Tailscale as a system service extension. Creates network devices in the talos 'host'.

Requires: siderolabs/talos#7408

Signed-off-by: Noel Georgi <git@frezbo.dev>
Signed-off-by: beau trepp <beautrepp@gmail.com>
Showing 7 changed files with 189 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,69 @@ | ||
# Tailscale | ||
|
||
Adds https://tailscale.com network interfaces as system extensions. | ||
This means you can access your talos nodes from machines you have configured | ||
with tailscale | ||
|
||
## Installation | ||
|
||
Simplest install | ||
``` | ||
machine: | ||
install: | ||
extensions: | ||
- image: docker.io/btrepp/tailscale:1.40.0 | ||
files: | ||
- content: | | ||
TS_AUTHKEY=<your auth key> | ||
permissions: 0o644 | ||
path: /var/etc/tailscale/auth.env | ||
op: create | ||
``` | ||
|
||
``` | ||
> talosctl apply -n node myconfig.yaml | ||
> talosctl upgrade -n node | ||
``` | ||
|
||
## Configuration | ||
|
||
This extension runs containerboot https://pkg.go.dev/tailscale.com@v1.40.1/cmd/containerboot | ||
|
||
Extra tailscale specific environment vars can be configured as needed in `/var/etc/tailscale/auth.env` | ||
|
||
Current known env vars are: | ||
|
||
TS_AUTHKEY: the authkey to use for login. | ||
TS_HOSTNAME: the hostname to request for the node. | ||
TS_ROUTES: subnet routes to advertise. | ||
TS_DEST_IP: proxy all incoming Tailscale traffic to the given destination. | ||
TS_TAILSCALED_EXTRA_ARGS: extra arguments to 'tailscaled'. | ||
TS_EXTRA_ARGS: extra arguments to 'tailscale up'. | ||
TS_USERSPACE: run with userspace networking (the default) instead of kernel networking. | ||
TS_STATE_DIR: the directory in which to store tailscaled state. The data should persist across container restarts. | ||
TS_ACCEPT_DNS: whether to use the tailnet's DNS configuration. | ||
TS_KUBE_SECRET: the name of the Kubernetes secret in which to store tailscaled state. | ||
TS_SOCKS5_SERVER: the address on which to listen for SOCKS5 proxying into the tailnet. | ||
TS_OUTBOUND_HTTP_PROXY_LISTEN: the address on which to listen for HTTP proxying into the tailnet. | ||
TS_SOCKET: the path where the tailscaled LocalAPI socket should be created. | ||
TS_AUTH_ONCE: if true, only attempt to log in if not already logged in. If false (the default, for backwards compatibility), forcibly log in every time the container starts. | ||
|
||
### Subnet routing | ||
|
||
A pratical example is enabling subnetrouting | ||
``` | ||
machine: | ||
files: | ||
- content: | | ||
TS_AUTHKEY=<your auth key> | ||
TS_ROUTES=10.96.0.0/12 | ||
permissions: 0o644 | ||
path: /var/etc/tailscale/auth.env | ||
op: create | ||
``` | ||
|
||
10.96.0.0/12 is the service subnet talos uses by default (if you use a custom one, you will need to change it). | ||
This allows the k8s services to be available over tailscale (without an ingress controller!). | ||
|
||
With this enabled, you can configure tailscales DNS to actually forward certain search domains | ||
to coredns, making it very easy to access k8s services from an external device. |
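Review bot: both YAML snippets write TS_AUTHKEY into `/var/etc/tailscale/auth.env` with `permissions: 0o644`, which leaves the auth key world-readable on the node. The service runs as the only consumer of that file, so `permissions: 0o600` works in both examples, and a sentence noting that the machine config now carries the key (so `myconfig.yaml` must be handled as a secret) would help readers. Two smaller accuracy points: `talosctl apply -n node myconfig.yaml` is not the subcommand's syntax (it is `talosctl apply-config -n node -f myconfig.yaml`, and `talosctl upgrade` also needs `--image`), and the env-var list says TS_USERSPACE defaults to userspace networking while the service spec in this commit sets `TS_USERSPACE=false`, so the README should state that kernel networking is what ships. In the subnet-routing section, advertising 10.96.0.0/12 exposes every cluster service to any tailnet device that accepts the route, so it is worth one sentence pointing readers at tailnet ACLs to scope who can reach it. Typos: "pratical", "subnetrouting", "tailscales DNS".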
@@ -0,0 +1,10 @@ | ||
version: v1alpha1 | ||
metadata: | ||
name: tailscale | ||
version: "$VERSION" | ||
author: Beau Trepp | ||
description: | | ||
Tailscale connects your team's devices and development environments for easy access to remote resources. | ||
compatibility: | ||
talos: | ||
version: ">= v1.5.0" |
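Review bot: `version: "$VERSION"` only becomes a real version through the `sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml` step in pkg.yaml's prepare stage, and nothing in the manifest says so; a one-line comment above it (for example `# substituted during the pkg.yaml prepare step`) would save the next reader from wondering why the shipped manifest appears to contain a shell placeholder.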
@@ -0,0 +1,44 @@ | ||
name: tailscale | ||
variant: scratch | ||
shell: /toolchain/bin/bash | ||
dependencies: | ||
- stage: base | ||
steps: | ||
- env: | ||
GOPATH: /go | ||
- sources: | ||
- url: https://github.com/tailscale/tailscale/archive/refs/tags/v{{ .TAILSCALE_VERSION }}.tar.gz | ||
destination: tailscale.tar.gz | ||
sha256: dc230cf3ac290140e573268a6e8f17124752ef064c8d3a86765a9dbb6f1bd354 | ||
sha512: d3bd5adf469cb2cc5a6e7df08fd9327d1b2492f7779dbf9e4158cc137dfcbe7c07c51f10adc142d5cd2827b837633722b585f2f20dfdd5821703fc9e4aed333d | ||
prepare: | ||
- | | ||
sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml | ||
- | | ||
mkdir tailscale dist | ||
tar -xzvf tailscale.tar.gz --strip-components=1 -C tailscale | ||
build: | ||
- | | ||
export PATH=${PATH}:${TOOLCHAIN}/go/bin | ||
go build \ | ||
-C tailscale \ | ||
-o ../dist \ | ||
-ldflags "-X tailscale.com/version.shortStamp={{ .TAILSCALE_VERSION }} \ | ||
-X tailscale.com/version.longStamp={{ .TAILSCALE_VERSION }}-TalosLinux" \ | ||
tailscale.com/cmd/{tailscale,tailscaled,containerboot} | ||
install: | ||
- | | ||
mkdir -p /rootfs/usr/local/lib/containers/tailscale/usr/local/bin/ | ||
cp -pr dist/tailscale /rootfs/usr/local/lib/containers/tailscale/usr/local/bin | ||
cp -pr dist/tailscaled /rootfs/usr/local/lib/containers/tailscale/usr/local/bin | ||
cp -pr dist/containerboot /rootfs/usr/local/lib/containers/tailscale/usr/local/bin | ||
finalize: | ||
- from: /rootfs | ||
to: /rootfs | ||
- from: /pkg/manifest.yaml | ||
to: / | ||
- from: /pkg/tailscale.yaml | ||
to: /rootfs/usr/local/etc/containers/ |
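Review bot: the README in this same commit points at `docker.io/btrepp/tailscale:1.40.0` and the containerboot docs for v1.40.1, while this build uses TAILSCALE_VERSION 1.44.0 with the tarball pinned by sha256 and sha512; the docs should reference the version actually built, otherwise readers pull an image that does not match the pinned source. Pinning both digests on the `sources` entry is the right fail-closed behaviour and should stay. In the `build` step, consider adding `-trimpath` to `go build` so the three binaries do not embed the build host's file paths and the output is reproducible across builders, which also makes the pinned-source promise verifiable end to end.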
@@ -0,0 +1,62 @@ | ||
name: tailscale | ||
depends: | ||
- service: cri | ||
- network: | ||
- addresses | ||
- connectivity | ||
- etcfiles | ||
container: | ||
entrypoint: /usr/local/bin/containerboot | ||
environmentFile: /var/etc/tailscale/auth.env | ||
environment: | ||
- PATH=/sbin:/usr/local/bin | ||
- TS_SOCKET=/var/run/tailscale/tailscaled.sock | ||
- TS_STATE_DIR=/var/lib/tailscale | ||
- TS_USERSPACE=false | ||
security: | ||
writeableRootfs: false | ||
writeableSysfs: true | ||
mounts: | ||
# libs | ||
- source: /lib | ||
destination: /lib | ||
type: bind | ||
options: | ||
- bind | ||
- ro | ||
# more libs | ||
- source: /usr/lib | ||
destination: /usr/lib | ||
type: bind | ||
options: | ||
- bind | ||
- ro | ||
## Required for tailscale. Ip addr and other commands | ||
- source: /sbin | ||
destination: /sbin | ||
type: bind | ||
options: | ||
- bind | ||
- ro | ||
## Tailscale needs to write to this to create the interfaces | ||
- source: /dev/net/tun | ||
destination: /dev/net/tun | ||
type: bind | ||
options: | ||
- bind | ||
- rw | ||
## Tailscale socket | ||
- source: /var/run/tailscale | ||
destination: /var/run/tailscale | ||
type: bind | ||
options: | ||
- bind | ||
- rw | ||
## Tailscale state. Particularly its 'auth' state | ||
- source: /var/lib/tailscale | ||
destination: /var/lib/tailscale | ||
type: bind | ||
options: | ||
- bind | ||
- rw | ||
restart: always |
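Review bot: `writeableSysfs: true` gives this container write access to the host's /sys, but nothing in the spec says which sysfs writes tailscaled needs; the mounts below all carry a reason (`## Required for tailscale. Ip addr and other commands`, `## Tailscale needs to write to this to create the interfaces`), so this flag deserves the same, and if no sysfs write is actually required it should be `false` to keep the kernel surface exposed to this service minimal. Related: `/var/lib/tailscale` is mounted rw and, as its comment says, holds the node's auth state (the node's private key), so the host directory should be root-only, and `environmentFile: /var/etc/tailscale/auth.env` means whatever permissions the README assigns to that file decide who can read TS_AUTHKEY. Finally, `TS_USERSPACE=false` selects kernel networking through `/dev/net/tun`, which contradicts the README's claim that userspace networking is the default; one of the two should change.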
@@ -0,0 +1 @@ | ||
VERSION: "{{ .TAILSCALE_VERSION }}" |
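Review bot: `VERSION` mirrors `TAILSCALE_VERSION` exactly, so two builds of this extension that package the same upstream release differently (a change to the service spec's mounts or security settings, for instance) would ship under the same extension version; appending a packaging revision (for example `"{{ .TAILSCALE_VERSION }}-1"`) would let operators tell them apart when rolling nodes forward with `talosctl upgrade`.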
@@ -0,0 +1,2 @@ | ||
# renovate: datasource=github-releases extractVersion=^v(?<version>.*)$ depName=tailscale/tailscale | ||
TAILSCALE_VERSION: 1.44.0 |
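Review bot: the renovate annotation will bump `TAILSCALE_VERSION` automatically, but the sha256 and sha512 pinned in pkg.yaml's `sources` entry belong to the 1.44.0 tarball, so every automated bump will fail at the checksum step until someone updates both hashes by hand. That is the correct fail-closed outcome for a pinned source and must not be "fixed" by dropping the hashes; it should instead be documented (a comment here or in the README) and ideally paired with a post-upgrade step that recomputes the digests from the new release tarball, so the pin is maintained rather than bypassed.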