ipn/store: add ability to store data as k8s secrets.

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2025-08-11 13:18:53 +00:00 · 2021-09-01 08:11:43 -07:00
parent f53792026e
commit 0842e2f45b
11 changed files with 493 additions and 4 deletions
--- a/docs/k8s/README.md
+++ b/docs/k8s/README.md
@@ -0,0 +1,20 @@
+# Using Kubernetes Secrets as the state store for Tailscale
+Tailscale supports using Kubernetes Secrets as the state store, however there is some configuration required in order for it to work.
+
+**Note: this only works if `tailscaled` runs inside a pod in the cluster.**
+
+1. Create a service account for Tailscale (optional)
+   ```
+   kubectl create -f sa.yaml
+   ```
+
+1. Create role and role bindings for the service account
+   ```
+   kubectl create -f role.yaml
+   kubectl create -f rolebinding.yaml
+   ```
+
+1. Launch `tailscaled` with a Kubernetes Secret as the state store.
+   ```
+   tailscaled --state=kube:tailscale
+   ```
--- a/docs/k8s/role.yaml
+++ b/docs/k8s/role.yaml
@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: default
+  name: tailscale
+rules:
+- apiGroups: [""] # "" indicates the core API group
+  resourceNames: ["tailscale"]
+  resources: ["secrets"]
+  verbs: ["create", "get", "update"]
--- a/docs/k8s/rolebinding.yaml
+++ b/docs/k8s/rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  namespace: default
+  name: tailscale
+subjects:
+- kind: ServiceAccount
+  name: tailscale
+roleRef:
+  kind: Role
+  name: tailscale
+  apiGroup: rbac.authorization.k8s.io
--- a/docs/k8s/sa.yaml
+++ b/docs/k8s/sa.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tailscale
+  namespace: default