infra4talos/apps-kustomized/tailscale-proxy/deploy.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: tailscale-proxy
  name: tailscale-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tailscale-proxy
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: tailscale-proxy
    spec:
      containers:
      - command:
        - /bin/sh
        - -c
        - 'sh /script/script.sh'
        env:
        - name: TS_KUBE_SECRET
          value: tailscale
        - name: COUNTRY
          value: Switzerland
        - name: TS_AUTHKEY
          valueFrom:
            secretKeyRef:
              key: TS_AUTHKEY
              name: tailscale-auth
        image: ghcr.io/tailscale/tailscale:v1.80.3
        imagePullPolicy: IfNotPresent
        startupProbe:
          exec:
            command:
              - /bin/sh
              - -c
              - tailscale ip | grep ^100 > /dev/null
          periodSeconds: 30
          failureThreshold: 30
        livenessProbe:
          exec:
            command:
              - /bin/sh
              - -c
              - tailscale ip | grep ^100 > /dev/null
          periodSeconds: 30
          failureThreshold: 2
        readinessProbe:
          exec:
            command:
              - /bin/sh
              - -c
              - http_proxy=127.0.0.1:1055 wget -O- ifconfig.co/country 2>&1 | grep $COUNTRY > /dev/null
          initialDelaySeconds: 60
          periodSeconds: 60
          failureThreshold: 3
        name: tailscale
        securityContext:
          privileged: true
          runAsGroup: 0
          runAsUser: 0
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: kube-api-access-t4rzn
          readOnly: true
        - mountPath: /script
          name: script
      serviceAccount: tailscale
      serviceAccountName: tailscale
      volumes:
      - name: script
        configMap:
          name: tailscale-script
      - name: kube-api-access-t4rzn
        projected:
          defaultMode: 420
          sources:
          - serviceAccountToken:
              expirationSeconds: 3607
              path: token
          - configMap:
              items:
              - key: ca.crt
                path: ca.crt
              name: kube-root-ca.crt
          - downwardAPI:
              items:
              - fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
                path: namespace