kube: allow overriding client api server URL via ENV #12115
Conversation
ChandonPierre
force-pushed
the
cpierre/kube-client
branch
2 times, most recently
from
39bc9b4
to
f9d1259
Compare
|
Hi @ChandonPierre thank you for the PR. Agree that we should fix #11397, thank you for picking that up. We should though, instead of introducing extra env var for kube api server address, allow for those values to be read from the default kube env vars I am not sure if this will fix your issue. Do you expect the API server's TLS cert to contain the address that you want to use? |
It does, yes; the API server has the correct DNS SAN. I've built this branch and tested it in my environment.
Yes, this makes more sense
I'm less convinced on this one - On the surface, it doesn't seem to me like this would introduce breaking functionality? This appears to be how |
|
It should always be defined, but in practice, we have seen various non-standard environments and I am weary of breaking folks' custom configurations (i.e non-operator kube deployments). |
ChandonPierre
force-pushed
the
cpierre/kube-client
branch
from
7c24f2d
to
5c3933f
Compare
There was a problem hiding this comment.
Thanks @ChandonPierre I've left a couple comments to restructure the PR, let me know if that makes sense. Apart from that the change in general makes sense and thanks again for picking this up 👍🏼
kube/client.go
Outdated
| } | ||
| return defaultValue | ||
|
|
||
| saPath = "/var/run/secrets/kubernetes.io/serviceaccount" |
There was a problem hiding this comment.
Instead of doing this, can we have the caller to read the env var (in that case it would be the containerboot client here). We could add a new New(opts ClientOpts) function and deprecate the old one. ClientOpts could have a URL field.
In containerboot, we can read in the env var here-ish and resolve the URL before creating new client.
There was a problem hiding this comment.
Instead of doing this, can we have the caller to read the env var (in that case it would be the containerboot client here). We could add a new
New(opts ClientOpts)function and deprecate the old one.ClientOptscould have aURLfield.In containerboot, we can read in the env var here-ish and resolve the URL before creating new client.
Having thought about this abit, I can't really envision doing this in a way that's DRY. I do feel like some of this would be simpler using client-go.
Since there's already a code path for reading the host from env for unit-tests and we want to gate this functionality around a feature flag anyway, I feel that the simplest solution is to use SetURL for this as well: ab5fbed
There was a problem hiding this comment.
I do feel like some of this would be simpler using client-go
It definitely would, the reason why we don't do that is to keep the size smaller (the container image is used not just on kube)
I feel that the simplest solution is to use SetURL for this as well: ab5fbed
There is another kube client that gets initiated when state storage is a Kubernetes Secret, here to read/update the Secret. Your PR now only updates the client that is initiated to check the Secret permissions, whilst the client for state store will still use the default URL. (This code is a little bit convoluted as it has grown naturally and at some point will need refactor, but right now we are low bandwidth).
There was a problem hiding this comment.
I see; seems like tests are handled differently there
recycled the same approach in 8da0086; still not very DRY I'm afraid
There was a problem hiding this comment.
Thanks for the updates @ChandonPierre .
still not very DRY I'm afraid
I think this is the best we can get without a bigger refactor of the state.
Happy for this one to go in just one more nit- can we change os.Getenv("TS_KUBERNETES_READ_API_SERVER_ADDRESS_FROM_ENV") != "" -> os.Getenv("TS_KUBERNETES_READ_API_SERVER_ADDRESS_FROM_ENV") == "true" or something like that to not have folks wonder what value needs to be used & how to unset?
There was a problem hiding this comment.
I think this is the best we can get without a bigger refactor of the state.
Agreed.
Happy for this one to go in just one more nit- can we change
os.Getenv("TS_KUBERNETES_READ_API_SERVER_ADDRESS_FROM_ENV") != ""->os.Getenv("TS_KUBERNETES_READ_API_SERVER_ADDRESS_FROM_ENV") == "true"or something like that to not have folks wonder what value needs to be used & how to unset?
Done in 659e3fb + squashed commits
ChandonPierre
force-pushed
the
cpierre/kube-client
branch
3 times, most recently
from
8da0086
to
659e3fb
Compare
There was a problem hiding this comment.
Looks good thanks!
There is the typo mentioned + could you please reference #11397 in the commit message (i.e Updates tailscale/tailscale#11397 like here f227083)? That will fix the issuebot failure. I am not sure why the DCO check is failing as your commit looks signed.
Apart from that, happy for this to go in, thank you for your patience working on this
ChandonPierre
force-pushed
the
cpierre/kube-client
branch
from
659e3fb
to
6dda8e8
Compare
…erver URL via ENV Updates tailscale#11397 Signed-off-by: Chandon Pierre <cpierre@coreweave.com>
ChandonPierre
force-pushed
the
cpierre/kube-client
branch
from
6dda8e8
to
c56e938
Compare
Updated :) I double checked my profile settings, not sure why DCO is picking up the obfuscated address |
|
Thanks again for working on this @ChandonPierre , glad we got this one in. I've cut a dev Helm chart/container images, if that helps with your testing (chart version "1.67.63", app version "unstable-v1.67.63") Additionally (as I remember you mostly needed this change for a workaround to use the operator in a cluster with a CGNAT Pod CIDR range?), we've had a couple more users reports on this and might look into whether there is anything else we can do to not drop packets received on proxy Pod IPs. |
Thanks! We'll get this validated
Our environment is a bit unique in that the API server endpoint (and a few other control-plane services) exist in the CGNAT range. Happy to help with testing if it's helpful - feel free to shoot over an e-mail to coordinate. |
In our environment, the endpoint for
kubernetes.default.svcis in the RFC6598 address range. This conflicts with the range Tailscale uses for node address assignment; additionally, the proxy pod drops traffic to addresses in this range that are not from thetailscaleinterface:iifname != "tailscale0*" ip saddr 100.64.0.0/10 counter packets 0 bytes 0 dropPreviously we worked around this by setting
--netfilter-mode=offbut as of #11238 this has become more challenging.I would like to instead override the address
containerbootuses to talk to the kubernetes api server and point it to something not in the RFC6598 range. Having tested this locally it does appear to resolve my issue (wherecontainerbootcannotPOSTtokubernetes.default.svc)Closes #11397