archive
/
tailscale
mirror of https://github.com/tailscale/tailscale/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

cmd/k8s-operator,k8s-operator: use default ProxyClass if set for ProxyGroup (#13720)

Browse Source 
The default ProxyClass can be set via helm chart or env var, and applies
to all proxies that do not otherwise have an explicit ProxyClass set.
This ensures proxies created by the new ProxyGroup CRD are consistent
with the behaviour of existing proxies

Nearby but unrelated changes:

* Fix up double error logs (controller runtime logs returned errors)
* Fix a couple of variable names

Updates #13406

Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
pull/13732/head
Tom Proctor 2 months ago committed by GitHub
parent cba2e76568
commit 36cb2e4e5f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
17 changed files with 118 additions and 69 deletions
Show Stats Download Patch File Download Diff File

2
cmd/k8s-operator/connector_test.go
Unescape Escape View File

@ -278,7 +278,7 @@ func TestConnectorWithProxyClass(t *testing.T) {
pc.Status = tsapi.ProxyClassStatus{ pc.Status = tsapi.ProxyClassStatus{
Conditions: []metav1.Condition{{ Conditions: []metav1.Condition{{
Status: metav1.ConditionTrue, Status: metav1.ConditionTrue,
Type: string(tsapi.ProxyClassready), Type: string(tsapi.ProxyClassReady),
ObservedGeneration: pc.Generation, ObservedGeneration: pc.Generation,
}}} }}}
}) })

2
cmd/k8s-operator/deploy/chart/values.yaml
Unescape Escape View File

@ -80,7 +80,7 @@ proxyConfig:
firewallMode: auto firewallMode: auto
# If defined, this proxy class will be used as the default proxy class for # If defined, this proxy class will be used as the default proxy class for
# service and ingress resources that do not have a proxy class defined. It # service and ingress resources that do not have a proxy class defined. It
# does not apply to Connector and ProxyGroup resources. # does not apply to Connector resources.
defaultProxyClass: "" defaultProxyClass: ""
# apiServerProxyConfig allows to configure whether the operator should expose # apiServerProxyConfig allows to configure whether the operator should expose

5
cmd/k8s-operator/deploy/crds/tailscale.com_proxygroups.yaml
Unescape Escape View File

@ -63,8 +63,9 @@ spec:
description: |- description: |-
ProxyClass is the name of the ProxyClass custom resource that contains ProxyClass is the name of the ProxyClass custom resource that contains
configuration options that should be applied to the resources created configuration options that should be applied to the resources created
for this ProxyGroup. If unset, the operator will create resources with for this ProxyGroup. If unset, and there is no default ProxyClass
the default configuration. configured, the operator will create resources with the default
configuration.
type: string type: string
replicas: replicas:
description: |- description: |-

5
cmd/k8s-operator/deploy/manifests/operator.yaml
Unescape Escape View File

@ -2475,8 +2475,9 @@ spec:
description: |- description: |-
ProxyClass is the name of the ProxyClass custom resource that contains ProxyClass is the name of the ProxyClass custom resource that contains
configuration options that should be applied to the resources created configuration options that should be applied to the resources created
for this ProxyGroup. If unset, the operator will create resources with for this ProxyGroup. If unset, and there is no default ProxyClass
the default configuration. configured, the operator will create resources with the default
configuration.
type: string type: string
replicas: replicas:
description: |- description: |-

4
cmd/k8s-operator/ingress.go
Unescape Escape View File

@ -48,7 +48,7 @@ type IngressReconciler struct {
// managing. This is only used for metrics. // managing. This is only used for metrics.
managedIngresses set.Slice[types.UID] managedIngresses set.Slice[types.UID]
proxyDefaultClass string defaultProxyClass string
} }
var ( var (
@ -136,7 +136,7 @@ func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
} }
} }
proxyClass := proxyClassForObject(ing, a.proxyDefaultClass) proxyClass := proxyClassForObject(ing, a.defaultProxyClass)
if proxyClass != "" { if proxyClass != "" {
if ready, err := proxyClassIsReady(ctx, proxyClass, a.Client); err != nil { if ready, err := proxyClassIsReady(ctx, proxyClass, a.Client); err != nil {
return fmt.Errorf("error verifying ProxyClass for Ingress: %w", err) return fmt.Errorf("error verifying ProxyClass for Ingress: %w", err)

