diff --git a/headscale/Chart.yaml b/headscale/Chart.yaml index 5878996..3224f12 100644 --- a/headscale/Chart.yaml +++ b/headscale/Chart.yaml @@ -3,7 +3,7 @@ name: headscale description: An open source, self-hosted implementation of the Tailscale control server. icon: https://raw.githubusercontent.com/juanfont/headscale/56a7b1e34952c3e0306a134b2be9b4277f5d8d6e/docs/logo/headscale3-dots.svg type: application -version: 0.3.4 +version: 0.4.0 # renovate: image=docker.io/headscale/headscale appVersion: "0.22.3" maintainers: diff --git a/headscale/README.adoc b/headscale/README.adoc index bda3a3f..af1405c 100644 --- a/headscale/README.adoc +++ b/headscale/README.adoc @@ -2,7 +2,7 @@ = headscale -image::https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square[Version: 0.3.4] +image::https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square[Version: 0.4.0] image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application] image::https://img.shields.io/badge/AppVersion-0.22.3-informational?style=flat-square[AppVersion: 0.22.3] == Maintainers @@ -272,6 +272,41 @@ helm uninstall headscale-release | `""` | +| networkPolicy.egress.enabled +| bool +| `false` +| activate egress no networkpolicy + +| networkPolicy.egress.extra +| list +| `[]` +| egress rules + +| networkPolicy.enabled +| bool +| `false` +| + +| networkPolicy.ingress.derp +| list +| `[{"ipBlock":{"cidr":"0.0.0.0/0"}},{"ipBlock":{"cidr":"::/0"}}]` +| ingress for derp + +| networkPolicy.ingress.grpc +| list +| `[]` +| ingress for grpc port + +| networkPolicy.ingress.http +| list +| `[]` +| ingress for http port (e.g. ingress-controller) + +| networkPolicy.ingress.metrics +| list +| `[]` +| ingress for metrics port (e.g. prometheus) + | nodeSelector | object | `{}` diff --git a/headscale/templates/networkpolicy.yaml b/headscale/templates/networkpolicy.yaml new file mode 100644 index 0000000..c908973 --- /dev/null 
+++ b/headscale/templates/networkpolicy.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.networkPolicy.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "headscale.fullname" . }}
+ labels:
+ {{- include "headscale.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "headscale.selectorLabels" . | nindent 6 }}
+ policyTypes:
+ - Ingress
+ {{- if .Values.networkPolicy.egress.enabled }}
+ - Egress
+ {{- end }}
+ ingress:
+ {{- with .Values.networkPolicy.ingress.http }}
+ - ports:
+ - port: {{ $.Values.service.port.http }}
+ protocol: TCP
+ from:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.networkPolicy.ingress.metrics }}
+ - ports:
+ - port: {{ $.Values.service.port.metrics }}
+ protocol: TCP
+ from:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.networkPolicy.ingress.grpc }}
+ - ports:
+ - port: {{ $.Values.service.port.grpc }}
+ protocol: TCP
+ from:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.networkPolicy.ingress.derp }}
+ - ports:
+ - port: {{ $.Values.service.derp.port }}
+ protocol: TCP
+ from:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.networkPolicy.egress }}
+ egress:
+ {{- toYaml .extra | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/headscale/values.yaml b/headscale/values.yaml
index 6de3d02..63cf39e 100644
--- a/headscale/values.yaml
+++ b/headscale/values.yaml
@@ -160,6 +160,28 @@ service:
 annotations:
 port: 3478
+networkPolicy:
+ enabled: false
+ ingress:
+ # -- ingress for http port (e.g. ingress-controller)
+ http: []
+ # -- ingress for metrics port (e.g. prometheus)
+ metrics: []
+ # -- ingress for grpc port
+ grpc: []
+ # -- ingress for derp
+ derp:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ - ipBlock:
+ cidr: ::/0
+
+ egress:
+ # -- activate egress no networkpolicy
+ enabled: false
+ # -- egress rules
+ extra: []
+
 ingress:
 enabled: false
 className: ""
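Review bot: The egress block at the end of the hunk is gated on `{{- with .Values.networkPolicy.egress }}`, which is always truthy because values.yaml defines `egress` as a map holding `enabled` and `extra`, so `egress:` is rendered even when `egress.enabled` is false while `Egress` is only added to `policyTypes` under that flag; the two conditions should agree, e.g. `{{- if .Values.networkPolicy.egress.enabled }}` / `egress:` / `{{- toYaml .Values.networkPolicy.egress.extra | nindent 4 }}`. With the flag on and `extra` left at `[]` the rendered policy denies all egress from the pod, including DNS, which is a sound default-deny but should be stated in the values comment so operators do not enable it blind. The DERP rule near the end uses `protocol: TCP` for `service.derp.port`; the only visible value for that port is `3478` in the values.yaml context, which is the STUN port, and headscale's embedded DERP server serves STUN over UDP, so if that is what the port maps to, the rule should be `protocol: UDP` (or a second UDP entry) or STUN traffic is silently dropped once the policy is applied.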
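Review bot: The comment on `egress.enabled`, `# -- activate egress no networkpolicy`, is garbled and does not say what turning the flag on does; given the template adds `Egress` to `policyTypes` while `extra` defaults to `[]`, enabling it with the defaults blocks all outbound traffic from the pod, so I would write `# -- enable egress restrictions; with extra left empty all egress (including DNS) is denied`. The `derp` default admits `0.0.0.0/0` and `::/0` on the DERP port, which is the intended open-relay posture but deserves a comment such as `# -- ingress for derp (defaults to allow from any address; narrow if the relay is not public)` so the wide default is a visible choice. Style: quote `"::/0"` — a plain scalar beginning with `:` is accepted as a string by current parsers, but quoting keeps it unambiguous across tooling.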