Retired tailscale-operator still deployed with a dead OAuth token #30
Labels
No labels
burndown-2026-06
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/infrastructure#30
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally filed by @coilysiren on 2026-05-22T08:21:09Z - https://github.com/coilysiren/infrastructure/issues/238
The tailscale-operator helm release was retired in favor of per-pod ts sidecars (see
terraform/tailscale-oidc/main.tfandterraform/tailscale-devices/), but the operator Deployment is still running in thetailscalenamespace on kai-server.Its
operator-oauthsecret holds an expired OAuth client. Any Service annotatedtailscale.com/exposenow fails reconcile with401 Unauthorized: API token invalid. Stale proxies (coilysiren-backend-service,forgejo,vmsingle) have already gone offline because the operator can no longer re-mint their keys.Action
tailscale-operatorhelm release.ts-*proxy StatefulSets and theoperator/operator-oauthsecrets in thetailscalenamespace.docs/architecture.md- it still draws the operator in the backend data path; the current pattern is the in-pod ts sidecar.Surfaced while adding a ClusterIP for desktop DB-client access in coilysiren/backend#79.
Backlog burndown 2026-06-17: closing low-priority (P3/P4) to bring the open count to a manageable level. Nothing lost — reopen if this resurfaces. Batch tag:
burndown-2026-06.