feat: bundle (some) CNI plugins with Talos core

Fixes siderolabs/extensions#448

Bundle some CNI standard plugins plus Flannel CNI plugin (as Flannel is
the default CNI in Talos) in the Talos `initramfs`.

With this change, no plugin install is required, so the `install-cni`
step is dropped from the Flannel default manifest.

The bundled plugins:

```
$ talosctl -n 172.20.0.2 ls -lH /opt/cni/bin/
NODE         MODE         UID   GID   SIZE(B)   LASTMOD       NAME
172.20.0.2   drwxr-xr-x   0     0     109 B     7 hours ago   .
172.20.0.2   -rwxr-xr-x   0     0     3.2 MB    7 hours ago   bridge
172.20.0.2   -rwxr-xr-x   0     0     3.3 MB    7 hours ago   firewall
172.20.0.2   -rwxr-xr-x   0     0     2.4 MB    7 hours ago   flannel
172.20.0.2   -rwxr-xr-x   0     0     2.4 MB    7 hours ago   host-local
172.20.0.2   -rwxr-xr-x   0     0     2.4 MB    7 hours ago   loopback
172.20.0.2   -rwxr-xr-x   0     0     2.8 MB    7 hours ago   portmap
```

The `initramfs` for amd64 grows 67 -> 73 MiB with this change.

The path `/opt/cni/bin` is still an overlay mount, so extra plugins can
be dropped to this directory (no change here).

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

Author: smira

Dockerfile

@@ -34,6 +34,8 @@ ARG PKG_APPARMOR
 ARG PKG_UTIL_LINUX
 ARG PKG_KMOD
 ARG PKG_KERNEL
+ARG PKG_CNI
+ARG PKG_FLANNEL_CNI
 ARG PKG_TALOSCTL_CNI_BUNDLE_INSTALL
 
 # Resolve package images using ${PKGS} to be used later in COPY --from=.
@@ -112,10 +114,32 @@ FROM --platform=arm64 ${PKG_UTIL_LINUX} AS pkg-util-linux-arm64
 FROM --platform=amd64 ${PKG_KMOD} AS pkg-kmod-amd64
 FROM --platform=arm64 ${PKG_KMOD} AS pkg-kmod-arm64
 
+FROM --platform=amd64 ${PKG_CNI} AS pkg-cni-amd64
+FROM --platform=arm64 ${PKG_CNI} AS pkg-cni-arm64
+
+FROM --platform=amd64 ${PKG_FLANNEL_CNI} AS pkg-flannel-cni-amd64
+FROM --platform=arm64 ${PKG_FLANNEL_CNI} AS pkg-flannel-cni-arm64
+
 FROM ${PKG_KERNEL} AS pkg-kernel
 FROM --platform=amd64 ${PKG_KERNEL} AS pkg-kernel-amd64
 FROM --platform=arm64 ${PKG_KERNEL} AS pkg-kernel-arm64
 
+# Strip CNI package.
+
+FROM scratch AS pkg-cni-stripped-amd64
+COPY --from=pkg-cni-amd64 /opt/cni/bin/bridge /opt/cni/bin/bridge
+COPY --from=pkg-cni-amd64 /opt/cni/bin/firewall /opt/cni/bin/firewall
+COPY --from=pkg-cni-amd64 /opt/cni/bin/host-local /opt/cni/bin/host-local
+COPY --from=pkg-cni-amd64 /opt/cni/bin/loopback /opt/cni/bin/loopback
+COPY --from=pkg-cni-amd64 /opt/cni/bin/portmap /opt/cni/bin/portmap
+
+FROM scratch AS pkg-cni-stripped-arm64
+COPY --from=pkg-cni-arm64 /opt/cni/bin/bridge /opt/cni/bin/bridge
+COPY --from=pkg-cni-arm64 /opt/cni/bin/firewall /opt/cni/bin/firewall
+COPY --from=pkg-cni-arm64 /opt/cni/bin/host-local /opt/cni/bin/host-local
+COPY --from=pkg-cni-arm64 /opt/cni/bin/loopback /opt/cni/bin/loopback
+COPY --from=pkg-cni-arm64 /opt/cni/bin/portmap /opt/cni/bin/portmap
+
 # Resolve package images using ${EXTRAS} to be used later in COPY --from=.
 
