Attempt to use new tailscale proxy for non-auth ingress

Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
Marcus Noble 2024-03-30 16:33:28 +00:00
parent e825fe3283
commit c9a032c6ec
Signed by: AverageMarcus
GPG Key ID: B8F2DB8A7AEBAF78
2 changed files with 22 additions and 63 deletions

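--- a/PATH-NOT-SHOWN-FILE-1
+++ b/PATH-NOT-SHOWN-FILE-1
@@ -13,7 +13,8 @@ data:
 "loki.auth-proxy.svc": "loki-write.cluster.local",
 "loki.auth-proxy.svc:80": "loki-write.cluster.local",
 "loki-distributed.auth-proxy.svc": "loki-loki.cluster.local",
-"loki-distributed.auth-proxy.svc:80": "loki-loki.cluster.local"
+"loki-distributed.auth-proxy.svc:80": "loki-loki.cluster.local",
+"hello-world.cluster.fun": "hello-world.cluster.fun"
 }
 ---
 apiVersion: apps/v1
@@ -72,6 +73,23 @@ spec:
 ---
 apiVersion: v1
 kind: Service
+metadata:
+name: tailscale-proxy
+namespace: auth-proxy
+labels:
+app: internal-proxy
+spec:
+ports:
+- name: http
+port: 80
+protocol: TCP
+targetPort: 8080
+selector:
+app: internal-proxy
+type: ClusterIP
+---
+apiVersion: v1
+kind: Service
 metadata:
 name: tekton-el
 namespace: auth-proxy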
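Review bot: The new `"hello-world.cluster.fun": "hello-world.cluster.fun"` entry is the only one in the hosts map whose upstream is the same name as the incoming host, whereas the loki entries point at a distinct in-cluster service; if the proxy resolves that upstream through ordinary cluster DNS it would route straight back to the public ingress, so presumably it is meant to resolve over the tailnet — confirm, and record it with a comment such as `# upstream resolves via the tailnet, not the public ingress`. The `tailscale-proxy` Service selects `app: internal-proxy`, but no workload carrying that label appears in this commit, so the Service has no endpoints until one exists elsewhere; a comment naming the backing Deployment would make that dependency visible. Because this is the unauthenticated ingress path, the hosts map is effectively the allowlist of what can be reached through the proxy, so it is worth stating next to it that hosts absent from the map are rejected rather than forwarded, if that is indeed the proxy's behaviour. The enclosing ConfigMap and the Service definitions begin outside this section.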

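--- a/PATH-NOT-SHOWN-FILE-2
+++ b/PATH-NOT-SHOWN-FILE-2
@@ -108,43 +108,6 @@ spec:
 memory: 50Mi
 requests:
 memory: 50Mi
-- name: tailscale
-image: ghcr.io/tailscale/tailscale:v1.62
-imagePullPolicy: Always
-tty: true
-env:
-- name: TS_AUTH_KEY
-valueFrom:
-secretKeyRef:
-name: tailscale-auth
-key: password
-- name: TS_KUBE_SECRET
-value: tailscale-non-auth-proxy
-- name: TS_ACCEPT_DNS
-value: "true"
-- name: TS_EXTRA_ARGS
-value: "--hostname=non-auth-proxy"
-securityContext:
-capabilities:
-add:
-- NET_ADMIN
-command:
-- sh
-- -c
-- |
-export PATH=$PATH:/tailscale/bin
-if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi
-if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi
-echo "Starting tailscaled"
-tailscaled --state=kube:${TS_KUBE_SECRET} --socket=/tmp/tailscaled.sock &
-PID=$!
-echo "Running tailscale up"
-tailscale --socket=/tmp/tailscaled.sock up \
---accept-dns=${TS_ACCEPT_DNS} \
---authkey=${TS_AUTH_KEY} \
-${TS_EXTRA_ARGS}
-echo "Re-enabling incoming traffic from the cluster"
-wait ${PID}
 ---
 apiVersion: v1
 kind: Service
@@ -176,38 +139,16 @@ spec:
 ingressClassName: nginx
 tls:
 - hosts:
-# - home.cluster.fun
+- hello-world.cluster.fun
-- tasks.cluster.fun
-- api.tasks.cluster.fun
 secretName: non-auth-proxy-ingress
 rules:
-# - host: home.cluster.fun
+- host: hello-world.cluster.fun
-# http:
-# paths:
-# - path: /
-# pathType: ImplementationSpecific
-# backend:
-# service:
-# name: non-auth-proxy
-# port:
-# name: http
-- host: tasks.cluster.fun
 http:
 paths:
 - path: /
 pathType: ImplementationSpecific
 backend:
 service:
-name: non-auth-proxy
+name: tailscale-proxy
-port:
-name: http
-- host: api.tasks.cluster.fun
-http:
-paths:
-- path: /
-pathType: ImplementationSpecific
-backend:
-service:
-name: non-auth-proxy
 port:
 name: http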
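Review bot: Removing the `tailscale` sidecar in the first hunk leaves behind the state it created — the `tailscale-non-auth-proxy` Secret written through `--state=kube:${TS_KUBE_SECRET}`, and the tailnet device registered as `non-auth-proxy` with the `tailscale-auth` auth key — and nothing in this commit deletes either. Both should be cleaned up so a stale node credential is not left in the cluster or on the tailnet, and if the pod's ServiceAccount had RBAC granting write access to that Secret for the `kube:` state backend, that grant can be dropped at the same time. The removed container carried `NET_ADMIN` and ran `mknod`, so the remaining `non-auth-proxy` Deployment (whose container list starts outside the hunk) now runs with fewer privileges; that is worth a line in the commit description. In the Ingress hunk the backend now names the `tailscale-proxy` Service with port name `http`, which matches the Service in the other file, but an Ingress can only reference a Service in its own namespace, so this works only if the Ingress is in `auth-proxy` — its metadata is outside the hunk, so confirm, and consider the comment `# backend Service lives in the auth-proxy namespace` above the rule.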