webnet/tailscale
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

cmd,internal,feature: add workload idenity support to gitops pusher

Browse Source 
Add support for authenticating the gitops-pusher using workload identity
federation.

Updates https://github.com/tailscale/corp/issues/34172

Signed-off-by: Mario Minardi <mario@tailscale.com>
This commit is contained in:
Mario Minardi
2025-12-17 09:49:34 -07:00
committed by Mario Minardi
parent 3e45e5b420
commit 4c37141ab7
3 changed files with 84 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files
cmd/gitops-pusher/gitops-pusher.go
+73 -38
View File
@@ -19,12 +19,15 @@ import (
"os" "os"
"regexp" "regexp"
"strings" "strings"
"sync"
"time" "time"
"github.com/peterbourgon/ff/v3/ffcli" "github.com/peterbourgon/ff/v3/ffcli"
"github.com/tailscale/hujson" "github.com/tailscale/hujson"
"golang.org/x/oauth2/clientcredentials" "golang.org/x/oauth2/clientcredentials"
"tailscale.com/client/tailscale" tsclient "tailscale.com/client/tailscale"
_ "tailscale.com/feature/condregister/identityfederation"
"tailscale.com/internal/client/tailscale"
"tailscale.com/util/httpm" "tailscale.com/util/httpm"
) )
@@ -38,6 +41,12 @@ var (
failOnManualEdits = rootFlagSet.Bool("fail-on-manual-edits", false, "fail if manual edits to the ACLs in the admin panel are detected; when set to false (the default) only a warning is printed") failOnManualEdits = rootFlagSet.Bool("fail-on-manual-edits", false, "fail if manual edits to the ACLs in the admin panel are detected; when set to false (the default) only a warning is printed")
) )
var (
getCredentialsOnce sync.Once
client *http.Client
apiKey string
)
func modifiedExternallyError() error { func modifiedExternallyError() error {
if *githubSyntax { if *githubSyntax {
return fmt.Errorf("::warning file=%s,line=1,col=1,title=Policy File Modified Externally::The policy file was modified externally in the admin console.", *policyFname) return fmt.Errorf("::warning file=%s,line=1,col=1,title=Policy File Modified Externally::The policy file was modified externally in the admin console.", *policyFname)
@@ -46,9 +55,9 @@ func modifiedExternallyError() error {
} }
} }
func apply(cache *Cache, client *http.Client, tailnet, apiKey string) func(context.Context, []string) error { func apply(cache *Cache, tailnet string) func(context.Context, []string) error {
return func(ctx context.Context, args []string) error { return func(ctx context.Context, args []string) error {
controlEtag, err := getACLETag(ctx, client, tailnet, apiKey) controlEtag, err := getACLETag(ctx, tailnet)
if err != nil { if err != nil {
return err return err
} }
@@ -83,7 +92,7 @@ func apply(cache *Cache, client *http.Client, tailnet, apiKey string) func(conte
} }
} }
if err := applyNewACL(ctx, client, tailnet, apiKey, *policyFname, controlEtag); err != nil { if err := applyNewACL(ctx, tailnet, *policyFname, controlEtag); err != nil {
return err return err
} }
@@ -93,9 +102,9 @@ func apply(cache *Cache, client *http.Client, tailnet, apiKey string) func(conte
} }
} }
func test(cache *Cache, client *http.Client, tailnet, apiKey string) func(context.Context, []string) error { func test(cache *Cache, tailnet string) func(context.Context, []string) error {
return func(ctx context.Context, args []string) error { return func(ctx context.Context, args []string) error {
controlEtag, err := getACLETag(ctx, client, tailnet, apiKey) controlEtag, err := getACLETag(ctx, tailnet)
if err != nil { if err != nil {
return err return err
} }
@@ -129,16 +138,16 @@ func test(cache *Cache, client *http.Client, tailnet, apiKey string) func(contex
} }
} }
if err := testNewACLs(ctx, client, tailnet, apiKey, *policyFname); err != nil { if err := testNewACLs(ctx, tailnet, *policyFname); err != nil {
return err return err
} }
return nil return nil
} }
} }
func getChecksums(cache *Cache, client *http.Client, tailnet, apiKey string) func(context.Context, []string) error { func getChecksums(cache *Cache, tailnet string) func(context.Context, []string) error {
return func(ctx context.Context, args []string) error { return func(ctx context.Context, args []string) error {
controlEtag, err := getACLETag(ctx, client, tailnet, apiKey) controlEtag, err := getACLETag(ctx, tailnet)
if err != nil { if err != nil {
return err return err
} }
@@ -166,28 +175,7 @@ func main() {
if !ok { if !ok {
log.Fatal("set envvar TS_TAILNET to your tailnet's name") log.Fatal("set envvar TS_TAILNET to your tailnet's name")
} }
apiKey, ok := os.LookupEnv("TS_API_KEY")
oauthId, oiok := os.LookupEnv("TS_OAUTH_ID")
oauthSecret, osok := os.LookupEnv("TS_OAUTH_SECRET")
if !ok && (!oiok || !osok) {
log.Fatal("set envvar TS_API_KEY to your Tailscale API key or TS_OAUTH_ID and TS_OAUTH_SECRET to your Tailscale OAuth ID and Secret")
}
if apiKey != "" && (oauthId != "" || oauthSecret != "") {
log.Fatal("set either the envvar TS_API_KEY or TS_OAUTH_ID and TS_OAUTH_SECRET")
}
var client *http.Client
if oiok && (oauthId != "" || oauthSecret != "") {
// Both should ideally be set, but if either are non-empty it means the user had an intent
// to set _something_, so they should receive the oauth error flow.
oauthConfig := &clientcredentials.Config{
ClientID: oauthId,
ClientSecret: oauthSecret,
TokenURL: fmt.Sprintf("https://%s/api/v2/oauth/token", *apiServer),
}
client = oauthConfig.Client(context.Background())
} else {
client = http.DefaultClient
}
cache, err := LoadCache(*cacheFname) cache, err := LoadCache(*cacheFname)
if err != nil { if err != nil {
if os.IsNotExist(err) { if os.IsNotExist(err) {
@@ -203,7 +191,7 @@ func main() {
ShortUsage: "gitops-pusher [options] apply", ShortUsage: "gitops-pusher [options] apply",
ShortHelp: "Pushes changes to CONTROL", ShortHelp: "Pushes changes to CONTROL",
LongHelp: `Pushes changes to CONTROL`, LongHelp: `Pushes changes to CONTROL`,
Exec: apply(cache, client, tailnet, apiKey), Exec: apply(cache, tailnet),
} }
testCmd := &ffcli.Command{ testCmd := &ffcli.Command{
@@ -211,7 +199,7 @@ func main() {
ShortUsage: "gitops-pusher [options] test", ShortUsage: "gitops-pusher [options] test",
ShortHelp: "Tests ACL changes", ShortHelp: "Tests ACL changes",
LongHelp: "Tests ACL changes", LongHelp: "Tests ACL changes",
Exec: test(cache, client, tailnet, apiKey), Exec: test(cache, tailnet),
} }
cksumCmd := &ffcli.Command{ cksumCmd := &ffcli.Command{
@@ -219,7 +207,7 @@ func main() {
ShortUsage: "Shows checksums of ACL files", ShortUsage: "Shows checksums of ACL files",
ShortHelp: "Fetch checksum of CONTROL's ACL and the local ACL for comparison", ShortHelp: "Fetch checksum of CONTROL's ACL and the local ACL for comparison",
LongHelp: "Fetch checksum of CONTROL's ACL and the local ACL for comparison", LongHelp: "Fetch checksum of CONTROL's ACL and the local ACL for comparison",
Exec: getChecksums(cache, client, tailnet, apiKey), Exec: getChecksums(cache, tailnet),
} }
root := &ffcli.Command{ root := &ffcli.Command{
@@ -242,6 +230,47 @@ func main() {
} }
} }
func getCredentials() (*http.Client, string) {
getCredentialsOnce.Do(func() {
apiKeyEnv, ok := os.LookupEnv("TS_API_KEY")
oauthId, oiok := os.LookupEnv("TS_OAUTH_ID")
oauthSecret, osok := os.LookupEnv("TS_OAUTH_SECRET")
idToken, idok := os.LookupEnv("TS_ID_TOKEN")
if !ok && (!oiok || (!osok && !idok)) {
log.Fatal("set envvar TS_API_KEY to your Tailscale API key, TS_OAUTH_ID and TS_OAUTH_SECRET to a Tailscale OAuth ID and Secret, or TS_OAUTH_ID and TS_ID_TOKEN to a Tailscale federated identity Client ID and OIDC identity token")
}
if apiKeyEnv != "" && (oauthId != "" || (oauthSecret != "" && idToken != "")) {
log.Fatal("set either the envvar TS_API_KEY, TS_OAUTH_ID and TS_OAUTH_SECRET, or TS_OAUTH_ID and TS_ID_TOKEN")
}
if oiok && ((oauthId != "" && !idok) || oauthSecret != "") {
// Both should ideally be set, but if either are non-empty it means the user had an intent
// to set _something_, so they should receive the oauth error flow.
oauthConfig := &clientcredentials.Config{
ClientID: oauthId,
ClientSecret: oauthSecret,
TokenURL: fmt.Sprintf("https://%s/api/v2/oauth/token", *apiServer),
}
client = oauthConfig.Client(context.Background())
} else if idok {
if exchangeJWTForToken, ok := tailscale.HookExchangeJWTForTokenViaWIF.GetOk(); ok {
var err error
apiKeyEnv, err = exchangeJWTForToken(context.Background(), fmt.Sprintf("https://%s", *apiServer), oauthId, idToken)
if err != nil {
log.Fatal(err)
}
}
client = http.DefaultClient
} else {
client = http.DefaultClient
}
apiKey = apiKeyEnv
})
return client, apiKey
}
func sumFile(fname string) (string, error) { func sumFile(fname string) (string, error) {
data, err := os.ReadFile(fname) data, err := os.ReadFile(fname)
if err != nil { if err != nil {
@@ -262,7 +291,9 @@ func sumFile(fname string) (string, error) {
return fmt.Sprintf("%x", h.Sum(nil)), nil return fmt.Sprintf("%x", h.Sum(nil)), nil
} }
func applyNewACL(ctx context.Context, client *http.Client, tailnet, apiKey, policyFname, oldEtag string) error { func applyNewACL(ctx context.Context, tailnet, policyFname, oldEtag string) error {
client, apiKey := getCredentials()
fin, err := os.Open(policyFname) fin, err := os.Open(policyFname)
if err != nil { if err != nil {
return err return err
@@ -299,7 +330,9 @@ func applyNewACL(ctx context.Context, client *http.Client, tailnet, apiKey, poli
return nil return nil
} }
func testNewACLs(ctx context.Context, client *http.Client, tailnet, apiKey, policyFname string) error { func testNewACLs(ctx context.Context, tailnet, policyFname string) error {
client, apiKey := getCredentials()
data, err := os.ReadFile(policyFname) data, err := os.ReadFile(policyFname)
if err != nil { if err != nil {
return err return err
@@ -346,7 +379,7 @@ var lineColMessageSplit = regexp.MustCompile(`line ([0-9]+), column ([0-9]+): (.
// ACLGitopsTestError is redefined here so we can add a custom .Error() response // ACLGitopsTestError is redefined here so we can add a custom .Error() response
type ACLGitopsTestError struct { type ACLGitopsTestError struct {
tailscale.ACLTestError tsclient.ACLTestError
} }
func (ate ACLGitopsTestError) Error() string { func (ate ACLGitopsTestError) Error() string {
@@ -388,7 +421,9 @@ func (ate ACLGitopsTestError) Error() string {
return sb.String() return sb.String()
} }
func getACLETag(ctx context.Context, client *http.Client, tailnet, apiKey string) (string, error) { func getACLETag(ctx context.Context, tailnet string) (string, error) {
client, apiKey := getCredentials()
req, err := http.NewRequestWithContext(ctx, httpm.GET, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl", *apiServer, tailnet), nil) req, err := http.NewRequestWithContext(ctx, httpm.GET, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl", *apiServer, tailnet), nil)
if err != nil { if err != nil {
return "", err return "", err
feature/identityfederation/identityfederation.go
+1
View File
@@ -24,6 +24,7 @@ import (
func init() { func init() {
feature.Register("identityfederation") feature.Register("identityfederation")
tailscale.HookResolveAuthKeyViaWIF.Set(resolveAuthKey) tailscale.HookResolveAuthKeyViaWIF.Set(resolveAuthKey)
tailscale.HookExchangeJWTForTokenViaWIF.Set(exchangeJWTForToken)
} }
// resolveAuthKey uses OIDC identity federation to exchange the provided ID token and client ID for an authkey. // resolveAuthKey uses OIDC identity federation to exchange the provided ID token and client ID for an authkey.
internal/client/tailscale/identityfederation.go
+10 -2
View File
@@ -9,11 +9,19 @@ import (
"tailscale.com/feature" "tailscale.com/feature"
) )
// HookResolveAuthKeyViaWIF resolves to [identityfederation.ResolveAuthKey] when the // HookResolveAuthKeyViaWIF resolves to [identityfederation.resolveAuthKey] when the
// corresponding feature tag is enabled in the build process. // corresponding feature tag is enabled in the build process.
// //
// baseURL is the URL of the control server used for token exchange and authkey generation. // baseURL is the URL of the control server used for token exchange and authkey generation.
// clientID is the federated client ID used for token exchange, the format is <tailnet ID>/<oauth client ID> // clientID is the federated client ID used for token exchange
// idToken is the Identity token from the identity provider // idToken is the Identity token from the identity provider
// tags is the list of tags to be associated with the auth key // tags is the list of tags to be associated with the auth key
var HookResolveAuthKeyViaWIF feature.Hook[func(ctx context.Context, baseURL, clientID, idToken string, tags []string) (string, error)] var HookResolveAuthKeyViaWIF feature.Hook[func(ctx context.Context, baseURL, clientID, idToken string, tags []string) (string, error)]
// HookExchangeJWTForTokenViaWIF resolves to [identityfederation.exchangeJWTForToken] when the
// corresponding feature tag is enabled in the build process.
//
// baseURL is the URL of the control server used for token exchange
// clientID is the federated client ID used for token exchange
// idToken is the Identity token from the identity provider
var HookExchangeJWTForTokenViaWIF feature.Hook[func(ctx context.Context, baseURL, clientID, idToken string) (string, error)]