Tailscale: Talos Bridge Detail

Level 3 (Detail) — System Extension, AuthKey injection, connectivity verification.

Concept

Talos Linux nodes join the tailnet through the Tailscale system extension from the Sidero Labs extensions catalog (siderolabs/tailscale), which runs tailscaled on the node itself rather than inside the cluster. It is configured during the Proxmox/Talos creation path by create.sh.

System Extension Configuration

The bridge patch adds an ExtensionServiceConfig document to each Talos node's machine config. The extension binary is not fetched at runtime: it has to be baked into the Talos image (Image Factory schematic entry siderolabs/tailscale), and the document below only configures it. The extension takes its settings as environment variables; the tailscale up flags go in TS_EXTRA_ARGS:

apiVersion: v1alpha1
kind: ExtensionServiceConfig
name: tailscale
environment:
  - TS_AUTHKEY=tskey-auth-...          # injected by create.sh, see AuthKey Injection
  - TS_EXTRA_ARGS=--advertise-tags=tag:tazlab-k8s --accept-routes=false
  - TS_STATE_DIR=/var/lib/tailscale

Key points:

  • --advertise-tags=tag:tazlab-k8s: nodes join as tagged devices. This only works non-interactively if the auth key was created with that tag (or by a tagOwner of it); ACL rules should target tag:tazlab-k8s rather than individual nodes.
  • --accept-routes=false: the node does not install subnet routes advertised by other tailnet devices, so workloads can reach tailnet IPs (100.x) only, not networks behind subnet routers. The node advertises no routes either (no --advertise-routes). This is a client-side setting; the real boundary is the tailnet ACL.
  • TS_STATE_DIR=/var/lib/tailscale: tailscaled state, including the node key that is the node's tailnet identity, persists on node storage across reboots. If that directory is lost (reset, reimage) the node re-registers and needs a fresh auth key, since a short-lived one will have expired.

AuthKey Injection

During creation, create.sh:

  1. Generates a short-lived auth key via the Tailscale API (POST /api/v2/tailnet/{tailnet}/keys). For an unattended, tagged join the key should be preauthorized and created with tag:tazlab-k8s in its capabilities, one-off (non-reusable) and non-ephemeral, since a Kubernetes node must not disappear from the tailnet when it goes offline.
  2. Injects it into the Talos node configuration (TS_AUTHKEY in the ExtensionServiceConfig document) before boot.
  3. Keeps the key in memory only; it is not persisted to Terraform state. The rendered machine config still contains it until the node has joined, so treat that artifact as a secret and keep the expiry short: long enough to cover first boot, no longer.

Kubelet Node-IP Narrowing

The same patch also narrows the kubelet's node IP to the lab subnet (on Talos: machine.kubelet.nodeIP.validSubnets), so the node registers its lab address as InternalIP while the 100.x Tailscale address stays on the separate tailscale0 interface. Without this the kubelet may pick the tailnet address as the node IP, and node registration, pod networking and health checks end up on the wrong interface.
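The following script is an added example, not the lab's create.sh, covering the two pieces above: minting a tag-bound, single-use, short-lived auth key from the Tailscale API and rendering the Talos patch (the ExtensionServiceConfig document plus the kubelet node-IP narrowing) so that the key never touches disk or Terraform state. It assumes TS_API_TOKEN (a Tailscale API access token) and TS_TAILNET in the environment; the lab subnet default 192.168.10.0/24 and the file name controlplane.yaml are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not the lab's create.sh). Mint a tag-bound, one-off, short-lived
# Tailscale auth key and render the Talos patch described above without writing the
# key to disk. Assumes env TS_API_TOKEN (Tailscale API access token) and TS_TAILNET
# ("-" selects the token's default tailnet).
set -eu

TAG="${TAG:-tag:tazlab-k8s}"
LAB_SUBNET="${LAB_SUBNET:-192.168.10.0/24}"   # assumed lab node subnet, adjust

# JSON body for POST /api/v2/tailnet/{tailnet}/keys: one-off (reusable=false),
# persistent (ephemeral=false, a k8s node must stay registered while offline),
# preauthorized (no admin approval), bound to TAG, expiring after $2 seconds.
# Default 1h: long enough for first boot, short enough to limit exposure of the
# rendered machine config that carries the key.
key_request_body() {
  tag="$1"; expiry="${2:-3600}"
  printf '{"description":"talos node bootstrap","expirySeconds":%d,' "$expiry"
  printf '"capabilities":{"devices":{"create":{"reusable":false,"ephemeral":false,'
  printf '"preauthorized":true,"tags":["%s"]}}}}\n' "$tag"
}

# Pull the "key" member out of the API response. The response has exactly one
# "key" member, so a sed capture is enough here; prefer jq where it is available.
extract_key() {
  sed -n 's/.*"key":"\([^"]*\)".*/\1/p'
}

# Render the strategic-merge patch: kubelet node-IP narrowing in the v1alpha1
# config, then an ExtensionServiceConfig document carrying the auth key and the
# tailscale up arguments.
render_patch() {
  key="$1"; tag="$2"; subnet="$3"
  cat <<EOF
machine:
  kubelet:
    nodeIP:
      validSubnets:
        - ${subnet}
---
apiVersion: v1alpha1
kind: ExtensionServiceConfig
name: tailscale
environment:
  - TS_AUTHKEY=${key}
  - TS_EXTRA_ARGS=--advertise-tags=${tag} --accept-routes=false
  - TS_STATE_DIR=/var/lib/tailscale
EOF
}

# Call the API and print only the key. Runs only when a token is present. The
# token is visible in the process list for the duration of the call; on a shared
# host pass it through a curl -K config instead.
mint_key() {
  : "${TS_API_TOKEN:?set TS_API_TOKEN}" "${TS_TAILNET:=-}"
  curl -fsS -u "${TS_API_TOKEN}:" \
    -H 'Content-Type: application/json' \
    -d "$(key_request_body "$TAG" 3600)" \
    "https://api.tailscale.com/api/v2/tailnet/${TS_TAILNET}/keys" | extract_key
}

# Usage (MINT=1): the key lives in a shell variable and the patch is piped straight
# into talosctl, so neither lands in a file or in Terraform state.
if [ "${MINT:-0}" = 1 ]; then
  KEY="$(mint_key)"
  render_patch "$KEY" "$TAG" "$LAB_SUBNET" |
    talosctl machineconfig patch controlplane.yaml --patch @/dev/stdin
fi
```

The key request deliberately asks for a non-reusable key: a reusable key in a machine config is a standing credential for adding devices under tag:tazlab-k8s, while a one-off key is dead after the node's first tailscale up.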

Connectivity Verification

Verified on 2026-04-27:

  • A pod in the external-secrets namespace could open a TCP connection to 100.82.13.87:8200 (Vault's tailnet IP)
  • HTTPS from a pod succeeded when the name was pinned to the tailnet IP: curl -k --resolve lushycorp-vault.magellanic-gondola.ts.net:8200:100.82.13.87 https://lushycorp-vault.magellanic-gondola.ts.net:8200/ (the -k skips certificate verification, so this proves reachability and a TLS handshake, not server identity; drop -k, or pass --cacert, once the certificate chain is known)
  • Plain DNS resolution of Tailscale MagicDNS names did not work from within pods
  • The node's tailscaled MagicDNS configuration is not propagated to cluster DNS (CoreDNS), so workloads get no tailnet name resolution

Gap

The bridge provides raw IP reachability but not automatic DNS resolution of Tailscale hostnames inside pods. This means:

  • Pods can connect using tailnet IPs directly, but a TLS certificate issued for a ts.net name does not validate against a bare IP, which is what pushes clients toward -k
  • Pods that need hostname-based access require explicit DNS configuration (a CoreDNS stanza for the tailnet's ts.net suffix) or the Tailscale Kubernetes Operator
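As an added example, not part of the lab's tooling, the script below reproduces the three pod-level checks from the Connectivity Verification section and renders the explicit CoreDNS configuration this gap calls for. It assumes kubectl access to the cluster, the curlimages/curl image (curl plus busybox nslookup) and the Vault name and IP from the notes above; /v1/sys/health is Vault's unauthenticated health endpoint, used here only as a harmless target.

```shell
#!/usr/bin/env bash
# Added example (not the lab's tooling). Reproduce the pod-level reachability, SNI
# and MagicDNS checks from a throwaway pod, and render a CoreDNS server block that
# closes the DNS gap statically. Assumes kubectl access and the curlimages/curl
# image; name/IP defaults come from the verification notes.
set -eu

VAULT_NAME="${VAULT_NAME:-lushycorp-vault.magellanic-gondola.ts.net}"
VAULT_IP="${VAULT_IP:-100.82.13.87}"
VAULT_PORT="${VAULT_PORT:-8200}"
NS="${NS:-external-secrets}"

# Commands run inside the probe pod. Each line prints the curl/nslookup exit code so
# the three failure modes stay distinguishable: rc=7/28 means no TCP path, rc=60 on
# the sni line means the TLS handshake worked but the certificate is not trusted
# (the case -k would have hidden), dns rc!=0 means MagicDNS names do not resolve.
# --resolve pins the name to the tailnet IP so the certificate is checked against
# the real hostname; no -k.
probe_script() {
  name="$1"; ip="$2"; port="$3"
  cat <<EOF
curl -sk -o /dev/null --connect-timeout 5 https://${ip}:${port}/v1/sys/health; echo "ip rc=\$?"
curl -s -o /dev/null --connect-timeout 5 --resolve ${name}:${port}:${ip} https://${name}:${port}/v1/sys/health; echo "sni rc=\$?"
nslookup ${name} >/dev/null 2>&1; echo "dns rc=\$?"
EOF
}

# Run the probe in the namespace where the consumer lives, so the result reflects
# that workload's network position (NetworkPolicy, egress) rather than a node shell.
run_probe() {
  kubectl -n "$NS" run tsprobe --rm -i --restart=Never --image=curlimages/curl \
    --command -- sh -c "$(probe_script "$VAULT_NAME" "$VAULT_IP" "$VAULT_PORT")"
}

# Static remediation: a CoreDNS server block for the tailnet's MagicDNS suffix,
# backed by the hosts plugin, so pods resolve the name to its tailnet IP without the
# Tailscale operator. Args: suffix, then name=ip pairs. Paste the output into the
# Corefile of the kube-system/coredns ConfigMap. Forwarding the suffix to the node's
# MagicDNS resolver (100.100.100.100) instead would be dynamic, but only if pod
# traffic to that address is routed via tailscale0; verify before relying on it.
render_coredns_block() {
  suffix="$1"; shift
  printf '%s:53 {\n    errors\n    hosts {\n' "$suffix"
  for pair in "$@"; do
    printf '        %s %s\n' "${pair#*=}" "${pair%%=*}"
  done
  printf '        fallthrough\n    }\n    cache 30\n}\n'
}

# Usage: PROBE=1 ./probe.sh    (probe from a pod)
#        ./probe.sh            (only define functions; render the block by hand:)
#        render_coredns_block magellanic-gondola.ts.net "$VAULT_NAME=$VAULT_IP"
if [ "${PROBE:-0}" = 1 ]; then
  run_probe
fi
```

The hosts-based block is a pinning of one name to one IP: it removes the need for -k but has to be updated if the Vault node's tailnet address changes, which is the trade-off against running the Tailscale Kubernetes Operator.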

See Also