- security-model: Replace "no public access" with Fly.io proxy description
- routing: Add *.eblu.me as third DNS domain for public services
- architecture: Add Fly.io to network layer and service routing table
- CLAUDE.md: Add public routing domain to routing table
- gandi: Add public CNAME records section
- tailscale-operator: Document ProxyGroup, VIP routing, per-Ingress tags
- flyio-proxy: Clarify why Alloy uses direct Tailscale endpoints (ACL)
- Remove hardcoded Tailscale IP (100.98.163.89) from docs, use DNS names
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Revert the Caddy endpoint change — flyio-proxy ACLs only allow
tag:flyio-target, so Alloy can't reach Caddy on indri (tag:homelab).
The direct Tailscale Ingress endpoints (loki/prometheus.tail8d86e.ts.net)
are tagged tag:flyio-target specifically for this purpose.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Add autoApprovers so ProxyGroup pods (tag:k8s) can auto-approve VIP
service routes, as required by Tailscale multi-cluster Ingress docs
- Revert Alloy endpoints from direct Tailscale Ingress back to Caddy
(*.ops.eblu.me) to decouple observability from VIP routing
- Update changelog to reflect final state
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Remove explicit `host:` field from Ingress rules. With ProxyGroup-based
Tailscale Ingresses, the Host header contains the FQDN (e.g.,
prometheus.tail8d86e.ts.net) which doesn't match the short name
(prometheus), causing 404s.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The legacy per-Ingress StatefulSet proxy model silently ignores the
tailscale.com/tags annotation, so tag:flyio-target was never applied
to docs/loki/prometheus — breaking the restricted ACL. This adds a
ProxyGroup (type: Ingress, 2 replicas) and annotates all 12 Ingresses
with tailscale.com/proxy-group: "ingress" to enable per-Ingress tag
overrides and restore connectivity.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

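An added audit script, not code from the repository these commits belong to, that checks Tailscale-class Ingress manifests for the two misconfigurations the previous two commit messages describe: a `tailscale.com/tags` annotation with no `tailscale.com/proxy-group` (silently ignored by the legacy per-Ingress proxy, so the restricted ACL tag is never applied) and an explicit `host:` rule on a ProxyGroup-backed Ingress (FQDN Host header never matches the short name, hence 404). The manifests are constructed samples; the ProxyGroup `spec.type`/`spec.replicas` field names are assumed from the Tailscale operator CRD.

```python
"""Lint Tailscale operator Ingress manifests for silently ignored tags and host rules."""

def ingress(name, annotations, host=None):
    """Build a minimal Tailscale-class Ingress manifest (constructed sample)."""
    rule = {"http": {"paths": [{"path": "/", "pathType": "Prefix",
            "backend": {"service": {"name": name, "port": {"number": 80}}}}]}}
    if host:
        rule["host"] = host
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
            "metadata": {"name": name, "annotations": annotations},
            "spec": {"ingressClassName": "tailscale", "rules": [rule]}}

# ProxyGroup of type ingress with 2 replicas (field names assumed from the CRD).
PROXY_GROUP = {"apiVersion": "tailscale.com/v1alpha1", "kind": "ProxyGroup",
               "metadata": {"name": "ingress"},
               "spec": {"type": "ingress", "replicas": 2}}

SAMPLE = [
    PROXY_GROUP,
    # tags set but no proxy-group: legacy StatefulSet proxy drops the tag
    ingress("prometheus", {"tailscale.com/tags": "tag:flyio-target"}),
    # proxy-group set but the rule still carries the short host name
    ingress("loki", {"tailscale.com/proxy-group": "ingress",
                     "tailscale.com/tags": "tag:flyio-target"}, host="loki"),
    # correct form: proxy-group + tags, no host rule
    ingress("docs", {"tailscale.com/proxy-group": "ingress",
                     "tailscale.com/tags": "tag:flyio-target"}),
]

def audit(manifests):
    """Return (ingress name, problem) pairs for every Tailscale-class Ingress."""
    groups = {m["metadata"]["name"]: str(m["spec"].get("type", "")).lower()
              for m in manifests if m.get("kind") == "ProxyGroup"}
    findings = []
    for m in manifests:
        if m.get("kind") != "Ingress" or m["spec"].get("ingressClassName") != "tailscale":
            continue
        name = m["metadata"]["name"]
        ann = m["metadata"].get("annotations", {})
        group = ann.get("tailscale.com/proxy-group")
        if "tailscale.com/tags" in ann and group is None:
            findings.append((name, "tags annotation ignored: no proxy-group"))
        if group is not None and groups.get(group) != "ingress":
            findings.append((name, f"proxy-group {group!r} missing or not type ingress"))
        if group is not None and any("host" in r for r in m["spec"].get("rules", [])):
            findings.append((name, "explicit host with ProxyGroup: FQDN Host header will 404"))
    return findings

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```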
Replace broad tag:k8s and tag:homelab grants with a new tag:flyio-target
tag that services must explicitly opt into. Alloy now pushes logs/metrics
directly to Loki and Prometheus via Tailscale Ingress, bypassing Caddy.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>