infra/homelab/tailscale-serve/deployment.yaml
2022-11-26 10:41:40 +00:00


---
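# Deployment: one pod running a stock nginx container next to a Tailscale
# sidecar. An init container runs the same Tailscale image with MODE=cert
# first. All Tailscale containers share the PVC "tailscale-state" at /tailscale.
#
# The TAILSCALE_* / TAILSCALED_* / MODE variables are interpreted by the
# entrypoint of icr.gmem.ca/tailscale, which is not part of this file; the
# comments on them below are assumptions to confirm against that image.
#
# NOTE(review): no update strategy is set, so the default RollingUpdate
# applies and a rollout can briefly run the old and the new pod together,
# both using the same /tailscale/tailscaled.state. If the state file must
# have a single owner, consider `strategy: {type: Recreate}`.
# NOTE(review): nothing visible here uses the Kubernetes API (state is a file
# path, not a Secret). Consider `automountServiceAccountToken: false` on the
# pod spec once confirmed against the image.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-tailscale-serve
spec:
  selector:
    matchLabels:
      app: nginx-tailscale-serve
  template:
    metadata:
      labels:
        app: nginx-tailscale-serve
    spec:
      initContainers:
        - name: tailscale-init
          # No tag or digest: this resolves to a mutable reference, so the
          # code that runs can change without this manifest changing. Pin it,
          # e.g. <image>@sha256:<digest> (placeholder, not a real value).
          image: icr.gmem.ca/tailscale
          # NOTE(review): no securityContext is set. With userspace networking
          # this container presumably needs no extra privileges; consider
          # allowPrivilegeEscalation: false and dropping capabilities once
          # verified against the image.
          resources:
            requests:
              memory: "1Mi"
              cpu: "1m"
            limits:
              memory: "128Mi"
              cpu: "500m"
          env:
            - name: MODE
              value: "cert"
            # Presumably the output paths for the issued certificate and its
            # private key. Both sit under /tailscale, i.e. on the shared PVC,
            # so the TLS private key is stored on that volume.
            - name: TAILSCALE_CERT_FILE
              value: "/tailscale/cert"
            - name: TAILSCALE_CERT_KEY
              value: "/tailscale/key"
            - name: TAILSCALE_CERT_DOMAIN
              value: "kubernetes-test.chimera-blues.ts.net"
            - name: TAILSCALE_HOSTNAME
              value: "kubernetes-test"
            # Presumably selects tailscaled's userspace networking mode (no
            # TUN device); consistent with no NET_ADMIN capability or
            # privileged flag being requested here.
            - name: TAILSCALED_TUN
              value: "userspace-networking"
            # Node state (presumably including the node's private key) is
            # kept as a file on the PVC rather than in a Kubernetes Secret.
            - name: TAILSCALED_STATE
              value: "/tailscale/tailscaled.state"
            # optional: true lets the container start even when the Secret or
            # the key is missing; the variable is then simply unset.
            # Presumably the persisted state file is enough once the node has
            # been authorised. Prefer a single-use, tagged auth key.
            - name: TAILSCALE_AUTH_KEY
              valueFrom:
                secretKeyRef:
                  name: tailscale-auth
                  key: TS_AUTH_KEY
                  optional: true
          volumeMounts:
            - name: data
              mountPath: /tailscale
      containers:
        - name: nginx
          # Unpinned image: pin by digest, e.g. nginx@sha256:<digest>
          # (placeholder, not a real value).
          image: nginx
          # Blocks gaining privileges through setuid binaries or file
          # capabilities; the stock nginx image does not rely on either.
          securityContext:
            allowPrivilegeEscalation: false
          resources:
            limits:
              memory: "32Mi"
              cpu: "100m"
            requests:
              memory: "16Mi"
              cpu: "1m"
          ports:
            - containerPort: 80
        - name: tailscale-serve
          # Same unpinned image as the init container; pin by digest.
          image: icr.gmem.ca/tailscale
          # NOTE(review): no securityContext is set; see the init container.
          resources:
            requests:
              memory: "1Mi"
              cpu: "1m"
            limits:
              memory: "128Mi"
              cpu: "500m"
          env:
            - name: TAILSCALE_HOSTNAME
              value: "kubernetes-test"
            - name: TAILSCALED_TUN
              value: "userspace-networking"
            # Presumably publishes local port 80 (the nginx container)
            # through Tailscale Funnel. Funnel accepts traffic from the
            # public internet, not only from tailnet members, so whatever
            # nginx serves should be treated as internet-facing. Confirm
            # this is intended and that Funnel is restricted to this node
            # in the tailnet policy.
            - name: TAILSCALE_FUNNEL_PROXY
              value: "80"
            - name: TAILSCALED_STATE
              value: "/tailscale/tailscaled.state"
            # Optional Secret reference, as on the init container.
            - name: TAILSCALE_AUTH_KEY
              valueFrom:
                secretKeyRef:
                  name: tailscale-auth
                  key: TS_AUTH_KEY
                  optional: true
          volumeMounts:
            - name: data
              mountPath: /tailscale
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: tailscale-state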
---
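# Claim mounted at /tailscale by the Deployment in this file. According to
# that Deployment's env it holds tailscaled.state and the cert/key files, so
# the volume contents are credentials, not just cache data.
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: tailscale-state
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  # NOTE(review): "nfs-client" presumably provisions a directory on an NFS
  # export. If so, anyone who can read that export can read the node state
  # and the TLS private key. Confirm who can mount the export and whether
  # the NFS traffic is protected in transit.
  storageClassName: nfs-client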
---
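# In-cluster Service for the nginx container: port 80 forwards to targetPort
# 80, matching the containerPort declared in the Deployment. No `type` is
# set, so this is a ClusterIP Service.
#
# NOTE(review): this is plain HTTP and a second path to nginx besides the
# Tailscale sidecar. No NetworkPolicy is visible in this file, so whether
# other workloads in the cluster can reach it depends on policy defined
# elsewhere.
apiVersion: v1
kind: Service
metadata:
  name: nginx-tailscale-serve
spec:
  selector:
    app: nginx-tailscale-serve
  ports:
    - port: 80
      targetPort: 80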