cmd/k8s-operator: support workload identity federation

The feature is currently in private alpha, so requires a tailnet feature
flag. Initially focuses on supporting the operator's own auth, because the
operator is the only device we maintain that uses static long-lived
credentials. All other operator-created devices use single-use auth keys.

Testing steps:

* Create a cluster with an API server accessible over public internet
* kubectl get --raw /.well-known/openid-configuration | jq '.issuer'
* Create a federated OAuth client in the Tailscale admin console with:
  * The issuer from the previous step
  * Subject claim `system:serviceaccount:tailscale:operator`
  * Write scopes services, devices:core, auth_keys
  * Tag tag:k8s-operator
* Allow the Tailscale control plane to get the public portion of
  the ServiceAccount token signing key without authentication:
  * kubectl create clusterrolebinding oidc-discovery \
      --clusterrole=system:service-account-issuer-discovery \
      --group=system:unauthenticated
* helm install --set oauth.clientId=... --set oauth.audience=...

Updates #17457

Change-Id: Ib29c85ba97b093c70b002f4f41793ffc02e6c6e9
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>

This commit is contained in:

Tom Proctor

2025-10-05 02:10:50 +01:00

parent 1ed117dbc0

commit d4c5b278b3

7 changed files with 272 additions and 34 deletions

									
										cmd/k8s-operator/deploy/chart/templates/oauth-secret.yaml
									
		+1
		-1
	
												View File
												
				@@ -1,7 +1,7 @@

				# Copyright (c) Tailscale Inc & AUTHORS

				# SPDX-License-Identifier: BSD-3-Clause

				{{ if and .Values.oauth .Values.oauth.clientId -}}

				{{ if and .Values.oauth .Values.oauth.clientId .Values.oauth.clientSecret -}}

				apiVersion: v1

				kind: Secret

				metadata: