From e466488a2a68176569a98f59e0ace8c9896b6b92 Mon Sep 17 00:00:00 2001
From: David Bond <davidsbond@users.noreply.github.com>
Date: Mon, 29 Sep 2025 12:38:15 +0100
Subject: [PATCH] cmd/k8s-operator: add replica support to nameserver (#17246)

This commit modifies the `DNSConfig` custom resource to allow specifying
a replica count when deploying a nameserver. This allows deploying
nameservers in a HA configuration.

Updates https://github.com/tailscale/corp/issues/32589

Signed-off-by: David Bond <davidsbond93@gmail.com>
---
 .../deploy/crds/tailscale.com_dnsconfigs.yaml        |  5 +++++
 cmd/k8s-operator/deploy/manifests/operator.yaml      |  5 +++++
 cmd/k8s-operator/nameserver.go                       | 12 ++++++++++--
 cmd/k8s-operator/nameserver_test.go                  |  3 +++
 k8s-operator/api.md                                  |  1 +
 k8s-operator/apis/v1alpha1/types_tsdnsconfig.go      |  4 ++++
 k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go  |  5 +++++
 7 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml b/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml
index b047e11a7..43ebaecec 100644
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml
@@ -100,6 +100,11 @@ spec:
                         tag:
                           description: Tag defaults to unstable.
                           type: string
+                    replicas:
+                      description: Replicas specifies how many Pods to create. Defaults to 1.
+                      type: integer
+                      format: int32
+                      minimum: 0
                     service:
                       description: Service configuration.
                       type: object
diff --git a/cmd/k8s-operator/deploy/manifests/operator.yaml b/cmd/k8s-operator/deploy/manifests/operator.yaml
index 8b3c206c8..9c19554aa 100644
--- a/cmd/k8s-operator/deploy/manifests/operator.yaml
+++ b/cmd/k8s-operator/deploy/manifests/operator.yaml
@@ -431,6 +431,11 @@ spec:
                                                 description: Tag defaults to unstable.
                                                 type: string
                                         type: object
+                                    replicas:
+                                        description: Replicas specifies how many Pods to create. Defaults to 1.
+                                        format: int32
+                                        minimum: 0
+                                        type: integer
                                     service:
                                         description: Service configuration.
                                         properties:
diff --git a/cmd/k8s-operator/nameserver.go b/cmd/k8s-operator/nameserver.go
index 983a28c91..3618642e1 100644
--- a/cmd/k8s-operator/nameserver.go
+++ b/cmd/k8s-operator/nameserver.go
@@ -30,6 +30,7 @@ import (
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/kube/kubetypes"
 	"tailscale.com/tstime"
+	"tailscale.com/types/ptr"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/set"
 )
@@ -130,7 +131,7 @@ func (a *NameserverReconciler) Reconcile(ctx context.Context, req reconcile.Requ
 			return setStatus(&dnsCfg, metav1.ConditionFalse, reasonNameserverCreationFailed, msg)
 		}
 	}
-	if err := a.maybeProvision(ctx, &dnsCfg, logger); err != nil {
+	if err = a.maybeProvision(ctx, &dnsCfg); err != nil {
 		if strings.Contains(err.Error(), optimisticLockErrorMsg) {
 			logger.Infof("optimistic lock error, retrying: %s", err)
 			return reconcile.Result{}, nil
@@ -167,7 +168,7 @@ func nameserverResourceLabels(name, namespace string) map[string]string {
 	return labels
 }
 
-func (a *NameserverReconciler) maybeProvision(ctx context.Context, tsDNSCfg *tsapi.DNSConfig, logger *zap.SugaredLogger) error {
+func (a *NameserverReconciler) maybeProvision(ctx context.Context, tsDNSCfg *tsapi.DNSConfig) error {
 	labels := nameserverResourceLabels(tsDNSCfg.Name, a.tsNamespace)
 	dCfg := &deployConfig{
 		ownerRefs: []metav1.OwnerReference{*metav1.NewControllerRef(tsDNSCfg, tsapi.SchemeGroupVersion.WithKind("DNSConfig"))},
@@ -175,6 +176,11 @@ func (a *NameserverReconciler) maybeProvision(ctx context.Context, tsDNSCfg *tsa
 		labels:    labels,
 		imageRepo: defaultNameserverImageRepo,
 		imageTag:  defaultNameserverImageTag,
+		replicas:  1,
+	}
+
+	if tsDNSCfg.Spec.Nameserver.Replicas != nil {
+		dCfg.replicas = *tsDNSCfg.Spec.Nameserver.Replicas
 	}
 	if tsDNSCfg.Spec.Nameserver.Image != nil && tsDNSCfg.Spec.Nameserver.Image.Repo != "" {
 		dCfg.imageRepo = tsDNSCfg.Spec.Nameserver.Image.Repo
@@ -211,6 +217,7 @@ type deployable struct {
 }
 
