authorDavid Anderson <danderson@tailscale.com>2022-10-21 16:25:11 -0700
committerDavid Anderson <danderson@tailscale.com>2022-10-21 16:40:51 -0700
commit124535dd2b26af4b66ffa8fb8cf46cfb49718ff0 (patch)
tree1902941620cefda8142bad71b17393ec3f982d83
parent42d9e7171ce291542899cf4575a93a73cc264aad (diff)
docs/k8s: record the Tailscale device ID in a k8s annotation.danderson/k8s
When a Tailscale pod comes up with k8s state storage, if it successfully authenticates it records its device ID in the tailscale.com/device-id annotation on the state secret. Signed-off-by: David Anderson <danderson@tailscale.com>
-rw-r--r--Dockerfile2
-rw-r--r--Dockerfile.base2
-rwxr-xr-xdocs/k8s/run.sh19
3 files changed, 20 insertions, 3 deletions
diff --git a/Dockerfile b/Dockerfile
index 5ff271233..a73ae170a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -69,7 +69,7 @@ RUN GOARCH=$TARGETARCH go install -ldflags="\
-v ./cmd/tailscale ./cmd/tailscaled
FROM alpine:3.16
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables jq curl
COPY --from=build-env /go/bin/* /usr/local/bin/
COPY --from=build-env /go/src/tailscale/docs/k8s/run.sh /usr/local/bin/
diff --git a/Dockerfile.base b/Dockerfile.base
index bf675921c..d8fa29cf2 100644
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -3,4 +3,4 @@
# license that can be found in the LICENSE file.
FROM alpine:3.16
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables jq curl
diff --git a/docs/k8s/run.sh b/docs/k8s/run.sh
index 765f536ab..df541f9ac 100755
--- a/docs/k8s/run.sh
+++ b/docs/k8s/run.sh
@@ -89,5 +89,22 @@ if [[ ! -z "${TS_DEST_IP}" ]]; then
iptables -t nat -I PREROUTING -d "$(tailscale --socket=${TS_SOCKET} ip -4)" -j DNAT --to-destination "${TS_DEST_IP}"
fi
+if [[ ! -z "${TS_KUBE_SECRET}" ]]; then
+ DEVICE_ID=$(tailscale --socket="${TS_SOCKET}" status --json | jq -r .Self.ID)
+ echo "Device ID is $DEVICE_ID"
+ NS=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
+ TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+ if ! curl -s -X PATCH \
+ --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
+ -H "Authorization: Bearer $TOKEN" \
+ -H "Accept: application/json" \
+ -H "Content-Type: application/strategic-merge-patch+json" \
+ --data-raw "{\"data\":{\"device_id\": \"$DEVICE_ID\"}}" \
+ "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/api/v1/namespaces/${NS}/secrets/${TS_KUBE_SECRET}?fieldManager=kubectl-patch" >/dev/null; then
+ echo "Failed to record Tailscale device ID"
+ exit 1
+ fi
+fi
+
echo "Waiting for tailscaled to exit"
-wait ${PID} \ No newline at end of file
+wait ${PID}
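Review bot: The PATCH body on the `--data-raw` line writes the ID into the Secret's `data` field as a plain string, but a Secret's `data` values must be base64-encoded, so the API server will reject the request (or, for an ID that happens to decode as base64, store garbage); the commit description says the ID belongs in a `tailscale.com/device-id` annotation, so the patch should target `metadata.annotations` (or `stringData` if a data key is really intended). The `curl -s` call also lacks `--fail`, so an HTTP 4xx/5xx from the API server exits 0 and the `if !` guard only ever catches transport errors, and `-s` without `-S` hides the reason when it does fail. `$DEVICE_ID` is spliced into the JSON unescaped and can be the literal `null` when `tailscale status` fails, since `jq -r` prints `null` for a missing key; building the body with `jq -n --arg` and rejecting an empty/`null` ID before the PATCH covers both. Whether `set -e` protects the `$(...)` assignments here cannot be seen from the hunk, as the script's header is outside it.
```shell
if [[ -n "${TS_KUBE_SECRET}" ]]; then
  DEVICE_ID=$(tailscale --socket="${TS_SOCKET}" status --json | jq -r .Self.ID)
  # jq -r prints "null" for a missing key; do not record that as an ID.
  if [[ -z "$DEVICE_ID" || "$DEVICE_ID" == "null" ]]; then
    echo "Could not determine Tailscale device ID"
    exit 1
  fi
  echo "Device ID is $DEVICE_ID"
  # … unchanged: NS and TOKEN reads …
  # Annotations take plain strings (Secret .data would need base64); jq JSON-escapes the ID.
  PATCH=$(jq -cn --arg id "$DEVICE_ID" '{metadata:{annotations:{"tailscale.com/device-id":$id}}}')
  # --fail makes 4xx/5xx exit non-zero so the guard sees API errors; -S still prints the reason.
  if ! curl -sS --fail -X PATCH \
    # … unchanged: --cacert and the three -H header lines …
    --data-raw "$PATCH" \
    "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/api/v1/namespaces/${NS}/secrets/${TS_KUBE_SECRET}?fieldManager=kubectl-patch" >/dev/null; then
    echo "Failed to record Tailscale device ID"
    exit 1
  fi
fi
```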