Expose Kubernetes API as Tailscale service (Step 0.14) (#27)

## Summary - Add `tag:k8s-api` to Pulumi ACLs and indri device tags - Configure Tailscale serve with TCP passthrough for k8s API at `k8s.tail8d86e.ts.net` - Update minikube role to include `k8s.tail8d86e.ts.net` in certificate SANs - Add `apiserver_port` config option (internal port 6443, dynamic host port with podman driver) - Document Step 0.14 in k8s-migration plan (added post-Phase 0 completion) The Kubernetes API is now accessible at `https://k8s.tail8d86e.ts.net` using TCP passthrough to preserve mTLS authentication. ## Deployment and Testing - [x] Pulumi ACLs applied - [x] Tailscale service created and approved in admin console - [x] Minikube cluster recreated with new cert SANs - [x] tailscale serve configured with TCP passthrough - [x] 1Password credentials updated with new certs - [x] Kubeconfig updated on gilbert - [x] `mise run indri-services-check` passes - [x] `kubectl --context=minikube-indri get nodes` works via Tailscale 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/27
2026-01-18 12:49:20 -08:00 · 2026-01-18 12:49:20 -08:00 · 3679124ebd
commit 3679124ebd
parent 19a82373d5
6 changed files with 246 additions and 3 deletions
--- a/ansible/roles/minikube/defaults/main.yml
+++ b/ansible/roles/minikube/defaults/main.yml
@ -9,6 +9,12 @@ minikube_container_runtime: cri-o

 # Remote access configuration
 # These allow kubectl from other machines (e.g., gilbert) to connect
+# k8s.tail8d86e.ts.net is exposed via Tailscale service (TCP passthrough)
 minikube_apiserver_names:
+  - k8s.tail8d86e.ts.net
  - indri
+# Note: apiserver_port is the INTERNAL container port; with podman driver,
+# the host port is dynamically assigned. Check actual port with:
+#   kubectl config view --minify -o jsonpath="{.clusters[0].cluster.server}"
+minikube_apiserver_port: 6443
 minikube_listen_address: "0.0.0.0"
--- a/ansible/roles/minikube/tasks/main.yml
+++ b/ansible/roles/minikube/tasks/main.yml
@ -6,7 +6,8 @@
 # If cluster fails to start, manually run on indri:
 #   minikube start --driver=podman --container-runtime=cri-o \
 #     --cpus=4 --memory=7800 --disk-size=200g \
-#     --apiserver-names=indri --listen-address=0.0.0.0
+#     --apiserver-names=k8s.tail8d86e.ts.net --apiserver-names=indri \
+#     --apiserver-port=6443 --listen-address=0.0.0.0

 - name: Install minikube via homebrew
  community.general.homebrew:
@ -37,6 +38,7 @@
      {% for name in minikube_apiserver_names %}
      --apiserver-names={{ name }}
      {% endfor %}
+      --apiserver-port={{ minikube_apiserver_port }}
      --listen-address={{ minikube_listen_address }}
  register: minikube_start
  changed_when: minikube_start.rc == 0
--- a/ansible/roles/tailscale_serve/defaults/main.yml
+++ b/ansible/roles/tailscale_serve/defaults/main.yml
@ -40,3 +40,11 @@ tailscale_serve_services:
    https:
      port: 443
      upstream: http://localhost:5050
+
+  # Kubernetes API server (TCP passthrough for mTLS)
+  # NOTE: Port is dynamic with podman driver - check with:
+  #   ssh indri "kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'"
+  - name: svc:k8s
+    tcp:
+      port: 443
+      upstream: tcp://localhost:44491