-rw-r--r--cmd/k8s-operator/deploy/chart/Chart.yaml32
-rw-r--r--cmd/k8s-operator/deploy/chart/templates/deployment.yaml6
-rw-r--r--cmd/k8s-operator/deploy/chart/values.yaml7
-rwxr-xr-xtool/helm69
-rw-r--r--tool/helm.rev1
5 files changed, 97 insertions, 18 deletions
diff --git a/cmd/k8s-operator/deploy/chart/Chart.yaml b/cmd/k8s-operator/deploy/chart/Chart.yaml
index de54e4275..278e8f871 100644
--- a/cmd/k8s-operator/deploy/chart/Chart.yaml
+++ b/cmd/k8s-operator/deploy/chart/Chart.yaml
@@ -4,24 +4,26 @@
apiVersion: v1
name: tailscale-operator
description: A Helm chart for Tailscale Kubernetes operator
+home: https://github.com/tailscale/tailscale
+
+keywords:
+ - "tailscale"
+ - "vpn"
+ - "ingress"
+ - "egress"
+ - "wireguard"
+
+sources:
+- https://github.com/tailscale/tailscale
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
+maintainers:
+ - name: tailscale-maintainers
+ url: https://tailscale.com/
+
+# version will be set to Tailscale repo tag (without 'v') at release time.
version: 0.1.0
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
+# appVersion will be set to Tailscale repo tag at release time.
appVersion: "unstable"
diff --git a/cmd/k8s-operator/deploy/chart/templates/deployment.yaml b/cmd/k8s-operator/deploy/chart/templates/deployment.yaml
index f43690570..fc39baff1 100644
--- a/cmd/k8s-operator/deploy/chart/templates/deployment.yaml
+++ b/cmd/k8s-operator/deploy/chart/templates/deployment.yaml
@@ -45,7 +45,8 @@ spec:
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
- image: {{ .Values.operatorConfig.image.repo }}:{{ .Values.operatorConfig.image.tag | default .Chart.AppVersion }}
+ {{- $operatorTag:= printf ":%s" ( .Values.operatorConfig.image.tag | default .Chart.AppVersion )}}
+ image: {{ .Values.operatorConfig.image.repo }}{{- if .Values.operatorConfig.image.digest -}}{{ printf "@%s" .Values.operatorConfig.image.digest}}{{- else -}}{{ printf "%s" $operatorTag }}{{- end }}
imagePullPolicy: {{ .Values.operatorConfig.image.pullPolicy }}
env:
- name: OPERATOR_HOSTNAME
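Review bot: The digest is appended after `@` exactly as supplied and the resulting `image:` scalar is unquoted, so a malformed digest (for example one missing its algorithm prefix) renders an invalid reference that only fails at image pull time. A render-time guard ahead of the `image:` line would surface it at `helm template`/`install`, e.g. `{{- with .Values.operatorConfig.image.digest }}{{- if not (regexMatch "^[a-z0-9]+:[a-f0-9]+$" .) }}{{ fail "operatorConfig.image.digest must be <algorithm>:<hex>" }}{{- end }}{{- end }}`. The same applies to the `PROXY_IMAGE` value in the next hunk, using `.Values.proxyConfig.image.digest`. The container spec begins and continues outside this hunk.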
@@ -62,8 +63,9 @@ spec:
value: /oauth/client_id
- name: CLIENT_SECRET_FILE
value: /oauth/client_secret
+ {{- $proxyTag := printf ":%s" ( .Values.proxyConfig.image.tag | default .Chart.AppVersion )}}
- name: PROXY_IMAGE
- value: {{ .Values.proxyConfig.image.repo }}:{{ .Values.proxyConfig.image.tag | default .Chart.AppVersion }}
+ value: {{ .Values.proxyConfig.image.repo }}{{- if .Values.proxyConfig.image.digest -}}{{ printf "@%s" .Values.proxyConfig.image.digest}}{{- else -}}{{ printf "%s" $proxyTag }}{{- end }}
- name: PROXY_TAGS
value: {{ .Values.proxyConfig.defaultTags }}
- name: APISERVER_PROXY
diff --git a/cmd/k8s-operator/deploy/chart/values.yaml b/cmd/k8s-operator/deploy/chart/values.yaml
index 85ee36edc..893e6c395 100644
--- a/cmd/k8s-operator/deploy/chart/values.yaml
+++ b/cmd/k8s-operator/deploy/chart/values.yaml
@@ -11,8 +11,10 @@
operatorConfig:
image:
repo: tailscale/k8s-operator
- # Overrides the image tag whose default is the chart appVersion.
+ # Digest will be prioritized over tag. If neither are set appVersion will be
+ # used.
tag: ""
+ digest: ""
logging: "info"
hostname: "tailscale-operator"
nodeSelector:
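Review bot: The new comment above `tag` does not say what form `digest` must take, and the template prepends only `@`, so the value apparently has to carry the algorithm prefix itself. I would extend the comment to something like `# digest must include the algorithm prefix, e.g. "sha256:<64 hex chars>"; when set, tag is ignored.` It would also help to say that with both left empty the image resolves to the chart appVersion tag, which is mutable, so deployments that need an immutable image should set `digest`. The same wording applies to the `proxyConfig.image` comment in the next hunk.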
@@ -26,7 +28,10 @@ operatorConfig:
proxyConfig:
image:
repo: tailscale/tailscale
+ # Digest will be prioritized over tag. If neither are set appVersion will be
+ # used.
tag: ""
+ digest: ""
# ACL tag that operator will tag proxies with. Operator must be made owner of
# these tags
# https://tailscale.com/kb/1236/kubernetes-operator/?q=operator#setting-up-the-kubernetes-operator
diff --git a/tool/helm b/tool/helm
new file mode 100755
index 000000000..3f9a9dfd5
--- /dev/null
+++ b/tool/helm
@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+
+# installs $(cat ./helm.rev) version of helm as $HOME/.cache/tailscale-helm
+
+set -euo pipefail
+
+if [[ "${CI:-}" == "true" ]]; then
+ set -x
+fi
+
+(
+ if [[ "${CI:-}" == "true" ]]; then
+ set -x
+ fi
+
+ repo_root="${BASH_SOURCE%/*}/../"
+ cd "$repo_root"
+
+ cachedir="$HOME/.cache/tailscale-helm"
+ tarball="${cachedir}.tar.gz"
+
+ read -r want_rev < "$(dirname "$0")/helm.rev"
+
+ got_rev=""
+ if [[ -x "${cachedir}/helm" ]]; then
+ got_rev=$("${cachedir}/helm" version --short)
+ got_rev="${got_rev#v}" # trim the leading 'v'
+ got_rev="${got_rev%+*}" # trim the trailing '+" followed by a commit SHA'
+
+
+ fi
+
+ if [[ "$want_rev" != "$got_rev" ]]; then
+ rm -rf "$cachedir" "$tarball"
+ if [[ -n "${IN_NIX_SHELL:-}" ]]; then
+ nix_helm="$(which -a helm | grep /nix/store | head -1)"
+ nix_helm="${nix_helm%/helm}"
+ nix_helm_rev="${nix_helm##*-}"
+ if [[ "$nix_helm_rev" != "$want_rev" ]]; then
+ echo "Wrong helm version in Nix, got $nix_helm_rev want $want_rev" >&2
+ exit 1
+ fi
+ ln -sf "$nix_helm" "$cachedir"
+ else
+ # works for linux and darwin
+ # https://github.com/helm/helm/releases
+ OS=$(uname -s | tr A-Z a-z)
+ ARCH=$(uname -m)
+ if [ "$ARCH" = "x86_64" ]; then
+ ARCH="amd64"
+ fi
+ if [ "$ARCH" = "aarch64" ]; then
+ ARCH="arm64"
+ fi
+ mkdir -p "$cachedir"
+ # When running on GitHub in CI, the below curl sometimes fails with
+ # INTERNAL_ERROR after finishing the download. The most common cause
+ # of INTERNAL_ERROR is glitches in intermediate hosts handling of
+ # HTTP/2 forwarding, so forcing HTTP 1.1 often fixes the issue. See
+ # https://github.com/tailscale/tailscale/issues/8988
+ curl -f -L --http1.1 -o "$tarball" -sSL "https://get.helm.sh/helm-v${want_rev}-${OS}-${ARCH}.tar.gz"
+ (cd "$cachedir" && tar --strip-components=1 -xf "$tarball")
+ rm -f "$tarball"
+ fi
+ fi
+)
+
+export PATH="$HOME/.cache/tailscale-helm:$PATH"
+exec "$HOME/.cache/tailscale-helm/helm" "$@"
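Review bot: The tarball fetched by the `curl` line is unpacked and later `exec`'d without any integrity check, so `helm.rev` pins only a version string and whatever `get.helm.sh` (or an intermediary) serves for that name gets run on developer machines and in CI. I would commit the expected SHA-256 per OS/arch next to `helm.rev` and compare it before the `tar` step, as sketched below; the checksum file path and its format there are placeholders. Separately, the script does `cd "$repo_root"` and then reads `"$(dirname "$0")/helm.rev"`, which looks like it resolves against the new working directory when `$0` is a relative path, so it may be worth computing that path before the `cd`.

```shell
    # … unchanged: OS/ARCH detection, mkdir -p "$cachedir" …
    curl -f -L --http1.1 -o "$tarball" -sSL "https://get.helm.sh/helm-v${want_rev}-${OS}-${ARCH}.tar.gz"
    # Expected digest comes from a file committed to the repo.
    # <HELM_SHA256_FILE> is a placeholder; assumed format: "<os>-<arch> <sha256>" per line.
    want_sum="$(awk -v k="${OS}-${ARCH}" '$1 == k { print $2 }' "<HELM_SHA256_FILE>")"
    if command -v sha256sum >/dev/null 2>&1; then
      got_sum="$(sha256sum "$tarball" | cut -d' ' -f1)"
    else
      got_sum="$(shasum -a 256 "$tarball" | cut -d' ' -f1)"
    fi
    if [[ -z "$want_sum" || "$want_sum" != "$got_sum" ]]; then
      echo "helm tarball checksum mismatch for ${OS}-${ARCH}" >&2
      rm -f "$tarball"
      exit 1
    fi
    (cd "$cachedir" && tar --strip-components=1 -xf "$tarball")
    # … unchanged: rm -f "$tarball" …
```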
diff --git a/tool/helm.rev b/tool/helm.rev
new file mode 100644
index 000000000..c10780c62
--- /dev/null
+++ b/tool/helm.rev
@@ -0,0 +1 @@
+3.13.1