Localize the Tailscale operator stack (k8s-operator + indri ProxyClass) #374

Merged
eblume merged 2 commits from localize-tailscale-operator into main 2026-06-09 17:45:31 -07:00
Owner

Weekly non-local-container task: localize the Tailscale operator stack on both clusters.

What

  • containers/tailscale-operator/ (new) — builds cmd/k8s-operator v1.94.2 from the forge mirror, mirroring upstream's mkctr recipe (/usr/local/bin/operator, ts_kube,ts_package_container go tags, version stamps). container.py (dagger) for indri/arm64; default.nix for ringtail/amd64.
  • containers/tailscale/container.py (new) — dagger/arm64 build of the proxy image (containerboot), mirroring the upstream Dockerfile (iptables-legacy symlinks, /tailscale/run.sh compat). Ringtail already consumes the existing nix build; this completes parity for indri.
  • Version pinned at v1.94.2 (same as currently deployed) — this PR is a pure supply-chain swap, no version change. v1.96.x is avoided deliberately (MagicDNS-in-containers regression).
  • Docs-first: tailscale-operator card gains Local Images and Rollout Safety sections.

Rollout plan (after image builds)

  1. Manifest commit: per-overlay images: override for the operator + ProxyClass strategic-merge patch on indri (kustomize images: can't touch CR fields).
  2. argocd app set tailscale-operator --revision <branch> && argocd app sync — indri first, verify, then ringtail.
  3. Shadow-device safety: device identity lives in the tailscale state Secrets; an image swap re-uses existing node keys, so no -1 clones. State Secrets are not touched. Post-sync verification: pod health, device names unchanged, mise run services-check.

Follow-ups (not this PR)

  • dnsconfig nameserver image (tailscale/k8s-nameserver:stable) still upstream.

🤖 Generated with Claude Code

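As an added illustration (not a manifest from this PR), this is the shape of the indri overlay that step 1 of the rollout plan describes: an `images:` override for the operator Deployment plus a strategic-merge patch for the proxy image inside the ProxyClass. The base path, registry host, tags and the ProxyClass name are assumptions.

```yaml
# kustomization.yaml for the indri overlay (added illustration; paths,
# registry host, tags and ProxyClass name are assumptions)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base   # assumed location of the shared operator manifests

images:
  # Rewrites the image of the operator Deployment's container. The images
  # transformer does not reach the image field inside the ProxyClass CR,
  # hence the separate patch below.
  - name: tailscale/k8s-operator
    newName: forge.example.invalid/containers/tailscale-operator  # placeholder registry
    newTag: v1.94.2-arm64                                         # assumed dagger/arm64 tag

patches:
  # Strategic-merge patch pinning the proxy image used by every
  # operator-created proxy StatefulSet. The init container runs from the
  # same proxy image upstream, so it is pinned alongside.
  - target:
      group: tailscale.com
      version: v1alpha1
      kind: ProxyClass
      name: default   # assumed ProxyClass name
    patch: |-
      apiVersion: tailscale.com/v1alpha1
      kind: ProxyClass
      metadata:
        name: default
      spec:
        statefulSet:
          pod:
            tailscaleContainer:
              image: forge.example.invalid/containers/tailscale:v1.94.2-arm64
            tailscaleInitContainer:
              image: forge.example.invalid/containers/tailscale:v1.94.2-arm64
```

Render with `kubectl kustomize overlays/indri` and confirm that the only diff against the current overlay is the two image references; the tailscale state Secrets are untouched, so existing node keys are reused on rollout.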
Docs-first for C1: tailscale-operator card gains Local Images and
Rollout Safety sections (device identity lives in state Secrets; image
swaps don't re-register devices).

New containers/tailscale-operator (container.py for indri/arm64,
default.nix for ringtail/amd64) builds cmd/k8s-operator from the forge
mirror, mirroring upstream's mkctr recipe. containers/tailscale gains a
container.py so indri's ProxyClass can use a local arm64 proxy image
(ringtail already consumes the nix build).

Manifest updates follow once images are built and tagged.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
indri overlay: operator images: override (dagger/arm64 tag) + ProxyClass
strategic-merge patch for the proxy image (kustomize images: cannot
rewrite CR fields). ringtail overlay: operator images: override (-nix
tag); its proxy image is already local and unchanged.

Both overlays validated with kubectl kustomize. Images built from this
branch (runs 583/584); same v1.94.2 as currently deployed — pure
supply-chain swap.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
eblume merged commit d03ed337a9 into main 2026-06-09 17:45:31 -07:00