From 89ff635940252ee509692902f552bf9584f27d12 Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Sun, 17 May 2026 00:46:03 +0000
Subject: [PATCH] fix: migrate tailscale-operator to OAuth auth mode
---
 .../tailscale-operator/deployment.yaml | 70 +++++++++----------
 1 file changed, 34 insertions(+), 36 deletions(-)
diff --git a/deployments/tailscale-operator/deployment.yaml b/deployments/tailscale-operator/deployment.yaml
index 8ef1592..204b9fb 100644
--- a/deployments/tailscale-operator/deployment.yaml
+++ b/deployments/tailscale-operator/deployment.yaml
@@ -15,41 +15,39 @@ spec:
 labels:
 app: tailscale-operator
 spec:
+ serviceAccountName: tailscale-operator
 containers:
- - name: operator
- image: ghcr.io/tailscale/operator:latest
- ports:
- - containerPort: 8080
- name: http-metrics
- protocol: TCP
- env:
- - name: TS_KUBE_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- envFrom:
- - secretRef:
- name: tailscale-operator-secret
- volumeMounts:
- - name: oauth-config
- mountPath: /etc/tailscale/oauth
- readOnly: true
+ - name: operator
+ image: ghcr.io/tailscale/k8s-operator:v1.78.3
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: TS_CLIENT_ID_FILE
+ value: /etc/tailscale/oauth/client.id
+ - name: TS_CLIENT_SECRET_FILE
+ value: /etc/tailscale/oauth/client.secret
+ volumeMounts:
+ - name: oauth-secret
+ mountPath: /etc/tailscale/oauth
+ readOnly: true
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
 volumes:
- - name: oauth-config
- secret:
- secretName: tailscale-operator-secret
----
-apiVersion: v1
-kind: Service
-metadata:
- name: tailscale-operator
- namespace: tailscale
- labels:
- app: tailscale-operator
-spec:
- ports:
- - port: 8080
- name: http-metrics
- targetPort: http-metrics
- selector:
- app: tailscale-operator
+ - name: oauth-secret
+ secret:
+ secretName: tailscale-operator-secret
+ items:
+ - key: client.id
+ path: client.id
+ - key: client.secret
+ path: client.secret
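Review bot: The `operator` container on the new side is declared without a `securityContext`, so it runs with the image's default user, capabilities and seccomp profile while the OAuth client secret is mounted at `/etc/tailscale/oauth`. Dropping all capabilities, disabling privilege escalation and selecting the runtime-default seccomp profile, as sketched below, is a low-risk addition; `runAsNonRoot` and `readOnlyRootFilesystem` should be added only after checking them against the v1.78.3 image. The upstream operator, as far as I know, reads `CLIENT_ID_FILE`, `CLIENT_SECRET_FILE` and `OPERATOR_NAMESPACE`, so confirm that this image honours the `TS_CLIENT_ID_FILE`, `TS_CLIENT_SECRET_FILE` and `POD_NAMESPACE` names used here, otherwise the mounted credentials are never read. The Deployment header and the ServiceAccount and RBAC behind `serviceAccountName: tailscale-operator` lie outside this hunk and could not be reviewed.

```yaml
        # … unchanged: name, image, imagePullPolicy, env, volumeMounts …
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: terminationMessagePath, terminationMessagePolicy, volumes …
```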