mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-29 04:55:31 +00:00
cmd/k8s-operator,k8s-operator: use default ProxyClass if set for ProxyGroup (#13720)
The default ProxyClass can be set via helm chart or env var, and applies to all proxies that do not otherwise have an explicit ProxyClass set. This ensures proxies created by the new ProxyGroup CRD are consistent with the behaviour of existing proxies Nearby but unrelated changes: * Fix up double error logs (controller runtime logs returned errors) * Fix a couple of variable names Updates #13406 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
This commit is contained in:
parent
cba2e76568
commit
36cb2e4e5f
@ -278,7 +278,7 @@ func TestConnectorWithProxyClass(t *testing.T) {
|
|||||||
pc.Status = tsapi.ProxyClassStatus{
|
pc.Status = tsapi.ProxyClassStatus{
|
||||||
Conditions: []metav1.Condition{{
|
Conditions: []metav1.Condition{{
|
||||||
Status: metav1.ConditionTrue,
|
Status: metav1.ConditionTrue,
|
||||||
Type: string(tsapi.ProxyClassready),
|
Type: string(tsapi.ProxyClassReady),
|
||||||
ObservedGeneration: pc.Generation,
|
ObservedGeneration: pc.Generation,
|
||||||
}}}
|
}}}
|
||||||
})
|
})
|
||||||
|
@ -80,7 +80,7 @@ proxyConfig:
|
|||||||
firewallMode: auto
|
firewallMode: auto
|
||||||
# If defined, this proxy class will be used as the default proxy class for
|
# If defined, this proxy class will be used as the default proxy class for
|
||||||
# service and ingress resources that do not have a proxy class defined. It
|
# service and ingress resources that do not have a proxy class defined. It
|
||||||
# does not apply to Connector and ProxyGroup resources.
|
# does not apply to Connector resources.
|
||||||
defaultProxyClass: ""
|
defaultProxyClass: ""
|
||||||
|
|
||||||
# apiServerProxyConfig allows to configure whether the operator should expose
|
# apiServerProxyConfig allows to configure whether the operator should expose
|
||||||
|
@ -63,8 +63,9 @@ spec:
|
|||||||
description: |-
|
description: |-
|
||||||
ProxyClass is the name of the ProxyClass custom resource that contains
|
ProxyClass is the name of the ProxyClass custom resource that contains
|
||||||
configuration options that should be applied to the resources created
|
configuration options that should be applied to the resources created
|
||||||
for this ProxyGroup. If unset, the operator will create resources with
|
for this ProxyGroup. If unset, and there is no default ProxyClass
|
||||||
the default configuration.
|
configured, the operator will create resources with the default
|
||||||
|
configuration.
|
||||||
type: string
|
type: string
|
||||||
replicas:
|
replicas:
|
||||||
description: |-
|
description: |-
|
||||||
|
@ -2475,8 +2475,9 @@ spec:
|
|||||||
description: |-
|
description: |-
|
||||||
ProxyClass is the name of the ProxyClass custom resource that contains
|
ProxyClass is the name of the ProxyClass custom resource that contains
|
||||||
configuration options that should be applied to the resources created
|
configuration options that should be applied to the resources created
|
||||||
for this ProxyGroup. If unset, the operator will create resources with
|
for this ProxyGroup. If unset, and there is no default ProxyClass
|
||||||
the default configuration.
|
configured, the operator will create resources with the default
|
||||||
|
configuration.
|
||||||
type: string
|
type: string
|
||||||
replicas:
|
replicas:
|
||||||
description: |-
|
description: |-
|
||||||
|
@ -48,7 +48,7 @@ type IngressReconciler struct {
|
|||||||
// managing. This is only used for metrics.
|
// managing. This is only used for metrics.
