dirsigler · tancou · May 3, 2024 · May 3, 2024 · May 3, 2024 · May 3, 2024
@@ -11,4 +11,4 @@ name: uptime-kuma
 sources:
   - https://github.com/louislam/uptime-kuma
 type: application
-version: 2.19.2
+version: 2.20.0
@@ -1,6 +1,6 @@
 # uptime-kuma
 
-![Version: 2.19.2](https://img.shields.io/badge/Version-2.19.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.23.13](https://img.shields.io/badge/AppVersion-1.23.13-informational?style=flat-square)
+![Version: 2.20.0](https://img.shields.io/badge/Version-2.20.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.23.13](https://img.shields.io/badge/AppVersion-1.23.13-informational?style=flat-square)
 
 A self-hosted Monitoring tool like "Uptime-Robot".
 
@@ -85,6 +85,14 @@ A self-hosted Monitoring tool like "Uptime-Robot".
 | serviceMonitor.selector | object | `{}` | Prometheus ServiceMonitor selector, only select Prometheus's with these labels (if not set, select any Prometheus) |
 | serviceMonitor.tlsConfig | object | `{}` | TLS configuration to use when scraping, only applicable for scheme https. |
 | strategy.type | string | `"Recreate"` |  |
+| tailscale.auth | string | `""` | Tailscale API auth key. See [Tailscale auth-keys](https://tailscale.com/kb/1085/auth-keys) |
+| tailscale.debugFirewallMode | string | `"auto"` | See [Tailscale firewall-mode](https://tailscale.com/kb/1294/firewall-mode) |
+| tailscale.enabled | bool   | `false` |  |
+| tailscale.hostname | string | `"uptime-kuma"` | Tailscale device name |
+| tailscale.pullPolicy | string | `"Always"` |  |
+| tailscale.repository | string | `"ghcr.io/tailscale/tailscale"` |  |
+| tailscale.tag | string | `"latest"` |  |
+| tailscale.userspace | bool   | `false` | Set to `false` to run tailscale as root, this allows direct access to tailnet. See [Tailscale #userspace-sidecar](https://tailscale.com/kb/1185/kubernetes#userspace-sidecar) |
 | tolerations | list | `[]` |  |
 | useDeploy | bool | `true` |  |
 | volume.accessMode | string | `"ReadWriteOnce"` |  |

@@ -54,7 +54,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Create the name of the service account to use
 */}}
 {{- define "uptime-kuma.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
+{{- if or .Values.serviceAccount.create .Values.tailscale.enabled }}
 {{- default (include "uptime-kuma.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}

@@ -107,6 +107,36 @@ spec:
             {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+        {{- if .Values.tailscale.enabled }}
+        - name: ts-sidecar
+          imagePullPolicy: {{ .Values.tailscale.image.pullPolicy }}
+          image: "{{ .Values.tailscale.image.repository }}:{{ .Values.tailscale.image.tag }}"
+          securityContext:
+            {{- if .Values.tailscale.userspace }}
+            runAsUser: 1000
+            runAsGroup: 1000
+            {{- else }}
+            capabilities:
+              add:
+                - NET_ADMIN
+            {{- end }}
+          env:
+            - name: TS_HOSTNAME
+              value: {{ .Values.tailscale.hostname | quote}}
+            # Store the state in a k8s secret
+            - name: TS_KUBE_SECRET
+              value: "{{ include "uptime-kuma.fullname" . }}-tailscale-auth"
+            - name: TS_USERSPACE
+              value: {{ .Values.tailscale.userspace | quote }}
+            - name: TS_DEBUG_FIREWALL_MODE
+              value: {{ .Values.tailscale.debugFirewallMode | quote }}
+            - name: TS_AUTHKEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ include "uptime-kuma.fullname" . }}-tailscale-auth"
+                  key: TS_AUTHKEY
+                  optional: true
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

@@ -0,0 +1,32 @@
+{{- if .Values.tailscale.enabled -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "uptime-kuma.serviceAccountName" . }}
+  labels:
+    {{- include "uptime-kuma.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""] # "" indicates the core API group
+  resources: ["secrets"]
+  # Create can not be restricted to a resource name.
+  verbs: ["create"]
+- apiGroups: [""] # "" indicates the core API group
+  resourceNames: ["{{ include "uptime-kuma.fullname" . }}-tailscale-auth"]
+  resources: ["secrets"]
+  verbs: ["get", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "uptime-kuma.serviceAccountName" . }}
+  labels:
+    {{- include "uptime-kuma.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "uptime-kuma.serviceAccountName" . | quote }}
+roleRef:
+  kind: Role
+  name: {{ include "uptime-kuma.serviceAccountName" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
@@ -0,0 +1,10 @@
+{{- if .Values.tailscale.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "uptime-kuma.fullname" . }}-tailscale-auth
+  labels:
+    {{- include "uptime-kuma.labels" . | nindent 4 }}
+stringData:
+  TS_AUTHKEY: {{ .Values.tailscale.auth | quote }}
+{{- end -}}
@@ -1,4 +1,4 @@
-{{- if .Values.serviceAccount.create -}}
+{{- if or .Values.serviceAccount.create .Values.tailscale.enabled -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:

@@ -83,6 +83,36 @@ spec:
           {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+        {{- if .Values.tailscale.enabled }}
+        - name: ts-sidecar
+          imagePullPolicy: {{ .Values.tailscale.image.pullPolicy }}
+          image: "{{ .Values.tailscale.image.repository }}:{{ .Values.tailscale.image.tag }}"
+          securityContext:
+            {{- if .Values.tailscale.userspace }}
+            runAsUser: 1000
+            runAsGroup: 1000
+            {{- else }}
+            capabilities:
+              add:
+                - NET_ADMIN
+            {{- end }}
+          env:
+            - name: TS_HOSTNAME
+              value: {{ .Values.tailscale.hostname | quote}}
+            # Store the state in a k8s secret
+            - name: TS_KUBE_SECRET
+              value: "{{ include "uptime-kuma.fullname" . }}-tailscale-auth"
+            - name: TS_USERSPACE
+              value: {{ .Values.tailscale.userspace | quote }}
+            - name: TS_DEBUG_FIREWALL_MODE
+              value: {{ .Values.tailscale.debugFirewallMode | quote }}
+            - name: TS_AUTHKEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ include "uptime-kuma.fullname" . }}-tailscale-auth"
+                  key: TS_AUTHKEY
+                  optional: true
+          {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

@@ -33,6 +33,26 @@ podEnv:
   - name: "UPTIME_KUMA_PORT"
     value: "3001"
 
+tailscale:
+  enabled: false
+  image:
+    repository: ghcr.io/tailscale/tailscale
+    pullPolicy: Always
+    tag: "latest"
+  # -- userspace :
+  # When set to false, tailscale runs as root, it provides direct access to the tailnet, according to ACL
+  # When set to true, the network inside the pod is limited and user is not root
+  # In no root mode, you have to use an HTTP or SOCKS5 proxy in order to access the tailnet
+  # See https://tailscale.com/kb/1185/kubernetes#userspace-sidecar
+  userspace: false
+  # See https://tailscale.com/kb/1294/firewall-mode
+  debugFirewallMode: "auto"
+  # Tailscale API auth key
+  # See https://tailscale.com/kb/1085/auth-keys
+  auth: ""
+  # Tailscale device name
+  hostname: "uptime-kuma"
+
 podSecurityContext:
   {}
   # fsGroup: 2000