2
cmd/k8s-operator/ingress_test.go
Unescape Escape View File

@ -253,7 +253,7 @@ func TestTailscaleIngressWithProxyClass(t *testing.T) {
pc.Status = tsapi.ProxyClassStatus{ pc.Status = tsapi.ProxyClassStatus{
Conditions: []metav1.Condition{{ Conditions: []metav1.Condition{{
Status: metav1.ConditionTrue, Status: metav1.ConditionTrue,
Type: string(tsapi.ProxyClassready), Type: string(tsapi.ProxyClassReady),
ObservedGeneration: pc.Generation, ObservedGeneration: pc.Generation,
}}} }}}
}) })

11
cmd/k8s-operator/operator.go
Unescape Escape View File

@ -109,7 +109,7 @@ func main() {
proxyActAsDefaultLoadBalancer: isDefaultLoadBalancer, proxyActAsDefaultLoadBalancer: isDefaultLoadBalancer,
proxyTags: tags, proxyTags: tags,
proxyFirewallMode: tsFirewallMode, proxyFirewallMode: tsFirewallMode,
proxyDefaultClass: defaultProxyClass, defaultProxyClass: defaultProxyClass,
} }
runReconcilers(rOpts) runReconcilers(rOpts)
} }
@ -286,7 +286,7 @@ func runReconcilers(opts reconcilerOpts) {
recorder: eventRecorder, recorder: eventRecorder,
tsNamespace: opts.tailscaleNamespace, tsNamespace: opts.tailscaleNamespace,
clock: tstime.DefaultClock{}, clock: tstime.DefaultClock{},
proxyDefaultClass: opts.proxyDefaultClass, defaultProxyClass: opts.defaultProxyClass,
}) })
if err != nil { if err != nil {
startlog.Fatalf("could not create service reconciler: %v", err) startlog.Fatalf("could not create service reconciler: %v", err)
@ -309,7 +309,7 @@ func runReconcilers(opts reconcilerOpts) {
recorder: eventRecorder, recorder: eventRecorder,
Client: mgr.GetClient(), Client: mgr.GetClient(),
logger: opts.log.Named("ingress-reconciler"), logger: opts.log.Named("ingress-reconciler"),
proxyDefaultClass: opts.proxyDefaultClass, defaultProxyClass: opts.defaultProxyClass,
}) })
if err != nil { if err != nil {
startlog.Fatalf("could not create ingress reconciler: %v", err) startlog.Fatalf("could not create ingress reconciler: %v", err)
@ -480,6 +480,7 @@ func runReconcilers(opts reconcilerOpts) {
proxyImage: opts.proxyImage, proxyImage: opts.proxyImage,
defaultTags: strings.Split(opts.proxyTags, ","), defaultTags: strings.Split(opts.proxyTags, ","),
tsFirewallMode: opts.proxyFirewallMode, tsFirewallMode: opts.proxyFirewallMode,
defaultProxyClass: opts.defaultProxyClass,
}) })
if err != nil { if err != nil {
startlog.Fatalf("could not create ProxyGroup reconciler: %v", err) startlog.Fatalf("could not create ProxyGroup reconciler: %v", err)
@ -525,10 +526,10 @@ type reconcilerOpts struct {
// Auto is usually the best choice, unless you want to explicitly set // Auto is usually the best choice, unless you want to explicitly set
// specific mode for debugging purposes. // specific mode for debugging purposes.
proxyFirewallMode string proxyFirewallMode string
// proxyDefaultClass is the name of the ProxyClass to use as the default // defaultProxyClass is the name of the ProxyClass to use as the default
// class for proxies that do not have a ProxyClass set. // class for proxies that do not have a ProxyClass set.
// this is defined by an operator env variable. // this is defined by an operator env variable.
proxyDefaultClass string defaultProxyClass string
} }
// enqueueAllIngressEgressProxySvcsinNS returns a reconcile request for each // enqueueAllIngressEgressProxySvcsinNS returns a reconcile request for each

