tailscale-operator OAuth token 401, new ts-proxies don't provision #42
Labels
No labels
burndown-2026-06
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/infrastructure#42
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally filed by @coilysiren on 2026-05-20T06:16:12Z - https://github.com/coilysiren/infrastructure/issues/198
The tailscale operator on kai-server is failing to provision new ts-proxies. Every reconcile against a Service with
tailscale.com/expose: "true"returns 401 Unauthorized fromapi.tailscale.com/api/v2/tailnet/-/keys:Surfaced today while bootstrapping repo-recall: the Deployment is
2/2 Running, the Service has the right annotations, but no ts-proxy stands up in thetailscalenamespace.The operator is also failing for
default/null-service, so the token is invalid org-wide, not specific to repo-recall. Pre-existing exposures (forgejo, coilysiren-backend, galaxy-gen, eco-mcp-app, eco-spec-tracker) keep working because their tailnet keys were provisioned earlier and persisted as Secrets.Operator Secret is presumably the OAuth client credentials managed by
terraform/tailscale-oidc/(or similar). Rotate / re-create, then bounce the operator. Anything new that wants tailnet exposure is blocked until this lands.