headscale/k8s/README.md
Casey Marshall c64d756ea7
Add k8s deployment, standalone app Dockerfile.
Tested with Rancher k3s. See k8s/README.md for site configuration and
deployment instructions.

Add cert-manager, tls, remote headscale script.
2021-06-18 12:45:21 -05:00

2.9 KiB

Deploying Headscale on Kubernetes

This directory contains Kustomize templates that deploy Headscale in various configurations.

These templates currently support Rancher k3s. Other clusters may require adaptation, especially around volume claims and ingress.

Commands below assume this directory is your current working directory.

Generate secrets and site configuration

Run ./init.bash to generate keys, passwords, and site configuration files.

Edit base/site/public.env, changing public-hostname to the public DNS name that will be used for your headscale deployment.

Set public-proto to "https" if you're planning to use TLS & Let's Encrypt.

Configure DERP servers by editing base/site/derp.yaml if needed.

Add the image to the registry

You'll somehow need to get headscale:latest into your cluster image registry.

An easy way to do this with k3s:

  • Reconfigure k3s to use docker instead of containerd (k3s server --docker)
  • docker build -t headscale:latest .. from here

Create the namespace

If it doesn't already exist, kubectl create ns headscale.

Deploy headscale

sqlite

kubectl -n headscale apply -k ./sqlite

postgres

kubectl -n headscale apply -k ./postgres

TLS & Let's Encrypt

Test a staging certificate with your configured DNS name and Let's Encrypt.

kubectl -n headscale apply -k ./staging-tls

Replace with a production certificate.

kubectl -n headscale apply -k ./production-tls

Static / custom TLS certificates

Only Let's Encrypt is supported. If you need other TLS settings, modify or patch the ingress.

Administration

Use the wrapper script to remotely operate headscale to perform administrative tasks like creating namespaces, authkeys, etc.

[c@nix-slate:~/Projects/headscale/k8s]$ ./headscale.bash 

headscale is an open source implementation of the Tailscale control server

Juan Font Alonso <juanfontalonso@gmail.com> - 2021
https://gitlab.com/juanfont/headscale

Usage:
  headscale [command]

Available Commands:
  help        Help about any command
  namespace   Manage the namespaces of Headscale
  node        Manage the nodes of Headscale
  preauthkey  Handle the preauthkeys in Headscale
  routes      Manage the routes of Headscale
  serve       Launches the headscale server
  version     Print the version.

Flags:
  -h, --help            help for headscale
  -o, --output string   Output format. Empty for human-readable, 'json' or 'json-line'

Use "headscale [command] --help" for more information about a command.

TODO / Ideas

  • Github action to publish the docker image
  • Interpolate email: option to the ClusterIssuer from site configuration. This probably needs to be done with a transformer, kustomize vars don't seem to work.
  • Add kustomize examples for cloud-native ingress, load balancer
  • CockroachDB for the backend
  • DERP server deployment
  • Tor hidden service