Adds tailscale and alternative secrets retrieval (#2977)

ops/k8s-operators/common/tailscale/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./tailscale-operator.yaml

ops/k8s-operators/common/tailscale/tailscale-operator.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tailscale-operator
+  labels:
+    toolkit.fluxcd.io/tenant: ops
+    opensource.observer/cert-inject: "enabled"
+    kube-secrets-init.doit-intl.com/enable-mutation: "true"
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: tailscale-operator
+  namespace: tailscale-operator
+spec:
+  interval: 24h
+  url: https://pkgs.tailscale.com/helmcharts
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: tailscale-operator
+  namespace: tailscale-operator
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: tailscale-operator
+      version: "*"
+      sourceRef:
+        kind: HelmRepository
+        name: tailscale-operator
+        namespace: tailscale-operator
+      interval: 1h

ops/k8s-operators/gke/secrets-store-csi-driver/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./secrets-store-csi-driver.yaml

ops/k8s-operators/gke/secrets-store-csi-driver/secrets-store-csi-driver.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: secrets-store-csi-driver
+  labels:
+    toolkit.fluxcd.io/tenant: ops
+    opensource.observer/cert-inject: "enabled"
+    kube-secrets-init.doit-intl.com/enable-mutation: "true"
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: secrets-store-csi-driver
+  namespace: secrets-store-csi-driver
+spec:
+  interval: 24h
+  url: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: csi-secrets-store
+  namespace: secrets-store-csi-driver
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: secrets-store-csi-driver
+      version: "1.4.8"
+      sourceRef:
+        kind: HelmRepository
+        name: secrets-store-csi-driver
+        namespace: secrets-store-csi-driver
+      interval: 1h

ops/k8s-operators/gke/tailscale/custom-helm-values.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: tailscale-operator
+spec:
+  values:
+    oauthSecretVolume:
+      csi:
+        driver: secrets-store.csi.k8s.io
+        readOnly: true
+        volumeAttributes:
+          secretProviderClass: tailscale-operator-oauth-secret

ops/k8s-operators/gke/tailscale/kustomization.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./secrets-provider.yaml
+  - ../../common/tailscale-operator
+namespace: tailscale
+patches:
+  - path: ./custom-helm-values.yaml
+    target:
+      kind: HelmRelease
+    options:
+      allowNameChange: true

ops/k8s-operators/gke/tailscale/secrets-provider.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: tailscale-operator-oauth-secret
+spec:
+  provider: gcp
+  parameters:
+    secrets: |
+      - resourceName: "projects/opensource-observer/secrets/tailscale-operator-client-id/versions/latest"
+        path: "client_id"
+      - resourceName: "projects/opensource-observer/secrets/tailscale-operator-client-secret/versions/latest"
+        path: "client_secret"