diff --git a/deployments/tailscale/external-secret.yaml b/deployments/tailscale/external-secret.yaml
deleted file mode 100644
index d6c9cef..0000000
--- a/deployments/tailscale/external-secret.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: tailscale-auth
-  namespace: tailscale
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: orion-vault
-    kind: ClusterSecretStore
-  target:
-    name: tailscale-auth
-    creationPolicy: Owner
-  data:
-    - secretKey: TS_AUTH_KEY
-      remoteRef:
-        key: Talos Cluster/tailscale
-        property: TS_AUTH_KEY
diff --git a/deployments/tailscale/namespace.yaml b/deployments/tailscale/namespace.yaml
index 9dc761e..7a8ddac 100644
--- a/deployments/tailscale/namespace.yaml
+++ b/deployments/tailscale/namespace.yaml
@@ -2,3 +2,5 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: tailscale
+  labels:
+    kubernetes.io/metadata.name: tailscale
\ No newline at end of file
diff --git a/deployments/tailscale/operator/clusterrole.yaml b/deployments/tailscale/operator/clusterrole.yaml
deleted file mode 100644
index a7782e3..0000000
--- a/deployments/tailscale/operator/clusterrole.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: tailscale-operator
-rules:
-  - apiGroups: [""]
-    resources: ["secrets", "configmaps", "services", "pods", "endpoints"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-  - apiGroups: ["apps"]
-    resources: ["deployments", "statefulsets", "daemonsets"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-  - apiGroups: ["networking.k8s.io"]
-    resources: ["ingresses"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-  - apiGroups: ["tailscale.com"]
-    resources: ["*"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
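Review bot: The `kubernetes.io/metadata.name` label added to the namespace is one the API server sets on every namespace itself, with the namespace name as its value, so the explicit entry is redundant; it is harmless as long as it equals `metadata.name`, which it does here, but a later rename of the namespace would have to update both places. The file also loses its trailing newline in this change (`\ No newline at end of file`), which yamllint flags; end the file with exactly one newline.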
diff --git a/deployments/tailscale/operator/deployment.yaml b/deployments/tailscale/operator/deployment.yaml
deleted file mode 100644
index 7e0d039..0000000
--- a/deployments/tailscale/operator/deployment.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: tailscale-operator
-  namespace: tailscale
-  labels:
-    app: tailscale-operator
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: tailscale-operator
-  template:
-    metadata:
-      labels:
-        app: tailscale-operator
-    spec:
-      serviceAccountName: tailscale-operator
-      containers:
-        - name: operator
-          image: ghcr.io/tailscale/k8s-operator:v1.78.3
-          imagePullPolicy: IfNotPresent
-          env:
-            - name: POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: CLIENT_ID_FILE
-              value: /etc/tailscale/oauth/client-id
-            - name: CLIENT_SECRET_FILE
-              value: /etc/tailscale/oauth/client-secret
-          volumeMounts:
-            - name: oauth-secret
-              mountPath: /etc/tailscale/oauth
-              readOnly: true
-      volumes:
-        - name: oauth-secret
-          secret:
-            secretName: tailscale-operator-secret
diff --git a/deployments/tailscale/operator/external-secret.yaml b/deployments/tailscale/operator/external-secret.yaml
deleted file mode 100644
index 2268e10..0000000
--- a/deployments/tailscale/operator/external-secret.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: tailscale-operator-secret
-  namespace: tailscale
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: orion-vault
-    kind: ClusterSecretStore
-  target:
-    name: tailscale-operator-secret
-    creationPolicy: Owner
-  data:
-    - secretKey: client-id
-      remoteRef:
-        key: tailscale/operator
-        property: CLIENT_ID_FILE
-    - secretKey: client-secret
-      remoteRef:
-        key: tailscale/operator
-        property: CLIENT_SECRET_FILE
diff --git a/deployments/tailscale/tailscale/clusterrole.yaml b/deployments/tailscale/tailscale/clusterrole.yaml
new file mode 100644
index 0000000..09094fc
--- /dev/null
+++ b/deployments/tailscale/tailscale/clusterrole.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tailscale-operator
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "services", "secrets", "configmaps"]
+    verbs: ["*"]
+  - apiGroups: ["apps"]
+    resources: ["deployments", "daemonsets", "statefulsets"]
+    verbs: ["*"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["networkpolicies", "ingresses"]
+    verbs: ["*"]
\ No newline at end of file
diff --git a/deployments/tailscale/operator/clusterrolebinding.yaml b/deployments/tailscale/tailscale/clusterrolebinding.yaml
similarity index 91%
rename from deployments/tailscale/operator/clusterrolebinding.yaml
rename to deployments/tailscale/tailscale/clusterrolebinding.yaml
index b2a8476..a0919a4 100644
--- a/deployments/tailscale/operator/clusterrolebinding.yaml
+++ b/deployments/tailscale/tailscale/clusterrolebinding.yaml
@@ -9,4 +9,4 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: tailscale-operator
-    namespace: tailscale
+    namespace: tailscale
\ No newline at end of file
diff --git a/deployments/tailscale/tailscale/deployment.yaml b/deployments/tailscale/tailscale/deployment.yaml
new file mode 100644
index 0000000..a9bad8f
--- /dev/null
+++ b/deployments/tailscale/tailscale/deployment.yaml
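Review bot: `verbs: ["*"]` on core `secrets`, `pods`, `services` and `configmaps` (and on the `apps` and `networking.k8s.io` rules below it) grants every current and future verb cluster-wide, which is broader than the removed `operator/clusterrole.yaml` that enumerated them; restore the explicit list, `verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`, on each rule so a compromised operator pod is bounded to what it actually needs. The `tailscale.com` API group that the removed role granted is absent from this role, so if the deployed operator reconciles its own custom resources it will lack permission to do so — confirm against the image actually used. `networkpolicies` is new in this role and also gets the wildcard; if the operator only needs to observe them, limit that rule to `get`, `list`, `watch`. The file also ends without a trailing newline.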
@@ -0,0 +1,31 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tailscale-operator
+  namespace: tailscale
+  labels:
+    app: tailscale-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: tailscale-operator
+  template:
+    metadata:
+      labels:
+        app: tailscale-operator
+    spec:
+      serviceAccountName: tailscale-operator
+      containers:
+        - name: operator
+          image: ghcr.io/tailscale/operator:v1.70.0
+          env:
+            - name: DEPLOY_TYPE
+              value: k8s
+          volumeMounts:
+            - name: config
+              mountPath: /config
+      volumes:
+        - name: config
+          secret:
+            secretName: tailscale-operator-config
\ No newline at end of file
diff --git a/deployments/tailscale/tailscale/external-secret.yaml b/deployments/tailscale/tailscale/external-secret.yaml
new file mode 100644
index 0000000..a594918
--- /dev/null
+++ b/deployments/tailscale/tailscale/external-secret.yaml
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: tailscale-operator
+  namespace: tailscale
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: vault
+    kind: SecretStore
+  target:
+    name: tailscale-operator
+    template:
+      engineVersion: v2
+      data:
+        TS_AUTHKEY: "{{ .TS_AUTHKEY }}"
+  data:
+    - secretKey: TS_AUTHKEY
+      remoteRef:
+        key: secret/data/kubernetes/tailscale-operator
+        property: TS_AUTHKEY
\ No newline at end of file
diff --git a/deployments/tailscale/operator/serviceaccount.yaml b/deployments/tailscale/tailscale/serviceaccount.yaml
similarity index 54%
rename from deployments/tailscale/operator/serviceaccount.yaml
rename to deployments/tailscale/tailscale/serviceaccount.yaml
index 0798ebd..d272e5d 100644
--- a/deployments/tailscale/operator/serviceaccount.yaml
+++ b/deployments/tailscale/tailscale/serviceaccount.yaml
@@ -2,6 +2,4 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: tailscale-operator
-  namespace: tailscale
-  labels:
-    app: tailscale-operator
+  namespace: tailscale
\ No newline at end of file
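Review bot: The pod mounts `secretName: tailscale-operator-config`, but the ExternalSecret added in the same commit (`tailscale/external-secret.yaml`) targets a Secret named `tailscale-operator`; unless that `-config` Secret is created somewhere outside this diff, the volume never resolves and the pod stays in ContainerCreating — change the line to `secretName: tailscale-operator` or align the ExternalSecret target with it. The image moves from `ghcr.io/tailscale/k8s-operator:v1.78.3` in the removed deployment to `ghcr.io/tailscale/operator:v1.70.0`, a different repository name and an older tag; confirm that path exists and that the downgrade is intended. The `readOnly: true` the removed manifest put on its secret mount is gone here; add it back under the `config` volumeMount so the credential file cannot be altered from inside the container. Whether this image reads an auth key from `/config` and honours `DEPLOY_TYPE` is not visible from the diff and should be checked against the image's documentation before merging.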
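Review bot: `apiVersion: external-secrets.io/v1beta1` is older than the `external-secrets.io/v1` the removed manifests used, and `secretStoreRef` now points at a namespaced `SecretStore` named `vault` instead of the `ClusterSecretStore` `orion-vault`; neither a `SecretStore` in the `tailscale` namespace nor the installed ESO version is shown in this diff, so confirm both or the ExternalSecret will sit in an error state and no Secret will be created. The `target.template` block reproduces what the default behaviour already yields — a Secret key `TS_AUTHKEY` holding the fetched `TS_AUTHKEY` property — so it can be dropped, leaving `target:` with just `name: tailscale-operator`. This change also swaps the OAuth client credentials the removed operator manifests consumed for a single auth key; Tailscale auth keys carry an expiry, so either track that expiry and rotate the value in Vault before it lapses or return to OAuth credentials, otherwise the operator will silently lose the ability to register nodes. The file also ends without a trailing newline.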