TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2024-11-29 13:05:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

build_docker.sh: add run.sh as an entrypoint to the docker image

Browse Source 
Fixes #4071

Signed-off-by: Maisem Ali <maisem@tailscale.com>
This commit is contained in:
Maisem Ali 2022-06-06 12:43:23 -07:00 committed by Maisem Ali
parent bf2fa7b184
commit 3b55bf9306
11 changed files with 75 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
build_docker.sh
View File

@ -40,7 +40,9 @@ go run github.com/tailscale/mkctr \
-X tailscale.com/version.Long=${VERSION_LONG} \ -X tailscale.com/version.Long=${VERSION_LONG} \
-X tailscale.com/version.Short=${VERSION_SHORT} \ -X tailscale.com/version.Short=${VERSION_SHORT} \
-X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \ -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \
--files="docs/k8s/run.sh:/tailscale/run.sh" \
--base="${BASE}" \ --base="${BASE}" \
--tags="${TAGS}" \ --tags="${TAGS}" \
--repos="${REPOS}" \ --repos="${REPOS}" \
--push="${PUSH}" --push="${PUSH}" \
/bin/sh /tailscale/run.sh

7
docs/k8s/Dockerfile
View File

@ -1,7 +0,0 @@
# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
FROM ghcr.io/tailscale/tailscale:latest
COPY run.sh /run.sh
CMD "/run.sh"

24
docs/k8s/Makefile
View File

@ -1,38 +1,28 @@
# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved. # Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style # Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file. # license that can be found in the LICENSE file.
ifndef IMAGE_TAG
$(error "IMAGE_TAG is not set")
endif
ROUTES ?= "" ROUTES ?= ""
SA_NAME ?= tailscale SA_NAME ?= tailscale
KUBE_SECRET ?= tailscale KUBE_SECRET ?= tailscale
build:
@docker build . -t $(IMAGE_TAG)
push: build
@docker push $(IMAGE_TAG)
rbac: rbac:
@sed -e "s;{{KUBE_SECRET}};$(KUBE_SECRET);g" role.yaml | kubectl apply -f - @sed -e "s;{{TS_KUBE_SECRET}};$(TS_KUBE_SECRET);g" role.yaml | kubectl apply -f -
@sed -e "s;{{SA_NAME}};$(SA_NAME);g" rolebinding.yaml | kubectl apply -f - @sed -e "s;{{SA_NAME}};$(SA_NAME);g" rolebinding.yaml | kubectl apply -f -
@sed -e "s;{{SA_NAME}};$(SA_NAME);g" sa.yaml | kubectl apply -f - @sed -e "s;{{SA_NAME}};$(SA_NAME);g" sa.yaml | kubectl apply -f -
sidecar: sidecar:
@kubectl delete -f sidecar.yaml --ignore-not-found --grace-period=0 @kubectl delete -f sidecar.yaml --ignore-not-found --grace-period=0
@sed -e "s;{{KUBE_SECRET}};$(KUBE_SECRET);g" sidecar.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{IMAGE_TAG}};$(IMAGE_TAG);g" | kubectl create -f- @sed -e "s;{{TS_KUBE_SECRET}};$(TS_KUBE_SECRET);g" sidecar.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | kubectl create -f-
userspace-sidecar: userspace-sidecar:
@kubectl delete -f userspace-sidecar.yaml --ignore-not-found --grace-period=0 @kubectl delete -f userspace-sidecar.yaml --ignore-not-found --grace-period=0
@sed -e "s;{{KUBE_SECRET}};$(KUBE_SECRET);g" userspace-sidecar.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{IMAGE_TAG}};$(IMAGE_TAG);g" | kubectl create -f- @sed -e "s;{{TS_KUBE_SECRET}};$(TS_KUBE_SECRET);g" userspace-sidecar.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | kubectl create -f-
proxy: proxy:
@kubectl delete -f proxy.yaml --ignore-not-found --grace-period=0 kubectl delete -f proxy.yaml --ignore-not-found --grace-period=0
@sed -e "s;{{KUBE_SECRET}};$(KUBE_SECRET);g" proxy.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{IMAGE_TAG}};$(IMAGE_TAG);g" | sed -e "s;{{DEST_IP}};$(DEST_IP);g" | kubectl create -f- sed -e "s;{{TS_KUBE_SECRET}};$(TS_KUBE_SECRET);g" proxy.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{TS_DEST_IP}};$(TS_DEST_IP);g" | kubectl create -f-
subnet-router: subnet-router:
@kubectl delete -f subnet.yaml --ignore-not-found --grace-period=0 @kubectl delete -f subnet.yaml --ignore-not-found --grace-period=0
@sed -e "s;{{KUBE_SECRET}};$(KUBE_SECRET);g" subnet.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{IMAGE_TAG}};$(IMAGE_TAG);g" | sed -e "s;{{ROUTES}};$(ROUTES);g" | kubectl create -f- @sed -e "s;{{TS_KUBE_SECRET}};$(TS_KUBE_SECRET);g" subnet.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{TS_ROUTES}};$(TS_ROUTES);g" | kubectl create -f-

