From f028efbdf9ee3a3a80761911ee4b57058efd66d3 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Thu, 19 Feb 2026 09:32:13 -0800
Subject: [PATCH] Allow k8s-operator OAuth client to self-assign
 tag:k8s-operator

The tagOwners for tag:k8s-operator didn't include tag:k8s-operator
itself, so the OAuth client (tagged tag:k8s-operator) couldn't create
auth keys for its own tag. Indri worked only due to cached login state.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 pulumi/tailscale/policy.hujson | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pulumi/tailscale/policy.hujson b/pulumi/tailscale/policy.hujson
index e24ca48..e6ddb85 100644
--- a/pulumi/tailscale/policy.hujson
+++ b/pulumi/tailscale/policy.hujson
@@ -158,7 +158,7 @@
 		"tag:feed": ["autogroup:admin", "tag:blumeops"],
 		"tag:registry": ["autogroup:admin", "tag:blumeops"],
 		"tag:k8s-api": ["autogroup:admin", "tag:blumeops"],
-		"tag:k8s-operator": ["autogroup:admin", "tag:blumeops"],
+		"tag:k8s-operator": ["autogroup:admin", "tag:blumeops", "tag:k8s-operator"],
 		"tag:k8s": ["autogroup:admin", "tag:blumeops", "tag:k8s-operator"],
 		"tag:ci-gateway": ["autogroup:admin", "tag:blumeops"],
 		"tag:flyio-proxy": ["autogroup:admin", "tag:blumeops"],