Merge pull request #274 from danmanners/feature/tailscale

Adding tailscale operator

manifests/workloads/applicationset.yaml

@@ -48,6 +48,9 @@ spec:
       - appName: webssh
         namespace: webssh
         targetRev: main
+      - appName: tailscale
+        namespace: networking
+        targetRev: main
   template:
     metadata:
       name: '{{appName}}'

manifests/workloads/tailscale/deployment.yaml

@@ -0,0 +1,62 @@
+# https://github.com/tailscale/tailscale/blob/ed1b935238a7c6cce3aa4865aa13181eb679361a/cmd/k8s-operator/deploy/chart/templates/deployment.yaml
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: operator
+  namespace: networking
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: operator
+  template:
+    metadata:
+      labels:
+        app: operator
+    spec:
+      serviceAccountName: operator
+      securityContext: {}
+      volumes:
+      - name: oauth
+        secret:
+          secretName: operator-oauth
+      containers:
+      - name: operator
+        securityContext: {}
+        resources: {}
+        image: k8s-operator:replaceme
+        imagePullPolicy: IfNotPresent
+        env:
+        - name: OPERATOR_HOSTNAME
+          value: tailscale-operator
+        - name: OPERATOR_SECRET
+          value: operator
+        - name: OPERATOR_LOGGING
+          value: info # warning, info, debug
+        - name: OPERATOR_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: CLIENT_ID_FILE
+          value: /oauth/client_id
+        - name: CLIENT_SECRET_FILE
+          value: /oauth/client_secret
+        - name: PROXY_IMAGE
+          value: tailscale-image:replaceme
+        - name: PROXY_TAGS
+          value: tag:k8s
+        - name: APISERVER_PROXY
+          value: "true"
+        - name: PROXY_FIREWALL_MODE
+          value: auto # Leave this for now
+        volumeMounts:
+        - name: oauth
+          mountPath: /oauth
+          readOnly: true
+      nodeSelector:
+        kubernetes.io/os: linux

manifests/workloads/tailscale/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: networking
+
+resources:
+- deployment.yaml
+- rbac-apiserverproxy.yaml
+- rbac-operator.yaml
+- rbac-proxy.yaml
+- secret.yaml
+
+images:
+- name: k8s-operator:replaceme
+  newName: core.harbor.homelab.danmanners.com/docker.io/tailscale/k8s-operator
+  newTag: unstable-v1.53
+- name: k8s-operator:replaceme
+  newName: core.harbor.homelab.danmanners.com/docker.io/tailscale/k8s-operator
+  newTag: unstable-v1.53

manifests/workloads/tailscale/rbac-apiserverproxy.yaml

@@ -0,0 +1,22 @@
+# https://github.com/tailscale/tailscale/blob/ed1b935238a7c6cce3aa4865aa13181eb679361a/cmd/k8s-operator/deploy/chart/templates/apiserverproxy-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tailscale-auth-proxy
+rules:
+- apiGroups: [""]
+  resources: ["users", "groups"]
+  verbs: ["impersonate"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tailscale-auth-proxy
+subjects:
+- kind: ServiceAccount
+  name: operator
+  namespace: networking
+roleRef:
+  kind: ClusterRole
+  name: tailscale-auth-proxy
+  apiGroup: rbac.authorization.k8s.io

manifests/workloads/tailscale/rbac-operator.yaml

@@ -0,0 +1,58 @@
+# https://github.com/tailscale/tailscale/blob/ed1b935238a7c6cce3aa4865aa13181eb679361a/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: operator
+  namespace: networking
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tailscale-operator
+rules:
+- apiGroups: [""]
+  resources: ["events", "services", "services/status"]
+  verbs: ["*"]
+- apiGroups: ["networking.k8s.io"]
+  resources: ["ingresses", "ingresses/status"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tailscale-operator
+subjects:
+- kind: ServiceAccount
+  name: operator
+  namespace: networking
+roleRef:
+  kind: ClusterRole
+  name: tailscale-operator
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: operator
+  namespace: networking
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["*"]
+- apiGroups: ["apps"]
+  resources: ["statefulsets"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: operator
+  namespace: networking
+subjects:
+- kind: ServiceAccount
+  name: operator
+  namespace: networking
+roleRef:
+  kind: Role
+  name: operator
+  apiGroup: rbac.authorization.k8s.io

