Tailscale Kubernetes Operator

Gary Kramlich - Aug 14 - - Dev Community

Apologizes to anyone looking for more #Pidgin content. I know it's been awhile and I'll get something out soon I promise, but there are quite a few Pidgin related things in this post too...

About a month ago I setup a Kubernetes cluster using Talos to handle my container load at home.

I have containers for all sorts of things including the graphs you all may have seen on my stream as well as an Ergo instance for developing our new IRCv3 protocol plugin.

I'll be adding to this cluster in the future too as we continue development on Xeme which is our new XMPP library as well as Myna which is our new Matrix library.

Having these servers running locally makes it easier to test interesting configurations, but more importantly, lets me use them on stream without leaking my IP address or any passwords.

Anyways, I'm not always at home when I want to work on something and I wanted to find a way to access services remotely. Well tonight I realized I should be able to do this with Tailscale.

I'm already using Tailscale to make sure we can access all of our build agents which are spread across a few sites, so being able to expose this to the other Pidgin developers who have access to that Tailscale network is just icing on the cake.

So I decided to give the Tailscale Kubernetes Operator a go. They have full documentation it here. As is pretty typical right now their installation instructions are based on using Helm.

I prefer to use Kustomize over Helm. There's plenty of reasons, but there's no reason to get into that now ;)

Thankfully, Tailscale provides a static manifest for deploying the operator. This is very easy to import into our kustomize and get running directly quite quickly.

But of course, it's not just that easy. Their instructions have you modifying that manifest and then applying that. This isn't a big deal, but it makes upgrading harder as you have to keep track of what you edited. Sure you could use version control (and you should have your manifest in version control) but kustomize makes this very easy.

First we needed to download operator.yaml which is the static manifest that Tailscale provides. We're going to use this file as is without modification which means we can just replace it if/when they update it.

Next we need to create our kustomization.yaml which is used to drive everything. My commented kustomization.yaml is below.

---
# Here we reference the unmodified operator.yaml we downloaded from
# Tailscale.
resources:
  - operator.yaml
patches:
  # Tailscale needs network admin and some other permissions, so
  # we use the following patch that will add the appropriate
  * annotations to the namespace.
  - patch: |-
      apiVersion: v1
      kind: Namespace
      metadata:
        name: tailscale
        labels:
          pod-security.kubernetes.io/enforce: privileged
          pod-security.kubernetes.io/audit: privileged
          pod-security.kubernetes.io/warn: privileged
secretGenerator:
  # As I mentioned earlier, operator.yaml defines a secret for the
  # tailscale oauth secrets which the documentation wants you to
  # modify manually. We can instead use a secret generator to read
  # those values from an `env` file and merge them into the
  # existing secret.
  - name: operator-oauth
    namespace: tailscale
    behavior: merge
    envs:
      - secrets/env
Enter fullscreen mode Exit fullscreen mode

With this all now setup, we can run kubectl kustomize and verify our output. A condensed output with just the namespace and secret are below.

apiVersion: v1
kind: Namespace
metadata:
  labels:
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged
  name: tailscale
---
apiVersion: v1
data:
  client_id: aGFjayB0aGUgcGxhbmV0
  client_secret: aGFja2VycyBvZiB0aGUgd29ybGQgdW5pdGU=
kind: Secret
metadata:
  name: operator-oauth
  namespace: tailscale
type: Opaque
---
Enter fullscreen mode Exit fullscreen mode

Now that we've confirmed everything looks good, we can get ready to apply it to our cluster. Normally I'd recommend doing a dry run first, but since we're applying a namespace as well most of the tests will fail because that namespace doesn't exist.

Anyways, we can apply this kustomization with the following command:

kubectl apply -k .
Enter fullscreen mode Exit fullscreen mode

If everything is successful you'll see something like the following:

namespace/tailscale configured
customresourcedefinition.apiextensions.k8s.io/connectors.tailscale.com configured
customresourcedefinition.apiextensions.k8s.io/dnsconfigs.tailscale.com configured
customresourcedefinition.apiextensions.k8s.io/proxyclasses.tailscale.com configured
serviceaccount/operator configured
serviceaccount/proxies configured
role.rbac.authorization.k8s.io/operator configured
role.rbac.authorization.k8s.io/proxies configured
clusterrole.rbac.authorization.k8s.io/tailscale-operator configured
rolebinding.rbac.authorization.k8s.io/operator configured
rolebinding.rbac.authorization.k8s.io/proxies configured
clusterrolebinding.rbac.authorization.k8s.io/tailscale-operator configured
secret/operator-oauth configured
deployment.apps/operator configured
ingressclass.networking.k8s.io/tailscale configured
Enter fullscreen mode Exit fullscreen mode