2
cmd/k8s-operator/operator_test.go
Unescape Escape View File

@ -1064,7 +1064,7 @@ func TestProxyClassForService(t *testing.T) {
pc.Status = tsapi.ProxyClassStatus{ pc.Status = tsapi.ProxyClassStatus{
Conditions: []metav1.Condition{{ Conditions: []metav1.Condition{{
Status: metav1.ConditionTrue, Status: metav1.ConditionTrue,
Type: string(tsapi.ProxyClassready), Type: string(tsapi.ProxyClassReady),
ObservedGeneration: pc.Generation, ObservedGeneration: pc.Generation,
}}} }}}
}) })

4
cmd/k8s-operator/proxyclass.go
Unescape Escape View File

@ -98,9 +98,9 @@ func (pcr *ProxyClassReconciler) Reconcile(ctx context.Context, req reconcile.Re
if errs := pcr.validate(pc); errs != nil { if errs := pcr.validate(pc); errs != nil {
msg := fmt.Sprintf(messageProxyClassInvalid, errs.ToAggregate().Error()) msg := fmt.Sprintf(messageProxyClassInvalid, errs.ToAggregate().Error())
pcr.recorder.Event(pc, corev1.EventTypeWarning, reasonProxyClassInvalid, msg) pcr.recorder.Event(pc, corev1.EventTypeWarning, reasonProxyClassInvalid, msg)
tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassready, metav1.ConditionFalse, reasonProxyClassInvalid, msg, pc.Generation, pcr.clock, logger) tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassReady, metav1.ConditionFalse, reasonProxyClassInvalid, msg, pc.Generation, pcr.clock, logger)
} else { } else {
tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassready, metav1.ConditionTrue, reasonProxyClassValid, reasonProxyClassValid, pc.Generation, pcr.clock, logger) tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassReady, metav1.ConditionTrue, reasonProxyClassValid, reasonProxyClassValid, pc.Generation, pcr.clock, logger)
} }
if !apiequality.Semantic.DeepEqual(oldPCStatus, pc.Status) { if !apiequality.Semantic.DeepEqual(oldPCStatus, pc.Status) {
if err := pcr.Client.Status().Update(ctx, pc); err != nil { if err := pcr.Client.Status().Update(ctx, pc); err != nil {

