feat: add cloudflared system extension

.github/renovate.json

@@ -67,7 +67,8 @@
         {
             "matchPackageNames": [
                 "google/gvisor",
-                "intel/Intel-Linux-Processor-Microcode-Data-Files"
+                "intel/Intel-Linux-Processor-Microcode-Data-Files",
+                "cloudflare/cloudflared"
             ],
             "versioning": "regex:^(?<major>\\d{4})(?<minor>\\d{2})(?<patch>\\d{2})\\.?(?<build>\\d+)?$"
         },

.github/workflows/ci.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2024-12-10T13:30:19Z by kres 8183c20.
+# Generated on 2024-12-11T15:43:22Z by kres 8183c20.
 
 name: default
 concurrency:

.github/workflows/weekly.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2024-12-10T13:30:19Z by kres 8183c20.
+# Generated on 2024-12-11T15:43:22Z by kres 8183c20.
 
 name: weekly
 concurrency:

.kres.yaml

@@ -9,6 +9,7 @@ spec:
     - btrfs
     - chelsio-drivers
     - chelsio-firmware
+    - cloudflared
     - crun
     - drbd
     - dvb-cx23885

MAINTAINERS.md

@@ -17,6 +17,7 @@ If the field is marked as `Needs Maintainer`, it means that the package is curre
 | btrfs                                     | Enno Boland          | [Gottox](https://github.com/Gottox)                                  |
 | chelsio-drivers                           | Sidero Labs          | NA                                                                   |
 | chelsio-firmware                          | Sidero Labs          | NA                                                                   |
+| cloudflared                               | Maxime Nrb           | [maxnrb](https://github.com/maxnrb)                                  |
 | crun                                      | Henrik Gerdes        | [hegerdes](https://github.com/hegerdes)                              |
 | drbd                                      | Needs Maintainer     | NA                                                                   |
 | dvb-cx23885                               | Skyler Mäntysaari    | [samip5](https://github.com/samip5)                                  |

Makefile

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2024-12-10T13:30:19Z by kres 8183c20.
+# Generated on 2024-12-11T16:03:30Z by kres 8183c20.
 
 # common variables
 
@@ -62,6 +62,7 @@ TARGETS += bnx2-bnx2x
 TARGETS += btrfs
 TARGETS += chelsio-drivers
 TARGETS += chelsio-firmware
+TARGETS += cloudflared
 TARGETS += crun
 TARGETS += drbd
 TARGETS += dvb-cx23885

README.md

@@ -43,12 +43,12 @@ cosign verify --certificate-identity-regexp '@siderolabs\.com$' --certificate-oi
 | Name                                                                 | Image                                                                                                                         | Description                                                                                                                        | Version Format     |
 | -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------------------ |
 | [crun](container-runtime/crun/)                                      | [ghcr.io/siderolabs/crun](https://github.com/siderolabs/extensions/pkgs/container/crun)                                       | [crun](https://github.com/containers/crun) container runtime                                                                       | `upstream version` |
+| [ecr-credential-provider](container-runtime/ecr-credential-provider) | [ghcr.io/siderolabs/ecr-credential-provider](https://github.com/siderolabs/extensions/pkgs/container/ecr-credential-provider) | [ECR Credential Provider](https://github.com/kubernetes/cloud-provider-aws/tree/master/cmd/ecr-credential-provider) kubelet plugin | `upstream version` |
 | [gvisor](container-runtime/gvisor/)                                  | [ghcr.io/siderolabs/gvisor](https://github.com/siderolabs/extensions/pkgs/container/gvisor)                                   | [gVisor](https://gvisor.dev/) container runtime                                                                                    | `upstream version` |
+| [kata-containers](container-runtime/kata-containers)                 | [ghcr.io/siderolabs/kata-containers](https://github.com/siderolabs/extensions/pkgs/container/kata-containers)                 | [Kata Containers](https://github.com/kata-containers/kata-containers) container runtime                                            | `upstream version` |
+| [spin](container-runtime/spin)                                       | [ghcr.io/siderolabs/spin](https://github.com/siderolabs/extensions/pkgs/container/spin)                                       | [Spin](https://github.com/spinkube/containerd-shim-spin) container runtime                                                         | `upstream_version` |
 | [stargz-snapshotter](container-runtime/stargz-snapshotter/)          | [ghcr.io/siderolabs/stargz-snapshotter](https://github.com/siderolabs/extensions/pkgs/container/stargz-snapshotter)           | [Stargz Snapshotter](https://github.com/containerd/stargz-snapshotter) container runtime                                           | `upstream version` |
-| [ecr-credential-provider](container-runtime/ecr-credential-provider) | [ghcr.io/siderolabs/ecr-credential-provider](https://github.com/siderolabs/extensions/pkgs/container/ecr-credential-provider) | [ECR Credential Provider](https://github.com/kubernetes/cloud-provider-aws/tree/master/cmd/ecr-credential-provider) kubelet plugin | `upstream version` |
 | [wasmedge](container-runtime/wasmedge)                               | [ghcr.io/siderolabs/wasmedge](https://github.com/siderolabs/extensions/pkgs/container/wasmedge)                               | [WasmEdge](https://github.com/containerd/runwasi) container runtime                                                                | `upstream_version` |
-| [spin](container-runtime/spin)                                       | [ghcr.io/siderolabs/spin](https://github.com/siderolabs/extensions/pkgs/container/spin)                                       | [Spin](https://github.com/spinkube/containerd-shim-spin) container runtime                                                         | `upstream_version` |
-| [kata-containers](container-runtime/kata-containers)                 | [ghcr.io/siderolabs/kata-containers](https://github.com/siderolabs/extensions/pkgs/container/kata-containers)                 | [Kata Containers](https://github.com/kata-containers/kata-containers) container runtime                                            | `upstream version` |
 
