FR: Customize kube api address #11397
Comments
Do you see this in the operator's logs? Or in one of the proxies' logs? The operator itself uses the controller-runtime client with a client-go mechanism for retrieving the api-server address etc. It does not use the client that you linked. However, the proxies that we create do. If possible, we should try to auto-detect the address.
@irbekrm Thank you for the response! Yeah, I think there's only one container in the pod
I went through the Dockerfile for the tailscale repo and found that it only builds the image for tailscale, but not the operator. Do you know where the script/Dockerfile to build the operator is? @irbekrm Since I couldn't build and test locally, here's a suggested change for detecting and updating the kube server address: (looks like I couldn't create the PR)
I refer to this function in config.go: link. In this way, we can dynamically update the kube service address easily. Please help review whether this one is feasible. Thank you! @irbekrm
…erver URL via ENV Updates tailscale#11397 Signed-off-by: Chandon Pierre <cpierre@coreweave.com>
What are you trying to do?
We're using a cloud provider, and their cluster's CA certificate has a customized address that is different (for example: https://kube.cloud.dev) from the default one: https://kubernetes.default.svc.
By default, the certificate looks like this:
`* Server certificate:
In our case, it looks like this:
`* Server certificate:
When I was trying to install the tailscale operator, it gave the following error:
failed to verify certificate: x509: certificate is valid for *.kube.cloud.dev, not kubernetes.default.svc
In this case, we would like the tailscale operator to support reading from the environment variables KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT, where KUBERNETES_SERVICE_HOST can be kube.cloud.dev and KUBERNETES_SERVICE_PORT can be 443.
How should we solve this?
As I mentioned above, just enable the setting of these two environment variables, KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT, read their values, and set them here: https://github.com/tailscale/tailscale/blob/main/kube/client.go#L31. In this way, the issue can be solved.
What is the impact of not solving this?
After enabling this feature, tailscale operator can enable the customized kube server address, other than https://kubernetes.default.svc. This can give the user more freedom.
Anything else?
No response
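The request above, sketched as an added example (not code from the tailscale repository): resolve the API server URL from `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` with a fallback to the default, then check candidate host names against a certificate before relying on them. The helper names `apiServerURL` and `selfSigned`, the host `api.kube.cloud.dev`, and the throwaway certificate (only the wildcard SAN from the error message) are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

const defaultAPIServer = "https://kubernetes.default.svc" // default named in the issue

// apiServerURL (hypothetical helper) prefers the two environment variables
// and falls back to the default only when either one is unset.
func apiServerURL(getenv func(string) string) string {
	host, port := getenv("KUBERNETES_SERVICE_HOST"), getenv("KUBERNETES_SERVICE_PORT")
	if host == "" || port == "" {
		return defaultAPIServer
	}
	return "https://" + net.JoinHostPort(host, port) // brackets IPv6 literals
}

// selfSigned builds a constructed sample certificate whose only SAN is dnsName.
func selfSigned(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := selfSigned("*.kube.cloud.dev")
	if err != nil {
		panic(err)
	}
	fmt.Println("resolved:", apiServerURL(os.Getenv))
	// A wildcard SAN covers exactly one extra label, so the bare domain fails too.
	for _, h := range []string{"kubernetes.default.svc", "kube.cloud.dev", "api.kube.cloud.dev"} {
		fmt.Printf("%-24s %v\n", h, cert.VerifyHostname(h))
	}
}
```

Keeping hostname verification on and pointing the client at a name the certificate actually covers fixes the error without weakening TLS.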