|
||||||
managedIngresses set.Slice[types.UID]
|
managedIngresses set.Slice[types.UID]
|
||||||
|
|
||||||
proxyDefaultClass string
|
defaultProxyClass string
|
||||||
}
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
@ -136,7 +136,7 @@ func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
proxyClass := proxyClassForObject(ing, a.proxyDefaultClass)
|
proxyClass := proxyClassForObject(ing, a.defaultProxyClass)
|
||||||
if proxyClass != "" {
|
if proxyClass != "" {
|
||||||
if ready, err := proxyClassIsReady(ctx, proxyClass, a.Client); err != nil {
|
if ready, err := proxyClassIsReady(ctx, proxyClass, a.Client); err != nil {
|
||||||
return fmt.Errorf("error verifying ProxyClass for Ingress: %w", err)
|
return fmt.Errorf("error verifying ProxyClass for Ingress: %w", err)
|
||||||
|
@ -253,7 +253,7 @@ func TestTailscaleIngressWithProxyClass(t *testing.T) {
|
|||||||
pc.Status = tsapi.ProxyClassStatus{
|
pc.Status = tsapi.ProxyClassStatus{
|
||||||
Conditions: []metav1.Condition{{
|
Conditions: []metav1.Condition{{
|
||||||
Status: metav1.ConditionTrue,
|
Status: metav1.ConditionTrue,
|
||||||
Type: string(tsapi.ProxyClassready),
|
Type: string(tsapi.ProxyClassReady),
|
||||||
ObservedGeneration: pc.Generation,
|
ObservedGeneration: pc.Generation,
|
||||||
}}}
|
}}}
|
||||||
})
|
})
|
||||||
|
@ -109,7 +109,7 @@ func main() {
|
|||||||
proxyActAsDefaultLoadBalancer: isDefaultLoadBalancer,
|
proxyActAsDefaultLoadBalancer: isDefaultLoadBalancer,
|
||||||
proxyTags: tags,
|
proxyTags: tags,
|
||||||
proxyFirewallMode: tsFirewallMode,
|
proxyFirewallMode: tsFirewallMode,
|
||||||
proxyDefaultClass: defaultProxyClass,
|
defaultProxyClass: defaultProxyClass,
|
||||||
}
|
}
|
||||||
runReconcilers(rOpts)
|
runReconcilers(rOpts)
|
||||||
}
|
}
|
||||||
@ -286,7 +286,7 @@ func runReconcilers(opts reconcilerOpts) {
|
|||||||
recorder: eventRecorder,
|
recorder: eventRecorder,
|
||||||
tsNamespace: opts.tailscaleNamespace,
|
tsNamespace: opts.tailscaleNamespace,
|
||||||
clock: tstime.DefaultClock{},
|
clock: tstime.DefaultClock{},
|
||||||
proxyDefaultClass: opts.proxyDefaultClass,
|
defaultProxyClass: opts.defaultProxyClass,
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
startlog.Fatalf("could not create service reconciler: %v", err)
|
startlog.Fatalf("could not create service reconciler: %v", err)
|
||||||
@ -309,7 +309,7 @@ func runReconcilers(opts reconcilerOpts) {
|
|||||||
recorder: eventRecorder,
|
recorder: eventRecorder,
|
||||||
Client: mgr.GetClient(),
|
Client: mgr.GetClient(),
|
||||||
logger: opts.log.Named("ingress-reconciler"),
|
logger: opts.log.Named("ingress-reconciler"),
|
||||||
proxyDefaultClass: opts.proxyDefaultClass,
|
defaultProxyClass: opts.defaultProxyClass,
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
startlog.Fatalf("could not create ingress reconciler: %v", err)
|
startlog.Fatalf("could not create ingress reconciler: %v", err)
|
||||||
@ -480,6 +480,7 @@ func runReconcilers(opts reconcilerOpts) {
|
|||||||
proxyImage: opts.proxyImage,
|
proxyImage: opts.proxyImage,
|
||||||
defaultTags: strings.Split(opts.proxyTags, ","),
|
defaultTags: strings.Split(opts.proxyTags, ","),
|
||||||
tsFirewallMode: opts.proxyFirewallMode,
|
tsFirewallMode: opts.proxyFirewallMode,
|
||||||
|
defaultProxyClass: opts.defaultProxyClass,
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
startlog.Fatalf("could not create ProxyGroup reconciler: %v", err)
|
startlog.Fatalf("could not create ProxyGroup reconciler: %v", err)
|
||||||
@ -525,10 +526,10 @@ type reconcilerOpts struct {
|
|||||||
// Auto is usually the best choice, unless you want to explicitly set
|
// Auto is usually the best choice, unless you want to explicitly set
|
||||||
// specific mode for debugging purposes.
|
// specific mode for debugging purposes.
|
||||||
proxyFirewallMode string
|
proxyFirewallMode string
|
||||||
// proxyDefaultClass is the name of the ProxyClass to use as the default
|
// defaultProxyClass is the name of the ProxyClass to use as the default
|
||||||
// class for proxies that do not have a ProxyClass set.
|
// class for proxies that do not have a ProxyClass set.
|
||||||
// this is defined by an operator env variable.
|
// this is defined by an operator env variable.