 ### Firmware
 
@@ -96,20 +96,23 @@ cosign verify --certificate-identity-regexp '@siderolabs\.com$' --certificate-oi
 
 ### Network
 
-| Name                            | Image                                                                                             | Description                            | Version Format     |
-| ------------------------------- | ------------------------------------------------------------------------------------------------- | -------------------------------------- | ------------------ |
-| [tailscale](network/tailscale/) | [ghcr.io/siderolabs/tailscale](https://github.com/siderolabs/extensions/pkgs/container/tailscale) | [Tailscale](https://tailscale.com)     | `upstream version` |
-| [lldpd](network/lldpd/)         | [ghcr.io/siderolabs/lldpd](https://github.com/siderolabs/extensions/pkgs/container/lldpd)         | [LLDP](https://github.com/lldpd/lldpd) | `upstream version` |
+| Name                                | Image                                                                                                 | Description                                               | Version Format     |
+| ----------------------------------- | ----------------------------------------------------------------------------------------------------- | --------------------------------------------------------- | ------------------ |
+| [cloudflared](network/cloudflared/) | [ghcr.io/siderolabs/cloudflared](https://github.com/siderolabs/extensions/pkgs/container/cloudflared) | [Cloudflared](https://github.com/cloudflare/cloudflared/) | `upstream version` |
+| [lldpd](network/lldpd/)             | [ghcr.io/siderolabs/lldpd](https://github.com/siderolabs/extensions/pkgs/container/lldpd)             | [LLDP](https://github.com/lldpd/lldpd)                    | `upstream version` |
+| [tailscale](network/tailscale/)     | [ghcr.io/siderolabs/tailscale](https://github.com/siderolabs/extensions/pkgs/container/tailscale)     | [Tailscale](https://tailscale.com)                        | `upstream version` |
+
 
 ### Storage
 
 | Name                                | Image                                                                                                 | Description            | Version Format                     |
 | ----------------------------------- | ----------------------------------------------------------------------------------------------------- | ---------------------- | ---------------------------------- |
+| [btrfs](storage/btrfs/)             | [ghcr.io/siderolabs/btrfs](https://github.com/siderolabs/extensions/pkgs/container/btrfs)             | BTRFS driver module    | `talos version`                    |
+| [drbd](storage/drbd/)               | [ghcr.io/siderolabs/drbd](https://github.com/siderolabs/extensions/pkgs/container/drbd)               | DRBD driver module     | `upstream version`-`talos version` |
 | [iscsi-tools](storage/iscsi-tools/) | [ghcr.io/siderolabs/iscsi-tools](https://github.com/siderolabs/extensions/pkgs/container/iscsi-tools) | Open iSCSI tools       | `v0.1.0`                           |
 | [mdadm](storage/mdadm/)             | [ghcr.io/siderolabs/mdadm](https://github.com/siderolabs/extensions/pkgs/container/mdadm)             | manage MD devices tool | `upstream version`                 |
-| [drbd](storage/drbd/)               | [ghcr.io/siderolabs/drbd](https://github.com/siderolabs/extensions/pkgs/container/drbd)               | DRBD driver module     | `upstream version`-`talos version` |
 | [zfs](storage/zfs/)                 | [ghcr.io/siderolabs/zfs](https://github.com/siderolabs/extensions/pkgs/container/zfs)                 | ZFS driver module      | `upstream version`-`talos version` |
-| [btrfs](storage/btrfs/)             | [ghcr.io/siderolabs/btrfs](https://github.com/siderolabs/extensions/pkgs/container/btrfs)             | BTRFS driver module    | `talos version`                    |
+
 
