samcday · samcday · May 1, 2026 · May 1, 2026 · May 1, 2026
diff --git a/apps/node-joiner/join.sh b/apps/node-joiner/join.sh
@@ -24,7 +24,7 @@ APISERVER_HOST=${APISERVER_URL%%:*}
 
 sshpass -p "$NODE_PASSWORD" ssh $SSH_OPTS "root@$NODE_IP" bash -s <<EOF
 exec 2>&1
-set -uxo pipefail
+set -euo pipefail
 # cloud-init exits 2 on "recoverable error" for cosmetic module warnings,
 # which Ubuntu 24.04 reliably trips. Treat any exit as "wait complete".
 cloud-init status --wait || true
@@ -38,5 +38,5 @@ tailscale up --accept-routes --login-server=${HEADSCALE_URL} --auth-key=${TS_AUT
 APISERVER_IP=\$(getent hosts ${APISERVER_HOST} | awk '{print \$1; exit}')
 echo "\${APISERVER_IP} ${APISERVER_HOST}" >> /etc/hosts
 
-kubeadm join ${APISERVER_URL} --token ${BOOTSTRAP_TOKEN} --discovery-token-ca-cert-hash sha256:${CA_HASH}
+kubeadm join ${APISERVER_URL} --node-name ${NODE_NAME} --token ${BOOTSTRAP_TOKEN} --discovery-token-ca-cert-hash sha256:${CA_HASH}
 EOF
diff --git a/charts/k8s-control-plane/templates/apiserver/advertise-address.yaml b/charts/k8s-control-plane/templates/apiserver/advertise-address.yaml
@@ -15,7 +15,13 @@ spec:
             - pipefail
             - -c
             - |
+              {{- if $.Values.externalHostname }}
+              until ip=$(getent ahostsv4 {{ $.Values.externalHostname | quote }} | awk '{print $1; exit}') && [[ -n "$ip" ]]; do
+                sleep 5
+              done
+              {{- else }}
               ip=$(kubectl get svc apiserver -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+              {{- end }}
               kubectl create configmap advertise-address --from-literal=value="$ip" --dry-run=client --output yaml \
                 | kubectl apply -f-
               kubectl patch cert apiserver --type merge -p "{\"spec\":{\"ipAddresses\":[\"$ip\",\"{{ $.Values.serviceIP }}\"]}}"

diff --git a/hub/cluster/cloud-cluster/edge-au-east-apiserver-proxy.yaml b/hub/cluster/cloud-cluster/edge-au-east-apiserver-proxy.yaml
@@ -0,0 +1,107 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: edge-au-east-apiserver-proxy
+  namespace: cloud-cluster
+spec:
+  chart:
+    spec:
+      chart: charts/resources
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: GitRepository
+        name: infra
+        namespace: flux-system
+  dependsOn:
+    - name: edge-foundation
+  driftDetection:
+    mode: enabled
+  interval: 1h
+  kubeConfig:
+    secretRef:
+      name: admin-kubeconfig
+  storageNamespace: edge
+  targetNamespace: edge
+  valuesFrom:
+    - kind: Secret
+      name: edge-au-east-apiserver-ts-auth
+      valuesKey: authkey
+      targetPath: apiserverTsAuth.stringData.authkey
+  values:
+    apiserverTsAuth:
+      kind: Secret
+      metadata:
+        name: apiserver-ts-auth
+      stringData:
+        authkey: ""
+    apiserverTsState:
+      kind: Secret
+      metadata:
+        name: apiserver-ts-state
+      type: Opaque
+    tsApiserverServiceAccount:
+      kind: ServiceAccount
+      metadata:
+        name: ts-apiserver
+    tsApiserverRole:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: Role
+      metadata:
+        name: ts-apiserver
+      rules:
+        - apiGroups: [""]
+          resourceNames: [apiserver-ts-state]
+          resources: [secrets]
+          verbs: [get, update, patch]
+    tsApiserverRoleBinding:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: RoleBinding
+      metadata:
+        name: ts-apiserver
+      roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: Role
+        name: ts-apiserver
+      subjects:
+        - kind: ServiceAccount
