Tom Proctor
d4c5b278b3
The feature is currently in private alpha, so requires a tailnet feature
flag. Initially focuses on supporting the operator's own auth, because the
operator is the only device we maintain that uses static long-lived
credentials. All other operator-created devices use single-use auth keys.
Testing steps:
* Create a cluster with an API server accessible over public internet
* kubectl get --raw /.well-known/openid-configuration | jq '.issuer'
* Create a federated OAuth client in the Tailscale admin console with:
* The issuer from the previous step
* Subject claim `system:serviceaccount:tailscale:operator`
* Write scopes services, devices:core, auth_keys
* Tag tag:k8s-operator
* Allow the Tailscale control plane to get the public portion of
the ServiceAccount token signing key without authentication:
* kubectl create clusterrolebinding oidc-discovery \
--clusterrole=system:service-account-issuer-discovery \
--group=system:unauthenticated
* helm install --set oauth.clientId=... --set oauth.audience=...
Updates #17457
Change-Id: Ib29c85ba97b093c70b002f4f41793ffc02e6c6e9
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
145 lines
5.2 KiB
YAML
145 lines
5.2 KiB
YAML
# Copyright (c) Tailscale Inc & AUTHORS
|
|
# SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: operator
|
|
namespace: {{ .Release.Namespace }}
|
|
spec:
|
|
replicas: 1
|
|
strategy:
|
|
type: Recreate
|
|
selector:
|
|
matchLabels:
|
|
app: operator
|
|
template:
|
|
metadata:
|
|
{{- with .Values.operatorConfig.podAnnotations }}
|
|
annotations:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
labels:
|
|
app: operator
|
|
{{- with .Values.operatorConfig.podLabels }}
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
spec:
|
|
{{- with .Values.imagePullSecrets }}
|
|
imagePullSecrets:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
serviceAccountName: operator
|
|
{{- with .Values.operatorConfig.podSecurityContext }}
|
|
securityContext:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- if or .Values.oauth.clientSecret .Values.oauth.audience }}
|
|
volumes:
|
|
{{- if .Values.oauth.clientSecret }}
|
|
- name: oauth
|
|
{{- with .Values.oauthSecretVolume }}
|
|
{{- toYaml . | nindent 10 }}
|
|
{{- else }}
|
|
secret:
|
|
secretName: operator-oauth
|
|
{{- end }}
|
|
{{- else }}
|
|
- name: oidc-jwt
|
|
projected:
|
|
defaultMode: 420
|
|
sources:
|
|
- serviceAccountToken:
|
|
audience: {{ .Values.oauth.audience }}
|
|
expirationSeconds: 3600
|
|
path: token
|
|
{{- end }}
|
|
{{- end }}
|
|
containers:
|
|
- name: operator
|
|
{{- with .Values.operatorConfig.securityContext }}
|
|
securityContext:
|
|
{{- toYaml . | nindent 12 }}
|
|
{{- end }}
|
|
{{- with .Values.operatorConfig.resources }}
|
|
resources:
|
|
{{- toYaml . | nindent 12 }}
|
|
{{- end }}
|
|
{{- $operatorTag:= printf ":%s" ( .Values.operatorConfig.image.tag | default .Chart.AppVersion )}}
|
|
image: {{ coalesce .Values.operatorConfig.image.repo .Values.operatorConfig.image.repository }}{{- if .Values.operatorConfig.image.digest -}}{{ printf "@%s" .Values.operatorConfig.image.digest}}{{- else -}}{{ printf "%s" $operatorTag }}{{- end }}
|
|
imagePullPolicy: {{ .Values.operatorConfig.image.pullPolicy }}
|
|
env:
|
|
- name: OPERATOR_INITIAL_TAGS
|
|
value: {{ join "," .Values.operatorConfig.defaultTags }}
|
|
- name: OPERATOR_HOSTNAME
|
|
value: {{ .Values.operatorConfig.hostname }}
|
|
- name: OPERATOR_SECRET
|
|
value: operator
|
|
- name: OPERATOR_LOGGING
|
|
value: {{ .Values.operatorConfig.logging }}
|
|
- name: OPERATOR_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: OPERATOR_LOGIN_SERVER
|
|
value: {{ .Values.loginServer }}
|
|
- name: OPERATOR_INGRESS_CLASS_NAME
|
|
value: {{ .Values.ingressClass.name }}
|
|
{{- if .Values.oauth.clientSecret }}
|
|
- name: CLIENT_ID_FILE
|
|
value: /oauth/client_id
|
|
- name: CLIENT_SECRET_FILE
|
|
value: /oauth/client_secret
|
|
{{- else if .Values.oauth.audience }}
|
|
- name: CLIENT_ID
|
|
value: {{ .Values.oauth.clientId }}
|
|
{{- end }}
|
|
{{- $proxyTag := printf ":%s" ( .Values.proxyConfig.image.tag | default .Chart.AppVersion )}}
|
|
- name: PROXY_IMAGE
|
|
value: {{ coalesce .Values.proxyConfig.image.repo .Values.proxyConfig.image.repository }}{{- if .Values.proxyConfig.image.digest -}}{{ printf "@%s" .Values.proxyConfig.image.digest}}{{- else -}}{{ printf "%s" $proxyTag }}{{- end }}
|
|
- name: PROXY_TAGS
|
|
value: {{ .Values.proxyConfig.defaultTags }}
|
|
- name: APISERVER_PROXY
|
|
value: "{{ .Values.apiServerProxyConfig.mode }}"
|
|
- name: PROXY_FIREWALL_MODE
|
|
value: {{ .Values.proxyConfig.firewallMode }}
|
|
{{- if .Values.proxyConfig.defaultProxyClass }}
|
|
- name: PROXY_DEFAULT_CLASS
|
|
value: {{ .Values.proxyConfig.defaultProxyClass }}
|
|
{{- end }}
|
|
- name: POD_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.name
|
|
- name: POD_UID
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.uid
|
|
{{- with .Values.operatorConfig.extraEnv }}
|
|
{{- toYaml . | nindent 12 }}
|
|
{{- end }}
|
|
{{- if or .Values.oauth.clientSecret .Values.oauth.audience }}
|
|
volumeMounts:
|
|
{{- if .Values.oauth.clientSecret }}
|
|
- name: oauth
|
|
mountPath: /oauth
|
|
readOnly: true
|
|
{{- else }}
|
|
- name: oidc-jwt
|
|
mountPath: /var/run/secrets/tailscale/serviceaccount
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- with .Values.operatorConfig.nodeSelector }}
|
|
nodeSelector:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.operatorConfig.affinity }}
|
|
affinity:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.operatorConfig.tolerations }}
|
|
tolerations:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|