HomeInfra/HetznerTerra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: fail fast on tailscale oauth 403 with actionable message
All checks were successful
Deploy Cluster / Terraform (push) Successful in 46s
Details
Deploy Cluster / Ansible (push) Successful in 27m37s
Details

Browse Source
This commit is contained in:
MichaelFisher1997
2026-03-02 23:57:53 +00:00
parent 542d7a6be5
commit 414ac73c25
1 changed files with 40 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
ansible/roles/tailscale-operator/tasks/main.yml
View File

@@ -61,8 +61,7 @@
--namespace {{ tailscale_operator_namespace }} --namespace {{ tailscale_operator_namespace }}
--version {{ tailscale_operator_version }} --version {{ tailscale_operator_version }}
--values /tmp/tailscale-operator-values.yaml --values /tmp/tailscale-operator-values.yaml
--wait --timeout 5m
--timeout 10m
register: tailscale_install register: tailscale_install
failed_when: false failed_when: false
changed_when: true changed_when: true
@@ -97,4 +96,43 @@
- name: Wait for Tailscale operator to be ready - name: Wait for Tailscale operator to be ready
command: kubectl -n {{ tailscale_operator_namespace }} rollout status deployment/operator --timeout=5m command: kubectl -n {{ tailscale_operator_namespace }} rollout status deployment/operator --timeout=5m
register: tailscale_rollout
failed_when: false
changed_when: false changed_when: false
- name: Show Tailscale operator deployment status
command: kubectl -n {{ tailscale_operator_namespace }} get deployment operator -o wide
register: tailscale_deploy
changed_when: false
failed_when: false
- name: Get Tailscale operator logs
command: kubectl -n {{ tailscale_operator_namespace }} logs deployment/operator --tail=200
register: tailscale_operator_logs
changed_when: false
failed_when: false
- name: Fail when Tailscale OAuth permissions are insufficient
fail:
msg: |
Tailscale operator started but cannot create auth keys (403 permission error).
Fix your Tailscale OAuth client/tag permissions.
Required checks in Tailscale admin:
- OAuth client has devices:core write access
- OAuth client can create tagged devices for: {{ tailscale_operator_default_tags | join(', ') }}
- ACL/tag ownership allows those tags for this OAuth client
Operator log excerpt:
{{ tailscale_operator_logs.stdout | default('n/a') }}
when: "tailscale_operator_logs.stdout is defined and ('does not have enough permissions' in tailscale_operator_logs.stdout or 'Status: 403' in tailscale_operator_logs.stdout)"
- name: Warn if Tailscale operator is not ready yet
debug:
msg: |
Tailscale operator deployment is still converging.
This is non-blocking for CI; service endpoints may appear shortly.
Rollout output:
{{ tailscale_rollout.stdout | default('') }}
{{ tailscale_deploy.stdout | default('') }}
when: tailscale_rollout.rc != 0