webnet/tailscale
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

cmd/tailscale/cli,feature: add support for identity federation (#17529)

Browse Source 
Add new arguments to `tailscale up` so authkeys can be generated dynamically via identity federation.

Updates #9192

Signed-off-by: mcoulombe <max@tailscale.com>
This commit is contained in:
Max Coulombe
2025-10-17 18:05:32 -04:00
committed by GitHub
parent 54cee33bae
commit 6a73c0bdf5
14 changed files with 420 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files
cmd/tailscale/cli/up.go
+46 -4
View File
@@ -25,6 +25,7 @@ import (
"github.com/peterbourgon/ff/v3/ffcli"
qrcode "github.com/skip2/go-qrcode"
"tailscale.com/feature/buildfeatures"
_ "tailscale.com/feature/condregister/identityfederation"
_ "tailscale.com/feature/condregister/oauthkey"
"tailscale.com/health/healthmsg"
"tailscale.com/internal/client/tailscale"
@@ -96,6 +97,9 @@ func newUpFlagSet(goos string, upArgs *upArgsT, cmd string) *flag.FlagSet {
upf.BoolVar(&upArgs.qr, "qr", false, "show QR code for login URLs")
upf.StringVar(&upArgs.qrFormat, "qr-format", "small", "QR code formatting (small or large)")
upf.StringVar(&upArgs.authKeyOrFile, "auth-key", "", `node authorization key; if it begins with "file:", then it's a path to a file containing the authkey`)
upf.StringVar(&upArgs.clientID, "client-id", "", "Client ID used to generate authkeys via workload identity federation")
upf.StringVar(&upArgs.clientSecretOrFile, "client-secret", "", `Client Secret used to generate authkeys via OAuth; if it begins with "file:", then it's a path to a file containing the secret`)
upf.StringVar(&upArgs.idTokenOrFile, "id-token", "", `ID token from the identity provider to exchange with the control server for workload identity federation; if it begins with "file:", then it's a path to a file containing the token`)
upf.StringVar(&upArgs.server, "login-server", ipn.DefaultControlURL, "base URL of control server")
upf.BoolVar(&upArgs.acceptRoutes, "accept-routes", acceptRouteDefault(goos), "accept routes advertised by other Tailscale nodes")
@@ -184,6 +188,9 @@ type upArgsT struct {
statefulFiltering bool
netfilterMode string
authKeyOrFile string // "secret" or "file:/path/to/secret"
clientID string
clientSecretOrFile string // "secret" or "file:/path/to/secret"
idTokenOrFile string // "secret" or "file:/path/to/secret"
hostname string
opUser string
json bool
@@ -193,8 +200,9 @@ type upArgsT struct {
postureChecking bool
}
func (a upArgsT) getAuthKey() (string, error) {
v := a.authKeyOrFile
// resolveValueFromFile returns the value as-is, or if it starts with "file:",
// reads and returns the trimmed contents of the file.
func resolveValueFromFile(v string) (string, error) {
if file, ok := strings.CutPrefix(v, "file:"); ok {
b, err := os.ReadFile(file)
if err != nil {
@@ -205,6 +213,18 @@ func (a upArgsT) getAuthKey() (string, error) {
return v, nil
}
func (a upArgsT) getAuthKey() (string, error) {
return resolveValueFromFile(a.authKeyOrFile)
}
func (a upArgsT) getClientSecret() (string, error) {
return resolveValueFromFile(a.clientSecretOrFile)
}
func (a upArgsT) getIDToken() (string, error) {
return resolveValueFromFile(a.idTokenOrFile)
}
var upArgsGlobal upArgsT
// Fields output when `tailscale up --json` is used. Two JSON blocks will be output.
@@ -586,11 +606,33 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
// Try to use an OAuth secret to generate an auth key if that functionality
// is available.
if f, ok := tailscale.HookResolveAuthKey.GetOk(); ok {
authKey, err = f(ctx, authKey, strings.Split(upArgs.advertiseTags, ","))
clientSecret := authKey // the authkey argument accepts client secrets, if both arguments are provided authkey has precedence
if clientSecret == "" {
clientSecret, err = upArgs.getClientSecret()
if err != nil {
return err
}
}
authKey, err = f(ctx, clientSecret, strings.Split(upArgs.advertiseTags, ","))
if err != nil {
return err
}
}
