From 11973aa7edf4b790da75dc255ec3c46f1a0340a0 Mon Sep 17 00:00:00 2001 From: Marcus Noble Date: Sat, 30 Mar 2024 16:03:20 +0000 Subject: [PATCH] Switch Civo to using new Tailscale proxy Signed-off-by: Marcus Noble --- manifests/proxy-civo/non-auth-proxy.yaml | 90 +++--------------------- 1 file changed, 8 insertions(+), 82 deletions(-) diff --git a/manifests/proxy-civo/non-auth-proxy.yaml b/manifests/proxy-civo/non-auth-proxy.yaml index 120f69c..8e151d3 100644 --- a/manifests/proxy-civo/non-auth-proxy.yaml +++ b/manifests/proxy-civo/non-auth-proxy.yaml @@ -25,49 +25,6 @@ data: "loki-distributed.proxy-civo.svc:80": "loki-loki.cluster.local" } --- -apiVersion: v1 -kind: Secret -metadata: - name: tailscale-internal-proxy - namespace: proxy-civo -type: Opaque ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: tailscale-internal-proxy - labels: - app.kubernetes.io/name: tailscale ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: tailscale-internal-proxy - labels: - app.kubernetes.io/name: tailscale -subjects: -- kind: ServiceAccount - name: "tailscale-internal-proxy" -roleRef: - kind: Role - name: tailscale-internal-proxy - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: tailscale-internal-proxy - labels: - app.kubernetes.io/name: tailscale -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["create"] -- apiGroups: [""] - resourceNames: ["tailscale-internal-proxy"] - resources: ["secrets"] - verbs: ["get", "update"] ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -77,7 +34,7 @@ metadata: app: internal-proxy annotations: configmap.reloader.stakater.com/reload: "host-mappings" - secret.reloader.stakater.com/reload: "tailscale-internal-proxy" + secret.reloader.stakater.com/reload: "tailscale-auth" spec: replicas: 1 strategy: 
@@ -90,7 +47,6 @@ spec: labels: app: internal-proxy spec: - serviceAccountName: tailscale-internal-proxy dnsPolicy: ClusterFirst dnsConfig: nameservers: @@ -104,49 +60,19 @@ spec: value: talos.averagemarcus.github.beta.tailscale.net - name: PORT value: "8080" + - name: TS_AUTH_KEY + valueFrom: + secretKeyRef: + name: tailscale-auth + key: password + - name: TS_HOSTNAME + value: proxy-civo-internal-proxy ports: - containerPort: 8080 protocol: TCP volumeMounts: - name: host-mappings mountPath: /config/ - - name: tailscale - image: ghcr.io/tailscale/tailscale:v1.62 - imagePullPolicy: Always - tty: true - env: - - name: TS_AUTH_KEY - valueFrom: - secretKeyRef: - name: tailscale-auth - key: password - - name: TS_KUBE_SECRET - value: tailscale-internal-proxy - - name: TS_ACCEPT_DNS - value: "true" - - name: TS_EXTRA_ARGS - value: "--hostname=proxy-civo-internal-proxy" - securityContext: - capabilities: - add: - - NET_ADMIN - command: - - sh - - -c - - | - export PATH=$PATH:/tailscale/bin - if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi - if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi - echo "Starting tailscaled" - tailscaled --state=kube:${TS_KUBE_SECRET} --socket=/tmp/tailscaled.sock & - PID=$! - echo "Running tailscale up" - tailscale --socket=/tmp/tailscaled.sock up \ - --accept-dns=${TS_ACCEPT_DNS} \ - --authkey=${TS_AUTH_KEY} \ - ${TS_EXTRA_ARGS} - echo "Re-enabling incoming traffic from the cluster" - wait ${PID} volumes: - name: host-mappings configMap:
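Review bot: Dropping `serviceAccountName` makes the pod run under the namespace's `default` service account, and its API token is still auto-mounted even though nothing left in the pod needs the Kubernetes API (the Role that granted Secret access is deleted in the first hunk). Set `automountServiceAccountToken: false` next to `dnsPolicy: ClusterFirst` at pod-spec level so a compromise of the proxy container does not also yield a cluster credential. The enclosing pod spec continues outside the hunk.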
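Review bot: Nothing on the new side persists Tailscale node state, whereas the removed sidecar kept it in the `tailscale-internal-proxy` Secret via `--state=kube:${TS_KUBE_SECRET}`, so every pod restart will re-register with TS_AUTH_KEY as a fresh node unless the proxy binary stores state somewhere not visible here. That only works if the key in `tailscale-auth` is reusable, and unless it is also an ephemeral key the tailnet will accumulate stale `proxy-civo-internal-proxy` nodes; a comment above `- name: TS_AUTH_KEY` such as `# reusable (ideally ephemeral) auth key: node state is not persisted across restarts` would record that requirement. The container's `image:` line sits above the hunk and the diffstat's 8 insertions are all accounted for by this hunk and the annotation hunk, so the image reference was not changed by this commit and the rollout presumably relies on a mutable tag having been rebuilt with the Tailscale client; pinning a digest or version tag would make that explicit. The enclosing container spec starts outside the hunk.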