From cb1b83907bec2d7de1875eedcdcdbfcbfb6cb5b4 Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Sat, 9 May 2026 19:03:17 +0000
Subject: [PATCH 1/5] feat: deploy Tailscale Operator for remote cluster access
---
tailscale/namespace.yaml | 7 +++++++
1 file changed, 7 insertions(+)
create mode 100644 tailscale/namespace.yaml
diff --git a/tailscale/namespace.yaml b/tailscale/namespace.yaml
new file mode 100644
index 0000000..521e2db
--- /dev/null
+++ b/tailscale/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: tailscale
+ labels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
From b0042e5510c54105f36f870fd9c5ee920bfd1496 Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Sat, 9 May 2026 19:03:18 +0000
Subject: [PATCH 2/5] feat: deploy Tailscale Operator for remote cluster access
---
tailscale/rbac.yaml | 48 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 tailscale/rbac.yaml
diff --git a/tailscale/rbac.yaml b/tailscale/rbac.yaml
new file mode 100644
index 0000000..8712bbd
--- /dev/null
+++ b/tailscale/rbac.yaml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tailscale-operator
+ namespace: tailscale
+ labels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tailscale-operator
+ labels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
+rules:
+- apiGroups: ['']
+ resources: ['secrets', 'services', 'endpoints']
+ verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
+- apiGroups: ['']
+ resources: ['nodes']
+ verbs: ['get', 'list', 'update', 'patch']
+- apiGroups: ['apps']
+ resources: ['daemonsets']
+ verbs: ['get', 'list', 'watch']
+- apiGroups: ['tailscale.com']
+ resources: ['*']
+ verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
+- apiGroups: ['coordination.k8s.io']
+ resources: ['leases']
+ verbs: ['get', 'create', 'update']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tailscale-operator
+ labels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tailscale-operator
+subjects:
+- kind: ServiceAccount
+ name: tailscale-operator
+ namespace: tailscale
From 5fe154d80d0e6f5c423b8c033a22d9ecb42ccc83 Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Sat, 9 May 2026 19:03:18 +0000
Subject: [PATCH 3/5] feat: deploy Tailscale Operator for remote cluster access
---
tailscale/deployment.yaml | 66 +++++++++++++++++++++++++++++++++++++++
1 file changed, 66 insertions(+)
create mode 100644 tailscale/deployment.yaml
diff --git a/tailscale/deployment.yaml b/tailscale/deployment.yaml
new file mode 100644
index 0000000..dae6204
--- /dev/null
+++ b/tailscale/deployment.yaml
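Review bot: In tailscale/rbac.yaml the first ClusterRole rule grants `secrets` with get/list/watch/create/update/patch/delete, and the ClusterRoleBinding makes that cluster-wide, so a compromise of the operator pod or its service account token exposes every Secret in every namespace. Nothing in this series shows the operator using Secrets outside the `tailscale` namespace, so I would drop `secrets` from the ClusterRole and grant it through a namespaced Role and RoleBinding, as sketched below (verbs carried over unchanged; trim them to what the operator needs). The `nodes` update/patch rule and the `resources: ['*']` wildcard on `tailscale.com` deserve the same scrutiny: list the resources the operator actually reconciles, or add a comment saying why each grant is required. The `leases` rule could presumably move into the same Role, but confirm the leader-election namespace first.

```yaml
# ClusterRole, first rule with 'secrets' removed
- apiGroups: ['']
  resources: ['services', 'endpoints']
  verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
# … unchanged: nodes, daemonsets, tailscale.com and leases rules, ClusterRoleBinding …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tailscale-operator
  namespace: tailscale
rules:
- apiGroups: ['']
  resources: ['secrets']
  verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tailscale-operator
  namespace: tailscale
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tailscale-operator
subjects:
- kind: ServiceAccount
  name: tailscale-operator
  namespace: tailscale
```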
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tailscale-operator
+ namespace: tailscale
+ labels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
+ spec:
+ serviceAccountName: tailscale-operator
+ securityContext:
+ runAsNonRoot: true
+ containers:
+ - name: operator
+ image: ghcr.io/tailscale/operator:v1.76.0
+ args:
+ - --hostname=$(POD_NAME)
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ envFrom:
+ - secretRef:
+ name: tailscale-operator-secret
+ ports:
+ - containerPort: 8080
+ name: metrics
+ protocol: TCP
+ resources:
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ limits:
+ cpu: 100m
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ capabilities:
+ drop:
+ - ALL
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
From b3527c2b16bbcc1052449ee1633e869512c5ea7e Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Sat, 9 May 2026 19:03:18 +0000
Subject: [PATCH 4/5] feat: deploy Tailscale Operator for remote cluster access
---
tailscale/service.yaml | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 tailscale/service.yaml
diff --git a/tailscale/service.yaml b/tailscale/service.yaml
new file mode 100644
index 0000000..d31be8f
--- /dev/null
+++ b/tailscale/service.yaml
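Review bot: In tailscale/deployment.yaml, `envFrom` with `secretRef: tailscale-operator-secret` copies every key of that Secret into the container environment, where it is inherited by child processes and can surface in diagnostics; mounting the Secret as a read-only volume keeps the credential out of the environment. As written, the `authkey` key from auth-secret.yaml becomes an environment variable literally named `authkey`, and nothing on this page shows the operator reading that name, so confirm what the operator expects before relying on it. The image is referenced by tag only; adding the digest, `image: ghcr.io/tailscale/operator:v1.76.0@sha256:<digest>`, pins the exact content that gets deployed. The container securityContext sets no seccomp profile, so I would add `seccompProfile:` with `type: RuntimeDefault` next to `allowPrivilegeEscalation: false`. The required control-plane nodeAffinity has no matching toleration in this hunk, so on clusters that taint control-plane nodes the pod would stay Pending, and it is worth a comment on why a component holding cluster credentials has to run there.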
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: tailscale-operator
+ namespace: tailscale
+ labels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
+spec:
+ type: ClusterIP
+ ports:
+ - name: metrics
+ port: 8080
+ targetPort: 8080
+ protocol: TCP
+ selector:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
From 16e2b4e9b238d3f80ea826c899f32cd44ee23610 Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Sat, 9 May 2026 19:03:18 +0000
Subject: [PATCH 5/5] feat: deploy Tailscale Operator for remote cluster access
---
tailscale/auth-secret.yaml | 12 ++++++++++++
1 file changed, 12 insertions(+)
create mode 100644 tailscale/auth-secret.yaml
diff --git a/tailscale/auth-secret.yaml b/tailscale/auth-secret.yaml
new file mode 100644
index 0000000..b8302e5
--- /dev/null
+++ b/tailscale/auth-secret.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: tailscale-operator-secret
+ namespace: tailscale
+ labels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
+type: Opaque
+data:
+ # TODO: Fill in the Tailscale auth key (base64 encoded)
+ authkey: PLACEHOLDER
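Review bot: tailscale/auth-secret.yaml puts a Secret manifest under version control with a TODO asking for the real auth key to be filled in, and base64 under `data:` is an encoding, not protection, so following the TODO commits a usable credential to the repository history. Keep at most a template here and create the Secret out of band or through an encrypted-secret workflow; I would replace the TODO with `# Do not commit a real key: create this Secret out of band; base64 is not encryption.` Separately, `PLACEHOLDER` is 11 characters with no padding, so it is not valid base64 and the API server should reject the manifest as-is; `stringData:` is the field for a plain-text template value.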