tailscale

Commit Graph

Author	SHA1	Message	Date
Irbe Krumina	38b4eb9419	cmd/k8s-operator/deploy/chart: document passing multiple proxy tags + log level values (#10624 ) Updates #cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	7 months ago
Irbe Krumina	1a08ea5990	cmd/k8s-operator: operator can create subnetrouter (#9505 ) * k8s-operator,cmd/k8s-operator,Makefile,scripts,.github/workflows: add Connector kube CRD. Connector CRD allows users to configure the Tailscale Kubernetes operator to deploy a subnet router to expose cluster CIDRs or other CIDRs available from within the cluster to their tailnet. Also adds various CRD related machinery to generate CRD YAML, deep copy implementations etc. Engineers will now have to run 'make kube-generate-all` after changing kube files to ensure that all generated files are up to date. * cmd/k8s-operator,k8s-operator: reconcile Connector resources Reconcile Connector resources, create/delete subnetrouter resources in response to changes to Connector(s). Connector reconciler will not be started unless ENABLE_CONNECTOR env var is set to true. This means that users who don't want to use the alpha Connector custom resource don't have to install the Connector CRD to their cluster. For users who do want to use it the flow is: - install the CRD - install the operator (via Helm chart or using static manifests). For Helm users set .values.enableConnector to true, for static manifest users, set ENABLE_CONNECTOR to true in the static manifest. Updates tailscale/tailscale#502 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	7 months ago
Maisem Ali	fb632036e3	cmd/k8s-operator: drop https:// in capName Add the new format but keep respecting the old one. Updates #4217 Signed-off-by: Maisem Ali <maisem@tailscale.com>	7 months ago
Irbe Krumina	49fd0a62c9	cmd/k8s-operator: generate static kube manifests from the Helm chart. (#10436 ) * cmd/k8s-operator: generate static manifests from Helm charts This is done to ensure that there is a single source of truth for the operator kube manifests. Also adds linux node selector to the static manifests as this was added as a default to the Helm chart. Static manifests can now be generated by running `go generate tailscale.com/cmd/k8s-operator`. Updates tailscale/tailscale#9222 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	7 months ago
Irbe Krumina	18ceb4e1f6	cmd/{containerboot,k8s-operator}: allow users to define tailnet egress target by FQDN (#10360 ) * cmd/containerboot: proxy traffic to tailnet target defined by FQDN Add a new Service annotation tailscale.com/tailnet-fqdn that users can use to specify a tailnet target for which an egress proxy should be deployed in the cluster. Updates tailscale/tailscale#10280 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	7 months ago
Gabriel Martinez	128d3ad1a9	cmd/k8s-operator: helm chart add missing keys (#10296 ) * cmd/k8s-operator: add missing keys to Helm values file Updates #10182 Signed-off-by: Gabriel Martinez <gabrielmartinez@sisti.pt>	7 months ago
Irbe Krumina	66471710f8	cmd/k8s-operator: truncate long StatefulSet name prefixes (#10343 ) Kubernetes can generate StatefulSet names that are too long and result in invalid Pod revision hash label values. Calculate whether a StatefulSet name generated for a Service or Ingress will be too long and if so, truncate it. Updates tailscale/tailscale#10284 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Irbe Krumina	dd8bc9ba03	cmd/k8s-operator: log user/group impersonated by apiserver proxy (#10334 ) Updates tailscale/tailscale#10127 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Irbe Krumina	4f80f403be	cmd/k8s-operator: fix chart syntax error (#10333 ) Updates #9222 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Irbe Krumina	af49bcaa52	cmd/k8s-operator: set different app type for operator with proxy (#10081 ) Updates tailscale/tailscale#9222 plain k8s-operator should have hostinfo.App set to 'k8s-operator', operator with proxy should have it set to 'k8s-operator-proxy'. In proxy mode, we were setting the type after it had already been set to 'k8s-operator' Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
David Anderson	37863205ec	cmd/k8s-operator: strip credentials from client config in noauth mode Updates tailscale/corp#15526 Signed-off-by: David Anderson <danderson@tailscale.com>	8 months ago