+          name: ts-apiserver
+    tsApiserver:
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: ts-apiserver
+      spec:
+        replicas: 1
+        strategy:
+          type: Recreate
+        selector:
+          matchLabels:
+            app: ts-apiserver
+        template:
+          metadata:
+            labels:
+              app: ts-apiserver
+          spec:
+            serviceAccountName: ts-apiserver
+            containers:
+              - name: tailscale
+                image: ghcr.io/tailscale/tailscale:v1.86.5
+                env:
+                  - name: TS_DEST_IP
+                    value: "172.27.23.43"
+                  - name: TS_EXTRA_ARGS
+                    value: --login-server=https://headscale.tail22d0a0.ts.net
+                  - name: TS_HOSTNAME
+                    value: edge-au-east-apiserver
+                  - name: TS_AUTHKEY
+                    valueFrom:
+                      secretKeyRef:
+                        name: apiserver-ts-auth
+                        key: authkey
+                  - name: TS_KUBE_SECRET
+                    value: apiserver-ts-state
+                  - name: TS_USERSPACE
+                    value: "false"
+                securityContext:
+                  capabilities:
+                    add: [NET_ADMIN]
diff --git a/hub/cluster/cloud-cluster/edge-au-east-control-plane-values.yaml b/hub/cluster/cloud-cluster/edge-au-east-control-plane-values.yaml
@@ -0,0 +1,47 @@
+apiServer:
+  service:
+    spec:
+      clusterIP: 172.27.23.43
+      type: ClusterIP
+bootstrapTokens:
+  - extraGroups: [system:bootstrappers:kubeadm:default-node-token]
+    # token ID+secret is set from HelmRelease spec.valuesFrom
+clusterCIDRs: [172.24.0.0/16]
+clusterDNS: [172.23.0.10]
+clusterName: edge-au-east
+etcd:
+  clientSecret:
+    create: false
+    name: au-east-apiserver-etcd-client
+  endpoints:
+    - https://etcd-0.etcd.etcd.svc:2379
+    - https://etcd-1.etcd.etcd.svc:2379
+    - https://etcd-2.etcd.etcd.svc:2379
+  prefix: /edge:au-east/
+externalHostname: edge-au-east-apiserver.tailnet.hub.samcday.com
+konnectivity:
+  agent:
+    image: registry.k8s.io/kas-network-proxy/proxy-agent:v0.34.0
+  server:
+    image: registry.k8s.io/kas-network-proxy/proxy-server:v0.34.0
+parentClusterDomain: cluster.local
+scheduler:
+  config:
+    profiles:
+      - pluginConfig:
+          - name: NodeResourcesFit
+            args:
+              scoringStrategy:
+                type: MostAllocated
+                resources:
+                  - name: cpu
+                    weight: 1
+                  - name: memory
+                    weight: 100
+  deployment:
+    spec:
+      replicas: 1
+      strategy:
+        type: Recreate
+serviceCIDRs: [172.23.0.0/16]
+serviceIP: 172.23.0.1
diff --git a/hub/cluster/cloud-cluster/edge-au-east-control-plane.yaml b/hub/cluster/cloud-cluster/edge-au-east-control-plane.yaml
@@ -0,0 +1,37 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: edge-au-east-control-plane
+  namespace: cloud-cluster
+spec:
+  chart:
+    spec:
+      chart: charts/k8s-control-plane
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: GitRepository
+        name: infra
+        namespace: flux-system
+  dependsOn:
+    - name: edge-foundation
+  interval: 1h
+  kubeConfig:
+    secretRef:
+      name: admin-kubeconfig
+  storageNamespace: edge
+  targetNamespace: edge
+  upgrade:
+    # Jobs in this chart have ttlSecondsAfterFinished and get GC'd between chart
+    # upgrades; force recreates missing resources instead of failing to patch.
