diff --git a/cmd/containerboot/main_test.go b/cmd/containerboot/main_test.go
index ccbc73efc..e1353a8e6 100644
--- a/cmd/containerboot/main_test.go
+++ b/cmd/containerboot/main_test.go
@@ -312,7 +312,7 @@ func TestContainerBoot(t *testing.T) {
 },
 },
 {
- Name: "proxy",
+ Name: "ingres proxy",
 Env: map[string]string{
 "TS_AUTHKEY": "tskey-key",
 "TS_DEST_IP": "1.2.3.4",
@@ -334,6 +334,30 @@ func TestContainerBoot(t *testing.T) {
 },
 },
 },
+ {
+ Name: "egress proxy",
+ Env: map[string]string{
+ "TS_AUTHKEY": "tskey-key",
+ "TS_TAILNET_TARGET_IP": "100.99.99.99",
+ "TS_USERSPACE": "false",
+ },
+ Phases: []phase{
+ {
+ WantCmds: []string{
+ "/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
+ "/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
+ },
+ },
+ {
+ Notify: runningNotify,
+ WantCmds: []string{
+ "/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
+ "/usr/bin/iptables -t nat -I PREROUTING 1 ! -i tailscale0 -j DNAT --to-destination 100.99.99.99",
+ "/usr/bin/iptables -t nat -I POSTROUTING 1 --destination 100.99.99.99 -j SNAT --to-source 100.64.0.1",
+ },
+ },
+ },
+ },
 {
 Name: "authkey_once",
 Env: map[string]string{
diff --git a/cmd/k8s-operator/svc.go b/cmd/k8s-operator/svc.go
index 3bab3532a..40eb6a9a9 100644
--- a/cmd/k8s-operator/svc.go
+++ b/cmd/k8s-operator/svc.go
@@ -125,11 +125,15 @@ func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 sts := &tailscaleSTSConfig{
 ParentResourceName: svc.Name,
 ParentResourceUID: string(svc.UID),
- ClusterTargetIP: svc.Spec.ClusterIP,
 Hostname: hostname,
 Tags: tags,
 ChildResourceLabels: crl,
- TailnetTargetIP: svc.Annotations[AnnotationTailnetTargetIP],
+ }
+
+ if a.shouldExpose(svc) {
+ sts.ClusterTargetIP = svc.Spec.ClusterIP
+ } else if a.hasTailnetTargetAnnotation(svc) {
+ sts.TailnetTargetIP = svc.Annotations[AnnotationTailnetTargetIP]
 }
 
 var hsvc *corev1.Service
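Review bot: The new table entry is named `"egress proxy"`, but its counterpart renamed in the first hunk of this file is spelled `"ingres proxy"`; rename that one to `"ingress proxy"` so the pair reads consistently and both names are greppable. The second phase of the new case pins two NAT rules whose intent is not obvious from the strings alone; a one-line comment above `Notify: runningNotify,` such as `// egress: DNAT everything arriving on non-tailscale0 interfaces to the tailnet target, SNAT replies from the node's tailnet address (presumably what runningNotify carries — confirm)` would tell a reader why both rules are expected. The `TestContainerBoot` table begins before and continues after this hunk.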
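Review bot: The `else if` branch copies `svc.Annotations[AnnotationTailnetTargetIP]` into `sts.TailnetTargetIP` without checking that it is an IP address, even though the containerboot test in this same commit shows that value being interpolated verbatim into `iptables ... --to-destination` and `--destination` commands in the proxy pod. Unless it is validated somewhere not visible here, parse it with `netip.ParseAddr` at this boundary and reject the Service with an error, so a malformed or unexpected annotation fails reconciliation loudly instead of reaching the proxy. The new `if`/`else if` also silently prefers `shouldExpose` when both conditions hold and leaves both targets empty when neither does; a comment such as `// Exposure takes precedence over the tailnet-target annotation; the caller is expected to ensure at least one applies — confirm` would document the precedence. `maybeProvision` starts and ends outside the hunk and its return type is cut off in the header, so the fence assumes it returns an error and that `fmt` and `net/netip` are (or can be) imported.
```go
} else if a.hasTailnetTargetAnnotation(svc) {
	// Accept only an IP literal: the value becomes TS_TAILNET_TARGET_IP in
	// the proxy container, where it is used to build NAT rules.
	raw := svc.Annotations[AnnotationTailnetTargetIP]
	ip, err := netip.ParseAddr(raw)
	if err != nil {
		return fmt.Errorf("parsing %s annotation %q: %w", AnnotationTailnetTargetIP, raw, err)
	}
	sts.TailnetTargetIP = ip.String()
}
// … unchanged: hsvc declaration and the rest of maybeProvision …
```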