cmd/k8s-operator: add event filter that checks for a ProxyGroup annotation on Ingresses and Services

Adds an event filter on the service-pg-reconciler and ingress-pg-reconciler to only reconcile when the resource in question has a ProxyGroup annotation. This was added after errors were being thrown on the ingress-pg-reconciler while testing an Ingress without a ProxyGroup annotation. Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
2025-07-28 23:04:10 +00:00 · 2025-06-24 19:28:27 +01:00 · 2025-06-24 19:28:27 +01:00 · 3390013b09
commit 3390013b09
parent 4a1fc378d1
1 changed files with 27 additions and 0 deletions
--- a/cmd/k8s-operator/operator.go
+++ b/cmd/k8s-operator/operator.go
@ -39,6 +39,7 @@ import (
 	kzap "sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"tailscale.com/client/local"
 	"tailscale.com/client/tailscale"
@ -349,6 +350,7 @@ func runReconcilers(opts reconcilerOpts) {
 	err = builder.
 		ControllerManagedBy(mgr).
 		For(&networkingv1.Ingress{}).
+		WithEventFilter(ingressProxyGroupResourceFilterPredicate()).
 		Named("ingress-pg-reconciler").
 		Watches(&corev1.Service{}, handler.EnqueueRequestsFromMapFunc(serviceHandlerForIngressPG(mgr.GetClient(), startlog))).
 		Watches(&corev1.Secret{}, handler.EnqueueRequestsFromMapFunc(HAIngressesFromSecret(mgr.GetClient(), startlog))).
@ -375,6 +377,7 @@ func runReconcilers(opts reconcilerOpts) {
 	err = builder.
 		ControllerManagedBy(mgr).
 		For(&corev1.Service{}).
+		WithEventFilter(serviceProxyGroupResourceFilterPredicate()).
 		Named("service-pg-reconciler").
 		Watches(&corev1.Secret{}, handler.EnqueueRequestsFromMapFunc(HAServicesFromSecret(mgr.GetClient(), startlog))).
 		Watches(&tsapi.ProxyGroup{}, ingressProxyGroupFilter).
@ -1382,6 +1385,30 @@ func indexPGIngresses(o client.Object) []string {
 	return []string{o.GetAnnotations()[AnnotationProxyGroup]}
 }

+// predicate function for filtering to ensure we *don't* reconcile on tailscale managed Kubernetes Ingresses that don't have a ProxyGroup annotation
+func ingressProxyGroupResourceFilterPredicate() predicate.Predicate {
+	return predicate.NewPredicateFuncs(func(object client.Object) bool {
+		if ing, ok := object.(*networkingv1.Ingress); !ok {
+			return false
+		} else {
+			_, ok := ing.Annotations[AnnotationProxyGroup]
+			return ok
+		}
+	})
+}
+
+// predicate function for filtering to ensure we *don't* reconcile on tailscale managed Kubernetes Services that don't have a ProxyGroup annotation
+func serviceProxyGroupResourceFilterPredicate() predicate.Predicate {
+	return predicate.NewPredicateFuncs(func(object client.Object) bool {
+		if svc, ok := object.(*corev1.Service); !ok {
+			return false
+		} else {
+			_, ok := svc.Annotations[AnnotationProxyGroup]
+			return ok
+		}
+	})
+}
+
 // serviceHandlerForIngressPG returns a handler for Service events that ensures that if the Service
 // associated with an event is a backend Service for a tailscale Ingress with ProxyGroup annotation,
 // the associated Ingress gets reconciled.