cmd/k8s-operator,k8s-operator,go.{mod,sum}: make individual proxy images/image pull policies configurable #11928
base: main
…ges/image pull policies configurable

Allow configuring images and image pull policies for individual proxies via ProxyClass.Spec.StatefulSet.Pod.{TailscaleContainer,TailscaleInitContainer}.Image and ProxyClass.Spec.StatefulSet.Pod.{TailscaleContainer,TailscaleInitContainer}.ImagePullPolicy fields. Document that we have images in ghcr.io on the relevant Helm chart fields.

Updates #11675

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
@@ -22,6 +22,7 @@ require ( | |||
github.com/dave/patsy v0.0.0-20210517141501-957256f50cba | |||
github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa | |||
github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e | |||
github.com/distribution/reference v0.6.0 |
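Review bot: the new direct requirement `github.com/distribution/reference v0.6.0` should be reconciled with the deprecated copy of the same reference-parsing library that go.mod already carries indirectly via mkctr (see the comment below), otherwise the operator binary ends up with two image-reference parsers; please also confirm the matching go.sum entries for v0.6.0 land in the same change so the build stays reproducible.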
We also have https://github.com/tailscale/tailscale/blob/v1.64.2/go.mod#L184 which is a deprecated version of the same library, pulled in by some dependency of mkctr it seems: https://github.com/tailscale/mkctr/blob/main/go.mod#L13. We should probably update it there if possible.
Image string `json:"image,omitempty"` | ||
// Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always. | ||
// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#image | ||
// +kubebuilder:validation:Enum=Always;Never;IfNotPresent |
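Review bot: the doc comment `// Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always.` should state whose default this is. Kubernetes itself defaults imagePullPolicy to IfNotPresent unless the tag is `:latest` or omitted, so "Defaults to Always" is only true if the operator explicitly sets Always on the proxy Pod when this field is unset; if it does, say so, and if it leaves the Pod field empty the comment is inaccurate. The enum marker on the last line is the right place to enforce the allowed values.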
`kubebuilder:validation:Enum=Always;Never;IfNotPresent`: this ensures that any ProxyClass with an ImagePullPolicy value other than Always/Never/IfNotPresent gets rejected at apply time.
// Container security context. | ||
// Security context specified here will override the security context by the operator. | ||
// By default the operator: | ||
// - sets 'privileged: true' for the init container | ||
// - set NET_ADMIN capability for tailscale container for proxies that | ||
// are created for Services or Connector. | ||
// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context | ||
// List of environment variables to set in the container. | ||
// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables | ||
// Note that environment variables provided here will take precedence | ||
// over Tailscale-specific environment variables set by the operator, | ||
// however running proxies with custom values for Tailscale environment | ||
// variables (i.e TS_USERSPACE) is not recommended and might break in | ||
// the future. | ||
// +optional | ||
SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"` | ||
Env []Env `json:"env,omitempty"` | ||
// Container image name. By default images are pulled from | ||
// docker.io/tailscale/tailscale, but the official images are also | ||
// available at ghcr.io/tailscale/tailscale. Image name provided here | ||
// will override any proxy image values specified via the Kubernetes | ||
// operator's Helm chart values or PROXY_IMAGE env var to the operator | ||
// deployment. | ||
// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#image | ||
// +optional |
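Review bot: in the reordered block the doc comments for `SecurityContext` and `Env` appear stacked ahead of both fields rather than each directly above its own field; controller-gen derives a CRD field's description from the comment block immediately above that field, so please confirm each comment (and its `// +optional` marker) sits directly above the field it documents, otherwise the generated schema descriptions for `securityContext` and `env` are swapped. The same applies to the new `Image` comment, which must stay attached to the `Image` field.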
This is just me shifting these fields around to order them alphabetically (just to make it easier to read the code)
// List of environment variables to set in the container. | ||
// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables | ||
// Note that environment variables provided here will take precedence | ||
// over Tailscale-specific environment variables set by the operator, | ||
// however running proxies with custom values for Tailscale environment | ||
// variables (i.e TS_USERSPACE) is not recommended and might break in | ||
// the future. | ||
// Container security context. | ||
// Security context specified here will override the security context by the operator. | ||
// By default the operator: | ||
// - sets 'privileged: true' for the init container | ||
// - set NET_ADMIN capability for tailscale container for proxies that | ||
// are created for Services or Connector. | ||
// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context | ||
// +optional | ||
Env []Env `json:"env,omitempty"` | ||
SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"` |
This is just me shifting those fields around to order them alphabetically (just to make it easier to read the code)
Given the below proxy class
In my testing, this worked for an ingress defined as follows:
But, it did not work for a service defined as follows:
The
Judging from the
See #11675 for context - this PR attempts to make it easier to configure what images are used for the operator proxies and make it possible to configure image pull policies.

Adds a couple new fields to `ProxyClass` CRD to make it possible to configure images/image pull policies for tailscale container and tailscale init container.

To try this out:

1. `kubectl apply -f ./cmd/k8s-operator/deploy/crds`
2. `helm upgrade --install operator tailscale-dev/tailscale-operator -n tailscale --set operatorConfig.image.repo=<image> --set installCRDs=false --set operatorConfig.image.tag=<tag>...`
3. `ProxyClass` with images/image pull policies configured, i.e. `kubectl apply -f ./cmd/k8s-operator/examples/proxyclass.yaml`
4. `ProxyClass` to any operator's managed proxy: https://tailscale.com/kb/1236/kubernetes-operator#cluster-resource-customization-using-proxyclass-custom-resource
5. `Image`/`ImagePullPolicy` fields of the proxy `Pod` have the expected values
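The precedence the new field comments describe (a `ProxyClass` image overrides the Helm chart value or `PROXY_IMAGE` env var, which overrides the built-in docker.io/tailscale/tailscale default; an unset pull policy is treated as Always) and the enum rejection the `+kubebuilder:validation:Enum` marker performs at apply time, written out as a small Go program. This is an added example, not code from the tailscale repository: `ContainerSpec`, `OperatorDefaults`, `ResolveContainer`, `ValidatePullPolicy` and `PullWarnings` are hypothetical names, the image tags are constructed, and the warning about cached tags is a general Kubernetes caveat this example adds (with `Never` or `IfNotPresent` on a mutable tag, the kubelet keeps running whatever copy of that tag is already on the node).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// PullPolicy holds the values the CRD enum marker admits
// (+kubebuilder:validation:Enum=Always;Never;IfNotPresent).
type PullPolicy string

const (
	PullAlways       PullPolicy = "Always"
	PullNever        PullPolicy = "Never"
	PullIfNotPresent PullPolicy = "IfNotPresent"
)

// ContainerSpec is a hypothetical stand-in for the per-container ProxyClass
// fields (TailscaleContainer / TailscaleInitContainer) discussed in the PR.
type ContainerSpec struct {
	Image           string
	ImagePullPolicy PullPolicy
}

// OperatorDefaults stands in for the operator-level setting that the field
// docs say a ProxyClass image overrides (Helm chart value or PROXY_IMAGE env var).
type OperatorDefaults struct {
	ProxyImage string
}

// DefaultProxyImage is the registry the field docs name as the default source.
const DefaultProxyImage = "docker.io/tailscale/tailscale"

var ErrInvalidPullPolicy = errors.New("imagePullPolicy must be one of Always, Never, IfNotPresent")

// ValidatePullPolicy rejects anything the enum marker would reject at apply
// time. An empty value is accepted because the field is +optional.
func ValidatePullPolicy(p PullPolicy) error {
	switch p {
	case "", PullAlways, PullNever, PullIfNotPresent:
		return nil
	}
	return fmt.Errorf("%w: got %q", ErrInvalidPullPolicy, string(p))
}

// ResolveContainer applies the precedence from the field comments: the
// ProxyClass image wins over the operator-level default, which wins over the
// built-in registry; an unset pull policy becomes Always ("Defaults to Always").
func ResolveContainer(pc *ContainerSpec, d OperatorDefaults) (image string, policy PullPolicy, err error) {
	image = d.ProxyImage
	if image == "" {
		image = DefaultProxyImage
	}
	policy = PullAlways
	if pc == nil {
		return image, policy, nil
	}
	if err := ValidatePullPolicy(pc.ImagePullPolicy); err != nil {
		return "", "", err
	}
	if pc.Image != "" {
		image = pc.Image
	}
	if pc.ImagePullPolicy != "" {
		policy = pc.ImagePullPolicy
	}
	return image, policy, nil
}

// IsDigestPinned reports whether the reference carries an immutable @sha256: digest.
func IsDigestPinned(image string) bool {
	return strings.Contains(image, "@sha256:")
}

// PullWarnings lists the operational caveat of a resolved image/policy pair:
// Never or IfNotPresent on a mutable tag reuses whatever copy of that tag is
// already cached on the node, so a rebuilt tag is never picked up.
func PullWarnings(image string, policy PullPolicy) []string {
	var w []string
	if policy != PullAlways && !IsDigestPinned(image) {
		w = append(w, fmt.Sprintf("%s with pull policy %s: a cached copy of this tag will be reused; pin by digest to make the running image unambiguous", image, policy))
	}
	return w
}

func main() {
	// Constructed sample: a ProxyClass overriding the operator default image and pull policy.
	pc := &ContainerSpec{Image: "ghcr.io/tailscale/tailscale:v1.64.2", ImagePullPolicy: PullIfNotPresent}
	img, pol, err := ResolveContainer(pc, OperatorDefaults{ProxyImage: "docker.io/tailscale/tailscale:v1.64.2"})
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println(img, pol)
	for _, w := range PullWarnings(img, pol) {
		fmt.Println("warning:", w)
	}
	// A lowercase policy is what the CRD schema rejects before the operator ever sees it.
	_, _, err = ResolveContainer(&ContainerSpec{ImagePullPolicy: "always"}, OperatorDefaults{})
	fmt.Println("rejected:", err)
}
```

Run it with `go run .`; the first line printed is the resolved ghcr.io image with IfNotPresent, followed by the mutable-tag warning and the rejection of `always`. The validation step models only the enum check; in the real cluster that rejection happens in the API server from the generated CRD schema, not in operator code.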