TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-03-28 12:02:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

cmd/k8s-operator: move the operator into its own namespace.

Browse Source 
The operator creates a fair bit of internal cluster state to manage proxying,
dumping it all in the default namespace is handy for development but rude
for production.

Updates #502

Signed-off-by: David Anderson <danderson@tailscale.com>
This commit is contained in:
David Anderson 2022-12-14 15:41:26 -08:00 committed by Dave Anderson
parent 56f7da0cfd
commit 8171eb600c
2 changed files with 33 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
cmd/k8s-operator/manifests/operator.yaml
View File

@ -2,17 +2,24 @@
# Use of this source code is governed by a BSD-style # Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file. # license that can be found in the LICENSE file.
apiVersion: v1
kind: Namespace
metadata:
name: tailscale
---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: proxies name: proxies
namespace: tailscale
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: proxies name: proxies
namespace: tailscale
rules: rules:
- apiGroups: [""] # "" indicates the core API group - apiGroups: [""]
resources: ["secrets"] resources: ["secrets"]
verbs: ["*"] verbs: ["*"]
--- ---
@ -20,9 +27,11 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: proxies name: proxies
namespace: tailscale
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: proxies name: proxies
namespace: tailscale
roleRef: roleRef:
kind: Role kind: Role
name: proxies name: proxies
@ -32,6 +41,7 @@ apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: operator name: operator
namespace: tailscale
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
@ -49,7 +59,7 @@ metadata:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: operator name: operator
namespace: default namespace: tailscale
roleRef: roleRef:
kind: ClusterRole kind: ClusterRole
name: tailscale-operator name: tailscale-operator
@ -59,8 +69,9 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: operator name: operator
namespace: tailscale
rules: rules:
- apiGroups: [""] # "" indicates the core API group - apiGroups: [""]
resources: ["secrets"] resources: ["secrets"]
verbs: ["*"] verbs: ["*"]
- apiGroups: ["apps"] - apiGroups: ["apps"]
@ -71,9 +82,11 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: operator name: operator
namespace: tailscale
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: operator name: operator
namespace: tailscale
roleRef: roleRef:
kind: Role kind: Role
name: operator name: operator
@ -82,7 +95,8 @@ roleRef:
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: tailscale-operator-oauth name: operator-oauth
namespace: tailscale
stringData: stringData:
client_id: # SET CLIENT ID HERE client_id: # SET CLIENT ID HERE
client_secret: # SET CLIENT SECRET HERE client_secret: # SET CLIENT SECRET HERE
@ -90,26 +104,27 @@ stringData:
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: tailscale-operator name: operator
namespace: tailscale
spec: spec:
replicas: 1 replicas: 1
strategy: strategy:
type: Recreate type: Recreate
selector: selector:
matchLabels: matchLabels:
app: tailscale-operator app: operator
template: template:
metadata: metadata:
labels: labels:
app: tailscale-operator app: operator
spec: spec:
serviceAccountName: operator serviceAccountName: operator
volumes: volumes:
- name: oauth - name: oauth
secret: secret:
secretName: tailscale-operator-oauth secretName: operator-oauth
containers: containers:
- name: tailscale-operator - name: operator
image: tailscale/k8s-operator:latest image: tailscale/k8s-operator:latest
resources: resources:
requests: requests:
@ -119,7 +134,13 @@ spec:
- name: OPERATOR_HOSTNAME - name: OPERATOR_HOSTNAME
value: tailscale-operator value: tailscale-operator
- name: OPERATOR_SECRET - name: OPERATOR_SECRET
value: tailscale-operator value: operator
- name: OPERATOR_LOGGING
value: info
- name: OPERATOR_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CLIENT_ID_FILE - name: CLIENT_ID_FILE
value: /oauth/client_id value: /oauth/client_id
- name: CLIENT_SECRET_FILE - name: CLIENT_SECRET_FILE
@ -131,4 +152,4 @@ spec:
volumeMounts: volumeMounts:
- name: oauth - name: oauth
mountPath: /oauth mountPath: /oauth
readOnly: true readOnly: true

2
cmd/k8s-operator/operator.go
View File

@ -54,7 +54,7 @@ func main() {
hostname = defaultEnv("OPERATOR_HOSTNAME", "tailscale-operator") hostname = defaultEnv("OPERATOR_HOSTNAME", "tailscale-operator")
kubeSecret = defaultEnv("OPERATOR_SECRET", "") kubeSecret = defaultEnv("OPERATOR_SECRET", "")
operatorTags = defaultEnv("OPERATOR_INITIAL_TAGS", "tag:k8s-operator") operatorTags = defaultEnv("OPERATOR_INITIAL_TAGS", "tag:k8s-operator")
tsNamespace = defaultEnv("OPERATOR_NAMESPACE", "default") tsNamespace = defaultEnv("OPERATOR_NAMESPACE", "")
tslogging = defaultEnv("OPERATOR_LOGGING", "info") tslogging = defaultEnv("OPERATOR_LOGGING", "info")
clientIDPath = defaultEnv("CLIENT_ID_FILE", "") clientIDPath = defaultEnv("CLIENT_ID_FILE", "")
clientSecretPath = defaultEnv("CLIENT_SECRET_FILE", "") clientSecretPath = defaultEnv("CLIENT_SECRET_FILE", "")