From 1d10d493225cb1d452d45887b6425dae74ec368f Mon Sep 17 00:00:00 2001
From: zlepper
Date: Thu, 27 Feb 2025 14:17:57 +0100
Subject: [PATCH 1/3] Move image to ACR

This will require some tweaks in the deployment manager
---
 charts/tailscale-outbound-proxy/Chart.yaml | 4 ++--
 .../templates/crds.yaml | 8 +++++++
 .../templates/operator.yaml | 6 +++--
 charts/tailscale-outbound-proxy/values.yaml | 3 +++
 src/replace_service_reconciler.rs | 22 ++++++++++++++-----
 src/replaced_service.rs | 8 +++++++
 6 files changed, 42 insertions(+), 9 deletions(-)

diff --git a/charts/tailscale-outbound-proxy/Chart.yaml b/charts/tailscale-outbound-proxy/Chart.yaml
index 4596787..306bd90 100644
--- a/charts/tailscale-outbound-proxy/Chart.yaml
+++ b/charts/tailscale-outbound-proxy/Chart.yaml
@@ -5,9 +5,9 @@ home: https://github.com/digizuite/tailscale-outbound-proxy
 keywords:
 - operator
 - tailscale
-kubeVersion: ">= 1.25.0-0"
+kubeVersion: ">= 1.30.0-0"
 name: tailscale-outbound-proxy-operator
 sources:
 - https://github.com/digizuite/tailscale-outbound-proxy
-version: 0.0.7
+version: 0.0.8
 icon: https://github.com/digizuite/tailscale-outbound-proxy/raw/master/tailscale-logo-black.png
\ No newline at end of file
diff --git a/charts/tailscale-outbound-proxy/templates/crds.yaml b/charts/tailscale-outbound-proxy/templates/crds.yaml
index bea269d..5b84759 100644
--- a/charts/tailscale-outbound-proxy/templates/crds.yaml
+++ b/charts/tailscale-outbound-proxy/templates/crds.yaml
@@ -74,6 +74,14 @@ spec:
 proxyStateSecretName:
 description: The secret to use for storing tailscales state. You do not have to create this secret yourself.
 type: string
+ replacedServiceTailscaleImage:
+ description: A custom image to use for the tailscale proxy
+ nullable: true
+ type: string
+ replacedServiceTailscaleImagePullSecret:
+ description: A pull secret to use for the custom image. Do note proxies are started in the same namespace as this CRD instance, meaning the pull secret should be in the same namespace as this CRD instance.
+ nullable: true
+ type: string
 serviceAccount:
 description: The service account the proxy pod should use.
 type: string
diff --git a/charts/tailscale-outbound-proxy/templates/operator.yaml b/charts/tailscale-outbound-proxy/templates/operator.yaml
index d52fc25..ea1115e 100644
--- a/charts/tailscale-outbound-proxy/templates/operator.yaml
+++ b/charts/tailscale-outbound-proxy/templates/operator.yaml
@@ -175,10 +175,12 @@ spec:
 app.kubernetes.io/part-of: tailscale-outbound-proxy
 spec:
 serviceAccountName: tailscale-outbound-proxy
+ imagePullSecrets:
+ - name: {{ .Values.operator.imagePullSecret }}
 containers:
 - name: operator
- image: ghcr.io/digizuite/tailscale-outbound-proxy:master
- imagePullPolicy: Always
+ image: {{ .Values.operator.image }}
+ imagePullPolicy: {{ .Values.operator.imagePullPolicy }}
 env:
 - name: RUST_LOG
 value: "info"
diff --git a/charts/tailscale-outbound-proxy/values.yaml b/charts/tailscale-outbound-proxy/values.yaml
index 7c8b333..53ed4c1 100644
--- a/charts/tailscale-outbound-proxy/values.yaml
+++ b/charts/tailscale-outbound-proxy/values.yaml
@@ -1,5 +1,8 @@
 operator:
 enable: true
+ imagePullPolicy: Always
+ image: digizuite.azurecr.io/digizuite/tailscale-outbound-proxy:master
+ imagePullSecret: ""
 resources:
 limits:
 cpu: 100m
diff --git a/src/replace_service_reconciler.rs b/src/replace_service_reconciler.rs
index 6172e5d..747c57f 100644
--- a/src/replace_service_reconciler.rs
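Review bot: Both new properties accept any string, the empty string included, so a CR with `replacedServiceTailscaleImage: ""` passes admission and only fails later when the reconciler builds a pod with an empty image; add `minLength: 1` beneath each of the two new `type: string` entries so the API server rejects it up front. The description of `replacedServiceTailscaleImage` also says nothing about what is done with the value or what happens when it is absent, which is exactly what a CR author reading the schema needs to know. I would write `description: A custom image to use for the tailscale proxy. The operator runs this image as the proxy container exactly as given; when unset a built-in default image is used.`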
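Review bot: `imagePullSecrets` is rendered unconditionally while `values.yaml` in this same commit defaults `operator.imagePullSecret` to `""`, so a default install emits a pull-secret entry whose `name` is empty; whether the API server rejects that or the kubelet silently skips it, the template should not produce it. Guard the two added lines with `{{- if .Values.operator.imagePullSecret }}` before `imagePullSecrets:` and `{{- end }}` after the `- name:` line. Quoting the templated scalars, `image: {{ .Values.operator.image | quote }}` and likewise for `imagePullPolicy`, keeps the rendered manifest valid YAML regardless of what a user puts in the value.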
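Review bot: The new default `operator.image` points at the mutable `:master` tag with `imagePullPolicy: Always`, so every operator pod restart may pull a build different from the one that was tested, and nothing ties the deployed image to the chart `version` bumped in `Chart.yaml`; prefer an immutable tag or an `@sha256:` digest as the default (for example one that follows the chart's app version) and leave `:master` as an explicit opt-in. The same applies to the proxy fallback `ghcr.io/digizuite/tailscale-fix:master`, hard-coded with `image_pull_policy: Some("Always")` in `src/replace_service_reconciler.rs`, which this commit leaves on ghcr.io while the operator itself moves to ACR; if that split is intentional it deserves a sentence in the commit message.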
+++ b/src/replace_service_reconciler.rs
@@ -4,8 +4,8 @@ use crate::{ContextData, Error};
 use anyhow::{anyhow, Result};
 use k8s_openapi::api::apps::v1::{Deployment, DeploymentSpec, DeploymentStrategy, ReplicaSet};
 use k8s_openapi::api::core::v1::{
- Capabilities, Container, Endpoints, EnvVar, EnvVarSource, Pod, PodSpec, PodTemplateSpec,
- Secret, SecretKeySelector, SecurityContext, Service, ServicePort, ServiceSpec,
+ Capabilities, Container, Endpoints, EnvVar, EnvVarSource, LocalObjectReference, Pod, PodSpec,
+ PodTemplateSpec, Secret, SecretKeySelector, SecurityContext, Service, ServicePort, ServiceSpec,
 };
 use k8s_openapi::apimachinery::pkg::apis::meta::v1::{LabelSelector, ObjectMeta, OwnerReference};
 use k8s_openapi::apimachinery::pkg::util::intstr::IntOrString;
@@ -404,9 +404,20 @@ async fn ensure_tailscale_proxy(
 ]),
 ..Default::default()
 }]),
+ image_pull_secrets: resource
+ .spec
+ .replaced_service_tailscale_image_pull_secret
+ .clone()
+ .map(|s| vec![LocalObjectReference { name: s }]),
 containers: vec![Container {
 name: "tailscale".to_string(),
- image: Some("ghcr.io/digizuite/tailscale-fix:master".to_string()),
+ image: resource
+ .spec
+ .replaced_service_tailscale_image
+ .clone()
+ .or_else(|| {
+ Some("ghcr.io/digizuite/tailscale-fix:master".to_string())
+ }),
 image_pull_policy: Some("Always".to_string()),
 security_context: Some(SecurityContext {
 capabilities: Some(Capabilities {
@@ -447,7 +458,8 @@ async fn ensure_tailscale_proxy(
 name: "TS_AUTHKEY".to_string(),
 value_from: Some(EnvVarSource {
 secret_key_ref: Some(SecretKeySelector {
- name: tailscale_proxy_secret_state_secret_name.to_string(),
+ name: tailscale_proxy_secret_state_secret_name
+ .to_string(),
 optional: Some(false),
 key: "TS_AUTHKEY".to_string(),
 }),
@@ -929,6 +941,6 @@ async fn change_keda_replicas(
 Err(api_error.into())
 }
 }
- Err(e) => Err(e.into())
+ Err(e) => Err(e.into()),
 }
 }
diff --git a/src/replaced_service.rs b/src/replaced_service.rs
index c6e69a2..b5d4d87 100644
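Review bot: `spec.replaced_service_tailscale_image` is passed through verbatim, so whoever may create or edit a ReplacedService now picks the image that runs in the proxy pod under the `security_context` and capabilities set just below, and the commit adds no validation of that value; an explicitly empty string becomes `image: Some("")`, which pod validation is unlikely to accept, instead of falling back to the default. I would treat empty as unset and drop the `or_else` that only re-wraps in `Some`: `image: Some(resource.spec.replaced_service_tailscale_image.clone().filter(|s| !s.is_empty()).unwrap_or_else(|| "ghcr.io/digizuite/tailscale-fix:master".to_string())),` and put the same `.filter(|s| !s.is_empty())` before the `.map` on `image_pull_secrets`, since a `LocalObjectReference` with an empty name is equally useless. With RBAC on the CRD now the only control over which image the operator runs, a comment at the `image:` line saying so (`// Taken from the CR as-is: CR authors are trusted to choose the proxy image.`) is the minimum, and an allow-list of registries or a digest requirement checked before this point is the technical control if one is wanted. ensure_tailscale_proxy begins and ends outside the hunk.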
--- a/src/replaced_service.rs
+++ b/src/replaced_service.rs
@@ -51,6 +51,14 @@ pub struct ReplacedServiceSpec {
 /// The name of a keda scaled object that might prevent downscaling of a deployment
 pub keda_scale_object_name: Option,
+
+ /// A custom image to use for the tailscale proxy
+ pub replaced_service_tailscale_image: Option,
+
+ /// A pull secret to use for the custom image. Do note proxies are started in the same
+ /// namespace as this CRD instance, meaning the pull secret should be in the same
+ /// namespace as this CRD instance.
+ pub replaced_service_tailscale_image_pull_secret: Option
 }
 #[derive(Serialize, Deserialize, Debug, PartialEq, Clone, JsonSchema, Default)]
From 14459e817a7118445f62c94164ff4f7e03d6c9e3 Mon Sep 17 00:00:00 2001
From: zlepper
Date: Thu, 27 Feb 2025 14:23:47 +0100
Subject: [PATCH 2/3] Remember to update that
---
 .github/workflows/docker-image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 1ced485..93391f2 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -10,7 +10,7 @@ on:
 - ".github/workflows/docker-image.yml"
 env:
- REGISTRY: ghcr.io
+ REGISTRY: digizuite.azurecr.io
 IMAGE_NAME: ${{ github.repository }}
 jobs:
From f8f799f66347dc4abca71fa3585faa40026add73 Mon Sep 17 00:00:00 2001
From: zlepper
Date: Thu, 27 Feb 2025 14:26:39 +0100
Subject: [PATCH 3/3] YEt even more
---
 .github/workflows/docker-image.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 93391f2..ea8a4b0 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
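Review bot: The doc comment on `replaced_service_tailscale_image` does not say what happens when the field is unset, and neither new comment says that the operator runs whatever is named here as the proxy container, which is the one fact a CR author needs before filling it in; I would write `/// A custom image to use for the tailscale proxy. When unset the operator's built-in default image is used. The value is run as the proxy container exactly as given, so only references from registries you trust belong here.` The last field is also missing the trailing comma rustfmt would add, `pub replaced_service_tailscale_image_pull_secret: Option<String>,` (the type parameters appear to have been lost in this rendering; presumably both fields are `Option<String>`). The struct definition begins before the hunk.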
@@ -32,8 +32,8 @@ jobs:
 uses: docker/login-action@v3
 with:
 registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
+ username: ${{ secrets.DIGIZUITE_DEV_ACR_USERNAME }}
+ password: ${{ secrets.DIGIZUITE_DEV_ACR_PASSWORD }}
 - name: Docker meta
 id: meta
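Review bot: The login moves from the job-scoped, automatically expiring `GITHUB_TOKEN` to a static username/password pair held in repository secrets, i.e. a long-lived credential that any workflow run with access to secrets can read and that must be rotated by hand if it leaks. Prefer OIDC federation for this step (`azure/login` with a federated credential on a service principal or managed identity, followed by `az acr login --name <registry-name>`) so that no long-lived secret exists, or at minimum a principal scoped to push on this one repository with a documented rotation schedule. The secret names say `DEV` while the chart default added in patch 1 pulls from `digizuite.azurecr.io`; if that is the registry production installs consume, confirm these credentials are the intended ones. The job's `on:` triggers and permissions are outside this hunk, so I cannot tell what can reach this step.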