+    force: true
+  valuesFrom:
+    - kind: ConfigMap
+      name: edge-au-east-control-plane-values
+    - kind: Secret
+      name: edge-au-east-node-bootstrap-token
+      valuesKey: id
+      targetPath: bootstrapTokens[0].id
+    - kind: Secret
+      name: edge-au-east-node-bootstrap-token
+      valuesKey: secret
+      targetPath: bootstrapTokens[0].secret
diff --git a/hub/cluster/cloud-cluster/edge-au-east-node-bootstrap-token.yaml b/hub/cluster/cloud-cluster/edge-au-east-node-bootstrap-token.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: edge-au-east-node-bootstrap-token
+    namespace: cloud-cluster
+stringData:
+    id: ENC[AES256_GCM,data:+ZyXTr0S,iv:1MeaBsV9vSi4bjup9TNJIsEHg/F9XbhVG7Kd6/Z7Ubw=,tag:JlF9SQvB2IYAQ8szaK2LvA==,type:str]
+    secret: ENC[AES256_GCM,data:sd2haB4qgp9zcwGoWRI9lQ==,iv:9rWQDn7ewiJjHIezzvfRqQhI6oWX1JdVF2RPO8WWGQE=,tag:ef+4FOAeWLON3VCF8vK34Q==,type:str]
+    token: ENC[AES256_GCM,data:GmNgZHQo6cS7I5713AWiIkukMvwHaoY=,iv:plflI1eitJpsRPws3obYW26uESysAG//AI/+wLdPoo8=,tag:xsPte2NtBT/EIVaZS70IaA==,type:str]
+sops:
+    age:
+        - recipient: age1tu8l2llfk32g0c4mvklqazjkj977h9xwvx3ntwt2ucdert8sufgq2g8mgs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYUhEbmIwbHBudi9jQ1kw
+            ZDdEWUZpWitObVZpUUdNSFloWVFDS0d3N1M4CnB4RmhlOXBYWHErUTVsT3VEd2lh
+            cVlXbmdrNDBZbVFlOEc0OG91dUEvV2cKLS0tIFN0M1R4T1FqN2MrVE8rZGZhbTlm
+            b3JIb2t2NG81c2JhemdTZ1kxUnZuZVkK43Jbw6lWmKqDljo/gkt4yvJ6Zh0HSCJN
+            sji/xyq8gtPV3h5R4qG7wIEAJFR31WiU8t2DBe7F56+2qC8s58YHdg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age14taxy23wzym2r9jndzsq5h8dx2f5cj5vtusfet2ggjjepp8pkfdqf6mus0
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHL0xtVEZjeUN6TjgxMmlN
+            aVU0cDMwQjdDVklBcm1ud1lRSlFuamIweUdBCkxVRWg0MTVjUlplZU42R0dqZGlO
+            WXl6RDZMQktSekdLNjFEamF1RWFnNDAKLS0tIHNuUlU5emdySU5maGtHNE1zcitk
+            MnZ3RjRnbzJQOG5aQjQxcThYT3pJbTAKB8tH4XQ8pPVkguib9478JR3BOFAw/KhF
+            NIbLPosI4CWt7HIJwDl8NfD/W+jow+HhQ/BihU17qOSSRc9EM5oC7g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-05-01T04:33:17Z"
+    mac: ENC[AES256_GCM,data:YbhWGBJRj19cCD3Z7tTJDEkP+M6ju1MMz823SUqc1/ARGH37mq3tdu+AAEljixO/aewfbvQFBlFkNkCEUoSMhdTuhdcJAajq/pQPVjJeqRmoyuFulWLhrSPCAxHm+e5dXKhHUNoixJv2JoVQp0B5LgjV+zPvqZ1ni7qSEJcGI6s=,iv:63GbyrMi1RkTbLCIQ1VgyN4Mr2oOdd2AUeH6M4Q7mL8=,tag:wVcFum/UlEVwwCUQzTBJSw==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0