Persist tailscale state #15911
Looks like 50%-ish of the work is there already.
Best to actually read the code if you link to it.
True that. Couldn't we just create a new k8s RBAC role and bind the RBAC role to whatever Kubernetes service account the app is using? Binding a new role shouldn't affect the app.
That means that every app that uses the tailscale sidecar will have access to that secret.
No I don't. Good point. What about a new service account just for the tailscale sidecar?
SA is bound to the pod. If it was run on another pod this wouldn't be an issue, but then tailscale is on a different network than your app.
Good point again. What about making a tiny PVC to store the tailscale state?
That's a possible solution yes.
The tailscale state file is one single JSON file.

```json
{
  "$schema": "http://json-schema.org/draft-06/schema#",
  "$ref": "#/definitions/tailscale01",
  "definitions": {
    "tailscale01": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "_current-profile": {
          "type": "string"
        },
        "_machinekey": {
          "type": "string"
        },
        "_profiles": {
          "type": "string"
        },
        "_serve/470c": {
          "type": "string"
        },
        "profile-470c": {
          "type": "string"
        }
      },
      "required": [
        "_current-profile",
        "_machinekey",
        "_profiles",
        "_serve/470c",
        "profile-470c"
      ],
      "title": "tailscale01"
    }
  }
}
```
@Ornias1993 I'm fine with a 1-10Mi PVC. What do you think? EDIT: scaled down PVC size
Tailscale file size is approx EDIT: The state file does contain secrets. Is there a way to encrypt the file and decrypt on the fly? Or something similar?
@stavros-k Much rather use secrets with namespaced RBAC. Sneaking persistence into something that can be stateless seems like a bad practice.
dotfiles in a secret volume fits the bill!
Can we please not link random stuff? :)
Namespaced would be anyway. But still all other containers on that pod will have access to that secret, since the SA will be mounted to the pod.
No it will be mounted in a container:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: dotfile-secret
data:
  .secret-file: dmFsdWUtMg0KDQo=
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-dotfiles-pod
spec:
  volumes:
    - name: secret-volume
      secret:
        secretName: dotfile-secret
  containers:
    - name: dotfile-test-container
      image: registry.k8s.io/busybox
      command:
        - ls
        - "-l"
        - "/etc/secret-volume"
      volumeMounts:
        - name: secret-volume
          readOnly: true
          mountPath: "/etc/secret-volume"
```
So, you mount it in the container. How would Tailscale WRITE its state to that?
Like any other file. EDIT: If the file is updated then the k8s secret is also updated.
But it's not like any other file. kubernetes/kubernetes#62099 (comment)
Dang. What about TrueCharts supporting the Tailscale k8s operator?
Feel free to do the work :) But afaik it's still ALPHA. Solution(s) have been laid out a few messages ago.
Let's just go with the minuscule PVC. I'll wait for the tailscale Kubernetes operator to become mature. I will do the work at that time.
@delaman Let me stop you right there, from wasting more time. @stavros-k Set up a pretty limited RBAC, but I don't care much about the container secret leaking to other containers tbh. But default to secret please, we should evade defaulting to using persistence.
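For reference, this is the shape a "pretty limited RBAC" for the secret-backed state would take. It is an added illustration, not code from this issue or from TrueCharts, and the namespace, ServiceAccount name and Secret name are assumed placeholders. It grants one dedicated ServiceAccount (not the app's) read/write on a single named Secret in its own namespace; `create` gets a separate rule because Kubernetes cannot narrow `create` by `resourceNames`.

```yaml
# Added example (not from this issue or TrueCharts); all names are placeholders.
# Least-privilege RBAC for a tailscale sidecar that keeps its state in a
# Kubernetes Secret instead of a PVC. Rights are namespaced and limited to
# the one Secret that holds the state.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tailscale-sidecar        # assumed: a SA used only by the sidecar pod
  namespace: my-app              # assumed namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tailscale-state
  namespace: my-app
rules:
  # "create" cannot be restricted with resourceNames (the object does not
  # exist yet when the request is authorized), so it lives in its own rule.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  # Read and write are confined to the single state Secret by name.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["tailscale-state"]   # assumed Secret name
    verbs: ["get", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tailscale-state
  namespace: my-app
subjects:
  - kind: ServiceAccount
    name: tailscale-sidecar
    namespace: my-app
roleRef:
  kind: Role
  name: tailscale-state
  apiGroup: rbac.authorization.k8s.io
```

The pod-wide token concern raised earlier in the thread can be narrowed as well: set `automountServiceAccountToken: false` on the pod and mount a `projected` `serviceAccountToken` volume only into the tailscale container. Verify the result with `kubectl auth can-i get secrets/tailscale-state --as=system:serviceaccount:my-app:tailscale-sidecar -n my-app`, which should answer `yes` for that SA and `no` for the app's.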
Sorry I can't spend time on this any time soon.
@Ornias1993 Mentioned being okay with a toggle switch. Maybe adding the PVC version now, then the RBAC version later?
I agree it's not a priority any time soon.
You don't seem to be getting it: And we as maintainers, are both not going to do it, as it's not a priority at all.
Closed in favor of: |
Is your feature request related to a problem?
The hostname I set does not persist. For example, if I set the hostname to cool-app, after the pod restarts for whatever reason the hostname is changed to cool-app-1. The number increases every time.
Describe the solution you'd like
Add a tick box that adds the tailscale state to a Kubernetes secret. tailscale Kubernetes secret feature.
Describe alternatives you've considered
Mounting a path in the tailscale container. This option is not supported with TrueCharts' VPN feature.
Additional context
No response