cmd/k8s-operator: support workload identity federation

The feature is currently in private alpha, so requires a tailnet feature
flag. Initially focuses on supporting the operator's own auth, because the
operator is the only device we maintain that uses static long-lived
credentials. All other operator-created devices use single-use auth keys.

Testing steps:

* Create a cluster with an API server accessible over public internet
* kubectl get --raw /.well-known/openid-configuration | jq '.issuer'
* Create a federated OAuth client in the Tailscale admin console with:
  * The issuer from the previous step
  * Subject claim `system:serviceaccount:tailscale:operator`
  * Write scopes services, devices:core, auth_keys
  * Tag tag:k8s-operator
* Allow the Tailscale control plane to get the public portion of
  the ServiceAccount token signing key without authentication:
  * kubectl create clusterrolebinding oidc-discovery \
      --clusterrole=system:service-account-issuer-discovery \
      --group=system:unauthenticated
* helm install --set oauth.clientId=... --set oauth.audience=...

Updates #17457

Change-Id: Ib29c85ba97b093c70b002f4f41793ffc02e6c6e9
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
Tom Proctor
2025-10-05 02:10:50 +01:00
parent 1ed117dbc0
commit d4c5b278b3
7 changed files with 272 additions and 34 deletions
+14 -7
@@ -1,13 +1,20 @@
# Copyright (c) Tailscale Inc & AUTHORS
# SPDX-License-Identifier: BSD-3-Clause
# Operator oauth credentials. If set a Kubernetes Secret with the provided
# values will be created in the operator namespace. If unset a Secret named
# operator-oauth must be precreated or oauthSecretVolume needs to be adjusted.
# This block will be overridden by oauthSecretVolume, if set.
oauth: {}
# clientId: ""
# clientSecret: ""
# Operator oauth credentials. If unset a Secret named operator-oauth must be
# precreated or oauthSecretVolume needs to be adjusted. This block will be
# overridden by oauthSecretVolume, if set.
oauth:
# The Client ID the operator will authenticate with.
clientId: ""
# If set a Kubernetes Secret with the provided value will be created in
# the operator namespace, and mounted into the operator Pod. Takes precedence
# over oauth.audience.
clientSecret: ""
# The audience for oauth.clientId if using a workload identity federation
# OAuth client. Mutually exclusive with oauth.clientSecret.
# See https://tailscale.com/kb/1581/workload-identity-federation.
audience: ""
# URL of the control plane to be used by all resources managed by the operator.
loginServer: ""
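Review bot: the two new comments contradict each other on how `clientSecret` and `audience` interact: the `clientSecret` comment says it "Takes precedence over oauth.audience" while the `audience` comment says "Mutually exclusive with oauth.clientSecret". Pick one behaviour and state it identically in both places; if the chart or operator rejects both being set, keep "mutually exclusive" and drop "takes precedence", otherwise the reverse. The `audience` comment would also benefit from stating the prerequisite that the commit message spells out but this file does not: the operator authenticates with a projected ServiceAccount token for that audience, so the cluster's OIDC discovery endpoint and signing key must be reachable by the Tailscale control plane (the `system:service-account-issuer-discovery` clusterrolebinding step), since someone configuring only these values will otherwise hit an opaque auth failure.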