我有一个运行 Web 服务器、Istio 入口网关和一些微服务的 Kubernetes 集群,我已将这些微服务安装在家里的裸机 tailscale 节点上(并且仅在我的 tailnet 上,不可公开访问)。
我已经开始运行并且可以从我的 tailnet 访问该网站,现在我正在尝试通过 https 获取服务。我正在使用 Tailscale MagicDNS 功能。
我知道
tailscale cert <domain>@codedread
无需通过 Istio 入口网关,因为 tailscale 已被考虑为另一个网关。
这是我的工作实现,供您参考。这个设置可以很好地处理 TLS 证书
resource "kubernetes_namespace" "tailscale_system" {
count = contains(var.enabled_addons, "tailscale-system") ? 1 : 0
metadata {
annotations = {
name = "tailscale-system"
}
labels = merge(
var.tags,
{
istio-injection = "false"
"prometheus-metrics-collection" = "true"
},
)
name = "tailscale-system"
}
}
resource "kubernetes_secret" "tailscale_secret" {
metadata {
name = "operator-oauth"
namespace = kubernetes_namespace.tailscale_system[0].metadata[0].name
}
data = {
client_id = var.tailscale_client_id
client_secret = var.tailscale_client_secret
}
lifecycle {
ignore_changes = [metadata[0].labels, metadata[0].annotations]
}
}
resource "helm_release" "tailscale_operator" {
count = contains(var.enabled_addons, "tailscale-system") ? 1 : 0
depends_on = [
kubernetes_namespace.tailscale_system,
kubernetes_secret.tailscale_secret
]
name = "tailscale-operator"
chart = "./tailscale/deploy/chart-operator/."
namespace = kubernetes_namespace.tailscale_system[0].metadata[0].name
version = "v0.1.0"
values = [
file("./tailscale/deploy/chart-operator/values.yaml")
]
set {
name = "operatorConfig.hostname"
value = "tailscale-operator-${var.tags.Environment}"
}
}
resource "kubernetes_manifest" "argocd_server_tailscale_ingress" {
provider = kubernetes
manifest = {
"apiVersion" = "networking.k8s.io/v1",
"kind" = "Ingress",
"metadata" = {
"name" = "argocd-ingress",
"namespace" = "argocd-system"
},
"spec" = {
"defaultBackend" = {
"service" = {
"name" = "argocd-server",
"port" = {
"number" = 80
}
}
},
"ingressClassName" = "tailscale",
"tls" = [
{
"hosts" = [
"argocd-${var.environment}"
]
}
]
}
}
}