8
cmd/k8s-operator/proxyclass_test.go
Unescape Escape View File

@ -69,7 +69,7 @@ func TestProxyClass(t *testing.T) {
// 1. A valid ProxyClass resource gets its status updated to Ready. // 1. A valid ProxyClass resource gets its status updated to Ready.
expectReconciled(t, pcr, "", "test") expectReconciled(t, pcr, "", "test")
pc.Status.Conditions = append(pc.Status.Conditions, metav1.Condition{ pc.Status.Conditions = append(pc.Status.Conditions, metav1.Condition{
Type: string(tsapi.ProxyClassready), Type: string(tsapi.ProxyClassReady),
Status: metav1.ConditionTrue, Status: metav1.ConditionTrue,
Reason: reasonProxyClassValid, Reason: reasonProxyClassValid,
Message: reasonProxyClassValid, Message: reasonProxyClassValid,
@ -85,7 +85,7 @@ func TestProxyClass(t *testing.T) {
}) })
expectReconciled(t, pcr, "", "test") expectReconciled(t, pcr, "", "test")
msg := `ProxyClass is not valid: .spec.statefulSet.labels: Invalid value: "?!someVal": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')` msg := `ProxyClass is not valid: .spec.statefulSet.labels: Invalid value: "?!someVal": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')`
tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassready, metav1.ConditionFalse, reasonProxyClassInvalid, msg, 0, cl, zl.Sugar()) tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassReady, metav1.ConditionFalse, reasonProxyClassInvalid, msg, 0, cl, zl.Sugar())
expectEqual(t, fc, pc, nil) expectEqual(t, fc, pc, nil)
expectedEvent := "Warning ProxyClassInvalid ProxyClass is not valid: .spec.statefulSet.labels: Invalid value: \"?!someVal\": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')" expectedEvent := "Warning ProxyClassInvalid ProxyClass is not valid: .spec.statefulSet.labels: Invalid value: \"?!someVal\": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')"
expectEvents(t, fr, []string{expectedEvent}) expectEvents(t, fr, []string{expectedEvent})
@ -99,7 +99,7 @@ func TestProxyClass(t *testing.T) {
}) })
expectReconciled(t, pcr, "", "test") expectReconciled(t, pcr, "", "test")
msg = `ProxyClass is not valid: spec.statefulSet.pod.tailscaleContainer.image: Invalid value: "FOO bar": invalid reference format: repository name (library/FOO bar) must be lowercase` msg = `ProxyClass is not valid: spec.statefulSet.pod.tailscaleContainer.image: Invalid value: "FOO bar": invalid reference format: repository name (library/FOO bar) must be lowercase`
tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassready, metav1.ConditionFalse, reasonProxyClassInvalid, msg, 0, cl, zl.Sugar()) tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassReady, metav1.ConditionFalse, reasonProxyClassInvalid, msg, 0, cl, zl.Sugar())
expectEqual(t, fc, pc, nil) expectEqual(t, fc, pc, nil)
expectedEvent = `Warning ProxyClassInvalid ProxyClass is not valid: spec.statefulSet.pod.tailscaleContainer.image: Invalid value: "FOO bar": invalid reference format: repository name (library/FOO bar) must be lowercase` expectedEvent = `Warning ProxyClassInvalid ProxyClass is not valid: spec.statefulSet.pod.tailscaleContainer.image: Invalid value: "FOO bar": invalid reference format: repository name (library/FOO bar) must be lowercase`
expectEvents(t, fr, []string{expectedEvent}) expectEvents(t, fr, []string{expectedEvent})
@ -118,7 +118,7 @@ func TestProxyClass(t *testing.T) {
}) })
expectReconciled(t, pcr, "", "test") expectReconciled(t, pcr, "", "test")
msg = `ProxyClass is not valid: spec.statefulSet.pod.tailscaleInitContainer.image: Invalid value: "FOO bar": invalid reference format: repository name (library/FOO bar) must be lowercase` msg = `ProxyClass is not valid: spec.statefulSet.pod.tailscaleInitContainer.image: Invalid value: "FOO bar": invalid reference format: repository name (library/FOO bar) must be lowercase`
tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassready, metav1.ConditionFalse, reasonProxyClassInvalid, msg, 0, cl, zl.Sugar()) tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassReady, metav1.ConditionFalse, reasonProxyClassInvalid, msg, 0, cl, zl.Sugar())
expectEqual(t, fc, pc, nil) expectEqual(t, fc, pc, nil)
expectedEvent = `Warning ProxyClassInvalid ProxyClass is not valid: spec.statefulSet.pod.tailscaleInitContainer.image: Invalid value: "FOO bar": invalid reference format: repository name (library/FOO bar) must be lowercase` expectedEvent = `Warning ProxyClassInvalid ProxyClass is not valid: spec.statefulSet.pod.tailscaleInitContainer.image: Invalid value: "FOO bar": invalid reference format: repository name (library/FOO bar) must be lowercase`
expectEvents(t, fr, []string{expectedEvent}) expectEvents(t, fr, []string{expectedEvent})

