archive
/
tailscale
mirror of https://github.com/tailscale/tailscale/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

k8s-operator: add "tailnet" field to custom resources (#18174)

Browse Source 
This commit modifies our `Connector`, `ProxyGroup` and `Recorder` resources
by adding a new field named "tailnet" that will be used to specify the
set of oauth credentials that should be used to generate the auth key
that authenticates them.

This field is optional and when set should contain the name of an existing
`Tailnet` resource.

Updates: https://github.com/tailscale/corp/issues/35132

Signed-off-by: David Bond <davidsbond93@gmail.com>
davidb/k8s-multi-tailnet
David Bond 2 days ago committed by GitHub
parent d06f48f3a6
commit 7f36045a16
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 69 additions and 0 deletions
Show Stats Download Patch File Download Diff File

8
cmd/k8s-operator/deploy/crds/tailscale.com_connectors.yaml
Unescape Escape View File

@ -181,6 +181,14 @@ spec:
items: items:
type: string type: string
pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$ pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$
tailnet:
description: |-
Tailnet specifies the tailnet this Connector should join. If blank, the default tailnet is used. When set, this
name must match that of a valid Tailnet resource. This field is immutable and cannot be changed once set.
type: string
x-kubernetes-validations:
- rule: self == oldSelf
message: Connector tailnet is immutable
x-kubernetes-validations: x-kubernetes-validations:
- rule: has(self.subnetRouter) || (has(self.exitNode) && self.exitNode == true) || has(self.appConnector) - rule: has(self.subnetRouter) || (has(self.exitNode) && self.exitNode == true) || has(self.appConnector)
message: A Connector needs to have at least one of exit node, subnet router or app connector configured. message: A Connector needs to have at least one of exit node, subnet router or app connector configured.

8
cmd/k8s-operator/deploy/crds/tailscale.com_proxygroups.yaml
Unescape Escape View File

@ -139,6 +139,14 @@ spec:
items: items:
type: string type: string
pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$ pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$
tailnet:
description: |-
Tailnet specifies the tailnet this ProxyGroup should join. If blank, the default tailnet is used. When set, this
name must match that of a valid Tailnet resource. This field is immutable and cannot be changed once set.
type: string
x-kubernetes-validations:
- rule: self == oldSelf
message: ProxyGroup tailnet is immutable
type: type:
description: |- description: |-
Type of the ProxyGroup proxies. Supported types are egress, ingress, and kube-apiserver. Type of the ProxyGroup proxies. Supported types are egress, ingress, and kube-apiserver.

8
cmd/k8s-operator/deploy/crds/tailscale.com_recorders.yaml
Unescape Escape View File

@ -1688,6 +1688,14 @@ spec:
items: items:
type: string type: string
pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$ pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$
tailnet:
description: |-
Tailnet specifies the tailnet this Recorder should join. If blank, the default tailnet is used. When set, this
name must match that of a valid Tailnet resource. This field is immutable and cannot be changed once set.
type: string
x-kubernetes-validations:
- rule: self == oldSelf
message: Recorder tailnet is immutable
x-kubernetes-validations: x-kubernetes-validations:
- rule: '!(self.replicas > 1 && (!has(self.storage) || !has(self.storage.s3)))' - rule: '!(self.replicas > 1 && (!has(self.storage) || !has(self.storage.s3)))'
message: S3 storage must be used when deploying multiple Recorder replicas message: S3 storage must be used when deploying multiple Recorder replicas

