Everything Tailscale at GitHub

GitHub has built its Tailscale deployment across three internal projects: a Go-based control plane for provisioning and managing our tailnet, a Kubernetes operator deployed across multiple clusters, and a custom Vault secrets engine for authkey lifecycle management.

This talk walks through our architecture end-to-end — from how we enforce Tailnet Lock with automatic nodekey signing and why we rejected pre-signed authkeys, to how we're working on replacing VPN connectivity in GitHub Actions CI/CD with OIDC-authenticated ephemeral nodes.

Along the way, we'll touch on how we manage ACLs as code with dynamic LDAP sync, just-in-time privileged access provisioning, and the patterns we use to expose both Kubernetes services and traditional infrastructure through Tailscale.

We will cover:

  • Architecture Overview. The pillars of GitHub's Tailscale deployment and how they fit together
  • Tailnet Lock & Nodekey Signing. Why we mandate signing for all nodes and how we automate trust decisions
  • GitHub Actions Integration. OIDC token exchange for ephemeral authkeys, tag-based access policies, and the setup-tailscale action
  • Exposing Infrastructure. Patterns for AppRoles, Kubernetes services via the operator (App Connectors, Subnet Routers, Exit Nodes)
  • Operational Tooling. ACLs as code with LDAP sync, JIT access provisioning, and the Vault authkey plugin
