cmd/containerboot,kube,ipn/store/kubestore: allow interactive login on kube, check Secret create perms, allow empty state Secret (#11326)

cmd/containerboot,kube,ipn/store/kubestore: allow interactive login and empty state Secrets, check perms * Allow users to pre-create empty state Secrets * Add a fake internal kube client, test functionality that has dependencies on kube client operations. * Fix an issue where interactive login was not allowed in an edge case where state Secret does not exist * Make the CheckSecretPermissions method report whether we have permissions to create/patch a Secret if it's determined that these operations will be needed Updates tailscale/tailscale#11170 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2025-08-11 13:18:53 +00:00 · 2024-04-29 17:03:48 +01:00
parent 1e6cdb7d86
commit 1452faf510
6 changed files with 366 additions and 77 deletions
--- a/ipn/store/kubestore/store_kube.go
+++ b/ipn/store/kubestore/store_kube.go
@@ -7,6 +7,7 @@ package kubestore

 import (
 	"context"
+	"fmt"
 	"net"
 	"strings"
 	"time"
@@ -18,7 +19,7 @@ import (

 // Store is an ipn.StateStore that uses a Kubernetes Secret for persistence.
 type Store struct {
-	client     *kube.Client
+	client     kube.Client
 	canPatch   bool
 	secretName string
 }
@@ -29,7 +30,7 @@ func New(_ logger.Logf, secretName string) (*Store, error) {
 	if err != nil {
 		return nil, err
 	}
-	canPatch, err := c.CheckSecretPermissions(context.Background(), secretName)
+	canPatch, _, err := c.CheckSecretPermissions(context.Background(), secretName)
 	if err != nil {
 		return nil, err
 	}
@@ -83,7 +84,7 @@ func (s *Store) WriteState(id ipn.StateKey, bs []byte) error {

 	secret, err := s.client.GetSecret(ctx, s.secretName)
 	if err != nil {
-		if st, ok := err.(*kube.Status); ok && st.Code == 404 {
+		if kube.IsNotFoundErr(err) {
 			return s.client.CreateSecret(ctx, &kube.Secret{
 				TypeMeta: kube.TypeMeta{
 					APIVersion: "v1",
@@ -100,6 +101,19 @@ func (s *Store) WriteState(id ipn.StateKey, bs []byte) error {
 		return err
 	}
 	if s.canPatch {
+		if len(secret.Data) == 0 { // if user has pre-created a blank Secret
+			m := []kube.JSONPatch{
+				{
+					Op:    "add",
+					Path:  "/data",
+					Value: map[string][]byte{sanitizeKey(id): bs},
+				},
+			}
+			if err := s.client.JSONPatchSecret(ctx, s.secretName, m); err != nil {
+				return fmt.Errorf("error patching Secret %s with a /data field: %v", s.secretName, err)
+			}
+			return nil
+		}
 		m := []kube.JSONPatch{
 			{
 				Op:    "add",
@@ -108,7 +122,7 @@ func (s *Store) WriteState(id ipn.StateKey, bs []byte) error {
 			},
 		}
 		if err := s.client.JSONPatchSecret(ctx, s.secretName, m); err != nil {
-			return err
+			return fmt.Errorf("error patching Secret %s with /data/%s field", s.secretName, sanitizeKey(id))
 		}
 		return nil
 	}