Initial commit

.gitattributes

@@ -0,0 +1,2 @@
+# Auto detect text files and perform LF normalization
+* text=auto

.github/workflows/mirror.yaml

@@ -0,0 +1,17 @@
+name: Mirror to Gitlab
+
+on: [push]
+
+jobs:
+  mirror:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - uses: yesolutions/[email protected]
+        with:
+          REMOTE: 'https://gitlab.com/${{ github.repository }}'
+          GIT_USERNAME: ${{ secrets.ORG_GITLAB_SYNC_UN }}
+          GIT_PASSWORD: ${{ secrets.ORG_GITLAB_SYNC_PW }}
+

.gitlab-ci.yml

@@ -0,0 +1,84 @@
+default:
+  image:
+    name: gcr.io/kaniko-project/executor:debug
+    entrypoint: [ "" ]
+  tags:
+    - ord1-tenant
+
+workflow:
+  rules:
+    - if: $CI_COMMIT_TAG
+      when: never
+    - if: $CI_COMMIT_BRANCH
+      when: always
+
+variables:
+  RELEASE_VERSION: "1.68.0"
+  REF_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
+  FIXED_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
+  DOCKERFILE: ${CI_PROJECT_DIR}/Docker/Dockerfile
+  REGPROXY_URI: ${REGPROXY_URI}
+  LATEST_IMAGE: $CI_REGISTRY_IMAGE:latest
+  MUSEUM_REPO_URL: $PROD_HELM_REPO_URL
+  MUSEUM_REPO_USER: $PROD_HELM_REPO_USER
+  MUSEUM_REPO_PASS: $PROD_HELM_REPO_PASS
+
+stages:
+  - build
+  - release
+
+build:
+  stage: build
+  before_script:
+    - export HTTP_PROXY=${REGPROXY_URI}
+    - export HTTPS_PROXY=${REGPROXY_URI}
+    - mkdir -p /etc/ssl/certs/ && cat /etc/gitlab-runner/certs/proxy-ca.crt >> /etc/ssl/certs/ca-certificates.crt
+    - mkdir -p /kaniko/.docker
+    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
+  script: |-
+    /kaniko/executor \
+      --context ${CI_PROJECT_DIR} \
+      --dockerfile $DOCKERFILE \
+      --destination $REF_IMAGE \
+      --destination $FIXED_IMAGE \
+      --build-arg VERSION="v${RELEASE_VERSION}"
+  only:
+    changes:
+      - Docker/*
+
+release:
+  stage: release
+  only:
+    refs:
+      - main
+  dependencies:
+    - build
+  before_script:
+    - export HTTP_PROXY=${REGPROXY_URI}
+    - export HTTPS_PROXY=${REGPROXY_URI}
+    - export RELEASE="$CI_REGISTRY_IMAGE":"v${RELEASE_VERSION}"
+    - mkdir -p /etc/ssl/certs/ && cat /etc/gitlab-runner/certs/proxy-ca.crt >> /etc/ssl/certs/ca-certificates.crt
+    - mkdir -p /kaniko/.docker
+    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
+  script: |-
+    /kaniko/executor \
+    --context ${CI_PROJECT_DIR} \
+    --dockerfile $DOCKERFILE \
+    --destination $RELEASE \
+    --build-arg VERSION="v${RELEASE_VERSION}"
+
+release-chart:
+  stage: release
+  image: alpine/helm:3.15.2
+  only:
+    refs:
+      - main
+  dependencies:
+    - build
+  script:
+    - apk add git
+    - helm plugin install https://github.com/chartmuseum/helm-push.git
+    - cd chart
+    - helm repo add helm_repo $MUSEUM_REPO_URL--username $MUSEUM_REPO_USER --password $MUSEUM_REPO_PASS
+    - helm package ./tailscale-derp --version "$RELEASE_VERSION"
+    - helm cm-push ./tailscale-derp helm_repo --version "$RELEASE_VERSION" -f

Docker/Dockerfile

@@ -0,0 +1,25 @@
+FROM golang:latest AS builder
+WORKDIR /app
+ARG VERSION=${VERSION:-v1.68.0}
+# https://tailscale.com/kb/1118/custom-derp-servers/
+RUN go install tailscale.com/cmd/derper@${VERSION}
+RUN go install tailscale.com/cmd/derpprobe@${VERSION}
+
+FROM ubuntu:noble
+WORKDIR /app
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+COPY --from=builder /go/bin/derper .
+COPY --from=builder /go/bin/derpprobe .
+COPY Docker/entrypoint.sh /app/entrypoint.sh
+COPY Docker/healthprobe.sh /app/healthprobe.sh
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends apt-utils ca-certificates curl jq && \
+    rm -rf /var/lib/apt/lists/* && \
+    mkdir /app/certs && \
+    chmod +x /app/entrypoint.sh && \
+    chmod +x /app/healthprobe.sh
+
+ENTRYPOINT ["/app/entrypoint.sh"]

