tailscale/k8s-operator/apis/v1alpha1/types_proxyclass.go

// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause

//go:build !plan9

package v1alpha1

import (
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

var ProxyClassKind = "ProxyClass"

// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:resource:scope=Cluster
// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=`.status.conditions[?(@.type == "ProxyClassReady")].reason`,description="Status of the ProxyClass."

type ProxyClass struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec ProxyClassSpec `json:"spec"`

	// +optional
	Status ProxyClassStatus `json:"status"`
}

// +kubebuilder:object:root=true
type ProxyClassList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`

	Items []ProxyClass `json:"items"`
}

type ProxyClassSpec struct {
	// Proxy's StatefulSet spec.
	StatefulSet *StatefulSet `json:"statefulSet"`
}

type StatefulSet struct {
	// Labels that will be added to the StatefulSet created for the proxy.
	// Any labels specified here will be merged with the default labels
	// applied to the StatefulSet by the Tailscale Kubernetes operator as
	// well as any other labels that might have been applied by other
	// actors.
	// Label keys and values must be valid Kubernetes label keys and values.
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
	// +optional
	Labels map[string]string `json:"labels,omitempty"`
	// Annotations that will be added to the StatefulSet created for the proxy.
	// Any Annotations specified here will be merged with the default annotations
	// applied to the StatefulSet by the Tailscale Kubernetes operator as
	// well as any other annotations that might have been applied by other
	// actors.
	// Annotations must be valid Kubernetes annotations.
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`
	// Configuration for the proxy Pod.
	// +optional
	Pod *Pod `json:"pod,omitempty"`
}

type Pod struct {
	// Labels that will be added to the proxy Pod.
	// Any labels specified here will be merged with the default labels
	// applied to the Pod by the Tailscale Kubernetes operator.
	// Label keys and values must be valid Kubernetes label keys and values.
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
	// +optional
	Labels map[string]string `json:"labels,omitempty"`
	// Annotations that will be added to the proxy Pod.
	// Any annotations specified here will be merged with the default
	// annotations applied to the Pod by the Tailscale Kubernetes operator.
	// Annotations must be valid Kubernetes annotations.
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`
	// Configuration for the proxy container running tailscale.
	// +optional
	TailscaleContainer *Container `json:"tailscaleContainer,omitempty"`
	// Configuration for the proxy init container that enables forwarding.
	// +optional
	TailscaleInitContainer *Container `json:"tailscaleInitContainer,omitempty"`
	// Proxy Pod's security context.
	// By default Tailscale Kubernetes operator does not apply any Pod
	// security context.
	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-2
	// +optional
	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
	// Proxy Pod's image pull Secrets.
	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec
	// +optional
	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
	// Proxy Pod's node name.
	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
	// +optional
	NodeName string `json:"nodeName,omitempty"`
	// Proxy Pod's node selector.
	// By default Tailscale Kubernetes operator does not apply any node
	// selector.
	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
	// +optional
	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
	// Proxy Pod's tolerations.
	// By default Tailscale Kubernetes operator does not apply any
	// tolerations.
	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
	// +optional
	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
}

type Container struct {
	// Container security context.
	// Security context specified here will override the security context by the operator.
	// By default the operator:
	// - sets 'privileged: true' for the init container
	// - set NET_ADMIN capability for tailscale container for proxies that
	// are created for Services or Connector.
	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context
	// +optional
	SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
	// Container resource requirements.
	// By default Tailscale Kubernetes operator does not apply any resource
	// requirements. The amount of resources required wil depend on the
	// amount of resources the operator needs to parse, usage patterns and
	// cluster size.
	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources
	// +optional
	Resources corev1.ResourceRequirements `json:"resources,omitempty"`
}

type ProxyClassStatus struct {
	// List of status conditions to indicate the status of the ProxyClass.
	// Known condition types are `ProxyClassReady`.
	// +listType=map
	// +listMapKey=type
	// +optional
	Conditions []ConnectorCondition `json:"conditions,omitempty"`
}
cmd/k8s-operator,k8s-operator: proxy configuration mechanism via a new ProxyClass custom resource (#11074) * cmd/k8s-operator,k8s-operator: introduce proxy configuration mechanism via ProxyClass custom resource. ProxyClass custom resource can be used to specify customizations for the proxy resources created by the operator. Add a reconciler that validates ProxyClass resources and sets a Ready condition to True or False with a corresponding reason and message. This is required because some fields (labels and annotations) require complex validations that cannot be performed at custom resource apply time. Reconcilers that use the ProxyClass to configure proxy resources are expected to verify that the ProxyClass is Ready and not proceed with resource creation if configuration from a ProxyClass that is not yet Ready is required. If a tailscale ingress/egress Service is annotated with a tailscale.com/proxy-class annotation, look up the corresponding ProxyClass and, if it is Ready, apply the configuration from the ProxyClass to the proxy's StatefulSet. If a tailscale Ingress has a tailscale.com/proxy-class annotation and the referenced ProxyClass custom resource is available and Ready, apply configuration from the ProxyClass to the proxy resources that will be created for the Ingress. Add a new .proxyClass field to the Connector spec. If connector.spec.proxyClass is set to a ProxyClass that is available and Ready, apply configuration from the ProxyClass to the proxy resources created for the Connector. Ensure that when Helm chart is packaged, the ProxyClass yaml is added to chart templates. Ensure that static manifest generator adds ProxyClass yaml to operator.yaml. Regenerate operator.yaml Signed-off-by: Irbe Krumina <irbe@tailscale.com> 5 months ago			`// Copyright (c) Tailscale Inc & AUTHORS`
			`// SPDX-License-Identifier: BSD-3-Clause`

			`//go:build !plan9`

			`package v1alpha1`

			`import (`
			`corev1 "k8s.io/api/core/v1"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`)`

			`var ProxyClassKind = "ProxyClass"`

			`// +kubebuilder:object:root=true`
			`// +kubebuilder:subresource:status`
			`// +kubebuilder:resource:scope=Cluster`
			// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=`.status.conditions[?(@.type == "ProxyClassReady")].reason`,description="Status of the ProxyClass."

