diff --git a/ansible/roles/observability/tasks/main.yml b/ansible/roles/observability/tasks/main.yml
index e74bbc2..29d37f6 100644
--- a/ansible/roles/observability/tasks/main.yml
+++ b/ansible/roles/observability/tasks/main.yml
@@ -214,8 +214,7 @@
 Note: Ensure Tailscale Kubernetes Operator is installed first
 when:
- - tailscale_oauth_client_id | default('') | length > 0
- - tailscale_oauth_client_secret | default('') | length > 0
+ - tailscale_operator_ready | default(false) | bool
 - name: Show observability access details (fallback)
 debug:
@@ -231,4 +230,4 @@
 Loki: Disabled
 {% endif %}
 when:
- - tailscale_oauth_client_id | default('') | length == 0 or tailscale_oauth_client_secret | default('') | length == 0
+ - not (tailscale_operator_ready | default(false) | bool)
diff --git a/ansible/roles/tailscale-operator/defaults/main.yml b/ansible/roles/tailscale-operator/defaults/main.yml
index 77f28ab..50d7a65 100644
--- a/ansible/roles/tailscale-operator/defaults/main.yml
+++ b/ansible/roles/tailscale-operator/defaults/main.yml
@@ -8,6 +8,8 @@ tailscale_oauth_client_secret: ""
 tailscale_operator_default_tags:
 - "tag:k8s-operator"
+tailscale_operator_required: false
+
 tailscale_operator_node_selector:
 kubernetes.io/hostname: "k8s-cluster-cp-1"
diff --git a/ansible/roles/tailscale-operator/tasks/main.yml b/ansible/roles/tailscale-operator/tasks/main.yml
index 26c9841..33eaa06 100644
--- a/ansible/roles/tailscale-operator/tasks/main.yml
+++ b/ansible/roles/tailscale-operator/tasks/main.yml
@@ -2,6 +2,7 @@
 - name: Determine if Tailscale operator is enabled
 set_fact:
 tailscale_operator_enabled: "{{ (tailscale_oauth_client_id | default('') | length) > 0 and (tailscale_oauth_client_secret | default('') | length) > 0 }}"
+ tailscale_operator_ready: false
 changed_when: false
 - name: Skip Tailscale operator when OAuth credentials are missing
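Review bot: The new `when:` on the Tailscale access-details task reads `tailscale_operator_ready`, which the tailscale-operator role produces with `set_fact`; such facts are scoped to the host the task ran against, so if the observability role runs in a different play or against a different host the `default(false)` silently selects the fallback details with no sign that the operator outcome was never consulted. If both roles run on the same hosts in one play this is fine; otherwise it would be worth making the dependency explicit, e.g. an assert that `tailscale_operator_ready is defined` before this task, or reading it through `hostvars` for the host that ran the operator role. The debug task whose `when:` is changed here starts before the hunk.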
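Review bot: `tailscale_operator_required: false` is a fail-open default: per the tasks change in the same commit, a value of false turns an OAuth/tag permission failure from a hard stop into a warning and the play continues with the operator not ready, and nothing in the defaults file says so. A comment above the new key would stop that from being discovered by surprise, e.g. `# When false, Tailscale OAuth/tag permission errors only warn and the play continues with tailscale_operator_ready=false; set true where Tailscale exposure is mandatory.` Inventories that presumably depend on the operator for access should set it to true explicitly rather than inherit this default.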
@@ -125,7 +126,27 @@
 Operator log excerpt:
 {{ tailscale_operator_logs.stdout | default('n/a') }}
- when: "tailscale_operator_logs.stdout is defined and ('does not have enough permissions' in tailscale_operator_logs.stdout or 'Status: 403' in tailscale_operator_logs.stdout or 'invalid or not permitted' in tailscale_operator_logs.stdout or 'Status: 400' in tailscale_operator_logs.stdout)"
+ when:
+ - tailscale_operator_required | bool
+ - "tailscale_operator_logs.stdout is defined and ('does not have enough permissions' in tailscale_operator_logs.stdout or 'Status: 403' in tailscale_operator_logs.stdout or 'invalid or not permitted' in tailscale_operator_logs.stdout or 'Status: 400' in tailscale_operator_logs.stdout)"
+
+- name: Warn when Tailscale OAuth permissions are insufficient (non-blocking)
+ debug:
+ msg: |
+ Tailscale operator is not ready due to OAuth/tag permissions.
+ Continuing deployment because tailscale_operator_required=false.
+ Operator log excerpt:
+ {{ tailscale_operator_logs.stdout | default('n/a') }}
+ when:
+ - not (tailscale_operator_required | bool)
+ - "tailscale_operator_logs.stdout is defined and ('does not have enough permissions' in tailscale_operator_logs.stdout or 'Status: 403' in tailscale_operator_logs.stdout or 'invalid or not permitted' in tailscale_operator_logs.stdout or 'Status: 400' in tailscale_operator_logs.stdout)"
+
+- name: Mark Tailscale operator ready when rollout succeeds and no auth errors
+ set_fact:
+ tailscale_operator_ready: true
+ when:
+ - tailscale_rollout.rc == 0
+ - "tailscale_operator_logs.stdout is not defined or (('does not have enough permissions' not in tailscale_operator_logs.stdout) and ('Status: 403' not in tailscale_operator_logs.stdout) and ('invalid or not permitted' not in tailscale_operator_logs.stdout) and ('Status: 400' not in tailscale_operator_logs.stdout))"
 - name: Warn if Tailscale operator is not ready yet
 debug:
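Review bot: The four-substring auth-error predicate is now copied verbatim into three `when:` clauses (the fail task, the new non-blocking warning, and the new ready task), with the ready task carrying a hand-written negation of it; if one copy is edited without the others the operator can be marked ready while the warning still fires, which is exactly the state downstream roles now trust. The ready task's `tailscale_rollout.rc == 0` also dereferences `rc` on a result registered outside this hunk, and if that rollout task was skipped the expression raises an undefined-attribute error instead of evaluating false, so it should read `tailscale_rollout.rc | default(1) | int == 0`. Computing the predicate once with `set_fact` and consuming it through `| bool`, the pattern the role already uses for `tailscale_operator_enabled`, removes the drift; the fail message, the warning message and the rest of the file are unchanged. The fail task whose condition is replaced here starts before the hunk.
```yaml
- name: Detect Tailscale OAuth/tag permission errors in operator logs
  set_fact:
    tailscale_operator_auth_error: >-
      {{ tailscale_operator_logs.stdout is defined and
         ('does not have enough permissions' in tailscale_operator_logs.stdout
          or 'Status: 403' in tailscale_operator_logs.stdout
          or 'invalid or not permitted' in tailscale_operator_logs.stdout
          or 'Status: 400' in tailscale_operator_logs.stdout) }}
  changed_when: false

# … unchanged: fail task name and message …
  when:
    - tailscale_operator_required | bool
    - tailscale_operator_auth_error | bool

# … unchanged: non-blocking warning task name and message …
  when:
    - not (tailscale_operator_required | bool)
    - tailscale_operator_auth_error | bool

- name: Mark Tailscale operator ready when rollout succeeds and no auth errors
  set_fact:
    tailscale_operator_ready: true
  when:
    # A skipped rollout registers no rc; treat it as not ready rather than erroring.
    - tailscale_rollout.rc | default(1) | int == 0
    - not (tailscale_operator_auth_error | bool)
```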