ipn/ipnlocal: fix cert storage in Kubernetes

We were checking against the wrong directory, instead if we have a custom store configured just use that. Fixes #7588 Fixes #7665 Signed-off-by: Maisem Ali <maisem@tailscale.com>
2025-08-12 05:37:32 +00:00 · 2023-03-22 15:10:04 -07:00
parent ec90522a53
commit 8a11f76a0d
3 changed files with 15 additions and 5 deletions
--- a/ipn/ipnlocal/cert.go
+++ b/ipn/ipnlocal/cert.go
@@ -35,6 +35,8 @@ import (
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/ipn/store"
+	"tailscale.com/ipn/store/mem"
 	"tailscale.com/types/logger"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
@@ -150,13 +152,21 @@ type certStore interface {
 var errCertExpired = errors.New("cert expired")

 func (b *LocalBackend) getCertStore() (certStore, error) {
+	switch b.store.(type) {
+	case *store.FileStore:
+	case *mem.Store:
+	default:
+		if hostinfo.GetEnvType() == hostinfo.Kubernetes {
+			// We're running in Kubernetes with a custom StateStore,
+			// use that instead of the cert directory.
+			// TODO(maisem): expand this to other environments?
+			return certStateStore{StateStore: b.store}, nil
+		}
+	}
 	dir, err := b.certDir()
 	if err != nil {
 		return nil, err
 	}
-	if hostinfo.GetEnvType() == hostinfo.Kubernetes && dir == "/tmp" {
-		return certStateStore{StateStore: b.store}, nil
-	}
 	return certFileStore{dir: dir}, nil
 }