Service resolution fixed, tailscale update

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "gomod" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"

.github/workflows/ci.yaml

@@ -10,16 +10,17 @@ jobs:
   docker:
     runs-on: ubuntu-latest
     steps:
-      - uses: docker/setup-qemu-action@v1
+      - uses: docker/setup-qemu-action@v3
 
-      - uses: docker/setup-buildx-action@v1
+      - uses: docker/setup-buildx-action@v3
 
-      - uses: docker/login-action@v1
+      - uses: docker/login-action@v3
         with:
-          username: mewil
+          username: ${{ vars.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - uses: docker/build-push-action@v2
+      - uses: docker/build-push-action@v5
         with:
           push: true
-          tags: mewil/tailscale-ingress-controller:latest
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ vars.DOCKERHUB_USERNAME }}/${{ vars.DOCKERHUB_REPO }}:stable

Dockerfile

@@ -1,12 +1,12 @@
-FROM golang:1.19-alpine as builder
+FROM golang:1.24-alpine as builder
 
 RUN apk add --update \
     ca-certificates \
     git \
   && rm -rf /var/cache/apk/*
 
 ENV CGO_ENABLED=0
-WORKDIR /go/src/github.com/mewil/tailscale-ingress-controller
+WORKDIR /go/src/github.com/valentinalexeev/tailscale-ingress-controller
 COPY go.mod go.sum ./
 RUN go mod download
 

LICENSE

@@ -1,6 +1,7 @@
 MIT License
 
 Copyright (c) 2022 Michael Wilson
+Copyright (c) 2023 Valentin A. Alekseev
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Makefile

@@ -0,0 +1,18 @@
+VARIANT?=latest
+VARIANT_SUFFIX=
+REGISTRY?=valentinalexeev
+
+ifneq (${VARIANT},latest)
+VARIANT_SUFFIX=-${VARIANT}
+endif
+
+build:
+	docker build -t ${REGISTRY}/tailscale-ingress-controller:${VARIANT} --push .
+
+deploy:
+	kubectl apply -f demo/ingress-controller${VARIANT_SUFFIX}.yaml
+
+remove:
+	kubectl delete -f demo/ingress-controller${VARIANT_SUFFIX}.yaml
+
+redeploy: remove deploy

README.md

@@ -5,7 +5,7 @@ The controller will [create a Tailscale node](https://tailscale.com/blog/tsnet-v
 
 Try it out by applying the resources in the demo directory:
 ```
-git clone https://github.com/mewil/tailscale-ingress-controller
+git clone https://github.com/valentinalexeev/tailscale-ingress-controller
 cd tailscale-ingress-controller/demo
 export TS_AUTHKEY=<your authkey>
 sed "s/\$TS_AUTHKEY/$TS_AUTHKEY/g" * | kubectl apply -f -
@@ -18,10 +18,64 @@ If all goes well, you should be able to access the hello world HTTP demo service
 The demo manifests create a demo backend deployment and service, a demo ingress resource, a deployment for the ingress controller, and a secret for your Tailscale key.
 The controller will create a Tailscale node with the hostname `demo` and proxy traffic from the Tailscale network to the backend Kubernetes service.
 
-The controller proxy server will also parse the remote IP address from Tailscale and add `X-Webauth-User` and `X-Webauth-Name` HTTP headers to the request before forwarding it for the Tailscale login name and display name, respectively.
+### Tailscale SSO
+As Tailscale provides authentication information as part of the requests the Ingress Controller is able to supply this information to the services.
+
+The controller proxy server will parse the remote IP address from Tailscale and add `X-Webauth-User` and `X-Webauth-Name` HTTP headers to the request before forwarding it for the Tailscale login name and display name, respectively.
+
+The services can be configured to use the provided headers as SSO credentials. See sample use case on [How To Seamlessly Authenticate to Grafana using Tailscale](https://tailscale.com/blog/grafana-auth/)
+
+### TLS support
+Tailscale provides native HTTPS implementation with certificates by Let's Encrypt. 
+
 If the host is also listed in the `tls` section of the Ingress spec (see comment in the example Ingress to try it), then the Tailscale node will proxy requests from port 443 instead of 80 and [automatically generate a certificate for itself](https://tailscale.com/blog/tls-certs/).
 
+### Funnel support
+The Ingress Controller allows the use of [Tailscale Funnel](https://tailscale.com/kb/1223/tailscale-funnel/) to expose services to the public network.
+
+Unlike HTTPS support, to enable Funnel for an Ingress point a custom annotation ``tailscale.com/funnel: "true"`` needs to be added to the resource definition.
+```yaml
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: tailscale-ingress-funnel
+  labels:
+    tailscale.com/funnel: "true"
+spec:
+  rules:
+    - host: demo-funnel
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: demo-backend
+                port:
+                  number: 8080
+```
+
+Please refer to the Tailscale documentation on additional opt-in actions (nodeAttrs and ACL tag set-up) required to make Funnel enabled for the services.
+
+### TCP service support
+The TCP support was inspired by the ``ingress-nginx`` and relies on a dedicated ConfigMap with a mapping between virtual Tailscale nodes and kubernetes services.
+
+To configure ``tailscale-ingress-controller`` to proxy TCP requests the following settings must be done:
+* Create a new ConfigMap that will include service mappings. The notation of the config map is the following:
+```yaml
+...
+data:
+  # <Host>.<Port>: [<Namespace>/]<Service>:<Port>
+  # A sample mapping to allow connection to the Clickhouse native port (deployed from a Bitnami Helm chart)
+  clickhouse.9000: clickhouse/clickhouse-1687979852:9000
+```
+* Deploy controller with an additional environment variable ``TCP_SERVICES_CONFIGMAP`` set to the name of the newly created ConfigMap.
+
 ## Future Work
-- Store Tailscale state in a Kubernetes Secret
 - Support Ingress Classes
 - High Availability
+
+## Authors
+- Michael Wilson http://github.com/mewil
+- Valentin Alekseev http://github.com/valentinalexeev