24
cmd/k8s-operator/deploy/manifests/operator.yaml
Unescape Escape View File

@ -206,6 +206,14 @@ spec:
pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$ pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$
type: string type: string
type: array type: array
tailnet:
description: |-
Tailnet specifies the tailnet this Connector should join. If blank, the default tailnet is used. When set, this
name must match that of a valid Tailnet resource. This field is immutable and cannot be changed once set.
type: string
x-kubernetes-validations:
- message: Connector tailnet is immutable
rule: self == oldSelf
type: object type: object
x-kubernetes-validations: x-kubernetes-validations:
- message: A Connector needs to have at least one of exit node, subnet router or app connector configured. - message: A Connector needs to have at least one of exit node, subnet router or app connector configured.
@ -3145,6 +3153,14 @@ spec:
pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$ pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$
type: string type: string
type: array type: array
tailnet:
description: |-
Tailnet specifies the tailnet this ProxyGroup should join. If blank, the default tailnet is used. When set, this
name must match that of a valid Tailnet resource. This field is immutable and cannot be changed once set.
type: string
x-kubernetes-validations:
- message: ProxyGroup tailnet is immutable
rule: self == oldSelf
type: type:
description: |- description: |-
Type of the ProxyGroup proxies. Supported types are egress, ingress, and kube-apiserver. Type of the ProxyGroup proxies. Supported types are egress, ingress, and kube-apiserver.
@ -4968,6 +4984,14 @@ spec:
pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$ pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$
type: string type: string
type: array type: array
tailnet:
description: |-
Tailnet specifies the tailnet this Recorder should join. If blank, the default tailnet is used. When set, this
name must match that of a valid Tailnet resource. This field is immutable and cannot be changed once set.
type: string
x-kubernetes-validations:
- message: Recorder tailnet is immutable
rule: self == oldSelf
type: object type: object
x-kubernetes-validations: x-kubernetes-validations:
- message: S3 storage must be used when deploying multiple Recorder replicas - message: S3 storage must be used when deploying multiple Recorder replicas

