mirror of
https://github.com/tailscale/tailscale.git
synced 2024-12-01 14:05:39 +00:00
76904b82e7
This implements the same functionality as the former run.sh, but in Go and with a little better awareness of tailscaled's lifecycle. Also adds TS_AUTH_ONCE, which fixes the unfortunate behavior run.sh had where it would unconditionally try to reauth every time if you gave it an authkey, rather than try to use it only if auth is actually needed. This makes it a bit nicer to deploy these containers in automation, since you don't have to run the container once, then go and edit its definition to remove authkeys. Signed-off-by: David Anderson <danderson@tailscale.com>
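# Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.

# Pod template for a Tailscale proxy. The "{{...}}" values are
# placeholders that must be substituted before the manifest is applied.
apiVersion: v1
kind: Pod
metadata:
  name: proxy
spec:
  # The pod's Kubernetes API identity. The tailscale container is told to
  # keep its state in a Secret (TS_KUBE_SECRET below), so this account
  # presumably needs access to that Secret; keep its Role scoped to that
  # one resource name rather than to all Secrets in the namespace.
  serviceAccountName: "{{SA_NAME}}"
  initContainers:
    # In order to run as a proxy we need to enable IP Forwarding inside
    # the container. The `net.ipv4.ip_forward` sysctl is not allowlisted
    # in Kubelet by default.
    #
    # NOTE(review): this is the only privileged container in the pod; its
    # args show it running a single `sysctl -w` command. Clusters that
    # allowlist these sysctls on the kubelet (--allowed-unsafe-sysctls)
    # can set them through the pod-level securityContext.sysctls field
    # instead and drop the privileged container entirely.
    - name: sysctler
      # NOTE(review): no tag or digest, so whatever the registry currently
      # serves as the default tag runs with privileged: true. Pin it, e.g.
      # busybox@sha256:<digest> (placeholder, not a real digest).
      image: busybox
      securityContext:
        privileged: true
      command: ["/bin/sh"]
      args:
        - -c
        - sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
      resources:
        requests:
          cpu: 1m
          memory: 1Mi
  containers:
    - name: tailscale
      # NOTE(review): ":latest" combined with imagePullPolicy: Always means
      # each pod start can run a different image than the one that was
      # reviewed. Pin a version tag or digest for deployments where that
      # matters, e.g. ghcr.io/tailscale/tailscale@sha256:<digest>
      # (placeholder).
      imagePullPolicy: Always
      image: "ghcr.io/tailscale/tailscale:latest"
      env:
        # Store the state in a k8s secret
        - name: TS_KUBE_SECRET
          value: "{{TS_KUBE_SECRET}}"
        # Quoted because env values must be strings, not YAML booleans.
        # Presumably "false" selects kernel networking, which is why
        # NET_ADMIN is added below; confirm against the image docs.
        - name: TS_USERSPACE
          value: "false"
        # The auth key is read from the `tailscale-auth` Secret instead of
        # being written into this manifest. optional: true lets the pod
        # start when that Secret or key is absent.
        - name: TS_AUTH_KEY
          valueFrom:
            secretKeyRef:
              name: tailscale-auth
              key: TS_AUTH_KEY
              optional: true
        - name: TS_DEST_IP
          value: "{{TS_DEST_IP}}"
        # Per the commit that introduced it: use the auth key only when
        # auth is actually needed, not unconditionally on every start.
        - name: TS_AUTH_ONCE
          value: "true"
      securityContext:
        # The long-running container gets one added capability and is not
        # privileged; only the short-lived init container above is.
        capabilities:
          add:
            - NET_ADMIN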