tailscale proxy

murrayju · murrayju · commit 17a30aa15a00 · 2025-08-21T12:08:59.000-04:00
diff --git a/README.md b/README.md
@@ -150,6 +150,11 @@ kubectl -n savannah-system create secret generic tiger-docs-mcp-server-logfire \
   --dry-run=client \
   --from-literal=token="pylf_v1_us_" \
   -o yaml | kubeseal -o yaml
+
+kubectl -n savannah-system create secret generic tiger-docs-mcp-server-tailscale \
+  --dry-run=client \
+  --from-literal=authkey="tskey-auth-" \
+  -o yaml | kubeseal -o yaml
 ```
 
 Update `./chart/values/dev.yaml` with the output.
diff --git a/chart/templates/sealed-secret-tailscale.yaml b/chart/templates/sealed-secret-tailscale.yaml
@@ -0,0 +1,13 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: {{ .Values.name }}-tailscale
+  namespace: {{ .Release.Namespace }}
+spec:
+  encryptedData:
+    authkey: {{ .Values.tailscale.authkey }}
+  template:
+    metadata:
+      creationTimestamp: null
+      name: {{ .Values.name }}-tailscale
+      namespace: {{ .Release.Namespace }}
diff --git a/chart/templates/service.yaml b/chart/templates/service.yaml
@@ -2,24 +2,15 @@
 apiVersion: v1
 kind: Service
 metadata:
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: {{ .Values.name }}.ops.dev.timescale.com
-    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
-    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
-    service.beta.kubernetes.io/aws-load-balancer-type: nlb
   namespace: {{ .Release.Namespace }}
   name: {{ .Values.name }}
   labels:
     app: {{ .Values.name }}
-    app.kubernetes.io/name: {{ .Values.name }}
 spec:
   selector:
     app: {{ .Values.name }}
   ports:
     - port: {{ .Values.servicePort }}
       targetPort: {{ .Values.containerPort }}
       protocol: TCP
-  type: LoadBalancer
-  sessionAffinity: None
-  externalTrafficPolicy: Local
-  internalTrafficPolicy: Cluster
+  type: ClusterIP
diff --git a/chart/templates/tailscale-service-account.yaml b/chart/templates/tailscale-service-account.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.name }}-tailscale
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Values.name }}-tailscale
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups: [""] # "" indicates the core API group
+  resources: ["secrets"]
+  # Create can not be restricted to a resource name.
+  verbs: ["create"]
+- apiGroups: [""] # "" indicates the core API group
+  resourceNames: ["{{ .Values.name }}-tailscale"]
+  resources: ["secrets"]
+  verbs: ["get", "update", "patch"]
+- apiGroups: [""] # "" indicates the core API group
+  resources: ["events"]
+  verbs: ["get", "create", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Values.name }}-tailscale
+  namespace: {{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.name }}-tailscale