51
cmd/k8s-operator/proxygroup.go
Unescape Escape View File

@ -62,6 +62,7 @@ type ProxyGroupReconciler struct {
proxyImage string proxyImage string
defaultTags []string defaultTags []string
tsFirewallMode string tsFirewallMode string
defaultProxyClass string
mu sync.Mutex // protects following mu sync.Mutex // protects following
proxyGroups set.Slice[types.UID] // for proxygroups gauge proxyGroups set.Slice[types.UID] // for proxygroups gauge
@ -125,24 +126,42 @@ func (r *ProxyGroupReconciler) Reconcile(ctx context.Context, req reconcile.Requ
// operation is underway. // operation is underway.
logger.Infof("ensuring ProxyGroup is set up") logger.Infof("ensuring ProxyGroup is set up")
pg.Finalizers = append(pg.Finalizers, FinalizerName) pg.Finalizers = append(pg.Finalizers, FinalizerName)
if err := r.Update(ctx, pg); err != nil { if err = r.Update(ctx, pg); err != nil {
logger.Errorf("error adding finalizer: %w", err) err = fmt.Errorf("error adding finalizer: %w", err)
return setStatusReady(pg, metav1.ConditionFalse, reasonProxyGroupCreationFailed, reasonProxyGroupCreationFailed) return setStatusReady(pg, metav1.ConditionFalse, reasonProxyGroupCreationFailed, reasonProxyGroupCreationFailed)
} }
} }
if err := r.validate(pg); err != nil { if err = r.validate(pg); err != nil {
logger.Errorf("error validating ProxyGroup spec: %w", err)
message := fmt.Sprintf("ProxyGroup is invalid: %s", err) message := fmt.Sprintf("ProxyGroup is invalid: %s", err)
r.recorder.Eventf(pg, corev1.EventTypeWarning, reasonProxyGroupInvalid, message) r.recorder.Eventf(pg, corev1.EventTypeWarning, reasonProxyGroupInvalid, message)
return setStatusReady(pg, metav1.ConditionFalse, reasonProxyGroupInvalid, message) return setStatusReady(pg, metav1.ConditionFalse, reasonProxyGroupInvalid, message)
} }
if err = r.maybeProvision(ctx, pg); err != nil { proxyClassName := r.defaultProxyClass
logger.Errorf("error provisioning ProxyGroup resources: %w", err) if pg.Spec.ProxyClass != "" {
message := fmt.Sprintf("failed provisioning ProxyGroup: %s", err) proxyClassName = pg.Spec.ProxyClass
r.recorder.Eventf(pg, corev1.EventTypeWarning, reasonProxyGroupCreationFailed, message) }
return setStatusReady(pg, metav1.ConditionFalse, reasonProxyGroupCreationFailed, message)
var proxyClass *tsapi.ProxyClass
if proxyClassName != "" {
proxyClass = new(tsapi.ProxyClass)
if err = r.Get(ctx, types.NamespacedName{Name: proxyClassName}, proxyClass); err != nil {
