From 3390013b09fa3fa64310a4e351ef855cde3e7d7b Mon Sep 17 00:00:00 2001
From: chaosinthecrd
Date: Tue, 24 Jun 2025 19:28:27 +0100
Subject: [PATCH] cmd/k8s-operator: add event filter that checks for a ProxyGroup annotation on Ingresses and Services Adds an event filter on the service-pg-reconciler and ingress-pg-reconciler to only reconcile when the resource in question has a ProxyGroup annotation. This was added after errors were being thrown on the ingress-pg-reconciler while testing an Ingress without a ProxyGroup annotation.
Signed-off-by: chaosinthecrd
---
 cmd/k8s-operator/operator.go | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/cmd/k8s-operator/operator.go b/cmd/k8s-operator/operator.go
index a08dd4da8..efe6b6d68 100644
--- a/cmd/k8s-operator/operator.go
+++ b/cmd/k8s-operator/operator.go
@@ -39,6 +39,7 @@ import (
 kzap "sigs.k8s.io/controller-runtime/pkg/log/zap"
 "sigs.k8s.io/controller-runtime/pkg/manager"
 "sigs.k8s.io/controller-runtime/pkg/manager/signals"
+ "sigs.k8s.io/controller-runtime/pkg/predicate"
 "sigs.k8s.io/controller-runtime/pkg/reconcile"
 "tailscale.com/client/local"
 "tailscale.com/client/tailscale"
@@ -349,6 +350,7 @@ func runReconcilers(opts reconcilerOpts) {
 err = builder.
 ControllerManagedBy(mgr).
 For(&networkingv1.Ingress{}).
+ WithEventFilter(ingressProxyGroupResourceFilterPredicate()).
 Named("ingress-pg-reconciler").
 Watches(&corev1.Service{}, handler.EnqueueRequestsFromMapFunc(serviceHandlerForIngressPG(mgr.GetClient(), startlog))).
 Watches(&corev1.Secret{}, handler.EnqueueRequestsFromMapFunc(HAIngressesFromSecret(mgr.GetClient(), startlog))).
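Review bot: `WithEventFilter` is applied by controller-runtime to every event source of the controller, not only the `For` type, so the added predicate also sees the Service and Secret events from the two `Watches` calls below it. For those objects the `object.(*networkingv1.Ingress)` assertion fails and the predicate returns false, which would drop the events before `serviceHandlerForIngressPG` and `HAIngressesFromSecret` can map them to an Ingress. Scoping the predicate to the primary resource avoids that: `For(&networkingv1.Ingress{}, builder.WithPredicates(ingressProxyGroupResourceFilterPredicate())).` The service-pg-reconciler hunk has the same problem for its Secret and ProxyGroup watches. The builder chain continues outside the hunk.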
@@ -375,6 +377,7 @@ func runReconcilers(opts reconcilerOpts) {
 err = builder.
 ControllerManagedBy(mgr).
 For(&corev1.Service{}).
+ WithEventFilter(serviceProxyGroupResourceFilterPredicate()).
 Named("service-pg-reconciler").
 Watches(&corev1.Secret{}, handler.EnqueueRequestsFromMapFunc(HAServicesFromSecret(mgr.GetClient(), startlog))).
 Watches(&tsapi.ProxyGroup{}, ingressProxyGroupFilter).
@@ -1382,6 +1385,30 @@ func indexPGIngresses(o client.Object) []string {
 return []string{o.GetAnnotations()[AnnotationProxyGroup]}
 }
+// predicate function for filtering to ensure we *don't* reconcile on tailscale managed Kubernetes Ingresses that don't have a ProxyGroup annotation
+func ingressProxyGroupResourceFilterPredicate() predicate.Predicate {
+ return predicate.NewPredicateFuncs(func(object client.Object) bool {
+ if ing, ok := object.(*networkingv1.Ingress); !ok {
+ return false
+ } else {
+ _, ok := ing.Annotations[AnnotationProxyGroup]
+ return ok
+ }
+ })
+}
+
+// predicate function for filtering to ensure we *don't* reconcile on tailscale managed Kubernetes Services that don't have a ProxyGroup annotation
+func serviceProxyGroupResourceFilterPredicate() predicate.Predicate {
+ return predicate.NewPredicateFuncs(func(object client.Object) bool {
+ if svc, ok := object.(*corev1.Service); !ok {
+ return false
+ } else {
+ _, ok := svc.Annotations[AnnotationProxyGroup]
+ return ok
+ }
+ })
+}
+
 // serviceHandlerForIngressPG returns a handler for Service events that ensures that if the Service
 // associated with an event is a backend Service for a tailscale Ingress with ProxyGroup annotation,
 // the associated Ingress gets reconciled.
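Review bot: `predicate.NewPredicateFuncs` evaluates only `ObjectNew` on updates, so in both new predicates an update that removes the ProxyGroup annotation from an Ingress or Service is filtered out like any other unannotated object. If the reconcilers are expected to tear down what they provisioned when the annotation goes away (not visible in this diff), the resource would stay exposed until some unrelated event triggers a reconcile; passing an update when either the old or the new object carries the annotation closes that gap. The two functions are otherwise identical, so one helper built on `GetAnnotations()` (as `indexPGIngresses` already does) could replace both and drop the type assertion and the `else` after `return`. The sketch below assumes the controller-runtime `event` package is imported and that both builder chains call the shared helper.

```go
// proxyGroupAnnotationPredicate passes events for objects that carry the ProxyGroup
// annotation, plus updates that remove it, so the reconciler still sees that transition.
func proxyGroupAnnotationPredicate() predicate.Predicate {
	has := func(o client.Object) bool {
		_, ok := o.GetAnnotations()[AnnotationProxyGroup]
		return ok
	}
	return predicate.Funcs{
		CreateFunc:  func(e event.CreateEvent) bool { return has(e.Object) },
		UpdateFunc:  func(e event.UpdateEvent) bool { return has(e.ObjectOld) || has(e.ObjectNew) },
		DeleteFunc:  func(e event.DeleteEvent) bool { return has(e.Object) },
		GenericFunc: func(e event.GenericEvent) bool { return has(e.Object) },
	}
}
```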