History

Erich Blume e6cf7e47e0 All checks were successful Deploy Fly.io Proxy / deploy (push) Successful in 1m8s Details Restrict flyio-proxy ACLs to dedicated tag:flyio-target endpoints (#126 ) ## Summary - Introduce `tag:flyio-target` so services must explicitly opt in to be reachable by the fly.io proxy - Replace broad `tag:k8s` and `tag:homelab` grants with the new tag in the ACL rule and test - Add `tailscale.com/tags: "tag:k8s,tag:flyio-target"` annotation to docs, loki, and prometheus Ingresses - Switch Alloy push endpoints from `.ops.eblu.me` (Caddy) to `.tail8d86e.ts.net` (Tailscale Ingress) - Update docs: flyio-proxy, caddy, tailscale, forgejo (future public access + security checklist), expose-service-publicly ## Manual step (not in PR) Update the k8s operator OAuth client in the Tailscale admin console to include `tag:flyio-target` in its scope. Without this, the operator cannot assign the new tag to Ingress proxy nodes. ## Deployment order 1. Pulumi ACLs — `mise run tailnet-preview && mise run tailnet-up` 2. OAuth client — Manual update in Tailscale admin console 3. K8s Ingresses — `argocd app sync apps && argocd app sync docs loki prometheus` 4. Fly.io proxy — `mise run fly-deploy` 5. Verify — `mise run services-check`, check Grafana dashboards ## Test plan - [ ] `mise run tailnet-preview` shows clean diff - [ ] `argocd app diff docs`, `argocd app diff loki`, `argocd app diff prometheus` show only annotation additions - [ ] After deploy: Grafana dashboards show continued log/metric flow - [ ] `curl -sf https://docs.eblu.me` returns 200 - [ ] `mise run services-check` passes 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/126		2026-02-08 21:54:18 -08:00
..
dnsconfig.yaml	K8s Migration Phase 1: Infrastructure Setup (#29 )	2026-01-19 09:49:52 -08:00
egress-forge.yaml	Add Caddy layer4 for Forgejo SSH (#56 )	2026-01-25 11:37:23 -08:00
external-secret.yaml	Switch all ExternalSecrets to creationPolicy: Owner	2026-01-28 20:27:16 -08:00
kustomization.yaml	Restrict flyio-proxy ACLs to dedicated tag:flyio-target endpoints (#126 )	2026-02-08 21:54:18 -08:00
operator.yaml	Pin ArgoCD to v3.2.6 (#44 )	2026-01-22 16:38:27 -08:00
proxyclass.yaml	Pin ArgoCD to v3.2.6 (#44 )	2026-01-22 16:38:27 -08:00
proxygroup-ingress.yaml	Restrict flyio-proxy ACLs to dedicated tag:flyio-target endpoints (#126 )	2026-02-08 21:54:18 -08:00
README.md	Add Caddy layer4 for Forgejo SSH (#56 )	2026-01-25 11:37:23 -08:00

README.md

Tailscale Kubernetes Operator

Manifests for the Tailscale Kubernetes Operator, managed via ArgoCD.

Source

operator.yaml - Static manifest from https://github.com/tailscale/tailscale/tree/main/cmd/k8s-operator/deploy/manifests
Secret block removed from operator.yaml - managed separately via secret.yaml.tpl
Image reference changed to fully-qualified docker.io/tailscale/k8s-operator:stable

Prerequisites

OAuth client in Tailscale admin console with:
- Devices: Core (Read & Write) - tag: tag:k8s-operator
- Auth Keys: Read & Write
- Services: Write
ACL with tag:k8s-operator owning tag:k8s (so operator can tag resources it creates)

Manual Bootstrap (Before ArgoCD)

Tailscale operator must be deployed before ArgoCD since ArgoCD uses Tailscale for ingress.

# 1. Create namespace
kubectl create namespace tailscale

# 2. Apply OAuth secret (uses 1Password)
op inject -i argocd/manifests/tailscale-operator/secret.yaml.tpl | kubectl apply -f -

# 3. Apply manifests via kustomize
kubectl apply -k argocd/manifests/tailscale-operator/

Ongoing Management (After ArgoCD)

Once ArgoCD is running, the operator is managed by the tailscale-operator ArgoCD Application. ArgoCD pulls manifests from forge and applies them automatically.

ArgoCD CLI Commands

# Check application status
argocd app get tailscale-operator

# Trigger a sync (pull latest from forge and apply)
argocd app sync tailscale-operator

# Preview what would change without applying
argocd app diff tailscale-operator

# View deployment history
argocd app history tailscale-operator

# Hard refresh (clear cache and re-fetch from git)
argocd app get tailscale-operator --hard-refresh

Verification

# Check operator pod is running
kubectl get pods -n tailscale

# Check operator logs
kubectl logs -n tailscale -l app.kubernetes.io/name=operator

Files

File	Description
`kustomization.yaml`	Kustomize configuration for all manifests
`operator.yaml`	Operator deployment, CRDs, RBAC (secret removed)
`proxyclass.yaml`	ProxyClass with fully-qualified images
`dnsconfig.yaml`	DNSConfig for cluster-to-tailnet name resolution
`egress-forge.yaml`	Egress proxy for accessing forge on indri
`secret.yaml.tpl`	1Password template for OAuth credentials (manual)
`README.md`	This file

Notes

TODO: The OAuth secret (operator-oauth) is not managed by ArgoCD and must be applied manually. Future improvement: integrate with a secrets operator (e.g., External Secrets).
Services using the Tailscale LoadBalancer should reference the ProxyClass:
```
annotations:
  tailscale.com/proxy-class: "default"
```
The egress proxy for forge is deprecated. Forge is now accessible via Caddy at forge.ops.eblu.me (HTTPS) and forge.ops.eblu.me:2222 (SSH), which pods can reach directly.