feat(tailscale-addon): add tailscale-addon (#208)
* feat(tailscale-addon): add tailscale-addon * bump minor * add sock5 server config option * add source link * some updates * tpl * move var inside define * Update charts/common/templates/addons/vpn/tailscale/_container.tpl * add capability
@@ -15,4 +15,4 @@ maintainers:
|
||||
name: common
|
||||
sources: null
|
||||
type: library
|
||||
version: 10.4.13
|
||||
version: 10.5.0
|
||||
|
||||
@@ -12,9 +12,11 @@ It will include / inject the required templates based on the given values.
|
||||
{{- include "tc.common.addon.wireguard" . }}
|
||||
{{- end -}}
|
||||
|
||||
{{- if eq "tailscale" .Values.addons.vpn.type -}}
|
||||
{{- include "tc.common.addon.tailscale" . }}
|
||||
{{- end -}}
|
||||
|
||||
{{- $_ := set .Values.persistence "vpnconfig" .Values.addons.vpn.configFile -}}
|
||||
|
||||
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
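--- /dev/null
+++ b/charts/common/templates/addons/vpn/tailscale/_addon.tpl
@@ -0,0 +1,11 @@
+{{/*
+Template to render Tailscale addon. It will add the container to the list of additionalContainers.
+*/}}
+*/}}
+{{- define "tc.common.addon.tailscale" -}}
+{{/* Append the Tailscale container to the additionalContainers */}}
+{{- $container := fromYaml (include "tc.common.addon.tailscale.container" .) -}}
+{{- if $container -}}
+{{- $_ := set .Values.additionalContainers "addon-tailscale" $container -}}
+{{- end -}}
+{{- end -}}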
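Review bot: The `{{- if $container -}}` guard cannot catch a malformed container template: Helm's `fromYaml` returns a map carrying an `Error` key on parse failure rather than an empty value, so a broken `tc.common.addon.tailscale.container` render would be installed into `additionalContainers` as a container with an `Error` field instead of failing the install. Consider `{{- if and $container (not (hasKey $container "Error")) -}}` with an `{{- else -}}{{- fail $container.Error -}}` branch so the template error surfaces at render time; the wireguard addon presumably uses the same pattern and would benefit from the same change. Separately, the `*/}}` closing the header comment appears twice and the second one is stray text outside any comment; in a `_*.tpl` partial it should not reach a rendered manifest as far as I can tell, but it ought to be dropped.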
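--- /dev/null
+++ b/charts/common/templates/addons/vpn/tailscale/_container.tpl
@@ -0,0 +1,124 @@
+{{/*
+The Tailscale sidecar container to be inserted.
+*/}}
+{{- define "tc.common.addon.tailscale.container" -}}
+{{- $secretName := printf "%s-tailscale-secret" (include "tc.common.names.fullname" .) }}
+name: tailscale
+image: "{{ .Values.tailscaleImage.repository }}:{{ .Values.tailscaleImage.tag }}"
+imagePullPolicy: {{ .Values.tailscaleImage.pullPolicy }}
+
+command: ["ash", "/tailscale/run.sh"]
+
+tty: true
+
+# It should run rootless. But needs test
+securityContext:
+runAsUser: 1000
+runAsGroup: 1000
+capabilities:
+add:
+- NET_ADMIN
+
+serviceAccount:
+main:
+create: true
+
+rbac:
+main:
+enabled: true
+rules:
+- apiGroups:
+- ""
+resources:
+- "secrets"
+verbs:
+- "create"
+- apiGroups:
+- ""
+resources:
+- "secrets"
+resourceNames:
+- '{{ $secretName }}'
+verbs:
+- "get"
+- "update"
+
+envFrom:
+- secretRef:
+name: {{ $secretName }}
+
+env:
+- name: TS_KUBE_SECRET
+value: {{ $secretName }}
+- name: TS_USERSPACE
+value: {{ .Values.addons.vpn.tailscale.userspace | quote }}
+- name: TS_ACCEPT_DNS
+value: {{ .Values.addons.vpn.tailscale.accept_dns | quote }}
+{{- with .Values.addons.vpn.tailscale.routes }}
+- name: TS_ROUTES
+value: {{ . }}
+{{- end }}
+{{- with .Values.addons.vpn.tailscale.dest_ip }}
+- name: TS_DEST_IP
+value: {{ . }}
+{{- end }}
+{{- with .Values.addons.vpn.tailscale.sock5_server }}
+- name: TS_SOCKS5_SERVER
+value: {{ . }}
+{{- end }}
+{{- with .Values.addons.vpn.tailscale.extra_args }}
+- name: TS_EXTRA_ARGS
+value: {{ . | quote }}
+{{- end }}
+{{- with .Values.addons.vpn.tailscale.daemon_extra_args }}
+- name: TS_TAILSCALED_EXTRA_ARGS
+value: {{ . | quote }}
+{{- end }}
+
+{{- range $envList := .Values.addons.vpn.envList }}
+{{- if and $envList.name $envList.value }}
+- name: {{ $envList.name }}
+value: {{ $envList.value | quote }}
+{{- else }}
+{{- fail "Please specify name/value for VPN environment variable" }}
+{{- end }}
+{{- end}}
+
+{{- with .Values.addons.vpn.env }}
+{{- range $k, $v := . }}
+- name: {{ $k }}
+value: {{ $v | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.addons.vpn.killSwitch }}
+- name: KILLSWITCH
+value: "true"
+{{- $excludednetworksv4 := "172.16.0.0/12"}}
+{{- range .Values.addons.vpn.excludedNetworks_IPv4 }}
+{{- $excludednetworksv4 = ( printf "%v;%v" $excludednetworksv4 . ) }}
+{{- end}}
+- name: KILLSWITCH_EXCLUDEDNETWORKS_IPV4
+value: {{ $excludednetworksv4 | quote }}
+{{- if .Values.addons.vpn.excludedNetworks_IPv6 }}
+{{- $excludednetworksv6 := ""}}
+{{- range .Values.addons.vpn.excludedNetworks_IPv4 }}
+{{- $excludednetworksv6 = ( printf "%v;%v" $excludednetworksv6 . ) }}
+{{- end}}
+- name: KILLSWITCH_EXCLUDEDNETWORKS_IPV6
+value: {{ .Values.addons.vpn.excludedNetworks_IPv6 | quote }}
+{{- end }}
+{{- end }}
+
+volumeMounts:
+- mountPath: {{ .Values.persistence.shared.mountPath }}
+name: shared
+{{- with .Values.addons.vpn.livenessProbe }}
+livenessProbe:
+{{- toYaml . | nindent 2 }}
+{{- end -}}
+{{- with .Values.addons.vpn.resources }}
+resources:
+{{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end -}}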
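Review bot: The `serviceAccount:` and `rbac:` mappings (between `securityContext` and `envFrom`) are emitted inside the container definition, which `tc.common.addon.tailscale` parses with `fromYaml` and stores in `additionalContainers`; they are not container-spec fields, so unless the common library strips them the API server will either reject the pod or silently drop them, and the Role granting `create` on secrets plus `get`/`update` on `{{ $secretName }}` that `TS_KUBE_SECRET` relies on is never created. Set them on the chart's `serviceAccount`/`rbac` values from the addon template instead (the way `vpnconfig` is set on `.Values.persistence`), not in the container body. The IPv6 kill-switch block is also wrong: it iterates `excludedNetworks_IPv4`, then discards `$excludednetworksv6` and emits the raw value, so `KILLSWITCH_EXCLUDEDNETWORKS_IPV6` receives Go's list formatting (something like `[fd00::/8]`) rather than a `;`-joined string — change the loop to `{{- range .Values.addons.vpn.excludedNetworks_IPv6 }}` and the value to `value: {{ trimPrefix ";" $excludednetworksv6 | quote }}`. Finally, `NET_ADMIN` is added unconditionally while `userspace` defaults to true; if the in-image kill switch needs it that should be stated in the `# It should run rootless` comment, otherwise gate the capability on `.Values.addons.vpn.killSwitch` or `not .Values.addons.vpn.tailscale.userspace`.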
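--- /dev/null
+++ b/charts/common/templates/addons/vpn/tailscale/_secret.tpl
@@ -0,0 +1,19 @@
+{{/* Define the secret */}}
+{{- define "tailscale.secret" -}}
+
+{{- $secretName := printf "%s-tailscale-secret" (include "tc.common.names.fullname" .) }}
+
+---
+{{/* This secrets are loaded on tailscale */}}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+name: {{ $secretName }}
+labels:
+{{- include "tc.common.labels" . | nindent 4 }}
+data:
+{{- with .Values.addons.vpn.tailscale.authkey }}
+TS_AUTH_KEY: {{ . | b64enc }}
+{{- end }}
+{{- end }}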
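Review bot: The auth key is read from `.Values.addons.vpn.tailscale.authkey` and only `b64enc`'d, so a plaintext Tailscale auth key lives in the user's values file and in every Helm release Secret kept in history; offer an `existingSecret`/`secretKeyRef` alternative and state in the `authkey` values comment that the key is stored base64-encoded, not encrypted. The same Secret doubles as the tailscaled state store (`TS_KUBE_SECRET` in the container template points at `{{ $secretName }}` and the Role grants `update` on it), so Helm owns an object the workload rewrites; an upgrade that changes or empties `authkey` re-applies `data` and could clobber the stored node state — use a separate state secret or document the constraint. I also cannot see where `tailscale.secret` is included: the vpn addon hunk only includes `tc.common.addon.tailscale`, and if this define is never rendered the container's non-optional `envFrom` `secretRef` leaves the pod in CreateContainerConfigError. The define name also departs from the `tc.common.*` naming used elsewhere in the library.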
@@ -18,6 +18,16 @@ wireguardImage:
|
||||
# -- Specify the WireGuard image pull policy
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
# -- Tailscale specific configuration
|
||||
# @default -- See below
|
||||
tailscaleImage:
|
||||
# -- Specify the Tailscale image
|
||||
repository: tccr.io/truecharts/tailscale
|
||||
# -- Specify the Tailscale image tag
|
||||
tag: v1.29.125@sha256:fb2ad07557c351805a126d0056be083fb67e3b22abae12a18c52f1461b55ca55
|
||||
# -- Specify the Tailscale image pull policy
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
# -- promtail specific configuration
|
||||
# @default -- See below
|
||||
promtailImage:
|
||||
@@ -978,7 +988,7 @@ addons:
|
||||
# For more info, check out [our docs](http://docs.k8s-at-home.com/our-helm-charts/common-library-add-ons/#wireguard-vpn)
|
||||
# @default -- See values.yaml
|
||||
vpn:
|
||||
# -- Specify the VPN type. Valid options are disabled, openvpn or wireguard
|
||||
# -- Specify the VPN type. Valid options are disabled, openvpn, wireguard or tailscale
|
||||
type: disabled
|
||||
|
||||
# -- OpenVPN specific configuration
|
||||
@@ -989,6 +999,22 @@ addons:
|
||||
username: ""
|
||||
password: ""
|
||||
|
||||
# -- Tailscale specific configuration
|
||||
# @default -- See below
|
||||
# See more info for the configuration
|
||||
# https://github.com/tailscale/tailscale/blob/main/docs/k8s/run.sh
|
||||
tailscale:
|
||||
# -- Auth key to connect to the VPN Service
|
||||
authkey: ""
|
||||
# As a sidecar, it should only need to run in userspace
|
||||
userspace: true
|
||||
accept_dns: false
|
||||
routes: ""
|
||||
dest_ip: ""
|
||||
sock5_server: ""
|
||||
extra_args: ""
|
||||
daemon_extra_args: ""
|
||||
|
||||
killSwitch: true
|
||||
excludedNetworks_IPv4: []
|
||||
excludedNetworks_IPv6: []
|
||||
|
||||