			`type ProxyClass struct {`
			metav1.TypeMeta `json:",inline"`
			metav1.ObjectMeta `json:"metadata,omitempty"`

			Spec ProxyClassSpec `json:"spec"`

			`// +optional`
			Status ProxyClassStatus `json:"status"`
			`}`

			`// +kubebuilder:object:root=true`
			`type ProxyClassList struct {`
			metav1.TypeMeta `json:",inline"`
			metav1.ListMeta `json:"metadata"`

			Items []ProxyClass `json:"items"`
			`}`

			`type ProxyClassSpec struct {`
			`// Proxy's StatefulSet spec.`
			StatefulSet *StatefulSet `json:"statefulSet"`
			`}`

			`type StatefulSet struct {`
			`// Labels that will be added to the StatefulSet created for the proxy.`
			`// Any labels specified here will be merged with the default labels`
			`// applied to the StatefulSet by the Tailscale Kubernetes operator as`
			`// well as any other labels that might have been applied by other`
			`// actors.`
			`// Label keys and values must be valid Kubernetes label keys and values.`
			`// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set`
			`// +optional`
			Labels map[string]string `json:"labels,omitempty"`
			`// Annotations that will be added to the StatefulSet created for the proxy.`
			`// Any Annotations specified here will be merged with the default annotations`
			`// applied to the StatefulSet by the Tailscale Kubernetes operator as`
			`// well as any other annotations that might have been applied by other`
			`// actors.`
			`// Annotations must be valid Kubernetes annotations.`
			`// https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set`
			`// +optional`
			Annotations map[string]string `json:"annotations,omitempty"`
			`// Configuration for the proxy Pod.`
			`// +optional`
			Pod *Pod `json:"pod,omitempty"`
			`}`

			`type Pod struct {`
			`// Labels that will be added to the proxy Pod.`
			`// Any labels specified here will be merged with the default labels`
			`// applied to the Pod by the Tailscale Kubernetes operator.`
			`// Label keys and values must be valid Kubernetes label keys and values.`
			`// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set`
			`// +optional`
			Labels map[string]string `json:"labels,omitempty"`
			`// Annotations that will be added to the proxy Pod.`
			`// Any annotations specified here will be merged with the default`
			`// annotations applied to the Pod by the Tailscale Kubernetes operator.`
			`// Annotations must be valid Kubernetes annotations.`
			`// https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set`
			`// +optional`
			Annotations map[string]string `json:"annotations,omitempty"`
			`// Configuration for the proxy container running tailscale.`
			`// +optional`
			TailscaleContainer *Container `json:"tailscaleContainer,omitempty"`
			`// Configuration for the proxy init container that enables forwarding.`
			`// +optional`
			TailscaleInitContainer *Container `json:"tailscaleInitContainer,omitempty"`
			`// Proxy Pod's security context.`
			`// By default Tailscale Kubernetes operator does not apply any Pod`
			`// security context.`
			`// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-2`
			`// +optional`
			SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
			`// Proxy Pod's image pull Secrets.`
			`// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec`
			`// +optional`
			ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
			`// Proxy Pod's node name.`
			`// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling`
			`// +optional`
			NodeName string `json:"nodeName,omitempty"`
			`// Proxy Pod's node selector.`
			`// By default Tailscale Kubernetes operator does not apply any node`
			`// selector.`
			`// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling`
			`// +optional`
			NodeSelector map[string]string `json:"nodeSelector,omitempty"`
			`// Proxy Pod's tolerations.`
			`// By default Tailscale Kubernetes operator does not apply any`
			`// tolerations.`
			`// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling`
			`// +optional`
			Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
			`}`

			`type Container struct {`
			`// Container security context.`
			`// Security context specified here will override the security context by the operator.`
			`// By default the operator:`
			`// - sets 'privileged: true' for the init container`
			`// - set NET_ADMIN capability for tailscale container for proxies that`
			`// are created for Services or Connector.`
			`// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context`
			`// +optional`
			SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
			`// Container resource requirements.`
			`// By default Tailscale Kubernetes operator does not apply any resource`
			`// requirements. The amount of resources required wil depend on the`
			`// amount of resources the operator needs to parse, usage patterns and`
			`// cluster size.`
			`// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources`
			`// +optional`
			Resources corev1.ResourceRequirements `json:"resources,omitempty"`
			`}`

			`type ProxyClassStatus struct {`
			`// List of status conditions to indicate the status of the ProxyClass.`
			// Known condition types are `ProxyClassReady`.
			`// +listType=map`
			`// +listMapKey=type`
			`// +optional`
			Conditions []ConnectorCondition `json:"conditions,omitempty"`
			`}`