cmd/k8s-operator: allow to install operator via helm (#9920)

Initial helm manifests.

Updates tailscale/tailscale#9222

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Co-authored-by: Maisem Ali <maisem@tailscale.com>

cmd/k8s-operator/deploy/chart/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

cmd/k8s-operator/deploy/chart/Chart.yaml

@@ -0,0 +1,29 @@
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause
+
+apiVersion: v1
+name: tailscale-operator
+description: A Helm chart for Tailscale Kubernetes operator
+home: https://github.com/tailscale/tailscale
+
+keywords:
+  - "tailscale"
+  - "vpn"
+  - "ingress"
+  - "egress"
+  - "wireguard"
+
+sources:
+- https://github.com/tailscale/tailscale
+
+type: application
+
+maintainers:
+  - name: tailscale-maintainers
+    url: https://tailscale.com/
+
+# version will be set to Tailscale repo tag (without 'v') at release time.
+version: 0.1.0
+
+# appVersion will be set to Tailscale repo tag at release time.
+appVersion: "unstable"

cmd/k8s-operator/deploy/chart/templates/apiserverproxy-rbac.yaml

@@ -0,0 +1,26 @@
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause
+
+{{ if eq .Values.apiServerProxyConfig.mode "true" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tailscale-auth-proxy
+rules:
+- apiGroups: [""]
+  resources: ["users", "groups"]
+  verbs: ["impersonate"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tailscale-auth-proxy
+subjects:
+- kind: ServiceAccount
+  name: operator
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: tailscale-auth-proxy
+  apiGroup: rbac.authorization.k8s.io
+{{ end }}

cmd/k8s-operator/deploy/chart/templates/deployment.yaml

@@ -0,0 +1,90 @@
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: operator
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: operator
+  template:
+    metadata:
+      {{- with .Values.operatorConfig.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        app: operator
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: operator
+      {{- with .Values.operatorConfig.podSecurityContext }}
+      securityContext:
+        {{- toYaml .Values.operatorConfig.podSecurityContext | nindent 8 }}
+      {{- end }}
+      volumes:
+      - name: oauth
+        secret:
+          secretName: operator-oauth
+      containers:
+        - name: operator
+          {{- with .Values.operatorConfig.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.operatorConfig.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- $operatorTag:= printf ":%s" ( .Values.operatorConfig.image.tag | default .Chart.AppVersion )}}
+          image: {{ .Values.operatorConfig.image.repo }}{{- if .Values.operatorConfig.image.digest -}}{{ printf "@%s" .Values.operatorConfig.image.digest}}{{- else -}}{{ printf "%s" $operatorTag }}{{- end }}
+          imagePullPolicy: {{ .Values.operatorConfig.image.pullPolicy }}
+          env:
+            - name: OPERATOR_HOSTNAME
+              value: {{ .Values.operatorConfig.hostname }}
+            - name: OPERATOR_SECRET
+              value: operator
+            - name: OPERATOR_LOGGING
+              value: {{ .Values.operatorConfig.logging }}
+            - name: OPERATOR_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: CLIENT_ID_FILE
+              value: /oauth/client_id
+            - name: CLIENT_SECRET_FILE
+              value: /oauth/client_secret
+            {{- $proxyTag := printf ":%s" ( .Values.proxyConfig.image.tag | default .Chart.AppVersion )}}
+            - name: PROXY_IMAGE
+              value: {{ .Values.proxyConfig.image.repo }}{{- if .Values.proxyConfig.image.digest -}}{{ printf "@%s" .Values.proxyConfig.image.digest}}{{- else -}}{{ printf "%s" $proxyTag }}{{- end }}
+            - name: PROXY_TAGS
+              value: {{ .Values.proxyConfig.defaultTags }}
+            - name: APISERVER_PROXY
+              value: "{{ .Values.apiServerProxyConfig.mode }}"
+            - name: PROXY_FIREWALL_MODE
+              value: {{ .Values.proxyConfig.firewallMode }}
+          volumeMounts:
+          - name: oauth
+            mountPath: /oauth
+            readOnly: true
+      {{- with .Values.operatorConfig.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.operatorConfig.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.operatorConfig.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

