Yep, I know, it’s a bad title. I’ll try to elaborate.
I’m following (roughly) the “Sample Proxy” section of the Kubernetes docs. Rather than check out the files and use the makefile, I copied the proxy YAML file and the RBAC files (what even are those called?) and manually substituted in the right values, after creating an nginx service as well:
❯ kubectl create deployment nginx --image nginx
deployment.apps/nginx created
❯ kubectl expose deployment nginx --port 80
service/nginx exposed
❯ kubectl get svc nginx -o=jsonpath='{.spec.clusterIP}'
10.43.72.233
I set that IP in the proxy.yaml file, as well as setting the TS_KUBE_SECRET to tailscale-auth-key, and setting the serviceAccountName to my tailscale acct.
❯ kubectl get secrets
NAME TYPE DATA AGE
tailscale-auth-key Opaque 5 20h
I got that running:
❯ kubectl apply -f k8s/proxy.yaml
pod/proxy created
And now I can see it in tailscale:
❯ tailscale status | grep proxy
100.90.90.35 proxy offby1@ linux -
❯ tailscale ping proxy
pong from proxy (100.90.90.35) via DERP(sea) in 11ms
pong from proxy (100.90.90.35) via DERP(sea) in 26ms
pong from proxy (100.90.90.35) via DERP(sea) in 13ms
pong from proxy (100.90.90.35) via 192.168.5.167:59653 in 6ms
However, when I try to curl it, it simply hangs (yes, I have MagicDNS):
❯ curl http://proxy/
# ... wait forever here
If I look at the proxy logs, I see this as soon as I run curl (100.113.157.9 is my laptop’s tailscale IP):
2022/12/13 02:39:39 wgengine: idle peer [NwM5W] now active, reconfiguring WireGuard
2022/12/13 02:39:39 wgengine: Reconfig: configuring userspace WireGuard config (with 1/14 peers)
2022/12/13 02:39:39 magicsock: disco: node [NwM5W] d:7af7c3ee54fbc194 now using 192.168.2.12:41641
2022/12/13 02:39:39 Accept: TCP{100.113.157.9:60069 > 100.90.90.35:80} 64 tcp ok
2022/12/13 02:39:40 Accept: TCP{100.113.157.9:60069 > 100.90.90.35:80} 64 tcp ok
2022/12/13 02:39:41 Accept: TCP{100.113.157.9:60069 > 100.90.90.35:80} 64 tcp ok
2022/12/13 02:39:50 Accept: TCP{100.113.157.9:60069 > 100.90.90.35:80} 64 tcp ok
And I don’t see anything in the nginx container.
I’ve confirmed that I can connect to the nginx container from the proxy:
❯ kubectl exec --stdin --tty proxy -- /bin/sh
Defaulted container "tailscale" out of: tailscale, sysctler (init)
/ # nc 10.43.72.233 80
GET /
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
...
So… why is the proxy not working? I’ve clearly missed something.
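A consistency check for the pieces the post wires together, as an added example (not code from the original post or from Tailscale). It compares a proxy Pod spec against the cluster facts shown above: the nginx Service clusterIP, the Secret name and the service account. The env variable names TS_DEST_IP and TS_USERSPACE and the sysctler init container come from the Tailscale docs' proxy.yaml that the post follows and are not shown on the page; the service-account name "tailscale" is an assumption (the post only says "my tailscale acct"); the rule that TS_DEST_IP forwarding cannot be combined with TS_USERSPACE=true is an assumption about containerboot's requirements, not something the post states.

```python
"""Consistency check for a Tailscale Kubernetes proxy Pod spec.

Added example, not code from the original post or from Tailscale. The pod
below is a constructed stand-in for the docs' proxy.yaml with only the
fields the check cares about; the cluster facts are constructed from the
kubectl output in the post.
"""
import copy

# Constructed cluster facts (values from the post's kubectl output; the
# service-account name is an assumption, the post only says "my tailscale acct").
CLUSTER = {
    "service_cluster_ip": "10.43.72.233",   # kubectl get svc nginx -o=jsonpath='{.spec.clusterIP}'
    "secrets": {"tailscale-auth-key"},      # kubectl get secrets
    "service_accounts": {"tailscale"},      # assumed
}

# Constructed pod spec mirroring the docs' proxy.yaml layout (assumed, not on the page).
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "proxy"},
    "spec": {
        "serviceAccountName": "tailscale",
        "initContainers": [
            {"name": "sysctler", "image": "busybox",
             "command": ["/bin/sh"], "args": ["-c", "sysctl -w net.ipv4.ip_forward=1"]},
        ],
        "containers": [
            {"name": "tailscale", "image": "ghcr.io/tailscale/tailscale:latest",
             "env": [
                 {"name": "TS_KUBE_SECRET", "value": "tailscale-auth-key"},
                 {"name": "TS_USERSPACE", "value": "false"},
                 {"name": "TS_DEST_IP", "value": "10.43.72.233"},
             ]},
        ],
    },
}


def _env(container):
    """Flatten a container's env list into {name: value}; valueFrom entries map to None."""
    return {e["name"]: e.get("value") for e in container.get("env", [])}


def check_proxy_pod(pod, cluster):
    """Return a list of findings; an empty list means the spec matches the cluster."""
    findings = []
    spec = pod.get("spec", {})

    sa = spec.get("serviceAccountName")
    if not sa:
        findings.append("serviceAccountName missing: the proxy needs it to read/write TS_KUBE_SECRET")
    elif sa not in cluster["service_accounts"]:
        findings.append(f"serviceAccountName {sa!r} does not exist in the namespace")

    ts = next((c for c in spec.get("containers", []) if c.get("name") == "tailscale"), None)
    if ts is None:
        findings.append("no container named 'tailscale' in the pod")
        return findings
    env = _env(ts)

    dest = env.get("TS_DEST_IP")
    want = cluster["service_cluster_ip"]
    if dest != want:
        findings.append(f"TS_DEST_IP={dest!r} but the nginx Service clusterIP is {want!r}")

    secret = env.get("TS_KUBE_SECRET")
    if secret not in cluster["secrets"]:
        findings.append(f"TS_KUBE_SECRET={secret!r} names a Secret that does not exist")

    # Assumption: TS_DEST_IP forwarding relies on kernel networking (DNAT rules),
    # so userspace-networking mode cannot be enabled alongside it.
    if dest and str(env.get("TS_USERSPACE", "false")).lower() == "true":
        findings.append("TS_USERSPACE=true is incompatible with TS_DEST_IP forwarding")

    # The docs' sysctler init container enables IPv4 forwarding, which the
    # redirect to the Service IP depends on (assumption about the docs' manifest).
    forwarding = any("net.ipv4.ip_forward=1" in " ".join(c.get("args", []))
                     for c in spec.get("initContainers", []))
    if dest and not forwarding:
        findings.append("no init container sets net.ipv4.ip_forward=1")
    return findings


def with_env(pod, name, value):
    """Deep-copy pod and set (or, with value=None, remove) one tailscale env var."""
    new = copy.deepcopy(pod)
    for c in new["spec"]["containers"]:
        if c["name"] == "tailscale":
            c["env"] = [e for e in c.get("env", []) if e["name"] != name]
            if value is not None:
                c["env"].append({"name": name, "value": value})
    return new


if __name__ == "__main__":
    for line in check_proxy_pod(SAMPLE_POD, CLUSTER) or ["proxy spec is consistent with the cluster"]:
        print(line)
```

Feed it the real values from `kubectl get svc`, `kubectl get secrets` and `kubectl get sa` and the manifest you applied; a non-empty result points at the mismatch before you start reading wgengine logs.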