From 414ac73c25b537c53ce9a047fbbe6b6fcb4fd983 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Mon, 2 Mar 2026 23:57:53 +0000
Subject: [PATCH] fix: fail fast on tailscale oauth 403 with actionable message
---
 .../roles/tailscale-operator/tasks/main.yml | 42 ++++++++++++++++++-
 1 file changed, 40 insertions(+), 2 deletions(-)
diff --git a/ansible/roles/tailscale-operator/tasks/main.yml b/ansible/roles/tailscale-operator/tasks/main.yml
index 9ebc900..8e8cc0c 100644
--- a/ansible/roles/tailscale-operator/tasks/main.yml
+++ b/ansible/roles/tailscale-operator/tasks/main.yml
@@ -61,8 +61,7 @@
     --namespace {{ tailscale_operator_namespace }}
     --version {{ tailscale_operator_version }}
     --values /tmp/tailscale-operator-values.yaml
-    --wait
-    --timeout 10m
+    --timeout 5m
   register: tailscale_install
   failed_when: false
   changed_when: true
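Review bot: `--timeout 5m` on the replacement line is Helm's default value, so with `--wait` removed the flag no longer changes anything and the install returns as soon as the manifests are submitted; if the line is meant as documentation, a comment such as `# no --wait: readiness is checked by the rollout-status task below` says it more clearly than a no-op flag. Because the task keeps `failed_when: false`, a Helm error at this step is still surfaced only by the later tasks, which is worth stating in that comment. The `command` scalar and the task's `name` start above the hunk.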
@@ -97,4 +96,43 @@
 
 - name: Wait for Tailscale operator to be ready
   command: kubectl -n {{ tailscale_operator_namespace }} rollout status deployment/operator --timeout=5m
+  register: tailscale_rollout
+  failed_when: false
   changed_when: false
+
+- name: Show Tailscale operator deployment status
+  command: kubectl -n {{ tailscale_operator_namespace }} get deployment operator -o wide
+  register: tailscale_deploy
+  changed_when: false
+  failed_when: false
+
+- name: Get Tailscale operator logs
+  command: kubectl -n {{ tailscale_operator_namespace }} logs deployment/operator --tail=200
+  register: tailscale_operator_logs
+  changed_when: false
+  failed_when: false
+
+- name: Fail when Tailscale OAuth permissions are insufficient
+  fail:
+    msg: |
+      Tailscale operator started but cannot create auth keys (403 permission error).
+      Fix your Tailscale OAuth client/tag permissions.
+
+      Required checks in Tailscale admin:
+      - OAuth client has devices:core write access
+      - OAuth client can create tagged devices for: {{ tailscale_operator_default_tags | join(', ') }}
+      - ACL/tag ownership allows those tags for this OAuth client
+
+      Operator log excerpt:
+      {{ tailscale_operator_logs.stdout | default('n/a') }}
+  when: "tailscale_operator_logs.stdout is defined and ('does not have enough permissions' in tailscale_operator_logs.stdout or 'Status: 403' in tailscale_operator_logs.stdout)"
+
+- name: Warn if Tailscale operator is not ready yet
+  debug:
+    msg: |
+      Tailscale operator deployment is still converging.
+      This is non-blocking for CI; service endpoints may appear shortly.
+      Rollout output:
+      {{ tailscale_rollout.stdout | default('') }}
+      {{ tailscale_deploy.stdout | default('') }}
+  when: tailscale_rollout.rc != 0
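Review bot: The `msg` of the fail task embeds the whole `--tail=200` capture under "Operator log excerpt:", which is far more than the 403 evidence and carries whatever else the operator logged about the tailnet into the CI failure output; narrowing the excerpt to the lines that triggered the check keeps the message actionable without that spill, e.g. `{{ tailscale_operator_logs.stdout_lines | select('search', 'Status: 403|does not have enough permissions') | join('\n') }}`. The same two substrings drive the `when:` condition, so pulling the pattern into one role variable would keep the check and the excerpt in sync. Note that `kubectl logs deployment/operator` reads a single pod chosen by kubectl, so the 403 could be missed if the operator ever ran more than one replica; selecting pods by label would cover that. The detection also runs only after the rollout-status task has waited up to its `--timeout=5m`, so "fail fast" holds only when the operator pod reports Ready despite the 403 — presumably the case here, but worth a comment on the task.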