Rhea Ghosh	970eb5e784	cmd/k8s-operator: sanitize connection headers (#10063 ) Fixes tailscale/corp#15526 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	8 months ago
Irbe Krumina	c2b87fcb46	cmd/k8s-operator/deploy/chart,.github/workflows: use helm chart API v2 (#10055 ) API v1 is compatible with helm v2 and v2 is not. However, helm v2 (the Tiller deployment mechanism) was deprecated in 2020 and no-one should be using it anymore. This PR also adds a CI lint test for helm chart Updates tailscale/tailscale#9222 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Irbe Krumina	ed1b935238	cmd/k8s-operator: allow to install operator via helm (#9920 ) Initial helm manifests. Updates tailscale/tailscale#9222 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Irbe Krumina	e9956419f6	cmd/k8s-operator: allow cleanup of cluster resources for deleted devices (#9917 ) Users should delete proxies by deleting or modifying the k8s cluster resources that they used to tell the operator to create they proxy. With this flow, the tailscale operator will delete the associated device from the control. However, in some cases users might have already deleted the device from the control manually. Updates tailscale/tailscale#9773 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Irbe Krumina	cac290da87	cmd/k8s-operator: users can configure firewall mode for kube operator proxies (#9769 ) * cmd/k8s-operator: users can configure operator to set firewall mode for proxies Users can now pass PROXY_FIREWALL_MODE={nftables,auto,iptables} to operator to make it create ingress/egress proxies with that firewall mode Also makes sure that if an invalid firewall mode gets configured, the operator will not start provisioning proxy resources, but will instead log an error and write an error event to the related Service. Updates tailscale/tailscale#9310 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Maisem Ali	f53c3be07c	cmd/k8s-operator: use our own container image instead of busybox We already have sysctl in the `tailscale/tailscale` image, just use that. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	1294b89792	cmd/k8s-operator: allow setting same host value for tls and ingress rules We were too strict and required the user not specify the host field at all in the ingress rules, but that degrades compatibility with existing helm charts. Relax the constraint so that rule.Host can either be empty, or match the tls.Host[0] value exactly. Fixes #9548 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	1cb9e33a95	cmd/k8s-operator: update env var in manifest to APISERVER_PROXY Replace the deprecated var with the one in docs to avoid confusion. Introduced in `335a5aaf9a`. Updates #8317 Fixes #9764 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Brad Fitzpatrick	93c6e1d53b	tstest/deptest: add check that x/exp/{maps,slices} imported as xfoo Updates #cleanup Change-Id: I4cbb5e477c739deddf7a46b66f286c9fdb106279 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Irbe Krumina	bdd9eeca90	cmd/k8s-operator: fix reconcile filters (#9533 ) Ensure that when there is an event on a Tailscale managed Ingress or Service child resource, the right parent type gets reconciled Updates tailscale/tailscale#502 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Irbe Krumina	c5b2a365de	cmd/k8s-operator: fix egress service name (#9494 ) Updates https://github.com/tailscale/tailscale/issues/502 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
Maisem Ali	5f4d76c18c	cmd/k8s-operator: rename egress annotation It was tailscale.com/ts-tailnet-target-ip, which was pretty redundant. Change it to tailscale.com/tailnet-ip. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Maisem Ali	d06b48dd0a	tailcfg: add RawMessage This adds a new RawMessage type backed by string instead of the json.RawMessage which is backed by []byte. The byte slice makes the generated views be a lot more defensive than the need to be which we can get around by using a string instead. