From 73a933a41af1f7998e44a7757aa88f8a8c73cfc3 Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Fri, 15 May 2026 01:07:01 +0000
Subject: [PATCH 01/16] feat: deploy Tailscale Operator for tailnet management
---
 tailscale/namespace.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tailscale/namespace.yaml b/tailscale/namespace.yaml
index 521e2db..10c4655 100644
--- a/tailscale/namespace.yaml
+++ b/tailscale/namespace.yaml
@@ -4,4 +4,4 @@ metadata:
   name: tailscale
   labels:
     app.kubernetes.io/name: tailscale
-    app.kubernetes.io/component: operator
+    app.kubernetes.io/part-of: tailscale-operator
\ No newline at end of file
--
2.52.0
From f925eae344a6754fe20d7839d8aba97307d31c2f Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Fri, 15 May 2026 01:07:01 +0000
Subject: [PATCH 02/16] feat: deploy Tailscale Operator for tailnet management
---
 tailscale/operator-rbac.yaml | 39 ++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 tailscale/operator-rbac.yaml
diff --git a/tailscale/operator-rbac.yaml b/tailscale/operator-rbac.yaml
new file mode 100644
index 0000000..f8f031f
--- /dev/null
+++ b/tailscale/operator-rbac.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tailscale-operator
+  namespace: tailscale
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tailscale-operator
+rules:
+- apiGroups: [""]
+  resources: ["secrets", "configmaps"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch", "patch", "list"]
+- apiGroups: [""]
+  resources: ["pods", "services"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch", "patch", "list"]
+- apiGroups: ["apps"]
+  resources: ["deployments", "daemonsets"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch", "patch", "list"]
+- apiGroups: ["operator.tailscale.com"]
+  resources: ["*"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch", "patch", "list"]
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tailscale-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: tailscale-operator
+subjects:
+- kind: ServiceAccount
+  name: tailscale-operator
+  namespace: tailscale
\ No newline at end of file
--
2.52.0
From 63f92ade2855337c267670393b44aa8427fba317 Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Fri, 15 May 2026 01:07:01 +0000
Subject: [PATCH 03/16] feat: deploy Tailscale Operator for tailnet management
---
 tailscale/operator-deployment.yaml | 67 ++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 tailscale/operator-deployment.yaml
diff --git a/tailscale/operator-deployment.yaml b/tailscale/operator-deployment.yaml
new file mode 100644
index 0000000..638380e
--- /dev/null
+++ b/tailscale/operator-deployment.yaml
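Review bot: The verb lists on the first four ClusterRole rules repeat `patch` and `list` (`..., "watch", "patch", "list"]`), which the API server tolerates but which suggests the lists were pasted rather than reviewed; dedupe them to `verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]` as the leases rule already does. The first rule grants create/delete/list/watch on `secrets` in every namespace, the broadest permission in this series; if the operator only needs its own state secrets, a namespaced Role in `tailscale` could hold that and the ClusterRole be kept for what must be cluster-wide, but confirm against the upstream operator manifests before narrowing. The CRD rule uses apiGroup `operator.tailscale.com` whereas the removed tailscale/rbac.yaml (patch 15) used `tailscale.com`; a wrong group grants nothing and fails silently, so verify which group the installed CRDs declare. Patch 07 recreates this file verbatim as deployments/tailscale/operator/rbac.yaml and carries the same points.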
@@ -0,0 +1,67 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tailscale-operator
+  namespace: tailscale
+  labels:
+    app.kubernetes.io/name: tailscale-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: tailscale-operator
+  template:
+    metadata:
+      labels:
+        app: tailscale-operator
+    spec:
+      serviceAccountName: tailscale-operator
+      containers:
+      - name: operator
+        image: ghcr.io/tailscale/kubernetes-operator:latest
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: TAILSCALE_API_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: tailscale-operator
+              key: client-id
+        - name: TAILSCALE_API_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: tailscale-operator
+              key: client-secret
+        - name: TAILSCALE_AUTH_KEY
+          valueFrom:
+            secretKeyRef:
+              name: tailscale-operator
+              key: auth-key
+        ports:
+        - name: http
+          containerPort: 8080
+        resources:
+          requests:
+            cpu: 100m
+            memory: 128Mi
+          limits:
+            cpu: 250m
+            memory: 256Mi
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 10
+          periodSeconds: 30
\ No newline at end of file
--
2.52.0
From 9691ba28275e525f4f561a2a2a4681f1934c9280 Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Fri, 15 May 2026 01:50:07 +0000
Subject: [PATCH 04/16] fix: correct ExternalSecret path, name, and key to match deployment
---
 tailscale/external-secrets/tailscale-auth.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tailscale/external-secrets/tailscale-auth.yaml b/tailscale/external-secrets/tailscale-auth.yaml
index 918080f..85491a1 100644
--- a/tailscale/external-secrets/tailscale-auth.yaml
+++ b/tailscale/external-secrets/tailscale-auth.yaml
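Review bot: `image: ghcr.io/tailscale/kubernetes-operator:latest` is a mutable tag, so each pod restart may pull a different operator build with no record of what is running and no way to roll back deliberately; pin a released version tag and preferably a digest. The container also sets no `securityContext`, and a workload whose ServiceAccount holds cluster-wide secret permissions should run non-root with privilege escalation disabled and capabilities dropped — whether the image tolerates a read-only root filesystem is not shown here, so check its documentation before enabling that part. The readiness and liveness probes assume the operator serves `/healthz` on port 8080; nothing in the series establishes that endpoint, and a wrong probe path keeps the pod permanently unready. The same image line and missing securityContext recur in patch 06's deployments/tailscale/operator/deployment.yaml.
```yaml
      - name: operator
        # placeholder: replace with a released tag and its digest
        image: ghcr.io/tailscale/kubernetes-operator:<pinned-tag>@sha256:<digest>
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true  # confirm the image writes nothing to its root fs
          capabilities:
            drop: ["ALL"]
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: env, ports, resources, readinessProbe, livenessProbe …
```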
@@ -1,7 +1,7 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: tailscale-auth
+  name: tailscale-operator
   namespace: tailscale
 spec:
   refreshInterval: 1h
@@ -9,10 +9,10 @@ spec:
     name: orion-vault
     kind: ClusterSecretStore
   target:
-    name: tailscale-auth
+    name: tailscale-operator
     creationPolicy: Owner
   data:
-  - secretKey: TS_AUTH_KEY
+  - secretKey: auth-key
     remoteRef:
-      key: secret/tailscale
+      key: secret/Talos Cluster/tailscale
       property: TS_AUTH_KEY
--
2.52.0
From cca85815d2655bf6594433d0e3cc2a5ab84eb3f1 Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Fri, 15 May 2026 01:50:17 +0000
Subject: [PATCH 05/16] fix: remove non-existent OAuth credential refs, auth key only
---
 tailscale/operator-deployment.yaml | 12 +----------
 1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/tailscale/operator-deployment.yaml b/tailscale/operator-deployment.yaml
index 638380e..af736d5 100644
--- a/tailscale/operator-deployment.yaml
+++ b/tailscale/operator-deployment.yaml
@@ -28,16 +28,6 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        - name: TAILSCALE_API_CLIENT_ID
-          valueFrom:
-            secretKeyRef:
-              name: tailscale-operator
-              key: client-id
-        - name: TAILSCALE_API_CLIENT_SECRET
-          valueFrom:
-            secretKeyRef:
-              name: tailscale-operator
-              key: client-secret
         - name: TAILSCALE_AUTH_KEY
           valueFrom:
             secretKeyRef:
@@ -64,4 +54,4 @@ spec:
             path: /healthz
             port: 8080
           initialDelaySeconds: 10
-          periodSeconds: 30
\ No newline at end of file
+          periodSeconds: 30
--
2.52.0
From 8ab62024adbb94e3c9bbb84e2d3f71ca8485f225 Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Fri, 15 May 2026 02:00:48 +0000
Subject: [PATCH 06/16] fix: relocate operator manifests to deployments/tailscale/operator/
---
 .../tailscale/operator/deployment.yaml | 32 ++++++++++++++++---
 1 file changed, 27 insertions(+), 5 deletions(-)
diff --git a/deployments/tailscale/operator/deployment.yaml b/deployments/tailscale/operator/deployment.yaml
index e3fc711..af736d5 100644
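Review bot: `key: secret/Talos Cluster/tailscale` in the second hunk is a plain scalar with an embedded space; it parses as intended, but a path containing whitespace is easy to mis-edit and some reformatters will not leave it alone, so quote it: `key: 'secret/Talos Cluster/tailscale'`. The two names in that block intentionally differ and deserve a comment, e.g. `# property is the field inside the Vault entry; secretKey is the key the Deployment's secretKeyRef reads` above `- secretKey: auth-key`, since the Deployment in patch 05 references `key: auth-key` and a later rename on either side breaks the operator silently. Patch 08 recreates this file unchanged as deployments/tailscale/external-secrets/tailscale-auth.yaml and has the same two points.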
--- a/deployments/tailscale/operator/deployment.yaml
+++ b/deployments/tailscale/operator/deployment.yaml
@@ -4,7 +4,7 @@ metadata:
   name: tailscale-operator
   namespace: tailscale
   labels:
-    app: tailscale-operator
+    app.kubernetes.io/name: tailscale-operator
 spec:
   replicas: 1
   selector:
@@ -18,7 +18,7 @@ spec:
       serviceAccountName: tailscale-operator
       containers:
       - name: operator
-        image: ghcr.io/tailscale/k8s-operator:v1.78.3
+        image: ghcr.io/tailscale/kubernetes-operator:latest
         env:
         - name: POD_NAME
           valueFrom:
@@ -28,8 +28,30 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        - name: TS_AUTH_KEY
+        - name: TAILSCALE_AUTH_KEY
           valueFrom:
             secretKeyRef:
-              name: tailscale-auth
-              key: TS_AUTH_KEY
\ No newline at end of file
+              name: tailscale-operator
+              key: auth-key
+        ports:
+        - name: http
+          containerPort: 8080
+        resources:
+          requests:
+            cpu: 100m
+            memory: 128Mi
+          limits:
+            cpu: 250m
+            memory: 256Mi
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 10
+          periodSeconds: 30
--
2.52.0
From 36b95768e9cb62b999fa8874cd67b527e9d948c5 Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Fri, 15 May 2026 02:00:49 +0000
Subject: [PATCH 07/16] fix: relocate operator manifests to deployments/tailscale/operator/
---
 deployments/tailscale/operator/rbac.yaml | 39 ++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 deployments/tailscale/operator/rbac.yaml
diff --git a/deployments/tailscale/operator/rbac.yaml b/deployments/tailscale/operator/rbac.yaml
new file mode 100644
index 0000000..6b913d3
--- /dev/null
+++ b/deployments/tailscale/operator/rbac.yaml
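Review bot: The third hunk renames the credential variable from `TS_AUTH_KEY` to `TAILSCALE_AUTH_KEY`, and nothing in the series shows which name the `kubernetes-operator` image actually reads; if it is wrong the operator starts without credentials and the only symptom is in its logs. Confirm the variable name against the image's documentation and record the source above the entry, e.g. `# env name per operator docs for <version> — placeholder, cite the actual reference`. The second hunk replaces a pinned image (`k8s-operator:v1.78.3`) with a different repository name on a `latest` tag in one step, so the repository rename and the loss of pinning should each be justified in the commit message or a comment; the pinning point is covered in the note on patch 03. The enclosing container spec starts before the first hunk.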
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tailscale-operator
+  namespace: tailscale
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tailscale-operator
+rules:
+- apiGroups: [""]
+  resources: ["secrets", "configmaps"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch", "patch", "list"]
+- apiGroups: [""]
+  resources: ["pods", "services"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch", "patch", "list"]
+- apiGroups: ["apps"]
+  resources: ["deployments", "daemonsets"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch", "patch", "list"]
+- apiGroups: ["operator.tailscale.com"]
+  resources: ["*"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch", "patch", "list"]
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tailscale-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: tailscale-operator
+subjects:
+- kind: ServiceAccount
+  name: tailscale-operator
+  namespace: tailscale
--
2.52.0
From 711be643ffce4dd5356b5966d8f0ba992fd8dd0e Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Fri, 15 May 2026 02:00:49 +0000
Subject: [PATCH 08/16] fix: relocate operator manifests to deployments/tailscale/operator/
---
 .../external-secrets/tailscale-auth.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 deployments/tailscale/external-secrets/tailscale-auth.yaml
diff --git a/deployments/tailscale/external-secrets/tailscale-auth.yaml b/deployments/tailscale/external-secrets/tailscale-auth.yaml
new file mode 100644
index 0000000..85491a1
--- /dev/null
+++ b/deployments/tailscale/external-secrets/tailscale-auth.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: tailscale-operator
+  namespace: tailscale
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: orion-vault
+    kind: ClusterSecretStore
+  target:
+    name: tailscale-operator
+    creationPolicy: Owner
+  data:
+  - secretKey: auth-key
+    remoteRef:
+      key: secret/Talos Cluster/tailscale
+      property: TS_AUTH_KEY
--
2.52.0
From 751b4c80f213416b0a2895d4d06dc7e3e2657f08 Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Fri, 15 May 2026 02:01:06 +0000
Subject: [PATCH 09/16] chore: remove files from wrong root tailscale/ dir
---
 tailscale/namespace.yaml | 7 -------
 1 file changed, 7 deletions(-)
 delete mode 100644 tailscale/namespace.yaml
diff --git a/tailscale/namespace.yaml b/tailscale/namespace.yaml
deleted file mode 100644
index 10c4655..0000000
--- a/tailscale/namespace.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: tailscale
-  labels:
-    app.kubernetes.io/name: tailscale
-    app.kubernetes.io/part-of: tailscale-operator
\ No newline at end of file
--
2.52.0
From a90d4fbd4d694876ec4793686f17b0d76a747802 Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Fri, 15 May 2026 02:01:06 +0000
Subject: [PATCH 10/16] chore: remove files from wrong root tailscale/ dir
---
 tailscale/operator-deployment.yaml | 57 ------------------------------
 1 file changed, 57 deletions(-)
 delete mode 100644 tailscale/operator-deployment.yaml
diff --git a/tailscale/operator-deployment.yaml b/tailscale/operator-deployment.yaml
deleted file mode 100644
index af736d5..0000000
--- a/tailscale/operator-deployment.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: tailscale-operator
-  namespace: tailscale
-  labels:
-    app.kubernetes.io/name: tailscale-operator
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: tailscale-operator
-  template:
-    metadata:
-      labels:
-        app: tailscale-operator
-    spec:
-      serviceAccountName: tailscale-operator
-      containers:
-      - name: operator
-        image: ghcr.io/tailscale/kubernetes-operator:latest
-        env:
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: TAILSCALE_AUTH_KEY
-          valueFrom:
-            secretKeyRef:
-              name: tailscale-operator
-              key: auth-key
-        ports:
-        - name: http
-          containerPort: 8080
-        resources:
-          requests:
-            cpu: 100m
-            memory: 128Mi
-          limits:
-            cpu: 250m
-            memory: 256Mi
-        readinessProbe:
-          httpGet:
-            path: /healthz
-            port: 8080
-          initialDelaySeconds: 5
-          periodSeconds: 10
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: 8080
-          initialDelaySeconds: 10
-          periodSeconds: 30
--
2.52.0
From 5383783db111df5b43fd88da7b7e7b20f9d38fe1 Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Fri, 15 May 2026 02:01:07 +0000
Subject: [PATCH 11/16] chore: remove files from wrong root tailscale/ dir
---
 tailscale/operator-rbac.yaml | 39 ------------------------------------
 1 file changed, 39 deletions(-)
 delete mode 100644 tailscale/operator-rbac.yaml
diff --git a/tailscale/operator-rbac.yaml b/tailscale/operator-rbac.yaml
deleted file mode 100644
index f8f031f..0000000
--- a/tailscale/operator-rbac.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: tailscale-operator
-  namespace: tailscale
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: tailscale-operator
-rules:
-- apiGroups: [""]
-  resources: ["secrets", "configmaps"]
-  verbs: ["create", "delete", "get", "list", "patch", "update", "watch", "patch", "list"]
-- apiGroups: [""]
-  resources: ["pods", "services"]
-  verbs: ["create", "delete", "get", "list", "patch", "update", "watch", "patch", "list"]
-- apiGroups: ["apps"]
-  resources: ["deployments", "daemonsets"]
-  verbs: ["create", "delete", "get", "list", "patch", "update", "watch", "patch", "list"]
-- apiGroups: ["operator.tailscale.com"]
-  resources: ["*"]
-  verbs: ["create", "delete", "get", "list", "patch", "update", "watch", "patch", "list"]
-- apiGroups: ["coordination.k8s.io"]
-  resources: ["leases"]
-  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: tailscale-operator
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: tailscale-operator
-subjects:
-- kind: ServiceAccount
-  name: tailscale-operator
-  namespace: tailscale
\ No newline at end of file
--
2.52.0
From 8a5d4d761e2d42eed16a3a915844925ccc8757ec Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Fri, 15 May 2026 02:01:07 +0000
Subject: [PATCH 12/16] chore: remove files from wrong root tailscale/ dir
---
 tailscale/auth-secret.yaml | 12 ------------
 1 file changed, 12 deletions(-)
 delete mode 100644 tailscale/auth-secret.yaml
diff --git a/tailscale/auth-secret.yaml b/tailscale/auth-secret.yaml
deleted file mode 100644
index b8302e5..0000000
--- a/tailscale/auth-secret.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: tailscale-operator-secret
-  namespace: tailscale
-  labels:
-    app.kubernetes.io/name: tailscale
-    app.kubernetes.io/component: operator
-type: Opaque
-data:
-  # TODO: Fill in the Tailscale auth key (base64 encoded)
-  authkey: PLACEHOLDER
--
2.52.0
From 534c11dfa2b6382feb611da962f9f37134edd91b Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Fri, 15 May 2026 02:01:08 +0000
Subject: [PATCH 13/16] chore: remove files from wrong root tailscale/ dir
---
 tailscale/deployment.yaml | 35 -----------------------------------
 1 file changed, 35 deletions(-)
 delete mode 100644 tailscale/deployment.yaml
diff --git a/tailscale/deployment.yaml b/tailscale/deployment.yaml
deleted file mode 100644
index 3e62399..0000000
--- a/tailscale/deployment.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: tailscale-operator
-  namespace: tailscale
-  labels:
-    app: tailscale-operator
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: tailscale-operator
-  template:
-    metadata:
-      labels:
-        app: tailscale-operator
-    spec:
-      serviceAccountName: tailscale-operator
-      containers:
-      - name: operator
-        image: ghcr.io/tailscale/k8s-operator:v1.78.3
-        env:
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: TS_AUTH_KEY
-          valueFrom:
-            secretKeyRef:
-              key: TS_AUTH_KEY
-              name: tailscale-auth
--
2.52.0
From 74b96640784a5f54cada0b5178c202007fa477bf Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Fri, 15 May 2026 02:01:08 +0000
Subject: [PATCH 14/16] chore: remove files from wrong root tailscale/ dir
---
 tailscale/external-secrets/tailscale-auth.yaml | 18 ------------------
 1 file changed, 18 deletions(-)
 delete mode 100644 tailscale/external-secrets/tailscale-auth.yaml
diff --git a/tailscale/external-secrets/tailscale-auth.yaml b/tailscale/external-secrets/tailscale-auth.yaml
deleted file mode 100644
index 85491a1..0000000
--- a/tailscale/external-secrets/tailscale-auth.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: tailscale-operator
-  namespace: tailscale
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: orion-vault
-    kind: ClusterSecretStore
-  target:
-    name: tailscale-operator
-    creationPolicy: Owner
-  data:
-  - secretKey: auth-key
-    remoteRef:
-      key: secret/Talos Cluster/tailscale
-      property: TS_AUTH_KEY
--
2.52.0
From 8ee3ca36c5a370b71104b42de9b6d0e6fd13ad0b Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Fri, 15 May 2026 02:01:09 +0000
Subject: [PATCH 15/16] chore: remove files from wrong root tailscale/ dir
---
 tailscale/rbac.yaml | 48 ---------------------------------------------
 1 file changed, 48 deletions(-)
 delete mode 100644 tailscale/rbac.yaml
diff --git a/tailscale/rbac.yaml b/tailscale/rbac.yaml
deleted file mode 100644
index 8712bbd..0000000
--- a/tailscale/rbac.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: tailscale-operator
-  namespace: tailscale
-  labels:
-    app.kubernetes.io/name: tailscale
-    app.kubernetes.io/component: operator
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: tailscale-operator
-  labels:
-    app.kubernetes.io/name: tailscale
-    app.kubernetes.io/component: operator
-rules:
-- apiGroups: ['']
-  resources: ['secrets', 'services', 'endpoints']
-  verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
-- apiGroups: ['']
-  resources: ['nodes']
-  verbs: ['get', 'list', 'update', 'patch']
-- apiGroups: ['apps']
-  resources: ['daemonsets']
-  verbs: ['get', 'list', 'watch']
-- apiGroups: ['tailscale.com']
-  resources: ['*']
-  verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
-- apiGroups: ['coordination.k8s.io']
-  resources: ['leases']
-  verbs: ['get', 'create', 'update']
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: tailscale-operator
-  labels:
-    app.kubernetes.io/name: tailscale
-    app.kubernetes.io/component: operator
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: tailscale-operator
-subjects:
-- kind: ServiceAccount
-  name: tailscale-operator
-  namespace: tailscale
--
2.52.0
From 91b3ec7be4481033c90cfb35115f951cb61dc61d Mon Sep 17 00:00:00 2001
From: gitea-admin
Date: Fri, 15 May 2026 02:01:09 +0000
Subject: [PATCH 16/16] chore: remove files from wrong root tailscale/ dir
---
 tailscale/service.yaml | 18 ------------------
 1 file changed, 18 deletions(-)
 delete mode 100644 tailscale/service.yaml
diff --git a/tailscale/service.yaml b/tailscale/service.yaml
deleted file mode 100644
index d31be8f..0000000
--- a/tailscale/service.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: tailscale-operator
-  namespace: tailscale
-  labels:
-    app.kubernetes.io/name: tailscale
-    app.kubernetes.io/component: operator
-spec:
-  type: ClusterIP
-  ports:
-  - name: metrics
-    port: 8080
-    targetPort: 8080
-    protocol: TCP
-  selector:
-    app.kubernetes.io/name: tailscale
-    app.kubernetes.io/component: operator
--
2.52.0