cmd/{containerboot,k8s-operator},kube/kubetypes: kube Ingress L7 proxies only advertise HTTPS endpoint when ready (#14171)

cmd/containerboot,kube/kubetypes,cmd/k8s-operator: detect if Ingress is created in a tailnet that has no HTTPS

This attempts to make Kubernetes Operator L7 Ingress setup failures more explicit:
- the Ingress resource now only advertises HTTPS endpoint via status.ingress.loadBalancer.hostname when/if the proxy has succesfully loaded serve config
- the proxy attempts to catch cases where HTTPS is disabled for the tailnet and logs a warning

Updates tailscale/tailscale#12079
Updates tailscale/tailscale#10407

Signed-off-by: Irbe Krumina <irbe@tailscale.com>

kube/kubetypes/types.go

@@ -27,4 +27,19 @@ const (
 	MetricEgressServiceCount             = "k8s_egress_service_resources"
 	MetricProxyGroupEgressCount          = "k8s_proxygroup_egress_resources"
 	MetricProxyGroupIngressCount         = "k8s_proxygroup_ingress_resources"
+
+	// Keys that containerboot writes to state file that can be used to determine its state.
+	// fields set in Tailscale state Secret. These are mostly used by the Tailscale Kubernetes operator to determine
+	// the state of this tailscale device.
+	KeyDeviceID   string = "device_id"   // node stable ID of the device
+	KeyDeviceFQDN string = "device_fqdn" // device's tailnet hostname
+	KeyDeviceIPs  string = "device_ips"  // device's tailnet IPs
+	KeyPodUID     string = "pod_uid"     // Pod UID
+	// KeyCapVer contains Tailscale capability version of this proxy instance.
+	KeyCapVer string = "tailscale_capver"
+	// KeyHTTPSEndpoint is a name of a field that can be set to the value of any HTTPS endpoint currently exposed by
+	// this device to the tailnet. This is used by the Kubernetes operator Ingress proxy to communicate to the operator
+	// that cluster workloads behind the Ingress can now be accessed via the given DNS name over HTTPS.
+	KeyHTTPSEndpoint string = "https_endpoint"
+	ValueNoHTTPS     string = "no-https"
 )