ipn/store/kubestore,kube,envknob,cmd/tailscaled/depaware.txt: allow kubestore read/write custom TLS secrets (#15307)

This PR adds some custom logic for reading and writing kube store values that are TLS certs and keys: 1) when store is initialized, lookup additional TLS Secrets for this node and if found, load TLS certs from there 2) if the node runs in certs 'read only' mode and TLS cert and key are not found in the in-memory store, look those up in a Secret 3) if the node runs in certs 'read only' mode, run a daily TLS certs reload to memory to get any renewed certs Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2025-08-11 05:07:33 +00:00 · 2025-03-18 15:09:22 +00:00
parent ef1e14250c
commit 34734ba635
8 changed files with 881 additions and 92 deletions
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -286,7 +286,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/ipn/store/mem                                  from tailscale.com/ipn/ipnlocal+
   L    tailscale.com/kube/kubeapi                                   from tailscale.com/ipn/store/kubestore+
   L    tailscale.com/kube/kubeclient                                from tailscale.com/ipn/store/kubestore
-        tailscale.com/kube/kubetypes                                 from tailscale.com/envknob
+        tailscale.com/kube/kubetypes                                 from tailscale.com/envknob+
        tailscale.com/licenses                                       from tailscale.com/client/web
        tailscale.com/log/filelogger                                 from tailscale.com/logpolicy
        tailscale.com/log/sockstatlog                                from tailscale.com/ipn/ipnlocal