Support setting control server URL for Tailscale #7807
Conversation
💯
cc @manuelbuil |
CI failure is unrelated, right? |
Yeah don't worry about it |
Thanks for the contribution. We would like to keep the API as generic as possible in case we integrate with more VPN providers. Therefore, I'd prefer if we name the option as "vpnServerURL" instead of "controlURL" |
Although I think that |
@dennwc I was trying to set up headscale + tailscale, so that I could prepare a testing document for QA to run. However, I must be doing something wrongly because it is not working. Could you give me a hand? This is what I am doing: 1 - Install headscale by following https://headscale.net/running-headscale-linux/#migrating-from-manual-install. I'm using the latest version v0.22.3 and Ubuntu. I'm on Azure and tailscale client has version
4 - In the client, I run:
And it blocks forever. Unfortunately,
I guess there is some misconfiguration in the headscale server but I can't find it. Unfortunately, the headscale docs do not explain much about how to troubleshoot. Any idea what might be happening? Do you know where to look for headscale logs? Is there any way to increase the verbosity of those logs? |
Found it! It was tls which was not configured and thus https would not work. By changing to:
things worked :). In any case, if you could recommend ways to get better logs or more verbosity, that would be great for the future. In the meanwhile, could you add the |
Codecov Report
Patch coverage has no change and project coverage change:
Additional details and impacted files

Coverage Diff (master vs #7807)
            master    #7807      +/-
Coverage    47.22%   51.51%   +4.29%
Files          143      143
Lines        14509    14521      +12
Hits          6852     7481     +629
Misses        6571     5856     -715
Partials      1086     1184      +98
|
@manuelbuil Sure, thank you, please do! I will add the timeout, then 👍 I assume you mean set it to 30s by default, no new options added. Regarding logs, sorry, cannot suggest anything useful here. Probably need to open an issue to Tailscale to include verbose logging. Cannot see relevant flags in the CLI help. |
I would have expected more logs in the headscale server but I guess it is still in its infancy. One extra comment I have. If you check this line: https://github.com/k3s-io/k3s/blob/master/pkg/agent/flannel/setup.go#L79, we are again using |
Good catch! I missed that. From CLI docs:
So we need to pass all of the settings there as well. |
@manuelbuil I see no easy way of getting auth options there. I'll need to expose a new field on types.Agent I guess. I'm considering the following approaches:
|
What about changing that call in the flannel extension and instead of using |
That would work as well, but we also need I tried implementing (2) in the meantime, it requires one new type for config, plus returning that type from But it's up to you. I guess it's easier to start with |
Fix for the bug is merged, could you please rebase? Then, after all reviews are successful, we can merge this PR! Note that code freeze is tomorrow EOD |
Okay, great, will do it today 👍 |
I would love to get this in for the July releases, if we can get the feedback addressed (in addition to rebasing). |
This change enables the use of Headscale - open source implementation of the Tailscale control server. Signed-off-by: Denys Smirnov <dennwc@pm.me>
Rebased, removed Let me know if anything else should be done here before the code freeze. |
Perfect! As soon as CI passes, I'll merge and prepare the backports. Thanks for the contribution! |
This change enables the use of Headscale - open source implementation of the Tailscale control server.
Proposed Changes
Pretty simple: add a `controlURL` parameter to `--vpn-auth`, which will be propagated to Tailscale as the `--login-server` flag. This flag will only be set if the `controlURL` parameter is present, so it's backward-compatible.
Types of Changes
New Feature
Verification
You'll need a Headscale instance for this, see docs. Then add `controlURL=https://<your-headscale-server>` to the usual `--vpn-auth` parameter.
Verification can be done in a negative way: set `controlURL=https://example.com` for a valid Tailscale join key, and it should fail to join the network by hitting the wrong domain. See #7352 for a general Tailscale setup.
Testing
1 - Install headscale in a separate VM by following these instructions.
2 - Edit the headscale config and set `listen_addr: 0.0.0.0:8080`
3 - As explained in the headscale instructions, create a user and a pre-authenticated key
4 - Deploy k3s with tailscale passing the extra config `vpnServerURL=`, where url is `http://$IP_HEADSCALE:8080`
5 - Verify that the tailscale interface gets an IPv4/IPv6 address
6 - In the headscale server, list the routes with `sudo headscale routes list` and enable all of them (e.g. `sudo headscale routes enable -r 1`)
7 - Verify you can ping between pods on different nodes
Linked Issues
#7824
User-Facing Change
Further Comments
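The mechanism the Proposed Changes section describes (a `controlURL` key inside `--vpn-auth` that is turned into `--login-server` only when present, plus the 30s timeout agreed on in the discussion) and the negative check from the Verification section, as an added Go example that is not k3s's own code. It parses the comma-separated `--vpn-auth` value, validates the control URL and builds the `tailscale up` argument list. The `VPNAuth` type, the function names, the validation rules and the placeholder join key and host names are assumptions; `--authkey`, `--login-server` and `--timeout` are the Tailscale CLI flags the example assumes the agent passes through. It keeps the `controlURL` name used in the description rather than the later `vpnServerURL` rename.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// VPNAuth is the parsed form of a --vpn-auth value. The struct and its field
// names are assumptions made for this example; they are not k3s's own types.
type VPNAuth struct {
	Name       string
	JoinKey    string
	ControlURL string // empty: leave Tailscale's default coordination server in place
}

// ParseVPNAuth splits "name=tailscale,joinKey=...,controlURL=..." into a VPNAuth.
// Each item is split on its first '=' so a URL query string survives, but a
// value containing a comma is not supported by this simple parser.
func ParseVPNAuth(s string) (VPNAuth, error) {
	var a VPNAuth
	for _, kv := range strings.Split(s, ",") {
		kv = strings.TrimSpace(kv)
		if kv == "" {
			continue
		}
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return VPNAuth{}, fmt.Errorf("vpn-auth: %q is not key=value", kv)
		}
		switch k {
		case "name":
			a.Name = v
		case "joinKey":
			a.JoinKey = v
		case "controlURL":
			a.ControlURL = v
		default:
			return VPNAuth{}, fmt.Errorf("vpn-auth: unknown key %q", k)
		}
	}
	if a.Name == "" || a.JoinKey == "" {
		return VPNAuth{}, errors.New("vpn-auth: name and joinKey are required")
	}
	if a.ControlURL != "" {
		if err := validateControlURL(a.ControlURL); err != nil {
			return VPNAuth{}, err
		}
	}
	return a, nil
}

// validateControlURL rejects values Tailscale could not use as a coordination
// server address: it must be an absolute http(s) URL with a host. Plain http is
// accepted because the test plan above points at http://$IP_HEADSCALE:8080.
func validateControlURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("controlURL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("controlURL: scheme must be http or https, got %q", u.Scheme)
	}
	if u.Host == "" {
		return errors.New("controlURL: missing host")
	}
	return nil
}

// TailscaleUpArgs builds the argument list for `tailscale up`. --login-server is
// appended only when a control URL was given, which is what keeps the change
// backward-compatible for existing --vpn-auth values; --timeout carries the
// 30s default discussed in the thread.
func TailscaleUpArgs(a VPNAuth, timeout time.Duration) []string {
	args := []string{"up", "--authkey=" + a.JoinKey, "--timeout=" + timeout.String()}
	if a.ControlURL != "" {
		args = append(args, "--login-server="+a.ControlURL)
	}
	return args
}

// HasLoginServer reports whether argv carries a --login-server flag, which is
// the property the "negative" verification (wrong domain must be hit) relies on.
func HasLoginServer(args []string) bool {
	for _, s := range args {
		if strings.HasPrefix(s, "--login-server=") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed inputs: the join key and host names are placeholders.
	for _, in := range []string{
		"name=tailscale,joinKey=tskey-auth-example",
		"name=tailscale,joinKey=tskey-auth-example,controlURL=https://headscale.example.com",
		"name=tailscale,joinKey=tskey-auth-example,controlURL=headscale.example.com",
	} {
		a, err := ParseVPNAuth(in)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("tailscale", strings.Join(TailscaleUpArgs(a, 30*time.Second), " "))
	}
}
```

The third input is rejected before anything is passed to Tailscale: a bare host name has no scheme, so the URL check fails up front instead of the agent blocking on a server it can never reach, which is the failure mode the maintainer ran into while the Headscale TLS listener was misconfigured.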