Tailscale Operator
Kubernetes operator for Tailscale VPN connectivity
The Tailscale Operator provides secure VPN connectivity for the Infra Management Cluster, enabling operators to access internal services via Tailscale.
ArgoCD Resource
| Property | Value |
|---|---|
| Kind | Application |
| Name | tailscale-operator |
| Namespace | tailscale |
| Project | infra-services |
| Source Type | Helm |
| File Path | apps/tailscale-operator.yaml |
Application Definition
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: tailscale-operator
  labels:
    domain: infra
    managed-by: global-infra-admins
    slack: 'infra-team'
spec:
  syncPolicy:
    automated:
      prune: true
  destination:
    namespace: tailscale
    server: https://kubernetes.default.svc
  project: infra-services
  source:
    chart: tailscale-operator
    repoURL: 'https://pkgs.tailscale.com/helmcharts'
    targetRevision: 1.92.5
    helm:
      valuesObject:
        installCRDs: true
        operatorConfig:
          defaultTags:
            - "tag:k8s-operator"
          image:
            repository: tailscale/k8s-operator
            tag: "v1.92.5"
          hostname: "tailscale-operator-infra-platform"
          resources:
            limits:
              cpu: 250m
              memory: 512Mi
            requests:
              cpu: 250m
              memory: 512Mi
        ingressClass:
          enabled: true
        proxyConfig:
          defaultTags: "tag:k8s"
          firewallMode: auto
        apiServerProxyConfig:
          mode: "true"
```
Key Configuration
Operator Settings
| Setting | Value | Purpose |
|---|---|---|
| operatorConfig.defaultTags | tag:k8s-operator | ACL tag applied to the operator's own Tailscale node |
| operatorConfig.hostname | tailscale-operator-infra-platform | Tailscale hostname of the operator node |
| installCRDs | true | Install the Tailscale CRDs with the chart |
Proxy Settings
| Setting | Value | Purpose |
|---|---|---|
| proxyConfig.defaultTags | tag:k8s | ACL tag applied to proxy nodes the operator creates |
| proxyConfig.firewallMode | auto | Let the proxies pick the firewall mode automatically |
| apiServerProxyConfig.mode | true | Expose the Kubernetes API server over Tailscale via the operator |
Ingress Class
The operator creates a Tailscale IngressClass, enabling services to be exposed via Tailscale.
How to Update
Upgrading the Operator
- Update `targetRevision` in `apps/tailscale-operator.yaml`
- Update `operatorConfig.image.tag` to match
- Review the Tailscale changelog
- Commit and push to `main`
Modifying Configuration
- Edit the `valuesObject` in `apps/tailscale-operator.yaml`
- Commit and push to `main`
OAuth Credentials
The operator requires OAuth credentials stored in a Secret named operator-oauth. This Secret must contain:
- `client_id`: Tailscale OAuth client ID
- `client_secret`: Tailscale OAuth client secret
The Secret is managed separately (not in this Application).
Related Resources
| Resource | Purpose |
|---|---|
| operator-oauth Secret | OAuth credentials for Tailscale |
| Tailscale CRDs | Custom resources for Tailscale configuration |
| IngressClass tailscale | Enables Tailscale-based ingress |
Tailscale ACL Requirements
The Tailscale ACL must grant the operator ownership of the configured tags:
```json
{
  "tagOwners": {
    "tag:k8s-operator": ["autogroup:admin"],
    "tag:k8s": ["tag:k8s-operator"]
  }
}
```
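Two things on this page are easy to get wrong in a commit: the chart `targetRevision` and `operatorConfig.image.tag` drifting apart during an upgrade, and the ACL `tagOwners` block no longer covering the tags the operator is configured to use. The following pre-commit check is an added example, not part of this repository's tooling; it takes the Application's `spec.source` as a dict (constructed inline here from the values above) and the ACL policy as JSON, and reports any inconsistency.

```python
import json

# Constructed from the Application definition on this page (same shape as
# spec.source in apps/tailscale-operator.yaml).
APP = {"spec": {"source": {
    "chart": "tailscale-operator",
    "targetRevision": "1.92.5",
    "helm": {"valuesObject": {
        "operatorConfig": {"defaultTags": ["tag:k8s-operator"],
                           "image": {"repository": "tailscale/k8s-operator", "tag": "v1.92.5"}},
        "proxyConfig": {"defaultTags": "tag:k8s"},
    }},
}}}

# Constructed ACL policy, matching the tagOwners block on this page.
ACL_JSON = ('{"tagOwners": {"tag:k8s-operator": ["autogroup:admin"],'
            ' "tag:k8s": ["tag:k8s-operator"]}}')


def check_versions(app):
    """Return problems if the operator image tag and chart version drift apart."""
    src = app["spec"]["source"]
    image_tag = src["helm"]["valuesObject"]["operatorConfig"]["image"]["tag"]
    # Chart versions have no "v" prefix; image tags do. Compare the bare version.
    if image_tag.lstrip("v") != src["targetRevision"]:
        return [f"image tag {image_tag} != chart targetRevision {src['targetRevision']}"]
    return []


def check_tag_owners(app, acl):
    """Return problems if the ACL does not let the operator use its tags."""
    values = app["spec"]["source"]["helm"]["valuesObject"]
    operator_tags = values["operatorConfig"]["defaultTags"]
    proxy_tags = [t.strip() for t in values["proxyConfig"]["defaultTags"].split(",")]
    owners = acl.get("tagOwners", {})
    problems = []
    # The operator's own tag needs an owner, or the OAuth client cannot join with it.
    for tag in operator_tags:
        if not owners.get(tag):
            problems.append(f"{tag} has no tagOwners entry")
    # Proxy tags must be owned by the operator tag, or proxy nodes cannot be tagged.
    for tag in proxy_tags:
        if not any(o in owners.get(tag, []) for o in operator_tags):
            problems.append(f"{tag} is not owned by any of {operator_tags}")
    return problems


def run_checks(app, acl_json):
    """All problems found; an empty list means the config is consistent."""
    return check_versions(app) + check_tag_owners(app, json.loads(acl_json))
```

`run_checks(APP, ACL_JSON)` returns an empty list for the values on this page; a missing `tag:k8s` owner or an image tag that lags the chart version each produce one message.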