feat: tailscale extension #154
Cluster is healthy now
Could you also add a README?
/ok-to-test
@btrepp would it be possible to sign off the commit:
@frezbo should be done. Thanks for adding the environmentFile feature too! That will be awesome for future extensions.
Tailscale as a system service extension.

Creates network devices in the talos 'host'

Requires: siderolabs/talos#7408

Signed-off-by: Noel Georgi <git@frezbo.dev>
Signed-off-by: beau trepp <beautrepp@gmail.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>
/m
This downloads and compiles tailscale as a talos extension, running as a service. Uses the host/tun device.
Motivations
Motivation is to enable/simplify simple discovery, e.g. by being in Tailscale you can access your talos cluster anywhere, without needing to have routes set up if you are behind NAT devices, as would be common in hobby and lab setups.
In particular, I was chasing this for items like a NAS storage solution, so that I can use the tailnet IPs and DNS to mount NFS and other storage, which has a bit of a strange story on security.
Extension overview
Installation:

1. `talosctl upgrade`
2. Configure in Tailscale. It will log a message out, with a URL to join the device. I've chosen this approach as you don't need to manage a key, and would be 'interacting' with the operator on upgrades anyway, so if you nuke /var you need to do this again: `talosctl logs ext-tailscale`
Persistence:

It mounts /var/lib/tailscale as rw, as Tailscale requires state to not create new nodes.
This could be an issue on upgrades: if you don't use --preserve, you probably will have wiped the secrets Tailscale needs.
I've accepted this as an 'okay' tradeoff; in upgrades you are manually firing `talosctl upgrade` commands anyway, so your procedure will just have a 'second' step, to register (and rename, if required) nodes in Tailscale. The other option is ephemeral nodes and storing the auth key, which may be better, but Tailscale authkeys do expire, so it would be a trade-off.
Addresses:

Shows the addresses registered on the machine.
### Limitations

- MagicDNS not setup. DNS works now.
- Subnet router not configured. Would possibly be a great way of exposing multiple containers into the tailnet. Hardcoded this as a test. Works great, you can even get Tailscale to forward to kubedns, basically getting you all the services accessible from a Tailscale machine, via DNS.
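One way to script the upgrade-then-register procedure the description above outlines, as an added example that is not part of this PR or the extension. It assumes `talosctl` is on PATH and configured for the target node, and that the extension logs Tailscale's join URL on a line containing `https://login.tailscale.com/` (the PR says a URL is logged; the exact line shape is an assumption).

```shell
#!/bin/sh
# Added example (not from the PR). Assumptions: talosctl is configured for the
# node; the ext-tailscale log line carrying the join URL contains
# "https://login.tailscale.com/" (assumed line shape).
set -eu

# Pull the join URL out of `talosctl logs ext-tailscale` text. Pure text
# processing, so it can be exercised offline on constructed log lines.
# Prints the first URL found; returns 1 when there is none.
extract_login_url() {
    url=$(printf '%s\n' "$1" | grep -o 'https://login\.tailscale\.com/[^[:space:]]*' | head -n 1)
    [ -n "$url" ] || return 1
    printf '%s\n' "$url"
}

# Upgrade one node. --preserve keeps /var, and with it /var/lib/tailscale, so
# the node keeps its Tailscale identity instead of registering as a new node.
upgrade_node() {
    node=$1; image=$2
    talosctl upgrade --nodes "$node" --image "$image" --preserve
}

# After an upgrade that did wipe /var, poll the extension logs for the join
# URL the operator must open to (re-)register the node in the tailnet.
wait_for_login_url() {
    node=$1; tries=${2:-30}
    i=0
    while [ "$i" -lt "$tries" ]; do
        logs=$(talosctl logs --nodes "$node" ext-tailscale 2>/dev/null || true)
        if url=$(extract_login_url "$logs"); then
            printf '%s\n' "$url"
            return 0
        fi
        i=$((i + 1)); sleep 2
    done
    echo "no join URL seen in ext-tailscale logs after $tries attempts" >&2
    return 1
}
```

Typical use is `upgrade_node 10.0.0.5 <installer-image>` followed by `wait_for_login_url 10.0.0.5` only if the upgrade was run without --preserve.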