[tunnel] --skip-insecure-verify + --public-addr flags

Author: dilyevsky

cmd/tunnelproxy/main.go

@@ -48,10 +48,10 @@ var (
 jwksURLs = flag.String("jwks_urls", "", "Comma-separated URLs of the JWKS endpoints.")
 
 tunnelNodeSelector = flag.String("label_selector", "", "Label selector for TunnelNode objects.")
-
-extIPv6SubnetSize = flag.Int("ext_ipv6_subnet_size", 64, "IPv6 subnet size.")
-extIPv6Ifc = flag.String("ext_ipv6_ifc", "", "IPv6 interface name.")
-cksumRecalc = flag.Bool("cksum_recalc", false, "Recalculate checksum.")
+publicAddr = flag.String("public_addr", "", "Public address of the tunnel proxy.")
+extIPv6SubnetSize  = flag.Int("ext_ipv6_subnet_size", 64, "IPv6 subnet size.")
+extIPv6Ifc  = flag.String("ext_ipv6_ifc", "", "IPv6 interface name.")
+cksumRecalc  = flag.Bool("cksum_recalc", false, "Recalculate checksum.")
 )
 
 func main() {
@@ -136,6 +136,7 @@ func main() {
 r,
 tunnel.WithExternalIPv6Prefix(extIPv6Prefix),
 tunnel.WithLabelSelector(*tunnelNodeSelector),
+tunnel.WithPublicAddr(*publicAddr),
 )
 g.Go(func() error {
 log.Infof("Starting Tunnel Proxy server")

pkg/cmd/tunnel/cmd.go

@@ -215,6 +215,7 @@ func init() {
 updateCmd.Flags().StringVarP(&tunnelNodeFile, "file", "f", "", "Path to the TunnelNode file to update.")
 tunnelRunCmd.Flags().StringVarP(&tunnelNodePcapPath, "pcap", "p", "", "Path to the TunnelNode file to create.")
 tunnelRunCmd.Flags().StringVarP(&tunnelModeS, "mode", "m", "user", "Mode to run the TunnelNode in.")
+tunnelRunCmd.Flags().BoolVar(&insecureSkipVerify, "insecure-skip-verify", false, "Skip TLS certificate verification")
 
 tunnelCmd.AddCommand(createCmd)
 tunnelCmd.AddCommand(getCmd)

pkg/cmd/tunnel/run.go

@@ -45,6 +45,7 @@ var (
 tunnelNodePcapPath string
 tunnelModeS string
 tunnelMode tunnel.TunnelClientMode
+insecureSkipVerify bool
 )
 
 func init() {
@@ -229,7 +230,7 @@ func (t *tunnelNodeReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 cOpts = append(cOpts, tunnel.WithServerAddr(srvAddr))
 }
 }
-if t.cfg.IsLocalMode {
+if t.cfg.IsLocalMode || insecureSkipVerify {
 cOpts = append(cOpts, tunnel.WithInsecureSkipVerify(true))
 }
 

pkg/tunnel/server.go

@@ -9,6 +9,7 @@ import (
 "net"
 "net/http"
 "net/netip"
+"slices"
 "strings"
 "time"
 
@@ -47,6 +48,7 @@ type TunnelServerOption func(*tunnelServerOptions)
 
 type tunnelServerOptions struct {
 proxyAddr string
+publicAddr string
 ulaPrefix netip.Prefix
 certPath string
 keyPath string
@@ -58,6 +60,7 @@ type tunnelServerOptions struct {
 func defaultServerOptions() *tunnelServerOptions {
 return &tunnelServerOptions{
 proxyAddr: "0.0.0.0:9443",
+publicAddr: "",
 ulaPrefix: netip.MustParsePrefix("fd00::/64"),
 certPath: "/etc/apoxy/certs/tunnelproxy.crt",
 keyPath: "/etc/apoxy/certs/tunnelproxy.key",
@@ -74,6 +77,14 @@ func WithProxyAddr(addr string) TunnelServerOption {
 }
 }
 
+// WithPublicAddr sets the address tunnel proxy is reachable at. This
+// address will be set on the TunnelNode objects that this proxy is serving.
+func WithPublicAddr(addr string) TunnelServerOption {
+return func(o *tunnelServerOptions) {
+o.publicAddr = addr
+}
+}
+
 // WithULAPrefix sets the Unique Local Address prefix.
 func WithULAPrefix(prefix netip.Prefix) TunnelServerOption {
 return func(o *tunnelServerOptions) {
@@ -472,6 +483,19 @@ func (t *TunnelServer) reconcile(ctx context.Context, request reconcile.Request)
 return reconcile.Result{}, nil
 }
 
+if t.options.publicAddr != "" {
+var updated bool
+if !slices.Contains(node.Status.Addresses, t.options.publicAddr) {
+node.Status.Addresses = append(node.Status.Addresses, t.options.publicAddr)
+updated = true
+}
+if updated {
+if err := t.Status().Update(ctx, node); err != nil {
+return reconcile.Result{}, fmt.Errorf("failed to update TunnelNode status: %w", err)
+}
+}
+}
+
 t.AddTunnelNode(node)
 
 return ctrl.Result{}, nil