Maintain external Tailscale settings when applying k3s tailscale configuration #11512

Closed
jmif opened this issue Jan 1, 2025 · 4 comments

Comments

@jmif

jmif commented Jan 1, 2025

Is your feature request related to a problem? Please describe.
I have Tailscale set up on my k3s nodes and I'd like to enable using them as an exit node and enable Tailscale SSH. This means I need to run sudo tailscale up --ssh --advertise-exit-node. If I run this after booting the node (and add the flags --accept-routes --advertise-routes=10.42.0.0/24 that are applied by k3s), the settings are successfully applied and I can use the node as an exit node. However, once I reboot the instance I lose the --ssh --advertise-exit-node settings.

Describe the solution you'd like
The settings would be retained.

Describe alternatives you've considered
A systemd script that runs after the k3s boot.

Additional context
k3s version v1.31.4+k3s1 (a562d09)

@dereknola
Member

This has nothing to do with K3s. We don't run any tailscale commands directly, we make it easier to connect tailscale and K3s. Also, based on Tailscale's forum, it appears that tailscale config should persist across reboots, so you may have a separate issue.

@jmif
Author

jmif commented Jan 2, 2025

Ok, so K3S doesn't touch the Tailscale config? I think it must in some way, here's the sequence of events (with no other configuration changes in between) that triggered this for me:

  1. Install Tailscale, enable SSH and exit node advertisement.

  2. Install k3s without tailscale VPN integration

  3. Reboot machine as part of some other hard drive configuration tests

  4. SSH / Exit node status was maintained

  5. Re-run k3s install script with the VPN configuration

  6. Before restarting, I noticed that my SSH config / exit node config were gone

  7. I tried to reapply them with the same command I used, sudo tailscale up --advertise-exit-node, and got this response:

    Error: changing settings via 'tailscale up' requires mentioning all
    non-default flags. To proceed, either re-run your command with --reset or
    use the command below to explicitly mention the current value of
    all non-default settings:
    
     tailscale up --advertise-exit-node --accept-routes --advertise-routes=10.42.1.0/24
    

    What's interesting here is I didn't add the accept routes or advertise routes flags at any point. And these seem to directly relate to the k3s pod CIDRs, so k3s must be modifying config somehow.

  8. I ran the command suggested above: tailscale up --advertise-exit-node --accept-routes --advertise-routes=10.42.1.0/24

  9. SSH / Exit node status was reapplied and functional

  10. I restarted and they disappeared again.

@dereknola
Member

dereknola commented Jan 2, 2025

Apologies, I answered far too quickly and should have let @manuelbuil answer.

K3s does indeed make changes to tailscale directly via

    output, err := util.ExecCommand("tailscale", args)

This includes a --reset flag by default. However, we do have the option to pass additional commands to the tailscale up command. So if you want to use k3s --vpn-auth, you can no longer configure tailscale separately, it's all or nothing.

If you look at the docs we have some info on this but it's not super clear. You need to pass the additional commands as extraArgs when using the --vpn-auth CLI flag for k3s.

I'm assuming you're using a config.yaml for k3s config. In that case, the file would look like the following:

    # /etc/rancher/k3s/config.yaml
    vpn-auth: name=tailscale,joinKey=$AUTH-KEY,extraArgs=--advertise-exit-node --accept-routes --advertise-routes=10.42.1.0/24

This results internally in k3s calling:

    tailscale up --authkey $AUTH-KEY --timeout=30s --reset --advertise-exit-node --accept-routes --advertise-routes=10.42.1.0/24

You can see this if you use the --debug flag or debug: true in the config.yaml:

    DEBU[0000] Flags passed to tailscale up: [up --authkey $AUTH-KEY --timeout=30s --reset --advertise-exit-node --accept-routes --advertise-routes=10.42.1.0/24]
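
A small model of the behaviour described in the comment above, as an added example that is not k3s code and not part of the original thread: it rebuilds the tailscale up argument list in the order the debug line shows and reports which externally configured flags --reset would return to their defaults. The function names upArgs and droppedFlags are hypothetical, and the parsing of vpn-auth as comma-separated key=value pairs is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// upArgs models the argument list from the debug line in the thread:
// up --authkey KEY --timeout=30s --reset <extraArgs...>. Assumption: vpn-auth is
// comma-separated key=value pairs with no commas inside extraArgs (not k3s's parser).
func upArgs(vpnAuth string) []string {
	var key, extra string
	for _, kv := range strings.Split(vpnAuth, ",") {
		k, v, _ := strings.Cut(kv, "=")
		switch strings.TrimSpace(k) {
		case "joinKey":
			key = v
		case "extraArgs":
			extra = v
		}
	}
	args := []string{"up", "--authkey", key, "--timeout=30s", "--reset"}
	return append(args, strings.Fields(extra)...)
}

// droppedFlags returns the wanted flags that are absent from the modeled
// command line; because of --reset they go back to their defaults.
func droppedFlags(vpnAuth string, wanted []string) []string {
	have := map[string]bool{}
	for _, a := range upArgs(vpnAuth) {
		name, _, _ := strings.Cut(a, "=")
		have[name] = true
	}
	var missing []string
	for _, w := range wanted {
		if name, _, _ := strings.Cut(w, "="); !have[name] {
			missing = append(missing, w)
		}
	}
	return missing
}

func main() {
	// Constructed sample: the vpn-auth value and flags quoted in this thread.
	vpnAuth := "name=tailscale,joinKey=$AUTH-KEY,extraArgs=--advertise-exit-node " +
		"--accept-routes --advertise-routes=10.42.1.0/24"
	fmt.Println(upArgs(vpnAuth))
	fmt.Println(droppedFlags(vpnAuth, []string{"--ssh", "--advertise-exit-node"}))
}
```

Run against a node's own vpn-auth value, a non-empty result lists the settings that need to move into extraArgs to survive a k3s restart.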

@jmif
Author

jmif commented Jan 6, 2025

No worries! That's worked, thanks for the help!

jmif closed this as completed Jan 6, 2025