Tailscale Operator & Ansible Tailscale deployment #658
jchristgit left a comment
Looks good for the most part.
| ident_file = '/etc/postgresql/{{ postgres_version }}/main/pg_ident.conf' | ||
| external_pid_file = '/var/run/postgresql/{{ postgres_version }}-main.pid' | ||
| listen_addresses = '89.58.26.118,localhost' | ||
| listen_addresses = '89.58.26.118,lovelace.opossum-python.ts.net,localhost' |
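Review bot: the MagicDNS name in `listen_addresses` ties PostgreSQL's network setup to tailscaled being up, but the failure mode is quieter than a refused start: the postmaster resolves and binds each listed address at startup and only emits a warning ("could not create listen socket for ...") for an address it cannot resolve or bind, becoming fatal only when none of them succeed. So if `lovelace.opossum-python.ts.net` does not resolve yet, PostgreSQL comes up on the public IPv4 and localhost and silently never listens on the tailnet until it is restarted. Either add a systemd ordering dependency on tailscaled, or take the suggestion above and bind `*` with nftables as the access boundary; in that case keep pg_hba.conf restricted to the expected source addresses, since binding every interface means a firewall mistake exposes the server directly.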
I assume this means PostgreSQL won't start if Tailscale is not running, doesn't it?
Should we perhaps change this to * while we're at it, then? Since we already listen on our public IPv4 and rely on nftables there, we might as well, no?
| - name: Update APT cache (Debian) | ||
| ansible.builtin.apt: | ||
| update_cache: yes | ||
| when: ansible_facts["distribution"] == "Debian" | ||
| tags: | ||
| - role::tailscale |
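Review bot: `update_cache: yes` here runs on every play regardless of whether the repository task before it changed anything, so it costs a network round-trip per run and never reports a meaningful changed status. Move it into a handler notified by the repository task and run `ansible.builtin.meta: flush_handlers` before the package install, or register the repository task and gate this one with `when: <result> is changed`; if a periodic refresh is wanted anyway, `cache_valid_time` on the install task's `apt` call covers that. Also prefer `true` over `yes` for booleans, which ansible-lint's yaml truthy rule flags.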
Suggestion 1: use a handler and then - meta: flush_handlers for this
Suggestion 2: Register the task above, then add add_tailscale_apt_repository is changed to when here
| - name: Update APT cache (Debian) | ||
| ansible.builtin.apt: | ||
| update_cache: yes | ||
| when: ansible_facts["distribution"] == "Debian" |
We could group all of these together in a block for a single condition per distribution, but I am indifferent about it.
| - name: Set tailscale_hosted_services to empty list if not defined | ||
| ansible.builtin.set_fact: | ||
| tailscale_hosted_services: [] | ||
| when: not tailscale_hosted_services | ||
| tags: | ||
| - role::tailscale |
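Review bot: the `when: not tailscale_hosted_services` condition does not implement what the task name says. If the variable is genuinely undefined, evaluating `not tailscale_hosted_services` raises an undefined-variable error and fails the play (Ansible uses strict undefined handling by default); if it is defined and non-empty the task is skipped; so the only case that actually runs is a list that is already empty, which makes the `set_fact` a no-op. Declare `tailscale_hosted_services: []` in the role's `defaults/main.yml` and drop this task, or at minimum change the condition to `when: tailscale_hosted_services is not defined`.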
Is there a way we could get the task above to return this? When would this condition hit?
| - role::tailscale | ||
|
|
||
| - name: Ensure Tailscale services are configured | ||
| ansible.builtin.command: |- |
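Review bot: `ansible.builtin.command` reports changed on every run, so this task will show a change each time the role is applied, which is what the linter is flagging. Register the result and derive `changed_when` from the item's stdout as noted, and pair it with a `failed_when` (or at least rely on the non-zero rc) so a partially applied configuration is not reported as ok. Since the command body is cut off here, also consider a preceding read-only status query with `changed_when: false` and a `when` guard on the configure step, so the task is idempotent rather than merely labelled correctly.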
The linter is right here, we should add changed_when depending on the item standard output.
| # Allow all traffic from/to tailscale0 | ||
| iifname tailscale0 accept |
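Review bot: `iifname tailscale0 accept` matches only packets arriving on tailscale0, so this is an input-side rule and the comment's "from/to" overstates it; "from" alone is accurate, as the suggestion says. Separately, the accept carries no protocol or port qualifier, so every peer the tailnet ACL lets reach this host gets every local service. That moves per-service policy entirely into Tailscale's ACLs, which is a reasonable design if intended, but it deserves a comment saying so, or a port set if only specific services should be reachable over the tailnet.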
This comment is incorrect, this is the input chain. It also restates what the code speaks.
| # Allow all traffic from/to tailscale0 | |
| iifname tailscale0 accept | |
| # Allow all traffic from Tailscale | |
| iifname tailscale0 accept |
| tailscale/tailscale-operator \ | ||
| --namespace=tailscale \ | ||
| --create-namespace \ | ||
| --set-string oauth.clientId="<OAauth client ID>" \ |
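Review bot: any value passed with `--set-string`, including the OAuth client ID here and the client secret if it is supplied the same way, goes on the command line, so it lands in shell history and is stored with the release where `helm get values` returns it. Prefer `--set-file` or a `-f values.yaml` kept outside the repository, or a pre-created Kubernetes Secret if the chart supports referencing one, so the credential never passes through argv. The `OAauth` typo is covered by the suggestion below.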
| --set-string oauth.clientId="<OAauth client ID>" \ | |
| --set-string oauth.clientId="<OAuth client ID>" \ |
This PR introduces Tailscale to both Kubernetes & Ansible hosts.
On Kubernetes, the Tailscale Operator is used to allow routing traffic in/out of the cluster over Tailscale to other nodes connected to the tailnet. This allows us to securely forward traffic to an external service from any Kubernetes node without having to compromise on security.
Likewise in Ansible we now provision Tailscale on every host, optionally configuring service forwarding (where a service is allocated its own FQDN within the tailnet) for traffic to be routed to. We can use this to secure inter-node communication on Ansible hosts or bring traffic from Kubernetes safely into Ansible with minimal overhead.
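The review comments above amount to a concrete set of Ansible patterns: default the service list in `defaults/main.yml` instead of a conditional `set_fact`, refresh the APT cache through a handler that is flushed before the install, and make the `command` task idempotent with a real `changed_when`. The role fragment below is an added example written for this page, not the PR's own role. The package repository and keyring URLs follow Tailscale's published Debian install instructions, the `tailscale serve --bg --https=<port> <target>` command and the substring check against `tailscale serve status --json` are stand-ins for whatever the PR's elided command does, and the item shape of `tailscale_hosted_services` (`name`, `port`, `target`) is an assumption.

```yaml
# defaults/main.yml
# Declaring the default here removes the need for a set_fact guarded by
# "when: not tailscale_hosted_services", which errors when the variable is
# undefined and is a no-op when it is already an empty list.
tailscale_hosted_services: []
# Item shape assumed by the tasks below (not the PR's schema):
#   - { name: grafana, port: 443, target: "http://127.0.0.1:3000" }

# handlers/main.yml
- name: Update APT cache
  ansible.builtin.apt:
    update_cache: true

# tasks/main.yml
- name: Install Tailscale (Debian)
  when: ansible_facts['distribution'] == 'Debian'
  tags: [role::tailscale]
  block:
    - name: Install Tailscale APT signing key
      ansible.builtin.get_url:
        # URL layout follows pkgs.tailscale.com's Debian instructions (assumption).
        url: "https://pkgs.tailscale.com/stable/debian/{{ ansible_facts['distribution_release'] }}.noarmor.gpg"
        dest: /usr/share/keyrings/tailscale-archive-keyring.gpg
        mode: "0644"

    - name: Add Tailscale APT repository
      ansible.builtin.apt_repository:
        repo: >-
          deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg]
          https://pkgs.tailscale.com/stable/debian
          {{ ansible_facts['distribution_release'] }} main
        filename: tailscale
        update_cache: false
      notify: Update APT cache

    # Handlers normally run at the end of the play; flushing here makes the
    # cache refresh happen only when the repository actually changed, and
    # before the install below needs the new package index.
    - name: Flush handlers
      ansible.builtin.meta: flush_handlers

    - name: Install tailscale package
      ansible.builtin.apt:
        name: tailscale
        state: present
        cache_valid_time: 3600

- name: Read current Tailscale serve configuration
  ansible.builtin.command: tailscale serve status --json
  register: tailscale_serve_status
  changed_when: false
  check_mode: false
  tags: [role::tailscale]

- name: Ensure Tailscale services are configured
  # "tailscale serve --bg --https=PORT TARGET" is a stand-in for the PR's
  # elided command, not a claim about what the PR runs.
  ansible.builtin.command: >-
    tailscale serve --bg --https={{ item.port }} {{ item.target }}
  loop: "{{ tailscale_hosted_services }}"
  loop_control:
    label: "{{ item.name }}"
  register: tailscale_serve
  # Assumption: the status JSON contains each configured proxy target, so a
  # target already present means there is nothing to do. The guard keeps the
  # task idempotent and gives changed_when a truthful answer, which is what
  # the linter's no-changed-when complaint asks for.
  when: item.target not in tailscale_serve_status.stdout
  changed_when: true
  failed_when: tailscale_serve.rc != 0
  tags: [role::tailscale]
```

With the default declared in `defaults/main.yml`, an inventory that sets nothing simply produces an empty loop and the serve tasks are skipped; a host that opts in lists its services under `tailscale_hosted_services` and only the missing entries are applied and reported as changed.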