History

Erich Blume b3747f6c95 All checks were successful Build Container / build (push) Successful in 8s Details Tier 1 version bumps (#186 ) ## Summary Audit and upgrade of all deployed images, helm charts, and custom container Dockerfiles to latest stable versions. This PR covers Tier 1 (low-risk minor/patch bumps only). ### Upstream images \| Image \| Old \| New \| \|-------\|-----\|-----\| \| kube-state-metrics \| v2.13.0 \| v2.18.0 \| \| prometheus \| v3.2.1 \| v3.9.1 \| \| loki \| 3.3.2 \| 3.6.5 \| \| alloy \| v1.5.1 \| v1.13.1 \| \| tailscale (proxy + operator) \| v1.92.5 \| v1.94.1 \| \| navidrome \| :latest \| v0.60.3 (pinned) \| ### Helm charts \| Chart \| Old \| New \| \|-------\|-----\|-----\| \| CloudNativePG \| v0.27.0 \| v0.27.1 \| \| 1Password Connect \| 2.2.1 \| 2.3.0 \| ### Custom containers (Dockerfiles updated, images not yet tagged) \| Container \| Changes \| New tag \| \|-----------\|---------\|---------\| \| miniflux \| 2.2.16→2.2.17 (security), alpine 3.22 \| v1.1.0 \| \| kubectl \| v1.34.1→v1.34.4, alpine 3.22 \| v1.1.0 \| \| kiwix-serve \| alpine 3.22 \| v1.1.0 \| \| nettest \| alpine 3.22 \| v0.14.0 \| \| transmission \| alpine 3.22, pkg 4.0.6-r4 \| v1.1.0 \| All custom containers verified with local `dagger call build`. ### Deferred to Tier 2 (separate PRs) - Forgejo runner 6→12 (major version scheme change) - Docker DinD 27→29 - Grafana chart 8→11 (repo migration) - External Secrets 1→2 (breaking changes) - Python 3.12→3.13, Elixir 1.18→1.19, Node 22→24 - Transmission 4.0.6→4.1.0 (not in Alpine yet) ## Deployment After merge: 1. Tag custom containers: `mise run container-tag-and-release <name> <version>` for each 2. Wait for CI builds to complete 3. `argocd app sync apps` then sync individual apps, or let ArgoCD auto-detect Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/186		2026-02-13 17:16:37 -08:00
..
dnsconfig.yaml	K8s Migration Phase 1: Infrastructure Setup (#29 )	2026-01-19 09:49:52 -08:00
egress-forge.yaml	Add Caddy layer4 for Forgejo SSH (#56 )	2026-01-25 11:37:23 -08:00
external-secret.yaml	Switch all ExternalSecrets to creationPolicy: Owner	2026-01-28 20:27:16 -08:00
kustomization.yaml	Restrict flyio-proxy ACLs to dedicated tag:flyio-target endpoints (#126 )	2026-02-08 21:54:18 -08:00
operator.yaml	Tier 1 version bumps (#186 )	2026-02-13 17:16:37 -08:00
proxyclass.yaml	Tier 1 version bumps (#186 )	2026-02-13 17:16:37 -08:00
proxygroup-ingress.yaml	Restrict flyio-proxy ACLs to dedicated tag:flyio-target endpoints (#126 )	2026-02-08 21:54:18 -08:00
README.md	Add Caddy layer4 for Forgejo SSH (#56 )	2026-01-25 11:37:23 -08:00

README.md

Tailscale Kubernetes Operator

Manifests for the Tailscale Kubernetes Operator, managed via ArgoCD.

Source

operator.yaml - Static manifest from https://github.com/tailscale/tailscale/tree/main/cmd/k8s-operator/deploy/manifests
Secret block removed from operator.yaml - managed separately via secret.yaml.tpl
Image reference changed to fully-qualified docker.io/tailscale/k8s-operator:stable

Prerequisites

OAuth client in Tailscale admin console with:
- Devices: Core (Read & Write) - tag: tag:k8s-operator
- Auth Keys: Read & Write
- Services: Write
ACL with tag:k8s-operator owning tag:k8s (so operator can tag resources it creates)

Manual Bootstrap (Before ArgoCD)

Tailscale operator must be deployed before ArgoCD since ArgoCD uses Tailscale for ingress.

# 1. Create namespace
kubectl create namespace tailscale

# 2. Apply OAuth secret (uses 1Password)
op inject -i argocd/manifests/tailscale-operator/secret.yaml.tpl | kubectl apply -f -

# 3. Apply manifests via kustomize
kubectl apply -k argocd/manifests/tailscale-operator/

Ongoing Management (After ArgoCD)

Once ArgoCD is running, the operator is managed by the tailscale-operator ArgoCD Application. ArgoCD pulls manifests from forge and applies them automatically.

ArgoCD CLI Commands

# Check application status
argocd app get tailscale-operator

# Trigger a sync (pull latest from forge and apply)
argocd app sync tailscale-operator

# Preview what would change without applying
argocd app diff tailscale-operator

# View deployment history
argocd app history tailscale-operator

# Hard refresh (clear cache and re-fetch from git)
argocd app get tailscale-operator --hard-refresh

Verification

# Check operator pod is running
kubectl get pods -n tailscale

# Check operator logs
kubectl logs -n tailscale -l app.kubernetes.io/name=operator

Files

File	Description
`kustomization.yaml`	Kustomize configuration for all manifests
`operator.yaml`	Operator deployment, CRDs, RBAC (secret removed)
`proxyclass.yaml`	ProxyClass with fully-qualified images
`dnsconfig.yaml`	DNSConfig for cluster-to-tailnet name resolution
`egress-forge.yaml`	Egress proxy for accessing forge on indri
`secret.yaml.tpl`	1Password template for OAuth credentials (manual)
`README.md`	This file

Notes

TODO: The OAuth secret (operator-oauth) is not managed by ArgoCD and must be applied manually. Future improvement: integrate with a secrets operator (e.g., External Secrets).
Services using the Tailscale LoadBalancer should reference the ProxyClass:
```
annotations:
  tailscale.com/proxy-class: "default"
```
The egress proxy for forge is deprecated. Forge is now accessible via Caddy at forge.ops.eblu.me (HTTPS) and forge.ops.eblu.me:2222 (SSH), which pods can reach directly.