michael_dileo/Keybard-Vagabond-Demo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add source code and readme

Browse Source
This commit is contained in:
Michael DiLeo
2025-12-24 14:35:17 +01:00
parent 7c92e1e610
commit 74324d5a1b
331 changed files with 39272 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
manifests/infrastructure/tailscale/connector.yaml Normal file
View File

@@ -0,0 +1,15 @@
---
apiVersion: tailscale.com/v1alpha1
kind: Connector
metadata:
name: cluster-subnet-router
namespace: tailscale-system
spec:
subnetRouter:
advertiseRoutes:
- 10.244.0.0/16 # Pod network (Cilium)
- 10.96.0.0/12 # Service network
- 10.132.0.0/24 # VLAN network (NetCup Cloud)
hostname: keyboardvagabond-cluster
tags:
- tag:k8s-operator

59
manifests/infrastructure/tailscale/helm-release.yaml Normal file
View File

@@ -0,0 +1,59 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: tailscale-operator
namespace: tailscale-system
spec:
interval: 10m
timeout: 5m
chart:
spec:
chart: tailscale-operator
version: "1.90.x" # Update to match operator version
sourceRef:
kind: HelmRepository
name: tailscale
namespace: flux-system
interval: 1h
valuesFrom:
# OAuth credentials loaded from SOPS-encrypted secret
- kind: Secret
name: operator-oauth
valuesKey: values.yaml
values:
# Operator configuration
operator:
hostname: keyboardvagabond-operator
replicaCount: 2
image:
repository: tailscale/k8s-operator
tag: v1.90.8
pullPolicy: IfNotPresent
# Node anti-affinity to distribute operator pods across nodes
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- tailscale-operator
topologyKey: kubernetes.io/hostname
# Metrics configuration
metrics:
enabled: false
# Resource limits
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi

10
manifests/infrastructure/tailscale/helm-repository.yaml Normal file
View File

@@ -0,0 +1,10 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: tailscale
namespace: flux-system
spec:
interval: 1h
url: https://pkgs.tailscale.com/helmcharts

9
manifests/infrastructure/tailscale/kustomization.yaml Normal file
View File

@@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- helm-repository.yaml
- oauth-secret.yaml
- helm-release.yaml
- connector.yaml

10
manifests/infrastructure/tailscale/namespace.yaml Normal file
View File

@@ -0,0 +1,10 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: tailscale-system
labels:
name: tailscale-system
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce-version: latest

