tailscale/cmd/k8s-operator/deploy/chart/values.yaml

# Copyright (c) Tailscale Inc & AUTHORS
# SPDX-License-Identifier: BSD-3-Clause

# Operator oauth credentials. If set a Kubernetes Secret with the provided
# values will be created in the operator namespace. If unset a Secret named
# operator-oauth must be precreated or oauthSecretVolume needs to be adjusted.
# This block will be overridden by oauthSecretVolume, if set.
oauth: {}
  # clientId: ""
  # clientSecret: ""

# Secret volume.
# If set it defines the volume the oauth secrets will be mounted from.
# The volume needs to contain two files named `client_id` and `client_secret`.
# If unset the volume will reference the Secret named operator-oauth.
# This block will override the oauth block.
oauthSecretVolume: {}
  # csi:
  #   driver: secrets-store.csi.k8s.io
  #   readOnly: true
  #   volumeAttributes:
  #     secretProviderClass: tailscale-oauth
  #
  ## NAME is pre-defined!

# installCRDs determines whether tailscale.com CRDs should be installed as part
# of chart installation. We do not use Helm's CRD installation mechanism as that
# does not allow for upgrading CRDs.
# https://helm.sh/docs/chart_best_practices/custom_resource_definitions/
installCRDs: true

operatorConfig:
  # ACL tag that operator will be tagged with. Operator must be made owner of
  # these tags
  # https://tailscale.com/kb/1236/kubernetes-operator/?q=operator#setting-up-the-kubernetes-operator
  # Multiple tags are defined as array items and passed to the operator as a comma-separated string
  defaultTags:
    - "tag:k8s-operator"

  image:
    # Repository defaults to DockerHub, but images are also synced to ghcr.io/tailscale/k8s-operator.
    repository: tailscale/k8s-operator
    # Digest will be prioritized over tag. If neither are set appVersion will be
    # used.
    tag: ""
    digest: ""
    pullPolicy: Always
  logging: "info" # info, debug, dev
  hostname: "tailscale-operator"
  nodeSelector:
    kubernetes.io/os: linux

  resources: {}

  podAnnotations: {}
  podLabels: {}

  serviceAccountAnnotations: {}
  # eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/tailscale-operator-role

  tolerations: []

  affinity: {}

  podSecurityContext: {}

  securityContext: {}

  extraEnv: []
  # - name: EXTRA_VAR1
  #   value: "value1"
  # - name: EXTRA_VAR2
  #   value: "value2"

# In the case that you already have a tailscale ingressclass in your cluster (or vcluster), you can disable the creation here
ingressClass:
  enabled: true

# proxyConfig contains configuraton that will be applied to any ingress/egress
# proxies created by the operator.
# https://tailscale.com/kb/1439/kubernetes-operator-cluster-ingress
# https://tailscale.com/kb/1438/kubernetes-operator-cluster-egress
# Note that this section contains only a few global configuration options and
# will not be updated with more configuration options in the future.
# If you need more configuration options, take a look at ProxyClass:
# https://tailscale.com/kb/1445/kubernetes-operator-customization#cluster-resource-customization-using-proxyclass-custom-resource
proxyConfig:
  image:
    # Repository defaults to DockerHub, but images are also synced to ghcr.io/tailscale/tailscale.
    repository: tailscale/tailscale
    # Digest will be prioritized over tag. If neither are set appVersion will be
    # used.
    tag: ""
    digest: ""
  # ACL tag that operator will tag proxies with. Operator must be made owner of
  # these tags
  # https://tailscale.com/kb/1236/kubernetes-operator/?q=operator#setting-up-the-kubernetes-operator
  # Multiple tags can be passed as a comma-separated string i.e 'tag:k8s-proxies,tag:prod'.
  # Note that if you pass multiple tags to this field via `--set` flag to helm upgrade/install commands you must escape the comma (for example, "tag:k8s-proxies\,tag:prod"). See https://github.com/helm/helm/issues/1556
  defaultTags: "tag:k8s"
  firewallMode: auto
  # If defined, this proxy class will be used as the default proxy class for
  # service and ingress resources that do not have a proxy class defined. It
  # does not apply to Connector resources.
  defaultProxyClass: ""

# apiServerProxyConfig allows to configure whether the operator should expose
# Kubernetes API server.
# https://tailscale.com/kb/1437/kubernetes-operator-api-server-proxy
apiServerProxyConfig:
  mode: "false" # "true", "false", "noauth"

imagePullSecrets: []