
Expose Felix webhooks over Tailscale#2434

Open
claytono wants to merge 2 commits into main from felix-hermes-webhook-tailscale

Conversation

@claytono

Owner

Includes the Hermes agent upgrade from the Renovate branch and exposes the enabled Felix webhook adapter over Tailscale only.

Adds a dedicated felix-webhook service on port 8644, a Tailscale ingress at felix-webhook.cow-banjo.ts.net, and the Tailscale ACL tag owner needed for tag:felix.

renovate Bot and others added 2 commits June 27, 2026 00:32
Add a dedicated Felix webhook service on the Hermes webhook port and expose it through the Tailscale operator only.

Allow the Kubernetes Tailscale operator to use tag:felix so the webhook ingress can be provisioned with its own MagicDNS hostname.
Copilot AI review requested due to automatic review settings June 27, 2026 04:34

Copilot AI left a comment

Contributor


Pull request overview

This PR exposes Felix’s webhook adapter via the Tailscale ingress class (intended to be reachable as felix-webhook.cow-banjo.ts.net) and updates the Felix deployment to publish the webhook port. It also adds the required Tailscale ACL tag ownership so the Kubernetes operator can assign the new tag:felix.

Changes:

  • Add tag:felix to Tailscale ACL tagOwners to allow tag:k8s-operator to assign it.
  • Expose a new felix-webhook Service on port 8644 and add a Tailscale Ingress targeting it.
  • Update the Felix deployment to expose container port 8644 and bump hermes-agent to v2026.6.19.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Summary per file:
  • opentofu/tailscale.tf: adds tag:felix ownership so the k8s operator can tag the new Tailscale-exposed endpoint.
  • kubernetes/felix/deployment.yaml: bumps the Hermes agent image and exposes the new webhook port on the pod.
  • kubernetes/felix/service-webhook.yaml: introduces a dedicated ClusterIP service exposing port 8644 to the pod's named webhook port.
  • kubernetes/felix/tailscale-ingress-webhook.yaml: adds a Tailscale Ingress routing /webhooks to the felix-webhook service.
  • kubernetes/felix/kustomization.yaml: wires the new Service and Tailscale Ingress into the Felix kustomization resources list.

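To make the wiring the reviews describe concrete, here is how the two new manifests fit together. This is an added example, not the PR's own files: the Service maps port 8644 to the pod's named webhook port, and the Ingress uses the Tailscale ingress class, sets the MagicDNS hostname through spec.tls.hosts and requests tag:felix through the tailscale.com/tags annotation (which is why tag:k8s-operator must be listed as an owner of tag:felix in the ACL tagOwners, the opentofu/tailscale.tf change). The namespace felix and the app: felix selector label are assumptions; the real manifests in the PR may differ.

```yaml
# Added example, not the PR's service-webhook.yaml / tailscale-ingress-webhook.yaml.
# Assumes namespace "felix" and that the Felix pod carries the label app=felix.
apiVersion: v1
kind: Service
metadata:
  name: felix-webhook
  namespace: felix
spec:
  type: ClusterIP
  selector:
    app: felix
  ports:
    - name: webhook
      port: 8644
      targetPort: webhook   # the named containerPort 8644 declared in deployment.yaml
      protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: felix-webhook-tailscale
  namespace: felix
  annotations:
    # Tags the operator puts on the proxy node. The operator can only assign tags
    # it owns, hence "tag:k8s-operator" under tagOwners["tag:felix"] in the ACL.
    tailscale.com/tags: "tag:felix"
    # Deliberately no tailscale.com/funnel: "true" here; that annotation would
    # publish the hostname to the public internet rather than the tailnet only.
spec:
  ingressClassName: tailscale
  tls:
    - hosts:
        - felix-webhook   # MagicDNS name: felix-webhook.<tailnet>.ts.net, here cow-banjo.ts.net
  rules:
    - http:
        paths:
          - path: /webhooks
            pathType: Prefix
            backend:
              service:
                name: felix-webhook
                port:
                  number: 8644
```

Two things to verify once this is applied: that the operator actually created the proxy with tag:felix (if the tagOwners entry is missing, the Ingress stays pending), and that the pod really listens on 8644, since the Service and Ingress only route traffic and do not start the Hermes webhook adapter.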

@coderabbitai

coderabbitai Bot commented Jun 27, 2026

Contributor


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 76e53a0d-44f2-4d4f-87ae-c40d2eb0db32

📥 Commits

Reviewing files that changed from the base of the PR and between f14e544 and 4c04fee.

📒 Files selected for processing (5)
  • kubernetes/felix/deployment.yaml
  • kubernetes/felix/kustomization.yaml
  • kubernetes/felix/service-webhook.yaml
  • kubernetes/felix/tailscale-ingress-webhook.yaml
  • opentofu/tailscale.tf

Walkthrough

The Felix hermes container image is updated, the pod template adds a webhook port, and new Kubernetes and Tailscale manifests expose /webhooks through a felix-webhook Service and Ingress. Tailscale ACL ownership for tag:felix is added.

Changes

Felix webhook exposure

  • Pod webhook port (kubernetes/felix/deployment.yaml): the hermes container image is updated, and the pod template declares a webhook port on 8644 alongside gateway on 8642.
  • Webhook exposure wiring (kubernetes/felix/service-webhook.yaml, kubernetes/felix/tailscale-ingress-webhook.yaml, kubernetes/felix/kustomization.yaml, opentofu/tailscale.tf): a new felix-webhook Service and felix-webhook-tailscale Ingress route /webhooks to port 8644, the kustomization includes the new manifests, and tag:felix ownership is added in Tailscale ACLs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks: 5 passed
  • Title check ✅ Passed: the title clearly summarizes the main change, exposing Felix webhooks over Tailscale.
  • Description check ✅ Passed: the description matches the changeset by mentioning the Hermes upgrade, Felix webhook service, Tailscale ingress, and ACL update.
  • Docstring Coverage ✅ Passed: no functions found in the changed files to evaluate docstring coverage; check skipped.
  • Linked Issues check ✅ Passed: check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check ✅ Passed: check skipped because no linked issues were found for this pull request.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4c04feed22

Comment on lines +113 to +114
- name: webhook
containerPort: 8644
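Review bot: the named webhook port on containerPort 8644 only declares the port; nothing in this hunk enables the Hermes webhook adapter, which (as the comment below notes) Hermes documents as off by default via WEBHOOK_ENABLED, and the Deployment's existing env/ExternalSecret wiring only carries API and Slack settings. As it stands the new Service and Ingress will forward tailnet requests to a port nothing listens on. Add the webhook enable and secret settings to the pod alongside this port, and consider a readinessProbe on 8644 so the Service only routes once the listener is actually up.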


P2: Enable the webhook adapter before exposing it

In environments recreated from this repo (for example a fresh Felix PVC with no manual ~/.hermes/config.yaml), this only publishes port 8644; Hermes documents WEBHOOK_ENABLED as defaulting to false (https://hermes-agent.nousresearch.com/docs/user-guide/messaging/webhooks#environment-variables), and the Deployment/ExternalSecret still only provide API/Slack settings. The new Service/Ingress will therefore forward Tailscale requests to a port where the webhook server was never started, so /webhooks/... will fail until the webhook enable/secret config is supplied to the pod.
