fix: make tailscale operator non-blocking by default and gate observability patching on readiness
@@ -214,8 +214,7 @@
|
||||
|
||||
Note: Ensure Tailscale Kubernetes Operator is installed first
|
||||
when:
|
||||
- tailscale_oauth_client_id | default('') | length > 0
|
||||
- tailscale_oauth_client_secret | default('') | length > 0
|
||||
- tailscale_operator_ready | default(false) | bool
|
||||
|
||||
- name: Show observability access details (fallback)
|
||||
debug:
|
||||
@@ -231,4 +230,4 @@
|
||||
Loki: Disabled
|
||||
{% endif %}
|
||||
when:
|
||||
- tailscale_oauth_client_id | default('') | length == 0 or tailscale_oauth_client_secret | default('') | length == 0
|
||||
- not (tailscale_operator_ready | default(false) | bool)
|
||||
|
||||
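Review bot: The Tailscale patch task is now gated only on `tailscale_operator_ready | default(false) | bool`, a fact that none of the visible hunks in this file set; it appears to come from `set_fact` in the operator tasks, so it exists only for the same host within the same run. If the observability tasks run in a separate play, against a different host, or in a later run limited to observability, the `default(false)` silently sends every run to the fallback task even when the operator is healthy. Either state the ordering requirement next to the `when:`, for example `# tailscale_operator_ready is set by the Tailscale operator tasks earlier in this run`, or check the operator deployment here before deciding. The same applies to the fallback condition in the second hunk; both tasks begin outside the hunks.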
@@ -8,6 +8,8 @@ tailscale_oauth_client_secret: ""
|
||||
tailscale_operator_default_tags:
|
||||
- "tag:k8s-operator"
|
||||
|
||||
tailscale_operator_required: false
|
||||
|
||||
tailscale_operator_node_selector:
|
||||
kubernetes.io/hostname: "k8s-cluster-cp-1"
|
||||
|
||||
|
||||
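Review bot: `tailscale_operator_required: false` is added without a comment, although it changes the failure mode: going by the operator tasks in this commit, an OAuth/tag permission error (403/400) now only warns and the deployment continues without Tailscale. Add a comment above the variable, such as `# When false, Tailscale OAuth/tag permission errors only warn and the run continues; set to true to fail the deployment instead.`, so operators who expect the tailnet to be the only access path know to flip it.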
@@ -2,6 +2,7 @@
|
||||
- name: Determine if Tailscale operator is enabled
|
||||
set_fact:
|
||||
tailscale_operator_enabled: "{{ (tailscale_oauth_client_id | default('') | length) > 0 and (tailscale_oauth_client_secret | default('') | length) > 0 }}"
|
||||
tailscale_operator_ready: false
|
||||
changed_when: false
|
||||
|
||||
- name: Skip Tailscale operator when OAuth credentials are missing
|
||||
@@ -125,7 +126,27 @@
|
||||
|
||||
Operator log excerpt:
|
||||
{{ tailscale_operator_logs.stdout | default('n/a') }}
|
||||
when: "tailscale_operator_logs.stdout is defined and ('does not have enough permissions' in tailscale_operator_logs.stdout or 'Status: 403' in tailscale_operator_logs.stdout or 'invalid or not permitted' in tailscale_operator_logs.stdout or 'Status: 400' in tailscale_operator_logs.stdout)"
|
||||
when:
|
||||
- tailscale_operator_required | bool
|
||||
- "tailscale_operator_logs.stdout is defined and ('does not have enough permissions' in tailscale_operator_logs.stdout or 'Status: 403' in tailscale_operator_logs.stdout or 'invalid or not permitted' in tailscale_operator_logs.stdout or 'Status: 400' in tailscale_operator_logs.stdout)"
|
||||
|
||||
- name: Warn when Tailscale OAuth permissions are insufficient (non-blocking)
|
||||
debug:
|
||||
msg: |
|
||||
Tailscale operator is not ready due to OAuth/tag permissions.
|
||||
Continuing deployment because tailscale_operator_required=false.
|
||||
Operator log excerpt:
|
||||
{{ tailscale_operator_logs.stdout | default('n/a') }}
|
||||
when:
|
||||
- not (tailscale_operator_required | bool)
|
||||
- "tailscale_operator_logs.stdout is defined and ('does not have enough permissions' in tailscale_operator_logs.stdout or 'Status: 403' in tailscale_operator_logs.stdout or 'invalid or not permitted' in tailscale_operator_logs.stdout or 'Status: 400' in tailscale_operator_logs.stdout)"
|
||||
|
||||
- name: Mark Tailscale operator ready when rollout succeeds and no auth errors
|
||||
set_fact:
|
||||
tailscale_operator_ready: true
|
||||
when:
|
||||
- tailscale_rollout.rc == 0
|
||||
- "tailscale_operator_logs.stdout is not defined or (('does not have enough permissions' not in tailscale_operator_logs.stdout) and ('Status: 403' not in tailscale_operator_logs.stdout) and ('invalid or not permitted' not in tailscale_operator_logs.stdout) and ('Status: 400' not in tailscale_operator_logs.stdout))"
|
||||
|
||||
- name: Warn if Tailscale operator is not ready yet
|
||||
debug:
|
||||
|
||||
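Review bot: The `Mark Tailscale operator ready…` task negates by hand the same four-substring log predicate that the fail and warn tasks above it spell out in full, so a later edit to one copy can leave the operator both "ready" and "auth-failed", or neither. Compute the predicate once with `set_fact` after the logs are collected and reference it from all three `when:` lists, as sketched below. The readiness task also passes when `tailscale_operator_logs.stdout` is not defined, so a log fetch that failed or was skipped counts as "no auth error"; if that is intended, say so in a comment. `tailscale_rollout` is registered outside this hunk; if that task can be skipped, `tailscale_rollout.rc | default(1) == 0` avoids an undefined-attribute error.

```yaml
- name: Detect OAuth/tag permission errors in the operator log
  set_fact:
    tailscale_operator_auth_error: >-
      {{ tailscale_operator_logs.stdout is defined and
         ('does not have enough permissions' in tailscale_operator_logs.stdout
          or 'Status: 403' in tailscale_operator_logs.stdout
          or 'invalid or not permitted' in tailscale_operator_logs.stdout
          or 'Status: 400' in tailscale_operator_logs.stdout) }}

# … unchanged: fail task body (required case) …
  when:
    - tailscale_operator_required | bool
    - tailscale_operator_auth_error | bool

# … unchanged: warn task body (non-blocking case) …
  when:
    - not (tailscale_operator_required | bool)
    - tailscale_operator_auth_error | bool

- name: Mark Tailscale operator ready when rollout succeeds and no auth errors
  set_fact:
    tailscale_operator_ready: true
  when:
    - tailscale_rollout.rc | default(1) == 0
    - not (tailscale_operator_auth_error | bool)
```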