Fix integrated Headscale server

deploy/charts/nebulous/Chart.yaml

@@ -7,10 +7,10 @@ home: https://github.com/agentsea/nebulous
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.2.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.1.61"
+appVersion: "0.1.75"

deploy/charts/nebulous/README.md

@@ -1,6 +1,6 @@
 # nebulous
 
-![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.61](https://img.shields.io/badge/AppVersion-0.1.61-informational?style=flat-square)
+![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.75](https://img.shields.io/badge/AppVersion-0.1.75-informational?style=flat-square)
 
 A cross-cloud container orchestrator for AI workloads
 
@@ -39,12 +39,14 @@ helm install nebulous nebulous/nebulous -f values.yaml \
 | headscale.derp.configMap.key | string | `"servers.yaml"` | The key in the ConfigMap containing the DERP server configuration YAML file. |
 | headscale.derp.configMap.name | string | `""` | The name of the ConfigMap containing the DERP server configuration. |
 | headscale.derp.externalMaps | list | `[]` | URLs of externally available DERP maps encoded in JSON. |
-| headscale.dns.base_domain | string | `""` | The base domain for MagicDNS hostnames. Cannot be the same as the Headscale server's domain. Refer to https://github.com/juanfont/headscale/blob/main/config-example.yaml for details. |
-| headscale.domain | string | `""` | The domain under which the Headscale server is exposed. |
+| headscale.dns.baseDomain | string | `""` | The base domain for MagicDNS hostnames. Cannot be the same as the Headscale server's domain. Refer to https://github.com/juanfont/headscale/blob/main/config-example.yaml for details. |
+| headscale.domain | string | `""` | The domain under which the Headscale server is exposed. Required if create is true. The headscale server must be reachable at https://${domain}:443. |
 | headscale.imageTag | string | `"latest"` | The Headscale image tag. |
 | headscale.ingress.annotations | object | `{}` | Annotations to add to the Ingress resource. |
 | headscale.ingress.enabled | bool | `false` | If enabled, create an Ingress resource. Ignored unless 'enabled' is true. |
 | headscale.ingress.ingressClassName | string | `""` | The ingress class. |
+| headscale.log.format | string | `"text"` | The log format of the Headscale server. Options are "text" or "json". |
+| headscale.log.level | string | `"info"` | The log level of the Headscale server. Options are "off", "trace", "debug", "info", "warn", "error". |
 | headscale.namespaceOverride | string | `""` | Namespace override for the Headscale deployment. |
 | headscale.prefixes | object | `{"v4":"100.64.0.0/10","v6":"fd7a:115c:a1e0::/48"}` | Prefixes to allocate tailaddresses from. Must be within the IP ranges supported by the Tailscale client. Refer to https://github.com/juanfont/headscale/blob/main/config-example.yaml for details. |
 | headscale.privateKeys.claimName | string | `"headscale-keys-pvc"` | The name of the PersistentVolumeClaim for the Headscale private keys. |
@@ -54,10 +56,17 @@ helm install nebulous nebulous/nebulous -f values.yaml \
 | headscale.service.annotations | object | `{}` | The annotations to add to the Kubernetes service. |
 | headscale.service.nameOverride | string | `""` | Override the name of the Kubernetes service. |
 | headscale.service.port | int | `80` | The port of the Kubernetes service. |
+| headscale.service.type | string | `"ClusterIP"` | The type of the Kubernetes service. Options are "ClusterIP", "NodePort", and "LoadBalancer". |
 | headscale.sqlite.claimName | string | `"headscale-sqlite-pvc"` | The name of the PersistentVolumeClaim for the Headscale sqlite database. |
 | headscale.sqlite.createPersistentVolumeClaim | bool | `true` | If true, create a PersistentVolumeClaim for the Headscale sqlite database. |
 | headscale.sqlite.size | string | `"10Gi"` | The size of the PersistentVolumeClaim created for the Headscale sqlite database. |
 | headscale.sqlite.storageClassName | string | `""` | The storage class of the PersistentVolumeClaim created for the Headscale sqlite database. |
+| headscale.tls.letsencrypt.claimName | string | `"headscale-tls-pvc"` | The name of the PersistentVolumeClaim for the Headscale Let's Encrypt cache. |
