infra-charts/internal-headscale/templates/deployment.yaml


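---
# Deployment rendered by the internal-headscale chart: one socat container per
# entry in .Values.socat.config.forwards, plus a userspace tailscale sidecar
# that joins the tailnet described in .Values.tailscale.config.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}
  labels: {{- include "common.app.labels" . | nindent 4 }}
spec:
  replicas: 1
  selector:
    matchLabels: {{- include "common.app.labels" . | nindent 6 }}
  template:
    metadata:
      labels: {{- include "common.app.labels" . | nindent 8 }}
    spec:
      # Nothing in this pod is meant to reach the Kubernetes API (tailscale is
      # explicitly pointed away from it via KUBERNETES_SERVICE_HOST below), so
      # keep the service account token out of every container.
      automountServiceAccountToken: false
      containers:
        {{- range $forward := .Values.socat.config.forwards }}
        # One socat process per forward: listen on $forward.port inside the pod
        # and relay each connection to $forward.target:$forward.targetPort.
        - name: "{{ $forward.name }}"
          image: "{{ $.Values.socat.image }}:{{ $.Values.socat.imageVersion }}"
          command:
            - socat
            # Quoted so a rendered value containing YAML specials is still a string.
            - "TCP-LISTEN:{{ $forward.port }},fork,reuseaddr"
            - "TCP:{{ $forward.target }}:{{ $forward.targetPort }}"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
              {{- if or (eq (int $forward.port) 80) (eq (int $forward.port) 443) }}
              # Binding :80 / :443 as uid 10001 needs NET_BIND_SERVICE; every
              # other capability stays dropped.
              add:
                - NET_BIND_SERVICE
              {{- end }}
            runAsUser: 10001
            runAsGroup: 10001
            readOnlyRootFilesystem: true
        {{- end }}
        - name: tailscale
          image: "{{ .Values.tailscale.image }}:{{ .Values.tailscale.imageVersion }}"
          env:
            # Userspace networking: no /dev/net/tun and no NET_ADMIN required.
            - name: TS_USERSPACE
              value: "true"
            - name: TS_STATE_DIR
              value: /var/lib/tailscale
            # Auth key comes from a Secret, never from values.yaml.
            - name: TS_AUTH_KEY
              valueFrom:
                secretKeyRef:
                  key: token
                  name: {{ .Values.tailscale.config.secret.secretName }}
            - name: TS_NO_LOGS_NO_SUPPORT
              value: "true"
            # Don't try to reauth all the time.
            - name: TS_AUTH_ONCE
              value: "true"
            # Prevent tailscale from connecting to the cluster API.
            - name: KUBERNETES_SERVICE_HOST
              value: ""
            - name: TS_EXTRA_ARGS
              value: "--advertise-tags={{ .Values.tailscale.config.tag }} --login-server {{ .Values.tailscale.config.loginServer }} --hostname {{ .Values.tailscale.config.hostname }}"
            # Health endpoint the probes below poll.
            - name: TS_HEALTHCHECK_ADDR_PORT
              value: "0.0.0.0:9999"
          readinessProbe:
            httpGet:
              port: 9999
              path: /healthz
              scheme: HTTP
            initialDelaySeconds: 5
            failureThreshold: 5
          livenessProbe:
            httpGet:
              port: 9999
              path: /healthz
              scheme: HTTP
            failureThreshold: 5
          volumeMounts:
            - mountPath: /var/lib/tailscale
              name: state
          # NOTE(review): unlike the socat containers this one sets no
          # runAsUser/runAsGroup or readOnlyRootFilesystem; confirm the image
          # tolerates them before tightening further.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
      volumes:
        - name: state
          {{- .Values.tailscale.mounts.state | toYaml | nindent 10 }}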