ipn/ipnlocal: add c2n method to check on TLS cert fetch status

So the control plane can delete TXT records more aggressively
after the client is done with its ACME fetch.

Updates tailscale/corp#15848

Change-Id: I4f1140305bee11ee3eee93d4fec3aef2bd6c5a7e
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick
2023-11-16 12:15:39 -08:00
committed by Brad Fitzpatrick
parent 664ebb14d9
commit cca27ef96a
6 changed files with 236 additions and 2 deletions


@@ -41,6 +41,7 @@ import (
"tailscale.com/ipn/store"
"tailscale.com/ipn/store/mem"
"tailscale.com/types/logger"
"tailscale.com/util/testenv"
"tailscale.com/version"
"tailscale.com/version/distro"
)
@@ -236,6 +237,8 @@ type certStore interface {
var errCertExpired = errors.New("cert expired")
var testX509Roots *x509.CertPool // set non-nil by tests
func (b *LocalBackend) getCertStore() (certStore, error) {
switch b.store.(type) {
case *store.FileStore:
@@ -252,7 +255,10 @@ func (b *LocalBackend) getCertStore() (certStore, error) {
if err != nil {
return nil, err
}
return certFileStore{dir: dir}, nil
if testX509Roots != nil && !testenv.InTest() {
panic("use of test hook outside of tests")
}
return certFileStore{dir: dir, testRoots: testX509Roots}, nil
}
// certFileStore implements certStore by storing the cert & key files in the named directory.