+| headscale.tls.letsencrypt.createPersistentVolumeClaim | bool | `true` | If true, create a PersistentVolumeClaim for the Headscale Let's Encrypt cache. |
+| headscale.tls.letsencrypt.email | string | `""` | The email address for the Let's Encrypt certificate. |
+| headscale.tls.letsencrypt.hostname | string | `""` | The hostname for the Let's Encrypt certificate. Has to match the domain of the Headscale server. |
+| headscale.tls.letsencrypt.size | string | `"16Mi"` | The size of the PersistentVolumeClaim created for the Headscale Let's Encrypt cache. |
+| headscale.tls.letsencrypt.storageClassName | string | `""` | The storage class of the PersistentVolumeClaim created for the Headscale Let's Encrypt cache. |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.repository | string | `"us-docker.pkg.dev/agentsea-dev/nebulous/server"` | The repository to pull the server image from. |
 | image.tag | string | `""` | The nebulous image tag. Defaults to the Helm chart's appVersion. |
@@ -77,7 +86,7 @@ helm install nebulous nebulous/nebulous -f values.yaml \
 | postgres.persistence.enabled | bool | `false` | If enabled, use a PersistentVolumeClaim for the Postgres data. Ignored unless 'create' is true. |
 | postgres.persistence.size | string | `"100Gi"` | The size of the PersistentVolumeClaim for the Postgres data. |
 | postgres.persistence.storageClassName | string | `""` | The storage class of the PersistentVolumeClaim for the Postgres data. |
-| postgres.secret.keys.connection_string | string | `"CONNECTION_STRING"` | The key in the secret containing the Postgres connection string. |
+| postgres.secret.keys.connectionString | string | `"CONNECTION_STRING"` | The key in the secret containing the Postgres connection string. |
 | postgres.secret.name | string | `"postgres-secret"` | Name of the secret with the Postgres connection string. |
 | providers.aws.auth | object | `{"accessKeyId":"","secretAccessKey":""}` | Manual configuration of the AWS credentials. Not recommended for production. |
 | providers.aws.enabled | bool | `false` | Enable access to AWS. |
@@ -91,11 +100,7 @@ helm install nebulous nebulous/nebulous -f values.yaml \
 | redis.auth | object | `{"database":0,"host":"","password":"nebulous","port":6379}` | Manual configuration of the Redis connection. Except for 'host', this information is also used if 'create' is true. |
 | redis.create | bool | `false` | If enabled, create a Redis deployment and service. Not recommended for production. |
 | redis.imageTag | string | `"latest"` | The redis image tag. Ignored unless 'create' is true. |
-| redis.ingress.annotations | object | `{}` | Annotations to add to the Ingress resource. |
-| redis.ingress.enabled | bool | `false` | If enabled, create an Ingress resource. Ignored unless 'create' is true. |
-| redis.ingress.host | string | `""` | The host field of the Ingress rule. |
-| redis.ingress.ingressClassName | string | `""` | The ingress class. |
-| redis.secret.keys.connection_string | string | `"CONNECTION_STRING"` | The key in the secret containing the Redis connection string. |
+| redis.secret.keys.connectionString | string | `"CONNECTION_STRING"` | The key in the secret containing the Redis connection string. |
 | redis.secret.keys.password | string | `"PASSWORD"` | The key in the secret containing the Redis password. |
 | redis.secret.name | string | `"redis-secret"` | Name of the secret with the Redis connection string and password. |
 | redis.service.annotations | object | `{}` | The annotations to add to the Kubernetes service. |
@@ -125,6 +130,5 @@ helm install nebulous nebulous/nebulous -f values.yaml \
 | tailscale.loginServer | string | `"https://login.tailscale.com"` | The Tailscale host to connect to. If headscale.enabled is true, this is ignored. |
 | tailscale.secret.keys.apiKey | string | `"API_KEY"` | The key in the secret containing the Tailscale API key |
 | tailscale.secret.keys.authKey | string | `"AUTH_KEY"` | The key in the secret containing the Tailscale auth key |
-| tailscale.secret.keys.loginServer | string | `"LOGIN_SERVER"` | The key in the secret containing the Tailscale host. |
 | tailscale.secret.name | string | `"tailscale-secret"` | Name of the secret with the Redis connection string and password. |
 

