all: remove everything related to non-seamless key renewal
Seamless key renewal has been the default in all clients since 1.90. We retained the ability to disable it from the control plane as a precaution, but we haven't seen any issues that require us to disable it. We're now removing all the code for non-seamless key renewal, because we don't expect to turn it on again, and indeed it's been untested in the field for three releases so might contain latent bugs! Updates tailscale/corp#33042 Change-Id: I4b80bf07a3a50298d1c303743484169accc8844b Signed-off-by: Alex Chan <alexc@tailscale.com>
This commit is contained in:
+7
-16
@@ -3571,12 +3571,11 @@ func (b *LocalBackend) setAuthURLLocked(url string) {
|
||||
//
|
||||
// b.mu must be held.
|
||||
func (b *LocalBackend) popBrowserAuthNowLocked(url string, keyExpired bool, recipient ipnauth.Actor) {
|
||||
b.logf("popBrowserAuthNow(%q): url=%v, key-expired=%v, seamless-key-renewal=%v", maybeUsernameOf(recipient), url != "", keyExpired, b.seamlessRenewalEnabled())
|
||||
b.logf("popBrowserAuthNow(%q): url=%v, key-expired=%v", maybeUsernameOf(recipient), url != "", keyExpired)
|
||||
|
||||
// Deconfigure the local network data plane if:
|
||||
// - seamless key renewal is not enabled;
|
||||
// - key is expired (in which case tailnet connectivity is down anyway).
|
||||
if !b.seamlessRenewalEnabled() || keyExpired {
|
||||
// Deconfigure the local network data plane if the key is expired
|
||||
// (in which case tailnet connectivity is down anyway).
|
||||
if keyExpired {
|
||||
b.blockEngineUpdatesLocked(true)
|
||||
b.stopEngineAndWaitLocked()
|
||||
|
||||
@@ -5938,9 +5937,9 @@ func (b *LocalBackend) enterStateLocked(newState ipn.State) {
|
||||
switch newState {
|
||||
case ipn.NeedsLogin:
|
||||
feature.SystemdStatus("Needs login: %s", authURL)
|
||||
// always block updates on NeedsLogin even if seamless renewal is enabled,
|
||||
// to prevent calls to authReconfigLocked from reconfiguring the engine when our
|
||||
// key has expired and we're waiting to authenticate to use the new key.
|
||||
// always block updates on NeedsLogin, to prevent calls to authReconfigLocked
|
||||
// from reconfiguring the engine when our key has expired and we're waiting
|
||||
// to authenticate to use the new key.
|
||||
b.blockEngineUpdatesLocked(true)
|
||||
fallthrough
|
||||
case ipn.Stopped, ipn.NoState:
|
||||
@@ -7598,14 +7597,6 @@ func (b *LocalBackend) ReadRouteInfo() (*appctype.RouteInfo, error) {
|
||||
return b.readRouteInfoLocked()
|
||||
}
|
||||
|
||||
// seamlessRenewalEnabled reports whether seamless key renewals are enabled.
|
||||
//
|
||||
// As of 2025-09-11, this is the default behaviour unless nodes receive
|
||||
// [tailcfg.NodeAttrDisableSeamlessKeyRenewal] in their netmap.
|
||||
func (b *LocalBackend) seamlessRenewalEnabled() bool {
|
||||
return b.ControlKnobs().SeamlessKeyRenewal.Load()
|
||||
}
|
||||
|
||||
var (
|
||||
disallowedAddrs = []netip.Addr{
|
||||
netip.MustParseAddr("::1"),
|
||||
|
||||
Reference in New Issue
Block a user