cmd/{k8s-operator,k8s-proxy}: apply accept-routes configuration to k8s-proxy (#16522)

This commit modifies the k8s-operator and k8s-proxy to support passing down the accept-routes configuration from the proxy class as a configuration value read and used by the k8s-proxy when ran as a distinct container managed by the operator. Updates #13358 Signed-off-by: David Bond <davidsbond93@gmail.com>
2025-07-16 10:38:39 +00:00 · 2025-07-10 15:53:01 +01:00 · 2025-07-10 15:53:01 +01:00 · d0cafc0a67
commit d0cafc0a67
parent 2b665c370c
3 changed files with 20 additions and 4 deletions
--- a/cmd/k8s-operator/proxygroup.go
+++ b/cmd/k8s-operator/proxygroup.go
@ -820,6 +820,10 @@ func (r *ProxyGroupReconciler) ensureConfigSecretsCreated(ctx context.Context, p
 				cfg.ServerURL = &r.loginServer
 			}

+			if proxyClass != nil && proxyClass.Spec.TailscaleConfig != nil {
+				cfg.AcceptRoutes = &proxyClass.Spec.TailscaleConfig.AcceptRoutes
+			}
+
 			cfgB, err := json.Marshal(cfg)
 			if err != nil {
 				return nil, fmt.Errorf("error marshalling k8s-proxy config: %w", err)
--- a/cmd/k8s-proxy/k8s-proxy.go
+++ b/cmd/k8s-proxy/k8s-proxy.go
@ -114,12 +114,13 @@ func run(logger *zap.SugaredLogger) error {

 	group, groupCtx := errgroup.WithContext(ctx)

-	// Setup for updating state keys.
-	if podUID != "" {
 	lc, err := ts.LocalClient()
 	if err != nil {
 		return fmt.Errorf("error getting local client: %w", err)
 	}
+
+	// Setup for updating state keys.
+	if podUID != "" {
 		w, err := lc.WatchIPNBus(groupCtx, ipn.NotifyInitialNetMap)
 		if err != nil {
 			return fmt.Errorf("error watching IPN bus: %w", err)
@ -135,6 +136,16 @@ func run(logger *zap.SugaredLogger) error {
 		})
 	}

+	if cfg.Parsed.AcceptRoutes != nil {
+		_, err = lc.EditPrefs(groupCtx, &ipn.MaskedPrefs{
+			RouteAllSet: true,
+			Prefs:       ipn.Prefs{RouteAll: *cfg.Parsed.AcceptRoutes},
+		})
+		if err != nil {
+			return fmt.Errorf("error editing prefs: %w", err)
+		}
+	}
+
 	// Setup for the API server proxy.
 	restConfig, err := getRestConfig(logger)
 	if err != nil {
--- a/kube/k8s-proxy/conf/conf.go
+++ b/kube/k8s-proxy/conf/conf.go
@ -54,6 +54,7 @@ type ConfigV1Alpha1 struct {
 	App           *string        `json:",omitempty"` // e.g. kubetypes.AppProxyGroupKubeAPIServer
 	KubeAPIServer *KubeAPIServer `json:",omitempty"` // Config specific to the API Server proxy.
 	ServerURL     *string        `json:",omitempty"` // URL of the Tailscale coordination server.
+	AcceptRoutes  *bool          `json:",omitempty"` // Accepts routes advertised by other Tailscale nodes.
 }

 type KubeAPIServer struct {