Auto-approve container bridge subnet route for CI runners #27

Merged
AlexCaswen merged 2 commits from ci-container-subnet-route into main 2026-05-07 06:12:13 +00:00
AlexCaswen commented 2026-05-07 06:06:30 +00:00 (Migrated from gitlab.com)

What

Enables the container bridge subnet (10.121.25.0/24) as a Tailscale subnet route, allowing CI runners and other tailnet devices to reach containers directly.

Fixes the context deadline exceeded error in !26 where CI runners couldn't reach local Grafana at 10.121.25.50:3000.

Changes

acl.hujson:

  • Add 10.121.25.0/24 to autoApprovers.routes for tag:m3

incus.tf:

  • Add data.tailscale_device.m3_incus_os to look up the IncusOS host
  • Add tailscale_device_subnet_routes.container_bridge to approve 10.121.25.0/24

Device-side requirement

The Tailscale provider can only approve routes — the device must advertise them. Ensure the IncusOS host is configured to advertise:

tailscale set --advertise-routes=10.121.25.0/24

Once advertised, the autoApprovers ACL and tailscale_device_subnet_routes resource both ensure approval.

Security

Only tag:m3 devices can advertise this route. The tag:ci grant already allows CI to reach tag:m3 on all ports — this just makes the container IPs routable.

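The description above leans on three policy properties: the route is auto-approved for tag:m3 and nothing else, tag:m3 is an owned tag, and tag:ci can actually reach the routed addresses. As an added example (not code from the m3-infra repo, the MR, or Tailscale), here is a small Python linter that loads an acl.hujson policy and checks those three properties. The two policies embedded in it are constructed for this example, not the repo's acl.hujson. The third check deliberately looks for a grant whose dst is the subnet CIDR (or a range covering it), because a grant whose dst is tag:m3 matches the router's own Tailscale addresses, not the 10.121.25.0/24 addresses it routes; a policy that passes only through the tag:m3 grant is reported.

```python
"""Lint a Tailscale acl.hujson policy for a subnet-route setup.

Checks (all names/CIDRs are passed in, defaults below mirror the MR):
  1. the CIDR is in autoApprovers.routes for exactly the router tag
  2. the router tag has a tagOwners entry
  3. the client tag has a grant whose dst covers the CIDR itself
Example code; policies below are constructed, not the repo's acl.hujson.
"""
import ipaddress
import json
import re

# Constructed sample policy in HuJSON (JSON plus comments and trailing commas).
SAMPLE_POLICY = r'''
{
  // Who may apply each tag
  "tagOwners": {
    "tag:m3": ["autogroup:admin"],
    "tag:ci": ["autogroup:admin"],
  },
  "autoApprovers": {
    "routes": {
      "10.121.25.0/24": ["tag:m3"],
    },
  },
  "grants": [
    {"src": ["tag:ci"], "dst": ["tag:m3"], "ip": ["*"]},
    {"src": ["tag:ci"], "dst": ["10.121.25.0/24"], "ip": ["*"]},
  ],
}
'''

# Constructed weak policy: route approvable by tag:ci too, and no grant to the subnet.
WEAK_POLICY = r'''
{
  "tagOwners": {"tag:m3": ["autogroup:admin"], "tag:ci": ["autogroup:admin"]},
  "autoApprovers": {"routes": {"10.121.25.0/24": ["tag:m3", "tag:ci"]}}, /* too broad */
  "grants": [{"src": ["tag:ci"], "dst": ["tag:m3"], "ip": ["*"]}],
}
'''


def hujson_to_json(text: str) -> str:
    """Strip // and /* */ comments and trailing commas so json.loads accepts it.
    String literals are copied verbatim so '//' inside a URL is untouched."""
    out, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == '\\' else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith('//', i):
            i = text.find('\n', i)
            i = n if i < 0 else i          # keep the newline itself
        elif text.startswith('/*', i):
            j = text.find('*/', i + 2)
            i = n if j < 0 else j + 2
        else:
            out.append(c)
            i += 1
    return re.sub(r',(\s*[}\]])', r'\1', ''.join(out))


def _dst_covers(dst: str, net: ipaddress._BaseNetwork) -> bool:
    """True if a grant/ACL dst entry is '*' or an IP range containing net.
    Tags and groups are not ranges, so they never cover a routed subnet."""
    if dst == "*":
        return True
    addr = dst.rsplit(":", 1)[0] if re.search(r":(\*|\d+)$", dst) else dst
    try:
        return net.subnet_of(ipaddress.ip_network(addr, strict=False))
    except (ValueError, TypeError):
        return False


def check_subnet_route_policy(policy_text: str, cidr: str,
                              router_tag: str, client_tag: str) -> list:
    """Return a list of findings; an empty list means the policy matches intent."""
    pol = json.loads(hujson_to_json(policy_text))
    findings = []
    approvers = pol.get("autoApprovers", {}).get("routes", {}).get(cidr)
    if approvers is None:
        findings.append(f"no autoApprovers entry for {cidr}")
    elif approvers != [router_tag]:
        findings.append(f"{cidr} auto-approved for {approvers}, expected only {router_tag}")
    if router_tag not in pol.get("tagOwners", {}):
        findings.append(f"{router_tag} has no tagOwners entry")
    net = ipaddress.ip_network(cidr)
    reaches_subnet = any(
        client_tag in g.get("src", []) and any(_dst_covers(d, net) for d in g.get("dst", []))
        for g in pol.get("grants", []))
    if not reaches_subnet:
        findings.append(f"no grant lets {client_tag} reach {cidr}; a dst of {router_tag} "
                        "covers only the router's own Tailscale addresses")
    return findings


if __name__ == "__main__":
    for name, pol in (("sample", SAMPLE_POLICY), ("weak", WEAK_POLICY)):
        result = check_subnet_route_policy(pol, "10.121.25.0/24", "tag:m3", "tag:ci")
        print(name, "OK" if not result else result)
```

Run it against the real acl.hujson by reading the file into `check_subnet_route_policy`; running it in CI before `terraform apply` catches a route that becomes approvable for an extra tag, or a grant that reaches the router but not the containers behind it.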
AlexCaswen commented 2026-05-07 06:09:08 +00:00 (Migrated from gitlab.com)

added 1 commit

  • d4656ad3 - Add Tailscale subnet route approval for container bridge

Compare with previous version: /AlexCaswen/m3-infra/-/merge_requests/27/diffs?diff_id=1787073760&start_sha=64a31a19b13c2923ce0d4770c971f2b57b2b4360
AlexCaswen commented 2026-05-07 06:09:24 +00:00 (Migrated from gitlab.com)

changed the description

AlexCaswen (Migrated from gitlab.com) merged commit 6e04469e93 into main 2026-05-07 06:12:13 +00:00
AlexCaswen commented 2026-05-07 06:12:15 +00:00 (Migrated from gitlab.com)

mentioned in commit 6e04469e93442046c634d771649e6c5be415a965
Reference
midwitmoneymgmt/m3-infra!27