mirror of
https://github.com/tailscale/tailscale.git
synced 2025-06-30 20:19:04 +00:00
99b439a6e4
Adds a new k8s-proxy command to convert operator's in-process proxy to a separately deployable type of ProxyGroup: kube-apiserver. k8s-proxy reads in a new config file written by the operator, modelled on tailscaled's conffile but with some modifications to ensure multiple versions of the config can co-exist within a file. This should make it much easier to support reading that config file from a Kube Secret with a stable file name. The operator's RBAC has had some updates to ensure it can delegate the impersonation permissions that k8s-proxy requires to run its API Server proxy in auth mode where it can impersonate users and groups. Proxies deployed by kube-apiserver ProxyGroups currently work the same as the operator's in-process proxy. They do not yet leverage Tailscale Services for presenting a single HA DNS name. Updates #13358 Change-Id: Ib6ead69b2173c5e1929f3c13fb48a9a5362195d8 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
62 lines
1.4 KiB
Go
62 lines
1.4 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
//go:build !plan9
|
|
|
|
package main
|
|
|
|
import (
|
|
"fmt"
|
|
"log"
|
|
"os"
|
|
)
|
|
|
|
type apiServerProxyMode int
|
|
|
|
func (a apiServerProxyMode) String() string {
|
|
switch a {
|
|
case apiServerProxyModeDisabled:
|
|
return "disabled"
|
|
case apiServerProxyModeEnabled:
|
|
return "auth"
|
|
case apiServerProxyModeNoAuth:
|
|
return "noauth"
|
|
default:
|
|
return "unknown"
|
|
}
|
|
}
|
|
|
|
const (
|
|
apiServerProxyModeDisabled apiServerProxyMode = iota
|
|
apiServerProxyModeEnabled
|
|
apiServerProxyModeNoAuth
|
|
)
|
|
|
|
func parseAPIProxyMode() apiServerProxyMode {
|
|
haveAuthProxyEnv := os.Getenv("AUTH_PROXY") != ""
|
|
haveAPIProxyEnv := os.Getenv("APISERVER_PROXY") != ""
|
|
switch {
|
|
case haveAPIProxyEnv && haveAuthProxyEnv:
|
|
log.Fatal("AUTH_PROXY (deprecated) and APISERVER_PROXY are mutually exclusive, please unset AUTH_PROXY")
|
|
case haveAuthProxyEnv:
|
|
var authProxyEnv = defaultBool("AUTH_PROXY", false) // deprecated
|
|
if authProxyEnv {
|
|
return apiServerProxyModeEnabled
|
|
}
|
|
return apiServerProxyModeDisabled
|
|
case haveAPIProxyEnv:
|
|
var apiProxyEnv = defaultEnv("APISERVER_PROXY", "") // true, false or "noauth"
|
|
switch apiProxyEnv {
|
|
case "true":
|
|
return apiServerProxyModeEnabled
|
|
case "false", "":
|
|
return apiServerProxyModeDisabled
|
|
case "noauth":
|
|
return apiServerProxyModeNoAuth
|
|
default:
|
|
panic(fmt.Sprintf("unknown APISERVER_PROXY value %q", apiProxyEnv))
|
|
}
|
|
}
|
|
return apiServerProxyModeDisabled
|
|
}
|