all: remove everything related to non-seamless key renewal

Seamless key renewal has been the default in all clients since 1.90.
We retained the ability to disable it from the control plane as a
precaution, but we haven't seen any issues that require us to disable it.

We're now removing all the code for non-seamless key renewal, because we
don't expect to turn it on again, and indeed it's been untested in the
field for three releases so might contain latent bugs!

Updates tailscale/corp#33042

Change-Id: I4b80bf07a3a50298d1c303743484169accc8844b
Signed-off-by: Alex Chan <alexc@tailscale.com>
Alex Chan
2026-04-14 18:15:27 +01:00
committed by Alex Chan
parent 40088602c9
commit bb91bb842c
5 changed files with 82 additions and 219 deletions
+7 -16
@@ -3571,12 +3571,11 @@ func (b *LocalBackend) setAuthURLLocked(url string) {
//
// b.mu must be held.
func (b *LocalBackend) popBrowserAuthNowLocked(url string, keyExpired bool, recipient ipnauth.Actor) {
b.logf("popBrowserAuthNow(%q): url=%v, key-expired=%v, seamless-key-renewal=%v", maybeUsernameOf(recipient), url != "", keyExpired, b.seamlessRenewalEnabled())
b.logf("popBrowserAuthNow(%q): url=%v, key-expired=%v", maybeUsernameOf(recipient), url != "", keyExpired)
// Deconfigure the local network data plane if:
// - seamless key renewal is not enabled;
// - key is expired (in which case tailnet connectivity is down anyway).
if !b.seamlessRenewalEnabled() || keyExpired {
// Deconfigure the local network data plane if the key is expired
// (in which case tailnet connectivity is down anyway).
if keyExpired {
b.blockEngineUpdatesLocked(true)
b.stopEngineAndWaitLocked()
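Review bot: the rewritten comment above `if keyExpired {` in popBrowserAuthNowLocked documents only the expired-key branch and says nothing about what happens otherwise. With the `!b.seamlessRenewalEnabled()` arm gone, a non-expired key always leaves the data plane up while the browser auth flow runs, and that invariant is now stated nowhere in this function. Suggest adding one sentence to the comment saying the engine is intentionally left running when the key is still valid, so a later reader does not need the commit history to see it is deliberate. The log line also loses its `seamless-key-renewal=%v` field, so anything that matches on the old format needs updating.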
@@ -5938,9 +5937,9 @@ func (b *LocalBackend) enterStateLocked(newState ipn.State) {
switch newState {
case ipn.NeedsLogin:
feature.SystemdStatus("Needs login: %s", authURL)
// always block updates on NeedsLogin even if seamless renewal is enabled,
// to prevent calls to authReconfigLocked from reconfiguring the engine when our
// key has expired and we're waiting to authenticate to use the new key.
// always block updates on NeedsLogin, to prevent calls to authReconfigLocked
// from reconfiguring the engine when our key has expired and we're waiting
// to authenticate to use the new key.
b.blockEngineUpdatesLocked(true)
fallthrough
case ipn.Stopped, ipn.NoState:
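Review bot: the reworded comment in the `case ipn.NeedsLogin:` branch justifies the call with "when our key has expired", but `b.blockEngineUpdatesLocked(true)` runs on every entry to NeedsLogin, while popBrowserAuthNowLocked now blocks only when `keyExpired` is true. Suggest saying explicitly whether NeedsLogin can be entered with a key that is still valid, and if so why blocking is still wanted there, so the two sites do not read as inconsistent. Minor style point, since the line is being rewritten anyway: start the comment with a capital, "Always block updates on NeedsLogin".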
@@ -7598,14 +7597,6 @@ func (b *LocalBackend) ReadRouteInfo() (*appctype.RouteInfo, error) {
return b.readRouteInfoLocked()
}
// seamlessRenewalEnabled reports whether seamless key renewals are enabled.
//
// As of 2025-09-11, this is the default behaviour unless nodes receive
// [tailcfg.NodeAttrDisableSeamlessKeyRenewal] in their netmap.
func (b *LocalBackend) seamlessRenewalEnabled() bool {
return b.ControlKnobs().SeamlessKeyRenewal.Load()
}
var (
disallowedAddrs = []netip.Addr{
netip.MustParseAddr("::1"),
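Review bot: removing `seamlessRenewalEnabled()` takes out the accessor, but the lines shown do not touch the `SeamlessKeyRenewal` knob it read via `b.ControlKnobs()` or the `tailcfg.NodeAttrDisableSeamlessKeyRenewal` attribute named in the deleted doc comment. Please confirm the other changed files remove both or mark them deprecated; a knob that is still set from the netmap but never read is easy to mistake for a working switch. If the attribute has to remain defined for older clients, a comment on it stating that clients with this change ignore it would document that the control-plane opt-out no longer has any effect.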