Kestra Deployment

GitOps deployment for Kestra with Tailscale HTTPS access and route acceptance.

Prerequisites

PostgreSQL Database

Connect to your PostgreSQL server and create the database:

CREATE DATABASE kestra;
CREATE USER kestra WITH PASSWORD 'your-secure-password';
GRANT ALL PRIVILEGES ON DATABASE kestra TO kestra;
ALTER DATABASE kestra OWNER TO kestra;

Host Configuration

Download Tailscale serve configuration to /opt/kestra (first time only):

sudo mkdir -p /opt/kestra/tailscale
sudo curl -o /opt/kestra/tailscale/serve-config.json https://gitea.arnodo.fr/Damien/kestra-deployment/raw/branch/main/serve-config.json

Deployment

Create a new stack in Portainer
Select "Repository" and point to this repository
Portainer will load stack.env automatically
Override sensitive values (CHANGE_ME) in the environment variables section:
- TS_AUTHKEY - Tailscale auth key (reusable recommended)
- DB_PASSWORD - PostgreSQL password
- KESTRA_ADMIN_PASSWORD - Kestra admin password (min 8 chars, uppercase + number)
Deploy

Features

Tailscale Sidecar: HTTPS access via Tailscale with automatic certificate management
Route Acceptance: --accept-routes enabled to reach other services on the tailnet
PostgreSQL Backend: External PostgreSQL for persistent storage and queue
Docker-in-Docker: Socket mounted for running containerized tasks
Inline Configuration: Uses KESTRA_CONFIGURATION environment variable (official pattern)

Access

Once deployed: https://kestra.taila5ad8.ts.net

Directory Structure

/opt/kestra/
└── tailscale/
    └── serve-config.json     # Tailscale HTTPS configuration

Environment Variables

Variable	Description	Required
`TS_AUTHKEY`	Tailscale authentication key	Yes
`DB_HOST`	PostgreSQL host	Yes
`DB_PORT`	PostgreSQL port	Yes
`DB_NAME`	Database name	Yes
`DB_USER`	Database user	Yes
`DB_PASSWORD`	Database password	Yes
`KESTRA_ADMIN_USER`	Admin username	No (default: admin)
`KESTRA_ADMIN_PASSWORD`	Admin password (min 8 chars, uppercase + number)	Yes

2.2 KiB Raw Blame History