cmd/k8s-operator: migrate to tailscale-client-go-v2 (#19010)
This commit modifies the kubernetes operator to use the `tailscale-client-go-v2` package instead of the internal tailscale client it was previously using. This now gives us the ability to expand out custom resources and features as they become available via the API module. The tailnet reconciler has also been modified to manage clients as tailnets are created and removed, providing each subsequent reconciler with a single `ClientProvider` that obtains a tailscale client for the respective tailnet by name, or the operator's default when presented with a blank string. Fixes: https://github.com/tailscale/corp/issues/38418 Signed-off-by: David Bond <davidsbond93@gmail.com>
This commit is contained in:
David Bond
GitHub
@@ -8,7 +8,7 @@ package main
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"os"
|
||||
"sync"
|
||||
"time"
|
||||
@@ -16,16 +16,13 @@ import (
|
||||
"go.uber.org/zap"
|
||||
"golang.org/x/oauth2"
|
||||
"golang.org/x/oauth2/clientcredentials"
|
||||
"tailscale.com/internal/client/tailscale"
|
||||
"tailscale.com/client/tailscale/v2"
|
||||
|
||||
"tailscale.com/ipn"
|
||||
"tailscale.com/tailcfg"
|
||||
)
|
||||
|
||||
// defaultTailnet is a value that can be used in Tailscale API calls instead of tailnet name to indicate that the API
|
||||
// call should be performed on the default tailnet for the provided credentials.
|
||||
const (
|
||||
defaultTailnet = "-"
|
||||
oidcJWTPath = "/var/run/secrets/tailscale/serviceaccount/token"
|
||||
oidcJWTPath = "/var/run/secrets/tailscale/serviceaccount/token"
|
||||
)
|
||||
|
||||
func newTSClient(logger *zap.SugaredLogger, clientID, clientIDPath, clientSecretPath, loginServer string) (*tailscale.Client, error) {
|
||||
@@ -34,24 +31,31 @@ func newTSClient(logger *zap.SugaredLogger, clientID, clientIDPath, clientSecret
|
||||
baseURL = loginServer
|
||||
}
|
||||
|
||||
var httpClient *http.Client
|
||||
base, err := url.Parse(baseURL)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
client := &tailscale.Client{
|
||||
UserAgent: "tailscale-k8s-operator",
|
||||
BaseURL: base,
|
||||
}
|
||||
|
||||
if clientID == "" {
|
||||
// Use static client credentials mounted to disk.
|
||||
id, err := os.ReadFile(clientIDPath)
|
||||
clientIDBytes, err := os.ReadFile(clientIDPath)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error reading client ID %q: %w", clientIDPath, err)
|
||||
}
|
||||
secret, err := os.ReadFile(clientSecretPath)
|
||||
clientSecretBytes, err := os.ReadFile(clientSecretPath)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("reading client secret %q: %w", clientSecretPath, err)
|
||||
}
|
||||
credentials := clientcredentials.Config{
|
||||
ClientID: string(id),
|
||||
ClientSecret: string(secret),
|
||||
TokenURL: fmt.Sprintf("%s%s", baseURL, "/api/v2/oauth/token"),
|
||||
|
||||
client.Auth = &tailscale.OAuth{
|
||||
ClientID: string(clientIDBytes),
|
||||
ClientSecret: string(clientSecretBytes),
|
||||
}
|
||||
tokenSrc := credentials.TokenSource(context.Background())
|
||||
httpClient = oauth2.NewClient(context.Background(), tokenSrc)
|
||||
} else {
|
||||
// Use workload identity federation.
|
||||
tokenSrc := &jwtTokenSource{
|
||||
@@ -62,34 +66,21 @@ func newTSClient(logger *zap.SugaredLogger, clientID, clientIDPath, clientSecret
|
||||
TokenURL: fmt.Sprintf("%s%s", baseURL, "/api/v2/oauth/token-exchange"),
|
||||
},
|
||||
}
|
||||
httpClient = &http.Client{
|
||||
Transport: &oauth2.Transport{
|
||||
Source: tokenSrc,
|
||||
|
||||
client.Auth = &tailscale.IdentityFederation{
|
||||
ClientID: clientID,
|
||||
IDTokenFunc: func() (string, error) {
|
||||
token, err := tokenSrc.Token()
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
return token.AccessToken, nil
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
c := tailscale.NewClient(defaultTailnet, nil)
|
||||
c.UserAgent = "tailscale-k8s-operator"
|
||||
c.HTTPClient = httpClient
|
||||
if loginServer != "" {
|
||||
c.BaseURL = loginServer
|
||||
}
|
||||
return c, nil
|
||||
}
|
||||
|
||||
type tsClient interface {
|
||||
CreateKey(ctx context.Context, caps tailscale.KeyCapabilities) (string, *tailscale.Key, error)
|
||||
Device(ctx context.Context, deviceID string, fields *tailscale.DeviceFieldsOpts) (*tailscale.Device, error)
|
||||
DeleteDevice(ctx context.Context, nodeStableID string) error
|
||||
// GetVIPService is a method for getting a Tailscale Service. VIPService is the original name for Tailscale Service.
|
||||
GetVIPService(ctx context.Context, name tailcfg.ServiceName) (*tailscale.VIPService, error)
|
||||
// ListVIPServices is a method for listing all Tailscale Services. VIPService is the original name for Tailscale Service.
|
||||
ListVIPServices(ctx context.Context) (*tailscale.VIPServiceList, error)
|
||||
// CreateOrUpdateVIPService is a method for creating or updating a Tailscale Service.
|
||||
CreateOrUpdateVIPService(ctx context.Context, svc *tailscale.VIPService) error
|
||||
// DeleteVIPService is a method for deleting a Tailscale Service.
|
||||
DeleteVIPService(ctx context.Context, name tailcfg.ServiceName) error
|
||||
return client, nil
|
||||
}
|
||||
|
||||
// jwtTokenSource implements the [oauth2.TokenSource] interface, but with the
|
||||
|
||||
Reference in New Issue
Block a user