redaction (#1)

Add the redacted source file for demo purposes

Reviewed-on: https://source.michaeldileo.org/michael_dileo/Keybard-Vagabond-Demo/pulls/1
Co-authored-by: Michael DiLeo <michael_dileo@proton.me>
Co-committed-by: Michael DiLeo <michael_dileo@proton.me>

manifests/infrastructure/tailscale/connector.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: tailscale.com/v1alpha1
+kind: Connector
+metadata:
+  name: cluster-subnet-router
+  namespace: tailscale-system
+spec:
+  subnetRouter:
+    advertiseRoutes:
+      - 10.244.0.0/16  # Pod network (Cilium)
+      - 10.96.0.0/12   # Service network
+      - 10.132.0.0/24  # VLAN network (NetCup Cloud)
+  hostname: keyboardvagabond-cluster
+  tags:
+    - tag:k8s-operator

manifests/infrastructure/tailscale/helm-release.yaml

@@ -0,0 +1,59 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: tailscale-operator
+  namespace: tailscale-system
+spec:
+  interval: 10m
+  timeout: 5m
+  chart:
+    spec:
+      chart: tailscale-operator
+      version: "1.90.x"  # Update to match operator version
+      sourceRef:
+        kind: HelmRepository
+        name: tailscale
+        namespace: flux-system
+      interval: 1h
+  valuesFrom:
+    # OAuth credentials loaded from SOPS-encrypted secret
+    - kind: Secret
+      name: operator-oauth
+      valuesKey: values.yaml
+  values:
+    # Operator configuration
+    operator:
+      hostname: keyboardvagabond-operator
+      replicaCount: 2
+      image:
+        repository: tailscale/k8s-operator
+        tag: v1.90.8
+        pullPolicy: IfNotPresent
+      # Node anti-affinity to distribute operator pods across nodes
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: app.kubernetes.io/name
+                  operator: In
+                  values:
+                  - tailscale-operator
+              topologyKey: kubernetes.io/hostname
+    
+    # Metrics configuration
+    metrics:
+      enabled: false
+    
+    # Resource limits
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        cpu: 500m
+        memory: 512Mi
+

manifests/infrastructure/tailscale/helm-repository.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: tailscale
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://pkgs.tailscale.com/helmcharts
+

manifests/infrastructure/tailscale/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- namespace.yaml
+- helm-repository.yaml
+- oauth-secret.yaml
+- helm-release.yaml
+- connector.yaml

manifests/infrastructure/tailscale/namespace.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tailscale-system
+  labels:
+    name: tailscale-system
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce-version: latest
+

