
Commit 9bb85f8

feat: implement secure node join flow
Fixes: #840

This PR changes the Talos machine join flow drastically:

- the newly joined machine is first put into a limbo state, where Omni creates a temporary WireGuard connection to it.
- the controller picks it up and tries to write a unique machine token to the newly joined machine; in the meantime it also resolves UUID conflicts automatically and writes a UUID override to the META partition.
- the machine re-joins Omni, now with the unique token.
- the unique token is saved in the `siderolink.Link` resource, and any subsequent join checks that `siderolink.Link` has a matching unique token.

The Siderolink manager was refactored, as it was a huge, monolithic, poorly testable chunk; it was split into:

- LinkStatus controller, which creates/removes WireGuard peers.
- PendingMachineStatus controller, which ensures all joined machines have unique node tokens.
- Provision handler, which implements the gRPC server and now has all logic related to machine acceptance.
- PeersPool, which is used by the LinkStatus controller and deduplicates peer creation, reusing peers when possible.

Additionally, the siderolink loghandler was updated to not accept logger connections for machines which do not have corresponding log buffers.

Nodes which do not support the secure flow are still able to join by default. The secure join flow can be forced by setting the `--disable-legacy-join-tokens` flag.

Signed-off-by: Artem Chernyshev <[email protected]>
1 parent 0cda77b commit 9bb85f8

33 files changed

+2963
-391
lines changed

client/api/omni/specs/siderolink.pb.go

Lines changed: 193 additions & 49 deletions

client/api/omni/specs/siderolink.proto

Lines changed: 18 additions & 0 deletions
@@ -28,6 +28,19 @@ message SiderolinkSpec {
2828
// RemoteAddr is the machine address how it's visible from Omni
2929
// it is determined by reading X-Forwarded-For header coming from the gRPC API.
3030
string remote_addr = 8;
31+
// NodeUniqueToken is the per node join token which is saved in the Node META partition after
32+
// the machine is accepted in Omni.
33+
// Only for Talos >= 1.6.
34+
string node_unique_token = 9;
35+
}
36+
37+
// LinkStatusSpec is created when the link peer event was submitted.
38+
message LinkStatusSpec {
39+
string node_subnet = 1;
40+
string node_public_key = 2;
41+
string virtual_addrport = 3;
42+
// LinkId is the ID of the resource which created the link status.
43+
string link_id = 4;
3144
}
3245

3346
// SiderolinkConnectionSpec describes each node connection information.
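Review bot: the new `node_unique_token` field (line `string node_unique_token = 9;`) carries a per-node join secret, but its comment only describes where it is persisted and which Talos versions use it; add a sentence stating that the value is sensitive and must not be logged or echoed in API responses or status output, so consumers of `SiderolinkSpec` treat it accordingly. In the same hunk, only `link_id` in `LinkStatusSpec` is documented; `node_subnet`, `node_public_key` and `virtual_addrport` should each get a one-line comment (for example which side's public key `node_public_key` is, and the address:port format expected in `virtual_addrport`), and the message comment "is created when the link peer event was submitted" describes lifecycle rather than contents and could state what the spec represents (the peer configuration the LinkStatus controller reconciles).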
@@ -55,3 +68,8 @@ message ConnectionParamsSpec {
5568
// LogsPort is the logs port.
5669
int32 logs_port = 10;
5770
}
71+
72+
// PendingMachineStatusSpec describes the spec of the pending machine status resource.
73+
message PendingMachineStatusSpec {
74+
string token = 1;
75+
}
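Review bot: `string token = 1;` in `PendingMachineStatusSpec` has no comment, and the name differs from `node_unique_token` in `SiderolinkSpec` in the previous hunk; document whether this is the same node unique token that the PendingMachineStatus controller writes to the machine before it re-joins, or a distinct pending/limbo value, and if it is the former consider naming it consistently (`node_unique_token`) so readers do not have to infer the relationship. As with the other token field, note in the comment that the value is secret so it is not surfaced in logs or listings of pending machines.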
