69 lines
1.4 KiB
YAML
69 lines
1.4 KiB
YAML
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: tailscale
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["create"]
|
|
- apiGroups: [""]
|
|
resourceNames: ["tailscale"]
|
|
resources: ["secrets"]
|
|
verbs: ["get", "update"]
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: tailscale
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: tailscale
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: tailscale
|
|
roleRef:
|
|
kind: Role
|
|
name: tailscale
|
|
apiGroup: rbac.authorization.k8s.io
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: tailscale-auth
|
|
stringData:
|
|
TS_AUTH_KEY: 3987bd130c13a8d01f3614185691b0bdf48599de8f2a3345
|
|
---
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: subnet-router
|
|
labels:
|
|
app: tailscale
|
|
spec:
|
|
serviceAccountName: tailscale
|
|
containers:
|
|
- name: tailscale
|
|
imagePullPolicy: Always
|
|
image: "ghcr.io/tailscale/tailscale:latest"
|
|
env:
|
|
# Store the state in a k8s secret
|
|
- name: TS_KUBE_SECRET
|
|
value: tailscale
|
|
- name: TS_USERSPACE
|
|
value: "true"
|
|
- name: TS_AUTH_KEY
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: tailscale-auth
|
|
key: TS_AUTH_KEY
|
|
optional: true
|
|
- name: TS_ROUTES
|
|
value: "10.96.0.0/12,10.244.0.0/16"
|
|
- name: TS_EXTRA_ARGS
|
|
value: "--login-server https://headscale.tbrnt.ch"
|
|
securityContext:
|
|
runAsUser: 1000
|
|
runAsGroup: 1000
|