mirror of
https://github.com/tailscale/tailscale.git
synced 2026-06-03 21:01:54 +08:00
Adds logic for containerboot to signal that it can't auth, so the
operator can reissue a new auth key. This only applies when running with
a config file and with a kube state store.

If the operator sees reissue_authkey in a state Secret, it will create a
new auth key iff the config has no auth key or its auth key matches the
value of reissue_authkey from the state Secret. This is to ensure we
don't reissue auth keys in a tight loop if the proxy is slow to start or
failing for some other reason. The reissue logic also uses a burstable
rate limiter to ensure there's no way a terminally misconfigured
or buggy operator can automatically generate new auth keys in a tight loop.

Additional implementation details (ChaosInTheCRD):
- Added `ipn.NotifyInitialHealthState` to ipn watcher, to ensure that
  `n.Health` is populated when notifies are returned.
- On auth failure, containerboot:
  - Disconnects from control server
  - Sets reissue_authkey marker in state Secret with the failing key
  - Polls config file for new auth key (10 minute timeout)
  - Restarts after receiving new key to apply it
- Modified operator's reissue logic slightly:
  - Deletes old device from tailnet before creating new key
  - Rate limiting: 1 key per 30s with initial burst equal to replica count
  - In-flight tracking (authKeyReissuing map) prevents duplicate API calls
    across reconcile loops

Updates #14080

Change-Id: I6982f8e741932a6891f2f48a2936f7f6a455317f
(cherry picked from commit 969927c47c3d4de05e90f5b26a6d8d931c5ceed4)
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: chaosinthecrd <tom@tmlabs.co.uk>