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Maisem Ali	335a5aaf9a	cmd/k8s-operator: add APISERVER_PROXY env The kube-apiserver proxy in the operator would only run in auth proxy mode but thats not always desirable. There are situations where the proxy should just be a transparent proxy and not inject auth headers, so do that using a new env var APISERVER_PROXY and deprecate the AUTH_PROXY env. THe new env var has three options `false`, `true` and `noauth`. Updates #8317 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Maisem Ali	794650fe50	cmd/k8s-operator: emit event if HTTPS is disabled on Tailnet Instead of confusing users, emit an event that explicitly tells the user that HTTPS is disabled on the tailnet and that ingress may not work until they enable it. Updates #9141 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Maisem Ali	306b85b9a3	cmd/k8s-operator: add metrics to track usage Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Irbe Krumina	17438a98c0	cm/k8s-operator,cmd/containerboot: fix STS config, more tests (#9155 ) Ensures that Statefulset reconciler config has only one of Cluster target IP or tailnet target IP. Adds a test case for containerboot egress proxy mode. Updates tailscale/tailscale#8184 Signed-off-by: irbekrm <irbekrm@gmail.com>	10 months ago
Irbe Krumina	fe709c81e5	cmd/k8s-operator,cmd/containerboot: add kube egress proxy (#9031 ) First part of work for the functionality that allows users to create an egress proxy to access Tailnet services from within Kubernetes cluster workloads. This PR allows creating an egress proxy that can access Tailscale services over HTTP only. Updates tailscale/tailscale#8184 Signed-off-by: irbekrm <irbekrm@gmail.com> Co-authored-by: Maisem Ali <maisem@tailscale.com> Co-authored-by: Rhea Ghosh <rhea@tailscale.com>	10 months ago
Maisem Ali	c919ff540f	cmd/k8s-operator,ipn/store/kubestore: patch secrets instead of updating We would call Update on the secret, but that was racey and would occasionaly fail. Instead use patch whenever we can. Fixes errors like ``` boot: 2023/08/29 01:03:53 failed to set serve config: sending serve config: updating config: writing ServeConfig to StateStore: Operation cannot be fulfilled on secrets "ts-webdav-kfrzv-0": the object has been modified; please apply your changes to the latest version and try again {"level":"error","ts":"2023-08-29T01:03:48Z","msg":"Reconciler error","controller":"ingress","controllerGroup":"networking.k8s.io","controllerKind":"Ingress","Ingress":{"name":"webdav","namespace":"default"},"namespace":"default","name":"webdav","reconcileID":"96f5cfed-7782-4834-9b75-b0950fd563ed","error":"failed to provision: failed to create or get API key secret: Operation cannot be fulfilled on secrets \"ts-webdav-kfrzv-0\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(Controller).reconcileHandler\n\tsigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(Controller).processNextWorkItem\n\tsigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:226"} ``` Updates #502 Updates #7895 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Maisem Ali	0c6fe94cf4	cmd/k8s-operator: add matching family addresses to status This was added in `3451b89e5f`, but resulted in the v6 Tailscale address being added to status when when the forwarding only happened on the v4 address. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Maisem Ali	f92e6a1be8	cmd/k8s-operator: update RBAC to allow creating events The new ingress reconcile raises events on failure, but I forgot to add the updated permission. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Mike Beaumont	3451b89e5f	cmd/k8s-operator: put Tailscale IPs in Service ingress status Updates #502 Signed-off-by: Mike Beaumont <mjboamail@gmail.com>	10 months ago
Mike Beaumont	ce4bf41dcf	cmd/k8s-operator: support being the default loadbalancer controller Updates #502 Signed-off-by: Mike Beaumont <mjboamail@gmail.com>	10 months ago
