Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mewil/tailscale-ingress-controller

A Kubernetes Ingress Controller for Tailscale
https://github.com/mewil/tailscale-ingress-controller

kubernetes tailscale

Last synced: 4 days ago
JSON representation

A Kubernetes Ingress Controller for Tailscale

Host: GitHub
URL: https://github.com/mewil/tailscale-ingress-controller
Owner: mewil
License: mit
Created: 2022-11-26T21:33:49.000Z (almost 2 years ago)
Default Branch: main
Last Pushed: 2024-06-16T14:24:23.000Z (5 months ago)
Last Synced: 2024-06-21T19:04:16.379Z (5 months ago)
Topics: kubernetes, tailscale
Language: Go
Homepage:
Size: 33.2 KB
Stars: 7
Watchers: 2
Forks: 6
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# Tailscale Ingress Controller

This is a [Kubernetes Ingress Controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) for [Tailscale](https://tailscale.com/).
The controller will [create a Tailscale node](https://tailscale.com/blog/tsnet-virtual-private-services/) for each host present in an Ingress resource and then route all incoming traffic to the correct backend service.

Try it out by applying the resources in the demo directory:
```
git clone https://github.com/mewil/tailscale-ingress-controller
cd tailscale-ingress-controller/demo
export TS_AUTHKEY=
sed "s/\$TS_AUTHKEY/$TS_AUTHKEY/g" * | kubectl apply -f -
```

If all goes well, you should be able to access the hello world HTTP demo service at `http://demo` on your Tailscale network.

## How it works

The demo manifests create a demo backend deployment and service, a demo ingress resource, a deployment for the ingress controller, and a secret for your Tailscale key.
The controller will create a Tailscale node with the hostname `demo` and proxy traffic from the Tailscale network to the backend Kubernetes service.

The controller proxy server will also parse the remote IP address from Tailscale and add `X-Webauth-User` and `X-Webauth-Name` HTTP headers to the request before forwarding it for the Tailscale login name and display name, respectively.
If the host is also listed in the `tls` section of the Ingress spec (see comment in the example Ingress to try it), then the Tailscale node will proxy requests from port 443 instead of 80 and [automatically generate a certificate for itself](https://tailscale.com/blog/tls-certs/).

## Future Work
- Store Tailscale state in a Kubernetes Secret
- Support Ingress Classes
- High Availability