cmd/k8s-operator/deploy/chart/templates/oauth-secret.yaml

@@ -0,0 +1,13 @@
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause
+
+{{ if and .Values.oauth .Values.oauth.clientId -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: operator-oauth
+  namespace: {{ .Release.Namespace }}
+stringData:
+  client_id: {{ .Values.oauth.clientId }}
+  client_secret: {{ .Values.oauth.clientSecret }}
+{{- end -}}

cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml

@@ -0,0 +1,60 @@
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: operator
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tailscale-operator
+rules:
+- apiGroups: [""]
+  resources: ["events", "services", "services/status"]
+  verbs: ["*"]
+- apiGroups: ["networking.k8s.io"]
+  resources: ["ingresses", "ingresses/status"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tailscale-operator
+subjects:
+- kind: ServiceAccount
+  name: operator
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: tailscale-operator
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: operator
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["*"]
+- apiGroups: ["apps"]
+  resources: ["statefulsets"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: operator
+  namespace: {{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: operator
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: operator
+  apiGroup: rbac.authorization.k8s.io

cmd/k8s-operator/deploy/chart/templates/proxy-rbac.yaml

@@ -0,0 +1,32 @@
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: proxies
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: proxies
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: proxies
+  namespace: {{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: proxies
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: proxies
+  apiGroup: rbac.authorization.k8s.io

cmd/k8s-operator/deploy/chart/values.yaml

@@ -0,0 +1,45 @@
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Operator oauth credentials. If set a Kubernetes Secret with the provided
+# values will be created in the operator namespace. If unset a Secret named
+# operator-oauth must be precreated.
+# oauth:
+#   clientId: ""
+#   clientSecret: ""
+
+operatorConfig:
+  image:
+    repo: tailscale/k8s-operator
+    # Digest will be prioritized over tag. If neither are set appVersion will be
+    # used.
+    tag: ""
+    digest: ""
+  logging: "info"
+  hostname: "tailscale-operator"
+  nodeSelector:
+    kubernetes.io/os: linux
+
+
+# proxyConfig contains configuraton that will be applied to any ingress/egress
+# proxies created by the operator.
+# https://tailscale.com/kb/1236/kubernetes-operator/#cluster-ingress
+# https://tailscale.com/kb/1236/kubernetes-operator/#cluster-egress
+proxyConfig:
+  image:
+    repo: tailscale/tailscale
+    # Digest will be prioritized over tag. If neither are set appVersion will be
+    # used.
+    tag: ""
+    digest: ""
+  # ACL tag that operator will tag proxies with. Operator must be made owner of
+  # these tags
+  # https://tailscale.com/kb/1236/kubernetes-operator/?q=operator#setting-up-the-kubernetes-operator
+  defaultTags: tag:k8s
+  firewallMode: auto
+
+# apiServerProxyConfig allows to configure whether the operator should expose
+# Kubernetes API server.
+# https://tailscale.com/kb/1236/kubernetes-operator/#accessing-the-kubernetes-control-plane-using-an-api-server-proxy
+apiServerProxyConfig:
+  mode: "false" # "true", "false", "noauth"

cmd/k8s-operator/sts.go

@@ -307,10 +307,10 @@ func (a *tailscaleSTSReconciler) newAuthKey(ctx context.Context, tags []string)
 	return key, nil
 }
 
-//go:embed manifests/proxy.yaml
+//go:embed deploy/manifests/proxy.yaml
 var proxyYaml []byte
 
-//go:embed manifests/userspace-proxy.yaml
+//go:embed deploy/manifests/userspace-proxy.yaml
 var userspaceProxyYaml []byte
 
 func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.SugaredLogger, sts *tailscaleSTSConfig, headlessSvc *corev1.Service, authKeySecret string) (*appsv1.StatefulSet, error) {