Skip to content

Commit

Permalink
Add example Tailscale subnet-router deployment
Browse files Browse the repository at this point in the history 
Showcase how the service-observer can be used to dynamically advertise
services in a tailnet.
  • Loading branch information
@simu
simu committed Oct 21, 2022
1 parent acc7460 commit 794891c
Show file tree
Hide file tree
Showing 2 changed files with 158 additions and 0 deletions.
2 changes: 2 additions & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,3 +20,5 @@ The observer expects to run in a context with a working Kubernetes configuration
The environment variable `TARGET_NAMESPACE` must be set to the namespace in which the observer should watch services.
The environment variable `TAILSCALE_API_URL` can be used to provide a custom URL for the Tailscale client's HTTP API.
By default, the observer expects the API to be reachable at `http://localhost:8088`.

See the [subnet-router.yaml](./examples/subnet-router.yaml) for an example deployment.
156 changes: 156 additions & 0 deletions examples/subnet-router.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,156 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: tailscale
---
apiVersion: v1
kind: Secret
metadata:
name: tailscale
data: {}
---
apiVersion: v1
kind: Secret
metadata:
name: tailscale-auth
stringData:
# Set to a Auth key for the desired tailnet generated in the Tailscale admin panel
TS_AUTH_KEY: <YOUR-TS-AUTH-KEY>
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: tailscale
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- tailscale
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tailscale
subjects:
- kind: ServiceAccount
name: tailscale
roleRef:
kind: Role
name: tailscale
apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: tailscale-namespace-router
spec:
minReadySeconds: 15
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: tailscale-namespace-router
strategy:
type: Recreate
template:
metadata:
labels:
app: tailscale-namespace-router
spec:
containers:
- env:
- name: TS_KUBE_SECRET
value: tailscale
- name: TS_USERSPACE
value: "true"
- name: TS_AUTH_KEY
valueFrom:
secretKeyRef:
key: TS_AUTH_KEY
name: tailscale-auth
optional: true
- name: HOME
value: /home/tailscale
- name: TS_SOCKET
value: /var/run/tailscaled/tailscaled.sock
image: ghcr.io/tailscale/tailscale:latest
name: tailscale
resources:
requests:
cpu: 40m
memory: 200Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /home/tailscale
name: home
- mountPath: /var/run/tailscaled
name: socket
- command:
- /usr/local/bin/tailscale
- --socket=/var/run/tailscaled/tailscaled.sock
- web
image: ghcr.io/tailscale/tailscale:latest
name: tailscale-web
resources:
requests:
cpu: 10m
memory: 50Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /var/run/tailscaled
name: socket
- image: ghcr.io/appuio/tailscale-service-observer:latest
env:
- name: TARGET_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
name: service-observer
resources:
requests:
cpu: 10m
memory: 50Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /home/tailscale
name: home
serviceAccountName: tailscale
volumes:
- emptyDir: {}
name: home
- emptyDir: {}
name: socket

0 comments on commit 794891c

Please sign in to comment.