Add tailscale sidecar (#112)

bryopsida · web-flow · commit 32741b1ff981 · 2023-04-02T21:14:29.000-05:00
* add tailscale sidecar

* update doc table

* add new line
diff --git a/charts/k8s-dev-pod/Chart.yaml b/charts/k8s-dev-pod/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: k8s-dev-pod
 description: A Helm chart for deploying a dev environment inside a K8S cluster that is compatible with Visual Studio Code remote targets
 type: application
-version: 0.1.10
+version: 0.2.0
 appVersion: "0.1.0"
 maintainers:
   - name: Bryopsida
diff --git a/charts/k8s-dev-pod/README.md b/charts/k8s-dev-pod/README.md
@@ -1,6 +1,6 @@
 # k8s-dev-pod
 
-![Version: 0.1.10](https://img.shields.io/badge/Version-0.1.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square)
+![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square)
 
 A Helm chart for deploying a dev environment inside a K8S cluster that is compatible with Visual Studio Code remote targets
 
@@ -21,6 +21,11 @@ A Helm chart for deploying a dev environment inside a K8S cluster that is compat
 | ingressEnabled | bool | `false` |  |
 | ingressPort | int | `3022` |  |
 | passwordLoginEnabled | bool | `true` |  |
+| tailscale.authKey | string | `nil` |  |
+| tailscale.enabled | bool | `false` |  |
+| tailscale.image.pullPolicy | string | `"Always"` |  |
+| tailscale.image.repo | string | `"ghcr.io/tailscale/tailscale"` |  |
+| tailscale.image.tag | string | `"latest"` |  |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
diff --git a/charts/k8s-dev-pod/templates/deployment.yaml b/charts/k8s-dev-pod/templates/deployment.yaml
@@ -34,6 +34,9 @@ spec:
       {{- if .Values.volumes }}
       {{- toYaml .Values.volumes | nindent 8 }}
       {{- end }}
+      {{- if .Values.tailscale.enabled }}
+      serviceAccountName: "tailscale-sa"
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
@@ -62,6 +65,26 @@ spec:
             {{- if .Values.volumeMounts }}
             {{- toYaml .Values.volumeMounts | nindent 12 }}
             {{- end }}
+        {{- if .Values.tailscale.enabled }}
+        - name: tailscale
+          image: "{{ .Values.tailscale.image.repo }}:{{ .Values.tailscale.image.tag }}"
+          imagePullPolicy: "{{ .Values.tailscale.image.pullPolicy }}"
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+          env:
+            # Store the state in a k8s secret
+          - name: TS_KUBE_SECRET
+            value: "tailscale-state"
+          - name: TS_USERSPACE
+            value: "true"
+          - name: TS_AUTHKEY
+            valueFrom:
+              secretKeyRef:
+                name: tailscale-auth
+                key: TS_AUTHKEY
+                optional: true
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
diff --git a/charts/k8s-dev-pod/templates/tailscale.yaml b/charts/k8s-dev-pod/templates/tailscale.yaml
@@ -0,0 +1,50 @@
+{{- if .Values.tailscale.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tailscale-sa
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tailscale
+subjects:
+- kind: ServiceAccount
+  name: "tailscale-sa"
+roleRef:
+  kind: Role
+  name: tailscale
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tailscale
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups: [""] # "" indicates the core API group
+  resources: ["secrets"]
+  # Create can not be restricted to a resource name.
+  verbs: ["create"]
+- apiGroups: [""] # "" indicates the core API group
+  resourceNames: ["tailscale-state"]
+  resources: ["secrets"]
+  verbs: ["get", "update", "patch"]
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tailscale-state
+  namespace: {{ .Release.Namespace}}
+data:
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tailscale-auth
+  namespace: {{ .Release.Namespace}}
+data:
+  TS_AUTHKEY: {{ (required "When tailscale.enabled is true, a value must be provided for tailscale.authKey!" .Values.tailscale.authKey) | b64enc }}
+{{- end }}
diff --git a/charts/k8s-dev-pod/values.yaml b/charts/k8s-dev-pod/values.yaml
@@ -6,3 +6,10 @@ homeSize: 20
 ingressEnabled: false
 ingressPort: 3022
 passwordLoginEnabled: true
+tailscale:
+  enabled: false
+  image:
+    repo: ghcr.io/tailscale/tailscale
+    tag: latest
+    pullPolicy: Always
+  authKey: ~