manifests/infrastructure/tailscale/oauth-secret.yaml

@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: operator-oauth
+    namespace: tailscale-system
+type: Opaque
+stringData:
+    #ENC[AES256_GCM,data:l4J1uUM02UHCgi+DkuxxrcHCi0oHFpElXHEiWRo+0oailKbsF0ymmDJiMCqV8U8Z,iv:OLeAQUJ/sc/k6hGSZ6+4ve+EOY6buxmGiAhUpP3JuHE=,tag:/jZX5Z3uCmJCyj64ANVlMw==,type:comment]
+    #ENC[AES256_GCM,data:uIs5Fz+0RWg8CyZ+/72vz6S/FuUw04oHGXBjuSRQraVLK2kHTsODVvGcKlgRTYcXMJ0y1WGT4k7+1rY=,iv:KaNK2b/E/XokrB29UAOuDo1isgToiyf9CGZT3E4FHhc=,tag:VgkUtLMC0yT+5hg5AmSChA==,type:comment]
+    #ENC[AES256_GCM,data:oGtvagHvq2ZOPBTcbmqm19uO8pKRYVfw71pz8/rVY5L0sQ855zIM3mF9DljI6VW96Nyp8X7ja6w95vdL8mp/P9P5F/6/8yg=,iv:d1GJvi+FZzz880LHxglFc7//wjwEtc7ialdhNYxHF8Q=,tag:QFBm27EqpYwCBplw7GG6/w==,type:comment]
+    values.yaml: ENC[AES256_GCM,data:gdKJYDUPBeVdFLXX1P5z3AlUhJQP0764xZKUapv4WtIyUYpxgIaH1MMjeGXPtcA4QIy1botx7+6L9rmdkqZyVpgfvr+QnITGDivsVvk0cyIVt24DBKrfIIKby2t+iHqSiOp65HMIubN4v3jYGHWMFcpa+NgbgJfJf8w=,iv:wQkXRUGSbYCM32t9HyyNrhFLiUgZ13WU8DXux5pBxQ8=,tag:I7K2Lh3mFlZm+Ewwx4Bnfw==,type:str]
+sops:
+    lastmodified: "2025-11-30T10:59:24Z"
+    mac: ENC[AES256_GCM,data:F21L/K6Lm3YEMaAzIBFBQjDX+Z6ypoKzmimMnmd+P6KlqC5bqKwOSjAvfNWi3pu9PYXzrSppiXKXgqRcYAkCtcrtbj2eLtHxWGnfOzrafGvdPvZSc8Wa24tl5It84faiGFAY4NvfZxARIeuaVg4USOOall2eZVK9QWZieTSPCzI=,iv:K3L8Q3NZ+t9WDLDSIIzbdlYdAeYgJb4TZTDMzw2Ghh0=,tag:ojfHbXsxEIXzKDuspSXVzw==,type:str]
+    pgp:
+        - created_at: "2025-11-23T16:59:12Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DZT3mpHTS/JgSAQdAdiFsCKasusASWyuSbRO1MrRhUyxie1YeUgbnV1oIoA0w
+            +naSOBv25nEhoc935K/OFVLXq4BWRQLKv4SMpmJ0wUMdA1+rgDhUEIaII7cElmzT
+            1GgBCQIQdrDXkUxJVkGDJLnzEcWmRObXAUaArSGMmoi5M8hHZRhP+y4p1GHutMUK
+            R2T/qPoo3rpDwm7C7QkN12wVoxXG9AkAccPEbWhBfaDfSw6U7OZ3ox66Zf+HRl6Z
+            OMw8OvHZo7IysA==
+            =og+X
+            -----END PGP MESSAGE-----
+          fp: B120595CA9A643B051731B32E67FF350227BA4E8
+        - created_at: "2025-11-23T16:59:12Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DSXzd60P2RKISAQdAirRUi6WF3ESRmk96UTXs5J7CDEPvD58tsF8ha7sjYUIw
+            ojqsvxA75AEJFEPWkE9haMp28u53LBGJLH6yNHPiCCzFmvIe72kwwP3Qu6kDEoCi
+            1GgBCQIQmaer/NtAyqkpQerecLSOYBPMZX54gXVDQMjF8GvjHe2TQnGP2HJXBmf4
+            PCj0j7VmG0sQXJz5xMpxWNxeHLv61M13FuyEcaS7FbSfxUJmTOH1BiJwMEsR9169
+            aDqO/SUTq6McNw==
+            =dA/R
+            -----END PGP MESSAGE-----
+          fp: 4A8AADB4EBAB9AF88EF7062373CECE06CC80D40C
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

