cm/k8s-operator,cmd/containerboot: fix STS config, more tests (#9155)

Ensures that Statefulset reconciler config has only one of Cluster target IP or tailnet target IP. Adds a test case for containerboot egress proxy mode. Updates tailscale/tailscale#8184 Signed-off-by: irbekrm <irbekrm@gmail.com>
2025-02-18 02:48:40 +00:00 · 2023-08-30 14:22:06 +01:00 · 2023-08-30 14:22:06 +01:00 · 17438a98c0
commit 17438a98c0
parent 29a35d4a5d
2 changed files with 31 additions and 3 deletions
--- a/cmd/containerboot/main_test.go
+++ b/cmd/containerboot/main_test.go
@ -312,7 +312,7 @@ func TestContainerBoot(t *testing.T) {
 			},
 		},
 		{
-			Name: "proxy",
+			Name: "ingres proxy",
 			Env: map[string]string{
 				"TS_AUTHKEY":   "tskey-key",
 				"TS_DEST_IP":   "1.2.3.4",
@ -334,6 +334,30 @@ func TestContainerBoot(t *testing.T) {
 				},
 			},
 		},
+		{
+			Name: "egress proxy",
+			Env: map[string]string{
+				"TS_AUTHKEY":           "tskey-key",
+				"TS_TAILNET_TARGET_IP": "100.99.99.99",
+				"TS_USERSPACE":         "false",
+			},
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
+					},
+				},
+				{
+					Notify: runningNotify,
+					WantCmds: []string{
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
+						"/usr/bin/iptables -t nat -I PREROUTING 1 ! -i tailscale0 -j DNAT --to-destination 100.99.99.99",
+						"/usr/bin/iptables -t nat -I POSTROUTING 1 --destination 100.99.99.99 -j SNAT --to-source 100.64.0.1",
+					},
+				},
+			},
+		},
 		{
 			Name: "authkey_once",
 			Env: map[string]string{
--- a/cmd/k8s-operator/svc.go
+++ b/cmd/k8s-operator/svc.go
@ -125,11 +125,15 @@ func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 	sts := &tailscaleSTSConfig{
 		ParentResourceName:  svc.Name,
 		ParentResourceUID:   string(svc.UID),
-		ClusterTargetIP:     svc.Spec.ClusterIP,
 		Hostname:            hostname,
 		Tags:                tags,
 		ChildResourceLabels: crl,
-		TailnetTargetIP:     svc.Annotations[AnnotationTailnetTargetIP],
+	}
+
+	if a.shouldExpose(svc) {
+		sts.ClusterTargetIP = svc.Spec.ClusterIP
+	} else if a.hasTailnetTargetAnnotation(svc) {
+		sts.TailnetTargetIP = svc.Annotations[AnnotationTailnetTargetIP]
 	}

 	var hsvc *corev1.Service