|
| 1 | +--- |
| 2 | +slug: /tailscale-service-exposal |
| 3 | +title: Tailscale |
| 4 | +sidebar_position: 3 |
| 5 | +--- |
| 6 | +# Expose Services with Tailscale |
| 7 | +This guide is a recommendation on how to access services from anywhere if you are evaluating the metalstack on-prem starter without a public IP-address. |
| 8 | + |
| 9 | +These steps will guide you through the process quickly. For a deeper dive, or if you want to use alternative setups, the Tailscale articles are also linked. |
| 10 | + |
| 11 | +## What are Tailscale and Tailnets? |
| 12 | +Tailscale is a Canadian company that offers a virtual private network solution based on WireGuard. |
| 13 | + |
| 14 | +Instead of relying on centralised VPN servers to route all traffic, Tailscale creates a mesh VPN called Tailnet. It creates encrypted peer-to-peer connections between network subscribers. This approach is claimed to improve throughput and stability while reducing latency. |
| 15 | + |
| 16 | +Tailscale's solution is composed of components that are mostly open source. Find more information on their [open source sstatement](https://tailscale.com/opensource) and their [GitHub repository](https://github.com/tailscale). |
| 17 | + |
| 18 | +## Setup an Account and Clients |
| 19 | +Please begin by [following these steps](https://login.tailscale.com/start) to use an authentication provider to create the first user account for your network. |
| 20 | + |
| 21 | +The first step is to install Tailscale clients on the devices from which you wish to access the Kubernetes services. |
| 22 | + |
| 23 | +Should you require to extend an invitation to additional users, this can be facilitated by navigating to the "Users" tab on the Admin Console. |
| 24 | + |
| 25 | +## Setup the Operator |
| 26 | +### Labels |
| 27 | +First, we will establish tags to categorise our services. Please open the 'Access controls' tab, where you will find a text editor containing all the Access Control settings in JSON format. |
| 28 | + |
| 29 | +Uncomment the `tagOwners` section and add the following tags: |
| 30 | +```json |
| 31 | +"tagOwners": { |
| 32 | + "tag:k8s-operator": [], |
| 33 | + "tag:k8s": ["tag:k8s-operator"], |
| 34 | +} |
| 35 | +``` |
| 36 | +The operator will use the `k8s-operator`-tag. Devices with this tag are now configured as owner for devices with the `k8s`-tag, which will be used for our services. |
| 37 | +### Create OAuth-Client Credentials |
| 38 | +In the "Settings" tab at "OAuth clients", generate a new OAuth client. Set write permissions for "Devices - Core" and "Keys - Auth Keys". Select the `k8s-operator` tag for both. |
| 39 | + |
| 40 | + |
| 41 | + |
| 42 | + |
| 43 | +Therefore, a device that has been assigned the label `k8s-operator` will have the capability to register additional devices with the `k8s` tag. |
| 44 | + |
| 45 | +When you click "create", you get a client-id and client-secret, that you will need to setup the operator. |
| 46 | +### Setup Operator with helm |
| 47 | +The most common and practical way is to use a Helm chart to setup the operator. Therefore, we first have to add and update the helm-repository of tailscale: |
| 48 | +``` |
| 49 | +helm repo add tailscale https://pkgs.tailscale.com/helmcharts |
| 50 | +helm repo update |
| 51 | +``` |
| 52 | + |
| 53 | +Now, we can install the helm-chart in a dedicated namespace using the credentials of the OAuth client |
| 54 | + |
| 55 | +```bash |
| 56 | +helm upgrade \ |
| 57 | + --install \ |
| 58 | + tailscale-operator \ |
| 59 | + tailscale/tailscale-operator \ |
| 60 | + --namespace=tailscale \ |
| 61 | + --create-namespace \ |
| 62 | + --set-string oauth.clientId="<OAauth client ID>" \ |
| 63 | + --set-string oauth.clientSecret="<OAuth client secret>" \ |
| 64 | + --wait |
| 65 | +``` |
| 66 | +Check on the administration console, if your operator appears on the Machines list. |
| 67 | + |
| 68 | +Alternative ways & troubleshooting: |
| 69 | +- Take the [operator.yaml manifest](https://github.com/tailscale/tailscale/blob/main/cmd/k8s-operator/deploy/manifests/operator.yaml) from the GitHub repository and make your adjustments to use [Static manifests with kubectl](https://tailscale.com/kb/1236/kubernetes-operator#static-manifests-with-kubectl) |
| 70 | +- If the operator does not show op in the Machines list, use the guide for [Troubleshooting the Kubernetes operator](https://tailscale.com/kb/1446/kubernetes-operator-troubleshooting) |
| 71 | +## Expose Services on the Tailnet |
| 72 | +There are three ways to allow traffic to your pods from the tailnet. We can setup a dedicated Service or annotate an existing one. For more routing options, use an Ingress object. For detailed configuration options, review the article about [Expose a Kubernetes cluster workload to your tailnet (cluster ingress)](https://tailscale.com/kb/1439/kubernetes-operator-cluster-ingress) |
| 73 | +### Add a Load Balancer Service |
| 74 | +The installed operator is looking for Service objects with the `spec.type`of `LoadBalancer`and the `spec.loadBalancerClass` of `tailscale`. |
| 75 | +```yaml |
| 76 | +--- |
| 77 | +apiVersion: v1 |
| 78 | +kind: Service |
| 79 | +metadata: |
| 80 | + name: nginx |
| 81 | +spec: |
| 82 | + ports: |
| 83 | + - name: https |
| 84 | + port: 443 |
| 85 | + targetPort: 443 |
| 86 | + type: LoadBalancer |
| 87 | + loadBalancerClass: tailscale |
| 88 | +``` |
| 89 | +### Annotate an existing Service |
| 90 | +Edit the Service and add the annotation `tailscale.com/expose` with the value "true": |
| 91 | +```yaml |
| 92 | +--- |
| 93 | +apiVersion: v1 |
| 94 | +kind: Service |
| 95 | +metadata: |
| 96 | + annotations: |
| 97 | + tailscale.com/expose: "true" |
| 98 | + name: nginx |
| 99 | +spec: |
| 100 | + ... |
| 101 | +``` |
| 102 | +Note that "true" is quoted because annotation values are strings, and an unquoted true will be incorrectly interpreted as a boolean. |
| 103 | +### Use an Ingress |
| 104 | +To enable path-based routing, use an Ingress resource. |
| 105 | +Ingress routes only use TLS over HTTPS. To make this work, you have to enable the `MagicDNS` and `HTTPS` options in the [DNS-Tab on your Administration Console](https://login.tailscale.com/admin/dns). This enables helpful features: |
| 106 | +- Magic DNS automatically register your services with subdomains in your tailnet |
| 107 | +- HTTPS enables the provisioning of certificates for devices |
| 108 | + |
| 109 | +To set the Ingress up, just refer to `tailscale` as the `ingressClassName`: |
| 110 | +```yaml |
| 111 | +--- |
| 112 | +apiVersion: networking.k8s.io/v1 |
| 113 | +kind: Ingress |
| 114 | +metadata: |
| 115 | + name: nginx |
| 116 | +spec: |
| 117 | + ingressClassName: tailscale |
| 118 | + rules: |
| 119 | + - http: |
| 120 | + paths: |
| 121 | + - path: / |
| 122 | + pathType: Prefix |
| 123 | + backend: |
| 124 | + ... |
| 125 | +``` |
| 126 | +Please consider, that currently only paths with `pathType: prefix` are supported currently |
0 commit comments