
Tailscale Tailnet Traffic Exposure

Edka supports two private traffic exposure patterns with Tailscale:

  • Envoy Gateway classes with exposure mode Tailscale tailnet (BYOD) for private Gateway API traffic published into your tailnet. This is the recommended way to expose Gateway API traffic to your tailnet.

  • The direct tailscale ingress class with separate hostnames for each workload.

Prerequisites:

  • A Tailscale account with MagicDNS enabled.
  • Create the tags tag:k8s-operator and tag:k8s, and make tag:k8s-operator an owner of tag:k8s in your tailnet policy:

    {
      "tagOwners": {
        "tag:k8s-operator": [],
        "tag:k8s": ["tag:k8s-operator"]
      }
    }

  • Create an OAuth client in the Trust credentials page of the Tailscale admin console. Grant the client the Devices Core, Auth Keys, Services and DNS write scopes, and add tag:k8s-operator in the Allowed tags field.

This allows the Tailscale operator to manage the tailnet and the published Gateway or ingress endpoints.

  1. Go to Gateway and press Install Tailscale operator.
  2. Provide the OAuth client ID and client secret for the operator.
  3. Enter your tailnet DNS name, for example camel-alphard.ts.net. You can find it in the DNS page of the Tailscale admin console.
  4. Finish the install and wait for the add-on to become ready.
  5. Create a gateway class with the exposure mode Tailscale tailnet (BYOD).

Installation notes:

  • The operator is configured with OAuth client credentials.
  • OAuth client credentials are stored in your cluster as a Kubernetes secret, not in Edka’s Secret Store.
  • The tailnet DNS name is required so Edka can render full Tailscale URLs when you use the direct tailscale ingress class.
| Mode | Best for | Hostname source | TLS certificate management |
|------|----------|-----------------|----------------------------|
| Tailscale tailnet (BYOD) Gateway class | Multiple deployments and applications | Single hostname or wildcard domains you own | Managed by you in Edka |
| tailscale ingress class | Clusters without custom domains | Tailnet DNS name | Managed by Tailscale |

Use Tailscale tailnet (BYOD) when you want to keep Gateway API semantics while publishing the Gateway service into your tailnet.

  1. Add a single hostname or wildcard domain in your cluster Domains view and select the Tailscale tailnet (BYOD) class.
  2. Continue with the domain setup:
     • Set a CNAME record in your DNS provider that points to the Tailscale operator endpoint.
     • Set a CNAME record to verify domain ownership and issue a TLS certificate.

Once the domain is set up, you can use it in your deployments and apps to expose their traffic privately inside your tailnet.

Operational notes:

  • Envoy stays in cluster.
  • The Gateway service is published to your tailnet through the Tailscale operator.
  • This mode keeps the normal Gateway API hostname flow and it uses your own domains.
  • Public Let’s Encrypt HTTP-01 validation is not available on this private traffic class.
  • It only works with wildcard domains.
  • The Tailscale operator cannot be uninstalled while Gateway classes, deployments, or apps still depend on it.

Use the direct tailscale traffic class when you don’t have a custom domain and you want to use the tailnet DNS name to expose your traffic.

  1. Open a deployment or app networking/access form.
  2. Enable exposure.
  3. Choose the tailscale traffic controller.
  4. Enter a single-label subdomain such as grafana.
  5. Save the workload.

Edka renders the final hostname as <subdomain>.<tailnet-dns-name>.
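For reference, this is the shape of the Kubernetes Ingress that the Tailscale operator's tailscale ingress class consumes for a workload published as grafana.<tailnet-dns-name>. It is an added example, not a manifest from Edka's documentation or code; that Edka renders an equivalent object when you save the workload is an assumption. The Ingress name, the monitoring namespace, the grafana Service and port 3000 are placeholders.

```yaml
# Added example: an Ingress handed to the Tailscale operator via its ingress class.
# Assumption: Edka produces an equivalent resource from the networking/access form.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana            # placeholder workload name
  namespace: monitoring    # placeholder namespace
spec:
  ingressClassName: tailscale   # routes the Ingress to the Tailscale operator
  defaultBackend:
    service:
      name: grafana              # placeholder Service in the same namespace
      port:
        number: 3000             # placeholder Service port
  tls:
    - hosts:
        - grafana                # single-label subdomain; the operator appends the tailnet DNS name
```

The operator provisions a tailnet proxy for this Ingress using the tag:k8s tag from the prerequisites, and the resulting hostname appears in the ADDRESS column of `kubectl get ingress grafana -n monitoring` once the proxy has joined the tailnet. Because the Service is reached only from the tailnet, the workload itself needs no public Service or LoadBalancer.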

Operational notes:

  • Tailscale manages routing and certificates for the tailnet hostname.
  • The TLS certificate can take a few minutes to be issued, and Edka does not provide a status indicator for it. You can check the status in the Tailscale admin console.

More information about the Tailscale operator is available on the official Tailscale Operator page.