tka: make storage a parameter rather than an Authority struct member

Updates #5435

Based on the discussion in #5435, we can better support transactional data models
by making the underlying storage layer a parameter (which can be specialized for
the request) rather than a long-lived member of Authority.

Now that Authority is just an instantaneous snapshot of state, we can do things
like provide idempotent methods and make it cloneable, too.

Signed-off-by: Tom DNetto <tom@tailscale.com>

ipn/ipnlocal/local.go

@@ -148,7 +148,7 @@ type LocalBackend struct {
 	inServerMode   bool
 	machinePrivKey key.MachinePrivate
 	nlPrivKey      key.NLPrivate
-	tka            *tka.Authority
+	tka            *tkaState
 	state          ipn.State
 	capFileSharing bool // whether netMap contains the file sharing capability
 	// hostinfo is mutated in-place while mu is held.
@@ -2507,8 +2507,11 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Log
 // used for locked tailnets.
 //
 // It should only be called before the LocalBackend is used.
-func (b *LocalBackend) SetTailnetKeyAuthority(a *tka.Authority) {
-	b.tka = a
+func (b *LocalBackend) SetTailnetKeyAuthority(a *tka.Authority, storage *tka.FS) {
+	b.tka = &tkaState{
+		authority: a,
+		storage:   storage,
+	}
 }
 
 // SetVarRoot sets the root directory of Tailscale's writable

ipn/ipnlocal/network-lock.go

@@ -26,6 +26,11 @@ import (
 
 var networkLockAvailable = envknob.Bool("TS_EXPERIMENTAL_NETWORK_LOCK")
 
+type tkaState struct {
+	authority *tka.Authority
+	storage   *tka.FS
+}
+
 // CanSupportNetworkLock returns true if tailscaled is able to operate
 // a local tailnet key authority (and hence enforce network lock).
 func (b *LocalBackend) CanSupportNetworkLock() bool {
@@ -54,7 +59,7 @@ func (b *LocalBackend) NetworkLockStatus() *ipnstate.NetworkLockStatus {
 	}
 
 	var head [32]byte
-	h := b.tka.Head()
+	h := b.tka.authority.Head()
 	copy(head[:], h[:])
 
 	return &ipnstate.NetworkLockStatus{