From f53c3be07cc89635d3d8f0b3b12818d2710e4cb3 Mon Sep 17 00:00:00 2001
From: Maisem Ali
Date: Mon, 16 Oct 2023 17:25:00 -0700
Subject: [PATCH] cmd/k8s-operator: use our own container image instead of busybox

We already have sysctl in the `tailscale/tailscale` image, just use that.

Updates #cleanup

Signed-off-by: Maisem Ali
---
 cmd/k8s-operator/manifests/proxy.yaml | 1 -
 cmd/k8s-operator/operator_test.go | 4 ++--
 cmd/k8s-operator/sts.go | 7 +++++++
 docs/k8s/proxy.yaml | 2 +-
 4 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/cmd/k8s-operator/manifests/proxy.yaml b/cmd/k8s-operator/manifests/proxy.yaml
index 361af8910..ff9a44973 100644
--- a/cmd/k8s-operator/manifests/proxy.yaml
+++ b/cmd/k8s-operator/manifests/proxy.yaml
@@ -12,7 +12,6 @@ spec:
 serviceAccountName: proxies
 initContainers:
 - name: sysctler
- image: busybox
 securityContext:
 privileged: true
 command: ["/bin/sh"]
diff --git a/cmd/k8s-operator/operator_test.go b/cmd/k8s-operator/operator_test.go
index ef661febb..b251d81bf 100644
--- a/cmd/k8s-operator/operator_test.go
+++ b/cmd/k8s-operator/operator_test.go
@@ -899,7 +899,7 @@ func expectedSTS(stsName, secretName, hostname, priorityClassName string) *appsv
 InitContainers: []corev1.Container{
 {
 Name: "sysctler",
- Image: "busybox",
+ Image: "tailscale/tailscale",
 Command: []string{"/bin/sh"},
 Args: []string{"-c", "sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1"},
 SecurityContext: &corev1.SecurityContext{
@@ -968,7 +968,7 @@ func expectedEgressSTS(stsName, secretName, tailnetTargetIP, hostname, priorityC
 InitContainers: []corev1.Container{
 {
 Name: "sysctler",
- Image: "busybox",
+ Image: "tailscale/tailscale",
 Command: []string{"/bin/sh"},
 Args: []string{"-c", "sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1"},
 SecurityContext: &corev1.SecurityContext{
diff --git a/cmd/k8s-operator/sts.go b/cmd/k8s-operator/sts.go
index 90d5b1d46..bc1bea137 100644
--- a/cmd/k8s-operator/sts.go
+++ b/cmd/k8s-operator/sts.go
@@ -307,6 +307,13 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 if err := yaml.Unmarshal(proxyYaml, &ss); err != nil {
 return nil, fmt.Errorf("failed to unmarshal proxy spec: %w", err)
 }
+ for i := range ss.Spec.Template.Spec.InitContainers {
+ c := &ss.Spec.Template.Spec.InitContainers[i]
+ if c.Name == "sysctler" {
+ c.Image = a.proxyImage
+ break
+ }
+ }
 }
 container := &ss.Spec.Template.Spec.Containers[0]
 container.Image = a.proxyImage
diff --git a/docs/k8s/proxy.yaml b/docs/k8s/proxy.yaml
index b5125484d..bff4efd6f 100644
--- a/docs/k8s/proxy.yaml
+++ b/docs/k8s/proxy.yaml
@@ -11,7 +11,7 @@ spec:
 # the container. The `net.ipv4.ip_forward` sysctl is not allowlisted
 # in Kubelet by default.
 - name: sysctler
- image: busybox
+ image: "ghcr.io/tailscale/tailscale:latest"
 securityContext:
 privileged: true
 command: ["/bin/sh"]
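Review bot: The new loop in reconcileSTS silently does nothing when no init container is named "sysctler", and since manifests/proxy.yaml no longer carries an `image:` for that container, a rename on either side would leave the privileged init container with an empty image that presumably only surfaces when the StatefulSet is submitted. Recording whether the match happened and failing early, e.g. `return nil, fmt.Errorf("proxy spec has no %q init container", "sysctler")`, would catch the drift at reconcile time. The loop also deserves a short comment such as `// The privileged sysctler init container runs the proxy image; the manifest deliberately omits its image.`, because `a.proxyImage` now decides what runs with `privileged: true` and should be a reference the operator trusts. reconcileSTS starts and ends outside the hunk.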
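Review bot: The `sysctler` init container in docs/k8s/proxy.yaml runs with `privileged: true`, and the new `image: "ghcr.io/tailscale/tailscale:latest"` is a mutable tag, so whatever is published under `latest` at pull time runs privileged on the node. Because this is a sample manifest that people copy, a comment above the image line would help, e.g. `# Pin this to a release tag or digest in production; the container is privileged.` Whether the main container in this file uses the same tag is not visible in the hunk; if it does, the two references should be pinned together.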