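---
{{- /*
Deployment rendering one socat TCP forwarder container per entry of
.Values.socat.config.forwards (each entry is read for .name, .port,
.target and .targetPort) plus one tailscale sidecar running in userspace
mode that holds its state in the "state" volume.
*/}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name | quote }}
  labels:
    {{- include "common.app.labels" . | nindent 4 }}
spec:
  replicas: 1
  selector:
    matchLabels:
      {{- /*
      NOTE(review): a Deployment selector is immutable; this assumes
      "common.app.labels" yields only labels that never change between
      releases (no chart version / revision label) — confirm in the helper.
      */}}
      {{- include "common.app.labels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "common.app.labels" . | nindent 8 }}
    spec:
      {{- /*
      Nothing in this pod talks to the Kubernetes API (the tailscale sidecar
      is explicitly told not to below), so do not mount a service-account
      token into either container.
      */}}
      automountServiceAccountToken: false
      containers:
        {{- range $forward := .Values.socat.config.forwards }}
        - name: {{ $forward.name | quote }}
          image: "{{ $.Values.socat.image }}:{{ $.Values.socat.imageVersion }}"
          {{- /* Templated values are quoted so a numeric port or a value
          containing YAML specials still renders as a plain string. */}}
          command:
            - socat
            - "TCP-LISTEN:{{ $forward.port }},fork,reuseaddr"
            - "TCP:{{ $forward.target }}:{{ $forward.targetPort }}"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
              {{- if or (eq (int $forward.port) 80) (eq (int $forward.port) 443) }}
              {{- /*
              Allow binding to :80 and :443 in the container.
              NOTE(review): the container runs as UID 10001; an added
              capability only becomes effective for a non-root process if
              the socat binary carries file capabilities or the kernel
              permits unprivileged low ports — TODO confirm this works with
              the chosen image.
              */}}
              add:
                - NET_BIND_SERVICE
              {{- end }}
            runAsUser: 10001
            runAsGroup: 10001
            {{- /* runAsUser is non-zero, so this is a pure admission-time guard. */}}
            runAsNonRoot: true
            readOnlyRootFilesystem: true
        {{- end }}
        - name: tailscale
          image: "{{ .Values.tailscale.image }}:{{ .Values.tailscale.imageVersion }}"
          env:
            - name: TS_USERSPACE
              value: "true"
            - name: TS_STATE_DIR
              value: /var/lib/tailscale
            - name: TS_AUTH_KEY
              valueFrom:
                secretKeyRef:
                  key: token
                  name: {{ .Values.tailscale.config.secret.secretName | quote }}
            - name: TS_NO_LOGS_NO_SUPPORT
              value: "true"
            {{- /* Don't try to reauth all the time */}}
            - name: TS_AUTH_ONCE
              value: "true"
            {{- /* Prevent tailscale from connecting to the cluster */}}
            - name: KUBERNETES_SERVICE_HOST
              value: ""
            - name: TS_EXTRA_ARGS
              value: "--advertise-tags={{ .Values.tailscale.config.tag }} --login-server {{ .Values.tailscale.config.loginServer }} --hostname {{ .Values.tailscale.config.hostname }}"
            {{- /* The health endpoint must listen on the pod IP for kubelet probes to reach it. */}}
            - name: TS_HEALTHCHECK_ADDR_PORT
              value: "0.0.0.0:9999"
          readinessProbe:
            httpGet:
              port: 9999
              path: /healthz
              scheme: HTTP
            initialDelaySeconds: 5
            failureThreshold: 5
          livenessProbe:
            httpGet:
              port: 9999
              path: /healthz
              scheme: HTTP
            failureThreshold: 5
          volumeMounts:
            - mountPath: /var/lib/tailscale
              name: state
          securityContext:
            {{- /*
            Userspace mode needs no capabilities; readOnlyRootFilesystem is
            deliberately not set here because the sidecar is only known to
            write to TS_STATE_DIR — TODO confirm before hardening further.
            */}}
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
      volumes:
        - name: state
          {{- /* The volume source (emptyDir, PVC, ...) is supplied verbatim from values. */}}
          {{- .Values.tailscale.mounts.state | toYaml | nindent 10 }}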