I set up my Raspberry Pi cluster to be accessible from the internet without configuring a port-forward on my router.
Tailscale creates a private network using WireGuard. WireGuard isn't really that difficult to configure on its own, but you do have to generate and distribute keys manually. Tailscale takes care of that for you, and it also has some fallbacks for difficult networks. It doesn't look like any of my nodes are using a fallback option, based on the dashboard.
Setting up Tailscale is as easy as installing it and running tailscale up. Until recently, this required you to log in interactively. Tailscale now supports pre-authenticated keys, which means you can automate the setup.
Installing on Raspberry Pis
I made kasuboski/tailscale-install to automate installing and starting Tailscale on Raspberry Pis. I plan to expand it to work on more varied platforms in the future.
It's a PyInfra deploy that basically just adds the package and runs tailscale up with a key sourced from the environment. Using this, I was able to add my Raspberry Pi cluster to the network in around 5 minutes.
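The same two steps as a plain POSIX shell script, added here as an illustration and not the kasuboski/tailscale-install deploy itself. It assumes a Debian-based Raspberry Pi, that the pre-authenticated key arrives only via the TAILSCALE_AUTHKEY environment variable, and that the node name is the machine hostname.

```shell
#!/bin/sh
# Added example (not the project's own deploy): install Tailscale and join the
# tailnet with a pre-authenticated key taken from the environment.
# Assumptions: Debian-based Raspberry Pi OS, key in TAILSCALE_AUTHKEY,
# node name = hostname.
set -eu

# Install Tailscale with the vendor's install script if it is not present yet.
install_tailscale() {
    if command -v tailscale >/dev/null 2>&1; then
        return 0
    fi
    curl -fsSL https://tailscale.com/install.sh | sh
}

# Build the arguments for `tailscale up`. Refuses to proceed without a key:
# without --authkey, `tailscale up` falls back to interactive login, which
# would hang an unattended deploy instead of failing loudly.
tailscale_up_args() {
    node_name="$1"
    key="${TAILSCALE_AUTHKEY:-}"
    if [ -z "$key" ]; then
        echo "TAILSCALE_AUTHKEY is not set; refusing to start interactive login" >&2
        return 1
    fi
    printf 'up --authkey=%s --hostname=%s' "$key" "$node_name"
}

# Join the tailnet and print the node's tailnet IPv4 address as confirmation.
join_tailnet() {
    install_tailscale
    # shellcheck disable=SC2046  # word splitting of the args is intentional
    sudo tailscale $(tailscale_up_args "$(hostname)")
    tailscale ip -4
}

# Only run when explicitly asked, so the file can also be sourced for testing:
#   TAILSCALE_AUTHKEY=tskey-... TAILSCALE_JOIN=1 sh join-tailnet.sh
if [ "${TAILSCALE_JOIN:-0}" = "1" ]; then
    join_tailnet
fi
```

The key is passed on the command line, so it is briefly visible in the process list while tailscale up runs; treat it as a secret and prefer a single-use key for unattended setup.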
Exposing to the internet
My cluster ingress is now slightly different from what is described here. Traffic from the Linode now goes directly to the Kubernetes nodes on the port exposed by the nginx-ingress controller. This removes the extra hop through an internal HAProxy that originally ran on a different Raspberry Pi.