|
||||||
proxyDefaultClass string
|
defaultProxyClass string
|
||||||
}
|
}
|
||||||
|
|
||||||
// enqueueAllIngressEgressProxySvcsinNS returns a reconcile request for each
|
// enqueueAllIngressEgressProxySvcsinNS returns a reconcile request for each
|
||||||
|
@ -1064,7 +1064,7 @@ func TestProxyClassForService(t *testing.T) {
|
|||||||
pc.Status = tsapi.ProxyClassStatus{
|
pc.Status = tsapi.ProxyClassStatus{
|
||||||
Conditions: []metav1.Condition{{
|
Conditions: []metav1.Condition{{
|
||||||
Status: metav1.ConditionTrue,
|
Status: metav1.ConditionTrue,
|
||||||
Type: string(tsapi.ProxyClassready),
|
Type: string(tsapi.ProxyClassReady),
|
||||||
ObservedGeneration: pc.Generation,
|
ObservedGeneration: pc.Generation,
|
||||||
}}}
|
}}}
|
||||||
})
|
})
|
||||||
|
@ -98,9 +98,9 @@ func (pcr *ProxyClassReconciler) Reconcile(ctx context.Context, req reconcile.Re
|
|||||||
if errs := pcr.validate(pc); errs != nil {
|
if errs := pcr.validate(pc); errs != nil {
|
||||||
msg := fmt.Sprintf(messageProxyClassInvalid, errs.ToAggregate().Error())
|
msg := fmt.Sprintf(messageProxyClassInvalid, errs.ToAggregate().Error())
|
||||||
pcr.recorder.Event(pc, corev1.EventTypeWarning, reasonProxyClassInvalid, msg)
|
pcr.recorder.Event(pc, corev1.EventTypeWarning, reasonProxyClassInvalid, msg)
|
||||||
tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassready, metav1.ConditionFalse, reasonProxyClassInvalid, msg, pc.Generation, pcr.clock, logger)
|
tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassReady, metav1.ConditionFalse, reasonProxyClassInvalid, msg, pc.Generation, pcr.clock, logger)
|
||||||
} else {
|
} else {
|
||||||
tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassready, metav1.ConditionTrue, reasonProxyClassValid, reasonProxyClassValid, pc.Generation, pcr.clock, logger)
|
tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassReady, metav1.ConditionTrue, reasonProxyClassValid, reasonProxyClassValid, pc.Generation, pcr.clock, logger)
|
||||||
}
|
}
|
||||||
if !apiequality.Semantic.DeepEqual(oldPCStatus, pc.Status) {
|
if !apiequality.Semantic.DeepEqual(oldPCStatus, pc.Status) {
|
||||||
if err := pcr.Client.Status().Update(ctx, pc); err != nil {
|
if err := pcr.Client.Status().Update(ctx, pc); err != nil {
|
||||||
|
@ -69,7 +69,7 @@ func TestProxyClass(t *testing.T) {
|
|||||||
// 1. A valid ProxyClass resource gets its status updated to Ready.
|
// 1. A valid ProxyClass resource gets its status updated to Ready.
|
||||||
expectReconciled(t, pcr, "", "test")
|
expectReconciled(t, pcr, "", "test")
|
||||||
pc.Status.Conditions = append(pc.Status.Conditions, metav1.Condition{
|
pc.Status.Conditions = append(pc.Status.Conditions, metav1.Condition{
|
||||||
Type: string(tsapi.ProxyClassready),
|
Type: string(tsapi.ProxyClassReady),
|
||||||
Status: metav1.ConditionTrue,
|
Status: metav1.ConditionTrue,
|
||||||
Reason: reasonProxyClassValid,
|
Reason: reasonProxyClassValid,
|
||||||
Message: reasonProxyClassValid,
|
Message: reasonProxyClassValid,
|
||||||
@ -85,7 +85,7 @@ func TestProxyClass(t *testing.T) {
|
|||||||
})
|
})
|
||||||
expectReconciled(t, pcr, "", "test")
|
expectReconciled(t, pcr, "", "test")
|
||||||
msg := `ProxyClass is not valid: .spec.statefulSet.labels: Invalid value: "?!someVal": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')`
|
msg := `ProxyClass is not valid: .spec.statefulSet.labels: Invalid value: "?!someVal": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')`
|
||||||
tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassready, metav1.ConditionFalse, reasonProxyClassInvalid, msg, 0, cl, zl.Sugar())
|
tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassReady, metav1.ConditionFalse, reasonProxyClassInvalid, msg, 0, cl, zl.Sugar())
|
||||||
expectEqual(t, fc, pc, nil)
|
expectEqual(t, fc, pc, nil)
|
||||||
expectedEvent := "Warning ProxyClassInvalid ProxyClass is not valid: .spec.statefulSet.labels: Invalid value: \"?!someVal\": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')"
