fix: harden Tailscale operator rollout with preflight and diagnostics

ansible/roles/tailscale-operator/defaults/main.yml

@@ -5,4 +5,5 @@ tailscale_operator_version: "1.95.91"
 tailscale_oauth_client_id: ""
 tailscale_oauth_client_secret: ""
 
-tailscale_operator_hostname: ""
+tailscale_operator_default_tags:
+  - "tag:k8s-operator"

ansible/roles/tailscale-operator/tasks/main.yml

@@ -1,4 +1,18 @@
 ---
+- name: Determine if Tailscale operator is enabled
+  set_fact:
+    tailscale_operator_enabled: "{{ (tailscale_oauth_client_id | default('') | length) > 0 and (tailscale_oauth_client_secret | default('') | length) > 0 }}"
+  changed_when: false
+
+- name: Skip Tailscale operator when OAuth credentials are missing
+  debug:
+    msg: "Skipping Tailscale Kubernetes Operator: set TAILSCALE_OAUTH_CLIENT_ID and TAILSCALE_OAUTH_CLIENT_SECRET to enable it."
+  when: not tailscale_operator_enabled
+
+- name: End Tailscale operator role when disabled
+  meta: end_host
+  when: not tailscale_operator_enabled
+
 - name: Check if Helm is installed
   command: helm version --short
   register: helm_check
@@ -32,6 +46,15 @@
     dest: /tmp/tailscale-operator-values.yaml
     mode: "0644"
 
+- name: Create or update Tailscale operator OAuth secret
+  shell: >-
+    kubectl -n {{ tailscale_operator_namespace }} create secret generic operator-oauth
+    --from-literal=client_id='{{ tailscale_oauth_client_id }}'
+    --from-literal=client_secret='{{ tailscale_oauth_client_secret }}'
+    --dry-run=client -o yaml | kubectl apply -f -
+  register: oauth_secret_result
+  changed_when: "'created' in oauth_secret_result.stdout or 'configured' in oauth_secret_result.stdout"
+
 - name: Install Tailscale Kubernetes Operator
   command: >-
     helm upgrade --install tailscale-operator tailscale/tailscale-operator
@@ -39,9 +62,39 @@
     --version {{ tailscale_operator_version }}
     --values /tmp/tailscale-operator-values.yaml
     --wait
-    --timeout 5m
+    --timeout 10m
+  register: tailscale_install
+  failed_when: false
   changed_when: true
 
-- name: Wait for Tailscale operator to be ready
-  command: kubectl -n {{ tailscale_operator_namespace }} rollout status deployment/tailscale-operator --timeout=5m
+- name: Show Tailscale operator pods on install failure
+  command: kubectl -n {{ tailscale_operator_namespace }} get pods -o wide
+  register: tailscale_pods
+  changed_when: false
+  failed_when: false
+  when: tailscale_install.rc != 0
+
+- name: Show Tailscale operator events on install failure
+  command: kubectl -n {{ tailscale_operator_namespace }} get events --sort-by=.lastTimestamp
+  register: tailscale_events
+  changed_when: false
+  failed_when: false
+  when: tailscale_install.rc != 0
+
+- name: Fail with Tailscale operator diagnostics
+  fail:
+    msg: |
+      Tailscale operator install failed.
+      Helm stderr:
+      {{ tailscale_install.stderr | default('') }}
+
+      Pods:
+      {{ tailscale_pods.stdout | default('n/a') }}
+
+      Events:
+      {{ tailscale_events.stdout | default('n/a') }}
+  when: tailscale_install.rc != 0
+
+- name: Wait for Tailscale operator to be ready
+  command: kubectl -n {{ tailscale_operator_namespace }} rollout status deployment/operator --timeout=5m
   changed_when: false

ansible/roles/tailscale-operator/templates/operator-values.yaml.j2

@@ -1,12 +1,10 @@
-oauth:
-  clientId: "{{ tailscale_oauth_client_id }}"
-  clientSecret: "{{ tailscale_oauth_client_secret }}"
-
 apiServerProxyConfig:
   mode: "true"
 
 operatorConfig:
   defaultTags:
-    - "tag:k8s-operator"
+{% for tag in tailscale_operator_default_tags %}
+    - "{{ tag }}"
+{% endfor %}
 
 installCRDs: true