Set dns policy to ClusterFirstWithHostNet

Signed-off-by: Lee Briggs <lee@leebriggs.co.uk>

cmd/k8s-operator/deploy/chart/templates/deployment.yaml

@@ -1,6 +1,5 @@
 # Copyright (c) Tailscale Inc & AUTHORS
 # SPDX-License-Identifier: BSD-3-Clause
-
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -25,6 +24,10 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      {{- if .Values.operatorConfig.hostNetwork.enabled }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      {{- end }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -48,6 +51,11 @@ spec:
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- if .Values.operatorConfig.port.enabled }}
+          ports:
+            - containerPort: {{ .Values.operatorConfig.port.containerPort }}
+              protocol: UDP
+          {{- end }}
           {{- with .Values.operatorConfig.resources }}
           resources:
             {{- toYaml . | nindent 12 }}
@@ -72,6 +80,10 @@ spec:
               value: /oauth/client_id
             - name: CLIENT_SECRET_FILE
               value: /oauth/client_secret
+            {{- if .Values.operatorConfig.port.enabled }}
+            - name: TS_PORT
+              value: {{ .Values.operatorConfig.port.containerPort | quote }}
+            {{- end }}
             {{- $proxyTag := printf ":%s" ( .Values.proxyConfig.image.tag | default .Chart.AppVersion )}}
             - name: PROXY_IMAGE
               value: {{ coalesce .Values.proxyConfig.image.repo .Values.proxyConfig.image.repository }}{{- if .Values.proxyConfig.image.digest -}}{{ printf "@%s" .Values.proxyConfig.image.digest}}{{- else -}}{{ printf "%s" $proxyTag }}{{- end }}
@@ -111,4 +123,4 @@ spec:
       {{- with .Values.operatorConfig.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+      {{- end }}

cmd/k8s-operator/deploy/chart/values.yaml

@@ -37,6 +37,15 @@ operatorConfig:
   defaultTags:
     - "tag:k8s-operator"
 
+  # Manual configuration of tsnet port. If unset, a random port is selected.
+  port:
+    enabled: false
+    containerPort: 8080
+
+  # Optional host network configuration. Likely only needed for public Kubernetes nodes
+  hostNetwork:
+    enabled: false
+
   image:
     # Repository defaults to DockerHub, but images are also synced to ghcr.io/tailscale/k8s-operator.
     repository: tailscale/k8s-operator

ipn/ipnlocal/cert.go

@@ -556,7 +556,6 @@ func (b *LocalBackend) getCertPEM(ctx context.Context, cs certStore, logf logger
 	}
 
 	logf("requesting cert...")
-	traceACME(csr)
 	der, _, err := ac.CreateOrderCert(ctx, order.FinalizeURL, csr, true)
 	if err != nil {
 		return nil, fmt.Errorf("CreateOrder: %v", err)
@@ -579,10 +578,10 @@ func (b *LocalBackend) getCertPEM(ctx context.Context, cs certStore, logf logger
 }
 
 // certRequest generates a CSR for the given common name cn and optional SANs.
-func certRequest(key crypto.Signer, name string, ext []pkix.Extension) ([]byte, error) {
+func certRequest(key crypto.Signer, cn string, ext []pkix.Extension, san ...string) ([]byte, error) {
 	req := &x509.CertificateRequest{
-		Subject:         pkix.Name{CommonName: name},
-		DNSNames:        []string{name},
+		Subject:         pkix.Name{CommonName: cn},
+		DNSNames:        san,
 		ExtraExtensions: ext,
 	}
 	return x509.CreateCertificateRequest(rand.Reader, req, key)

util/execqueue/execqueue.go

@@ -7,11 +7,7 @@ package execqueue
 import (
 	"context"
 	"errors"
-	"expvar"
-	"fmt"
 	"sync"
-	"sync/atomic"
-	"time"
 )
 
 type ExecQueue struct {
@@ -20,36 +16,9 @@ type ExecQueue struct {
 	inFlight   bool          // whether a goroutine is running q.run
 	doneWaiter chan struct{} // non-nil if waiter is waiting, then closed
 	queue      []func()
-
-	// metrics follow
-	metricsRegisterOnce  sync.Once
-	metricInserts        expvar.Int
-	metricRemovals       expvar.Int
-	metricQueueLastDrain expvar.Int // unix millis
-}
-
-// This is extremely silly but is for debugging
-var metricsCounter atomic.Int64
-
-// registerMetrics registers the queue's metrics with expvar, using a unique name.
-func (q *ExecQueue) registerMetrics() {
-	q.metricsRegisterOnce.Do(func() {
-		m := new(expvar.Map).Init()
-		m.Set("inserts", &q.metricInserts)
-		m.Set("removals", &q.metricRemovals)
-		m.Set("length", expvar.Func(func() any {
-			return q.metricInserts.Value() - q.metricRemovals.Value()
-		}))
-		m.Set("last_drain", &q.metricQueueLastDrain)
-
-		name := fmt.Sprintf("execqueue-%d", metricsCounter.Add(1))
-		expvar.Publish(name, m)
-	})
 }
 
 func (q *ExecQueue) Add(f func()) {
-	q.registerMetrics()
-
 	q.mu.Lock()
 	defer q.mu.Unlock()
 	if q.closed {
@@ -57,7 +26,6 @@ func (q *ExecQueue) Add(f func()) {
 	}
 	if q.inFlight {
 		q.queue = append(q.queue, f)
-		q.metricInserts.Add(1)
 	} else {
 		q.inFlight = true
 		go q.run(f)
@@ -67,8 +35,6 @@ func (q *ExecQueue) Add(f func()) {
 // RunSync waits for the queue to be drained and then synchronously runs f.
 // It returns an error if the queue is closed before f is run or ctx expires.
 func (q *ExecQueue) RunSync(ctx context.Context, f func()) error {
-	q.registerMetrics()
-
 	for {
 		if err := q.Wait(ctx); err != nil {
 			return err
@@ -95,13 +61,11 @@ func (q *ExecQueue) run(f func()) {
 		f := q.queue[0]
 		q.queue[0] = nil
 		q.queue = q.queue[1:]
-		q.metricRemovals.Add(1)
 		q.mu.Unlock()
 		f()
 		q.mu.Lock()
 	}
 	q.inFlight = false
-	q.metricQueueLastDrain.Set(int64(time.Now().UnixMilli()))
 	q.queue = nil
 	if q.doneWaiter != nil {
 		close(q.doneWaiter)
@@ -112,8 +76,6 @@ func (q *ExecQueue) run(f func()) {
 
 // Shutdown asynchronously signals the queue to stop.
 func (q *ExecQueue) Shutdown() {
-	q.registerMetrics()
-
 	q.mu.Lock()
 	defer q.mu.Unlock()
 	q.closed = true
@@ -121,8 +83,6 @@ func (q *ExecQueue) Shutdown() {
 
 // Wait waits for the queue to be empty.
 func (q *ExecQueue) Wait(ctx context.Context) error {
-	q.registerMetrics()
-
 	q.mu.Lock()
 	waitCh := q.doneWaiter
 	if q.inFlight && waitCh == nil {