History

Erich Blume d03ed337a9 Localize the Tailscale operator stack (k8s-operator + indri ProxyClass) (#374 ) Weekly non-local-container task: localize the Tailscale operator stack on both clusters. ## What - `containers/tailscale-operator/` (new) — builds `cmd/k8s-operator` v1.94.2 from the forge mirror, mirroring upstream's mkctr recipe (`/usr/local/bin/operator`, `ts_kube,ts_package_container` go tags, version stamps). `container.py` (dagger) for indri/arm64; `default.nix` for ringtail/amd64. - `containers/tailscale/container.py` (new) — dagger/arm64 build of the proxy image (containerboot), mirroring the upstream Dockerfile (iptables-legacy symlinks, `/tailscale/run.sh` compat). Ringtail already consumes the existing nix build; this completes parity for indri. - Version pinned at v1.94.2 (same as currently deployed) — this PR is a pure supply-chain swap, no version change. v1.96.x is avoided deliberately (MagicDNS-in-containers regression). - Docs-first: tailscale-operator card gains Local Images and Rollout Safety sections. ## Rollout plan (after image builds) 1. Manifest commit: per-overlay `images:` override for the operator + ProxyClass strategic-merge patch on indri (kustomize `images:` can't touch CR fields). 2. `argocd app set tailscale-operator --revision <branch> && argocd app sync` — indri first, verify, then ringtail. 3. Shadow-device safety: device identity lives in the tailscale state Secrets; an image swap re-uses existing node keys, so no `-1` clones. State Secrets are not touched. Post-sync verification: pod health, device names unchanged, `mise run services-check`. ## Follow-ups (not this PR) - `dnsconfig` nameserver image (`tailscale/k8s-nameserver:stable`) still upstream. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: #374		2026-06-09 17:45:23 -07:00
..
endpoints-forge.yaml	Expose Forgejo publicly at forge.eblu.me (#278 )	2026-03-03 08:40:41 -08:00
external-secret.yaml	Switch all ExternalSecrets to creationPolicy: Owner	2026-01-28 20:27:16 -08:00
ingress-forge.yaml	Expose Forgejo publicly at forge.eblu.me (#278 )	2026-03-03 08:40:41 -08:00
kustomization.yaml	Localize the Tailscale operator stack (k8s-operator + indri ProxyClass) (#374 )	2026-06-09 17:45:23 -07:00
proxyclass-image.yaml	Localize the Tailscale operator stack (k8s-operator + indri ProxyClass) (#374 )	2026-06-09 17:45:23 -07:00
proxygroup-ingress.yaml	Restrict flyio-proxy ACLs to dedicated tag:flyio-target endpoints (#126 )	2026-02-08 21:54:18 -08:00
README.md	Expose Forgejo publicly at forge.eblu.me (#278 )	2026-03-03 08:40:41 -08:00
svc-forge-external.yaml	Expose Forgejo publicly at forge.eblu.me (#278 )	2026-03-03 08:40:41 -08:00

README.md

Tailscale Kubernetes Operator

Manifests for the Tailscale Kubernetes Operator, managed via ArgoCD.

Source

operator.yaml - Static manifest from https://github.com/tailscale/tailscale/tree/main/cmd/k8s-operator/deploy/manifests
Secret block removed from operator.yaml - managed separately via secret.yaml.tpl
Image reference changed to fully-qualified docker.io/tailscale/k8s-operator:stable

Prerequisites

OAuth client in Tailscale admin console with:
- Devices: Core (Read & Write) - tag: tag:k8s-operator
- Auth Keys: Read & Write
- Services: Write
ACL with tag:k8s-operator owning tag:k8s (so operator can tag resources it creates)

Manual Bootstrap (Before ArgoCD)

Tailscale operator must be deployed before ArgoCD since ArgoCD uses Tailscale for ingress.

# 1. Create namespace
kubectl create namespace tailscale

# 2. Apply OAuth secret (uses 1Password)
op inject -i argocd/manifests/tailscale-operator/secret.yaml.tpl | kubectl apply -f -

# 3. Apply manifests via kustomize
kubectl apply -k argocd/manifests/tailscale-operator/

Ongoing Management (After ArgoCD)

Once ArgoCD is running, the operator is managed by the tailscale-operator ArgoCD Application. ArgoCD pulls manifests from forge and applies them automatically.

ArgoCD CLI Commands

# Check application status
argocd app get tailscale-operator

# Trigger a sync (pull latest from forge and apply)
argocd app sync tailscale-operator

# Preview what would change without applying
argocd app diff tailscale-operator

# View deployment history
argocd app history tailscale-operator

# Hard refresh (clear cache and re-fetch from git)
argocd app get tailscale-operator --hard-refresh

Verification

# Check operator pod is running
kubectl get pods -n tailscale

# Check operator logs
kubectl logs -n tailscale -l app.kubernetes.io/name=operator

Files

File	Description
`kustomization.yaml`	Kustomize configuration for all manifests
`operator.yaml`	Operator deployment, CRDs, RBAC (secret removed)
`proxyclass.yaml`	ProxyClass with fully-qualified images
`dnsconfig.yaml`	DNSConfig for cluster-to-tailnet name resolution
`secret.yaml.tpl`	1Password template for OAuth credentials (manual)
`README.md`	This file

Notes

TODO: The OAuth secret (operator-oauth) is not managed by ArgoCD and must be applied manually. Future improvement: integrate with a secrets operator (e.g., External Secrets).
Services using the Tailscale LoadBalancer should reference the ProxyClass:
```
annotations:
  tailscale.com/proxy-class: "default"
```