17
docs/k8s/README.md
View File

@ -15,19 +15,12 @@ There are quite a few ways of running Tailscale inside a Kubernetes Cluster, som
AUTH_KEY: tskey-... AUTH_KEY: tskey-...
``` ```
1. Build and push the container
```bash
export IMAGE_TAG=tailscale-k8s:latest
make push
```
1. Tailscale (v1.16+) supports storing state inside a Kubernetes Secret. 1. Tailscale (v1.16+) supports storing state inside a Kubernetes Secret.
Configure RBAC to allow the Tailscale pod to read/write the `tailscale` secret. Configure RBAC to allow the Tailscale pod to read/write the `tailscale` secret.
```bash ```bash
export SA_NAME=tailscale export SA_NAME=tailscale
export KUBE_SECRET=tailscale-auth export TS_KUBE_SECRET=tailscale-auth
make rbac make rbac
``` ```
@ -82,11 +75,11 @@ Running a Tailscale proxy allows you to provide inbound connectivity to a Kubern
```bash ```bash
kubectl create deployment nginx --image nginx kubectl create deployment nginx --image nginx
kubectl expose deployment nginx --port 80 kubectl expose deployment nginx --port 80
export DEST_IP="$(kubectl get svc nginx -o=jsonpath='{.spec.clusterIP}')" export TS_DEST_IP="$(kubectl get svc nginx -o=jsonpath='{.spec.clusterIP}')"
``` ```
**Using an existing service** **Using an existing service**
```bash ```bash
export DEST_IP="$(kubectl get svc <SVC_NAME> -o=jsonpath='{.spec.clusterIP}')" export TS_DEST_IP="$(kubectl get svc <SVC_NAME> -o=jsonpath='{.spec.clusterIP}')"
``` ```
1. Deploy the proxy pod 1. Deploy the proxy pod
@ -114,12 +107,12 @@ Running a Tailscale proxy allows you to provide inbound connectivity to a Kubern
Running a Tailscale [subnet router](https://tailscale.com/kb/1019/subnets/) allows you to access Running a Tailscale [subnet router](https://tailscale.com/kb/1019/subnets/) allows you to access
the entire Kubernetes cluster network (assuming NetworkPolicies allow) over Tailscale. the entire Kubernetes cluster network (assuming NetworkPolicies allow) over Tailscale.
1. Identify the Pod/Service CIDRs that cover your Kubernetes cluster. These will vary depending on [which CNI](https://kubernetes.io/docs/concepts/cluster-administration/networking/) you are using and on the Cloud Provider you are using. Add these to the `ROUTES` variable as comma-separated values. 1. Identify the Pod/Service CIDRs that cover your Kubernetes cluster. These will vary depending on [which CNI](https://kubernetes.io/docs/concepts/cluster-administration/networking/) you are using and on the Cloud Provider you are using. Add these to the `TS_ROUTES` variable as comma-separated values.
```bash ```bash
SERVICE_CIDR=10.20.0.0/16 SERVICE_CIDR=10.20.0.0/16
POD_CIDR=10.42.0.0/15 POD_CIDR=10.42.0.0/15
export ROUTES=$SERVICE_CIDR,$POD_CIDR export TS_ROUTES=$SERVICE_CIDR,$POD_CIDR
``` ```
1. Deploy the subnet-router pod. 1. Deploy the subnet-router pod.

16
docs/k8s/proxy.yaml
View File

@ -1,4 +1,4 @@
# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved. # Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style # Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file. # license that can be found in the LICENSE file.
apiVersion: v1 apiVersion: v1
@ -26,21 +26,21 @@ spec:
containers: containers:
- name: tailscale - name: tailscale
imagePullPolicy: Always imagePullPolicy: Always
image: "{{IMAGE_TAG}}" image: "ghcr.io/tailscale/tailscale:latest"
env: env:
# Store the state in a k8s secret # Store the state in a k8s secret
- name: KUBE_SECRET - name: TS_KUBE_SECRET
value: "{{KUBE_SECRET}}" value: "{{TS_KUBE_SECRET}}"
- name: USERSPACE - name: TS_USERSPACE
value: "false" value: "false"
