Restrict flyio-proxy ACLs to dedicated tag:flyio-target endpoints (#126)
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 1m8s
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 1m8s
## Summary - Introduce `tag:flyio-target` so services must explicitly opt in to be reachable by the fly.io proxy - Replace broad `tag:k8s` and `tag:homelab` grants with the new tag in the ACL rule and test - Add `tailscale.com/tags: "tag:k8s,tag:flyio-target"` annotation to docs, loki, and prometheus Ingresses - Switch Alloy push endpoints from `*.ops.eblu.me` (Caddy) to `*.tail8d86e.ts.net` (Tailscale Ingress) - Update docs: flyio-proxy, caddy, tailscale, forgejo (future public access + security checklist), expose-service-publicly ## Manual step (not in PR) Update the k8s operator OAuth client in the Tailscale admin console to include `tag:flyio-target` in its scope. Without this, the operator cannot assign the new tag to Ingress proxy nodes. ## Deployment order 1. **Pulumi ACLs** — `mise run tailnet-preview && mise run tailnet-up` 2. **OAuth client** — Manual update in Tailscale admin console 3. **K8s Ingresses** — `argocd app sync apps && argocd app sync docs loki prometheus` 4. **Fly.io proxy** — `mise run fly-deploy` 5. **Verify** — `mise run services-check`, check Grafana dashboards ## Test plan - [ ] `mise run tailnet-preview` shows clean diff - [ ] `argocd app diff docs`, `argocd app diff loki`, `argocd app diff prometheus` show only annotation additions - [ ] After deploy: Grafana dashboards show continued log/metric flow - [ ] `curl -sf https://docs.eblu.me` returns 200 - [ ] `mise run services-check` passes 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/126
This commit is contained in:
parent
7f41621c7f
commit
e6cf7e47e0
30 changed files with 151 additions and 56 deletions
|
|
@ -61,10 +61,10 @@
|
|||
},
|
||||
|
||||
// --- Fly.io proxy ---
|
||||
// Public reverse proxy can reach k8s services and Caddy on HTTPS
|
||||
// Public reverse proxy can only reach explicitly tagged endpoints
|
||||
{
|
||||
"src": ["tag:flyio-proxy"],
|
||||
"dst": ["tag:k8s", "tag:homelab"],
|
||||
"dst": ["tag:flyio-target"],
|
||||
"ip": ["tcp:443"],
|
||||
},
|
||||
|
||||
|
|
@ -126,6 +126,15 @@
|
|||
},
|
||||
],
|
||||
|
||||
// ============== Auto Approvers ==============
|
||||
// Allow ProxyGroup pods (tag:k8s) to auto-approve VIP Services
|
||||
// Required for multi-cluster Ingress per Tailscale docs
|
||||
"autoApprovers": {
|
||||
"services": {
|
||||
"tag:k8s": ["tag:k8s"],
|
||||
},
|
||||
},
|
||||
|
||||
// ============== Tag Owners ==============
|
||||
"tagOwners": {
|
||||
"tag:blumeops": ["autogroup:admin", "tag:blumeops"],
|
||||
|
|
@ -145,6 +154,7 @@
|
|||
"tag:k8s": ["autogroup:admin", "tag:blumeops", "tag:k8s-operator"],
|
||||
"tag:ci-gateway": ["autogroup:admin", "tag:blumeops"],
|
||||
"tag:flyio-proxy": ["autogroup:admin", "tag:blumeops"],
|
||||
"tag:flyio-target": ["autogroup:admin", "tag:blumeops", "tag:k8s-operator"],
|
||||
},
|
||||
|
||||
// ============== ACL Tests ==============
|
||||
|
|
@ -175,11 +185,11 @@
|
|||
"src": "tag:ci-gateway",
|
||||
"accept": ["tag:registry:443"],
|
||||
},
|
||||
// Fly.io proxy can reach k8s and Caddy on indri (HTTPS only), nothing else
|
||||
// Fly.io proxy can only reach flyio-target tagged endpoints, nothing else
|
||||
{
|
||||
"src": "tag:flyio-proxy",
|
||||
"accept": ["tag:k8s:443", "tag:homelab:443"],
|
||||
"deny": ["tag:homelab:22", "tag:nas:445", "tag:registry:443"],
|
||||
"accept": ["tag:flyio-target:443"],
|
||||
"deny": ["tag:k8s:443", "tag:homelab:443", "tag:homelab:22", "tag:nas:445", "tag:registry:443"],
|
||||
},
|
||||
],
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue