From e1224804c3c71b6d0a80db65174d6dbefe1bd848 Mon Sep 17 00:00:00 2001
From: Stavros Kois <47820033+stavros-k@users.noreply.github.com>
Date: Sat, 5 Nov 2022 20:24:36 +0200
Subject: [PATCH] fix(tailscale): switch to the new golang binary (#4307)
* fix(tailscale): switch to the new golang binary
* temp, let CI install tailscale
* test without secret
* change key name in secret
* change socket to varrun, which is the default that `tailscale` command looks for
* test with varrun enabled
* remove tty
* don't try to install TS
* dont load authkey as env
* update vpn template
* remove /var/lib as it now uses kubesecret for the state
* bump
---
charts/stable/tailscale/Chart.yaml | 2 +-
charts/stable/tailscale/questions.yaml | 27 ++++++++++---------
.../stable/tailscale/templates/_configmap.tpl | 5 ++++
charts/stable/tailscale/templates/_secret.tpl | 3 ++-
charts/stable/tailscale/values.yaml | 24 +++++++----------
cspell.config.yaml | 1 +
templates/questions/addons/vpn.yaml | 14 +++++++++-
7 files changed, 47 insertions(+), 29 deletions(-)
diff --git a/charts/stable/tailscale/Chart.yaml b/charts/stable/tailscale/Chart.yaml
index db18330d996..1cf4dddec5a 100644
--- a/charts/stable/tailscale/Chart.yaml
+++ b/charts/stable/tailscale/Chart.yaml
@@ -20,7 +20,7 @@ sources: - https://github.com/truecharts/charts/tree/master/charts/stable/tailscale - https://hub.docker.com/r/tailscale/tailscale - https://github.com/tailscale/tailscale/blob/main/docs/k8s/run.sh -version: 1.1.20 +version: 1.1.21 annotations: truecharts.org/catagories: | - network
diff --git a/charts/stable/tailscale/questions.yaml b/charts/stable/tailscale/questions.yaml
index f1ec62a4063..91553bd31a7 100644
--- a/charts/stable/tailscale/questions.yaml
+++ b/charts/stable/tailscale/questions.yaml
@@ -11,8 +11,8 @@ questions: # Include{controllerExpert} # Include{controllerExpertExtraArgs} - variable: tailscale - group: "Container Configuration" - label: "Tailscale Configuration" + group: Container Configuration + label: Tailscale Configuration schema: additional_attrs: true type: dict
@@ -24,6 +24,12 @@ questions: type: string private: true default: "" + - variable: auth_once + label: Auth Once + description: Only attempt to log in if not already logged in. + schema: + type: boolean + default: true - variable: userspace label: Userspace description: Userspace Networking mode allows running Tailscale where you don't have access to create a VPN tunnel device. *Required for Exit Node/Accessing Local Routes* See How-To-Guide for more info
@@ -50,6 +56,13 @@ questions: default: "" - variable: sock5_server label: Sock5 Server + description: The address on which to listen for SOCKS5 proxying into the tailscale net. + schema: + type: string + default: "" + - variable: outbound_http_proxy_listen + label: Outbound HTTP Proxy Listen + description: The address on which to listen for HTTP proxying into the tailscale net. schema: type: string default: ""
@@ -81,16 +94,6 @@ questions: default: true # Include{serviceExpert} # Include{serviceList} -# Include{persistenceRoot} - variable: config - label: App Config Storage - description: Stores the Application Configuration. - schema: - additional_attrs: true - type: dict - attrs: -# Include{persistenceBasic} -# Include{persistenceAdvanced} # Include{persistenceList} # Include{ingressRoot} - variable: main
diff --git a/charts/stable/tailscale/templates/_configmap.tpl b/charts/stable/tailscale/templates/_configmap.tpl
index 723613d5d97..d8433e3a809 100644
--- a/charts/stable/tailscale/templates/_configmap.tpl
+++ b/charts/stable/tailscale/templates/_configmap.tpl
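Review bot: The new descriptions added in hunk `@@ -50,6 +56,13 @@` for `sock5_server` and `outbound_http_proxy_listen` say what the listener is for but not what value is expected or what a non-loopback bind implies; an empty default is fine, but a user who enters something like `0.0.0.0:<port>` (constructed example) opens a proxy into the tailnet to whatever can reach the pod's network, and whether that proxy authenticates clients is not stated here, so it should be confirmed against the tailscale docs before the wording is finalised. Suggest extending the description to `description: The address (host:port) on which to listen for SOCKS5 proxying into the tailscale net. Leave empty to disable; bind to localhost unless the proxy is meant to be reachable from outside the pod.` with matching wording for the HTTP proxy entry. The same two descriptions are added to templates/questions/addons/vpn.yaml in hunk `@@ -76,7 +82,13 @@` and should be kept in sync with these. As a point of style, the context label `Sock5 Server` next to a description that says SOCKS5 reads as a typo; `label: SOCKS5 Server` would match, while the variable name `sock5_server` is a values key and must stay as is.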
@@ -26,8 +26,10 @@ metadata: {{- include "tc.common.labels" . | nindent 4 }} data: TS_KUBE_SECRET: {{ $secretName | squote }} + TS_SOCKET: /var/run/tailscale/tailscaled.sock TS_USERSPACE: {{ .Values.tailscale.userspace | quote }} TS_ACCEPT_DNS: {{ .Values.tailscale.accept_dns | quote }} + TS_AUTH_ONCE: {{ .Values.tailscale.auth_once | quote }} {{- with .Values.tailscale.routes }} TS_ROUTES: {{ . }} {{- end }}
@@ -43,4 +45,7 @@ data: {{- with $customArgs }} TS_EXTRA_ARGS: {{ . | quote }} {{- end }} + {{- with .Values.tailscale.outbound_http_proxy_listen }} + TS_OUTBOUND_HTTP_PROXY_LISTEN: {{ . | quote }} + {{- end }} {{- end }}
diff --git a/charts/stable/tailscale/templates/_secret.tpl b/charts/stable/tailscale/templates/_secret.tpl
index 73c68d0b2c6..37e701f1c3e 100644
--- a/charts/stable/tailscale/templates/_secret.tpl
+++ b/charts/stable/tailscale/templates/_secret.tpl
@@ -14,6 +14,7 @@ metadata: {{- include "tc.common.labels" . | nindent 4 }} data: {{- with .Values.tailscale.authkey }} - TS_AUTH_KEY: {{ . | b64enc }} + {{/* Name of the authkey is crucial, don't change it */}} + authkey: {{ . | b64enc }} {{- end }} {{- end }}
diff --git a/charts/stable/tailscale/values.yaml b/charts/stable/tailscale/values.yaml
index b744d1140c7..2df2409358a 100644
--- a/charts/stable/tailscale/values.yaml
+++ b/charts/stable/tailscale/values.yaml
@@ -3,9 +3,8 @@ image: pullPolicy: IfNotPresent tag: v1.33.141@sha256:726ff19a7be12e9b88fd582edea075020833ebe707751194ee5dc82583a330e6 -command: ["ash", "/tailscale/run.sh"] - -tty: true +command: + - /usr/local/bin/containerboot securityContext: readOnlyRootFilesystem: false
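Review bot: In the `_configmap.tpl` hunk `@@ -26,8 +26,10 @@`, `TS_SOCKET: /var/run/tailscale/tailscaled.sock` is the only value in this `data:` block emitted without `| quote`/`| squote`, and the path is hard-coded while the directory it lives in presumably comes from the `persistence.varrun` mount that values.yaml enables in this same commit; if that mount's path were ever changed, the socket would land outside the volume with nothing pointing at the mismatch. Suggest quoting it for consistency with its neighbours and documenting the coupling in a template comment, e.g. `{{/* Must live on the varrun volume; per the commit description this is the default path the tailscale CLI looks for */}}` followed by `TS_SOCKET: "/var/run/tailscale/tailscaled.sock"`. The default-path claim is taken from the commit description rather than from anything visible in the chart, so it should be confirmed against the image before being written down as fact. The enclosing `data:` mapping and the surrounding template define start before and end after this hunk.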
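Review bot: In the `_secret.tpl` hunk `@@ -14,6 +14,7 @@`, the added comment `{{/* Name of the authkey is crucial, don't change it */}}` says the field name matters but not why, so the next maintainer cannot tell what would break if it were renamed. The commit description and the dropped `secretRef` in values.yaml indicate that containerboot now reads the key from the Secret named by `TS_KUBE_SECRET` rather than from an env var, so the comment should name that contract, e.g. `{{/* containerboot reads the auth key from the "authkey" field of the TS_KUBE_SECRET secret; renaming the field means it will not find the key */}}`. Since this appears to be the same Secret the pod's RBAC may `update` (tailscaled state, per the commit description), it is worth confirming whether the auth key remains in the Secret after login or is cleared, and recording the answer next to this field. The enclosing `{{- with }}` and define blocks start before and end after the hunk.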
@@ -29,32 +28,32 @@ rbac: - apiGroups: - "" resources: - - "secrets" + - secrets verbs: - - "create" + - create - apiGroups: - "" resources: - - "secrets" + - secrets resourceNames: - '{{ printf "%s-tailscale-secret" (include "tc.common.names.fullname" .) }}' verbs: - - "get" - - "update" + - get + - update envFrom: - - secretRef: - name: '{{ include "tc.common.names.fullname" . }}-tailscale-secret' - configMapRef: name: '{{ include "tc.common.names.fullname" . }}-tailscale-config' tailscale: - authkey: "supersecret" + authkey: supersecret + auth_once: true userspace: true accept_dns: false routes: "" dest_ip: "" sock5_server: "" + outbound_http_proxy_listen: "" extra_args: "" daemon_extra_args: "" hostname: ""
@@ -79,10 +78,7 @@ service: persistence: varrun: - enabled: false - config: enabled: true - mountPath: "/var/lib" tun: enabled: true type: hostPath
diff --git a/cspell.config.yaml b/cspell.config.yaml
index 3e7c2bb48a0..3873f52600d 100644
--- a/cspell.config.yaml
+++ b/cspell.config.yaml
@@ -191,6 +191,7 @@ words: - proto - proxyhttp - proxyhttps + - proxying - proxymetrics - puid - putregexhere
diff --git a/templates/questions/addons/vpn.yaml b/templates/questions/addons/vpn.yaml
index 9bdc00c415b..3db69f2e8f6 100644
--- a/templates/questions/addons/vpn.yaml
+++ b/templates/questions/addons/vpn.yaml
@@ -50,6 +50,12 @@ type: string private: true default: "" + - variable: auth_once + label: Auth Once + description: Only attempt to log in if not already logged in. + schema: + type: boolean + default: true - variable: accept_dns label: Accept DNS description: Accept DNS configuration from the admin console.
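Review bot: In the values.yaml hunk `@@ -29,32 +28,32 @@`, `authkey: supersecret` keeps a non-empty placeholder as the chart default (the hunk only drops the quotes), while the questions.yaml and vpn.yaml defaults for the same field are `""`; because `_secret.tpl` guards the field with `{{- with .Values.tailscale.authkey }}`, a plain `helm install` that does not override the value renders the Secret with the placeholder, and containerboot would presumably attempt to log in with it. Suggest `authkey: ""` so the `authkey` field is omitted unless a real key is supplied, which also keeps a placeholder from ever looking like a credential in rendered manifests. Dropping the `secretRef` from `envFrom` in this hunk is the right direction now that the key is read from the Secret, since it keeps the auth key out of the container environment where any process in the pod could read it.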
@@ -76,7 +82,13 @@ default: "" - variable: sock5_server label: Sock5 Server - description: Sock5 Server + description: The address on which to listen for SOCKS5 proxying into the tailscale net. + schema: + type: string + default: "" + - variable: outbound_http_proxy_listen + label: Outbound HTTP Proxy Listen + description: The address on which to listen for HTTP proxying into the tailscale net. schema: type: string default: ""