fix: make tailscale operator non-blocking by default and gate observability patching on readiness

2026-03-03 21:47:16 +00:00
parent 213c1fb4e4
commit 2bbf05cdca
3 changed files with 26 additions and 4 deletions


@@ -214,8 +214,7 @@
Note: Ensure Tailscale Kubernetes Operator is installed first Note: Ensure Tailscale Kubernetes Operator is installed first
when: when:
- tailscale_oauth_client_id | default('') | length > 0 - tailscale_operator_ready | default(false) | bool
- tailscale_oauth_client_secret | default('') | length > 0
- name: Show observability access details (fallback) - name: Show observability access details (fallback)
debug: debug:
@@ -231,4 +230,4 @@
Loki: Disabled Loki: Disabled
{% endif %} {% endif %}
when: when:
- tailscale_oauth_client_id | default('') | length == 0 or tailscale_oauth_client_secret | default('') | length == 0 - not (tailscale_operator_ready | default(false) | bool)
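Review bot: The new gates `tailscale_operator_ready | default(false) | bool` and its negation in the fallback task treat an undefined fact the same as an unready operator, so if this playbook runs in a play or against a host where the tailscale role's `set_fact` did not execute, the Tailscale access path is silently skipped and only the fallback details are shown. That is probably the intent, but it deserves a comment above the first `when:` such as `# tailscale_operator_ready is a per-host set_fact from the tailscale role; undefined is treated as not ready`. The task that owns the first hunk's `when:` starts before the hunk, and the context lines between the two hunks are not shown here.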


@@ -8,6 +8,8 @@ tailscale_oauth_client_secret: ""
tailscale_operator_default_tags: tailscale_operator_default_tags:
- "tag:k8s-operator" - "tag:k8s-operator"
tailscale_operator_required: false
tailscale_operator_node_selector: tailscale_operator_node_selector:
kubernetes.io/hostname: "k8s-cluster-cp-1" kubernetes.io/hostname: "k8s-cluster-cp-1"
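Review bot: `tailscale_operator_required: false` is introduced without a comment, although it decides whether OAuth/tag permission errors from the operator fail the play or are only warned about. A default that turns an authorization failure into a warning should say so next to the value, e.g. `# When false (default), operator OAuth/tag permission errors only warn and tailscale_operator_ready stays false; set true to fail the play instead`. The defaults mapping continues outside the hunk, and the hunk header counts suggest one more added line is not shown here.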


@@ -2,6 +2,7 @@
- name: Determine if Tailscale operator is enabled - name: Determine if Tailscale operator is enabled
set_fact: set_fact:
tailscale_operator_enabled: "{{ (tailscale_oauth_client_id | default('') | length) > 0 and (tailscale_oauth_client_secret | default('') | length) > 0 }}" tailscale_operator_enabled: "{{ (tailscale_oauth_client_id | default('') | length) > 0 and (tailscale_oauth_client_secret | default('') | length) > 0 }}"
tailscale_operator_ready: false
changed_when: false changed_when: false
- name: Skip Tailscale operator when OAuth credentials are missing - name: Skip Tailscale operator when OAuth credentials are missing
@@ -125,7 +126,27 @@
Operator log excerpt: Operator log excerpt:
{{ tailscale_operator_logs.stdout | default('n/a') }} {{ tailscale_operator_logs.stdout | default('n/a') }}
when: "tailscale_operator_logs.stdout is defined and ('does not have enough permissions' in tailscale_operator_logs.stdout or 'Status: 403' in tailscale_operator_logs.stdout or 'invalid or not permitted' in tailscale_operator_logs.stdout or 'Status: 400' in tailscale_operator_logs.stdout)" when:
- tailscale_operator_required | bool
- "tailscale_operator_logs.stdout is defined and ('does not have enough permissions' in tailscale_operator_logs.stdout or 'Status: 403' in tailscale_operator_logs.stdout or 'invalid or not permitted' in tailscale_operator_logs.stdout or 'Status: 400' in tailscale_operator_logs.stdout)"
- name: Warn when Tailscale OAuth permissions are insufficient (non-blocking)
debug:
msg: |
Tailscale operator is not ready due to OAuth/tag permissions.
Continuing deployment because tailscale_operator_required=false.
Operator log excerpt:
{{ tailscale_operator_logs.stdout | default('n/a') }}
when:
- not (tailscale_operator_required | bool)
- "tailscale_operator_logs.stdout is defined and ('does not have enough permissions' in tailscale_operator_logs.stdout or 'Status: 403' in tailscale_operator_logs.stdout or 'invalid or not permitted' in tailscale_operator_logs.stdout or 'Status: 400' in tailscale_operator_logs.stdout)"
- name: Mark Tailscale operator ready when rollout succeeds and no auth errors
set_fact:
tailscale_operator_ready: true
when:
- tailscale_rollout.rc == 0
- "tailscale_operator_logs.stdout is not defined or (('does not have enough permissions' not in tailscale_operator_logs.stdout) and ('Status: 403' not in tailscale_operator_logs.stdout) and ('invalid or not permitted' not in tailscale_operator_logs.stdout) and ('Status: 400' not in tailscale_operator_logs.stdout))"
- name: Warn if Tailscale operator is not ready yet - name: Warn if Tailscale operator is not ready yet
debug: debug: