We used to need to do timed requeues in a few places in the reconcile logic,
and the easiest way to do that was to plumb reconcile.Result return values
around. But now we're purely event-driven, so the only thing we care about
is whether or not an error occurred.
Incidentally also fix a very minor bug where headless services would get
completely ignored, rather than reconciled into the correct state. This
shouldn't matter in practice because you can't transition from a headful
to a headless service without a deletion, but for consistency let's avoid
having a path that takes no definite action if a service of interest does
exist.
Updates #502.
Signed-off-by: David Anderson <danderson@tailscale.com>
Previously, we had to do blind timed requeues while waiting for
the tailscale hostname, because we looked up the hostname through
the API. But now the proxy container image writes back its hostname
to the k8s secret, so we get an event-triggered reconcile automatically
when the time is right.
Updates #502
Signed-off-by: David Anderson <danderson@tailscale.com>
As is convention in the k8s world, use zap for structured logging. For
development, OPERATOR_LOGGING=dev switches to a more human-readable output
than JSON.
Updates #502
Signed-off-by: David Anderson <danderson@tailscale.com>
Our reconcile loop gets triggered again when the StatefulSet object
finally disappears (in addition to when its deletion starts, as indicated
by DeletionTimestamp != 0). So, we don't need to queue additional
reconciliations to proceed with the remainder of the cleanup, that
happens organically.
Signed-off-by: David Anderson <danderson@tailscale.com>
Tests cover configuring a proxy through an annotation rather than a
LoadBalancerClass, and converting between those two modes at runtime.
Updates #502.
Signed-off-by: David Anderson <danderson@tailscale.com>
For other test cases, the operator is going to produce similar generated
objects in several codepaths, and those objects are large. Move them out
to helpers so that the main test code stays a bit more intelligible.
The top-level Service that we start and end with remains in the main test
body, because its shape at the start and end is one of the main things that
varies a lot between test cases.
Updates #502.
Signed-off-by: David Anderson <danderson@tailscale.com>
The test verifies one of the successful reconcile paths, where
a client requests an exposed service via a LoadBalancer class.
Updates #502.
Signed-off-by: David Anderson <danderson@tailscale.com>
Also introduces an intermediary interface for the tailscale client, in
preparation for operator tests that fake out the Tailscale API interaction.
Updates #502.
Signed-off-by: David Anderson <danderson@tailscale.com>
This was initially developed in a separate repo, but for build/release
reasons and because go module management limits the damage of importing
k8s things now, moving it into this repo.
At time of commit, the operator enables exposing services over tailscale,
with the 'tailscale' loadBalancerClass. It also currently requires an
unreleased feature to access the Tailscale API, so is not usable yet.
Updates #502.
Signed-off-by: David Anderson <danderson@tailscale.com>
We've been doing a hard kill of the subprocess, which is only safe as long as
both the cli and gui are not running and the subprocess has had the opportunity
to clean up DNS settings etc. If unattended mode is turned on, this is definitely
unsafe.
I changed babysitProc to close the subprocess's stdin to make it shut down, and
then I plumbed a cancel function into the stdin reader on the subprocess side.
Fixes https://github.com/tailscale/corp/issues/5621
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
This is temporary while we work to upstream performance work in
https://github.com/WireGuard/wireguard-go/pull/64. A replace directive
is less ideal as it breaks dependent code without duplication of the
directive.
Signed-off-by: Jordan Whited <jordan@tailscale.com>
This commit updates the wireguard-go dependency and implements the
necessary changes to the tun.Device and conn.Bind implementations to
support passing vectors of packets in tailscaled. This significantly
improves throughput performance on Linux.
Updates #414
Signed-off-by: Jordan Whited <jordan@tailscale.com>
Signed-off-by: James Tucker <james@tailscale.com>
Co-authored-by: James Tucker <james@tailscale.com>
This avoids the issue in the common case where the socket path is the
default path, avoiding the immediate need for a Windows shell quote
implementation.
Updates #6639
Signed-off-by: James Tucker <james@tailscale.com>
Fixes#6400
open up GETs for localapi serve-config to allow read-only access to
ServeConfig
`tailscale status` will include "Funnel on" status when Funnel is
configured. Prints nothing if Funnel is not running.
Example:
$ tailscale status
<nodes redacted>
# Funnel on:
# - https://node-name.corp.ts.net
# - https://node-name.corp.ts.net:8443
# - tcp://node-name.corp.ts.net:10000
Signed-off-by: Shayne Sweeney <shayne@tailscale.com>
We still have to shell out to `tailscale up` because the container image's
API includes "arbitrary flags to tailscale up", unfortunately. But this
should still speed up startup a little, and also enables k8s-bound containers
to update their device information as new netmap updates come in.
Fixes#6657
Signed-off-by: David Anderson <danderson@tailscale.com>
* Do not print the status at the end of a successful operation
* Ensure the key of the current node is actually trusted to make these changes
Signed-off-by: Tom DNetto <tom@tailscale.com>
WinTun is installed lazily by tailscaled while it is running as LocalSystem.
Based upon what we're seeing in bug reports and support requests, removing
WinTun as a lesser user may fail under certain Windows versions, even when that
user is an Administrator.
By adding a user-defined command code to tailscaled, we can ask the service to
do the removal on our behalf while it is still running as LocalSystem.
* The uninstall code is basically the same as it is in corp;
* The command code will be sent as a service control request and is protected by
the SERVICE_USER_DEFINED_CONTROL access right, which requires Administrator.
I'll be adding follow-up patches in corp to engage this functionality.
Updates https://github.com/tailscale/tailscale/issues/6433
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
This handles the case where the inner *os.PathError is wrapped in
another error type, and additionally will redact errors of type
*os.LinkError. Finally, add tests to verify that redaction works.
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Ie83424ff6c85cdb29fb48b641330c495107aab7c
x/exp/slices now has ContainsFunc (golang/go#53983) so we can delete
our versions.
Change-Id: I5157a403bfc1b30e243bf31c8b611da25e995078
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
renamed from `useNetstack` to `onlyNetstack` which is 1 letter more but
more descriptive because we always have netstack enabled and `useNetstack`
doesn't convey what it is supposed to be used for. e.g. we always use
netstack for Tailscale SSH.
Also renamed shouldWrapNetstack to handleSubnetsInNetstack as it was only used
to configure subnet routing via netstack.
Updates tailscale/corp#8020
Signed-off-by: Maisem Ali <maisem@tailscale.com>
To simplify clients getting the initial state when they subscribe.
Change-Id: I2490a5ab2411253717c74265a46a98012b80db82
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
When running `tailscale web` as a standalone process,
it was necessary to send auth requests to QTS using
localhost to avoid hitting the proxy recursively.
However running `tailscale web` as a process means it is
consuming RAM all the time even when it isn't actively
doing anything.
After switching back to the `tailscale web` CGI mode, we
don't need to specifically use localhost for QNAP auth.
This reverts commit e0cadc5496.
Signed-off-by: Denton Gentry <dgentry@tailscale.com>
This reverts commit f1130421f0.
It was submitted with failing tests (go generate checks)
Requires a lot of API changes to fix so rolling back instead of
forward.
Change-Id: I024e8885c0ed44675d3028a662f386dda811f2ad
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
