diff --git a/charts/common/Chart.yaml b/charts/common/Chart.yaml index f99cacf9..ad9c16ec 100644 --- a/charts/common/Chart.yaml +++ b/charts/common/Chart.yaml @@ -15,4 +15,4 @@ maintainers: name: common sources: null type: library -version: 10.4.13 +version: 10.5.0 diff --git a/charts/common/templates/addons/vpn/_vpn.tpl b/charts/common/templates/addons/vpn/_vpn.tpl index 5f6d59da..d3d1e944 100644 --- a/charts/common/templates/addons/vpn/_vpn.tpl +++ b/charts/common/templates/addons/vpn/_vpn.tpl @@ -12,9 +12,11 @@ It will include / inject the required templates based on the given values. {{- include "tc.common.addon.wireguard" . }} {{- end -}} + {{- if eq "tailscale" .Values.addons.vpn.type -}} + {{- include "tc.common.addon.tailscale" . }} + {{- end -}} {{- $_ := set .Values.persistence "vpnconfig" .Values.addons.vpn.configFile -}} - {{- end -}} {{- end -}} diff --git a/charts/common/templates/addons/vpn/tailscale/_addon.tpl b/charts/common/templates/addons/vpn/tailscale/_addon.tpl new file mode 100644 index 00000000..c88270c8 --- /dev/null +++ b/charts/common/templates/addons/vpn/tailscale/_addon.tpl @@ -0,0 +1,11 @@ +{{/* +Template to render Tailscale addon. It will add the container to the list of additionalContainers. +*/}} +*/}} +{{- define "tc.common.addon.tailscale" -}} + {{/* Append the Tailscale container to the additionalContainers */}} + {{- $container := fromYaml (include "tc.common.addon.tailscale.container" .) -}} + {{- if $container -}} + {{- $_ := set .Values.additionalContainers "addon-tailscale" $container -}} + {{- end -}} +{{- end -}} diff --git a/charts/common/templates/addons/vpn/tailscale/_container.tpl b/charts/common/templates/addons/vpn/tailscale/_container.tpl new file mode 100644 index 00000000..8ab22813 --- /dev/null +++ b/charts/common/templates/addons/vpn/tailscale/_container.tpl 
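Review bot: The removed `{{- end -}}` after the `set .Values.persistence "vpnconfig"` line has no matching opener removed in this hunk, and the lines above the hunk are unchanged, so `tc.common.addon.vpn` now closes one block fewer than before; unless an opener was dropped outside this hunk, the template will fail to parse with an unexpected-end or unclosed-action error. The define's opening and whatever guard encloses this section are above the hunk, so confirm with `helm template` against a consumer chart that sets `addons.vpn.type: tailscale`. If the balance is intentional, an end comment on the remaining line, e.g. `{{- end -}}{{/* <outer guard> */}}`, would make the nesting checkable at a glance.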
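Review bot: The header comment is closed twice — `+*/}}` appears on two consecutive lines — so the second `*/}}` is literal text that sits outside both the comment and the define. Helm discards top-level output of `_*.tpl` partials, so it is harmless at render time, but it is a stray token that will confuse the next reader and any template linter; delete the duplicate line. The `{{- if $container -}}` guard is fine as written, since `fromYaml` of an empty render yields an empty map that the `if` treats as false.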
@@ -0,0 +1,124 @@ +{{/* +The Tailscale sidecar container to be inserted. +*/}} +{{- define "tc.common.addon.tailscale.container" -}} +{{- $secretName := printf "%s-tailscale-secret" (include "tc.common.names.fullname" .) }} +name: tailscale +image: "{{ .Values.tailscaleImage.repository }}:{{ .Values.tailscaleImage.tag }}" +imagePullPolicy: {{ .Values.tailscaleImage.pullPolicy }} + +command: ["ash", "/tailscale/run.sh"] + +tty: true + +# It should run rootless. But needs test +securityContext: + runAsUser: 1000 + runAsGroup: 1000 + capabilities: + add: + - NET_ADMIN + +serviceAccount: + main: + create: true + +rbac: + main: + enabled: true + rules: + - apiGroups: + - "" + resources: + - "secrets" + verbs: + - "create" + - apiGroups: + - "" + resources: + - "secrets" + resourceNames: + - '{{ $secretName }}' + verbs: + - "get" + - "update" + +envFrom: + - secretRef: + name: {{ $secretName }} + +env: + - name: TS_KUBE_SECRET + value: {{ $secretName }} + - name: TS_USERSPACE + value: {{ .Values.addons.vpn.tailscale.userspace | quote }} + - name: TS_ACCEPT_DNS + value: {{ .Values.addons.vpn.tailscale.accept_dns | quote }} + {{- with .Values.addons.vpn.tailscale.routes }} + - name: TS_ROUTES + value: {{ . }} + {{- end }} + {{- with .Values.addons.vpn.tailscale.dest_ip }} + - name: TS_DEST_IP + value: {{ . }} + {{- end }} + {{- with .Values.addons.vpn.tailscale.sock5_server }} + - name: TS_SOCKS5_SERVER + value: {{ . }} + {{- end }} + {{- with .Values.addons.vpn.tailscale.extra_args }} + - name: TS_EXTRA_ARGS + value: {{ . | quote }} + {{- end }} + {{- with .Values.addons.vpn.tailscale.daemon_extra_args }} + - name: TS_TAILSCALED_EXTRA_ARGS + value: {{ . 
| quote }} + {{- end }} + +{{- range $envList := .Values.addons.vpn.envList }} + {{- if and $envList.name $envList.value }} + - name: {{ $envList.name }} + value: {{ $envList.value | quote }} + {{- else }} + {{- fail "Please specify name/value for VPN environment variable" }} + {{- end }} +{{- end}} + +{{- with .Values.addons.vpn.env }} +{{- range $k, $v := . }} + - name: {{ $k }} + value: {{ $v | quote }} +{{- end }} +{{- end }} + +{{- if .Values.addons.vpn.killSwitch }} + - name: KILLSWITCH + value: "true" + {{- $excludednetworksv4 := "172.16.0.0/12"}} + {{- range .Values.addons.vpn.excludedNetworks_IPv4 }} + {{- $excludednetworksv4 = ( printf "%v;%v" $excludednetworksv4 . ) }} + {{- end}} + - name: KILLSWITCH_EXCLUDEDNETWORKS_IPV4 + value: {{ $excludednetworksv4 | quote }} +{{- if .Values.addons.vpn.excludedNetworks_IPv6 }} + {{- $excludednetworksv6 := ""}} + {{- range .Values.addons.vpn.excludedNetworks_IPv4 }} + {{- $excludednetworksv6 = ( printf "%v;%v" $excludednetworksv6 . ) }} + {{- end}} + - name: KILLSWITCH_EXCLUDEDNETWORKS_IPV6 + value: {{ .Values.addons.vpn.excludedNetworks_IPv6 | quote }} +{{- end }} +{{- end }} + +volumeMounts: + - mountPath: {{ .Values.persistence.shared.mountPath }} + name: shared +{{- with .Values.addons.vpn.livenessProbe }} +livenessProbe: + {{- toYaml . | nindent 2 }} +{{- end -}} +{{- with .Values.addons.vpn.resources }} +resources: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end -}} diff --git a/charts/common/templates/addons/vpn/tailscale/_secret.tpl b/charts/common/templates/addons/vpn/tailscale/_secret.tpl new file mode 100644 index 00000000..eedd6829 --- /dev/null +++ b/charts/common/templates/addons/vpn/tailscale/_secret.tpl 
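Review bot: The IPv6 kill-switch block ranges over `.Values.addons.vpn.excludedNetworks_IPv4` while building `$excludednetworksv6`, then never uses that variable — `KILLSWITCH_EXCLUDEDNETWORKS_IPV6` is set to `.Values.addons.vpn.excludedNetworks_IPv6 | quote`, which renders the list in Go slice syntax (`"[fd00::/8 fc00::/7]"`) instead of the `;`-separated form the IPv4 variable uses, so the exclusions are silently wrong. Replace the four accumulator lines with `value: {{ join ";" .Values.addons.vpn.excludedNetworks_IPv6 | quote }}` (the enclosing `if` already handles the empty list), which also avoids the leading `;` that `printf "%v;%v" "" .` would have produced. Separately, `capabilities.add: [NET_ADMIN]` is granted unconditionally even though `userspace` defaults to true, where tailscale does not create a TUN device; wrapping the `capabilities:` stanza in `{{- if not .Values.addons.vpn.tailscale.userspace }}` keeps the sidecar at least privilege by default. Finally, `serviceAccount:` and `rbac:` are not container-spec fields, so unless the addon machinery lifts them out of `$container` before the pod is emitted they will be rejected or dropped by the API server — worth checking on a rendered manifest.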
@@ -0,0 +1,19 @@ +{{/* Define the secret */}} +{{- define "tailscale.secret" -}} + +{{- $secretName := printf "%s-tailscale-secret" (include "tc.common.names.fullname" .) }} + +--- +{{/* This secrets are loaded on tailscale */}} +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: {{ $secretName }} + labels: + {{- include "tc.common.labels" . | nindent 4 }} +data: + {{- with .Values.addons.vpn.tailscale.authkey }} + TS_AUTH_KEY: {{ . | b64enc }} + {{- end }} +{{- end }} diff --git a/charts/common/values.yaml b/charts/common/values.yaml index f18d89d4..ba66e35e 100644 --- a/charts/common/values.yaml +++ b/charts/common/values.yaml @@ -18,6 +18,16 @@ wireguardImage: # -- Specify the WireGuard image pull policy pullPolicy: IfNotPresent +# -- Tailscale specific configuration +# @default -- See below +tailscaleImage: + # -- Specify the Tailscale image + repository: tccr.io/truecharts/tailscale + # -- Specify the Tailscale image tag + tag: v1.29.125@sha256:fb2ad07557c351805a126d0056be083fb67e3b22abae12a18c52f1461b55ca55 + # -- Specify the Tailscale image pull policy + pullPolicy: IfNotPresent + # -- promtail specific configuration # @default -- See below promtailImage: @@ -978,7 +988,7 @@ addons: # For more info, check out [our docs](http://docs.k8s-at-home.com/our-helm-charts/common-library-add-ons/#wireguard-vpn) # @default -- See values.yaml vpn: - # -- Specify the VPN type. Valid options are disabled, openvpn or wireguard + # -- Specify the VPN type. Valid options are disabled, openvpn, wireguard or tailscale type: disabled # -- OpenVPN specific configuration 
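Review bot: Nothing in this diff includes `tailscale.secret`, yet the container template loads `<fullname>-tailscale-secret` via `envFrom.secretRef` without `optional: true` and scopes its `get`/`update` rule to that exact name; if the include is not wired up elsewhere, the pod will sit in CreateContainerConfigError. Rendering `{{- include "tailscale.secret" . }}` from `tc.common.addon.tailscale`, or documenting where consumers are expected to include it, closes that gap. The define name also departs from the `tc.common.*` prefix every other define in this change uses; `tc.common.addon.tailscale.secret` would match. Since the same Secret is Helm-managed and, via `TS_KUBE_SECRET`, presumably also written to by tailscaled, a comment on the define such as `{{/* Shared with tailscaled state; relies on helm upgrade merging rather than replacing the object */}}` would warn the next maintainer.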
@@ -989,6 +999,22 @@ addons: username: "" password: "" + # -- Tailscale specific configuration + # @default -- See below + # See more info for the configuration + # https://github.com/tailscale/tailscale/blob/main/docs/k8s/run.sh + tailscale: + # -- Auth key to connect to the VPN Service + authkey: "" + # As a sidecar, it should only need to run in userspace + userspace: true + accept_dns: false + routes: "" + dest_ip: "" + sock5_server: "" + extra_args: "" + daemon_extra_args: "" + killSwitch: true excludedNetworks_IPv4: [] excludedNetworks_IPv6: []
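Review bot: Most of the new `tailscale:` keys (`accept_dns` through `daemon_extra_args`) carry no `# --` description, unlike every other key in this file that helm-docs picks up, and `sock5_server` is misspelled relative to the `TS_SOCKS5_SERVER` variable it feeds, which users copying names from the linked Tailscale docs will trip over. Since this is the key's first release, renaming it to `socks5_server` now costs nothing; add a `# -- ` line per key, e.g. `# -- Subnet routes to advertise (TS_ROUTES)`. It is also worth extending the `authkey` comment to say the value ends up in a Secret and in the release's stored values, so it should be supplied at install time rather than committed to a values file.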