From cd282ec00fa4fbb071a40627c7a1f285aa1322e7 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Tue, 15 Jun 2021 12:12:15 -0700
Subject: [PATCH] tailcfg: add DNSConfig.CertDomains

Updates #1235

Signed-off-by: Brad Fitzpatrick
---
 ipn/ipnlocal/local.go | 1 +
 ipn/ipnstate/ipnstate.go | 7 +++++++
 tailcfg/tailcfg.go | 14 +++++++++++++-
 tailcfg/tailcfg_clone.go | 2 ++
 4 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go
index 462cd60af..01354d085 100644
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -325,6 +325,7 @@ func (b *LocalBackend) updateStatus(sb *ipnstate.StatusBuilder, extraLocked func
 s.AuthURL = b.authURLSticky
 if b.netMap != nil {
 s.MagicDNSSuffix = b.netMap.MagicDNSSuffix()
+ s.CertDomains = append([]string(nil), b.netMap.DNS.CertDomains...)
 }
 })
 sb.MutateSelfStatus(func(ss *ipnstate.PeerStatus) {
diff --git a/ipn/ipnstate/ipnstate.go b/ipn/ipnstate/ipnstate.go
index 99663acf1..52aa3f97a 100644
--- a/ipn/ipnstate/ipnstate.go
+++ b/ipn/ipnstate/ipnstate.go
@@ -45,6 +45,13 @@ type Status struct {
 // has MagicDNS enabled.
 MagicDNSSuffix string
+ // CertDomains are the set of DNS names for which the control
+ // plane server will assist with provisioning TLS
+ // certificates. See SetDNSRequest for dns-01 ACME challenges
+ // for e.g. LetsEncrypt. These names are FQDNs without
+ // trailing periods, and without any "_acme-challenge." prefix.
+ CertDomains []string
+
 Peer map[key.Public]*PeerStatus
 User map[tailcfg.UserID]tailcfg.UserProfile
 }
diff --git a/tailcfg/tailcfg.go b/tailcfg/tailcfg.go
index d57a72e8a..27d14424c 100644
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
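Review bot: The defensive copy on the added line in updateStatus uses `append([]string(nil), b.netMap.DNS.CertDomains...)`, while the Clone method in tailcfg_clone.go in this same patch copies the same field with `append(src.CertDomains[:0:0], src.CertDomains...)`; both are correct and both yield nil for a nil source, but using one clone idiom across the hand-written and generated code keeps the two readable side by side. A short why-comment would also help, since the copy is what stops a later netmap update from mutating a Status already handed to a caller: `// copy: the Status outlives the netmap it was built from`. updateStatus begins and ends outside the hunk.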
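Review bot: The new Status.CertDomains doc comment restates the tailcfg.DNSConfig.CertDomains description almost verbatim but does not say where the value comes from or when it is empty, which is what a reader of Status actually needs; the local.go hunk shows it is a copy of the netmap's DNS.CertDomains taken only when b.netMap is non-nil. Consider replacing the duplicated text with a reference plus provenance, e.g. `// CertDomains is a copy of the current netmap's tailcfg.DNSConfig.CertDomains` / `// (see that field for the format); it is nil when there is no netmap.`, so the two comments cannot drift apart. Status's definition begins outside the hunk.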
@@ -43,7 +43,8 @@ import (
 // 18: 2021-04-19: MapResponse.Node nil means unchanged (all fields now omitempty)
 // 19: 2021-04-21: MapResponse.Debug.SleepSeconds
 // 20: 2021-06-11: MapResponse.LastSeen used even less (https://github.com/tailscale/tailscale/issues/2107)
-const CurrentMapRequestVersion = 20
+// 21: 2021-06-15: added MapResponse.DNSConfig.CertDomains
+const CurrentMapRequestVersion = 21
 type StableID string
@@ -873,6 +874,14 @@ type DNSConfig struct {
 // PerDomain is not set by the control server, and does nothing.
 PerDomain bool `json:",omitempty"`
+
+ // CertDomains are the set of DNS names for which the control
+ // plane server will assist with provisioning TLS
+ // certificates. See SetDNSRequest, which can be used to
+ // answer dns-01 ACME challenges for e.g. LetsEncrypt.
+ // These names are FQDNs without trailing periods, and without
+ // any "_acme-challenge." prefix.
+ CertDomains []string `json:",omitempty"`
 }
 // PingRequest is a request to send an HTTP request to prove the
@@ -1197,6 +1206,9 @@ type SetDNSRequest struct {
 NodeKey NodeKey
 // Name is the domain name for which to create a record.
+ // For ACME DNS-01 challenges, it should be one of the domains
+ // in MapResponse.DNSConfig.CertDomains with the prefix
+ // "_acme-challenge.".
 Name string
 // Type is the DNS record type. For ACME DNS-01 challenges, it
diff --git a/tailcfg/tailcfg_clone.go b/tailcfg/tailcfg_clone.go
index e6beefa01..36f33ffb5 100644
--- a/tailcfg/tailcfg_clone.go
+++ b/tailcfg/tailcfg_clone.go
@@ -204,6 +204,7 @@ func (src *DNSConfig) Clone() *DNSConfig {
 }
 dst.Domains = append(src.Domains[:0:0], src.Domains...)
 dst.Nameservers = append(src.Nameservers[:0:0], src.Nameservers...)
+ dst.CertDomains = append(src.CertDomains[:0:0], src.CertDomains...)
 return dst
 }
@@ -217,6 +218,7 @@ var _DNSConfigNeedsRegeneration = DNSConfig(struct {
 Proxied bool
 Nameservers []netaddr.IP
 PerDomain bool
+ CertDomains []string
 }{})
 // Clone makes a deep copy of DNSResolver.
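Review bot: The DNSConfig.CertDomains comment states a format contract (FQDNs, no trailing period, no "_acme-challenge." prefix) but nothing in this patch enforces it on the receiving side, and the field is populated from the control plane's MapResponse, so a client that later builds certificate or SetDNSRequest names from these entries would be trusting the wire data to match the comment. Since the intended use is to decide which names a node may obtain TLS certificates for, the comment should say which side is responsible for validation, e.g. `// Clients should not assume this format holds and must validate each entry` / `// (hostname syntax, no trailing dot, no "_acme-challenge." prefix) before use.`; whether a validation hook already exists elsewhere in the client is not visible here. The same consideration applies to the SetDNSRequest.Name comment in the third hunk of this file, which tells callers to derive Name from CertDomains.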