mirror of
https://github.com/tailscale/tailscale.git
synced 2026-06-24 07:52:47 -04:00
This commit modifies the reconciler for the `Tailnet` custom resource to allow referenced secrets to specify an `audience` field. If a referenced secret contains both an `audience` and `client_id`, we assume the user's intention is to use workload identity. In that case, we configure the tailscale API client to authenticate using the Kubernetes token request API against the operator's service account. This requires the operator to be aware of its own service account name. A small change has also been made to the messages added to the `Tailnet` CRD's status field in the event that it is missing scopes, to make it clearer that certain scopes may not be applied.

Closes: #19090
Updates: #19471

Signed-off-by: David Bond <davidsbond93@gmail.com>