From a29e42135b793660e4e658aa4f2bc8155420de36 Mon Sep 17 00:00:00 2001
From: David Bond <davidsbond@users.noreply.github.com>
Date: Wed, 29 Apr 2026 15:56:33 +0100
Subject: [PATCH] cmd/k8s-operator: add nodeSelector to `DNSConfig` resource
 (#19429)

This commit modifies the `DNSConfig` resource to allow customisation of
the `spec.nodeSelector` field in the nameserver pods.

Closes: https://github.com/tailscale/tailscale/issues/19419

Signed-off-by: David Bond <davidsbond93@gmail.com>
---
 .../deploy/crds/tailscale.com_dnsconfigs.yaml |  5 +++++
 .../deploy/manifests/operator.yaml            |  5 +++++
 cmd/k8s-operator/nameserver.go                | 21 +++++++++++--------
 cmd/k8s-operator/nameserver_test.go           |  6 ++++++
 k8s-operator/api.md                           |  1 +
 .../apis/v1alpha1/types_tsdnsconfig.go        |  3 +++
 .../apis/v1alpha1/zz_generated.deepcopy.go    |  7 +++++++
 7 files changed, 39 insertions(+), 9 deletions(-)

diff --git a/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml b/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml
index d54b0eca0..4d6422ede 100644
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml
@@ -977,6 +977,11 @@ spec:
                                           Empty topologyKey is not allowed.
                                         type: string
                                   x-kubernetes-list-type: atomic
+                        nodeSelector:
+                          description: If specified, applies node selector rules to the pods deployed by the DNSConfig resource.
+                          type: object
+                          additionalProperties:
+                            type: string
                         tolerations:
                           description: If specified, applies tolerations to the pods deployed by the DNSConfig resource.
                           type: array
diff --git a/cmd/k8s-operator/deploy/manifests/operator.yaml b/cmd/k8s-operator/deploy/manifests/operator.yaml
index d3c2e74de..07c9f3af3 100644
--- a/cmd/k8s-operator/deploy/manifests/operator.yaml
+++ b/cmd/k8s-operator/deploy/manifests/operator.yaml
@@ -1315,6 +1315,11 @@ spec:
                                                                 x-kubernetes-list-type: atomic
                                                         type: object
                                                 type: object
+                                            nodeSelector:
+                                                additionalProperties:
+                                                    type: string
+                                                description: If specified, applies node selector rules to the pods deployed by the DNSConfig resource.
+                                                type: object
                                             tolerations:
                                                 description: If specified, applies tolerations to the pods deployed by the DNSConfig resource.
                                                 items:
diff --git a/cmd/k8s-operator/nameserver.go b/cmd/k8s-operator/nameserver.go
index 9a5b98ed1..f5565e5d3 100644
--- a/cmd/k8s-operator/nameserver.go
+++ b/cmd/k8s-operator/nameserver.go
@@ -191,6 +191,7 @@ func (a *NameserverReconciler) maybeProvision(ctx context.Context, tsDNSCfg *tsa
 	if tsDNSCfg.Spec.Nameserver.Pod != nil {
 		dCfg.tolerations = tsDNSCfg.Spec.Nameserver.Pod.Tolerations
 		dCfg.affinity = tsDNSCfg.Spec.Nameserver.Pod.Affinity
+		dCfg.nodeSelector = tsDNSCfg.Spec.Nameserver.Pod.NodeSelector
 	}
 
 	for _, deployable := range []deployable{saDeployable, deployDeployable, svcDeployable, cmDeployable} {
@@ -218,15 +219,16 @@ type deployable struct {
 }
 
 type deployConfig struct {
-	replicas    int32
-	imageRepo   string
-	imageTag    string
-	labels      map[string]string
-	ownerRefs   []metav1.OwnerReference
-	namespace   string
-	clusterIP   string
-	tolerations []corev1.Toleration
-	affinity    *corev1.Affinity
+	replicas     int32
+	imageRepo    string
+	imageTag     string
+	labels       map[string]string
+	ownerRefs    []metav1.OwnerReference
+	namespace    string
+	clusterIP    string
+	tolerations  []corev1.Toleration
+	affinity     *corev1.Affinity
+	nodeSelector map[string]string
 }
 
 var (
@@ -253,6 +255,7 @@ var (
 			d.ObjectMeta.OwnerReferences = cfg.ownerRefs
 			d.Spec.Template.Spec.Tolerations = cfg.tolerations
 			d.Spec.Template.Spec.Affinity = cfg.affinity
+			d.Spec.Template.Spec.NodeSelector = cfg.nodeSelector
 			updateF := func(oldD *appsv1.Deployment) {
 				oldD.Spec = d.Spec
 			}
diff --git a/cmd/k8s-operator/nameserver_test.go b/cmd/k8s-operator/nameserver_test.go
index aa2a294c5..3ec00d5ed 100644
--- a/cmd/k8s-operator/nameserver_test.go
+++ b/cmd/k8s-operator/nameserver_test.go
@@ -43,6 +43,9 @@ func TestNameserverReconciler(t *testing.T) {
 					ClusterIP: "5.4.3.2",
 				},
 				Pod: &tsapi.NameserverPod{
+					NodeSelector: map[string]string{
+						"foo": "bar",
+					},
 					Tolerations: []corev1.Toleration{
 						{
 							Key:      "some-key",
@@ -131,6 +134,9 @@ func TestNameserverReconciler(t *testing.T) {
 				},
 			},
 		}
+		wantsDeploy.Spec.Template.Spec.NodeSelector = map[string]string{
+			"foo": "bar",
+		}
 
 		expectEqual(t, fc, wantsDeploy)
 	})
diff --git a/k8s-operator/api.md b/k8s-operator/api.md
index 7bd60ed5d..9101c95ca 100644
--- a/k8s-operator/api.md
+++ b/k8s-operator/api.md
@@ -484,6 +484,7 @@ _Appears in:_
 | --- | --- | --- | --- |
 | `tolerations` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.3/#toleration-v1-core) array_ | If specified, applies tolerations to the pods deployed by the DNSConfig resource. |  |  |
 | `affinity` _[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.3/#affinity-v1-core)_ | If specified, applies affinity rules to the pods deployed by the DNSConfig resource. |  |  |
+| `nodeSelector` _object (keys:string, values:string)_ | If specified, applies node selector rules to the pods deployed by the DNSConfig resource. |  |  |
 
 
 #### NameserverService
diff --git a/k8s-operator/apis/v1alpha1/types_tsdnsconfig.go b/k8s-operator/apis/v1alpha1/types_tsdnsconfig.go
index 3a44afbdc..529114c2e 100644
--- a/k8s-operator/apis/v1alpha1/types_tsdnsconfig.go
+++ b/k8s-operator/apis/v1alpha1/types_tsdnsconfig.go
@@ -116,6 +116,9 @@ type NameserverPod struct {
 	// If specified, applies affinity rules to the pods deployed by the DNSConfig resource.
 	// +optional
 	Affinity *corev1.Affinity `json:"affinity,omitzero"`
+	// If specified, applies node selector rules to the pods deployed by the DNSConfig resource.
+	// +optional
+	NodeSelector map[string]string `json:"nodeSelector,omitzero"`
 }
 
 type DNSConfigStatus struct {
diff --git a/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go b/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
index 22e7b733b..b401c6d87 100644
--- a/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
+++ b/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
@@ -474,6 +474,13 @@ func (in *NameserverPod) DeepCopyInto(out *NameserverPod) {
 		*out = new(corev1.Affinity)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.NodeSelector != nil {
+		in, out := &in.NodeSelector, &out.NodeSelector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NameserverPod.