cmd/k8s-operator: fixes helm template for oauth secret volume mount (#18230)

Fixes #18228

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
Tom Meadows
2025-12-17 20:58:47 +01:00
committed by GitHub
parent 323604b76c
commit b21cba0921
2 changed files with 27 additions and 23 deletions
@@ -34,17 +34,11 @@ spec:
securityContext: securityContext:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
{{- end }} {{- end }}
{{- if or .Values.oauth.clientSecret .Values.oauth.audience }}
volumes: volumes:
{{- if .Values.oauth.clientSecret }} {{- if .Values.oauthSecretVolume }}
- name: oauth - name: oauth
{{- with .Values.oauthSecretVolume }} {{- toYaml .Values.oauthSecretVolume | nindent 10 }}
{{- toYaml . | nindent 10 }} {{- else if .Values.oauth.audience }}
{{- else }}
secret:
secretName: operator-oauth
{{- end }}
{{- else }}
- name: oidc-jwt - name: oidc-jwt
projected: projected:
defaultMode: 420 defaultMode: 420
@@ -53,8 +47,11 @@ spec:
audience: {{ .Values.oauth.audience }} audience: {{ .Values.oauth.audience }}
expirationSeconds: 3600 expirationSeconds: 3600
path: token path: token
{{- else }}
- name: oauth
secret:
secretName: operator-oauth
{{- end }} {{- end }}
{{- end }}
containers: containers:
- name: operator - name: operator
{{- with .Values.operatorConfig.securityContext }} {{- with .Values.operatorConfig.securityContext }}
@@ -85,7 +82,7 @@ spec:
value: {{ .Values.loginServer }} value: {{ .Values.loginServer }}
- name: OPERATOR_INGRESS_CLASS_NAME - name: OPERATOR_INGRESS_CLASS_NAME
value: {{ .Values.ingressClass.name }} value: {{ .Values.ingressClass.name }}
{{- if .Values.oauth.clientSecret }} {{- if .Values.oauthSecretVolume }}
- name: CLIENT_ID_FILE - name: CLIENT_ID_FILE
value: /oauth/client_id value: /oauth/client_id
- name: CLIENT_SECRET_FILE - name: CLIENT_SECRET_FILE
@@ -93,6 +90,11 @@ spec:
{{- else if .Values.oauth.audience }} {{- else if .Values.oauth.audience }}
- name: CLIENT_ID - name: CLIENT_ID
value: {{ .Values.oauth.clientId }} value: {{ .Values.oauth.clientId }}
{{- else }}
- name: CLIENT_ID_FILE
value: /oauth/client_id
- name: CLIENT_SECRET_FILE
value: /oauth/client_secret
{{- end }} {{- end }}
{{- $proxyTag := printf ":%s" ( .Values.proxyConfig.image.tag | default .Chart.AppVersion )}} {{- $proxyTag := printf ":%s" ( .Values.proxyConfig.image.tag | default .Chart.AppVersion )}}
- name: PROXY_IMAGE - name: PROXY_IMAGE
@@ -118,18 +120,20 @@ spec:
{{- with .Values.operatorConfig.extraEnv }} {{- with .Values.operatorConfig.extraEnv }}
{{- toYaml . | nindent 12 }} {{- toYaml . | nindent 12 }}
{{- end }} {{- end }}
{{- if or .Values.oauth.clientSecret .Values.oauth.audience }}
volumeMounts: volumeMounts:
{{- if .Values.oauth.clientSecret }} {{- if .Values.oauthSecretVolume }}
- name: oauth - name: oauth
mountPath: /oauth mountPath: /oauth
readOnly: true readOnly: true
{{- else }} {{- else if .Values.oauth.audience }}
- name: oidc-jwt - name: oidc-jwt
mountPath: /var/run/secrets/tailscale/serviceaccount mountPath: /var/run/secrets/tailscale/serviceaccount
readOnly: true readOnly: true
{{- end }} {{- else }}
{{- end }} - name: oauth
mountPath: /oauth
readOnly: true
{{- end }}
{{- with .Values.operatorConfig.nodeSelector }} {{- with .Values.operatorConfig.nodeSelector }}
nodeSelector: nodeSelector:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
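Review bot: The precedence between credential modes is inverted by the new `{{- else if .Values.oauth.audience }}` branches in the volumes, env and volumeMounts blocks: a release that sets both `oauth.clientSecret` and `oauth.audience` previously mounted the `operator-oauth` Secret and now silently switches to the projected service-account token, while `oauth-secret.yaml` (now gated on `not .Values.oauth.audience`, if I read that hunk correctly) stops rendering the Secret the old configuration relied on. Rather than choosing silently, fail at render time, e.g. `{{- if and .Values.oauth.clientSecret .Values.oauth.audience }}{{ fail "set either oauth.clientSecret or oauth.audience, not both" }}{{- end }}` at the top of the template, and likewise for `oauthSecretVolume` combined with `oauth.clientSecret`, which otherwise still renders an `operator-oauth` Secret holding the client secret that nothing mounts. The final `{{- else }}` branch now mounts `operator-oauth` whenever no oauth values are set, so a release with no credentials configured fails at pod start with a missing-Secret mount error instead of at install; if a pre-created Secret is the intended path, say so above that branch, e.g. `# No oauth values set: a pre-created Secret named operator-oauth is expected`. The surrounding context lines also leave `value: {{ .Values.oauth.clientId }}` and `audience: {{ .Values.oauth.audience }}` unquoted; `| quote` would keep a digit-only value from being typed as an integer and rejected by the API server.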
@@ -1,7 +1,7 @@
# Copyright (c) Tailscale Inc & AUTHORS # Copyright (c) Tailscale Inc & AUTHORS
# SPDX-License-Identifier: BSD-3-Clause # SPDX-License-Identifier: BSD-3-Clause
{{ if and .Values.oauth .Values.oauth.clientId .Values.oauth.clientSecret -}} {{ if and .Values.oauth .Values.oauth.clientId (not .Values.oauth.audience) -}}
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata: