Tailscale: Talos Bridge Detail
Level 3 (Detail) — System Extension, AuthKey injection, connectivity verification.
Concept
Talos Linux nodes join the tailnet through the official Tailscale System Extension. This is configured during the Proxmox/Talos creation path by create.sh.
System Extension Configuration
The bridge patch applies ExtensionServiceConfig to each Talos node:
ExtensionServiceConfig:
  - name: tailscale
    url: https://github.com/siderolabs/tailscale/releases/latest
    args:
      - --advertise-tags=tag:tazlab-k8s
      - --accept-routes=false
    environment:
      - TS_STATE_DIR=/var/lib/tailscale
Key points:
- --advertise-tags=tag:tazlab-k8s — nodes join with the cluster tag
- --accept-routes=false — no subnet routing (security boundary)
- TS_STATE_DIR=/var/lib/tailscale — state persists on node storage
AuthKey Injection
During creation, create.sh:
- Generates a short-lived auth key via the Tailscale API
- Injects it into the Talos node configuration before boot
- The key is generated in memory and not persisted to Terraform state
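An added pre-flight check (not part of create.sh or the Talos project) that encodes the two policy points above: the extension config must keep --accept-routes=false, the cluster tag and the persistent state directory, and nothing that gets committed (the config itself, or a Terraform state file) may contain a Tailscale auth key. The sample config and state text are constructed inline, and the tskey-auth- prefix used to spot keys is an assumption about Tailscale's key format.

```python
import re

# Constructed copy of the bridge patch's ExtensionServiceConfig, as a plain dict
# so no YAML library is needed.
SAMPLE_CONFIG = {
    "name": "tailscale",
    "args": ["--advertise-tags=tag:tazlab-k8s", "--accept-routes=false"],
    "environment": ["TS_STATE_DIR=/var/lib/tailscale"],
}

# Assumed shape of a Tailscale auth key; adjust if your keys look different.
AUTHKEY_RE = re.compile(r"tskey-auth-[A-Za-z0-9_-]+")


def parse_kv(items):
    """Turn ['--k=v', 'K=V'] style entries into a dict, dropping leading dashes."""
    out = {}
    for item in items:
        key, _, value = item.partition("=")
        out[key.lstrip("-")] = value
    return out


def check_extension_config(cfg, expected_tag="tag:tazlab-k8s"):
    """Return a list of policy findings; an empty list means the config is as intended."""
    findings = []
    args = parse_kv(cfg.get("args", []))
    env = parse_kv(cfg.get("environment", []))
    if args.get("accept-routes") != "false":
        findings.append("accept-routes must be false: nodes must not import subnet routes")
    if expected_tag not in args.get("advertise-tags", "").split(","):
        findings.append(f"advertise-tags must include {expected_tag}")
    if env.get("TS_STATE_DIR") != "/var/lib/tailscale":
        findings.append("TS_STATE_DIR must be /var/lib/tailscale so state persists on the node")
    # The auth key is meant to live only in memory during creation; a key in the
    # committed config means it was persisted after all.
    for value in list(args.values()) + list(env.values()):
        if AUTHKEY_RE.search(value):
            findings.append("an auth key is embedded in the committed config")
    return findings


def find_leaked_authkeys(text):
    """Scan a text blob (e.g. terraform.tfstate) for auth keys that should never be persisted."""
    return sorted(set(AUTHKEY_RE.findall(text)))
```

Run check_extension_config over the rendered patch and find_leaked_authkeys over the Terraform state after create.sh finishes; any finding or any returned key is a failed run.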
Kubelet Node-IP Narrowing
The same patch also configures the kubelet to use the lab subnet IP for node identity, while the OS still carries Tailscale traffic on a separate interface. This prevents node registration confusion.
Connectivity Verification
Verified on 2026-04-27:
- A pod in the external-secrets namespace could open TCP to 100.82.13.87:8200 (Vault tailnet IP)
- HTTPS from a pod succeeded with explicit SNI: curl -k --resolve lushycorp-vault.magellanic-gondola.ts.net:8200:100.82.13.87
- Plain DNS resolution of Tailscale MagicDNS names did not work from within pods
- The node-level Tailscale state did not expose workload DNS
Gap
The bridge provides raw IP reachability but not automatic DNS resolution of Tailscale hostnames inside pods. This means:
- Pods can connect using tailnet IPs directly
- Pods that need hostname-based routing require explicit DNS configuration or the Tailscale Kubernetes Operator
See Also
- Topic: Cluster Integration
- Detail: MagicDNS Detail
- Topic: Vault Contract
- Hub: Tailscale