fix: migrate tailscale-operator to OAuth auth mode

2026-05-17 00:46:03 +00:00
33 changed files with 144 additions and 644 deletions
@@ -1,29 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: excalidraw
-  namespace: apps
-  labels:
-    app: excalidraw
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: excalidraw
-  template:
-    metadata:
-      labels:
-        app: excalidraw
-    spec:
-      containers:
-        - name: excalidraw
-          image: excalidraw/excalidraw:latest
-          ports:
-            - containerPort: 80
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
-            limits:
-              cpu: 500m
-              memory: 512Mi
@@ -1,26 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: excalidraw
-  namespace: apps
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
-spec:
-  ingressClassName: traefik
-  tls:
-    - hosts:
-        - excalidraw.khalisio.com
-      secretName: excalidraw-tls
-  rules:
-    - host: excalidraw.khalisio.com
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: excalidraw
-                port:
-                  number: 80
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: excalidraw
-  namespace: apps
-spec:
-  selector:
-    app: excalidraw
-  ports:
-    - name: http
-      port: 80
-      targetPort: 80
-  type: ClusterIP
@@ -1,48 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: bazarr
-  namespace: media
-  labels:
-    app: bazarr
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: bazarr
-  template:
-    metadata:
-      labels:
-        app: bazarr
-    spec:
-      containers:
-        - name: bazarr
-          image: lscr.io/linuxserver/bazarr:1.5.0
-          ports:
-            - containerPort: 6767
-          env:
-            - name: PUID
-              value: "1000"
-            - name: PGID
-              value: "1000"
-            - name: TZ
-              value: "America/New_York"
-          resources:
-            requests:
-              cpu: 100m
-              memory: 256Mi
-            limits:
-              cpu: 500m
-              memory: 512Mi
-          volumeMounts:
-            - name: config
-              mountPath: /config
-            - name: media
-              mountPath: /media
-      volumes:
-        - name: config
-          persistentVolumeClaim:
-            claimName: bazarr-config
-        - name: media
-          persistentVolumeClaim:
-            claimName: media-data
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: bazarr-config
-  namespace: media
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: longhorn
-  resources:
-    requests:
-      storage: 5Gi
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: bazarr
-  namespace: media
-  labels:
-    app: bazarr
-spec:
-  type: ClusterIP
-  ports:
-    - port: 6767
-      targetPort: 6767
-      protocol: TCP
-  selector:
-    app: bazarr
@@ -1,56 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: emby
-  namespace: media
-  labels:
-    app: emby
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: emby
-  template:
-    metadata:
-      labels:
-        app: emby
-    spec:
-      containers:
-        - name: emby
-          image: lscr.io/linuxserver/emby:latest
-          ports:
-            - containerPort: 8096
-          env:
-            - name: PUID
-              value: "1000"
-            - name: PGID
-              value: "1000"
-            - name: TZ
-              value: "America/New_York"
-          resources:
-            requests:
-              cpu: 500m
-              memory: 1Gi
-            limits:
-              cpu: "2"
-              memory: 2Gi
-          volumeMounts:
-            - name: config
-              mountPath: /config
-            # TODO: Update mount path to your actual media storage location
-            - name: media-movies
-              mountPath: /media/movies
-            - name: media-tv
-              mountPath: /media/tv
-      volumes:
-        - name: config
-          persistentVolumeClaim:
-            claimName: emby-config
-        - name: media-movies
-          # TODO: Change to your actual storage (NFS, local path, etc.)
