Wildcard DNS for Local Access to Remote Kubernetes Cluster

We have a reverse proxy in our Kubernetes cluster (GKE) that enables local machines to talk to in-cluster services. Right now, we use IAP for authentication and use the first part of the path of the URL to indicate to the reverse proxy where the request should be routed; for example, internal.example.com/my-service-8080/my/path gets routed internally to the private service my-service:8080/my/path.

Polluting the path with the service information can make some application behavior tricky to deal with. As a result, we’d like to switch to using sub-domains to communicate the service information (e.g. my-service-8080.internal.example.com/my/path).

This has proved challenging with IAP on GKE because of the lack of support for wildcard sub-domains with managed certificates. Not to mention, relying on IAP as a means of authentication makes enabling non-browser-based interactions quite complex. We’d also ideally like to not expose internal.example.com as a public DNS entry.

We’d love to use Tailscale to support our use case. I’ve followed the Kubernetes Sample Proxy documentation, which all makes sense, but it’s still unclear to me if our wildcard sub-domain requirement would be supported. We need the reverse proxy behavior to be dynamic and not rely on custom DNS records for each new service our engineering team brings up.

Would appreciate any pointers/advice on how we can enable our desired state using Tailscale. Love the product so far!
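The two routing schemes the post describes (the current path-prefix form and the desired sub-domain form), as an added Go example that is not part of the original post, of Tailscale, or of the poster's proxy. It assumes the internal.example.com zone and the `<service>-<port>` label convention from the post, and validates the label strictly so the proxy can only ever be pointed at an in-cluster `service:port` rather than at an arbitrary host.

```go
package main

import (
	"errors"
	"regexp"
	"strconv"
	"strings"
)

// Assumed internal zone from the post; only hosts directly under it are routed.
const baseDomain = "internal.example.com"

// "<service>-<port>": a DNS-1035 label, then 1-5 digits. Only the trailing
// "-digits" is the port, so "my-service-8080" is service my-service, port 8080.
var labelRe = regexp.MustCompile(`^([a-z]([-a-z0-9]*[a-z0-9])?)-([0-9]{1,5})$`)

// parseTarget validates a label and returns the in-cluster "service:port".
// Rejecting anything else keeps the proxy from being pointed at arbitrary hosts.
func parseTarget(label string) (string, error) {
	m := labelRe.FindStringSubmatch(label)
	if m == nil {
		return "", errors.New("malformed service label")
	}
	port, err := strconv.Atoi(m[3])
	if err != nil || port < 1 || port > 65535 {
		return "", errors.New("port out of range")
	}
	return m[1] + ":" + strconv.Itoa(port), nil
}

// routeHost is the sub-domain scheme:
// my-service-8080.internal.example.com/my/path -> my-service:8080, /my/path
func routeHost(host, path string) (string, string, error) {
	h, _, _ := strings.Cut(strings.ToLower(host), ":") // drop any explicit port
	label := strings.TrimSuffix(h, "."+baseDomain)
	if label == h || strings.Contains(label, ".") {
		return "", "", errors.New("host is not one label under " + baseDomain)
	}
	t, err := parseTarget(label)
	return t, path, err
}

// routePath is the current path-prefix scheme:
// /my-service-8080/my/path -> my-service:8080, /my/path
func routePath(path string) (string, string, error) {
	label, tail, _ := strings.Cut(strings.TrimPrefix(path, "/"), "/")
	t, err := parseTarget(label)
	return t, "/" + tail, err
}
```

A real handler would try routeHost first and fall back to routePath, then hand the rewritten target and path to an httputil.ReverseProxy; both functions return errors instead of guessing so that an unrecognised Host or prefix is answered with 404 rather than forwarded.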