tailscale/cmd/k8s-operator/manifests/operator.yaml

# Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: proxies
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: proxies
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["secrets"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: proxies
subjects:
- kind: ServiceAccount
  name: proxies
roleRef:
  kind: Role
  name: proxies
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tailscale-operator
rules:
- apiGroups: [""]
  resources: ["services", "services/status"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tailscale-operator
subjects:
- kind: ServiceAccount
  name: operator
  namespace: default
roleRef:
  kind: ClusterRole
  name: tailscale-operator
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: operator
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["secrets"]
  verbs: ["*"]
- apiGroups: ["apps"]
  resources: ["statefulsets"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: operator
subjects:
- kind: ServiceAccount
  name: operator
roleRef:
  kind: Role
  name: operator
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tailscale-operator
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: tailscale-operator
  template:
    metadata:
      labels:
        app: tailscale-operator
    spec:
      serviceAccountName: operator
      containers:
        - name: tailscale-operator
          image: tailscale/k8s-operator:latest
          resources:
            requests:
              cpu: 500m
              memory: 100Mi
          env:
            - name: OPERATOR_HOSTNAME
              value: tailscale-operator
            - name: OPERATOR_SECRET
              value: tailscale-operator
            - name: PROXY_IMAGE
              value: tailscale/tailscale:latest
            - name: PROXY_TAGS
              value: tag:k8s
cmd/k8s-operator: add a kubernetes operator. This was initially developed in a separate repo, but for build/release reasons and because go module management limits the damage of importing k8s things now, moving it into this repo. At time of commit, the operator enables exposing services over tailscale, with the 'tailscale' loadBalancerClass. It also currently requires an unreleased feature to access the Tailscale API, so is not usable yet. Updates #502. Signed-off-by: David Anderson <danderson@tailscale.com> 2022-12-12 19:15:34 +00:00			`# Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.`
			`# Use of this source code is governed by a BSD-style`
			`# license that can be found in the LICENSE file.`

			`apiVersion: v1`
			`kind: ServiceAccount`
			`metadata:`
			`name: proxies`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: Role`
			`metadata:`
			`name: proxies`
			`rules:`
			`- apiGroups: [""] # "" indicates the core API group`
			`resources: ["secrets"]`
			`verbs: ["*"]`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: RoleBinding`
			`metadata:`
			`name: proxies`
			`subjects:`
			`- kind: ServiceAccount`
			`name: proxies`
			`roleRef:`
			`kind: Role`
			`name: proxies`
			`apiGroup: rbac.authorization.k8s.io`
			`---`
			`apiVersion: v1`
			`kind: ServiceAccount`
			`metadata:`
			`name: operator`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRole`
			`metadata:`
			`name: tailscale-operator`
			`rules:`
			`- apiGroups: [""]`
			`resources: ["services", "services/status"]`
			`verbs: ["*"]`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRoleBinding`
			`metadata:`
			`name: tailscale-operator`
			`subjects:`
			`- kind: ServiceAccount`
			`name: operator`
			`namespace: default`
			`roleRef:`
			`kind: ClusterRole`
			`name: tailscale-operator`
			`apiGroup: rbac.authorization.k8s.io`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: Role`
			`metadata:`
			`name: operator`
			`rules:`
			`- apiGroups: [""] # "" indicates the core API group`
			`resources: ["secrets"]`
			`verbs: ["*"]`
			`- apiGroups: ["apps"]`
			`resources: ["statefulsets"]`
			`verbs: ["*"]`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: RoleBinding`
			`metadata:`
			`name: operator`
			`subjects:`
			`- kind: ServiceAccount`
			`name: operator`
			`roleRef:`
			`kind: Role`
			`name: operator`
			`apiGroup: rbac.authorization.k8s.io`
			`---`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: tailscale-operator`
			`spec:`
			`replicas: 1`
			`strategy:`
			`type: Recreate`
			`selector:`
			`matchLabels:`
			`app: tailscale-operator`
			`template:`
			`metadata:`
			`labels:`
			`app: tailscale-operator`
			`spec:`
			`serviceAccountName: operator`
			`containers:`
			`- name: tailscale-operator`
			`image: tailscale/k8s-operator:latest`
			`resources:`
			`requests:`
			`cpu: 500m`
			`memory: 100Mi`
			`env:`
			`- name: OPERATOR_HOSTNAME`
			`value: tailscale-operator`
			`- name: OPERATOR_SECRET`
			`value: tailscale-operator`
			`- name: PROXY_IMAGE`
			`value: tailscale/tailscale:latest`
			`- name: PROXY_TAGS`
			`value: tag:k8s`