Tailscale Operator

The Tailscale operator lets you expose your Kubernetes workloads privately inside your tailnet. You can use the direct tailscale ingress class, or publish managed Envoy Gateway classes into the tailnet for private Gateway API traffic.

Features available

  • OAuth client credential-based installation
  • Direct tailscale ingress for workload-specific hostnames like grafana.<tailnet>.ts.net
  • Tailnet-published Envoy Gateway classes for private Gateway API entry points
  • Tailscale-managed certificates for direct tailnet hostnames

Install the operator from Cluster > Gateway or Cluster > Add-ons and follow the instructions to complete the installation. Create the OAuth client credentials from the Tailscale admin Trust credentials page, then provide your tailnet DNS name from the Tailscale admin DNS page.

Edka stores the OAuth client values only inside the cluster, as a Kubernetes Secret. After install, choose how to expose traffic from the deployment or Gateway screens:

  • Use the direct tailscale traffic class for workload-specific hostnames like grafana.<tailnet>.ts.net.
  • Create a Gateway class with exposure mode Tailscale tailnet (BYOD) when you want private Gateway API traffic published into your tailnet.

Tailscale manages certificates for direct tailnet hostnames. Tailnet-published Gateway classes keep Envoy in-cluster and publish the Gateway service through Tailscale. If you attach wildcard domains to that Gateway class, the Domains view will show the wildcard CNAME record to create.
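The two exposure choices above map onto two Kubernetes resources that the Tailscale Kubernetes operator understands. The manifests below are an added example written for this page, not Edka's or Tailscale's own manifests, and they use only documented operator APIs (the tailscale IngressClass, the tailscale loadBalancerClass and the tailscale.com/hostname annotation). Namespace names, Service names, ports and the Envoy selector label are assumptions chosen for illustration; how Edka generates its own resources behind the Gateway screen is not stated on the page.

```yaml
# Added example (not Edka's or Tailscale's code). Names, namespaces and ports
# are assumptions for illustration.

# 1. Direct tailnet ingress for a workload-specific hostname.
#    With ingressClassName: tailscale the operator creates a tailnet device
#    named after spec.tls[].hosts[0], so this Ingress is reachable as
#    grafana.<tailnet>.ts.net with a Tailscale-managed certificate.
#    Nothing is published outside the tailnet.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: monitoring          # assumed namespace
spec:
  ingressClassName: tailscale
  defaultBackend:
    service:
      name: grafana              # assumed in-cluster Service name
      port:
        number: 80
  tls:
    - hosts:
        - grafana                # short name only; the tailnet DNS suffix is appended
---
# 2. Tailnet-published Gateway class. Envoy stays in-cluster and only its
#    Service is published to the tailnet through the operator's load balancer
#    class. Whether Edka wires Envoy this way is an assumption; the Service name,
#    namespace, selector label and listener port are assumed as well.
apiVersion: v1
kind: Service
metadata:
  name: envoy-tailnet
  namespace: envoy-gateway-system
  annotations:
    tailscale.com/hostname: gateway   # published as gateway.<tailnet>.ts.net
spec:
  type: LoadBalancer
  loadBalancerClass: tailscale        # keeps the Service off any public cloud LB
  selector:
    gateway.envoyproxy.io/owning-gateway-name: tailnet   # assumed Envoy proxy label
  ports:
    - name: https
      port: 443
      targetPort: 10443               # assumed Envoy listener port
```

The security property worth checking after either choice is that the workload has no other public path: a Service of type LoadBalancer without `loadBalancerClass: tailscale`, or an Ingress on a public class, would bypass the tailnet entirely. `kubectl get svc -A -o wide` and `kubectl get ingress -A` make that audit quick.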

For the full workflow, see the Tailscale tailnet exposure guide.