- name: AUTH_KEY - name: TS_AUTH_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: tailscale-auth name: tailscale-auth
key: AUTH_KEY key: AUTH_KEY
optional: true optional: true
- name: DEST_IP - name: TS_DEST_IP
value: "{{DEST_IP}}" value: "{{TS_DEST_IP}}"
securityContext: securityContext:
capabilities: capabilities:
add: add:

4
docs/k8s/role.yaml
View File

@ -1,4 +1,4 @@
# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved. # Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style # Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file. # license that can be found in the LICENSE file.
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
@ -11,6 +11,6 @@ rules:
# Create can not be restricted to a resource name. # Create can not be restricted to a resource name.
verbs: ["create"] verbs: ["create"]
- apiGroups: [""] # "" indicates the core API group - apiGroups: [""] # "" indicates the core API group
resourceNames: ["{{KUBE_SECRET}}"] resourceNames: ["{{TS_KUBE_SECRET}}"]
resources: ["secrets"] resources: ["secrets"]
verbs: ["get", "update"] verbs: ["get", "update"]

48
docs/k8s/run.sh
View File

@ -1,4 +1,4 @@
# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved. # Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style # Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file. # license that can be found in the LICENSE file.
@ -6,19 +6,29 @@
export PATH=$PATH:/tailscale/bin export PATH=$PATH:/tailscale/bin
AUTH_KEY="${AUTH_KEY:-}" TS_AUTH_KEY="${TS_AUTH_KEY:-}"
ROUTES="${ROUTES:-}" TS_ROUTES="${TS_ROUTES:-}"
DEST_IP="${DEST_IP:-}" TS_DEST_IP="${TS_DEST_IP:-}"
EXTRA_ARGS="${EXTRA_ARGS:-}" TS_EXTRA_ARGS="${TS_EXTRA_ARGS:-}"
USERSPACE="${USERSPACE:-true}" TS_USERSPACE="${TS_USERSPACE:-true}"
KUBE_SECRET="${KUBE_SECRET:-tailscale}" TS_STATE_DIR="${TS_STATE_DIR:-}"
TS_ACCEPT_DNS="${TS_ACCEPT_DNS:-false}"
TS_KUBE_SECRET="${TS_KUBE_SECRET:-tailscale}"
set -e set -e
TAILSCALED_ARGS="--state=kube:${KUBE_SECRET} --socket=/tmp/tailscaled.sock" TAILSCALED_ARGS="--socket=/tmp/tailscaled.sock"
if [[ "${USERSPACE}" == "true" ]]; then if [[ ! -z "${KUBERNETES_SERVICE_HOST}" ]]; then
if [[ ! -z "${DEST_IP}" ]]; then TAILSCALED_ARGS="${TAILSCALED_ARGS} --state=kube:${TS_KUBE_SECRET}"
elif [[ ! -z "${TS_STATE_DIR}" ]]; then
TAILSCALED_ARGS="${TAILSCALED_ARGS} --statedir=${TS_STATE_DIR}"
else
TAILSCALED_ARGS="${TAILSCALED_ARGS} --state=mem:"
fi
if [[ "${TS_USERSPACE}" == "true" ]]; then
if [[ ! -z "${TS_DEST_IP}" ]]; then
echo "IP forwarding is not supported in userspace mode" echo "IP forwarding is not supported in userspace mode"
exit 1 exit 1
fi fi
@ -37,23 +47,23 @@ echo "Starting tailscaled"
tailscaled ${TAILSCALED_ARGS} & tailscaled ${TAILSCALED_ARGS} &
PID=$! PID=$!
UP_ARGS="--accept-dns=false" UP_ARGS="--accept-dns=${TS_ACCEPT_DNS}"
if [[ ! -z "${ROUTES}" ]]; then if [[ ! -z "${TS_ROUTES}" ]]; then
UP_ARGS="--advertise-routes=${ROUTES} ${UP_ARGS}" UP_ARGS="--advertise-routes=${TS_ROUTES} ${UP_ARGS}"
fi fi
if [[ ! -z "${AUTH_KEY}" ]]; then if [[ ! -z "${TS_AUTH_KEY}" ]]; then
UP_ARGS="--authkey=${AUTH_KEY} ${UP_ARGS}" UP_ARGS="--authkey=${TS_AUTH_KEY} ${UP_ARGS}"
fi fi
if [[ ! -z "${EXTRA_ARGS}" ]]; then if [[ ! -z "${TS_EXTRA_ARGS}" ]]; then
UP_ARGS="${UP_ARGS} ${EXTRA_ARGS:-}" UP_ARGS="${UP_ARGS} ${TS_EXTRA_ARGS:-}"
fi fi
echo "Running tailscale up" echo "Running tailscale up"
tailscale --socket=/tmp/tailscaled.sock up ${UP_ARGS} tailscale --socket=/tmp/tailscaled.sock up ${UP_ARGS}
if [[ ! -z "${DEST_IP}" ]]; then if [[ ! -z "${TS_DEST_IP}" ]]; then
echo "Adding iptables rule for DNAT" echo "Adding iptables rule for DNAT"
