	cmd/k8s-operator: allow to install operator via helm (#9920)
Initial helm manifests. Updates tailscale/tailscale#9222 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Maisem Ali <maisem@tailscale.com>
		| @@ -0,0 +1,26 @@ | ||||
| # Copyright (c) Tailscale Inc & AUTHORS | ||||
| # SPDX-License-Identifier: BSD-3-Clause | ||||
|  | ||||
| {{ if eq .Values.apiServerProxyConfig.mode "true" }} | ||||
| apiVersion: rbac.authorization.k8s.io/v1 | ||||
| kind: ClusterRole | ||||
| metadata: | ||||
|   name: tailscale-auth-proxy | ||||
| rules: | ||||
| - apiGroups: [""] | ||||
|   resources: ["users", "groups"] | ||||
|   verbs: ["impersonate"] | ||||
| --- | ||||
| apiVersion: rbac.authorization.k8s.io/v1 | ||||
| kind: ClusterRoleBinding | ||||
| metadata: | ||||
|   name: tailscale-auth-proxy | ||||
| subjects: | ||||
| - kind: ServiceAccount | ||||
|   name: operator | ||||
|   namespace: {{ .Release.Namespace }} | ||||
| roleRef: | ||||
|   kind: ClusterRole | ||||
|   name: tailscale-auth-proxy | ||||
|   apiGroup: rbac.authorization.k8s.io | ||||
| {{ end }} | ||||
							
								
								
									
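--- a/cmd/k8s-operator/deploy/chart/templates/deployment.yaml
+++ b/cmd/k8s-operator/deploy/chart/templates/deployment.yaml
@@ -0,0 +1,90 @@
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: operator
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: operator
+  template:
+    metadata:
+      {{- with .Values.operatorConfig.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        app: operator
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: operator
+      {{- with .Values.operatorConfig.podSecurityContext }}
+      securityContext:
+        {{- toYaml .Values.operatorConfig.podSecurityContext | nindent 8 }}
+      {{- end }}
+      volumes:
+      - name: oauth
+        secret:
+          secretName: operator-oauth
+      containers:
+        - name: operator
+          {{- with .Values.operatorConfig.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.operatorConfig.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- $operatorTag:= printf ":%s" ( .Values.operatorConfig.image.tag | default .Chart.AppVersion )}}
+          image: {{ .Values.operatorConfig.image.repo }}{{- if .Values.operatorConfig.image.digest -}}{{ printf "@%s" .Values.operatorConfig.image.digest}}{{- else -}}{{ printf "%s" $operatorTag }}{{- end }}
+          imagePullPolicy: {{ .Values.operatorConfig.image.pullPolicy }}
+          env:
+            - name: OPERATOR_HOSTNAME
+              value: {{ .Values.operatorConfig.hostname }}
+            - name: OPERATOR_SECRET
+              value: operator
+            - name: OPERATOR_LOGGING
+              value: {{ .Values.operatorConfig.logging }}
+            - name: OPERATOR_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: CLIENT_ID_FILE
+              value: /oauth/client_id
+            - name: CLIENT_SECRET_FILE
+              value: /oauth/client_secret
+            {{- $proxyTag := printf ":%s" ( .Values.proxyConfig.image.tag | default .Chart.AppVersion )}}
+            - name: PROXY_IMAGE
+              value: {{ .Values.proxyConfig.image.repo }}{{- if .Values.proxyConfig.image.digest -}}{{ printf "@%s" .Values.proxyConfig.image.digest}}{{- else -}}{{ printf "%s" $proxyTag }}{{- end }}
+            - name: PROXY_TAGS
+              value: {{ .Values.proxyConfig.defaultTags }}
+            - name: APISERVER_PROXY
+              value: "{{ .Values.apiServerProxyConfig.mode }}"
+            - name: PROXY_FIREWALL_MODE
+              value: {{ .Values.proxyConfig.firewallMode }}
+          volumeMounts:
+          - name: oauth
+            mountPath: /oauth
+            readOnly: true
+      {{- with .Values.operatorConfig.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.operatorConfig.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.operatorConfig.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}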
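Review bot: The env values for OPERATOR_HOSTNAME, OPERATOR_LOGGING, PROXY_TAGS and PROXY_FIREWALL_MODE are rendered as bare scalars, unlike APISERVER_PROXY which is quoted; a value that YAML parses as a number, boolean or null (an empty `defaultTags`, a numeric-looking hostname) yields a non-string `value` and the API server rejects the Deployment. Passing each through `| quote`, e.g. `value: {{ .Values.operatorConfig.hostname | quote }}`, keeps the type a string regardless of input. A smaller style point: the `podSecurityContext` block uses `toYaml .Values.operatorConfig.podSecurityContext` inside a `with` scope where every sibling block uses `toYaml .`. The pod and container get no security context unless values are supplied; whether values.yaml ships a restrictive default (runAsNonRoot, dropped capabilities) is not visible here and is worth confirming.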
							
								
								
									
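--- a/cmd/k8s-operator/deploy/chart/templates/oauth-secret.yaml
+++ b/cmd/k8s-operator/deploy/chart/templates/oauth-secret.yaml
@@ -0,0 +1,13 @@
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause
+
+{{ if and .Values.oauth .Values.oauth.clientId -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: operator-oauth
+  namespace: {{ .Release.Namespace }}
+stringData:
+  client_id: {{ .Values.oauth.clientId }}
+  client_secret: {{ .Values.oauth.clientSecret }}
+{{- end -}}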
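Review bot: The guard on the first template line checks only `oauth.clientId`, so a release with a client ID but no `oauth.clientSecret` renders `client_secret:` with a null value and fails at the API server instead of with a clear message; checking both, `{{ if and .Values.oauth .Values.oauth.clientId .Values.oauth.clientSecret -}}`, or wrapping the secret in `required`, fails earlier and more readably. Both values should also be rendered with `| quote` so a credential containing `:` or `#`, or one that parses as a number, is not altered by the YAML parser. Since the Deployment in this change mounts `operator-oauth` unconditionally, the guard-false case appears to be the bring-your-own-Secret path; a header comment stating that the Secret must then be created separately with keys `client_id` and `client_secret` would document it. Values supplied this way are also kept in Helm's release record next to the rendered manifest, which is inherent to chart-managed secrets and worth a sentence in the chart docs.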
							
								
								
									
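--- a/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
+++ b/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
@@ -0,0 +1,60 @@
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: operator
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tailscale-operator
+rules:
+- apiGroups: [""]
+  resources: ["events", "services", "services/status"]
+  verbs: ["*"]
+- apiGroups: ["networking.k8s.io"]
+  resources: ["ingresses", "ingresses/status"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tailscale-operator
+subjects:
+- kind: ServiceAccount
+  name: operator
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: tailscale-operator
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: operator
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["*"]
+- apiGroups: ["apps"]
+  resources: ["statefulsets"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: operator
+  namespace: {{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: operator
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: operator
+  apiGroup: rbac.authorization.k8s.io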
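Review bot: Every rule in the `tailscale-operator` ClusterRole and the namespaced `operator` Role grants `verbs: ["*"]`, which includes `deletecollection` and any verb later added to these resources; the controllers presumably need a fixed set, and listing it explicitly, e.g. `verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`, keeps the grant reviewable and matches the least-privilege expectation for a cluster-wide binding. The set actually used should be confirmed against the operator's client calls, which are outside this diff. Cluster-wide `*` on `services/status` and `ingresses/status` likewise looks broader than a status writer needs, where `update` and `patch` are usually sufficient.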
							
								
								
									
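--- a/cmd/k8s-operator/deploy/chart/templates/proxy-rbac.yaml
+++ b/cmd/k8s-operator/deploy/chart/templates/proxy-rbac.yaml
@@ -0,0 +1,32 @@
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: proxies
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: proxies
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: proxies
+  namespace: {{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: proxies
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: proxies
+  apiGroup: rbac.authorization.k8s.io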
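Review bot: The `proxies` Role grants `verbs: ["*"]` on every Secret in the release namespace to one shared ServiceAccount; if, as the name suggests, each proxy pod runs under this account, a single compromised proxy can read or delete the state Secrets of all other proxies and the `operator-oauth` Secret that the Deployment in this change mounts from the same namespace. The chart cannot enumerate per-proxy Secret names statically, so the narrowest fix is for the operator to create a per-proxy Role with `resourceNames` at runtime; short of that, trimming the verbs to what a proxy needs for its own state, e.g. `verbs: ["get", "update", "patch"]`, at least removes list and delete across the namespace. The verb set a proxy actually uses is not visible here and should be confirmed before narrowing.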
	 Irbe Krumina
					Irbe Krumina