err = fmt.Errorf("error getting ProxyGroup's ProxyClass %s: %s", proxyClassName, err)
r.recorder.Eventf(pg, corev1.EventTypeWarning, reasonProxyGroupCreationFailed, err.Error())
return setStatusReady(pg, metav1.ConditionFalse, reasonProxyGroupCreationFailed, err.Error())
}
if !tsoperator.ProxyClassIsReady(proxyClass) {
message := fmt.Sprintf("the ProxyGroup's ProxyClass %s is not yet in a ready state, waiting...", proxyClassName)
logger.Info(message)
return setStatusReady(pg, metav1.ConditionFalse, reasonProxyGroupCreating, message)
}
}
if err = r.maybeProvision(ctx, pg, proxyClass); err != nil {
err = fmt.Errorf("error provisioning ProxyGroup resources: %w", err)
r.recorder.Eventf(pg, corev1.EventTypeWarning, reasonProxyGroupCreationFailed, err.Error())
return setStatusReady(pg, metav1.ConditionFalse, reasonProxyGroupCreationFailed, err.Error())
} }
desiredReplicas := int(pgReplicas(pg)) desiredReplicas := int(pgReplicas(pg))
@ -162,25 +181,13 @@ func (r *ProxyGroupReconciler) Reconcile(ctx context.Context, req reconcile.Requ
return setStatusReady(pg, metav1.ConditionTrue, reasonProxyGroupReady, reasonProxyGroupReady) return setStatusReady(pg, metav1.ConditionTrue, reasonProxyGroupReady, reasonProxyGroupReady)
} }
func (r *ProxyGroupReconciler) maybeProvision(ctx context.Context, pg *tsapi.ProxyGroup) error { func (r *ProxyGroupReconciler) maybeProvision(ctx context.Context, pg *tsapi.ProxyGroup, proxyClass *tsapi.ProxyClass) error {
logger := r.logger(pg.Name) logger := r.logger(pg.Name)
r.mu.Lock() r.mu.Lock()
r.proxyGroups.Add(pg.UID) r.proxyGroups.Add(pg.UID)
gaugeProxyGroupResources.Set(int64(r.proxyGroups.Len())) gaugeProxyGroupResources.Set(int64(r.proxyGroups.Len()))
r.mu.Unlock() r.mu.Unlock()
var proxyClass *tsapi.ProxyClass
if pg.Spec.ProxyClass != "" {
proxyClass = new(tsapi.ProxyClass)
if err := r.Get(ctx, types.NamespacedName{Name: pg.Spec.ProxyClass}, proxyClass); err != nil {
return fmt.Errorf("failed to get ProxyClass: %w", err)
}
if !tsoperator.ProxyClassIsReady(proxyClass) {
logger.Infof("ProxyClass %s specified for the ProxyGroup, but it is not (yet) in a ready state, waiting...", pg.Spec.ProxyClass)
return nil
}
}
cfgHash, err := r.ensureConfigSecretsCreated(ctx, pg, proxyClass) cfgHash, err := r.ensureConfigSecretsCreated(ctx, pg, proxyClass)
if err != nil { if err != nil {
return fmt.Errorf("error provisioning config Secrets: %w", err) return fmt.Errorf("error provisioning config Secrets: %w", err)

