chore: remove Tailscale operator and all related manifests

test

.gitea/workflows/validate.yaml

@@ -0,0 +1,58 @@
+name: Validate Manifests
+
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install kubeconform
+        run: |
+          curl -sL https://github.com/yannh/kubeconform/releases/download/v0.6.7/kubeconform-linux-amd64.tar.gz \
+            | tar xz -C /usr/local/bin
+          chmod +x /usr/local/bin/kubeconform
+
+      - name: Schema validation (kubeconform)
+        run: |
+          find . -name '*.yaml' -o -name '*.yml' \
+            | grep -v '\.gitea/' \
+            | sort \
+            | xargs kubeconform \
+                -strict \
+                -ignore-missing-schemas \
+                -kubernetes-version 1.30.0 \
+                -summary
+
+      - name: Install kubectl
+        run: |
+          K8S_VER=$(curl -sL https://dl.k8s.io/release/stable.txt)
+          curl -sLO "https://dl.k8s.io/release/${K8S_VER}/bin/linux/amd64/kubectl"
+          chmod +x kubectl && mv kubectl /usr/local/bin/kubectl
+
+      - name: Server-side dry-run (CRD existence check)
+        env:
+          KUBECONFIG_DATA: ${{ secrets.KUBECONFIG }}
+        run: |
+          echo "$KUBECONFIG_DATA" | base64 -d > /tmp/kube.yaml
+          # Apply all YAML files in sorted order — server-side dry-run rejects
+          # any apiVersion/Kind whose CRD is not installed in the cluster.
+          find . -name '*.yaml' -o -name '*.yml' \
+            | grep -v '\.gitea/' \
+            | sort \
+            | xargs -I{} kubectl apply \
+                --dry-run=server \
+                --kubeconfig /tmp/kube.yaml \
+                -f {} 2>&1 \
+            | tee /tmp/dryrun.log
+          rm -f /tmp/kube.yaml
+          # Fail if any "no kind is registered" or "no matches for kind" errors
+          if grep -qE "no kind is registered|no matches for kind|unknown field" /tmp/dryrun.log; then
+            echo "❌ Dry-run found unknown resources or fields — manifests reference CRDs not installed in the cluster"
+            exit 1
+          fi
+          echo "✅ All manifests passed server-side dry-run"

infra/tailscale/deployment.yaml

@@ -1,34 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: tailscale-operator
-  namespace: tailscale
-  labels:
-    app.kubernetes.io/name: tailscale-operator
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: tailscale-operator
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: tailscale-operator
-    spec:
-      serviceAccountName: tailscale-operator
-      containers:
-        - name: operator
-          image: ghcr.io/tailscale/kubernetes-operator:v1.70.1
-          env:
-            - name: TS_AUTH_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: tailscale-auth
-                  key: TS_AUTH_KEY
-          resources:
-            requests:
-              cpu: 50m
-              memory: 64Mi
-            limits:
-              cpu: 100m
-              memory: 128Mi

infra/tailscale/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: tailscale
-  labels:
-    app.kubernetes.io/name: tailscale

infra/tailscale/rbac.yaml

@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: tailscale-operator
-  namespace: tailscale
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: tailscale-operator
-rules:
-  - apiGroups: ["apps"]
-    resources: ["deployments", "statefulsets", "daemonsets"]
-    verbs: ["get", "list", "watch", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["services", "endpoints"]
-    verbs: ["get", "list", "watch", "update", "patch"]
-  - apiGroups: ["policy.tailscale.com"]
-    resources: ["tailnets", "tailscales"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-  - apiGroups: ["policy.tailscale.com"]
-    resources: ["tailnets/status", "tailscales/status"]
-    verbs: ["get", "update", "patch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: tailscale-operator
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: tailscale-operator
-subjects:
-  - kind: ServiceAccount
-    name: tailscale-operator
-    namespace: tailscale

infra/tailscale/tailnet-cr.yaml

@@ -1,9 +0,0 @@
-apiVersion: policy.tailscale.com/v1alpha1
-kind: Tailnet
-metadata:
-  name: default
-  namespace: tailscale
-spec:
-  tagAuths:
-    - tag: k8s-tailscale-operator
-      approved: true

tailscale/daemonset.yaml

@@ -1,56 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: tailscaled
-  namespace: tailscale
-  labels:
-    app: tailscale
-spec:
-  selector:
-    matchLabels:
-      app: tailscale
-  template:
-    metadata:
-      labels:
-        app: tailscale
-    spec:
-      hostNetwork: true
-      serviceAccountName: tailscale
-      containers:
-        - name: tailscale
-          image: tailscale/tailscale:latest
-          env:
-            - name: TS_KUBE_SECRET
-              value: "tailscale-auth"
-            - name: TS_STATE_DIR
-              value: "/var/lib/tailscale"
-          envFrom:
-            - secretRef:
-                name: tailscale-auth
-          volumeMounts:
-            - name: var-lib-tailscale
-              mountPath: /var/lib/tailscale
-            - name: tailscale-tmp
-              mountPath: /tmp
-            - name: dev-tun
-              mountPath: /dev/net/tun
-              readOnly: true
-          securityContext:
-            privileged: true
-            capabilities:
-              add: ["NET_ADMIN", "NET_RAW"]
-          resources:
-            requests:
-              cpu: 50m
-              memory: 100Mi
-            limits:
-              memory: 200Mi
-      volumes:
-        - name: var-lib-tailscale
-          persistentVolumeClaim:
-            claimName: tailscale
-        - name: tailscale-tmp
-          emptyDir: {}
-        - name: dev-tun
-          hostPath:
-            path: /dev/net/tun

tailscale/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: tailscale
-  labels:
-    app: tailscale

tailscale/pvc.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: tailscale
-  namespace: tailscale
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: longhorn
-  resources:
-    requests:
-      storage: 1Gi

tailscale/rbac.yaml

@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: tailscale
-  namespace: tailscale
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: tailscale
-rules:
-  - apiGroups: [""]
-    resources: ["pods", "services", "endpoints", "namespaces", "secrets"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["tailnet.tailscale.com"]
-    resources: ["*"]
-    verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: tailscale
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: tailscale
-subjects:
-  - kind: ServiceAccount
-    name: tailscale
-    namespace: tailscale

tailscale/tailnet.yaml

@@ -1,13 +0,0 @@
-apiVersion: tailnet.tailscale.com/v1alpha1
-kind: Tailnet
-metadata:
-  name: talos-cluster
-  namespace: tailscale
-spec:
-  tagExposes: []
-  dnsMode: "Split"
-  users:
-    - name: cluster-admin
-      selector:
-        matchLabels:
-          tailscale.com/managed: "true"