---
# DaemonSet that runs one `tailscale` container per node, in the node's
# network namespace, under the `tailscale` service account.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: tailscaled
  namespace: tailscale
  labels:
    app: tailscale
spec:
  selector:
    matchLabels:
      app: tailscale
  template:
    metadata:
      labels:
        app: tailscale
    spec:
      # The pod shares the node's network namespace, so the container's
      # network changes act on the host's interfaces and routes.
      hostNetwork: true
      # NOTE(review): the RBAC bound to this account is not in this file;
      # confirm it is limited to the Secret named below.
      serviceAccountName: tailscale
      containers:
        - name: tailscale
          # `latest` is a mutable tag: each pod runs whatever the registry
          # served when it was pulled, so nodes can end up on different
          # builds. NOTE(review): pin to a reviewed tag or image digest.
          image: tailscale/tailscale:latest
          env:
            # Same Secret name as the envFrom source below.
            # NOTE(review): presumably the container also writes state to
            # this Secret; confirm that sharing one Secret for both the
            # auth material and the state is intended.
            - name: TS_KUBE_SECRET
              value: "tailscale-auth"
            # Matches the mountPath of the `var-lib-tailscale` volume.
            - name: TS_STATE_DIR
              value: "/var/lib/tailscale"
          # Every key of the Secret becomes an environment variable of the
          # container, visible to anything that can read its environment.
          envFrom:
            - secretRef:
                name: tailscale-auth
          volumeMounts:
            - name: var-lib-tailscale
              mountPath: /var/lib/tailscale
            - name: tailscale-tmp
              mountPath: /tmp
            - name: dev-tun
              mountPath: /dev/net/tun
              readOnly: true
          securityContext:
            # A privileged container already has every capability and
            # access to host devices, so the `add` list below has no
            # effect while this is true. Combined with hostNetwork, a
            # compromise of this container is close to a node compromise.
            # NOTE(review): check whether NET_ADMIN and NET_RAW plus the
            # /dev/net/tun mount are sufficient, so that `privileged` can
            # be dropped.
            privileged: true
            capabilities:
              add:
                - "NET_ADMIN"
                - "NET_RAW"
          resources:
            requests:
              cpu: 50m
              memory: 100Mi
            # Only memory is capped; no CPU limit is set.
            limits:
              memory: 200Mi
      volumes:
        # One claim is referenced by every pod of the DaemonSet.
        # NOTE(review): confirm the claim's access mode allows mounting
        # from several nodes, and that a state directory shared between
        # nodes is intended.
        - name: var-lib-tailscale
          persistentVolumeClaim:
            claimName: tailscale
        - name: tailscale-tmp
          emptyDir: {}
        # No hostPath `type` is set, so the kubelet does not check what
        # exists at this path before mounting it.
        # NOTE(review): consider `type: CharDevice`.
        - name: dev-tun
          hostPath:
            path: /dev/net/tun