cmd/containerboot: allow for automatic ID token generation

Allow for optionally specifying an audience for containerboot. This is
passed to tailscale up to allow for containerboot to use automatic ID
token generation for authentication.

Updates https://github.com/tailscale/corp/issues/34430

Signed-off-by: Mario Minardi <mario@tailscale.com>
Author: Mario Minardi, 2026-01-13 17:30:57 -07:00 (committed by Mario Minardi)
parent 02af7c963c
commit e9d82767e5
4 changed files with 79 additions and 8 deletions
+7 -3
@@ -20,8 +20,12 @@
// - TS_ID_TOKEN: the ID token from the identity provider for workload identity federation.
// Must be used together with TS_CLIENT_ID. If the value begins with "file:", it is
// treated as a path to a file containing the token.
// - Note: TS_AUTHKEY is mutually exclusive with TS_CLIENT_ID, TS_CLIENT_SECRET, and TS_ID_TOKEN.
// TS_CLIENT_SECRET and TS_ID_TOKEN cannot be used together.
// - TS_AUDIENCE: the audience to use when requesting an ID token from a well-known identity provider
// to exchange with the control server for workload identity federation. Must be used together
// with TS_CLIENT_ID.
// - Note: TS_AUTHKEY is mutually exclusive with TS_CLIENT_ID, TS_CLIENT_SECRET, TS_ID_TOKEN,
// and TS_AUDIENCE.
// TS_CLIENT_SECRET, TS_ID_TOKEN, and TS_AUDIENCE cannot be used together.
// - TS_HOSTNAME: the hostname to request for the node.
// - TS_ROUTES: subnet routes to advertise. Explicitly setting it to an empty
// value will cause containerboot to stop acting as a subnet router for any
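Review bot: the new exclusivity sentence on the last added line, `TS_CLIENT_SECRET, TS_ID_TOKEN, and TS_AUDIENCE cannot be used together.`, is ambiguous now that it covers three variables: it can be read as forbidding only the combination of all three while still allowing any pair, whereas the wording it replaces (`TS_CLIENT_SECRET and TS_ID_TOKEN cannot be used together.`) was unambiguous for two. If the intent is that these are three alternative credential sources, say so explicitly, for example `At most one of TS_CLIENT_SECRET, TS_ID_TOKEN, and TS_AUDIENCE may be set.` It would also help to state in the TS_AUDIENCE entry whether the `file:` prefix documented for TS_ID_TOKEN applies to it, since readers of this block will otherwise assume the TS_ID_TOKEN conventions carry over.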
@@ -78,7 +82,7 @@
// directory that containers tailscaled config in file. The config file needs to be
// named cap-<current-tailscaled-cap>.hujson. If this is set, TS_HOSTNAME,
// TS_EXTRA_ARGS, TS_AUTHKEY, TS_CLIENT_ID, TS_CLIENT_SECRET, TS_ID_TOKEN,
// TS_ROUTES, TS_ACCEPT_DNS env vars must not be set. If this is set,
// TS_ROUTES, TS_ACCEPT_DNS, TS_AUDIENCE env vars must not be set. If this is set,
// containerboot only runs `tailscaled --config <path-to-this-configfile>`
// and not `tailscale up` or `tailscale set`.
// The config file contents are currently read once on container start.
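Review bot: TS_AUDIENCE is appended to the end of the must-not-be-set list (`TS_ROUTES, TS_ACCEPT_DNS, TS_AUDIENCE env vars`) rather than placed next to the workload-identity variables it belongs with (`TS_CLIENT_ID, TS_CLIENT_SECRET, TS_ID_TOKEN`); grouping it there matches the ordering of the env-var documentation above and makes the list easier to audit for omissions. While this comment is being touched, the pre-existing typo on its first context line, `directory that containers tailscaled config in file`, could be corrected to `contains`.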