PrivateNetwork: Setup secrets ACL for both of the tailscale clients.
Change-Id: I671b66ba06712b6842aa47cb2607b2a46ce0e0d4
diff --git a/charts/tailscale-proxy/Chart.yaml b/charts/tailscale-proxy/Chart.yaml
index a87d9d7..a92ef36 100644
--- a/charts/tailscale-proxy/Chart.yaml
+++ b/charts/tailscale-proxy/Chart.yaml
@@ -2,5 +2,5 @@
name: tailscale-proxy
description: A Helm chart to run tailscale node
type: application
-version: 0.0.1
-appVersion: "0.0.1"
+version: 0.0.2
+appVersion: "0.0.2"
diff --git a/charts/tailscale-proxy/templates/install.yaml b/charts/tailscale-proxy/templates/install.yaml
index f85f753..d1f5a7c 100644
--- a/charts/tailscale-proxy/templates/install.yaml
+++ b/charts/tailscale-proxy/templates/install.yaml
@@ -1,17 +1,3 @@
-# apiVersion: v1
-# kind: PersistentVolumeClaim
-# metadata:
-# name: tailscale
-# namespace: {{ .Release.Namespace }}
-# annotations:
-# helm.sh/resource-policy: keep
-# spec:
-# accessModes:
-# - ReadWriteOnce
-# resources:
-# requests:
-# storage: 1Gi
----
apiVersion: headscale.dodo.cloud/v1
kind: HeadscaleUser
metadata:
@@ -39,10 +25,6 @@
labels:
app: tailscale
spec:
- # volumes:
- # - name: tailscale
- # persistentVolumeClaim:
- # claimName: tailscale
containers:
- name: tailscale
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
@@ -55,13 +37,6 @@
env:
- name: TS_KUBE_SECRET
value: {{ .Values.preAuthKeySecret }}
- # - name: TS_STATE_DIR
- # value: /tailscale-state
- # - name: TS_AUTHKEY
- # valueFrom:
- # secretKeyRef:
- # name: {{ .Values.preAuthKeySecret }}
- # key: key
- name: TS_HOSTNAME
value: {{ .Values.hostname }}
{{- if .Values.ipSubnet }}
@@ -70,30 +45,3 @@
{{- end }}
- name: TS_EXTRA_ARGS
value: --login-server={{ .Values.loginServer }}
- # volumeMounts:
- # - name: tailscale
- # mountPath: /tailscale-state
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: secrets
- namespace: {{ .Release.Namespace }}
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "watch", "list", "patch", "update"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: secrets
- namespace: {{ .Release.Namespace }}
-subjects:
-- kind: ServiceAccount
- name: default
- namespace: {{ .Release.Namespace }}
-roleRef:
- kind: Role
- name: secrets
- apiGroup: rbac.authorization.k8s.io
diff --git a/core/installer/values-tmpl/private-network.cue b/core/installer/values-tmpl/private-network.cue
index 653da67..c22e5fc 100644
--- a/core/installer/values-tmpl/private-network.cue
+++ b/core/installer/values-tmpl/private-network.cue
@@ -38,6 +38,12 @@
}
charts: {
+ "access-secrets": {
+ kind: "GitRepository"
+ address: "https://code.v1.dodo.cloud/helm-charts"
+ branch: "main"
+ path: "charts/access-secrets"
+ }
"ingress-nginx": {
kind: "GitRepository"
address: "https://code.v1.dodo.cloud/helm-charts"
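Review bot: The new "access-secrets" chart source is tracked by `branch: "main"` rather than a fixed release, so the RBAC objects it installs can change without any change to this file; that matches the existing "ingress-nginx" entry, but for a chart whose whole purpose is granting Secret access the drift is security-relevant. If the project's GitRepository source supports a tag or commit reference, pin the chart to a specific revision here instead of the branch (the Chart.yaml hunk in this same commit shows the chart being versioned, so a release tag is the natural anchor). At minimum, add a comment such as `// access-secrets grants Secret RBAC; tracking main means grants can change without review` so the unpinned source is a deliberate choice rather than an oversight.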
@@ -61,6 +67,18 @@
_ingressPrivate: "\(global.id)-ingress-private"
helm: {
+ "access-secrets": {
+ chart: charts["access-secrets"]
+ values: {
+ serviceAccountName: "default"
+ }
+ }
+ "access-secrets-nginx": {
+ chart: charts["access-secrets"]
+ values: {
+ serviceAccountName: "\(global.id)-nginx-private"
+ }
+ }
"ingress-nginx": {
chart: charts["ingress-nginx"]
values: {
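Review bot: The "access-secrets" release sets `serviceAccountName: "default"`, which means whatever Secret permissions that chart grants apply to every pod in the namespace that does not declare its own ServiceAccount, not only to the tailscale proxy. The Role removed from install.yaml earlier in this commit allowed `get`, `watch`, `list`, `patch` and `update` on all Secrets in the namespace, and if the access-secrets chart reproduces that grant (its contents are not visible here) the blast radius of any other pod in the namespace grows accordingly. The nginx release next to it already uses a dedicated account, `"\(global.id)-nginx-private"`; the tailscale proxy should get the same treatment, with the tailscale-proxy chart creating its own ServiceAccount and setting `serviceAccountName` on the Deployment, and this entry referencing that account instead of `"default"`. The Deployment hunk in install.yaml does not set a serviceAccountName, so that change would be needed in the chart as well; the `helm:` block this hunk edits continues outside the hunk.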