fix: detect tailscale tag permission errors and clean access output
Some checks failed
Deploy Cluster / Terraform (push) Successful in 46s
Deploy Cluster / Ansible (push) Failing after 14m7s

This commit is contained in:
2026-03-03 08:51:25 +00:00
parent 414ac73c25
commit 213c1fb4e4
2 changed files with 7 additions and 7 deletions


@@ -201,17 +201,17 @@
debug:
msg: |
Observability stack deployed with Tailscale access!
Grafana: http://grafana{% if grafana_lb_ip.stdout | default('') | length > 0 %} (or http://{{ grafana_lb_ip.stdout }}){% endif %}
Prometheus: http://prometheus{% if prometheus_lb_ip.stdout | default('') | length > 0 %} (or http://{{ prometheus_lb_ip.stdout }}){% endif %}
Login: admin / {{ grafana_password_effective }}
Access via:
- MagicDNS: http://grafana or http://prometheus (if enabled)
- Direct endpoint: {% if grafana_lb_ip.stdout | default('') | length > 0 %}http://{{ grafana_lb_ip.stdout }}{% else %}(pending){% endif %} / {% if prometheus_lb_ip.stdout | default('') | length > 0 %}http://{{ prometheus_lb_ip.stdout }}{% else %}(pending){% endif %}
- Tailnet FQDN: http://grafana.{{ tailscale_tailnet | default('tailnet.ts.net') }}
Note: Ensure Tailscale Kubernetes Operator is installed first
when:
- tailscale_oauth_client_id | default('') | length > 0
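Review bot: the debug task in this hunk echoes the Grafana admin credential (`Login: admin / {{ grafana_password_effective }}`) into the play output, where it lands in the job log of the Deploy Cluster / Ansible run shown above; drop the password line from the message or set `no_log: true` on the task and point the reader at where the secret is stored instead. The same message advertises every endpoint as plain `http://`, so if the direct LoadBalancer addresses (`grafana_lb_ip`, `prometheus_lb_ip`) are reachable from outside the tailnet the login would travel unencrypted; either say so in the message or keep the direct endpoints tailnet-only.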


@@ -115,17 +115,17 @@
- name: Fail when Tailscale OAuth permissions are insufficient
fail:
msg: |
Tailscale operator started but cannot create auth keys (403 permission error).
Tailscale operator started but cannot create auth keys (OAuth/tag permission error).
Fix your Tailscale OAuth client/tag permissions.
Required checks in Tailscale admin:
- OAuth client has devices:core write access
- OAuth client has devices:core, auth_keys, and services write access
- OAuth client can create tagged devices for: {{ tailscale_operator_default_tags | join(', ') }}
- ACL/tag ownership allows those tags for this OAuth client
Operator log excerpt:
{{ tailscale_operator_logs.stdout | default('n/a') }}
when: "tailscale_operator_logs.stdout is defined and ('does not have enough permissions' in tailscale_operator_logs.stdout or 'Status: 403' in tailscale_operator_logs.stdout)"
when: "tailscale_operator_logs.stdout is defined and ('does not have enough permissions' in tailscale_operator_logs.stdout or 'Status: 403' in tailscale_operator_logs.stdout or 'invalid or not permitted' in tailscale_operator_logs.stdout or 'Status: 400' in tailscale_operator_logs.stdout)"
- name: Warn if Tailscale operator is not ready yet
debug:
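Review bot: the widened `when` at the end of this hunk treats any `Status: 400` in the operator log as an OAuth/tag permission problem, so an unrelated 400 (a malformed request, say) would abort the play with a misleading "Fix your Tailscale OAuth client/tag permissions" message; pair `'Status: 400'` with `'invalid or not permitted'` in one condition rather than OR-ing it in on its own, or leave the bare 400 case to the "not ready yet" warning that follows. The substring checks also run against the whole captured `tailscale_operator_logs.stdout`, so a 403 or "does not have enough permissions" line from an earlier attempt that the operator has since recovered from still fails the play; consider matching on the tail of the log or combining the match with the operator's current readiness.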