42
cmd/k8s-operator/proxygroup_test.go
Unescape Escape View File

@ -10,6 +10,7 @@ import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"testing" "testing"
"time"
"github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp"
"go.uber.org/zap" "go.uber.org/zap"
@ -29,7 +30,21 @@ import (
const testProxyImage = "tailscale/tailscale:test" const testProxyImage = "tailscale/tailscale:test"
var defaultProxyClassAnnotations = map[string]string{
"some-annotation": "from-the-proxy-class",
}
func TestProxyGroup(t *testing.T) { func TestProxyGroup(t *testing.T) {
pc := &tsapi.ProxyClass{
ObjectMeta: metav1.ObjectMeta{
Name: "default-pc",
},
Spec: tsapi.ProxyClassSpec{
StatefulSet: &tsapi.StatefulSet{
Annotations: defaultProxyClassAnnotations,
},
},
}
pg := &tsapi.ProxyGroup{ pg := &tsapi.ProxyGroup{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "test", Name: "test",
@ -39,8 +54,8 @@ func TestProxyGroup(t *testing.T) {
fc := fake.NewClientBuilder(). fc := fake.NewClientBuilder().
WithScheme(tsapi.GlobalScheme). WithScheme(tsapi.GlobalScheme).
WithObjects(pg). WithObjects(pg, pc).
WithStatusSubresource(pg). WithStatusSubresource(pg, pc).
Build() Build()
tsClient := &fakeTSClient{} tsClient := &fakeTSClient{}
zl, _ := zap.NewDevelopment() zl, _ := zap.NewDevelopment()
@ -51,6 +66,8 @@ func TestProxyGroup(t *testing.T) {
proxyImage: testProxyImage, proxyImage: testProxyImage,
defaultTags: []string{"tag:test-tag"}, defaultTags: []string{"tag:test-tag"},
tsFirewallMode: "auto", tsFirewallMode: "auto",
defaultProxyClass: "default-pc",
Client: fc, Client: fc,
tsClient: tsClient, tsClient: tsClient,
recorder: fr, recorder: fr,
@ -58,7 +75,27 @@ func TestProxyGroup(t *testing.T) {
clock: cl, clock: cl,
} }
t.Run("proxyclass_not_ready", func(t *testing.T) {
expectReconciled(t, reconciler, "", pg.Name)
tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionFalse, reasonProxyGroupCreating, "the ProxyGroup's ProxyClass default-pc is not yet in a ready state, waiting...", 0, cl, zl.Sugar())
expectEqual(t, fc, pg, nil)
})
t.Run("observe_ProxyGroupCreating_status_reason", func(t *testing.T) { t.Run("observe_ProxyGroupCreating_status_reason", func(t *testing.T) {
pc.Status = tsapi.ProxyClassStatus{
Conditions: []metav1.Condition{{
Type: string(tsapi.ProxyClassReady),
Status: metav1.ConditionTrue,
Reason: reasonProxyClassValid,
Message: reasonProxyClassValid,
LastTransitionTime: metav1.Time{Time: cl.Now().Truncate(time.Second)},
}},
}
if err := fc.Status().Update(context.Background(), pc); err != nil {
t.Fatal(err)
}
expectReconciled(t, reconciler, "", pg.Name) expectReconciled(t, reconciler, "", pg.Name)
tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionFalse, reasonProxyGroupCreating, "0/2 ProxyGroup pods running", 0, cl, zl.Sugar()) tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionFalse, reasonProxyGroupCreating, "0/2 ProxyGroup pods running", 0, cl, zl.Sugar())
@ -161,6 +198,7 @@ func expectProxyGroupResources(t *testing.T, fc client.WithWatch, pg *tsapi.Prox
roleBinding := pgRoleBinding(pg, tsNamespace) roleBinding := pgRoleBinding(pg, tsNamespace)
serviceAccount := pgServiceAccount(pg, tsNamespace) serviceAccount := pgServiceAccount(pg, tsNamespace)
statefulSet := pgStatefulSet(pg, tsNamespace, testProxyImage, "auto", "") statefulSet := pgStatefulSet(pg, tsNamespace, testProxyImage, "auto", "")
statefulSet.Annotations = defaultProxyClassAnnotations
if shouldExist { if shouldExist {
expectEqual(t, fc, role, nil) expectEqual(t, fc, role, nil)

