keyshot-dev · zlepper · Feb 27, 2025 · Feb 27, 2025 · Feb 27, 2025 · Feb 27, 2025
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -10,7 +10,7 @@ on:
       - ".github/workflows/docker-image.yml"
 
 env:
-  REGISTRY: ghcr.io
+  REGISTRY: digizuite.azurecr.io
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
@@ -32,8 +32,8 @@ jobs:
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          username: ${{ secrets.DIGIZUITE_DEV_ACR_USERNAME }}
+          password: ${{ secrets.DIGIZUITE_DEV_ACR_PASSWORD }}
 
       - name: Docker meta
         id: meta

diff --git a/charts/tailscale-outbound-proxy/Chart.yaml b/charts/tailscale-outbound-proxy/Chart.yaml
@@ -5,9 +5,9 @@ home: https://github.com/digizuite/tailscale-outbound-proxy
 keywords:
   - operator
   - tailscale
-kubeVersion: ">= 1.25.0-0"
+kubeVersion: ">= 1.30.0-0"
 name: tailscale-outbound-proxy-operator
 sources:
  - https://github.com/digizuite/tailscale-outbound-proxy
-version: 0.0.7
+version: 0.0.8
 icon: https://github.com/digizuite/tailscale-outbound-proxy/raw/master/tailscale-logo-black.png
diff --git a/charts/tailscale-outbound-proxy/templates/crds.yaml b/charts/tailscale-outbound-proxy/templates/crds.yaml
@@ -74,6 +74,14 @@ spec:
               proxyStateSecretName:
                 description: The secret to use for storing tailscales state. You do not have to create this secret yourself.
                 type: string
+              replacedServiceTailscaleImage:
+                description: A custom image to use for the tailscale proxy
+                nullable: true
+                type: string
+              replacedServiceTailscaleImagePullSecret:
+                description: A pull secret to use for the custom image. Do note proxies are started in the same namespace as this CRD instance, meaning the pull secret should be in the same namespace as this CRD instance.
+                nullable: true
+                type: string
               serviceAccount:
                 description: The service account the proxy pod should use.
                 type: string

diff --git a/charts/tailscale-outbound-proxy/templates/operator.yaml b/charts/tailscale-outbound-proxy/templates/operator.yaml
@@ -175,10 +175,12 @@ spec:
         app.kubernetes.io/part-of: tailscale-outbound-proxy
     spec:
       serviceAccountName: tailscale-outbound-proxy
+      imagePullSecrets:
+        - name: {{ .Values.operator.imagePullSecret }}
       containers:
         - name: operator
-          image: ghcr.io/digizuite/tailscale-outbound-proxy:master
-          imagePullPolicy: Always
+          image: {{ .Values.operator.image }}
+          imagePullPolicy: {{ .Values.operator.imagePullPolicy }}
           env:
             - name: RUST_LOG
               value: "info"

diff --git a/charts/tailscale-outbound-proxy/values.yaml b/charts/tailscale-outbound-proxy/values.yaml
@@ -1,5 +1,8 @@
 operator:
   enable: true
+  imagePullPolicy: Always
+  image: digizuite.azurecr.io/digizuite/tailscale-outbound-proxy:master
+  imagePullSecret: ""
   resources:
     limits:
       cpu: 100m

diff --git a/src/replace_service_reconciler.rs b/src/replace_service_reconciler.rs
@@ -4,8 +4,8 @@ use crate::{ContextData, Error};
 use anyhow::{anyhow, Result};
 use k8s_openapi::api::apps::v1::{Deployment, DeploymentSpec, DeploymentStrategy, ReplicaSet};
 use k8s_openapi::api::core::v1::{
-    Capabilities, Container, Endpoints, EnvVar, EnvVarSource, Pod, PodSpec, PodTemplateSpec,
-    Secret, SecretKeySelector, SecurityContext, Service, ServicePort, ServiceSpec,
+    Capabilities, Container, Endpoints, EnvVar, EnvVarSource, LocalObjectReference, Pod, PodSpec,
+    PodTemplateSpec, Secret, SecretKeySelector, SecurityContext, Service, ServicePort, ServiceSpec,
 };
 use k8s_openapi::apimachinery::pkg::apis::meta::v1::{LabelSelector, ObjectMeta, OwnerReference};
 use k8s_openapi::apimachinery::pkg::util::intstr::IntOrString;
@@ -404,9 +404,20 @@ async fn ensure_tailscale_proxy(
                             ]),
                             ..Default::default()
                         }]),
+                        image_pull_secrets: resource
+                            .spec
+                            .replaced_service_tailscale_image_pull_secret
+                            .clone()
+                            .map(|s| vec![LocalObjectReference { name: s }]),
                         containers: vec![Container {
                             name: "tailscale".to_string(),
-                            image: Some("ghcr.io/digizuite/tailscale-fix:master".to_string()),
+                            image: resource
+                                .spec
+                                .replaced_service_tailscale_image
+                                .clone()
+                                .or_else(|| {
+                                    Some("ghcr.io/digizuite/tailscale-fix:master".to_string())
+                                }),
                             image_pull_policy: Some("Always".to_string()),
                             security_context: Some(SecurityContext {
                                 capabilities: Some(Capabilities {
@@ -447,7 +458,8 @@ async fn ensure_tailscale_proxy(
                                     name: "TS_AUTHKEY".to_string(),
                                     value_from: Some(EnvVarSource {
                                         secret_key_ref: Some(SecretKeySelector {
-                                            name: tailscale_proxy_secret_state_secret_name.to_string(),
+                                            name: tailscale_proxy_secret_state_secret_name
+                                                .to_string(),
                                             optional: Some(false),
                                             key: "TS_AUTHKEY".to_string(),
                                         }),
@@ -929,6 +941,6 @@ async fn change_keda_replicas(
                 Err(api_error.into())
             }
         }
-        Err(e) => Err(e.into())
+        Err(e) => Err(e.into()),
     }
 }
diff --git a/src/replaced_service.rs b/src/replaced_service.rs
@@ -51,6 +51,14 @@ pub struct ReplacedServiceSpec {
 
     /// The name of a keda scaled object that might prevent downscaling of a deployment
     pub keda_scale_object_name: Option<String>,
+
+    /// A custom image to use for the tailscale proxy
+    pub replaced_service_tailscale_image: Option<String>,
+
+    /// A pull secret to use for the custom image. Do note proxies are started in the same
+    /// namespace as this CRD instance, meaning the pull secret should be in the same
+    /// namespace as this CRD instance.
+    pub replaced_service_tailscale_image_pull_secret: Option<String>
 }
 
 #[derive(Serialize, Deserialize, Debug, PartialEq, Clone, JsonSchema, Default)]