tailscale

Commit Graph

Author	SHA1	Message	Date
signed-long	5ad0dad15e	go generate directives reorder for 'make kube-generate-all' (#12210 ) Fixes #11980 Signed-off-by: Michael Long <michaelongdev@gmail.com>	5 days ago
Irbe Krumina	406293682c	cmd/k8s-operator: cleanup runReconciler signature (#11993 ) Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 weeks ago
Irbe Krumina	19b31ac9a6	cmd/{k8s-operator,k8s-nameserver},k8s-operator: update nameserver config with records for ingress/egress proxies (#11019 ) cmd/k8s-operator: optionally update dnsrecords Configmap with DNS records for proxies. This commit adds functionality to automatically populate DNS records for the in-cluster ts.net nameserver to allow cluster workloads to resolve MagicDNS names associated with operator's proxies. The records are created as follows: * For tailscale Ingress proxies there will be a record mapping the MagicDNS name of the Ingress device and each proxy Pod's IP address. * For cluster egress proxies, configured via tailscale.com/tailnet-fqdn annotation, there will be a record for each proxy Pod, mapping the MagicDNS name of the exposed tailnet workload to the proxy Pod's IP. No records will be created for any other proxy types. Records will only be created if users have configured the operator to deploy an in-cluster ts.net nameserver by applying tailscale.com/v1alpha1.DNSConfig. It is user's responsibility to add the ts.net nameserver as a stub nameserver for ts.net DNS names. https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configuration-of-stub-domain-and-upstream-nameserver-using-coredns https://cloud.google.com/kubernetes-engine/docs/how-to/kube-dns#upstream_nameservers See also https://github.com/tailscale/tailscale/pull/11017 Updates tailscale/tailscale#10499 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 weeks ago
Irbe Krumina	44aa809cb0	cmd/{k8s-nameserver,k8s-operator},k8s-operator: add a kube nameserver, make operator deploy it (#11919 ) * cmd/k8s-nameserver,k8s-operator: add a nameserver that can resolve ts.net DNS names in cluster. Adds a simple nameserver that can respond to A record queries for ts.net DNS names. It can respond to queries from in-memory records, populated from a ConfigMap mounted at /config. It dynamically updates its records as the ConfigMap contents changes. It will respond with NXDOMAIN to queries for any other record types (AAAA to be implemented in the future). It can respond to queries over UDP or TCP. It runs a miekg/dns DNS server with a single registered handler for ts.net domain names. Queries for other domain names will be refused. The intended use of this is: 1) to allow non-tailnet cluster workloads to talk to HTTPS tailnet services exposed via Tailscale operator egress over HTTPS 2) to allow non-tailnet cluster workloads to talk to workloads in the same cluster that have been exposed to tailnet over their MagicDNS names but on their cluster IPs. DNSConfig CRD can be used to configure the operator to deploy kube nameserver (./cmd/k8s-nameserver) to cluster. Updates tailscale/tailscale#10499 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 month ago
Irbe Krumina	bbe194c80d	cmd/k8s-operator: correctly determine cluster domain (#11512 ) Kubernetes cluster domain defaults to 'cluster.local', but can also be customized. We need to determine cluster domain to set up in-cluster forwarding to our egress proxies. This was previously hardcoded to 'cluster.local', so was the egress proxies were not usable in clusters with custom domains. This PR ensures that we attempt to determine the cluster domain by parsing /etc/resolv.conf. In case the cluster domain cannot be determined from /etc/resolv.conf, we fall back to 'cluster.local'. Updates tailscale/tailscale#10399,tailscale/tailscale#11445 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 month ago
