cmd/k8s-operator,k8s-operator: allow the operator to deploy exit nodes via Connector custom resource #10724
Conversation
cmd/k8s-operator/sts.go (review comment on an outdated revision)

```go
	} else if len(sts.Routes) > 0 {
		container.Env = append(container.Env, corev1.EnvVar{
			Name:  "TS_ROUTES",
			Value: sts.Routes,
		})

	}
	if a.tsFirewallMode != "" {
		container.Env = append(container.Env, corev1.EnvVar{
			Name:  "TS_DEBUG_FIREWALL_MODE",
			Value: a.tsFirewallMode,
		},
		)
	}
	ss.ObjectMeta = metav1.ObjectMeta{
		Name:      headlessSvc.Name,
		Namespace: a.operatorNamespace,
		Labels:    sts.ChildResourceLabels,
	}
	ss.Spec.ServiceName = headlessSvc.Name
	ss.Spec.Selector = &metav1.LabelSelector{
		MatchLabels: map[string]string{
			"app": sts.ParentResourceUID,
		},
	}

	// containerboot currently doesn't have a way to re-read the hostname/ip as
	// it is passed via an environment variable. So we need to restart the
	// container when the value changes. We do this by adding an annotation to
	// the pod template that contains the last value we set.
	ss.Spec.Template.Annotations = map[string]string{
		podAnnotationLastSetHostname: sts.Hostname,
	}
	if sts.ClusterTargetIP != "" {
		ss.Spec.Template.Annotations[podAnnotationLastSetClusterIP] = sts.ClusterTargetIP
	}
	if sts.TailnetTargetIP != "" {
		ss.Spec.Template.Annotations[podAnnotationLastSetTailnetTargetIP] = sts.TailnetTargetIP
	}
	if sts.TailnetTargetFQDN != "" {
		ss.Spec.Template.Annotations[podAnnotationLastSetTailnetTargetFQDN] = sts.TailnetTargetFQDN
	}
	ss.Spec.Template.Labels = map[string]string{
		"app": sts.ParentResourceUID,
	}
	ss.Spec.Template.Spec.PriorityClassName = a.proxyPriorityClassName
```
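Review bot: `TS_ROUTES` is filled straight from `sts.Routes` (`Value: sts.Routes`) behind only a `len(sts.Routes) > 0` guard, so a malformed CIDR, a prefix with host bits set, or a stray default route in the Connector is not detected by the reconciler and only fails later inside the pod when containerboot runs `tailscale up`; parse each element with `netip.ParsePrefix` (or enforce a CIDR pattern in the CRD schema) before building the env var so the error lands in the Connector status. A second, smaller point: `ss.Spec.Template.Annotations = map[string]string{ podAnnotationLastSetHostname: sts.Hostname }` replaces the whole annotation map rather than merging into it, so any annotations already present on the base pod template are dropped; assign into the existing map (creating it only if nil) unless overwriting is intended, in which case the comment above should say so.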
This change is moving existing STS configuration around so that it is ordered by type of configuration options.
@@ -0,0 +1,411 @@
// Copyright (c) Tailscale Inc & AUTHORS
This new file contains utils shared between ingress/egress tests and connector tests; this is partially just moved from operator_test.go, connector_test.go.
…ine an exit node via Connector CR

Make it possible to define an exit node to be deployed to a Kubernetes cluster via Connector Custom resource. Also changes to Connector API so that one Connector corresponds to one Tailnet node that can be either a subnet router or an exit node or both.

Updates #10708

Signed-off-by: Irbe Krumina <irbe@tailscale.com>

The Kubernetes operator parses Connector custom resource and, if .spec.isExitNode is set, configures that Tailscale node deployed for that connector as an exit node.

Signed-off-by: Irbe Krumina <irbe@tailscale.com>

…exit node

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Thank you for the review @knyar, I have now addressed all the comments, PTAL
Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Anton Tolchanov <anton@tailscale.com> Signed-off-by: Irbe Krumina <irbe@tailscale.com>
I'm not sure this is the appropriate place for this given that it has been merged. I'm trying to utilize this functionality as it would greatly simplify something I'm currently attempting to do. I'm on the specified unstable-v1.57.42, I tried modifying the example and eventually just deployed the example as is and I get continuous errors during reconciliation rather than the connector being configured. The error is

Hi @btobolaski thanks for trying this out!
I just pushed (Just for the record- the

That was it, thank you. Everything appears to be working as expected.
…s via Connector custom resource (#10724) cmd/k8s-operator/deploy/crds,k8s-operator/apis/v1alpha1: allow to define an exit node via Connector CR. Make it possible to define an exit node to be deployed to a Kubernetes cluster via Connector Custom resource. Also changes to Connector API so that one Connector corresponds to one Tailnet node that can be either a subnet router or an exit node or both. The Kubernetes operator parses Connector custom resource and, if .spec.isExitNode is set, configures that Tailscale node deployed for that connector as an exit node. Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Anton Tolchanov <anton@tailscale.com>
Context

This PR adds a new `.spec.exitNode` field to the `Connector` custom resource that allows users to configure the Tailscale node created for the `Connector` to act as an exit node. It also redesigns the API:

- `Connector` and a Tailscale node
- `Connector` can be an exit node, a subnet router or both (and in future also an app connector)

(For the above `Connector` the operator configures one Tailscale node that acts as an exit node and advertises routes `10.40.0.0/14`, `192.168.0.0/14`)

UI

`Connector` that acts as both exit node and advertises two routes:

`Connector` that only advertises routes:

`Connector` that is only an exit node:

Notes:

- `Pod`s via the subnet router.

See details below for how to try this out:

- create an operator image from this PR
- apply the CRD: `kubectl apply -f ./cmd/k8s-operator/deploy/crds/tailscale.com_connectors.yaml`
- install the operator with the custom image and connector functionality enabled, i.e. `helm install operator tailscale/tailscale-dev --set enableConnector=true...`. Ensure that you are using `unstable-v1.57.42` or newer
- (if using the example manifest below) update ACL tags to allow the operator to own `tag:prod` and to allow `tag:prod` to auto-approve exit nodes and the desired subnet routes
- apply a `Connector` CR, such as the example one added in this PR: `kubectl apply -f ./cmd/k8s-operator/deploy/examples/connector.yaml`
- verify ready `Connector` status and that the subnet router and exit node are functioning

Updates #10708
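The Connector semantics described above (one Connector is one Tailscale node that is a subnet router, an exit node, or both) together with the `TS_ROUTES` handling visible in the sts.go snippet, as an added Go example that is not part of this PR or of the tailscale operator code. It models what a reconciler has to decide before it hands anything to the proxy container: validate the advertised routes, refuse a Connector that would produce a node with no role, and list the prefixes the tailnet policy must auto-approve for the node's tag (the ACL step in the procedure above). The `ConnectorSpec` struct, the `TS_EXTRA_ARGS=--advertise-exit-node` entry and the rule that default routes may only come from `exitNode: true` are assumptions of this example, not the operator's own implementation; `TS_ROUTES` and `TS_HOSTNAME` are containerboot variables.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"sort"
	"strings"
)

// ConnectorSpec stands in for the Connector CR fields discussed in this PR.
// Constructed for this example; the real CRD schema lives in the operator.
type ConnectorSpec struct {
	Hostname string
	ExitNode bool
	Routes   []string
}

var (
	defaultV4 = netip.MustParsePrefix("0.0.0.0/0")
	defaultV6 = netip.MustParsePrefix("::/0")
)

// ValidateRoutes parses the advertised subnet routes and returns them
// canonical, de-duplicated and sorted. It rejects values that are not CIDR
// prefixes, prefixes with host bits set (e.g. 10.40.0.1/14, which
// `tailscale up` also refuses with a "non-address bits" error), and default
// routes, which would silently turn a subnet router into an exit node
// (policy chosen for this example: exit nodes must say exitNode: true).
func ValidateRoutes(routes []string) ([]netip.Prefix, error) {
	seen := map[netip.Prefix]bool{}
	var out []netip.Prefix
	for _, r := range routes {
		r = strings.TrimSpace(r)
		p, err := netip.ParsePrefix(r)
		if err != nil {
			return nil, fmt.Errorf("route %q: %w", r, err)
		}
		if p != p.Masked() {
			return nil, fmt.Errorf("route %q has host bits set; expected %s", r, p.Masked())
		}
		if p == defaultV4 || p == defaultV6 {
			return nil, fmt.Errorf("route %q is a default route; set exitNode: true instead", r)
		}
		if !seen[p] {
			seen[p] = true
			out = append(out, p)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].String() < out[j].String() })
	return out, nil
}

type NodeRole string

const (
	RoleSubnetRouter NodeRole = "subnet-router"
	RoleExitNode     NodeRole = "exit-node"
	RoleBoth         NodeRole = "exit-node+subnet-router"
)

// Plan is what the reconciler would hand to the proxy container. Env mirrors
// the TS_ROUTES variable from the sts.go snippet; the TS_EXTRA_ARGS entry is
// this example's assumption about how the exit-node flag reaches containerboot.
// NeedsApproval lists prefixes the tailnet admin must auto-approve for the
// node's tag (autoApprovers.routes / autoApprovers.exitNode), otherwise the
// node comes up but nothing is routable through it.
type Plan struct {
	Role          NodeRole
	Env           map[string]string
	NeedsApproval []netip.Prefix
}

// BuildPlan turns a ConnectorSpec into a Plan, refusing a spec that would
// create a Tailscale node with no role at all.
func BuildPlan(spec ConnectorSpec) (Plan, error) {
	routes, err := ValidateRoutes(spec.Routes)
	if err != nil {
		return Plan{}, err
	}
	if !spec.ExitNode && len(routes) == 0 {
		return Plan{}, errors.New("connector must set exitNode: true, routes, or both")
	}
	plan := Plan{Env: map[string]string{"TS_HOSTNAME": spec.Hostname}}
	if len(routes) > 0 {
		rs := make([]string, len(routes))
		for i, p := range routes {
			rs[i] = p.String()
		}
		plan.Env["TS_ROUTES"] = strings.Join(rs, ",")
		plan.NeedsApproval = append(plan.NeedsApproval, routes...)
	}
	if spec.ExitNode {
		plan.Env["TS_EXTRA_ARGS"] = "--advertise-exit-node" // assumption, see lead-in
		plan.NeedsApproval = append(plan.NeedsApproval, defaultV4, defaultV6)
	}
	switch {
	case spec.ExitNode && len(routes) > 0:
		plan.Role = RoleBoth
	case spec.ExitNode:
		plan.Role = RoleExitNode
	default:
		plan.Role = RoleSubnetRouter
	}
	return plan, nil
}

func main() {
	// Constructed sample matching the PR's example: exit node plus two routes.
	plan, err := BuildPlan(ConnectorSpec{Hostname: "ts-prod", ExitNode: true,
		Routes: []string{"10.40.0.0/14", "192.168.0.0/14"}})
	if err != nil {
		panic(err)
	}
	fmt.Printf("role=%s env=%v approve=%v\n", plan.Role, plan.Env, plan.NeedsApproval)
	// A misconfiguration: a default route smuggled in through routes.
	_, err = BuildPlan(ConnectorSpec{Hostname: "bad", Routes: []string{"0.0.0.0/0"}})
	fmt.Println("rejected:", err)
}
```

The `NeedsApproval` list is the thing to compare against the tailnet policy before applying the Connector: if `tag:prod` is not allowed to auto-approve every prefix in it, the node will advertise the routes but the coordination server will leave them pending, which looks exactly like the "continuous errors during reconciliation" symptom reported above until someone checks the admin console.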