summaryrefslogtreecommitdiffhomepage
path: root/cmd/k8s-operator/proxygroup_test.go
diff options
context:
space:
mode:
Diffstat (limited to 'cmd/k8s-operator/proxygroup_test.go')
-rw-r--r--cmd/k8s-operator/proxygroup_test.go76
1 files changed, 74 insertions, 2 deletions
diff --git a/cmd/k8s-operator/proxygroup_test.go b/cmd/k8s-operator/proxygroup_test.go
index 29100de1d..1f1a39ab0 100644
--- a/cmd/k8s-operator/proxygroup_test.go
+++ b/cmd/k8s-operator/proxygroup_test.go
@@ -24,6 +24,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/client/fake"
"tailscale.com/client/tailscale"
+ "tailscale.com/ipn"
tsoperator "tailscale.com/k8s-operator"
tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
"tailscale.com/kube/kubetypes"
@@ -246,7 +247,6 @@ func TestProxyGroup(t *testing.T) {
// The fake client does not clean up objects whose owner has been
// deleted, so we can't test for the owned resources getting deleted.
})
-
}
func TestProxyGroupTypes(t *testing.T) {
@@ -416,6 +416,7 @@ func TestProxyGroupTypes(t *testing.T) {
}
verifyEnvVar(t, sts, "TS_INTERNAL_APP", kubetypes.AppProxyGroupIngress)
verifyEnvVar(t, sts, "TS_SERVE_CONFIG", "/etc/proxies/serve-config.json")
+ verifyEnvVar(t, sts, "TS_EXPERIMENTAL_CERT_SHARE", "true")
// Verify ConfigMap volume mount
cmName := fmt.Sprintf("%s-ingress-config", pg.Name)
@@ -446,6 +447,77 @@ func TestProxyGroupTypes(t *testing.T) {
})
}
+func TestIngressAdvertiseServicesConfigPreserved(t *testing.T) {
+ fc := fake.NewClientBuilder().
+ WithScheme(tsapi.GlobalScheme).
+ Build()
+ reconciler := &ProxyGroupReconciler{
+ tsNamespace: tsNamespace,
+ proxyImage: testProxyImage,
+ Client: fc,
+ l: zap.Must(zap.NewDevelopment()).Sugar(),
+ tsClient: &fakeTSClient{},
+ clock: tstest.NewClock(tstest.ClockOpts{}),
+ }
+
+ existingServices := []string{"svc1", "svc2"}
+ existingConfigBytes, err := json.Marshal(ipn.ConfigVAlpha{
+ AdvertiseServices: existingServices,
+ Version: "should-get-overwritten",
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ const pgName = "test-ingress"
+ mustCreate(t, fc, &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: pgConfigSecretName(pgName, 0),
+ Namespace: tsNamespace,
+ },
+ Data: map[string][]byte{
+ tsoperator.TailscaledConfigFileName(106): existingConfigBytes,
+ },
+ })
+
+ mustCreate(t, fc, &tsapi.ProxyGroup{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: pgName,
+ UID: "test-ingress-uid",
+ },
+ Spec: tsapi.ProxyGroupSpec{
+ Type: tsapi.ProxyGroupTypeIngress,
+ Replicas: ptr.To[int32](1),
+ },
+ })
+ expectReconciled(t, reconciler, "", pgName)
+
+ expectedConfigBytes, err := json.Marshal(ipn.ConfigVAlpha{
+ // Preserved.
+ AdvertiseServices: existingServices,
+
+ // Everything else got updated in the reconcile:
+ Version: "alpha0",
+ AcceptDNS: "false",
+ AcceptRoutes: "false",
+ Locked: "false",
+ Hostname: ptr.To(fmt.Sprintf("%s-%d", pgName, 0)),
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+ expectEqual(t, fc, &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: pgConfigSecretName(pgName, 0),
+ Namespace: tsNamespace,
+ ResourceVersion: "2",
+ },
+ Data: map[string][]byte{
+ tsoperator.TailscaledConfigFileName(106): expectedConfigBytes,
+ },
+ })
+}
+
func verifyProxyGroupCounts(t *testing.T, r *ProxyGroupReconciler, wantIngress, wantEgress int) {
t.Helper()
if r.ingressProxyGroups.Len() != wantIngress {
@@ -501,7 +573,7 @@ func expectProxyGroupResources(t *testing.T, fc client.WithWatch, pg *tsapi.Prox
for i := range pgReplicas(pg) {
expectedSecrets = append(expectedSecrets,
fmt.Sprintf("%s-%d", pg.Name, i),
- fmt.Sprintf("%s-%d-config", pg.Name, i),
+ pgConfigSecretName(pg.Name, i),
)
}
}
Copyright © 2025 - 2026 Wayne Cole. WTFPL. Attribution appreciated. No warranty. Not liable for bodily damages.