Irbe Krumina	231e44e742	Revert "cmd/{k8s-nameserver,k8s-operator},k8s-operator: add a kube nameserver, make operator deploy it (#11017 )" (#11669 ) Temporarily reverting this PR to avoid releasing half finished featue. This reverts commit `9e2f58f846`. Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Irbe Krumina	9e2f58f846	cmd/{k8s-nameserver,k8s-operator},k8s-operator: add a kube nameserver, make operator deploy it (#11017 ) * cmd/k8s-nameserver,k8s-operator: add a nameserver that can resolve ts.net DNS names in cluster. Adds a simple nameserver that can respond to A record queries for ts.net DNS names. It can respond to queries from in-memory records, populated from a ConfigMap mounted at /config. It dynamically updates its records as the ConfigMap contents changes. It will respond with NXDOMAIN to queries for any other record types (AAAA to be implemented in the future). It can respond to queries over UDP or TCP. It runs a miekg/dns DNS server with a single registered handler for ts.net domain names. Queries for other domain names will be refused. The intended use of this is: 1) to allow non-tailnet cluster workloads to talk to HTTPS tailnet services exposed via Tailscale operator egress over HTTPS 2) to allow non-tailnet cluster workloads to talk to workloads in the same cluster that have been exposed to tailnet over their MagicDNS names but on their cluster IPs. Updates tailscale/tailscale#10499 Signed-off-by: Irbe Krumina <irbe@tailscale.com> * cmd/k8s-operator/deploy/crds,k8s-operator: add DNSConfig CustomResource Definition DNSConfig CRD can be used to configure the operator to deploy kube nameserver (./cmd/k8s-nameserver) to cluster. Signed-off-by: Irbe Krumina <irbe@tailscale.com> * cmd/k8s-operator,k8s-operator: optionally reconcile nameserver resources Adds a new reconciler that reconciles DNSConfig resources. If a DNSConfig is deployed to cluster, the reconciler creates kube nameserver resources. This reconciler is only responsible for creating nameserver resources and not for populating nameserver's records. Signed-off-by: Irbe Krumina <irbe@tailscale.com> * cmd/{k8s-operator,k8s-nameserver}: generate DNSConfig CRD for charts, append to static manifests Signed-off-by: Irbe Krumina <irbe@tailscale.com> --------- Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Irbe Krumina	95dcc1745b	cmd/k8s-operator: reconcile tailscale Ingresses when their backend Services change. (#11255 ) This is so that if a backend Service gets created after the Ingress, it gets picked up by the operator. Updates tailscale/tailscale#11251 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Anton Tolchanov <1687799+knyar@users.noreply.github.com>	3 months ago
Irbe Krumina	45d27fafd6	cmd/k8s-operator,k8s-operator,go.{mod,sum},tstest/tools: add Tailscale Kubernetes operator API docs (#11246 ) Add logic to autogenerate CRD docs. .github/workflows/kubemanifests.yaml CI workflow will fail if the doc is out of date with regard to the current CRDs. Docs can be refreshed by running make kube-generate-all. Updates tailscale/tailscale#11023 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Irbe Krumina	5bd19fd3e3	cmd/k8s-operator,k8s-operator: proxy configuration mechanism via a new ProxyClass custom resource (#11074 ) * cmd/k8s-operator,k8s-operator: introduce proxy configuration mechanism via ProxyClass custom resource. ProxyClass custom resource can be used to specify customizations for the proxy resources created by the operator. Add a reconciler that validates ProxyClass resources and sets a Ready condition to True or False with a corresponding reason and message. This is required because some fields (labels and annotations) require complex validations that cannot be performed at custom resource apply time. Reconcilers that use the ProxyClass to configure proxy resources are expected to verify that the ProxyClass is Ready and not proceed with resource creation if configuration from a ProxyClass that is not yet Ready is required. If a tailscale ingress/egress Service is annotated with a tailscale.com/proxy-class annotation, look up the corresponding ProxyClass and, if it is Ready, apply the configuration from the ProxyClass to the proxy's StatefulSet. If a tailscale Ingress has a tailscale.com/proxy-class annotation and the referenced ProxyClass custom resource is available and Ready, apply configuration from the ProxyClass to the proxy resources that will be created for the Ingress. Add a new .proxyClass field to the Connector spec. If connector.spec.proxyClass is set to a ProxyClass that is available and Ready, apply configuration from the ProxyClass to the proxy resources created for the Connector. Ensure that when Helm chart is packaged, the ProxyClass yaml is added to chart templates. Ensure that static manifest generator adds ProxyClass yaml to operator.yaml. Regenerate operator.yaml Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 months ago
