Give Terraform CI tailnet access for the Proxmox provider

The bpg/proxmox provider has to reach london-a's API and node, which only
live on the tailnet, during plan and apply. Add a setup-tailnet composite
action (Tailscale via the CI OAuth client + the deploy SSH key in an agent)
and use it in the terraform plan/apply and validate workflows. Pin the
provider's node SSH address to london-a's Tailscale IP so it isn't reached
via the API-reported LAN address.
This commit is contained in:
Rasmus Wejlgaard 2026-06-21 18:20:02 +01:00
parent 3e4297f3d6
commit d2ec024e6a
4 changed files with 66 additions and 0 deletions


@ -0,0 +1,35 @@
name: Set up tailnet + SSH
description: >-
Join Tailscale and load the deploy SSH key into an agent, so tofu's Proxmox
(bpg) provider can reach london-a's API and node over the tailnet.
inputs:
tailscale-client-id:
required: true
tailscale-audience:
required: true
ssh-private-key:
required: true
runs:
using: composite
steps:
- name: Set up Tailscale
uses: tailscale/github-action@v4
with:
oauth-client-id: ${{ inputs.tailscale-client-id }}
audience: ${{ inputs.tailscale-audience }}
tags: tag:ci
- name: Load SSH key into agent
shell: bash
run: |
mkdir -p ~/.ssh
echo "${{ inputs.ssh-private-key }}" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
# Persist the agent for later steps (bpg uses SSH_AUTH_SOCK).
echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> "$GITHUB_ENV"
echo "SSH_AGENT_PID=$SSH_AGENT_PID" >> "$GITHUB_ENV"
ssh-keyscan -H 100.122.180.98 >> ~/.ssh/known_hosts 2>/dev/null || true
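Review bot: The deploy key is spliced into the script text at `echo "${{ inputs.ssh-private-key }}" > ~/.ssh/id_ed25519` and then stays on disk as ~/.ssh/id_ed25519 for the rest of the job; pass it through `env:` and pipe it to `ssh-add -` so it is neither part of the rendered script nor written to the filesystem. The `ssh-keyscan -H 100.122.180.98 >> ~/.ssh/known_hosts 2>/dev/null || true` line records whatever key answers at run time and hides any failure, so it provides no host authenticity; if the provider's SSH client consults known_hosts (not verifiable from this hunk), take a pinned host-key entry as an action input instead, and if it does not, the line can simply go. The node address is also hard-coded twice in this commit (here and in the provider's new `node` block), so an input for it would keep the two from drifting.
```yaml
      - name: Load SSH key into agent
        shell: bash
        env:
          SSH_PRIVATE_KEY: ${{ inputs.ssh-private-key }}
        run: |
          eval "$(ssh-agent -s)"
          printf '%s\n' "$SSH_PRIVATE_KEY" | ssh-add -
          # … unchanged: persist SSH_AUTH_SOCK / SSH_AGENT_PID into $GITHUB_ENV …
```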


@ -34,6 +34,14 @@ jobs:
- name: Set backend credentials - name: Set backend credentials
uses: ./.github/actions/tofu-backend-creds uses: ./.github/actions/tofu-backend-creds
# Proxmox (bpg) provider reaches london-a over the tailnet.
- name: Set up tailnet + SSH
uses: ./.github/actions/setup-tailnet
with:
tailscale-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }}
tailscale-audience: ${{ secrets.TAILSCALE_AUDIENCE }}
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- name: tofu init - name: tofu init
working-directory: terraform/ working-directory: terraform/
run: tofu init run: tofu init
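Review bot: The new `Set up tailnet + SSH` step runs unconditionally here and in the second hunk of this file, while the validate workflow guards the identical step with `if: github.actor != 'dependabot[bot]'`; if any trigger of these jobs can fire for dependabot, the three `secrets.*` references resolve empty and the Tailscale action fails the job before `tofu init`. Either add the same guard to both steps or, if these jobs only run on push or manual dispatch (the trigger is outside the hunk), a one-line comment such as `# No dependabot guard: this job is never PR-triggered.` would settle it for the next reader. The enclosing jobs start before each hunk.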
@ -69,6 +77,14 @@ jobs:
- name: Set backend credentials - name: Set backend credentials
uses: ./.github/actions/tofu-backend-creds uses: ./.github/actions/tofu-backend-creds
# Proxmox (bpg) provider reaches london-a over the tailnet.
- name: Set up tailnet + SSH
uses: ./.github/actions/setup-tailnet
with:
tailscale-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }}
tailscale-audience: ${{ secrets.TAILSCALE_AUDIENCE }}
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- name: tofu init - name: tofu init
working-directory: terraform/ working-directory: terraform/
run: tofu init run: tofu init


@ -61,6 +61,15 @@ jobs:
if: github.actor != 'dependabot[bot]' if: github.actor != 'dependabot[bot]'
uses: ./.github/actions/tofu-backend-creds uses: ./.github/actions/tofu-backend-creds
# Proxmox (bpg) provider reaches london-a over the tailnet during plan.
- name: Set up tailnet + SSH
if: github.actor != 'dependabot[bot]'
uses: ./.github/actions/setup-tailnet
with:
tailscale-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }}
tailscale-audience: ${{ secrets.TAILSCALE_AUDIENCE }}
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- name: tofu init - name: tofu init
if: github.actor != 'dependabot[bot]' if: github.actor != 'dependabot[bot]'
working-directory: terraform/ working-directory: terraform/
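Review bot: This step gives a plan run both tailnet reachability and an agent holding a root SSH key for london-a; if the workflow is triggered by pull requests (the dependabot guard suggests it, but the trigger is outside the hunk), any branch's Terraform changes execute with that reach during plan. Consider binding the tailnet/SSH step to a protected `environment:` or to trusted refs, and scoping the deploy key to a user that can only upload snippets rather than root. The enclosing job starts before the hunk.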


@ -60,8 +60,14 @@ provider "proxmox" {
insecure = true # self-signed PVE cert insecure = true # self-signed PVE cert
# Uploading the cloud-init snippet needs node-level access; SSH to root@london-a. # Uploading the cloud-init snippet needs node-level access; SSH to root@london-a.
# Pin the node's SSH address to its Tailscale IP (the API-reported LAN IP isn't
# reachable from CI runners on the tailnet).
ssh { ssh {
agent = true agent = true
username = "root" username = "root"
node {
name = "london-a"
address = "100.122.180.98"
}
} }
} }
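Review bot: The Tailscale address is a bare literal at `address = "100.122.180.98"` and the same value appears in the new composite action's keyscan line; hoist it into a variable or local (for example `address = var.london_a_tailscale_ip`, name constructed here) so the two cannot drift, with a description stating it must be the node's Tailscale IP rather than the API-reported LAN address, which the comment above the `ssh` block already explains. A MagicDNS name might read better than the IP, but whether the runner resolves it is not visible in this hunk, so the IP is the safer choice until that is confirmed. The provider block starts before the hunk.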