
Deploy app connector on Kubernetes using the operator

In Tailscale v1.78 and later, you can deploy an app connector to your Kubernetes cluster using the operator and its Connector Custom Resource Definition.

The only tested and supported use case is to deploy an app connector to access SaaS applications available on the public internet. Using the app connector to expose cluster workloads or other internal workloads might work, but this is not a use case that we have tested or optimized for.

If you are using the app connector to access SaaS applications because you need a predictable egress IP address that you can add to an allowlist, it's also your responsibility to ensure that cluster traffic from the connector leaves using that predictable IP address, for example by routing cluster egress traffic through an egress NAT device with a static IP address.

Prerequisites

  1. Set up the Kubernetes operator.

  2. (Optional) Create a tag (for example, tag:github-connector) to attach to the connector device. If you do not specify a custom tag, the operator will tag the connector device with tag:k8s. Make sure the operator is one of the tag owners for the connector tag:

    "tagOwners": {
         "tag:k8s-operator":   [],
         "tag:github-connector":   ["tag:k8s-operator"],
    }
    
  3. Configure the domains that route through the app connector in Apps.

  4. Follow steps three through five in app connector policy configuration instructions to set up permissions to route traffic for the required domains using the app connector.

Deploy

  1. Create your Connector resource based on the below and save it as connector.yaml.

    apiVersion: tailscale.com/v1alpha1
    kind: Connector
    metadata:
      name: appc-github
    spec:
      appConnector: {}
    
  2. (Optional) Add preconfigured routes:

    apiVersion: tailscale.com/v1alpha1
    kind: Connector
    metadata:
      name: appc-github
    spec:
      appConnector:
        routes:
        - 140.82.114.4/32
    

    You can find all available Connector configuration options on GitHub.

  3. Apply the file:

    kubectl apply -f connector.yaml
    
  4. (Optional) Wait for the connector to become ready:

    kubectl wait --for condition=ConnectorReady=true Connector appc-github
    connector.tailscale.com/appc-github condition met
    
  5. (Optional) Add the app connector's egress IP address to an IP allowlist.
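As an added pre-flight check (not part of the Tailscale docs or the operator), the following Python parses a constructed HuJSON policy fragment, confirms that tag:k8s-operator is listed as an owner of the connector tag from the Prerequisites, and validates any preconfigured routes from the Connector spec as strict CIDRs. The HuJSON stripping is deliberately minimal and assumes the policy has no `//` inside string values.

```python
import json
import re
from ipaddress import ip_network

# The operator's own tag, as used in the tagOwners example above.
OPERATOR_TAG = "tag:k8s-operator"

# Constructed sample tailnet policy (HuJSON: comments and trailing commas allowed).
POLICY_HUJSON = """
{
  // constructed sample; tag:other-connector is deliberately misconfigured
  "tagOwners": {
    "tag:k8s-operator":      [],
    "tag:github-connector":  ["tag:k8s-operator"],
    "tag:other-connector":   ["autogroup:admin"],
  },
}
"""


def parse_hujson(text):
    """Minimal HuJSON loader: drop /* */ and // comments, then trailing commas.
    Assumption: no string value contains '//' (e.g. a URL)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def operator_owns_tag(policy, connector_tag, operator_tag=OPERATOR_TAG):
    """True if the operator tag may assign connector_tag to the connector device.
    A missing tagOwners entry is treated as not owned."""
    owners = policy.get("tagOwners", {}).get(connector_tag)
    return owners is not None and operator_tag in owners


def check_routes(routes):
    """Return the routes that are not well-formed CIDRs (host bits must be clear)."""
    bad = []
    for route in routes:
        try:
            ip_network(route, strict=True)
        except ValueError:
            bad.append(route)
    return bad


if __name__ == "__main__":
    policy = parse_hujson(POLICY_HUJSON)
    print("github-connector ok:", operator_owns_tag(policy, "tag:github-connector"))
    print("bad routes:", check_routes(["140.82.114.4/32", "140.82.114.4/24"]))
```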

Known issues and limitations

  • The setup flow involves a large number of manual steps to configure the tailnet policy file and apps. We welcome feedback for further improvements for automating this workflow.

  • There is no way to auto-discover the egress IP of the app connector - you need to look it up in the admin console.