 type deployConfig struct {
+	replicas  int32
 	imageRepo string
 	imageTag  string
 	labels    map[string]string
@@ -236,6 +243,7 @@ var (
 			if err := yaml.Unmarshal(deployYaml, &d); err != nil {
 				return fmt.Errorf("error unmarshalling Deployment yaml: %w", err)
 			}
+			d.Spec.Replicas = ptr.To(cfg.replicas)
 			d.Spec.Template.Spec.Containers[0].Image = fmt.Sprintf("%s:%s", cfg.imageRepo, cfg.imageTag)
 			d.ObjectMeta.Namespace = cfg.namespace
 			d.ObjectMeta.Labels = cfg.labels
diff --git a/cmd/k8s-operator/nameserver_test.go b/cmd/k8s-operator/nameserver_test.go
index 55a998ac3..88e48b753 100644
--- a/cmd/k8s-operator/nameserver_test.go
+++ b/cmd/k8s-operator/nameserver_test.go
@@ -22,6 +22,7 @@ import (
 	operatorutils "tailscale.com/k8s-operator"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/tstest"
+	"tailscale.com/types/ptr"
 	"tailscale.com/util/mak"
 )
 
@@ -33,6 +34,7 @@ func TestNameserverReconciler(t *testing.T) {
 		},
 		Spec: tsapi.DNSConfigSpec{
 			Nameserver: &tsapi.Nameserver{
+				Replicas: ptr.To[int32](3),
 				Image: &tsapi.NameserverImage{
 					Repo: "test",
 					Tag:  "v0.0.1",
@@ -74,6 +76,7 @@ func TestNameserverReconciler(t *testing.T) {
 		}
 		wantsDeploy.OwnerReferences = []metav1.OwnerReference{*ownerReference}
 		wantsDeploy.Spec.Template.Spec.Containers[0].Image = "test:v0.0.1"
+		wantsDeploy.Spec.Replicas = ptr.To[int32](3)
 		wantsDeploy.Namespace = tsNamespace
 		wantsDeploy.ObjectMeta.Labels = nameserverLabels
 		expectEqual(t, fc, wantsDeploy)
diff --git a/k8s-operator/api.md b/k8s-operator/api.md
index 180231bfa..b1c56c068 100644
--- a/k8s-operator/api.md
+++ b/k8s-operator/api.md
@@ -443,6 +443,7 @@ _Appears in:_
 | --- | --- | --- | --- |
 | `image` _[NameserverImage](#nameserverimage)_ | Nameserver image. Defaults to tailscale/k8s-nameserver:unstable. |  |  |
 | `service` _[NameserverService](#nameserverservice)_ | Service configuration. |  |  |
+| `replicas` _integer_ | Replicas specifies how many Pods to create. Defaults to 1. |  | Minimum: 0 <br /> |
 
 
 #### NameserverImage
diff --git a/k8s-operator/apis/v1alpha1/types_tsdnsconfig.go b/k8s-operator/apis/v1alpha1/types_tsdnsconfig.go
index 0b0f1eb5c..4d8d569f6 100644
--- a/k8s-operator/apis/v1alpha1/types_tsdnsconfig.go
+++ b/k8s-operator/apis/v1alpha1/types_tsdnsconfig.go
@@ -84,6 +84,10 @@ type Nameserver struct {
 	// Service configuration.
 	// +optional
 	Service *NameserverService `json:"service,omitempty"`
+	// Replicas specifies how many Pods to create. Defaults to 1.
+	// +optional
+	// +kubebuilder:validation:Minimum=0
+	Replicas *int32 `json:"replicas,omitempty"`
 }
 
 type NameserverImage struct {
diff --git a/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go b/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
index d7a90ad0f..3fd64c28e 100644
--- a/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
+++ b/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
@@ -422,6 +422,11 @@ func (in *Nameserver) DeepCopyInto(out *Nameserver) {
 		*out = new(NameserverService)
 		**out = **in
 	}
+	if in.Replicas != nil {
+		in, out := &in.Replicas, &out.Replicas
+		*out = new(int32)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Nameserver.