From 124535dd2b26af4b66ffa8fb8cf46cfb49718ff0 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Fri, 21 Oct 2022 16:25:11 -0700
Subject: [PATCH] docs/k8s: record the Tailscale device ID in a k8s annotation.
When a Tailscale pod comes up with k8s state storage, if it successfully authenticates it records its device ID in the tailscale.com/device-id annotation on the state secret.
Signed-off-by: David Anderson
---
 Dockerfile | 2 +-
 Dockerfile.base | 2 +-
 docs/k8s/run.sh | 19 ++++++++++++++++++-
 3 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 5ff271233..a73ae170a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -69,7 +69,7 @@ RUN GOARCH=$TARGETARCH go install -ldflags="\
 -v ./cmd/tailscale ./cmd/tailscaled
 FROM alpine:3.16
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables jq curl
 COPY --from=build-env /go/bin/* /usr/local/bin/
 COPY --from=build-env /go/src/tailscale/docs/k8s/run.sh /usr/local/bin/
diff --git a/Dockerfile.base b/Dockerfile.base
index bf675921c..d8fa29cf2 100644
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -3,4 +3,4 @@
 # license that can be found in the LICENSE file.
 FROM alpine:3.16
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables jq curl
diff --git a/docs/k8s/run.sh b/docs/k8s/run.sh
index 765f536ab..df541f9ac 100755
--- a/docs/k8s/run.sh
+++ b/docs/k8s/run.sh
@@ -89,5 +89,22 @@ if [[ ! -z "${TS_DEST_IP}" ]]; then
 iptables -t nat -I PREROUTING -d "$(tailscale --socket=${TS_SOCKET} ip -4)" -j DNAT --to-destination "${TS_DEST_IP}"
 fi
+if [[ ! -z "${TS_KUBE_SECRET}" ]]; then
+ DEVICE_ID=$(tailscale --socket="${TS_SOCKET}" status --json | jq -r .Self.ID)
+ echo "Device ID is $DEVICE_ID"
+ NS=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
+ TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+ if ! curl -s -X PATCH \
+ --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
+ -H "Authorization: Bearer $TOKEN" \
+ -H "Accept: application/json" \
+ -H "Content-Type: application/strategic-merge-patch+json" \
+ --data-raw "{\"data\":{\"device_id\": \"$DEVICE_ID\"}}" \
+ "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/api/v1/namespaces/${NS}/secrets/${TS_KUBE_SECRET}?fieldManager=kubectl-patch" >/dev/null; then
+ echo "Failed to record Tailscale device ID"
+ exit 1
+ fi
+fi
+
 echo "Waiting for tailscaled to exit"
-wait ${PID}
\ No newline at end of file
+wait ${PID}
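Review bot: The PATCH body in the run.sh hunk writes the device ID into the Secret's `data` map as a plain string, but Kubernetes requires `data` values to be base64-encoded, so the API server rejects the request (illegal base64) unless the ID happens to decode; write it as `--data-raw "{\"stringData\":{\"device_id\": \"$DEVICE_ID\"}}"` or base64-encode the value first. That rejection is also invisible to the script, because `curl -s` exits 0 on an HTTP error response and the `if !` guard therefore only fires on transport failures; `if ! curl -sS --fail -X PATCH \` makes a 4xx/5xx (including an RBAC 403 on the secret) take the "Failed to record" path. The commit message describes a `tailscale.com/device-id` annotation while the code patches a `data` key, so one of the two should be aligned. Since `$TOKEN` is the pod's service-account bearer token, `-H "Authorization: Bearer $TOKEN"` places it on the curl command line where `ps` and `set -x` can show it; `-H @file`-style header input or a curl config file keeps it out of argv. An empty or `null` `DEVICE_ID` (jq prints `null` when `.Self.ID` is absent, e.g. before authentication completes) is recorded without a check, so guard with `[[ -n "$DEVICE_ID" && "$DEVICE_ID" != "null" ]]` before the PATCH.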