cmd/k8s-operator: adds a tailscale IngressClass resource, prints warning if class not found. (#10823)

* cmd/k8s-operator/deploy: deploy a Tailscale IngressClass resource. Some Ingress validating webhooks reject Ingresses with .spec.ingressClassName for which there is no matching IngressClass. Additionally, validate that the expected IngressClass is present, when parsing a tailscale `Ingress`. We currently do not utilize the IngressClass, however we might in the future at which point we might start requiring that the right class for this controller instance actually exists. Updates tailscale/tailscale#10820 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Anton Tolchanov <anton@tailscale.com>
2025-12-03 02:21:58 +00:00 · 2024-01-16 12:48:15 +00:00
parent 381430eeca
commit d0492fdee5
5 changed files with 66 additions and 1 deletions
--- a/cmd/k8s-operator/deploy/manifests/operator.yaml
+++ b/cmd/k8s-operator/deploy/manifests/operator.yaml
@@ -173,6 +173,14 @@ rules:
        - ingresses/status
      verbs:
        - '*'
+    - apiGroups:
+        - networking.k8s.io
+      resources:
+        - ingressclasses
+      verbs:
+        - get
+        - list
+        - watch
    - apiGroups:
        - tailscale.com
      resources:
@@ -312,3 +320,11 @@ spec:
                - name: oauth
                  secret:
                    secretName: operator-oauth
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+    annotations: {}
+    name: tailscale
+spec:
+    controller: tailscale.com/ts-ingress