Add Tailscale operator configuration and Helm resources

ams0 · ams0 · commit 86248bfe053e · 2026-03-15T00:55:24.000+01:00
diff --git a/gitops/apps/tailscale/kustomization.yaml b/gitops/apps/tailscale/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - tailscale-helmrepo.yaml
+  - tailscale-helmrelease.yaml
diff --git a/gitops/apps/tailscale/namespace.yaml b/gitops/apps/tailscale/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tailscale
+  labels:
+    name: tailscale
diff --git a/gitops/apps/tailscale/tailscale-helmrelease.yaml b/gitops/apps/tailscale/tailscale-helmrelease.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: tailscale
+  namespace: flux-system
+  labels:
+    app: tailscale
+spec:
+  interval: 10m
+  timeout: 5m
+  targetNamespace: tailscale
+  chart:
+    spec:
+      chart: tailscale-operator
+      sourceRef:
+        kind: HelmRepository
+        name: tailscale
+        namespace: flux-system
+      interval: 5m0s
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  valuesFrom:
+    - kind: Secret
+      name: tailscale-oauth
+      targetPath: oauth.clientId
+      valuesKey: oauth.clientId
+    - kind: Secret
+      name: tailscale-oauth
+      targetPath: oauth.clientSecret
+      valuesKey: oauth.clientSecret
diff --git a/gitops/apps/tailscale/tailscale-helmrepo.yaml b/gitops/apps/tailscale/tailscale-helmrepo.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: tailscale
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://pkgs.tailscale.com/helmcharts
diff --git a/group_vars/oracle_hosts/main.yml b/group_vars/oracle_hosts/main.yml
@@ -57,6 +57,10 @@ datadog_logs_enabled: true
 datadog_process_agent_enabled: true
 datadog_apm_enabled: false
 
+# Tailscale operator configuration
+tailscale_operator_oauth_client_id: "{{ vault_tailscale_operator_oauth_client_id }}"
+tailscale_operator_oauth_client_secret: "{{ vault_tailscale_operator_oauth_client_secret }}"
+
 # Omni configuration
 omni_oidc_client_secret: "{{ vault_omni_oidc_client_secret }}"
 omni_etcd_encryption_key: "{{ vault_omni_etcd_encryption_key }}"
diff --git a/group_vars/oracle_hosts/vault.yml b/group_vars/oracle_hosts/vault.yml
diff --git a/roles/flux/tasks/main.yml b/roles/flux/tasks/main.yml
@@ -202,6 +202,24 @@
   no_log: true
   when: omni_oidc_check.rc != 0
 
+- name: Create tailscale namespace if not exists
+  shell: kubectl create namespace tailscale --dry-run=client -o yaml | kubectl apply -f -
+  changed_when: false
+
+- name: Check if tailscale OAuth secret exists
+  shell: kubectl -n flux-system get secret tailscale-oauth
+  register: tailscale_oauth_check
+  failed_when: false
+  changed_when: false
+
+- name: Create tailscale OAuth secret
+  shell: |
+    kubectl -n flux-system create secret generic tailscale-oauth \
+      --from-literal=oauth.clientId="{{ tailscale_operator_oauth_client_id }}" \
+      --from-literal=oauth.clientSecret="{{ tailscale_operator_oauth_client_secret }}"
+  no_log: true
+  when: tailscale_oauth_check.rc != 0
+
 - name: Create openclaw namespace if not exists
   shell: kubectl create namespace openclaw --dry-run=client -o yaml | kubectl apply -f -
   changed_when: false
