Migrate Tailscale Ingresses to shared ProxyGroup for per-Ingress tagging

The legacy per-Ingress StatefulSet proxy model silently ignores the
tailscale.com/tags annotation, so tag:flyio-target was never applied
to docs/loki/prometheus — breaking the restricted ACL. This adds a
ProxyGroup (type: Ingress, 2 replicas) and annotates all 12 Ingresses
with tailscale.com/proxy-group: "ingress" to enable per-Ingress tag
overrides and restore connectivity.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Erich Blume 2026-02-08 12:13:04 -08:00
commit 756f2dff13
15 changed files with 24 additions and 1 deletions


@ -11,6 +11,7 @@ metadata:
namespace: argocd
annotations:
tailscale.com/proxy-class: "default"
tailscale.com/proxy-group: "ingress"
gethomepage.dev/enabled: "true"
gethomepage.dev/name: "ArgoCD"
gethomepage.dev/group: "Infrastructure"
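Review bot: `tailscale.com/proxy-class: "default"` is kept directly above the new `tailscale.com/proxy-group: "ingress"` annotation, but once an Ingress is served by a ProxyGroup its ProxyClass comes from the group itself (`proxyClass: default` in proxygroup-ingress.yaml), so the per-Ingress annotation appears to be a no-op and invites the next reader to think the class can still be changed per Ingress. The same pair is left in the devpi, docs, grafana, kiwix, miniflux, navidrome, teslamate and torrent sections. Either drop the proxy-class line in each, or add a comment such as `# proxy-class is not used while proxy-group is set; the class comes from the ProxyGroup`; that the operator ignores the annotation in this mode is inferred from its model rather than visible here, so confirm against the operator version in use.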


@ -5,6 +5,7 @@ metadata:
namespace: devpi
annotations:
tailscale.com/proxy-class: "default"
tailscale.com/proxy-group: "ingress"
gethomepage.dev/enabled: "true"
gethomepage.dev/name: "PyPI"
gethomepage.dev/group: "Infrastructure"


@ -6,6 +6,7 @@ metadata:
namespace: docs
annotations:
tailscale.com/proxy-class: "default"
tailscale.com/proxy-group: "ingress"
tailscale.com/tags: "tag:k8s,tag:flyio-target"
gethomepage.dev/enabled: "true"
gethomepage.dev/name: "Docs"


@ -9,6 +9,7 @@ metadata:
namespace: monitoring
annotations:
tailscale.com/proxy-class: "default"
tailscale.com/proxy-group: "ingress"
gethomepage.dev/enabled: "true"
gethomepage.dev/name: "Grafana"
gethomepage.dev/group: "Observability"


@ -8,6 +8,7 @@ metadata:
namespace: immich
annotations:
tailscale.com/funnel: "false"
tailscale.com/proxy-group: "ingress"
gethomepage.dev/enabled: "true"
gethomepage.dev/name: "Immich"
gethomepage.dev/group: "Apps"


@ -6,6 +6,7 @@ metadata:
namespace: kiwix
annotations:
tailscale.com/proxy-class: "default"
tailscale.com/proxy-group: "ingress"
gethomepage.dev/enabled: "true"
gethomepage.dev/name: "Kiwix"
gethomepage.dev/group: "Apps"


@ -7,6 +7,7 @@ metadata:
namespace: monitoring
annotations:
tailscale.com/funnel: "false"
tailscale.com/proxy-group: "ingress"
tailscale.com/tags: "tag:k8s,tag:flyio-target"
gethomepage.dev/enabled: "false"
spec:


@ -5,6 +5,7 @@ metadata:
namespace: miniflux
annotations:
tailscale.com/proxy-class: "default"
tailscale.com/proxy-group: "ingress"
gethomepage.dev/enabled: "true"
gethomepage.dev/name: "Miniflux"
gethomepage.dev/group: "Apps"


@ -6,6 +6,7 @@ metadata:
namespace: navidrome
annotations:
tailscale.com/proxy-class: "default"
tailscale.com/proxy-group: "ingress"
gethomepage.dev/enabled: "true"
gethomepage.dev/name: "DJ"
gethomepage.dev/group: "Apps"


@ -7,6 +7,7 @@ metadata:
namespace: monitoring
annotations:
tailscale.com/funnel: "false"
tailscale.com/proxy-group: "ingress"
tailscale.com/tags: "tag:k8s,tag:flyio-target"
gethomepage.dev/enabled: "true"
gethomepage.dev/name: "Prometheus"


@ -6,6 +6,7 @@ namespace: tailscale
resources:
- operator.yaml
- proxyclass.yaml
- proxygroup-ingress.yaml
- dnsconfig.yaml
- egress-forge.yaml
- external-secret.yaml


@ -0,0 +1,10 @@
apiVersion: tailscale.com/v1alpha1
kind: ProxyGroup
metadata:
name: ingress
spec:
type: Ingress
replicas: 2
proxyClass: default
tags:
- tag:k8s
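Review bot: `type: Ingress` in the ProxyGroup spec may be rejected at admission: the operator's `spec.type` enum is, to my recollection, lowercase (`ingress` / `egress`), and if so the group never reconciles and all 12 Ingresses that now name `ingress` are left without any proxy — verify against the installed CRD and use `type: ingress` if that is the case. The `tags` list at the end is the default tag set for every Service this group fronts, and docs, loki and prometheus replace it through their `tailscale.com/tags` annotation; every tag used in either place, including `tag:flyio-target`, has to be ownable by the operator's tag under the tailnet's `tagOwners`, otherwise the Service for those three Ingresses is not created and the restricted ACL has nothing to match. Worth recording that constraint in the file, e.g. `# Default tags for Services fronted by this group; per-Ingress tailscale.com/tags overrides must be tags the operator may own.`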


@ -5,6 +5,7 @@ metadata:
namespace: teslamate
annotations:
tailscale.com/proxy-class: "default"
tailscale.com/proxy-group: "ingress"
gethomepage.dev/enabled: "true"
gethomepage.dev/name: "TeslaMate"
gethomepage.dev/group: "Apps"


@ -6,6 +6,7 @@ metadata:
namespace: torrent
annotations:
tailscale.com/proxy-class: "default"
tailscale.com/proxy-group: "ingress"
gethomepage.dev/enabled: "true"
gethomepage.dev/name: "Transmission"
gethomepage.dev/group: "Apps"


@ -1 +1 @@
Restrict fly.io proxy ACLs to dedicated `tag:flyio-target` endpoints instead of broad `tag:k8s` and `tag:homelab` grants. Alloy now pushes logs/metrics directly to Loki and Prometheus via Tailscale Ingress, bypassing Caddy.
Restrict fly.io proxy ACLs to dedicated `tag:flyio-target` endpoints instead of broad `tag:k8s` and `tag:homelab` grants. Alloy now pushes logs/metrics directly to Loki and Prometheus via Tailscale Ingress, bypassing Caddy. Migrate all Tailscale Ingresses to a shared ProxyGroup to enable per-Ingress tag overrides (`tag:flyio-target` on docs, loki, prometheus).