build_docker.sh: add run.sh as an entrypoint to the docker image

Fixes #4071

Signed-off-by: Maisem Ali <maisem@tailscale.com>
This commit is contained in:
Maisem Ali 2022-06-06 12:43:23 -07:00 committed by Maisem Ali
parent bf2fa7b184
commit 3b55bf9306
11 changed files with 75 additions and 87 deletions


@ -40,7 +40,9 @@ go run github.com/tailscale/mkctr \
-X tailscale.com/version.Long=${VERSION_LONG} \ -X tailscale.com/version.Long=${VERSION_LONG} \
-X tailscale.com/version.Short=${VERSION_SHORT} \ -X tailscale.com/version.Short=${VERSION_SHORT} \
-X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \ -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \
--files="docs/k8s/run.sh:/tailscale/run.sh" \
--base="${BASE}" \ --base="${BASE}" \
--tags="${TAGS}" \ --tags="${TAGS}" \
--repos="${REPOS}" \ --repos="${REPOS}" \
--push="${PUSH}" --push="${PUSH}" \
/bin/sh /tailscale/run.sh
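Review bot: The new entrypoint runs the script as `/bin/sh /tailscale/run.sh`, which bypasses whatever shebang run.sh carries, while run.sh itself relies on `[[ ... ]]` tests (see the run.sh hunks further down). Whether that works depends entirely on what `/bin/sh` resolves to in `${BASE}`: busybox ash tolerates `[[`, dash does not, so a base-image change would break the container at the first conditional with no hint in the build. Either pin the interpreter the script was written for (`/bin/bash /tailscale/run.sh` if the base provides it) or make run.sh POSIX-clean (`[ -n "${TS_DEST_IP}" ]`) so the `/bin/sh` entrypoint is honest. A one-line comment above the entrypoint naming the expected shell, `# run.sh uses bash test syntax; BASE must ship a compatible /bin/sh`, would at least make the assumption visible.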


@ -1,7 +0,0 @@
# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
FROM ghcr.io/tailscale/tailscale:latest
COPY run.sh /run.sh
CMD "/run.sh"


@ -1,38 +1,28 @@
# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved. # Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style # Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file. # license that can be found in the LICENSE file.
ifndef IMAGE_TAG
$(error "IMAGE_TAG is not set")
endif
ROUTES ?= "" ROUTES ?= ""
SA_NAME ?= tailscale SA_NAME ?= tailscale
KUBE_SECRET ?= tailscale KUBE_SECRET ?= tailscale
build:
@docker build . -t $(IMAGE_TAG)
push: build
@docker push $(IMAGE_TAG)
rbac: rbac:
@sed -e "s;{{KUBE_SECRET}};$(KUBE_SECRET);g" role.yaml | kubectl apply -f - @sed -e "s;{{TS_KUBE_SECRET}};$(TS_KUBE_SECRET);g" role.yaml | kubectl apply -f -
@sed -e "s;{{SA_NAME}};$(SA_NAME);g" rolebinding.yaml | kubectl apply -f - @sed -e "s;{{SA_NAME}};$(SA_NAME);g" rolebinding.yaml | kubectl apply -f -
@sed -e "s;{{SA_NAME}};$(SA_NAME);g" sa.yaml | kubectl apply -f - @sed -e "s;{{SA_NAME}};$(SA_NAME);g" sa.yaml | kubectl apply -f -
sidecar: sidecar:
@kubectl delete -f sidecar.yaml --ignore-not-found --grace-period=0 @kubectl delete -f sidecar.yaml --ignore-not-found --grace-period=0
@sed -e "s;{{KUBE_SECRET}};$(KUBE_SECRET);g" sidecar.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{IMAGE_TAG}};$(IMAGE_TAG);g" | kubectl create -f- @sed -e "s;{{TS_KUBE_SECRET}};$(TS_KUBE_SECRET);g" sidecar.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | kubectl create -f-
userspace-sidecar: userspace-sidecar:
@kubectl delete -f userspace-sidecar.yaml --ignore-not-found --grace-period=0 @kubectl delete -f userspace-sidecar.yaml --ignore-not-found --grace-period=0
@sed -e "s;{{KUBE_SECRET}};$(KUBE_SECRET);g" userspace-sidecar.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{IMAGE_TAG}};$(IMAGE_TAG);g" | kubectl create -f- @sed -e "s;{{TS_KUBE_SECRET}};$(TS_KUBE_SECRET);g" userspace-sidecar.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | kubectl create -f-
proxy: proxy:
@kubectl delete -f proxy.yaml --ignore-not-found --grace-period=0 kubectl delete -f proxy.yaml --ignore-not-found --grace-period=0
@sed -e "s;{{KUBE_SECRET}};$(KUBE_SECRET);g" proxy.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{IMAGE_TAG}};$(IMAGE_TAG);g" | sed -e "s;{{DEST_IP}};$(DEST_IP);g" | kubectl create -f- sed -e "s;{{TS_KUBE_SECRET}};$(TS_KUBE_SECRET);g" proxy.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{TS_DEST_IP}};$(TS_DEST_IP);g" | kubectl create -f-
subnet-router: subnet-router:
@kubectl delete -f subnet.yaml --ignore-not-found --grace-period=0 @kubectl delete -f subnet.yaml --ignore-not-found --grace-period=0
@sed -e "s;{{KUBE_SECRET}};$(KUBE_SECRET);g" subnet.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{IMAGE_TAG}};$(IMAGE_TAG);g" | sed -e "s;{{ROUTES}};$(ROUTES);g" | kubectl create -f- @sed -e "s;{{TS_KUBE_SECRET}};$(TS_KUBE_SECRET);g" subnet.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{TS_ROUTES}};$(TS_ROUTES);g" | kubectl create -f-
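Review bot: The defaults on the variable lines still define `ROUTES` and `KUBE_SECRET`, but every recipe below now substitutes `$(TS_KUBE_SECRET)`, `$(TS_ROUTES)` and `$(TS_DEST_IP)`, so the defaults are dead and an unexported `TS_KUBE_SECRET` renders `resourceNames: [""]` into role.yaml and an empty `TS_KUBE_SECRET` into the pod env. run.sh then falls back to its own default of `tailscale` (visible in the run.sh hunk), meaning the pod tries to read a secret the Role never granted and the RBAC step appears to succeed. Rename the defaults to match: `TS_ROUTES ?= ""` and `TS_KUBE_SECRET ?= tailscale`. Separately, the `proxy:` recipe lines dropped the leading `@` that the sibling targets keep, and none of these command-style targets are declared `.PHONY`, so a stray file named `rbac` or `proxy` in the directory would silently skip the apply.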


@ -15,19 +15,12 @@ There are quite a few ways of running Tailscale inside a Kubernetes Cluster, som
AUTH_KEY: tskey-... AUTH_KEY: tskey-...
``` ```
1. Build and push the container
```bash
export IMAGE_TAG=tailscale-k8s:latest
make push
```
1. Tailscale (v1.16+) supports storing state inside a Kubernetes Secret. 1. Tailscale (v1.16+) supports storing state inside a Kubernetes Secret.
Configure RBAC to allow the Tailscale pod to read/write the `tailscale` secret. Configure RBAC to allow the Tailscale pod to read/write the `tailscale` secret.
```bash ```bash
export SA_NAME=tailscale export SA_NAME=tailscale
export KUBE_SECRET=tailscale-auth export TS_KUBE_SECRET=tailscale-auth
make rbac make rbac
``` ```
@ -82,11 +75,11 @@ Running a Tailscale proxy allows you to provide inbound connectivity to a Kubern
```bash ```bash
kubectl create deployment nginx --image nginx kubectl create deployment nginx --image nginx
kubectl expose deployment nginx --port 80 kubectl expose deployment nginx --port 80
export DEST_IP="$(kubectl get svc nginx -o=jsonpath='{.spec.clusterIP}')" export TS_DEST_IP="$(kubectl get svc nginx -o=jsonpath='{.spec.clusterIP}')"
``` ```
**Using an existing service** **Using an existing service**
```bash ```bash
export DEST_IP="$(kubectl get svc <SVC_NAME> -o=jsonpath='{.spec.clusterIP}')" export TS_DEST_IP="$(kubectl get svc <SVC_NAME> -o=jsonpath='{.spec.clusterIP}')"
``` ```
1. Deploy the proxy pod 1. Deploy the proxy pod
@ -114,12 +107,12 @@ Running a Tailscale proxy allows you to provide inbound connectivity to a Kubern
Running a Tailscale [subnet router](https://tailscale.com/kb/1019/subnets/) allows you to access Running a Tailscale [subnet router](https://tailscale.com/kb/1019/subnets/) allows you to access
the entire Kubernetes cluster network (assuming NetworkPolicies allow) over Tailscale. the entire Kubernetes cluster network (assuming NetworkPolicies allow) over Tailscale.
1. Identify the Pod/Service CIDRs that cover your Kubernetes cluster. These will vary depending on [which CNI](https://kubernetes.io/docs/concepts/cluster-administration/networking/) you are using and on the Cloud Provider you are using. Add these to the `ROUTES` variable as comma-separated values. 1. Identify the Pod/Service CIDRs that cover your Kubernetes cluster. These will vary depending on [which CNI](https://kubernetes.io/docs/concepts/cluster-administration/networking/) you are using and on the Cloud Provider you are using. Add these to the `TS_ROUTES` variable as comma-separated values.
```bash ```bash
SERVICE_CIDR=10.20.0.0/16 SERVICE_CIDR=10.20.0.0/16
POD_CIDR=10.42.0.0/15 POD_CIDR=10.42.0.0/15
export ROUTES=$SERVICE_CIDR,$POD_CIDR export TS_ROUTES=$SERVICE_CIDR,$POD_CIDR
``` ```
1. Deploy the subnet-router pod. 1. Deploy the subnet-router pod.


@ -1,4 +1,4 @@
# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved. # Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style # Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file. # license that can be found in the LICENSE file.
apiVersion: v1 apiVersion: v1
@ -26,21 +26,21 @@ spec:
containers: containers:
- name: tailscale - name: tailscale
imagePullPolicy: Always imagePullPolicy: Always
image: "{{IMAGE_TAG}}" image: "ghcr.io/tailscale/tailscale:latest"
env: env:
# Store the state in a k8s secret # Store the state in a k8s secret
- name: KUBE_SECRET - name: TS_KUBE_SECRET
value: "{{KUBE_SECRET}}" value: "{{TS_KUBE_SECRET}}"
- name: USERSPACE - name: TS_USERSPACE
value: "false" value: "false"
- name: AUTH_KEY - name: TS_AUTH_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: tailscale-auth name: tailscale-auth
key: AUTH_KEY key: AUTH_KEY
optional: true optional: true
- name: DEST_IP - name: TS_DEST_IP
value: "{{DEST_IP}}" value: "{{TS_DEST_IP}}"
securityContext: securityContext:
capabilities: capabilities:
add: add:
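Review bot: The image is now the floating tag `ghcr.io/tailscale/tailscale:latest` combined with `imagePullPolicy: Always`, in a container that goes on to add capabilities under `securityContext` (the list is cut off by the hunk, so I cannot see which). Every pod restart will pull whatever currently sits behind that tag, so a registry compromise or a bad release lands in the cluster with elevated privileges and nothing in the manifest records what was actually deployed. Pin it to a versioned tag or, better, a digest (`image: "ghcr.io/tailscale/tailscale@sha256:<digest>"`), or keep the `{{IMAGE_TAG}}` placeholder with a documented default so operators can choose; the same applies to the sidecar, userspace-sidecar and subnet manifests in this commit. The container spec continues outside the hunk.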


@ -1,4 +1,4 @@
# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved. # Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style # Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file. # license that can be found in the LICENSE file.
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
@ -11,6 +11,6 @@ rules:
# Create can not be restricted to a resource name. # Create can not be restricted to a resource name.
verbs: ["create"] verbs: ["create"]
- apiGroups: [""] # "" indicates the core API group - apiGroups: [""] # "" indicates the core API group
resourceNames: ["{{KUBE_SECRET}}"] resourceNames: ["{{TS_KUBE_SECRET}}"]
resources: ["secrets"] resources: ["secrets"]
verbs: ["get", "update"] verbs: ["get", "update"]


@ -1,4 +1,4 @@
# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved. # Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style # Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file. # license that can be found in the LICENSE file.
@ -6,19 +6,29 @@
export PATH=$PATH:/tailscale/bin export PATH=$PATH:/tailscale/bin
AUTH_KEY="${AUTH_KEY:-}" TS_AUTH_KEY="${TS_AUTH_KEY:-}"
ROUTES="${ROUTES:-}" TS_ROUTES="${TS_ROUTES:-}"
DEST_IP="${DEST_IP:-}" TS_DEST_IP="${TS_DEST_IP:-}"
EXTRA_ARGS="${EXTRA_ARGS:-}" TS_EXTRA_ARGS="${TS_EXTRA_ARGS:-}"
USERSPACE="${USERSPACE:-true}" TS_USERSPACE="${TS_USERSPACE:-true}"
KUBE_SECRET="${KUBE_SECRET:-tailscale}" TS_STATE_DIR="${TS_STATE_DIR:-}"
TS_ACCEPT_DNS="${TS_ACCEPT_DNS:-false}"
TS_KUBE_SECRET="${TS_KUBE_SECRET:-tailscale}"
set -e set -e
TAILSCALED_ARGS="--state=kube:${KUBE_SECRET} --socket=/tmp/tailscaled.sock" TAILSCALED_ARGS="--socket=/tmp/tailscaled.sock"
if [[ "${USERSPACE}" == "true" ]]; then if [[ ! -z "${KUBERNETES_SERVICE_HOST}" ]]; then
if [[ ! -z "${DEST_IP}" ]]; then TAILSCALED_ARGS="${TAILSCALED_ARGS} --state=kube:${TS_KUBE_SECRET}"
elif [[ ! -z "${TS_STATE_DIR}" ]]; then
TAILSCALED_ARGS="${TAILSCALED_ARGS} --statedir=${TS_STATE_DIR}"
else
TAILSCALED_ARGS="${TAILSCALED_ARGS} --state=mem:"
fi
if [[ "${TS_USERSPACE}" == "true" ]]; then
if [[ ! -z "${TS_DEST_IP}" ]]; then
echo "IP forwarding is not supported in userspace mode" echo "IP forwarding is not supported in userspace mode"
exit 1 exit 1
fi fi
@ -37,23 +47,23 @@ echo "Starting tailscaled"
tailscaled ${TAILSCALED_ARGS} & tailscaled ${TAILSCALED_ARGS} &
PID=$! PID=$!
UP_ARGS="--accept-dns=false" UP_ARGS="--accept-dns=${TS_ACCEPT_DNS}"
if [[ ! -z "${ROUTES}" ]]; then if [[ ! -z "${TS_ROUTES}" ]]; then
UP_ARGS="--advertise-routes=${ROUTES} ${UP_ARGS}" UP_ARGS="--advertise-routes=${TS_ROUTES} ${UP_ARGS}"
fi fi
if [[ ! -z "${AUTH_KEY}" ]]; then if [[ ! -z "${TS_AUTH_KEY}" ]]; then
UP_ARGS="--authkey=${AUTH_KEY} ${UP_ARGS}" UP_ARGS="--authkey=${TS_AUTH_KEY} ${UP_ARGS}"
fi fi
if [[ ! -z "${EXTRA_ARGS}" ]]; then if [[ ! -z "${TS_EXTRA_ARGS}" ]]; then
UP_ARGS="${UP_ARGS} ${EXTRA_ARGS:-}" UP_ARGS="${UP_ARGS} ${TS_EXTRA_ARGS:-}"
fi fi
echo "Running tailscale up" echo "Running tailscale up"
tailscale --socket=/tmp/tailscaled.sock up ${UP_ARGS} tailscale --socket=/tmp/tailscaled.sock up ${UP_ARGS}
if [[ ! -z "${DEST_IP}" ]]; then if [[ ! -z "${TS_DEST_IP}" ]]; then
echo "Adding iptables rule for DNAT" echo "Adding iptables rule for DNAT"
iptables -t nat -I PREROUTING -d "$(tailscale --socket=/tmp/tailscaled.sock ip -4)" -j DNAT --to-destination "${DEST_IP}" iptables -t nat -I PREROUTING -d "$(tailscale --socket=/tmp/tailscaled.sock ip -4)" -j DNAT --to-destination "${TS_DEST_IP}"
fi fi
wait ${PID} wait ${PID}
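Review bot: In the new state-selection block, the `KUBERNETES_SERVICE_HOST` test runs before the `TS_STATE_DIR` test, so an operator who explicitly sets `TS_STATE_DIR` inside a cluster (for example to persist node identity on a volume instead of in a Secret) is silently ignored and state goes to `kube:${TS_KUBE_SECRET}` anyway. An explicit setting should win over environment sniffing: swap the two branches so `[[ ! -z "${TS_STATE_DIR}" ]]` is checked first and `[[ ! -z "${KUBERNETES_SERVICE_HOST}" ]]` becomes the `elif`. The final `--state=mem:` fallback also deserves a comment, since a non-Kubernetes container with no state dir will register as a brand-new node on every restart and consume a fresh auth key each time; something like `# no durable state: node identity is lost on restart and a reusable auth key is required` above it. The script body continues outside these hunks.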


@ -1,4 +1,4 @@
# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved. # Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style # Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file. # license that can be found in the LICENSE file.
apiVersion: v1 apiVersion: v1


@ -1,4 +1,4 @@
# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved. # Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style # Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file. # license that can be found in the LICENSE file.
apiVersion: v1 apiVersion: v1
@ -12,14 +12,14 @@ spec:
image: nginx image: nginx
- name: ts-sidecar - name: ts-sidecar
imagePullPolicy: Always imagePullPolicy: Always
image: "{{IMAGE_TAG}}" image: "ghcr.io/tailscale/tailscale:latest"
env: env:
# Store the state in a k8s secret # Store the state in a k8s secret
- name: KUBE_SECRET - name: TS_KUBE_SECRET
value: "{{KUBE_SECRET}}" value: "{{TS_KUBE_SECRET}}"
- name: USERSPACE - name: TS_USERSPACE
value: "false" value: "false"
- name: AUTH_KEY - name: TS_AUTH_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: tailscale-auth name: tailscale-auth


@ -1,4 +1,4 @@
# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved. # Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style # Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file. # license that can be found in the LICENSE file.
apiVersion: v1 apiVersion: v1
@ -12,21 +12,21 @@ spec:
containers: containers:
- name: tailscale - name: tailscale
imagePullPolicy: Always imagePullPolicy: Always
image: "{{IMAGE_TAG}}" image: "ghcr.io/tailscale/tailscale:latest"
env: env:
# Store the state in a k8s secret # Store the state in a k8s secret
- name: KUBE_SECRET - name: TS_KUBE_SECRET
value: "{{KUBE_SECRET}}" value: "{{TS_KUBE_SECRET}}"
- name: USERSPACE - name: TS_USERSPACE
value: "true" value: "true"
- name: AUTH_KEY - name: TS_AUTH_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: tailscale-auth name: tailscale-auth
key: AUTH_KEY key: AUTH_KEY
optional: true optional: true
- name: ROUTES - name: TS_ROUTES
value: "{{ROUTES}}" value: "{{TS_ROUTES}}"
securityContext: securityContext:
runAsUser: 1000 runAsUser: 1000
runAsGroup: 1000 runAsGroup: 1000


@ -1,4 +1,4 @@
# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved. # Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style # Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file. # license that can be found in the LICENSE file.
apiVersion: v1 apiVersion: v1
@ -12,17 +12,17 @@ spec:
image: nginx image: nginx
- name: ts-sidecar - name: ts-sidecar
imagePullPolicy: Always imagePullPolicy: Always
image: "{{IMAGE_TAG}}" image: "ghcr.io/tailscale/tailscale:latest"
securityContext: securityContext:
runAsUser: 1000 runAsUser: 1000
runAsGroup: 1000 runAsGroup: 1000
env: env:
# Store the state in a k8s secret # Store the state in a k8s secret
- name: KUBE_SECRET - name: TS_KUBE_SECRET
value: "{{KUBE_SECRET}}" value: "{{TS_KUBE_SECRET}}"
- name: USERSPACE - name: TS_USERSPACE
value: "true" value: "true"
- name: AUTH_KEY - name: TS_AUTH_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: tailscale-auth name: tailscale-auth