23 Commits (25ea53a375a2f2d64e73c2bc2672384ee9cfca48)

Author	SHA1	Message	Date
Tom Proctor	4dfed6b146	cmd/{k8s-operator,k8s-proxy}: add kube-apiserver ProxyGroup type (#16266) ... Adds a new k8s-proxy command to convert operator's in-process proxy to a separately deployable type of ProxyGroup: kube-apiserver. k8s-proxy reads in a new config file written by the operator, modelled on tailscaled's conffile but with some modifications to ensure multiple versions of the config can co-exist within a file. This should make it much easier to support reading that config file from a Kube Secret with a stable file name. To avoid needing to give the operator ClusterRole{,Binding} permissions, the helm chart now optionally deploys a new static ServiceAccount for the API Server proxy to use if in auth mode. Proxies deployed by kube-apiserver ProxyGroups currently work the same as the operator's in-process proxy. They do not yet leverage Tailscale Services for presenting a single HA DNS name. Updates #13358 Change-Id: Ib6ead69b2173c5e1929f3c13fb48a9a5362195d8 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	6 months ago
David Bond	84eac7b8de	cmd/k8s-operator: Allow custom ingress class names (#16472) ... This commit modifies the k8s operator to allow for customisation of the ingress class name via a new `OPERATOR_INGRESS_CLASS_NAME` environment variable. For backwards compatibility, this defaults to `tailscale`. When using helm, a new `ingress.name` value is provided that will set this environment variable and modify the name of the deployed `IngressClass` resource. Fixes https://github.com/tailscale/tailscale/issues/16248 Signed-off-by: David Bond <davidsbond93@gmail.com>	6 months ago
David Bond	c46145b99e	cmd/k8s-operator: Move login server value to top-level (#16470) ... This commit modifies the operator helm chart values to bring the newly added `loginServer` field to the top level. We felt as though it was a bit confusing to be at the `operatorConfig` level as this value modifies the behaviour or the operator, api server & all resources that the operator manages. Updates https://github.com/tailscale/corp/issues/29847 Signed-off-by: David Bond <davidsbond93@gmail.com>	6 months ago
David Bond	eb03d42fe6	cmd/k8s-operator: Allow configuration of login server (#16432) ... This commit modifies the kubernetes operator to allow for customisation of the tailscale login url. This provides some data locality for people that want to configure it. This value is set in the `loginServer` helm value and is propagated down to all resources managed by the operator. The only exception to this is recorder nodes, where additional changes are required to support modifying the url. Updates https://github.com/tailscale/corp/issues/29847 Signed-off-by: David Bond <davidsbond93@gmail.com>	6 months ago
Oliver Rahner	cbf1a4efe9	cmd/k8s-operator/deploy/chart: allow reading OAuth creds from a CSI driver's volume and annotating operator's Service account (#14264) ... cmd/k8s-operator/deploy/chart: allow reading OAuth creds from a CSI driver's volume and annotating operator's Service account Updates #14264 Signed-off-by: Oliver Rahner <o.rahner@dke-data.com>	1 year ago
James Stocker	303a4a1dfb	Make the deployment of an IngressClass optional, default to true (#14153) ... Fixes tailscale/tailscale#14152 Signed-off-by: James Stocker jamesrstocker@gmail.com Co-authored-by: James Stocker <james.stocker@intenthq.co.uk>	1 year ago
Tom Proctor	36cb2e4e5f	cmd/k8s-operator,k8s-operator: use default ProxyClass if set for ProxyGroup (#13720) ... The default ProxyClass can be set via helm chart or env var, and applies to all proxies that do not otherwise have an explicit ProxyClass set. This ensures proxies created by the new ProxyGroup CRD are consistent with the behaviour of existing proxies Nearby but unrelated changes: * Fix up double error logs (controller runtime logs returned errors) * Fix a couple of variable names Updates #13406 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	1 year ago
Tom Proctor	e48cddfbb3	cmd/{containerboot,k8s-operator},k8s-operator,kube: add ProxyGroup controller (#13684) ... Implements the controller for the new ProxyGroup CRD, designed for running proxies in a high availability configuration. Each proxy gets its own config and state Secret, and its own tailscale node ID. We are currently mounting all of the config secrets into the container, but will stop mounting them and instead read them directly from the kube API once #13578 is implemented. Updates #13406 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	1 year ago
Cameron Stokes	65c26357b1	cmd/k8s-operator, k8s-operator: fix outdated kb links (#13585) ... updates #13583 Signed-off-by: Cameron Stokes <cameron@tailscale.com>	1 year ago
ChandonPierre	93dc2ded6e	cmd/k8s-operator: support default proxy class in k8s-operator (#12711) ... Signed-off-by: ChandonPierre <cpierre@coreweave.com> Closes #12421	1 year ago