|
expectedEvent := "Warning ProxyClassInvalid ProxyClass is not valid: .spec.statefulSet.labels: Invalid value: \"?!someVal\": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')"
|
||||||
expectEvents(t, fr, []string{expectedEvent})
|
expectEvents(t, fr, []string{expectedEvent})
|
||||||
@ -99,7 +99,7 @@ func TestProxyClass(t *testing.T) {
|
|||||||
})
|
})
|
||||||
expectReconciled(t, pcr, "", "test")
|
expectReconciled(t, pcr, "", "test")
|
||||||
msg = `ProxyClass is not valid: spec.statefulSet.pod.tailscaleContainer.image: Invalid value: "FOO bar": invalid reference format: repository name (library/FOO bar) must be lowercase`
|
msg = `ProxyClass is not valid: spec.statefulSet.pod.tailscaleContainer.image: Invalid value: "FOO bar": invalid reference format: repository name (library/FOO bar) must be lowercase`
|
||||||
tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassready, metav1.ConditionFalse, reasonProxyClassInvalid, msg, 0, cl, zl.Sugar())
|
tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassReady, metav1.ConditionFalse, reasonProxyClassInvalid, msg, 0, cl, zl.Sugar())
|
||||||
expectEqual(t, fc, pc, nil)
|
expectEqual(t, fc, pc, nil)
|
||||||
expectedEvent = `Warning ProxyClassInvalid ProxyClass is not valid: spec.statefulSet.pod.tailscaleContainer.image: Invalid value: "FOO bar": invalid reference format: repository name (library/FOO bar) must be lowercase`
|
expectedEvent = `Warning ProxyClassInvalid ProxyClass is not valid: spec.statefulSet.pod.tailscaleContainer.image: Invalid value: "FOO bar": invalid reference format: repository name (library/FOO bar) must be lowercase`
|
||||||
expectEvents(t, fr, []string{expectedEvent})
|
expectEvents(t, fr, []string{expectedEvent})
|
||||||
@ -118,7 +118,7 @@ func TestProxyClass(t *testing.T) {
|
|||||||
})
|
})
|
||||||
expectReconciled(t, pcr, "", "test")
|
expectReconciled(t, pcr, "", "test")
|
||||||
msg = `ProxyClass is not valid: spec.statefulSet.pod.tailscaleInitContainer.image: Invalid value: "FOO bar": invalid reference format: repository name (library/FOO bar) must be lowercase`
|
msg = `ProxyClass is not valid: spec.statefulSet.pod.tailscaleInitContainer.image: Invalid value: "FOO bar": invalid reference format: repository name (library/FOO bar) must be lowercase`
|
||||||
tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassready, metav1.ConditionFalse, reasonProxyClassInvalid, msg, 0, cl, zl.Sugar())
|
tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassReady, metav1.ConditionFalse, reasonProxyClassInvalid, msg, 0, cl, zl.Sugar())
|
||||||
expectEqual(t, fc, pc, nil)
|
expectEqual(t, fc, pc, nil)
|
||||||
expectedEvent = `Warning ProxyClassInvalid ProxyClass is not valid: spec.statefulSet.pod.tailscaleInitContainer.image: Invalid value: "FOO bar": invalid reference format: repository name (library/FOO bar) must be lowercase`
|
expectedEvent = `Warning ProxyClassInvalid ProxyClass is not valid: spec.statefulSet.pod.tailscaleInitContainer.image: Invalid value: "FOO bar": invalid reference format: repository name (library/FOO bar) must be lowercase`
|
||||||
expectEvents(t, fr, []string{expectedEvent})
|
expectEvents(t, fr, []string{expectedEvent})
|
||||||
|
@ -62,6 +62,7 @@ type ProxyGroupReconciler struct {
|
|||||||
proxyImage string
|
proxyImage string
|
||||||
defaultTags []string
|
defaultTags []string
|
||||||
tsFirewallMode string
|
tsFirewallMode string
|
||||||
|
defaultProxyClass string
|
||||||
|
|
||||||
mu sync.Mutex // protects following
|
mu sync.Mutex // protects following
|
||||||
proxyGroups set.Slice[types.UID] // for proxygroups gauge
|
proxyGroups set.Slice[types.UID] // for proxygroups gauge
|
||||||
@ -125,24 +126,42 @@ func (r *ProxyGroupReconciler) Reconcile(ctx context.Context, req reconcile.Requ
|
|||||||
// operation is underway.
|
// operation is underway.
