From 5b5141f1d184a521da9dd1dea26f17c2d15da76f Mon Sep 17 00:00:00 2001
From: Sebastian Nickel
Date: Tue, 17 Dec 2024 15:06:41 +0100
Subject: [PATCH 1/2] revert DNSconfig change

---
 .../deploy/chart/templates/dns-config.yaml | 13 -------------
 cmd/k8s-operator/deploy/chart/values.yaml | 12 ------------
 2 files changed, 25 deletions(-)
 delete mode 100644 cmd/k8s-operator/deploy/chart/templates/dns-config.yaml

diff --git a/cmd/k8s-operator/deploy/chart/templates/dns-config.yaml b/cmd/k8s-operator/deploy/chart/templates/dns-config.yaml
deleted file mode 100644
index e74948062505a..0000000000000
--- a/cmd/k8s-operator/deploy/chart/templates/dns-config.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{ if .Values.dnsConfig.enabled }}
-apiVersion: tailscale.com/v1alpha1
-kind: DNSConfig
-metadata:
- name: dnsconfig
- namespace: {{ .Release.Namespace }}
-spec:
- domain: {{ .Values.dnsConfig.domain | quote }}
- nameserver:
- image:
- repo: {{ .Values.dnsConfig.image.repo | quote }}
- tag: {{ .Values.dnsConfig.image.tag | default .Chart.AppVersion }}
-{{ end }}
diff --git a/cmd/k8s-operator/deploy/chart/values.yaml b/cmd/k8s-operator/deploy/chart/values.yaml
index 4cfbdee2dab6a..e6f4cada44de7 100644
--- a/cmd/k8s-operator/deploy/chart/values.yaml
+++ b/cmd/k8s-operator/deploy/chart/values.yaml
@@ -90,15 +90,3 @@ apiServerProxyConfig:
 mode: "false" # "true", "false", "noauth"

 imagePullSecrets: []
-
-# dnsConfig allows to deploy the k8s-nameserver which allows to use magicDNS
-# names.
-dnsConfig:
- enabled: false
- image:
- repo: "tailscale/k8s-nameserver"
- ## tag can be used to overwrite the tag of the container image to be used.
- ## By default the appVersion will be used.
- tag: ""
- ## domain allows to customize the magicDNS domain.
- domain: "ts.net"
From 38f58ea5d2d4a926d73fe7bf9a8946f853d95765 Mon Sep 17 00:00:00 2001
From: Sebastian Nickel
Date: Tue, 17 Dec 2024 15:25:25 +0100
Subject: [PATCH 2/2] allow to attach labels to the nameserver pod

---
 .../deploy/crds/tailscale.com_dnsconfigs.yaml | 7 +++++++
 cmd/k8s-operator/deploy/manifests/operator.yaml | 7 +++++++
 cmd/k8s-operator/nameserver.go | 13 +++++++++++--
 k8s-operator/api.md | 1 +
 k8s-operator/apis/v1alpha1/types_tsdnsconfig.go | 4 ++++
 k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go | 7 +++++++
 6 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml b/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml
index fd6093b00d8a3..aa4a32d6b1dda 100644
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml
@@ -103,6 +103,13 @@ spec:
 tag:
 description: Tag defaults to unstable.
 type: string
+ podLabels:
+ description: |-
+ PodLabels are the labels which will be attached to the nameserver
+ pod. They can be used to define network policies.
+ type: object
+ additionalProperties:
+ type: string
 status:
 description: |-
 Status describes the status of the DNSConfig. This is set
diff --git a/cmd/k8s-operator/deploy/manifests/operator.yaml b/cmd/k8s-operator/deploy/manifests/operator.yaml
index 9777d328502ed..7d86072d07594 100644
--- a/cmd/k8s-operator/deploy/manifests/operator.yaml
+++ b/cmd/k8s-operator/deploy/manifests/operator.yaml
@@ -348,6 +348,13 @@ spec:
 type: string
 type: object
 type: object
+ podLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ PodLabels are the labels which will be attached to the nameserver
+ pod. They can be used to define network policies.
+ type: object
 required:
 - nameserver
 type: object
diff --git a/cmd/k8s-operator/nameserver.go b/cmd/k8s-operator/nameserver.go
index 02f5912a15e4e..5c8ea1e439424 100644
--- a/cmd/k8s-operator/nameserver.go
+++ b/cmd/k8s-operator/nameserver.go
@@ -163,11 +163,12 @@ func nameserverResourceLabels(name, namespace string) map[string]string {
 }

 func (a *NameserverReconciler) maybeProvision(ctx context.Context, tsDNSCfg *tsapi.DNSConfig, logger *zap.SugaredLogger) error {
- labels := nameserverResourceLabels(tsDNSCfg.Name, a.tsNamespace)
+ resourceLabels := nameserverResourceLabels(tsDNSCfg.Name, a.tsNamespace)
 dCfg := &deployConfig{
 ownerRefs: []metav1.OwnerReference{*metav1.NewControllerRef(tsDNSCfg, tsapi.SchemeGroupVersion.WithKind("DNSConfig"))},
 namespace: a.tsNamespace,
- labels: labels,
+ labels: resourceLabels,
+ podLabels: tsDNSCfg.Spec.PodLabels,
 imageRepo: defaultNameserverImageRepo,
 imageTag: defaultNameserverImageTag,
 }
@@ -208,6 +209,7 @@ type deployConfig struct {
 imageRepo string
 imageTag string
 labels map[string]string
+ podLabels map[string]string
 ownerRefs []metav1.OwnerReference
 namespace string
 domain string
@@ -237,6 +239,13 @@ var (
 d.ObjectMeta.Namespace = cfg.namespace
 d.ObjectMeta.Labels = cfg.labels
 d.ObjectMeta.OwnerReferences = cfg.ownerRefs
+ if d.Spec.Template.Labels == nil {
+ d.Spec.Template.Labels = make(map[string]string)
+ }
+ for key, value := range cfg.podLabels {
+ d.Spec.Template.Labels[key] = value
+ }
+
 updateF := func(oldD *appsv1.Deployment) {
 oldD.Spec = d.Spec
 }
diff --git a/k8s-operator/api.md b/k8s-operator/api.md
index 913d5b9bf9fe4..80f1fd7a959aa 100644
--- a/k8s-operator/api.md
+++ b/k8s-operator/api.md
@@ -212,6 +212,7 @@ _Appears in:_
 | --- | --- | --- | --- |
 | `nameserver` _[Nameserver](#nameserver)_ | Configuration for a nameserver that can resolve ts.net DNS names
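Review bot: In the `@@ -237,6 +239,13 @@` hunk the `for key, value := range cfg.podLabels` loop runs after the pod template's own labels are in place, so any key a DNSConfig author chooses that matches a label the operator already put on `d.Spec.Template.Labels` (whatever the embedded manifest sets; not visible here) silently overrides it, and nothing in the hunk reports the collision. If such a label is the one matched by the Deployment's immutable `spec.selector` or by the nameserver Service, the `oldD.Spec = d.Spec` update in `updateF` will be rejected by the API server on every reconcile, or the Service will stop selecting the pod. I would refuse to let user input win over operator-managed keys, e.g. inside the loop `if _, managed := d.Spec.Template.Labels[key]; managed { return fmt.Errorf("podLabels: key %q collides with an operator-managed label", key) }` (assuming the enclosing function returns an error; its header and return are outside the hunk), or apply `cfg.podLabels` first and re-apply the operator-owned labels on top. The new `podLabels` field in `deployConfig` (second hunk) also deserves a one-line comment such as `// podLabels are user-supplied from DNSConfig.Spec.PodLabels and are applied to the pod template only, not to the Deployment object itself.` so the difference from `labels` is explicit.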
associated with in-cluster proxies for Tailscale egress Services and
Tailscale Ingresses. The operator will always deploy this nameserver
when a DNSConfig is applied. | | | | `domain` _string_ | Domain is the domain for which DNS entries will be resolved. If left
empty, the default of the k8s-nameserver will be used. | | | +| `podLabels` _object (keys:string, values:string)_ | PodLabels are the labels which will be attached to the nameserver
pod. They can be used to define network policies. | | |


 #### DNSConfigStatus
diff --git a/k8s-operator/apis/v1alpha1/types_tsdnsconfig.go b/k8s-operator/apis/v1alpha1/types_tsdnsconfig.go
index d58214511b7d7..03e4ef957080e 100644
--- a/k8s-operator/apis/v1alpha1/types_tsdnsconfig.go
+++ b/k8s-operator/apis/v1alpha1/types_tsdnsconfig.go
@@ -79,6 +79,10 @@ type DNSConfigSpec struct {
 // empty, the default of the k8s-nameserver will be used.
 // +optional
 Domain string `json:"domain"`
+ // PodLabels are the labels which will be attached to the nameserver
+ // pod. They can be used to define network policies.
+ // +optional
+ PodLabels map[string]string `json:"podLabels,omitempty"`
 }

 type Nameserver struct {
diff --git a/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go b/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
index ba4ff40e46dd5..b861cc013a819 100644
--- a/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
+++ b/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
@@ -217,6 +217,13 @@ func (in *DNSConfigSpec) DeepCopyInto(out *DNSConfigSpec) {
 *out = new(Nameserver)
 (*in).DeepCopyInto(*out)
 }
+ if in.PodLabels != nil {
+ in, out := &in.PodLabels, &out.PodLabels
+ *out = make(map[string]string, len(*in))
+ for key, val := range *in {
+ (*out)[key] = val
+ }
+ }
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNSConfigSpec.
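Review bot: The new `PodLabels` field in `DNSConfigSpec` (the `types_tsdnsconfig.go` hunk) carries only `+optional`, so as far as this patch shows a key or value that is not valid Kubernetes label syntax is accepted on the DNSConfig itself and only fails later, when the operator applies the nameserver Deployment, where the DNSConfig author gets no direct feedback. The doc comment should at least state that contract; I would extend it with `// Keys and values must be valid Kubernetes label syntax and must not reuse label keys the operator sets on the nameserver pod; the operator does not validate them itself.` (that it is not validated is inferred from the companion nameserver.go change, which copies the map as-is, and should be confirmed against the rest of the reconciler).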