From b094cc1da3706047c4f6bb7e7ef0caa077a12dd3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tancr=C3=A8de=20SUARD?=
Date: Fri, 3 May 2024 19:27:59 +0200
Subject: [PATCH 1/5] Add tailscale sidecar support
---
 charts/uptime-kuma/templates/_helpers.tpl | 2 +-
 charts/uptime-kuma/templates/deployment.yaml | 30 +++++++++++++++++
 .../uptime-kuma/templates/rbac-tailscale.yaml | 32 +++++++++++++++++++
 .../templates/secret-tailscale.yaml | 10 ++++++
 .../uptime-kuma/templates/serviceaccount.yaml | 2 +-
 charts/uptime-kuma/values.yaml | 20 ++++++++++++
 6 files changed, 94 insertions(+), 2 deletions(-)
 create mode 100644 charts/uptime-kuma/templates/rbac-tailscale.yaml
 create mode 100644 charts/uptime-kuma/templates/secret-tailscale.yaml
diff --git a/charts/uptime-kuma/templates/_helpers.tpl b/charts/uptime-kuma/templates/_helpers.tpl
index c37be21..47b2166 100644
--- a/charts/uptime-kuma/templates/_helpers.tpl
+++ b/charts/uptime-kuma/templates/_helpers.tpl
@@ -54,7 +54,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Create the name of the service account to use
 */}}
 {{- define "uptime-kuma.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
+{{- if or .Values.serviceAccount.create .Values.tailscale.enabled }}
 {{- default (include "uptime-kuma.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
diff --git a/charts/uptime-kuma/templates/deployment.yaml b/charts/uptime-kuma/templates/deployment.yaml
index 3157101..560f082 100644
--- a/charts/uptime-kuma/templates/deployment.yaml
+++ b/charts/uptime-kuma/templates/deployment.yaml
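Review bot: The `or … .Values.tailscale.enabled` condition on the changed line makes the chart render and use a ServiceAccount even when `serviceAccount.create` is false, silently overriding the operator's choice; the `@@ -1,4 +1,4 @@` hunk in serviceaccount.yaml later in this patch has the same condition. When `serviceAccount.name` points at an account that already exists outside the chart, the install or upgrade will most likely fail with an already-exists error instead of binding to it. Failing early is clearer than overriding: `{{- if and .Values.tailscale.enabled (not .Values.serviceAccount.create) }}{{- fail "tailscale.enabled requires serviceAccount.create=true" }}{{- end }}`, or at minimum a comment above the changed line such as `{{/* the tailscale sidecar needs a bound ServiceAccount for its state Secret, so one is always rendered when the sidecar is enabled */}}`. The `define` block continues past the hunk.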
@@ -107,6 +107,36 @@ spec:
 {{- end }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
+ {{- if .Values.tailscale.enabled }}
+ - name: ts-sidecar
+ imagePullPolicy: {{ .Values.tailscale.image.pullPolicy }}
+ image: "{{ .Values.tailscale.image.repository }}:{{ .Values.tailscale.image.tag }}"
+ securityContext:
+ {{- if .Values.tailscale.userspace }}
+ runAsUser: 1000
+ runAsGroup: 1000
+ {{- else }}
+ capabilities:
+ add:
+ - NET_ADMIN
+ {{- end }}
+ env:
+ - name: TS_HOSTNAME
+ value: {{ .Values.tailscale.hostname | quote}}
+ # Store the state in a k8s secret
+ - name: TS_KUBE_SECRET
+ value: "{{ include "uptime-kuma.fullname" . }}-tailscale-auth"
+ - name: TS_USERSPACE
+ value: {{ .Values.tailscale.userspace | quote }}
+ - name: TS_DEBUG_FIREWALL_MODE
+ value: {{ .Values.tailscale.debugFirewallMode | quote }}
+ - name: TS_AUTHKEY
+ valueFrom:
+ secretKeyRef:
+ name: "{{ include "uptime-kuma.fullname" . }}-tailscale-auth"
+ key: TS_AUTHKEY
+ optional: true
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/uptime-kuma/templates/rbac-tailscale.yaml b/charts/uptime-kuma/templates/rbac-tailscale.yaml
new file mode 100644
index 0000000..e5c6aa2
--- /dev/null
+++ b/charts/uptime-kuma/templates/rbac-tailscale.yaml
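Review bot: The sidecar's `securityContext` leaves privilege escalation open in both branches, and the userspace branch sets a numeric UID without `runAsNonRoot: true`, which is what the restricted Pod Security Standard and most admission policies actually check; adding `allowPrivilegeEscalation: false` above the `{{- if .Values.tailscale.userspace }}` line and `runAsNonRoot: true` next to `runAsUser: 1000` tightens this without changing what tailscale needs (whether `drop: ["ALL"]` can sit beside `add: [NET_ADMIN]` in the non-userspace branch should be confirmed against tailscale's own sidecar guidance before adding it). Separately, the container has no `resources` block, so it carries none of the chart's limits and pods are rejected in namespaces with a ResourceQuota that requires requests/limits; a `tailscale.resources` value rendered with `{{- with .Values.tailscale.resources }}` / `resources:` / `{{- toYaml . | nindent 12 }}` would cover it. The same container block is copied verbatim into statefulset.yaml in patch 3/5 (hunk `@@ -83,6 +83,36 @@`), so both need the same fix; a named template in _helpers.tpl would keep them from drifting apart.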
@@ -0,0 +1,32 @@
+{{- if .Values.tailscale.enabled -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "uptime-kuma.serviceAccountName" . }}
+ labels:
+ {{- include "uptime-kuma.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""] # "" indicates the core API group
+ resources: ["secrets"]
+ # Create can not be restricted to a resource name.
+ verbs: ["create"]
+- apiGroups: [""] # "" indicates the core API group
+ resourceNames: ["{{ include "uptime-kuma.fullname" . }}-tailscale-auth"]
+ resources: ["secrets"]
+ verbs: ["get", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "uptime-kuma.serviceAccountName" . }}
+ labels:
+ {{- include "uptime-kuma.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "uptime-kuma.serviceAccountName" . | quote }}
+roleRef:
+ kind: Role
+ name: {{ include "uptime-kuma.serviceAccountName" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/uptime-kuma/templates/secret-tailscale.yaml b/charts/uptime-kuma/templates/secret-tailscale.yaml
new file mode 100644
index 0000000..965fda7
--- /dev/null
+++ b/charts/uptime-kuma/templates/secret-tailscale.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.tailscale.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "uptime-kuma.fullname" . }}-tailscale-auth
+ labels:
+ {{- include "uptime-kuma.labels" . | nindent 4 }}
+stringData:
+ TS_AUTHKEY: {{ .Values.tailscale.auth | quote }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/uptime-kuma/templates/serviceaccount.yaml b/charts/uptime-kuma/templates/serviceaccount.yaml
index 77a13d3..934cf7c 100644
--- a/charts/uptime-kuma/templates/serviceaccount.yaml
+++ b/charts/uptime-kuma/templates/serviceaccount.yaml
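Review bot: The first rule grants `create` on every Secret in the namespace, but the chart already renders the `-tailscale-auth` Secret under the same `tailscale.enabled` condition (secret-tailscale.yaml in this patch), so the sidecar never has to create its state object itself; dropping that whole rule leaves only the name-scoped `get`/`update`/`patch` rule, which is the least privilege the state store needs and removes the namespace-wide write the comment apologises for. If there is a scenario where the Secret is absent at sidecar start (for example a user-managed Secret), say so in a comment above `verbs: ["create"]` rather than keeping the grant silently. The RoleBinding subject omits `namespace`; for a RoleBinding this defaults to the binding's own namespace, but `namespace: {{ .Release.Namespace }}` under `name:` makes the intent explicit for anyone auditing the binding.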
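Review bot: This Secret takes the auth key straight from `.Values.tailscale.auth`, so the key ends up in Helm's release-history Secrets and in whatever values file the operator keeps, and the same object is what deployment.yaml hands the sidecar as its state store via `TS_KUBE_SECRET` — every `helm upgrade` re-applies `stringData.TS_AUTHKEY` to it and, as far as the hunk shows, `helm uninstall` deletes the node state along with it. A `tailscale.existingSecret` value that skips rendering this file and points the `secretKeyRef` at an operator-managed Secret avoids both problems; until then, a comment above `stringData:` such as `# Also used by the sidecar as its state store (TS_KUBE_SECRET); it is rewritten on every helm upgrade` would warn the next maintainer. The file also ends without a trailing newline (`\ No newline at end of file`).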
@@ -1,4 +1,4 @@
-{{- if .Values.serviceAccount.create -}}
+{{- if or .Values.serviceAccount.create .Values.tailscale.enabled -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
diff --git a/charts/uptime-kuma/values.yaml b/charts/uptime-kuma/values.yaml
index 0c5c830..93077c6 100644
--- a/charts/uptime-kuma/values.yaml
+++ b/charts/uptime-kuma/values.yaml
@@ -33,6 +33,26 @@ podEnv:
 - name: "UPTIME_KUMA_PORT"
 value: "3001"
+tailscale:
+ enabled: false
+ image:
+ repository: ghcr.io/tailscale/tailscale
+ pullPolicy: Always
+ tag: "latest"
+ # -- userspace :
+ # When set to false, tailscale runs as root, it provides direct access to the tailnet, according to ACL
+ # When set to true, the network inside the pod is limited and user is not root
+ # In no root mode, you have to use an HTTP or SOCKS5 proxy in order to access the tailnet
+ # See https://tailscale.com/kb/1185/kubernetes#userspace-sidecar
+ userspace: false
+ # See https://tailscale.com/kb/1294/firewall-mode
+ debugFirewallMode: "auto"
+ # Tailscale API auth key
+ # See https://tailscale.com/kb/1085/auth-keys
+ auth: ""
+ # Tailscale device name
+ hostname: "uptime-kuma"
+
 podSecurityContext: {}
 # fsGroup: 2000
From 333f4ba11efeb79603a676e5fc4cb5378dad3964 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tancr=C3=A8de=20SUARD?=
Date: Fri, 3 May 2024 19:42:37 +0200
Subject: [PATCH 2/5] Update readme
---
 charts/uptime-kuma/README.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/charts/uptime-kuma/README.md b/charts/uptime-kuma/README.md
index a7fd437..de471c4 100644
--- a/charts/uptime-kuma/README.md
+++ b/charts/uptime-kuma/README.md
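Review bot: `tag: "latest"` combined with `pullPolicy: Always` means the sidecar — which in the default `userspace: false` mode runs as root with `NET_ADMIN` inside the pod's network namespace, as the comment above `userspace` itself says — is re-resolved to whatever the registry serves on every pod restart, so a registry-side change rolls into the cluster unreviewed and a running version cannot be reproduced later. Pin the default to a released version (or a digest) and let operators override it, e.g. `tag: "<pinned tailscale version>"`. The README table added in patch 2/5 documents these keys as `tailscale.repository`, `tailscale.tag` and `tailscale.pullPolicy`, while the templates read `.Values.tailscale.image.*`, and only `userspace` carries a helm-docs `# --` marker; adding `# --` comments to each key here and regenerating the README would fix the mismatch at its source. The `# -- userspace :` comment also reads awkwardly; `# -- Run tailscaled in userspace mode (non-root, tailnet reachable only through the HTTP/SOCKS5 proxy)` describes the toggle.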
@@ -91,6 +91,14 @@ A self-hosted Monitoring tool like "Uptime-Robot".
 | volume.enabled | bool | `true` | |
 | volume.existingClaim | string | `""` | |
 | volume.size | string | `"4Gi"` | |
+| tailscale.enabled | bool | `false` | |
+| tailscale.repository | string | `"ghcr.io/tailscale/tailscale"` | |
+| tailscale.tag | string | `"latest"` | |
+| tailscale.pullPolicy | string | `"Always"` | |
+| tailscale.userspace | bool | `false` | Set to `false` to run tailscale as root, this allows direct access to tailnet. See [Tailscale #userspace-sidecar](https://tailscale.com/kb/1185/kubernetes#userspace-sidecar) |
+| tailscale.debugFirewallMode | string | `"auto"` | See [Tailscale firewall-mode](https://tailscale.com/kb/1294/firewall-mode) |
+| tailscale.auth | string | `""` | Tailscale API auth key. See [Tailscale auth-keys](https://tailscale.com/kb/1085/auth-keys) |
+| tailscale.hostname | string | `"uptime-kuma"` | Tailscale device name |
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
From bfd17805564a0f08ca1f7478ed66e489a69a9daa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tancr=C3=A8de=20SUARD?=
Date: Fri, 3 May 2024 19:45:21 +0200
Subject: [PATCH 3/5] Add tailscale sidecar to statefulset
---
 charts/uptime-kuma/templates/statefulset.yaml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/charts/uptime-kuma/templates/statefulset.yaml b/charts/uptime-kuma/templates/statefulset.yaml
index a30e644..a1fbb1c 100644
--- a/charts/uptime-kuma/templates/statefulset.yaml
+++ b/charts/uptime-kuma/templates/statefulset.yaml
@@ -83,6 +83,36 @@ spec:
 {{- end }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
+ {{- if .Values.tailscale.enabled }}
+ - name: ts-sidecar
+ imagePullPolicy: {{ .Values.tailscale.image.pullPolicy }}
+ image: "{{ .Values.tailscale.image.repository }}:{{ .Values.tailscale.image.tag }}"
+ securityContext:
+ {{- if .Values.tailscale.userspace }}
+ runAsUser: 1000
+ runAsGroup: 1000
+ {{- else }}
+ capabilities:
+ add:
+ - NET_ADMIN
+ {{- end }}
+ env:
+ - name: TS_HOSTNAME
+ value: {{ .Values.tailscale.hostname | quote}}
+ # Store the state in a k8s secret
+ - name: TS_KUBE_SECRET
+ value: "{{ include "uptime-kuma.fullname" . }}-tailscale-auth"
+ - name: TS_USERSPACE
+ value: {{ .Values.tailscale.userspace | quote }}
+ - name: TS_DEBUG_FIREWALL_MODE
+ value: {{ .Values.tailscale.debugFirewallMode | quote }}
+ - name: TS_AUTHKEY
+ valueFrom:
+ secretKeyRef:
+ name: "{{ include "uptime-kuma.fullname" . }}-tailscale-auth"
+ key: TS_AUTHKEY
+ optional: true
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
From 61ed2af7422821d2fdb5a960ce81073699e800f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tancr=C3=A8de=20SUARD?=
Date: Fri, 3 May 2024 20:33:46 +0200
Subject: [PATCH 4/5] Sort Readme values documentation
---
 charts/uptime-kuma/README.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/charts/uptime-kuma/README.md b/charts/uptime-kuma/README.md
index de471c4..1b5d63e 100644
--- a/charts/uptime-kuma/README.md
+++ b/charts/uptime-kuma/README.md
@@ -85,20 +85,20 @@ A self-hosted Monitoring tool like "Uptime-Robot".
 | serviceMonitor.selector | object | `{}` | Prometheus ServiceMonitor selector, only select Prometheus's with these labels (if not set, select any Prometheus) |
 | serviceMonitor.tlsConfig | object | `{}` | TLS configuration to use when scraping, only applicable for scheme https. |
 | strategy.type | string | `"Recreate"` | |
+| tailscale.auth | string | `""` | Tailscale API auth key. See [Tailscale auth-keys](https://tailscale.com/kb/1085/auth-keys) |
+| tailscale.debugFirewallMode | string | `"auto"` | See [Tailscale firewall-mode](https://tailscale.com/kb/1294/firewall-mode) |
+| tailscale.enabled | bool | `false` | |
+| tailscale.hostname | string | `"uptime-kuma"` | Tailscale device name |
+| tailscale.pullPolicy | string | `"Always"` | |
+| tailscale.repository | string | `"ghcr.io/tailscale/tailscale"` | |
+| tailscale.tag | string | `"latest"` | |
+| tailscale.userspace | bool | `false` | Set to `false` to run tailscale as root, this allows direct access to tailnet. See [Tailscale #userspace-sidecar](https://tailscale.com/kb/1185/kubernetes#userspace-sidecar) |
 | tolerations | list | `[]` | |
 | useDeploy | bool | `true` | |
 | volume.accessMode | string | `"ReadWriteOnce"` | |
 | volume.enabled | bool | `true` | |
 | volume.existingClaim | string | `""` | |
 | volume.size | string | `"4Gi"` | |
-| tailscale.enabled | bool | `false` | |
-| tailscale.repository | string | `"ghcr.io/tailscale/tailscale"` | |
-| tailscale.tag | string | `"latest"` | |
-| tailscale.pullPolicy | string | `"Always"` | |
-| tailscale.userspace | bool | `false` | Set to `false` to run tailscale as root, this allows direct access to tailnet. 
See [Tailscale #userspace-sidecar](https://tailscale.com/kb/1185/kubernetes#userspace-sidecar) |
-| tailscale.debugFirewallMode | string | `"auto"` | See [Tailscale firewall-mode](https://tailscale.com/kb/1294/firewall-mode) |
-| tailscale.auth | string | `""` | Tailscale API auth key. See [Tailscale auth-keys](https://tailscale.com/kb/1085/auth-keys) |
-| tailscale.hostname | string | `"uptime-kuma"` | Tailscale device name |
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
From 088990febc83e848bfd6d7741e6910cef048ba59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tancr=C3=A8de=20SUARD?=
Date: Tue, 30 Jul 2024 16:54:06 +0200
Subject: [PATCH 5/5] Rebase and bump version
---
 charts/uptime-kuma/Chart.yaml | 2 +-
 charts/uptime-kuma/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/uptime-kuma/Chart.yaml b/charts/uptime-kuma/Chart.yaml
index ad5ddf2..4b5c3bf 100644
--- a/charts/uptime-kuma/Chart.yaml
+++ b/charts/uptime-kuma/Chart.yaml
@@ -11,4 +11,4 @@ name: uptime-kuma
 sources:
 - https://github.com/louislam/uptime-kuma
 type: application
-version: 2.19.2
+version: 2.20.0
diff --git a/charts/uptime-kuma/README.md b/charts/uptime-kuma/README.md
index 1b5d63e..14a1c72 100644
--- a/charts/uptime-kuma/README.md
+++ b/charts/uptime-kuma/README.md
@@ -1,6 +1,6 @@
 # uptime-kuma
-![Version: 2.19.2](https://img.shields.io/badge/Version-2.19.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.23.13](https://img.shields.io/badge/AppVersion-1.23.13-informational?style=flat-square)
+![Version: 2.20.0](https://img.shields.io/badge/Version-2.20.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.23.13](https://img.shields.io/badge/AppVersion-1.23.13-informational?style=flat-square)
 A self-hosted Monitoring tool like "Uptime-Robot".