TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-04-16 11:41:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

cmd/k8s-operator: drop https:// in capName

Browse Source 
Add the new format but keep respecting the old one.

Updates #4217

Signed-off-by: Maisem Ali <maisem@tailscale.com>
This commit is contained in:
Maisem Ali 2023-12-12 00:51:20 +05:00 committed by Maisem Ali
parent 4e012794fc
commit fb632036e3
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
cmd/k8s-operator/proxy.go
View File

@ -218,7 +218,10 @@ func runAPIServerProxy(s *tsnet.Server, rt http.RoundTripper, log *zap.SugaredLo
} }
} }
const capabilityName = "https://tailscale.com/cap/kubernetes" const (
capabilityName = "tailscale.com/cap/kubernetes"
oldCapabilityName = "https://" + capabilityName
)
type capRule struct { type capRule struct {
// Impersonate is a list of rules that specify how to impersonate the caller // Impersonate is a list of rules that specify how to impersonate the caller
@ -239,6 +242,10 @@ func addImpersonationHeaders(r *http.Request, log *zap.SugaredLogger) error {
log = log.With("remote", r.RemoteAddr) log = log.With("remote", r.RemoteAddr)
who := whoIsFromRequest(r) who := whoIsFromRequest(r)
rules, err := tailcfg.UnmarshalCapJSON[capRule](who.CapMap, capabilityName) rules, err := tailcfg.UnmarshalCapJSON[capRule](who.CapMap, capabilityName)
if len(rules) == 0 && err == nil {
// Try the old capability name for backwards compatibility.
rules, err = tailcfg.UnmarshalCapJSON[capRule](who.CapMap, oldCapabilityName)
}
if err != nil { if err != nil {
return fmt.Errorf("failed to unmarshal capability: %v", err) return fmt.Errorf("failed to unmarshal capability: %v", err)
} }