image:
  repository: ghcr.io/juanfont/headscale
  pullPolicy: IfNotPresent
  # Pinned release tag. NOTE(review): a tag is mutable at the registry; if the chart exposes a
  # digest field, pin by digest as well so the running artifact cannot change under the same tag.
  tag: v0.27.1
# Subcommand passed to the container: run the headscale control server.
args: ["serve"]
env:
  # Base domain for MagicDNS names of tailnet nodes.
  HEADSCALE_DNS_BASE_DOMAIN: "ts.obx"
  # HACK: Workaround for fortigate block of WG udp port
  HEADSCALE_RANDOMIZE_CLIENT_PORT: "true"
  # Fail startup when the OIDC issuer cannot be reached, so a broken IdP is noticed at deploy time.
  HEADSCALE_OIDC_ONLY_START_IF_OIDC_IS_AVAILABLE: "true"
  # Microsoft Entra ID tenant issuer. The client ID is a public identifier; the secret below is not.
  HEADSCALE_OIDC_ISSUER: "https://login.microsoftonline.com/3f737008-e9a0-4485-9d27-40329d288089/v2.0"
  HEADSCALE_OIDC_CLIENT_ID: "688e9096-f140-4498-a46a-e3d1939184de"
  # SECURITY(review): a live OIDC client secret is committed here in plaintext; anyone with read
  # access to this repository or its history can obtain tokens as this application. Treat the
  # value as compromised: rotate it in the app registration and supply the new one from a
  # Kubernetes Secret (a secretKeyRef env entry if the chart's env handling accepts one, or an
  # external-secrets tool) rather than a literal in values.yaml.
  HEADSCALE_OIDC_CLIENT_SECRET: "dPW8Q~1rctY-D0Ih.A1-1KqLl0uj1rX_ixNTcbrh"
  # -- Split DNS: queries under the obx domain go to the internal resolver; ts.obx (the base
  # domain above) is expected to be answered by MagicDNS.
  HEADSCALE_DNS_NAMESERVERS_SPLIT: |
    {
      "obx": ["10.255.241.210"]
    }
  # -- Node IPv4 prefixes
  HEADSCALE_PREFIXES_V4: "100.64.0.0/10"
  # -- Node IPv6 prefixes
  HEADSCALE_PREFIXES_V6: "fd7a:115c:a1e0::/48"
  # -- Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
  HEADSCALE_DNS_MAGIC_DNS: "true"
  # -- List of DNS servers to expose to clients.
  HEADSCALE_DNS_NAMESERVERS_GLOBAL: "1.1.1.1 1.0.0.1"
  # Relay map: Tailscale's public DERP servers, refreshed every 24h.
  HEADSCALE_DERP_URLS: "https://controlplane.tailscale.com/derpmap/default"
  HEADSCALE_DERP_AUTO_UPDATE_ENABLED: "true"
  HEADSCALE_DERP_UPDATE_FREQUENCY: "24h"
  # Ephemeral nodes are removed after this much inactivity.
  HEADSCALE_EPHEMERAL_NODE_INACTIVITY_TIMEOUT: "30m"
ingress:
  main:
    enabled: true
    className: "nginx"
    annotations:
      # Certificate issued by cert-manager's production Let's Encrypt issuer.
      cert-manager.io/cluster-issuer: letsencrypt-production
      # Redirect plain-HTTP clients to HTTPS.
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      # TLS terminates at the ingress; the hop to the headscale pod is plain HTTP.
      nginx.ingress.kubernetes.io/backend-protocol: HTTP
    # Public control-plane hostname that clients register against.
    hosts:
      - host: headscale.svc.oceanbox.io
        paths:
          - path: /
    tls:
      - secretName: headscale-tls
        hosts:
          - headscale.svc.oceanbox.io
persistence:
  # Persistent volume for headscale's config directory.
  # NOTE(review): if the SQLite database also lives under this path (postgresql is disabled in
  # this file), the volume holds node keys and user records — confirm the chart's database
  # path and make sure the claim is backed up and on encrypted storage.
  config:
    enabled: true
    mountPath: /etc/headscale
    # Keep the claim when the release is uninstalled.
    retain: true
    # storageClass: ""
    # accessMode: ReadWriteOnce
    # size: 1Gi
# -- Enable and configure postgresql database subchart under this key.
# @default -- See [values.yaml](./values.yaml)
postgresql:
  # Disabled: the subchart is not deployed unless this is switched on.
  enabled: false
  auth:
    database: headscale
    # SECURITY(review): placeholder superuser password. Inert while the subchart is disabled, but
    # enabling it as-is would deploy PostgreSQL with a publicly known password; set a generated
    # value from a Secret (an existing-Secret reference, if the subchart supports one) first.
    postgresPassword: changeme
  primary:
    persistence:
      enabled: false
      # storageClass: ""
      # size: 8Gi
serviceMonitor:
  main:
    # -- Enables or disables the serviceMonitor.
    enabled: true
    # -- Configures the endpoints for the serviceMonitor.
    # @default -- See [values.yaml](./values.yaml)
    endpoints:
      # Scrape the service port named "metrics" over plain HTTP every 30s, giving up after 10s.
      # NOTE(review): this endpoint is scraped without authentication — keep it on the
      # in-cluster service only, not behind the public ingress.
      - port: metrics
        scheme: http
        path: /metrics
        interval: 30s
        scrapeTimeout: 10s
configMaps:
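acl:
  enabled: true
  data:
    # HuJSON policy: headscale's parser accepts // comments and trailing commas, as the
    # existing annotations below rely on. Rules are default-deny; only listed pairs connect.
    policy: |
      {
        // groups are collections of users having a common scope. A user can be in multiple groups
        // groups cannot be composed of groups
        // NOTE(review): entries must match the user name headscale stores for each OIDC login
        // exactly; the mixed-case "Moritz.Jorg@oceanbox.io" is the one to double-check.
        "groups": {
          "group:admin": [
            "jonas.juselius@oceanbox.io",
            "Moritz.Jorg@oceanbox.io",
            "simen.kirkvik@oceanbox.io",
            "stig.r.jensen@oceanbox.io",
            "ole.tytlandsvik@oceanbox.io",
          ],
          "group:devops": [
            "radovan.bast@oceanbox.io",
          ],
          "group:oceanographer": [
            "frank.gaardsted@oceanbox.io",
            "ole.anders.nost@oceanbox.io",
            "helge.avlesen@oceanbox.io",
            "isa.rosso@oceanbox.io",
            "jonathan.lilly@oceanbox.io",
            "faith.iha@oceanbox.io",
          ],
          "group:manager": [
            "svenn.hanssen@oceanbox.io",
          ],
          "group:marketing": [
            "hilde.iversen@oceanbox.io",
            "pal.herstad@oceanbox.io",
          ],
          "group:dev": [],
          "group:intern": [
            "haavahak@stud.ntnu.no",
          ],
        },
        // tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.
        // This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)
        // and explained [here](https://tailscale.com/blog/rbac-like-it-was-meant-to-be/)
        // Only admins may apply tags, so a tag appearing as a src below is an admin-granted role.
        // NOTE(review): tag:k8s is owned here but referenced by no rule.
        "tagOwners": {
          "tag:k8s": [ "group:admin" ],
          "tag:hpc": [ "group:admin" ],
          "tag:mumindalen": [ "group:admin" ],
          "tag:hel1": [ "group:admin" ],
        },
        // hosts should be defined using its IP addresses and a subnet mask.
        // to define a single host, use a /32 mask. You cannot use DNS entries here,
        // as they're prone to be hijacked by replacing their IP addresses.
        // see https://github.com/tailscale/tailscale/issues/3800 for more information.
        // NOTE(review): ingress.*, manage.ekman.tos, k8s.ceph.tos, printer.office.tos and
        // 100gbe.tos.net are defined but used by no rule; prune or use them so this block
        // reads as the effective allow-list.
        "hosts": {
          "ingress.ekman.tos": "10.255.241.99/32",
          "ingress.ceph.tos": "10.255.241.10/32",
          "ingress.ceph.vtn": "172.16.239.50/32",
          "ingress.adm.ceph.vtn": "172.16.239.51/32",
          "ingress.oceanbox.tos": "10.255.241.11/32",
          "manage.ekman.tos": "10.255.241.99/32",
          "k8s.oceanbox.tos": "10.255.241.200/32",
          "k8s.ekman.tos": "10.255.241.99/32",
          "k8s.ceph.tos": "10.255.241.29/32",
          "printer.office.tos": "10.132.46.108/32",
          "office.tos.net": "10.132.46.0/24",
          "dc.tos.net": "10.255.241.0/24",
          "100gbe.tos.net": "10.255.244.0/24",
          "mgmt.tos.net": "10.255.240.0/24",
          "dc.vtn.net": "172.16.239.0/24",
          "mgmt.vtn.net": "172.16.238.0/24",
          "dc.hel1.net": "10.0.1.0/24",
        },
        "acls": [
          // Admins and tag:mumindalen nodes: all ports on the infrastructure networks and on
          // every node in the tailnet (100.64.0.0/10:*), including users' own devices.
          {
            "action": "accept",
            "src": [
              "group:admin",
              "tag:mumindalen",
            ],
            "dst": [
              "tag:hpc:*",
              "tag:hel1:*",
              "tag:mumindalen:*",
              "dc.tos.net:*",
              "mgmt.tos.net:*",
              "office.tos.net:*",
              "dc.vtn.net:*",
              "mgmt.vtn.net:*",
              "dc.hel1.net:*",
              "100.64.0.0/10:*",
            ]
          },
          // HPC nodes: SSH only, to each other, to mumindalen and to any tailnet node.
          {
            "action": "accept",
            "src": [
              "tag:hpc",
            ],
            "dst": [
              "tag:hpc:22",
              "tag:mumindalen:22",
              "100.64.0.0/10:22",
            ]
          },
          // devops: Kubernetes API servers plus full access to the HPC, hel1 and datacentre networks.
          {
            "action": "accept",
            "src": [ "group:devops" ],
            "dst": [
              "k8s.oceanbox.tos:6443",
              "k8s.ekman.tos:6443",
              "tag:hpc:*",
              "tag:hel1:*",
              "tag:mumindalen:*",
              "dc.tos.net:*",
              "dc.hel1.net:*",
            ]
          },
          // Staff groups: mumindalen on all ports; SSH/HTTP/HTTPS into HPC and the tos
          // datacentre; HTTPS only into hel1.
          {
            "action": "accept",
            "src": [
              "group:oceanographer",
              "group:manager",
              "group:marketing",
            ],
            "dst": [
              "tag:mumindalen:*",
              "tag:hpc:22,80,443",
              "dc.tos.net:22,80,443",
              "dc.hel1.net:443",
            ]
          },
          // Interns: SSH/HTTP/HTTPS to HPC nodes only.
          {
            "action": "accept",
            "src": [
              "group:intern",
            ],
            "dst": [
              "tag:hpc:22,80,443",
            ]
          },
          // Everyone may route internet traffic through exit nodes.
          {
            "action": "accept",
            "src": [ "*" ],
            "dst": [ "autogroup:internet:*", ]
          },
          // Per-user rules: each user may reach their own nodes on any port.
          { "action": "accept", "src": [ "radovan.bast@oceanbox.io", ], "dst": [ "radovan.bast@oceanbox.io:*", ] },
          { "action": "accept", "src": [ "ole.tytlandsvik@oceanbox.io" ], "dst": [ "ole.tytlandsvik@oceanbox.io:*" ] },
          { "action": "accept", "src": [ "frank.gaardsted@oceanbox.io" ], "dst": [ "frank.gaardsted@oceanbox.io:*" ] },
          { "action": "accept", "src": [ "ole.anders.nost@oceanbox.io" ], "dst": [ "ole.anders.nost@oceanbox.io:*" ] },
          { "action": "accept", "src": [ "helge.avlesen@oceanbox.io" ], "dst": [ "helge.avlesen@oceanbox.io:*" ] },
          { "action": "accept", "src": [ "isa.rosso@oceanbox.io" ], "dst": [ "isa.rosso@oceanbox.io:*" ] },
          { "action": "accept", "src": [ "jonathan.lilly@oceanbox.io" ], "dst": [ "jonathan.lilly@oceanbox.io:*" ] },
          { "action": "accept", "src": [ "jonas.juselius@oceanbox.io" ], "dst": [ "jonas.juselius@oceanbox.io:*" ] },
          { "action": "accept", "src": [ "Moritz.Jorg@oceanbox.io" ], "dst": [ "Moritz.Jorg@oceanbox.io:*" ] },
          { "action": "accept", "src": [ "simen.kirkvik@oceanbox.io" ], "dst": [ "simen.kirkvik@oceanbox.io:*" ] },
          { "action": "accept", "src": [ "stig.r.jensen@oceanbox.io" ], "dst": [ "stig.r.jensen@oceanbox.io:*" ] },
          { "action": "accept", "src": [ "svenn.hanssen@oceanbox.io" ], "dst": [ "svenn.hanssen@oceanbox.io:*" ] },
          { "action": "accept", "src": [ "hilde.iversen@oceanbox.io" ], "dst": [ "hilde.iversen@oceanbox.io:*" ] },
          { "action": "accept", "src": [ "pal.herstad@oceanbox.io" ], "dst": [ "pal.herstad@oceanbox.io:*" ] },
          { "action": "accept", "src": [ "faith.iha@oceanbox.io" ], "dst": [ "faith.iha@oceanbox.io:*" ] },
          // s/"\([^"]*\)"/{ "action": "accept", "src": [ "\1" ], "dst": [ "\1:*" ] },
        ]
      }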
dns:
  enabled: true
  data:
    # Extra DNS records handed to clients: a JSON array of {name, type, value} A records
    # pointing internal hostnames at the ingress IPs of each site. Presumably mounted as
    # headscale's extra-records file — confirm against the chart's configMaps handling.
    # NOTE(review): "sorcrerer.ekman.oceanbox.io" looks like a typo of "sorcerer" (compare
    # jonas-sorcerer.ekman.oceanbox.io); confirm no client relies on the misspelt name
    # before renaming it.
    records: |
      [
        { "name": "maps.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "maps.beta.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "maps.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "atlantis.beta.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "codex.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "codex.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "auth.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "auth.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "keycloak.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "grafana.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "prometheus.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "alertmanager.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "argocd.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "hubble.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "dapr.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "umami.srv.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "rabbitmq.srv.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "rabbitmq.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "openfga.srv.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "openfga.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "cache.srv.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "makai.srv.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "makai.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "slurm.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "slurm-gateway.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "yolo-registry.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "argocd.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
        { "name": "prometheus.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
        { "name": "alertmanager.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
        { "name": "grafana.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
        { "name": "slurmrestd.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
        { "name": "sorcrerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
        { "name": "plume.data.oceanbox.io", "type": "A", "value": "10.255.241.99" },
        { "name": "slurm-agent.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
        { "name": "kueue.dev.tos.obx", "type": "A", "value": "10.255.241.99" },
        { "name": "slurm-agent.rossby.oceanbox.io", "type": "A", "value": "172.16.239.222" },
        { "name": "argocd.adm.vtn.obx", "type": "A", "value": "172.16.239.221" },
        { "name": "grafana.adm.vtn.obx", "type": "A", "value": "172.16.239.221" },
        { "name": "prometheus.adm.vtn.obx", "type": "A", "value": "172.16.239.221" },
        { "name": "alertmanager.adm.vtn.obx", "type": "A", "value": "172.16.239.221" },
        { "name": "slurm-agent.adm.vtn.obx", "type": "A", "value": "172.16.239.221" },
        { "name": "kueue.dev.vtn.obx", "type": "A", "value": "172.16.239.221" },
        { "name": "dashboard.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
        { "name": "grafana.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
        { "name": "s3.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
        { "name": "prometheus.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
        { "name": "alertmanager.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
        { "name": "hubble.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
        { "name": "codex.dev.tos.obx", "type": "A", "value": "10.255.241.11" },
        { "name": "dashboard.ceph.tos.obx", "type": "A", "value": "10.255.241.10" },
        { "name": "grafana.ceph.tos.obx", "type": "A", "value": "10.255.241.10" },
        { "name": "s3.ceph.tos.obx", "type": "A", "value": "10.255.241.10" },
        { "name": "prometheus.ceph.tos.obx", "type": "A", "value": "10.255.241.10" },
        { "name": "alertmanager.ceph.tos.obx", "type": "A", "value": "10.255.241.10" },
        { "name": "hubble.ceph.tos.obx", "type": "A", "value": "10.255.241.10" },
        { "name": "dashboard.ceph.vtn.obx", "type": "A", "value": "172.16.239.50" },
        { "name": "grafana.ceph.vtn.obx", "type": "A", "value": "172.16.239.50" },
        { "name": "prometheus.ceph.vtn.obx", "type": "A", "value": "172.16.239.50" },
        { "name": "alertmanager.ceph.vtn.obx", "type": "A", "value": "172.16.239.50" },
        { "name": "hubble.ceph.vtn.obx", "type": "A", "value": "172.16.239.50" },
        { "name": "jonas-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "jonas-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
        { "name": "jonas-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
        { "name": "stig-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "stig-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
        { "name": "stig-sorcerer.dev.vtn.obx", "type": "A", "value": "172.16.239.221" },
        { "name": "stig-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
        { "name": "radovan-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "radovan-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
        { "name": "mrtz-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "mrtz-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
        { "name": "mrtz-sorcerer.dev.vtn.obx", "type": "A", "value": "172.16.239.221" },
        { "name": "mrtz-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
        { "name": "simkir-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "simkir-codex.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "simkir-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
        { "name": "simkir-sorcerer.dev.vtn.obx", "type": "A", "value": "172.16.239.221" },
        { "name": "simkir-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
        { "name": "ole-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
        { "name": "ole-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
        { "name": "ole-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" }
      ]