Tailscale + Kubernetes + Istio (certs)


I have a Kubernetes cluster running a web server, an Istio ingress gateway, and some microservices that I've installed on a bare metal tailscale node at home (and only on my tailnet, not publicly accessible).

I've got things running and can reach the website from my tailnet, and now I'm trying to get things serving over https. I'm using the Tailscale MagicDNS feature.

I know that tailscale cert <domain> delivers .crt and .key files, and I know I can add these as a secret to my cluster, but it's not clear to me yet how to fully wire this up (maybe something with cert-manager?) nor how I can keep the certs fresh. Any help is appreciated!

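For the path the question describes (loading the files that tailscale cert writes into a cluster secret and keeping them fresh), here is an added example that is not part of either post. It assumes tailscale and kubectl are available on the node with cluster access; the MagicDNS hostname, namespace and secret name are placeholders, and the resulting kubernetes.io/tls secret is what an Istio Gateway's tls.credentialName would reference.

```shell
#!/bin/sh
# Added example, not code from either post. Refreshes a kubernetes.io/tls
# secret from the certificate that `tailscale cert` writes, so an Istio
# Gateway can reference it via tls.credentialName. Run from cron on the node.
# Assumptions (not on the page): tailscale and kubectl are on PATH with
# access, and the hostname, namespace and secret name are placeholders.
set -eu

# Kubernetes Secret names must be DNS-1123 labels: lowercase, [a-z0-9-],
# at most 63 characters. Derive one from the MagicDNS hostname.
secret_name_for() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9-]/-/g' | cut -c1-63
}

# True when the on-disk certificate differs from what the cluster holds,
# so an unchanged certificate does not churn the secret on every run.
cert_changed() {
  crt="$1"; ns="$2"; name="$3"
  current=$(kubectl -n "$ns" get secret "$name" \
              -o jsonpath='{.data.tls\.crt}' 2>/dev/null \
            | base64 -d 2>/dev/null || true)
  [ "$current" != "$(cat "$crt")" ]
}

renew_secret() {
  host="$1"; ns="$2"; name="$3"
  dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT
  # tailscale cert reuses its cached certificate and renews it when it is
  # close to expiry, so running this daily keeps the secret fresh.
  tailscale cert --cert-file "$dir/tls.crt" --key-file "$dir/tls.key" "$host"
  if cert_changed "$dir/tls.crt" "$ns" "$name"; then
    kubectl create secret tls "$name" -n "$ns" \
      --cert="$dir/tls.crt" --key="$dir/tls.key" \
      --dry-run=client -o yaml | kubectl apply -f -
  fi
}

# Usage: ./renew-ts-cert.sh <magicdns-host> [namespace]
if [ "${1:-}" != "" ]; then
  renew_secret "$1" "${2:-istio-system}" "$(secret_name_for "$1")"
fi
```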

@codedread

No need to go through the Istio ingress gateway, since tailscale is considered another gateway already.

This is my working implementation for you as a reference. This setup will handle the TLS cert very nicely.

# Namespace for the Tailscale Kubernetes operator. Istio sidecar injection is
# disabled here because the operator's proxies talk to the tailnet directly.
resource "kubernetes_namespace" "tailscale_system" {
  count = contains(var.enabled_addons, "tailscale-system") ? 1 : 0
  metadata {
    annotations = {
      name = "tailscale-system"
    }

    labels = merge(
      var.tags,
      {
        istio-injection                 = "false"
        "prometheus-metrics-collection" = "true"
      },
    )

    name = "tailscale-system"
  }
}

# OAuth client the operator uses to join the tailnet. The count matches the
# namespace so the [0] index below does not fail when the addon is disabled.
resource "kubernetes_secret" "tailscale_secret" {
  count = contains(var.enabled_addons, "tailscale-system") ? 1 : 0
  metadata {
    name      = "operator-oauth"
    namespace = kubernetes_namespace.tailscale_system[0].metadata[0].name
  }

  data = {
    client_id     = var.tailscale_client_id
    client_secret = var.tailscale_client_secret
  }

  lifecycle {
    ignore_changes = [metadata[0].labels, metadata[0].annotations]
  }
}

# The operator chart, installed from a local checkout of the tailscale repo.
resource "helm_release" "tailscale_operator" {
  count = contains(var.enabled_addons, "tailscale-system") ? 1 : 0
  depends_on = [
    kubernetes_namespace.tailscale_system,
    kubernetes_secret.tailscale_secret
  ]

  name      = "tailscale-operator"
  chart     = "./tailscale/deploy/chart-operator/."
  namespace = kubernetes_namespace.tailscale_system[0].metadata[0].name
  version   = "v0.1.0"
  values = [
    file("./tailscale/deploy/chart-operator/values.yaml")
  ]

  set {
    name  = "operatorConfig.hostname"
    value = "tailscale-operator-${var.tags.Environment}"
  }
}

# Exposes argocd-server on the tailnet. ingressClassName "tailscale" hands the
# Ingress to the operator, which registers the tls host as a tailnet device
# under that MagicDNS name and terminates HTTPS for it with a tailnet
# certificate, so neither cert-manager nor the Istio ingress gateway is needed.
resource "kubernetes_manifest" "argocd_server_tailscale_ingress" {
  provider = kubernetes

  manifest = {
    "apiVersion" = "networking.k8s.io/v1",
    "kind"       = "Ingress",
    "metadata" = {
      "name"      = "argocd-ingress",
      "namespace" = "argocd-system"
    },
    "spec" = {
      "defaultBackend" = {
        "service" = {
          "name" = "argocd-server",
          "port" = {
            "number" = 80
          }
        }
      },
      "ingressClassName" = "tailscale",
      "tls" = [
        {
          "hosts" = [
            "argocd-${var.environment}"
          ]
        }
      ]
    }
  }
}