mirror of
https://github.com/tailscale/tailscale.git
synced 2026-02-15 02:12:07 -05:00
393954cf7f
Adds logic for containerboot to signal that it can't auth, so the
operator can reissue a new auth key. This only applies when running with
a config file and with a kube state store.
If the operator sees reissue_authkey in a state Secret, it will create a
new auth key iff the config has no auth key or its auth key matches the
value of reissue_authkey from the state Secret. This is to ensure we
don't reissue auth keys in a tight loop if the proxy is slow to start or
failing for some other reason. The reissue logic also uses a burstable
rate limiter to ensure there's no way a terminally misconfigured
or buggy operator can automatically generate new auth keys in a tight loop.
Updates #14080
Change-Id: I6982f8e741932a6891f2f48a2936f7f6a455317f
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
(cherry picked from commit 969927c47c)