From 54771fa847ca0f1053db97654b4b802e9a975dea Mon Sep 17 00:00:00 2001
From: Alex Lebens
Date: Sun, 2 Mar 2025 23:04:08 -0600
Subject: [PATCH] add tailscale
---
 .../services/tailscale-operator/Chart.yaml | 23 ++++++++
 .../templates/connector.yaml | 19 +++++++
 .../templates/dns-config.yaml | 16 ++++++
 .../templates/external-secrets.yaml | 30 +++++++++++
 .../templates/namespace.yaml | 8 +++
 .../templates/proxy-class.yaml | 52 +++++++++++++++++++
 .../services/tailscale-operator/values.yaml | 21 ++++++++
 7 files changed, 169 insertions(+)
 create mode 100644 clusters/cl01tl/services/tailscale-operator/Chart.yaml
 create mode 100644 clusters/cl01tl/services/tailscale-operator/templates/connector.yaml
 create mode 100644 clusters/cl01tl/services/tailscale-operator/templates/dns-config.yaml
 create mode 100644 clusters/cl01tl/services/tailscale-operator/templates/external-secrets.yaml
 create mode 100644 clusters/cl01tl/services/tailscale-operator/templates/namespace.yaml
 create mode 100644 clusters/cl01tl/services/tailscale-operator/templates/proxy-class.yaml
 create mode 100644 clusters/cl01tl/services/tailscale-operator/values.yaml
diff --git a/clusters/cl01tl/services/tailscale-operator/Chart.yaml b/clusters/cl01tl/services/tailscale-operator/Chart.yaml
new file mode 100644
index 000000000..b91034364
--- /dev/null
+++ b/clusters/cl01tl/services/tailscale-operator/Chart.yaml
@@ -0,0 +1,23 @@
+apiVersion: v2
+name: tailscale-operator
+version: 1.0.0
+description: Tailscale Operator
+keywords:
+ - tailscale-operator
+ - tailscale
+ - wireguard
+ - vpn
+ - kubernetes
+home: https://wiki.alexlebens.dev/doc/tailscale-operator-u9TCoCqP12
+sources:
+ - https://github.com/tailscale/tailscale/tree/main/cmd/k8s-operator/deploy
+ - https://hub.docker.com/r/tailscale/k8s-operator
+ - https://github.com/tailscale/tailscale/tree/main/cmd/k8s-operator/deploy/chart
+maintainers:
+ - name: alexlebens
+dependencies:
+ - name: tailscale-operator
+ version: 1.80.0
+ repository: https://pkgs.tailscale.com/helmcharts
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/tailscale.png
+appVersion: v1.80.0
diff --git a/clusters/cl01tl/services/tailscale-operator/templates/connector.yaml b/clusters/cl01tl/services/tailscale-operator/templates/connector.yaml
new file mode 100644
index 000000000..0a51d611e
--- /dev/null
+++ b/clusters/cl01tl/services/tailscale-operator/templates/connector.yaml
@@ -0,0 +1,19 @@
+apiVersion: tailscale.com/v1alpha1
+kind: Connector
+metadata:
+ name: subnet-router-local
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: subnet-router-local
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: tailscale
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ hostname: subnet-router-local-cl01tl
+ proxyClass: default
+ subnetRouter:
+ advertiseRoutes:
+ - 192.168.1.0/24
+ - 10.230.0.0/24
+ - 10.232.0.0/22
diff --git a/clusters/cl01tl/services/tailscale-operator/templates/dns-config.yaml b/clusters/cl01tl/services/tailscale-operator/templates/dns-config.yaml
new file mode 100644
index 000000000..2a93cc17a
--- /dev/null
+++ b/clusters/cl01tl/services/tailscale-operator/templates/dns-config.yaml
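Review bot: The Connector sets no `tags:`, so the subnet-router node falls back to the operator's generic proxy tag (`proxyConfig.defaultTags: "tag:k8s"` in the values.yaml hunk, as I read the operator's defaults), which means any tailnet policy grant written for ordinary `tag:k8s` proxies also reaches the three advertised RFC1918 ranges. An explicit identity such as `tags: ["tag:k8s-subnet-router"]` (tag name is an example) lets the policy grant route access narrowly, and the advertised routes still need approval, or an `autoApprovers` rule, in the tailnet policy before they become reachable. Nothing records what `192.168.1.0/24`, `10.230.0.0/24` and `10.232.0.0/22` are; a one-line comment above each route naming the network it exposes would make later policy reviews far easier. Separately, Connector is, as far as I recall, a cluster-scoped resource, as are the DNSConfig and ProxyClass objects in the dns-config.yaml and proxy-class.yaml hunks, so the `namespace: {{ .Release.Namespace }}` line is ignored at best and can be dropped from all three templates.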
@@ -0,0 +1,16 @@
+apiVersion: tailscale.com/v1alpha1
+kind: DNSConfig
+metadata:
+ name: ts-dns
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: ts-dns
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: tailscale
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ nameserver:
+ image:
+ repo: tailscale/k8s-nameserver
+ tag: unstable-v1.81.44
diff --git a/clusters/cl01tl/services/tailscale-operator/templates/external-secrets.yaml b/clusters/cl01tl/services/tailscale-operator/templates/external-secrets.yaml
new file mode 100644
index 000000000..9c05f69ad
--- /dev/null
+++ b/clusters/cl01tl/services/tailscale-operator/templates/external-secrets.yaml
@@ -0,0 +1,30 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: operator-oauth
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: operator-oauth
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: client_id
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /tailscale/k8s-operator
+ metadataPolicy: None
+ property: clientId
+ - secretKey: client_secret
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /tailscale/k8s-operator
+ metadataPolicy: None
+ property: clientSecret
diff --git a/clusters/cl01tl/services/tailscale-operator/templates/namespace.yaml b/clusters/cl01tl/services/tailscale-operator/templates/namespace.yaml
new file mode 100644
index 000000000..d8e00a849
--- /dev/null
+++ b/clusters/cl01tl/services/tailscale-operator/templates/namespace.yaml
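Review bot: The nameserver image is pinned to `tag: unstable-v1.81.44`, a pre-release build, while the operator pulled in by the Chart.yaml hunk is pinned to release 1.80.0 (`appVersion: v1.80.0`); running the DNS component ahead of the operator on an unstable tag makes the rollout hard to reproduce and to review. If a stable `k8s-nameserver` release tag matching the operator version is published, pin to that, ideally with a digest; if the unstable build is needed for a specific fix, say so in a comment above `tag:`, e.g. `# unstable build needed for <reason>; move to a release tag when available`.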
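Review bot: The ExternalSecret's name `operator-oauth` and its `client_id`/`client_secret` keys are a contract with the upstream chart — with `oauth: {}` in the values.yaml hunk the chart creates no OAuth Secret of its own and, as I read it, reads one by exactly this name — but nothing in the template says so, and renaming either would silently break the operator. A comment above `metadata:` such as `# Name and keys are fixed by the upstream tailscale-operator chart (used when values oauth is left empty)` would protect that. No `refreshInterval` is set, so the ESO default applies; an explicit value documents how quickly a rotated OAuth client in Vault reaches the cluster. Also, `app.kubernetes.io/component: web` does not match the `tailscale`/`proxy` component labels used by the sibling templates; `tailscale` looks like the intended value.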
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: tailscale-operator
+ labels:
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/warn: privileged
diff --git a/clusters/cl01tl/services/tailscale-operator/templates/proxy-class.yaml b/clusters/cl01tl/services/tailscale-operator/templates/proxy-class.yaml
new file mode 100644
index 000000000..60435ae42
--- /dev/null
+++ b/clusters/cl01tl/services/tailscale-operator/templates/proxy-class.yaml
@@ -0,0 +1,52 @@
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyClass
+metadata:
+ name: default
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: default
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: proxy
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ metrics:
+ enable: true
+ serviceMonitor:
+ enable: true
+ statefulSet:
+ pod:
+ tailscaleContainer:
+ resources:
+ limits:
+ squat.ai/tun: "1"
+ tailscaleInitContainer:
+ resources:
+ limits:
+ squat.ai/tun: "1"
+
+---
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyClass
+metadata:
+ name: no-metrics
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: no-metrics
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: proxy
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ metrics:
+ enable: false
+ statefulSet:
+ pod:
+ tailscaleContainer:
+ resources:
+ limits:
+ squat.ai/tun: "1"
+ tailscaleInitContainer:
+ resources:
+ limits:
+ squat.ai/tun: "1"
diff --git a/clusters/cl01tl/services/tailscale-operator/values.yaml b/clusters/cl01tl/services/tailscale-operator/values.yaml
new file mode 100644
index 000000000..33961aad6
--- /dev/null
+++ b/clusters/cl01tl/services/tailscale-operator/values.yaml
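Review bot: `name: tailscale-operator` is hard-coded while every other template in this commit uses `{{ .Release.Namespace }}`, so installing the release into any other namespace would label a namespace no pod runs in and leave the real one without the pod-security exemption; `name: {{ .Release.Namespace }}` keeps them in step. The exemption itself is broad: `enforce: privileged` switches Pod Security admission off for every pod in the namespace, presumably because the Tailscale workloads request `NET_ADMIN` and a tun device that the baseline profile rejects, but that reason should be written down, e.g. `# privileged: Tailscale proxies need NET_ADMIN and /dev/net/tun, which baseline rejects`. If the audit noise from the Tailscale pods themselves is acceptable, keeping `enforce` at `privileged` but setting `audit` and `warn` to `baseline` would still surface anything placed in this namespace that does not need the exemption.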
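Review bot: The two ProxyClass documents duplicate the entire `statefulSet.pod` stanza and differ only in `metrics`; with the copies this close, a later change to the tun resource limit is likely to land in one class only. Since this is a Helm template, a small named template for the pod stanza, or at least a comment on `no-metrics` stating that its pod section must mirror `default`, would keep them aligned. The `squat.ai/tun: "1"` limits are an extended resource that only schedules when a device plugin advertising it runs on the nodes; nothing in this commit provides one, so a comment naming the plugin the cluster relies on would spare the next reader a Pending-pod hunt.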
@@ -0,0 +1,21 @@
+tailscale-operator:
+ oauth: {}
+ installCRDs: true
+ operatorConfig:
+ defaultTags:
+ - "tag:k8s-operator"
+ logging: info
+ hostname: tailscale-operator-cl01tl
+ nodeSelector:
+ kubernetes.io/os: linux
+ operatorConfig:
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ proxyConfig:
+ defaultTags: "tag:k8s"
+ firewallMode: auto
+ defaultProxyClass: "default"
+ apiServerProxyConfig:
+ mode: "false"
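Review bot: `operatorConfig:` appears twice in this file; the indentation is lost in this paste, so either it is a duplicate sibling key — in which case the loader keeps only the last mapping and silently drops `defaultTags`, `logging`, `hostname` and `nodeSelector`, or rejects the file outright, depending on the parser — or the second one is nested inside the first, where `operatorConfig.operatorConfig.securityContext` is not a path the upstream chart reads (as I read its values) and the `NET_ADMIN` capability is never applied. Either way the fix is the same: delete the second `operatorConfig:` line and put `securityContext:` with its `capabilities.add` list directly under the first block, at the same level as `nodeSelector`. `oauth: {}` is deliberate — the credentials arrive via the ExternalSecret in the external-secrets.yaml hunk — but that deserves an inline comment, e.g. `oauth: {}  # supplied by ExternalSecret operator-oauth, not by chart values`.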