kube/certs: discover TLS domains from TCP TerminateTLS handlers (#19020)

After #18179 switched to L4 TCPForward, EnsureCertLoops found no
domains since it only checked service.Web entries. Certs were never
provisioned, leaving kube-apiserver ProxyGroups stuck at 0/N ready.

Fixes #19019

Signed-off-by: Raj Singh <raj@tailscale.com>
This commit is contained in:
Raj Singh
2026-03-17 12:35:39 -05:00
committed by GitHub
parent b3c6184f9f
commit a565833998
2 changed files with 45 additions and 0 deletions
+7
View File
@@ -53,6 +53,7 @@ func (cm *CertManager) EnsureCertLoops(ctx context.Context, sc *ipn.ServeConfig)
currentDomains := make(map[string]bool)
const httpsPort = "443"
for _, service := range sc.Services {
// L7 Web handlers (HA Ingress).
for hostPort := range service.Web {
domain, port, err := net.SplitHostPort(string(hostPort))
if err != nil {
@@ -63,6 +64,12 @@ func (cm *CertManager) EnsureCertLoops(ctx context.Context, sc *ipn.ServeConfig)
}
currentDomains[domain] = true
}
// L4 TCP handlers with TLS termination (kube-apiserver proxy).
for _, handler := range service.TCP {
if handler != nil && handler.TerminateTLS != "" {
currentDomains[handler.TerminateTLS] = true
}
}
}
cm.mu.Lock()
defer cm.mu.Unlock()