Merged
17 changes: 7 additions & 10 deletions charts/library/common-test/tests/addons/tailscale_test.yaml
Expand Up @@ -32,9 +32,8 @@ tests:
addons:
tailscale:
enabled: true
container:
env:
TS_AUTH_KEY: something
settings:
authkey: something
asserts:
- hasDocuments:
count: 2
Expand Down Expand Up @@ -143,10 +142,9 @@ tests:
addons:
tailscale:
enabled: true
container:
env:
TS_AUTH_KEY: something
TS_USERSPACE: false
settings:
authkey: something
userspace: false
asserts:
- hasDocuments:
count: 2
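Review bot: Replacing the `container.env` case (`TS_AUTH_KEY`, `TS_USERSPACE: false`) with the `settings` one leaves no test in these visible cases for values files that still set the env vars directly, which the template still takes as its base (`$ts.container.env | default dict`). Keep one case that sets `container.env.TS_USERSPACE: false` without touching `settings`, and one that sets both forms, each asserting on the rendered `TS_USERSPACE` and the container `securityContext`, so the precedence between the two is pinned down.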
Expand Down Expand Up @@ -238,9 +236,8 @@ tests:
addons:
tailscale:
enabled: true
container:
env:
TS_AUTH_KEY: something
settings:
authkey: something
asserts:
- hasDocuments:
count: 2
33 changes: 12 additions & 21 deletions charts/library/common/complete-values-structure.yaml
Expand Up @@ -1647,17 +1647,18 @@ addons:
enabled: false
targetSelector:
- "main"
config: ""
authkey: ""
userspace: true
auth_once: true
accept_dns: false
routes: ""
dest_ip: ""
sock5_server: ""
extra_args: ""
daemon_extra_args: ""
outbound_http_proxy_listen: ""
settings:
config: ""
authkey: ""
userspace: true
auth_once: true
accept_dns: false
routes: ""
dest_ip: ""
sock5_server: ""
extra_args: ""
daemon_extra_args: ""
outbound_http_proxy_listen: ""
annotations: {}
container:
enabled: true
Expand All @@ -1677,16 +1678,6 @@ addons:
TS_KUBE_SECRET: ""
TS_SOCKET: "/var/run/tailscale/tailscaled.sock"
TS_STATE_DIR: "/var/lib/tailscale/state"
TS_USERSPACE: true
TS_AUTH_ONCE: true
TS_ACCEPT_DNS: false
TS_AUTH_KEY: ""
TS_TAILSCALED_EXTRA_ARGS: ""
TS_EXTRA_ARGS: ""
TS_SOCKS5_SERVER: ""
TS_DEST_IP: ""
TS_ROUTES: ""
TS_OUTBOUND_HTTP_PROXY_LISTEN: ""
securityContext:
capabilities:
add:
6 changes: 6 additions & 0 deletions charts/library/common/schemas/addons.json
Expand Up @@ -48,6 +48,12 @@
"properties": {},
"additionalProperties": true,
"description": "Define additional options for the ingress See ingress options in the [ingress](/truecharts-common/ingress) section."
},
"settings": {
"type": "object",
"properties": {},
"additionalProperties": true,
"description": "Addon-specific settings that vary by addon type"
}
},
"additionalProperties": true,
93 changes: 50 additions & 43 deletions charts/library/common/schemas/addons/tailscale.json
Expand Up @@ -17,10 +17,6 @@
},
"description": "Addons to the workloads"
},
"config": {
"type": "string",
"description": "Configuration for `addons.tailscale.config`."
},
"container": {
"type": "object",
"properties": {
Expand Down Expand Up @@ -133,45 +129,56 @@
"additionalProperties": true,
"description": "Addons to the workloads"
},
"authkey": {
"type": "string",
"description": "Configuration for `addons.tailscale.authkey`."
},
"userspace": {
"type": "boolean",
"description": "Configuration for `addons.tailscale.userspace`."
},
"auth_once": {
"type": "boolean",
"description": "Configuration for `addons.tailscale.auth_once`."
},
"accept_dns": {
"type": "boolean",
"description": "Configuration for `addons.tailscale.accept_dns`."
},
"routes": {
"type": "string",
"description": "Configuration for `addons.tailscale.routes`."
},
"dest_ip": {
"type": "string",
"description": "Configuration for `addons.tailscale.dest_ip`."
},
"sock5_server": {
"type": "string",
"description": "Configuration for `addons.tailscale.sock5_server`."
},
"extra_args": {
"type": "string",
"description": "Configuration for `addons.tailscale.extra_args`."
},
"daemon_extra_args": {
"type": "string",
"description": "Configuration for `addons.tailscale.daemon_extra_args`."
},
"outbound_http_proxy_listen": {
"type": "string",
"description": "Configuration for `addons.tailscale.outbound_http_proxy_listen`."
"settings": {
"type": "object",
"properties": {
"config": {
"type": "string",
"description": "Configuration for `addons.tailscale.settings.config`."
},
"authkey": {
"type": "string",
"description": "Configuration for `addons.tailscale.settings.authkey`."
},
"userspace": {
"type": "boolean",
"description": "Configuration for `addons.tailscale.settings.userspace`."
},
"auth_once": {
"type": "boolean",
"description": "Configuration for `addons.tailscale.settings.auth_once`."
},
"accept_dns": {
"type": "boolean",
"description": "Configuration for `addons.tailscale.settings.accept_dns`."
},
"routes": {
"type": "string",
"description": "Configuration for `addons.tailscale.settings.routes`."
},
"dest_ip": {
"type": "string",
"description": "Configuration for `addons.tailscale.settings.dest_ip`."
},
"sock5_server": {
"type": "string",
"description": "Configuration for `addons.tailscale.settings.sock5_server`."
},
"extra_args": {
"type": "string",
"description": "Configuration for `addons.tailscale.settings.extra_args`."
},
"daemon_extra_args": {
"type": "string",
"description": "Configuration for `addons.tailscale.settings.daemon_extra_args`."
},
"outbound_http_proxy_listen": {
"type": "string",
"description": "Configuration for `addons.tailscale.settings.outbound_http_proxy_listen`."
}
},
"additionalProperties": true,
"description": "Tailscale settings"
},
"annotations": {
"type": "object",
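Review bot: `"additionalProperties": true` on the new `settings` object means a misspelled key passes validation and is then never read by the template; with the key spelled `sock5_server` here, a user writing `socks5_server` gets no proxy and no error. The top-level `authkey`, `userspace` and the other properties removed in this hunk will likewise keep validating if the enclosing tailscale object allows additional properties (the generic addon schema in addons.json does), so an unmigrated values file renders without its auth key silently. Consider `"additionalProperties": false` on `settings`, and either keep the old properties marked deprecated or reject them explicitly.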
41 changes: 40 additions & 1 deletion charts/library/common/templates/addons/_tailscale.tpl
Expand Up @@ -5,13 +5,52 @@ It will include / inject the required templates based on the given values.
{{- define "tc.v1.common.addon.tailscale" -}}
{{- $ts := $.Values.addons.tailscale -}}
{{- if $ts.enabled -}}
{{- $settings := $ts.settings | default dict -}}
Copilot AI Feb 14, 2026

The PR description states "maintaining backward compatibility through additionalProperties" but this is inaccurate. The additionalProperties: true in the schema only allows extra keys to be present without validation errors; it does not provide backward compatibility for the old configuration structure. The template code does not implement any fallback logic to read from the old structure (addons.tailscale.authkey) when the new structure (addons.tailscale.settings.authkey) is not present. This is a breaking API change that requires users to migrate their configuration.


{{/* Merge settings into environment variables */}}
{{- $env := $ts.container.env | default dict -}}
{{- if $settings.config -}}
{{- $_ := set $env "TS_CONFIG" $settings.config -}}
{{- end -}}
{{- if $settings.authkey -}}
{{- $_ := set $env "TS_AUTH_KEY" $settings.authkey -}}
{{- end -}}
{{- if hasKey $settings "userspace" -}}
{{- $_ := set $env "TS_USERSPACE" $settings.userspace -}}
{{- end -}}
{{- if hasKey $settings "auth_once" -}}
{{- $_ := set $env "TS_AUTH_ONCE" $settings.auth_once -}}
{{- end -}}
{{- if hasKey $settings "accept_dns" -}}
{{- $_ := set $env "TS_ACCEPT_DNS" $settings.accept_dns -}}
{{- end -}}
{{- if $settings.routes -}}
{{- $_ := set $env "TS_ROUTES" $settings.routes -}}
{{- end -}}
{{- if $settings.dest_ip -}}
{{- $_ := set $env "TS_DEST_IP" $settings.dest_ip -}}
{{- end -}}
{{- if $settings.sock5_server -}}
{{- $_ := set $env "TS_SOCKS5_SERVER" $settings.sock5_server -}}
{{- end -}}
{{- if $settings.extra_args -}}
{{- $_ := set $env "TS_EXTRA_ARGS" $settings.extra_args -}}
{{- end -}}
{{- if $settings.daemon_extra_args -}}
{{- $_ := set $env "TS_TAILSCALED_EXTRA_ARGS" $settings.daemon_extra_args -}}
{{- end -}}
{{- if $settings.outbound_http_proxy_listen -}}
{{- $_ := set $env "TS_OUTBOUND_HTTP_PROXY_LISTEN" $settings.outbound_http_proxy_listen -}}
{{- end -}}
Comment on lines +10 to +44
Copilot AI Feb 14, 2026

This template introduces a breaking change by moving all settings to the settings property without providing backward compatibility for the old structure where settings were at the top level of addons.tailscale.*.

For example, users with addons.tailscale.authkey: "key" will find their configuration silently ignored, as the template now only reads from addons.tailscale.settings.authkey. Consider adding fallback logic to support both old and new structures during a transition period, or clearly document this as a breaking change in the Chart.yaml version and CHANGELOG.

Example fallback logic:

{{- $authkey := $settings.authkey | default $ts.authkey -}}
{{- if $authkey -}}
  {{- $_ := set $env "TS_AUTH_KEY" $authkey -}}
{{- end -}}
Suggested change
{{/* Merge settings into environment variables */}}
{{- $env := $ts.container.env | default dict -}}
{{- if $settings.config -}}
{{- $_ := set $env "TS_CONFIG" $settings.config -}}
{{- end -}}
{{- if $settings.authkey -}}
{{- $_ := set $env "TS_AUTH_KEY" $settings.authkey -}}
{{- end -}}
{{- if hasKey $settings "userspace" -}}
{{- $_ := set $env "TS_USERSPACE" $settings.userspace -}}
{{- end -}}
{{- if hasKey $settings "auth_once" -}}
{{- $_ := set $env "TS_AUTH_ONCE" $settings.auth_once -}}
{{- end -}}
{{- if hasKey $settings "accept_dns" -}}
{{- $_ := set $env "TS_ACCEPT_DNS" $settings.accept_dns -}}
{{- end -}}
{{- if $settings.routes -}}
{{- $_ := set $env "TS_ROUTES" $settings.routes -}}
{{- end -}}
{{- if $settings.dest_ip -}}
{{- $_ := set $env "TS_DEST_IP" $settings.dest_ip -}}
{{- end -}}
{{- if $settings.sock5_server -}}
{{- $_ := set $env "TS_SOCKS5_SERVER" $settings.sock5_server -}}
{{- end -}}
{{- if $settings.extra_args -}}
{{- $_ := set $env "TS_EXTRA_ARGS" $settings.extra_args -}}
{{- end -}}
{{- if $settings.daemon_extra_args -}}
{{- $_ := set $env "TS_TAILSCALED_EXTRA_ARGS" $settings.daemon_extra_args -}}
{{- end -}}
{{- if $settings.outbound_http_proxy_listen -}}
{{- $_ := set $env "TS_OUTBOUND_HTTP_PROXY_LISTEN" $settings.outbound_http_proxy_listen -}}
{{- end -}}
{{/* Merge settings into environment variables (with backward-compatible fallbacks) */}}
{{- $env := $ts.container.env | default dict -}}
{{- $config := $settings.config | default $ts.config -}}
{{- if $config -}}
{{- $_ := set $env "TS_CONFIG" $config -}}
{{- end -}}
{{- $authkey := $settings.authkey | default $ts.authkey -}}
{{- if $authkey -}}
{{- $_ := set $env "TS_AUTH_KEY" $authkey -}}
{{- end -}}
{{- if or (hasKey $settings "userspace") (hasKey $ts "userspace") -}}
{{- $_ := set $env "TS_USERSPACE" ($settings.userspace | default $ts.userspace) -}}
{{- end -}}
{{- if or (hasKey $settings "auth_once") (hasKey $ts "auth_once") -}}
{{- $_ := set $env "TS_AUTH_ONCE" ($settings.auth_once | default $ts.auth_once) -}}
{{- end -}}
{{- if or (hasKey $settings "accept_dns") (hasKey $ts "accept_dns") -}}
{{- $_ := set $env "TS_ACCEPT_DNS" ($settings.accept_dns | default $ts.accept_dns) -}}
{{- end -}}
{{- $routes := $settings.routes | default $ts.routes -}}
{{- if $routes -}}
{{- $_ := set $env "TS_ROUTES" $routes -}}
{{- end -}}
{{- $destIP := $settings.dest_ip | default $ts.dest_ip -}}
{{- if $destIP -}}
{{- $_ := set $env "TS_DEST_IP" $destIP -}}
{{- end -}}
{{- $socks5 := $settings.sock5_server | default $ts.sock5_server -}}
{{- if $socks5 -}}
{{- $_ := set $env "TS_SOCKS5_SERVER" $socks5 -}}
{{- end -}}
{{- $extraArgs := $settings.extra_args | default $ts.extra_args -}}
{{- if $extraArgs -}}
{{- $_ := set $env "TS_EXTRA_ARGS" $extraArgs -}}
{{- end -}}
{{- $daemonExtraArgs := $settings.daemon_extra_args | default $ts.daemon_extra_args -}}
{{- if $daemonExtraArgs -}}
{{- $_ := set $env "TS_TAILSCALED_EXTRA_ARGS" $daemonExtraArgs -}}
{{- end -}}
{{- $outboundProxy := $settings.outbound_http_proxy_listen | default $ts.outbound_http_proxy_listen -}}
{{- if $outboundProxy -}}
{{- $_ := set $env "TS_OUTBOUND_HTTP_PROXY_LISTEN" $outboundProxy -}}
{{- end -}}

{{- $_ := set $ts.container "env" $env -}}

{{- $secContext := dict -}}
{{- $_ := set $secContext "runAsUser" 0 -}}
{{- $_ := set $secContext "runAsGroup" 0 -}}
{{- $_ := set $secContext "runAsNonRoot" true -}}
{{- $_ := set $secContext "readOnlyRootFilesystem" false -}}

{{- if and $ts.container.env ($ts.container.env.TS_USERSPACE) -}}
{{- if and $env ($env.TS_USERSPACE) -}}
{{- $_ := set $secContext "runAsUser" 1000 -}}
{{- $_ := set $secContext "runAsGroup" 1000 -}}
{{- $_ := set $secContext "runAsNonRoot" false -}}
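Review bot: The `hasKey $settings "userspace"` branch overwrites whatever is already in `container.env`, and with the `settings.userspace: true` default that values.yaml gains in this PR the key is present unless the user removes it, so a values file that still sets `container.env.TS_USERSPACE: false` (the form the old test used) is flipped to true and the `runAsUser`/`runAsGroup` switch at the end of this hunk follows the chart default instead of the user's choice. The same precedence applies to `auth_once` and `accept_dns`. Either let an explicit `container.env` entry win (only `set` when `not (hasKey $env "TS_USERSPACE")`) or fail the render when both forms are given, and state the chosen precedence in the comment above the block. If a fallback to the old top-level keys is added, the booleans need `hasKey` there as well, since `default` treats `false` as empty.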
40 changes: 16 additions & 24 deletions charts/library/common/values.yaml
Expand Up @@ -1026,8 +1026,6 @@ addons:
enabled: false
targetSelector:
- main
# -- you can directly specify the config file here
config: ""
container:
enabled: true
imageSelector: "tailscaleImage"
Expand All @@ -1051,34 +1049,28 @@ addons:
TS_KUBE_SECRET: ""
TS_SOCKET: /var/run/tailscale/tailscaled.sock
TS_STATE_DIR: /var/lib/tailscale/state
TS_USERSPACE: true
TS_AUTH_ONCE: true
TS_ACCEPT_DNS: false
TS_AUTH_KEY: ""
TS_TAILSCALED_EXTRA_ARGS: ""
TS_EXTRA_ARGS: ""
TS_SOCKS5_SERVER: ""
TS_DEST_IP: ""
TS_ROUTES: ""
TS_OUTBOUND_HTTP_PROXY_LISTEN: ""
securityContext:
capabilities:
add:
- NET_ADMIN
- NET_RAW

# -- Auth key to connect to the VPN Service
authkey: ""
# As a sidecar, it should only need to run in userspace
userspace: true
auth_once: true
accept_dns: false
routes: ""
dest_ip: ""
sock5_server: ""
extra_args: ""
daemon_extra_args: ""
outbound_http_proxy_listen: ""
# -- Tailscale settings
settings:
# -- you can directly specify the config file here
config: ""
# -- Auth key to connect to the VPN Service
authkey: ""
# As a sidecar, it should only need to run in userspace
userspace: true
auth_once: true
accept_dns: false
routes: ""
dest_ip: ""
sock5_server: ""
Copilot AI Feb 14, 2026

The field name sock5_server appears to be a typo and should likely be socks5_server to correctly reference the SOCKS5 protocol. While this typo exists in the current codebase, since this PR is already introducing a breaking change to the addon structure, it would be an opportune time to fix this naming issue. This would require:

  1. Renaming sock5_server to socks5_server in values.yaml
  2. Updating the corresponding template reference
  3. Updating the schema
  4. Noting in documentation that users should migrate from the old field name

However, if backward compatibility is prioritized, the template could check for both field names during a transition period.

Suggested change
sock5_server: ""
socks5_server: ""

extra_args: ""
daemon_extra_args: ""
outbound_http_proxy_listen: ""
Comment on lines +1058 to +1073
Copilot AI Feb 14, 2026

The documentation in charts/library/common/docs/addons.md should be updated to document the new addons.$addon.settings property. This is a significant structural change that users need to know about. Consider adding a section similar to the existing sections for container, service, and ingress that explains:

  1. The purpose of the settings property
  2. That it contains addon-specific configuration
  3. That different addons have different settings (reference addon-specific documentation or values.yaml for details)
  4. An example showing how to use it

This would help users understand the new structure and how to migrate from the old configuration format.

# -- Annotations for tailscale sidecar
annotations: {}
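Review bot: Under the new `settings:` block only `config` and `authkey` carry a `# --` description; `userspace` has a plain `#` comment and `auth_once` through `outbound_http_proxy_listen` have none. With the `TS_*` defaults removed from `container.env` earlier in this hunk, these keys are where a reader will look first, so give each a `# --` line that names the `TS_*` variable it maps to, and say on `authkey` that the value is a credential.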