Irbe Krumina	d0492fdee5	cmd/k8s-operator: adds a tailscale IngressClass resource, prints warning if class not found. (#10823 ) * cmd/k8s-operator/deploy: deploy a Tailscale IngressClass resource. Some Ingress validating webhooks reject Ingresses with .spec.ingressClassName for which there is no matching IngressClass. Additionally, validate that the expected IngressClass is present, when parsing a tailscale `Ingress`. We currently do not utilize the IngressClass, however we might in the future at which point we might start requiring that the right class for this controller instance actually exists. Updates tailscale/tailscale#10820 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Anton Tolchanov <anton@tailscale.com>	5 months ago
Irbe Krumina	5cc1bfe82d	cmd/k8s-operator: remove configuration knob for Connector (#10791 ) The configuration knob (that defaulted to Connector being disabled) was added largely because the Connector CRD had to be installed in a separate step. Now when the CRD has been added to both chart and static manifest, we can have it on by default. Updates tailscale/tailscale#10878 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	5 months ago
Irbe Krumina	35f49ac99e	cmd/k8s-operator: add Connector CRD to Helm chart and static manifests (#10775 ) cmd/k8s-operator: add CRD to chart and static manifest Add functionality to insert CRD to chart at package time. Insert CRD to static manifests as this is where they are currently consumed from. Signed-off-by: Irbe Krumina <irbe@tailscale.com>	5 months ago
Irbe Krumina	1a08ea5990	cmd/k8s-operator: operator can create subnetrouter (#9505 ) * k8s-operator,cmd/k8s-operator,Makefile,scripts,.github/workflows: add Connector kube CRD. Connector CRD allows users to configure the Tailscale Kubernetes operator to deploy a subnet router to expose cluster CIDRs or other CIDRs available from within the cluster to their tailnet. Also adds various CRD related machinery to generate CRD YAML, deep copy implementations etc. Engineers will now have to run 'make kube-generate-all` after changing kube files to ensure that all generated files are up to date. * cmd/k8s-operator,k8s-operator: reconcile Connector resources Reconcile Connector resources, create/delete subnetrouter resources in response to changes to Connector(s). Connector reconciler will not be started unless ENABLE_CONNECTOR env var is set to true. This means that users who don't want to use the alpha Connector custom resource don't have to install the Connector CRD to their cluster. For users who do want to use it the flow is: - install the CRD - install the operator (via Helm chart or using static manifests). For Helm users set .values.enableConnector to true, for static manifest users, set ENABLE_CONNECTOR to true in the static manifest. Updates tailscale/tailscale#502 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Irbe Krumina	49fd0a62c9	cmd/k8s-operator: generate static kube manifests from the Helm chart. (#10436 ) * cmd/k8s-operator: generate static manifests from Helm charts This is done to ensure that there is a single source of truth for the operator kube manifests. Also adds linux node selector to the static manifests as this was added as a default to the Helm chart. Static manifests can now be generated by running `go generate tailscale.com/cmd/k8s-operator`. Updates tailscale/tailscale#9222 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Irbe Krumina	18ceb4e1f6	cmd/{containerboot,k8s-operator}: allow users to define tailnet egress target by FQDN (#10360 ) * cmd/containerboot: proxy traffic to tailnet target defined by FQDN Add a new Service annotation tailscale.com/tailnet-fqdn that users can use to specify a tailnet target for which an egress proxy should be deployed in the cluster. Updates tailscale/tailscale#10280 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Irbe Krumina	af49bcaa52	cmd/k8s-operator: set different app type for operator with proxy (#10081 ) Updates tailscale/tailscale#9222 plain k8s-operator should have hostinfo.App set to 'k8s-operator', operator with proxy should have it set to 'k8s-operator-proxy'. In proxy mode, we were setting the type after it had already been set to 'k8s-operator' Signed-off-by: Irbe Krumina <irbe@tailscale.com>	7 months ago
