From 27fa2ad868f0e1bf48614dd97b7fde9cd00fa93d Mon Sep 17 00:00:00 2001
From: Tom Proctor <tomhjp@users.noreply.github.com>
Date: Wed, 9 Jul 2025 09:37:45 +0100
Subject: [PATCH] cmd/k8s-operator: don't require generation for Available
 condition (#16497)

The observed generation was set to always 0 in #16429, but this had the
knock-on effect of other controllers considering ProxyGroups never ready
because the observed generation is never up to date in
proxyGroupCondition. Make sure the ProxyGroupAvailable function does not
requires the observed generation to be up to date, and add testing
coverage to catch regressions.

Updates #16327

Change-Id: I42f50ad47dd81cc2d3c3ce2cd7b252160bb58e40

Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
---
 cmd/k8s-operator/proxygroup_test.go | 30 +++++++++++++++++++++++------
 k8s-operator/conditions.go          | 13 +++++++------
 2 files changed, 31 insertions(+), 12 deletions(-)

diff --git a/cmd/k8s-operator/proxygroup_test.go b/cmd/k8s-operator/proxygroup_test.go
index c58e427aa..6f143c056 100644
--- a/cmd/k8s-operator/proxygroup_test.go
+++ b/cmd/k8s-operator/proxygroup_test.go
@@ -28,6 +28,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
+	kube "tailscale.com/k8s-operator"
 	tsoperator "tailscale.com/k8s-operator"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/kube/kubetypes"
@@ -815,6 +816,7 @@ func TestProxyGroup(t *testing.T) {
 		ObjectMeta: metav1.ObjectMeta{
 			Name:       "test",
 			Finalizers: []string{"tailscale.com/finalizer"},
+			Generation: 1,
 		},
 		Spec: tsapi.ProxyGroupSpec{
 			Type: tsapi.ProxyGroupTypeEgress,
@@ -856,9 +858,12 @@ func TestProxyGroup(t *testing.T) {
 		expectReconciled(t, reconciler, "", pg.Name)
 
 		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupAvailable, metav1.ConditionFalse, reasonProxyGroupCreating, "0/2 ProxyGroup pods running", 0, cl, zl.Sugar())
-		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionFalse, reasonProxyGroupCreating, "the ProxyGroup's ProxyClass \"default-pc\" is not yet in a ready state, waiting...", 0, cl, zl.Sugar())
+		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionFalse, reasonProxyGroupCreating, "the ProxyGroup's ProxyClass \"default-pc\" is not yet in a ready state, waiting...", 1, cl, zl.Sugar())
 		expectEqual(t, fc, pg)
 		expectProxyGroupResources(t, fc, pg, false, pc)
+		if kube.ProxyGroupAvailable(pg) {
+			t.Fatal("expected ProxyGroup to not be available")
+		}
 	})
 
 	t.Run("observe_ProxyGroupCreating_status_reason", func(t *testing.T) {
@@ -874,13 +879,19 @@ func TestProxyGroup(t *testing.T) {
 		if err := fc.Status().Update(t.Context(), pc); err != nil {
 			t.Fatal(err)
 		}
-
+		pg.ObjectMeta.Generation = 2
+		mustUpdate(t, fc, "", pg.Name, func(p *tsapi.ProxyGroup) {
+			p.ObjectMeta.Generation = pg.ObjectMeta.Generation
+		})
 		expectReconciled(t, reconciler, "", pg.Name)
 
-		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionFalse, reasonProxyGroupCreating, "0/2 ProxyGroup pods running", 0, cl, zl.Sugar())
+		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionFalse, reasonProxyGroupCreating, "0/2 ProxyGroup pods running", 2, cl, zl.Sugar())
 		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupAvailable, metav1.ConditionFalse, reasonProxyGroupCreating, "0/2 ProxyGroup pods running", 0, cl, zl.Sugar())
 		expectEqual(t, fc, pg)
 		expectProxyGroupResources(t, fc, pg, true, pc)
+		if kube.ProxyGroupAvailable(pg) {
+			t.Fatal("expected ProxyGroup to not be available")
+		}
 		if expected := 1; reconciler.egressProxyGroups.Len() != expected {
 			t.Fatalf("expected %d egress ProxyGroups, got %d", expected, reconciler.egressProxyGroups.Len())
 		}
@@ -902,6 +913,10 @@ func TestProxyGroup(t *testing.T) {
 
