cmd/containerboot: store proxy's capability version in the state Secret

This is mostly for containerboot instances that are Kubernetes Operator proxies to make it possible for the operator to discover the actual Tailscale version of the proxy. Updates tailscale/tailscale#10407 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-11-29 13:05:46 +00:00 · 2024-11-20 14:17:58 +00:00 · 2024-11-20 14:17:58 +00:00 · 60bf1e168e
commit 60bf1e168e
parent ebeb5da202
3 changed files with 23 additions and 0 deletions
--- a/cmd/containerboot/kube.go
+++ b/cmd/containerboot/kube.go
@ -72,6 +72,21 @@ func deleteAuthKey(ctx context.Context, secretName string) error {
 	return nil
 }

+// storeCapVer stores the current capability version of tailscale and, if provided, UID of the Pod in the tailscale
+// state Secret. This can be used to observe the current capability version of tailscaled running in this container.
+func storeCapVer(ctx context.Context, secretName string, podUID string) error {
+	capVerS := fmt.Sprintf("%d", tailcfg.CurrentCapabilityVersion)
+	if podUID != "" {
+		capVerS += fmt.Sprintf(":%s", podUID)
+	}
+	s := &kubeapi.Secret{
+		Data: map[string][]byte{
+			"tailscale_capver": []byte(capVerS),
+		},
+	}
+	return kc.StrategicMergePatchSecret(ctx, secretName, s, "tailscale-container")
+}
+
 var kc kubeclient.Client

 func initKubeClient(root string) {
--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@ -302,6 +302,12 @@ func main() {
 		}
 	}

+	if hasKubeStateStore(cfg) {
+		if err := storeCapVer(ctx, cfg.KubeSecret, cfg.PodUID); err != nil {
+			log.Fatalf("storing capability version: %v", err)
+		}
+	}
+
 	w, err = client.WatchIPNBus(ctx, ipn.NotifyInitialNetMap|ipn.NotifyInitialState)
 	if err != nil {
 		log.Fatalf("rewatching tailscaled for updates after auth: %v", err)
--- a/cmd/containerboot/settings.go
+++ b/cmd/containerboot/settings.go
@ -67,6 +67,7 @@ type settings struct {
 	PodIP               string
 	PodIPv4             string
 	PodIPv6             string
+	PodUID              string
 	HealthCheckAddrPort string
 	EgressSvcsCfgPath   string
 }
@ -99,6 +100,7 @@ func configFromEnv() (*settings, error) {
 		EnableForwardingOptimizations:         defaultBool("TS_EXPERIMENTAL_ENABLE_FORWARDING_OPTIMIZATIONS", false),
 		HealthCheckAddrPort:                   defaultEnv("TS_HEALTHCHECK_ADDR_PORT", ""),
 		EgressSvcsCfgPath:                     defaultEnv("TS_EGRESS_SERVICES_CONFIG_PATH", ""),
+		PodUID:                                defaultEnv("POD_UID", ""),
 	}
 	podIPs, ok := os.LookupEnv("POD_IPS")
 	if ok {