Maisem Ali	c8dea67cbf	cmd/k8s-operator: add support for Ingress resources Previously, the operator would only monitor Services and create a Tailscale StatefulSet which acted as a L3 proxy which proxied traffic inbound to the Tailscale IP onto the services ClusterIP. This extends that functionality to also monitor Ingress resources where the `ingressClassName=tailscale` and similarly creates a Tailscale StatefulSet, acting as a L7 proxy instead. Users can override the desired hostname by setting: ``` - tls hosts: - "foo" ``` Hostnames specified under `rules` are ignored as we only create a single host. This is emitted as an event for users to see. Fixes #7895 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Maisem Ali	12ac672542	cmd/k8s-operator: handle changes to services w/o teardown Previously users would have to unexpose/expose the service in order to change Hostname/TargetIP. This now applies those changes by causing a StatefulSet rollout now that `a61a9ab087` is in. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Brad Fitzpatrick	98a5116434	all: adjust some build tags for plan9 I'm not saying it works, but it compiles. Updates #5794 Change-Id: I2f3c99732e67fe57a05edb25b758d083417f083e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Maisem Ali	74388a771f	cmd/k8s-operator: fix regression from earlier refactor I forgot to move the defer out of the func, so the tsnet.Server immediately closed after starting. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Maisem Ali	836f932ead	cmd/k8s-operator: split operator.go into svc.go/sts.go Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	11 months ago
Maisem Ali	7f6bc52b78	cmd/k8s-operator: refactor operator code It was jumbled doing a lot of things, this breaks it up into the svc reconciliation and the tailscale sts reconciliation. Prep for future commit. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	11 months ago
Brad Fitzpatrick	e8551d6b40	all: use Go 1.21 slices, maps instead of x/exp/{slices,maps} Updates #8419 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Maisem Ali	24509f8b22	cmd/k8s-operator: add support for control plane assigned groups Previously we would use the Impersonate-Group header to pass through tags to the k8s api server. However, we would do nothing for non-tagged nodes. Now that we have a way to specify these via peerCaps respect those and send down groups for non-tagged nodes as well. For tagged nodes, it defaults to sending down the tags as groups to retain legacy behavior if there are no caps set. Otherwise, the tags are omitted. Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com>	11 months ago
Vince Prignano	1a691ec5b2	cmd/k8s-operator: update controller-runtime to v0.15 Fixes #8170 Signed-off-by: Vince Prignano <vince@prigna.com>	1 year ago
Gabriel Martinez	03e848e3b5	cmd/k8s-operator: add support for priorityClassName Updates #8155 Signed-off-by: Gabriel Martinez <gabrielmartinez@sisti.pt>	1 year ago
Brad Fitzpatrick	4664318be2	client/tailscale: revert CreateKey API change, add Client.CreateKeyWithExpiry The client/tailscale is a stable-ish API we try not to break. Revert the Client.CreateKey method as it was and add a new CreateKeyWithExpiry method to do the new thing. And document the expiry field and enforce that the time.Duration can't be between in range greater than 0 and less than a second. Updates #7143 Updates #8124 (reverts it, effectively) Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Matt Brown	9b6e48658f	client: allow the expiry time to be specified for new keys Adds a parameter for create key that allows a number of seconds (less than 90) to be specified for new keys. Fixes https://github.com/tailscale/tailscale/issues/7965 Signed-off-by: Matthew Brown <matthew@bargrove.com>	1 year ago
Maisem Ali	85215ed58a	cmd/k8s-operator: handle NotFound secrets getSingleObject can return `nil, nil`, getDeviceInfo was not handling that case which resulted in panics. Fixes #7303 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Craig Rodrigues	827abbeeaa	cmd/k8s-operator: print version in startup logs Fixes: #7813 Signed-off-by: Craig Rodrigues <rodrigc@crodrigues.org>	1 year ago
Andrew Dunham	f85dc6f97c	ci: add more lints (#7909 ) This is a follow-up to #7905 that adds two more linters and fixes the corresponding findings. As per the previous PR, this only flags things that are "obviously" wrong, and fixes the issues found. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I8739bdb7bc4f75666a7385a7a26d56ec13741b7c	1 year ago
Maisem Ali	df89b7de10	cmd/k8s-operator: disable HTTP/2 for the auth proxy Kubernetes uses SPDY/3.1 which is incompatible with HTTP/2, disable it in the transport and server. Fixes #7645 Fixes #7646 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago

1 2

75 Commits (e26ee6952f8872411f416339aca4e9ad73fd3b8e)