Commit graph

11 commits

Author SHA1 Message Date
ecf2aeb4e8 Fix PostgreSQL Tailscale service ProxyClass
- Add proxy-class annotation to use default ProxyClass
- Fixes CRI-O image name resolution issue

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-19 09:16:39 -08:00

9854b4dbee Add Tailscale LoadBalancer for PostgreSQL testing
- Expose k8s-pg.tail8d86e.ts.net for testing during migration
- Temporary service until Phase 4 when pg.tail8d86e.ts.net switches
- Update README with connection info and cleanup notes

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-19 09:14:34 -08:00

d75fdfdad6 Add PostgreSQL cluster manifest for Step 7
- Create blumeops-pg Cluster with CloudNativePG
- Add eblume superuser role (matches current brew pg setup)
- Configure pg_hba for password auth from any IP (Tailscale handles security)
- Add secret template for eblume password from 1Password
- Create ArgoCD Application with manual sync policy
- Update Phase 1 plan with implementation notes

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-19 08:55:08 -08:00

a9a667cd81 Enable ServerSideApply for CloudNativePG
Required to handle large CRDs that exceed the kubectl annotation size limit.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-19 08:11:20 -08:00

1bdfca0f22 Add CloudNativePG operator via ArgoCD (Phase 1 Step 6)
- Add CloudNativePG Application using multi-source Helm pattern
- Helm chart from upstream cloudnative-pg repo
- Values file from our git repo for customization
- Manual sync policy consistent with other workload apps

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-19 08:06:33 -08:00

32d5927838 Add ArgoCD self-management and app-of-apps pattern
- Add argocd CLI to Brewfile
- Create argocd.yaml for ArgoCD self-management (manual sync)
- Create apps.yaml app-of-apps root (auto-sync for Application resources)
- Convert tailscale-operator to kustomize
- Update READMEs with bootstrap steps and ArgoCD CLI commands
- Change all workload Applications to manual sync policy

App-of-apps auto-syncs to pick up new Application manifests, but child
apps require manual sync for actual workload deployments.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-19 07:54:04 -08:00

c47ac189c9 Migrate Tailscale operator to ArgoCD management (Phase 1 Step 5)
Adds ArgoCD Application to manage Tailscale operator from forge:
- ArgoCD Application sourced from internal Forgejo via SSH
- DNS config for cluster-to-tailnet name resolution
- Egress proxy for accessing forge on indri
- ACL grants for k8s workloads to reach forge (ports 3001, 2200)
- Template for repository secret with 1Password SSH key reference

Key discovery: 1Password op read requires ?ssh-format=openssh parameter
to get keys in OpenSSH format that ArgoCD's SSH client can read.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-19 07:12:51 -08:00

d510374432 Fix ArgoCD TLS: use Ingress with Let's Encrypt
- Switch from LoadBalancer to Ingress for automatic TLS certs
- Add ConfigMap patch to disable internal HTTPS redirect
- Tailscale Ingress provides Let's Encrypt certificates

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-18 20:00:27 -08:00

fc72021d6b Add ArgoCD manifests with Tailscale exposure
- Uses kustomize with remote base from upstream ArgoCD
- Adds Tailscale LoadBalancer service for external access
- Exposed at https://argocd.tail8d86e.ts.net

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-18 19:41:59 -08:00

950a3a6cc3 Add ProxyClass for CRI-O image compatibility
CRI-O cannot resolve short image names like 'tailscale/tailscale:stable'.
The ProxyClass 'default' sets fully-qualified image references.

Services must use annotation: tailscale.com/proxy-class: "default"

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-18 18:50:27 -08:00

e017117449 Add Tailscale operator manifests (Phase 1 Step 3)
Added:
- argocd/manifests/tailscale-operator/operator.yaml - from Tailscale repo
  - Removed embedded secret (managed separately)
  - Changed image to docker.io/tailscale/k8s-operator:stable for CRI-O
- argocd/manifests/tailscale-operator/secret.yaml.tpl - 1Password template
- argocd/manifests/tailscale-operator/README.md - deployment instructions
- .yamllint.yaml - exclude third-party operator.yaml files

OAuth client requires tag:k8s-operator on Devices write scope.
The operator assigns tag:k8s to resources it creates via ACL ownership.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-18 18:33:29 -08:00