4
cmd/k8s-operator/svc.go
Unescape Escape View File

@ -64,7 +64,7 @@ type ServiceReconciler struct {
clock tstime.Clock clock tstime.Clock
proxyDefaultClass string defaultProxyClass string
} }
var ( var (
@ -215,7 +215,7 @@ func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
return nil return nil
} }
proxyClass := proxyClassForObject(svc, a.proxyDefaultClass) proxyClass := proxyClassForObject(svc, a.defaultProxyClass)
if proxyClass != "" { if proxyClass != "" {
if ready, err := proxyClassIsReady(ctx, proxyClass, a.Client); err != nil { if ready, err := proxyClassIsReady(ctx, proxyClass, a.Client); err != nil {
errMsg := fmt.Errorf("error verifying ProxyClass for Service: %w", err) errMsg := fmt.Errorf("error verifying ProxyClass for Service: %w", err)

2
k8s-operator/api.md
Unescape Escape View File

@ -526,7 +526,7 @@ _Appears in:_
| `tags` _[Tags](#tags)_ | Tags that the Tailscale devices will be tagged with. Defaults to [tag:k8s].<br />If you specify custom tags here, make sure you also make the operator<br />an owner of these tags.<br />See https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator.<br />Tags cannot be changed once a ProxyGroup device has been created.<br />Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$. | | Pattern: `^tag:[a-zA-Z][a-zA-Z0-9-]*$` <br />Type: string <br /> | | `tags` _[Tags](#tags)_ | Tags that the Tailscale devices will be tagged with. Defaults to [tag:k8s].<br />If you specify custom tags here, make sure you also make the operator<br />an owner of these tags.<br />See https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator.<br />Tags cannot be changed once a ProxyGroup device has been created.<br />Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$. | | Pattern: `^tag:[a-zA-Z][a-zA-Z0-9-]*$` <br />Type: string <br /> |
| `replicas` _integer_ | Replicas specifies how many replicas to create the StatefulSet with.<br />Defaults to 2. | | | | `replicas` _integer_ | Replicas specifies how many replicas to create the StatefulSet with.<br />Defaults to 2. | | |
| `hostnamePrefix` _[HostnamePrefix](#hostnameprefix)_ | HostnamePrefix is the hostname prefix to use for tailnet devices created<br />by the ProxyGroup. Each device will have the integer number from its<br />StatefulSet pod appended to this prefix to form the full hostname.<br />HostnamePrefix can contain lower case letters, numbers and dashes, it<br />must not start with a dash and must be between 1 and 62 characters long. | | Pattern: `^[a-z0-9][a-z0-9-]{0,61}$` <br />Type: string <br /> | | `hostnamePrefix` _[HostnamePrefix](#hostnameprefix)_ | HostnamePrefix is the hostname prefix to use for tailnet devices created<br />by the ProxyGroup. Each device will have the integer number from its<br />StatefulSet pod appended to this prefix to form the full hostname.<br />HostnamePrefix can contain lower case letters, numbers and dashes, it<br />must not start with a dash and must be between 1 and 62 characters long. | | Pattern: `^[a-z0-9][a-z0-9-]{0,61}$` <br />Type: string <br /> |
| `proxyClass` _string_ | ProxyClass is the name of the ProxyClass custom resource that contains<br />configuration options that should be applied to the resources created<br />for this ProxyGroup. If unset, the operator will create resources with<br />the default configuration. | | | | `proxyClass` _string_ | ProxyClass is the name of the ProxyClass custom resource that contains<br />configuration options that should be applied to the resources created<br />for this ProxyGroup. If unset, and there is no default ProxyClass<br />configured, the operator will create resources with the default<br />configuration. | | |
#### ProxyGroupStatus #### ProxyGroupStatus

2
k8s-operator/apis/v1alpha1/types_connector.go
Unescape Escape View File

@ -171,7 +171,7 @@ type ConditionType string
const ( const (
ConnectorReady ConditionType = `ConnectorReady` ConnectorReady ConditionType = `ConnectorReady`
ProxyClassready ConditionType = `ProxyClassReady` ProxyClassReady ConditionType = `ProxyClassReady`
ProxyGroupReady ConditionType = `ProxyGroupReady` ProxyGroupReady ConditionType = `ProxyGroupReady`
ProxyReady ConditionType = `TailscaleProxyReady` // a Tailscale-specific condition type for corev1.Service ProxyReady ConditionType = `TailscaleProxyReady` // a Tailscale-specific condition type for corev1.Service
RecorderReady ConditionType = `RecorderReady` RecorderReady ConditionType = `RecorderReady`

5
k8s-operator/apis/v1alpha1/types_proxygroup.go
Unescape Escape View File

@ -64,8 +64,9 @@ type ProxyGroupSpec struct {
// ProxyClass is the name of the ProxyClass custom resource that contains // ProxyClass is the name of the ProxyClass custom resource that contains
// configuration options that should be applied to the resources created // configuration options that should be applied to the resources created
// for this ProxyGroup. If unset, the operator will create resources with // for this ProxyGroup. If unset, and there is no default ProxyClass
// the default configuration. // configured, the operator will create resources with the default
// configuration.
// +optional // +optional
ProxyClass string `json:"proxyClass,omitempty"` ProxyClass string `json:"proxyClass,omitempty"`
} }

2
k8s-operator/conditions.go
Unescape Escape View File

@ -137,7 +137,7 @@ func updateCondition(conds []metav1.Condition, conditionType tsapi.ConditionType
func ProxyClassIsReady(pc *tsapi.ProxyClass) bool { func ProxyClassIsReady(pc *tsapi.ProxyClass) bool {
idx := xslices.IndexFunc(pc.Status.Conditions, func(cond metav1.Condition) bool { idx := xslices.IndexFunc(pc.Status.Conditions, func(cond metav1.Condition) bool {
return cond.Type == string(tsapi.ProxyClassready) return cond.Type == string(tsapi.ProxyClassReady)
}) })
if idx == -1 { if idx == -1 {
return false return false

Write Preview
Loading…
Cancel
Save