mirrors/talos-extensions
1
0
Fork 0
mirror of https://github.com/siderolabs/extensions.git synced 2025-08-05 22:07:14 +02:00
Code Issues Packages Projects Releases Wiki Activity
main
talos-extensions/network/tailscale
History
Dmitrii Sharshakov cd4673697a
feat: add SBOM to some extensions 
Tailscale is built here, with SBOM generated in its pkg.yaml, and
nvidia-lts copies SBOM from pkgs.

Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
2025-07-15 18:36:21 +02:00
..
manifest.yaml feat: tailscale extension 2023-06-28 21:01:27 +05:30
pkg.yaml feat: add SBOM to some extensions 2025-07-15 18:36:21 +02:00
README.md docs: improve ExtensionServiceConfig docs 2024-04-25 18:42:54 +05:30
tailscale.yaml fix: add SSL mount to Tailscale 2025-04-17 08:00:48 -05:00
vars.yaml feat: tailscale extension 2023-06-28 21:01:27 +05:30

README.md

Tailscale

Adds https://tailscale.com network interfaces as system extensions. This means you can access your talos nodes from machines you have configured with tailscale

Installation

See Installing Extensions.

Usage

Configure the extension via ExtensionServiceConfig document.

---
apiVersion: v1alpha1
kind: ExtensionServiceConfig
name: tailscale
environment:
  - TS_AUTHKEY=<your auth key>

Then apply the patch to your node's MachineConfigs

talosctl patch mc -p @tailscale-config.yaml

You will then be able to verify that it is in place with the following command

talosctl get extensionserviceconfigs

NODE          NAMESPACE   TYPE                     ID           VERSION
mynode   runtime     ExtensionServiceConfig   tailscale   1

Configuration

This extension runs containerboot https://pkg.go.dev/tailscale.com@v1.40.1/cmd/containerboot

Extra tailscale specific environment vars can be configured as needed in /var/etc/tailscale/auth.env

Current known env vars are:

  • TS_AUTHKEY: the authkey to use for login.
  • TS_HOSTNAME: the hostname to request for the node.
  • TS_ROUTES: subnet routes to advertise.
  • TS_DEST_IP: proxy all incoming Tailscale traffic to the given destination.
  • TS_TAILSCALED_EXTRA_ARGS: extra arguments to 'tailscaled'.
  • TS_EXTRA_ARGS: extra arguments to 'tailscale up'.
  • TS_USERSPACE: run with userspace networking (the default) instead of kernel networking.
  • TS_STATE_DIR: the directory in which to store tailscaled state. The data should persist across container restarts.
  • TS_ACCEPT_DNS: whether to use the tailnet's DNS configuration.
  • TS_KUBE_SECRET: the name of the Kubernetes secret in which to store tailscaled state.
  • TS_SOCKS5_SERVER: the address on which to listen for SOCKS5 proxying into the tailnet.
  • TS_OUTBOUND_HTTP_PROXY_LISTEN: the address on which to listen for HTTP proxying into the tailnet.
  • TS_SOCKET: the path where the tailscaled LocalAPI socket should be created.
  • TS_AUTH_ONCE: if true, only attempt to log in if not already logged in. If false (the default, for backwards compatibility), forcibly log in every time the container starts.

Subnet routing

A pratical example is enabling subnetrouting

---
apiVersion: v1alpha1
kind: ExtensionServiceConfig
name: tailscale
environment:
  - TS_AUTHKEY=<your auth key>
  - TS_ROUTES=10.96.0.0/12

10.96.0.0/12 is the service subnet talos uses by default (if you use a custom one, you will need to change it). This allows the k8s services to be available over tailscale (without an ingress controller!).

With this enabled, you can configure tailscales DNS to actually forward certain search domains to coredns, making it very easy to access k8s services from an external device.