TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2024-12-13 19:54:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
affa25097c
tailscale/cmd/gitops-pusher
History
Xe affa25097c cmd/gitops-pusher: add etag cache file for the three version problem 
This allows gitops-pusher to detect external ACL changes. I'm not
sure what to call this problem, so I've been calling it the "three
version problem" in my notes. The basic problem is that at any given
time we only have two versions of the ACL file at any given point:
the version in CONTROL and the one in the git repo. In order to
check if there has been tampering of the ACL files in the admin
panel, we need to have a _third_ version to compare against.

In this case I am not storing the old ACL entirely (though that could
be a reasonable thing to add in the future), but only its sha256sum.
This allows us to detect if the shasum in control matches the shasum
we expect, and if that expectation fails, then we can react
accordingly.

This will require additional configuration in CI, but I'm sure that
can be done.

Signed-off-by: Xe <xe@tailscale.com>
2022-07-22 13:53:20 -04:00
..
.gitignore cmd/gitops-pusher: add etag cache file for the three version problem 2022-07-22 13:53:20 -04:00
cache.go cmd/gitops-pusher: add etag cache file for the three version problem 2022-07-22 13:53:20 -04:00
gitops-pusher.go cmd/gitops-pusher: add etag cache file for the three version problem 2022-07-22 13:53:20 -04:00
README.md cmd/gitops-pusher: add new GitOps assistant (#4893) 2022-06-21 16:04:48 -04:00

README.md

gitops-pusher

This is a small tool to help people achieve a GitOps workflow with Tailscale ACL changes. This tool is intended to be used in a CI flow that looks like this:

name: Tailscale ACL syncing

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

jobs:
  acls:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v3
      
      - name: Setup Go environment
        uses: actions/setup-go@v3.2.0
        
      - name: Install gitops-pusher
        run: go install tailscale.com/cmd/gitops-pusher@latest
              
      - name: Deploy ACL
        if: github.event_name == 'push'
        env:
          TS_API_KEY: ${{ secrets.TS_API_KEY }}
          TS_TAILNET: ${{ secrets.TS_TAILNET }}
        run: |
          ~/go/bin/gitops-pusher --policy-file ./policy.hujson apply          

      - name: ACL tests
        if: github.event_name == 'pull_request'
        env:
          TS_API_KEY: ${{ secrets.TS_API_KEY }}
          TS_TAILNET: ${{ secrets.TS_TAILNET }}
        run: |
          ~/go/bin/gitops-pusher --policy-file ./policy.hujson test

Change the value of the --policy-file flag to point to the policy file on disk. Policy files should be in HuJSON format.