diff --git a/tailscale/external-secrets/tailscale-auth.yaml b/deployments/tailscale/external-secrets/tailscale-auth.yaml
similarity index 69%
rename from tailscale/external-secrets/tailscale-auth.yaml
rename to deployments/tailscale/external-secrets/tailscale-auth.yaml
index 918080f..85491a1 100644
--- a/tailscale/external-secrets/tailscale-auth.yaml
+++ b/deployments/tailscale/external-secrets/tailscale-auth.yaml
@@ -1,7 +1,7 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
- name: tailscale-auth
+ name: tailscale-operator
 namespace: tailscale
 spec:
 refreshInterval: 1h
@@ -9,10 +9,10 @@ spec:
 name: orion-vault
 kind: ClusterSecretStore
 target:
- name: tailscale-auth
+ name: tailscale-operator
 creationPolicy: Owner
 data:
- - secretKey: TS_AUTH_KEY
+ - secretKey: auth-key
 remoteRef:
- key: secret/tailscale
+ key: secret/Talos Cluster/tailscale
 property: TS_AUTH_KEY
diff --git a/deployments/tailscale/operator/deployment.yaml b/deployments/tailscale/operator/deployment.yaml
index e3fc711..af736d5 100644
--- a/deployments/tailscale/operator/deployment.yaml
+++ b/deployments/tailscale/operator/deployment.yaml
@@ -4,7 +4,7 @@ metadata:
 name: tailscale-operator
 namespace: tailscale
 labels:
- app: tailscale-operator
+ app.kubernetes.io/name: tailscale-operator
 spec:
 replicas: 1
 selector:
@@ -18,7 +18,7 @@ spec:
 serviceAccountName: tailscale-operator
 containers:
 - name: operator
- image: ghcr.io/tailscale/k8s-operator:v1.78.3
+ image: ghcr.io/tailscale/kubernetes-operator:latest
 env:
 - name: POD_NAME
 valueFrom:
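Review bot: `key: secret/Talos Cluster/tailscale` is a plain scalar containing a space; it parses as intended today, but a future `#` or `: ` in the path would silently change its meaning, so quote it: `key: 'secret/Talos Cluster/tailscale'`. The renamed target `tailscale-operator` with `secretKey: auth-key` does match the `secretKeyRef` in the new deployment, so the two files stay consistent.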
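Review bot: The `app.kubernetes.io/name` rename is applied only to `metadata.labels`, while `spec.selector.matchLabels` and the pod template labels (lines 11–16, outside this hunk and not touched by the diff) presumably still carry `app: tailscale-operator`, as the deleted `tailscale/deployment.yaml` shows for the old layout. That is valid, but it leaves the Deployment labelled one way and selecting its pods another, so anything keyed on the new label (a Service, NetworkPolicy or PodMonitor) will not match the operator pod. Either apply the rename to all three label sites or keep `app:` everywhere.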
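Review bot: The image moves from the pinned `ghcr.io/tailscale/k8s-operator:v1.78.3` to the floating `ghcr.io/tailscale/kubernetes-operator:latest`, so any pod restart or node pull can silently roll the operator forward and the deployment is no longer reproducible or auditable. Pin a release tag, and ideally a digest, e.g. `image: ghcr.io/tailscale/k8s-operator:<version>@sha256:<digest>` (placeholders). The repository name also changes from `k8s-operator` to `kubernetes-operator`; nothing in the diff confirms the new name exists, so check that it pulls before merging.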
@@ -28,8 +28,30 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
- - name: TS_AUTH_KEY
+ - name: TAILSCALE_AUTH_KEY
 valueFrom:
 secretKeyRef:
- name: tailscale-auth
- key: TS_AUTH_KEY
\ No newline at end of file
+ name: tailscale-operator
+ key: auth-key
+ ports:
+ - name: http
+ containerPort: 8080
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 250m
+ memory: 256Mi
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ initialDelaySeconds: 10
+ periodSeconds: 30
diff --git a/deployments/tailscale/operator/rbac.yaml b/deployments/tailscale/operator/rbac.yaml
new file mode 100644
index 0000000..6b913d3
--- /dev/null
+++ b/deployments/tailscale/operator/rbac.yaml
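Review bot: The new probes assume the operator serves `/healthz` on port 8080; nothing in the diff establishes that, and the deleted `tailscale/service.yaml` only ever exposed 8080 as `metrics`. If the container does not answer there, the readiness probe keeps the pod unready and the liveness probe restarts it repeatedly once `initialDelaySeconds` passes, so confirm the path and port against the image's documentation before merging. The env var rename from `TS_AUTH_KEY` to `TAILSCALE_AUTH_KEY` likewise has to match whatever the operator actually reads, since a mismatched name only fails at runtime. Separately, `tailscale/namespace.yaml` is deleted later in this diff and no replacement Namespace manifest is added, yet every new resource still targets `namespace: tailscale`.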
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tailscale-operator
+ namespace: tailscale
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tailscale-operator
+rules:
+- apiGroups: [""]
+ resources: ["secrets", "configmaps"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch", "patch", "list"]
+- apiGroups: [""]
+ resources: ["pods", "services"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch", "patch", "list"]
+- apiGroups: ["apps"]
+ resources: ["deployments", "daemonsets"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch", "patch", "list"]
+- apiGroups: ["operator.tailscale.com"]
+ resources: ["*"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch", "patch", "list"]
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tailscale-operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tailscale-operator
+subjects:
+- kind: ServiceAccount
+ name: tailscale-operator
+ namespace: tailscale
diff --git a/tailscale/auth-secret.yaml b/tailscale/auth-secret.yaml
deleted file mode 100644
index b8302e5..0000000
--- a/tailscale/auth-secret.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: tailscale-operator-secret
- namespace: tailscale
- labels:
- app.kubernetes.io/name: tailscale
- app.kubernetes.io/component: operator
-type: Opaque
-data:
- # TODO: Fill in the Tailscale auth key (base64 encoded)
- authkey: PLACEHOLDER
diff --git a/tailscale/deployment.yaml b/tailscale/deployment.yaml
deleted file mode 100644
index 3e62399..0000000
--- a/tailscale/deployment.yaml
+++ /dev/null
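Review bot: The rule for `apiGroups: ["operator.tailscale.com"]` grants every verb on `resources: ["*"]`, but the Tailscale custom resources I know of (Connector, ProxyClass, DNSConfig) live in the `tailscale.com` group, which is what the deleted `tailscale/rbac.yaml` used; if that is still the group here, the operator loses access to its own CRs while the wildcard grants nothing. This ClusterRole also gives cluster-wide create/delete/get/list/watch on `secrets` and `configmaps`, plus `pods`, `services`, `deployments` and `daemonsets`, a large step up from the deleted role; cluster-wide read of every Secret is effectively access to every credential in the cluster, so keep secret access namespaced with a Role/RoleBinding where the operator allows it (I believe the upstream manifests do, but verify) and trim the ClusterRole to what it actually reconciles. Every verbs list except the `leases` one repeats `"patch"` and `"list"`; drop the duplicates, e.g. `verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]`.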
@@ -1,35 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tailscale-operator
- namespace: tailscale
- labels:
- app: tailscale-operator
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tailscale-operator
- template:
- metadata:
- labels:
- app: tailscale-operator
- spec:
- serviceAccountName: tailscale-operator
- containers:
- - name: operator
- image: ghcr.io/tailscale/k8s-operator:v1.78.3
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: TS_AUTH_KEY
- valueFrom:
- secretKeyRef:
- key: TS_AUTH_KEY
- name: tailscale-auth
diff --git a/tailscale/namespace.yaml b/tailscale/namespace.yaml
deleted file mode 100644
index 521e2db..0000000
--- a/tailscale/namespace.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: tailscale
- labels:
- app.kubernetes.io/name: tailscale
- app.kubernetes.io/component: operator
diff --git a/tailscale/rbac.yaml b/tailscale/rbac.yaml
deleted file mode 100644
index 8712bbd..0000000
--- a/tailscale/rbac.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: tailscale-operator
- namespace: tailscale
- labels:
- app.kubernetes.io/name: tailscale
- app.kubernetes.io/component: operator
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: tailscale-operator
- labels:
- app.kubernetes.io/name: tailscale
- app.kubernetes.io/component: operator
-rules:
-- apiGroups: ['']
- resources: ['secrets', 'services', 'endpoints']
- verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
-- apiGroups: ['']
- resources: ['nodes']
- verbs: ['get', 'list', 'update', 'patch']
-- apiGroups: ['apps']
- resources: ['daemonsets']
- verbs: ['get', 'list', 'watch']
-- apiGroups: ['tailscale.com']
- resources: ['*']
- verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
-- apiGroups: ['coordination.k8s.io']
- resources: ['leases']
- verbs: ['get', 'create', 'update']
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: tailscale-operator
- labels:
- app.kubernetes.io/name: tailscale
- app.kubernetes.io/component: operator
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: tailscale-operator
-subjects:
-- kind: ServiceAccount
- name: tailscale-operator
- namespace: tailscale
diff --git a/tailscale/service.yaml b/tailscale/service.yaml
deleted file mode 100644
index d31be8f..0000000
--- a/tailscale/service.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: tailscale-operator
- namespace: tailscale
- labels:
- app.kubernetes.io/name: tailscale
- app.kubernetes.io/component: operator
-spec:
- type: ClusterIP
- ports:
- - name: metrics
- port: 8080
- targetPort: 8080
- protocol: TCP
- selector:
- app.kubernetes.io/name: tailscale
- app.kubernetes.io/component: operator