Fix Rancher access: add kubectl port-forward + tailscale serve setup

2026-03-24 20:01:57 +00:00
parent 47b384a337
commit 60ceac4624
7 changed files with 35 additions and 60 deletions
--- a/ansible/roles/private-access/tasks/main.yml
+++ b/ansible/roles/private-access/tasks/main.yml
@@ -35,6 +35,18 @@
    unit_local_port: 19001
    unit_remote_port: 9001

+- name: Create systemd unit for Rancher private access
+  template:
+    src: kubectl-port-forward.service.j2
+    dest: /etc/systemd/system/k8s-portforward-rancher.service
+    mode: "0644"
+  vars:
+    unit_description: Port-forward Rancher for Tailscale access
+    unit_namespace: cattle-system
+    unit_target: svc/rancher
+    unit_local_port: 19442
+    unit_remote_port: 80
+
 - name: Reload systemd
  systemd:
    daemon_reload: true
@@ -48,11 +60,13 @@
    - k8s-portforward-grafana.service
    - k8s-portforward-prometheus.service
    - k8s-portforward-flux-ui.service
+    - k8s-portforward-rancher.service

 - name: Configure Tailscale Serve for private access endpoints
  shell: >-
    tailscale serve reset &&
    tailscale serve --bg --tcp={{ private_access_grafana_port }} tcp://127.0.0.1:13080 &&
    tailscale serve --bg --tcp={{ private_access_prometheus_port }} tcp://127.0.0.1:19090 &&
-    tailscale serve --bg --tcp={{ private_access_flux_port }} tcp://127.0.0.1:19001
+    tailscale serve --bg --tcp={{ private_access_flux_port }} tcp://127.0.0.1:19001 &&
+    tailscale serve --bg --tcp={{ private_access_rancher_port }} tcp://127.0.0.1:19442
  changed_when: true
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -116,6 +116,7 @@
    private_access_grafana_port: 30080
    private_access_prometheus_port: 30990
    private_access_flux_port: 30901
+    private_access_rancher_port: 9442

  roles:
    - private-access
--- a/infrastructure/addons/rancher/ingress-rancher.yaml
+++ b/infrastructure/addons/rancher/ingress-rancher.yaml
@@ -1,26 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: rancher
-  namespace: cattle-system
-  annotations:
-    traefik.ingress.kubernetes.io/router.entrypoints: rancher
-    traefik.ingress.kubernetes.io/router.tls: "true"
-    cert-manager.io/cluster-issuer: "selfsigned-cluster-issuer"
-spec:
-  ingressClassName: traefik
-  rules:
-    - host: k8s-cluster-cp-1.silverside-gopher.ts.net
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: rancher
-                port:
-                  number: 80
-  tls:
-    - hosts:
-        - k8s-cluster-cp-1.silverside-gopher.ts.net
-      secretName: rancher-tls
--- a/infrastructure/addons/rancher/kustomization.yaml
+++ b/infrastructure/addons/rancher/kustomization.yaml
@@ -4,5 +4,5 @@ resources:
  - namespace.yaml
  - helmrepository-rancher.yaml
  - helmrelease-rancher.yaml
-  - ingress-rancher.yaml
+  - service-rancher-tailscale.yaml
  - rancher-bootstrap-password-externalsecret.yaml
--- a/infrastructure/addons/rancher/service-rancher-tailscale.yaml
+++ b/infrastructure/addons/rancher/service-rancher-tailscale.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: rancher-tailscale
+  namespace: cattle-system
+  annotations:
+    tailscale.com/hostname: k8s-cluster-cp-1-rancher
+    tailscale.com/proxy-class: infra-stable
+spec:
+  type: LoadBalancer
+  loadBalancerClass: tailscale
+  selector:
+    app: rancher
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 80
--- a/infrastructure/addons/traefik-config/kustomization.yaml
+++ b/infrastructure/addons/traefik-config/kustomization.yaml
@@ -2,4 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - helmchartconfig-traefik.yaml
-  - service-traefik-tailscale.yaml
--- a/infrastructure/addons/traefik-config/service-traefik-tailscale.yaml
+++ b/infrastructure/addons/traefik-config/service-traefik-tailscale.yaml
@@ -1,31 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: traefik-tailscale
-  namespace: kube-system
-  annotations:
-    tailscale.com/hostname: k8s-cluster-cp-1
-    tailscale.com/proxy-class: infra-stable
-spec:
-  type: LoadBalancer
-  loadBalancerClass: tailscale
-  selector:
-    app.kubernetes.io/instance: traefik-kube-system
-    app.kubernetes.io/name: traefik
-  ports:
-    - name: web
-      port: 80
-      protocol: TCP
-      targetPort: web
-    - name: websecure
-      port: 443
-      protocol: TCP
-      targetPort: websecure
-    - name: flux
-      port: 9001
-      protocol: TCP
-      targetPort: 9001
-    - name: rancher
-      port: 9442
-      protocol: TCP
-      targetPort: 9442