diff --git a/pkg/render/typha.go b/pkg/render/typha.go
index b5b8d181ab..95082f475a 100644
--- a/pkg/render/typha.go
+++ b/pkg/render/typha.go
@@ -16,6 +16,7 @@ package render
 
 import (
 	"fmt"
+	"slices"
 
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -666,6 +667,14 @@ func (c *typhaComponent) typhaEnvVarsNonClusterHost() []corev1.EnvVar {
 	envVars = replaceOrAppendEnvVar(envVars, "TYPHA_CLIENTCN", c.cfg.TLS.NodeNonClusterHostCommonName)
 	envVars = replaceOrAppendEnvVar(envVars, "TYPHA_CLIENTURISAN", c.cfg.TLS.NodeNonClusterHostURISAN)
 
+	// NCH Typha runs pod-networked, so the host-network apiserver endpoint
+	// (e.g. MKE's proxy.local) may not be reachable. Strip the inherited env
+	// vars so we fall back to the default kubernetes Service that kubelet
+	// injects into every pod.
+	envVars = slices.DeleteFunc(envVars, func(e corev1.EnvVar) bool {
+		return e.Name == "KUBERNETES_SERVICE_HOST" || e.Name == "KUBERNETES_SERVICE_PORT"
+	})
+
 	// Tell the health aggregator to listen on all interfaces.
 	envVars = append(envVars, corev1.EnvVar{Name: "TYPHA_HEALTHHOST", Value: "0.0.0.0"})
 	return envVars
diff --git a/pkg/render/typha_test.go b/pkg/render/typha_test.go
index 9c0b91f887..ee2063fc53 100644
--- a/pkg/render/typha_test.go
+++ b/pkg/render/typha_test.go
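Review bot: The `slices.DeleteFunc` call discards the operator-configured apiserver endpoint (`cfg.K8sServiceEp`, judging by the accompanying test) for every non-cluster-host Typha, not only on clusters where the host-network endpoint is unreachable from pods; where that endpoint was configured because the default `kubernetes` Service is itself not usable, NCH Typha loses apiserver connectivity and the rendered manifest gives no hint why. If that trade-off is deliberate, the comment above the call should say so explicitly, e.g. `// NOTE: cfg.K8sServiceEp is intentionally ignored for NCH Typha; it always uses the in-cluster default Service.`, and the documentation for the endpoint setting should mention the exception. Otherwise consider making the fallback opt-in rather than unconditional. typhaEnvVarsNonClusterHost begins outside the hunk, so where envVars is first populated is not visible here.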
@@ -199,6 +199,27 @@ var _ = Describe("Typha rendering tests", func() {
 		Expect(d.Spec.Template.Spec.Containers[0].ReadinessProbe.ProbeHandler.HTTPGet.Host).To(BeEmpty())
 	})
 
+	It("should strip the host-network apiserver endpoint from the non-cluster-host Typha", func() {
+		cfg.K8sServiceEp = k8sapi.ServiceEndpoint{Host: "proxy.local", Port: "6444"}
+
+		component := render.Typha(&cfg)
+		resources, _ := component.Objects()
+
+		// NCH Typha is pod-networked; let kubelet's default service injection take over.
+		d := rtest.GetResource(resources, "calico-typha-noncluster-host", "calico-system", "apps", "v1", "Deployment").(*appsv1.Deployment)
+		for _, e := range d.Spec.Template.Spec.Containers[0].Env {
+			Expect(e.Name).ToNot(Equal("KUBERNETES_SERVICE_HOST"))
+			Expect(e.Name).ToNot(Equal("KUBERNETES_SERVICE_PORT"))
+		}
+
+		// The host-networked Typha still gets the configured endpoint.
+		dMain := rtest.GetResource(resources, "calico-typha", "calico-system", "apps", "v1", "Deployment").(*appsv1.Deployment)
+		Expect(dMain.Spec.Template.Spec.Containers[0].Env).To(ContainElements(
+			corev1.EnvVar{Name: "KUBERNETES_SERVICE_HOST", Value: "proxy.local"},
+			corev1.EnvVar{Name: "KUBERNETES_SERVICE_PORT", Value: "6444"},
+		))
+	})
+
 	It("should use custom client common name when specified for non-cluster host Typha deployment", func() {
 		cfg.TLS.NodeNonClusterHostCommonName = "custom-nch-cn"
 		component := render.Typha(&cfg)
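Review bot: The `for` loop over `Containers[0].Env` proves only absence, so it also passes if the wrong container or an empty env list is inspected; pinning one value the renderer always appends to that same list, `Expect(d.Spec.Template.Spec.Containers[0].Env).To(ContainElement(corev1.EnvVar{Name: "TYPHA_HEALTHHOST", Value: "0.0.0.0"}))`, would confirm the negative assertions are looking at the right place. The enclosing Describe block begins and ends outside the hunk.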