Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/michaelbeaumont/tailway

Gateway API on tailscale
https://github.com/michaelbeaumont/tailway

gateway-api kubernetes tailscale

Last synced: 12 days ago
JSON representation

Gateway API on tailscale

Host: GitHub
URL: https://github.com/michaelbeaumont/tailway
Owner: michaelbeaumont
Created: 2023-07-20T22:17:37.000Z (over 1 year ago)
Default Branch: main
Last Pushed: 2023-07-25T22:29:49.000Z (over 1 year ago)
Last Synced: 2024-10-13T00:04:03.334Z (26 days ago)
Topics: gateway-api, kubernetes, tailscale
Language: Go
Homepage:
Size: 27.3 KB
Stars: 1
Watchers: 2
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# Tailway

Tailway is an implementation of a very limited subset of Gateway API using
Tailscale.

The idea is to improve on the current k8s-operator by handling TLS termination and
certificate provisioning.

It's mostly a weekend experiment. It can never be a compliant Gateway API
implementation without using some other proxy. In fact, the upstream `LoadBalancer`
controller, once it supports TLS and address tracking, is probably the better
option.

## Installation and usage

Deploy the controller:

```
$ kubectl apply -f manifests/controller.yaml
```

and create a `GatewayClass` pointing to Tailscale oauth credentials:

```
# manifests/config.yaml
---
apiVersion: v1
kind: Secret
metadata:
name: my-tailnet-oauth
namespace: tailway-system
stringData:
client_id: # oauth client_id
client_secret: # oauth client_secret
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: GatewayClass
metadata:
name: my-tailnet
annotations:
# tags the managed machines should have
tailway.michaelbeaumont.github.io/tags: tag:k8s
spec:
controllerName: "tailway.michaelbeaumont.github.io/controller"
parametersRef:
kind: Secret
group: ""
name: my-tailnet-oauth
namespace: tailway-system
```

then launch a `Gateway`:

```
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
name: nginx
spec:
gatewayClassName: my-tailnet
listeners:
- port: 443
name: https
protocol: TLS
tls:
# this is required by the Gateway API webhook but
# isn't used. Tailscale provisions certs.
certificateRefs: [name: dummy]
# you can specify the name of your machine
# otherwise a default of - is used
addresses:
- type: Hostname
value: nginx
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
name: nginx
spec:
# only one rule with one backend is supported
rules:
- backendRefs:
- name: nginx
port: 80
parentRefs:
- name: my-tailnet
kind: nginx
```

The various addresses of the created machine are tracked in the `Gateway` status:

```
status:
addresses:
- type: Hostname
value: nginx.my-tailnet.ts.net
- type: IPAddress
value: 100.124.73.39
- type: IPAddress
value: fd7a:225c:a1f0:ab13:4843:cd96:627c:4927
```

## WIP

- [ ] handle conflicts (existing machines, listener conflicts, etc)
- [ ] handle deletion of gateways
- [ ] Dockerfile: why doesn't distroless work?
- [ ] limit RBAC permissions
- [ ] webhook
- [ ] more status/condition setting
- [ ] parametersRef