From 2767a7d4cb415c06a2187f1e89979910f38df50b Mon Sep 17 00:00:00 2001
From: chaosinthecrd
Date: Tue, 6 May 2025 15:32:07 +0100
Subject: [PATCH] k8s-operator: adding conditions
Signed-off-by: chaosinthecrd
---
 cmd/k8s-operator/operator.go | 1 +
 cmd/k8s-operator/svc-for-pg.go | 38 +++++++++++++------
 k8s-operator/apis/v1alpha1/types_connector.go | 3 ++
 3 files changed, 30 insertions(+), 12 deletions(-)
diff --git a/cmd/k8s-operator/operator.go b/cmd/k8s-operator/operator.go
index 5e5914807..8865bc5f7 100644
--- a/cmd/k8s-operator/operator.go
+++ b/cmd/k8s-operator/operator.go
@@ -382,6 +382,7 @@ func runReconcilers(opts reconcilerOpts) {
 Client: mgr.GetClient(),
 logger: opts.log.Named("service-pg-reconciler"),
 lc: lc,
+ clock: tstime.DefaultClock{},
 operatorID: id,
 tsNamespace: opts.tailscaleNamespace,
 })
diff --git a/cmd/k8s-operator/svc-for-pg.go b/cmd/k8s-operator/svc-for-pg.go
index ddac24170..f90ae72b4 100644
--- a/cmd/k8s-operator/svc-for-pg.go
+++ b/cmd/k8s-operator/svc-for-pg.go
@@ -37,21 +37,24 @@ import (
 "tailscale.com/util/set"
 )
-const finalizerName = "tailscale.com/service-pg-finalizer"
+const (
+ finalizerName = "tailscale.com/service-pg-finalizer"
-// ensure LoadBalancer Service's status is set
+ reasonIngressSvcInvalid = "IngressSvcInvalid"
+ reasonIngressSvcValid = "IngressSvcValid"
+ reasonIngressSvcConfigured = "IngressSvcConfigured"
+ reasonIngressSvcNoBackendsConfigured = "IngressSvcNoBackendsConfigured"
+ reasonIngressSvcCreationFailed = "IngressSvcCreationFailed"
+)
+
+// ensure LoadBalancer Service's status is set x
+// set finalizer x
+// cleanup x
+// hostname change - cleanup x
+// failover (testing) x
 // ensure the right conditions on Services are set
-// reconcile on proxygroup changes
 // metrics
-// unit tests - operator
-// unit tests - containerboot
-// unit tests - iptables
-// unit tests - nftables
 // multi-cluster
-// set finalizer
-// cleanup
-// hostname change - cleanup
-// failover (testing)
 // can we refactor?
 // var gaugePGServiceResources = clientmetric.NewGauge(kubetypes.MetricServicePGResourceCount)
@@ -164,6 +167,7 @@ func (r *HAServiceReconciler) maybeProvision(ctx context.Context, hostname strin
 logger.Infof("[unexpected] no ProxyGroup annotation, skipping VIPService provisioning")
 return false, nil
 }
+ logger = logger.With("ProxyGroup", pgName)
 pg := &tsapi.ProxyGroup{}
@@ -184,7 +188,7 @@ func (r *HAServiceReconciler) maybeProvision(ctx context.Context, hostname strin
 msg := fmt.Sprintf("unable to provision proxy resources: invalid Service: %s", strings.Join(violations, ", "))
 r.recorder.Event(svc, corev1.EventTypeWarning, "INVALIDSERVICE", msg)
 r.logger.Error(msg)
- tsoperator.SetServiceCondition(svc, tsapi.ProxyReady, metav1.ConditionFalse, reasonProxyInvalid, msg, r.clock, logger)
+ tsoperator.SetServiceCondition(svc, tsapi.IngressSvcValid, metav1.ConditionFalse, reasonIngressSvcInvalid, msg, r.clock, logger)
 return false, nil
 }
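Review bot: The comment block under the new const group in svc-for-pg.go is a personal progress checklist (items ticked with a trailing `x`) and it sits beside commented-out code (`// var gaugePGServiceResources = ...`); that state is better kept in the PR description than in the source file. The reason constants themselves carry no comment, so I would add one above the group, for example `// Reasons recorded on the TailscaleIngressSvcValid and TailscaleIngressSvcConfigured conditions of a Service.` Two of them, `reasonIngressSvcValid` and `reasonIngressSvcCreationFailed`, are not referenced by any hunk in this patch; if nothing else in the file uses them, they should land together with the code that does.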
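Review bot: Nothing visible in this patch ever sets `tsapi.IngressSvcValid` to `metav1.ConditionTrue`: the call changed in the hunk at -184 and the one added in the VIPService ownership branch (hunk at -247) both write ConditionFalse with `reasonIngressSvcInvalid`. If the success path outside these hunks does not reset it, a Service that was rejected once keeps reporting itself as invalid after it has been fixed, which misleads anyone who alerts or gates on that condition. Once validation and the ownership check have passed I would add `tsoperator.SetServiceCondition(svc, tsapi.IngressSvcValid, metav1.ConditionTrue, reasonIngressSvcValid, reasonIngressSvcValid, r.clock, logger)`. The ownership failure is also a conflict rather than a malformed Service, so a separate reason string would let consumers tell the two apart. maybeProvision's body starts and ends outside both hunks, so the success path may already do this.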
@@ -247,6 +251,7 @@ func (r *HAServiceReconciler) maybeProvision(ctx context.Context, hostname strin
 msg := fmt.Sprintf("error ensuring ownership of VIPService %s: %v. %s", hostname, err, instr)
 logger.Warn(msg)
 r.recorder.Event(svc, corev1.EventTypeWarning, "InvalidVIPService", msg)
+ tsoperator.SetServiceCondition(svc, tsapi.IngressSvcValid, metav1.ConditionFalse, reasonIngressSvcInvalid, msg, r.clock, logger)
 return false, nil
 }
@@ -365,7 +370,12 @@ func (r *HAServiceReconciler) maybeProvision(ctx context.Context, hostname strin
 return false, fmt.Errorf("failed to get number of advertised Pods: %w", err)
 }
+ // NOTE: if there are no pods advertising, we want to set 'svc.Status.LoadBalancer.Ingress' to nil"
 var lbs []corev1.LoadBalancerIngress
+ conditionStatus := metav1.ConditionFalse
+ conditionType := tsapi.IngressSvcConfigured
+ conditionReason := reasonIngressSvcNoBackendsConfigured
+ conditionMessage := fmt.Sprintf("%d/%d proxy backends ready and advertising", count, *pg.Spec.Replicas)
 if count != 0 {
 dnsName, err := r.dnsNameForService(ctx, serviceName)
 if err != nil {
@@ -378,8 +388,12 @@ func (r *HAServiceReconciler) maybeProvision(ctx context.Context, hostname strin
 IP: vipv4.String(),
 },
 }
+
+ conditionStatus = metav1.ConditionTrue
+ conditionReason = reasonIngressSvcConfigured
 }
+ tsoperator.SetServiceCondition(svc, conditionType, conditionStatus, conditionReason, conditionMessage, r.clock, logger)
 svc.Status.LoadBalancer.Ingress = lbs
 // if apiequality.Semantic.DeepEqual(oldStatus, &ing.Status) {
diff --git a/k8s-operator/apis/v1alpha1/types_connector.go b/k8s-operator/apis/v1alpha1/types_connector.go
index a26c9b542..b8b7a935e 100644
--- a/k8s-operator/apis/v1alpha1/types_connector.go
+++ b/k8s-operator/apis/v1alpha1/types_connector.go
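Review bot: `*pg.Spec.Replicas` in the new `conditionMessage` line (svc-for-pg.go, hunk at -365) is dereferenced without a nil check. The pointer type suggests the field is optional, and if a ProxyGroup leaves it unset this panics inside the reconciler on every pass for that Service. Guard the dereference, e.g. build the message as `fmt.Sprintf("%d proxy backends ready and advertising", count)` by default and only use the `%d/%d` form inside `if pg.Spec.Replicas != nil { ... }`, or resolve the effective replica count the same way the ProxyGroup reconciler does. The companion hunk at -378 then writes the condition onto the in-memory `svc`; the status-update code after it is commented out in the visible context, so whether the condition is persisted should be confirmed. maybeProvision's body continues outside both hunks.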
@@ -222,4 +222,7 @@ const (
 // on a ProxyGroup.
 // Set to true if the service is ready to route cluster traffic.
 EgressSvcReady ConditionType = `TailscaleEgressSvcReady`
+
+ IngressSvcValid ConditionType = `TailscaleIngressSvcValid`
+ IngressSvcConfigured ConditionType = `TailscaleIngressSvcConfigured`
 )
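Review bot: The two new exported condition types have no doc comment, while `EgressSvcReady` directly above documents what it reports and when it is true. These strings become part of the Service status that users and monitoring key on, so each should say what True and False mean. Going by how svc-for-pg.go uses them in this patch, something like `// IngressSvcValid is set to false if a Service exposed on a ProxyGroup fails validation or its VIPService ownership check.` and `// IngressSvcConfigured is set to true if at least one ProxyGroup backend is ready and advertising the Service.` would do, with the wording to be confirmed by the author. The const block starts outside the hunk.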