|
||||||
logger.Infof("ensuring ProxyGroup is set up")
|
logger.Infof("ensuring ProxyGroup is set up")
|
||||||
pg.Finalizers = append(pg.Finalizers, FinalizerName)
|
pg.Finalizers = append(pg.Finalizers, FinalizerName)
|
||||||
if err := r.Update(ctx, pg); err != nil {
|
if err = r.Update(ctx, pg); err != nil {
|
||||||
logger.Errorf("error adding finalizer: %w", err)
|
err = fmt.Errorf("error adding finalizer: %w", err)
|
||||||
return setStatusReady(pg, metav1.ConditionFalse, reasonProxyGroupCreationFailed, reasonProxyGroupCreationFailed)
|
return setStatusReady(pg, metav1.ConditionFalse, reasonProxyGroupCreationFailed, reasonProxyGroupCreationFailed)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := r.validate(pg); err != nil {
|
if err = r.validate(pg); err != nil {
|
||||||
logger.Errorf("error validating ProxyGroup spec: %w", err)
|
|
||||||
message := fmt.Sprintf("ProxyGroup is invalid: %s", err)
|
message := fmt.Sprintf("ProxyGroup is invalid: %s", err)
|
||||||
r.recorder.Eventf(pg, corev1.EventTypeWarning, reasonProxyGroupInvalid, message)
|
r.recorder.Eventf(pg, corev1.EventTypeWarning, reasonProxyGroupInvalid, message)
|
||||||
return setStatusReady(pg, metav1.ConditionFalse, reasonProxyGroupInvalid, message)
|
return setStatusReady(pg, metav1.ConditionFalse, reasonProxyGroupInvalid, message)
|
||||||
}
|
}
|
||||||
|
|
||||||
if err = r.maybeProvision(ctx, pg); err != nil {
|
proxyClassName := r.defaultProxyClass
|
||||||
logger.Errorf("error provisioning ProxyGroup resources: %w", err)
|
if pg.Spec.ProxyClass != "" {
|
||||||
message := fmt.Sprintf("failed provisioning ProxyGroup: %s", err)
|
proxyClassName = pg.Spec.ProxyClass
|
||||||
r.recorder.Eventf(pg, corev1.EventTypeWarning, reasonProxyGroupCreationFailed, message)
|
}
|
||||||
return setStatusReady(pg, metav1.ConditionFalse, reasonProxyGroupCreationFailed, message)
|
|
||||||
|
var proxyClass *tsapi.ProxyClass
|
||||||
|
if proxyClassName != "" {
|
||||||
|
proxyClass = new(tsapi.ProxyClass)
|
||||||
|
if err = r.Get(ctx, types.NamespacedName{Name: proxyClassName}, proxyClass); err != nil {
|
||||||
|
err = fmt.Errorf("error getting ProxyGroup's ProxyClass %s: %s", proxyClassName, err)
|
||||||
|
r.recorder.Eventf(pg, corev1.EventTypeWarning, reasonProxyGroupCreationFailed, err.Error())
|
||||||
|
return setStatusReady(pg, metav1.ConditionFalse, reasonProxyGroupCreationFailed, err.Error())
|
||||||
|
}
|
||||||
|
if !tsoperator.ProxyClassIsReady(proxyClass) {
|
||||||
|
message := fmt.Sprintf("the ProxyGroup's ProxyClass %s is not yet in a ready state, waiting...", proxyClassName)
|
||||||
|
logger.Info(message)
|
||||||
|
return setStatusReady(pg, metav1.ConditionFalse, reasonProxyGroupCreating, message)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if err = r.maybeProvision(ctx, pg, proxyClass); err != nil {
|
||||||
|
err = fmt.Errorf("error provisioning ProxyGroup resources: %w", err)
|
||||||
|
r.recorder.Eventf(pg, corev1.EventTypeWarning, reasonProxyGroupCreationFailed, err.Error())
|
||||||
|
return setStatusReady(pg, metav1.ConditionFalse, reasonProxyGroupCreationFailed, err.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
desiredReplicas := int(pgReplicas(pg))
|
