feat: support secret store csi for Tailscale

skyloud · Aug 11, 2024 · 6801474 · 6801474
1 parent 68941e0
commit 6801474
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 2 deletions.
diff --git a/charts/tailscale-operator/Chart.yaml b/charts/tailscale-operator/Chart.yaml
@@ -15,4 +15,4 @@ name: tailscale-operator
 sources:
 - https://github.com/tailscale/tailscale
 type: application
-version: 1.70.0
+version: 1.70.1
diff --git a/charts/tailscale-operator/templates/deployment.yaml b/charts/tailscale-operator/templates/deployment.yaml
@@ -35,9 +35,18 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
+      {{- if .Values.operatorConfig.secretStore.enabled -}}
+      - name: oauth
+        csi:
+          driver: secrets-store.csi.k8s.io
+          readOnly: true
+          volumeAttributes:
+            secretProviderClass: {{ .Values.operatorConfig.secretStore.secretStore }}
+      {{- else -}}
       - name: oauth
         secret:
           secretName: operator-oauth
+      {{- end -}}
       containers:
         - name: operator
           {{- with .Values.operatorConfig.securityContext }}
@@ -65,9 +74,17 @@ spec:
                 fieldRef:
                   fieldPath: metadata.namespace
             - name: CLIENT_ID_FILE
+              {{- if .Values.operatorConfig.secretStore.enabled -}}
+              value: /oauth/{{ .Values.operatorConfig.secretStore.paths.clientId }}
+              {{- else -}}
               value: /oauth/client_id
+              {{- end -}}
             - name: CLIENT_SECRET_FILE
+              {{- if .Values.operatorConfig.secretStore.enabled -}}
+              value: /oauth/{{ .Values.operatorConfig.secretStore.paths.clientSecret }}
+              {{- else -}}
               value: /oauth/client_secret
+              {{- end -}}
             {{- $proxyTag := printf ":%s" ( .Values.proxyConfig.image.tag | default .Chart.AppVersion )}}
             - name: PROXY_IMAGE
               value: {{ coalesce .Values.proxyConfig.image.repo .Values.proxyConfig.image.repository }}{{- if .Values.proxyConfig.image.digest -}}{{ printf "@%s" .Values.proxyConfig.image.digest}}{{- else -}}{{ printf "%s" $proxyTag }}{{- end }}

diff --git a/charts/tailscale-operator/values.yaml b/charts/tailscale-operator/values.yaml
@@ -3,7 +3,7 @@
 
 # Operator oauth credentials. If set a Kubernetes Secret with the provided
 # values will be created in the operator namespace. If unset a Secret named
-# operator-oauth must be precreated.
+# operator-oauth must be precreated or use the secretStore configuration.
 oauth: {}
   # clientId: ""
   # clientSecret: ""
@@ -48,6 +48,13 @@ operatorConfig:
 
   securityContext: {}
 
+  secretStore:
+    enabled: false
+    secretStore: operator-oauth
+    paths:
+      clientId: clientId
+      clientSecret: clientSecret
+
 # proxyConfig contains configuraton that will be applied to any ingress/egress
 # proxies created by the operator.
 # https://tailscale.com/kb/1236/kubernetes-operator/#cluster-ingress