mirror of
https://github.com/tailscale/tailscale.git
synced 2026-05-06 04:36:15 +02:00
5eb0b4be31
* kube/authkey,cmd/containerboot: extract shared auth key reissue package Move auth key reissue logic (set marker, wait for new key, clear marker, read config) into a shared kube/authkey package and update containerboot to use it. No behaviour change. Updates #14080 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> * kube/authkey,kube/state,cmd/containerboot: preserve device_id across restarts Stop clearing device_id, device_fqdn, and device_ips from state on startup. These keys are now preserved across restarts so the operator can track device identity. Expand ClearReissueAuthKey to clear device state and tailscaled profile data when performing a full auth key reissue. Updates #14080 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> * cmd/containerboot: use root context for auth key reissue wait Pass the root context instead of bootCtx to setAndWaitForAuthKeyReissue. The 60-second bootCtx timeout was cancelling the reissue wait before the operator had time to respond, causing the pod to crash-loop. Updates #14080 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> * cmd/k8s-proxy: add auth key renewal support Add auth key reissue handling to k8s-proxy, mirroring containerboot. When the proxy detects an auth failure (login-state health warning or NeedsLogin state), it disconnects from control, signals the operator via the state Secret, waits for a new key, clears stale state, and exits so Kubernetes restarts the pod with the new key. A health watcher goroutine runs alongside ts.Up() to short-circuit the startup timeout on terminal auth failures. Updates #14080 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> --------- Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
142 lines
3.4 KiB
Go
142 lines
3.4 KiB
Go
// Copyright (c) Tailscale Inc & contributors
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
//go:build !plan9
|
|
|
|
package main
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"testing"
|
|
|
|
"github.com/google/go-cmp/cmp"
|
|
"tailscale.com/health"
|
|
"tailscale.com/kube/kubeapi"
|
|
"tailscale.com/kube/kubeclient"
|
|
"tailscale.com/kube/kubetypes"
|
|
"tailscale.com/tailcfg"
|
|
)
|
|
|
|
func TestResetState(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
existingData map[string][]byte
|
|
podUID string
|
|
configAuthKey string
|
|
wantPatched map[string][]byte
|
|
}{
|
|
{
|
|
name: "sets_capver_and_pod_uid",
|
|
existingData: map[string][]byte{
|
|
kubetypes.KeyDeviceID: []byte("device-123"),
|
|
kubetypes.KeyDeviceFQDN: []byte("node.tailnet"),
|
|
kubetypes.KeyDeviceIPs: []byte(`["100.64.0.1"]`),
|
|
},
|
|
podUID: "pod-123",
|
|
configAuthKey: "new-key",
|
|
wantPatched: map[string][]byte{
|
|
kubetypes.KeyPodUID: []byte("pod-123"),
|
|
},
|
|
},
|
|
{
|
|
name: "clears_reissue_marker_when_actioned",
|
|
existingData: map[string][]byte{
|
|
kubetypes.KeyReissueAuthkey: []byte("old-key"),
|
|
},
|
|
podUID: "pod-123",
|
|
configAuthKey: "new-key",
|
|
wantPatched: map[string][]byte{
|
|
kubetypes.KeyPodUID: []byte("pod-123"),
|
|
kubetypes.KeyReissueAuthkey: nil,
|
|
},
|
|
},
|
|
{
|
|
name: "keeps_reissue_marker_when_not_actioned",
|
|
existingData: map[string][]byte{
|
|
kubetypes.KeyReissueAuthkey: []byte("old-key"),
|
|
},
|
|
podUID: "pod-123",
|
|
configAuthKey: "old-key",
|
|
wantPatched: map[string][]byte{
|
|
kubetypes.KeyPodUID: []byte("pod-123"),
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
tt.wantPatched[kubetypes.KeyCapVer] = fmt.Appendf(nil, "%d", tailcfg.CurrentCapabilityVersion)
|
|
|
|
var patched map[string][]byte
|
|
kc := &kubeclient.FakeClient{
|
|
GetSecretImpl: func(ctx context.Context, name string) (*kubeapi.Secret, error) {
|
|
return &kubeapi.Secret{Data: tt.existingData}, nil
|
|
},
|
|
StrategicMergePatchSecretImpl: func(ctx context.Context, name string, s *kubeapi.Secret, fm string) error {
|
|
patched = s.Data
|
|
return nil
|
|
},
|
|
}
|
|
|
|
err := resetState(context.Background(), kc, "test-secret", tt.podUID, tt.configAuthKey)
|
|
if err != nil {
|
|
t.Fatalf("resetState() error = %v", err)
|
|
}
|
|
|
|
if diff := cmp.Diff(tt.wantPatched, patched); diff != "" {
|
|
t.Errorf("resetState() mismatch (-want +got):\n%s", diff)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestNeedsAuthKeyReissue(t *testing.T) {
|
|
loginWarnableCode := string(health.LoginStateWarnable.Code)
|
|
|
|
tests := []struct {
|
|
name string
|
|
backendState string
|
|
health []string
|
|
want bool
|
|
}{
|
|
{
|
|
name: "running_healthy",
|
|
backendState: "Running",
|
|
want: false,
|
|
},
|
|
{
|
|
name: "needs_login",
|
|
backendState: "NeedsLogin",
|
|
want: true,
|
|
},
|
|
{
|
|
name: "running_with_login_warning",
|
|
backendState: "Running",
|
|
health: []string{"warning: " + loginWarnableCode + ": you are logged out"},
|
|
want: true,
|
|
},
|
|
{
|
|
name: "running_with_unrelated_warning",
|
|
backendState: "Running",
|
|
health: []string{"dns-not-working"},
|
|
want: false,
|
|
},
|
|
{
|
|
name: "running_no_warnings",
|
|
backendState: "Running",
|
|
health: nil,
|
|
want: false,
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
got := needsAuthKeyReissue(tt.backendState, tt.health)
|
|
if got != tt.want {
|
|
t.Errorf("needsAuthKeyReissue() = %v, want %v", got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|