iptables -t nat -I PREROUTING -d "$(tailscale --socket=/tmp/tailscaled.sock ip -4)" -j DNAT --to-destination "${DEST_IP}" iptables -t nat -I PREROUTING -d "$(tailscale --socket=/tmp/tailscaled.sock ip -4)" -j DNAT --to-destination "${TS_DEST_IP}"
fi fi
wait ${PID} wait ${PID}

2
docs/k8s/sa.yaml
View File

@ -1,4 +1,4 @@
# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved. # Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style # Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file. # license that can be found in the LICENSE file.
apiVersion: v1 apiVersion: v1

12
docs/k8s/sidecar.yaml
View File

@ -1,4 +1,4 @@
# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved. # Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style # Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file. # license that can be found in the LICENSE file.
apiVersion: v1 apiVersion: v1
@ -12,14 +12,14 @@ spec:
image: nginx image: nginx
- name: ts-sidecar - name: ts-sidecar
imagePullPolicy: Always imagePullPolicy: Always
image: "{{IMAGE_TAG}}" image: "ghcr.io/tailscale/tailscale:latest"
env: env:
# Store the state in a k8s secret # Store the state in a k8s secret
- name: KUBE_SECRET - name: TS_KUBE_SECRET
value: "{{KUBE_SECRET}}" value: "{{TS_KUBE_SECRET}}"
- name: USERSPACE - name: TS_USERSPACE
value: "false" value: "false"
- name: AUTH_KEY - name: TS_AUTH_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: tailscale-auth name: tailscale-auth

16
docs/k8s/subnet.yaml
View File

@ -1,4 +1,4 @@
# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved. # Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style # Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file. # license that can be found in the LICENSE file.
apiVersion: v1 apiVersion: v1
@ -12,21 +12,21 @@ spec:
containers: containers:
- name: tailscale - name: tailscale
imagePullPolicy: Always imagePullPolicy: Always
image: "{{IMAGE_TAG}}" image: "ghcr.io/tailscale/tailscale:latest"
env: env:
# Store the state in a k8s secret # Store the state in a k8s secret
- name: KUBE_SECRET - name: TS_KUBE_SECRET
value: "{{KUBE_SECRET}}" value: "{{TS_KUBE_SECRET}}"
- name: USERSPACE - name: TS_USERSPACE
value: "true" value: "true"
- name: AUTH_KEY - name: TS_AUTH_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: tailscale-auth name: tailscale-auth
key: AUTH_KEY key: AUTH_KEY
optional: true optional: true
- name: ROUTES - name: TS_ROUTES
value: "{{ROUTES}}" value: "{{TS_ROUTES}}"
securityContext: securityContext:
runAsUser: 1000 runAsUser: 1000
runAsGroup: 1000 runAsGroup: 1000

12
docs/k8s/userspace-sidecar.yaml
View File

@ -1,4 +1,4 @@
# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved. # Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style # Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file. # license that can be found in the LICENSE file.
apiVersion: v1 apiVersion: v1
@ -12,17 +12,17 @@ spec:
image: nginx image: nginx
- name: ts-sidecar - name: ts-sidecar
imagePullPolicy: Always imagePullPolicy: Always
image: "{{IMAGE_TAG}}" image: "ghcr.io/tailscale/tailscale:latest"
securityContext: securityContext:
runAsUser: 1000 runAsUser: 1000
runAsGroup: 1000 runAsGroup: 1000
env: env:
# Store the state in a k8s secret # Store the state in a k8s secret
- name: KUBE_SECRET - name: TS_KUBE_SECRET
value: "{{KUBE_SECRET}}" value: "{{TS_KUBE_SECRET}}"
- name: USERSPACE - name: TS_USERSPACE
value: "true" value: "true"
- name: AUTH_KEY - name: TS_AUTH_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: tailscale-auth name: tailscale-auth