// Try to resolve the auth key via workload identity federation if that functionality
// is available and no auth key is yet determined.
if f, ok := tailscale.HookResolveAuthKeyViaWIF.GetOk(); ok && authKey == "" {
idToken, err := upArgs.getIDToken()
if err != nil {
return err
}
authKey, err = f(ctx, prefs.ControlURL, upArgs.clientID, idToken, strings.Split(upArgs.advertiseTags, ","))
if err != nil {
return err
}
}
err = localClient.Start(ctx, ipn.Options{
AuthKey: authKey,
UpdatePrefs: prefs,
@@ -869,7 +911,7 @@ func addPrefFlagMapping(flagName string, prefNames ...string) {
// correspond to an ipn.Pref.
func preflessFlag(flagName string) bool {
switch flagName {
case "auth-key", "force-reauth", "reset", "qr", "qr-format", "json", "timeout", "accept-risk", "host-routes":
case "auth-key", "force-reauth", "reset", "qr", "qr-format", "json", "timeout", "accept-risk", "host-routes", "client-id", "client-secret", "id-token":
return true
}
return false
cmd/tailscale/cli/up_test.go
+3
View File
@@ -43,6 +43,9 @@ var validUpFlags = set.Of(
"stateful-filtering",
"timeout",
"unattended",
"client-id",
"client-secret",
"id-token",
)
// TestUpFlagSetIsFrozen complains when new flags are added to tailscale up.
cmd/tailscale/depaware.txt
+3 -1
View File
@@ -98,9 +98,11 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
tailscale.com/feature from tailscale.com/tsweb+
tailscale.com/feature/buildfeatures from tailscale.com/cmd/tailscale/cli+
tailscale.com/feature/capture/dissector from tailscale.com/cmd/tailscale/cli
tailscale.com/feature/condregister/identityfederation from tailscale.com/cmd/tailscale/cli
tailscale.com/feature/condregister/oauthkey from tailscale.com/cmd/tailscale/cli
tailscale.com/feature/condregister/portmapper from tailscale.com/cmd/tailscale/cli
tailscale.com/feature/condregister/useproxy from tailscale.com/cmd/tailscale/cli
tailscale.com/feature/identityfederation from tailscale.com/feature/condregister/identityfederation
tailscale.com/feature/oauthkey from tailscale.com/feature/condregister/oauthkey
tailscale.com/feature/portmapper from tailscale.com/feature/condregister/portmapper
tailscale.com/feature/syspolicy from tailscale.com/cmd/tailscale/cli
@@ -245,7 +247,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
golang.org/x/net/ipv6 from golang.org/x/net/icmp+
golang.org/x/net/proxy from tailscale.com/net/netns
D golang.org/x/net/route from tailscale.com/net/netmon+
golang.org/x/oauth2 from golang.org/x/oauth2/clientcredentials
golang.org/x/oauth2 from golang.org/x/oauth2/clientcredentials+
golang.org/x/oauth2/clientcredentials from tailscale.com/feature/oauthkey
golang.org/x/oauth2/internal from golang.org/x/oauth2+
golang.org/x/sync/errgroup from github.com/mdlayher/socket+
cmd/tailscaled/depaware-minbox.txt
+1
View File
@@ -75,6 +75,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
tailscale.com/feature/buildfeatures from tailscale.com/ipn/ipnlocal+
tailscale.com/feature/condlite/expvar from tailscale.com/wgengine/magicsock
tailscale.com/feature/condregister from tailscale.com/cmd/tailscaled
tailscale.com/feature/condregister/identityfederation from tailscale.com/cmd/tailscale/cli
tailscale.com/feature/condregister/oauthkey from tailscale.com/cmd/tailscale/cli
tailscale.com/feature/condregister/portmapper from tailscale.com/feature/condregister+
tailscale.com/feature/condregister/useproxy from tailscale.com/cmd/tailscale/cli+
cmd/tailscaled/deps_test.go
+3 -3
View File
@@ -137,14 +137,14 @@ func TestOmitCaptivePortal(t *testing.T) {
}.Check(t)
}
func TestOmitOAuthKey(t *testing.T) {
func TestOmitAuth(t *testing.T) {
deptest.DepChecker{
GOOS: "linux",
GOARCH: "amd64",
Tags: "ts_omit_oauthkey,ts_include_cli",
Tags: "ts_omit_oauthkey,ts_omit_identityfederation,ts_include_cli",
OnDep: func(dep string) {
if strings.HasPrefix(dep, "golang.org/x/oauth2") {
t.Errorf("unexpected dep with ts_omit_oauthkey: %q", dep)
t.Errorf("unexpected oauth2 dep: %q", dep)
}
},
}.Check(t)