From 06c1356f1ef019f6e4ceeac04b6ffd6742ec8484 Mon Sep 17 00:00:00 2001 From: MichaelFisher1997 Date: Thu, 5 Mar 2026 00:43:29 +0000 Subject: [PATCH] feat: expose flux observability services over tailscale --- README.md | 4 ++-- .../helmrelease-kube-prometheus-stack.yaml | 12 ++++++++++-- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 30e8f10..7e05130 100644 --- a/README.md +++ b/README.md @@ -217,7 +217,7 @@ Ansible `site.yml` now skips `observability` and `observability-content` roles b ## Observability Stack -The Ansible playbook deploys a lightweight observability stack in the `observability` namespace: +Flux deploys a lightweight observability stack in the `observability` namespace: - `kube-prometheus-stack` (Prometheus + Grafana) - `loki` @@ -225,7 +225,7 @@ The Ansible playbook deploys a lightweight observability stack in the `observabi Grafana content is managed as code via ConfigMaps in `infrastructure/addons/observability-content/` (Flux), migrated from `ansible/roles/observability-content/`. -Services are kept internal by default, with optional declarative Tailscale exposure when the Tailscale Kubernetes Operator is healthy. +Grafana and Prometheus are exposed via Tailscale (`loadBalancerClass: tailscale`) when the Tailscale Kubernetes Operator is healthy. ### Access Grafana and Prometheus diff --git a/infrastructure/addons/observability/helmrelease-kube-prometheus-stack.yaml b/infrastructure/addons/observability/helmrelease-kube-prometheus-stack.yaml index 2adcb62..b0931c1 100644 --- a/infrastructure/addons/observability/helmrelease-kube-prometheus-stack.yaml +++ b/infrastructure/addons/observability/helmrelease-kube-prometheus-stack.yaml @@ -29,7 +29,11 @@ spec: storageClassName: local-path size: 5Gi service: - type: ClusterIP + type: LoadBalancer + loadBalancerClass: tailscale + annotations: + tailscale.com/hostname: grafana + tailscale.com/proxy-class: infra-stable sidecar: datasources: enabled: true 
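Review bot: Neither new `annotations:` block sets `tailscale.com/tags`, so the Grafana proxy in this hunk and the Prometheus proxy in the next one will presumably both join the tailnet under the operator's default proxy tag (the operator configuration is not part of this patch). With a shared tag, the tailnet policy cannot grant Grafana to one group and Prometheus to another, or separate either from other operator-managed proxies. Consider adding a dedicated tag to each Service, e.g. `tailscale.com/tags: "tag:<grafana-tag>"` here and `tailscale.com/tags: "tag:<prometheus-tag>"` in the Prometheus hunk (placeholder names; the operator has to be an owner of those tags), and scoping the policy to them. The `grafana:` values start above this hunk, so the source of the Grafana admin credentials is not visible; since the login page is now reachable from every permitted tailnet device, confirm the credentials come from a Secret rather than chart defaults.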
@@ -41,7 +45,11 @@ spec:
 searchNamespace: observability
 prometheus:
 service:
- type: ClusterIP
+ type: LoadBalancer
+ loadBalancerClass: tailscale
+ annotations:
+ tailscale.com/hostname: prometheus
+ tailscale.com/proxy-class: infra-stable
 prometheusSpec:
 retention: 7d
 storageSpec:
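Review bot: Prometheus serves its UI and query API without authentication unless that is configured separately, and this hunk adds none, so once the Service is `type: LoadBalancer` with `loadBalancerClass: tailscale` the tailnet policy is the only access control in front of it. A comment above `service:` would record that dependency, e.g. `# No app-level auth: reachability is controlled solely by the tailnet policy for this proxy.` `prometheusSpec:` continues below the hunk; it is worth confirming that `enableAdminAPI` is not turned on there, because the admin endpoints would then be reachable on the same listener.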