Access & consoles

Three ways you reach Ultron Infra: kubectl (private, over Tailscale), the Argo CD UI, and the Keycloak admin console. The Kubernetes API is never public.

kubectl over Tailscale

The Kubernetes API is Tailscale-only — there is no public 6443. On dev machines, ultron resolves to the node’s Tailscale IP.

# Be on the tailnet first
tailscale status

# kubeconfig points at ultron's Tailscale address (a 100.x IP)
kubectl get nodes
kubectl get applications -n argocd     # Argo CD app health

Caution

If kubectl hangs or the cert won’t verify, your DNS is resolving ultron to its public IP instead of the Tailscale 100.x address. The API server’s TLS SAN only covers the Tailscale IP and the ultron name (set via --tls-san at install). Reconnect Tailscale and retry.

Argo CD UI

https://argocd.<auth-domain>

Runs behind Traefik (server.insecure: true, TLS terminated at the edge). Use it to view sync status, diffs, and to trigger a manual sync if you don’t want to wait for the poll. Initial admin password:

kubectl -n argocd get secret argocd-initial-admin-secret \
  -o jsonpath='{.data.password}' | base64 -d

Keycloak admin console

The platform auth instance:

https://auth.<auth-domain>/admin

The admin credentials are generated by the Keycloak operator into the instance’s <instance>-initial-admin Secret:

kubectl -n keycloak get secret <instance>-initial-admin \
  -o jsonpath='{.data.username}' | base64 -d; echo
kubectl -n keycloak get secret <instance>-initial-admin \
  -o jsonpath='{.data.password}' | base64 -d; echo

From there you manage each app’s realm and its clients. Realm config lives in the Keycloak Postgres DB (which is backed up) — see Disaster recovery for how to recreate it on a rebuild.