From 4456f77af71367e52565a76dd58a796fa108e3f8 Mon Sep 17 00:00:00 2001 From: Tom Meadows Date: Mon, 9 Jun 2025 11:13:03 +0100 Subject: [PATCH] cmd/k8s-operator: explicitly set tcp on VIPService port configuration for Ingress with ProxyGroup (#16199) Updates tailscale/corp#24795 Signed-off-by: chaosinthecrd --- cmd/k8s-operator/ingress-for-pg.go | 4 ++-- cmd/k8s-operator/ingress-for-pg_test.go | 14 +++++++------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/cmd/k8s-operator/ingress-for-pg.go b/cmd/k8s-operator/ingress-for-pg.go index 4779014f3..66d74292b 100644 --- a/cmd/k8s-operator/ingress-for-pg.go +++ b/cmd/k8s-operator/ingress-for-pg.go @@ -318,9 +318,9 @@ func (r *HAIngressReconciler) maybeProvision(ctx context.Context, hostname strin tags = strings.Split(tstr, ",") } - tsSvcPorts := []string{"443"} // always 443 for Ingress + tsSvcPorts := []string{"tcp:443"} // always 443 for Ingress if isHTTPEndpointEnabled(ing) { - tsSvcPorts = append(tsSvcPorts, "80") + tsSvcPorts = append(tsSvcPorts, "tcp:80") } tsSvc := &tailscale.VIPService{ diff --git a/cmd/k8s-operator/ingress-for-pg_test.go b/cmd/k8s-operator/ingress-for-pg_test.go index 9ce90f771..b487d660c 100644 --- a/cmd/k8s-operator/ingress-for-pg_test.go +++ b/cmd/k8s-operator/ingress-for-pg_test.go @@ -68,7 +68,7 @@ func TestIngressPGReconciler(t *testing.T) { populateTLSSecret(context.Background(), fc, "test-pg", "my-svc.ts.net") expectReconciled(t, ingPGR, "default", "test-ingress") verifyServeConfig(t, fc, "svc:my-svc", false) - verifyTailscaleService(t, ft, "svc:my-svc", []string{"443"}) + verifyTailscaleService(t, ft, "svc:my-svc", []string{"tcp:443"}) verifyTailscaledConfig(t, fc, []string{"svc:my-svc"}) // Verify that Role and RoleBinding have been created for the first Ingress. 
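Review bot: The trailing comment on the new `tsSvcPorts` line in maybeProvision still reads `// always 443 for Ingress` and does not say why the protocol prefix is now part of the value. Something like `// Ingress always listens on 443; protocol is explicit so the Tailscale Service port spec is unambiguous` would keep a later edit from dropping the `tcp:` again. The commit also adds no test for the upgrade path: a Tailscale Service created by an earlier operator version with ports `"443"`/`"80"` presumably has to be rewritten to `"tcp:443"`/`"tcp:80"` on the next reconcile. Whether that happens depends on the update comparison later in maybeProvision, whose body starts and ends outside this hunk. A test that pre-creates the service with the old port strings and asserts the reconciled ports would pin which ports end up exposed after an upgrade.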
@@ -130,7 +130,7 @@ func TestIngressPGReconciler(t *testing.T) { populateTLSSecret(context.Background(), fc, "test-pg", "my-other-svc.ts.net") expectReconciled(t, ingPGR, "default", "my-other-ingress") verifyServeConfig(t, fc, "svc:my-other-svc", false) - verifyTailscaleService(t, ft, "svc:my-other-svc", []string{"443"}) + verifyTailscaleService(t, ft, "svc:my-other-svc", []string{"tcp:443"}) // Verify that Role and RoleBinding have been created for the first Ingress. // Do not verify the cert Secret as that was already verified implicitly above. @@ -139,7 +139,7 @@ func TestIngressPGReconciler(t *testing.T) { // Verify first Ingress is still working verifyServeConfig(t, fc, "svc:my-svc", false) - verifyTailscaleService(t, ft, "svc:my-svc", []string{"443"}) + verifyTailscaleService(t, ft, "svc:my-svc", []string{"tcp:443"}) verifyTailscaledConfig(t, fc, []string{"svc:my-svc", "svc:my-other-svc"}) @@ -244,7 +244,7 @@ func TestIngressPGReconciler_UpdateIngressHostname(t *testing.T) { populateTLSSecret(context.Background(), fc, "test-pg", "my-svc.ts.net") expectReconciled(t, ingPGR, "default", "test-ingress") verifyServeConfig(t, fc, "svc:my-svc", false) - verifyTailscaleService(t, ft, "svc:my-svc", []string{"443"}) + verifyTailscaleService(t, ft, "svc:my-svc", []string{"tcp:443"}) verifyTailscaledConfig(t, fc, []string{"svc:my-svc"}) // Update the Ingress hostname and make sure the original Tailscale Service is deleted. @@ -255,7 +255,7 @@ func TestIngressPGReconciler_UpdateIngressHostname(t *testing.T) { populateTLSSecret(context.Background(), fc, "test-pg", "updated-svc.ts.net") expectReconciled(t, ingPGR, "default", "test-ingress") verifyServeConfig(t, fc, "svc:updated-svc", false) - verifyTailscaleService(t, ft, "svc:updated-svc", []string{"443"}) + verifyTailscaleService(t, ft, "svc:updated-svc", []string{"tcp:443"}) verifyTailscaledConfig(t, fc, []string{"svc:updated-svc"}) _, err := ft.GetVIPService(context.Background(), tailcfg.ServiceName("svc:my-svc")) 
@@ -476,7 +476,7 @@ func TestIngressPGReconciler_HTTPEndpoint(t *testing.T) { expectReconciled(t, ingPGR, "default", "test-ingress") populateTLSSecret(context.Background(), fc, "test-pg", "my-svc.ts.net") expectReconciled(t, ingPGR, "default", "test-ingress") - verifyTailscaleService(t, ft, "svc:my-svc", []string{"80", "443"}) + verifyTailscaleService(t, ft, "svc:my-svc", []string{"tcp:80", "tcp:443"}) verifyServeConfig(t, fc, "svc:my-svc", true) // Verify Ingress status @@ -529,7 +529,7 @@ func TestIngressPGReconciler_HTTPEndpoint(t *testing.T) { // Verify reconciliation after removing HTTP expectReconciled(t, ingPGR, "default", "test-ingress") - verifyTailscaleService(t, ft, "svc:my-svc", []string{"443"}) + verifyTailscaleService(t, ft, "svc:my-svc", []string{"tcp:443"}) verifyServeConfig(t, fc, "svc:my-svc", false) // Verify Ingress status
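Review bot: In the first hunk on this line (TestIngressPGReconciler_HTTPEndpoint), the expected slice `[]string{"tcp:80", "tcp:443"}` is in the opposite order from what the reconciler builds, which starts with `"tcp:443"` and then appends `"tcp:80"`. The assertion can only pass if verifyTailscaleService compares ports without regard to order; that helper is not visible in this diff, so this is inferred. Writing the expectation as `[]string{"tcp:443", "tcp:80"}` would match the produced value and stay correct if the helper ever becomes order-sensitive. The test function's body continues outside the hunk.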