From fb632036e38dc5f2e0b32d5d99513f4dfb15ffa2 Mon Sep 17 00:00:00 2001
From: Maisem Ali
Date: Tue, 12 Dec 2023 00:51:20 +0500
Subject: [PATCH] cmd/k8s-operator: drop https:// in capName

Add the new format but keep respecting the old one.

Updates #4217

Signed-off-by: Maisem Ali
---
 cmd/k8s-operator/proxy.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/cmd/k8s-operator/proxy.go b/cmd/k8s-operator/proxy.go
index 6de1f71e2..9a6526cc9 100644
--- a/cmd/k8s-operator/proxy.go
+++ b/cmd/k8s-operator/proxy.go
@@ -218,7 +218,10 @@ func runAPIServerProxy(s *tsnet.Server, rt http.RoundTripper, log *zap.SugaredLo
 }
 }
 
-const capabilityName = "https://tailscale.com/cap/kubernetes"
+const (
+ capabilityName = "tailscale.com/cap/kubernetes"
+ oldCapabilityName = "https://" + capabilityName
+)
 
 type capRule struct {
 // Impersonate is a list of rules that specify how to impersonate the caller
@@ -239,6 +242,10 @@ func addImpersonationHeaders(r *http.Request, log *zap.SugaredLogger) error {
 log = log.With("remote", r.RemoteAddr)
 who := whoIsFromRequest(r)
 rules, err := tailcfg.UnmarshalCapJSON[capRule](who.CapMap, capabilityName)
+ if len(rules) == 0 && err == nil {
+ // Try the old capability name for backwards compatibility.
+ rules, err = tailcfg.UnmarshalCapJSON[capRule](who.CapMap, oldCapabilityName)
+ }
 if err != nil {
 return fmt.Errorf("failed to unmarshal capability: %v", err)
 }
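Review bot: The new const block in the first hunk has no comment saying which name is canonical and that `oldCapabilityName` is accepted only for backwards compatibility. These strings select the grant that carries the impersonation rules, so a later reader should not have to find the commit message to learn that. I would add `// capabilityName is the peer capability that carries the impersonation rules.` above the first constant and `// oldCapabilityName is the deprecated https://-prefixed form, still accepted until policies have migrated.` above the second.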
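Review bot: The fallback condition `len(rules) == 0 && err == nil` in addImpersonationHeaders cannot tell a caller with no grant under the new name from one whose new-name grant is present but yields no rules. In the second case, as far as the hunk shows, a leftover `https://`-prefixed grant still decides which impersonation headers are set. If who.CapMap is a map keyed by capability name, testing presence is tighter: `if _, ok := who.CapMap[capabilityName]; !ok && err == nil {`. The comment should also say that the new name wins outright and the two rule sets are never merged, and a log line when the old name is the one that matched would let operators find remaining users of the deprecated form. The function body starts and ends outside the hunk.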