manifests/infrastructure/tailscale/old-subnet-router/auth-secret.yaml

@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: tailscale-auth
+    namespace: tailscale-system
+type: Opaque
+stringData:
+    #ENC[AES256_GCM,data:nyftsojnYW8nOC1bWBYeb3FTKMTf5ByPXlcLWJPAKNNzaXmau1XQ,iv:tuZyJeQX0rNbE9JuxIHUYjOieowjgB0imXLsn72OLDs=,tag:OuERwRIhsfsBwD1CcTEgtw==,type:comment]
+    TS_AUTHKEY: ENC[AES256_GCM,data:C9hqhsByVr4647hWpEhl4sZp2kjGf7akEuvXqpfGHlT8n6KQ/8gm+Aq8DhJ2bnNoZXKf6viFg73VDujC+oFc0Q==,iv:xBlygAPmJbMds3bmHJH8iUISReA9Mn8673KJV0XbUCI=,tag:P7os4Iy1gR9sATtschmBzg==,type:str]
+sops:
+    lastmodified: "2025-08-08T18:18:54Z"
+    mac: ENC[AES256_GCM,data:sc0p3UF8Ukvfi6w3mCkzUpVwh2ZHhxOYAGAV08lCJOrVifvKQAoPgkkxQ0BCtOrQffSfLS0xNL3ir90G0VO7Fbj5zmKqJvJRLWX+mijtgsHXGT/SJdFw/57Yf3m/Q/t0RlMJWT/QbV0totmQPSisppPlaj6vOvCULJzVMvg3E3U=,iv:Qr5C9T12bwlAVIDSNW/EinGs3Qt0SRnxbp/j2rTFBWI=,tag:q7FCN9FDaGYJWoRy75wFrg==,type:str]
+    pgp:
+        - created_at: "2025-08-08T18:18:54Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DZT3mpHTS/JgSAQdARAKeYyvKR2Z0GAGwh7X3am/hYxfCeJHuvuA2g4oUpH8w
+            4oylMT02Z2mZrcsQ8EZz5LTb+B8bkxiBZjLcnPNFgEQPz2CyPd7yMkjt725HhagY
+            1GgBCQIQ30PaiRJZoWPA4eGArmtrq+eTaPs5L0TvVtsaQaZD0BjALc09e00Z7Mdq
+            rWc9Gf83f0ORxmBeyTOro8P/87BM5/6dixexsWiVBRZlSMrQyxEErAF5U7wxE+cx
+            ByAWdEkn0ihLqQ==
+            =uB0J
+            -----END PGP MESSAGE-----
+          fp: B120595CA9A643B051731B32E67FF350227BA4E8
+        - created_at: "2025-08-08T18:18:54Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DSXzd60P2RKISAQdA5Lblb1Tez9WUxPgqymTvY62n9hU+l4IZKEcolMUAARsw
+            xLZhmIhN0CYTp+iTdYbF7GCrIXaygP/lYO40EXxdB0Bg7MWdeXtq5k6Xgou6DU28
+            1GgBCQIQilh//0XeUk0SWyCN8TKSIAZWc5KQkDnJ/OYS5llFSqXCG846BnlDAYZ1
+            0RDkRIJDFIMhlfbJdFcgkSu5vE+4wVGGGJ1mkZINZcb/S4H9K+/dkgmC/ScfOvU8
+            H5Q6QjJrZB4zzw==
+            =1TpA
+            -----END PGP MESSAGE-----
+          fp: 4A8AADB4EBAB9AF88EF7062373CECE06CC80D40C
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

manifests/infrastructure/tailscale/old-subnet-router/kustomization.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- namespace.yaml
+# Legacy resources (not currently used - operator manages these now)
+# - auth-secret.yaml
+# - service-account.yaml
+# - rbac.yaml
+# - subnet-router-deployment.yaml
+# Operator-based resources
+- operator-helm/

manifests/infrastructure/tailscale/old-subnet-router/namespace.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tailscale-system
+  labels:
+    name: tailscale-system
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce-version: latest

manifests/infrastructure/tailscale/old-subnet-router/rbac.yaml

@@ -0,0 +1,55 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tailscale
+rules:
+- apiGroups: ["authorization.k8s.io"]
+  resources: ["selfsubjectaccessreviews"]
+  verbs: ["create"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tailscale
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: tailscale
+subjects:
+- kind: ServiceAccount
+  name: tailscale
+  namespace: tailscale-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tailscale
+  namespace: tailscale-system
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "get", "list", "update", "patch"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create", "get", "patch"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tailscale
+  namespace: tailscale-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: tailscale
+subjects:
+- kind: ServiceAccount
+  name: tailscale
+  namespace: tailscale-system

manifests/infrastructure/tailscale/old-subnet-router/service-account.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tailscale
+  namespace: tailscale-system

manifests/infrastructure/tailscale/old-subnet-router/subnet-router-deployment.yaml

@@ -0,0 +1,54 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: subnet-router
+  namespace: tailscale-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: subnet-router
+  template:
+    metadata:
+      labels:
+        app: subnet-router
+    spec:
+      serviceAccountName: tailscale
+      containers:
+      - name: tailscale
+        imagePullPolicy: Always
+        image: tailscale/tailscale:latest
+        env:
+        - name: TS_KUBE_SECRET
+          value: "tailscale-auth"
+        - name: TS_USERSPACE
+          value: "false"
+        - name: TS_AUTH_KEY
+          valueFrom:
+            secretKeyRef:
+              name: tailscale-auth
+              key: TS_AUTHKEY
+        - name: TS_ROUTES
+          value: "10.244.0.0/16,10.96.0.0/12,10.132.0.0/24"
+        - name: TS_EXTRA_ARGS
+          value: "--advertise-tags=tag:k8s-operator"
+        - name: TS_HOSTNAME
+          value: "keyboardvagabond-cluster"
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_UID
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.uid
+        securityContext:
+          privileged: true
+        resources:
+          requests:
+            cpu: 100m
+            memory: 128Mi
+          limits:
+            cpu: 500m
+            memory: 512Mi