From 37a946a6e1a7b252ef3f65ed6c168e062e4fd7a0 Mon Sep 17 00:00:00 2001
From: Tom Proctor <tomhjp@users.noreply.github.com>
Date: Wed, 8 Oct 2025 12:28:06 +0100
Subject: [PATCH] cmd/containerboot: support egress to Tailscale Service FQDNs

Adds support for targeting FQDNs that are a Tailscale Service. Uses the
same method of searching for Services as the tailscale configure
kubeconfig command. This fixes using the tailscale.com/tailnet-fqdn
annotation for Kubernetes Service when the specified FQDN is a Tailscale
Service.

Fixes #16534

Change-Id: I422795de76dc83ae30e7e757bc4fbd8eec21cc64
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
---
 cmd/containerboot/egressservices.go | 36 +++++-------
 cmd/containerboot/main.go           | 88 ++++++++++++++++++++++-------
 cmd/tailscale/cli/configure-kube.go |  4 +-
 3 files changed, 85 insertions(+), 43 deletions(-)

diff --git a/cmd/containerboot/egressservices.go b/cmd/containerboot/egressservices.go
index fe835a69e..6b7c085ab 100644
--- a/cmd/containerboot/egressservices.go
+++ b/cmd/containerboot/egressservices.go
@@ -27,7 +27,6 @@ import (
 	"tailscale.com/kube/egressservices"
 	"tailscale.com/kube/kubeclient"
 	"tailscale.com/kube/kubetypes"
-	"tailscale.com/tailcfg"
 	"tailscale.com/util/httpm"
 	"tailscale.com/util/linuxfw"
 	"tailscale.com/util/mak"
@@ -477,30 +476,23 @@ func (ep *egressProxy) tailnetTargetIPsForSvc(svc egressservices.Config, n ipn.N
 		log.Printf("netmap is not available, unable to determine backend addresses for %s", svc.TailnetTarget.FQDN)
 		return addrs, nil
 	}
-	var (
-		node      tailcfg.NodeView
-		nodeFound bool
-	)
-	for _, nn := range n.NetMap.Peers {
-		if equalFQDNs(nn.Name(), svc.TailnetTarget.FQDN) {
-			node = nn
-			nodeFound = true
-			break
-		}
+	egressAddrs, err := resolveTailnetFQDN(n.NetMap, svc.TailnetTarget.FQDN)
+	if err != nil || len(egressAddrs) == 0 {
+		log.Printf("tailnet target %q does not have any backend addresses, skipping", svc.TailnetTarget.FQDN)
+		return addrs, nil
 	}
-	if nodeFound {
-		for _, addr := range node.Addresses().AsSlice() {
-			if addr.Addr().Is6() && !ep.nfr.HasIPV6NAT() {
-				log.Printf("tailnet target %v is an IPv6 address, but this host does not support IPv6 in the chosen firewall mode, skipping.", addr.Addr().String())
-				continue
-			}
-			addrs = append(addrs, addr.Addr())
+
+	for _, addr := range egressAddrs {
+		if addr.Addr().Is6() && !ep.nfr.HasIPV6NAT() {
+			log.Printf("tailnet target %v is an IPv6 address, but this host does not support IPv6 in the chosen firewall mode, skipping.", addr.Addr().String())
+			continue
 		}
-		// Egress target endpoints configured via FQDN are stored, so
-		// that we can determine if a netmap update should trigger a
-		// resync.
-		mak.Set(&ep.targetFQDNs, svc.TailnetTarget.FQDN, node.Addresses().AsSlice())
+		addrs = append(addrs, addr.Addr())
 	}
+	// Egress target endpoints configured via FQDN are stored, so
+	// that we can determine if a netmap update should trigger a
+	// resync.
+	mak.Set(&ep.targetFQDNs, svc.TailnetTarget.FQDN, egressAddrs)
 	return addrs, nil
 }
 
diff --git a/cmd/containerboot/main.go b/cmd/containerboot/main.go
index f056d26f3..b181f3526 100644
--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@@ -127,8 +127,10 @@ import (
 	"tailscale.com/kube/services"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
+	"tailscale.com/types/netmap"
 	"tailscale.com/types/ptr"
 	"tailscale.com/util/deephash"
+	"tailscale.com/util/dnsname"
 	"tailscale.com/util/linuxfw"
 )
 
