eblume/blumeops
1
1
Fork 0
Code Issues Pull requests 1 Projects Releases 83 Packages Wiki Activity Actions
blumeops/argocd/manifests/tailscale-operator/README.md
Erich Blume 1184b4de1d Add Caddy layer4 for Forgejo SSH (#56) 
## Summary
- Add layer4 TCP proxy configuration to Caddyfile template for SSH services
- Configure Forgejo SSH on port 2222 → localhost:2200
- Switch HTTPS from port 8443 (testing) to 443 (production)
- Requires Caddy rebuilt with `github.com/mholt/caddy-l4` plugin

## What This Enables
Git+SSH access via `forge.ops.eblu.me:2222` is now accessible from:
- Tailnet clients (gilbert)
- Docker containers on indri
- Kubernetes pods in minikube

This solves the DNS resolution issues where containers couldn't reach Tailscale MagicDNS names.

## Testing Done
- [x] Caddy rebuilt with layer4 plugin
- [x] Validated Caddyfile syntax
- [x] Cleared `svc:forge` from tailscale serve
- [x] Verified HTTPS works: `curl https://forge.ops.eblu.me`
- [x] Verified SSH works: `ssh -p 2222 forgejo@forge.ops.eblu.me`
- [x] Verified git clone works via new endpoint
- [x] Verified minikube pods can reach both HTTPS and SSH endpoints

## Deployment
Caddy is already running with the new config on indri. This PR captures the ansible changes.

## Next Steps
- Update zk docs with new git remote format
- Migrate registry and other services to Caddy
- Retire tailscale_services ansible role

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/56
2026-01-25 11:37:23 -08:00

90 lines
2.9 KiB
Markdown
Raw Blame History

# Tailscale Kubernetes Operator
Manifests for the Tailscale Kubernetes Operator, managed via ArgoCD.
## Source
- `operator.yaml` - Static manifest from https://github.com/tailscale/tailscale/tree/main/cmd/k8s-operator/deploy/manifests
- Secret block removed from `operator.yaml` - managed separately via `secret.yaml.tpl`
- Image reference changed to fully-qualified `docker.io/tailscale/k8s-operator:stable`
## Prerequisites
1. OAuth client in Tailscale admin console with:
- Devices: Core (Read & Write) - tag: `tag:k8s-operator`
- Auth Keys: Read & Write
- Services: Write
2. ACL with `tag:k8s-operator` owning `tag:k8s` (so operator can tag resources it creates)
## Manual Bootstrap (Before ArgoCD)
Tailscale operator must be deployed before ArgoCD since ArgoCD uses Tailscale for ingress.
```bash
# 1. Create namespace
kubectl create namespace tailscale
# 2. Apply OAuth secret (uses 1Password)
op inject -i argocd/manifests/tailscale-operator/secret.yaml.tpl | kubectl apply -f -
# 3. Apply manifests via kustomize
kubectl apply -k argocd/manifests/tailscale-operator/
```
## Ongoing Management (After ArgoCD)
Once ArgoCD is running, the operator is managed by the `tailscale-operator` ArgoCD Application.
ArgoCD pulls manifests from forge and applies them automatically.
## ArgoCD CLI Commands
```bash
# Check application status
argocd app get tailscale-operator
# Trigger a sync (pull latest from forge and apply)
argocd app sync tailscale-operator
# Preview what would change without applying
argocd app diff tailscale-operator
# View deployment history
argocd app history tailscale-operator
# Hard refresh (clear cache and re-fetch from git)
argocd app get tailscale-operator --hard-refresh
```
## Verification
```bash
# Check operator pod is running
kubectl get pods -n tailscale
# Check operator logs
kubectl logs -n tailscale -l app.kubernetes.io/name=operator
```
## Files
| File | Description |
|------|-------------|
| `kustomization.yaml` | Kustomize configuration for all manifests |
| `operator.yaml` | Operator deployment, CRDs, RBAC (secret removed) |
| `proxyclass.yaml` | ProxyClass with fully-qualified images |
| `dnsconfig.yaml` | DNSConfig for cluster-to-tailnet name resolution |
| `egress-forge.yaml` | Egress proxy for accessing forge on indri |
| `secret.yaml.tpl` | 1Password template for OAuth credentials (manual) |
| `README.md` | This file |
## Notes
- **TODO:** The OAuth secret (`operator-oauth`) is not managed by ArgoCD and must be applied
manually. Future improvement: integrate with a secrets operator (e.g., External Secrets).
- Services using the Tailscale LoadBalancer should reference the ProxyClass:
```yaml
annotations:
tailscale.com/proxy-class: "default"
```
- The egress proxy for forge is **deprecated**. Forge is now accessible via Caddy at
`forge.ops.eblu.me` (HTTPS) and `forge.ops.eblu.me:2222` (SSH), which pods can reach directly.
Reference in a new issue View git blame Copy permalink