feat(container): add support for verify-clients #71

Open: wants to merge 1 commit into base: main
4 changes: 4 additions & 0 deletions Docker/Dockerfile
Expand Up @@ -4,6 +4,8 @@ ARG VERSION=${VERSION:-v1.68.0}
# https://tailscale.com/kb/1118/custom-derp-servers/
RUN go install tailscale.com/cmd/derper@${VERSION}
RUN go install tailscale.com/cmd/derpprobe@${VERSION}
RUN go install tailscale.com/cmd/tailscaled@${VERSION}
RUN go install tailscale.com/cmd/tailscale@${VERSION}

FROM ubuntu:noble
WORKDIR /app
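Review bot: The two new `go install` lines pin tailscaled and tailscale to the same ${VERSION} as derper and derpprobe, which keeps the client and the DERP server in lockstep; the PR description should state that the image now always ships a full Tailscale client, including for deployments that never set DERP_VERIFY_CLIENTS, since that widens what is inside the container. If the extra binaries are only wanted for verify-clients, a build ARG gating these two lines would leave the default image unchanged.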
Expand All @@ -12,6 +14,8 @@ ARG DEBIAN_FRONTEND=noninteractive

COPY --from=builder /go/bin/derper .
COPY --from=builder /go/bin/derpprobe .
COPY --from=builder /go/bin/tailscaled .
COPY --from=builder /go/bin/tailscale .
COPY Docker/entrypoint.sh /app/entrypoint.sh
COPY Docker/healthprobe.sh /app/healthprobe.sh

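Review bot: The COPY lines put tailscaled and tailscale in /app next to derper, which matches the hard-coded /app/tailscaled and /app/tailscale paths in entrypoint.sh and healthprobe.sh, so the three files stay consistent; a one-line comment here (as on the go install lines) saying these binaries exist only to back --verify-clients would help the next reader, and the README or chart docs should mention that the image grows accordingly.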
58 changes: 43 additions & 15 deletions Docker/entrypoint.sh
@@ -1,26 +1,54 @@
#!/bin/bash

# Initialize the command with the executable
CMD="/app/derper"
# Initialize the commands with the executables
DERP_CMD="/app/derper"
TSD_CMD="/app/tailscaled"
TS_CMD="/app/tailscale up"

# Generate derpmap
jq -n --arg hostname "${DERP_HOSTNAME}" '{"Regions":{"900":{"RegionID":900,"Nodes":[{"Name":"900","HostName":$hostname}]}}}' > /app/derpmap.json

# Loop through all environment variables
for VAR in $(env); do
# Check if the variable starts with DERP_
if [[ $VAR == DERP_* ]]; then
# Extract the name and value
VAR_NAME=$(echo "$VAR" | cut -d= -f1)
VAR_VALUE=$(echo "$VAR" | cut -d= -f2-)
# Check if the variable starts with DERP_, TSD_, or TS_
case "$VAR" in
DERP_*|TSD_*|TS_*)
# Extract the name and value
VAR_NAME=$(echo "$VAR" | cut -d= -f1)
VAR_VALUE=$(echo "$VAR" | cut -d= -f2-)

# Convert the variable name to an argument name
# Remove the prefix, replace underscores with dashes, and convert to lowercase
ARG_NAME=$(echo "$VAR_NAME" | sed -E 's/^(DERP_|TSD_|TS_)//; s/_/-/g; y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/')

# Append the argument to command based on argument name
case "$VAR_NAME" in
DERP_*)
DERP_CMD="$DERP_CMD --$ARG_NAME=$VAR_VALUE"
echo "Adding $ARG_NAME=$VAR_VALUE to DERP_CMD"
;;
TSD_*)
TSD_CMD="$TSD_CMD --$ARG_NAME=$VAR_VALUE"
echo "Adding $ARG_NAME=$VAR_VALUE to TSD_CMD"
;;
TS_*)
TS_CMD="$TS_CMD --$ARG_NAME=$VAR_VALUE"
# We don't want to log the auth key
echo "Adding $ARG_NAME to TS_CMD"
;;
esac
;;
esac

# Convert the variable name to lowercase and replace underscores with hyphens
ARG_NAME=$(echo "$VAR_NAME" | sed 's/^DERP_//' | tr '[:upper:]' '[:lower:]' | tr '_' '-')

# Append the argument to the command
CMD="$CMD --$ARG_NAME=$VAR_VALUE"
fi
done

# Execute the command
exec $CMD
# Start tailscaled and call tailscale up if we need to verify clients
if [[ $DERP_VERIFY_CLIENTS == "true" ]]; then
# Start and background tailscaled
setsid $TSD_CMD > /dev/stdout 2> /dev/stderr &
Collaborator Author


The canonically correct way to do this is probably to run tailscaled in a separate container and share the socket with the derper container 🤔

# Start and background tailscale up
setsid $TS_CMD > /dev/stdout 2> /dev/stderr &
fi

# Execute the derper
exec $DERP_CMD
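Review bot: Nothing in the verify-clients branch waits for tailscaled before `tailscale up` runs: `setsid $TSD_CMD ... &` is immediately followed by `setsid $TS_CMD ... &`, and then derper is exec'd, so `tailscale up` can fail because the tailscaled socket does not exist yet, and derper can start before the node is logged in. A loop that polls `/app/tailscale status` (the same check healthprobe.sh uses) before calling `tailscale up`, and again before `exec $DERP_CMD`, would make startup deterministic. Not echoing the auth key (the `echo "Adding $ARG_NAME to TS_CMD"` line) is good, but the key still lands on the `tailscale up --auth-key=...` command line, where it is readable from the process list while that process runs; supplying it from a file or the environment, if the pinned tailscale version supports that, would close the gap. Minor: the `for VAR in $(env)` loop word-splits on whitespace, so values containing spaces break, a pre-existing limitation that now also applies to TS_* and TSD_* values.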
15 changes: 14 additions & 1 deletion Docker/healthprobe.sh
Expand Up @@ -9,7 +9,20 @@ if [[ "$response" -lt "200" ]] || [[ "$response" -ge "400" ]]; then
exit 1
fi

/app/derpprobe --derp-map file:///app/derpmap.json --once

if [[ $DERP_VERIFY_CLIENTS == "true" ]];
then
DERP_MAP="local"
if ! /app/tailscale status --peers=false --json | grep -q 'Online.*true'
then
echo "Tailscale is not online and DERP_VERIFY_CLIENTS is true"
exit 1
fi;
else
DERP_MAP="file:///app/derpmap.json"
fi

/app/derpprobe --derp-map $DERP_MAP --once

if [ $? -ne 0 ]; then
echo "Error: derpprobe failed"
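Review bot: The online check `grep -q 'Online.*true'` matches any line of the `tailscale status --json` output that happens to contain both substrings, so it is a loose test of the JSON rather than of the node's own state; jq is already a dependency of entrypoint.sh, so `/app/tailscale status --peers=false --json | jq -e '.Self.Online == true'` checks the actual field and fails the probe when it is false. Style: the trailing `fi;` should be `fi`, and `if [[ ... ]];` with `then` on the next line differs from the `if ...; then` form used a few lines above in the same file.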
12 changes: 10 additions & 2 deletions chart/tailscale-derp/values.yaml
Expand Up @@ -41,6 +41,7 @@ env:
resource: limits.memory
- name: DERP_HOSTNAME
value: '{{ include "tailscale-derp.hostname" . }}'
# // Pass extra arguments to derper
# - name: DERP_CERTMODE
# value: "manual"
# - name: DERP_CERTDIR
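Review bot: `# // Pass extra arguments to derper` doubles up comment markers; in a YAML file `#` alone is the comment, so `# Pass extra arguments to derper` reads cleaner and matches the other commented-out entries in this values file.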
Expand All @@ -53,9 +54,16 @@ env:
# value: "80"
# - name: DERP_STUN
# value: "true"
# - name: DERP_DERP
# - name: DERP_VERIFY_CLIENTS
# value: "true"

# // Pass arguments to tailscaled when using verify-clients
# - name: TSD_TUN
# value: "userspace-networking" # unprivileged
# - name: TSD_STATE
# value: "mem:" # ephemeral
# // Pass arguments to tailscale up when using verify-clients
# - name: TS_AUTH_KEY
# value: "" # register with auth key

podSecurityContext: {}
# fsGroup: 2000
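Review bot: The TS_AUTH_KEY example (`value: ""`) invites users to put a Tailscale auth key straight into values.yaml, where it ends up in plain text in the rendered Pod spec and in the Helm release history; the env list already uses `valueFrom` (see `resource: limits.memory` above), so the example should show `valueFrom: { secretKeyRef: ... }` pointing at a Secret instead. It is also worth documenting next to `TSD_STATE: "mem:"` that, because state is not persisted, every pod restart registers as a fresh node, so the key must be reusable (and preferably an ephemeral-node key) or restarts will fail to log in. The `# //` prefixes on the two new comment lines should be plain `#`.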