eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions

Restrict flyio-proxy ACLs to dedicated tag:flyio-target endpoints #126

Merged
eblume merged 7 commits from restrict-flyio-proxy-acl into main 2026-02-08 21:54:19 -08:00
Conversation 0 Commits 7 Files changed 30 +14 -5
3 changed files with 14 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 5b464eaf60 - Show all commits

Add autoApprovers for VIP services, revert Alloy to Caddy endpoints

Prev Next 
- Add autoApprovers so ProxyGroup pods (tag:k8s) can auto-approve VIP
  service routes, as required by Tailscale multi-cluster Ingress docs
- Revert Alloy endpoints from direct Tailscale Ingress back to Caddy
  (*.ops.eblu.me) to decouple observability from VIP routing
- Update changelog to reflect final state

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Erich Blume 2026-02-08 21:40:58 -08:00
commit 5b464eaf60

2
docs/changelog.d/restrict-flyio-proxy-acl.infra.md
View file

@ -1 +1 @@
Restrict fly.io proxy ACLs to dedicated `tag:flyio-target` endpoints instead of broad `tag:k8s` and `tag:homelab` grants. Alloy now pushes logs/metrics directly to Loki and Prometheus via Tailscale Ingress, bypassing Caddy. Migrate all Tailscale Ingresses to a shared ProxyGroup to enable per-Ingress tag overrides (`tag:flyio-target` on docs, loki, prometheus).
Restrict fly.io proxy ACLs to dedicated `tag:flyio-target` endpoints instead of broad `tag:k8s` and `tag:homelab` grants. Migrate all Tailscale Ingresses to a shared ProxyGroup with per-Ingress tag overrides (`tag:flyio-target` on docs, loki, prometheus). Add `autoApprovers` for VIP service routes. Enable `--accept-routes` on indri for ProxyGroup VIP routing.

8
fly/alloy.river
View file

@ -94,10 +94,10 @@ loki.relabel "instance" {
}
}
// Write logs to Loki via Tailscale Ingress (direct, bypasses Caddy)
// Write logs to Loki via Caddy reverse proxy
loki.write "loki" {
endpoint {
url = "https://loki.tail8d86e.ts.net/loki/api/v1/push"
url = "https://loki.ops.eblu.me/loki/api/v1/push"
}
}
@ -134,9 +134,9 @@ prometheus.relabel "instance" {
}
}
// Push metrics to Prometheus via Tailscale Ingress (direct, bypasses Caddy)
// Push metrics to Prometheus via Caddy reverse proxy
prometheus.remote_write "prometheus" {
endpoint {
url = "https://prometheus.tail8d86e.ts.net/api/v1/write"
url = "https://prometheus.ops.eblu.me/api/v1/write"
}
}

9
pulumi/tailscale/policy.hujson
View file

@ -126,6 +126,15 @@
},
],
// ============== Auto Approvers ==============
// Allow ProxyGroup pods (tag:k8s) to auto-approve VIP Services
// Required for multi-cluster Ingress per Tailscale docs
"autoApprovers": {
"services": {
"tag:k8s": ["tag:k8s"],
},
},
// ============== Tag Owners ==============
"tagOwners": {
"tag:blumeops": ["autogroup:admin", "tag:blumeops"],