Everything Tailscale at GitHub

GitHub has built its Tailscale deployment across three internal projects: a Go-based control plane for provisioning and managing our tailnet, a Kubernetes operator deployed across multiple clusters, and a custom Vault secrets engine for authkey lifecycle management.

This talk walks through our architecture end-to-end — from how we enforce Tailnet Lock with automatic nodekey signing and why we rejected pre-signed authkeys, to how we're working on replacing VPN connectivity in GitHub Actions CI/CD with OIDC-authenticated ephemeral nodes.

Along the way, we'll touch on how we manage ACLs as code with dynamic LDAP sync, just-in-time privileged access provisioning, and the patterns we use to expose both Kubernetes services and traditional infrastructure through Tailscale.

We will cover:

  • Architecture Overview. The pillars of GitHub's Tailscale deployment and how they fit together
  • Tailnet Lock & Nodekey Signing. Why we mandate signing for all nodes and how we automate trust decisions
  • GitHub Actions Integration. OIDC token exchange for ephemeral authkeys, tag-based access policies, and the setup-tailscale action
  • Exposing Infrastructure. Patterns for AppRoles, Kubernetes services via the operator (App Connectors, Subnet Routers, Exit Nodes)
  • Operational Tooling. ACLs as code with LDAP sync, JIT access provisioning, and the Vault authkey plugin

Speakers

Bogdan Tanasie

Security Engineer at GitHub