-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kube: allow overriding client api server URL via ENV #12115
Conversation
39bc9b4
to
f9d1259
Compare
Hi @ChandonPierre thank you for the PR. Agree that we should fix #11397, thank you for picking that up. We should though, instead of introducing extra env var for kube api server address, allow for those values to be read from the default kube env vars I am not sure if this will fix your issue. Do you expect the API server's TLS cert to contain the address that you want to use? |
It does, yes; the API server has the correct DNS SAN. I've built this branch and tested it in my environment.
Yes, this makes more sense
I'm less convinced on this one - On the surface, it doesn't seem to me like this would introduce breaking functionality? This appears to be how |
It should always be defined, but in practice, we have seen various non-standard environments and I am weary of breaking folks' custom configurations (i.e non-operator kube deployments). |
7c24f2d
to
5c3933f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @ChandonPierre I've left a couple comments to restructure the PR, let me know if that makes sense. Apart from that the change in general makes sense and thanks again for picking this up 👍🏼
kube/client.go
Outdated
} | ||
return defaultValue | ||
|
||
saPath = "/var/run/secrets/kubernetes.io/serviceaccount" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of doing this, can we have the caller to read the env var (in that case it would be the containerboot client here). We could add a new New(opts ClientOpts)
function and deprecate the old one. ClientOpts
could have a URL
field.
In containerboot, we can read in the env var here-ish and resolve the URL before creating new client.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of doing this, can we have the caller to read the env var (in that case it would be the containerboot client here). We could add a new
New(opts ClientOpts)
function and deprecate the old one.ClientOpts
could have aURL
field.In containerboot, we can read in the env var here-ish and resolve the URL before creating new client.
Having thought about this abit, I can't really envision doing this in a way that's DRY. I do feel like some of this would be simpler using client-go
.
Since there's already a code path for reading the host from env for unit-tests and we want to gate this functionality around a feature flag anyway, I feel that the simplest solution is to use SetURL
for this as well: ab5fbed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do feel like some of this would be simpler using client-go
It definitely would, the reason why we don't do that is to keep the size smaller (the container image is used not just on kube)
I feel that the simplest solution is to use SetURL for this as well: ab5fbed
There is another kube client that gets initiated when state storage is a Kubernetes Secret
, here to read/update the Secret
. Your PR now only updates the client that is initiated to check the Secret
permissions, whilst the client for state store will still use the default URL. (This code is a little bit convoluted as it has grown naturally and at some point will need refactor, but right now we are low bandwidth).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see; seems like tests are handled differently there
recycled the same approach in 8da0086; still not very DRY I'm afraid
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the updates @ChandonPierre .
still not very DRY I'm afraid
I think this is the best we can get without a bigger refactor of the state.
Happy for this one to go in just one more nit- can we change os.Getenv("TS_KUBERNETES_READ_API_SERVER_ADDRESS_FROM_ENV") != ""
-> os.Getenv("TS_KUBERNETES_READ_API_SERVER_ADDRESS_FROM_ENV") == "true"
or something like that to not have folks wonder what value needs to be used & how to unset?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is the best we can get without a bigger refactor of the state.
Agreed.
Happy for this one to go in just one more nit- can we change
os.Getenv("TS_KUBERNETES_READ_API_SERVER_ADDRESS_FROM_ENV") != ""
->os.Getenv("TS_KUBERNETES_READ_API_SERVER_ADDRESS_FROM_ENV") == "true"
or something like that to not have folks wonder what value needs to be used & how to unset?
Done in 659e3fb + squashed commits
8da0086
to
659e3fb
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good thanks!
There is the typo mentioned + could you please reference #11397 in the commit message (i.e Updates tailscale/tailscale#11397
like here f227083)? That will fix the issuebot failure. I am not sure why the DCO check is failing as your commit looks signed.
Apart from that, happy for this to go in, thank you for your patience working on this
659e3fb
to
6dda8e8
Compare
…erver URL via ENV Updates tailscale#11397 Signed-off-by: Chandon Pierre <cpierre@coreweave.com>
6dda8e8
to
c56e938
Compare
Updated :) I double checked my profile settings, not sure why DCO is picking up the obfuscated address |
Thanks again for working on this @ChandonPierre , glad we got this one in. I've cut a dev Helm chart/container images, if that helps with your testing (chart version "1.67.63", app version "unstable-v1.67.63") Additionally (as I remember you mostly needed this change for a workaround to use the operator in a cluster with a CGNAT Pod CIDR range?), we've had a couple more users reports on this and might look into whether there is anything else we can do to not drop packets received on proxy Pod IPs. |
Thanks! We'll get this validated
Our environment is a bit unique in that the API server endpoint (and a few other control-plane services) exist in the CGNAT range. Happy to help with testing if it's helpful - feel free to shoot over an e-mail to coordinate. |
In our environment, the endpoint for
kubernetes.default.svc
is in the RFC6598 address range. This conflicts with the range Tailscale uses for node address assignment; additionally, the proxy pod drops traffic to addresses in this range that are not from thetailscale
interface:iifname != "tailscale0*" ip saddr 100.64.0.0/10 counter packets 0 bytes 0 drop
Previously we worked around this by setting
--netfilter-mode=off
but as of #11238 this has become more challenging.I would like to instead override the address
containerboot
uses to talk to the kubernetes api server and point it to something not in the RFC6598 range. Having tested this locally it does appear to resolve my issue (wherecontainerboot
cannotPOST
tokubernetes.default.svc
)Closes #11397