From d0cafc0a6776397d9a346dde60962c679062a21c Mon Sep 17 00:00:00 2001
From: David Bond
Date: Thu, 10 Jul 2025 15:53:01 +0100
Subject: [PATCH] cmd/{k8s-operator,k8s-proxy}: apply accept-routes configuration to k8s-proxy (#16522)

This commit modifies the k8s-operator and k8s-proxy to support passing down the accept-routes configuration from the proxy class as a configuration value read and used by the k8s-proxy when ran as a distinct container managed by the operator.
Updates #13358
Signed-off-by: David Bond
---
 cmd/k8s-operator/proxygroup.go | 4 ++++
 cmd/k8s-proxy/k8s-proxy.go | 19 +++++++++++++++----
 kube/k8s-proxy/conf/conf.go | 1 +
 3 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/cmd/k8s-operator/proxygroup.go b/cmd/k8s-operator/proxygroup.go
index 7b8a0754e..66b6c96e3 100644
--- a/cmd/k8s-operator/proxygroup.go
+++ b/cmd/k8s-operator/proxygroup.go
@@ -820,6 +820,10 @@ func (r *ProxyGroupReconciler) ensureConfigSecretsCreated(ctx context.Context, p
 cfg.ServerURL = &r.loginServer
 }
+ if proxyClass != nil && proxyClass.Spec.TailscaleConfig != nil {
+ cfg.AcceptRoutes = &proxyClass.Spec.TailscaleConfig.AcceptRoutes
+ }
+
 cfgB, err := json.Marshal(cfg)
 if err != nil {
 return nil, fmt.Errorf("error marshalling k8s-proxy config: %w", err)
diff --git a/cmd/k8s-proxy/k8s-proxy.go b/cmd/k8s-proxy/k8s-proxy.go
index 81a5a8483..7dcf6c2ab 100644
--- a/cmd/k8s-proxy/k8s-proxy.go
+++ b/cmd/k8s-proxy/k8s-proxy.go
@@ -114,12 +114,13 @@ func run(logger *zap.SugaredLogger) error {
 group, groupCtx := errgroup.WithContext(ctx)
+ lc, err := ts.LocalClient()
+ if err != nil {
+ return fmt.Errorf("error getting local client: %w", err)
+ }
+
 // Setup for updating state keys.
 if podUID != "" {
- lc, err := ts.LocalClient()
- if err != nil {
- return fmt.Errorf("error getting local client: %w", err)
- }
 w, err := lc.WatchIPNBus(groupCtx, ipn.NotifyInitialNetMap)
 if err != nil {
 return fmt.Errorf("error watching IPN bus: %w", err)
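Review bot: In cmd/k8s-operator/proxygroup.go, `cfg.AcceptRoutes` is only populated when the ProxyClass carries a `TailscaleConfig`, and the second k8s-proxy.go hunk only calls `EditPrefs` when the field is non-nil, so nothing visible here turns accept-routes back off once the ProxyClass or its `TailscaleConfig` is removed. If the proxy's prefs persist across restarts (not shown in the patch), a proxy that once accepted routes would keep honouring routes advertised by other tailnet nodes after the operator-side setting is gone. Consider always writing an explicit value, e.g. `acceptRoutes := proxyClass != nil && proxyClass.Spec.TailscaleConfig != nil && proxyClass.Spec.TailscaleConfig.AcceptRoutes` followed by `cfg.AcceptRoutes = &acceptRoutes`, or document that an absent value means "leave unchanged". ensureConfigSecretsCreated starts and ends outside the hunk.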
@@ -135,6 +136,16 @@ func run(logger *zap.SugaredLogger) error {
 })
 }
+ if cfg.Parsed.AcceptRoutes != nil {
+ _, err = lc.EditPrefs(groupCtx, &ipn.MaskedPrefs{
+ RouteAllSet: true,
+ Prefs: ipn.Prefs{RouteAll: *cfg.Parsed.AcceptRoutes},
+ })
+ if err != nil {
+ return fmt.Errorf("error editing prefs: %w", err)
+ }
+ }
+
 // Setup for the API server proxy.
 restConfig, err := getRestConfig(logger)
 if err != nil {
diff --git a/kube/k8s-proxy/conf/conf.go b/kube/k8s-proxy/conf/conf.go
index 2901e7b44..fba4a39a4 100644
--- a/kube/k8s-proxy/conf/conf.go
+++ b/kube/k8s-proxy/conf/conf.go
@@ -54,6 +54,7 @@ type ConfigV1Alpha1 struct {
 App *string `json:",omitempty"` // e.g. kubetypes.AppProxyGroupKubeAPIServer
 KubeAPIServer *KubeAPIServer `json:",omitempty"` // Config specific to the API Server proxy.
 ServerURL *string `json:",omitempty"` // URL of the Tailscale coordination server.
+ AcceptRoutes *bool `json:",omitempty"` // Accepts routes advertised by other Tailscale nodes.
 }
 type KubeAPIServer struct {
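Review bot: The `EditPrefs` call in the second cmd/k8s-proxy/k8s-proxy.go hunk changes which advertised routes the proxy will use, but it leaves no log line and its error does not name the pref being set. Adding `logger.Infof("setting accept-routes to %v", *cfg.Parsed.AcceptRoutes)` before the call and returning `fmt.Errorf("error setting accept-routes pref: %w", err)` would make the change traceable when reviewing proxy logs. A one-line comment that a nil `AcceptRoutes` leaves the existing pref untouched would also help the next reader. run's body starts and ends outside the hunk.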
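Review bot: The field comment on `AcceptRoutes` in kube/k8s-proxy/conf/conf.go does not say what an unset value means, although the pointer type with `omitempty` makes nil distinct from false and k8s-proxy.go skips the prefs edit when it is nil. I would reword it to `// Whether to accept routes advertised by other Tailscale nodes; nil leaves the current preference unchanged.` The ConfigV1Alpha1 struct starts outside the hunk.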