Docker/entrypoint.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Initialize the command with the executable
+CMD="/app/derper"
+
+# Generate derpmap
+jq -n --arg hostname "${DERP_HOSTNAME}" '{"Regions":{"900":{"RegionID":900,"Nodes":[{"Name":"900","HostName":$hostname}]}}}' > /app/derpmap.json
+
+# Loop through all environment variables
+for VAR in $(env); do
+  # Check if the variable starts with DERP_
+  if [[ $VAR == DERP_* ]]; then
+    # Extract the name and value
+    VAR_NAME=$(echo "$VAR" | cut -d= -f1)
+    VAR_VALUE=$(echo "$VAR" | cut -d= -f2-)
+
+    # Convert the variable name to lowercase and replace underscores with hyphens
+    ARG_NAME=$(echo "$VAR_NAME" | sed 's/^DERP_//' | tr '[:upper:]' '[:lower:]' | tr '_' '-')
+
+    # Append the argument to the command
+    CMD="$CMD --$ARG_NAME=$VAR_VALUE"
+  fi
+done
+
+# Execute the command
+exec $CMD

Docker/healthprobe.sh

@@ -0,0 +1,17 @@
+response=$(curl --head -L -w '%{http_code}' -o /dev/null -s -k https://"${DERP_HOSTNAME}"/derp/probe -m "${CURL_TIMEOUT:-2}")
+if [ $? -ne 0 ]; then
+  echo "Error: curl failed"
+  exit 1
+fi
+
+if [[ "$response" -lt "200" ]] || [[ "$response" -ge "400" ]]; then
+    echo "failed curl for ${PROBE_ADDRESS} with response $response" >&2
+    exit 1
+fi
+
+/app/derpprobe --derp-map file:///app/derpmap.json  --once
+
+if [ $? -ne 0 ]; then
+  echo "Error: derpprobe failed"
+  exit 1
+fi

chart/tailscale-derp/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

chart/tailscale-derp/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: tailscale-derp
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "v1.68.0"

chart/tailscale-derp/templates/_helpers.tpl

@@ -0,0 +1,69 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "tailscale-derp.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "tailscale-derp.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "tailscale-derp.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "tailscale-derp.labels" -}}
+helm.sh/chart: {{ include "tailscale-derp.chart" . }}
+{{ include "tailscale-derp.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "tailscale-derp.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "tailscale-derp.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "tailscale-derp.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "tailscale-derp.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the derp hostname
+*/}}
+{{- define "tailscale-derp.hostname" -}}
+{{- tpl .Values.derpServerHostname . }}
+{{- end }}

chart/tailscale-derp/templates/cert.yaml

@@ -0,0 +1,17 @@
+{{- if (.Values.tls).enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  annotations: {{ .Values.tls.annotations | toYaml | nindent 4 }}
+  labels: {{ .Values.tls.labels | toYaml | nindent 4 }}
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  commonName: '{{ tpl ((.Values.tls).domain) . }}'
+  dnsNames:
+  - '{{ tpl ((.Values.tls).domain) . }}'
+  issuerRef:
+    kind: ClusterIssuer
+    name: {{ (.Values.tls).clusterIssuer | default "letsencrypt-prod" }}
+  secretName: {{ .Release.Name }}-tls
+{{- end }}

chart/tailscale-derp/templates/deployment.yaml

@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "tailscale-derp.fullname" . }}
+  labels:
+    {{- include "tailscale-derp.labels" . | nindent 4 }}
+  annotations:
+    {{- tpl (toYaml .Values.deploymentAnnotations) .  | nindent 4 }}
+spec:
+  strategy:
+    type: Recreate
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "tailscale-derp.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        {{- tpl (toYaml .Values.podAnnotations) .  | nindent 8 }}
+      labels:
+        {{- include "tailscale-derp.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "tailscale-derp.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          env:
+            {{- tpl (toYaml .Values.env) . | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            {{- range .Values.service.ports }}
+            - name: {{ .name }}
+              containerPort: {{ .targetPort }}
+              protocol: {{ .protocol | default "TCP" }}
+            {{- end }}
+          livenessProbe:
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            {{- tpl (toYaml .Values.volumeMounts) .  | nindent 12 }}
+      volumes:
+        {{- tpl (toYaml .Values.volumes) .  | nindent 8 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}