 FROM ${PKG_TALOSCTL_CNI_BUNDLE_INSTALL} AS extras-talosctl-cni-bundle-install
@@ -578,6 +602,8 @@ COPY --from=depmod-arm64 /build/lib/modules /lib/modules
 FROM build AS rootfs-base-amd64
 COPY --link --from=pkg-fhs / /rootfs
 COPY --link --from=pkg-apparmor-amd64 / /rootfs
+COPY --link --from=pkg-cni-stripped-amd64 / /rootfs
+COPY --link --from=pkg-flannel-cni-amd64 / /rootfs
 COPY --link --from=pkg-cryptsetup-amd64 / /rootfs
 COPY --link --from=pkg-containerd-amd64 / /rootfs
 COPY --link --from=pkg-dosfstools-amd64 / /rootfs
@@ -642,6 +668,8 @@ END
 FROM build AS rootfs-base-arm64
 COPY --link --from=pkg-fhs / /rootfs
 COPY --link --from=pkg-apparmor-arm64 / /rootfs
+COPY --link --from=pkg-cni-stripped-arm64 / /rootfs
+COPY --link --from=pkg-flannel-cni-arm64 / /rootfs
 COPY --link --from=pkg-cryptsetup-arm64 / /rootfs
 COPY --link --from=pkg-containerd-arm64 / /rootfs
 COPY --link --from=pkg-dosfstools-arm64 / /rootfs

Makefile

@@ -20,7 +20,7 @@ ARTIFACTS := _out
 TOOLS ?= ghcr.io/siderolabs/tools:v1.8.0-alpha.0-8-ga764e8d
 
 PKGS_PREFIX ?= ghcr.io/siderolabs
-PKGS ?= v1.8.0-alpha.0-46-g124d35b
+PKGS ?= v1.8.0-alpha.0-49-g5f919c5
 EXTRAS ?= v1.8.0-alpha.0-5-g6f4a373
 
 KRES_IMAGE ?= ghcr.io/siderolabs/kres:latest
@@ -51,6 +51,8 @@ PKG_RUNC ?= $(PKGS_PREFIX)/runc:$(PKGS)
 PKG_XFSPROGS ?= $(PKGS_PREFIX)/xfsprogs:$(PKGS)
 PKG_UTIL_LINUX ?= $(PKGS_PREFIX)/util-linux:$(PKGS)
 PKG_KMOD ?= $(PKGS_PREFIX)/kmod:$(PKGS)
+PKG_CNI ?= $(PKGS_PREFIX)/cni:$(PKGS)
+PKG_FLANNEL_CNI ?= $(PKGS_PREFIX)/flannel-cni:$(PKGS)
 PKG_KERNEL ?= $(PKGS_PREFIX)/kernel:$(PKGS)
 PKG_TALOSCTL_CNI_BUNDLE_INSTALL ?= $(PKGS_PREFIX)/talosctl-cni-bundle-install:$(EXTRAS)
 
@@ -208,6 +210,8 @@ COMMON_ARGS += --build-arg=PKG_UTIL_LINUX=$(PKG_UTIL_LINUX)
 COMMON_ARGS += --build-arg=PKG_KMOD=$(PKG_KMOD)
 COMMON_ARGS += --build-arg=PKG_U_BOOT=$(PKG_U_BOOT)
 COMMON_ARGS += --build-arg=PKG_RASPBERYPI_FIRMWARE=$(PKG_RASPBERYPI_FIRMWARE)
+COMMON_ARGS += --build-arg=PKG_CNI=$(PKG_CNI)
+COMMON_ARGS += --build-arg=PKG_FLANNEL_CNI=$(PKG_FLANNEL_CNI)
 COMMON_ARGS += --build-arg=PKG_KERNEL=$(PKG_KERNEL)
 COMMON_ARGS += --build-arg=PKG_TALOSCTL_CNI_BUNDLE_INSTALL=$(PKG_TALOSCTL_CNI_BUNDLE_INSTALL)
 COMMON_ARGS += --build-arg=ABBREV_TAG=$(ABBREV_TAG)

