tailscale-operator OAuth token 401, new ts-proxies don't provision #42

Closed
opened 2026-05-23 20:54:32 +00:00 by coilysiren · 0 comments
Owner

Originally filed by @coilysiren on 2026-05-20T06:16:12Z - https://github.com/coilysiren/infrastructure/issues/198

The tailscale operator on kai-server is failing to provision new ts-proxies. Every reconcile against a Service with tailscale.com/expose: "true" returns 401 Unauthorized from api.tailscale.com/api/v2/tailnet/-/keys:

failed to provision: failed to create or get API key secret:
Post "https://api.tailscale.com/api/v2/tailnet/-/keys":
oauth2: cannot fetch token: 401 Unauthorized
Response: {"message":"API token invalid"}

Surfaced today while bootstrapping repo-recall: the Deployment is 2/2 Running, the Service has the right annotations, but no ts-proxy stands up in the tailscale namespace.

The operator is also failing for default/null-service, so the token is invalid org-wide, not specific to repo-recall. Pre-existing exposures (forgejo, coilysiren-backend, galaxy-gen, eco-mcp-app, eco-spec-tracker) keep working because their tailnet keys were provisioned earlier and persisted as Secrets.

Operator Secret is presumably the OAuth client credentials managed by terraform/tailscale-oidc/ (or similar). Rotate / re-create, then bounce the operator. Anything new that wants tailnet exposure is blocked until this lands.

_Originally filed by @coilysiren on 2026-05-20T06:16:12Z - [https://github.com/coilysiren/infrastructure/issues/198](https://github.com/coilysiren/infrastructure/issues/198)_ The tailscale operator on kai-server is failing to provision new ts-proxies. Every reconcile against a Service with `tailscale.com/expose: "true"` returns 401 Unauthorized from `api.tailscale.com/api/v2/tailnet/-/keys`: ``` failed to provision: failed to create or get API key secret: Post "https://api.tailscale.com/api/v2/tailnet/-/keys": oauth2: cannot fetch token: 401 Unauthorized Response: {"message":"API token invalid"} ``` Surfaced today while bootstrapping repo-recall: the Deployment is `2/2 Running`, the Service has the right annotations, but no ts-proxy stands up in the `tailscale` namespace. The operator is also failing for `default/null-service`, so the token is invalid org-wide, not specific to repo-recall. Pre-existing exposures (forgejo, coilysiren-backend, galaxy-gen, eco-mcp-app, eco-spec-tracker) keep working because their tailnet keys were provisioned earlier and persisted as Secrets. Operator Secret is presumably the OAuth client credentials managed by `terraform/tailscale-oidc/` (or similar). Rotate / re-create, then bounce the operator. Anything new that wants tailnet exposure is blocked until this lands.
coilysiren added
P1
and removed
P2
labels 2026-06-17 08:40:35 +00:00
Sign in to join this conversation.
No description provided.