feat: route observability through one tailscale endpoint

README.md

@@ -225,14 +225,14 @@ Flux deploys a lightweight observability stack in the `observability` namespace:
 
 Grafana content is managed as code via ConfigMaps in `infrastructure/addons/observability-content/` (Flux), migrated from `ansible/roles/observability-content/`.
 
-Grafana and Prometheus are exposed via Tailscale (`loadBalancerClass: tailscale`) when the Tailscale Kubernetes Operator is healthy.
+Grafana and Prometheus are exposed through a single Tailscale front door backed by Traefik when the Tailscale Kubernetes Operator is healthy.
 
 ### Access Grafana and Prometheus
 
 Preferred (when Tailscale Operator is healthy):
 
-- Grafana: `http://grafana` (or `http://grafana.<your-tailnet>`)
-- Prometheus: `http://prometheus` (or `http://prometheus.<your-tailnet>`)
+- Grafana: `http://observability/grafana/` (or `http://observability.<your-tailnet>/grafana/`)
+- Prometheus: `http://observability/prometheus/` (or `http://observability.<your-tailnet>/prometheus/`)
 
 Fallback (port-forward from a tailnet-connected machine):
 

infrastructure/addons/observability/grafana-ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: grafana
+  namespace: observability
+spec:
+  ingressClassName: traefik
+  rules:
+    - http:
+        paths:
+          - path: /grafana
+            pathType: Prefix
+            backend:
+              service:
+                name: observability-kube-prometheus-stack-grafana
+                port:
+                  number: 80

infrastructure/addons/observability/helmrelease-kube-prometheus-stack.yaml

@@ -24,16 +24,16 @@ spec:
   values:
     grafana:
       enabled: true
+      grafana.ini:
+        server:
+          root_url: http://observability/grafana/
+          serve_from_sub_path: true
       persistence:
         enabled: true
         storageClassName: local-path
         size: 5Gi
       service:
-        type: LoadBalancer
-        loadBalancerClass: tailscale
-        annotations:
-          tailscale.com/hostname: grafana
-          tailscale.com/proxy-class: infra-stable
+        type: ClusterIP
       sidecar:
         datasources:
           enabled: true
@@ -45,12 +45,10 @@ spec:
           searchNamespace: observability
     prometheus:
       service:
-        type: LoadBalancer
-        loadBalancerClass: tailscale
-        annotations:
-          tailscale.com/hostname: prometheus
-          tailscale.com/proxy-class: infra-stable
+        type: ClusterIP
       prometheusSpec:
+        externalUrl: http://observability/prometheus/
+        routePrefix: /prometheus/
         retention: 7d
         storageSpec:
           volumeClaimTemplate:

infrastructure/addons/observability/kustomization.yaml

@@ -2,6 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - namespace.yaml
+  - traefik-tailscale-service.yaml
+  - grafana-ingress.yaml
+  - prometheus-ingress.yaml
   - helmrepository-prometheus-community.yaml
   - helmrepository-grafana.yaml
   - helmrelease-kube-prometheus-stack.yaml

infrastructure/addons/observability/prometheus-ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: prometheus
+  namespace: observability
+spec:
+  ingressClassName: traefik
+  rules:
+    - http:
+        paths:
+          - path: /prometheus
+            pathType: Prefix
+            backend:
+              service:
+                name: observability-kube-prometh-prometheus
+                port:
+                  number: 9090

infrastructure/addons/observability/traefik-tailscale-service.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-tailscale
+  namespace: kube-system
+  annotations:
+    tailscale.com/hostname: observability
+    tailscale.com/proxy-class: infra-stable
+spec:
+  type: LoadBalancer
+  loadBalancerClass: tailscale
+  selector:
+    app.kubernetes.io/instance: traefik-kube-system
+    app.kubernetes.io/name: traefik
+  ports:
+    - name: web
+      port: 80
+      protocol: TCP
+      targetPort: web
+    - name: websecure
+      port: 443
+      protocol: TCP
+      targetPort: websecure