---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tailscale-ingress-controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tailscale-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - "secrets"
    verbs:
      - "get"
      - "watch"
      - "list"
      - "create"
      - "update"
  - apiGroups:
      - ""
    resources:
      - "services"
      - "configmaps"
    verbs:
      - "get"
      - "watch"
      - "list"
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - "ingresses"
    verbs:
      - "get"
      - "watch"
      - "list"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tailscale-ingress-controller-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tailscale-ingress-controller
subjects:
  - kind: ServiceAccount
    name: tailscale-ingress-controller
    namespace: default
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tailscale-ingress-controller
  namespace: default
  labels:
    app: ingress-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ingress-controller
  template:
    metadata:
      labels:
        app: ingress-controller
    spec:
      serviceAccountName: tailscale-ingress-controller
      containers:
        - name: tailscale-ingress-controller
          image: valentinalexeev/tailscale-ingress-controller:latest
          resources:
            requests:
              cpu: "0.1"
              memory: "64Mi"
            limits:
              cpu: "0.1"
              memory: "128Mi"
          env:
            - name: TS_AUTHKEY
              valueFrom:
                secretKeyRef:
                  name: tailscale-auth
                  key: key
            - name: TCP_SERVICES_CONFIGMAP
              value: tcp-services