Restrict flyio-proxy ACLs to dedicated tag:flyio-target endpoints #126

Merged

eblume merged 7 commits from restrict-flyio-proxy-acl into main 2026-02-08 21:54:19 -08:00

Conversation 0 Commits 7 Files changed 30 +151 -56

eblume commented 2026-02-08 11:35:06 -08:00

Owner

Copy link

Summary

• Introduce tag:flyio-target so services must explicitly opt in to be reachable by the fly.io proxy
• Replace broad tag:k8s and tag:homelab grants with the new tag in the ACL rule and test
• Add tailscale.com/tags: "tag:k8s,tag:flyio-target" annotation to docs, loki, and prometheus Ingresses
• Switch Alloy push endpoints from *.ops.eblu.me (Caddy) to *.tail8d86e.ts.net (Tailscale Ingress)
• Update docs: flyio-proxy, caddy, tailscale, forgejo (future public access + security checklist), expose-service-publicly

Manual step (not in PR)

Update the k8s operator OAuth client in the Tailscale admin console to include tag:flyio-target in its scope. Without this, the operator cannot assign the new tag to Ingress proxy nodes.

Deployment order

1. Pulumi ACLs — mise run tailnet-preview && mise run tailnet-up
2. OAuth client — Manual update in Tailscale admin console
3. K8s Ingresses — argocd app sync apps && argocd app sync docs loki prometheus
4. Fly.io proxy — mise run fly-deploy
5. Verify — mise run services-check, check Grafana dashboards

Test plan

• mise run tailnet-preview shows clean diff
• argocd app diff docs, argocd app diff loki, argocd app diff prometheus show only annotation additions
• After deploy: Grafana dashboards show continued log/metric flow
• curl -sf https://docs.eblu.me returns 200
• mise run services-check passes

🤖 Generated with Claude Code

## Summary - Introduce `tag:flyio-target` so services must explicitly opt in to be reachable by the fly.io proxy - Replace broad `tag:k8s` and `tag:homelab` grants with the new tag in the ACL rule and test - Add `tailscale.com/tags: "tag:k8s,tag:flyio-target"` annotation to docs, loki, and prometheus Ingresses - Switch Alloy push endpoints from `*.ops.eblu.me` (Caddy) to `*.tail8d86e.ts.net` (Tailscale Ingress) - Update docs: flyio-proxy, caddy, tailscale, forgejo (future public access + security checklist), expose-service-publicly ## Manual step (not in PR) Update the k8s operator OAuth client in the Tailscale admin console to include `tag:flyio-target` in its scope. Without this, the operator cannot assign the new tag to Ingress proxy nodes. ## Deployment order 1. **Pulumi ACLs** — `mise run tailnet-preview && mise run tailnet-up` 2. **OAuth client** — Manual update in Tailscale admin console 3. **K8s Ingresses** — `argocd app sync apps && argocd app sync docs loki prometheus` 4. **Fly.io proxy** — `mise run fly-deploy` 5. **Verify** — `mise run services-check`, check Grafana dashboards ## Test plan - [ ] `mise run tailnet-preview` shows clean diff - [ ] `argocd app diff docs`, `argocd app diff loki`, `argocd app diff prometheus` show only annotation additions - [ ] After deploy: Grafana dashboards show continued log/metric flow - [ ] `curl -sf https://docs.eblu.me` returns 200 - [ ] `mise run services-check` passes 🤖 Generated with [Claude Code](https://claude.com/claude-code)

eblume added 1 commit 2026-02-08 11:35:07 -08:00

Restrict flyio-proxy ACLs to dedicated tag:flyio-target endpoints ... e152b1b071

Replace broad tag:k8s and tag:homelab grants with a new tag:flyio-target
tag that services must explicitly opt into. Alloy now pushes logs/metrics
directly to Loki and Prometheus via Tailscale Ingress, bypassing Caddy.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-08 12:13:39 -08:00

Migrate Tailscale Ingresses to shared ProxyGroup for per-Ingress tagging ... 756f2dff13

The legacy per-Ingress StatefulSet proxy model silently ignores the
tailscale.com/tags annotation, so tag:flyio-target was never applied
to docs/loki/prometheus — breaking the restricted ACL. This adds a
ProxyGroup (type: Ingress, 2 replicas) and annotates all 12 Ingresses
with tailscale.com/proxy-group: "ingress" to enable per-Ingress tag
overrides and restore connectivity.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-08 12:15:20 -08:00

Fix ProxyGroup type casing: Ingress -> ingress ... c1898f01f8

The CRD validation requires lowercase type values.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-08 21:35:42 -08:00

Fix Prometheus and Loki Ingress host matching for ProxyGroup ... d1885083fc

Remove explicit `host:` field from Ingress rules. With ProxyGroup-based
Tailscale Ingresses, the Host header contains the FQDN (e.g.,
prometheus.tail8d86e.ts.net) which doesn't match the short name
(prometheus), causing 404s.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-08 21:41:07 -08:00

Add autoApprovers for VIP services, revert Alloy to Caddy endpoints ... 5b464eaf60

- Add autoApprovers so ProxyGroup pods (tag:k8s) can auto-approve VIP
  service routes, as required by Tailscale multi-cluster Ingress docs
- Revert Alloy endpoints from direct Tailscale Ingress back to Caddy
  (*.ops.eblu.me) to decouple observability from VIP routing
- Update changelog to reflect final state

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 2 commits 2026-02-08 21:53:17 -08:00

Keep Alloy on direct Tailscale Ingress endpoints ... 716f1f0cfa

Revert the Caddy endpoint change — flyio-proxy ACLs only allow
tag:flyio-target, so Alloy can't reach Caddy on indri (tag:homelab).
The direct Tailscale Ingress endpoints (loki/prometheus.tail8d86e.ts.net)
are tagged tag:flyio-target specifically for this purpose.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Update docs to reflect public service routing via Fly.io ... 54db8643a1

- security-model: Replace "no public access" with Fly.io proxy description
- routing: Add *.eblu.me as third DNS domain for public services
- architecture: Add Fly.io to network layer and service routing table
- CLAUDE.md: Add public routing domain to routing table
- gandi: Add public CNAME records section
- tailscale-operator: Document ProxyGroup, VIP routing, per-Ingress tags
- flyio-proxy: Clarify why Alloy uses direct Tailscale endpoints (ACL)
- Remove hardcoded Tailscale IP (100.98.163.89) from docs, use DNS names

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume merged commit e6cf7e47e0 into main 2026-02-08 21:54:19 -08:00

eblume referenced this pull request from a commit 2026-02-08 21:54:21 -08:00

Restrict flyio-proxy ACLs to dedicated tag:flyio-target endpoints (#126)

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

eblume/blumeops!126

No description provided.