-          emptyDir: {}
-        - name: media-tv
-          emptyDir: {}
-        - name: media
-          persistentVolumeClaim:
-            claimName: media-data
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: emby-config
-  namespace: media
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: longhorn
-  resources:
-    requests:
-      storage: 20Gi
@@ -1,20 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: emby
-  namespace: media
-  labels:
-    app: emby
-spec:
-  type: ClusterIP
-  ports:
-    - port: 8096
-      targetPort: 8096
-      protocol: TCP
-      name: http
-    - port: 8920
-      targetPort: 8920
-      protocol: TCP
-      name: https
-  selector:
-    app: emby
@@ -1,48 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: lidarr
-  namespace: media
-  labels:
-    app: lidarr
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: lidarr
-  template:
-    metadata:
-      labels:
-        app: lidarr
-    spec:
-      containers:
-        - name: lidarr
-          image: lscr.io/linuxserver/lidarr:2.7.0
-          ports:
-            - containerPort: 8686
-          env:
-            - name: PUID
-              value: "1000"
-            - name: PGID
-              value: "1000"
-            - name: TZ
-              value: "America/New_York"
-          resources:
-            requests:
-              cpu: 100m
-              memory: 256Mi
-            limits:
-              cpu: 500m
-              memory: 512Mi
-          volumeMounts:
-            - name: config
-              mountPath: /config
-            - name: media
-              mountPath: /media
-      volumes:
-        - name: config
-          persistentVolumeClaim:
-            claimName: lidarr-config
-        - name: media
-          persistentVolumeClaim:
-            claimName: media-data
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: lidarr-config
-  namespace: media
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: longhorn
-  resources:
-    requests:
-      storage: 5Gi
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: lidarr
-  namespace: media
-  labels:
-    app: lidarr
-spec:
-  type: ClusterIP
-  ports:
-    - port: 8686
-      targetPort: 8686
-      protocol: TCP
-  selector:
-    app: lidarr
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: media
-  labels:
-    app.kubernetes.io/managed-by: orion
-    team: media
@@ -1,43 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: prowlarr
-  namespace: media
-  labels:
-    app: prowlarr
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: prowlarr
-  template:
-    metadata:
-      labels:
-        app: prowlarr
-    spec:
-      containers:
-        - name: prowlarr
-          image: lscr.io/linuxserver/prowlarr:1.29.0
-          ports:
-            - containerPort: 9696
-          env:
-            - name: PUID
-              value: "1000"
-            - name: PGID
-              value: "1000"
-            - name: TZ
-              value: "America/New_York"
-          resources:
-            requests:
-              cpu: 100m
-              memory: 256Mi
-            limits:
-              cpu: 500m
-              memory: 512Mi
-          volumeMounts:
-            - name: config
-              mountPath: /config
-      volumes:
-        - name: config
-          persistentVolumeClaim:
-            claimName: prowlarr-config
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: prowlarr-config
-  namespace: media
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: longhorn
-  resources:
-    requests:
-      storage: 2Gi
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: prowlarr
-  namespace: media
-  labels:
-    app: prowlarr
-spec:
-  type: ClusterIP
-  ports:
-    - port: 9696
-      targetPort: 9696
-      protocol: TCP
-  selector:
-    app: prowlarr
@@ -1,48 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: radarr
-  namespace: media
-  labels:
-    app: radarr
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: radarr
-  template:
-    metadata:
-      labels:
-        app: radarr
-    spec:
-      containers:
-        - name: radarr
-          image: lscr.io/linuxserver/radarr:5.15.0
-          ports:
-            - containerPort: 7878
-          env:
-            - name: PUID
-              value: "1000"
-            - name: PGID
-              value: "1000"
-            - name: TZ
-              value: "America/New_York"
-          resources:
-            requests:
-              cpu: 100m
-              memory: 256Mi
-            limits:
-              cpu: 500m
-              memory: 512Mi
-          volumeMounts:
-            - name: config
-              mountPath: /config
-            - name: media
-              mountPath: /media
-      volumes:
-        - name: config
-          persistentVolumeClaim:
-            claimName: radarr-config
-        - name: media
-          persistentVolumeClaim:
-            claimName: media-data
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: radarr-config
-  namespace: media
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: longhorn
-  resources:
-    requests:
-      storage: 5Gi
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: radarr
-  namespace: media
-  labels:
-    app: radarr
-spec:
-  type: ClusterIP
-  ports:
-    - port: 7878
-      targetPort: 7878
-      protocol: TCP
-  selector:
-    app: radarr
@@ -1,48 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: readarr
-  namespace: media
-  labels:
-    app: readarr
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: readarr
-  template:
-    metadata:
-      labels:
-        app: readarr
-    spec:
-      containers:
-        - name: readarr
-          image: lscr.io/linuxserver/readarr:0.4.0
-          ports:
-            - containerPort: 8787
-          env:
-            - name: PUID
-              value: "1000"
-            - name: PGID
-              value: "1000"
-            - name: TZ
-              value: "America/New_York"
-          resources:
-            requests:
-              cpu: 100m
-              memory: 256Mi
-            limits:
-              cpu: 500m
-              memory: 512Mi
-          volumeMounts:
-            - name: config
-              mountPath: /config
-            - name: media
-              mountPath: /media
-      volumes:
-        - name: config
-          persistentVolumeClaim:
-            claimName: readarr-config
-        - name: media
-          persistentVolumeClaim:
-            claimName: media-data
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: readarr-config