Irbe Krumina	cac290da87	cmd/k8s-operator: users can configure firewall mode for kube operator proxies (#9769 ) * cmd/k8s-operator: users can configure operator to set firewall mode for proxies Users can now pass PROXY_FIREWALL_MODE={nftables,auto,iptables} to operator to make it create ingress/egress proxies with that firewall mode Also makes sure that if an invalid firewall mode gets configured, the operator will not start provisioning proxy resources, but will instead log an error and write an error event to the related Service. Updates tailscale/tailscale#9310 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Irbe Krumina	bdd9eeca90	cmd/k8s-operator: fix reconcile filters (#9533 ) Ensure that when there is an event on a Tailscale managed Ingress or Service child resource, the right parent type gets reconciled Updates tailscale/tailscale#502 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Maisem Ali	335a5aaf9a	cmd/k8s-operator: add APISERVER_PROXY env The kube-apiserver proxy in the operator would only run in auth proxy mode but thats not always desirable. There are situations where the proxy should just be a transparent proxy and not inject auth headers, so do that using a new env var APISERVER_PROXY and deprecate the AUTH_PROXY env. THe new env var has three options `false`, `true` and `noauth`. Updates #8317 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	794650fe50	cmd/k8s-operator: emit event if HTTPS is disabled on Tailnet Instead of confusing users, emit an event that explicitly tells the user that HTTPS is disabled on the tailnet and that ingress may not work until they enable it. Updates #9141 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Mike Beaumont	ce4bf41dcf	cmd/k8s-operator: support being the default loadbalancer controller Updates #502 Signed-off-by: Mike Beaumont <mjboamail@gmail.com>	9 months ago
Maisem Ali	c8dea67cbf	cmd/k8s-operator: add support for Ingress resources Previously, the operator would only monitor Services and create a Tailscale StatefulSet which acted as a L3 proxy which proxied traffic inbound to the Tailscale IP onto the services ClusterIP. This extends that functionality to also monitor Ingress resources where the `ingressClassName=tailscale` and similarly creates a Tailscale StatefulSet, acting as a L7 proxy instead. Users can override the desired hostname by setting: ``` - tls hosts: - "foo" ``` Hostnames specified under `rules` are ignored as we only create a single host. This is emitted as an event for users to see. Fixes #7895 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Brad Fitzpatrick	98a5116434	all: adjust some build tags for plan9 I'm not saying it works, but it compiles. Updates #5794 Change-Id: I2f3c99732e67fe57a05edb25b758d083417f083e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Maisem Ali	74388a771f	cmd/k8s-operator: fix regression from earlier refactor I forgot to move the defer out of the func, so the tsnet.Server immediately closed after starting. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	836f932ead	cmd/k8s-operator: split operator.go into svc.go/sts.go Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	7f6bc52b78	cmd/k8s-operator: refactor operator code It was jumbled doing a lot of things, this breaks it up into the svc reconciliation and the tailscale sts reconciliation. Prep for future commit. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Brad Fitzpatrick	e8551d6b40	all: use Go 1.21 slices, maps instead of x/exp/{slices,maps} Updates #8419 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Vince Prignano	1a691ec5b2	cmd/k8s-operator: update controller-runtime to v0.15 Fixes #8170 Signed-off-by: Vince Prignano <vince@prigna.com>	1 year ago
Gabriel Martinez	03e848e3b5	cmd/k8s-operator: add support for priorityClassName Updates #8155 Signed-off-by: Gabriel Martinez <gabrielmartinez@sisti.pt>	1 year ago
Brad Fitzpatrick	4664318be2	client/tailscale: revert CreateKey API change, add Client.CreateKeyWithExpiry The client/tailscale is a stable-ish API we try not to break. Revert the Client.CreateKey method as it was and add a new CreateKeyWithExpiry method to do the new thing. And document the expiry field and enforce that the time.Duration can't be between in range greater than 0 and less than a second. Updates #7143 Updates #8124 (reverts it, effectively) Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Matt Brown	9b6e48658f	client: allow the expiry time to be specified for new keys Adds a parameter for create key that allows a number of seconds (less than 90) to be specified for new keys. Fixes https://github.com/tailscale/tailscale/issues/7965 Signed-off-by: Matthew Brown <matthew@bargrove.com>	1 year ago
Maisem Ali	85215ed58a	cmd/k8s-operator: handle NotFound secrets getSingleObject can return `nil, nil`, getDeviceInfo was not handling that case which resulted in panics. Fixes #7303 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Craig Rodrigues	827abbeeaa	cmd/k8s-operator: print version in startup logs Fixes: #7813 Signed-off-by: Craig Rodrigues <rodrigc@crodrigues.org>	1 year ago
