tailscale/cmd/k8s-operator/deploy/manifests/proxy.yaml

# This file is not a complete manifest, it's a skeleton that the operator embeds
# at build time and then uses to construct Tailscale proxy pods.
apiVersion: apps/v1
kind: StatefulSet
metadata: {}
spec:
  replicas: 1
  template:
    metadata:
      deletionGracePeriodSeconds: 10
    spec:
      serviceAccountName: proxies
      initContainers:
        - name: sysctler
          securityContext:
            privileged: true
          command: ["/bin/sh"]
          args:
            - -c
            - sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
      resources:
        requests:
          cpu: 1m
          memory: 1Mi
      containers:
        - name: tailscale
          imagePullPolicy: Always
          env:
            - name: TS_USERSPACE
              value: "false"
            - name: TS_AUTH_ONCE
              value: "true"
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
cmd/k8s-operator: add a kubernetes operator. This was initially developed in a separate repo, but for build/release reasons and because go module management limits the damage of importing k8s things now, moving it into this repo. At time of commit, the operator enables exposing services over tailscale, with the 'tailscale' loadBalancerClass. It also currently requires an unreleased feature to access the Tailscale API, so is not usable yet. Updates #502. Signed-off-by: David Anderson <danderson@tailscale.com> 2022-12-12 19:15:34 +00:00			`# This file is not a complete manifest, it's a skeleton that the operator embeds`
			`# at build time and then uses to construct Tailscale proxy pods.`
			`apiVersion: apps/v1`
			`kind: StatefulSet`
cmd/k8s-operator: add support for Ingress resources Previously, the operator would only monitor Services and create a Tailscale StatefulSet which acted as a L3 proxy which proxied traffic inbound to the Tailscale IP onto the services ClusterIP. This extends that functionality to also monitor Ingress resources where the `ingressClassName=tailscale` and similarly creates a Tailscale StatefulSet, acting as a L7 proxy instead. Users can override the desired hostname by setting: ``` - tls hosts: - "foo" ``` Hostnames specified under `rules` are ignored as we only create a single host. This is emitted as an event for users to see. Fixes #7895 Signed-off-by: Maisem Ali <maisem@tailscale.com> 2023-08-24 19:18:17 +00:00			`metadata: {}`
cmd/k8s-operator: add a kubernetes operator. This was initially developed in a separate repo, but for build/release reasons and because go module management limits the damage of importing k8s things now, moving it into this repo. At time of commit, the operator enables exposing services over tailscale, with the 'tailscale' loadBalancerClass. It also currently requires an unreleased feature to access the Tailscale API, so is not usable yet. Updates #502. Signed-off-by: David Anderson <danderson@tailscale.com> 2022-12-12 19:15:34 +00:00			`spec:`
			`replicas: 1`
			`template:`
			`metadata:`
			`deletionGracePeriodSeconds: 10`
			`spec:`
			`serviceAccountName: proxies`
			`initContainers:`
			`- name: sysctler`
			`securityContext:`
			`privileged: true`
			`command: ["/bin/sh"]`
			`args:`
			`- -c`
			`- sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1`
			`resources:`
			`requests:`
			`cpu: 1m`
			`memory: 1Mi`
			`containers:`
			`- name: tailscale`
			`imagePullPolicy: Always`
			`env:`
			`- name: TS_USERSPACE`
			`value: "false"`
			`- name: TS_AUTH_ONCE`
			`value: "true"`
cmd/{containerboot,k8s-operator/deploy/manifests}: optionally allow proxying cluster traffic to a cluster target via ingress proxy (#11036) * cmd/containerboot,cmd/k8s-operator/deploy/manifests: optionally forward cluster traffic via ingress proxy. If a tailscale Ingress has tailscale.com/experimental-forward-cluster-traffic-via-ingress annotation, configure the associated ingress proxy to have its tailscale serve proxy to listen on Pod's IP address. This ensures that cluster traffic too can be forwarded via this proxy to the ingress backend(s). In containerboot, if EXPERIMENTAL_PROXY_CLUSTER_TRAFFIC_VIA_INGRESS is set to true and the node is Kubernetes operator ingress proxy configured via Ingress, make sure that traffic from within the cluster can be proxied to the ingress target. Updates tailscale/tailscale#10499 Signed-off-by: Irbe Krumina <irbe@tailscale.com> 2024-02-08 06:45:42 +00:00			`- name: POD_IP`
			`valueFrom:`
			`fieldRef:`
			`fieldPath: status.podIP`
cmd/k8s-operator: add a kubernetes operator. This was initially developed in a separate repo, but for build/release reasons and because go module management limits the damage of importing k8s things now, moving it into this repo. At time of commit, the operator enables exposing services over tailscale, with the 'tailscale' loadBalancerClass. It also currently requires an unreleased feature to access the Tailscale API, so is not usable yet. Updates #502. Signed-off-by: David Anderson <danderson@tailscale.com> 2022-12-12 19:15:34 +00:00			`securityContext:`
			`capabilities:`
			`add:`
			`- NET_ADMIN`