-  namespace: media
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: longhorn
-  resources:
-    requests:
-      storage: 5Gi
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: readarr
-  namespace: media
-  labels:
-    app: readarr
-spec:
-  type: ClusterIP
-  ports:
-    - port: 8787
-      targetPort: 8787
-      protocol: TCP
-  selector:
-    app: readarr
@@ -1,48 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: sonarr
-  namespace: media
-  labels:
-    app: sonarr
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: sonarr
-  template:
-    metadata:
-      labels:
-        app: sonarr
-    spec:
-      containers:
-        - name: sonarr
-          image: lscr.io/linuxserver/sonarr:4.0.11
-          ports:
-            - containerPort: 8989
-          env:
-            - name: PUID
-              value: "1000"
-            - name: PGID
-              value: "1000"
-            - name: TZ
-              value: "America/New_York"
-          resources:
-            requests:
-              cpu: 100m
-              memory: 256Mi
-            limits:
-              cpu: 500m
-              memory: 512Mi
-          volumeMounts:
-            - name: config
-              mountPath: /config
-            - name: media
-              mountPath: /media
-      volumes:
-        - name: config
-          persistentVolumeClaim:
-            claimName: sonarr-config
-        - name: media
-          persistentVolumeClaim:
-            claimName: media-data
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: sonarr-config
-  namespace: media
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: longhorn
-  resources:
-    requests:
-      storage: 5Gi
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: sonarr
-  namespace: media
-  labels:
-    app: sonarr
-spec:
-  type: ClusterIP
-  ports:
-    - port: 8989
-      targetPort: 8989
-      protocol: TCP
-  selector:
-    app: sonarr
@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: apps
-  labels:
-    name: apps
@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tailscale-operator
+  namespace: tailscale
+  labels:
+    app: tailscale-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: tailscale-operator
+  template:
+    metadata:
+      labels:
+        app: tailscale-operator
+    spec:
+      serviceAccountName: tailscale-operator
+      containers:
+      - name: operator
+        image: ghcr.io/tailscale/k8s-operator:v1.78.3
+        imagePullPolicy: IfNotPresent
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        - name: TS_CLIENT_ID_FILE
+          value: /etc/tailscale/oauth/client.id
+        - name: TS_CLIENT_SECRET_FILE
+          value: /etc/tailscale/oauth/client.secret
+        volumeMounts:
+        - name: oauth-secret
+          mountPath: /etc/tailscale/oauth
+          readOnly: true
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      volumes:
+      - name: oauth-secret
+        secret:
+          secretName: tailscale-operator-secret
+          items:
+          - key: client.id
+            path: client.id
+          - key: client.secret
+            path: client.secret
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tailscale
+  labels:
+    app.kubernetes.io/name: tailscale-operator
+    app.kubernetes.io/part-of: infrastructure
+    management: gitops
+    managed-by: orion
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tailscale-operator
+  namespace: tailscale
+  labels:
+    app.kubernetes.io/name: tailscale-operator
+    app.kubernetes.io/part-of: infrastructure
+    management: gitops
+    managed-by: orion
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: tailscale-operator
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: tailscale-operator
+    spec:
+      serviceAccountName: tailscale-operator
+      containers:
+        - name: operator
+          image: ghcr.io/tailscale/k8s-operator:1.78.1
+          env:
+            - name: TS_AUTH_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: tailscale-auth
+                  key: TS_AUTH_KEY
+            - name: TS_USERSPACE
+              value: "true"
+          resources:
+            requests:
+              cpu: 50m
+              memory: 64Mi
+            limits:
+              cpu: 100m
+              memory: 128Mi
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: tailscale-auth
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: tailscale
@@ -19,19 +19,20 @@ spec:
      containers:
      - name: operator
        image: ghcr.io/tailscale/k8s-operator:v1.78.3
-        imagePullPolicy: IfNotPresent
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
+              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
+              apiVersion: v1
              fieldPath: metadata.namespace
-        - name: CLIENT_ID_FILE
+        - name: TS_CLIENT_ID_FILE
          value: /etc/tailscale/oauth/client-id
-        - name: CLIENT_SECRET_FILE
+        - name: TS_CLIENT_SECRET_FILE
          value: /etc/tailscale/oauth/client-secret
        volumeMounts:
        - name: oauth-secret
@@ -1,22 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: tailscale-operator-secret
-  namespace: tailscale
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: orion-vault
-    kind: ClusterSecretStore
-  target:
-    name: tailscale-operator-secret
-    creationPolicy: Owner
-  data:
-    - secretKey: client-id
-      remoteRef:
-        key: tailscale/operator
-        property: CLIENT_ID_FILE
-    - secretKey: client-secret
-      remoteRef:
-        key: tailscale/operator
-        property: CLIENT_SECRET_FILE
@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tailscale-operator
+  namespace: tailscale
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: tailscale-operator
+  template:
+    metadata:
+      labels:
+        app: tailscale-operator
+    spec:
+      containers:
+      - name: operator
+        image: ghcr.io/tailscale/k8s-operator:latest
+        env:
+        - name: TS_K8S_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: TS_K8S_SECRET
+          value: tailscale-operator-secret
+        - name: TS_CLIENT_ID_FILE
+          value: /etc/tailscale/oauth/client-id
+        - name: TS_CLIENT_SECRET_FILE
+          value: /etc/tailscale/oauth/client-secret
+        volumeMounts:
+        - name: oauth-secret
+          mountPath: /etc/tailscale/oauth
+          readOnly: true
+      volumes:
+      - name: oauth-secret
+        secret:
+          secretName: tailscale-operator-secret