mirror of
https://github.com/tailscale/tailscale.git
synced 2024-12-11 02:34:43 +00:00
5bd19fd3e3
* cmd/k8s-operator,k8s-operator: introduce proxy configuration mechanism via ProxyClass custom resource. ProxyClass custom resource can be used to specify customizations for the proxy resources created by the operator. Add a reconciler that validates ProxyClass resources and sets a Ready condition to True or False with a corresponding reason and message. This is required because some fields (labels and annotations) require complex validations that cannot be performed at custom resource apply time. Reconcilers that use the ProxyClass to configure proxy resources are expected to verify that the ProxyClass is Ready and not proceed with resource creation if configuration from a ProxyClass that is not yet Ready is required. If a tailscale ingress/egress Service is annotated with a tailscale.com/proxy-class annotation, look up the corresponding ProxyClass and, if it is Ready, apply the configuration from the ProxyClass to the proxy's StatefulSet. If a tailscale Ingress has a tailscale.com/proxy-class annotation and the referenced ProxyClass custom resource is available and Ready, apply configuration from the ProxyClass to the proxy resources that will be created for the Ingress. Add a new .proxyClass field to the Connector spec. If connector.spec.proxyClass is set to a ProxyClass that is available and Ready, apply configuration from the ProxyClass to the proxy resources created for the Connector. Ensure that when Helm chart is packaged, the ProxyClass yaml is added to chart templates. Ensure that static manifest generator adds ProxyClass yaml to operator.yaml. Regenerate operator.yaml Signed-off-by: Irbe Krumina <irbe@tailscale.com>
129 lines
7.3 KiB
YAML
129 lines
7.3 KiB
YAML
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.13.0
|
|
name: connectors.tailscale.com
|
|
spec:
|
|
group: tailscale.com
|
|
names:
|
|
kind: Connector
|
|
listKind: ConnectorList
|
|
plural: connectors
|
|
shortNames:
|
|
- cn
|
|
singular: connector
|
|
scope: Cluster
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- description: CIDR ranges exposed to tailnet by a subnet router defined via this Connector instance.
|
|
jsonPath: .status.subnetRoutes
|
|
name: SubnetRoutes
|
|
type: string
|
|
- description: Whether this Connector instance defines an exit node.
|
|
jsonPath: .status.isExitNode
|
|
name: IsExitNode
|
|
type: string
|
|
- description: Status of the deployed Connector resources.
|
|
jsonPath: .status.conditions[?(@.type == "ConnectorReady")].reason
|
|
name: Status
|
|
type: string
|
|
name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
type: object
|
|
required:
|
|
- spec
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: ConnectorSpec describes the desired Tailscale component.
|
|
type: object
|
|
properties:
|
|
exitNode:
|
|
description: ExitNode defines whether the Connector node should act as a Tailscale exit node. Defaults to false. https://tailscale.com/kb/1103/exit-nodes
|
|
type: boolean
|
|
hostname:
|
|
description: Hostname is the tailnet hostname that should be assigned to the Connector node. If unset, hostname defaults to <connector name>-connector. Hostname can contain lower case letters, numbers and dashes, it must not start or end with a dash and must be between 2 and 63 characters long.
|
|
type: string
|
|
pattern: ^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$
|
|
proxyClass:
|
|
description: ProxyClass is the name of the ProxyClass custom resource that contains configuration options that should be applied to the resources created for this Connector. If unset, the operator will create resources with the default configuration.
|
|
type: string
|
|
subnetRouter:
|
|
description: SubnetRouter defines subnet routes that the Connector node should expose to tailnet. If unset, none are exposed. https://tailscale.com/kb/1019/subnets/
|
|
type: object
|
|
required:
|
|
- advertiseRoutes
|
|
properties:
|
|
advertiseRoutes:
|
|
description: AdvertiseRoutes refer to CIDRs that the subnet router should make available. Route values must be strings that represent a valid IPv4 or IPv6 CIDR range. Values can be Tailscale 4via6 subnet routes. https://tailscale.com/kb/1201/4via6-subnets/
|
|
type: array
|
|
minItems: 1
|
|
items:
|
|
type: string
|
|
format: cidr
|
|
tags:
|
|
description: Tags that the Tailscale node will be tagged with. Defaults to [tag:k8s]. To autoapprove the subnet routes or exit node defined by a Connector, you can configure Tailscale ACLs to give these tags the necessary permissions. See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes. If you specify custom tags here, you must also make the operator an owner of these tags. See https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator. Tags cannot be changed once a Connector node has been created. Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$.
|
|
type: array
|
|
items:
|
|
type: string
|
|
pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$
|
|
x-kubernetes-validations:
|
|
- rule: has(self.subnetRouter) || self.exitNode == true
|
|
message: A Connector needs to be either an exit node or a subnet router, or both.
|
|
status:
|
|
description: ConnectorStatus describes the status of the Connector. This is set and managed by the Tailscale operator.
|
|
type: object
|
|
properties:
|
|
conditions:
|
|
description: List of status conditions to indicate the status of the Connector. Known condition types are `ConnectorReady`.
|
|
type: array
|
|
items:
|
|
description: ConnectorCondition contains condition information for a Connector.
|
|
type: object
|
|
required:
|
|
- status
|
|
- type
|
|
properties:
|
|
lastTransitionTime:
|
|
description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
|
|
type: string
|
|
format: date-time
|
|
message:
|
|
description: Message is a human readable description of the details of the last transition, complementing reason.
|
|
type: string
|
|
observedGeneration:
|
|
description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Connector.
|
|
type: integer
|
|
format: int64
|
|
reason:
|
|
description: Reason is a brief machine readable explanation for the condition's last transition.
|
|
type: string
|
|
status:
|
|
description: Status of the condition, one of ('True', 'False', 'Unknown').
|
|
type: string
|
|
type:
|
|
description: Type of the condition, known values are (`SubnetRouterReady`).
|
|
type: string
|
|
x-kubernetes-list-map-keys:
|
|
- type
|
|
x-kubernetes-list-type: map
|
|
isExitNode:
|
|
description: IsExitNode is set to true if the Connector acts as an exit node.
|
|
type: boolean
|
|
subnetRoutes:
|
|
description: SubnetRoutes are the routes currently exposed to tailnet via this Connector instance.
|
|
type: string
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|