 ### Power
 
@@ -123,8 +126,8 @@ cosign verify --certificate-identity-regexp '@siderolabs\.com$' --certificate-oi
 | ---------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- | ------------------ |
 | [metal-agent](guest-agents/metal-agent/)                   | [ghcr.io/siderolabs/metal-agent](https://github.com/siderolabs/extensions/pkgs/container/metal-agent)                   | [Talos Metal Agent](https://github.com/siderolabs/talos-metal-agent)   | `upstream version` |
 | [qemu-guest-agent](guest-agents/qemu-guest-agent/)         | [ghcr.io/siderolabs/qemu-guest-agent](https://github.com/siderolabs/extensions/pkgs/container/qemu-guest-agent)         | [QEMU Guest Agent](https://wiki.qemu.org/Features/GuestAgent)          | `upstream version` |
-| [xe-guest-utilities](guest-agents/xe-guest-utilities/)     | [ghcr.io/siderolabs/xe-guest-utilities](https://github.com/siderolabs/extensions/pkgs/container/xe-guest-utilities)     | [xe-guest-utilities](https://github.com/xenserver/xe-guest-utilitiest) | `upstream version` |
 | [vmtoolsd-guest-agent](guest-agents/vmtoolsd-guest-agent/) | [ghcr.io/siderolabs/vmtoolsd-guest-agent](https://github.com/siderolabs/extensions/pkgs/container/vmtoolsd-guest-agent) | [talos-vmtoolsd](https://github.com/siderolabs/talos-vmtoolsd)         | `upstream version` |
+| [xe-guest-utilities](guest-agents/xe-guest-utilities/)     | [ghcr.io/siderolabs/xe-guest-utilities](https://github.com/siderolabs/extensions/pkgs/container/xe-guest-utilities)     | [xe-guest-utilities](https://github.com/xenserver/xe-guest-utilitiest) | `upstream version` |
 
 ### NVIDIA GPU
 

hack/release.toml

@@ -25,6 +25,12 @@ lldpd is now available as a system extension.
         title = "dvb"
         description = """\
 dvb drivers + firmware is now available as a system extension.
+"""
+
+    [notes.cloudflared]
+        title = "Cloudflared"
+        description = """\
+Cloudflared is now available as a system extension.
 """
 
     [notes.drm]

network/cloudflared/README.md

@@ -0,0 +1,55 @@
+# Cloudflare Tunnel
+
+Cloudflare Tunnel securely connects resources to Cloudflare without a public IP. A lightweight daemon (cloudflared) creates outbound-only connections to Cloudflare, allowing safe access to services like HTTP, SSH, remote desktops, and other protocols.
+
+More info: https://github.com/cloudflare/cloudflared/
+
+## Installation
+
+Cloudflared system extension can be installed by customising boot assets or after installation with the `installer`
+
+You can use the following schematic file:
+```yaml
+# cloudflared-ext.yaml
+customization:
+  systemExtensions:
+    officialExtensions:
+      - siderolabs/cloudflared
+```
+
+Check documentation for install:
+* https://www.talos.dev/latest/talos-guides/configuration/system-extensions/
+* https://www.talos.dev/latest/talos-guides/install/boot-assets/
+
+## Usage
+
+Configure the extension via `ExtensionServiceConfig` document.
+
+```yaml
+# cloudflared-config.yaml
+---
+apiVersion: v1alpha1
+kind: ExtensionServiceConfig
+name: cloudflared
+environment:
+  - TUNNEL_TOKEN=<your_token>
+  - TUNNEL_METRICS=localhost:2000
+  - TUNNEL_EDGE_IP_VERSION=auto   # if your node is only configured for IPv6
+```
+
+Then apply the patch to your node's MachineConfigs
+```bash
+talosctl patch mc -p @cloudflared-config.yaml
+```
+
+You will then be able to verify that it is in place with the following command
+```bash
+talosctl get extensionserviceconfigs
+
+NODE     NAMESPACE   TYPE                     ID            VERSION
+mynode   runtime     ExtensionServiceConfig   cloudflared   1
+```
+
+## Configuration
+
+See all run parameters here (use environment variables): https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/

