4
0
Fork 2
mirror of https://gerrit.hackerspace.pl/hscloud synced 2024-12-14 17:00:21 +00:00
hscloud/cluster/identd
Serge Bazanski 97b5cd7b58 go: re-do the entire thing
This is a mega-change, but attempting to split this up further is
probably not worth the effort.

Summary:

1. Bump up bazel, rules_go, and others.
2. Switch to new go target naming (bye bye go_default_library)
3. Move go deps to go.mod/go.sum, use make gazelle generate from that
4. Bump up Python deps a bit

And also whatever was required to actually get things to work - loads of
small useless changes.

Tested to work on NixOS and Ubuntu 20.04:

   $ bazel build //...
   $ bazel test //...

Change-Id: I8364bdaa1406b9ae4d0385a6b607f3e7989f98a9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1583
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-09-22 21:50:19 +00:00
..
cri go: re-do the entire thing 2023-09-22 21:50:19 +00:00
ident go: re-do the entire thing 2023-09-22 21:50:19 +00:00
kubenat go: re-do the entire thing 2023-09-22 21:50:19 +00:00
BUILD.bazel go: re-do the entire thing 2023-09-22 21:50:19 +00:00
main.go cluster/identd: implement 2021-05-26 19:46:06 +00:00
README.md cluster/identd: implement 2021-05-26 19:46:06 +00:00

hscloud ident server

This server implements the ident protocol, as defined by RFC1413, which is mostly used by IRC servers to determine the 'identity' of an incoming IRC connection.

This implementation is supposed to run on production hosts which run containerd with containers whose outgoing connections NATed to the host's public IP address.

It responds with information about the namespace of the pod that originated the connection. If the namespace is a personal-$owner namespace, it responds with the owner of that namespace. Otherwise, it responds with kns-$namespace.

In addition, it has hardcoded special behaviour for when the pod terminating the connection is named appservice-irc-* and runs in the matrix namespace. If so, it performs an ident request to that pod on port 1113. This effectively integrates it with appservice-irc's integrated identd, and allows us to server correct identities for IRC connections.

Example flow

                               .----------------------------------.
                               | k8s host                         |
                               |----------------------------------|
.-------------.                |                  .-------------. |
| remote host |                |                  | pod         | |
|-------------|                |   ......         |-------------| |
|        IRCd<:-:6697----:xxxx-:--< NAT <---:yyyy-:- IRC client | |
|      identd-:--------.       |   ''''''         |             | |
'.............|        |       |     ^          .-:->identd     | |
                       |       |     | query    | '-------------' |
                       |       |     |          |                 |
                       '--:113-:-->identd- - - -' forward?        |
                               |     |                            |
                               |     | query                      |
                               |     v                            |
                               |  ( containerd )                  |
                               '----------------------------------'

In the above diagram, the remote hosts' identd client would query identd for information about the TCP connection xxxx,6697, which identd would attempt to resolve back into the pod by consulting the NAT table. After that, it can either return the pod's namespace information to identd, or (if the pod is an appservice-irc) forward the query to another identd running within the pod, this time asking for yyyy,6697, and passing that reponse to the remote identd client.

Libraries and building blocks

  • ident/ is a Go ident server/client library, reusable across projects.
  • kubenat/ is a Go library for figuring out which pod behind a NAT originated a given 4-tuple.

Deployment

See //cluster/kube/lib/identd.libsonnet .