fix(headscale): add networkpolicy support

2024-08-22 21:41:36 +02:00 · 2024-08-22 21:41:36 +02:00 · 6f18af3d01
commit 6f18af3d01
parent 24bbbe0bec
4 changed files with 110 additions and 2 deletions
--- a/headscale/Chart.yaml
+++ b/headscale/Chart.yaml
@ -3,7 +3,7 @@ name: headscale
 description: An open source, self-hosted implementation of the Tailscale control server.
 icon: https://raw.githubusercontent.com/juanfont/headscale/56a7b1e34952c3e0306a134b2be9b4277f5d8d6e/docs/logo/headscale3-dots.svg
 type: application
-version: 0.3.4
+version: 0.4.0
 # renovate: image=docker.io/headscale/headscale
 appVersion: "0.22.3"
 maintainers:
--- a/headscale/README.adoc
+++ b/headscale/README.adoc
@ -2,7 +2,7 @@

 = headscale

-image::https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square[Version: 0.3.4]
+image::https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square[Version: 0.4.0]
 image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application]
 image::https://img.shields.io/badge/AppVersion-0.22.3-informational?style=flat-square[AppVersion: 0.22.3]
 == Maintainers
@ -272,6 +272,41 @@ helm uninstall headscale-release
 | `""`
 |

+| networkPolicy.egress.enabled
+| bool
+| `false`
+| activate egress no networkpolicy
+
+| networkPolicy.egress.extra
+| list
+| `[]`
+| egress rules
+
+| networkPolicy.enabled
+| bool
+| `false`
+|
+
+| networkPolicy.ingress.derp
+| list
+| `[{"ipBlock":{"cidr":"0.0.0.0/0"}},{"ipBlock":{"cidr":"::/0"}}]`
+| ingress for derp
+
+| networkPolicy.ingress.grpc
+| list
+| `[]`
+| ingress for grpc port
+
+| networkPolicy.ingress.http
+| list
+| `[]`
+| ingress for http port (e.g. ingress-controller)
+
+| networkPolicy.ingress.metrics
+| list
+| `[]`
+| ingress for metrics port (e.g. prometheus)
+
 | nodeSelector
 | object
 | `{}`
--- a/headscale/templates/networkpolicy.yaml
+++ b/headscale/templates/networkpolicy.yaml
@ -0,0 +1,51 @@
+{{- if .Values.networkPolicy.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "headscale.fullname" . }}
+  labels:
+    {{- include "headscale.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "headscale.selectorLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+    {{- if .Values.networkPolicy.egress.enabled }}
+    - Egress
+    {{- end }}
+  ingress:
+    {{- with .Values.networkPolicy.ingress.http }}
+    - ports:
+        - port: {{ $.Values.service.port.http }}
+          protocol: TCP
+      from:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.networkPolicy.ingress.metrics }}
+    - ports:
+        - port: {{ $.Values.service.port.metrics }}
+          protocol: TCP
+      from:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.networkPolicy.ingress.grpc }}
+    - ports:
+        - port: {{ $.Values.service.port.grpc }}
+          protocol: TCP
+      from:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.networkPolicy.ingress.derp }}
+    - ports:
+        - port: {{ $.Values.service.derp.port }}
+          protocol: TCP
+      from:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+  {{- with .Values.networkPolicy.egress }}
+  egress:
+    {{- toYaml .extra | nindent 4 }}
+  {{- end }}
+{{- end }}
--- a/headscale/values.yaml
+++ b/headscale/values.yaml
@ -160,6 +160,28 @@ service:
    annotations:
    port: 3478

+networkPolicy:
+  enabled: false
+  ingress:
+    # -- ingress for http port (e.g. ingress-controller)
+    http: []
+    # -- ingress for metrics port (e.g. prometheus)
+    metrics: []
+    # -- ingress for grpc port
+    grpc: []
+    # -- ingress for derp
+    derp:
+      - ipBlock:
+          cidr: 0.0.0.0/0
+      - ipBlock:
+          cidr: ::/0
+
+  egress:
+    # -- activate egress no networkpolicy
+    enabled: false
+    # -- egress rules
+    extra: []
+
 ingress:
  enabled: false
  className: ""