3
k8s-operator/api.md
Unescape Escape View File

@ -141,6 +141,7 @@ _Appears in:_
| `appConnector` _[AppConnector](#appconnector)_ | AppConnector defines whether the Connector device should act as a Tailscale app connector. A Connector that is<br />configured as an app connector cannot be a subnet router or an exit node. If this field is unset, the<br />Connector does not act as an app connector.<br />Note that you will need to manually configure the permissions and the domains for the app connector via the<br />Admin panel.<br />Note also that the main tested and supported use case of this config option is to deploy an app connector on<br />Kubernetes to access SaaS applications available on the public internet. Using the app connector to expose<br />cluster workloads or other internal workloads to tailnet might work, but this is not a use case that we have<br />tested or optimised for.<br />If you are using the app connector to access SaaS applications because you need a predictable egress IP that<br />can be whitelisted, it is also your responsibility to ensure that cluster traffic from the connector flows<br />via that predictable IP, for example by enforcing that cluster egress traffic is routed via an egress NAT<br />device with a static IP address.<br />https://tailscale.com/kb/1281/app-connectors | | | | `appConnector` _[AppConnector](#appconnector)_ | AppConnector defines whether the Connector device should act as a Tailscale app connector. A Connector that is<br />configured as an app connector cannot be a subnet router or an exit node. If this field is unset, the<br />Connector does not act as an app connector.<br />Note that you will need to manually configure the permissions and the domains for the app connector via the<br />Admin panel.<br />Note also that the main tested and supported use case of this config option is to deploy an app connector on<br />Kubernetes to access SaaS applications available on the public internet. Using the app connector to expose<br />cluster workloads or other internal workloads to tailnet might work, but this is not a use case that we have<br />tested or optimised for.<br />If you are using the app connector to access SaaS applications because you need a predictable egress IP that<br />can be whitelisted, it is also your responsibility to ensure that cluster traffic from the connector flows<br />via that predictable IP, for example by enforcing that cluster egress traffic is routed via an egress NAT<br />device with a static IP address.<br />https://tailscale.com/kb/1281/app-connectors | | |
| `exitNode` _boolean_ | ExitNode defines whether the Connector device should act as a Tailscale exit node. Defaults to false.<br />This field is mutually exclusive with the appConnector field.<br />https://tailscale.com/kb/1103/exit-nodes | | | | `exitNode` _boolean_ | ExitNode defines whether the Connector device should act as a Tailscale exit node. Defaults to false.<br />This field is mutually exclusive with the appConnector field.<br />https://tailscale.com/kb/1103/exit-nodes | | |
| `replicas` _integer_ | Replicas specifies how many devices to create. Set this to enable<br />high availability for app connectors, subnet routers, or exit nodes.<br />https://tailscale.com/kb/1115/high-availability. Defaults to 1. | | Minimum: 0 <br /> | | `replicas` _integer_ | Replicas specifies how many devices to create. Set this to enable<br />high availability for app connectors, subnet routers, or exit nodes.<br />https://tailscale.com/kb/1115/high-availability. Defaults to 1. | | Minimum: 0 <br /> |
| `tailnet` _string_ | Tailnet specifies the tailnet this Connector should join. If blank, the default tailnet is used. When set, this<br />name must match that of a valid Tailnet resource. This field is immutable and cannot be changed once set. | | |
#### ConnectorStatus #### ConnectorStatus
@ -743,6 +744,7 @@ _Appears in:_
| `hostnamePrefix` _[HostnamePrefix](#hostnameprefix)_ | HostnamePrefix is the hostname prefix to use for tailnet devices created<br />by the ProxyGroup. Each device will have the integer number from its<br />StatefulSet pod appended to this prefix to form the full hostname.<br />HostnamePrefix can contain lower case letters, numbers and dashes, it<br />must not start with a dash and must be between 1 and 62 characters long. | | Pattern: `^[a-z0-9][a-z0-9-]{0,61}$` <br />Type: string <br /> | | `hostnamePrefix` _[HostnamePrefix](#hostnameprefix)_ | HostnamePrefix is the hostname prefix to use for tailnet devices created<br />by the ProxyGroup. Each device will have the integer number from its<br />StatefulSet pod appended to this prefix to form the full hostname.<br />HostnamePrefix can contain lower case letters, numbers and dashes, it<br />must not start with a dash and must be between 1 and 62 characters long. | | Pattern: `^[a-z0-9][a-z0-9-]{0,61}$` <br />Type: string <br /> |
| `proxyClass` _string_ | ProxyClass is the name of the ProxyClass custom resource that contains<br />configuration options that should be applied to the resources created<br />for this ProxyGroup. If unset, and there is no default ProxyClass<br />configured, the operator will create resources with the default<br />configuration. | | | | `proxyClass` _string_ | ProxyClass is the name of the ProxyClass custom resource that contains<br />configuration options that should be applied to the resources created<br />for this ProxyGroup. If unset, and there is no default ProxyClass<br />configured, the operator will create resources with the default<br />configuration. | | |
| `kubeAPIServer` _[KubeAPIServerConfig](#kubeapiserverconfig)_ | KubeAPIServer contains configuration specific to the kube-apiserver<br />ProxyGroup type. This field is only used when Type is set to "kube-apiserver". | | | | `kubeAPIServer` _[KubeAPIServerConfig](#kubeapiserverconfig)_ | KubeAPIServer contains configuration specific to the kube-apiserver<br />ProxyGroup type. This field is only used when Type is set to "kube-apiserver". | | |
| `tailnet` _string_ | Tailnet specifies the tailnet this ProxyGroup should join. If blank, the default tailnet is used. When set, this<br />name must match that of a valid Tailnet resource. This field is immutable and cannot be changed once set. | | |
#### ProxyGroupStatus #### ProxyGroupStatus
@ -903,6 +905,7 @@ _Appears in:_
| `enableUI` _boolean_ | Set to true to enable the Recorder UI. The UI lists and plays recorded sessions.<br />The UI will be served at <MagicDNS name of the recorder>:443. Defaults to false.<br />Corresponds to --ui tsrecorder flag https://tailscale.com/kb/1246/tailscale-ssh-session-recording#deploy-a-recorder-node.<br />Required if S3 storage is not set up, to ensure that recordings are accessible. | | | | `enableUI` _boolean_ | Set to true to enable the Recorder UI. The UI lists and plays recorded sessions.<br />The UI will be served at <MagicDNS name of the recorder>:443. Defaults to false.<br />Corresponds to --ui tsrecorder flag https://tailscale.com/kb/1246/tailscale-ssh-session-recording#deploy-a-recorder-node.<br />Required if S3 storage is not set up, to ensure that recordings are accessible. | | |
| `storage` _[Storage](#storage)_ | Configure where to store session recordings. By default, recordings will<br />be stored in a local ephemeral volume, and will not be persisted past the<br />lifetime of a specific pod. | | | | `storage` _[Storage](#storage)_ | Configure where to store session recordings. By default, recordings will<br />be stored in a local ephemeral volume, and will not be persisted past the<br />lifetime of a specific pod. | | |
| `replicas` _integer_ | Replicas specifies how many instances of tsrecorder to run. Defaults to 1. | | Minimum: 0 <br /> | | `replicas` _integer_ | Replicas specifies how many instances of tsrecorder to run. Defaults to 1. | | Minimum: 0 <br /> |
| `tailnet` _string_ | Tailnet specifies the tailnet this Recorder should join. If blank, the default tailnet is used. When set, this<br />name must match that of a valid Tailnet resource. This field is immutable and cannot be changed once set. | | |
#### RecorderStatefulSet #### RecorderStatefulSet

