Add autoApprovers for VIP services, revert Alloy to Caddy endpoints

- Add autoApprovers so ProxyGroup pods (tag:k8s) can auto-approve VIP service routes, as required by Tailscale multi-cluster Ingress docs - Revert Alloy endpoints from direct Tailscale Ingress back to Caddy (*.ops.eblu.me) to decouple observability from VIP routing - Update changelog to reflect final state Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-08 21:40:58 -08:00 · 2026-02-08 21:40:58 -08:00 · 5b464eaf60
commit 5b464eaf60
parent d1885083fc
3 changed files with 14 additions and 5 deletions
--- a/docs/changelog.d/restrict-flyio-proxy-acl.infra.md
+++ b/docs/changelog.d/restrict-flyio-proxy-acl.infra.md
@ -1 +1 @@
-Restrict fly.io proxy ACLs to dedicated `tag:flyio-target` endpoints instead of broad `tag:k8s` and `tag:homelab` grants. Alloy now pushes logs/metrics directly to Loki and Prometheus via Tailscale Ingress, bypassing Caddy. Migrate all Tailscale Ingresses to a shared ProxyGroup to enable per-Ingress tag overrides (`tag:flyio-target` on docs, loki, prometheus).
+Restrict fly.io proxy ACLs to dedicated `tag:flyio-target` endpoints instead of broad `tag:k8s` and `tag:homelab` grants. Migrate all Tailscale Ingresses to a shared ProxyGroup with per-Ingress tag overrides (`tag:flyio-target` on docs, loki, prometheus). Add `autoApprovers` for VIP service routes. Enable `--accept-routes` on indri for ProxyGroup VIP routing.
--- a/fly/alloy.river
+++ b/fly/alloy.river
@ -94,10 +94,10 @@ loki.relabel "instance" {
  }
 }

-// Write logs to Loki via Tailscale Ingress (direct, bypasses Caddy)
+// Write logs to Loki via Caddy reverse proxy
 loki.write "loki" {
  endpoint {
-    url = "https://loki.tail8d86e.ts.net/loki/api/v1/push"
+    url = "https://loki.ops.eblu.me/loki/api/v1/push"
  }
 }

@ -134,9 +134,9 @@ prometheus.relabel "instance" {
  }
 }

-// Push metrics to Prometheus via Tailscale Ingress (direct, bypasses Caddy)
+// Push metrics to Prometheus via Caddy reverse proxy
 prometheus.remote_write "prometheus" {
  endpoint {
-    url = "https://prometheus.tail8d86e.ts.net/api/v1/write"
+    url = "https://prometheus.ops.eblu.me/api/v1/write"
  }
 }
--- a/pulumi/tailscale/policy.hujson
+++ b/pulumi/tailscale/policy.hujson
@ -126,6 +126,15 @@
 		},
 	],

+	// ============== Auto Approvers ==============
+	// Allow ProxyGroup pods (tag:k8s) to auto-approve VIP Services
+	// Required for multi-cluster Ingress per Tailscale docs
+	"autoApprovers": {
+		"services": {
+			"tag:k8s": ["tag:k8s"],
+		},
+	},
+
 	// ============== Tag Owners ==============
 	"tagOwners": {
 		"tag:blumeops": ["autogroup:admin", "tag:blumeops"],