update
diff --git a/charts/proxy/templates/install.yaml b/charts/proxy/templates/install.yaml
index 177bc04..fc385cc 100644
--- a/charts/proxy/templates/install.yaml
+++ b/charts/proxy/templates/install.yaml
@@ -7,6 +7,16 @@
nginx.conf: |
{{ .Values.config | nindent 4 }}
---
+{{- if .Values.vpn.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.name }}-vpn-pre-auth-key
+ namespace: {{ .Release.Namespace }}
+stringData:
+ TS_AUTHKEY: {{ .Values.vpn.preAuthKey }}
+{{- end }}
+---
apiVersion: apps/v1
kind: Deployment
metadata:
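Review bot: `TS_AUTHKEY: {{ .Values.vpn.preAuthKey }}` is rendered unquoted, so the chart's own default of `preAuthKey: ""` produces a bare `TS_AUTHKEY:` that YAML reads as null rather than an empty string, and any key containing YAML-significant characters would be mis-parsed the same way; render it as `TS_AUTHKEY: {{ .Values.vpn.preAuthKey | quote }}`. Since the Secret only exists when `vpn.enabled` is true, it would also be reasonable to fail early with `{{ required "vpn.preAuthKey is required when vpn.enabled" .Values.vpn.preAuthKey | quote }}` instead of rendering an empty credential. The Deployment whose `metadata:` starts on the last line of this hunk continues outside it.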
@@ -22,6 +32,7 @@
labels:
app: proxy
spec:
+ serviceAccountName: {{ .Values.name }}-proxy
containers:
- name: proxy
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
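Review bot: `serviceAccountName: {{ .Values.name }}-proxy` is set unconditionally, and the ServiceAccount, Role and RoleBinding added in the last hunk of this file are likewise unconditional, so every install — including the default `vpn.enabled: false` — runs the proxy under an identity that can create Secrets in its namespace even though only the tailscale sidecar needs it. Wrapping this line in `{{- if .Values.vpn.enabled }}` … `{{- end }}` and gating the three RBAC objects the same way keeps the non-VPN deployment on the default ServiceAccount. The Deployment spec continues outside this hunk.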
@@ -39,6 +50,23 @@
- name: config
configMap:
name: {{ .Values.name }}
+ {{- if .Values.vpn.enabled }}
+ - name: tailscale
+ image: {{ .Values.vpn.image.repository }}:{{ .Values.vpn.image.tag }}
+ imagePullPolicy: {{ .Values.vpn.image.pullPolicy }}
+ securityContext:
+ privileged: true
+ capabilities:
+ add:
+ - NET_ADMIN
+ env:
+ - name: TS_KUBE_SECRET
+ value: {{ .Values.name }}-vpn-pre-auth-key
+ - name: TS_HOSTNAME
+ value: {{ .Values.vpn.hostname }}
+ - name: TS_EXTRA_ARGS
+ value: --login-server={{ .Values.vpn.loginServer }}
+ {{- end }}
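Review bot: The sidecar's `securityContext` sets `privileged: true` and then adds `NET_ADMIN`; a privileged container already holds every capability and the host's device nodes, so the capability entry is redundant and the privileged flag is the broader grant — prefer dropping `privileged: true` and keeping `capabilities.add: [NET_ADMIN]` if the sidecar only needs to manage its tunnel interface, and document why if privileged really is required. Leading whitespace is collapsed in this diff, so it is not visible whether the new `- name: tailscale` item is indented under `containers` or appended to the preceding `volumes` list — worth confirming in rendered output, since a volume with an `image` key would be rejected. The env values are unquoted too: with the `hostname: ""` default, `value: {{ .Values.vpn.hostname }}` renders as a null value, so use `value: {{ .Values.vpn.hostname | quote }}`, and `--login-server={{ .Values.vpn.loginServer }}` becomes a bare `--login-server=` when `loginServer` is empty, so that env entry should be guarded with `{{- with .Values.vpn.loginServer }}`.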
---
apiVersion: v1
kind: Service
@@ -56,3 +84,38 @@
targetPort: {{ .name }}
protocol: {{ .protocol }}
{{- end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.name }}-proxy
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Values.name }}-proxy
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups: [""] # "" indicates the core API group
+ resources: ["secrets"]
+ # Create can not be restricted to a resource name.
+ verbs: ["create"]
+- apiGroups: [""] # "" indicates the core API group
+ resourceNames: ["{{ .Values.name }}-vpn-pre-auth-key"]
+ resources: ["secrets"]
+ verbs: ["get", "update", "patch"]
+- apiGroups: [""] # "" indicates the core API group
+ resources: ["events"]
+ verbs: ["get", "create", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Values.name }}-proxy
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.name }}-proxy
+roleRef:
+ kind: Role
+ name: {{ .Values.name }}-proxy
+ apiGroup: rbac.authorization.k8s.io
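Review bot: The first Role rule grants `create` on every Secret in the namespace, and the in-line comment acknowledges this cannot be narrowed by `resourceNames`; because this chart already creates `{{ .Values.name }}-vpn-pre-auth-key` when `vpn.enabled` is true, check whether the sidecar ever needs to create the Secret itself — if it only reads and updates the pre-created one, the second rule (`get`, `update`, `patch` on the named Secret) is sufficient and the `create` rule can be dropped. The ServiceAccount and RoleBinding omit `namespace:` while the Role sets `namespace: {{ .Release.Namespace }}`; adding `namespace: {{ .Release.Namespace }}` under both `metadata:` blocks (and under the `subjects` entry) makes the three objects consistent and unambiguous when the manifests are rendered with `helm template` and applied outside an install. The `- name: tailscale` container only references this identity when `vpn.enabled` is true, so these RBAC objects could sit inside the same `{{- if .Values.vpn.enabled }}` guard.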
diff --git a/charts/proxy/values.yaml b/charts/proxy/values.yaml
index 6764883..a701c3e 100644
--- a/charts/proxy/values.yaml
+++ b/charts/proxy/values.yaml
@@ -11,3 +11,12 @@
- name: API
value: 9090
protocol: UDP
+vpn:
+ enabled: false
+ image:
+ repository: tailscale/tailscale
+ tag: v1.42.0
+ pullPolicy: IfNotPresent
+ preAuthKey: ""
+ loginServer: ""
+ hostname: ""
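Review bot: `preAuthKey: ""` invites users to put the Tailscale auth key in `values.yaml`, where it lands in version control and in the Helm release record in plaintext; an `existingSecret` value naming a Secret created out of band, with `preAuthKey` kept only as a fallback, is the usual pattern. The new keys have no comments, so a reader cannot tell from the file that `loginServer` is optional or what `hostname` is used for; a one-line `# ` comment above each key — e.g. `# Tailscale control-server URL; leave empty to use the default` above `loginServer` — would document the contract the template relies on. `tag: v1.42.0` is safe unquoted because of the leading `v`, but quoting it as `"v1.42.0"` guards against a future numeric-only tag being read as a float.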