6
k8s-operator/apis/v1alpha1/types_connector.go
Unescape Escape View File

@ -133,6 +133,12 @@ type ConnectorSpec struct {
// +optional // +optional
// +kubebuilder:validation:Minimum=0 // +kubebuilder:validation:Minimum=0
Replicas *int32 `json:"replicas,omitempty"` Replicas *int32 `json:"replicas,omitempty"`
// Tailnet specifies the tailnet this Connector should join. If blank, the default tailnet is used. When set, this
// name must match that of a valid Tailnet resource. This field is immutable and cannot be changed once set.
// +optional
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Connector tailnet is immutable"
Tailnet string `json:"tailnet,omitempty"`
} }
// SubnetRouter defines subnet routes that should be exposed to tailnet via a // SubnetRouter defines subnet routes that should be exposed to tailnet via a

6
k8s-operator/apis/v1alpha1/types_proxygroup.go
Unescape Escape View File

@ -97,6 +97,12 @@ type ProxyGroupSpec struct {
// ProxyGroup type. This field is only used when Type is set to "kube-apiserver". // ProxyGroup type. This field is only used when Type is set to "kube-apiserver".
// +optional // +optional
KubeAPIServer *KubeAPIServerConfig `json:"kubeAPIServer,omitempty"` KubeAPIServer *KubeAPIServerConfig `json:"kubeAPIServer,omitempty"`
// Tailnet specifies the tailnet this ProxyGroup should join. If blank, the default tailnet is used. When set, this
// name must match that of a valid Tailnet resource. This field is immutable and cannot be changed once set.
// +optional
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="ProxyGroup tailnet is immutable"
Tailnet string `json:"tailnet,omitempty"`
} }
type ProxyGroupStatus struct { type ProxyGroupStatus struct {

6
k8s-operator/apis/v1alpha1/types_recorder.go
Unescape Escape View File

@ -81,6 +81,12 @@ type RecorderSpec struct {
// +optional // +optional
// +kubebuilder:validation:Minimum=0 // +kubebuilder:validation:Minimum=0
Replicas *int32 `json:"replicas,omitzero"` Replicas *int32 `json:"replicas,omitzero"`
// Tailnet specifies the tailnet this Recorder should join. If blank, the default tailnet is used. When set, this
// name must match that of a valid Tailnet resource. This field is immutable and cannot be changed once set.
// +optional
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Recorder tailnet is immutable"
Tailnet string `json:"tailnet,omitempty"`
} }
type RecorderStatefulSet struct { type RecorderStatefulSet struct {

Write Preview
Loading…
Cancel
Save