control, ipn, tailcfg: enable seamless key renewal by default

Previously, seamless key renewal was an opt-in feature.  Customers had
to set a `seamless-key-renewal` node attribute in their policy file.

This patch enables seamless key renewal by default for all clients.

It includes a `disable-seamless-key-renewal` node attribute we can set
in Control, so we can manage the rollout and disable the feature for
clients with known bugs.  This new attribute makes the feature opt-out.

Updates tailscale/corp#31479

Signed-off-by: Alex Chan <alexc@tailscale.com>
Alex Chan
2025-09-11 13:11:41 +01:00
committed by Alex Chan
parent 1c9aaa444d
commit cd153aa644
3 changed files with 38 additions and 10 deletions


@@ -170,7 +170,8 @@ type CapabilityVersion int
// - 123: 2025-07-28: fix deadlock regression from cryptokey routing change (issue #16651)
// - 124: 2025-08-08: removed NodeAttrDisableMagicSockCryptoRouting support, crypto routing is now mandatory
// - 125: 2025-08-11: dnstype.Resolver adds UseWithExitNode field.
const CurrentCapabilityVersion CapabilityVersion = 125
// - 126: 2025-09-17: Client uses seamless key renewal unless disabled by control (tailscale/corp#31479)
const CurrentCapabilityVersion CapabilityVersion = 126
// ID is an integer ID for a user, node, or login allocated by the
// control plane.
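Review bot: the capability-version bump to 126 is what lets control tell which attribute a client honours, so the "- 126:" entry should spell out the gating rule the control side now needs: for clients at 126 or later send `disable-seamless-key-renewal` to turn the feature off, and for clients below 126 keep sending `seamless-key-renewal`, since those builds still treat the feature as opt-in and will silently ignore the new attribute. Also note that the date in the entry (2025-09-17) does not match the commit date shown on this page (2025-09-11); if 2025-09-17 is the intended release/merge date that is fine, otherwise the two should agree so the history of capability versions stays reliable.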
@@ -2530,8 +2531,19 @@ const (
// This cannot be set simultaneously with NodeAttrLinuxMustUseIPTables.
NodeAttrLinuxMustUseNfTables NodeCapability = "linux-netfilter?v=nftables"
// NodeAttrSeamlessKeyRenewal makes clients enable beta functionality
// of renewing node keys without breaking connections.
// NodeAttrDisableSeamlessKeyRenewal disables seamless key renewal, which is
// enabled by default in clients as of 2025-09-17 (1.90 and later).
//
// We will use this attribute to manage the rollout, and disable seamless in
// clients with known bugs.
// http://go/seamless-key-renewal
NodeAttrDisableSeamlessKeyRenewal NodeCapability = "disable-seamless-key-renewal"
// NodeAttrSeamlessKeyRenewal was used to opt-in to seamless key renewal
// during its private alpha.
//
// Deprecated: NodeAttrSeamlessKeyRenewal is deprecated as of CapabilityVersion 126,
// because seamless key renewal is now enabled by default.
NodeAttrSeamlessKeyRenewal NodeCapability = "seamless-key-renewal"
// NodeAttrProbeUDPLifetime makes the client probe UDP path lifetime at the
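Review bot: the comment on NodeAttrDisableSeamlessKeyRenewal reads "disable seamless in clients with known bugs", which is missing the object; suggest "disable seamless key renewal in clients with known bugs". The `http://go/seamless-key-renewal` link in the same comment is an internal short link that readers of the public repository cannot follow, so either replace it with a public reference or drop it. Finally, the Deprecated note on NodeAttrSeamlessKeyRenewal would be clearer if it said the constant is kept (rather than removed) because control must keep sending `seamless-key-renewal` to clients below CapabilityVersion 126, which still require the opt-in; as written a reader may assume the attribute can be dropped from policy files immediately.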