My Surprise Discovery: How Headscale Simplified Our GitHub Runner Connections
I’ll be the first to admit it: I was skeptical about trying yet another solution for connecting our GitHub-hosted runners to internal resources. But, after weeks of struggling with other options, we stumbled upon Headscale, and it’s been a total game-changer for our team.
We started our journey with Tailscale, which worked great initially, but the per-user pricing didn’t make sense for our scale. So, we moved on to Netbird, which required a lot of effort to set up and still didn’t quite meet our needs. The connections were slow, taking around 10-30 seconds to establish, and the macOS client was unstable.
Our Search for a Reliable Solution
Next, we tried Netmaker, hoping it would be a plug-and-play alternative that we could host on Kubernetes. Unfortunately, despite significant effort, it couldn’t handle the large number of ephemeral runners we needed. It’s still in an early stage and not production-ready for our use case.
That’s when we decided to give Headscale a try. I had heard of it as a Tailscale drop-in replacement, but I wasn’t sure what to expect. We were also hesitant about its SQLite backend and the warnings against containerized setups. But, we were desperate for a solution that worked, so we decided to take the plunge.
Our Experience with Headscale
After a quick Kubernetes deployment and routing setup, we integrated Headscale into our GitHub Actions workflow. And, wow, were we impressed! Spinning up 200 ephemeral runners at once worked flawlessly, with connections establishing in under 4 seconds. It was like a breath of fresh air after weeks of struggling with other solutions.
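To make the integration step concrete, here is an added example of the shell body of a GitHub Actions step that joins a GitHub-hosted runner to a Headscale-controlled tailnet and cleans up afterwards. It is not code from the original post or from the Headscale project. The controller URL `headscale.example.com`, the secret name `TS_AUTHKEY`, the Headscale user `ci`, and the assumption that tailscale is already installed on the runner and that headscale is at least 0.23 (where the pre-auth key command takes `--user` rather than `--namespace`) are all mine.

```shell
#!/bin/sh
# Added example, not code from the original post: the body of a GitHub Actions step
# that joins a GitHub-hosted runner to a Headscale-controlled tailnet with an
# ephemeral, single-use, short-lived pre-auth key, waits for the tunnel, and removes
# the node again when the job ends.
#
# Assumptions (mine, not the post's): the controller answers at HEADSCALE_URL, the
# pre-auth key arrives in the TS_AUTHKEY secret, tailscale is already installed on the
# runner, the runner user has passwordless sudo, and headscale is >= 0.23 (the
# --user flag; older releases call it --namespace).
#
# Controller side, run by an operator or a scheduled job, never from the runner:
#   headscale preauthkeys create --user ci --ephemeral --expiration 10m
# --ephemeral: the node is deleted once it goes offline, so 200 runners do not leave
#   200 stale nodes behind. No --reusable: the key is consumed by one registration.
# Short --expiration: a key leaked from a log is worthless minutes later.
set -eu

HEADSCALE_URL="${HEADSCALE_URL:-https://headscale.example.com}"

# Refuse to send control-plane traffic to a plain-http login server.
validate_login_server() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "refusing non-https login server: $1" >&2; return 1 ;;
  esac
}

# Hostname that ties the node to the run: lower-case, DNS-safe, at most 63 chars.
runner_hostname() {
  printf 'runner-%s-%s' "$1" "$2" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9-]/-/g' | cut -c1-63
}

# Pull BackendState out of `tailscale status --json` without depending on jq.
backend_state() {
  printf '%s\n' "$1" | sed -n 's/.*"BackendState": *"\([A-Za-z]*\)".*/\1/p' | head -n 1
}

# Poll until the node reports Running; fail the job rather than run half-connected.
wait_until_running() {
  tries="${1:-20}"
  while [ "$tries" -gt 0 ]; do
    state=$(backend_state "$(tailscale status --json 2>/dev/null || true)")
    if [ "$state" = Running ]; then
      return 0
    fi
    sleep 1
    tries=$((tries - 1))
  done
  echo "tailnet did not come up in time" >&2
  return 1
}

# Log out on exit so the ephemeral node disappears from headscale immediately
# instead of lingering until the controller notices it went offline.
cleanup() { sudo tailscale logout >/dev/null 2>&1 || true; }

join_tailnet() {
  validate_login_server "$HEADSCALE_URL"
  : "${TS_AUTHKEY:?TS_AUTHKEY secret is not set}"
  trap cleanup EXIT
  sudo tailscale up \
    --login-server "$HEADSCALE_URL" \
    --authkey "$TS_AUTHKEY" \
    --hostname "$(runner_hostname "${GITHUB_RUN_ID:-local}" "${GITHUB_RUN_ATTEMPT:-1}")" \
    --accept-routes \
    --timeout 30s
  wait_until_running 20
  tailscale status
}

# Invoked as `sh join.sh join` from the workflow step; sourcing the file only defines the helpers.
if [ "${1:-}" = join ]; then
  join_tailnet
fi
```

In the workflow, the step would run `sh join.sh join` with `TS_AUTHKEY: ${{ secrets.TS_AUTHKEY }}` in its `env`, and `--accept-routes` is what lets the runner use the subnet routes advertised from the cluster side. The three key properties (ephemeral, non-reusable, minutes-long expiry) are the ones that keep a fleet of short-lived runners from turning into a fleet of stale nodes and long-lived credentials.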
What really surprised us was how well Headscale performed without any crazy optimizations. We had spent weeks tuning Netmaker and days tweaking Netbird, but Headscale just worked out of the box. It’s been a huge relief for our team, and we’re now able to focus on other important tasks.
Securing Our Setup
Now that we have Headscale up and running, we’re working on hardening our setup to ensure it’s secure. We’re using an AWS ALB to expose the Headscale controller, and we’re considering WAF ACLs on that ALB to limit access to the controller to our GitHub-hosted runners. If you have any experience with this, we’d love to hear your thoughts on the best way to secure our setup.
For now, we’re just enjoying the simplicity and reliability that Headscale has brought to our workflow. It’s amazing how something so simple can make such a big difference in our daily work.