Switch to Tailscale OAuth key #2045
Replace the Tailscale API key in traefik.yml with a freshly minted one so that the new Celery VM can connect to Tailscale and the Flower dashboard becomes available. Note: Tailscale auth keys are valid for a max of 90 days. After this period, the host will not disconnect itself from the network, but the key won't be valid to connect new hosts to the network.
Rather than using a Tailscale Auth key (which is valid for a maximum of 90 days) to connect the Celery VM to Tailscale so that the Flower dashboard becomes available, use an OAuth key (which is indefinitely valid). Tailscale requires assigning tags when connecting via OAuth: define the `galaxy` tag so that any node where the Tailscale role runs is assigned this tag when it connects to the Tailscale network. Connect every node as an ephemeral host, so that they are dynamically added to and removed from the Tailscale network.
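The description above relies on three Tailscale behaviours that the role hides: an OAuth client secret is accepted by `tailscale up` in place of an auth key, join options such as `ephemeral=true` and `preauthorized=true` are appended to that secret as a query string, and an OAuth join must advertise at least one tag that the tailnet ACL's `tagOwners` grants to the client. The shell functions below are an added example, not code from this PR or from the artis3n.tailscale role; they build and sanity-check the underlying `tailscale up` invocation so the join can be reproduced by hand on a host before trusting the automation. The key prefixes (`tskey-auth-`, `tskey-client-`, `tskey-api-`) are Tailscale's own naming; the secret value used in the demo at the bottom is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example (not the PR's or the role's code): compose and check the
# `tailscale up` arguments for an OAuth-client join with tags and ephemeral mode.
set -euo pipefail

# Classify a Tailscale key by its prefix so an expiring auth key is never
# mistaken for an OAuth client secret (auth keys last at most 90 days).
tailscale_key_kind() {
  case "$1" in
    tskey-auth-*)   echo auth ;;
    tskey-client-*) echo oauth ;;
    tskey-api-*)    echo api ;;
    *)              echo unknown ;;
  esac
}

# Build the `tailscale up` argument list for an OAuth-client join.
#   $1 = OAuth client secret (tskey-client-...)
#   $2 = comma-separated tags to advertise, e.g. tag:galaxy
#   $3 = ephemeral flag, default true (node is removed when it goes offline)
# Tailscale reads join options from a query string appended to the key;
# preauthorized=true only matters on tailnets that require device approval.
tailscale_up_args() {
  local key="$1" tags="$2" ephemeral="${3:-true}"
  local kind
  kind=$(tailscale_key_kind "$key")
  if [ "$kind" != oauth ]; then
    echo "refusing: expected an OAuth client secret (tskey-client-*), got a '$kind' key" >&2
    return 1
  fi
  if [ -z "$tags" ]; then
    echo "refusing: OAuth joins must advertise at least one tag" >&2
    return 1
  fi
  printf 'up --auth-key=%s?ephemeral=%s&preauthorized=true --advertise-tags=%s\n' \
    "$key" "$ephemeral" "$tags"
}

# Demo with a constructed placeholder secret; on a real host the output is the
# argument list to hand to `sudo tailscale` (see usage note).
tailscale_up_args "${TS_OAUTH_SECRET:-tskey-client-EXAMPLE-placeholder}" "tag:galaxy"
```

To perform the join on a host, run `sudo tailscale $(tailscale_up_args "$TS_OAUTH_SECRET" tag:galaxy)`; the function refuses a `tskey-auth-` key so the 90-day expiry problem the PR is fixing cannot be reintroduced by pasting the wrong secret. The `tag:galaxy` tag must exist under `tagOwners` in the tailnet ACL and be granted to the OAuth client when the client is created, otherwise the join is rejected.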
@gsaudade99 I will try this out manually before merging it.
Cool, this looks really nice. I would also update the outdated role (it is now a collection) if you are already hands-on with it... I also understand if not, since we would need to make sure that the traefik-proxy playbook also runs...
Upgrade here #2047. |
@gsaudade99 Would you mind reviewing again? 6fb89fd makes the use of the OAuth key global. The idea is that anything we connect to the tailnet will use this key (and will be tagged with the
Extend the scope of the Tailscale OAuth key to the whole infrastructure rather than just Celery.
gsaudade99 left a comment
The rest of the setup looks good
| @@ -0,0 +1,10 @@ | |||
| $ANSIBLE_VAULT;1.1;AES256 | |||
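Review bot: the new file is vault-encrypted in its entirety, so the variable names it introduces are invisible in this diff and to grep once merged; state in the PR (or in a plaintext companion vars file that references the encrypted values) which variables it defines, and confirm it is encrypted with the same vault password the playbooks already use, because a file under group_vars/ is loaded automatically, as the discussion below notes, and one that cannot be decrypted fails every play on that group.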
Should we move this to secret_group_vars directory?
Files in the group_vars/ directory are automatically discovered by Ansible. It is thus then not necessary to include those files under vars_files: in the playbooks and they follow the variable precedence rules.
Files in the folder secret_group_vars are not automatically discovered nor managed by Ansible; they have to be explicitly included under vars_files: in the playbooks, and they do not allow exploiting the variable precedence rules to override values (they belong to level 14).
| roles: | ||
| - geerlingguy.repo-epel | ||
| # - artis3n.tailscale # broken (invalid API key) | ||
| - role: artis3n.tailscale |
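Review bot: the stale `# - artis3n.tailscale # broken (invalid API key)` line directly above `- role: artis3n.tailscale` should be dropped now that the role is re-enabled with the OAuth key; a "broken" marker next to the working entry will mislead the next reader, and if #2047 lands first this entry needs the collection's fully qualified role name instead.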
Change this to match the collection.
The import of group_vars/tailscale.yml is also missing.
Variables under group_vars/ do not need to be imported #2045 (comment). For the collection I have created the other, independent PR #2047.
Supersedes #2044.