@johannrichard
Last active September 4, 2022 10:19
Tailscale ACL GitOps Workflow

Tailscale ACL Workflow for GitOps

Tailscale recently introduced the possibility to manage tailnet ACLs in Git repositories. This is my tailscale.yml, which differs from the one proposed by Tailscale in one notable way: the ACL test step runs before the ACL deployment step in the same job. Because the deploy step only runs when the test step succeeded, it becomes clearer that a failed workflow run failed because of a failed ACL test rather than a failed deployment.

Bonus: by installing act, one can actually run these tests locally, e.g. before committing / pushing to GitHub. This works well with a Git pre-commit hook that fails (and so aborts the commit) if the ACL test is unsuccessful. Combined with the 1Password CLI op command, you get a nice little ACL workflow: op run resolves the op:// references in the env file into environment variables for the duration of the command only, and act --secret NAME without a value picks each secret up from that environment, so the API key is never written to disk in plaintext and the env file can safely be committed.

# Run the workflow locally: op resolves the op:// references into environment
# variables, act reads the two secrets from that environment.
op run --env-file=".github/act/.env" -- act --secret TS_API_KEY --secret TS_TAILNET

# .github/act/.env -- contains only 1Password references, never the secret values
TS_TAILNET="op://Dev-Vault/TS_TAILNET/credential"
TS_API_KEY="op://Dev-Vault/TS_API_KEY/credential"

#!/bin/bash
# Put this into .git/hooks/pre-commit (and make it executable) or amend your
# existing pre-commit hook accordingly. op run propagates act's exit status, so a
# failed ACL test aborts the commit.
op run --env-file=".github/act/.env" -- act --secret TS_API_KEY --secret TS_TAILNET
# .github/workflows/tailscale.yml
name: Sync Tailscale ACLs
on:
  push:
    branches: ["live", "main"]
  pull_request:
    branches: ["live"]
jobs:
  acls:
    name: "test and deploy"
    runs-on: ubuntu-latest
    steps:
      # Both action references below are mutable tags (v3, v1). Pin them to a
      # commit SHA if you want a supply-chain guarantee on the code that gets
      # to see TS_API_KEY. The job only needs to read the repo, so the default
      # GITHUB_TOKEN permissions can also be reduced to contents: read.
      - uses: actions/checkout@v3
      # Runs on every push to main or live and on every PR targeting live.
      - name: Test ACL
        id: test-acl
        uses: tailscale/gitops-acl-action@v1
        with:
          api-key: ${{ secrets.TS_API_KEY }}
          tailnet: ${{ secrets.TS_TAILNET }}
          action: test
      # Only reached when the test step succeeded, and only for pushes to live;
      # a pull_request event or a push to main never applies anything.
      - name: Deploy ACL
        if: github.event_name == 'push' && github.ref == 'refs/heads/live'
        id: deploy-acl
        uses: tailscale/gitops-acl-action@v1
        with:
          api-key: ${{ secrets.TS_API_KEY }}
          tailnet: ${{ secrets.TS_TAILNET }}
          action: apply
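The one-line pre-commit hook above has two rough edges: it runs act (and so spends a Tailscale API call) on every commit, whether or not the policy changed, and it uses act's default push event, with github.ref taken from the branch you happen to be on, so a commit made on the live branch can satisfy the Deploy ACL step's condition and apply the not-yet-committed policy with your real API key. The hook below is an added example, not part of the gist: it only runs the test when a relevant file is staged, and it runs the workflow as a pull_request event, which the workflow's own if-condition excludes from deployment. The policy path policy.hujson and the workflow path .github/workflows/tailscale.yml are assumptions; the gist does not name either.

```shell
#!/bin/sh
# Added example: a stricter pre-commit hook for the workflow above (not from the
# gist). Assumptions not stated in the gist: the policy is at policy.hujson in the
# repo root, the workflow at .github/workflows/tailscale.yml, op and act are in PATH.
set -eu

POLICY_FILE="${TS_POLICY_FILE:-policy.hujson}"
WORKFLOW_FILE=".github/workflows/tailscale.yml"
ENV_FILE=".github/act/.env"

# Return 0 if any argument is a path whose change affects the ACL workflow.
acl_relevant() {
  for f in "$@"; do
    case "$f" in
      "$POLICY_FILE"|"$WORKFLOW_FILE") return 0 ;;
    esac
  done
  return 1
}

# Paths staged for this commit (added, copied, modified or renamed only).
staged_paths() {
  git diff --cached --name-only --diff-filter=ACMR
}

# The act invocation. Using the pull_request event instead of act's default push
# makes github.event_name != 'push', so the "Deploy ACL" step is skipped whatever
# branch is checked out; only "Test ACL" runs. '--secret NAME' with no value makes
# act read NAME from the environment, which op run fills from the op:// references
# in the env file, so no plaintext key is written anywhere.
act_command() {
  echo "act pull_request --secret TS_API_KEY --secret TS_TAILNET"
}

# Fail the commit with a clear message if a required tool is missing.
require_tool() {
  command -v "$1" >/dev/null 2>&1 && return 0
  echo "pre-commit: required tool '$1' not found in PATH" >&2
  return 1
}

main() {
  # Skip the slow, API-backed test when nothing ACL-related is staged.
  # shellcheck disable=SC2046
  if ! acl_relevant $(staged_paths); then
    exit 0
  fi
  require_tool op
  require_tool act
  # op run propagates act's exit status, so a failed test aborts the commit.
  # shellcheck disable=SC2046
  exec op run --env-file="$ENV_FILE" -- $(act_command)
}

# Git invokes this file as .git/hooks/pre-commit; only then run main, so the
# file can also be sourced to reuse the functions.
case "$(basename "$0")" in
  pre-commit) main "$@" ;;
esac
```

Install it as .git/hooks/pre-commit and make it executable. If you later add further files that should trigger the test (a second policy file, say), extend the case pattern in acl_relevant; the pull_request event stays the safe default for anything run from a working tree.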