inject tailscale sidecar into k8up pod
This commit is contained in:
parent
41747bfc33
commit
8b6f58b89d
60
system/k8up/tailscale-injector-clusterpolicy.yaml
Normal file
60
system/k8up/tailscale-injector-clusterpolicy.yaml
Normal file
|
@ -0,0 +1,60 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: inject-tailscale
|
||||
spec:
|
||||
rules:
|
||||
- name: inject-tailscale
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
selector:
|
||||
matchLabels:
|
||||
k8upjob: "true"
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
spec:
|
||||
shareProcessNamespace: true
|
||||
containers:
|
||||
- name: ts-sidecar
|
||||
imagePullPolicy: IfNotPresent
|
||||
image: ghcr.io/tailscale/tailscale:v1.30
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- |
|
||||
export PATH=$PATH:/tailscale/bin
|
||||
set -e
|
||||
|
||||
if [[ ! -d /dev/net ]]; then
|
||||
mkdir -p /dev/net
|
||||
fi
|
||||
if [[ ! -c /dev/net/tun ]]; then
|
||||
mknod /dev/net/tun c 10 200
|
||||
fi
|
||||
|
||||
echo "Starting tailscaled in background"
|
||||
tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp &
|
||||
TS_PID=$!
|
||||
|
||||
echo "Running tailscale up"
|
||||
tailscale --socket=/tmp/tailscaled.sock up --authkey=${TS_AUTH_KEY} --accept-dns=false --login-server https://headscale.tbrnt.ch
|
||||
|
||||
echo "Waiting for K8up to exit"
|
||||
while pidof k8up > /dev/null; do sleep 1; done
|
||||
|
||||
echo "K8up ended - stopping tailscale"
|
||||
kill -s SIGINT $TS_PID
|
||||
wait ${TS_PID}
|
||||
env:
|
||||
- name: TS_AUTH_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: tailscale-auth-backup
|
||||
key: TS_AUTH_KEY
|
||||
optional: true
|
||||
securityContext:
|
||||
capabilities:
|
||||
add:
|
||||
- NET_ADMIN
|