cmd/k8s-operator,k8s-operator: allow users to configure proxy env vars via ProxyClass (#11743)

Adds new ProxyClass.spec.statefulSet.pod.{tailscaleContainer,tailscaleInitContainer}.Env field that allow users to provide key, value pairs that will be set as env vars for the respective containers. Allow overriding all containerboot env vars, but warn that this is not supported and might break (in docs + a warning when validating ProxyClass). Updates tailscale/tailscale#10709 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2025-12-06 12:52:00 +00:00 · 2024-04-15 17:24:59 +01:00
parent 9258bcc360
commit 38fb23f120
10 changed files with 268 additions and 4 deletions
--- a/k8s-operator/apis/v1alpha1/types_proxyclass.go
+++ b/k8s-operator/apis/v1alpha1/types_proxyclass.go
@@ -131,8 +131,36 @@ type Container struct {
 	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources
 	// +optional
 	Resources corev1.ResourceRequirements `json:"resources,omitempty"`
+	// List of environment variables to set in the container.
+	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables
+	// Note that environment variables provided here will take precedence
+	// over Tailscale-specific environment variables set by the operator,
+	// however running proxies with custom values for Tailscale environment
+	// variables (i.e TS_USERSPACE) is not recommended and might break in
+	// the future.
+	// +optional
+	Env []Env `json:"env,omitempty"`
 }

+type Env struct {
+	// Name of the environment variable. Must be a C_IDENTIFIER.
+	Name Name `json:"name"`
+	// Variable references $(VAR_NAME) are expanded using the previously defined
+	//  environment variables in the container and any service environment
+	// variables. If a variable cannot be resolved, the reference in the input
+	// string will be unchanged. Double $$ are reduced to a single $, which
+	// allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
+	// produce the string literal "$(VAR_NAME)". Escaped references will never
+	// be expanded, regardless of whether the variable exists or not. Defaults
+	// to "".
+	// +optional
+	Value string `json:"value,omitempty"`
+}
+
+// +kubebuilder:validation:Type=string
+// +kubebuilder:validation:Pattern=`^[-._a-zA-Z][-._a-zA-Z0-9]*$`
+type Name string
+
 type ProxyClassStatus struct {
 	// List of status conditions to indicate the status of the ProxyClass.
 	// Known condition types are `ProxyClassReady`.
--- a/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
+++ b/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
@@ -146,6 +146,11 @@ func (in *Container) DeepCopyInto(out *Container) {
 		(*in).DeepCopyInto(*out)
 	}
 	in.Resources.DeepCopyInto(&out.Resources)
+	if in.Env != nil {
+		in, out := &in.Env, &out.Env
+		*out = make([]Env, len(*in))
+		copy(*out, *in)
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Container.
@@ -158,6 +163,21 @@ func (in *Container) DeepCopy() *Container {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Env) DeepCopyInto(out *Env) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Env.
+func (in *Env) DeepCopy() *Env {
+	if in == nil {
+		return nil
+	}
+	out := new(Env)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Pod) DeepCopyInto(out *Pod) {
 	*out = *in