desiredReplicas := int(pgReplicas(pg))
|
||||||
@ -162,25 +181,13 @@ func (r *ProxyGroupReconciler) Reconcile(ctx context.Context, req reconcile.Requ
|
|||||||
return setStatusReady(pg, metav1.ConditionTrue, reasonProxyGroupReady, reasonProxyGroupReady)
|
return setStatusReady(pg, metav1.ConditionTrue, reasonProxyGroupReady, reasonProxyGroupReady)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *ProxyGroupReconciler) maybeProvision(ctx context.Context, pg *tsapi.ProxyGroup) error {
|
func (r *ProxyGroupReconciler) maybeProvision(ctx context.Context, pg *tsapi.ProxyGroup, proxyClass *tsapi.ProxyClass) error {
|
||||||
logger := r.logger(pg.Name)
|
logger := r.logger(pg.Name)
|
||||||
r.mu.Lock()
|
r.mu.Lock()
|
||||||
r.proxyGroups.Add(pg.UID)
|
r.proxyGroups.Add(pg.UID)
|
||||||
gaugeProxyGroupResources.Set(int64(r.proxyGroups.Len()))
|
gaugeProxyGroupResources.Set(int64(r.proxyGroups.Len()))
|
||||||
r.mu.Unlock()
|
r.mu.Unlock()
|
||||||
|
|
||||||
var proxyClass *tsapi.ProxyClass
|
|
||||||
if pg.Spec.ProxyClass != "" {
|
|
||||||
proxyClass = new(tsapi.ProxyClass)
|
|
||||||
if err := r.Get(ctx, types.NamespacedName{Name: pg.Spec.ProxyClass}, proxyClass); err != nil {
|
|
||||||
return fmt.Errorf("failed to get ProxyClass: %w", err)
|
|
||||||
}
|
|
||||||
if !tsoperator.ProxyClassIsReady(proxyClass) {
|
|
||||||
logger.Infof("ProxyClass %s specified for the ProxyGroup, but it is not (yet) in a ready state, waiting...", pg.Spec.ProxyClass)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
cfgHash, err := r.ensureConfigSecretsCreated(ctx, pg, proxyClass)
|
cfgHash, err := r.ensureConfigSecretsCreated(ctx, pg, proxyClass)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("error provisioning config Secrets: %w", err)
|
return fmt.Errorf("error provisioning config Secrets: %w", err)
|
||||||
|
@ -10,6 +10,7 @@
|
|||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
"testing"
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
"github.com/google/go-cmp/cmp"
|
"github.com/google/go-cmp/cmp"
|
||||||
"go.uber.org/zap"
|
"go.uber.org/zap"
|
||||||
@ -29,7 +30,21 @@
|
|||||||
|
|
||||||
const testProxyImage = "tailscale/tailscale:test"
|
const testProxyImage = "tailscale/tailscale:test"
|
||||||
|
|
||||||
|
var defaultProxyClassAnnotations = map[string]string{
|
||||||
|
"some-annotation": "from-the-proxy-class",
|
||||||
|
}
|
||||||
|
|
||||||
func TestProxyGroup(t *testing.T) {
|
func TestProxyGroup(t *testing.T) {
|
||||||
|
pc := &tsapi.ProxyClass{
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Name: "default-pc",
|
||||||
|
},
|
||||||
|
Spec: tsapi.ProxyClassSpec{
|
||||||
|
StatefulSet: &tsapi.StatefulSet{
|
||||||
|
Annotations: defaultProxyClassAnnotations,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
pg := &tsapi.ProxyGroup{
|
pg := &tsapi.ProxyGroup{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: "test",
|
Name: "test",
|
||||||
@ -39,8 +54,8 @@ func TestProxyGroup(t *testing.T) {
|
|||||||
|
|
||||||
fc := fake.NewClientBuilder().
|
fc := fake.NewClientBuilder().
|
||||||
WithScheme(tsapi.GlobalScheme).
|
WithScheme(tsapi.GlobalScheme).
|
||||||
WithObjects(pg).
|
WithObjects(pg, pc).
|
||||||
WithStatusSubresource(pg).
|
WithStatusSubresource(pg, pc).
