cmd/k8s-proxy: use L4 TCPForward instead of L7 HTTP proxy (#18179)

considerable latency was seen when using k8s-proxy with ProxyGroup in the kubernetes operator. Switching to L4 TCPForward solves this. Fixes tailscale#18171 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> Co-authored-by: chaosinthecrd <tom@tmlabs.co.uk>
2026-03-05 13:47:54 -05:00
parent 1b53c00f2b
commit 19e2c8c49f
3 changed files with 21 additions and 14 deletions
@@ -50,6 +50,12 @@ import (
 	"tailscale.com/tsnet"
 )

+const (
+	// proxyProtocolV2 enables PROXY protocol v2 to preserve original client
+	// connection info after TLS termination.
+	proxyProtocolV2 = 2
+)
+
 func main() {
 	encoderCfg := zap.NewProductionEncoderConfig()
 	encoderCfg.EncodeTime = zapcore.RFC3339TimeEncoder
@@ -441,24 +447,16 @@ func setServeConfig(ctx context.Context, lc *local.Client, cm *certs.CertManager
 	if err != nil {
 		return fmt.Errorf("error getting local client status: %w", err)
 	}
-	serviceHostPort := ipn.HostPort(fmt.Sprintf("%s.%s:443", name.WithoutPrefix(), status.CurrentTailnet.MagicDNSSuffix))
+	serviceSNI := fmt.Sprintf("%s.%s", name.WithoutPrefix(), status.CurrentTailnet.MagicDNSSuffix)

 	serveConfig := ipn.ServeConfig{
-		// Configure for the Service hostname.
 		Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
 			name: {
 				TCP: map[uint16]*ipn.TCPPortHandler{
 					443: {
-						HTTPS: true,
-					},
-				},
-				Web: map[ipn.HostPort]*ipn.WebServerConfig{
-					serviceHostPort: {
-						Handlers: map[string]*ipn.HTTPHandler{
-							"/": {
-								Proxy: "http://localhost:80",
-							},
-						},
+						TCPForward:    "localhost:80",
+						TerminateTLS:  serviceSNI,
+						ProxyProtocol: proxyProtocolV2,
 					},
 				},
 			},