Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/k8s-operator,cmd/containerboot,ipn,k8s-operator: don't run operator's egress proxies with stateful filter #12075

Merged
merged 1 commit into from
May 10, 2024
Merged

cmd/k8s-operator,cmd/containerboot,ipn,k8s-operator: don't run operator's egress proxies with stateful filter #12075

merged 1 commit into from
May 10, 2024

Conversation

irbekrm
Copy link
Contributor

@irbekrm irbekrm commented May 9, 2024
edited

Turn off stateful filtering for egress proxies to allow cluster
traffic to be forwarded to tailnet.

Allow configuring stateful filter via tailscaled config file.

Deprecate EXPERIMENTAL_TS_CONFIGFILE_PATH env var and introduce a new
TS_EXPERIMENTAL_VERSIONED_CONFIG env var that can be used to provide
containerboot a directory that should contain one or more
tailscaled config files named cap-.hujson.
Containerboot will pick the one with the newest capability version
that is not newer than its current capability version.

Proxies with this change will not work with older Tailscale
Kubernetes operator versions - users must ensure that
the deployed operator is at the same version or newer (up to
4 version skew) than the proxies.

@irbekrm irbekrm changed the title cmd/k8s-operator,cmd/containerboot,ipn: cmd/k8s-operator,cmd/containerboot,ipn: don't run operator's proxies with stateful filter May 9, 2024
@irbekrm irbekrm force-pushed the irbekrm/nostateful branch 2 times, most recently from 62584be to 5a32014 Compare May 9, 2024 21:04
github-advanced-security[bot]
github-advanced-security bot found potential problems May 9, 2024
View reviewed changes
cmd/k8s-operator/sts.go Fixed Show resolved Hide resolved
cmd/k8s-operator/sts.go Fixed Show resolved Hide resolved
@irbekrm irbekrm marked this pull request as draft May 9, 2024 21:09
@irbekrm irbekrm marked this pull request as draft May 9, 2024 21:09
@irbekrm irbekrm force-pushed the irbekrm/nostateful branch 3 times, most recently from 46a1df2 to 00fd561 Compare May 9, 2024 22:26
@irbekrm irbekrm marked this pull request as ready for review May 9, 2024 22:29
github-advanced-security[bot]
github-advanced-security bot found potential problems May 10, 2024
View reviewed changes
cmd/k8s-operator/sts.go Fixed Show fixed Hide fixed
cmd/k8s-operator/sts.go Fixed Show fixed Hide fixed
github-advanced-security[bot]
github-advanced-security bot found potential problems May 10, 2024
View reviewed changes
cmd/k8s-operator/sts.go Dismissed Show dismissed Hide dismissed
cmd/k8s-operator/sts.go Dismissed Show dismissed Hide dismissed
@irbekrm irbekrm force-pushed the irbekrm/nostateful branch 2 times, most recently from d3333e6 to 19f999e Compare May 10, 2024 13:25
irbekrm
irbekrm commented May 10, 2024
View reviewed changes
cmd/k8s-operator/sts.go Outdated
Comment on lines 527 to 533
for key := range configs {
fn := kubeutils.TailscaledConfigFileNameForCap(key)
configVolume.VolumeSource.Secret.Items = append(configVolume.VolumeSource.Secret.Items, corev1.KeyToPath{
Key: fn,
Path: fn,
})
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed these after spending a fair bit of time trying to figure out how to test/fix tests. There is really no need to explicitly name them as we use the same names as Secret keys (and we have tests for Secret key names/contents)

@irbekrm irbekrm force-pushed the irbekrm/nostateful branch 2 times, most recently from 726ca94 to 62e48bc Compare May 10, 2024 14:52
@irbekrm irbekrm requested a review from maisem May 10, 2024 14:54
@irbekrm irbekrm changed the title cmd/k8s-operator,cmd/containerboot,ipn: don't run operator's proxies with stateful filter cmd/k8s-operator,cmd/containerboot,ipn,k8s-operator: don't run operator's egress proxies with stateful filter May 10, 2024
maisem
maisem reviewed May 10, 2024
View reviewed changes
cmd/k8s-operator/sts.go Show resolved Hide resolved
cmd/k8s-operator/sts.go Show resolved Hide resolved
@irbekrm @maisem
cmd/k8s-operator,cmd/containerboot,ipn,k8s-operator: turn off statefu…
a507918 
…l filter for egress proxies.

Turn off stateful filtering for egress proxies to allow cluster
traffic to be forwarded to tailnet.

Allow configuring stateful filter via tailscaled config file.

Deprecate EXPERIMENTAL_TS_CONFIGFILE_PATH env var and introduce a new
TS_EXPERIMENTAL_VERSIONED_CONFIG env var that can be used to provide
containerboot a directory that should contain one or more
tailscaled config files named cap-<tailscaled-cap-version>.hujson.
Containerboot will pick the one with the newest capability version
that is not newer than its current capability version.

Proxies with this change will not work with older Tailscale
Kubernetes operator versions - users must ensure that
the deployed operator is at the same version or newer (up to
4 version skew) than the proxies.

Updates #12061

Co-authored-by: Maisem Ali <maisem@tailscale.com>
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
@irbekrm irbekrm merged commit d86d1e7 into main May 10, 2024
49 checks passed
@irbekrm irbekrm deleted the irbekrm/nostateful branch May 10, 2024 15:32
@irbekrm irbekrm mentioned this pull request May 10, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maisem maisem maisem approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@irbekrm @maisem