|
||||||
Build()
|
Build()
|
||||||
tsClient := &fakeTSClient{}
|
tsClient := &fakeTSClient{}
|
||||||
zl, _ := zap.NewDevelopment()
|
zl, _ := zap.NewDevelopment()
|
||||||
@ -51,6 +66,8 @@ func TestProxyGroup(t *testing.T) {
|
|||||||
proxyImage: testProxyImage,
|
proxyImage: testProxyImage,
|
||||||
defaultTags: []string{"tag:test-tag"},
|
defaultTags: []string{"tag:test-tag"},
|
||||||
tsFirewallMode: "auto",
|
tsFirewallMode: "auto",
|
||||||
|
defaultProxyClass: "default-pc",
|
||||||
|
|
||||||
Client: fc,
|
Client: fc,
|
||||||
tsClient: tsClient,
|
tsClient: tsClient,
|
||||||
recorder: fr,
|
recorder: fr,
|
||||||
@ -58,7 +75,27 @@ func TestProxyGroup(t *testing.T) {
|
|||||||
clock: cl,
|
clock: cl,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
t.Run("proxyclass_not_ready", func(t *testing.T) {
|
||||||
|
expectReconciled(t, reconciler, "", pg.Name)
|
||||||
|
|
||||||
|
tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionFalse, reasonProxyGroupCreating, "the ProxyGroup's ProxyClass default-pc is not yet in a ready state, waiting...", 0, cl, zl.Sugar())
|
||||||
|
expectEqual(t, fc, pg, nil)
|
||||||
|
})
|
||||||
|
|
||||||
t.Run("observe_ProxyGroupCreating_status_reason", func(t *testing.T) {
|
t.Run("observe_ProxyGroupCreating_status_reason", func(t *testing.T) {
|
||||||
|
pc.Status = tsapi.ProxyClassStatus{
|
||||||
|
Conditions: []metav1.Condition{{
|
||||||
|
Type: string(tsapi.ProxyClassReady),
|
||||||
|
Status: metav1.ConditionTrue,
|
||||||
|
Reason: reasonProxyClassValid,
|
||||||
|
Message: reasonProxyClassValid,
|
||||||
|
LastTransitionTime: metav1.Time{Time: cl.Now().Truncate(time.Second)},
|
||||||
|
}},
|
||||||
|
}
|
||||||
|
if err := fc.Status().Update(context.Background(), pc); err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
|
||||||
expectReconciled(t, reconciler, "", pg.Name)
|
expectReconciled(t, reconciler, "", pg.Name)
|
||||||
|
|
||||||
tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionFalse, reasonProxyGroupCreating, "0/2 ProxyGroup pods running", 0, cl, zl.Sugar())
|
tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionFalse, reasonProxyGroupCreating, "0/2 ProxyGroup pods running", 0, cl, zl.Sugar())
|
||||||
@ -161,6 +198,7 @@ func expectProxyGroupResources(t *testing.T, fc client.WithWatch, pg *tsapi.Prox
|
|||||||
roleBinding := pgRoleBinding(pg, tsNamespace)
|
roleBinding := pgRoleBinding(pg, tsNamespace)
|
||||||
serviceAccount := pgServiceAccount(pg, tsNamespace)
|
serviceAccount := pgServiceAccount(pg, tsNamespace)
|
||||||
statefulSet := pgStatefulSet(pg, tsNamespace, testProxyImage, "auto", "")
|
statefulSet := pgStatefulSet(pg, tsNamespace, testProxyImage, "auto", "")
|
||||||
|
statefulSet.Annotations = defaultProxyClassAnnotations
|
||||||
|
|
||||||
if shouldExist {
|
if shouldExist {
|
||||||
expectEqual(t, fc, role, nil)
|
expectEqual(t, fc, role, nil)
|
||||||
|
@ -64,7 +64,7 @@ type ServiceReconciler struct {
|
|||||||
|
|
||||||
clock tstime.Clock
|
clock tstime.Clock
|
||||||
|
|
||||||
proxyDefaultClass string
|
defaultProxyClass string
|
||||||
}
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
@ -215,7 +215,7 @@ func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
proxyClass := proxyClassForObject(svc, a.proxyDefaultClass)
|
proxyClass := proxyClassForObject(svc, a.defaultProxyClass)
|
||||||
if proxyClass != "" {
|
if proxyClass != "" {
|
||||||
if ready, err := proxyClassIsReady(ctx, proxyClass, a.Client); err != nil {
|
if ready, err := proxyClassIsReady(ctx, proxyClass, a.Client); err != nil {
|
||||||
errMsg := fmt.Errorf("error verifying ProxyClass for Service: %w", err)
|
errMsg := fmt.Errorf("error verifying ProxyClass for Service: %w", err)
|
||||||
|
@ -526,7 +526,7 @@ _Appears in:_
|
|||||||
| `tags` _[Tags](#tags)_ | Tags that the Tailscale devices will be tagged with. Defaults to [tag:k8s].<br />If you specify custom tags here, make sure you also make the operator<br />an owner of these tags.<br />See https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator.<br />Tags cannot be changed once a ProxyGroup device has been created.<br />Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$. | | Pattern: `^tag:[a-zA-Z][a-zA-Z0-9-]*$` <br />Type: string <br /> |
|
