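---
# RBAC for the tailscale state Secret.
# tailscaled persists its node state in a Secret named `tailscale` (TS_KUBE_SECRET
# below). `create` cannot be scoped by resourceNames, so it is granted on all
# secrets in the namespace for the first run; read/write is then pinned to the
# `tailscale` Secret only, so the pod cannot read other secrets here (it gets
# tailscale-auth through an env var, not through the API).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tailscale
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  - apiGroups: [""]
    resourceNames: ["tailscale"]
    resources: ["secrets"]
    verbs: ["get", "update"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tailscale
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tailscale
subjects:
  # No namespace given: a RoleBinding is namespaced, so this resolves to the
  # ServiceAccount in the same namespace as the binding.
  - kind: ServiceAccount
    name: tailscale
roleRef:
  kind: Role
  name: tailscale
  apiGroup: rbac.authorization.k8s.io
---
# Pre-auth key used to join the control plane.
# SECURITY: this is a live credential in plaintext. Do not commit this file
# with the value filled in; create the Secret out of band (kubectl create
# secret, sealed-secrets / external-secrets, or a templated value) and rotate
# the key if this file has already been pushed anywhere. The value is quoted
# so YAML can never retype it.
apiVersion: v1
kind: Secret
metadata:
  name: tailscale-auth
stringData:
  TS_AUTH_KEY: "3987bd130c13a8d01f3614185691b0bdf48599de8f2a3345"
---
apiVersion: v1
kind: Pod
metadata:
  name: subnet-router
  labels:
    app: tailscale
spec:
  serviceAccountName: tailscale
  containers:
    - name: tailscale
      # SUPPLY CHAIN: `latest` together with `Always` means every pod restart
      # pulls whatever the registry currently serves. Pin a version tag (or,
      # better, an @sha256 digest) so the image running here is reproducible
      # and can be reviewed.
      imagePullPolicy: Always
      image: "ghcr.io/tailscale/tailscale:latest"
      env:
        # Store the node state in the `tailscale` k8s Secret (see Role above).
        - name: TS_KUBE_SECRET
          value: tailscale
        # Userspace networking: no TUN device and no NET_ADMIN are needed, which
        # is what lets the container below drop all capabilities.
        - name: TS_USERSPACE
          value: "true"
        # Optional so the pod still starts once state exists in the Secret and
        # the one-time auth key is no longer present.
        - name: TS_AUTH_KEY
          valueFrom:
            secretKeyRef:
              name: tailscale-auth
              key: TS_AUTH_KEY
              optional: true
        # Subnet routes advertised to the tailnet. These look like the cluster
        # service and pod CIDRs, i.e. the entire in-cluster network becomes
        # reachable by any peer the control-plane ACL policy allows to reach
        # this node — confirm the headscale ACLs match that intent.
        - name: TS_ROUTES
          value: "10.96.0.0/12,10.244.0.0/16"
        - name: TS_EXTRA_ARGS
          value: "--login-server https://headscale.tbrnt.ch"
      # Hardening: userspace mode runs fine as an unprivileged user with no
      # capabilities, so make that explicit and enforce it.
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        seccompProfile:
          type: RuntimeDefault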