ipn/store/kubestore,kube,envknob,cmd/tailscaled/depaware.txt: allow kubestore read/write custom TLS secrets (#15307)

This PR adds some custom logic for reading and writing kube store values that are TLS certs and keys: 1) when store is initialized, lookup additional TLS Secrets for this node and if found, load TLS certs from there 2) if the node runs in certs 'read only' mode and TLS cert and key are not found in the in-memory store, look those up in a Secret 3) if the node runs in certs 'read only' mode, run a daily TLS certs reload to memory to get any renewed certs Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2025-08-14 06:57:31 +00:00 · 2025-03-18 15:09:22 +00:00
parent ef1e14250c
commit 34734ba635
8 changed files with 881 additions and 92 deletions
--- a/kube/kubetypes/types.go
+++ b/kube/kubetypes/types.go
@@ -48,4 +48,7 @@ const (
 	PodIPv4Header string = "Pod-IPv4"

 	EgessServicesPreshutdownEP = "/internal-egress-services-preshutdown"
+
+	LabelManaged    = "tailscale.com/managed"
+	LabelSecretType = "tailscale.com/secret-type" // "config", "state" "certs"
 )