Fix Rancher: remove conflicting LoadBalancer, add HTTPS port-forward, use tailscale serve only

ansible/roles/private-access/tasks/main.yml

@@ -35,18 +35,30 @@
     unit_local_port: 19001
     unit_remote_port: 9001
 
-- name: Create systemd unit for Rancher private access
+- name: Create systemd unit for Rancher HTTP private access
   template:
     src: kubectl-port-forward.service.j2
     dest: /etc/systemd/system/k8s-portforward-rancher.service
     mode: "0644"
   vars:
-    unit_description: Port-forward Rancher for Tailscale access
+    unit_description: Port-forward Rancher HTTP for Tailscale access
     unit_namespace: cattle-system
     unit_target: svc/cattle-system-rancher
     unit_local_port: 19442
     unit_remote_port: 80
 
+- name: Create systemd unit for Rancher HTTPS private access
+  template:
+    src: kubectl-port-forward.service.j2
+    dest: /etc/systemd/system/k8s-portforward-rancher-https.service
+    mode: "0644"
+  vars:
+    unit_description: Port-forward Rancher HTTPS for Tailscale access
+    unit_namespace: cattle-system
+    unit_target: svc/cattle-system-rancher
+    unit_local_port: 19443
+    unit_remote_port: 443
+
 - name: Reload systemd
   systemd:
     daemon_reload: true
@@ -61,6 +73,7 @@
     - k8s-portforward-prometheus.service
     - k8s-portforward-flux-ui.service
     - k8s-portforward-rancher.service
+    - k8s-portforward-rancher-https.service
 
 - name: Configure Tailscale Serve for private access endpoints
   shell: >-
@@ -68,5 +81,6 @@
     tailscale serve --bg --tcp={{ private_access_grafana_port }} tcp://127.0.0.1:13080 &&
     tailscale serve --bg --tcp={{ private_access_prometheus_port }} tcp://127.0.0.1:19090 &&
     tailscale serve --bg --tcp={{ private_access_flux_port }} tcp://127.0.0.1:19001 &&
-    tailscale serve --bg --tcp={{ private_access_rancher_port }} tcp://127.0.0.1:19442
+    tailscale serve --bg --tcp={{ private_access_rancher_port }} tcp://127.0.0.1:19442 &&
+    tailscale serve --bg --tcp=9443 tcp://127.0.0.1:19443
   changed_when: true

infrastructure/addons/rancher/helmrelease-rancher.yaml

@@ -22,11 +22,9 @@ spec:
     remediation:
       retries: 3
   values:
-    hostname: k8s-cluster-cp-1.silverside-gopher.ts.net
+    hostname: k8s-cluster-cp-1-1.silverside-gopher.ts.net
     tls: external
     replicas: 1
-    bootstrapPassword: ""
-    existingSecret: rancher-bootstrap-password
     extraEnv:
       - name: CATTLE_PROMETHEUS_METRICS
         value: "true"

infrastructure/addons/rancher/kustomization.yaml

@@ -4,5 +4,4 @@ resources:
   - namespace.yaml
   - helmrepository-rancher.yaml
   - helmrelease-rancher.yaml
-  - service-rancher-tailscale.yaml
   - rancher-bootstrap-password-externalsecret.yaml

infrastructure/addons/rancher/service-rancher-tailscale.yaml

@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: rancher-tailscale
-  namespace: cattle-system
-  annotations:
-    tailscale.com/hostname: k8s-cluster-cp-1-rancher
-    tailscale.com/proxy-class: infra-stable
-spec:
-  type: LoadBalancer
-  loadBalancerClass: tailscale
-  selector:
-    app: cattle-system-rancher
-  ports:
-    - name: https
-      port: 443
-      protocol: TCP
-      targetPort: 444