A Helm chart for deploying Tailscale into a Kubernetes cluster.
This chart allows you to run Tailscale components as Kubernetes workloads in order to securely connect your cluster, services, or workloads to a Tailnet (Tailscale network) without exposing them publicly.
Tailscale is a zero-configuration, WireGuard-based mesh VPN that simplifies secure networking between devices and services.
The helm-tailscale chart provides a flexible and Kubernetes-native way to deploy Tailscale.
It is designed to be:
- Simple to install and operate
- Configurable through standard Helm values
- Suitable for development, staging, and production environments
- Compatible with GitOps and CI/CD workflows
Typical use cases include:
- Connecting a Kubernetes cluster to a Tailnet
- Providing secure access to internal services
- Enabling private ingress or egress via Tailscale
- Running Tailscale nodes inside Kubernetes
- Kubernetes 1.24+ (recommended)
- Helm 3.x
- A valid Tailscale account
- A Tailscale auth key (ephemeral or reusable, depending on your security model)
git clone https://github.com/slash-mnt/helm-tailscale.git
cd helm-tailscalehelm install tailscale ./ \
--namespace tailscale \
--create-namespace \
-f values.yamlYou can also override values directly from the command line:
helm upgrade --install tailscale ./ \
--namespace tailscale \
--set tailscale.auth.key="tskey-xxxxx"The chart is configured using values.yaml.
tailscale:
auth:
key: "tskey-xxxxx"
image:
repository: tailscale/tailscale
tag: latest
hostname: "k8s-node"
node:
enabled: true
extraTags:
- "tag:kubernetes"
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 256Mi| Key | Description | Default |
|---|---|---|
tailscale.auth.key |
Tailscale authentication key | "" |
tailscale.image.repository |
Tailscale image repository | tailscale/tailscale |
tailscale.image.tag |
Image tag | latest |
tailscale.hostname |
Node hostname in Tailnet | "" |
node.enabled |
Enable Tailscale node deployment | true |
node.extraTags |
Additional Tailnet tags | [] |
Refer to values.yaml for the full list of configurable options.
Once installed, the Tailscale node should automatically appear in your Tailscale admin console.
From there, you can:
- Apply ACLs and tags
- Enable subnet routing (if configured)
- Use the node as a secure access point to cluster services
Depending on your configuration, this chart can be combined with:
- Kubernetes Services
- Ingress controllers
- Sidecar or gateway patterns
To upgrade an existing release:
helm upgrade tailscale ./ \
--namespace tailscale \
-f values.yamlTo remove Tailscale from your cluster:
helm uninstall tailscale --namespace tailscale- Prefer ephemeral auth keys when possible
- Use Tailscale tags and ACLs to restrict access
- Store auth keys in Kubernetes Secrets or external secret managers
- Review RBAC and PodSecurity policies in production environments
Contributions are welcome.
To contribute:
- Fork the repository
- Create a feature or fix branch
- Commit your changes with clear messages
- Open a Pull Request
Please ensure:
- Helm templates are linted
- Changes are documented
- Values remain backward-compatible when possible
This project is licensed under the MIT License.
See the LICENSE file for details.