From 17438a98c022387bc9c0594f6225370fe0f01b77 Mon Sep 17 00:00:00 2001
From: Irbe Krumina
Date: Wed, 30 Aug 2023 14:22:06 +0100
Subject: [PATCH] cm/k8s-operator,cmd/containerboot: fix STS config, more tests (#9155)
Ensures that Statefulset reconciler config has only one of Cluster target IP or tailnet target IP. Adds a test case for containerboot egress proxy mode.
Updates tailscale/tailscale#8184
Signed-off-by: irbekrm
---
 cmd/containerboot/main_test.go | 26 +++++++++++++++++++++++++-
 cmd/k8s-operator/svc.go | 8 ++++++--
 2 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/cmd/containerboot/main_test.go b/cmd/containerboot/main_test.go
index ccbc73efc..e1353a8e6 100644
--- a/cmd/containerboot/main_test.go
+++ b/cmd/containerboot/main_test.go
@@ -312,7 +312,7 @@ func TestContainerBoot(t *testing.T) {
 },
 },
 {
- Name: "proxy",
+ Name: "ingres proxy",
 Env: map[string]string{
 "TS_AUTHKEY": "tskey-key",
 "TS_DEST_IP": "1.2.3.4",
@@ -334,6 +334,30 @@ func TestContainerBoot(t *testing.T) {
 },
 },
 },
+ {
+ Name: "egress proxy",
+ Env: map[string]string{
+ "TS_AUTHKEY": "tskey-key",
+ "TS_TAILNET_TARGET_IP": "100.99.99.99",
+ "TS_USERSPACE": "false",
+ },
+ Phases: []phase{
+ {
+ WantCmds: []string{
+ "/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
+ "/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
+ },
+ },
+ {
+ Notify: runningNotify,
+ WantCmds: []string{
+ "/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
+ "/usr/bin/iptables -t nat -I PREROUTING 1 ! -i tailscale0 -j DNAT --to-destination 100.99.99.99",
+ "/usr/bin/iptables -t nat -I POSTROUTING 1 --destination 100.99.99.99 -j SNAT --to-source 100.64.0.1",
+ },
+ },
+ },
+ },
 {
 Name: "authkey_once",
 Env: map[string]string{
diff --git a/cmd/k8s-operator/svc.go b/cmd/k8s-operator/svc.go
index 3bab3532a..40eb6a9a9 100644
--- a/cmd/k8s-operator/svc.go
+++ b/cmd/k8s-operator/svc.go
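Review bot: The renamed test case in the first hunk is misspelled as `"ingres proxy"`; it should read `Name: "ingress proxy",` so that `-run` filters and failure output match the feature name. The "egress proxy" case added in the next hunk is its counterpart, so the two names would read consistently once fixed. TestContainerBoot starts and ends outside this hunk.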
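Review bot: The new "egress proxy" case covers only a well-formed IPv4 target, so the expected `/usr/bin/iptables` rules never exercise an IPv6 target (where ip6tables would presumably be used) or a malformed `TS_TAILNET_TARGET_IP`. If containerboot validates that variable before building the DNAT/SNAT rules, a table entry asserting the rejection would pin that behaviour; if it does not, this is the path worth confirming, since the value is interpolated directly into the iptables argument list shown in WantCmds. The table entry is complete within the hunk, but TestContainerBoot itself starts and ends outside it.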
@@ -125,11 +125,15 @@ func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 sts := &tailscaleSTSConfig{
 ParentResourceName: svc.Name,
 ParentResourceUID: string(svc.UID),
- ClusterTargetIP: svc.Spec.ClusterIP,
 Hostname: hostname,
 Tags: tags,
 ChildResourceLabels: crl,
- TailnetTargetIP: svc.Annotations[AnnotationTailnetTargetIP],
+ }
+
+ if a.shouldExpose(svc) {
+ sts.ClusterTargetIP = svc.Spec.ClusterIP
+ } else if a.hasTailnetTargetAnnotation(svc) {
+ sts.TailnetTargetIP = svc.Annotations[AnnotationTailnetTargetIP]
 }
 var hsvc *corev1.Service
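Review bot: The `else if` branch copies the annotation value straight into `sts.TailnetTargetIP` without parsing it as an address here; if `hasTailnetTargetAnnotation` only checks presence, a malformed or non-IP value would be provisioned into the proxy configuration, and a `netip.ParseAddr` check before the assignment (logging and returning on failure) would keep the reconciler from creating a StatefulSet with an invalid target. The branch order also makes the expose path win silently when both conditions hold, which is the invariant the commit message describes; a comment such as `// A Service is either exposed to the tailnet (cluster target) or proxies to a tailnet target, never both; expose takes precedence.` would document that next to the code. maybeProvision starts and ends outside the hunk, so any validation done earlier in the function is not visible here.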