diff --git a/kubernetes/apps/tailscale/tailscale/cluster/connector.yaml b/kubernetes/apps/tailscale/tailscale/cluster/connector.yaml
index e69de29b..e4307d4a 100644
--- a/kubernetes/apps/tailscale/tailscale/cluster/connector.yaml
+++ b/kubernetes/apps/tailscale/tailscale/cluster/connector.yaml
@@ -0,0 +1,14 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/tailscale.com/connector_v1alpha1.json
+apiVersion: tailscale.com/v1alpha1
+kind: Connector
+metadata:
+ name: connector
+spec:
+ hostname: theshire-connector
+ exitNode: true
+ proxyClass: kernel-org-tun
+ subnetRouter:
+ advertiseRoutes:
+ - "10.5.0.0/16" # load-balancers
+ - "10.4.0.0/16" # services
diff --git a/kubernetes/apps/tailscale/tailscale/cluster/kustomization.yaml b/kubernetes/apps/tailscale/tailscale/cluster/kustomization.yaml
new file mode 100644
index 00000000..e364e2c3
--- /dev/null
+++ b/kubernetes/apps/tailscale/tailscale/cluster/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./connector.yaml
+ - ./proxyclass.yaml
diff --git a/kubernetes/apps/tailscale/tailscale/cluster/proxygroup.yaml b/kubernetes/apps/tailscale/tailscale/cluster/proxyclass.yaml
similarity index 87%
rename from kubernetes/apps/tailscale/tailscale/cluster/proxygroup.yaml
rename to kubernetes/apps/tailscale/tailscale/cluster/proxyclass.yaml
index de148d35..264ac856 100644
--- a/kubernetes/apps/tailscale/tailscale/cluster/proxygroup.yaml
+++ b/kubernetes/apps/tailscale/tailscale/cluster/proxyclass.yaml
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://ks.hsn.dev/tailscale.com/proxyclass_v1alpha1.json
 apiVersion: tailscale.com/v1alpha1
 kind: ProxyClass
 metadata:
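Review bot: In connector.yaml the Connector `spec` sets `exitNode: true` and advertises both /16 ranges but declares no `tags`, so the device presumably joins the tailnet under the operator's default tag and cannot be scoped on its own in the tailnet policy. Consider giving it a dedicated tag, e.g. `tags: ["tag:<connector-tag>"]` (placeholder value), and limiting route approval and access grants for `10.4.0.0/16` and `10.5.0.0/16` to that tag. Advertising the whole services range makes every ClusterIP reachable by any tailnet peer the policy allows, so a comment above `advertiseRoutes` stating who is expected to reach these ranges would help the next reviewer.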
diff --git a/kubernetes/apps/tailscale/tailscale/externalsecret.yaml b/kubernetes/apps/tailscale/tailscale/operator/externalsecret.yaml
similarity index 68%
rename from kubernetes/apps/tailscale/tailscale/externalsecret.yaml
rename to kubernetes/apps/tailscale/tailscale/operator/externalsecret.yaml
index 06d91e70..069724d9 100644
--- a/kubernetes/apps/tailscale/tailscale/externalsecret.yaml
+++ b/kubernetes/apps/tailscale/tailscale/operator/externalsecret.yaml
@@ -10,6 +10,11 @@ spec:
 name: onepassword-connect
 target:
 name: k8s-operator-oauth-secret
+ template:
+ engineVersion: v2
+ data:
+ OAUTH_CLIENT_ID: "{{ .k8s-theshire-oauth-clientid }}"
+ OAUTH_CLIENT_SECRET: "{{ .k8s-theshire-oauth-clientsecret }}"
 dataFrom:
 - extract:
 key: k8s-operator-oauth
diff --git a/kubernetes/apps/tailscale/tailscale/operator/helmrelease.yaml b/kubernetes/apps/tailscale/tailscale/operator/helmrelease.yaml
index e9c02958..9a3367d7 100644
--- a/kubernetes/apps/tailscale/tailscale/operator/helmrelease.yaml
+++ b/kubernetes/apps/tailscale/tailscale/operator/helmrelease.yaml
@@ -20,6 +20,15 @@ spec:
 crds: CreateReplace
 upgrade:
 crds: CreateReplace
+ valuesFrom:
+ - kind: Secret
+ name: k8s-operator-oauth-secret
+ valuesKey: OAUTH_CLIENT_ID
+ targetPath: oauth.clientId
+ - kind: Secret
+ name: k8s-operator-oauth-secret
+ valuesKey: OAUTH_CLIENT_SECRET
+ targetPath: oauth.clientSecret
 values:
 operatorConfig:
 defaultTags:
diff --git a/kubernetes/apps/tailscale/tailscale/operator/kustomization.yaml b/kubernetes/apps/tailscale/tailscale/operator/kustomization.yaml
new file mode 100644
index 00000000..4eed917b
--- /dev/null
+++ b/kubernetes/apps/tailscale/tailscale/operator/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./externalsecret.yaml
+ - ./helmrelease.yaml
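Review bot: The two template values added in operator/externalsecret.yaml use dotted field access on keys that contain hyphens (`{{ .k8s-theshire-oauth-clientid }}`), which Go's text/template rejects at parse time, so the target Secret would likely never render and the HelmRelease `valuesFrom` that reads it would stall. Use `index` instead: `OAUTH_CLIENT_ID: '{{ index . "k8s-theshire-oauth-clientid" }}'` and `OAUTH_CLIENT_SECRET: '{{ index . "k8s-theshire-oauth-clientsecret" }}'`. The key names are assumed to be fields of the `k8s-operator-oauth` item pulled in by `dataFrom`; that item is not visible here. The enclosing `spec` starts above the hunk and continues below it.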
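Review bot: The `valuesFrom` entries added in operator/helmrelease.yaml feed `OAUTH_CLIENT_SECRET` in as the chart value `oauth.clientSecret`, so the credential is also written into Helm's release storage (kept per revision) instead of living only in `k8s-operator-oauth-secret`. If the pinned chart version can consume a pre-created Secret for the OAuth credentials, prefer having the ExternalSecret produce that Secret directly and drop these entries. If the values route stays, add a comment above `valuesFrom` such as `# secret is copied into Helm release storage; restrict Secret read access in this namespace`. The `spec` block starts above the hunk and continues below it.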