ipn/{ipnext,ipnlocal}: expose authReconfig in ipnext.Host as AuthReconfigAsync

Also implement a limit of one on the number of goroutines that can be
waiting to do a reconfig via AuthReconfig, to prevent extensions from
calling too fast and taxing resources.

Even with the protection, the new method should only be used in
experimental or proof-of-concept contexts. The current intended use is
for an extension to be able to force a reconfiguration of WireGuard, and
have the reconfiguration call back into the extension for extra Allowed
IPs.

If in the future WireGuard is able to reconfigure individual peers more
dynamically, an extension might be able to hook into that process, and
this method on ipnext.Host may be deprecated.

Fixes tailscale/corp#38120
Updates tailscale/corp#38124
Updates tailscale/corp#38125

Signed-off-by: Michael Ben-Ami <mzb@tailscale.com>
Michael Ben-Ami
2026-03-18 16:25:09 -04:00
committed by mzbenami
parent 3a5afc3358
commit ea7040eea2
4 changed files with 48 additions and 3 deletions
@@ -1375,6 +1375,7 @@ func (b *testBackend) Sys() *tsd.System {
func (b *testBackend) SendNotify(ipn.Notify) { panic("not implemented") }
func (b *testBackend) NodeBackend() ipnext.NodeBackend { panic("not implemented") }
func (b *testBackend) TailscaleVarRoot() string { panic("not implemented") }
func (b *testBackend) authReconfig() { panic("not implemented") }
func (b *testBackend) SwitchToBestProfile(reason string) {
b.mu.Lock()
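Review bot: the authReconfig() stub added to testBackend panics with "not implemented", so any test that reaches a reconfig through this backend will panic instead of failing with a useful message. Since the commit message says extensions are expected to call this to force a WireGuard reconfiguration, consider making the stub a no-op or having it record the call so tests can assert that it happened. The stub is also the unexported authReconfig, while the commit subject names the exposed method AuthReconfigAsync; a short comment saying which interface requires the unexported method would help the next reader.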