Upgrade Tailscale operator v1.94.2 → v1.96.3 #304

Merged

eblume merged 1 commit from upgrade-tailscale-operator-1.96.3 into main

2026-03-22 19:31:22 -07:00

eblume commented

2026-03-22 19:29:42 -07:00

Owner

Summary

Bump Tailscale operator, proxy containers, and init containers from v1.94.2 to v1.96.3 across both clusters (indri + ringtail via shared base kustomization)
Replace hand-rolled until tailscale status polling loop in fly/start.sh with tailscale wait --timeout 60s (new in v1.96.2)
Stamp kube-state-metrics review date (already current at v2.18.0)

Notable upstream changes (v1.94.2 → v1.96.3)

Go upgraded from 1.25 to 1.26
tailscale wait command — blocks until daemon is running + interface has IP
AuthKey policy now applies only when users are not logged in (behavioral change)
Peer Relay improvements (metrics, EC2 IMDS, UDP socket scaling)
UPnP stability fixes

Deploy plan

Merge PR
Sync tailscale-operator on indri: argocd app sync tailscale-operator
Sync tailscale-operator on ringtail: argocd app sync tailscale-operator-ringtail --server ringtail...
Verify proxy pods roll with new image: kubectl --context=minikube-indri -n tailscale get pods
Verify ingress connectivity (spot-check a few *.tail8d86e.ts.net services)
Rebuild + deploy Fly proxy container (separate step, picks up tailscale wait change)

Test plan

ArgoCD diff looks clean for both apps before sync
Proxy pods on indri come up healthy with v1.96.3 images
Proxy pods on ringtail come up healthy with v1.96.3 images
Tailscale ingress services remain reachable (e.g., grafana, prometheus)
Fly proxy rebuild deploys successfully with tailscale wait

🤖 Generated with Claude Code

## Summary - Bump Tailscale operator, proxy containers, and init containers from v1.94.2 to v1.96.3 across both clusters (indri + ringtail via shared base kustomization) - Replace hand-rolled `until tailscale status` polling loop in `fly/start.sh` with `tailscale wait --timeout 60s` (new in v1.96.2) - Stamp kube-state-metrics review date (already current at v2.18.0) ## Notable upstream changes (v1.94.2 → v1.96.3) - Go upgraded from 1.25 to 1.26 - `tailscale wait` command — blocks until daemon is running + interface has IP - AuthKey policy now applies only when users are not logged in (behavioral change) - Peer Relay improvements (metrics, EC2 IMDS, UDP socket scaling) - UPnP stability fixes ## Deploy plan 1. Merge PR 2. Sync tailscale-operator on indri: `argocd app sync tailscale-operator` 3. Sync tailscale-operator on ringtail: `argocd app sync tailscale-operator-ringtail --server ringtail...` 4. Verify proxy pods roll with new image: `kubectl --context=minikube-indri -n tailscale get pods` 5. Verify ingress connectivity (spot-check a few `*.tail8d86e.ts.net` services) 6. Rebuild + deploy Fly proxy container (separate step, picks up `tailscale wait` change) ## Test plan - [ ] ArgoCD diff looks clean for both apps before sync - [ ] Proxy pods on indri come up healthy with v1.96.3 images - [ ] Proxy pods on ringtail come up healthy with v1.96.3 images - [ ] Tailscale ingress services remain reachable (e.g., grafana, prometheus) - [ ] Fly proxy rebuild deploys successfully with `tailscale wait` 🤖 Generated with [Claude Code](https://claude.com/claude-code)

eblume added 1 commit

2026-03-22 19:29:42 -07:00

Upgrade Tailscale operator v1.94.2 → v1.96.3 bcd732e23f

Bumps operator, proxy container, and init container images across both
clusters (indri + ringtail share the base kustomization). Replaces the
hand-rolled polling loop in the Fly proxy start script with
`tailscale wait --timeout 60s` for proper daemon/interface readiness.

Also stamps kube-state-metrics review date (already current at v2.18.0).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>