Cloudflare Tunnel securely connects resources to Cloudflare without a public IP.
A lightweight daemon (cloudflared) creates outbound-only connections to Cloudflare,
allowing safe access to services like HTTP, SSH, remote desktops, and other protocols.
More info: https://github.com/cloudflare/cloudflared/
compatibility:
talos:
version: ">= v1.5.0"
47 changes: 47 additions & 0 deletions network/cloudflared/pkg.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
name: cloudflared
variant: scratch
shell: /bin/bash
dependencies:
- stage: base
steps:
- sources:
- url: https://github.com/cloudflare/cloudflared/archive/refs/tags/{{ .CLOUDFLARED_VERSION }}.tar.gz
destination: cloudflared.tar.gz
sha256: 74794fbcdd7b71131799100d493cf70a8e126cb109f3d9e2abce55593df6a737
sha512: cd417fc8410537fd0e59799be750f18b13e5931a5785258833b518aa5f516a479e00af0bbceb9f6e03d7cc6f2da406a956f25f64a57f282de56d9f6c47b281a2
env:
GOPATH: /go
cachePaths:
- /.cache/go-build
- /go/pkg
prepare:
- |
sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
- |
tar -xzvf cloudflared.tar.gz --strip-components=1
build:
- |
export PATH=${PATH}:${TOOLCHAIN}/go/bin
make cloudflared VERSION="{{ .CLOUDFLARED_VERSION}}" DATE="{{ .BUILD_ARG_SOURCE_DATE_EPOCH }}"
install:
- |
mkdir -p /rootfs/usr/local/lib/containers/cloudflared/usr/local/bin
mv cloudflared /rootfs/usr/local/lib/containers/cloudflared/usr/local/bin
- |
mkdir -p /rootfs/usr/local/etc/containers
cp /pkg/cloudflared.yaml /rootfs/usr/local/etc/containers/
test:
- |
mkdir -p /extensions-validator-rootfs
cp -r /rootfs/ /extensions-validator-rootfs/rootfs
cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
/extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
- |
[[ $(/rootfs/usr/local/lib/containers/cloudflared/usr/local/bin/cloudflared version) == *{{ .CLOUDFLARED_VERSION }}* ]]
finalize:
- from: /rootfs
to: /rootfs
- from: /pkg/manifest.yaml
to: /
1 change: 1 addition & 0 deletions network/cloudflared/vars.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
VERSION: "{{ .CLOUDFLARED_VERSION }}"
2 changes: 2 additions & 0 deletions network/vars.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,5 @@
TAILSCALE_VERSION: 1.76.6
# renovate: datasource=github-releases depName=lldpd/lldpd
LLDPD_VERSION: 1.0.18
# renovate: datasource=github-releases depName=cloudflare/cloudflared
CLOUDFLARED_VERSION: 2024.12.1
4 changes: 4 additions & 0 deletions reproducibility/pkg.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,10 +15,14 @@ dependencies:
# - stage: chelsio-drivers
# chelsio-firmware can be ignored from reproducibility test since it's linux-firmware copied from pkgs
# - stage: chelsio-firmware

- stage: cloudflared

# drbd can be ignored from reproducibility test since it's kernel modules copied from pkgs
# crun can be ignored from reproducibility test since it's a tarball downloaded and extracted (no build happens)
# - stage: crun
# - stage: drbd
# - stage: dvb-cx23885
- stage: ecr-credential-provider
- stage: fuse3
# gasket-driver can be ignored from reproducibility test since it's kernel modules copied from pkgs
Expand Down

0 comments on commit 1dd6c36

Please sign in to comment.