+roleRef:
+  kind: Role
+  name: {{ .Values.name }}-tailscale
+  apiGroup: rbac.authorization.k8s.io
diff --git a/chart/templates/tailscale.yaml b/chart/templates/tailscale.yaml
@@ -0,0 +1,100 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ .Values.name }}-tailscale
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Values.name }}-tailscale
+  template:
+    metadata:
+      labels:
+        app: {{ .Values.name }}-tailscale
+    spec:
+      serviceAccountName: {{ .Values.name }}-tailscale
+      containers:
+      - name: {{ .Values.name }}-tailscale
+        image: tailscale/tailscale:latest
+        env:
+        - name: TS_AUTHKEY
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.name }}-tailscale
+              key: authkey
+        - name: TS_KUBE_SECRET
+          value: {{ .Values.name }}-tailscale
+        - name: TS_HOSTNAME
+          value: {{ .Values.name }}
+        - name: TS_SERVE_CONFIG
+          value: /config/ts-serve-config.json
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_UID
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.uid
+        volumeMounts:
+        - name: serve-config
+          mountPath: /config
+          readOnly: true
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+      volumes:
+      - name: serve-config
+        configMap:
+          name: {{ .Values.name }}-tailscale-serve-config
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ .Values.name }}-tailscale-serve-config
+data:
+  ts-serve-config.json: |
+    {
+      "TCP": {
+        "80": {
+          "HTTP": true
+        },
+        "443": {
+          "HTTPS": true
+        }
+      },
+      "Web": {
+        "{{ .Values.name }}.{{ .Values.tailscale.tailnet }}:443": {
+          "Handlers": {
+            "/": {
+              "Proxy": "http://{{ .Values.name }}:80"
+            }
+          }
+        },
+        "{{ .Values.name }}.{{ .Values.tailscale.tailnet }}:80": {
+          "Handlers": {
+            "/": {
+              "Proxy": "http://{{ .Values.name }}:80"
+            }
+          }
+        },
+        "{{ .Values.name }}:80": {
+          "Handlers": {
+            "/": {
+              "Proxy": "http://{{ .Values.name }}:80"
+            }
+          }
+        },
+        ":80": {
+          "Handlers": {
+            "/": {
+              "Proxy": "http://{{ .Values.name }}:80"
+            }
+          }
+        }
+      }
+    }
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -33,6 +33,10 @@ logfire:
   tracesEndpoint: https://logfire-api.pydantic.dev/v1/traces
   logsEndpoint: https://logfire-api.pydantic.dev/v1/logs
 
+tailscale:
+  authkey: ''
+  tailnet: tail9d164.ts.net
+
 instrumentation:
