Unable to get subnet-router to authenticate with auth-key secret

I’m trying to install a subnet-router in my k8s cluster following the directions here but I can’t get it to work properly. I created the secret with an auth key and ran make rbac as instructed. I then ran make subnet-router, also as instructed. A screenshot from Portainer shows the ENV variables appear to be set correctly:

However, when I check the logs it is still asking me to authenticate via URL:

...
2022/09/04 20:49:16 Received auth URL: https://login.tailsc...
2022/09/04 20:49:16 popBrowserAuthNow: url=true
2022/09/04 20:49:16 blockEngineUpdates(true)
2022/09/04 20:49:16 stopEngineAndWait...
2022/09/04 20:49:16 requestEngineStatusAndWait
2022/09/04 20:49:16 requestEngineStatusAndWait: waiting...
2022/09/04 20:49:16 requestEngineStatusAndWait: got status update.
2022/09/04 20:49:16 stopEngineAndWait: done.
To authenticate, visit:
	https://login.tailscale.com/a/hidden-to-be-safe
2022/09/04 20:49:16 control: doLogin(regen=false, hasUrl=true)
2022/09/04 20:49:16 control: RegisterReq: onode= node=[Q5ysx] fup=true

If I do that, then it does authenticate and adds the subnet-router to my list of machines; however, the pod immediately terminates and never gets back to a running state. Here is a snippet of the logs:

/tailscale/run.sh: set: line 7: can't access tty; job control turned off
Starting tailscaled
Running tailscale up
2022/09/04 20:54:25 logtail started
...
2022/09/04 20:54:26 wgengine: Reconfig: configuring userspace WireGuard config (with 0/25 peers)
2022/09/04 20:54:26 wgengine: Reconfig: configuring router
2022/09/04 20:54:26 wgengine: Reconfig: configuring DNS
2022/09/04 20:54:26 dns: Set: {DefaultResolvers:[] Routes:{} SearchDomains:[] Hosts:26}
2022/09/04 20:54:26 dns: Resolvercfg: {Routes:{} Hosts:26 LocalDomains:[]}
2022/09/04 20:54:26 dns: OScfg: {Hosts:[] Nameservers:[] SearchDomains:[] MatchDomains:[]}
2022/09/04 20:54:26 peerapi: serving on http://100.99.0.100:35114
2022/09/04 20:54:26 peerapi: serving on http://[fd7a:115c:a1e0:ab12:4843:cd96:6263:64]:35114
2022/09/04 20:54:26 magicsock: home is now derp-1 (nyc)
2022/09/04 20:54:26 magicsock: adding connection to derp-1 for home-keep-alive
2022/09/04 20:54:26 magicsock: 1 active derp conns: derp-1=cr0s,wr0s
2022/09/04 20:54:26 Switching ipn state Starting -> Running (WantRunning=true, nm=true)
2022/09/04 20:54:26 derphttp.Client.Connect: connecting to derp-1 (nyc)
2022/09/04 20:54:26 control: NetInfo: NetInfo{varies=true hairpin=false ipv6=true udp=true icmpv4=false derp=#1 portmap= link=""}
2022/09/04 20:54:26 magicsock: endpoints changed: 96.230.118.211:45482 (stun), [::ffff:96.230.118.211]:16852 (stun), 10.42.4.77:41582 (local)
/tailscale/run.sh: fg: line 85: job (null) not created under job control

I’m not sure what I’m doing wrong to cause it to not authenticate automatically via the auth key secret, and why the pod won’t stay running when I do auth via the URL. Any advice would be appreciated.