cmd/derper: add GCP Certificate Manager support (#18161)

Add --certmode=gcp for using Google Cloud Certificate Manager's public CA instead of Let's Encrypt. GCP requires External Account Binding (EAB) credentials for ACME registration, so this adds --acme-eab-kid and --acme-eab-key flags. The EAB key accepts both base64url and standard base64 encoding to support both ACME spec format and gcloud output. Fixes tailscale/corp#34881 Signed-off-by: Raj Singh <raj@tailscale.com> Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-12-10 04:51:53 +05:30
parent 1dfdee8521
commit 8eda947530
4 changed files with 76 additions and 8 deletions
@@ -171,7 +171,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/version                                        from tailscale.com/cmd/derper+
        tailscale.com/version/distro                                 from tailscale.com/envknob+
        tailscale.com/wgengine/filter/filtertype                     from tailscale.com/types/netmap
-        golang.org/x/crypto/acme                                     from golang.org/x/crypto/acme/autocert
+        golang.org/x/crypto/acme                                     from golang.org/x/crypto/acme/autocert+
        golang.org/x/crypto/acme/autocert                            from tailscale.com/cmd/derper
        golang.org/x/crypto/argon2                                   from tailscale.com/tka
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/argon2+