From 8b1d01161bbca8a26c2a50208444087c9fa2b3f1 Mon Sep 17 00:00:00 2001
From: Bjorn Neergaard <bjorn@neersighted.com>
Date: Wed, 11 Dec 2024 02:52:56 -0700
Subject: [PATCH] cmd/containerboot: guard kubeClient against nil dereference
 (#14357)

A method on kc was called unconditionally, even if was not initialized,
leading to a nil pointer dereference when TS_SERVE_CONFIG was set
outside Kubernetes.

Add a guard symmetric with other uses of the kubeClient.

Fixes #14354.

Signed-off-by: Bjorn Neergaard <bjorn@neersighted.com>
---
 cmd/containerboot/main.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/cmd/containerboot/main.go b/cmd/containerboot/main.go
index ad1c0db20..7411ea949 100644
--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@@ -331,8 +331,10 @@ authLoop:
 		if err := client.SetServeConfig(ctx, new(ipn.ServeConfig)); err != nil {
 			log.Fatalf("failed to unset serve config: %v", err)
 		}
-		if err := kc.storeHTTPSEndpoint(ctx, ""); err != nil {
-			log.Fatalf("failed to update HTTPS endpoint in tailscale state: %v", err)
+		if hasKubeStateStore(cfg) {
+			if err := kc.storeHTTPSEndpoint(ctx, ""); err != nil {
+				log.Fatalf("failed to update HTTPS endpoint in tailscale state: %v", err)
+			}
 		}
 	}