feat(derp): optimize the derp chart template

charts/tailscale-derp/Chart.yaml

@@ -9,5 +9,5 @@ maintainers:
     email: admin@dev.cm
     url: https://github.com/devcm-repo
 icon: https://tailscale.com/files/apple-touch-icon.png
-version: 0.0.2
+version: 0.0.3
 appVersion: 1.68.0

charts/tailscale-derp/README.md

@@ -28,9 +28,14 @@ nodeSelector:
 | `image.pullPolicy` | Kubernetes pullPolicy to use for starting the container image. | `IfNotPresent` |
 | `service.type` | Kubernetes Service type. | `LoadBalancer` |
 | `service.annotations` | A map/dict of Kubernetes Service annotations. | `{}` |
+| `hostNetwork` | This service will be disabled when hostNetwork is enableds. | `false` |
 | `nodeSelector` | A map/dict of Kubernetes Pod nodeSelector node labels. | `{}` |
+| `extraVolumes` | Extra volumes to add to the deployment. | `[]` |
+| `extraVolumeMounts` | Extra volume mounts to add to the container. Normally used with `extraVolumes`. | `[]` |
 | `affinity` | A map/dict of Kubernetes Pod affinity rules. | `{}` |
-| `tailscale.hostname` | Tailscale hostname | `Release.Name` |
-| `tailscale.auth_key` | Tailscale auth_key | `''` |
-| `drep.hostname` | Derp server hostname | `'derp.examples.com'` |
-| `drep.verify_clients` | Derp server will enable authentication | `true` |
+| `derp.hostname` | Derp server hostname. | `'derp.examples.com'` |
+| `derp.verify_clients` | Derp server will enable authentication. | `true` |
+| `derp.certdir` | Start a derper with your own certificate. | `` |
+| `derp.http_port` | The port on which to serve HTTP. Set to -1 to disable. | `80` |
+| `derp.https_port` | The port on which to serve HTTPS. | `443` |
+| `derp.stun_port` | The UDP port on which to serve STUN. | `3478` |

charts/tailscale-derp/templates/deployment.yml

@@ -21,20 +21,54 @@ spec:
       affinity: {{- toYaml .Values.affinity | nindent 8 }}
       {{- end }}
       containers:
-        name: "{{ .Release.Name }}-{{ .Chart.Name }}"
+        - name: "{{ .Release.Name }}-{{ .Chart.Name }}"
           image: "{{ .Values.image.name }}:v{{ .Chart.AppVersion }}"
           ports:
-            - containerPort: 80
-            - containerPort: 443
-            - containerPort: 3478
-          env:
-            - name: TAILSCALE_HOSTNAME
-              value: "{{ or .Values.tailscale.hostname .Release.Name }}"
-            - name: TAILSCALE_AUTH_KEY
-              value: "{{ .Values.tailscale.auth_key }}"
-            - name: TAILSCALE_DERP_HOSTNAME
-              value: "{{ .Values.drep.hostname }}"
-            - name: TAILSCALE_DERP_ADDR
-              value: "{{ .Values.drep.addr }}"
-            - name: TAILSCALE_DERP_VERIFY_CLIENTS
-              value: "{{ .Values.drep.verify_clients }}"
+            {{- if gt (int .Values.derp.http_port) -1 }}
+            - name: http
+              hostPort: {{ .Values.derp.http_port }}
+              containerPort: {{ .Values.derp.http_port }}
+              protocol: TCP
+            {{- end }}
+            - name: https
+              hostPort: {{ .Values.derp.https_port }}
+              containerPort: {{ .Values.derp.https_port }}
+              protocol: TCP
+            - name: stun
+              hostPort: {{ .Values.derp.stun_port }}
+              containerPort: {{ .Values.derp.stun_port }}
+              protocol: UDP
+          args:
+            - "--hostname={{ .Values.derp.hostname }}"
+            - "--verify-clients={{ .Values.derp.verify_clients }}"
+            {{- if .Values.derp.certdir }}
+            - "--certmode=manual"
+            - "--certdir={{ .Values.derp.certdir }}"
+            {{- end }}
+            {{- if .Values.derp.http_port }}
+            - "--http-port={{ .Values.derp.http_port }}"
+            {{- end }}
+            {{- if .Values.derp.https_port }}
+            - "--a=:{{ .Values.derp.https_port }}"
+            {{- end }}
+            {{- if .Values.derp.stun_port }}
+            - "--stun-port={{ .Values.derp.stun_port }}"
+            {{- end }}
+          volumeMounts:
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- if .Values.derp.verify_clients }}
+            - mountPath: /var/run/tailscale/tailscaled.sock
+              name: tailscale-socket
+            {{- end }}
+      {{- if .Values.hostNetwork }}
+      hostNetwork: true
+      {{- end }}
+      volumes:
+        {{- toYaml .Values.extraVolumes | nindent 8 }}
+        {{- if .Values.derp.verify_clients }}
+        - hostPath:
+            path: /run/tailscale/tailscaled.sock
+            type: Socket
+          name: tailscale-socket
+        {{- end }}
+

charts/tailscale-derp/templates/service.yml

@@ -1,3 +1,4 @@
+{{- if not .Values.hostNetwork }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -10,12 +11,16 @@ spec:
   selector:
     app: "{{ .Release.Name }}-{{ .Chart.Name }}"
   ports:
+    {{- if gt (int .Values.derp.http_port) -1 }}
     - name: http
-      port: 80
-      targetPort: 80
+      port: {{ .Values.derp.http_port }}
+      targetPort: {{ .Values.derp.http_port }}
+    {{- end }}
     - name: https
-      port: 443
-      targetPort: 443
+      port: {{ .Values.derp.https_port }}
+      targetPort: {{ .Values.derp.https_port }}
     - name: stun
-      port: 3478
-      targetPort: 3478
+      port: {{ .Values.derp.stun_port }}
+      targetPort: {{ .Values.derp.stun_port }}
+      protocol: UDP
+{{- end }}

charts/tailscale-derp/values.yaml

@@ -6,15 +6,15 @@ service:
   type: ClusterIP
   annotations: {}
 
+hostNetwork: false
+
 nodeSelector: {}
 
 affinity: {}
 
-tailscale:
-# hostname: ''
-  auth_key: ''
-
-drep:
+derp:
   hostname: derp.examples.com
-# addr: ''
-  verify_clients: true
+  verify_clients: false
+  http_port: 80
+  https_port: 443
+  stun_port: 3478