deploy/charts/nebulous/templates/_helpers.tpl

@@ -46,7 +46,15 @@ headscale
 {{- end }}
 
 {{- define "headscale.host" -}}
-{{- include "headscale.serviceName" . }}.{{- include "headscale.namespace" . }}.svc.cluster.local
+https://{{- required ".Values.headscale.domain is required" .Values.headscale.domain }}
+{{- end }}
+
+{{- define "tailscale.loginServer" }}
+{{- if .Values.headscale.create }}
+{{- include "headscale.host" . }}
+{{- else }}
+{{- required ".Values.tailscale.loginServer is required" .Values.tailscale.loginServer }}
+{{- end }}
 {{- end }}
 
 {{- define "postgres.name" -}}

deploy/charts/nebulous/templates/deployment.yaml

@@ -7,6 +7,8 @@ metadata:
     {{- include "common.labels" . | nindent 4 }}
 spec:
   replicas: 1
+  strategy:
+    type: Recreate
   selector:
     matchLabels:
       app: {{ include "nebulous.appSelector" . }}
@@ -19,13 +21,21 @@ spec:
         "helm.sh/restart-timestamp": "{{ now | date "20250101010203" }}"
       {{- end }}
     spec:
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
       serviceAccountName: {{ include "nebulous.serviceAccountName" . }}
       containers:
         - name: nebulous-server
           image: {{ include "nebulous.image" . }}
           {{- with .Values.image.pullPolicy }}
           imagePullPolicy: {{.}}
           {{- end }}
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+                - NET_RAW
+            privileged: true
           ports:
             - containerPort: 3000
           env:
@@ -38,15 +48,15 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.postgres.secret.name }}
-                  key: {{ .Values.postgres.secret.keys.connection_string }}
+                  key: {{ .Values.postgres.secret.keys.connectionString }}
             - name: MESSAGE_QUEUE_TYPE
               value: {{ .Values.messageQueue.type }}
             {{- if eq .Values.messageQueue.type "redis" }}
             - name: REDIS_URL
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.redis.secret.name }}
-                  key: {{ .Values.redis.secret.keys.connection_string }}
+                  key: {{ .Values.redis.secret.keys.connectionString }}
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
@@ -62,14 +72,14 @@ spec:
             - name: AWS_SECRET_ACCESS_KEY
               valueFrom:
                 secretKeyRef:
-                  name:  {{ .Values.providers.aws.secret.name }}
+                  name: {{ .Values.providers.aws.secret.name }}
                   key: {{ .Values.providers.aws.secret.keys.secretAccessKey }}
             {{- end }}
             {{- if .Values.providers.runpod.enabled }}
             - name: RUNPOD_API_KEY
               valueFrom:
                 secretKeyRef:
-                  name:  {{ .Values.providers.runpod.secret.name }}
+                  name: {{ .Values.providers.runpod.secret.name }}
                   key: {{ .Values.providers.runpod.secret.keys.apiKey }}
             {{- end }}
             - name: TS_AUTHKEY
@@ -79,9 +89,9 @@ spec:
                   key: {{ .Values.tailscale.secret.keys.authKey }}
             - name: TS_LOGINSERVER
               valueFrom:
-                  secretKeyRef:
-                    name: {{ .Values.tailscale.secret.name }}
-                    key: {{ .Values.tailscale.secret.keys.loginServer }}
+                secretKeyRef:
+                  name: {{ .Values.tailscale.secret.name }}
+                  key: {{ .Values.tailscale.secret.keys.loginServer }}
             - name: RUST_LOG
               value: {{ .Values.logLevel | lower }}
           envFrom:
@@ -96,6 +106,8 @@ spec:
               mountPath: /datasets
             - name: model-pvc
               mountPath: /models
+            - name: dev-net-tun
+              mountPath: /dev/net/tun
       volumes:
         - name: huggingface-pvc
           persistentVolumeClaim:
@@ -109,3 +121,7 @@ spec:
         - name: model-pvc
           persistentVolumeClaim:
             claimName: {{ .Values.storage.model.claimName }}
+        - name: dev-net-tun
+          hostPath:
+            path: /dev/net/tun
+            type: CharDevice