Documentation
Overview
The containerboot binary is a wrapper for starting tailscaled in a container. It handles reading the desired mode of operation out of environment variables, bringing up and authenticating Tailscale, and any other Kubernetes-specific side jobs.
As with most container things, configuration is passed through environment variables. All configuration is optional.
- TS_AUTH_KEY: the authkey to use for login.
- TS_ROUTES: subnet routes to advertise.
- TS_DEST_IP: proxy all incoming Tailscale traffic to the given destination.
- TS_TAILSCALED_EXTRA_ARGS: extra arguments to 'tailscaled'.
- TS_EXTRA_ARGS: extra arguments to 'tailscale up'.
- TS_USERSPACE: run with userspace networking (the default) instead of kernel networking.
- TS_STATE_DIR: the directory in which to store tailscaled state. The data should persist across container restarts.
- TS_ACCEPT_DNS: whether to use the tailnet's DNS configuration.
- TS_KUBE_SECRET: the name of the Kubernetes secret in which to store tailscaled state.
- TS_SOCKS5_SERVER: the address on which to listen for SOCKS5 proxying into the tailnet.
- TS_OUTBOUND_HTTP_PROXY_LISTEN: the address on which to listen for HTTP proxying into the tailnet.
- TS_SOCKET: the path where the tailscaled local API socket should be created.
- TS_AUTH_ONCE: if true, only attempt to log in if not already logged in. If false (the default, for backwards compatibility), forcibly log in every time the container starts.
When running on Kubernetes, TS_KUBE_SECRET takes precedence over TS_STATE_DIR. Additionally, if TS_AUTH_KEY is not provided and the TS_KUBE_SECRET contains an "authkey" field, that key is used.
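The precedence rules above and the TS_AUTH_ONCE behaviour, modelled as an added Go example (not containerboot's own code) for checking which state store and auth key a given environment selects. `Plan`, `Resolve`, their inputs and the sample values are hypothetical, and treating an empty variable as unset and parsing TS_AUTH_ONCE as a Go boolean are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
)

// Plan is the effective configuration derived from the documented rules.
type Plan struct {
	StateStore    string // "kube-secret:<name>", "dir:<path>" or "none"
	AuthKey       string
	AuthKeySource string // "env", "kube-secret" or "none"
	Login         bool   // whether a login attempt happens on this start
}

// Resolve applies the documented precedence. env holds the TS_* variables,
// secret holds the fields of the Secret named by TS_KUBE_SECRET, onKube says
// whether the container runs on Kubernetes, and loggedIn whether the stored
// state already holds a login. All four inputs are hypothetical.
func Resolve(env, secret map[string]string, onKube, loggedIn bool) Plan {
	p := Plan{StateStore: "none", AuthKeySource: "none"}
	useSecret := onKube && env["TS_KUBE_SECRET"] != ""
	switch {
	case useSecret: // TS_KUBE_SECRET wins over TS_STATE_DIR on Kubernetes
		p.StateStore = "kube-secret:" + env["TS_KUBE_SECRET"]
	case env["TS_STATE_DIR"] != "":
		p.StateStore = "dir:" + env["TS_STATE_DIR"]
	}
	switch {
	case env["TS_AUTH_KEY"] != "": // an explicit TS_AUTH_KEY is used first
		p.AuthKey, p.AuthKeySource = env["TS_AUTH_KEY"], "env"
	case useSecret && secret["authkey"] != "": // fallback: "authkey" field
		p.AuthKey, p.AuthKeySource = secret["authkey"], "kube-secret"
	}
	// Assumption: unset or unparsable TS_AUTH_ONCE means false (the default).
	once, _ := strconv.ParseBool(env["TS_AUTH_ONCE"])
	p.Login = !once || !loggedIn
	return p
}

func main() {
	env := map[string]string{ // constructed sample values
		"TS_KUBE_SECRET": "ts-state", "TS_STATE_DIR": "/var/lib/ts", "TS_AUTH_ONCE": "true",
	}
	secret := map[string]string{"authkey": "tskey-auth-EXAMPLE"}
	fmt.Printf("%+v\n", Resolve(env, secret, true, true))   // on Kubernetes, already logged in
	fmt.Printf("%+v\n", Resolve(env, secret, false, false)) // same env outside Kubernetes
}
```

With TS_AUTH_ONCE left at its default, the resolved auth key is presented on every container start, so whichever source holds it must stay readable to the container for its whole lifetime.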