tailscale

Commit Graph

Author	SHA1	Message	Date
Irbe Krumina	f5936d132a	kube: fix typo (#12437 ) Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 weeks ago
Irbe Krumina	a95ea31a4e	kube,tailcfg: store parsed recorder tags in a separate field (#12429 ) Add an additional RecorderAddrs field to tailscale.com/cap/kubernetes capability. RecorderAddrs will only be populated by control with the addresses of any tsrecorder tags set via Recorder. Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 weeks ago
Irbe Krumina	c3e2b7347b	tailcfg,cmd/k8s-operator,kube: move Kubernetes cap to a location that can be shared with control (#12236 ) This PR is in prep of adding logic to control to be able to parse tailscale.com/cap/kubernetes grants in control: - moves the type definition of PeerCapabilityKubernetes cap to a location shared with control. - update the Kubernetes cap rule definition with fields for granting kubectl exec session recording capabilities. - adds a convenience function to produce tailcfg.RawMessage from an arbitrary cap rule and a test for it. An example grant defined via ACLs: "grants": [{ "src": ["tag:eng"], "dst": ["tag:k8s-operator"], "app": { "tailscale.com/cap/kubernetes": [{ "recorder": ["tag:my-recorder"] “enforceRecorder”: true }], }, } ] This grant enforces `kubectl exec` sessions from tailnet clients, matching `tag:eng` via API server proxy matching `tag:k8s-operator` to be recorded and recording to be sent to a tsrecorder instance, matching `tag:my-recorder`. The type needs to be shared with control because we want control to parse this cap and resolve tags to peer IPs. Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 weeks ago
Irbe Krumina	1452faf510	cmd/containerboot,kube,ipn/store/kubestore: allow interactive login on kube, check Secret create perms, allow empty state Secret (#11326 ) cmd/containerboot,kube,ipn/store/kubestore: allow interactive login and empty state Secrets, check perms * Allow users to pre-create empty state Secrets * Add a fake internal kube client, test functionality that has dependencies on kube client operations. * Fix an issue where interactive login was not allowed in an edge case where state Secret does not exist * Make the CheckSecretPermissions method report whether we have permissions to create/patch a Secret if it's determined that these operations will be needed Updates tailscale/tailscale#11170 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Maisem Ali	c919ff540f	cmd/k8s-operator,ipn/store/kubestore: patch secrets instead of updating We would call Update on the secret, but that was racey and would occasionaly fail. Instead use patch whenever we can. Fixes errors like ``` boot: 2023/08/29 01:03:53 failed to set serve config: sending serve config: updating config: writing ServeConfig to StateStore: Operation cannot be fulfilled on secrets "ts-webdav-kfrzv-0": the object has been modified; please apply your changes to the latest version and try again {"level":"error","ts":"2023-08-29T01:03:48Z","msg":"Reconciler error","controller":"ingress","controllerGroup":"networking.k8s.io","controllerKind":"Ingress","Ingress":{"name":"webdav","namespace":"default"},"namespace":"default","name":"webdav","reconcileID":"96f5cfed-7782-4834-9b75-b0950fd563ed","error":"failed to provision: failed to create or get API key secret: Operation cannot be fulfilled on secrets \"ts-webdav-kfrzv-0\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(Controller).reconcileHandler\n\tsigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(Controller).processNextWorkItem\n\tsigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:226"} ``` Updates #502 Updates #7895 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Maisem Ali	e0d291ab8a	ipn/store: add support for stores to hook into a custom dialer For stores like k8s secrets we need to dial out to the k8s API as though Tailscale wasn't running. The issue currently only manifests when you try to use an exit node while running inside a k8s cluster and are trying to use Kubernetes secrets as the backing store. This doesn't address cmd/containerboot, which I'll do in a follow up. Updates #7695 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	e1530cdfcc	cmd/containerboot,kube: consolidate the two kube clients We had two implemenetations of the kube client, merge them. containerboot was also using a raw http.Transport, this also has the side effect of making it use a http.Client Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Will Norris	71029cea2d	all: update copyright and license headers This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Maisem Ali	af966391c7	kube: handle 201 as a valid status code. Fixes tailscale/corp#7478 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Josh Bleecher Snyder	0868329936	all: use any instead of interface{} My favorite part of generics. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	2 years ago
Maisem Ali	0842e2f45b	ipn/store: add ability to store data as k8s secrets. Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 years ago

11 Commits (4b39b6f7ceed7ac640f5231a56bb56dad3e01850)