41
manifests/infrastructure/tailscale/oauth-secret.yaml Normal file
View File

@@ -0,0 +1,41 @@
apiVersion: v1
kind: Secret
metadata:
name: operator-oauth
namespace: tailscale-system
type: Opaque
stringData:
#ENC[AES256_GCM,data:l4J1uUM02UHCgi+DkuxxrcHCi0oHFpElXHEiWRo+0oailKbsF0ymmDJiMCqV8U8Z,iv:OLeAQUJ/sc/k6hGSZ6+4ve+EOY6buxmGiAhUpP3JuHE=,tag:/jZX5Z3uCmJCyj64ANVlMw==,type:comment]
#ENC[AES256_GCM,data:uIs5Fz+0RWg8CyZ+/72vz6S/FuUw04oHGXBjuSRQraVLK2kHTsODVvGcKlgRTYcXMJ0y1WGT4k7+1rY=,iv:KaNK2b/E/XokrB29UAOuDo1isgToiyf9CGZT3E4FHhc=,tag:VgkUtLMC0yT+5hg5AmSChA==,type:comment]
#ENC[AES256_GCM,data:oGtvagHvq2ZOPBTcbmqm19uO8pKRYVfw71pz8/rVY5L0sQ855zIM3mF9DljI6VW96Nyp8X7ja6w95vdL8mp/P9P5F/6/8yg=,iv:d1GJvi+FZzz880LHxglFc7//wjwEtc7ialdhNYxHF8Q=,tag:QFBm27EqpYwCBplw7GG6/w==,type:comment]
values.yaml: ENC[AES256_GCM,data:gdKJYDUPBeVdFLXX1P5z3AlUhJQP0764xZKUapv4WtIyUYpxgIaH1MMjeGXPtcA4QIy1botx7+6L9rmdkqZyVpgfvr+QnITGDivsVvk0cyIVt24DBKrfIIKby2t+iHqSiOp65HMIubN4v3jYGHWMFcpa+NgbgJfJf8w=,iv:wQkXRUGSbYCM32t9HyyNrhFLiUgZ13WU8DXux5pBxQ8=,tag:I7K2Lh3mFlZm+Ewwx4Bnfw==,type:str]
sops:
lastmodified: "2025-11-30T10:59:24Z"
mac: ENC[AES256_GCM,data:F21L/K6Lm3YEMaAzIBFBQjDX+Z6ypoKzmimMnmd+P6KlqC5bqKwOSjAvfNWi3pu9PYXzrSppiXKXgqRcYAkCtcrtbj2eLtHxWGnfOzrafGvdPvZSc8Wa24tl5It84faiGFAY4NvfZxARIeuaVg4USOOall2eZVK9QWZieTSPCzI=,iv:K3L8Q3NZ+t9WDLDSIIzbdlYdAeYgJb4TZTDMzw2Ghh0=,tag:ojfHbXsxEIXzKDuspSXVzw==,type:str]
pgp:
- created_at: "2025-11-23T16:59:12Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DZT3mpHTS/JgSAQdAdiFsCKasusASWyuSbRO1MrRhUyxie1YeUgbnV1oIoA0w
+naSOBv25nEhoc935K/OFVLXq4BWRQLKv4SMpmJ0wUMdA1+rgDhUEIaII7cElmzT
1GgBCQIQdrDXkUxJVkGDJLnzEcWmRObXAUaArSGMmoi5M8hHZRhP+y4p1GHutMUK
R2T/qPoo3rpDwm7C7QkN12wVoxXG9AkAccPEbWhBfaDfSw6U7OZ3ox66Zf+HRl6Z
OMw8OvHZo7IysA==
=og+X
-----END PGP MESSAGE-----
fp: B120595CA9A643B051731B32E67FF350227BA4E8
- created_at: "2025-11-23T16:59:12Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DSXzd60P2RKISAQdAirRUi6WF3ESRmk96UTXs5J7CDEPvD58tsF8ha7sjYUIw
ojqsvxA75AEJFEPWkE9haMp28u53LBGJLH6yNHPiCCzFmvIe72kwwP3Qu6kDEoCi
1GgBCQIQmaer/NtAyqkpQerecLSOYBPMZX54gXVDQMjF8GvjHe2TQnGP2HJXBmf4
PCj0j7VmG0sQXJz5xMpxWNxeHLv61M13FuyEcaS7FbSfxUJmTOH1BiJwMEsR9169
aDqO/SUTq6McNw==
=dA/R
-----END PGP MESSAGE-----
fp: 4A8AADB4EBAB9AF88EF7062373CECE06CC80D40C
encrypted_regex: ^(data|stringData)$
version: 3.10.2

39
manifests/infrastructure/tailscale/old-subnet-router/auth-secret.yaml Normal file
View File