   otlpEndpoint: http://tracing-collector:4317
   enabled: false
diff --git a/chart/values/dev.yaml b/chart/values/dev.yaml
@@ -8,5 +8,7 @@ openai:
   apiKey: AgA3XsyrGrYYGsouyAD58P5UnEo9E1B7kOcUVIhy/gX5xTD553Gvu0v8h2Evt9cvYqZZzBkLrUT85FGN9cvkaglgsBYkpCWgpgCE76U177vZXPI3788CfxFUmbMEDDsmdhmCztq3iL+JvudvScCWI4VOsOaYRGORanQRYTX8URE4FAXA0Kwi3KUACd3dAhaLf83EM3JKzBS9i/TPOR9XXrBjQSVqXazaMr/q6YuXgZHJV1lSL33mG12CVxtQJhf8NGAqRPAB1QrdNyXc1qqXRDFsUqn4RZe8yAhFjfIcJBNHrINp/e+Wp3JFg2Z2wcl04/hrojTGQ9xO7stdt/SsdA9jrA8H3O5ELyah/52c6otMpfPPu9C+/JOQeWWL7MRX4HpHkjW2yuyIiXL8ZNNTjgzIXvORDADF3lgDkNjoi4lPYaBqt2JH5cF5c/r8gwg5xDDZJo/p0JIbkxSxH0HzRb6zYV7UQOAe+CWFdT3GZybgUvRs6MFyqq9pFl3EAvwdbTZswXvg4J7oYN8YOJP/FB9VAx3dcxIGoVuW0km2fPJ8xVxxRQ5N4z02a9f7rIu211gisi3PBRSNNFJuOrBW5ynH4OucxX8auqXN3EmLTCtVAOpHih0ijnJYQlLKAUtuAlMxsA38SKJ+ScDYeMXWMgM0E133zYE6q6b+os4lW4OL05O4W3gCHHbRNbtoUl4UqZ2UWmm4pq4P/ilRWzxCfEcqtOQr/fKIo/TdcST+x0FC1rblS4RlJr07W2AsC82Evn1YcQMWtZN+KEmD3wuBWHLmpZ7XMsBCb0wQpGPDm6Am6uQYH49zeQz4WN6CF1cVcf117lzlxQCA4SaWOpvEgmu9VJyOY9OF+k4MSgOaa0w94vfsqRZeCje2Ssew7608/zHejwy+sA0WjSJXvwIgkGVIr3FRoKdcsg==
 logfire:
   token: AgBgcK/ZuWC78Ws1QHkotvvSqK4KOXSP9cuyZOH+Y7j7Ae8+/PAuFzIge/jRMFoCPzg+9oi15k7diiUV23N52Q5XHewkSjWU58DUEextchpB+yo9U/dU9MN0W/Nih02ij1cct10IDJ5tbmojETC9SUkvfXw0YyVl1fd4MhNVHfIvTO8F8v2ke12beNUuOrmJtPwFw+BWWlvNezp5QdKlMJFyo6C5NaHMrXYSOrQcgGzVuopCLZsIAPVfnAkoPHvSKHsra4ff+EtsqK68bacNChqF/nxq/cUGfSWV0Q+7a4zoGFadXqOtbLluIFAV01cliSsH4Ady3c3MK2W8UD5e8l9uYEZjpBmsA8C5Z8RfHECRUd7Abys3HW0ReXe/g0mQJZb+8Zy3z/gWcNkYqUXyFnKi8QTXzK2q8Msqi/iFyuH7NQF2Up/Iqc6XpxPn7tbNVLHphW6eynakmJLHhSIBn6/klRRN5weXIZVZ8hU8WNKeQOhLfWzKkRhifXsFSJ6GeSel0yLHhCWoaOskw2KNm4CqxaDKsQcsYAneVn15G7fNvkZ7w9Y2cyylVFrG4rsFPtNbKLDv4KArfACw9uI79AwAvBZD3wPefIYByFtkR6bEXUAVqzX8+JR2wZBzCY1tt6gW3ufnDhI66McW/bz22PIPgjxyhM/CbCGCZHsDWWTGbg5q1rMbTwNZdNGsiePHSGxcwhK+GJptTyJ3bp1InVppDvMqee5OenwdnMDgJCH03sU0BwK9uM/AuxRQ4CSeknr4mUaPr5Pc
+tailscale:
+  authkey: AgBUvW6t3VLq12NBC2FrmNE00HmTj8enoJBk/ePvHj7FmTqg2RbAFSwHEoCQo74kLKV/fT4ONYhdOf8OY9xcRogNYCfxkqwMOYQ0Udsk6hQlBmz63GQDkrxk2a41az+iT8tHywLSVVdBGpahgLSS+O0r0V/1gOo7tyQJyfWmMVAg6Krey8ROlVrdP/uT+6Sqd5UddpqIwpEmJS4AFREdkPTx5ihBM8oMv5UnHKvJaUtuZtDWnbM6KpxAFX7Eis1E0B/5LnjI2nPhRR7jZ4Uz2z9WWaXubnk7EQ52sojvQWZ0Kdq4v7UAMUnrAbicx0cQcD9GCvzzy5GORUHK7DYm+v6J8SOPWKJnrDkHWGj39lqiOx6LW220CmTGIjsyPl7Qhly8JQRecQo3GdCe4Hv0mIGKQZwF08XzTc90bto98hh41MygKqh+cbpLaSYXzJzaHnurIBvXcVXMkrGw2dV+YKtYjIt0mV9oMylz00gVnR67OuO7xz5bTSH4EKZq1cTnwZxlH30ssZ7zEpIboKoVabV47CBYRPU2YDugRgtb240Ll0M7k4K3cOGSq4JhsbB1T/RPWOix5KLzSnC+cdIJMl0S4kmc2P1pzxJ2TjxBZxD41D/WsszB9gdfPu8VolHRAQ6/juFttUfi3+HSwGU0yb3Zdx0qLOf7JTsDPmHR8Jo1xLGwDeQ9o2wsI4z/5upL/imvHk/ZGY3CSE5O0Tm72t18G9B+grnjcjC89chH5to2W880PF8xDgprIfS/aCPdihmCjATbfPBv5orgbkrjuA==
 instrumentation:
   enabled: true
