control/controlclient: use the most recent syspolicy.MachineCertificateSubject value

This PR removes the sync.Once wrapper around retrieving the MachineCertificateSubject policy setting value, ensuring the most recent version is always used if it changes after the service starts. Although this policy setting is used by a very limited number of customers, recent support escalations have highlighted issues caused by outdated or incorrect policy values being applied. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-11-25 11:05:45 +00:00 · 2024-11-22 09:28:56 -06:00 · 2024-11-22 09:28:56 -06:00 · 3353f154bb
commit 3353f154bb
parent eb3cd32911
1 changed files with 2 additions and 11 deletions
--- a/control/controlclient/sign_supported.go
+++ b/control/controlclient/sign_supported.go
@ -13,7 +13,6 @@
 	"crypto/x509"
 	"errors"
 	"fmt"
 	"sync"
 	"time"
 	"github.com/tailscale/certstore"
@ -22,11 +21,6 @@
 	"tailscale.com/util/syspolicy"
 )
 var getMachineCertificateSubjectOnce struct {
 	sync.Once
 	v string // Subject of machine certificate to search for
 }
 // getMachineCertificateSubject returns the exact name of a Subject that needs
 // to be present in an identity's certificate chain to sign a RegisterRequest,
 // formatted as per pkix.Name.String(). The Subject may be that of the identity
@ -37,11 +31,8 @@
 //
 // Example: "CN=Tailscale Inc Test Root CA,OU=Tailscale Inc Test Certificate Authority,O=Tailscale Inc,ST=ON,C=CA"
 func getMachineCertificateSubject() string {
-	getMachineCertificateSubjectOnce.Do(func() {
+	machineCertSubject, _ := syspolicy.GetString(syspolicy.MachineCertificateSubject, "")
-		getMachineCertificateSubjectOnce.v, _ = syspolicy.GetString(syspolicy.MachineCertificateSubject, "")
+	return machineCertSubject
 	})
 	return getMachineCertificateSubjectOnce.v
 }
 var (