apiVersion: v1 kind: Namespace metadata: name: auth-proxy --- apiVersion: v1 kind: Secret metadata: name: auth-proxy namespace: auth-proxy annotations: kube-1password: mr6spkkx7n3memkbute6ojaarm kube-1password/vault: Kubernetes type: Opaque --- apiVersion: v1 kind: Secret metadata: name: tailscale-auth namespace: auth-proxy annotations: kube-1password: 2cqycmsgv5r7vcyvjpblcl2l4y kube-1password/vault: Kubernetes type: Opaque --- apiVersion: v1 kind: Secret metadata: name: tailscale-auth-proxy type: Opaque --- apiVersion: v1 kind: ServiceAccount metadata: name: tailscale-auth-proxy labels: app.kubernetes.io/name: tailscale --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: tailscale-auth-proxy labels: app.kubernetes.io/name: tailscale subjects: - kind: ServiceAccount name: "tailscale-auth-proxy" roleRef: kind: Role name: tailscale-auth-proxy apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: tailscale-auth-proxy labels: app.kubernetes.io/name: tailscale rules: - apiGroups: [""] resources: ["secrets"] verbs: ["create"] - apiGroups: [""] resourceNames: ["tailscale-auth-proxy"] resources: ["secrets"] verbs: ["get", "update"] --- apiVersion: apps/v1 kind: Deployment metadata: name: auth-proxy namespace: auth-proxy labels: app: auth-proxy annotations: secret.reloader.stakater.com/reload: "tailscale-auth" spec: replicas: 1 strategy: type: Recreate selector: matchLabels: app: auth-proxy template: metadata: labels: app: auth-proxy spec: serviceAccountName: tailscale-auth-proxy dnsPolicy: ClusterFirst dnsConfig: nameservers: - 100.100.100.100 initContainers: - name: sysctler image: busybox securityContext: privileged: true command: ["/bin/sh"] args: - -c - | sysctl -w net.ipv4.ip_forward=1 sysctl -w net.ipv6.conf.all.forwarding=1 sysctl -w net.ipv6.conf.all.disable_ipv6=0 resources: requests: cpu: 1m memory: 1Mi containers: - name: oauth-proxy image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0 args: - --cookie-secure=false - --provider=oidc - --provider-display-name=Auth0 - --upstream=http://talos.averagemarcus.github.beta.tailscale.net - --http-address=0.0.0.0:8080 - --email-domain=* - --pass-basic-auth=false - --pass-access-token=false - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/ - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT - --cookie-expire=336h0m0s env: - name: HOST_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP - name: OAUTH2_PROXY_CLIENT_ID valueFrom: secretKeyRef: key: username name: auth-proxy - name: OAUTH2_PROXY_CLIENT_SECRET valueFrom: secretKeyRef: key: password name: auth-proxy ports: - containerPort: 8080 protocol: TCP resources: limits: memory: 50Mi requests: memory: 50Mi - name: tailscale image: ghcr.io/tailscale/tailscale:v1.61 imagePullPolicy: Always env: - name: TS_AUTH_KEY valueFrom: secretKeyRef: name: tailscale-auth key: password - name: TS_KUBE_SECRET value: tailscale-auth-proxy - name: TS_ACCEPT_DNS value: "true" - name: TS_EXTRA_ARGS value: "--hostname=auth-proxy-oauth2" securityContext: capabilities: add: - NET_ADMIN command: - sh - -c - | export PATH=$PATH:/tailscale/bin if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi echo "Starting tailscaled" tailscaled --state=kube:${TS_KUBE_SECRET} --socket=/tmp/tailscaled.sock & PID=$! echo "Running tailscale up" tailscale --socket=/tmp/tailscaled.sock up \ --accept-dns=${TS_ACCEPT_DNS} \ --authkey=${TS_AUTH_KEY} \ ${TS_EXTRA_ARGS} echo "Re-enabling incoming traffic from the cluster" wait ${PID} --- apiVersion: v1 kind: Service metadata: name: auth-proxy namespace: auth-proxy labels: app: auth-proxy spec: ports: - name: http port: 80 protocol: TCP targetPort: 8080 selector: app: auth-proxy type: ClusterIP