# Copyright (c) Tailscale Inc & AUTHORS
# SPDX-License-Identifier: BSD-3-Clause

# Operator oauth credentials. If set a Kubernetes Secret with the provided
# values will be created in the operator namespace. If unset a Secret named
# operator-oauth must be precreated.
oauth: {}
  # clientId: ""
  # clientSecret: ""

# enableConnector determines whether the operator should reconcile
# connector.tailscale.com custom resources. If set to true you have to install
# connector CRD in a separate step.
# You can do so by running 'kubectl apply -f ./cmd/k8s-operator/deploy/crds'.
enableConnector: "false"

operatorConfig:
  image:
    repo: tailscale/k8s-operator
    # Digest will be prioritized over tag. If neither are set appVersion will be
    # used.
    tag: ""
    digest: ""
    pullPolicy: Always
  logging: "info"
  hostname: "tailscale-operator"
  nodeSelector:
    kubernetes.io/os: linux

  resources: {}

  podAnnotations: {}

  tolerations: []

  affinity: {}

  podSecurityContext: {}

  securityContext: {}

# proxyConfig contains configuraton that will be applied to any ingress/egress
# proxies created by the operator.
# https://tailscale.com/kb/1236/kubernetes-operator/#cluster-ingress
# https://tailscale.com/kb/1236/kubernetes-operator/#cluster-egress
proxyConfig:
  image:
    repo: tailscale/tailscale
    # Digest will be prioritized over tag. If neither are set appVersion will be
    # used.
    tag: ""
    digest: ""
  # ACL tag that operator will tag proxies with. Operator must be made owner of
  # these tags
  # https://tailscale.com/kb/1236/kubernetes-operator/?q=operator#setting-up-the-kubernetes-operator
  defaultTags: tag:k8s
  firewallMode: auto

# apiServerProxyConfig allows to configure whether the operator should expose
# Kubernetes API server.
# https://tailscale.com/kb/1236/kubernetes-operator/#accessing-the-kubernetes-control-plane-using-an-api-server-proxy
apiServerProxyConfig:
  mode: "false" # "true", "false", "noauth"

imagePullSecrets: []