Erich Blume 739f2f7da5 Rename ProxyClass to crio-compat with documentation

- Rename from generic "default" to descriptive "crio-compat"
- Add detailed comments explaining why this ProxyClass exists
- Update all Service/Ingress annotations to use new name
- Remove invalid `default: true` field (not a real ProxyClass field)

The ProxyClass exists because CRI-O cannot resolve short image names.
Each Tailscale Service/Ingress needs the annotation to use it.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-19 09:40:11 -08:00

2.9 KiB

Raw Blame History

Tailscale Kubernetes Operator

Manifests for the Tailscale Kubernetes Operator, managed via ArgoCD.

Source

operator.yaml - Static manifest from https://github.com/tailscale/tailscale/tree/main/cmd/k8s-operator/deploy/manifests
Secret block removed from operator.yaml - managed separately via secret.yaml.tpl
Image reference changed to fully-qualified docker.io/tailscale/k8s-operator:stable for CRI-O compatibility

Prerequisites

OAuth client in Tailscale admin console with:
- Devices: Core (Read & Write) - tag: tag:k8s-operator
- Auth Keys: Read & Write
- Services: Write
ACL with tag:k8s-operator owning tag:k8s (so operator can tag resources it creates)

Manual Bootstrap (Before ArgoCD)

Tailscale operator must be deployed before ArgoCD since ArgoCD uses Tailscale for ingress.

# 1. Create namespace
kubectl create namespace tailscale

# 2. Apply OAuth secret (uses 1Password)
op inject -i argocd/manifests/tailscale-operator/secret.yaml.tpl | kubectl apply -f -

# 3. Apply manifests via kustomize
kubectl apply -k argocd/manifests/tailscale-operator/

Ongoing Management (After ArgoCD)

Once ArgoCD is running, the operator is managed by the tailscale-operator ArgoCD Application. ArgoCD pulls manifests from forge and applies them automatically.

ArgoCD CLI Commands

# Check application status
argocd app get tailscale-operator

# Trigger a sync (pull latest from forge and apply)
argocd app sync tailscale-operator

# Preview what would change without applying
argocd app diff tailscale-operator

# View deployment history
argocd app history tailscale-operator

# Hard refresh (clear cache and re-fetch from git)
argocd app get tailscale-operator --hard-refresh

Verification

# Check operator pod is running
kubectl get pods -n tailscale

# Check operator logs
kubectl logs -n tailscale -l app.kubernetes.io/name=operator

Files

File	Description
`kustomization.yaml`	Kustomize configuration for all manifests
`operator.yaml`	Operator deployment, CRDs, RBAC (secret removed)
`proxyclass.yaml`	ProxyClass with fully-qualified images for CRI-O
`dnsconfig.yaml`	DNSConfig for cluster-to-tailnet name resolution
`egress-forge.yaml`	Egress proxy for accessing forge on indri
`secret.yaml.tpl`	1Password template for OAuth credentials (manual)
`README.md`	This file

Notes

TODO: The OAuth secret (operator-oauth) is not managed by ArgoCD and must be applied manually. Future improvement: integrate with a secrets operator (e.g., External Secrets).
Services using the Tailscale LoadBalancer must reference the ProxyClass:
```
annotations:
  tailscale.com/proxy-class: "crio-compat"
```
The egress proxy for forge targets indri.tail8d86e.ts.net directly (not forge.tail8d86e.ts.net) because Tailscale Serve hostnames are virtual and only work via the Tailscale client.

2.9 KiB Raw Blame History