From a2c7345e43d8ccb0510b7a0ee504a4ede71372b5 Mon Sep 17 00:00:00 2001
From: gitea-admin <admin@local>
Date: Sun, 17 May 2026 01:01:51 +0000
Subject: [PATCH] feat: migrate tailscale-operator to OAuth auth mode

---
 .../tailscale-operator/deployment.yaml        | 61 +++++++++++--------
 1 file changed, 37 insertions(+), 24 deletions(-)

diff --git a/deployments/tailscale-operator/deployment.yaml b/deployments/tailscale-operator/deployment.yaml
index ac342eb..b1dcc33 100644
--- a/deployments/tailscale-operator/deployment.yaml
+++ b/deployments/tailscale-operator/deployment.yaml
@@ -1,10 +1,10 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: tailscale-operator
-  namespace: tailscale
   labels:
     app: tailscale-operator
+  name: tailscale-operator
+  namespace: tailscale
 spec:
   replicas: 1
   selector:
@@ -17,26 +17,39 @@ spec:
     spec:
       serviceAccountName: tailscale-operator
       containers:
-      - name: operator
-        image: ghcr.io/tailscale/k8s-operator:v1.78.3
-        env:
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: TS_CLIENT_ID_FILE
-          value: /etc/tailscale/oauth/client-id
-        - name: TS_CLIENT_SECRET_FILE
-          value: /etc/tailscale/oauth/client-secret
-        volumeMounts:
-        - name: oauth-secret
-          mountPath: /etc/tailscale/oauth
-          readOnly: true
+        - name: operator
+          image: ghcr.io/tailscale/k8s-operator:v1.78.3
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+            - name: TS_CLIENT_ID_FILE
+              value: /etc/tailscale/oauth/client-id
+            - name: TS_CLIENT_SECRET_FILE
+              value: /etc/tailscale/oauth/client-secret
+          volumeMounts:
+            - name: oauth-secret
+              mountPath: /etc/tailscale/oauth
+              readOnly: true
+          resources: {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
       volumes:
-      - name: oauth-secret
-        secret:
-          secretName: tailscale-operator-secret
+        - name: oauth-secret
+          secret:
+            secretName: tailscale-operator-secret
+            defaultMode: 0600
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30
+      schedulerName: default
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
\ No newline at end of file
-- 
2.52.0