cmd/k8s-operator,k8s-operator: proxy configuration mechanism via a new ProxyClass custom resource (#11074)

* cmd/k8s-operator,k8s-operator: introduce proxy configuration mechanism via ProxyClass custom resource.

ProxyClass custom resource can be used to specify customizations
for the proxy resources created by the operator.

Add a reconciler that validates ProxyClass resources
and sets a Ready condition to True or False with a corresponding reason and message.
This is required because some fields (labels and annotations)
require complex validations that cannot be performed at custom resource apply time.
Reconcilers that use the ProxyClass to configure proxy resources are expected to
verify that the ProxyClass is Ready and not proceed with resource creation
if configuration from a ProxyClass that is not yet Ready is required.

If a tailscale ingress/egress Service is annotated with a tailscale.com/proxy-class annotation, look up the corresponding ProxyClass and, if it is Ready, apply the configuration from the ProxyClass to the proxy's StatefulSet.

If a tailscale Ingress has a tailscale.com/proxy-class annotation
and the referenced ProxyClass custom resource is available and Ready,
apply configuration from the ProxyClass to the proxy resources
that will be created for the Ingress.

Add a new .proxyClass field to the Connector spec.
If connector.spec.proxyClass is set to a ProxyClass that is available and Ready,
apply configuration from the ProxyClass to the proxy resources created for the Connector.

Ensure that when Helm chart is packaged, the ProxyClass yaml is added to chart templates. Ensure that static manifest generator adds ProxyClass yaml to operator.yaml. Regenerate operator.yaml


Signed-off-by: Irbe Krumina <irbe@tailscale.com>

k8s-operator/conditions.go

@@ -7,6 +7,7 @@ package kube
 
 import (
 	"slices"
+	"time"
 
 	"go.uber.org/zap"
 	xslices "golang.org/x/exp/slices"
@@ -17,8 +18,28 @@ import (
 
 // SetConnectorCondition ensures that Connector status has a condition with the
 // given attributes. LastTransitionTime gets set every time condition's status
-// changes
+// changes.
 func SetConnectorCondition(cn *tsapi.Connector, conditionType tsapi.ConnectorConditionType, status metav1.ConditionStatus, reason, message string, gen int64, clock tstime.Clock, logger *zap.SugaredLogger) {
+	conds := updateCondition(cn.Status.Conditions, conditionType, status, reason, message, gen, clock, logger)
+	cn.Status.Conditions = conds
+}
+
+// RemoveConnectorCondition will remove condition of the given type.
+func RemoveConnectorCondition(conn *tsapi.Connector, conditionType tsapi.ConnectorConditionType) {
+	conn.Status.Conditions = slices.DeleteFunc(conn.Status.Conditions, func(cond tsapi.ConnectorCondition) bool {
+		return cond.Type == conditionType
+	})
+}
+
+// SetProxyClassCondition ensures that ProxyClass status has a condition with the
+// given attributes. LastTransitionTime gets set every time condition's status
+// changes.
+func SetProxyClassCondition(pc *tsapi.ProxyClass, conditionType tsapi.ConnectorConditionType, status metav1.ConditionStatus, reason, message string, gen int64, clock tstime.Clock, logger *zap.SugaredLogger) {
+	conds := updateCondition(pc.Status.Conditions, conditionType, status, reason, message, gen, clock, logger)
+	pc.Status.Conditions = conds
+}
+
+func updateCondition(conds []tsapi.ConnectorCondition, conditionType tsapi.ConnectorConditionType, status metav1.ConditionStatus, reason, message string, gen int64, clock tstime.Clock, logger *zap.SugaredLogger) []tsapi.ConnectorCondition {
 	newCondition := tsapi.ConnectorCondition{
 		Type:               conditionType,
 		Status:             status,
@@ -27,34 +48,37 @@ func SetConnectorCondition(cn *tsapi.Connector, conditionType tsapi.ConnectorCon
 		ObservedGeneration: gen,
 	}
 
-	nowTime := metav1.NewTime(clock.Now())
+	nowTime := metav1.NewTime(clock.Now().Truncate(time.Second))
 	newCondition.LastTransitionTime = &nowTime
 
-	idx := xslices.IndexFunc(cn.Status.Conditions, func(cond tsapi.ConnectorCondition) bool {
+	idx := xslices.IndexFunc(conds, func(cond tsapi.ConnectorCondition) bool {
 		return cond.Type == conditionType
 	})
 
 	if idx == -1 {
-		cn.Status.Conditions = append(cn.Status.Conditions, newCondition)
-		return
+		conds = append(conds, newCondition)
+		return conds
 	}
 
-	// Update the existing condition
-	cond := cn.Status.Conditions[idx]
+	cond := conds[idx] // update the existing condition
 	// If this update doesn't contain a state transition, we don't update
-	// the conditions LastTransitionTime to Now()
+	// the conditions LastTransitionTime to Now().
 	if cond.Status == status {
 		newCondition.LastTransitionTime = cond.LastTransitionTime
 	} else {
-		logger.Info("Status change for Connector condition %s from %s to %s", conditionType, cond.Status, status)
+		logger.Infof("Status change for condition %s from %s to %s", conditionType, cond.Status, status)
 	}
-
-	cn.Status.Conditions[idx] = newCondition
+	conds[idx] = newCondition
+	return conds
 }
 
-// RemoveConnectorCondition will remove condition of the given type
-func RemoveConnectorCondition(conn *tsapi.Connector, conditionType tsapi.ConnectorConditionType) {
-	conn.Status.Conditions = slices.DeleteFunc(conn.Status.Conditions, func(cond tsapi.ConnectorCondition) bool {
-		return cond.Type == conditionType
+func ProxyClassIsReady(pc *tsapi.ProxyClass) bool {
+	idx := xslices.IndexFunc(pc.Status.Conditions, func(cond tsapi.ConnectorCondition) bool {
+		return cond.Type == tsapi.ProxyClassready
 	})
+	if idx == -1 {
+		return false
+	}
+	cond := pc.Status.Conditions[idx]
+	return cond.Status == metav1.ConditionTrue && cond.ObservedGeneration == pc.Generation
 }