C1: mirror tailscale container locally for ringtail proxyclass #347

Merged

eblume merged 3 commits from mirror-tailscale-container into main

2026-05-06 06:50:42 -07:00

eblume commented

2026-05-06 06:43:30 -07:00

Owner

Summary

Adds the first cut of a local nix build for docker.io/tailscale/tailscale and rewires only the ringtail tailscale-operator overlay to use it. Indri's overlay continues pulling upstream — minikube on indri is being decommissioned in favor of ringtail's k3s, so investing in dual-cluster routing here would be wasted churn.

Changes

containers/tailscale/default.nix — buildGoModule over cmd/tailscale, cmd/tailscaled, cmd/containerboot; packaged via dockerTools.buildLayeredImage with cacert, iptables (legacy symlink to match upstream Synology compat), iproute2, tzdata, busybox.
argocd/manifests/tailscale-operator-ringtail/kustomization.yaml — kustomize images: rewrite swapping docker.io/tailscale/tailscale → registry.ops.eblu.me/blumeops/tailscale:v1.94.2-67af7a8-nix.
docs/changelog.d/mirror-tailscale-container.infra.md — fragment.

Pin rationale

v1.94.2 matches service-versions.yaml:96 and the current ProxyClass exactly — this PR is "make it local," not "upgrade tailscale." Version bumps come as follow-up C0/C1 changes once we decide to test newer (v1.96.x had a Fly-side MagicDNS regression; v1.98.0 is current upstream stable).

Test plan

Image built successfully on ringtail nix-container-builder (run #528).
Image visible in registry: registry.ops.eblu.me/blumeops/tailscale:v1.94.2-67af7a8-nix.
Deploy from branch: argocd app set tailscale-operator-ringtail --revision mirror-tailscale-container && argocd app sync tailscale-operator-ringtail.
Verify proxy pods restart with new image and existing tailnet ingresses (e.g., authentik, immich, tempo) keep resolving.
After merge: rebuild on main SHA, update kustomization, run services-check.

🤖 Generated with Claude Code

## Summary Adds the first cut of a local nix build for `docker.io/tailscale/tailscale` and rewires only the ringtail tailscale-operator overlay to use it. Indri's overlay continues pulling upstream — minikube on indri is being decommissioned in favor of ringtail's k3s, so investing in dual-cluster routing here would be wasted churn. ## Changes - `containers/tailscale/default.nix` — `buildGoModule` over `cmd/tailscale`, `cmd/tailscaled`, `cmd/containerboot`; packaged via `dockerTools.buildLayeredImage` with `cacert`, `iptables` (legacy symlink to match upstream Synology compat), `iproute2`, `tzdata`, `busybox`. - `argocd/manifests/tailscale-operator-ringtail/kustomization.yaml` — kustomize `images:` rewrite swapping `docker.io/tailscale/tailscale` → `registry.ops.eblu.me/blumeops/tailscale:v1.94.2-67af7a8-nix`. - `docs/changelog.d/mirror-tailscale-container.infra.md` — fragment. ## Pin rationale v1.94.2 matches `service-versions.yaml:96` and the current ProxyClass exactly — this PR is "make it local," not "upgrade tailscale." Version bumps come as follow-up C0/C1 changes once we decide to test newer (v1.96.x had a Fly-side MagicDNS regression; v1.98.0 is current upstream stable). ## Test plan - [x] Image built successfully on ringtail nix-container-builder (run #528). - [x] Image visible in registry: `registry.ops.eblu.me/blumeops/tailscale:v1.94.2-67af7a8-nix`. - [ ] Deploy from branch: `argocd app set tailscale-operator-ringtail --revision mirror-tailscale-container && argocd app sync tailscale-operator-ringtail`. - [ ] Verify proxy pods restart with new image and existing tailnet ingresses (e.g., authentik, immich, tempo) keep resolving. - [ ] After merge: rebuild on main SHA, update kustomization, run `services-check`. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

eblume added 2 commits

2026-05-06 06:43:30 -07:00

C1: add containers/tailscale (nix) for ringtail proxyclass 67af7a8e60

Local mirror of docker.io/tailscale/tailscale, pinned at v1.94.2 to match
service-versions.yaml and current ringtail proxyclass. Nix-only build via
ringtail's nix-container-builder runner; mirrors upstream Dockerfile
contents (tailscale, tailscaled, containerboot binaries plus iptables,
iproute2, ca-certificates).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

C1: rewrite ringtail proxyclass image to local tailscale container 3bc9990355

Adds a kustomize images: rewrite scoped to tailscale-operator-ringtail,
pointing docker.io/tailscale/tailscale at registry.ops.eblu.me's
v1.94.2-67af7a8-nix build. Indri's tailscale-operator overlay is
unchanged — it continues pulling upstream until the k3s migration
retires the indri minikube cluster.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

eblume added 1 commit

2026-05-06 06:46:44 -07:00

C1: switch to strategic merge patch for proxyclass image rewrite 4381e1d86f

Kustomize's images: directive only rewrites image fields on built-in k8s
kinds (Pod, Deployment, etc.), not on custom resources like ProxyClass.
The first attempt left the rendered ProxyClass pointing at upstream
docker.io. Replaces it with a strategic merge patch over
spec.statefulSet.pod.tailscale{Container,InitContainer}.image.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>