mirror of
https://github.com/tailscale/tailscale.git
synced 2025-07-29 15:23:45 +00:00

Adds logic for containerboot to signal that it can't auth, so the operator can reissue a new auth key. This only applies when running with a config file and with a kube state store.

If the operator sees reissue_authkey in a state Secret, it will create a new auth key iff the config has no auth key or its auth key matches the value of reissue_authkey from the state Secret. This is to ensure we don't reissue auth keys in a tight loop if the proxy is slow to start or failing for some other reason. The reissue logic also uses a burstable rate limiter to ensure there's no way a terminally misconfigured or buggy operator can automatically generate new auth keys in a tight loop.

Updates #14080

Change-Id: I6982f8e741932a6891f2f48a2936f7f6a455317f
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
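The reissue gate described in the commit message above, sketched as an added example that is not code from the commit or from the Tailscale repository. The type and function names, the reason strings, the hand-rolled token bucket, the one-token-per-hour refill with a burst of 2, and the sample key values are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// reissuer is a hypothetical operator-side gate; names are not Tailscale's.
type reissuer struct {
	every  time.Duration // time to refill one token (assumed value)
	burst  float64       // bucket capacity
	tokens float64       // current level
	last   time.Time     // time of the last refill
}

func newReissuer(every time.Duration, burst int, now time.Time) *reissuer {
	return &reissuer{every: every, burst: float64(burst), tokens: float64(burst), last: now}
}

// shouldReissue decides whether to mint a new auth key. marker is the
// reissue_authkey value from the state Secret ("" if unset); configKey is
// the auth key currently written to the proxy's config ("" if none).
func (r *reissuer) shouldReissue(marker, configKey string, now time.Time) (bool, string) {
	if marker == "" {
		return false, "no reissue requested"
	}
	// A config key that differs from the marker means the marker refers to
	// an older key and a replacement is already in place: do not issue again.
	if configKey != "" && configKey != marker {
		return false, "config already holds a different key"
	}
	// Token bucket: refill for elapsed time, cap at burst, spend one token.
	r.tokens = math.Min(r.burst, r.tokens+float64(now.Sub(r.last))/float64(r.every))
	r.last = now
	if r.tokens < 1 {
		return false, "rate limited"
	}
	r.tokens--
	return true, "reissue"
}

func main() {
	t0 := time.Unix(0, 0) // constructed clock; key values below are constructed
	r := newReissuer(time.Hour, 2, t0)
	fmt.Println(r.shouldReissue("key-A", "key-A", t0)) // marker matches config
	fmt.Println(r.shouldReissue("key-A", "key-B", t0)) // replacement pending
	fmt.Println(r.shouldReissue("key-B", "key-B", t0)) // second burst token
	fmt.Println(r.shouldReissue("key-C", "key-C", t0)) // bucket empty
}
```

The mismatch check runs before the bucket is touched, so a proxy that is merely slow to pick up its replacement key does not consume rate-limit tokens.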