From b626678907d0701a7fc4be5974f1666c48c6996a Mon Sep 17 00:00:00 2001
From: WrenIX
Date: Sat, 21 Sep 2024 17:11:35 +0200
Subject: [PATCH] fix(headscale)!: update to v0.23.0 with breaking changes
---
 headscale-ui/Chart.yaml | 4 +-
 headscale/Chart.yaml | 6 +--
 headscale/templates/deployment.yaml | 1 -
 headscale/templates/jobs.yaml | 65 ++++++++++++++++-------------
 headscale/values.yaml | 29 +++++++------
 5 files changed, 56 insertions(+), 49 deletions(-)
diff --git a/headscale-ui/Chart.yaml b/headscale-ui/Chart.yaml
index 5ce6be0..f8a7fe6 100644
--- a/headscale-ui/Chart.yaml
+++ b/headscale-ui/Chart.yaml
@@ -3,9 +3,9 @@ name: headscale-ui
 description: A simple Headscale web UI for small-scale deployments.
 icon: https://raw.githubusercontent.com/gurucomputing/headscale-ui/master/static/favicon.png
 type: application
-version: 0.2.0
+version: 0.2.1
 # renovate: image=ghcr.io/gurucomputing/headscale-ui
-appVersion: "2024.02.24-beta1"
+appVersion: "2024.10.10"
 maintainers:
 - name: WrenIX
 url: https://wrenix.eu
diff --git a/headscale/Chart.yaml b/headscale/Chart.yaml
index 3224f12..b461907 100644
--- a/headscale/Chart.yaml
+++ b/headscale/Chart.yaml
@@ -3,9 +3,9 @@ name: headscale
 description: An open source, self-hosted implementation of the Tailscale control server.
 icon: https://raw.githubusercontent.com/juanfont/headscale/56a7b1e34952c3e0306a134b2be9b4277f5d8d6e/docs/logo/headscale3-dots.svg
 type: application
-version: 0.4.0
-# renovate: image=docker.io/headscale/headscale
-appVersion: "0.22.3"
+version: 1.0.0
+# renovate: image=ghcr.io/headscale/headscale
+appVersion: "0.23.0"
 maintainers:
 - name: WrenIX
 url: https://wrenix.eu
diff --git a/headscale/templates/deployment.yaml b/headscale/templates/deployment.yaml
index 981420f..5786363 100644
--- a/headscale/templates/deployment.yaml
+++ b/headscale/templates/deployment.yaml
@@ -40,7 +40,6 @@ spec:
 {{- end }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 args:
- - "headscale"
 - "serve"
 ports:
 - name: http
diff --git a/headscale/templates/jobs.yaml b/headscale/templates/jobs.yaml
index 92d46de..40ad74e 100644
--- a/headscale/templates/jobs.yaml
+++ b/headscale/templates/jobs.yaml
@@ -76,34 +76,10 @@ spec:
 spec:
 restartPolicy: "Never"
 serviceAccount: {{ $name }}
- containers:
- - name: upload-key
- image: bitnami/kubectl
- command:
- - sh
- - -c
- - |
- # check if key already exists
- key=$(kubectl get secret {{ $secretName }} -o jsonpath="{.data['wireguard.key']}" 2> /dev/null)
- [ $? -ne 0 ] && echo "Failed to get existing secret" && exit 1
- [ -n "$key" ] && echo "Key already created, exiting." && exit 0
- # wait for wireguard key
- while [ ! -f /etc/headscale/secrets/wireguard.key ]; do
- echo "Waiting for wireguard key.."
- sleep 5;
- done
- # update secret
- kubectl patch secret {{ $secretName }} -p "{\"data\":{\"wireguard.key\":\"$(base64 /etc/headscale/secrets/wireguard.key | tr -d '\n')\"}}"
- kubectl patch secret {{ $secretName }} -p "{\"data\":{\"noise.key\":\"$(base64 /etc/headscale/secrets/noise.key | tr -d '\n')\"}}"
- [ $? -ne 0 ] && echo "Failed to update secret." && exit 1
- echo "Signing key successfully created."
- volumeMounts:
- - mountPath: /etc/headscale/secrets
- name: secrets
- readOnly: true
+ initContainers:
 - name: generate-key
 {{- with .Values.image }}
- image: "{{ .registry }}/{{ .repository }}:{{ .tag | default $.Chart.AppVersion }}"
+ image: "{{ .registry }}/{{ .repository }}:{{ .tag | default $.Chart.AppVersion }}-debug"
 {{- end }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 command:
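Review bot: The `-debug` suffix appended to the init container image tag on the new `image:` line is unexplained in the template, and since it changes which artifact generates the private keys it deserves a comment; presumably the plain headscale image ships no shell, which the `command:` that begins at the end of this hunk needs — please confirm. Add above the `{{- with .Values.image }}` line: `{{- /* -debug image variant: the key-generation script in this init container needs a shell; the headscale deployment itself keeps using the plain image */ }}`. The suffix is also appended to a user-supplied `.Values.image.tag`, so an override pointing at a tag with no `-debug` counterpart may fail to pull; stating that in values.yaml, or making the suffix its own value, would make the assumption explicit. The Job spec this hunk belongs to starts above it.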
@@ -111,16 +87,45 @@ spec:
 - -c
 - |
 set -e
- /bin/headscale generate private-key | tail -1 | sed 's/privkey://' > /etc/headscale/secrets/wireguard.key
- chown 1001:1001 /etc/headscale/secrets/wireguard.key
- /bin/headscale generate private-key | tail -1 | sed 's/privkey://' > /etc/headscale/secrets/noise.key
- chown 1001:1001 /etc/headscale/secrets/noise.key
+ echo "generate private-keys"
+ headscale generate private-key --output json > /etc/headscale/secrets/wireguard.json
+ headscale generate private-key --output json > /etc/headscale/secrets/noise.json
+ headscale generate private-key --output json > /etc/headscale/secrets/derp.json
+ ls /etc/headscale/secrets/
 volumeMounts:
 - name: config
 mountPath: "/etc/headscale"
 readOnly: true
 - mountPath: "/etc/headscale/secrets"
 name: secrets
+ containers:
+ - name: upload-key
+ image: bitnami/kubectl
+ command:
+ - sh
+ - -c
+ - |
+ # check if key already exists
+ key=$(kubectl get secret {{ $secretName }} -o jsonpath="{.data}" 2> /dev/null)
+ [ $? -ne 0 ] && echo "Failed to get existing secret" && exit 1
+ if ! echo $key | jq -e 'has("wireguard.key")' 2> /dev/null ; then
+ echo "store wireguard.key"
+ kubectl patch secret {{ $secretName }} -p "{\"data\":{\"wireguard.key\":\"$(jq -r '.["private_key"] | split(":")[1] | @base64' /etc/headscale/secrets/wireguard.json)\"}}"
+ fi
+ if ! echo $key | jq -e 'has("noise.key")' 2> /dev/null ; then
+ echo "store noise.key"
+ kubectl patch secret {{ $secretName }} -p "{\"data\":{\"noise.key\":\"$(jq -r '.["private_key"] | split(":")[1] | @base64' /etc/headscale/secrets/noise.json)\"}}"
+ fi
+ if ! echo $key | jq -e 'has("derp.key")' 2> /dev/null ; then
+ echo "store derp.key"
+ kubectl patch secret {{ $secretName }} -p "{\"data\":{\"derp.key\":\"$(jq -r '.["private_key"] | split(":")[1] | @base64' /etc/headscale/secrets/derp.json)\"}}"
+ fi
+ [ $? -ne 0 ] && echo "Failed to update secret." && exit 1
+ echo "Signing key successfully created."
+ volumeMounts:
+ - mountPath: /etc/headscale/secrets
+ name: secrets
+ readOnly: true
 volumes:
 - name: config
 secret:
diff --git a/headscale/values.yaml b/headscale/values.yaml
index 63cf39e..f06189e 100644
--- a/headscale/values.yaml
+++ b/headscale/values.yaml
@@ -38,19 +38,17 @@ headscale:
 server_url: http://127.0.0.1:8080
 # SQLite config
- db_type: sqlite3
-
- # For production:
- db_path: /var/lib/headscale/db.sqlite
-
- # # Postgres config
- # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
- # db_type: postgres
- # db_host: localhost
- # db_port: 5432
- # db_name: headscale
- # db_user: foo
- # db_pass: bar
+ database:
+ type: sqlite
+ sqlite:
+ # For production:
+ path: /var/lib/headscale/db.sqlite
+ postgres:
+ host: localhost
+ port: 5432
+ name: headscale
+ user: foo
+ pass: bar
 private_key_path: "/etc/headscale/secrets/wireguard.key"
 noise:
 private_key_path: "/etc/headscale/secrets/noise.key"
@@ -59,6 +57,10 @@ headscale:
 ## Use already defined certificates:
 tls_cert_path: "/etc/headscale/certs/tls.crt"
 tls_key_path: "/etc/headscale/certs/tls.key"
+ prefixes:
+ v6: fd7a:115c:a1e0::/48
+ v4: 100.64.0.0/10
+ allocation: sequential
 derp:
 server:
 enabled: true
@@ -66,6 +68,7 @@ headscale:
 region_code: "headscale"
 region_name: "Headscale Embedded DERP"
 stun_listen_addr: "0.0.0.0:3478"
+ private_key_path: "/etc/headscale/secrets/derp.key"
 urls: []
 # - https://controlplane.tailscale.com/derpmap/default
 paths: []
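Review bot: The trailing `[ $? -ne 0 ] && echo "Failed to update secret." && exit 1` in the new upload-key script only sees the exit status of the last `if` compound command, so a failed `kubectl patch` for wireguard.key or noise.key goes unnoticed and the job still prints "Signing key successfully created."; append `|| { echo "Failed to update secret."; exit 1; }` to each of the three `kubectl patch` lines (or start the script with `set -e`) and drop the trailing check. The three `echo $key | jq -e ...` tests should quote the variable as `echo "$key"` so the jsonpath output reaches jq unchanged. The script now also depends on `jq` being present in the unpinned `bitnami/kubectl` image, which resolves to whatever `latest` is at run time; pinning a tag or digest ties the job to a known image and makes the jq dependency reviewable. The filter `.["private_key"] | split(":")[1]` assumes `headscale generate private-key --output json` emits a `private_key` field of the form `prefix:hex`, which I cannot verify from the diff, so a one-line comment stating that expected shape above the first `kubectl patch` would help the next maintainer. The Job spec this hunk belongs to starts above it.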
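Review bot: The new `postgres:` block makes `user: foo` and `pass: bar` live default values where the old file only had them commented out, so a placeholder credential is now part of every rendered config even with `type: sqlite`; prefer empty defaults here (`user: ""`, `pass: ""`) with a comment pointing users at their own override or an existing Secret. Because Helm deep-merges user values, an existing override that still sets the removed `db_type`/`db_path` keys would, if the template dumps `.Values.headscale` wholesale, be rendered next to the new `database:` block rather than replaced; whether headscale 0.23 rejects or ignores the old keys I cannot tell from the diff, so the breaking-change note in the commit message could name these keys explicitly. The `prefixes:` and `derp.server.private_key_path` additions in the two following hunks are consistent with the key names the jobs template now stores.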