blumeops/argocd/manifests/tailscale-operator/README.md

# Tailscale Kubernetes Operator

Manifests for the Tailscale Kubernetes Operator, managed via ArgoCD.

## Source

- `operator.yaml` - Static manifest from https://github.com/tailscale/tailscale/tree/main/cmd/k8s-operator/deploy/manifests
- Secret block removed from `operator.yaml` - managed separately via `secret.yaml.tpl`
- Image reference changed to fully-qualified `docker.io/tailscale/k8s-operator:stable`

## Prerequisites

1. OAuth client in Tailscale admin console with:
   - Devices: Core (Read & Write) - tag: `tag:k8s-operator`
   - Auth Keys: Read & Write
   - Services: Write
2. ACL with `tag:k8s-operator` owning `tag:k8s` (so operator can tag resources it creates)

## Manual Bootstrap (Before ArgoCD)

Tailscale operator must be deployed before ArgoCD since ArgoCD uses Tailscale for ingress.

```bash
# 1. Create namespace
kubectl create namespace tailscale

# 2. Apply OAuth secret (uses 1Password)
op inject -i argocd/manifests/tailscale-operator/secret.yaml.tpl | kubectl apply -f -

# 3. Apply manifests via kustomize
kubectl apply -k argocd/manifests/tailscale-operator/
```

## Ongoing Management (After ArgoCD)

Once ArgoCD is running, the operator is managed by the `tailscale-operator` ArgoCD Application.
ArgoCD pulls manifests from forge and applies them automatically.

## ArgoCD CLI Commands

```bash
# Check application status
argocd app get tailscale-operator

# Trigger a sync (pull latest from forge and apply)
argocd app sync tailscale-operator

# Preview what would change without applying
argocd app diff tailscale-operator

# View deployment history
argocd app history tailscale-operator

# Hard refresh (clear cache and re-fetch from git)
argocd app get tailscale-operator --hard-refresh
```

## Verification

```bash
# Check operator pod is running
kubectl get pods -n tailscale

# Check operator logs
kubectl logs -n tailscale -l app.kubernetes.io/name=operator
```

## Files

| File | Description |
|------|-------------|
| `kustomization.yaml` | Kustomize configuration for all manifests |
| `operator.yaml` | Operator deployment, CRDs, RBAC (secret removed) |
| `proxyclass.yaml` | ProxyClass with fully-qualified images |
| `dnsconfig.yaml` | DNSConfig for cluster-to-tailnet name resolution |
| `egress-forge.yaml` | Egress proxy for accessing forge on indri |
| `secret.yaml.tpl` | 1Password template for OAuth credentials (manual) |
| `README.md` | This file |

## Notes

- **TODO:** The OAuth secret (`operator-oauth`) is not managed by ArgoCD and must be applied
  manually. Future improvement: integrate with a secrets operator (e.g., External Secrets).
- Services using the Tailscale LoadBalancer should reference the ProxyClass:
  ```yaml
  annotations:
    tailscale.com/proxy-class: "default"
  ```
- The egress proxy for forge targets `indri.tail8d86e.ts.net` directly (not `forge.tail8d86e.ts.net`)
  because Tailscale Serve hostnames are virtual and only work via the Tailscale client.
K8s Migration Phase 1: Infrastructure Setup (#29) ## Summary - Split k8s migration plan into phases folder for easier navigation - Added `tag:k8s` to Pulumi ACLs for Kubernetes workloads - Phase 1 work in progress ## Phase 1 Goals - Tailscale Kubernetes Operator - CloudNativePG Operator - PostgreSQL cluster for future app migrations ## Deployment and Testing - [ ] Review Phase 1 plan - [ ] `mise run tailnet-preview` to verify ACL changes - [ ] `mise run tailnet-up` to apply ACL changes - [ ] Create Tailscale OAuth client (manual) - [ ] Deploy operators and PostgreSQL cluster 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/29 2026-01-19 09:49:52 -08:00			`# Tailscale Kubernetes Operator`

