fix(ingress-nginx): expose to Tailscale

2026-03-21 10:39:43 +00:00 · 2023-12-17 17:17:16 +08:00
parent 8fc5a5f229
commit 7345ce8e48
4 changed files with 7 additions and 0 deletions
--- a/kube/deploy/core/ingress/ingress-nginx/app/hr-external.yaml
+++ b/kube/deploy/core/ingress/ingress-nginx/app/hr-external.yaml
@@ -27,6 +27,7 @@ spec:
        externalTrafficPolicy: "Cluster"
        annotations:
          "io.cilium/lb-ipam-ips": "${APP_IP_NGINX_EXTERNAL}"
+          tailscale.com/expose: "true"
      extraArgs:
        default-ssl-certificate: "ingress/short-domain-tls"
      ingressClassResource:
--- a/kube/deploy/core/ingress/ingress-nginx/app/hr-internal.yaml
+++ b/kube/deploy/core/ingress/ingress-nginx/app/hr-internal.yaml
@@ -26,6 +26,7 @@ spec:
        externalTrafficPolicy: "Cluster"
        annotations:
          "io.cilium/lb-ipam-ips": "${APP_IP_NGINX_INTERNAL}"
+          tailscale.com/expose: "true"
      extraArgs:
        default-ssl-certificate: "ingress/short-domain-tls"
      ingressClassResource:
--- a/kube/deploy/core/ingress/ingress-nginx/app/hr-public.yaml
+++ b/kube/deploy/core/ingress/ingress-nginx/app/hr-public.yaml
@@ -27,6 +27,7 @@ spec:
        externalTrafficPolicy: "Cluster"
        annotations:
          "io.cilium/lb-ipam-ips": "${APP_IP_NGINX_PUBLIC}"
+          tailscale.com/expose: "true"
      extraArgs:
        default-ssl-certificate: "ingress/long-domain-tls"
      ingressClassResource:
--- a/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
+++ b/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
@@ -42,6 +42,10 @@ spec:
              protocol: TCP
            - port: "443"
              protocol: UDP
+    # allow traffic from Tailscale within cluster
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: tailscale
    # allow traffic from external-proxy-x
    - fromEndpoints:
        - matchLabels: