feat: stabilize tailscale observability exposure with declarative proxy class

ansible/roles/tailscale-operator/defaults/main.yml

@@ -8,6 +8,8 @@ tailscale_oauth_client_secret: ""
 tailscale_operator_default_tags:
   - "tag:k8s"
 
+tailscale_proxyclass_name: "infra-stable"
+
 tailscale_operator_required: false
 
 tailscale_operator_node_selector:

ansible/roles/tailscale-operator/tasks/main.yml

@@ -157,3 +157,15 @@
       {{ tailscale_rollout.stdout | default('') }}
       {{ tailscale_deploy.stdout | default('') }}
   when: tailscale_rollout.rc != 0
+
+- name: Write Tailscale default ProxyClass manifest
+  template:
+    src: proxyclass.yaml.j2
+    dest: /tmp/tailscale-proxyclass.yaml
+    mode: "0644"
+  when: tailscale_operator_ready | default(false) | bool
+
+- name: Apply Tailscale default ProxyClass
+  command: kubectl apply -f /tmp/tailscale-proxyclass.yaml
+  changed_when: true
+  when: tailscale_operator_ready | default(false) | bool

ansible/roles/tailscale-operator/templates/operator-values.yaml.j2

@@ -21,3 +21,4 @@ installCRDs: true
 
 proxyConfig:
   defaultTags: "{{ tailscale_operator_default_tags | join(',') }}"
+  defaultProxyClass: "{{ tailscale_proxyclass_name }}"

ansible/roles/tailscale-operator/templates/proxyclass.yaml.j2

@@ -0,0 +1,17 @@
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyClass
+metadata:
+  name: {{ tailscale_proxyclass_name }}
+spec:
+  statefulSet:
+    pod:
+      nodeSelector:
+{% for key, value in tailscale_operator_node_selector.items() %}
+        {{ key }}: "{{ value }}"
+{% endfor %}
+      tolerations:
+{% for tol in tailscale_operator_tolerations %}
+      - key: "{{ tol.key }}"
+        operator: "{{ tol.operator }}"
+        effect: "{{ tol.effect }}"
+{% endfor %}