K8s Tailscale reverse proxy
Tailscale introduced the K8s operator that allows us to expose tailnet devices/services to a Kubernetes cluster (among many other features). As always, I’m using Flux. We’re going to install the Tailscale operator from its Helm chart:
Warning! Storing the Tailscale client-id/client-secret in YAML is a bad idea. Load the values from a secret instead.
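One way to follow that advice with Flux, as an added example that is not part of the original post: the HelmRelease pulls both OAuth values from a Kubernetes Secret through `valuesFrom`. The namespace and HelmRepository name `tailscale`, the Secret name `tailscale-oauth` and its keys are assumptions, as are the API versions (`v2` / `v1`, which require a recent Flux release).

```yaml
# Added example, not the author's manifest. Names marked "assumed" are illustrative.
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: tailscale            # assumed name
  namespace: tailscale       # assumed namespace
spec:
  interval: 1h
  url: https://pkgs.tailscale.com/helmcharts
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: tailscale-operator
  namespace: tailscale
spec:
  interval: 1h
  chart:
    spec:
      chart: tailscale-operator
      sourceRef:
        kind: HelmRepository
        name: tailscale
  # Weak: credentials inline, readable by anyone with access to the Git repo.
  # values:
  #   oauth:
  #     clientId: "<client-id>"
  #     clientSecret: "<client-secret>"
  #
  # Better: Flux reads both values from a Secret at reconcile time.
  valuesFrom:
    - kind: Secret
      name: tailscale-oauth        # assumed name; same namespace as the HelmRelease
      valuesKey: client_id         # assumed key inside the Secret
      targetPath: oauth.clientId
    - kind: Secret
      name: tailscale-oauth
      valuesKey: client_secret     # assumed key inside the Secret
      targetPath: oauth.clientSecret
```

The Secret itself should be created out of band or committed only in encrypted form (for example with SOPS, which Flux can decrypt), so the plaintext credentials never land in Git.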
Env variables CLIENT_ID_FILE and CLIENT_SECRET_FILE can be used to mount credentials into your pods. For a full example, see this official manifest.yaml.
Alternatively, you can use postBuild substitution to pass those args as values to the Helm chart.

Our goal is to expose a service running on 100.106.152.101:8080.
We define a Service object:
apiVersion: v1
kind: Service
metadata:
  annotations:
    tailscale.com/tailnet-ip: 100.106.152.101
  name: reverse-service
spec:
  # any value - will be overwritten by operator
  externalName: placeholder
  type: ExternalName
Finally, an ingress object to terminate SSL and expose the device to the internet:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: reverse-ingress-http
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
    cert-manager.io/cluster-issuer: "<your cluster issuer>"
    kubernetes.io/ingress.class: "nginx"
spec:
  ingressClassName: nginx
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: reverse-service
                port:
                  number: 8080
      host: test.example.de
  tls:
    - hosts:
        - test.example.de
      secretName: reverse-ingress-http