headscale: Add headscale Chart

common/templates/_templates.tpl

@@ -1,5 +1,5 @@
 {{- define "common.app.labels" -}}
-app.kubernetes.io/name: {{ .name }}
-app.kubernetes.io/version: {{ .version }}
+app.kubernetes.io/name: {{ .Chart.Name }}
+app.kubernetes.io/version: {{ .Chart.Version }}
 app.kubernetes.io/managed-by: Helm
 {{- end }}

headscale/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

headscale/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+  repository: file://../common/
+  version: 0.1.0
+digest: sha256:32af153d0dda4cde05d135c6a839d2c49c8a2e65b8ecf7b819f24e5c3fbf6721
+generated: "2025-10-12T00:43:28.36846097+02:00"

headscale/Chart.yaml

@@ -0,0 +1,10 @@
+apiVersion: v2
+name: headscale
+description: A Helm chart for headscale
+type: application
+version: 0.1.0
+appVersion: "1.16.0"
+dependencies:
+  - name: common
+    version: 0.1.0
+    repository: file://../common/

headscale/templates/configmap.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: {{ .Values.namespace }}
+  name: headscale
+  labels: {{ include "common.app.labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    {{- .Values.config | toYaml | nindent 4 }}
+  {{- if .Values.extraConfig }}
+  {{- .Values.extraConfig | toYaml | nindent 2 }}
+  {{- end }}

headscale/templates/deployment.yaml

@@ -0,0 +1,60 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: {{ .Values.namespace }}
+  name: headscale
+  labels: {{ include "common.app.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels: {{ include "common.app.labels" . | nindent 6 }}
+  template:
+    spec:
+      containers:
+        - name: headscale
+          image: "{{ .Values.image }}:{{ .Values.imageTag }}"
+          ports:
+            - containerPort: 8080
+              name: http
+              protocol: TCP
+            - containerPort: 9090
+              name: metrics
+              protocol: TCP
+          args:
+            - --config
+            - /etc/headscale/config/config.yaml
+            - serve
+          volumeMounts:
+            - mountPath: /etc/headscale/config
+              name: config
+              readOnly: true
+            - mountPath: /var/run
+              name: tmp
+            {{- if .Values.secrets }}
+            - mountPath: /etc/headscale/secrets
+              name: secrets
+              readOnly: true
+            {{- end }}
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+      volumes:
+        - name: config
+          configMap:
+            name: headscale
+        - name: tmp
+          emptyDir:
+            medium: Memory
+        - name: data
+          {{- .Values.mounts.data | toYaml | nindent 10 }}
+        {{- if .Values.secrets }}
+        - name: secrets
+          secret:
+            secretName: {{ .Values.secrets.secretName }}
+        {{- end }}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 10000
+        runAsGroup: 10000

headscale/values.yaml

@@ -0,0 +1,20 @@
+namespace: default
+image: ghcr.io/juanfont/headscale
+imageTag: 0.26.1
+
+mounts:
+  data:
+    persistentVolumeClaim:
+      claimName: test-claim
+
+secrets:
+  secretName: test-secrets
+
+config:
+  # ...
+
+extraConfig:
+  extra_dns.json: |
+    {
+      "test": "test"
+    }