cmd/{k8s-operator,k8s-proxy},kube: use consistent type for auth mode config (#16626)

Updates k8s-proxy's config so its auth mode config matches that we set in kube-apiserver ProxyGroups for consistency. Updates #13358 Change-Id: I95e29cec6ded2dc7c6d2d03f968a25c822bc0e01 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
2025-08-14 06:57:31 +00:00 · 2025-07-22 14:46:38 +01:00
parent 6f7e78b10f
commit 22a8e0ac50
10 changed files with 99 additions and 48 deletions
--- a/kube/k8s-proxy/conf/conf.go
+++ b/kube/k8s-proxy/conf/conf.go
@@ -14,6 +14,7 @@ import (
 	"net/netip"

 	"github.com/tailscale/hujson"
+	"tailscale.com/kube/kubetypes"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/opt"
 )
@@ -66,10 +67,10 @@ type ConfigV1Alpha1 struct {
 }

 type APIServerProxyConfig struct {
-	Enabled     opt.Bool             `json:",omitempty"` // Whether to enable the API Server proxy.
-	AuthMode    opt.Bool             `json:",omitempty"` // Run in auth or noauth mode.
-	ServiceName *tailcfg.ServiceName `json:",omitempty"` // Name of the Tailscale Service to advertise.
-	IssueCerts  opt.Bool             `json:",omitempty"` // Whether this replica should issue TLS certs for the Tailscale Service.
+	Enabled     opt.Bool                      `json:",omitempty"` // Whether to enable the API Server proxy.
+	Mode        *kubetypes.APIServerProxyMode `json:",omitempty"` // "auth" or "noauth" mode.
+	ServiceName *tailcfg.ServiceName          `json:",omitempty"` // Name of the Tailscale Service to advertise.
+	IssueCerts  opt.Bool                      `json:",omitempty"` // Whether this replica should issue TLS certs for the Tailscale Service.
 }

 // Load reads and parses the config file at the provided path on disk.
--- a/kube/kubetypes/types.go
+++ b/kube/kubetypes/types.go
@@ -3,6 +3,8 @@

 package kubetypes

+import "fmt"
+
 const (
 	// Hostinfo App values for the Tailscale Kubernetes Operator components.
 	AppOperator                = "k8s-operator"
@@ -59,5 +61,24 @@ const (
 	LabelSecretTypeState  = "state"
 	LabelSecretTypeCerts  = "certs"

-	KubeAPIServerConfigFile = "config.hujson"
+	KubeAPIServerConfigFile                     = "config.hujson"
+	APIServerProxyModeAuth   APIServerProxyMode = "auth"
+	APIServerProxyModeNoAuth APIServerProxyMode = "noauth"
 )
+
+// APIServerProxyMode specifies whether the API server proxy will add
+// impersonation headers to requests based on the caller's Tailscale identity.
+// May be "auth" or "noauth".
+type APIServerProxyMode string
+
+func (a *APIServerProxyMode) UnmarshalJSON(data []byte) error {
+	switch string(data) {
+	case `"auth"`:
+		*a = APIServerProxyModeAuth
+	case `"noauth"`:
+		*a = APIServerProxyModeNoAuth
+	default:
+		return fmt.Errorf("unknown APIServerProxyMode %q", data)
+	}
+	return nil
+}
--- a/kube/kubetypes/types_test.go
+++ b/kube/kubetypes/types_test.go
@@ -0,0 +1,42 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package kubetypes
+
+import (
+	"encoding/json"
+	"testing"
+)
+
+func TestUnmarshalAPIServerProxyMode(t *testing.T) {
+	tests := []struct {
+		data     string
+		expected APIServerProxyMode
+	}{
+		{data: `{"mode":"auth"}`, expected: APIServerProxyModeAuth},
+		{data: `{"mode":"noauth"}`, expected: APIServerProxyModeNoAuth},
+		{data: `{"mode":""}`, expected: ""},
+		{data: `{"mode":"Auth"}`, expected: ""},
+		{data: `{"mode":"unknown"}`, expected: ""},
+	}
+
+	for _, tc := range tests {
+		var s struct {
+			Mode *APIServerProxyMode `json:",omitempty"`
+		}
+		err := json.Unmarshal([]byte(tc.data), &s)
+		if tc.expected == "" {
+			if err == nil {
+				t.Errorf("expected error for %q, got none", tc.data)
+			}
+			continue
+		}
+		if err != nil {
+			t.Errorf("unexpected error for %q: %v", tc.data, err)
+			continue
+		}
+		if *s.Mode != tc.expected {
+			t.Errorf("for %q expected %q, got %q", tc.data, tc.expected, *s.Mode)
+		}
+	}
+}