use labels more consistent with existing proxies

Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
2025-02-27 02:37:38 +00:00 · 2024-10-04 20:45:47 +01:00 · 2024-10-04 20:45:47 +01:00 · 101bd89efd
commit 101bd89efd
parent e1d2b459b1
3 changed files with 25 additions and 13 deletions
--- a/cmd/k8s-operator/proxygroup.go
+++ b/cmd/k8s-operator/proxygroup.go
@ -329,7 +329,7 @@ func (r *ProxyGroupReconciler) ensureConfigSecretsCreated(ctx context.Context, p
 			ObjectMeta: metav1.ObjectMeta{
 				Name:            fmt.Sprintf("%s-%d-config", pg.Name, i),
 				Namespace:       r.tsNamespace,
-				Labels:          secretLabels("proxygroup", pg.Name, "config"),
+				Labels:          pgSecretLabels(pg.Name, "config"),
 				OwnerReferences: pgOwnerReference(pg),
 			},
 		}
@ -444,7 +444,7 @@ func (r *ProxyGroupReconciler) validate(_ *tsapi.ProxyGroup) error {
 func (r *ProxyGroupReconciler) getNodeMetadata(ctx context.Context, pg *tsapi.ProxyGroup) (metadata []nodeMetadata, _ error) {
 	// List all state secrets owned by this ProxyGroup.
 	secrets := &corev1.SecretList{}
-	if err := r.List(ctx, secrets, client.InNamespace(r.tsNamespace), client.MatchingLabels(secretLabels("proxygroup", pg.Name, "state"))); err != nil {
+	if err := r.List(ctx, secrets, client.InNamespace(r.tsNamespace), client.MatchingLabels(pgSecretLabels(pg.Name, "state"))); err != nil {
 		return nil, fmt.Errorf("failed to list state Secrets: %w", err)
 	}
 	for _, secret := range secrets.Items {
--- a/cmd/k8s-operator/proxygroup_specs.go
+++ b/cmd/k8s-operator/proxygroup_specs.go
@ -16,8 +16,6 @@ import (
 	"tailscale.com/types/ptr"
 )
 const labelSecretType = "tailscale.com/secret-type"
 // Returns the base StatefulSet definition for a ProxyGroup. A ProxyClass may be
 // applied over the top after.
 func pgStatefulSet(pg *tsapi.ProxyGroup, namespace, image, cfgHash string) *appsv1.StatefulSet {
@ -25,19 +23,19 @@ func pgStatefulSet(pg *tsapi.ProxyGroup, namespace, image, cfgHash string) *apps
 		ObjectMeta: metav1.ObjectMeta{
 			Name:            pg.Name,
 			Namespace:       namespace,
-			Labels:          labels("proxygroup", pg.Name, nil),
+			Labels:          pgLabels(pg.Name, nil),
 			OwnerReferences: pgOwnerReference(pg),
 		},
 		Spec: appsv1.StatefulSetSpec{
 			Replicas: ptr.To(pgReplicas(pg)),
 			Selector: &metav1.LabelSelector{
-				MatchLabels: labels("proxygroup", pg.Name, nil),
+				MatchLabels: pgLabels(pg.Name, nil),
 			},
 			Template: corev1.PodTemplateSpec{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:                       pg.Name,
 					Namespace:                  namespace,
-					Labels:                     labels("proxygroup", pg.Name, nil),
+					Labels:                     pgLabels(pg.Name, nil),
 					DeletionGracePeriodSeconds: ptr.To[int64](10),
 					Annotations: map[string]string{
 						podAnnotationLastSetConfigFileHash: cfgHash,
@ -113,7 +111,7 @@ func pgServiceAccount(pg *tsapi.ProxyGroup, namespace string) *corev1.ServiceAcc
 		ObjectMeta: metav1.ObjectMeta{
 			Name:            pg.Name,
 			Namespace:       namespace,
-			Labels:          labels("proxygroup", pg.Name, nil),
+			Labels:          pgLabels(pg.Name, nil),
 			OwnerReferences: pgOwnerReference(pg),
 		},
 	}
@ -124,7 +122,7 @@ func pgRole(pg *tsapi.ProxyGroup, namespace string) *rbacv1.Role {
 		ObjectMeta: metav1.ObjectMeta{
 			Name:            pg.Name,
 			Namespace:       namespace,
-			Labels:          labels("proxygroup", pg.Name, nil),
+			Labels:          pgLabels(pg.Name, nil),
 			OwnerReferences: pgOwnerReference(pg),
 		},
 		Rules: []rbacv1.PolicyRule{
@ -155,7 +153,7 @@ func pgRoleBinding(pg *tsapi.ProxyGroup, namespace string) *rbacv1.RoleBinding {
 		ObjectMeta: metav1.ObjectMeta{
 			Name:            pg.Name,
 			Namespace:       namespace,
-			Labels:          labels("proxygroup", pg.Name, nil),
+			Labels:          pgLabels(pg.Name, nil),
 			OwnerReferences: pgOwnerReference(pg),
 		},
 		Subjects: []rbacv1.Subject{
@ -178,7 +176,7 @@ func pgStateSecrets(pg *tsapi.ProxyGroup, namespace string) (secrets []*corev1.S
 			ObjectMeta: metav1.ObjectMeta{
 				Name:            fmt.Sprintf("%s-%d", pg.Name, i),
 				Namespace:       namespace,
-				Labels:          secretLabels("proxygroup", pg.Name, "state"),
+				Labels:          pgSecretLabels(pg.Name, "state"),
 				OwnerReferences: pgOwnerReference(pg),
 			},
 		})
@ -187,12 +185,25 @@ func pgStateSecrets(pg *tsapi.ProxyGroup, namespace string) (secrets []*corev1.S
 	return secrets
 }
-func secretLabels(app, instance, typ string) map[string]string {
+func pgSecretLabels(pgName, typ string) map[string]string {
-	return labels(app, instance, map[string]string{
+	return pgLabels(pgName, map[string]string{
 		labelSecretType: typ, // "config" or "state".
 	})
 }
 func pgLabels(pgName string, customLabels map[string]string) map[string]string {
 	l := make(map[string]string, len(customLabels)+3)
 	for k, v := range customLabels {
 		l[k] = v
 	}
 	l[LabelManaged] = "true"
 	l[LabelParentType] = "ProxyGroup"
 	l[LabelParentName] = pgName
 	return l
 }
 func pgEnv(_ *tsapi.ProxyGroup) []corev1.EnvVar {
 	envs := []corev1.EnvVar{
 		{
--- a/cmd/k8s-operator/sts.go
+++ b/cmd/k8s-operator/sts.go
@ -47,6 +47,7 @@ const (
 	LabelParentType      = "tailscale.com/parent-resource-type"
 	LabelParentName      = "tailscale.com/parent-resource"
 	LabelParentNamespace = "tailscale.com/parent-resource-ns"
 	labelSecretType      = "tailscale.com/secret-type" // "config" or "state".
 	// LabelProxyClass can be set by users on Connectors, tailscale
 	// Ingresses and Services that define cluster ingress or cluster egress,