You can verify the operator is up and running the following command:

kubectl -n tailscale get deployments
Enter fullscreen mode Exit fullscreen mode

You should see something like the following:

NAME       READY   UP-TO-DATE   AVAILABLE   AGE
operator   1/1     1            1           72m
Enter fullscreen mode Exit fullscreen mode

If that all looks good you can go ahead and verify that it shows up in the Machines section in Tailscale. You should see something like the following:

Image description

Now we're ready to expose a service via Tailscale!

As I mentioned earlier, I'm running an Ergo instance for local IRC development. I have an Service of type LoadBalancer to expose it to my LAN via MetalLB.

The Tailscale operator has multiple ways to integrate with your Kubernetes cluster, but we're just going to expose existing services to the tailnet and doing that is extremely simple.

To do so, you just need to add the tailscale.com/expose: "true" annotation to the service. Below is my updated Service for Ergo:

---
apiVersion: v1
kind: Service
metadata:
  name: ergo
  annotations:
    tailscale.com/expose: "true"
  labels:
    app: ergo
spec:
  ports:
    - port: 6667
      protocol: TCP
      name: irc
    - port: 6697
      protocol: TCP
      name: ircs
  selector:
    app: ergo
  type: LoadBalancer
Enter fullscreen mode Exit fullscreen mode

Now that that's done, I can apply the Kustomization for Ergo:

kubectl apply -k .
Enter fullscreen mode Exit fullscreen mode

The operator will automatically add it to the tailnet with a machine name of <namespace>-<service-name>. This ergo instance is running in the reaperworld namespace so it's machine name, and therefore DNS name is reaperworld-ergo which we can now see in the Tailscale machines page.

Image description

And that's it, that service is now available on the tailnet accessible to anyone else on the tailnet!

I hope you all found this interesting. I decided to write this as I had to learn about behavior: merge property of the secretGenerator and figured others might find this useful as well. Plus it gave me an excuse to show the power of Kustomize!

Image
Automating EC2 Instances with AWS Lambda and CloudWatch

aws, automation, devops, serverless
Image
The Ferulic Acid Market Poised to Witness High Growth Driven by Increasing Application in Various Industries
Image
NFTScan Insights: Exploring Various NFT Standards and Their Use Cases

nft, web3
Image
How to setup Stripe plugin in Medusa.js on Nomodo: Step‑by‑Step Guide

medusajs, tutorial
Image
Taskwarrior: The Command-Line Task Manager for Power Users

taskwarrior, productivity, taskmanagement, opensource
Image
Understanding Bitwise Operators in JavaScript

webdev, javascript, beginners, tutorial
Image
Nasdaq's Bold Move for Bitcoin Index Options

bitcoinoptions, cryptoinnovation, marketliquidity
Image
QA is Dead. Long Live QA

qa, qualityassurance, api
Image
Video: Access Raw Data in MedusaJS stored in PostgreSQL

medusajs, tutorial
Image
How to Find the Best SEO Expert for Your Startup in Delhi?

webdev, beginners, productivity
Image
Redux vs. Context.Provider: Choosing State Management in React Applications

react, nextjs, redux, javascript
Image
Using asyncio.create_task()
Image
Understanding the Difference Between HTTP and HTTPS

webdev, http, networking, network
Image
Next Generation Memory Market 2024-2032: Innovations & Growth

techtalks
Image
Building a Basic Convolutional Neural Network (CNN) in Python

ai, machinelearning, deeplearning, python
Image
🧠 Building a Basic Convolutional Neural Network (CNN) in Python

ai, machinelearning, deeplearning, python
Image
Machine Translation Market 2024-2032: Innovations & Growth Outlook

techtalks
Image
Mastering the Art of Prompting: A Developer's Guide to Effective Prompt Design

ai, genai, llm, datascience
Image
🧠 Demystifying CNN Neural Network Layers: A Deep Dive into AI Architecture

ai, deeplearning, machinelearning
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Terabox Video Player