image:
  # Upstream headscale control-server image, pinned to an exact release tag
  # rather than a floating one. If the chart supports it, pinning by digest
  # (`@sha256:…`) gives a stronger supply-chain guarantee than a tag alone.
  repository: ghcr.io/juanfont/headscale
  tag: v0.25.1
  pullPolicy: IfNotPresent
# Container arguments: run the headscale control server.
args:
  - "serve"
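env:
  # Headscale is configured through HEADSCALE_* environment variables. Every
  # value is kept as a quoted string so YAML does not retype booleans or
  # durations before headscale parses them.
  HEADSCALE_DNS_BASE_DOMAIN: "obx.hs"

  # --- OIDC login against a Microsoft Entra ID tenant ---
  # Fail closed: refuse to start if the issuer is unreachable, instead of
  # coming up without OIDC.
  HEADSCALE_OIDC_ONLY_START_IF_OIDC_IS_AVAILABLE: "true"
  HEADSCALE_OIDC_ISSUER: "https://login.microsoftonline.com/3f737008-e9a0-4485-9d27-40329d288089/v2.0"
  # Tenant ID and client ID are identifiers, not secrets; they may stay here.
  HEADSCALE_OIDC_CLIENT_ID: "688e9096-f140-4498-a46a-e3d1939184de"
  # SECURITY: the OIDC client secret must not be committed to this file in
  # plaintext. A literal value was previously stored here; treat it as
  # compromised and rotate it in the Entra app registration regardless of
  # this change. Provide the secret from a Kubernetes Secret instead. The
  # `valueFrom` form below is the standard Kubernetes EnvVar shape -- confirm
  # this chart's `env` map accepts it; if it does not, use the chart's
  # envFrom/secretRef mechanism, or mount the Secret as a file and point
  # headscale's oidc client-secret-path option at it (check the v0.25.1
  # config reference for the exact key).
  HEADSCALE_OIDC_CLIENT_SECRET:
    valueFrom:
      secretKeyRef:
        # Create this Secret out of band (e.g. sealed-secrets / external-secrets).
        name: headscale-oidc
        key: client-secret
  # NOTE(review): the tenant-scoped issuer limits logins to that tenant, but
  # guest accounts in the tenant would also pass. Consider headscale's oidc
  # allowed-domains / allowed-users settings as a second gate -- verify the
  # option names for v0.25.1 before adding them.

  # -- Node IPv4 prefixes
  HEADSCALE_PREFIXES_V4: "100.64.0.0/10"
  # -- Node IPv6 prefixes
  HEADSCALE_PREFIXES_V6: "fd7a:115c:a1e0::/48"

  # -- List of DNS servers to expose to clients.
  HEADSCALE_DNS_NAMESERVERS_GLOBAL: "1.1.1.1 1.0.0.1"
  # -- Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
  HEADSCALE_DNS_MAGIC_DNS: "true"

  # -- DERP relay map, fetched from Tailscale's public control plane and
  # refreshed daily. The relays are third-party infrastructure: by the DERP
  # design they only forward already-encrypted WireGuard traffic, but relay
  # availability depends on that third party.
  HEADSCALE_DERP_URLS: "https://controlplane.tailscale.com/derpmap/default"
  HEADSCALE_DERP_AUTO_UPDATE_ENABLED: "true"
  HEADSCALE_DERP_UPDATE_FREQUENCY: "24h"

  # -- Ephemeral nodes are removed after this long without activity.
  HEADSCALE_EPHEMERAL_NODE_INACTIVITY_TIMEOUT: "30m"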
ingress:
  main:
    enabled: true
    className: "nginx"
    annotations:
      # Certificate issued by cert-manager; plain HTTP is redirected to HTTPS.
      cert-manager.io/cluster-issuer: letsencrypt-production
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      # TLS terminates at the ingress controller; the hop from the controller
      # to the headscale pod is plaintext HTTP on the cluster network.
      nginx.ingress.kubernetes.io/backend-protocol: HTTP
    hosts:
      - host: headscale.svc.oceanbox.io
        paths:
          - path: /
    tls:
      - secretName: headscale-tls
        hosts:
          - headscale.svc.oceanbox.io
persistence:
  config:
    enabled: true
    # Headscale's config directory. `retain: true` presumably keeps the
    # volume when the release is deleted -- verify against the chart's docs.
    retain: true
    mountPath: /etc/headscale
    # Storage parameters are left to the cluster defaults; uncomment to override.
    # storageClass: ""
    # accessMode: ReadWriteOnce
    # size: 1Gi
# -- Enable and configure postgresql database subchart under this key.
# For more options see [postgresql chart documentation](https://github.com/bitnami/charts/tree/main/bitnami/postgresql)
# @default -- See [values.yaml](./values.yaml)
postgresql:
  # Disabled: headscale runs without the subchart here. Before flipping this
  # to true, replace the placeholder below -- `changeme` would become the live
  # superuser password -- and prefer supplying it from an existing Secret
  # rather than from this file (see the subchart's auth options).
  enabled: false
  auth:
    database: headscale
    postgresPassword: changeme
  primary:
    persistence:
      # Non-persistent: all database contents are lost on pod restart.
      enabled: false
      # storageClass: ""
      # size: 8Gi
serviceMonitor:
  main:
    # -- Enables or disables the serviceMonitor.
    enabled: true
    # -- Configures the endpoints for the serviceMonitor.
    # @default -- See [values.yaml](./values.yaml)
    endpoints:
      # Prometheus scrapes the metrics port over plain HTTP on the cluster
      # network; no authentication is configured for the endpoint in this file.
      - port: metrics
        scheme: http
        path: /metrics
        interval: 30s
        scrapeTimeout: 10s
configMaps:
  # -- Headscale ACL policy, written as HuJSON (comments and trailing commas
  # are allowed). The policy is an allow-list: only "accept" rules exist, so
  # any traffic not matched below is denied.
  acl:
    enabled: true
    data:
      policy: |
        {
          // groups are collections of users having a common scope. A user can be in multiple groups
          // groups cannot be composed of groups
          // NOTE(review): entries must match headscale's user names exactly. Two
          // entries use mixed case ("Moritz.Jorg", "Ole.Tytlandsvik"); confirm they
          // match the names the OIDC login created, otherwise they silently match
          // no user and that person gets no access rather than an error.
          "groups": {
            "group:admin": [
              "jonas.juselius@oceanbox.io",
              "Moritz.Jorg@oceanbox.io",
              "system-tos", // not an e-mail: presumably a non-OIDC headscale user -- verify
            ],
            "group:devops": [
              "jonas.juselius@oceanbox.io",
              "Moritz.Jorg@oceanbox.io",
              "stig.r.jensen@oceanbox.io",
              "radovan.bast@oceanbox.io",
              "simen.kirkvik@oceanbox.io",
              "Ole.Tytlandsvik@tromso.serit.no",
            ],
            "group:oceanographer": [
              "frank.gaardsted@oceanbox.io",
              "ole.anders.nost@oceanbox.io",
              "helge.avlesen@oceanbox.io",
              "isa.rosso@oceanbox.io",
              "jonathan.lilly@oceanbox.io",
            ],
            "group:manager": [
              "svenn.hanssen@oceanbox.io",
              "hilde.iversen@oceanbox.io",
            ],
            // Empty groups are referenced by the rules below (group:dev) or reserved
            // for later (group:intern); an empty group grants nothing.
            "group:dev": [],
            "group:intern": [],
          },
          // tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.
          // This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)
          // and explained [here](https://tailscale.com/blog/rbac-like-it-was-meant-to-be/)
          // Only admins may tag nodes; neither tag is used as a src/dst below yet.
          "tagOwners": {
            "tag:k8s": [ "group:admin" ],
            "tag:hpc": [ "group:admin" ],
          },
          // hosts should be defined using its IP addresses and a subnet mask.
          // to define a single host, use a /32 mask. You cannot use DNS entries here,
          // as they're prone to be hijacked by replacing their IP addresses.
          // see https://github.com/tailscale/tailscale/issues/3800 for more information.
          // Note that 10.255.241.99 is shared by ingress.ekman.tos, frontend.ekman.tos
          // and k8s.ekman.tos: a rule on any of those names opens that port on the
          // same machine.
          "hosts": {
            "ingress.ekman.tos": "10.255.241.99/32",
            "ingress.ceph.tos": "10.255.241.10/32",
            "ingress.oceanbox.tos": "10.255.241.11/32",
            "frontend.ekman.tos": "10.255.241.99/32",
            "k8s.oceanbox.tos": "10.255.241.200/32",
            "k8s.ekman.tos": "10.255.241.99/32",
            "k8s.ceph.tos": "10.255.241.29/32",
            "printer.office.tos": "10.132.46.108/32",
            "net.office.tos": "10.132.46.0/24",
            "net.dc.tos": "10.255.241.0/24",
            "net.ceph.tos": "10.255.244.0/24",
            "net.mgmt.tos": "10.255.240.0/24"
          },
          "acls": [
            // NOTE(review): "mumindalen" is not defined in "hosts" above, so it is
            // presumably a headscale user or node name. Port "0" is unusual -- the
            // other rules use "*" for all ports. TODO confirm headscale v0.25.1
            // accepts ":0" and what it matches.
            {
              "action": "accept",
              "src": [
                "group:admin",
                "group:devops",
                "group:oceanographer",
                "group:manager",
                "group:dev",
              ],
              "dst": [ "mumindalen:0" ]
            },
            // Admins reach every port on all four subnets (DC, management,
            // ceph and office).
            {
              "action": "accept",
              "src": [ "group:admin" ],
              "dst": [
                "net.dc.tos:*",
                "net.mgmt.tos:*",
                "net.ceph.tos:*",
                "net.office.tos:*",
              ]
            },
            // Devops get the two Kubernetes API endpoints only.
            {
              "action": "accept",
              "src": [ "group:devops" ],
              "dst": [
                "k8s.oceanbox.tos:6443",
                "k8s.ekman.tos:4443",
              ]
            },
            // Everyone except interns: HTTPS ingresses, the office printer and SSH
            // to two hosts. NOTE(review): the two SSH targets are raw IPs, which the
            // "hosts" comment above advises against; 10.255.241.99 already has named
            // entries and 10.255.241.100 has none -- consider naming both.
            {
              "action": "accept",
              "src": [
                "group:admin",
                "group:devops",
                "group:oceanographer",
                "group:manager",
                "group:dev",
              ],
              "dst": [
                "ingress.oceanbox.tos:443",
                "ingress.ekman.tos:443",
                "printer.office.tos:631",
                "10.255.241.99/32:22",
                "10.255.241.100/32:22",
              ]
            },
            // NOTE(review): "100.64.0.1/24" has host bits set; the intended prefix is
            // presumably "100.64.0.0/24" -- confirm headscale masks rather than rejects
            // it. This rule also opens every port on that tailnet range to all listed
            // groups, and "autogroup:internet" lets them egress through any exit node
            // (per Tailscale's ACL semantics); check that both are intended.
            {
              "action": "accept",
              "src": [
                "group:admin",
                "group:devops",
                "group:oceanographer",
                "group:manager",
                "group:dev",
              ],
              "dst": [
                "100.64.0.1/24:*",
                "autogroup:internet:*",
              ]
            },
          ]
        }
  # -- Extra DNS records served to clients via MagicDNS.
  # The array is kept as strict JSON (no comments inside it). Two names look like
  # typos worth confirming against what clients actually resolve:
  # "huble.ob-ceph.local" (cf. hubble.adm.oceanbox.io) and
  # "sorcrerer.ekman.oceanbox.io" (cf. the *-sorcerer.ekman.* entries).
  # The ".local" suffix is also reserved for mDNS (RFC 6762); some client
  # resolvers may not send those names to MagicDNS at all.
  dns:
    enabled: true
    data:
      records: |
        [
          { "name": "maps.beta.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "atlantis.beta.oceanbox.io", "type": "A", "value": "10.255.241.11" },

          { "name": "auth.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "keycloak.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "grafana.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "prometheus.adm.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "alertmanager.adm.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "argocd.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "hubble.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "plausible.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },

          { "name": "rabbitmq.srv.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "openfga.srv.oceanbox.io", "type": "A", "value": "10.255.241.11" },

          { "name": "rabbitmq.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "yolo-registry.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "openfga.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },

          { "name": "argocd.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "prometheus.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "alertmanager.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "grafana.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "slurmrestd.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "sorcrerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },

          { "name": "dashboard.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
          { "name": "grafana.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
          { "name": "s3.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
          { "name": "prometheus.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
          { "name": "alertmanager.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
          { "name": "huble.ob-ceph.local", "type": "A", "value": "10.255.241.10" },

          { "name": "jonas-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "jonas-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "stig-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "stig-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "radovan-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "radovan-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "moritz-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "moritz-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "simen-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "simen-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "ole-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "ole-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" }
        ]