Expose Kubernetes API as Tailscale service (Step 0.14) #27

Merged
eblume merged 1 commit from feature/k8s-tailscale-service into main 2026-01-18 12:49:21 -08:00
Owner

Summary

  • Add tag:k8s-api to Pulumi ACLs and indri device tags
  • Configure Tailscale serve with TCP passthrough for k8s API at k8s.tail8d86e.ts.net
  • Update minikube role to include k8s.tail8d86e.ts.net in certificate SANs
  • Add apiserver_port config option (internal port 6443, dynamic host port with podman driver)
  • Document Step 0.14 in k8s-migration plan (added post-Phase 0 completion)

The Kubernetes API is now accessible at https://k8s.tail8d86e.ts.net using TCP passthrough to preserve mTLS authentication.

Deployment and Testing

  • Pulumi ACLs applied
  • Tailscale service created and approved in admin console
  • Minikube cluster recreated with new cert SANs
  • tailscale serve configured with TCP passthrough
  • 1Password credentials updated with new certs
  • Kubeconfig updated on gilbert
  • mise run indri-services-check passes
  • kubectl --context=minikube-indri get nodes works via Tailscale

🤖 Generated with Claude Code

- Add tag:k8s-api to Pulumi ACLs and indri device tags
- Configure tailscale serve with TCP passthrough for k8s API
- Update minikube role to use k8s.tail8d86e.ts.net in cert SANs
- Add apiserver_port config (internal port 6443, dynamic host port)
- Document Step 0.14 in k8s-migration plan

The k8s API is now accessible at https://k8s.tail8d86e.ts.net using
TCP passthrough to preserve mTLS authentication.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
eblume merged commit 3679124ebd into main 2026-01-18 12:49:21 -08:00
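
An added check, not part of this pull request or the blumeops repository: with TCP passthrough the API server itself terminates TLS, so its serving certificate has to list `k8s.tail8d86e.ts.net` as a DNS SAN. The script below compares SAN entries exactly instead of by substring; the function names and both sample certificates are constructed for the example, and OpenSSL 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example: confirm a PEM certificate carries a hostname as a DNS SAN.
# Function names and sample certificates are constructed for illustration.

# cert_has_dns_san CERT_PEM HOSTNAME
# Exit 0 only if HOSTNAME equals one DNS SAN entry (case-insensitive).
# A plain substring grep would also accept lookalike names that merely
# contain the hostname, and would treat "." as a regex wildcard.
cert_has_dns_san() {
  chk_cert="$1"
  chk_want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
  # openssl prints e.g. "DNS:a.example, DNS:b.example, IP Address:10.0.0.1"
  openssl x509 -in "$chk_cert" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' |
    sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' |
    tr '[:upper:]' '[:lower:]' |
    grep -Fxq -- "$chk_want"
}

# make_sample_cert OUT_PEM SAN_LIST
# Writes a throwaway self-signed certificate (constructed sample input).
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=constructed-sample" \
    -addext "subjectAltName=$2" \
    -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo on two constructed certificates: one with the expected name,
# one whose only SAN merely starts with it.
demo_dir="$(mktemp -d)"
make_sample_cert "$demo_dir/good.pem" \
  "DNS:k8s.tail8d86e.ts.net,DNS:localhost,IP:127.0.0.1"
make_sample_cert "$demo_dir/lookalike.pem" \
  "DNS:k8s.tail8d86e.ts.net.example.invalid"
for name in good lookalike; do
  if cert_has_dns_san "$demo_dir/$name.pem" "k8s.tail8d86e.ts.net"; then
    echo "$name.pem: SAN present"
  else
    echo "$name.pem: SAN missing"
  fi
done
rm -rf "$demo_dir"
```
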
Reference
eblume/blumeops!27