apiVersion: apps/v1
kind: Deployment
metadata:
  name: tailscale-operator
  namespace: tailscale
  labels:
    app.kubernetes.io/name: tailscale-operator
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: tailscale-operator
  template:
    metadata:
      labels:
        app.kubernetes.io/name: tailscale-operator
    spec:
      serviceAccountName: tailscale-operator
      containers:
        - name: operator
          image: ghcr.io/tailscale/kubernetes-operator:latest
          ports:
            - containerPort: 8080
              name: http
          env:
            - name: TS_USERSPACE
              value: "true"
            - name: TS_K8S_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: TS_TOKEN_SECRET_NAME
              value: tailscale-operator-secret
          envFrom:
            - secretRef:
                name: tailscale-operator-secret
          volumeMounts:
            - name: oauth-secret
              mountPath: /etc/tailscale/oauth
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
      volumes:
        - name: oauth-secret
          secret:
            secretName: tailscale-operator-secret