internal-headscale: Add Chart

2025-10-13 20:09:02 +02:00
parent 9cf72e7de2
commit 19efca2c1f
5 changed files with 143 additions and 0 deletions
--- a/internal-headscale/templates/deployment.yaml
+++ b/internal-headscale/templates/deployment.yaml
@@ -0,0 +1,83 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}
+  labels: {{- include "common.app.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels: {{- include "common.app.labels" . | nindent 6 }}
+  template:
+    metadata:
+      labels: {{- include "common.app.labels" . | nindent 8 }}
+    spec:
+      containers:
+        {{- range $forward := .Values.socat.config.forwards }}
+        - name: {{ $forward.name }}
+          image: "{{ $.Values.socat.image }}:{{ $.Values.socat.imageVersion }}"
+          command:
+            - socat
+            - TCP-LISTEN:{{ $forward.port }},fork,reuseaddr
+            - TCP:{{ $forward.target }}:{{ $forward.targetPort }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+              {{- if or (eq (int $forward.port) 80) (eq (int $forward.port) 443) }}
+              add:
+                {{/*Allow binding to :80 and :443 in the container*/}}
+                - NET_BIND_SERVICE
+              {{- end }}
+            runAsUser: 10001
+            runAsGroup: 10001
+            readOnlyRootFilesystem: true
+        {{- end }}
+        - name: tailscale
+          image: "{{ .Values.tailscale.image }}:{{ .Values.tailscale.imageVersion }}"
+          env:
+            - name: TS_USERSPACE
+              value: "true"
+            - name: TS_STATE_DIR
+              value: /var/lib/tailscale
+            - name: TS_AUTH_KEY
+              valueFrom:
+                secretKeyRef:
+                  key: token
+                  name: {{ .Values.tailscale.config.secret.secretName }}
+            - name: TS_NO_LOGS_NO_SUPPORT
+              value: "true"
+            {{/*Don't try to reauth all the time*/}}
+            - name: TS_AUTH_ONCE
+              value: "true"
+            {{/*Prevent tailscale from connecting to the cluster*/}}
+            - name: KUBERNETES_SERVICE_HOST
+              value: ""
+            - name: TS_EXTRA_ARGS
+              value: "--advertise-tags={{ .Values.tailscale.config.tag }} --login-server {{ .Values.tailscale.config.loginServer }} --hostname {{ .Values.tailscale.config.hostname }}"
+            - name: TS_HEALTHCHECK_ADDR_PORT
+              value: "0.0.0.0:9999"
+          readinessProbe:
+            httpGet:
+              port: 9999
+              path: /healthz
+              scheme: HTTP
+            initialDelaySeconds: 5
+            failureThreshold: 5
+          livenessProbe:
+            httpGet:
+              port: 9999
+              path: /healthz
+              scheme: HTTP
+            failureThreshold: 5
+          volumeMounts:
+            - mountPath: /var/lib/tailscale
+              name: state
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+      volumes:
+        - name: state
+          {{- .Values.tailscale.mounts.state | toYaml | nindent 10 }}