redaction (#1)

Add the redacted source file for demo purposes

Reviewed-on: https://source.michaeldileo.org/michael_dileo/Keybard-Vagabond-Demo/pulls/1
Co-authored-by: Michael DiLeo <michael_dileo@proton.me>
Co-committed-by: Michael DiLeo <michael_dileo@proton.me>

manifests/infrastructure/tailscale/old-subnet-router/auth-secret.yaml

@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: tailscale-auth
+    namespace: tailscale-system
+type: Opaque
+stringData:
+    #ENC[AES256_GCM,data:nyftsojnYW8nOC1bWBYeb3FTKMTf5ByPXlcLWJPAKNNzaXmau1XQ,iv:tuZyJeQX0rNbE9JuxIHUYjOieowjgB0imXLsn72OLDs=,tag:OuERwRIhsfsBwD1CcTEgtw==,type:comment]
+    TS_AUTHKEY: ENC[AES256_GCM,data:C9hqhsByVr4647hWpEhl4sZp2kjGf7akEuvXqpfGHlT8n6KQ/8gm+Aq8DhJ2bnNoZXKf6viFg73VDujC+oFc0Q==,iv:xBlygAPmJbMds3bmHJH8iUISReA9Mn8673KJV0XbUCI=,tag:P7os4Iy1gR9sATtschmBzg==,type:str]
+sops:
+    lastmodified: "2025-08-08T18:18:54Z"
+    mac: ENC[AES256_GCM,data:sc0p3UF8Ukvfi6w3mCkzUpVwh2ZHhxOYAGAV08lCJOrVifvKQAoPgkkxQ0BCtOrQffSfLS0xNL3ir90G0VO7Fbj5zmKqJvJRLWX+mijtgsHXGT/SJdFw/57Yf3m/Q/t0RlMJWT/QbV0totmQPSisppPlaj6vOvCULJzVMvg3E3U=,iv:Qr5C9T12bwlAVIDSNW/EinGs3Qt0SRnxbp/j2rTFBWI=,tag:q7FCN9FDaGYJWoRy75wFrg==,type:str]
+    pgp:
+        - created_at: "2025-08-08T18:18:54Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DZT3mpHTS/JgSAQdARAKeYyvKR2Z0GAGwh7X3am/hYxfCeJHuvuA2g4oUpH8w
+            4oylMT02Z2mZrcsQ8EZz5LTb+B8bkxiBZjLcnPNFgEQPz2CyPd7yMkjt725HhagY
+            1GgBCQIQ30PaiRJZoWPA4eGArmtrq+eTaPs5L0TvVtsaQaZD0BjALc09e00Z7Mdq
+            rWc9Gf83f0ORxmBeyTOro8P/87BM5/6dixexsWiVBRZlSMrQyxEErAF5U7wxE+cx
+            ByAWdEkn0ihLqQ==
+            =uB0J
+            -----END PGP MESSAGE-----
+          fp: B120595CA9A643B051731B32E67FF350227BA4E8
+        - created_at: "2025-08-08T18:18:54Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DSXzd60P2RKISAQdA5Lblb1Tez9WUxPgqymTvY62n9hU+l4IZKEcolMUAARsw
+            xLZhmIhN0CYTp+iTdYbF7GCrIXaygP/lYO40EXxdB0Bg7MWdeXtq5k6Xgou6DU28
+            1GgBCQIQilh//0XeUk0SWyCN8TKSIAZWc5KQkDnJ/OYS5llFSqXCG846BnlDAYZ1
+            0RDkRIJDFIMhlfbJdFcgkSu5vE+4wVGGGJ1mkZINZcb/S4H9K+/dkgmC/ScfOvU8
+            H5Q6QjJrZB4zzw==
+            =1TpA
+            -----END PGP MESSAGE-----
+          fp: 4A8AADB4EBAB9AF88EF7062373CECE06CC80D40C
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

manifests/infrastructure/tailscale/old-subnet-router/kustomization.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- namespace.yaml
+# Legacy resources (not currently used - operator manages these now)
+# - auth-secret.yaml
+# - service-account.yaml
+# - rbac.yaml
+# - subnet-router-deployment.yaml
+# Operator-based resources
+- operator-helm/

manifests/infrastructure/tailscale/old-subnet-router/namespace.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tailscale-system
+  labels:
+    name: tailscale-system
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce-version: latest

manifests/infrastructure/tailscale/old-subnet-router/rbac.yaml

@@ -0,0 +1,55 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tailscale
+rules:
+- apiGroups: ["authorization.k8s.io"]
+  resources: ["selfsubjectaccessreviews"]
+  verbs: ["create"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tailscale
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: tailscale
+subjects:
+- kind: ServiceAccount
+  name: tailscale
+  namespace: tailscale-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tailscale
+  namespace: tailscale-system
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "get", "list", "update", "patch"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create", "get", "patch"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tailscale
+  namespace: tailscale-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: tailscale
+subjects:
+- kind: ServiceAccount
+  name: tailscale
+  namespace: tailscale-system

manifests/infrastructure/tailscale/old-subnet-router/service-account.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tailscale
+  namespace: tailscale-system

manifests/infrastructure/tailscale/old-subnet-router/subnet-router-deployment.yaml

@@ -0,0 +1,54 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: subnet-router
+  namespace: tailscale-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: subnet-router
+  template:
+    metadata:
+      labels:
+        app: subnet-router
+    spec:
+      serviceAccountName: tailscale
+      containers:
+      - name: tailscale
+        imagePullPolicy: Always
+        image: tailscale/tailscale:latest
+        env:
+        - name: TS_KUBE_SECRET
+          value: "tailscale-auth"
+        - name: TS_USERSPACE
+          value: "false"
+        - name: TS_AUTH_KEY
+          valueFrom:
+            secretKeyRef:
+              name: tailscale-auth
+              key: TS_AUTHKEY
+        - name: TS_ROUTES
+          value: "10.244.0.0/16,10.96.0.0/12,10.132.0.0/24"
+        - name: TS_EXTRA_ARGS
+          value: "--advertise-tags=tag:k8s-operator"
+        - name: TS_HOSTNAME
+          value: "keyboardvagabond-cluster"
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_UID
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.uid
+        securityContext:
+          privileged: true
+        resources:
+          requests:
+            cpu: 100m
+            memory: 128Mi
+          limits:
+            cpu: 500m
+            memory: 512Mi