@pranav767 pranav767 commented Dec 28, 2025

Resolves #12437

Pull Request

What? (description)

  • Add KubeSpanConfigV1Alpha1 document type with registry support
  • Implement container aggregation with wrapper pattern
  • Deprecate .machine.network.kubespan v1alpha1 path

Why? (reasoning)

Making/applying config for KubeSpan easier, instead of the current scenario, which requires:

machine:
    network:
        nameservers:
            - 9.8.7.6
            - 8.7.6.5
        searchDomains:
            - example.org
            - example.com

        # # Configures KubeSpan feature.
        # kubespan:
        #     enabled: true # Enable the KubeSpan feature.

We can have an independent config for KubeSpan like:

apiVersion: v1alpha1
kind: KubeSpanConfig
enabled: true
advertiseKubernetesNetworks: false
allowDownPeerBypass: false
mtu: 1420

A few more points for my own sanity:

  1. The issue talks about deprecating and fully hiding .machine.network., but this still supports the previous config way; this just extends and gives priority to the multi-document config way for KubeSpan.
  2. Created pkg/machinery/config/types/network/kubespan.go, which reads YAML and creates KubeSpanConfigV1Alpha1 (struct) with all values and implements all interfaces.
  3. Updated the container logic in pkg/machinery/config/container/container.go to use a wrapper-in-wrapper pattern instead of just returning container.v1alpha1Config.Machine(); this helps to intercept the controller call on container.Machine().Network().KubeSpan() and use the desired (new multi-doc) config from container.documents.
  4. make generate created the JSON and copy stuff.
  5. There is one confusing bit which I feel should be changed: from the docs we have the params as
enabled
advertiseKubernetesNetworks
allowDownPeerBypass
harvestExtraEndpoints
mtu
filters

and following the above pattern we have such structs, but https://github.com/siderolabs/talos/blob/main/api/resource/definitions/kubespan/kubespan.proto has

// ConfigSpec describes KubeSpan configuration..
message ConfigSpec {
  bool enabled = 1;
  string cluster_id = 2;
  string shared_secret = 3;
  **bool force_routing = 4;**
  bool advertise_kubernetes_networks = 5;
  uint32 mtu = 6;
  repeated string endpoint_filters = 7;
  bool harvest_extra_endpoints = 8;
  repeated common.NetIPPort extra_endpoints = 9;
}

also the config for the kubespan controller has
https://github.com/siderolabs/talos/blob/main/internal/app/machined/pkg/controllers/kubespan/config.go#L49
res.TypedSpec().ForceRouting = c.Machine().Network().KubeSpan().ForceRouting(), i.e. forceRouting instead of allowDownPeerBypass,
which leads to https://github.com/siderolabs/talos/compare/main...pranav767:talos:feat/kubespan-multi-document-config?expand=1#diff-2f6f6aab6dbbcc38f191c5f752866e9d8d3dc787f0044c4eb9d7107ea7a1719dR170
It just feels like a bit of an inconsistency, with one parameter used under 2 different names.

Acceptance

Please use the following checklist:

  • you linked an issue (if applicable)
  • you included tests (if applicable)
  • you ran conformance (make conformance)
  • you formatted your code (make fmt)
  • you linted your code (make lint)
  • you generated documentation (make docs)
  • you ran unit-tests (make unit-tests)

See make help for a description of the available targets.

@github-project-automation github-project-automation bot moved this to To Do in Planning Dec 28, 2025
@talos-bot talos-bot moved this from To Do to In Review in Planning Dec 28, 2025
}

// machineConfigWrapper wraps MachineConfig to override Network().KubeSpan() with multi-doc aggregation.
type machineConfigWrapper struct {
Member commented:

this approach doesn't scale well.

we have this pattern:

// NetworkTimeSyncConfig implements config.Config interface.
func (container *Container) NetworkTimeSyncConfig() config.NetworkTimeSyncConfig {
	// first check if we have a dedicated document
	matching := findMatchingDocs[config.NetworkTimeSyncConfig](container.documents)
	if len(matching) > 0 {
		return matching[0]
	}

	// fallback to v1alpha1
	if container.v1alpha1Config != nil {
		return container.v1alpha1Config.NetworkTimeSyncConfig()
	}

	return nil
}

Author replied:

Removed the wrapper in wrapper pattern, and followed existing one. 👍
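The lookup-then-fall-back pattern quoted in the review above, applied to KubeSpan, as an added stand-alone example (this is not code from the Talos repository or from the PR): a container holds zero or more parsed documents plus an optional legacy v1alpha1 config, resolves the KubeSpan config by asking the documents for the capability interface first and falling back to the legacy .machine.network.kubespan block, and also shows the MTU default constant and the allowDownPeerBypass/forceRouting naming the PR description discusses. The type names mirror the PR's; the struct fields, the legacy stand-in types, the Describe helper and the assumption that KubeSpanLinkMTU equals the 1420 from the PR's example config are all my own.

```go
package main

import "fmt"

// KubeSpanLinkMTU is the default WireGuard link MTU applied when a document
// leaves mtu unset. The constant name is the one the review thread mentions;
// the value is assumed from the PR's example config.
const KubeSpanLinkMTU uint32 = 1420

// Document is what every multi-document config type provides.
type Document interface {
	Kind() string
	APIVersion() string
}

// KubeSpanConfig is the capability a consumer (the KubeSpan controller) asks
// the container for. ForceRouting is the controller-side name, not the YAML one.
type KubeSpanConfig interface {
	Enabled() bool
	ForceRouting() bool
	MTU() uint32
}

// KubeSpanConfigV1Alpha1 stands in for the dedicated document
// (apiVersion: v1alpha1, kind: KubeSpanConfig). Field names are assumptions.
type KubeSpanConfigV1Alpha1 struct {
	ConfigEnabled             bool
	ConfigAllowDownPeerBypass bool
	ConfigMTU                 *uint32 // nil means "use the default"
}

func (*KubeSpanConfigV1Alpha1) Kind() string       { return "KubeSpanConfig" }
func (*KubeSpanConfigV1Alpha1) APIVersion() string { return "v1alpha1" }
func (s *KubeSpanConfigV1Alpha1) Enabled() bool    { return s.ConfigEnabled }

// ForceRouting maps the YAML field allowDownPeerBypass onto the name the
// controller uses, so the two-names-one-setting mapping lives in one place.
func (s *KubeSpanConfigV1Alpha1) ForceRouting() bool { return s.ConfigAllowDownPeerBypass }

// MTU returns the configured MTU or the shared default constant.
func (s *KubeSpanConfigV1Alpha1) MTU() uint32 {
	if s.ConfigMTU != nil {
		return *s.ConfigMTU
	}
	return KubeSpanLinkMTU
}

// legacyKubeSpan stands in for the deprecated .machine.network.kubespan block.
type legacyKubeSpan struct{ KubeSpanEnabled bool }

func (l *legacyKubeSpan) Enabled() bool      { return l.KubeSpanEnabled }
func (l *legacyKubeSpan) ForceRouting() bool { return false }
func (l *legacyKubeSpan) MTU() uint32        { return KubeSpanLinkMTU }

// legacyV1Alpha1Config stands in for the v1alpha1 machine config; a nil
// kubeSpan means the block was never written.
type legacyV1Alpha1Config struct{ kubeSpan *legacyKubeSpan }

// Container aggregates the parsed documents plus the optional legacy config.
type Container struct {
	v1alpha1Config *legacyV1Alpha1Config
	documents      []Document
}

// findMatchingDocs returns every document whose dynamic type satisfies T, in
// stream order; the caller decides which match wins.
func findMatchingDocs[T any](docs []Document) []T {
	var out []T
	for _, d := range docs {
		if m, ok := d.(T); ok {
			out = append(out, m)
		}
	}
	return out
}

// KubeSpanConfig prefers a dedicated document and falls back to the legacy
// v1alpha1 block; nil means KubeSpan is not configured anywhere.
func (c *Container) KubeSpanConfig() KubeSpanConfig {
	if matching := findMatchingDocs[KubeSpanConfig](c.documents); len(matching) > 0 {
		return matching[0] // first document wins, as in the quoted pattern
	}
	if c.v1alpha1Config != nil && c.v1alpha1Config.kubeSpan != nil {
		return c.v1alpha1Config.kubeSpan
	}
	return nil
}

// Describe resolves the container and reports where the answer came from.
func Describe(c *Container) string {
	cfg := c.KubeSpanConfig()
	if cfg == nil {
		return "kubespan: not configured"
	}
	source := "legacy .machine.network.kubespan"
	if _, isDoc := cfg.(*KubeSpanConfigV1Alpha1); isDoc {
		source = "KubeSpanConfig document"
	}
	return fmt.Sprintf("kubespan: enabled=%t forceRouting=%t mtu=%d (from %s)",
		cfg.Enabled(), cfg.ForceRouting(), cfg.MTU(), source)
}

func main() {
	mtu := uint32(1380) // constructed sample: an operator-tuned MTU
	// Legacy block says disabled, dedicated document says enabled: the document wins.
	both := &Container{
		v1alpha1Config: &legacyV1Alpha1Config{kubeSpan: &legacyKubeSpan{KubeSpanEnabled: false}},
		documents:      []Document{&KubeSpanConfigV1Alpha1{ConfigEnabled: true, ConfigMTU: &mtu}},
	}
	fmt.Println(Describe(both))
	fmt.Println(Describe(&Container{v1alpha1Config: &legacyV1Alpha1Config{kubeSpan: &legacyKubeSpan{KubeSpanEnabled: true}}}))
	fmt.Println(Describe(&Container{}))
}
```

The priority rule matters for security review: an operator who still has the legacy block with enabled: false but adds a KubeSpanConfig document gets KubeSpan turned on, so a config linter should flag a machine config that carries both forms rather than silently letting the document win.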

// KubeSpanFiltersConfig configures KubeSpan endpoint filters.
type KubeSpanFiltersConfig struct {
// description: |
// Filter node addresses which will be advertised as KubeSpan endpoints for peer-to-peer Wireguard connections.
Member commented:

this needs more configuration/examples

Author replied:
Updated 👍

return *s.ConfigMTU
}

return 1420
Member commented:

I think we had a constant for it.

Author replied:

yes, found it KubeSpanLinkMTU


// Endpoints implements config.KubeSpanFilters interface.
func (f *KubeSpanFiltersConfig) Endpoints() []string {
if f == nil {
Member commented:

this can be removed (nil slice is an empty slice).

Author replied:

removed 👍

}

// NetworkConfig represents the machine's networking config values.
type NetworkConfig struct {
Member commented:

we can now deprecate the whole .machine.network tree, so that it disappears from the docs (it's now empty as everything inside it is deprecated).

Author replied:

Updated with docgen: nodoc

@smira (Member) left a review:

  • talosctl cluster create has a --with-kubespan option which should use the new multi-doc for Talos >= 1.13 (needs a new config version contract flag)
  • KubeSpanConfigController should have a new testcase for enabling KubeSpan via new multi-doc

Migrate KubeSpan configuration to support multi-document format.
Add version-aware support for talosctl cluster create and gen config.
Uses multi-doc format for Talos 1.13+, legacy format for 1.12 and earlier.

Signed-off-by: Pranav Patil <[email protected]>
@pranav767 pranav767 force-pushed the feat/kubespan-multi-document-config branch from 045777a to bc95639 Compare December 29, 2025 20:11
@pranav767 (Author) commented:
@smira

  • There were two talosctl commands (talosctl cluster create and talosctl gen config) using --with-kubespan. Both have been updated to use the new multi-document configuration format for Talos ≥ 1.13.
  • KubeSpanConfigController now includes a new test case for the multi-config–style KubeSpan.

genOptions = slices.Concat(genOptions,
[]generate.Option{generate.WithNetworkOptions(
v1alpha1.WithKubeSpan(),
)},
@pranav767 (Author) commented Dec 29, 2025 on these lines:
I'm aware that we're migrating .machine.network to multi-document format, but I've kept legacy v1alpha1 config generation for Talos < 1.13 as previous versions can't parse new KubeSpanConfigV1Alpha1
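The version-gated generation the author describes, as an added stand-alone example (not code from Talos, talosctl, or the PR): the target version decides whether KubeSpan is emitted as the legacy .machine.network.kubespan block or as a separate KubeSpanConfig document, and a minimal document reader models why the gate exists, since a reader whose registry predates the new kind rejects the whole stream. The 1.13 threshold comes from the PR; the hand-built YAML text, the parseVersion helper, the registry model and the Decode function are my own simplifications and do not reproduce Talos's real contract or decoder.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseVersion turns "1.13.0" or "v1.12.4" into (major, minor).
func parseVersion(v string) (int, int, error) {
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	if len(parts) < 2 {
		return 0, 0, fmt.Errorf("unparseable version %q", v)
	}
	major, err := strconv.Atoi(parts[0])
	if err != nil {
		return 0, 0, fmt.Errorf("bad major in %q: %w", v, err)
	}
	minor, err := strconv.Atoi(parts[1])
	if err != nil {
		return 0, 0, fmt.Errorf("bad minor in %q: %w", v, err)
	}
	return major, minor, nil
}

// SupportsKubeSpanDocument reports whether the target Talos version can parse
// the dedicated KubeSpanConfig document (1.13 and later, per the PR).
func SupportsKubeSpanDocument(version string) (bool, error) {
	major, minor, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	return major > 1 || (major == 1 && minor >= 13), nil
}

// GenerateConfig emits a (simplified, hand-built) machine config for the
// requested target version: a legacy block for < 1.13, a separate document
// appended after "---" for >= 1.13.
func GenerateConfig(version string, kubeSpan bool) (string, error) {
	multiDoc, err := SupportsKubeSpanDocument(version)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	b.WriteString("version: v1alpha1\nmachine:\n  type: controlplane\n")
	if !kubeSpan {
		return b.String(), nil
	}
	if !multiDoc {
		b.WriteString("  network:\n    kubespan:\n      enabled: true\n")
		return b.String(), nil
	}
	b.WriteString("---\napiVersion: v1alpha1\nkind: KubeSpanConfig\nenabled: true\n")
	return b.String(), nil
}

// knownKinds models the document registry of a given Talos version; releases
// before 1.13 simply have no KubeSpanConfig registered.
func knownKinds(version string) (map[string]bool, error) {
	kinds := map[string]bool{"": true} // the legacy v1alpha1 doc carries no kind line
	multiDoc, err := SupportsKubeSpanDocument(version)
	if err != nil {
		return nil, err
	}
	if multiDoc {
		kinds["KubeSpanConfig"] = true
	}
	return kinds, nil
}

// Decode splits a multi-document stream on "---" and rejects any kind the
// reader's registry does not know, returning the kinds seen otherwise.
func Decode(readerVersion, stream string) ([]string, error) {
	kinds, err := knownKinds(readerVersion)
	if err != nil {
		return nil, err
	}
	var seen []string
	for _, doc := range strings.Split(stream, "\n---\n") {
		kind := ""
		for _, line := range strings.Split(doc, "\n") {
			if strings.HasPrefix(line, "kind: ") {
				kind = strings.TrimPrefix(line, "kind: ")
			}
		}
		if !kinds[kind] {
			return nil, fmt.Errorf("talos %s: unknown document kind %q", readerVersion, kind)
		}
		seen = append(seen, kind)
	}
	return seen, nil
}

func main() {
	// Generate for two targets and feed both to a 1.12 reader: only the
	// legacy form survives, which is why the generator must stay version-aware.
	for _, target := range []string{"1.12.4", "1.13.0"} {
		cfg, _ := GenerateConfig(target, true)
		_, err := Decode("1.12.4", cfg)
		fmt.Printf("generated for %s, read by 1.12.4: err=%v\n", target, err)
	}
}
```

The practical check this gives a reviewer: a config generated with --with-kubespan for a 1.13 contract must never be applied to a 1.12 node, because the node rejects the stream rather than ignoring the unknown document, which turns a KubeSpan toggle into a failed apply.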

Successfully merging this pull request may close these issues.

Move .machine.network.kubespan into KubeSpanConfig

2 participants