From 066af76ee98770c2ee3e91237d9144da43a7aebf Mon Sep 17 00:00:00 2001
From: chaosinthecrd <tom@tmlabs.co.uk>
Date: Wed, 1 Apr 2026 13:16:00 +0100
Subject: [PATCH] cmd/containerboot: use root context for auth key reissue wait

Pass the root context instead of bootCtx to setAndWaitForAuthKeyReissue.
The 60-second bootCtx timeout was cancelling the reissue wait before the
operator had time to respond, causing the pod to crash-loop.

Updates #14080

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
---
 cmd/containerboot/main.go | 4 ++--
 kube/authkey/authkey.go   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/cmd/containerboot/main.go b/cmd/containerboot/main.go
index 1f66c2c95..3ed11c05f 100644
--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@@ -375,7 +375,7 @@ func run() error {
 					if hasKubeStateStore(cfg) {
 						log.Printf("Auth key missing or invalid (NeedsLogin state), disconnecting from control and requesting new key from operator")
 
-						err := kc.setAndWaitForAuthKeyReissue(bootCtx, client, cfg, tailscaledConfigAuthkey)
+						err := kc.setAndWaitForAuthKeyReissue(ctx, client, cfg, tailscaledConfigAuthkey)
 						if err != nil {
 							return fmt.Errorf("failed to get a reissued authkey: %w", err)
 						}
@@ -415,7 +415,7 @@ func run() error {
 				if isOneStepConfig(cfg) && hasKubeStateStore(cfg) {
 					log.Printf("Auth key failed to authenticate (may be expired or single-use), disconnecting from control and requesting new key from operator")
 
-					err := kc.setAndWaitForAuthKeyReissue(bootCtx, client, cfg, tailscaledConfigAuthkey)
+					err := kc.setAndWaitForAuthKeyReissue(ctx, client, cfg, tailscaledConfigAuthkey)
 					if err != nil {
 						return fmt.Errorf("failed to get a reissued authkey: %w", err)
 					}
diff --git a/kube/authkey/authkey.go b/kube/authkey/authkey.go
index c56301b12..65ad69d46 100644
--- a/kube/authkey/authkey.go
+++ b/kube/authkey/authkey.go
@@ -64,7 +64,7 @@ func ClearReissueAuthKey(ctx context.Context, kc kubeclient.Client, stateSecretN
 		},
 	}
 
-	if profileKey := string(existing.Data["_current-profile"]); profileKey != "" {
+	if profileKey := string(existing.Data[string(ipn.CurrentProfileStateKey)]); profileKey != "" {
 		s.Data[profileKey] = nil
 	}