# Copyright (c) Tailscale Inc & AUTHORS
# SPDX-License-Identifier: BSD-3-Clause
apiVersion: v1
kind: Pod
metadata:
  name: proxy
spec:
  serviceAccountName: "{{SA_NAME}}"
  initContainers:
    # In order to run as a proxy we need to enable IP Forwarding inside
    # the container. The `net.ipv4.ip_forward` sysctl is not allowlisted
    # in Kubelet by default.
  - name: sysctler
    image: busybox
    securityContext:
      privileged: true
    command: ["/bin/sh"]
    args:
      - -c
      - sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
    resources:
      requests:
        cpu: 1m
        memory: 1Mi
  containers:
  - name: tailscale
    imagePullPolicy: Always
    image: "ghcr.io/tailscale/tailscale:latest"
    env:
    # Store the state in a k8s secret
    - name: TS_KUBE_SECRET
      value: "{{TS_KUBE_SECRET}}"
    - name: TS_USERSPACE
      value: "false"
    - name: TS_AUTHKEY
      valueFrom:
        secretKeyRef:
          name: tailscale-auth
          key: TS_AUTHKEY
          optional: true
    - name: TS_DEST_IP
      value: "{{TS_DEST_IP}}"
    - name: TS_AUTH_ONCE
      value: "true"
    securityContext:
      capabilities:
        add:
        - NET_ADMIN