installer: combine private ingress and proxy into private-network
diff --git a/core/headscale/main.go b/core/headscale/main.go
index 1ca4f6b..942d71a 100644
--- a/core/headscale/main.go
+++ b/core/headscale/main.go
@@ -17,19 +17,26 @@
var acls = flag.String("acls", "", "Path to the headscale acls file")
var domain = flag.String("domain", "", "Environment domain")
-// TODO(gio): ingress-private user name must be configurable
+// TODO(gio): make internal network cidr and proxy user configurable
const defaultACLs = `
{
"autoApprovers": {
"routes": {
- "10.1.0.0/24": ["private-network-proxy@{{ .Domain }}"],
+ // "10.1.0.0/24": ["private-network-proxy@{{ .Domain }}"],
+ "10.1.0.0/24": ["*"],
},
},
"acls": [
- { // Everyone can access ingress-private service
+ { // Everyone has passthough access to private-network-proxy node
"action": "accept",
"src": ["*"],
- "dst": ["10.1.0.0/24:*"],
+ "dst": ["10.1.0.0/24:*", "private-network-proxy:0"],
+ },
+ ],
+ "tests": [
+ {
+ "src": "*",
+ "accept": ["10.1.0.1:80", "10.1.0.1:443"],
},
],
}
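Review bot: The autoApprovers entry for 10.1.0.0/24 is widened from a single user to `"*"`, so any node in the tailnet that advertises that route has it approved without an operator ever seeing a pending route; a misconfigured or compromised node could then attract traffic meant for the private network. If the user-scoped approver was dropped because the proxy node is not registered as private-network-proxy@{{ .Domain }}, scoping the approver to the user the node actually belongs to, or to a tag, is safer than `*`, e.g. `"10.1.0.0/24": ["private-network-proxy@{{ .Domain }}"]`. The commented-out previous entry is dead configuration and is better removed than kept next to the live one. The new "tests" block only asserts what is accepted on 10.1.0.1:80/443; a test that states what must be denied would document the intended boundary as well, if headscale's policy tests support that in this version. The defaultACLs literal continues past the end of the hunk.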
diff --git a/core/installer/app.go b/core/installer/app.go
index 4935169..f732e8e 100644
--- a/core/installer/app.go
+++ b/core/installer/app.go
@@ -103,7 +103,6 @@
CreateAppCoreAuth(valuesTmpls, tmpls),
CreateAppHeadscale(valuesTmpls, tmpls),
CreateAppHeadscaleUser(valuesTmpls, tmpls),
- CreateAppTailscaleProxy(valuesTmpls, tmpls),
CreateMetallbIPAddressPool(valuesTmpls, tmpls),
CreateEnvManager(valuesTmpls, tmpls),
CreateWelcome(valuesTmpls, tmpls),
@@ -142,18 +141,19 @@
// TODO(gio): service account needs permission to create/update secret
func CreateAppIngressPrivate(fs embed.FS, tmpls *template.Template) App {
- schema, err := fs.ReadFile("values-tmpl/ingress-private.jsonschema")
+ schema, err := fs.ReadFile("values-tmpl/private-network.jsonschema")
if err != nil {
panic(err)
}
return App{
- "ingress-private",
- []string{"ingress-private"},
+ "private-network",
+ []string{"ingress-private"}, // TODO(gio): rename to private network
[]*template.Template{
tmpls.Lookup("ingress-private.yaml"),
+ tmpls.Lookup("tailscale-proxy.yaml"),
},
string(schema),
- tmpls.Lookup("ingress-private.md"),
+ tmpls.Lookup("private-network.md"),
}
}
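Review bot: The app is now registered as `"private-network"` while its constructor is still `CreateAppIngressPrivate` and the namespace list is still `"ingress-private"`; the TODO covers the namespace but not the function name, so extend it to `// TODO(gio): rename to private network (namespace and CreateAppIngressPrivate)` or rename the function in the same change. The added `tmpls.Lookup("tailscale-proxy.yaml")` follows the existing pattern of not checking for a nil result, so a missing template surfaces only at render time; a nil check next to the schema read would fail at startup instead. Note also that the doc template is now private-network.md, a 100%-similar rename of ingress-private.md, while tailscale-proxy.md (the hostname and loginServer lines) is deleted, so that information is no longer surfaced for the combined app.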
@@ -400,22 +400,6 @@
}
}
-func CreateAppTailscaleProxy(fs embed.FS, tmpls *template.Template) App {
- schema, err := fs.ReadFile("values-tmpl/tailscale-proxy.jsonschema")
- if err != nil {
- panic(err)
- }
- return App{
- "tailscale-proxy",
- []string{"tailscale-proxy"},
- []*template.Template{
- tmpls.Lookup("tailscale-proxy.yaml"),
- },
- string(schema),
- tmpls.Lookup("tailscale-proxy.md"),
- }
-}
-
func CreateMetallbIPAddressPool(fs embed.FS, tmpls *template.Template) App {
schema, err := fs.ReadFile("values-tmpl/metallb-ipaddresspool.jsonschema")
if err != nil {
diff --git a/core/installer/values-tmpl/ingress-private.jsonschema b/core/installer/values-tmpl/ingress-private.jsonschema
deleted file mode 100644
index f42d895..0000000
--- a/core/installer/values-tmpl/ingress-private.jsonschema
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "type": "object",
- "properties": {
- },
- "additionalProperties": false
-}
diff --git a/core/installer/values-tmpl/private-network.jsonschema b/core/installer/values-tmpl/private-network.jsonschema
new file mode 100644
index 0000000..7f40a40
--- /dev/null
+++ b/core/installer/values-tmpl/private-network.jsonschema
@@ -0,0 +1,14 @@
+{
+ "type": "object",
+ "properties": {
+ "PrivateNetwork": {
+ "type": "object",
+ "properties": {
+ "Hostname": { "type": "string", "default": "10.1.0.1" },
+ "Username": { "type": "string", "default": "example" },
+ "IPSubnet": { "type": "string", "default": "10.1.0.1" }
+ }
+ }
+ },
+ "additionalProperties": false
+}
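Review bot: `IPSubnet` defaults to `"10.1.0.1"`, which is a host address rather than a subnet, even though env.go installs it as `"10.1.0.0/24"` and tailscale-proxy.yaml uses it as `ipSubnet`; the default should be a CIDR such as `"10.1.0.0/24"`. The nested `PrivateNetwork` object has no `required` list and no `additionalProperties: false`, so an omitted field or a misspelled key validates cleanly even though the template reads all three unconditionally; adding `"required": ["Hostname", "Username", "IPSubnet"]` and `"additionalProperties": false` inside `PrivateNetwork` would catch that at validation time rather than at render time. The same host-address default existed in the deleted tailscale-proxy.jsonschema, so this is carried over rather than introduced, but the new file is the place to fix it.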
diff --git a/core/installer/values-tmpl/ingress-private.md b/core/installer/values-tmpl/private-network.md
similarity index 100%
rename from core/installer/values-tmpl/ingress-private.md
rename to core/installer/values-tmpl/private-network.md
diff --git a/core/installer/values-tmpl/tailscale-proxy.jsonschema b/core/installer/values-tmpl/tailscale-proxy.jsonschema
deleted file mode 100644
index 11f57c6..0000000
--- a/core/installer/values-tmpl/tailscale-proxy.jsonschema
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "type": "object",
- "properties": {
- "Username": { "type": "string", "default": "example" },
- "IPSubnet": { "type": "string", "default": "10.1.0.1" },
- "HostnameSuffix": { "type": "string", "default": "10.1.0.1" }
- },
- "additionalProperties": false
-}
diff --git a/core/installer/values-tmpl/tailscale-proxy.md b/core/installer/values-tmpl/tailscale-proxy.md
deleted file mode 100644
index 14a1db6..0000000
--- a/core/installer/values-tmpl/tailscale-proxy.md
+++ /dev/null
@@ -1,2 +0,0 @@
-hostname: {{ .Global.PCloudEnvName }}-{{ .Global.Id }}-internal-proxy
-loginServer: headscale.{{ .Global.Domain }}
diff --git a/core/installer/values-tmpl/tailscale-proxy.yaml b/core/installer/values-tmpl/tailscale-proxy.yaml
index 904f850..047c196 100644
--- a/core/installer/values-tmpl/tailscale-proxy.yaml
+++ b/core/installer/values-tmpl/tailscale-proxy.yaml
@@ -16,9 +16,9 @@
namespace: {{ .Global.Id }}
interval: 1m0s
values:
- hostname: {{ .Values.Hostname}}
+ hostname: {{ .Values.PrivateNetwork.Hostname}}
apiServer: http://headscale-api.{{ .Global.Id }}-app-headscale.svc.cluster.local
loginServer: https://headscale.{{ .Global.Domain }} # TODO(gio): take headscale subdomain from configuration
- ipSubnet: {{ .Values.IPSubnet }}
- username: {{ .Values.Username }}
+ ipSubnet: {{ .Values.PrivateNetwork.IPSubnet }}
+ username: {{ .Values.PrivateNetwork.Username }} # TODO(gio): maybe install headscale-user chart separately?
preAuthKeySecret: headscale-preauth-key
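Review bot: `{{ .Values.PrivateNetwork.Hostname}}` on the hostname line lacks the space before the closing braces that the ipSubnet and username lines have; for consistency write `hostname: {{ .Values.PrivateNetwork.Hostname }}`. Because the schema added in this commit does not mark the PrivateNetwork fields as required, a values map that omits them is accepted by validation and then renders these lines empty or fails at template execution, which is harder to diagnose. The enclosing values block begins, and the document ends, outside the hunk.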
diff --git a/core/installer/welcome/env.go b/core/installer/welcome/env.go
index 3d3e332..bafa813 100644
--- a/core/installer/welcome/env.go
+++ b/core/installer/welcome/env.go
@@ -542,27 +542,19 @@
}
}
{
- app, err := appsRepo.Find("ingress-private")
- if err != nil {
- return err
- }
- if err := appManager.Install(*app, nsGen, emptySuffixGen, map[string]any{}); err != nil {
- return err
- }
- }
- {
- app, err := appsRepo.Find("tailscale-proxy")
+ app, err := appsRepo.Find("private-network")
if err != nil {
return err
}
if err := appManager.Install(*app, nsGen, emptySuffixGen, map[string]any{
- "Hostname": "private-network-proxy",
- "Username": "private-network-proxy",
- "IPSubnet": "10.1.0.0/24",
+ "PrivateNetwork": map[string]any{
+ "Hostname": "private-network-proxy",
+ "Username": "private-network-proxy",
+ "IPSubnet": "10.1.0.0/24",
+ },
}); err != nil {
return err
}
- // TODO(giolekva): headscale accept routes
}
{
app, err := appsRepo.Find("certificate-issuer-public")
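Review bot: The literals `"private-network-proxy"` and `"10.1.0.0/24"` passed in the PrivateNetwork map must match the hard-coded `private-network-proxy:0` dst and the `10.1.0.0/24` autoApprover and ACL entries in core/headscale/main.go's defaultACLs, yet nothing ties the two files together, so changing either one silently breaks the policy. Until both are configurable (each file carries a TODO for that), a comment on the map such as `// NOTE: hostname and subnet must match defaultACLs in core/headscale/main.go`, or package-level constants shared by both call sites, would make the coupling visible. The removed `// TODO(giolekva): headscale accept routes` is presumably replaced by the `*` autoApprover in that file; if so, a one-line comment here saying where route acceptance now happens would help the next reader. The enclosing function starts and ends outside the hunk.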