From 889a24bb9dde0da8da3524122d349189c95888b6 Mon Sep 17 00:00:00 2001
From: Tom Proctor <tomhjp@users.noreply.github.com>
Date: Thu, 17 Jul 2025 19:23:53 +0100
Subject: [PATCH] make ProxyGroupReady condition for kube-apiserver dependent
 on Service readiness

Change-Id: I951bcb9035521861bf3ca0ce037800692b23c77d
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
---
 cmd/k8s-operator/proxygroup.go |  6 ++++++
 k8s-operator/conditions.go     | 10 ++++++++++
 2 files changed, 16 insertions(+)

diff --git a/cmd/k8s-operator/proxygroup.go b/cmd/k8s-operator/proxygroup.go
index cb9f2a497..065863e7a 100644
--- a/cmd/k8s-operator/proxygroup.go
+++ b/cmd/k8s-operator/proxygroup.go
@@ -466,6 +466,12 @@ func (r *ProxyGroupReconciler) maybeUpdateStatus(ctx context.Context, logger *za
 	case len(devices) < desiredReplicas:
 	case len(devices) > desiredReplicas:
 		message = fmt.Sprintf("waiting for %d ProxyGroup pods to shut down", len(devices)-desiredReplicas)
+	case pg.Spec.Type == tsapi.ProxyGroupTypeKubernetesAPIServer && !tsoperator.ProxyGroupTailscaleServiceValid(pg):
+		reason = reasonProxyGroupInvalid
+		message = "waiting for configured Tailscale Service to be marked valid"
+	case pg.Spec.Type == tsapi.ProxyGroupTypeKubernetesAPIServer && !tsoperator.ProxyGroupTailscaleServiceConfigured(pg):
+		reason = reasonProxyGroupCreating
+		message = "waiting for proxies to start advertising the configured Tailscale Service"
 	default:
 		status = metav1.ConditionTrue
 		reason = reasonProxyGroupReady
diff --git a/k8s-operator/conditions.go b/k8s-operator/conditions.go
index f6858c005..c8307661f 100644
--- a/k8s-operator/conditions.go
+++ b/k8s-operator/conditions.go
@@ -146,6 +146,16 @@ func ProxyGroupAvailable(pg *tsapi.ProxyGroup) bool {
 	return cond != nil && cond.Status == metav1.ConditionTrue
 }
 
+func ProxyGroupTailscaleServiceValid(pg *tsapi.ProxyGroup) bool {
+	cond := proxyGroupCondition(pg, tsapi.PGTailscaleServiceValid)
+	return cond != nil && cond.Status == metav1.ConditionTrue && cond.ObservedGeneration == pg.Generation
+}
+
+func ProxyGroupTailscaleServiceConfigured(pg *tsapi.ProxyGroup) bool {
+	cond := proxyGroupCondition(pg, tsapi.PGTailscaleServiceConfigured)
+	return cond != nil && cond.Status == metav1.ConditionTrue && cond.ObservedGeneration == pg.Generation
+}
+
 func proxyGroupCondition(pg *tsapi.ProxyGroup, condType tsapi.ConditionType) *metav1.Condition {
 	idx := xslices.IndexFunc(pg.Status.Conditions, func(cond metav1.Condition) bool {
 		return cond.Type == string(condType)