			`Manifests for the Tailscale Kubernetes Operator, managed via ArgoCD.`

			`## Source`

			- `operator.yaml` - Static manifest from https://github.com/tailscale/tailscale/tree/main/cmd/k8s-operator/deploy/manifests
			- Secret block removed from `operator.yaml` - managed separately via `secret.yaml.tpl`
P5.1: Migrate minikube from podman to QEMU2 driver (#38) ## Summary - Migrate minikube from podman driver to qemu2 driver for proper NFS/SMB volume mount support - Update ansible minikube role with qemu installation and containerd runtime - Remove podman role dependency from indri.yml - Add synology user creation steps and post-migration zot reconfiguration notes ## Why Phase 6 (Kiwix/Transmission migration) was blocked because the podman driver lacks kernel capabilities for filesystem mounts. QEMU2 creates an actual VM with full mount support. ## Deployment and Testing - [ ] Create k8s-storage user on Synology DSM - [ ] Store credentials in 1Password (synology-k8s-storage) - [ ] Export current k8s state - [ ] Stop and delete podman-based minikube cluster - [ ] Run ansible to create QEMU2 cluster - [ ] Test NFS volume mount with test pod - [ ] Redeploy ArgoCD and all apps - [ ] Verify all services healthy - [ ] Reconfigure zot registry mirrors for containerd (post-migration) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/38 2026-01-21 16:03:37 -08:00			- Image reference changed to fully-qualified `docker.io/tailscale/k8s-operator:stable`
K8s Migration Phase 1: Infrastructure Setup (#29) ## Summary - Split k8s migration plan into phases folder for easier navigation - Added `tag:k8s` to Pulumi ACLs for Kubernetes workloads - Phase 1 work in progress ## Phase 1 Goals - Tailscale Kubernetes Operator - CloudNativePG Operator - PostgreSQL cluster for future app migrations ## Deployment and Testing - [ ] Review Phase 1 plan - [ ] `mise run tailnet-preview` to verify ACL changes - [ ] `mise run tailnet-up` to apply ACL changes - [ ] Create Tailscale OAuth client (manual) - [ ] Deploy operators and PostgreSQL cluster 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/29 2026-01-19 09:49:52 -08:00
			`## Prerequisites`

			`1. OAuth client in Tailscale admin console with:`
			- Devices: Core (Read & Write) - tag: `tag:k8s-operator`
			`- Auth Keys: Read & Write`
			`- Services: Write`
			2. ACL with `tag:k8s-operator` owning `tag:k8s` (so operator can tag resources it creates)

			`## Manual Bootstrap (Before ArgoCD)`

			`Tailscale operator must be deployed before ArgoCD since ArgoCD uses Tailscale for ingress.`

			```bash
			`# 1. Create namespace`
			`kubectl create namespace tailscale`

			`# 2. Apply OAuth secret (uses 1Password)`
			`op inject -i argocd/manifests/tailscale-operator/secret.yaml.tpl \| kubectl apply -f -`

			`# 3. Apply manifests via kustomize`
			`kubectl apply -k argocd/manifests/tailscale-operator/`
			```

			`## Ongoing Management (After ArgoCD)`

			Once ArgoCD is running, the operator is managed by the `tailscale-operator` ArgoCD Application.
			`ArgoCD pulls manifests from forge and applies them automatically.`

			`## ArgoCD CLI Commands`

			```bash
			`# Check application status`
			`argocd app get tailscale-operator`

			`# Trigger a sync (pull latest from forge and apply)`
			`argocd app sync tailscale-operator`

			`# Preview what would change without applying`
			`argocd app diff tailscale-operator`

			`# View deployment history`
			`argocd app history tailscale-operator`

			`# Hard refresh (clear cache and re-fetch from git)`
			`argocd app get tailscale-operator --hard-refresh`
			```

			`## Verification`

			```bash
			`# Check operator pod is running`
			`kubectl get pods -n tailscale`

			`# Check operator logs`
			`kubectl logs -n tailscale -l app.kubernetes.io/name=operator`
			```

			`## Files`

			`\| File \| Description \|`
			`\|------\|-------------\|`
			\| `kustomization.yaml` \| Kustomize configuration for all manifests \|
			\| `operator.yaml` \| Operator deployment, CRDs, RBAC (secret removed) \|
P5.1: Migrate minikube from podman to QEMU2 driver (#38) ## Summary - Migrate minikube from podman driver to qemu2 driver for proper NFS/SMB volume mount support - Update ansible minikube role with qemu installation and containerd runtime - Remove podman role dependency from indri.yml - Add synology user creation steps and post-migration zot reconfiguration notes ## Why Phase 6 (Kiwix/Transmission migration) was blocked because the podman driver lacks kernel capabilities for filesystem mounts. QEMU2 creates an actual VM with full mount support. ## Deployment and Testing - [ ] Create k8s-storage user on Synology DSM - [ ] Store credentials in 1Password (synology-k8s-storage) - [ ] Export current k8s state - [ ] Stop and delete podman-based minikube cluster - [ ] Run ansible to create QEMU2 cluster - [ ] Test NFS volume mount with test pod - [ ] Redeploy ArgoCD and all apps - [ ] Verify all services healthy - [ ] Reconfigure zot registry mirrors for containerd (post-migration) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/38 2026-01-21 16:03:37 -08:00			\| `proxyclass.yaml` \| ProxyClass with fully-qualified images \|
K8s Migration Phase 1: Infrastructure Setup (#29) ## Summary - Split k8s migration plan into phases folder for easier navigation - Added `tag:k8s` to Pulumi ACLs for Kubernetes workloads - Phase 1 work in progress ## Phase 1 Goals - Tailscale Kubernetes Operator - CloudNativePG Operator - PostgreSQL cluster for future app migrations ## Deployment and Testing - [ ] Review Phase 1 plan - [ ] `mise run tailnet-preview` to verify ACL changes - [ ] `mise run tailnet-up` to apply ACL changes - [ ] Create Tailscale OAuth client (manual) - [ ] Deploy operators and PostgreSQL cluster 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/29 2026-01-19 09:49:52 -08:00			\| `dnsconfig.yaml` \| DNSConfig for cluster-to-tailnet name resolution \|
			\| `egress-forge.yaml` \| Egress proxy for accessing forge on indri \|
			\| `secret.yaml.tpl` \| 1Password template for OAuth credentials (manual) \|
			\| `README.md` \| This file \|