Maisem Ali	df89b7de10	cmd/k8s-operator: disable HTTP/2 for the auth proxy Kubernetes uses SPDY/3.1 which is incompatible with HTTP/2, disable it in the transport and server. Fixes #7645 Fixes #7646 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	558735bc63	cmd/k8s-operator: require HTTPS to be enabled for AuthProxy Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Sonia Appasamy	7985f5243a	cmd/k8s-operator: update device authorization copy "Device Authorization" was recently renamed to "Device Approval" on the control side. This change updates the k8s operator to match. Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	1 year ago
Maisem Ali	49c206fe1e	tailcfg,hostinfo: add App field to identify tsnet uses This allows us to differentiate between the various tsnet apps that we have like `golinks` and `k8s-operator`. Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	06a10125fc	cmd/k8s-operator: set hostinfo.Package This allows identifying the operator. Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	05adf22383	cmd/k8s-operator: add support for running an auth proxy Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Will Norris	71029cea2d	all: update copyright and license headers This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
David Anderson	9bd6a2fb8d	cmd/k8s-operator: support setting a custom hostname. Updates #502 Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
Vince Prignano	30380403d0	cmd/k8s-operator: remove use of InjectClient (deprecated) The dependency injection functionality has been deprecated a while back and it'll be removed in the 0.15 release of Controller Runtime. This changeset sets the Client after creating the Manager, instead of using InjectClient. Signed-off-by: Vince Prignano <vince@prigna.com>	1 year ago
David Anderson	8171eb600c	cmd/k8s-operator: move the operator into its own namespace. The operator creates a fair bit of internal cluster state to manage proxying, dumping it all in the default namespace is handy for development but rude for production. Updates #502 Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
David Anderson	3a5fc233aa	cmd/k8s-operator: use oauth credentials for API access. This automates both the operator's initial login, and provisioning/deprovisioning of proxies. Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
David Anderson	a7ab3429b6	cmd/k8s-operator: refactor reconcile loop, un-plumbing reconcile.Result. We used to need to do timed requeues in a few places in the reconcile logic, and the easiest way to do that was to plumb reconcile.Result return values around. But now we're purely event-driven, so the only thing we care about is whether or not an error occurred. Incidentally also fix a very minor bug where headless services would get completely ignored, rather than reconciled into the correct state. This shouldn't matter in practice because you can't transition from a headful to a headless service without a deletion, but for consistency let's avoid having a path that takes no definite action if a service of interest does exist. Updates #502. Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
David Anderson	835a73cc1f	cmd/k8s-operator: remove unnecessary timed requeue. Previously, we had to do blind timed requeues while waiting for the tailscale hostname, because we looked up the hostname through the API. But now the proxy container image writes back its hostname to the k8s secret, so we get an event-triggered reconcile automatically when the time is right. Updates #502 Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
David Anderson	d857fd00b3	cmd/k8s-operator: sprinkle debug logging throughout. As is convention in the k8s world, use zap for structured logging. For development, OPERATOR_LOGGING=dev switches to a more human-readable output than JSON. Updates #502 Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
David Anderson	8ccd707218	cmd/k8s-operator: remove times requeues in proxy deletion path. Our reconcile loop gets triggered again when the StatefulSet object finally disappears (in addition to when its deletion starts, as indicated by DeletionTimestamp != 0). So, we don't need to queue additional reconciliations to proceed with the remainder of the cleanup, that happens organically. Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago
David Anderson	8dbb3b8bbe	cmd/k8s-operator: remove unused structs. Cleanup missed in #6718 . Signed-off-by: David Anderson <danderson@tailscale.com>	1 year ago

1 2

51 Commits (main)