From 17dac7ea278c049a4c3cd672d383ad87ab86a069 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Tue, 3 Mar 2026 08:17:24 -0800
Subject: [PATCH] =?UTF-8?q?Fix=20forge=20ExternalName=20=E2=86=92=20Cluste?=
 =?UTF-8?q?rIP+Endpoints=20for=20Tailscale=20Ingress?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Tailscale ingress operator requires backends with a ClusterIP.
ExternalName services don't have one, causing "invalid ClusterIP"
errors. Replace with a headless Service + manual Endpoints pointing
to indri's Tailscale IP (100.98.163.89).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .../svc-forge-external.yaml                   | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/argocd/manifests/tailscale-operator/svc-forge-external.yaml b/argocd/manifests/tailscale-operator/svc-forge-external.yaml
index 2812acf..9dbcade 100644
--- a/argocd/manifests/tailscale-operator/svc-forge-external.yaml
+++ b/argocd/manifests/tailscale-operator/svc-forge-external.yaml
@@ -1,13 +1,28 @@
 ---
+# Headless service + manual Endpoints to route to Forgejo on indri.
+# ExternalName services don't have a ClusterIP, which the Tailscale
+# ingress operator requires. This pattern creates a real ClusterIP
+# that forwards to indri's Tailscale IP.
 apiVersion: v1
 kind: Service
 metadata:
   name: forge-external
   namespace: tailscale
 spec:
-  type: ExternalName
-  externalName: indri.tail8d86e.ts.net
   ports:
     - name: http
       port: 3001
       protocol: TCP
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: forge-external
+  namespace: tailscale
+subsets:
+  - addresses:
+      - ip: 100.98.163.89
+    ports:
+      - name: http
+        port: 3001
+        protocol: TCP