feat: add openziti network extension

[nenkoru]

Adds system extension to run OpenZiti edge tunneler which allows serving Talos nodes network resources over the overlay network.

OpenZiti is a free and open source project focused on bringing zero trust networking principles directly into any application. The project provides all the pieces required to implement a zero trust overlay network and provides all the tools necessary to integrate zero trust into your existing solutions. The OpenZiti project believes the principles of zero trust shouldn't stop at your network, those ideas belong in your application.
https://openziti.io
https://github.com/openziti

[nenkoru]

Idk how to solve gpg-identity EOF issue
I use mine ssh key to sign commits
Regarding number-of-commits - idk as well, branched from the main upstream.

[frezbo]

Idk how to solve gpg-identity EOF issue

you can ignore the gpg check, it checks if the commit is also signed by a member of org

Regarding number-of-commits - idk as well, branched from the main upstream.

the checks is passing, so all good

[smira]

this looks a bit strange... we usually build from base layer which contains toolchain (tools) and don't use alpine for the build. is there anything missing?

[nenkoru]

There is no zlib-static, zip, unzip when using scratch and its impossible to use install directive as apk manager doesnt exist in `scratch' variant.
Vcpkg relies on having zip, unzip as it downloads dependencies in that format.
Zlib-static is required to link an executable against it as there is no zlib on the host /usr/lib folder
the build process doesn't build zlib from sources and it has to be manually retrieved from the alpine packages repo in this case.

[smira]

zlib should be available though, zip and unzip, there will be no apk of course.

vcpkg downloads dependencies? does it pin them in a secure way?

[nenkoru]

I guess I could just change to using 'base' stage instead of explicitly binding to a tools image here.
Build seems to work fine with that. But idk what to do with those zip, unzip, zlib-static, ninja deps

[nenkoru]

zlib should be available though, zip and unzip, there will be no apk of course.

vcpkg downloads dependencies? does it pin them in a secure way?

Yes it does by verifying their sha512sum as I skimmed the code.

[frezbo]

hmm, then this extension needs to add it's build time dependencies as like qemu-guest-agent for example

[nenkoru]

hmm, then this extension needs to add it's build time dependencies as like qemu-guest-agent for example

I guess would be hard to do as it heavily depends on vcpkg as the dependency manager.
Maybe I could try working on creating static builds and then pulling them within the build process. Would this be okay?

[nenkoru]

I mean pulling them from the releases page, as you suggested above.

[smira]

yes, let's try static builds from the releases page. how big are those?

[nenkoru]

yes, let's try static builds from the releases page. how big are those?

Well, around 5MB, I am currently working on buildin those using gh workflows, just having a linker issue with CMAKE trying to link libpthread.so instead of libpthread.a.
openziti/ziti-tunnel-sdk-c#938

[frezbo]

why are we building an sdk? doesn't make sense, shouldn't it be using this https://github.com/openziti/ziti/?

[nenkoru]

why are we building an sdk? doesn't make sense, shouldn't it be using this https://github.com/openziti/ziti/?

No we shouldn't. OpenZiti tunneler is exactly for hosting or tunneling. Main ziti repo is for the other part of the OpenZiti project which provides a controller, router and etc.

[nenkoru]

Tunneler is just a daemon that runs on the host machines and allows to put the network communication on or from the overlay network it creates. For Talos its impossible to change routing from the extension, so the tunneler runs in a 'run-host' mode which allows offloading of a overlay traffic on the underlay network.