api/api.descriptors

@@ -54,7 +54,6 @@ message BootstrapManifestsConfigSpec {
   string dns_service_i_pv6 = 10;
   bool flannel_enabled = 11;
   string flannel_image = 12;
-  string flannel_cni_image = 13;
   bool pod_security_policy_enabled = 14;
   bool talos_api_service_enabled = 15;
   repeated string flannel_extra_args = 16;

api/resource/definitions/k8s/k8s.proto

@@ -135,7 +135,6 @@ var imageDefaultCmd = &cobra.Command{
 		}))
 
 		fmt.Printf("%s\n", images.Flannel)
-		fmt.Printf("%s\n", images.FlannelCNI)
 		fmt.Printf("%s\n", images.CoreDNS)
 		fmt.Printf("%s\n", images.Etcd)
 		fmt.Printf("%s\n", images.KubeAPIServer)

cmd/talosctl/cmd/talos/image.go

@@ -19,7 +19,7 @@ preface = """\
         title = "Component Updates"
         description = """\
 Kubernetes: 1.31.0-rc.1
-Linux: 6.6.44
+Linux: 6.6.45
 containerd: 2.0.0-rc.3
 runc: 1.2.0-rc.2
 etcd: 3.5.15
@@ -157,6 +157,21 @@ default tag would point to slim image:
 
 * `v1.x.y` (default, slim)
 * `v1.x.y-fat` (fat)
+"""
+
+    [notes.cni]
+        title = "CNI Plugins"
+        description = """\
+Talos Linux now bundles by default the following standard CNI plugins:
+
+* `bridge`
+* `firewall`
+* `flannel`
+* `host-local`
+* `loopback`
+* `portmap`
+
+The Talos bundled Flannel manifest was simplified to remove the `install-cni` step.
 """
 
 [make_deps]

hack/release.toml

@@ -292,7 +292,6 @@ func NewControlPlaneBootstrapManifestsController() *ControlPlaneBootstrapManifes
 
 					FlannelEnabled:         cfgProvider.Cluster().Network().CNI().Name() == constants.FlannelCNI,
 					FlannelImage:           images.Flannel,
-					FlannelCNIImage:        images.FlannelCNI,
 					FlannelExtraArgs:       cfgProvider.Cluster().Network().CNI().Flannel().ExtraArgs(),
 					FlannelKubeServiceHost: flannelKubeServiceHost,
 					FlannelKubeServicePort: flannelKubeServicePort,

internal/app/machined/pkg/controllers/k8s/control_plane.go

@@ -108,9 +108,8 @@ var defaultManifestSpec = k8s.BootstrapManifestsConfigSpec{
 
 	DNSServiceIP: "192.168.0.1",
 
-	FlannelEnabled:  true,
-	FlannelImage:    "foo/bar",
-	FlannelCNIImage: "foo/bar",
+	FlannelEnabled: true,
+	FlannelImage:   "foo/bar",
 
 	PodSecurityPolicyEnabled: true,
 }

internal/app/machined/pkg/controllers/k8s/manifest_test.go

@@ -221,17 +221,6 @@ var Template = []byte(`+"`", url)
 						},
 					},
 				},
-				{
-					Name:    "install-cni",
-					Image:   "{{ .FlannelCNIImage }}",
-					Command: []string{"/install-cni.sh"},
-					VolumeMounts: []corev1.VolumeMount{
-						{
-							Name:      "cni-plugin",
-							MountPath: "/host/opt/cni/bin/",
-						},
-					},
-				},
 			}
 
 			marshal(out, obj)