| `tags` _[Tags](#tags)_ | Tags that the Tailscale devices will be tagged with. Defaults to [tag:k8s].<br />If you specify custom tags here, make sure you also make the operator<br />an owner of these tags.<br />See https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator.<br />Tags cannot be changed once a ProxyGroup device has been created.<br />Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$. | | Pattern: `^tag:[a-zA-Z][a-zA-Z0-9-]*$` <br />Type: string <br /> |
|
||||||
| `replicas` _integer_ | Replicas specifies how many replicas to create the StatefulSet with.<br />Defaults to 2. | | |
|
| `replicas` _integer_ | Replicas specifies how many replicas to create the StatefulSet with.<br />Defaults to 2. | | |
|
||||||
| `hostnamePrefix` _[HostnamePrefix](#hostnameprefix)_ | HostnamePrefix is the hostname prefix to use for tailnet devices created<br />by the ProxyGroup. Each device will have the integer number from its<br />StatefulSet pod appended to this prefix to form the full hostname.<br />HostnamePrefix can contain lower case letters, numbers and dashes, it<br />must not start with a dash and must be between 1 and 62 characters long. | | Pattern: `^[a-z0-9][a-z0-9-]{0,61}$` <br />Type: string <br /> |
|
| `hostnamePrefix` _[HostnamePrefix](#hostnameprefix)_ | HostnamePrefix is the hostname prefix to use for tailnet devices created<br />by the ProxyGroup. Each device will have the integer number from its<br />StatefulSet pod appended to this prefix to form the full hostname.<br />HostnamePrefix can contain lower case letters, numbers and dashes, it<br />must not start with a dash and must be between 1 and 62 characters long. | | Pattern: `^[a-z0-9][a-z0-9-]{0,61}$` <br />Type: string <br /> |
|
||||||
| `proxyClass` _string_ | ProxyClass is the name of the ProxyClass custom resource that contains<br />configuration options that should be applied to the resources created<br />for this ProxyGroup. If unset, the operator will create resources with<br />the default configuration. | | |
|
| `proxyClass` _string_ | ProxyClass is the name of the ProxyClass custom resource that contains<br />configuration options that should be applied to the resources created<br />for this ProxyGroup. If unset, and there is no default ProxyClass<br />configured, the operator will create resources with the default<br />configuration. | | |
|
||||||
|
|
||||||
|
|
||||||
#### ProxyGroupStatus
|
#### ProxyGroupStatus
|
||||||
|
@ -171,7 +171,7 @@ type ConnectorStatus struct {
|
|||||||
|
|
||||||
const (
|
const (
|
||||||
ConnectorReady ConditionType = `ConnectorReady`
|
ConnectorReady ConditionType = `ConnectorReady`
|
||||||
ProxyClassready ConditionType = `ProxyClassReady`
|
ProxyClassReady ConditionType = `ProxyClassReady`
|
||||||
ProxyGroupReady ConditionType = `ProxyGroupReady`
|
ProxyGroupReady ConditionType = `ProxyGroupReady`
|
||||||
ProxyReady ConditionType = `TailscaleProxyReady` // a Tailscale-specific condition type for corev1.Service
|
ProxyReady ConditionType = `TailscaleProxyReady` // a Tailscale-specific condition type for corev1.Service
|
||||||
RecorderReady ConditionType = `RecorderReady`
|
RecorderReady ConditionType = `RecorderReady`
|
||||||
|
@ -64,8 +64,9 @@ type ProxyGroupSpec struct {
|
|||||||
|
|
||||||
// ProxyClass is the name of the ProxyClass custom resource that contains
|
// ProxyClass is the name of the ProxyClass custom resource that contains
|
||||||
// configuration options that should be applied to the resources created
|
// configuration options that should be applied to the resources created
|
||||||
// for this ProxyGroup. If unset, the operator will create resources with
|
// for this ProxyGroup. If unset, and there is no default ProxyClass
|
||||||
// the default configuration.
|
// configured, the operator will create resources with the default
|
||||||
|
// configuration.
|
||||||
// +optional
|
// +optional
|
||||||
ProxyClass string `json:"proxyClass,omitempty"`
|
ProxyClass string `json:"proxyClass,omitempty"`
|
||||||
}
|
}
|
||||||
|
@ -137,7 +137,7 @@ func updateCondition(conds []metav1.Condition, conditionType tsapi.ConditionType
|
|||||||
|
|
||||||
func ProxyClassIsReady(pc *tsapi.ProxyClass) bool {
|
func ProxyClassIsReady(pc *tsapi.ProxyClass) bool {
|
||||||
idx := xslices.IndexFunc(pc.Status.Conditions, func(cond metav1.Condition) bool {
|
idx := xslices.IndexFunc(pc.Status.Conditions, func(cond metav1.Condition) bool {
|
||||||
return cond.Type == string(tsapi.ProxyClassready)
|
return cond.Type == string(tsapi.ProxyClassReady)
|
||||||
})
|
})
|
||||||
if idx == -1 {
|
if idx == -1 {
|
||||||
return false
|
return false
|
||||||
|
Loading…
Reference in New Issue
Block a user