charts/proxy/templates/install.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ .Values.name }}
  namespace: {{ .Release.Namespace }}
data:
  nginx.conf: |
    {{ .Values.config | nindent 4 }}
---
{{- if .Values.vpn.enabled }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Values.name }}-vpn-pre-auth-key
  namespace: {{ .Release.Namespace }}
stringData:
  authkey: {{ .Values.vpn.preAuthKey }}
{{- end }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Values.name }}
  namespace: {{ .Release.Namespace }}
spec:
  selector:
    matchLabels:
      app: proxy
  replicas: 1
  template:
    metadata:
      labels:
        app: proxy
    spec:
      serviceAccountName: {{ .Values.name }}-proxy
      volumes:
      - name: config
        configMap:
          name: {{ .Values.name }}
      containers:
      - name: proxy
        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        ports:
          {{- range .Values.ports }}
          - name: {{ .name }}
            containerPort: {{ .value }}
            protocol: {{ .protocol }}
          {{- end }}
        volumeMounts:
        - name: config
          mountPath: /etc/nginx
      {{- if .Values.vpn.enabled }}
      - name: tailscale
        image: {{ .Values.vpn.image.repository }}:{{ .Values.vpn.image.tag }}
        imagePullPolicy: {{ .Values.vpn.image.pullPolicy }}
        securityContext:
          privileged: true
          capabilities:
            add:
            - NET_ADMIN
        env:
        - name: TS_KUBE_SECRET
          value: {{ .Values.name }}-vpn-pre-auth-key
        - name: TS_HOSTNAME
          value: {{ .Values.vpn.hostname }}
        - name: TS_USERSPACE
          value: "false"
        - name: TS_ACCEPT_DNS
          value: "true"
        - name: TS_EXTRA_ARGS
          value: --login-server={{ .Values.vpn.loginServer }}
      {{- end }}
---
apiVersion: v1
kind: Service
metadata:
  name: {{ .Values.name }}
  namespace: {{ .Release.Namespace }}
spec:
  type: ClusterIP
  selector:
    app: proxy
  ports:
    {{- range .Values.ports }}
    - name: {{ .name }}
      port: {{ .value }}
      targetPort: {{ .name }}
      protocol: {{ .protocol }}
    {{- end }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.name }}-proxy
  namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ .Values.name }}-proxy
  namespace: {{ .Release.Namespace }}
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["secrets"]
  # Create can not be restricted to a resource name.
  verbs: ["create"]
- apiGroups: [""] # "" indicates the core API group
  resourceNames: ["{{ .Values.name }}-vpn-pre-auth-key"]
  resources: ["secrets"]
  verbs: ["get", "update", "patch"]
- apiGroups: [""] # "" indicates the core API group
  resources: ["events"]
  verbs: ["get", "create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ .Values.name }}-proxy
  namespace: {{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
  name: {{ .Values.name }}-proxy
roleRef:
  kind: Role
  name: {{ .Values.name }}-proxy
  apiGroup: rbac.authorization.k8s.io