mirrors/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2026-05-05 12:16:44 +02:00
Code Issues Packages Projects Releases Wiki Activity

testing

Browse Source
This commit is contained in:
Mario Minardi 2026-01-13 13:11:19 -07:00
parent c5ec7d29ff
commit 7888d5a05d
No known key found for this signature in database
1 changed files with 26 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
tsnet/tsnet.go
View File

@ -139,6 +139,14 @@ type Server struct {
// field is not used.
IDToken string
// Audience, if non-empty, is the audience to use when requesting
// an ID token from a well-known identity provider to exchange
// with the control server for workload identity federation. It
// will be preferred over the TS_AUDIENCE environment variable. If
// the node is already created (from state previously stored in Store),
// then this field is not used.
Audience string
// ControlURL optionally specifies the coordination server URL.
// If empty, the Tailscale default is used.
ControlURL string
@ -567,6 +575,13 @@ func (s *Server) getIDToken() string {
return os.Getenv("TS_ID_TOKEN")
}
func (s *Server) getAudience() string {
if v := s.Audience; v != "" {
return v
}
return os.Getenv("TS_AUDIENCE")
}
func (s *Server) start() (reterr error) {
var closePool closeOnErrorPool
defer closePool.closeAllIfError(&reterr)
@ -805,13 +820,19 @@ func (s *Server) resolveAuthKey() (string, error) {
if wifOk && authKey == "" {
clientID := s.getClientID()
idToken := s.getIDToken()
if clientID != "" && idToken == "" {
return "", fmt.Errorf("client ID for workload identity federation found, but ID token is empty")
audience := s.getAudience()
if clientID != "" && idToken == "" && audience == "" {
return "", fmt.Errorf("client ID for workload identity federation found, but ID token and audience are empty")
}
if clientID == "" && idToken != "" {
return "", fmt.Errorf("ID token for workload identity federation found, but client ID is empty")
if clientID == "" {
if idToken != "" {
return "", fmt.Errorf("ID token for workload identity federation found, but client ID is empty")
}
if audience != "" {
return "", fmt.Errorf("audience for workload identity federation found, but client ID is empty")
}
}
authKey, err = resolveViaWIF(s.shutdownCtx, s.ControlURL, clientID, idToken, "", s.AdvertiseTags)
authKey, err = resolveViaWIF(s.shutdownCtx, s.ControlURL, clientID, idToken, audience, s.AdvertiseTags)
if err != nil {
return "", err
}