m/node/allocs: split new package off m/node
The metropolis/node package contains various unrelated things. One of
these things is node-wide allocations of identifiers.
These are moved here to the new metropolis/node/allocs package.
Additionally, the constants are renamed to move the type of identifier
in front.
Change-Id: Ibc841ca64d4450a7054463e6d2d44753a118e07a
Reviewed-on: https://review.monogon.dev/c/monogon/+/4566
Reviewed-by: Tim Windelschmidt <tim@monogon.tech>
Tested-by: Jenkins CI
diff --git a/metropolis/node/allocs/BUILD.bazel b/metropolis/node/allocs/BUILD.bazel
new file mode 100644
index 0000000..f2ead45
--- /dev/null
+++ b/metropolis/node/allocs/BUILD.bazel
@@ -0,0 +1,17 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+ name = "allocs",
+ srcs = [
+ "doc.go",
+ "ids.go",
+ "net_ips.go",
+ "net_protocols.go",
+ "ports.go",
+ ],
+ importpath = "source.monogon.dev/metropolis/node/allocs",
+ visibility = [
+ "//metropolis:__subpackages__",
+ "@io_k8s_kubernetes//pkg/registry:__subpackages__",
+ ],
+)
diff --git a/metropolis/node/allocs/doc.go b/metropolis/node/allocs/doc.go
new file mode 100644
index 0000000..dcc6960
--- /dev/null
+++ b/metropolis/node/allocs/doc.go
@@ -0,0 +1,6 @@
+// Copyright The Monogon Project Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package allocs contains allocations of various types of identifiers used in a
+// node. By tracking these centrally, we can avoid collisions.
+package allocs
diff --git a/metropolis/node/allocs/ids.go b/metropolis/node/allocs/ids.go
new file mode 100644
index 0000000..51d74fd
--- /dev/null
+++ b/metropolis/node/allocs/ids.go
@@ -0,0 +1,11 @@
+// Copyright The Monogon Project Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package allocs
+
+// These are UID/GID constants for components inside the Metropolis node
+// code.
+const (
+ UidRoot = 0
+ UidTime = 100
+)
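Review bot: The renamed constants `UidRoot` and `UidTime` use `Uid` rather than the Go initialism form `UIDRoot`/`UIDTime`, and since this commit already renames every moved identifier it is the cheapest moment to fix that. Neither constant has its own doc comment, and the group comment does not say which component runs as `UidTime`; a line such as `// UidTime is the UID under which the node's time component runs.` would help, with the actual owner confirmed against the callers, which are outside this diff. Renaming touches every importer, so it is only worth doing here if the rest of the rename series has not landed yet.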
diff --git a/metropolis/node/allocs/net_ips.go b/metropolis/node/allocs/net_ips.go
new file mode 100644
index 0000000..b0d19a0
--- /dev/null
+++ b/metropolis/node/allocs/net_ips.go
@@ -0,0 +1,13 @@
+// Copyright The Monogon Project Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package allocs
+
+import "net"
+
+// These are IP addresses used by various parts of Metropolis.
+var (
+ // Used by //metropolis/node/kubernetes as the DNS server IP for containers.
+ // Link-local IP space, 77 for ASCII M(onogon), 53 for DNS port.
+ IPContainerDNS = net.IPv4(169, 254, 77, 53)
+)
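Review bot: `IPContainerDNS` is an exported package-level `net.IP`, which is a slice, so any importer can overwrite its bytes in place and every other user of this allocation would silently see the changed address. If callers only read it, a comment saying so on the declaration would do; otherwise unexporting the var and adding an accessor that returns a copy, e.g. `func ContainerDNSIP() net.IP { return append(net.IP(nil), ipContainerDNS...) }`, keeps the allocation immutable from outside the package. This is a robustness point rather than a defect visible in the diff, and the callers are not in view here.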
diff --git a/metropolis/node/allocs/net_protocols.go b/metropolis/node/allocs/net_protocols.go
new file mode 100644
index 0000000..360f763
--- /dev/null
+++ b/metropolis/node/allocs/net_protocols.go
@@ -0,0 +1,22 @@
+// Copyright The Monogon Project Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package allocs
+
+// These are netlink protocol numbers used internally for various netlink
+// resource (e.g. route) owners/manager.
+const (
+ // ProtocolOverlay is used by //metropolis/node/core/network/overlay
+ // when creating/removing routes pointing to the overlay interface.
+ ProtocolOverlay int = 129
+)
+
+// Netlink link groups used for interface classification and traffic matching.
+const (
+ // LinkGroupK8sPod is set on all host side PtP interfaces going to K8s
+ // pods.
+ LinkGroupK8sPod uint32 = 8
+ // LinkGroupOverlay is set on all interfaces which are part of the overlay
+ // network and thus exempt from SNATing of workload traffic.
+ LinkGroupOverlay uint32 = 9
+)
diff --git a/metropolis/node/allocs/ports.go b/metropolis/node/allocs/ports.go
new file mode 100644
index 0000000..4595733
--- /dev/null
+++ b/metropolis/node/allocs/ports.go
@@ -0,0 +1,130 @@
+// Copyright The Monogon Project Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package allocs
+
+import (
+ "strconv"
+)
+
+// Port is a TCP and/or UDP port number reserved for and used by Metropolis
+// node code.
+type Port uint16
+
+const (
+ // PortCuratorService is the TCP port on which the Curator listens for gRPC
+ // calls and services Management/AAA/Curator RPCs.
+ PortCuratorService Port = 7835
+ // PortConsensus is the TCP port on which etcd listens for peer traffic.
+ PortConsensus Port = 7834
+ // PortDebugService is the TCP port on which the debug service serves gRPC
+ // traffic. This is only available in debug builds.
+ PortDebugService Port = 7837
+ // PortWireGuard is the UDP port on which the Wireguard Kubernetes network
+ // overlay listens for incoming peer traffic.
+ PortWireGuard Port = 7838
+ // PortNodeManagement is the TCP port on which the node-local management service
+ // serves gRPC traffic for NodeManagement.
+ PortNodeManagement Port = 7839
+ // PortMetrics is the TCP port on which the Metrics Service exports
+ // Prometheus-compatible metrics for this node, secured using TLS and the
+ // Cluster/Node certificates.
+ PortMetrics Port = 7840
+ // PortMetricsNodeListener is the TCP port on which the Prometheus node_exporter
+ // runs, bound to 127.0.0.1. The Metrics Service proxies traffic to it from the
+ // public PortMetrics.
+ PortMetricsNodeListener Port = 7841
+ // PortMetricsEtcdListener is the TCP port on which the etcd exporter
+ // runs, bound to 127.0.0.1. The metrics service proxies traffic to it from the
+ // public PortMetrics.
+ PortMetricsEtcdListener Port = 7842
+ // PortMetricsKubeSchedulerListener is the TCP port on which the proxy for
+ // the kube-scheduler runs, bound to 127.0.0.1. The metrics service proxies
+ // traffic to it from the public PortMetrics.
+ PortMetricsKubeSchedulerListener Port = 7843
+ // PortMetricsKubeControllerManagerListener is the TCP port on which the
+ // proxy for the controller-manager runs, bound to 127.0.0.1. The metrics
+ // service proxies traffic to it from the public PortMetrics.
+ PortMetricsKubeControllerManagerListener Port = 7844
+ // PortMetricsKubeAPIServerListener is the TCP port on which the
+ // proxy for the api-server runs, bound to 127.0.0.1. The metrics
+ // service proxies traffic to it from the public PortMetrics.
+ PortMetricsKubeAPIServerListener Port = 7845
+ // PortMetricsContainerdListener is the TCP port on which the
+ // containerd metrics endpoint, bound to 127.0.0.1, is exposed.
+ PortMetricsContainerdListener Port = 7846
+ // PortKubernetesAPI is the TCP port on which the Kubernetes API is
+ // exposed.
+ PortKubernetesAPI Port = 6443
+ // PortKubernetesAPIWrapped is the TCP port on which the Metropolis
+ // authenticating proxy for the Kubernetes API is exposed.
+ PortKubernetesAPIWrapped Port = 6444
+ // PortKubernetesWorkerLocalAPI is the TCP port on which Kubernetes worker nodes
+ // run a loadbalancer to access the cluster's API servers before cluster
+ // networking is available. This port is only bound to 127.0.0.1.
+ PortKubernetesWorkerLocalAPI Port = 6445
+ // PortDebugger is the port on which the delve debugger runs (on debug
+ // builds only). Not to be confused with PortDebugService.
+ PortDebugger Port = 2345
+)
+
+var SystemPorts = []Port{
+ PortCuratorService,
+ PortConsensus,
+ PortDebugService,
+ PortWireGuard,
+ PortNodeManagement,
+ PortMetrics,
+ PortMetricsNodeListener,
+ PortMetricsEtcdListener,
+ PortMetricsKubeSchedulerListener,
+ PortMetricsKubeControllerManagerListener,
+ PortMetricsKubeAPIServerListener,
+ PortMetricsContainerdListener,
+ PortKubernetesAPI,
+ PortKubernetesAPIWrapped,
+ PortKubernetesWorkerLocalAPI,
+ PortDebugger,
+}
+
+func (p Port) String() string {
+ switch p {
+ case PortCuratorService:
+ return "curator"
+ case PortConsensus:
+ return "consensus"
+ case PortDebugService:
+ return "debug"
+ case PortWireGuard:
+ return "wireguard"
+ case PortNodeManagement:
+ return "node-mgmt"
+ case PortMetrics:
+ return "metrics"
+ case PortMetricsNodeListener:
+ return "metrics-node-exporter"
+ case PortMetricsEtcdListener:
+ return "metrics-etcd"
+ case PortMetricsKubeSchedulerListener:
+ return "metrics-kubernetes-scheduler"
+ case PortMetricsKubeControllerManagerListener:
+ return "metrics-kubernetes-controller-manager"
+ case PortMetricsKubeAPIServerListener:
+ return "metrics-kubernetes-api-server"
+ case PortMetricsContainerdListener:
+ return "metrics-containerd"
+ case PortKubernetesAPI:
+ return "kubernetes-api"
+ case PortKubernetesAPIWrapped:
+ return "kubernetes-api-wrapped"
+ case PortKubernetesWorkerLocalAPI:
+ return "kubernetes-worker-local-api"
+ case PortDebugger:
+ return "delve"
+ }
+ return "unknown"
+}
+
+func (p Port) PortString() string {
+ return strconv.Itoa(int(p))
+}
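Review bot: `SystemPorts`, `Port.String` and `Port.PortString` are exported without doc comments, and `SystemPorts` is a mutable slice that any importer can reorder or append to. Proposed comments: `// SystemPorts lists every Port reserved in this file, in declaration order.`, `// String returns a short human-readable name for a reserved port, or "unknown" for any other value.` and `// PortString returns the decimal port number, as used in addresses.`. `String` drops the numeric value when it falls through to `"unknown"`, which makes log lines for an unexpected port hard to act on; returning `"unknown(" + p.PortString() + ")"` would keep it, but check whether any caller compares against the literal "unknown" before changing it. Nothing in this hunk prevents two constants from sharing a number; a test asserting that `SystemPorts` contains no duplicates would catch a future collision, which is what the package exists to avoid.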