apiVersion: v1 kind: Secret metadata: name: tailscale-non-auth-proxy namespace: auth-proxy type: Opaque --- apiVersion: v1 kind: ServiceAccount metadata: name: tailscale-non-auth-proxy labels: app.kubernetes.io/name: tailscale --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: tailscale-non-auth-proxy labels: app.kubernetes.io/name: tailscale subjects: - kind: ServiceAccount name: "tailscale-non-auth-proxy" roleRef: kind: Role name: tailscale-non-auth-proxy apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: tailscale-non-auth-proxy labels: app.kubernetes.io/name: tailscale rules: - apiGroups: [""] resources: ["secrets"] verbs: ["create"] - apiGroups: [""] resourceNames: ["tailscale-non-auth-proxy"] resources: ["secrets"] verbs: ["get", "update"] --- apiVersion: apps/v1 kind: Deployment metadata: name: non-auth-proxy namespace: auth-proxy labels: app: non-auth-proxy spec: replicas: 1 strategy: type: Recreate selector: matchLabels: app: non-auth-proxy template: metadata: labels: app: non-auth-proxy spec: serviceAccountName: tailscale-non-auth-proxy dnsPolicy: ClusterFirst dnsConfig: nameservers: - 100.100.100.100 containers: - name: oauth-proxy image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1 args: - --cookie-secure=false - --provider=oidc - --provider-display-name=Auth0 - --upstream=http://talos.averagemarcus.github.beta.tailscale.net - --http-address=0.0.0.0:8080 - --email-domain=* - --pass-basic-auth=false - --pass-access-token=false - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/ - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT - --cookie-expire=336h0m0s - --trusted-ip=0.0.0.0/0 env: - name: HOST_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP - name: OAUTH2_PROXY_CLIENT_ID valueFrom: secretKeyRef: key: username name: auth-proxy - name: OAUTH2_PROXY_CLIENT_SECRET valueFrom: secretKeyRef: key: password name: auth-proxy ports: - containerPort: 8080 protocol: TCP resources: limits: memory: 50Mi requests: memory: 50Mi - name: tailscale image: ghcr.io/tailscale/tailscale:v1.42 imagePullPolicy: Always tty: true env: - name: TS_AUTH_KEY valueFrom: secretKeyRef: name: tailscale-auth key: password - name: TS_KUBE_SECRET value: tailscale-non-auth-proxy - name: TS_ACCEPT_DNS value: "true" - name: TS_EXTRA_ARGS value: "--hostname=non-auth-proxy" securityContext: capabilities: add: - NET_ADMIN command: - sh - -c - | export PATH=$PATH:/tailscale/bin if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi echo "Starting tailscaled" tailscaled --state=kube:${TS_KUBE_SECRET} --socket=/tmp/tailscaled.sock & PID=$! echo "Running tailscale up" tailscale --socket=/tmp/tailscaled.sock up \ --accept-dns=${TS_ACCEPT_DNS} \ --authkey=${TS_AUTH_KEY} \ ${TS_EXTRA_ARGS} echo "Re-enabling incoming traffic from the cluster" wait ${PID} --- apiVersion: v1 kind: Service metadata: name: non-auth-proxy namespace: auth-proxy labels: app: non-auth-proxy spec: ports: - name: http port: 80 protocol: TCP targetPort: 8080 selector: app: non-auth-proxy type: ClusterIP --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: non-auth-proxy namespace: auth-proxy annotations: cert-manager.io/cluster-issuer: letsencrypt nginx.ingress.kubernetes.io/force-ssl-redirect: "true" spec: ingressClassName: nginx tls: - hosts: - home.cluster.fun - tasks.cluster.fun - api.tasks.cluster.fun secretName: non-auth-proxy-ingress rules: - host: home.cluster.fun http: paths: - path: / pathType: ImplementationSpecific backend: service: name: non-auth-proxy port: name: http - host: tasks.cluster.fun http: paths: - path: / pathType: ImplementationSpecific backend: service: name: non-auth-proxy port: name: http - host: api.tasks.cluster.fun http: paths: - path: / pathType: ImplementationSpecific backend: service: name: non-auth-proxy port: name: http