From 794891c6b76eb581b3dc2200fee95036633c14ff Mon Sep 17 00:00:00 2001
From: Simon Gerber
Date: Fri, 21 Oct 2022 10:07:06 +0200
Subject: [PATCH] Add example Tailscale subnet-router deployment

Showcase how the service-observer can be used to dynamically advertise services in a tailnet.
---
 README.md | 2 +
 examples/subnet-router.yaml | 156 ++++++++++++++++++++++++++++++++++++
 2 files changed, 158 insertions(+)
 create mode 100644 examples/subnet-router.yaml

diff --git a/README.md b/README.md
index c79f484..d9006d7 100644
--- a/README.md
+++ b/README.md
@@ -20,3 +20,5 @@ The observer expects to run in a context with a working Kubernetes configuration
 The environment variable `TARGET_NAMESPACE` must be set to the namespace in which the observer should watch services.
 The environment variable `TAILSCALE_API_URL` can be used to provide a custom URL for the Tailscale client's HTTP API.
 By default, the observer expects the API to be reachable at `http://localhost:8088`.
+
+See the [subnet-router.yaml](./examples/subnet-router.yaml) for an example deployment.
diff --git a/examples/subnet-router.yaml b/examples/subnet-router.yaml
new file mode 100644
index 0000000..dc2504b
--- /dev/null
+++ b/examples/subnet-router.yaml
@@ -0,0 +1,156 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tailscale +--- +apiVersion: v1 +kind: Secret +metadata: + name: tailscale +data: {} +--- +apiVersion: v1 +kind: Secret +metadata: + name: tailscale-auth +stringData: + # Set to a Auth key for the desired tailnet generated in the Tailscale admin panel + TS_AUTH_KEY: +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: tailscale +rules: + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - tailscale + verbs: + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: tailscale +subjects: + - kind: ServiceAccount + name: tailscale +roleRef: + kind: Role + name: tailscale + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tailscale-namespace-router +spec: + minReadySeconds: 15 + progressDeadlineSeconds: 600 + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app: tailscale-namespace-router + strategy: + type: Recreate + template: + metadata: + labels: + app: tailscale-namespace-router + spec: + containers: + - env: + - name: TS_KUBE_SECRET + value: tailscale + - name: TS_USERSPACE + value: "true" + - name: TS_AUTH_KEY + valueFrom: + secretKeyRef: + key: TS_AUTH_KEY + name: tailscale-auth + optional: true + - name: HOME + value: /home/tailscale + - name: TS_SOCKET + value: /var/run/tailscaled/tailscaled.sock + image: ghcr.io/tailscale/tailscale:latest + name: tailscale + resources: + requests: + cpu: 40m + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /home/tailscale + name: home + - mountPath: /var/run/tailscaled + name: socket + - command: + - /usr/local/bin/tailscale + - --socket=/var/run/tailscaled/tailscaled.sock + - web + image: ghcr.io/tailscale/tailscale:latest + 
name: tailscale-web + resources: + requests: + cpu: 10m + memory: 50Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /var/run/tailscaled + name: socket + - image: ghcr.io/appuio/tailscale-service-observer:latest + env: + - name: TARGET_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + name: service-observer + resources: + requests: + cpu: 10m + memory: 50Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /home/tailscale + name: home + serviceAccountName: tailscale + volumes: + - emptyDir: {} + name: home + - emptyDir: {} + name: socket
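Review bot: The Role in this hunk grants only `get`/`update` on the `tailscale` Secret, yet the `service-observer` container runs under the same `tailscale` ServiceAccount (`serviceAccountName: tailscale`) and, per the README context in this patch, is expected to watch Services in `TARGET_NAMESPACE`; unless it obtains credentials some other way, its API calls will be forbidden, so the Role presumably needs a second rule for `services` with `get`/`list`/`watch` (sketched below). All three containers pull `:latest` (`ghcr.io/tailscale/tailscale:latest`, `ghcr.io/appuio/tailscale-service-observer:latest`), which makes the example neither reproducible nor auditable; pin each image to a release tag or an `@sha256:` digest. `NET_BIND_SERVICE` is added to every container, including the observer and the `tailscale web` sidecar, although nothing in this manifest shows either binding a port below 1024, so the capability could be dropped where it is not needed. `TS_AUTH_KEY:` under `stringData` is a bare empty value, which parses as null; a quoted, clearly marked placeholder such as `TS_AUTH_KEY: "<your tailnet auth key>"` makes the required edit explicit and avoids creating a Secret whose key is silently empty.

```yaml
rules:
  # … unchanged: secrets rule for the tailscale state Secret …
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
```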