feat(tailscale-addon): add tailscale-addon (#208)

* feat(tailscale-addon): add tailscale-addon

* bump minor

* add sock5 server config option

* add source link

* some updates

* tpl

* move var inside define

* Update charts/common/templates/addons/vpn/tailscale/_container.tpl

* add capability
Stavros Kois
2022-08-23 01:10:12 +03:00
committed by GitHub
parent 655f20f20b
commit 8f62096ba2
6 changed files with 185 additions and 3 deletions


@@ -15,4 +15,4 @@ maintainers:
name: common
sources: null
type: library
version: 10.4.13
version: 10.5.0


@@ -12,9 +12,11 @@ It will include / inject the required templates based on the given values.
{{- include "tc.common.addon.wireguard" . }}
{{- end -}}
{{- if eq "tailscale" .Values.addons.vpn.type -}}
{{- include "tc.common.addon.tailscale" . }}
{{- end -}}
{{- $_ := set .Values.persistence "vpnconfig" .Values.addons.vpn.configFile -}}
{{- end -}}
{{- end -}}
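Review bot: The `tc.common.addon.tailscale` include is added inside the same branch that still unconditionally runs `set .Values.persistence "vpnconfig" .Values.addons.vpn.configFile` two lines later, so a tailscale pod registers the `vpnconfig` persistence entry even though nothing in the tailscale container hunk mounts or reads it. If `configFile` is a wireguard/openvpn artifact (its definition is outside this hunk), that is an unneeded secret/volume on every tailscale deployment and I would guard it, e.g. `{{- if ne "tailscale" .Values.addons.vpn.type -}}` around the `set`. The enclosing define starts before this hunk, so confirm against the full template.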


@@ -0,0 +1,11 @@
{{/*
Template to render Tailscale addon. It will add the container to the list of additionalContainers.
*/}}
*/}}
{{- define "tc.common.addon.tailscale" -}}
{{/* Append the Tailscale container to the additionalContainers */}}
{{- $container := fromYaml (include "tc.common.addon.tailscale.container" .) -}}
{{- if $container -}}
{{- $_ := set .Values.additionalContainers "addon-tailscale" $container -}}
{{- end -}}
{{- end -}}
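Review bot: There is a second `*/}}` on the line right after the header comment closes; if that is really in the file and not a rendering artifact, it is stray literal text outside the `define` (the Go template comment already ended on the previous `*/}}`). It is harmless in a `_*.tpl` because those files are not rendered as manifests, but it should be dropped so the header reads like the other addon templates.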


@@ -0,0 +1,124 @@
{{/*
The Tailscale sidecar container to be inserted.
*/}}
{{- define "tc.common.addon.tailscale.container" -}}
{{- $secretName := printf "%s-tailscale-secret" (include "tc.common.names.fullname" .) }}
name: tailscale
image: "{{ .Values.tailscaleImage.repository }}:{{ .Values.tailscaleImage.tag }}"
imagePullPolicy: {{ .Values.tailscaleImage.pullPolicy }}
command: ["ash", "/tailscale/run.sh"]
tty: true
# It should run rootless. But needs test
securityContext:
runAsUser: 1000
runAsGroup: 1000
capabilities:
add:
- NET_ADMIN
serviceAccount:
main:
create: true
rbac:
main:
enabled: true
rules:
- apiGroups:
- ""
resources:
- "secrets"
verbs:
- "create"
- apiGroups:
- ""
resources:
- "secrets"
resourceNames:
- '{{ $secretName }}'
verbs:
- "get"
- "update"
envFrom:
- secretRef:
name: {{ $secretName }}
env:
- name: TS_KUBE_SECRET
value: {{ $secretName }}
- name: TS_USERSPACE
value: {{ .Values.addons.vpn.tailscale.userspace | quote }}
- name: TS_ACCEPT_DNS
value: {{ .Values.addons.vpn.tailscale.accept_dns | quote }}
{{- with .Values.addons.vpn.tailscale.routes }}
- name: TS_ROUTES
value: {{ . }}
{{- end }}
{{- with .Values.addons.vpn.tailscale.dest_ip }}
- name: TS_DEST_IP
value: {{ . }}
{{- end }}
{{- with .Values.addons.vpn.tailscale.sock5_server }}
- name: TS_SOCKS5_SERVER
value: {{ . }}
{{- end }}
{{- with .Values.addons.vpn.tailscale.extra_args }}
- name: TS_EXTRA_ARGS
value: {{ . | quote }}
{{- end }}
{{- with .Values.addons.vpn.tailscale.daemon_extra_args }}
- name: TS_TAILSCALED_EXTRA_ARGS
value: {{ . | quote }}
{{- end }}
{{- range $envList := .Values.addons.vpn.envList }}
{{- if and $envList.name $envList.value }}
- name: {{ $envList.name }}
value: {{ $envList.value | quote }}
{{- else }}
{{- fail "Please specify name/value for VPN environment variable" }}
{{- end }}
{{- end}}
{{- with .Values.addons.vpn.env }}
{{- range $k, $v := . }}
- name: {{ $k }}
value: {{ $v | quote }}
{{- end }}
{{- end }}
{{- if .Values.addons.vpn.killSwitch }}
- name: KILLSWITCH
value: "true"
{{- $excludednetworksv4 := "172.16.0.0/12"}}
{{- range .Values.addons.vpn.excludedNetworks_IPv4 }}
{{- $excludednetworksv4 = ( printf "%v;%v" $excludednetworksv4 . ) }}
{{- end}}
- name: KILLSWITCH_EXCLUDEDNETWORKS_IPV4
value: {{ $excludednetworksv4 | quote }}
{{- if .Values.addons.vpn.excludedNetworks_IPv6 }}
{{- $excludednetworksv6 := ""}}
{{- range .Values.addons.vpn.excludedNetworks_IPv4 }}
{{- $excludednetworksv6 = ( printf "%v;%v" $excludednetworksv6 . ) }}
{{- end}}
- name: KILLSWITCH_EXCLUDEDNETWORKS_IPV6
value: {{ .Values.addons.vpn.excludedNetworks_IPv6 | quote }}
{{- end }}
{{- end }}
volumeMounts:
- mountPath: {{ .Values.persistence.shared.mountPath }}
name: shared
{{- with .Values.addons.vpn.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 2 }}
{{- end -}}
{{- with .Values.addons.vpn.resources }}
resources:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end -}}
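Review bot: The IPv6 kill-switch branch at the end of the `env` list is broken: it ranges over `excludedNetworks_IPv4` into `$excludednetworksv6`, never uses that variable, and then emits the raw `excludedNetworks_IPv6` list through `quote`, so `KILLSWITCH_EXCLUDEDNETWORKS_IPV6` renders as a Go-formatted list (`"[fd00::/8 ...]"`) instead of the semicolon-separated string the IPv4 branch produces; the rewrite below builds it the same way and trims the leading separator. Two further points in the same template deserve a look: the `create` rule on `secrets` carries no `resourceNames` (Kubernetes does not apply `resourceNames` to `create` in any case), and since it is bound to the pod's `main` service account every container in the pod, not just the sidecar, can create arbitrary Secrets in the namespace, which should at least be documented next to the rule; and `NET_ADMIN` is added unconditionally although `userspace` defaults to `true` and a `runAsUser: 1000` process will generally not hold an added capability in its effective set without file or ambient capabilities, so consider gating it on `not .Values.addons.vpn.tailscale.userspace` and adding `drop: ["ALL"]` plus `allowPrivilegeEscalation: false`. Finally, `TS_ROUTES`, `TS_DEST_IP` and `TS_SOCKS5_SERVER` should pass through `quote` like the other values so a numeric-looking setting still renders as a string.
```yaml
# … unchanged: name/image/securityContext/rbac/envFrom and env entries through KILLSWITCH_EXCLUDEDNETWORKS_IPV4 …
{{- with .Values.addons.vpn.excludedNetworks_IPv6 }}
{{- $excludednetworksv6 := "" }}
{{- range . }}
{{- $excludednetworksv6 = ( printf "%v;%v" $excludednetworksv6 . ) }}
{{- end }}
- name: KILLSWITCH_EXCLUDEDNETWORKS_IPV6
  value: {{ $excludednetworksv6 | trimPrefix ";" | quote }}
{{- end }}
# … unchanged: closing of the killSwitch block, volumeMounts, livenessProbe, resources …
```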


@@ -0,0 +1,19 @@
{{/* Define the secret */}}
{{- define "tailscale.secret" -}}
{{- $secretName := printf "%s-tailscale-secret" (include "tc.common.names.fullname" .) }}
---
{{/* This secrets are loaded on tailscale */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $secretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{- with .Values.addons.vpn.tailscale.authkey }}
TS_AUTH_KEY: {{ . | b64enc }}
{{- end }}
{{- end }}
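Review bot: Nothing in this commit includes the new `tailscale.secret` define, while the sidecar's `envFrom` and `TS_KUBE_SECRET` both point at `<fullname>-tailscale-secret`; unless a caller outside these hunks renders it, the container will not start because the `secretRef` is not marked optional, and the state the daemon writes via `TS_KUBE_SECRET` would then depend on the RBAC `create` rule producing a secret with no `TS_AUTH_KEY`. Wire it where the container is added, e.g. `{{- include "tailscale.secret" . }}` next to the `tc.common.addon.tailscale` include, and consider naming it `tc.common.addon.tailscale.secret` to match the other defines. The header comment should also state that this one Secret holds both the user-supplied auth key and the daemon's runtime state, since that is what grants `get`/`update` on it to the whole pod.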


@@ -18,6 +18,16 @@ wireguardImage:
# -- Specify the WireGuard image pull policy
pullPolicy: IfNotPresent
# -- Tailscale specific configuration
# @default -- See below
tailscaleImage:
# -- Specify the Tailscale image
repository: tccr.io/truecharts/tailscale
# -- Specify the Tailscale image tag
tag: v1.29.125@sha256:fb2ad07557c351805a126d0056be083fb67e3b22abae12a18c52f1461b55ca55
# -- Specify the Tailscale image pull policy
pullPolicy: IfNotPresent
# -- promtail specific configuration
# @default -- See below
promtailImage:
@@ -978,7 +988,7 @@ addons:
# For more info, check out [our docs](http://docs.k8s-at-home.com/our-helm-charts/common-library-add-ons/#wireguard-vpn)
# @default -- See values.yaml
vpn:
# -- Specify the VPN type. Valid options are disabled, openvpn or wireguard
# -- Specify the VPN type. Valid options are disabled, openvpn, wireguard or tailscale
type: disabled
# -- OpenVPN specific configuration
@@ -989,6 +999,22 @@ addons:
username: ""
password: ""
# -- Tailscale specific configuration
# @default -- See below
# See more info for the configuration
# https://github.com/tailscale/tailscale/blob/main/docs/k8s/run.sh
tailscale:
# -- Auth key to connect to the VPN Service
authkey: ""
# As a sidecar, it should only need to run in userspace
userspace: true
accept_dns: false
routes: ""
dest_ip: ""
sock5_server: ""
extra_args: ""
daemon_extra_args: ""
killSwitch: true
excludedNetworks_IPv4: []
excludedNetworks_IPv6: []
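Review bot: The new tailscale keys other than `authkey` and `userspace` carry no `# --` doc comment, so the generated values table will not say what `routes`, `dest_ip`, `sock5_server`, `extra_args` or `daemon_extra_args` take, only that they exist. Grounded in how the container template consumes them, I would add e.g. `# -- Passed to the sidecar as TS_ROUTES; see the run.sh linked above for the accepted format`, `# -- Passed to the sidecar as TS_DEST_IP`, and `# -- Listen address for the sidecar's SOCKS5 proxy (TS_SOCKS5_SERVER), e.g. ":1055"`. Since the key is new in this commit, `sock5_server` can still be renamed `socks5_server` to match the env var it sets before anyone depends on it. `authkey` is a long-lived credential stored in plain text in values; its comment should say so and advise a pre-authorized, ideally ephemeral, key rather than a personal one.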