From 68dbd2e5b72c1a0fe2f481b3e6a2e4a9be73285c Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Sat, 18 Apr 2026 05:48:26 +0000
Subject: [PATCH] fix: Reserve Tailscale service hostnames and tag exposed proxies

Reserve grafana/prometheus/flux alongside rancher during rebuild cleanup so stale tailnet devices do not force -1 hostnames. Tag the exposed Tailscale services so operator-managed proxies are provisioned with explicit prod/service tags from the tailnet policy.
---
 ansible/site.yml | 3 +++
 infrastructure/addons/flux-ui/flux-tailscale-service.yaml | 1 +
 .../addons/observability/grafana-tailscale-service.yaml | 1 +
 .../addons/observability/prometheus-tailscale-service.yaml | 1 +
 infrastructure/addons/rancher/rancher-tailscale-service.yaml | 1 +
 5 files changed, 7 insertions(+)

diff --git a/ansible/site.yml b/ansible/site.yml
index bc83025..9dc5c25 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -122,6 +122,9 @@
 vars:
 tailscale_reserved_hostnames:
 - rancher
+ - grafana
+ - prometheus
+ - flux
 roles:
 - tailscale-cleanup
diff --git a/infrastructure/addons/flux-ui/flux-tailscale-service.yaml b/infrastructure/addons/flux-ui/flux-tailscale-service.yaml
index c1e3fe5..886fea7 100644
--- a/infrastructure/addons/flux-ui/flux-tailscale-service.yaml
+++ b/infrastructure/addons/flux-ui/flux-tailscale-service.yaml
@@ -5,6 +5,7 @@ metadata:
 namespace: flux-system
 annotations:
 tailscale.com/hostname: flux
+ tailscale.com/tags: "tag:prod,tag:flux"
 tailscale.com/proxy-class: infra-stable
 spec:
 type: LoadBalancer
diff --git a/infrastructure/addons/observability/grafana-tailscale-service.yaml b/infrastructure/addons/observability/grafana-tailscale-service.yaml
index 9ab48d4..7f3d63b 100644
--- a/infrastructure/addons/observability/grafana-tailscale-service.yaml
+++ b/infrastructure/addons/observability/grafana-tailscale-service.yaml
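Review bot: The `tailscale_reserved_hostnames` list in the site.yml hunk now has to be kept in step by hand with the `tailscale.com/hostname` annotations of the four Services under infrastructure/addons, and nothing in the hunk records that coupling. A comment above the list such as `# Must mirror the tailscale.com/hostname annotations of the exposed Services; a name missing here is not cleaned up and a stale device forces a -1 suffix on rebuild.` would make the dependency visible to whoever adds the next proxy. If the tailscale-cleanup role removes tailnet devices by hostname alone, an unrelated device that happens to be registered under one of these names would be removed as well, so it is worth confirming that the role narrows its match to operator-managed devices; the role itself is outside this hunk. The enclosing play continues outside the hunk.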
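Review bot: The added `tailscale.com/tags: "tag:prod,tag:flux"` annotation only takes effect if the tailnet policy's `tagOwners` lets the operator's own tag own both `tag:prod` and `tag:flux`; otherwise the proxy device cannot register and the Service is left without its tailnet ingress, so the policy change needs to land before or with this commit. The same check applies to the grafana, prometheus and rancher hunks. Sharing `tag:prod` across all four proxies also means every ACL grant written against `tag:prod` now reaches each of these admin UIs, so the grants for that tag should be reviewed for least privilege rather than assumed to be service-specific. If the operator reads this annotation only when a proxy is first created, already-running proxies would keep their current tags until they are recreated — worth confirming against the operator version in use, since the cleanup role this commit also touches exists for exactly that rebuild path.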
@@ -5,6 +5,7 @@ metadata:
 namespace: observability
 annotations:
 tailscale.com/hostname: grafana
+ tailscale.com/tags: "tag:prod,tag:grafana"
 tailscale.com/proxy-class: infra-stable
 spec:
 type: LoadBalancer
diff --git a/infrastructure/addons/observability/prometheus-tailscale-service.yaml b/infrastructure/addons/observability/prometheus-tailscale-service.yaml
index 3e641f3..b9ac908 100644
--- a/infrastructure/addons/observability/prometheus-tailscale-service.yaml
+++ b/infrastructure/addons/observability/prometheus-tailscale-service.yaml
@@ -5,6 +5,7 @@ metadata:
 namespace: observability
 annotations:
 tailscale.com/hostname: prometheus
+ tailscale.com/tags: "tag:prod,tag:prometheus"
 tailscale.com/proxy-class: infra-stable
 spec:
 type: LoadBalancer
diff --git a/infrastructure/addons/rancher/rancher-tailscale-service.yaml b/infrastructure/addons/rancher/rancher-tailscale-service.yaml
index 7cda20e..5b6f764 100644
--- a/infrastructure/addons/rancher/rancher-tailscale-service.yaml
+++ b/infrastructure/addons/rancher/rancher-tailscale-service.yaml
@@ -5,6 +5,7 @@ metadata:
 namespace: cattle-system
 annotations:
 tailscale.com/hostname: rancher
+ tailscale.com/tags: "tag:prod,tag:rancher"
 tailscale.com/proxy-class: infra-stable
 spec:
 type: LoadBalancer