Kubernetes deployment

The recommended routing model is one shared host with Gateway API path routing:

Apply headtotails

kubectl apply -k deploy/kustomize/overlays/production

Create operator OAuth secret

kubectl create secret generic operator-oauth \
  --namespace tailscale \
  --from-literal=client_id=<OAUTH_CLIENT_ID> \
  --from-literal=client_secret=<OAUTH_CLIENT_SECRET>

Apply operator wiring overlay

kubectl kustomize deploy/kustomize/operator
kubectl apply -k deploy/kustomize/operator

Operator install example (Helm)

helm upgrade --install tailscale-operator tailscale/tailscale-operator \
  --namespace tailscale --create-namespace \
  --set-string loginServer="https://headscale.example.com" \
  --set-string oauth.clientId="<OAUTH_CLIENT_ID>" \
  --set-string oauth.clientSecret="<OAUTH_CLIENT_SECRET>"
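
Hardening the operator-oauth secret step (an added example, not part of the project's own tooling): --from-literal and --set-string place the OAuth credentials in process arguments and shell history, so this sketch renders the same Secret from permission-checked files instead. The secret name, namespace and key names are the ones used above; the function names and file paths are hypothetical.

```shell
#!/bin/sh
# Added example: build the operator-oauth Secret manifest from credential
# files so the values never appear in argv or shell history.
# Function names and file paths are hypothetical.

# Fail if a credential file grants any permission to group or other.
check_private() {
  mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
  [ "$mode" = "------" ] || {
    echo "refusing $1: permissions too open (want 0600 or stricter)" >&2
    return 1
  }
}

# Base64-encode a file's content on one line, dropping CR/LF characters.
b64_file() {
  tr -d '\r\n' < "$1" | base64 | tr -d '\n'
}

# Print a Secret manifest on stdout; credentials are read from the two files.
render_operator_oauth_secret() {
  id_file=$1; secret_file=$2
  for f in "$id_file" "$secret_file"; do
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    check_private "$f" || return 1
  done
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: operator-oauth
  namespace: tailscale
type: Opaque
data:
  client_id: $(b64_file "$id_file")
  client_secret: $(b64_file "$secret_file")
EOF
}

# Usage (manifest goes straight to the API server, nothing written to disk):
#   render_operator_oauth_secret ./client_id ./client_secret | kubectl apply -f -
```
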

Detailed guide: docs/gateway-api-deployment.md