fix: harden Tailscale operator rollout with preflight and diagnostics

2026-03-02 21:39:47 +00:00
parent f6e159406a
commit 63247b79a6
5 changed files with 70 additions and 11 deletions
--- a/ansible/roles/tailscale-operator/tasks/main.yml
+++ b/ansible/roles/tailscale-operator/tasks/main.yml
@@ -1,4 +1,18 @@
 ---
+- name: Determine if Tailscale operator is enabled
+  set_fact:
+    tailscale_operator_enabled: "{{ (tailscale_oauth_client_id | default('') | length) > 0 and (tailscale_oauth_client_secret | default('') | length) > 0 }}"
+  changed_when: false
+
+- name: Skip Tailscale operator when OAuth credentials are missing
+  debug:
+    msg: "Skipping Tailscale Kubernetes Operator: set TAILSCALE_OAUTH_CLIENT_ID and TAILSCALE_OAUTH_CLIENT_SECRET to enable it."
+  when: not tailscale_operator_enabled
+
+- name: End Tailscale operator role when disabled
+  meta: end_host
+  when: not tailscale_operator_enabled
+
 - name: Check if Helm is installed
  command: helm version --short
  register: helm_check
@@ -32,6 +46,15 @@
    dest: /tmp/tailscale-operator-values.yaml
    mode: "0644"

+- name: Create or update Tailscale operator OAuth secret
+  shell: >-
+    kubectl -n {{ tailscale_operator_namespace }} create secret generic operator-oauth
+    --from-literal=client_id='{{ tailscale_oauth_client_id }}'
+    --from-literal=client_secret='{{ tailscale_oauth_client_secret }}'
+    --dry-run=client -o yaml | kubectl apply -f -
+  register: oauth_secret_result
+  changed_when: "'created' in oauth_secret_result.stdout or 'configured' in oauth_secret_result.stdout"
+
 - name: Install Tailscale Kubernetes Operator
  command: >-
    helm upgrade --install tailscale-operator tailscale/tailscale-operator
@@ -39,9 +62,39 @@
    --version {{ tailscale_operator_version }}
    --values /tmp/tailscale-operator-values.yaml
    --wait
-    --timeout 5m
+    --timeout 10m
+  register: tailscale_install
+  failed_when: false
  changed_when: true

- name: Wait for Tailscale operator to be ready
-  command: kubectl -n {{ tailscale_operator_namespace }} rollout status deployment/tailscale-operator --timeout=5m
+- name: Show Tailscale operator pods on install failure
+  command: kubectl -n {{ tailscale_operator_namespace }} get pods -o wide
+  register: tailscale_pods
+  changed_when: false
+  failed_when: false
+  when: tailscale_install.rc != 0
+
+- name: Show Tailscale operator events on install failure
+  command: kubectl -n {{ tailscale_operator_namespace }} get events --sort-by=.lastTimestamp
+  register: tailscale_events
+  changed_when: false
+  failed_when: false
+  when: tailscale_install.rc != 0
+
+- name: Fail with Tailscale operator diagnostics
+  fail:
+    msg: |
+      Tailscale operator install failed.
+      Helm stderr:
+      {{ tailscale_install.stderr | default('') }}
+
+      Pods:
+      {{ tailscale_pods.stdout | default('n/a') }}
+
+      Events:
+      {{ tailscale_events.stdout | default('n/a') }}
+  when: tailscale_install.rc != 0
+
+- name: Wait for Tailscale operator to be ready
+  command: kubectl -n {{ tailscale_operator_namespace }} rollout status deployment/operator --timeout=5m
  changed_when: false