 	t.Run("simulate_successful_device_auth", func(t *testing.T) {
 		addNodeIDToStateSecrets(t, fc, pg)
+		pg.ObjectMeta.Generation = 3
+		mustUpdate(t, fc, "", pg.Name, func(p *tsapi.ProxyGroup) {
+			p.ObjectMeta.Generation = pg.ObjectMeta.Generation
+		})
 		expectReconciled(t, reconciler, "", pg.Name)
 
 		pg.Status.Devices = []tsapi.TailnetDevice{
@@ -914,10 +929,13 @@ func TestProxyGroup(t *testing.T) {
 				TailnetIPs: []string{"1.2.3.4", "::1"},
 			},
 		}
-		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionTrue, reasonProxyGroupReady, reasonProxyGroupReady, 0, cl, zl.Sugar())
+		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionTrue, reasonProxyGroupReady, reasonProxyGroupReady, 3, cl, zl.Sugar())
 		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupAvailable, metav1.ConditionTrue, reasonProxyGroupAvailable, "2/2 ProxyGroup pods running", 0, cl, zl.Sugar())
 		expectEqual(t, fc, pg)
 		expectProxyGroupResources(t, fc, pg, true, pc)
+		if !kube.ProxyGroupAvailable(pg) {
+			t.Fatal("expected ProxyGroup to be available")
+		}
 	})
 
 	t.Run("scale_up_to_3", func(t *testing.T) {
@@ -926,14 +944,14 @@ func TestProxyGroup(t *testing.T) {
 			p.Spec = pg.Spec
 		})
 		expectReconciled(t, reconciler, "", pg.Name)
-		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionFalse, reasonProxyGroupCreating, "2/3 ProxyGroup pods running", 0, cl, zl.Sugar())
+		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionFalse, reasonProxyGroupCreating, "2/3 ProxyGroup pods running", 3, cl, zl.Sugar())
 		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupAvailable, metav1.ConditionTrue, reasonProxyGroupCreating, "2/3 ProxyGroup pods running", 0, cl, zl.Sugar())
 		expectEqual(t, fc, pg)
 		expectProxyGroupResources(t, fc, pg, true, pc)
 
 		addNodeIDToStateSecrets(t, fc, pg)
 		expectReconciled(t, reconciler, "", pg.Name)
-		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionTrue, reasonProxyGroupReady, reasonProxyGroupReady, 0, cl, zl.Sugar())
+		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionTrue, reasonProxyGroupReady, reasonProxyGroupReady, 3, cl, zl.Sugar())
 		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupAvailable, metav1.ConditionTrue, reasonProxyGroupAvailable, "3/3 ProxyGroup pods running", 0, cl, zl.Sugar())
 		pg.Status.Devices = append(pg.Status.Devices, tsapi.TailnetDevice{
 			Hostname:   "hostname-nodeid-2",
diff --git a/k8s-operator/conditions.go b/k8s-operator/conditions.go
index 1d30f352c..f6858c005 100644
--- a/k8s-operator/conditions.go
+++ b/k8s-operator/conditions.go
@@ -137,22 +137,23 @@ func ProxyClassIsReady(pc *tsapi.ProxyClass) bool {
 }
 
 func ProxyGroupIsReady(pg *tsapi.ProxyGroup) bool {
-	return proxyGroupCondition(pg, tsapi.ProxyGroupReady)
+	cond := proxyGroupCondition(pg, tsapi.ProxyGroupReady)
+	return cond != nil && cond.Status == metav1.ConditionTrue && cond.ObservedGeneration == pg.Generation
 }
 
 func ProxyGroupAvailable(pg *tsapi.ProxyGroup) bool {
-	return proxyGroupCondition(pg, tsapi.ProxyGroupAvailable)
+	cond := proxyGroupCondition(pg, tsapi.ProxyGroupAvailable)
+	return cond != nil && cond.Status == metav1.ConditionTrue
 }
 
-func proxyGroupCondition(pg *tsapi.ProxyGroup, condType tsapi.ConditionType) bool {
+func proxyGroupCondition(pg *tsapi.ProxyGroup, condType tsapi.ConditionType) *metav1.Condition {
 	idx := xslices.IndexFunc(pg.Status.Conditions, func(cond metav1.Condition) bool {
 		return cond.Type == string(condType)
 	})
 	if idx == -1 {
-		return false
+		return nil
 	}
-	cond := pg.Status.Conditions[idx]
-	return cond.Status == metav1.ConditionTrue && cond.ObservedGeneration == pg.Generation
+	return &pg.Status.Conditions[idx]
 }
 
 func DNSCfgIsReady(cfg *tsapi.DNSConfig) bool {