David Anderson b2d4abf25a cmd/k8s-operator: add a kubernetes operator.
This was initially developed in a separate repo, but for build/release
reasons and because go module management limits the damage of importing
k8s things now, moving it into this repo.

At time of commit, the operator enables exposing services over tailscale,
with the 'tailscale' loadBalancerClass. It also currently requires an
unreleased feature to access the Tailscale API, so is not usable yet.

Updates #502.

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-12-12 13:20:02 -08:00

115 lines
2.4 KiB
YAML

# Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
apiVersion: v1
kind: ServiceAccount
metadata:
name: proxies
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: proxies
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["secrets"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: proxies
subjects:
- kind: ServiceAccount
name: proxies
roleRef:
kind: Role
name: proxies
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tailscale-operator
rules:
- apiGroups: [""]
resources: ["services", "services/status"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tailscale-operator
subjects:
- kind: ServiceAccount
name: operator
namespace: default
roleRef:
kind: ClusterRole
name: tailscale-operator
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: operator
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["secrets"]
verbs: ["*"]
- apiGroups: ["apps"]
resources: ["statefulsets"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: operator
subjects:
- kind: ServiceAccount
name: operator
roleRef:
kind: Role
name: operator
apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: tailscale-operator
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: tailscale-operator
template:
metadata:
labels:
app: tailscale-operator
spec:
serviceAccountName: operator
containers:
- name: tailscale-operator
image: tailscale/k8s-operator:latest
resources:
requests:
cpu: 500m
memory: 100Mi
env:
- name: OPERATOR_HOSTNAME
value: tailscale-operator
- name: OPERATOR_SECRET
value: tailscale-operator
- name: PROXY_IMAGE
value: tailscale/tailscale:latest
- name: PROXY_TAGS
value: tag:k8s