cmd/k8s-operator,cmd/containerboot,ipn,k8s-operator: don't run operator's egress proxies with stateful filter #12075
Merged
irbekrm changed the title from "cmd/k8s-operator,cmd/containerboot,ipn:" to "cmd/k8s-operator,cmd/containerboot,ipn: don't run operator's proxies with stateful filter" on May 9, 2024
irbekrm force-pushed the irbekrm/nostateful branch 2 times, most recently from 62584be to 5a32014 on May 9, 2024 21:04
irbekrm force-pushed the irbekrm/nostateful branch 3 times, most recently from 46a1df2 to 00fd561 on May 9, 2024 22:26
irbekrm commented May 10, 2024
irbekrm force-pushed the irbekrm/nostateful branch 2 times, most recently from d3333e6 to 19f999e on May 10, 2024 13:25
irbekrm commented May 10, 2024 on cmd/k8s-operator/sts.go (outdated), lines 527 to 533:
for key := range configs { | ||
fn := kubeutils.TailscaledConfigFileNameForCap(key) | ||
configVolume.VolumeSource.Secret.Items = append(configVolume.VolumeSource.Secret.Items, corev1.KeyToPath{ | ||
Key: fn, | ||
Path: fn, | ||
}) | ||
} |
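Review bot: The `for key := range configs` loop appends to `configVolume.VolumeSource.Secret.Items` in range order; if `configs` is a map, Go does not fix that order, so the rendered volume spec can differ between reconciles and make spec comparisons and test fixtures unstable. Either sort the keys before appending or drop the explicit items. Dropping them has a trade-off worth checking: with `Items` set only the listed keys are projected into the volume, while without it every key in the Secret is mounted as a file, so confirm the Secret holds nothing the container should not read.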
Removed these after spending a fair bit of time trying to figure out how to test/fix tests. There is really no need to explicitly name them as we use the same names as Secret keys (and we have tests for Secret key names/contents)
irbekrm force-pushed the irbekrm/nostateful branch 2 times, most recently from 726ca94 to 62e48bc on May 10, 2024 14:52
irbekrm changed the title from "cmd/k8s-operator,cmd/containerboot,ipn: don't run operator's proxies with stateful filter" to "cmd/k8s-operator,cmd/containerboot,ipn,k8s-operator: don't run operator's egress proxies with stateful filter" on May 10, 2024
maisem reviewed May 10, 2024
maisem approved these changes May 10, 2024
…l filter for egress proxies.

Turn off stateful filtering for egress proxies to allow cluster
traffic to be forwarded to tailnet.

Allow configuring stateful filter via tailscaled config file.

Deprecate EXPERIMENTAL_TS_CONFIGFILE_PATH env var and introduce a new
TS_EXPERIMENTAL_VERSIONED_CONFIG env var that can be used to provide
containerboot a directory that should contain one or more
tailscaled config files named cap-<tailscaled-cap-version>.hujson.
Containerboot will pick the one with the newest capability version
that is not newer than its current capability version.

Proxies with this change will not work with older Tailscale
Kubernetes operator versions - users must ensure that
the deployed operator is at the same version or newer (up to
4 version skew) than the proxies.

Updates #12061

Co-authored-by: Maisem Ali <maisem@tailscale.com>
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
irbekrm force-pushed the irbekrm/nostateful branch from 62e48bc to a507918 on May 10, 2024 15:22
Turn off stateful filtering for egress proxies to allow cluster
traffic to be forwarded to tailnet.
Allow configuring stateful filter via tailscaled config file.
Deprecate EXPERIMENTAL_TS_CONFIGFILE_PATH env var and introduce a new
TS_EXPERIMENTAL_VERSIONED_CONFIG env var that can be used to provide
containerboot a directory that should contain one or more
tailscaled config files named cap-<tailscaled-cap-version>.hujson.
Containerboot will pick the one with the newest capability version
that is not newer than its current capability version.
Proxies with this change will not work with older Tailscale
Kubernetes operator versions - users must ensure that
the deployed operator is at the same version or newer (up to
4 version skew) than the proxies.
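
The selection rule described above (pick the newest `cap-<tailscaled-cap-version>.hujson` that is not newer than the running capability version), as an added Go example. It is not containerboot's own code: the names `capFromName` and `pickConfig` are hypothetical, and the capability numbers in `main` are constructed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// capFromName strictly parses "cap-<N>.hujson"; "cap-96.hujson.bak" or "cap--1.hujson" are rejected.
func capFromName(name string) (int, bool) {
	digits := strings.TrimSuffix(strings.TrimPrefix(name, "cap-"), ".hujson")
	wellFormed := strings.HasPrefix(name, "cap-") && strings.HasSuffix(name, ".hujson")
	if !wellFormed || strings.Trim(digits, "0123456789") != "" {
		return 0, false
	}
	n, err := strconv.Atoi(digits) // fails on empty input and on overflow
	return n, err == nil
}

// pickConfig returns the config with the highest capability version <= current.
// Symlinked files (as in a mounted Secret volume) are accepted; directories are skipped.
func pickConfig(dir string, current int) (string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return "", err
	}
	best, bestName := -1, ""
	for _, e := range entries {
		n, ok := capFromName(e.Name())
		if e.IsDir() || !ok || n > current || n <= best {
			continue
		}
		best, bestName = n, e.Name()
	}
	if best < 0 {
		return "", fmt.Errorf("no config in %s usable at capability version %d", dir, current)
	}
	return filepath.Join(dir, bestName), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "caps") // constructed sample directory
	defer os.RemoveAll(dir)
	for _, n := range []string{"cap-94.hujson", "cap-95.hujson", "cap-97.hujson", "cap-96.hujson.bak"} {
		os.WriteFile(filepath.Join(dir, n), []byte("{}"), 0o600)
	}
	fmt.Println(pickConfig(dir, 96))
}
```

Returning an error when nothing qualifies, rather than falling back to a file written for a newer capability version, keeps a proxy from starting with settings it may not understand.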