diff --git a/deployments/tailscale/clusterrole.yaml b/deployments/tailscale/clusterrole.yaml
new file mode 100644
index 0000000..ebad7cc
--- /dev/null
+++ b/deployments/tailscale/clusterrole.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tailscale-operator
+  labels:
+    app: tailscale-operator
+rules:
+- apiGroups: [""]
+  resources: ["pods", "services", "secrets", "configmaps"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["apps"]
+  resources: ["deployments", "statefulsets"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["discovery.k8s.io"]
+  resources: ["endpointslices"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
diff --git a/deployments/tailscale/clusterrolebinding.yaml b/deployments/tailscale/clusterrolebinding.yaml
new file mode 100644
index 0000000..98c5651
--- /dev/null
+++ b/deployments/tailscale/clusterrolebinding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tailscale-operator
+  labels:
+    app: tailscale-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: tailscale-operator
+subjects:
+- kind: ServiceAccount
+  name: tailscale-operator
+  namespace: apps
diff --git a/deployments/tailscale/configmap.yaml b/deployments/tailscale/configmap.yaml
new file mode 100644
index 0000000..12cb8e4
--- /dev/null
+++ b/deployments/tailscale/configmap.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: tailscale-operator
+  namespace: apps
+  labels:
+    app: tailscale-operator
+data:
+  TS_KUBE_OBJECT_STORE: "true"
diff --git a/deployments/tailscale/deployment.yaml b/deployments/tailscale/deployment.yaml
new file mode 100644
index 0000000..a1f427d
--- /dev/null
+++ b/deployments/tailscale/deployment.yaml
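Review bot: The first rule of the ClusterRole grants get/list/watch/create/update/patch/delete on `secrets` and `configmaps` in every namespace, and the ClusterRoleBinding in the next hunk hands that to the `tailscale-operator` ServiceAccount in `apps`, so a compromise of the operator pod reads and rewrites every Secret in the cluster. If, as in the upstream manifests, the operator only creates its state and proxy Secrets in its own namespace, the `""`, `apps` and `coordination.k8s.io` rules belong in a namespaced Role plus RoleBinding in `apps`, with the ClusterRole kept for resources it genuinely must watch cluster-wide. Separately, the rule set has no entries for the operator's own `tailscale.com` API group, `networking.k8s.io` ingresses or `events`; confirm against the RBAC shipped with the pinned image, since the diff does not establish that this subset is enough for it to run.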
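Review bot: Nothing consumes this ConfigMap: deployment.yaml in this same diff sets `TS_AUTH_KEY`, `POD_NAME` and `POD_NAMESPACE` individually and has no `envFrom` or `configMapKeyRef`, so `TS_KUBE_OBJECT_STORE: "true"` never reaches the operator. Either reference it from the container with `envFrom:` / `- configMapRef:` / `name: tailscale-operator`, or drop the file. Also confirm that the pinned image reads a variable of this name, which the diff does not establish.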
@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tailscale-operator
+  namespace: apps
+  labels:
+    app: tailscale-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: tailscale-operator
+  template:
+    metadata:
+      labels:
+        app: tailscale-operator
+    spec:
+      serviceAccountName: tailscale-operator
+      containers:
+      - name: operator
+        image: ghcr.io/tailscale/k8s-operator:1.72.0
+        env:
+        - name: TS_AUTH_KEY
+          valueFrom:
+            secretKeyRef:
+              name: tailscale-auth
+              key: TS_AUTH_KEY
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        resources:
+          requests:
+            cpu: 50m
+            memory: 64Mi
+          limits:
+            cpu: 100m
+            memory: 128Mi
diff --git a/deployments/tailscale/external-secret.yaml b/deployments/tailscale/external-secret.yaml
index 7a13d02..941bcb4 100644
--- a/deployments/tailscale/external-secret.yaml
+++ b/deployments/tailscale/external-secret.yaml
@@ -2,20 +2,17 @@ apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: tailscale-auth
-  namespace: tailscale
+  namespace: apps
   labels:
-    app: tailscale
-    managed-by: orion
+    app: tailscale-operator
 spec:
-  refreshInterval: "1h"
+  refreshInterval: 1h
   secretStoreRef:
     name: orion-vault
     kind: ClusterSecretStore
   target:
     name: tailscale-auth
     creationPolicy: Owner
-    template:
-      type: Opaque
   data:
   - secretKey: TS_AUTH_KEY
     remoteRef:
diff --git a/deployments/tailscale/namespace.yaml b/deployments/tailscale/namespace.yaml
new file mode 100644
index 0000000..d4cdd11
--- /dev/null
+++ b/deployments/tailscale/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: apps
+  labels:
+    name: apps
diff --git a/deployments/tailscale/serviceaccount.yaml b/deployments/tailscale/serviceaccount.yaml
new file mode 100644
index 0000000..78ddc41
--- /dev/null
+++ b/deployments/tailscale/serviceaccount.yaml
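Review bot: The `operator` container has no pod- or container-level `securityContext`, so it runs with whatever the image and admission defaults supply — no `runAsNonRoot`, no capability drop, privilege escalation permitted — which matters for a pod whose ServiceAccount is bound to cluster-wide Secret access in this same diff. A restrictive context as below is the usual baseline; `readOnlyRootFilesystem` is hedged because the diff does not show whether the operator writes state to disk. The image is pinned by tag `1.72.0` only, which can be re-pushed, so pin by digest as well, `image: ghcr.io/tailscale/k8s-operator:1.72.0@sha256:<DIGEST-OF-1.72.0>`. Upstream documents the operator as configured with OAuth client credentials via `CLIENT_ID_FILE`/`CLIENT_SECRET_FILE` rather than an auth key; confirm the pinned image actually reads `TS_AUTH_KEY`, otherwise the Secret wired in via `secretKeyRef` is never used.
```yaml
      containers:
      - name: operator
        image: ghcr.io/tailscale/k8s-operator:1.72.0
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true  # drop if the operator writes to its filesystem - verify
          capabilities:
            drop: ["ALL"]
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: env and resources …
```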
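Review bot: The new `apps` namespace carries only a `name: apps` label and no Pod Security Admission labels, so nothing reports on the posture of workloads placed in what its name suggests is a shared namespace. Because the operator, and any proxy pods it may create here, could need capabilities that the `restricted` profile forbids, start with non-blocking labels, `pod-security.kubernetes.io/warn: baseline` and `pod-security.kubernetes.io/audit: baseline`, and tighten to `enforce` once the actual pod specs are known.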
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tailscale-operator
+  namespace: apps
+  labels:
+    app: tailscale-operator