@@ -526,27 +528,14 @@ runLoop:
 					}
 				}
 				if cfg.TailnetTargetFQDN != "" {
-					var (
-						egressAddrs          []netip.Prefix
-						newCurentEgressIPs   deephash.Sum
-						egressIPsHaveChanged bool
-						node                 tailcfg.NodeView
-						nodeFound            bool
-					)
-					for _, n := range n.NetMap.Peers {
-						if strings.EqualFold(n.Name(), cfg.TailnetTargetFQDN) {
-							node = n
-							nodeFound = true
-							break
-						}
-					}
-					if !nodeFound {
-						log.Printf("Tailscale node %q not found; it either does not exist, or not reachable because of ACLs", cfg.TailnetTargetFQDN)
+					egressAddrs, err := resolveTailnetFQDN(n.NetMap, cfg.TailnetTargetFQDN)
+					if err != nil {
+						log.Print(err.Error())
 						break
 					}
-					egressAddrs = node.Addresses().AsSlice()
-					newCurentEgressIPs = deephash.Hash(&egressAddrs)
-					egressIPsHaveChanged = newCurentEgressIPs != currentEgressIPs
+
+					newCurentEgressIPs := deephash.Hash(&egressAddrs)
+					egressIPsHaveChanged := newCurentEgressIPs != currentEgressIPs
 					// The firewall rules get (re-)installed:
 					// - on startup
 					// - when the tailnet IPs of the tailnet target have changed
@@ -892,3 +881,64 @@ func runHTTPServer(mux *http.ServeMux, addr string) (close func() error) {
 		return errors.Join(err, ln.Close())
 	}
 }
+
+// resolveTailnetFQDN resolves a tailnet FQDN to a list of IP prefixes, which
+// can be either a peer device or a Tailscale Service.
+func resolveTailnetFQDN(nm *netmap.NetworkMap, fqdn string) ([]netip.Prefix, error) {
+	// Check all peer devices first.
+	for _, p := range nm.Peers {
+		if strings.EqualFold(p.Name(), fqdn) {
+			return p.Addresses().AsSlice(), nil
+		}
+	}
+
+	// If not found yet, check for a matching Tailscale Service.
+	dnsFQDN, err := dnsname.ToFQDN(fqdn)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing %q as FQDN: %w", fqdn, err)
+	}
+	if svcIPs := serviceIPsFromNetMap(nm, dnsFQDN); len(svcIPs) != 0 {
+		return svcIPs, nil
+	}
+
+	return nil, fmt.Errorf("could not find Tailscale node or service %q; it either does not exist, or not reachable because of ACLs", fqdn)
+}
+
+// serviceIPsFromNetMap returns all IPs of a Tailscale Service if its FQDN is
+// found in the netmap. Note that Tailscale Services are not a first-class
+// object in the netmap, so we guess based on DNS ExtraRecords and AllowedIPs.
+func serviceIPsFromNetMap(nm *netmap.NetworkMap, fqdn dnsname.FQDN) []netip.Prefix {
+	var extraRecords []tailcfg.DNSRecord
+	for _, rec := range nm.DNS.ExtraRecords {
+		recFQDN, err := dnsname.ToFQDN(rec.Name)
+		if err != nil {
+			continue
+		}
+		if strings.EqualFold(fqdn.WithTrailingDot(), recFQDN.WithTrailingDot()) {
+			extraRecords = append(extraRecords, rec)
+		}
+	}
+
+	if len(extraRecords) == 0 {
+		return nil
+	}
+
+	// Validate we can see a peer advertising the Tailscale Service.
+	var prefixes []netip.Prefix
+	for _, extraRecord := range extraRecords {
+		ip, err := netip.ParseAddr(extraRecord.Value)
+		if err != nil {
+			continue
+		}
+		ipPrefix := netip.PrefixFrom(ip, ip.BitLen())
+		for _, ps := range nm.Peers {
+			for _, allowedIP := range ps.AllowedIPs().All() {
+				if allowedIP == ipPrefix {
+					prefixes = append(prefixes, ipPrefix)
+				}
+			}
+		}
+	}
+
+	return prefixes
+}
diff --git a/cmd/tailscale/cli/configure-kube.go b/cmd/tailscale/cli/configure-kube.go
index e74e88779..bf5624856 100644
--- a/cmd/tailscale/cli/configure-kube.go
+++ b/cmd/tailscale/cli/configure-kube.go
@@ -247,7 +247,7 @@ func nodeOrServiceDNSNameFromArg(st *ipnstate.Status, nm *netmap.NetworkMap, arg
 	}
 
 	// If not found, check for a Tailscale Service DNS name.
-	rec, ok := serviceDNSRecordFromNetMap(nm, st.CurrentTailnet.MagicDNSSuffix, arg)
+	rec, ok := serviceDNSRecordFromNetMap(nm, arg)
 	if !ok {
 		return "", fmt.Errorf("no peer found for %q", arg)
 	}
@@ -287,7 +287,7 @@ func getNetMap(ctx context.Context) (*netmap.NetworkMap, error) {
 	return n.NetMap, nil
 }
 
-func serviceDNSRecordFromNetMap(nm *netmap.NetworkMap, tcd, arg string) (rec tailcfg.DNSRecord, ok bool) {
+func serviceDNSRecordFromNetMap(nm *netmap.NetworkMap, arg string) (rec tailcfg.DNSRecord, ok bool) {
 	argIP, _ := netip.ParseAddr(arg)
 	argFQDN, err := dnsname.ToFQDN(arg)
 	argFQDNValid := err == nil