			`## Notes`

			- TODO: The OAuth secret (`operator-oauth`) is not managed by ArgoCD and must be applied
			`manually. Future improvement: integrate with a secrets operator (e.g., External Secrets).`
P5.1: Migrate minikube from podman to QEMU2 driver (#38) ## Summary - Migrate minikube from podman driver to qemu2 driver for proper NFS/SMB volume mount support - Update ansible minikube role with qemu installation and containerd runtime - Remove podman role dependency from indri.yml - Add synology user creation steps and post-migration zot reconfiguration notes ## Why Phase 6 (Kiwix/Transmission migration) was blocked because the podman driver lacks kernel capabilities for filesystem mounts. QEMU2 creates an actual VM with full mount support. ## Deployment and Testing - [ ] Create k8s-storage user on Synology DSM - [ ] Store credentials in 1Password (synology-k8s-storage) - [ ] Export current k8s state - [ ] Stop and delete podman-based minikube cluster - [ ] Run ansible to create QEMU2 cluster - [ ] Test NFS volume mount with test pod - [ ] Redeploy ArgoCD and all apps - [ ] Verify all services healthy - [ ] Reconfigure zot registry mirrors for containerd (post-migration) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/38 2026-01-21 16:03:37 -08:00			`- Services using the Tailscale LoadBalancer should reference the ProxyClass:`
K8s Migration Phase 1: Infrastructure Setup (#29) ## Summary - Split k8s migration plan into phases folder for easier navigation - Added `tag:k8s` to Pulumi ACLs for Kubernetes workloads - Phase 1 work in progress ## Phase 1 Goals - Tailscale Kubernetes Operator - CloudNativePG Operator - PostgreSQL cluster for future app migrations ## Deployment and Testing - [ ] Review Phase 1 plan - [ ] `mise run tailnet-preview` to verify ACL changes - [ ] `mise run tailnet-up` to apply ACL changes - [ ] Create Tailscale OAuth client (manual) - [ ] Deploy operators and PostgreSQL cluster 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/29 2026-01-19 09:49:52 -08:00			```yaml
			`annotations:`
P5.1: Migrate minikube from podman to QEMU2 driver (#38) ## Summary - Migrate minikube from podman driver to qemu2 driver for proper NFS/SMB volume mount support - Update ansible minikube role with qemu installation and containerd runtime - Remove podman role dependency from indri.yml - Add synology user creation steps and post-migration zot reconfiguration notes ## Why Phase 6 (Kiwix/Transmission migration) was blocked because the podman driver lacks kernel capabilities for filesystem mounts. QEMU2 creates an actual VM with full mount support. ## Deployment and Testing - [ ] Create k8s-storage user on Synology DSM - [ ] Store credentials in 1Password (synology-k8s-storage) - [ ] Export current k8s state - [ ] Stop and delete podman-based minikube cluster - [ ] Run ansible to create QEMU2 cluster - [ ] Test NFS volume mount with test pod - [ ] Redeploy ArgoCD and all apps - [ ] Verify all services healthy - [ ] Reconfigure zot registry mirrors for containerd (post-migration) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/38 2026-01-21 16:03:37 -08:00			`tailscale.com/proxy-class: "default"`
K8s Migration Phase 1: Infrastructure Setup (#29) ## Summary - Split k8s migration plan into phases folder for easier navigation - Added `tag:k8s` to Pulumi ACLs for Kubernetes workloads - Phase 1 work in progress ## Phase 1 Goals - Tailscale Kubernetes Operator - CloudNativePG Operator - PostgreSQL cluster for future app migrations ## Deployment and Testing - [ ] Review Phase 1 plan - [ ] `mise run tailnet-preview` to verify ACL changes - [ ] `mise run tailnet-up` to apply ACL changes - [ ] Create Tailscale OAuth client (manual) - [ ] Deploy operators and PostgreSQL cluster 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/29 2026-01-19 09:49:52 -08:00			```
			- The egress proxy for forge targets `indri.tail8d86e.ts.net` directly (not `forge.tail8d86e.ts.net`)
			`because Tailscale Serve hostnames are virtual and only work via the Tailscale client.`