manifests/workloads/tailscale/rbac-proxy.yaml

@@ -0,0 +1,30 @@
+# https://github.com/tailscale/tailscale/blob/ed1b935238a7c6cce3aa4865aa13181eb679361a/cmd/k8s-operator/deploy/chart/templates/proxy-rbac.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: proxies
+  namespace: networking
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: proxies
+  namespace: networking
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: proxies
+  namespace: networking
+subjects:
+- kind: ServiceAccount
+  name: proxies
+  namespace: networking
+roleRef:
+  kind: Role
+  name: proxies
+  apiGroup: rbac.authorization.k8s.io

manifests/workloads/tailscale/readme.md

@@ -0,0 +1,5 @@
+# Quick Notes
+
+Maybe this works, maybe it doesn't? We'll figure it out. We're all adults here.
+
+## _I think..._

manifests/workloads/tailscale/secret.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: operator-oauth
+  namespace: networking
+spec:
+  encryptedData:
+    client_id: AgC8znoyK/FK7WtxRjGJUe/2VKPe9ntWr9lwNE4N8ryottkwqRwH7PBu3jxIixQlN/hmPgBHVXToFp4R5fesiSPF66nhB6yyveEEpd/l4PRO4pGnycn+diUnW1Cbed/tNMXwwINNgdlaaWnbv5/9Skh0dd8KPSglB1rqg81TaSwcoLmx3BfSGQak9S7vkOCmtjyXcyJ5rXnn4QnBJpucu+8KahdvzUapIoH82O6FE/KRpBUe4pDFoealzBZFbPZLUBTWJ8667KSgMMO4Jioajy7oB5Rdk51z5x1SafhQIVP8MrvG2uy69l/GV7LB7svcYyoTHF1UUY7OV4t/SjQAHgc9HaGOFKghmwA2zMEVLdFvnQomZnl7UP4gMpgwBPXZ5RLYwWxhNF2QUcQIVQYvyZQw1NQ5/dhn5KaHds+mI+riMGgtOk6eCGUfgU37SGdv1pqkcFkXgTcbNI9rVEVgieCTJ47ZQchqftX3oUyz/Q5Ro8lTj4DLx3n37csjA8ql1ULX8OY1xzbHQLyS7PYUf+31iX7F44puHZfhzE0frYAkAdJfwc3M9oq/v7PPudzu7CpyXEMLDmRiUedFW+BVVtMuga3IP4TZeGbJdD+7/+2EIEpWMq67VOFj2jQqgUUt9SONWpaV2z2gZVZonp/jRRvSqm8Fqvc/gwsSru/2sp665lKu38p5+YJ4bhoA2o6jx+CpqjnUKK1AE9RwJ9E=
+    client_secret: AgB0CtviwIiJakVih7e82hcAaYJlTYDtkTgSmwnmrE6VUPE/luXdJ5EWjuxc2AeavcxLk1+oKe0UteYDDLhHCx0eVAwo+53zx+n4arHFCrB2FN1Hvu/E/Mld7EzRADO9QTYYGBS+ELs63f6BAj4D3yFZeaKum5ii5kxOilFAKPPQvInNU8AIR7RAiintLqK7F8k0VuceIijF2iWthfruC+zR3EBe/sZxFmiF22ie0TBfSUW6KBXPAUbl8SIOLLpy2xf8ejetdW+LGBSRjSFfy9VmUR7l+v8/WzNbhK8Ywz8Nx4kYM/s2H2DUnTjS/DdiQ4FmpK/4QMtqZHo2h1JhbXWluEEh5Oalq8dFJESSOKZ+IO1r64qPqqoyjdPNTybc5qxKw4JvI0yHa80PWUdhXkeCEuIhSL4bS+F+Tm6szxMvyJIoq17xuiOR1gVHmXBA/7LFluVmHry/SzC/MxjJaKl7YKwicht3S/L8LPC8CAdfpahtZaZen292dltPMYcgEYh9TgjQaQE/oELzZaOqPNgrBAlkBK+xJWBFtUs8Da4BPxX8zHCYcraLRRrwivmpBUh9qV8RzkCHTHosliUf42XMcOmioe1ezzvNZNkolS68MenfwWZ8afk1d5S3xJ8/NPflEqYtZKZXb+TF9jiSkaPdoiQrP4kR9eGA/d/JVcBmUv0lAgW3jwtN0XcmxINrLDjEUsCu/SpWtWS5o6aLzOlbpVXouFryiR7Ifd0O1X9syn7PMT7WinSLATXPfKc0TJ9ZbG8qdYEXjWIz
+  template:
+    metadata:
+      creationTimestamp: null
+      name: operator-oauth
+      namespace: networking
+    type: Opaque