Erich Blume
2e46f99820
Some checks failed
Deploy Fly.io Proxy / deploy (push) Failing after 7m0s
## Summary - Bump Tailscale operator, proxy containers, and init containers from v1.94.2 to v1.96.3 across both clusters (indri + ringtail via shared base kustomization) - Replace hand-rolled `until tailscale status` polling loop in `fly/start.sh` with `tailscale wait --timeout 60s` (new in v1.96.2) - Stamp kube-state-metrics review date (already current at v2.18.0) ## Notable upstream changes (v1.94.2 → v1.96.3) - Go upgraded from 1.25 to 1.26 - `tailscale wait` command — blocks until daemon is running + interface has IP - AuthKey policy now applies only when users are not logged in (behavioral change) - Peer Relay improvements (metrics, EC2 IMDS, UDP socket scaling) - UPnP stability fixes ## Deploy plan 1. Merge PR 2. Sync tailscale-operator on indri: `argocd app sync tailscale-operator` 3. Sync tailscale-operator on ringtail: `argocd app sync tailscale-operator-ringtail --server ringtail...` 4. Verify proxy pods roll with new image: `kubectl --context=minikube-indri -n tailscale get pods` 5. Verify ingress connectivity (spot-check a few `*.tail8d86e.ts.net` services) 6. Rebuild + deploy Fly proxy container (separate step, picks up `tailscale wait` change) ## Test plan - [ ] ArgoCD diff looks clean for both apps before sync - [ ] Proxy pods on indri come up healthy with v1.96.3 images - [ ] Proxy pods on ringtail come up healthy with v1.96.3 images - [ ] Tailscale ingress services remain reachable (e.g., grafana, prometheus) - [ ] Fly proxy rebuild deploys successfully with `tailscale wait` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: #304
37 lines
1.2 KiB
Bash
37 lines
1.2 KiB
Bash
#!/bin/sh
|
|
set -e
|
|
|
|
# Connect to tailnet first — nginx needs MagicDNS for upstream resolution.
|
|
# With bluegreen deploys, the old machine serves traffic until this one is
|
|
# fully ready. Fly.io runs Firecracker microVMs that support TUN devices
|
|
# natively — no need for --tun=userspace-networking.
|
|
tailscaled --statedir=/var/lib/tailscale &
|
|
sleep 2
|
|
tailscale up --authkey="${TS_AUTHKEY}" --hostname=flyio-proxy
|
|
tailscale wait --timeout 60s
|
|
echo "Tailscale connected"
|
|
|
|
# Ensure fail2ban deny file exists before nginx starts
|
|
touch /etc/nginx/forge-deny.conf
|
|
|
|
# Start nginx — MagicDNS is available, health check passes immediately.
|
|
nginx -g "daemon off;" &
|
|
NGINX_PID=$!
|
|
echo "Nginx started"
|
|
|
|
# Start fail2ban for login brute-force protection.
|
|
# Non-fatal — nginx rate limiting is the primary defense; fail2ban is additive.
|
|
if fail2ban-server -b; then
|
|
echo "fail2ban started"
|
|
else
|
|
echo "WARNING: fail2ban failed to start (nginx rate limiting still active)"
|
|
fi
|
|
|
|
# Start Alloy for observability (logs → Loki, metrics → Prometheus)
|
|
alloy run /etc/alloy/config.alloy \
|
|
--server.http.listen-addr=127.0.0.1:12345 \
|
|
--storage.path=/tmp/alloy-data &
|
|
echo "Alloy started"
|
|
|
|
# Block on nginx — container exits if nginx stops
|
|
wait $NGINX_PID
|