Review feedback

* Document that default ProxyClass does not currently apply to CRDs
* Remove stateful filtering

Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
Tom Proctor 2024-10-04 14:30:32 +01:00
parent aebba51df8
commit fa0b70739d
2 changed files with 7 additions and 13 deletions


@ -79,7 +79,8 @@ proxyConfig:
defaultTags: "tag:k8s" defaultTags: "tag:k8s"
firewallMode: auto firewallMode: auto
# If defined, this proxy class will be used as the default proxy class for # If defined, this proxy class will be used as the default proxy class for
# service and ingress resources that do not have a proxy class defined. # service and ingress resources that do not have a proxy class defined. It
# does not apply to Connector and ProxyGroup resources.
defaultProxyClass: "" defaultProxyClass: ""
# apiServerProxyConfig allows to configure whether the operator should expose # apiServerProxyConfig allows to configure whether the operator should expose


@ -400,24 +400,17 @@ func (r *ProxyGroupReconciler) ensureConfigSecretsCreated(ctx context.Context, p
func pgTailscaledConfig(pg *tsapi.ProxyGroup, class *tsapi.ProxyClass, idx int32, authKey string, oldSecret *corev1.Secret) (tailscaledConfigs, error) { func pgTailscaledConfig(pg *tsapi.ProxyGroup, class *tsapi.ProxyClass, idx int32, authKey string, oldSecret *corev1.Secret) (tailscaledConfigs, error) {
conf := &ipn.ConfigVAlpha{ conf := &ipn.ConfigVAlpha{
Version: "alpha0", Version: "alpha0",
AcceptDNS: "false", AcceptDNS: "false",
AcceptRoutes: "false", // AcceptRoutes defaults to true AcceptRoutes: "false", // AcceptRoutes defaults to true
Locked: "false", Locked: "false",
Hostname: ptr.To(fmt.Sprintf("%s-%d", pg.Name, idx)), Hostname: ptr.To(fmt.Sprintf("%s-%d", pg.Name, idx)),
NoStatefulFiltering: "false",
} }
if pg.Spec.HostnamePrefix != "" { if pg.Spec.HostnamePrefix != "" {
conf.Hostname = ptr.To(fmt.Sprintf("%s%d", pg.Spec.HostnamePrefix, idx)) conf.Hostname = ptr.To(fmt.Sprintf("%s%d", pg.Spec.HostnamePrefix, idx))
} }
// For egress proxies only, we need to ensure that stateful filtering is
// not in place so that traffic from cluster can be forwarded via
// Tailscale IPs.
if pg.Spec.Type == tsapi.ProxyGroupTypeEgress {
conf.NoStatefulFiltering = "true"
}
if shouldAcceptRoutes(class) { if shouldAcceptRoutes(class) {
conf.AcceptRoutes = "true" conf.AcceptRoutes = "true"
} }