@@ -0,0 +1,39 @@
apiVersion: v1
kind: Secret
metadata:
name: tailscale-auth
namespace: tailscale-system
type: Opaque
stringData:
#ENC[AES256_GCM,data:nyftsojnYW8nOC1bWBYeb3FTKMTf5ByPXlcLWJPAKNNzaXmau1XQ,iv:tuZyJeQX0rNbE9JuxIHUYjOieowjgB0imXLsn72OLDs=,tag:OuERwRIhsfsBwD1CcTEgtw==,type:comment]
TS_AUTHKEY: ENC[AES256_GCM,data:C9hqhsByVr4647hWpEhl4sZp2kjGf7akEuvXqpfGHlT8n6KQ/8gm+Aq8DhJ2bnNoZXKf6viFg73VDujC+oFc0Q==,iv:xBlygAPmJbMds3bmHJH8iUISReA9Mn8673KJV0XbUCI=,tag:P7os4Iy1gR9sATtschmBzg==,type:str]
sops:
lastmodified: "2025-08-08T18:18:54Z"
mac: ENC[AES256_GCM,data:sc0p3UF8Ukvfi6w3mCkzUpVwh2ZHhxOYAGAV08lCJOrVifvKQAoPgkkxQ0BCtOrQffSfLS0xNL3ir90G0VO7Fbj5zmKqJvJRLWX+mijtgsHXGT/SJdFw/57Yf3m/Q/t0RlMJWT/QbV0totmQPSisppPlaj6vOvCULJzVMvg3E3U=,iv:Qr5C9T12bwlAVIDSNW/EinGs3Qt0SRnxbp/j2rTFBWI=,tag:q7FCN9FDaGYJWoRy75wFrg==,type:str]
pgp:
- created_at: "2025-08-08T18:18:54Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DZT3mpHTS/JgSAQdARAKeYyvKR2Z0GAGwh7X3am/hYxfCeJHuvuA2g4oUpH8w
4oylMT02Z2mZrcsQ8EZz5LTb+B8bkxiBZjLcnPNFgEQPz2CyPd7yMkjt725HhagY
1GgBCQIQ30PaiRJZoWPA4eGArmtrq+eTaPs5L0TvVtsaQaZD0BjALc09e00Z7Mdq
rWc9Gf83f0ORxmBeyTOro8P/87BM5/6dixexsWiVBRZlSMrQyxEErAF5U7wxE+cx
ByAWdEkn0ihLqQ==
=uB0J
-----END PGP MESSAGE-----
fp: B120595CA9A643B051731B32E67FF350227BA4E8
- created_at: "2025-08-08T18:18:54Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DSXzd60P2RKISAQdA5Lblb1Tez9WUxPgqymTvY62n9hU+l4IZKEcolMUAARsw
xLZhmIhN0CYTp+iTdYbF7GCrIXaygP/lYO40EXxdB0Bg7MWdeXtq5k6Xgou6DU28
1GgBCQIQilh//0XeUk0SWyCN8TKSIAZWc5KQkDnJ/OYS5llFSqXCG846BnlDAYZ1
0RDkRIJDFIMhlfbJdFcgkSu5vE+4wVGGGJ1mkZINZcb/S4H9K+/dkgmC/ScfOvU8
H5Q6QjJrZB4zzw==
=1TpA
-----END PGP MESSAGE-----
fp: 4A8AADB4EBAB9AF88EF7062373CECE06CC80D40C
encrypted_regex: ^(data|stringData)$
version: 3.10.2

12
manifests/infrastructure/tailscale/old-subnet-router/kustomization.yaml Normal file
View File

@@ -0,0 +1,12 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
# Legacy resources (not currently used - operator manages these now)
# - auth-secret.yaml
# - service-account.yaml
# - rbac.yaml
# - subnet-router-deployment.yaml
# Operator-based resources
- operator-helm/

9
manifests/infrastructure/tailscale/old-subnet-router/namespace.yaml Normal file
View File

@@ -0,0 +1,9 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: tailscale-system
labels:
name: tailscale-system
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce-version: latest

55
manifests/infrastructure/tailscale/old-subnet-router/rbac.yaml Normal file
View File

@@ -0,0 +1,55 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tailscale
rules:
- apiGroups: ["authorization.k8s.io"]
resources: ["selfsubjectaccessreviews"]
verbs: ["create"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tailscale
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: tailscale
subjects:
- kind: ServiceAccount
name: tailscale
namespace: tailscale-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: tailscale
namespace: tailscale-system
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "get", "list", "update", "patch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "get", "patch"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tailscale
namespace: tailscale-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: tailscale
subjects:
- kind: ServiceAccount
name: tailscale
namespace: tailscale-system

6
manifests/infrastructure/tailscale/old-subnet-router/service-account.yaml Normal file
View File

@@ -0,0 +1,6 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: tailscale
namespace: tailscale-system

54
manifests/infrastructure/tailscale/old-subnet-router/subnet-router-deployment.yaml Normal file
View File

@@ -0,0 +1,54 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: subnet-router
namespace: tailscale-system
spec:
replicas: 1
selector:
matchLabels:
app: subnet-router
template:
metadata:
labels:
app: subnet-router
spec:
serviceAccountName: tailscale
containers:
- name: tailscale
imagePullPolicy: Always
image: tailscale/tailscale:latest
env:
- name: TS_KUBE_SECRET
value: "tailscale-auth"
- name: TS_USERSPACE
value: "false"
- name: TS_AUTH_KEY
valueFrom:
secretKeyRef:
name: tailscale-auth
key: TS_AUTHKEY
- name: TS_ROUTES
value: "10.244.0.0/16,10.96.0.0/12,10.132.0.0/24"
- name: TS_EXTRA_ARGS
value: "--advertise-tags=tag:k8s-operator"
- name: TS_HOSTNAME
value: "keyboardvagabond-cluster"
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
securityContext:
privileged: true
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi