mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-25 19:15:34 +00:00
c62b0732d2
The operator creates a non-reusable auth key for each of the cluster proxies that it creates and puts in the tailscaled configfile mounted to the proxies. The proxies are always tagged, and their state is persisted in a Kubernetes Secret, so their node keys are expected to never be regenerated, so that they don't need to re-auth. Some tailnet configurations however have seen issues where the auth keys being left in the tailscaled configfile cause the proxies to end up in unauthorized state after a restart at a later point in time. Currently, we have not found a way to reproduce this issue, however this commit removes the auth key from the config once the proxy can be assumed to have logged in. If an existing, logged-in proxy is upgraded to this version, its redundant auth key will be removed from the conffile. If an existing, logged-in proxy is downgraded from this version to a previous version, it will work as before without re-issuing key as the previous code did not enforce that a key must be present. Updates tailscale/tailscale#13451 Signed-off-by: Irbe Krumina <irbe@tailscale.com> |
||
|---|---|---|
| .. | ||
| deploy | ||
| generate | ||
| connector_test.go | ||
| connector.go | ||
| depaware.txt | ||
| dnsrecords_test.go | ||
| dnsrecords.go | ||
| ingress_test.go | ||
| ingress.go | ||
| nameserver_test.go | ||
| nameserver.go | ||
| operator_test.go | ||
| operator.go | ||
| proxy_test.go | ||
| proxy.go | ||
| proxyclass_test.go | ||
| proxyclass.go | ||
| sts_test.go | ||
| sts.go | ||
| svc.go | ||
| testutils_test.go | ||
| tsrecorder_specs_test.go | ||
| tsrecorder_specs.go | ||
| tsrecorder_test.go | ||
| tsrecorder.go | ||