ipn/store/kubestore: don't load write replica certs in memory (#18395)

Fixes a bug where, for kube HA proxies, TLS certs for the replica
responsible for cert issuance where loaded in memory on startup,
although the in-memory store was not updated after renewal (to
avoid failing re-issuance for re-created Ingresses).
Now the 'write' replica always reads certs from the kube Secret.

Updates tailscale/tailscale#18394

Signed-off-by: Irbe Krumina <irbekrm@gmail.com>
This commit is contained in:
Irbe Krumina
2026-01-13 13:43:17 +01:00
committed by GitHub
parent 87e108e10c
commit 8c17d871b3
2 changed files with 9 additions and 9 deletions
+2 -6
View File
@@ -688,7 +688,7 @@ func TestNewWithClient(t *testing.T) {
},
},
{
name: "load_select_certs_in_read_write_mode",
name: "do_not_load_certs_in_read_write_mode",
certMode: "rw",
stateSecretContents: map[string][]byte{
"foo": []byte("bar"),
@@ -704,11 +704,7 @@ func TestNewWithClient(t *testing.T) {
}, "4"),
},
wantMemoryStoreContents: map[ipn.StateKey][]byte{
"foo": []byte("bar"),
"app1.tailnetxyz.ts.net.crt": []byte(testCert + "1"),
"app1.tailnetxyz.ts.net.key": []byte(testKey + "1"),
"app2.tailnetxyz.ts.net.crt": []byte(testCert + "2"),
"app2.tailnetxyz.ts.net.key": []byte(testKey + "2"),
"foo": []byte("bar"),
},
},
{