Review feedback

* Document that default ProxyClass does not currently apply to CRDs * Remove stateful filtering Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
2025-04-18 20:51:45 +00:00 · 2024-10-04 14:30:32 +01:00 · 2024-10-04 14:30:32 +01:00 · fa0b70739d
commit fa0b70739d
parent aebba51df8
2 changed files with 7 additions and 13 deletions
--- a/cmd/k8s-operator/deploy/chart/values.yaml
+++ b/cmd/k8s-operator/deploy/chart/values.yaml
@ -79,7 +79,8 @@ proxyConfig:
  defaultTags: "tag:k8s"
  firewallMode: auto
  # If defined, this proxy class will be used as the default proxy class for
-  # service and ingress resources that do not have a proxy class defined.
+  # service and ingress resources that do not have a proxy class defined. It
+  # does not apply to Connector and ProxyGroup resources.
  defaultProxyClass: ""

 # apiServerProxyConfig allows to configure whether the operator should expose
--- a/cmd/k8s-operator/proxygroup.go
+++ b/cmd/k8s-operator/proxygroup.go
@ -405,19 +405,12 @@ func pgTailscaledConfig(pg *tsapi.ProxyGroup, class *tsapi.ProxyClass, idx int32
 		AcceptRoutes: "false", // AcceptRoutes defaults to true
 		Locked:       "false",
 		Hostname:     ptr.To(fmt.Sprintf("%s-%d", pg.Name, idx)),
-		NoStatefulFiltering: "false",
 	}

 	if pg.Spec.HostnamePrefix != "" {
 		conf.Hostname = ptr.To(fmt.Sprintf("%s%d", pg.Spec.HostnamePrefix, idx))
 	}

-	// For egress proxies only, we need to ensure that stateful filtering is
-	// not in place so that traffic from cluster can be forwarded via
-	// Tailscale IPs.
-	if pg.Spec.Type == tsapi.ProxyGroupTypeEgress {
-		conf.NoStatefulFiltering = "true"
-	}
 	if shouldAcceptRoutes(class) {
 		conf.AcceptRoutes = "true"
 	}