authorIrbe Krumina <irbe@tailscale.com>2024-05-30 10:09:21 +0100
committerIrbe Krumina <irbe@tailscale.com>2024-08-15 11:19:32 +0300
commit5156ec6a3b70190875ff05708763dd9cf24ddcd5 (patch)
treed81968a65614bbb304a5a96ec155e8df2b24f60c /cmd/k8s-operator/deploy
parent436794cf7ab944d40e93f3cc81f25ec06f79bf86 (diff)
Diffstat (limited to 'cmd/k8s-operator/deploy')
-rw-r--r--cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml10
-rw-r--r--cmd/k8s-operator/deploy/chart/templates/servicerecords.yaml5
-rw-r--r--cmd/k8s-operator/deploy/crds/tailscale.com_clusterconfigs.yaml66
-rw-r--r--cmd/k8s-operator/deploy/examples/clusterconfig.yaml8
-rw-r--r--cmd/k8s-operator/deploy/examples/connector.yaml5
-rw-r--r--cmd/k8s-operator/deploy/examples/dnsconfig.yaml4
-rw-r--r--cmd/k8s-operator/deploy/manifests/nameserver/deploy.yaml6
-rw-r--r--cmd/k8s-operator/deploy/manifests/nameserver/rbac.yaml0
-rw-r--r--cmd/k8s-operator/deploy/manifests/nameserver/role.yaml11
-rw-r--r--cmd/k8s-operator/deploy/manifests/nameserver/rolebinding.yaml11
-rw-r--r--cmd/k8s-operator/deploy/manifests/nameserver/secret.yaml4
-rw-r--r--cmd/k8s-operator/deploy/manifests/operator.yaml23
-rw-r--r--cmd/k8s-operator/deploy/manifests/proxy.yaml4
13 files changed, 152 insertions, 5 deletions
diff --git a/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml b/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
index 1a1846439..54afffe05 100644
--- a/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
+++ b/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
@@ -27,6 +27,9 @@ rules:
- apiGroups: ["tailscale.com"]
resources: ["dnsconfigs", "dnsconfigs/status"]
verbs: ["get", "list", "watch", "update"]
+- apiGroups: ["tailscale.com"]
+ resources: ["clusterconfigs", "clusterconfigs/status"]
+ verbs: ["get", "list", "watch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
@@ -56,6 +59,13 @@ rules:
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ verbs:
+ - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
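Review bot: The rule added at the end of this hunk grants `verbs: ['*']` on roles and rolebindings, and the wildcard expands to include `bind` and `escalate`, which exempt the operator's service account from the RBAC escalation check and let it create or bind Roles carrying permissions it does not itself hold; enumerate what the operator actually needs instead, e.g. `verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`. The same wildcard is rendered into the third hunk of manifests/operator.yaml. If the intent is for the operator to create the nameserver Role from role.yaml, that Role's own `*` on secrets is what would trip the escalation check, so the two should be narrowed together rather than bypassed. This rule is also written in block-sequence style while the neighbouring rules use flow lists (`- apiGroups: ["discovery.k8s.io"]`), so `- apiGroups: ["rbac.authorization.k8s.io"]` would match the file.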
diff --git a/cmd/k8s-operator/deploy/chart/templates/servicerecords.yaml b/cmd/k8s-operator/deploy/chart/templates/servicerecords.yaml
new file mode 100644
index 000000000..f88797e9e
--- /dev/null
+++ b/cmd/k8s-operator/deploy/chart/templates/servicerecords.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+data:
+kind: ConfigMap
+metadata:
+ name: servicerecords \ No newline at end of file
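Review bot: `data:` on the second line of the new template has no value and so parses as null rather than an empty map; write `data: {}` if an empty ConfigMap is intended, which is also what the rendered copy in manifests/operator.yaml currently shows as `data: null`. The template sets no `namespace:`, and the rendered ConfigMap in operator.yaml likewise has none while its neighbour there carries `namespace: tailscale`, so anyone applying the static manifest gets the ConfigMap in whatever namespace their context points at; if the chart's other templates pin `{{ .Release.Namespace }}` this one presumably should too. The file also lacks a trailing newline.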
diff --git a/cmd/k8s-operator/deploy/crds/tailscale.com_clusterconfigs.yaml b/cmd/k8s-operator/deploy/crds/tailscale.com_clusterconfigs.yaml
new file mode 100644
index 000000000..318238094
--- /dev/null
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_clusterconfigs.yaml
@@ -0,0 +1,66 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.13.0
+ name: clusterconfigs.tailscale.com
+spec:
+ group: tailscale.com
+ names:
+ kind: ClusterConfig
+ listKind: ClusterConfigList
+ plural: clusterconfigs
+ singular: clusterconfig
+ scope: Cluster
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ type: object
+ required:
+ - spec
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: 'More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+ type: object
+ required:
+ - domain
+ properties:
+ domain:
+ description: like 'foo.tailbd97a.ts.net' for services like 'my-svc.foo.tailbd97a.ts.net'. Or, should be just 'foo'?
+ type: string
+ status:
+ description: ClusterConfigStatus describes the status of the ClusterConfig. This is set and managed by the Tailscale operator.
+ type: object
+ required:
+ - proxyNodes
+ properties:
+ proxyNodes:
+ type: array
+ items:
+ type: object
+ required:
+ - magicDNSName
+ - serviceCIDR
+ - tailnetIPs
+ properties:
+ magicDNSName:
+ type: string
+ serviceCIDR:
+ type: string
+ tailnetIPs:
+ type: array
+ items:
+ type: string
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/cmd/k8s-operator/deploy/examples/clusterconfig.yaml b/cmd/k8s-operator/deploy/examples/clusterconfig.yaml
new file mode 100644
index 000000000..33b760514
--- /dev/null
+++ b/cmd/k8s-operator/deploy/examples/clusterconfig.yaml
@@ -0,0 +1,8 @@
+# It would be nice if users didn't need to apply this separately, but not sure
+# how to integrate this into the chart (post-render hook?)
+apiVersion: tailscale.com/v1alpha1
+kind: ClusterConfig
+metadata:
+ name: proxies
+spec:
+ domain: "foo.bar." # must have the dot at the moment
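Review bot: The inline comment `# must have the dot at the moment` documents a constraint that nothing in the schema enforces: `spec.domain` in tailscale.com_clusterconfigs.yaml is a bare `type: string`, so a value without the trailing dot is accepted at admission and only fails later, if at all. If the trailing dot is a real requirement, a `+kubebuilder:validation:Pattern` marker on the Go type (the CRD is controller-gen output) would reject it up front, and the `domain` description there still reads as an open question (`Or, should be just 'foo'?`), which users will see in `kubectl explain`. The header comment about not knowing how to integrate this into the chart is a design note rather than user guidance and would sit better in the PR description.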
diff --git a/cmd/k8s-operator/deploy/examples/connector.yaml b/cmd/k8s-operator/deploy/examples/connector.yaml
index d29f27cf5..6a16469b7 100644
--- a/cmd/k8s-operator/deploy/examples/connector.yaml
+++ b/cmd/k8s-operator/deploy/examples/connector.yaml
@@ -14,6 +14,5 @@ spec:
hostname: ts-prod
subnetRouter:
advertiseRoutes:
- - "10.40.0.0/14"
- - "192.168.0.0/14"
- exitNode: true
+ - "10.0.0.0/8"
+ exitNode: false
diff --git a/cmd/k8s-operator/deploy/examples/dnsconfig.yaml b/cmd/k8s-operator/deploy/examples/dnsconfig.yaml
index eae6486db..3416ef0f0 100644
--- a/cmd/k8s-operator/deploy/examples/dnsconfig.yaml
+++ b/cmd/k8s-operator/deploy/examples/dnsconfig.yaml
@@ -5,5 +5,5 @@ metadata:
spec:
nameserver:
image:
- repo: tailscale/k8s-nameserver
- tag: unstable-v1.65
+ repo: gcr.io/csi-test-290908/nameserver
+ tag: v0.0.23proxycidr
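Review bot: The example now pulls `gcr.io/csi-test-290908/nameserver` at tag `v0.0.23proxycidr`, which looks like a personal test project and a dev build rather than the published `tailscale/k8s-nameserver` image it replaces; an example manifest that pulls from an unrelated registry is a supply-chain hazard for anyone who copies it. Presumably this is a branch-only change for testing the proxy-CIDR work, but it should be reverted to the official repo, with the tag pinned to a released version, before merge.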
diff --git a/cmd/k8s-operator/deploy/manifests/nameserver/deploy.yaml b/cmd/k8s-operator/deploy/manifests/nameserver/deploy.yaml
index c3a16e03e..8251f8711 100644
--- a/cmd/k8s-operator/deploy/manifests/nameserver/deploy.yaml
+++ b/cmd/k8s-operator/deploy/manifests/nameserver/deploy.yaml
@@ -28,6 +28,12 @@ spec:
volumeMounts:
- name: dnsrecords
mountPath: /config
+ env:
+ - name: TS_AUTHKEY
+ valueFrom:
+ secretKeyRef:
+ name: nameserver-key
+ key: ts_auth_key
restartPolicy: Always
serviceAccount: nameserver
serviceAccountName: nameserver
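Review bot: The added `TS_AUTHKEY` env reads key `ts_auth_key` from Secret `nameserver-key`, but the Secret created by nameserver/secret.yaml in this same commit has no `data` or `stringData`, so unless something populates the key before the pod starts the kubelet will fail container creation (a `secretKeyRef` without `optional: true` is a hard dependency). If the operator writes the key at runtime, say so in the manifest, e.g. `# key is written by the operator before this Deployment is created — TODO confirm`; otherwise add `optional: true` or seed the key. Since this hands the nameserver a node auth key, it is worth confirming the key is tagged and single-use, though that is not visible here.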
diff --git a/cmd/k8s-operator/deploy/manifests/nameserver/rbac.yaml b/cmd/k8s-operator/deploy/manifests/nameserver/rbac.yaml
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/cmd/k8s-operator/deploy/manifests/nameserver/rbac.yaml
diff --git a/cmd/k8s-operator/deploy/manifests/nameserver/role.yaml b/cmd/k8s-operator/deploy/manifests/nameserver/role.yaml
new file mode 100644
index 000000000..27e18e3a3
--- /dev/null
+++ b/cmd/k8s-operator/deploy/manifests/nameserver/role.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: nameserver
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - '*' \ No newline at end of file
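Review bot: The Role grants `verbs: ['*']` on every Secret in the namespace to the nameserver service account, while the Deployment only consumes one key from `nameserver-key`; least privilege would be `verbs: ["get"]` with `resourceNames: ["nameserver-key"]`, or whatever narrow set the nameserver binary actually calls, since a wildcard here means a compromised nameserver pod can read or overwrite every Secret in the namespace. Note that a `secretKeyRef` env var is resolved by the kubelet and needs no RBAC on the pod's service account, so if the nameserver does not talk to the API itself this Role may not be needed at all. The sibling nameserver/rbac.yaml added in this commit is an empty file (blob e69de29bb), which looks like a leftover.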
diff --git a/cmd/k8s-operator/deploy/manifests/nameserver/rolebinding.yaml b/cmd/k8s-operator/deploy/manifests/nameserver/rolebinding.yaml
new file mode 100644
index 000000000..ce28d5c5c
--- /dev/null
+++ b/cmd/k8s-operator/deploy/manifests/nameserver/rolebinding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: nameserver
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: nameserver
+subjects:
+- kind: ServiceAccount
+ name: nameserver \ No newline at end of file
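Review bot: The ServiceAccount subject gives `name: nameserver` with no `namespace:`; the RBAC authorizer treats an empty ServiceAccount namespace on a RoleBinding as the binding's own namespace, so this resolves, but an explicit `namespace:` avoids surprising anyone who later lifts the subject into a ClusterRoleBinding, where it is required. None of the Role, RoleBinding or Secret added in this commit carries a `metadata.namespace`, so they rely entirely on the namespace chosen at apply time; presumably the operator applies them into its own namespace, and a one-line comment stating that would remove the guesswork.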
diff --git a/cmd/k8s-operator/deploy/manifests/nameserver/secret.yaml b/cmd/k8s-operator/deploy/manifests/nameserver/secret.yaml
new file mode 100644
index 000000000..6cd554fa4
--- /dev/null
+++ b/cmd/k8s-operator/deploy/manifests/nameserver/secret.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: nameserver-key \ No newline at end of file
diff --git a/cmd/k8s-operator/deploy/manifests/operator.yaml b/cmd/k8s-operator/deploy/manifests/operator.yaml
index 78553542f..dfbaeb4a6 100644
--- a/cmd/k8s-operator/deploy/manifests/operator.yaml
+++ b/cmd/k8s-operator/deploy/manifests/operator.yaml
@@ -27,6 +27,12 @@ metadata:
name: proxies
namespace: tailscale
---
+apiVersion: v1
+data: null
+kind: ConfigMap
+metadata:
+ name: servicerecords
+---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
@@ -1359,6 +1365,16 @@ rules:
- list
- watch
- update
+ - apiGroups:
+ - tailscale.com
+ resources:
+ - clusterconfigs
+ - clusterconfigs/status
+ verbs:
+ - get
+ - list
+ - watch
+ - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
@@ -1402,6 +1418,13 @@ rules:
- get
- list
- watch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ verbs:
+ - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
diff --git a/cmd/k8s-operator/deploy/manifests/proxy.yaml b/cmd/k8s-operator/deploy/manifests/proxy.yaml
index a79d48d73..383f0d77a 100644
--- a/cmd/k8s-operator/deploy/manifests/proxy.yaml
+++ b/cmd/k8s-operator/deploy/manifests/proxy.yaml
@@ -26,6 +26,10 @@ spec:
env:
- name: TS_USERSPACE
value: "false"
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
- name: POD_IP
valueFrom:
fieldRef: