allow to customize domain validation

This allows to customize the FQDN validation of tailscale services.

Author: thirdeyenick

cmd/k8s-operator/egress-services.go

@@ -524,13 +524,6 @@ func (esr *egressSvcsReconciler) validateClusterResources(ctx context.Context, s
 		tsoperator.RemoveServiceCondition(svc, tsapi.EgressSvcConfigured)
 		return false, err
 	}
-	if !tsoperator.ProxyGroupIsReady(pg) {
-		l.Infof("ProxyGroup %s is not ready, waiting...", proxyGroupName)
-		tsoperator.SetServiceCondition(svc, tsapi.EgressSvcValid, metav1.ConditionUnknown, reasonProxyGroupNotReady, reasonProxyGroupNotReady, esr.clock, l)
-		tsoperator.RemoveServiceCondition(svc, tsapi.EgressSvcConfigured)
-		return false, nil
-	}
-
 	if violations := validateEgressService(svc, pg, esr.validationOpts); len(violations) > 0 {
 		msg := fmt.Sprintf("invalid egress Service: %s", strings.Join(violations, ", "))
 		esr.recorder.Event(svc, corev1.EventTypeWarning, "INVALIDSERVICE", msg)
@@ -539,6 +532,11 @@ func (esr *egressSvcsReconciler) validateClusterResources(ctx context.Context, s
 		tsoperator.RemoveServiceCondition(svc, tsapi.EgressSvcConfigured)
 		return false, nil
 	}
+	if !tsoperator.ProxyGroupIsReady(pg) {
+		tsoperator.SetServiceCondition(svc, tsapi.EgressSvcValid, metav1.ConditionUnknown, reasonProxyGroupNotReady, reasonProxyGroupNotReady, esr.clock, l)
+		tsoperator.RemoveServiceCondition(svc, tsapi.EgressSvcConfigured)
+	}
+
 	l.Debugf("egress service is valid")
 	tsoperator.SetServiceCondition(svc, tsapi.EgressSvcValid, metav1.ConditionTrue, reasonEgressSvcValid, reasonEgressSvcValid, esr.clock, l)
 	return true, nil

cmd/k8s-operator/operator.go

@@ -404,16 +404,17 @@ func runReconcilers(opts reconcilerOpts) {
 		Watches(&tsapi.ProxyGroup{}, ingressProxyGroupFilter).
 		Watches(&discoveryv1.EndpointSlice{}, ingressSvcFromEpsFilter).
 		Complete(&HAServiceReconciler{
-			recorder:    eventRecorder,
-			tsClient:    opts.tsClient,
-			tsnetServer: opts.tsServer,
-			defaultTags: strings.Split(opts.proxyTags, ","),
-			Client:      mgr.GetClient(),
-			logger:      opts.log.Named("service-pg-reconciler"),
-			lc:          lc,
-			clock:       tstime.DefaultClock{},
-			operatorID:  id,
-			tsNamespace: opts.tailscaleNamespace,
+			recorder:       eventRecorder,
+			tsClient:       opts.tsClient,
+			tsnetServer:    opts.tsServer,
+			defaultTags:    strings.Split(opts.proxyTags, ","),
+			Client:         mgr.GetClient(),
+			logger:         opts.log.Named("service-pg-reconciler"),
+			lc:             lc,
+			clock:          tstime.DefaultClock{},
+			operatorID:     id,
+			tsNamespace:    opts.tailscaleNamespace,
+			validationOpts: opts.validationOpts,
 		})
 	if err != nil {
 		startlog.Fatalf("could not create service-pg-reconciler: %v", err)

cmd/k8s-operator/operator_test.go

@@ -1378,7 +1378,6 @@ func TestTailscaledConfigfileHash(t *testing.T) {
 		},
 	})
 
-	expectReconciled(t, sr, "default", "test")
 	expectReconciled(t, sr, "default", "test")
 
 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")

cmd/k8s-operator/sts.go

@@ -136,8 +136,6 @@ type tailscaleSTSConfig struct {
 
 	proxyType string
 
-	ControlURL string
-
 	// Connector specifies a configuration of a Connector instance if that's
 	// what this StatefulSet should be created for.
 	Connector *connector

cmd/k8s-operator/svc-for-pg.go

@@ -66,6 +66,8 @@ type HAServiceReconciler struct {
 	defaultTags           []string
 	operatorID            string // stableID of the operator's Tailscale device
 
+	validationOpts validationOpts
+
 	clock tstime.Clock
 
 	mu sync.Mutex // protects following
@@ -170,7 +172,7 @@ func (r *HAServiceReconciler) maybeProvision(ctx context.Context, hostname strin
 	}
 
 	// Validate Service configuration
-	if violations := validateService(svc); len(violations) > 0 {
+	if violations := validateService(svc, r.validationOpts); len(violations) > 0 {
 		msg := fmt.Sprintf("unable to provision proxy resources: invalid Service: %s", strings.Join(violations, ", "))
 		r.recorder.Event(svc, corev1.EventTypeWarning, "INVALIDSERVICE", msg)
 		r.logger.Error(msg)