eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/ansible/roles/tailscale_serve/defaults/main.yml
Erich Blume 3679124ebd Expose Kubernetes API as Tailscale service (Step 0.14) (#27) 
## Summary
- Add `tag:k8s-api` to Pulumi ACLs and indri device tags
- Configure Tailscale serve with TCP passthrough for k8s API at `k8s.tail8d86e.ts.net`
- Update minikube role to include `k8s.tail8d86e.ts.net` in certificate SANs
- Add `apiserver_port` config option (internal port 6443, dynamic host port with podman driver)
- Document Step 0.14 in k8s-migration plan (added post-Phase 0 completion)

The Kubernetes API is now accessible at `https://k8s.tail8d86e.ts.net` using TCP passthrough to preserve mTLS authentication.

## Deployment and Testing
- [x] Pulumi ACLs applied
- [x] Tailscale service created and approved in admin console
- [x] Minikube cluster recreated with new cert SANs
- [x] tailscale serve configured with TCP passthrough
- [x] 1Password credentials updated with new certs
- [x] Kubeconfig updated on gilbert
- [x] `mise run indri-services-check` passes
- [x] `kubectl --context=minikube-indri get nodes` works via Tailscale

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/27
2026-01-18 12:49:20 -08:00

50 lines
1.1 KiB
YAML
Raw Blame History

---
# Tailscale serve configuration for this host
# Each service maps a Tailscale service name to local endpoints
tailscale_serve_services:
- name: svc:grafana
https:
port: 443
upstream: http://localhost:3000
- name: svc:forge
https:
port: 443
upstream: http://localhost:3001
tcp:
port: 22
upstream: tcp://localhost:2200
- name: svc:kiwix
https:
port: 443
upstream: http://localhost:5501
- name: svc:pypi
https:
port: 443
upstream: http://127.0.0.1:3141
- name: svc:pg
tcp:
port: 5432
upstream: tcp://localhost:5432
- name: svc:feed
https:
port: 443
upstream: http://localhost:8080
- name: svc:registry
https:
port: 443
upstream: http://localhost:5050
# Kubernetes API server (TCP passthrough for mTLS)
# NOTE: Port is dynamic with podman driver - check with:
# ssh indri "kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'"
- name: svc:k8s
tcp:
port: 443
upstream: tcp://localhost:44491
Reference in a new issue View git blame Copy permalink