cmd/{k8s-operator,k8s-proxy},kube: use consistent type for auth mode config (#16626)

Updates k8s-proxy's config so its auth mode config matches that we set in kube-apiserver ProxyGroups for consistency. Updates #13358 Change-Id: I95e29cec6ded2dc7c6d2d03f968a25c822bc0e01 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
2025-08-14 15:07:55 +00:00 · 2025-07-22 14:46:38 +01:00
parent 6f7e78b10f
commit 22a8e0ac50
10 changed files with 99 additions and 48 deletions
--- a/cmd/k8s-operator/api-server-proxy.go
+++ b/cmd/k8s-operator/api-server-proxy.go
@@ -9,30 +9,12 @@ import (
 	"fmt"
 	"log"
 	"os"
+
+	"tailscale.com/kube/kubetypes"
+	"tailscale.com/types/ptr"
 )

-type apiServerProxyMode int
-
-func (a apiServerProxyMode) String() string {
-	switch a {
-	case apiServerProxyModeDisabled:
-		return "disabled"
-	case apiServerProxyModeEnabled:
-		return "auth"
-	case apiServerProxyModeNoAuth:
-		return "noauth"
-	default:
-		return "unknown"
-	}
-}
-
-const (
-	apiServerProxyModeDisabled apiServerProxyMode = iota
-	apiServerProxyModeEnabled
-	apiServerProxyModeNoAuth
-)
-
-func parseAPIProxyMode() apiServerProxyMode {
+func parseAPIProxyMode() *kubetypes.APIServerProxyMode {
 	haveAuthProxyEnv := os.Getenv("AUTH_PROXY") != ""
 	haveAPIProxyEnv := os.Getenv("APISERVER_PROXY") != ""
 	switch {
@@ -41,21 +23,21 @@ func parseAPIProxyMode() apiServerProxyMode {
 	case haveAuthProxyEnv:
 		var authProxyEnv = defaultBool("AUTH_PROXY", false) // deprecated
 		if authProxyEnv {
-			return apiServerProxyModeEnabled
+			return ptr.To(kubetypes.APIServerProxyModeAuth)
 		}
-		return apiServerProxyModeDisabled
+		return nil
 	case haveAPIProxyEnv:
 		var apiProxyEnv = defaultEnv("APISERVER_PROXY", "") // true, false or "noauth"
 		switch apiProxyEnv {
 		case "true":
-			return apiServerProxyModeEnabled
+			return ptr.To(kubetypes.APIServerProxyModeAuth)
 		case "false", "":
-			return apiServerProxyModeDisabled
+			return nil
 		case "noauth":
-			return apiServerProxyModeNoAuth
+			return ptr.To(kubetypes.APIServerProxyModeNoAuth)
 		default:
 			panic(fmt.Sprintf("unknown APISERVER_PROXY value %q", apiProxyEnv))
 		}
 	}
-	return apiServerProxyModeDisabled
+	return nil
 }
--- a/cmd/k8s-operator/operator.go
+++ b/cmd/k8s-operator/operator.go
@@ -113,7 +113,7 @@ func main() {
 	// additionally act as api-server proxy
 	// https://tailscale.com/kb/1236/kubernetes-operator/?q=kubernetes#accessing-the-kubernetes-control-plane-using-an-api-server-proxy.
 	mode := parseAPIProxyMode()
-	if mode == apiServerProxyModeDisabled {
+	if mode == nil {
 		hostinfo.SetApp(kubetypes.AppOperator)
 	} else {
 		hostinfo.SetApp(kubetypes.AppInProcessAPIServerProxy)
@@ -122,8 +122,8 @@ func main() {
 	s, tsc := initTSNet(zlog, loginServer)
 	defer s.Close()
 	restConfig := config.GetConfigOrDie()
-	if mode != apiServerProxyModeDisabled {
-		ap, err := apiproxy.NewAPIServerProxy(zlog, restConfig, s, mode == apiServerProxyModeEnabled, true)
+	if mode != nil {
+		ap, err := apiproxy.NewAPIServerProxy(zlog, restConfig, s, *mode, true)
 		if err != nil {
 			zlog.Fatalf("error creating API server proxy: %v", err)
 		}
--- a/cmd/k8s-operator/proxygroup.go
+++ b/cmd/k8s-operator/proxygroup.go
@@ -805,6 +805,10 @@ func (r *ProxyGroupReconciler) ensureConfigSecretsCreated(ctx context.Context, p
 				}
 			}

+			mode := kubetypes.APIServerProxyModeAuth
+			if !isAuthAPIServerProxy(pg) {
+				mode = kubetypes.APIServerProxyModeNoAuth
+			}
 			cfg := conf.VersionedConfig{
 				Version: "v1alpha1",
 				ConfigV1Alpha1: &conf.ConfigV1Alpha1{
@@ -816,8 +820,8 @@ func (r *ProxyGroupReconciler) ensureConfigSecretsCreated(ctx context.Context, p
 					// Reloadable fields.
 					Hostname: &hostname,
 					APIServerProxy: &conf.APIServerProxyConfig{
-						Enabled:  opt.NewBool(true),
-						AuthMode: opt.NewBool(isAuthAPIServerProxy(pg)),
+						Enabled: opt.NewBool(true),
+						Mode:    &mode,
 						// The first replica is elected as the cert issuer, same
 						// as containerboot does for ingress-pg-reconciler.
 						IssueCerts: opt.NewBool(i == 0),
--- a/cmd/k8s-operator/proxygroup_test.go
+++ b/cmd/k8s-operator/proxygroup_test.go
@@ -1376,7 +1376,7 @@ func TestKubeAPIServerType_DoesNotOverwriteServicesConfig(t *testing.T) {
 			Hostname: ptr.To("test-k8s-apiserver-0"),
 			APIServerProxy: &conf.APIServerProxyConfig{
 				Enabled:    opt.NewBool(true),
-				AuthMode:   opt.NewBool(false),
+				Mode:       ptr.To(kubetypes.APIServerProxyModeNoAuth),
 				IssueCerts: opt.NewBool(true),
 			},
 		},