feat(container): add support for verify-clients

Docker/Dockerfile

@@ -4,6 +4,8 @@ ARG VERSION=${VERSION:-v1.68.0}
 # https://tailscale.com/kb/1118/custom-derp-servers/
 RUN go install tailscale.com/cmd/derper@${VERSION}
 RUN go install tailscale.com/cmd/derpprobe@${VERSION}
+RUN go install tailscale.com/cmd/tailscaled@${VERSION}
+RUN go install tailscale.com/cmd/tailscale@${VERSION}
 
 FROM ubuntu:noble
 WORKDIR /app
@@ -12,6 +14,8 @@ ARG DEBIAN_FRONTEND=noninteractive
 
 COPY --from=builder /go/bin/derper .
 COPY --from=builder /go/bin/derpprobe .
+COPY --from=builder /go/bin/tailscaled .
+COPY --from=builder /go/bin/tailscale .
 COPY Docker/entrypoint.sh /app/entrypoint.sh
 COPY Docker/healthprobe.sh /app/healthprobe.sh
 

Docker/entrypoint.sh

@@ -1,26 +1,54 @@
 #!/bin/bash
 
-# Initialize the command with the executable
-CMD="/app/derper"
+# Initialize the commands with the executables
+DERP_CMD="/app/derper"
+TSD_CMD="/app/tailscaled"
+TS_CMD="/app/tailscale up"
 
 # Generate derpmap
 jq -n --arg hostname "${DERP_HOSTNAME}" '{"Regions":{"900":{"RegionID":900,"Nodes":[{"Name":"900","HostName":$hostname}]}}}' > /app/derpmap.json
 
 # Loop through all environment variables
 for VAR in $(env); do
-  # Check if the variable starts with DERP_
-  if [[ $VAR == DERP_* ]]; then
-    # Extract the name and value
-    VAR_NAME=$(echo "$VAR" | cut -d= -f1)
-    VAR_VALUE=$(echo "$VAR" | cut -d= -f2-)
+  # Check if the variable starts with DERP_, TSD_, or TS_
+  case "$VAR" in
+    DERP_*|TSD_*|TS_*)
+      # Extract the name and value
+      VAR_NAME=$(echo "$VAR" | cut -d= -f1)
+      VAR_VALUE=$(echo "$VAR" | cut -d= -f2-)
+
+      # Convert the variable name to an argument name
+      # Remove the prefix, replace underscores with dashes, and convert to lowercase
+      ARG_NAME=$(echo "$VAR_NAME" | sed -E 's/^(DERP_|TSD_|TS_)//; s/_/-/g; y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/')
+
+      # Append the argument to command based on argument name
+      case "$VAR_NAME" in
+        DERP_*)
+          DERP_CMD="$DERP_CMD --$ARG_NAME=$VAR_VALUE"
+          echo "Adding $ARG_NAME=$VAR_VALUE to DERP_CMD"
+          ;;
+        TSD_*)
+          TSD_CMD="$TSD_CMD --$ARG_NAME=$VAR_VALUE"
+          echo "Adding $ARG_NAME=$VAR_VALUE to TSD_CMD"
+          ;;
+        TS_*)
+          TS_CMD="$TS_CMD --$ARG_NAME=$VAR_VALUE"
+          # We don't want to log the auth key
+          echo "Adding $ARG_NAME to TS_CMD"
+          ;;
+      esac
+      ;;
+  esac
 
-    # Convert the variable name to lowercase and replace underscores with hyphens
-    ARG_NAME=$(echo "$VAR_NAME" | sed 's/^DERP_//' | tr '[:upper:]' '[:lower:]' | tr '_' '-')
-
-    # Append the argument to the command
-    CMD="$CMD --$ARG_NAME=$VAR_VALUE"
-  fi
 done
 
-# Execute the command
-exec $CMD
+# Start tailscaled and call tailscale up if we need to verify clients
+if [[ $DERP_VERIFY_CLIENTS == "true" ]]; then
+  # Start and background tailscaled
+  setsid $TSD_CMD > /dev/stdout 2> /dev/stderr &
+  # Start and background tailscale up
+  setsid $TS_CMD > /dev/stdout 2> /dev/stderr &
+fi
+
+# Execute the derper
+exec $DERP_CMD

Docker/healthprobe.sh

@@ -9,7 +9,20 @@ if [[ "$response" -lt "200" ]] || [[ "$response" -ge "400" ]]; then
     exit 1
 fi
 
-/app/derpprobe --derp-map file:///app/derpmap.json  --once
+
+if [[ $DERP_VERIFY_CLIENTS == "true" ]];
+  then
+    DERP_MAP="local"
+    if ! /app/tailscale status --peers=false --json | grep -q 'Online.*true'
+      then
+        echo "Tailscale is not online and DERP_VERIFY_CLIENTS is true"
+        exit 1
+      fi; 
+  else
+    DERP_MAP="file:///app/derpmap.json"
+fi
+
+/app/derpprobe --derp-map $DERP_MAP --once
 
 if [ $? -ne 0 ]; then
   echo "Error: derpprobe failed"

chart/tailscale-derp/values.yaml

@@ -41,6 +41,7 @@ env:
         resource: limits.memory
   - name: DERP_HOSTNAME
     value: '{{ include "tailscale-derp.hostname" . }}'
+  # // Pass extra arguments to derper
   # - name: DERP_CERTMODE
   #   value: "manual"
   # - name: DERP_CERTDIR
@@ -53,9 +54,16 @@ env:
   #   value: "80"
   # - name: DERP_STUN
   #   value: "true"
-  # - name: DERP_DERP
+  # - name: DERP_VERIFY_CLIENTS
   #   value: "true"
-
+  # // Pass arguments to tailscaled when using verify-clients
+  # - name: TSD_TUN
+  #   value: "userspace-networking" # unprivileged
+  # - name: TSD_STATE
+  #   value: "mem:" # ephemeral
+  # // Pass arguments to tailscale up when using verify-clients
+  # - name: TS_AUTH_KEY
+  #   value: "" # register with auth key
 
 podSecurityContext: {}
   # fsGroup: 2000