Lee Briggs	32ce18716b	Add extra environment variables in deployment template (#12858) ... Fixes #12857 Signed-off-by: Lee Briggs <lee@leebriggs.co.uk>	1 year ago
Irbe Krumina	3a6d3f1a5b	cmd/k8s-operator,k8s-operator,go.{mod,sum}: make individual proxy images/image pull policies configurable (#11928) ... cmd/k8s-operator,k8s-operator,go.{mod,sum}: make individual proxy images/image pull policies configurable Allow to configure images and image pull policies for individual proxies via ProxyClass.Spec.StatefulSet.Pod.{TailscaleContainer,TailscaleInitContainer}.Image, and ProxyClass.Spec.StatefulSet.Pod.{TailscaleContainer,TailscaleInitContainer}.ImagePullPolicy fields. Document that we have images in ghcr.io on the relevant Helm chart fields. Updates tailscale/tailscale#11675 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 years ago
signed-long	1dc3136a24	cmd/k8s-operator: Support image 'repo' or 'repository' keys in helm values file (#12285) ... cmd/k8s-operator/deploy/chart: Support image 'repo' or 'repository' keys in helm values Fixes #12100 Signed-off-by: Michael Long <michaelongdev@gmail.com>	2 years ago
Irbe Krumina	d0d33f257f	cmd/k8s-operator: add a note pointing at ProxyClass (#12246) ... Updates tailscale/tailscale#12242 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 years ago
Gabe Gorelick	de85610be0	cmd/k8s-operator/deploy/chart: allow users to configure additional labels for the operator's Pod via Helm chart values. ... cmd/k8s-operator/deploy/chart: allow users to configure additional labels for the operator's Pod via Helm chart values. Fixes #11947 Signed-off-by: Gabe Gorelick <gabe@hightouch.io>	2 years ago
Chris Milson-Tokunaga	b6dfd7443a	Change type of installCRDs (#11478) ... Including the double quotes (`"`) around the value made it appear like the helm chart should expect a string value for `installCRDs`. Signed-off-by: Chris Milson-Tokunaga <chris.w.milson@gmail.com>	2 years ago
ChandonPierre	2ce596ea7a	cmd/k8s-operator/deploy: allow modifying operator tags via Helm values ... Updates tailscale/tailscale#10659 Signed-off-by: Chandon Pierre <cpierre@coreweave.com>	2 years ago
Irbe Krumina	5cc1bfe82d	cmd/k8s-operator: remove configuration knob for Connector (#10791) ... The configuration knob (that defaulted to Connector being disabled) was added largely because the Connector CRD had to be installed in a separate step. Now when the CRD has been added to both chart and static manifest, we can have it on by default. Updates tailscale/tailscale#10878 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 years ago
Irbe Krumina	35f49ac99e	cmd/k8s-operator: add Connector CRD to Helm chart and static manifests (#10775) ... cmd/k8s-operator: add CRD to chart and static manifest Add functionality to insert CRD to chart at package time. Insert CRD to static manifests as this is where they are currently consumed from. Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 years ago
Irbe Krumina	38b4eb9419	cmd/k8s-operator/deploy/chart: document passing multiple proxy tags + log level values (#10624) ... Updates #cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 years ago
Irbe Krumina	1a08ea5990	cmd/k8s-operator: operator can create subnetrouter (#9505) ... * k8s-operator,cmd/k8s-operator,Makefile,scripts,.github/workflows: add Connector kube CRD. Connector CRD allows users to configure the Tailscale Kubernetes operator to deploy a subnet router to expose cluster CIDRs or other CIDRs available from within the cluster to their tailnet. Also adds various CRD related machinery to generate CRD YAML, deep copy implementations etc. Engineers will now have to run 'make kube-generate-all` after changing kube files to ensure that all generated files are up to date. * cmd/k8s-operator,k8s-operator: reconcile Connector resources Reconcile Connector resources, create/delete subnetrouter resources in response to changes to Connector(s). Connector reconciler will not be started unless ENABLE_CONNECTOR env var is set to true. This means that users who don't want to use the alpha Connector custom resource don't have to install the Connector CRD to their cluster. For users who do want to use it the flow is: - install the CRD - install the operator (via Helm chart or using static manifests). For Helm users set .values.enableConnector to true, for static manifest users, set ENABLE_CONNECTOR to true in the static manifest. Updates tailscale/tailscale#502 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 years ago
Gabriel Martinez	128d3ad1a9	cmd/k8s-operator: helm chart add missing keys (#10296) ... * cmd/k8s-operator: add missing keys to Helm values file Updates #10182 Signed-off-by: Gabriel Martinez <gabrielmartinez@sisti.pt>	2 years ago
Irbe Krumina	ed1b935238	cmd/k8s-operator: allow to install operator via helm (#9920) ... Initial helm manifests. Updates tailscale/tailscale#9222 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Maisem Ali <maisem@tailscale.com>	2 years ago