cmd/k8s-operator: add support for running an auth proxy

Updates #5055

Signed-off-by: Maisem Ali <maisem@tailscale.com>

cmd/k8s-operator/manifests/authproxy-rbac.yaml

@@ -0,0 +1,24 @@
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tailscale-auth-proxy
+rules:
+- apiGroups: [""]
+  resources: ["users"]
+  verbs: ["impersonate"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tailscale-auth-proxy
+subjects:
+- kind: ServiceAccount
+  name: operator
+  namespace: tailscale
+roleRef:
+  kind: ClusterRole
+  name: tailscale-auth-proxy
+  apiGroup: rbac.authorization.k8s.io

cmd/k8s-operator/manifests/operator.yaml

@@ -148,6 +148,8 @@ spec:
               value: tailscale/tailscale:unstable
             - name: PROXY_TAGS
               value: tag:k8s
+            - name: AUTH_PROXY
+              value: "false"
           volumeMounts:
           - name: oauth
             mountPath: /oauth