Add Tailscale operator manifests (Phase 1 Step 3)

Added: - argocd/manifests/tailscale-operator/operator.yaml - from Tailscale repo - Removed embedded secret (managed separately) - Changed image to docker.io/tailscale/k8s-operator:stable for CRI-O - argocd/manifests/tailscale-operator/secret.yaml.tpl - 1Password template - argocd/manifests/tailscale-operator/README.md - deployment instructions - .yamllint.yaml - exclude third-party operator.yaml files OAuth client requires tag:k8s-operator on Devices write scope. The operator assigns tag:k8s to resources it creates via ACL ownership. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-18 18:33:29 -08:00 · 2026-01-18 18:33:29 -08:00 · e017117449
commit e017117449
parent 91cd7260fd
4 changed files with 5452 additions and 0 deletions
--- a/.yamllint.yaml
+++ b/.yamllint.yaml
@ -27,3 +27,5 @@ rules:
 ignore:
  - .venv/
  - pulumi/.venv/
+  # Third-party k8s manifests with non-standard formatting
+  - argocd/manifests/*/operator.yaml
--- a/argocd/manifests/tailscale-operator/README.md
+++ b/argocd/manifests/tailscale-operator/README.md
@ -0,0 +1,50 @@
+# Tailscale Kubernetes Operator
+
+Manifests for the Tailscale Kubernetes Operator, sourced from Tailscale's official repository.
+
+**Note:** These are currently raw manifests from Tailscale, not yet kustomized. Once kustomized, this directory will include a `kustomization.yaml` and any necessary patches.
+
+## Source
+
+- `operator.yaml` - Static manifest from https://github.com/tailscale/tailscale/tree/main/cmd/k8s-operator/deploy/manifests
+- Secret block removed from `operator.yaml` - managed separately via `secret.yaml.tpl`
+- Image reference changed to fully-qualified `docker.io/tailscale/k8s-operator:stable` for CRI-O compatibility
+
+## Prerequisites
+
+1. OAuth client in Tailscale admin console with:
+   - Devices: Core (Read & Write) - tag: `tag:k8s-operator`
+   - Auth Keys: Read & Write
+   - Services: Write
+2. ACL with `tag:k8s-operator` owning `tag:k8s` (so operator can tag resources it creates)
+
+## Deployment
+
+```bash
+# 1. Create namespace
+kubectl create namespace tailscale
+
+# 2. Apply the OAuth secret (uses 1Password for credential resolution)
+op inject -i argocd/manifests/tailscale-operator/secret.yaml.tpl | kubectl apply -f -
+
+# 3. Apply the operator
+kubectl apply -f argocd/manifests/tailscale-operator/operator.yaml
+```
+
+## Verification
+
+```bash
+# Check operator pod is running
+kubectl get pods -n tailscale
+
+# Check operator logs
+kubectl logs -n tailscale -l app.kubernetes.io/name=operator
+```
+
+## Files
+
+| File | Description |
+|------|-------------|
+| `operator.yaml` | Operator deployment, CRDs, RBAC (secret removed) |
+| `secret.yaml.tpl` | 1Password template for OAuth credentials |
+| `README.md` | This file |
--- a/argocd/manifests/tailscale-operator/operator.yaml
+++ b/argocd/manifests/tailscale-operator/operator.yaml
--- a/argocd/manifests/tailscale-operator/secret.yaml.tpl
+++ b/argocd/manifests/tailscale-operator/secret.yaml.tpl
@ -0,0 +1,14 @@
+# Tailscale Operator OAuth Secret
+# This template is processed by `op inject` to resolve 1Password references.
+#
+# Usage:
+#   op inject -i secret.yaml.tpl | kubectl apply -f -
+#
+apiVersion: v1
+kind: Secret
+metadata:
+  name: operator-oauth
+  namespace: tailscale
+stringData:
+  client_id: "{{ op://vg6xf6vvfmoh5hqjjhlhbeoaie/2it22lavwgbxdskoaxanej354q/client-id }}"
+  client_secret: "{{ op://vg6xf6vvfmoh5hqjjhlhbeoaie/2it22lavwgbxdskoaxanej354q/client-secret }}"