feat: implement secure node join flow #924
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Unix4ever
force-pushed
the
implement-secure-join-tokens
branch
2 times, most recently
from
0f385a4 to
75734bf
Compare
utkuozdemir
reviewed
Feb 12, 2025
| message LinkStatusSpec { | ||
| string node_subnet = 1; | ||
| string node_public_key = 2; | ||
| string virtual_addrport = 3; |
There was a problem hiding this comment.
that's for the wireguard over gRPC. We keep it there to keep track of it being updated.
utkuozdemir
reviewed
Feb 12, 2025
utkuozdemir
reviewed
Feb 12, 2025
utkuozdemir
reviewed
Feb 12, 2025
utkuozdemir
reviewed
Feb 12, 2025
utkuozdemir
reviewed
Feb 12, 2025
utkuozdemir
reviewed
Feb 12, 2025
utkuozdemir
reviewed
Feb 12, 2025
internal/backend/runtime/omni/controllers/omni/pending_machine_status.go
Outdated
Show resolved
Hide resolved
utkuozdemir
reviewed
Feb 12, 2025
internal/backend/runtime/omni/controllers/omni/pending_machine_status.go
Outdated
Show resolved
Hide resolved
utkuozdemir
reviewed
Feb 12, 2025
internal/backend/runtime/omni/controllers/omni/pending_machine_status.go
Outdated
Show resolved
Hide resolved
utkuozdemir
reviewed
Feb 12, 2025
Comment on lines
+174
to
+189
| func getClient( | ||
| ctx context.Context, | ||
| r controller.Reader, | ||
| pendingMachine *siderolink.PendingMachine, | ||
| ) (*client.Client, error) { |
There was a problem hiding this comment.
We have more or less the same code in many places I think - should we consider moving them to a central place?
There was a problem hiding this comment.
I've extracted that and reused that in the place where I copy-pasted it from. Other places are slightly different.
utkuozdemir
reviewed
Feb 12, 2025
Unix4ever
force-pushed
the
implement-secure-join-tokens
branch
4 times, most recently
from
0a4f343 to
f72cfa6
Compare
Unix4ever
commented
Feb 14, 2025
Unix4ever
commented
Feb 14, 2025
Unix4ever
commented
Feb 14, 2025
Unix4ever
commented
Feb 14, 2025
internal/backend/runtime/omni/controllers/omni/pending_machine_status.go
Show resolved
Hide resolved
Unix4ever
commented
Feb 14, 2025
internal/backend/runtime/omni/controllers/omni/pending_machine_status.go
Outdated
Show resolved
Hide resolved
utkuozdemir
approved these changes
Feb 14, 2025
Unix4ever
force-pushed
the
implement-secure-join-tokens
branch
from
f72cfa6 to
45ba1e5
Compare
Fixes: siderolabs#840 This PR changes the Talos machine join flow drastically: - newly joined machine first put into a limbo state where Omni creates a temporary Wireguard connection to it. - the controller picks up and tries to write a unique machine token to the newly joined machine, in the mean time it also resolves UUID conflicts automatically and writes UUID override to the META partition. - the machine re-joins Omni, now with the unique token. - the unique token is saved in the `siderolink.Link` resource and any subsequent join checks that `siderolink.Link` has matching unique token. Siderolink manager was refactored, as it was a huge monolithic poorly testable chunk, it was split to: - LinkStatus controller, which creates/removes wireguard peers. - PendingMachineStatus controller, which ensures all joined machines have unique node tokens. - Provision handler, which implements gRPC server and has all logic related to the machine acceptance now. - PeersPool, which is used by LinkStatus controllers and deduplicate peers creation, reuse them when possible. Additionally updated siderolink loghandler to not accept logger connection for the machines which do not have corresponding log buffers. Nodes which do not support secure flow are still able to join by default. Secure join flow can be forced by setting `--disable-legacy-join-tokens` flag. Signed-off-by: Artem Chernyshev <[email protected]>
Unix4ever
force-pushed
the
implement-secure-join-tokens
branch
from
45ba1e5 to
9bb85f8
Compare
|
/m |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes: #840
This PR changes the Talos machine join flow drastically:
siderolink.Linkresource and any subsequent join checks thatsiderolink.Linkhas matching unique token.Siderolink manager was refactored, as it was a huge monolithic poorly testable chunk, it was split to:
Additionally updated siderolink loghandler to not accept logger connection for the machines which do not have corresponding log buffers.
Nodes which do not support secure flow are still able to join by default.
Secure join flow can be forced by setting
--disable-legacy-join-tokensflag.