From 7402e16cf4d80e140e748ed19723a36746bde665 Mon Sep 17 00:00:00 2001
From: gitea-admin <admin@local>
Date: Sun, 17 May 2026 01:58:52 +0000
Subject: [PATCH] feat: add ExternalSecret for tailscale operator OAuth
 credentials

---
 .../tailscale/operator/external-secret.yaml   | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 deployments/tailscale/operator/external-secret.yaml

diff --git a/deployments/tailscale/operator/external-secret.yaml b/deployments/tailscale/operator/external-secret.yaml
new file mode 100644
index 0000000..2268e10
--- /dev/null
+++ b/deployments/tailscale/operator/external-secret.yaml
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: tailscale-operator-secret
+  namespace: tailscale
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: orion-vault
+    kind: ClusterSecretStore
+  target:
+    name: tailscale-operator-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: client-id
+      remoteRef:
+        key: tailscale/operator
+        property: CLIENT_ID_FILE
+    - secretKey: client-secret
+      remoteRef:
+        key: tailscale/operator
+        property: CLIENT_SECRET_FILE