types/netmap: remove PrivateKey from NetworkMap

It's an unnecessary nuisance having it. We go out of our way to redact it in so many places when we don't even need it there anyway. Updates #12639 Change-Id: I5fc72e19e9cf36caeb42cf80ba430873f67167c3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-12-25 20:23:43 +00:00 · 2025-11-15 13:28:29 -08:00
parent 98aadbaf54
commit 653d0738f9
25 changed files with 292 additions and 462 deletions
--- a/wgengine/bench/wg.go
+++ b/wgengine/bench/wg.go
@@ -111,9 +111,8 @@ func setupWGTest(b *testing.B, logf logger.Logf, traf *TrafficGen, a1, a2 netip.
 			Endpoints:  epFromTyped(st.LocalAddrs),
 		}
 		e2.SetNetworkMap(&netmap.NetworkMap{
-			NodeKey:    k2.Public(),
-			PrivateKey: k2,
-			Peers:      []tailcfg.NodeView{n.View()},
+			NodeKey: k2.Public(),
+			Peers:   []tailcfg.NodeView{n.View()},
 		})

 		p := wgcfg.Peer{
@@ -143,9 +142,8 @@ func setupWGTest(b *testing.B, logf logger.Logf, traf *TrafficGen, a1, a2 netip.
 			Endpoints:  epFromTyped(st.LocalAddrs),
 		}
 		e1.SetNetworkMap(&netmap.NetworkMap{
-			NodeKey:    k1.Public(),
-			PrivateKey: k1,
-			Peers:      []tailcfg.NodeView{n.View()},
+			NodeKey: k1.Public(),
+			Peers:   []tailcfg.NodeView{n.View()},
 		})

 		p := wgcfg.Peer{
--- a/wgengine/magicsock/magicsock_test.go
+++ b/wgengine/magicsock/magicsock_test.go
@@ -308,8 +308,7 @@ func meshStacks(logf logger.Logf, mutateNetmap func(idx int, nm *netmap.NetworkM
 	buildNetmapLocked := func(myIdx int) *netmap.NetworkMap {
 		me := ms[myIdx]
 		nm := &netmap.NetworkMap{
-			PrivateKey: me.privateKey,
-			NodeKey:    me.privateKey.Public(),
+			NodeKey: me.privateKey.Public(),
 			SelfNode: (&tailcfg.Node{
 				Addresses: []netip.Prefix{netip.PrefixFrom(netaddr.IPv4(1, 0, 0, byte(myIdx+1)), 32)},
 			}).View(),
@@ -356,7 +355,7 @@ func meshStacks(logf logger.Logf, mutateNetmap func(idx int, nm *netmap.NetworkM
 				peerSet.Add(peer.Key())
 			}
 			m.conn.UpdatePeers(peerSet)
-			wg, err := nmcfg.WGCfg(nm, logf, 0, "")
+			wg, err := nmcfg.WGCfg(ms[i].privateKey, nm, logf, 0, "")
 			if err != nil {
 				// We're too far from the *testing.T to be graceful,
 				// blow up. Shouldn't happen anyway.
@@ -2201,9 +2200,8 @@ func TestIsWireGuardOnlyPeer(t *testing.T) {
 	defer m.Close()

 	nm := &netmap.NetworkMap{
-		Name:       "ts",
-		PrivateKey: m.privateKey,
-		NodeKey:    m.privateKey.Public(),
+		Name:    "ts",
+		NodeKey: m.privateKey.Public(),
 		SelfNode: (&tailcfg.Node{
 			Addresses: []netip.Prefix{tsaip},
 		}).View(),
@@ -2224,7 +2222,7 @@ func TestIsWireGuardOnlyPeer(t *testing.T) {
 	}
 	m.conn.onNodeViewsUpdate(nv)

-	cfg, err := nmcfg.WGCfg(nm, t.Logf, netmap.AllowSubnetRoutes, "")
+	cfg, err := nmcfg.WGCfg(m.privateKey, nm, t.Logf, netmap.AllowSubnetRoutes, "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -2266,9 +2264,8 @@ func TestIsWireGuardOnlyPeerWithMasquerade(t *testing.T) {
 	defer m.Close()

 	nm := &netmap.NetworkMap{
-		Name:       "ts",
-		PrivateKey: m.privateKey,
-		NodeKey:    m.privateKey.Public(),
+		Name:    "ts",
+		NodeKey: m.privateKey.Public(),
 		SelfNode: (&tailcfg.Node{
 			Addresses: []netip.Prefix{tsaip},
 		}).View(),
@@ -2290,7 +2287,7 @@ func TestIsWireGuardOnlyPeerWithMasquerade(t *testing.T) {
 	}
 	m.conn.onNodeViewsUpdate(nv)

-	cfg, err := nmcfg.WGCfg(nm, t.Logf, netmap.AllowSubnetRoutes, "")
+	cfg, err := nmcfg.WGCfg(m.privateKey, nm, t.Logf, netmap.AllowSubnetRoutes, "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -2334,7 +2331,7 @@ func applyNetworkMap(t *testing.T, m *magicStack, nm *netmap.NetworkMap) {
 	m.conn.noV6.Store(true)

 	// Turn the network map into a wireguard config (for the tailscale internal wireguard device).
-	cfg, err := nmcfg.WGCfg(nm, t.Logf, netmap.AllowSubnetRoutes, "")
+	cfg, err := nmcfg.WGCfg(m.privateKey, nm, t.Logf, netmap.AllowSubnetRoutes, "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -2403,9 +2400,8 @@ func TestIsWireGuardOnlyPickEndpointByPing(t *testing.T) {
 	wgEpV6 := netip.MustParseAddrPort(v6.LocalAddr().String())

 	nm := &netmap.NetworkMap{
-		Name:       "ts",
-		PrivateKey: m.privateKey,
-		NodeKey:    m.privateKey.Public(),
+		Name:    "ts",
+		NodeKey: m.privateKey.Public(),
 		SelfNode: (&tailcfg.Node{
 			Addresses: []netip.Prefix{tsaip},
 		}).View(),
--- a/wgengine/wgcfg/nmcfg/nmcfg.go
+++ b/wgengine/wgcfg/nmcfg/nmcfg.go
@@ -12,6 +12,7 @@ import (
 	"strings"

 	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/logid"
 	"tailscale.com/types/netmap"
@@ -41,9 +42,9 @@ func cidrIsSubnet(node tailcfg.NodeView, cidr netip.Prefix) bool {
 }

 // WGCfg returns the NetworkMaps's WireGuard configuration.
-func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags, exitNode tailcfg.StableNodeID) (*wgcfg.Config, error) {
+func WGCfg(pk key.NodePrivate, nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags, exitNode tailcfg.StableNodeID) (*wgcfg.Config, error) {
 	cfg := &wgcfg.Config{
-		PrivateKey: nm.PrivateKey,
+		PrivateKey: pk,
 		Addresses:  nm.GetAddresses().AsSlice(),
 		Peers:      make([]wgcfg.Peer, 0, len(nm.Peers)),
 	}