network/cloudflared/cloudflared.yaml

@@ -0,0 +1,17 @@
+name: cloudflared
+depends:
+  - service: cri
+  - network:
+    - addresses
+    - connectivity
+    - etcfiles
+    - hostname
+  - configuration: true
+container:
+  entrypoint: /usr/local/bin/cloudflared
+  args:
+    - tunnel
+    - run
+  environment:
+    - NO_AUTOUPDATE=true
+restart: always

network/cloudflared/manifest.yaml

@@ -0,0 +1,13 @@
+version: v1alpha1
+metadata:
+  name: cloudflared
+  version: "$VERSION"
+  author: Maxime Narbaud
+  description: |
+    Cloudflare Tunnel securely connects resources to Cloudflare without a public IP.
+    A lightweight daemon (cloudflared) creates outbound-only connections to Cloudflare,
+    allowing safe access to services like HTTP, SSH, remote desktops, and other protocols.
+    More info: https://github.com/cloudflare/cloudflared/
+  compatibility:
+    talos:
+      version: ">= v1.5.0"

network/cloudflared/pkg.yaml

@@ -0,0 +1,47 @@
+name: cloudflared
+variant: scratch
+shell: /bin/bash
+dependencies:
+  - stage: base
+steps:
+  - sources:
+      - url: https://github.com/cloudflare/cloudflared/archive/refs/tags/{{ .CLOUDFLARED_VERSION }}.tar.gz
+        destination: cloudflared.tar.gz
+        sha256: 74794fbcdd7b71131799100d493cf70a8e126cb109f3d9e2abce55593df6a737
+        sha512: cd417fc8410537fd0e59799be750f18b13e5931a5785258833b518aa5f516a479e00af0bbceb9f6e03d7cc6f2da406a956f25f64a57f282de56d9f6c47b281a2
+    env:
+      GOPATH: /go
+    cachePaths:
+      - /.cache/go-build
+      - /go/pkg
+    prepare:
+      - |
+        sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
+      - |
+        tar -xzvf cloudflared.tar.gz --strip-components=1
+    build:
+      - |
+        export PATH=${PATH}:${TOOLCHAIN}/go/bin
+
+        make cloudflared VERSION="{{ .CLOUDFLARED_VERSION}}" DATE="{{ .BUILD_ARG_SOURCE_DATE_EPOCH }}"
+    install:
+      - |
+        mkdir -p /rootfs/usr/local/lib/containers/cloudflared/usr/local/bin
+
+        mv cloudflared /rootfs/usr/local/lib/containers/cloudflared/usr/local/bin
+      - |
+        mkdir -p /rootfs/usr/local/etc/containers
+        cp /pkg/cloudflared.yaml /rootfs/usr/local/etc/containers/
+    test:
+      - |
+        mkdir -p /extensions-validator-rootfs
+        cp -r /rootfs/ /extensions-validator-rootfs/rootfs
+        cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
+        /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
+      - |
+        [[ $(/rootfs/usr/local/lib/containers/cloudflared/usr/local/bin/cloudflared version) == *{{ .CLOUDFLARED_VERSION }}* ]]
+finalize:
+  - from: /rootfs
+    to: /rootfs
+  - from: /pkg/manifest.yaml
+    to: /

network/cloudflared/vars.yaml

@@ -0,0 +1 @@
+VERSION: "{{ .CLOUDFLARED_VERSION }}"

network/vars.yaml

@@ -2,3 +2,5 @@
 TAILSCALE_VERSION: 1.76.6
 # renovate: datasource=github-releases depName=lldpd/lldpd
 LLDPD_VERSION: 1.0.18
+# renovate: datasource=github-releases depName=cloudflare/cloudflared
+CLOUDFLARED_VERSION: 2024.12.1

reproducibility/pkg.yaml

@@ -15,10 +15,14 @@ dependencies:
   # - stage: chelsio-drivers
   # chelsio-firmware can be ignored from reproducibility test since it's linux-firmware copied from pkgs
   # - stage: chelsio-firmware
+
+  - stage: cloudflared
+
   # drbd can be ignored from reproducibility test since it's kernel modules copied from pkgs
   # crun can be ignored from reproducibility test since it's a tarball downloaded and extracted (no build happens)
   # - stage: crun
   # - stage: drbd
+  # - stage: dvb-cx23885
   - stage: ecr-credential-provider
   - stage: fuse3
   # gasket-driver can be ignored from reproducibility test since it's kernel modules copied from pkgs