Serge Bazanski
97b5cd7b58
This is a mega-change, but attempting to split this up further is
probably not worth the effort.

Summary:

1. Bump up bazel, rules_go, and others.
2. Switch to new go target naming (bye bye go_default_library)
3. Move go deps to go.mod/go.sum, use make gazelle generate from that
4. Bump up Python deps a bit

And also whatever was required to actually get things to work - loads
of small useless changes.

Tested to work on NixOS and Ubuntu 20.04:

    $ bazel build //...
    $ bazel test //...

Change-Id: I8364bdaa1406b9ae4d0385a6b607f3e7989f98a9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1583
Reviewed-by: q3k <q3k@hackerspace.pl>
cri
ident
kubenat
BUILD.bazel
main.go
README.md
hscloud ident server
This server implements the ident protocol, as defined by RFC 1413, which is mostly used by IRC servers to determine the 'identity' of an incoming IRC connection.
This implementation is supposed to run on production hosts which run containerd with containers whose outgoing connections are NATed to the host's public IP address.
It responds with information about the namespace of the pod that originated the connection. If the namespace is a `personal-$owner` namespace, it responds with the owner of that namespace. Otherwise, it responds with `kns-$namespace`.
In addition, it has hardcoded special behaviour for when the pod terminating the connection is named `appservice-irc-*` and runs in the `matrix` namespace. If so, it performs an ident request to that pod on port 1113. This effectively integrates it with appservice-irc's integrated identd, and allows us to serve correct identities for IRC connections.
Example flow
```
                        .----------------------------------.
                        |             k8s host             |
                        |----------------------------------|
.-------------.         |                  .-------------. |
| remote host |         |                  |     pod     | |
|-------------|         |    ......        |-------------| |
| IRCd<:-:6697----:xxxx-:--< NAT <---:yyyy-:- IRC client | |
| identd-:--------.      |    ''''''        |             | |
'.............|  |      |        ^        .-:->identd    | |
                 |      |        | query  |'-------------' |
                 |      |        |        |                |
                 '--:113-:-->identd- - - -' forward?       |
                        |        |                         |
                        |        | query                   |
                        |        v                         |
                        | ( containerd )                   |
                        '----------------------------------'
```
In the above diagram, the remote host's identd client would query identd for information about the TCP connection `xxxx,6697`, which identd would attempt to resolve back into the pod by consulting the NAT table. After that, it can either return the pod's namespace information to the remote identd client, or (if the pod is an appservice-irc) forward the query to another identd running within the pod, this time asking for `yyyy,6697`, and pass that response on to the remote identd client.
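The decision logic described above, written out in Go as an added example; this is not code from hscloud's ident/ or kubenat/ libraries. It parses one RFC 1413 request line, maps the resolved pod's namespace to an identity (`personal-$owner` to the owner, anything else to `kns-$namespace`), and relays the appservice-irc special case. The `Pod` type and the `resolve`/`forward` hooks are assumptions standing in for the NAT-table lookup and the ident request to the pod on port 1113.

```go
package main

import (
	"strconv"
	"strings"
)

// Pod is what the NAT lookup yields: the originating pod and its own source
// port (yyyy in the diagram). Constructed for this example, not kubenat's API.
type Pod struct {
	Namespace, Name string
	Port            int
}

// identityFor applies the README's naming rules to the pod's namespace.
func identityFor(p Pod) string {
	if owner := strings.TrimPrefix(p.Namespace, "personal-"); owner != p.Namespace {
		return owner
	}
	return "kns-" + p.Namespace
}

// HandleQuery turns one RFC 1413 request line "<port-on-server>, <port-on-client>"
// into the response line for the remote identd client. resolve is the NAT-table
// lookup and forward the ident request to pod:1113; both are caller-supplied hooks.
func HandleQuery(line string, resolve func(hostPort, remotePort int) (Pod, bool),
	forward func(pod Pod, query string) (string, error)) string {
	// Pad with an empty field so a line without a comma still indexes safely.
	parts := append(strings.SplitN(line, ",", 2), "")
	hostPort, err1 := strconv.Atoi(strings.TrimSpace(parts[0]))
	remotePort, err2 := strconv.Atoi(strings.TrimSpace(parts[1]))
	if err1 != nil || err2 != nil || hostPort < 1 || hostPort > 65535 || remotePort < 1 || remotePort > 65535 {
		return "0, 0 : ERROR : INVALID-PORT"
	}
	pair := strconv.Itoa(hostPort) + ", " + strconv.Itoa(remotePort)
	pod, ok := resolve(hostPort, remotePort)
	if !ok {
		return pair + " : ERROR : NO-USER"
	}
	// Hardcoded special case: appservice-irc pods run their own identd, so ask it
	// about the pod's side (yyyy,6697) and relay its verdict under the queried ports.
	if pod.Namespace == "matrix" && strings.HasPrefix(pod.Name, "appservice-irc-") {
		reply, err := forward(pod, strconv.Itoa(pod.Port)+", "+strconv.Itoa(remotePort))
		if i := strings.Index(reply, ":"); err == nil && i >= 0 {
			return pair + " :" + reply[i+1:]
		}
		return pair + " : ERROR : UNKNOWN-ERROR"
	}
	return pair + " : USERID : UNIX : " + identityFor(pod)
}
```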
Libraries and building blocks
- ident/ is a Go ident server/client library, reusable across projects.
- kubenat/ is a Go library for figuring out which pod behind a NAT originated a given 4-tuple.
Deployment
See `//cluster/kube/lib/identd.libsonnet`.