VPN Setup (Tailscale/Headscale)

To access our internal infrastructure, you must be connected to our private VPN (Headscale).

1. Install Tailscale

Download the client for your OS: tailscale.com/download

2. Connect to Localghost VPN

You must point the client to our coordination server:

Authenticate via the browser window using your Authentik credentials.

Jumphost Access

The Jumphost is our central entry point for administrative tasks. It is a persistent VM integrated with Authentik OIDC.

Prerequisites

How to Connect

Using SSH

ssh <username>@jumphost.ts.localghost.com

Using Mosh (Recommended)

mosh <username>@jumphost.ts.localghost.com

Kubernetes OIDC Access Guide

Configure kubectl to use Authentik OIDC for cluster authentication.

Setup

  1. Install kubelogin: brew install int128/kubelogin/kubelogin
  2. Run the configuration commands:
# 1. Define the cluster connection
# NOTE: --insecure-skip-tls-verify disables validation of the API server's
# certificate. Where the cluster CA is available, prefer
# --certificate-authority=<path-to-cluster-ca.crt> so kubectl verifies
# the endpoint before sending the OIDC bearer token.
kubectl config set-cluster localghost \
  --server=https://k.localghost.com:6443 \
  --insecure-skip-tls-verify=true

# 2. Define the OIDC user credentials (kubelogin exec plugin)
kubectl config set-credentials authentik-user \
  --exec-api-version=client.authentication.k8s.io/v1beta1 \
  --exec-command=kubectl-oidc_login \
  --exec-arg=get-token \
  --exec-arg=--oidc-issuer-url=https://auth.localghost.com/application/o/rancher/ \
  --exec-arg=--oidc-client-id=rancher \
  --exec-arg=--oidc-extra-scope=email \
  --exec-arg=--oidc-extra-scope=groups

# 3. Create a context linking the two
kubectl config set-context localghost-oidc \
  --cluster=localghost \
  --user=authentik-user

# 4. Switch to the new context
kubectl config use-context localghost-oidc
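The following is an added example, not part of this guide or of kubelogin: it rebuilds the kubeconfig the commands above produce (as JSON, which kubectl also accepts), audits it for the settings that matter here (TLS verification off, wrong OIDC issuer, missing groups scope), and shows the hardened form with a pinned cluster CA. The issuer URL is taken from the Setup section; the CA value passed to hardened() is a placeholder, not a real certificate.

```python
import json
# Constructed kubeconfig in JSON form (kubectl reads JSON as well as YAML),
# mirroring the `kubectl config set-*` commands from the Setup section.
PAGE_KUBECONFIG = json.loads("""
{"apiVersion": "v1", "kind": "Config",
 "clusters": [{"name": "localghost", "cluster": {
    "server": "https://k.localghost.com:6443", "insecure-skip-tls-verify": true}}],
 "users": [{"name": "authentik-user", "user": {"exec": {
   "apiVersion": "client.authentication.k8s.io/v1beta1",
   "command": "kubectl-oidc_login",
   "args": ["get-token",
            "--oidc-issuer-url=https://auth.localghost.com/application/o/rancher/",
            "--oidc-client-id=rancher",
            "--oidc-extra-scope=email", "--oidc-extra-scope=groups"]}}}],
 "contexts": [{"name": "localghost-oidc",
               "context": {"cluster": "localghost", "user": "authentik-user"}}],
 "current-context": "localghost-oidc"}
""")
EXPECTED_ISSUER = "https://auth.localghost.com/application/o/rancher/"

def audit_kubeconfig(cfg):
    """Return a list of findings; an empty list means the kubeconfig passes."""
    findings = []
    for c in cfg.get("clusters", []):
        if c["cluster"].get("insecure-skip-tls-verify"):
            # kubectl will accept any certificate for the API server, so an
            # on-path attacker could read the OIDC bearer token it sends.
            findings.append(f"cluster {c['name']}: TLS verification disabled; "
                            "pin the cluster CA with --certificate-authority instead")
    for u in cfg.get("users", []):
        args = u["user"].get("exec", {}).get("args", [])
        issuer = next((a.split("=", 1)[1] for a in args
                       if a.startswith("--oidc-issuer-url=")), None)
        if issuer != EXPECTED_ISSUER:
            findings.append(f"user {u['name']}: unexpected OIDC issuer {issuer!r}")
        if "--oidc-extra-scope=groups" not in args:
            findings.append(f"user {u['name']}: groups scope missing, "
                            "group-based RBAC bindings will not apply")
    return findings

def hardened(cfg, ca_b64):
    """Copy of cfg with verification re-enabled by pinning a CA (base64 PEM)."""
    out = json.loads(json.dumps(cfg))
    for c in out["clusters"]:
        c["cluster"].pop("insecure-skip-tls-verify", None)
        c["cluster"]["certificate-authority-data"] = ca_b64
    return out
```

Running audit_kubeconfig against a real ~/.kube/config (loaded with a YAML parser) gives the same checks on the file kubectl actually uses.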

Usage

kubectl get pods