hscloud/cluster/identd/README.md

hscloud ident server
===

This server implements the ident protocol, as defined by RFC1413, which is
mostly used by IRC servers to determine the 'identity' of an incoming IRC
connection.

This implementation is supposed to run on production hosts which run containerd
with containers whose outgoing connections NATed to the host's public IP
address.

It responds with information about the namespace of the pod that originated the
connection. If the namespace is a personal-$owner namespace, it responds with
the owner of that namespace. Otherwise, it responds with `kns-$namespace`.

In addition, it has hardcoded special behaviour for when the pod terminating
the connection is named `appservice-irc-*` and runs in the `matrix` namespace.
If so, it performs an ident request to that pod on port 1113. This effectively
integrates it with appservice-irc's integrated identd, and allows us to server
correct identities for IRC connections.

Example flow
---

                                   .----------------------------------.
                                   | k8s host                         |
                                   |----------------------------------|
    .-------------.                |                  .-------------. |
    | remote host |                |                  | pod         | |
    |-------------|                |   ......         |-------------| |
    |        IRCd<:-:6697----:xxxx-:--< NAT <---:yyyy-:- IRC client | |
    |      identd-:--------.       |   ''''''         |             | |
    '.............|        |       |     ^          .-:->identd     | |
                           |       |     | query    | '-------------' |
                           |       |     |          |                 |
                           '--:113-:-->identd- - - -' forward?        |
                                   |     |                            |
                                   |     | query                      |
                                   |     v                            |
                                   |  ( containerd )                  |
                                   '----------------------------------'

In the above diagram, the remote hosts' identd client would query identd for
information about the TCP connection `xxxx,6697`, which identd would attempt to
resolve back into the pod by consulting the NAT table. After that, it can
either return the pod's namespace information to identd, or (if the pod is an
appservice-irc) forward the query to another identd running within the pod,
this time asking for `yyyy,6697`, and passing that reponse to the remote identd
client.


Libraries and building blocks
---

- [ident/](//cluster/identd/ident/) is a Go ident server/client library, reusable across projects.
- [kubenat/](//cluster/idented/kubenat/) is a Go library for figuring out which pod behind a NAT originated a given 4-tuple.

Deployment
---

See //cluster/kube/lib/identd.libsonnet .
cluster/identd: implement This implements the main identd service that will run on our production hosts. It's comparatively small, as most of the functionality is implemented in //cluster/identd/ident and //cluster/identd/kubenat. Change-Id: I1861fe7c93d105faa19a2bafbe9c85fe36502f73 2021-05-24 13:10:08 +00:00			`hscloud ident server`
			`===`

			`This server implements the ident protocol, as defined by RFC1413, which is`
			`mostly used by IRC servers to determine the 'identity' of an incoming IRC`
			`connection.`

			`This implementation is supposed to run on production hosts which run containerd`
			`with containers whose outgoing connections NATed to the host's public IP`
			`address.`

			`It responds with information about the namespace of the pod that originated the`
			`connection. If the namespace is a personal-$owner namespace, it responds with`
			the owner of that namespace. Otherwise, it responds with `kns-$namespace`.

			`In addition, it has hardcoded special behaviour for when the pod terminating`
			the connection is named `appservice-irc-*` and runs in the `matrix` namespace.
			`If so, it performs an ident request to that pod on port 1113. This effectively`
			`integrates it with appservice-irc's integrated identd, and allows us to server`
			`correct identities for IRC connections.`

			`Example flow`
			`---`

			`.----------------------------------.`
			`\| k8s host \|`
			`\|----------------------------------\|`
			`.-------------. \| .-------------. \|`
			`\| remote host \| \| \| pod \| \|`
			`\|-------------\| \| ...... \|-------------\| \|`
			`\| IRCd<:-:6697----:xxxx-:--< NAT <---:yyyy-:- IRC client \| \|`
			`\| identd-:--------. \| '''''' \| \| \|`
			`'.............\| \| \| ^ .-:->identd \| \|`
			`\| \| \| query \| '-------------' \|`
			`\| \| \| \| \|`
			`'--:113-:-->identd- - - -' forward? \|`
			`\| \| \|`
			`\| \| query \|`
			`\| v \|`
			`\| ( containerd ) \|`
			`'----------------------------------'`

			`In the above diagram, the remote hosts' identd client would query identd for`
			information about the TCP connection `xxxx,6697`, which identd would attempt to
			`resolve back into the pod by consulting the NAT table. After that, it can`
			`either return the pod's namespace information to identd, or (if the pod is an`
			`appservice-irc) forward the query to another identd running within the pod,`
			this time asking for `yyyy,6697`, and passing that reponse to the remote identd
			`client.`


			`Libraries and building blocks`
			`---`

			`- [ident/](//cluster/identd/ident/) is a Go ident server/client library, reusable across projects.`
			`- [kubenat/](//cluster/idented/kubenat/) is a Go library for figuring out which pod behind a NAT originated a given 4-tuple.`

			`Deployment`
			`---`

			`See //cluster/kube/lib/identd.libsonnet .`