From c9a032c6ecc0d1aa74fb2e00a45b2b08cca4a639 Mon Sep 17 00:00:00 2001
From: Marcus Noble
Date: Sat, 30 Mar 2024 16:33:28 +0000
Subject: [PATCH] Attempt to use new tailscale proxy for non-auth ingress

Signed-off-by: Marcus Noble
---
 manifests/auth-proxy/internal-proxy.yaml | 20 +++++++-
 manifests/auth-proxy/non-auth-proxy.yaml | 65 ++----------------------
 2 files changed, 22 insertions(+), 63 deletions(-)

diff --git a/manifests/auth-proxy/internal-proxy.yaml b/manifests/auth-proxy/internal-proxy.yaml
index 27beaa0..96044fb 100644
--- a/manifests/auth-proxy/internal-proxy.yaml
+++ b/manifests/auth-proxy/internal-proxy.yaml
@@ -13,7 +13,8 @@ data:
 "loki.auth-proxy.svc": "loki-write.cluster.local",
 "loki.auth-proxy.svc:80": "loki-write.cluster.local",
 "loki-distributed.auth-proxy.svc": "loki-loki.cluster.local",
- "loki-distributed.auth-proxy.svc:80": "loki-loki.cluster.local"
+ "loki-distributed.auth-proxy.svc:80": "loki-loki.cluster.local",
+ "hello-world.cluster.fun": "hello-world.cluster.fun"
 }
 ---
 apiVersion: apps/v1
@@ -72,6 +73,23 @@ spec:
 ---
 apiVersion: v1
 kind: Service
+metadata:
+ name: tailscale-proxy
+ namespace: auth-proxy
+ labels:
+ app: internal-proxy
+spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app: internal-proxy
+ type: ClusterIP
+---
+apiVersion: v1
+kind: Service
 metadata:
 name: tekton-el
 namespace: auth-proxy
diff --git a/manifests/auth-proxy/non-auth-proxy.yaml b/manifests/auth-proxy/non-auth-proxy.yaml
index 8f2e58b..2a5a083 100644
--- a/manifests/auth-proxy/non-auth-proxy.yaml
+++ b/manifests/auth-proxy/non-auth-proxy.yaml
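Review bot: The added entry `"hello-world.cluster.fun": "hello-world.cluster.fun"` maps the host to itself, unlike every other entry in this map which rewrites a `*.auth-proxy.svc` name to a `cluster.local` target, so a reader cannot tell whether it is a placeholder or a deliberate pass-through that relies on the proxy's own resolver (presumably Tailscale DNS, going by the commit title). A short comment settling that would help, e.g. `# pass-through: name is resolved by the Tailscale proxy, not rewritten` on the key line, or above the ConfigMap if the value is a JSON block scalar that cannot carry YAML comments. The enclosing `data:` key starts above the hunk.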
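Review bot: The new `tailscale-proxy` Service selects `app: internal-proxy`, so the non-auth Ingress that targets it in this commit now lands on the same pods that proxy `loki.auth-proxy.svc` and the other cluster-local targets listed in this file's ConfigMap, which appears to be the first route from the non-auth ingress into that deployment. Confirm the proxy picks its upstream strictly by the exact mapped Host (ingress-nginx passes the client's Host header through by default) and ignores client-supplied override headers; otherwise those internal targets become reachable via this Service. The Service is named tailscale but labelled and selected as internal-proxy, which will mislead anyone grepping for it; a comment above `metadata:` such as `# Backed by the internal-proxy pods; separate Service so the non-auth Ingress can target it` would help. `targetPort: 8080` is asserted here but the Deployment's containerPort is outside the hunk, so check it matches. The Service object is complete within the hunk.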
@@ -108,43 +108,6 @@ spec:
 memory: 50Mi
 requests:
 memory: 50Mi
- - name: tailscale
- image: ghcr.io/tailscale/tailscale:v1.62
- imagePullPolicy: Always
- tty: true
- env:
- - name: TS_AUTH_KEY
- valueFrom:
- secretKeyRef:
- name: tailscale-auth
- key: password
- - name: TS_KUBE_SECRET
- value: tailscale-non-auth-proxy
- - name: TS_ACCEPT_DNS
- value: "true"
- - name: TS_EXTRA_ARGS
- value: "--hostname=non-auth-proxy"
- securityContext:
- capabilities:
- add:
- - NET_ADMIN
- command:
- sh
- -c
- |
- export PATH=$PATH:/tailscale/bin
- if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi
- if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi
- echo "Starting tailscaled"
- tailscaled --state=kube:${TS_KUBE_SECRET} --socket=/tmp/tailscaled.sock &
- PID=$!
- echo "Running tailscale up"
- tailscale --socket=/tmp/tailscaled.sock up \
- --accept-dns=${TS_ACCEPT_DNS} \
- --authkey=${TS_AUTH_KEY} \
- ${TS_EXTRA_ARGS}
- echo "Re-enabling incoming traffic from the cluster"
- wait ${PID}
 ---
 apiVersion: v1
 kind: Service
@@ -176,38 +139,16 @@ spec:
 ingressClassName: nginx
 tls:
 - hosts:
- # - home.cluster.fun
- - tasks.cluster.fun
- - api.tasks.cluster.fun
+ - hello-world.cluster.fun
 secretName: non-auth-proxy-ingress
 rules:
- # - host: home.cluster.fun
- # http:
- # paths:
- # - path: /
- # pathType: ImplementationSpecific
- # backend:
- # service:
- # name: non-auth-proxy
- # port:
- # name: http
- - host: tasks.cluster.fun
+ - host: hello-world.cluster.fun
 http:
 paths:
 - path: /
 pathType: ImplementationSpecific
 backend:
 service:
- name: non-auth-proxy
- port:
- name: http
- - host: api.tasks.cluster.fun
- http:
- paths:
- - path: /
- pathType: ImplementationSpecific
- backend:
- service:
- name: non-auth-proxy
+ name: tailscale-proxy
 port:
 name: http
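Review bot: The Ingress hunk removes `tasks.cluster.fun` and `api.tasks.cluster.fun` from both `tls.hosts` and `rules` instead of adding `hello-world.cluster.fun` beside them, so those two names lose their ingress entirely with this commit; if that is not the intent, keep the old `- host:` entries and their `tls.hosts` lines and add the new one. The new backend `tailscale-proxy` is created in the `auth-proxy` namespace in internal-proxy.yaml and an Ingress can only reference a Service in its own namespace, and since the Ingress metadata is outside the hunk, confirm this Ingress lives in `auth-proxy`. `secretName: non-auth-proxy-ingress` is kept while the host list changes, so unless that certificate is issued automatically for the listed hosts it will not cover the new name. After this change nothing in the hunk references the `non-auth-proxy` Service any more, and the sidecar removed in the first hunk leaves the `tailscale-auth` and `tailscale-non-auth-proxy` Secrets (and any RBAC that let the pod write the state secret) unreferenced here, so they are candidates for cleanup if not used elsewhere. The Ingress `spec` starts before the hunk.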