// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause
//go:build !plan9
package kube
import (
"slices"
"time"
"go.uber.org/zap"
xslices "golang.org/x/exp/slices"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
"tailscale.com/tstime"
)
// SetConnectorCondition upserts a condition of type conditionType on the
// Connector's status, carrying the given status, reason, message and observed
// generation. The condition's LastTransitionTime is refreshed (from clock)
// only when the condition's status actually changes; a status change is
// also logged via logger.
func SetConnectorCondition(cn *tsapi.Connector, conditionType tsapi.ConnectorConditionType, status metav1.ConditionStatus, reason, message string, gen int64, clock tstime.Clock, logger *zap.SugaredLogger) {
	cn.Status.Conditions = updateCondition(cn.Status.Conditions, conditionType, status, reason, message, gen, clock, logger)
}
// RemoveConnectorCondition drops every condition of type conditionType from
// the Connector's status. It is a no-op when no such condition is present.
func RemoveConnectorCondition(conn *tsapi.Connector, conditionType tsapi.ConnectorConditionType) {
	hasType := func(c tsapi.ConnectorCondition) bool {
		return c.Type == conditionType
	}
	conn.Status.Conditions = slices.DeleteFunc(conn.Status.Conditions, hasType)
}
// SetProxyClassCondition upserts a condition of type conditionType on the
// ProxyClass's status, carrying the given status, reason, message and observed
// generation. The condition's LastTransitionTime is refreshed (from clock)
// only when the condition's status actually changes; a status change is
// also logged via logger.
func SetProxyClassCondition(pc *tsapi.ProxyClass, conditionType tsapi.ConnectorConditionType, status metav1.ConditionStatus, reason, message string, gen int64, clock tstime.Clock, logger *zap.SugaredLogger) {
	pc.Status.Conditions = updateCondition(pc.Status.Conditions, conditionType, status, reason, message, gen, clock, logger)
}
// SetDNSConfigCondition upserts a condition of type conditionType on the
// DNSConfig's status, carrying the given status, reason, message and observed
// generation. The condition's LastTransitionTime is refreshed (from clock)
// only when the condition's status actually changes; a status change is
// also logged via logger.
func SetDNSConfigCondition(dnsCfg *tsapi.DNSConfig, conditionType tsapi.ConnectorConditionType, status metav1.ConditionStatus, reason, message string, gen int64, clock tstime.Clock, logger *zap.SugaredLogger) {
	dnsCfg.Status.Conditions = updateCondition(dnsCfg.Status.Conditions, conditionType, status, reason, message, gen, clock, logger)
}
// updateCondition returns conds with the condition of type conditionType
// replaced by (or, if absent, extended with) a condition built from the given
// status, reason, message and observed generation.
//
// LastTransitionTime is taken from clock (truncated to whole seconds) when the
// condition is new or its status differs from the stored one; when the status
// is unchanged the previous LastTransitionTime is carried over so that a
// repeated reconcile does not look like a state transition. A status change is
// logged via logger.
//
// The returned slice may share its backing array with conds: an existing
// condition is overwritten in place, and only a new one triggers an append.
func updateCondition(conds []tsapi.ConnectorCondition, conditionType tsapi.ConnectorConditionType, status metav1.ConditionStatus, reason, message string, gen int64, clock tstime.Clock, logger *zap.SugaredLogger) []tsapi.ConnectorCondition {
	now := metav1.NewTime(clock.Now().Truncate(time.Second))
	updated := tsapi.ConnectorCondition{
		Type:               conditionType,
		Status:             status,
		Reason:             reason,
		Message:            message,
		ObservedGeneration: gen,
		LastTransitionTime: &now,
	}

	idx := slices.IndexFunc(conds, func(c tsapi.ConnectorCondition) bool {
		return c.Type == conditionType
	})
	if idx < 0 {
		// No condition of this type yet: append it as-is, with the fresh
		// transition time.
		return append(conds, updated)
	}

	prev := conds[idx]
	switch {
	case prev.Status == status:
		// Same status as before: this is not a transition, so keep the
		// timestamp of the last real one.
		updated.LastTransitionTime = prev.LastTransitionTime
	default:
		logger.Infof("Status change for condition %s from %s to %s", conditionType, prev.Status, status)
	}
	conds[idx] = updated
	return conds
}
// ProxyClassIsReady reports whether pc's status carries a ProxyClassready
// condition whose status is True and whose ObservedGeneration matches pc's
// current Generation. The generation check means a condition recorded for an
// older spec is not treated as readiness for the current one. Only the first
// ProxyClassready condition is consulted.
func ProxyClassIsReady(pc *tsapi.ProxyClass) bool {
	for _, c := range pc.Status.Conditions {
		if c.Type != tsapi.ProxyClassready {
			continue
		}
		return c.Status == metav1.ConditionTrue && c.ObservedGeneration == pc.Generation
	}
	return false
}
|
cmd/{k8s-nameserver,k8s-operator},k8s-operator: add a kube nameserver, make operator deploy it (#11017)
* cmd/k8s-nameserver,k8s-operator: add a nameserver that can resolve ts.net DNS names in cluster.
Adds a simple nameserver that can respond to A record queries for ts.net DNS names.
It can respond to queries from in-memory records, populated from a ConfigMap
mounted at /config. It dynamically updates its records as the ConfigMap
contents changes.
It will respond with NXDOMAIN to queries for any other record types
(AAAA to be implemented in the future).
It can respond to queries over UDP or TCP. It runs a miekg/dns
DNS server with a single registered handler for ts.net domain names.
Queries for other domain names will be refused.
The intended use of this is:
1) to allow non-tailnet cluster workloads to talk to HTTPS tailnet
services exposed via Tailscale operator egress over HTTPS
2) to allow non-tailnet cluster workloads to talk to workloads in
the same cluster that have been exposed to tailnet over their
MagicDNS names but on their cluster IPs.
Updates tailscale/tailscale#10499
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
* cmd/k8s-operator/deploy/crds,k8s-operator: add DNSConfig CustomResource Definition
DNSConfig CRD can be used to configure
the operator to deploy kube nameserver (./cmd/k8s-nameserver) to cluster.
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
* cmd/k8s-operator,k8s-operator: optionally reconcile nameserver resources
Adds a new reconciler that reconciles DNSConfig resources.
If a DNSConfig is deployed to cluster,
the reconciler creates kube nameserver resources.
This reconciler is only responsible for creating
nameserver resources and not for populating nameserver's records.
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
* cmd/{k8s-operator,k8s-nameserver}: generate DNSConfig CRD for charts, append to static manifests
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
---------
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-03-27 20:18:17 +00:00
|
|
|
|
|
|
|
// DNSCfgIsReady reports whether cfg's status carries a NameserverReady
// condition whose status is True and whose ObservedGeneration matches cfg's
// current Generation. The generation check means a condition recorded for an
// older spec is not treated as readiness for the current one. Only the first
// NameserverReady condition is consulted.
func DNSCfgIsReady(cfg *tsapi.DNSConfig) bool {
	for _, c := range cfg.Status.Conditions {
		if c.Type != tsapi.NameserverReady {
			continue
		}
		return c.Status == metav1.ConditionTrue && c.ObservedGeneration == cfg.Generation
	}
	return false
}