From 440682a8ff8c31d6cd5735992aeb0d90063bbfa9 Mon Sep 17 00:00:00 2001
From: Martyn Ranyard
Date: Wed, 5 Mar 2025 17:34:34 +0000
Subject: [PATCH] Add the tailscale proxy for use by ISO downloaders
Signed-off-by: Martyn Ranyard
---
 .../tailscale-proxy/configmap.yaml | 13 +++
 apps-kustomized/tailscale-proxy/deploy.yaml | 102 ++++++++++++++++++
 apps-kustomized/tailscale-proxy/sa.yaml | 4 +
 everything-app/tailscale-proxy.yaml | 17 +++
 4 files changed, 136 insertions(+)
 create mode 100644 apps-kustomized/tailscale-proxy/configmap.yaml
 create mode 100644 apps-kustomized/tailscale-proxy/deploy.yaml
 create mode 100644 apps-kustomized/tailscale-proxy/sa.yaml
 create mode 100644 everything-app/tailscale-proxy.yaml
diff --git a/apps-kustomized/tailscale-proxy/configmap.yaml b/apps-kustomized/tailscale-proxy/configmap.yaml
new file mode 100644
index 0000000..18e2296
--- /dev/null
+++ b/apps-kustomized/tailscale-proxy/configmap.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: tailscale-script
+data:
+ script.sh: |
+ tailscaled --socks5-server=localhost:1055 --outbound-http-proxy-listen=localhost:1055 --tun=userspace-networking &
+ tailscale up --authkey=$TS_AUTHKEY --advertise-tags=tag:k8s --hostname k8s-tailscale-proxy &
+ sleep 3
+ echo "Waiting for $COUNTRY to do something"
+ while ! tailscale exit-node list 2>/dev/null | grep $COUNTRY >/dev/null; do echo -n . ;sleep 5; done
+ tailscale set --exit-node $(tailscale exit-node list | grep $COUNTRY | cut -f2 -d' ' | shuf | head -n1)
+ while true; do sleep 1; done
diff --git a/apps-kustomized/tailscale-proxy/deploy.yaml b/apps-kustomized/tailscale-proxy/deploy.yaml
new file mode 100644
index 0000000..de04c99
--- /dev/null
+++ b/apps-kustomized/tailscale-proxy/deploy.yaml
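Review bot: `tailscale up --authkey=$TS_AUTHKEY` in script.sh puts the auth key on the command line, where it is readable from the process table (/proc/<pid>/cmdline) by anything sharing the pod, or with node-level access, for as long as `tailscale up` runs; mounting the `tailscale-auth` Secret as a file and passing `--auth-key=file:/path/to/key` (the `file:` form is accepted by recent CLIs — confirm against the pinned v1.80.3) keeps it out of argv. The two `grep $COUNTRY` calls and the `cut -f2 -d' '` extraction are unquoted substring matches against the column-aligned output of `tailscale exit-node list`, so a country name that is a substring of another, or a value containing a space, selects the wrong node or none; quote the variable and match the column exactly, e.g. `grep -w -- "$COUNTRY"`. If the exit node vanishes between the wait loop and `tailscale set`, the pipeline is empty and `--exit-node` is invoked with an empty argument while the pod still passes its liveness probe; capturing the result and guarding with `[ -n "$node" ]` before `tailscale set` avoids that half-configured state. The SOCKS5 and HTTP listeners are bound to localhost:1055, so only containers in this pod can use them; if the ISO downloaders named in the title run in other pods, a listener on the pod IP plus a Service will be needed, and since the proxy has no authentication a NetworkPolicy limiting who can reach it becomes the relevant control.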
@@ -0,0 +1,102 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ annotations:
+ deployment.kubernetes.io/revision: "20"
+ labels:
+ app: tailscale-proxy
+ name: tailscale-proxy
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tailscale-proxy
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 25%
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: tailscale-proxy
+ spec:
+ containers:
+ - command:
+ - /bin/sh
+ - -c
+ - 'sh /script/script.sh'
+ env:
+ - name: TS_KUBE_SECRET
+ value: tailscale
+ - name: COUNTRY
+ value: Switzerland
+ - name: TS_AUTHKEY
+ valueFrom:
+ secretKeyRef:
+ key: TS_AUTHKEY
+ name: tailscale-auth
+ image: ghcr.io/tailscale/tailscale:v1.80.3
+ imagePullPolicy: IfNotPresent
+ startupProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - tailscale ip | grep ^100 > /dev/null
+ periodSeconds: 30
+ failureThreshold: 30
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - tailscale ip | grep ^100 > /dev/null
+ periodSeconds: 30
+ failureThreshold: 2
+ readinessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - http_proxy=127.0.0.1:1055 wget -O- ifconfig.co/country 2>&1 | grep $COUNTRY > /dev/null
+ initialDelaySeconds: 60
+ periodSeconds: 60
+ failureThreshold: 3
+ name: tailscale
+ securityContext:
+ privileged: true
+ runAsGroup: 0
+ runAsUser: 0
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ name: kube-api-access-t4rzn
+ readOnly: true
+ - mountPath: /script
+ name: script
+ serviceAccount: tailscale
+ serviceAccountName: tailscale
+ volumes:
+ - name: script
+ configMap:
+ name: tailscale-script
+ - name: kube-api-access-t4rzn
+ projected:
+ defaultMode: 420
+ sources:
+ - serviceAccountToken:
+ expirationSeconds: 3607
+ path: token
+ - configMap:
+ items:
+ - key: ca.crt
+ path: ca.crt
+ name: kube-root-ca.crt
+ - downwardAPI:
+ items:
+ - fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ path: namespace
diff --git a/apps-kustomized/tailscale-proxy/sa.yaml b/apps-kustomized/tailscale-proxy/sa.yaml
new file mode 100644
index 0000000..84dfe93
--- /dev/null
+++ b/apps-kustomized/tailscale-proxy/sa.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tailscale
diff --git a/everything-app/tailscale-proxy.yaml b/everything-app/tailscale-proxy.yaml
new file mode 100644
index 0000000..f85396f
--- /dev/null
+++ b/everything-app/tailscale-proxy.yaml
@@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: tailscale-proxy
+ namespace: argocd
+spec:
+ destination:
+ namespace: tailscale-proxy
+ server: https://kubernetes.default.svc
+ project: apps
+ source:
+ path: apps-kustomized/tailscale-proxy
+ repoURL: https://git.martyn.berlin/martyn/infra4talos
+ targetRevision: HEAD
+ syncPolicy:
+ automated:
+ selfHeal: true
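Review bot: `privileged: true` together with `runAsUser: 0` in the container `securityContext` hands the pod full host access, yet the script it runs starts tailscaled with `--tun=userspace-networking`, which needs neither /dev/net/tun nor NET_ADMIN; the container should run unprivileged with all capabilities dropped (verify against the pinned image that userspace mode still comes up that way). `TS_KUBE_SECRET` is read by the image's containerboot entrypoint, which the custom `command` bypasses, so as written tailscaled keeps its state in the container filesystem and every restart re-registers with the auth key; either pass `--state=kube:tailscale` to tailscaled (which also needs a Role letting the `tailscale` ServiceAccount read and write that Secret, not in this patch) or drop the misleading env var. The `deployment.kubernetes.io/revision: "20"` annotation, the deprecated `serviceAccount` field and the hand-written `kube-api-access-t4rzn` projected volume look like a `kubectl get -o yaml` export; they are controller-injected and should be removed so the manifest stays declarative and the token volume is not pinned to a live-generated name. The readiness probe fetches `ifconfig.co/country` over plaintext HTTP every 60 s, which ties readiness to a third party and discloses the exit node's address to it — acceptable for a homelab, but worth a comment next to the probe.

```yaml
        name: tailscale
        securityContext:
          privileged: false
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
          runAsGroup: 0
          runAsUser: 0
        # … unchanged: terminationMessagePath, volumeMounts …
```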
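Review bot: Nothing in this patch creates the `tailscale-auth` Secret that the Deployment reads from namespace `tailscale-proxy`, so the pod Argo syncs from this Application will sit in CreateContainerConfigError until that Secret is provisioned out of band; a comment on the Application such as `# requires Secret tailscale-auth (key TS_AUTHKEY) in namespace tailscale-proxy, created out of band` records the dependency. Unless Argo is already configured to create namespaces, `syncOptions: ["CreateNamespace=true"]` under `syncPolicy` (or a Namespace manifest in the kustomization) is also needed for a fresh cluster. `targetRevision: HEAD` with `automated.selfHeal` means any push to the default branch is rolled out without review; fine for a personal repo, but a one-line comment stating that intent saves the next reader from wondering.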