cmd/containerboot: add support for setting funnel TCP portforward #7136
base: main
a7a2b1f
to
ddf75e6
WIP Signed-off-by: Maisem Ali <maisem@tailscale.com>
Signed-off-by: Maisem Ali <maisem@tailscale.com>
ddf75e6
to
9500e7a
I don't think I like this as-is, especially the various "if kubernetes" branches in ipnlocal. We already have a bunch of these branches throughout our code and the magically different behavior makes it hard to maintain stuff :(
Maybe it's time to graduate the store API from plain key/value to structured Get/Set for specific data, so that the underlying implementations can handle all this weird differential storage we're doing.
@@ -90,8 +90,31 @@ func main() { | |||
AuthOnce: defaultBool("TS_AUTH_ONCE", false), | |||
Root: defaultEnv("TS_TEST_ONLY_ROOT", "/"), | |||
} | |||
funnelForwardPorts := strings.Split(defaultEnv("TS_FUNNEL_TCP_PORTFORWARD", ""), ",") |
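Review bot: strings.Split on the added funnelForwardPorts line returns a one-element slice holding the empty string when TS_FUNNEL_TCP_PORTFORWARD is unset or empty, so the slice is never empty and whatever parses it sees a blank entry. Check the env value for "" before splitting, or skip empty entries, and trim whitespace around each entry so that a value like "443, 8443" parses. These values decide what funnel exposes, so an entry that is not a valid port number should fail startup with a clear error rather than be ignored.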
I'd probably call this just "TS_FUNNEL_TCP", to reduce typing. Also add the envvar to the big comment at the top that lists all the available options.
} | ||
sc.AllowFunnel[ipn.HostPort(fmt.Sprintf("%s:%d", cd, f))] = true | ||
} | ||
return client.SetServeConfig(ctx, sc) |
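Review bot: The host:port keys set in AllowFunnel are never logged in the visible lines, and the error from SetServeConfig at the return is passed up unwrapped. Log each host:port that gets funnel enabled so the container's startup output records what was exposed, and wrap the error, for example fmt.Errorf("setting funnel serve config: %w", err), so a failure here can be told apart from other startup errors.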
How do we know when funnel is working? Ideally the operator would like some signal that pod startup has completed correctly, so it doesn't advertise the ingress hostname until it's actually serving.
@@ -305,6 +324,35 @@ authLoop: | |||
} | |||
} | |||
|
|||
func configureForwarding(ctx context.Context, client *tailscale.LocalClient, cfg *settings) error { | |||
if cfg.ProxyTo == "" { |
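Review bot: configureForwarding is added without a doc comment, and its first statement branches on cfg.ProxyTo being empty with nothing stating what the function does in that case. Add a comment above the func line saying which settings fields it reads, what it configures through the LocalClient, and whether an empty ProxyTo is an error or a supported configuration.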
I don't think this is right for all scenarios, it's valid to configure funnel without ProxyTo if you're running the container as a sidecar. I think funnel needs to work in either case?
Recommend the commit message state that it Updates #6468
WIP
Signed-off-by: Maisem Ali maisem@tailscale.com