Documentation
Overview
Package authkey provides shared logic for handling auth key reissue requests between tailnet clients (containerboot, k8s-proxy) and the operator.
When a client fails to authenticate (expired key, single-use key already used), it signals the operator by setting a marker in its state Secret. The operator responds by deleting the old device and issuing a new auth key. The client watches for the new key and restarts to apply it.
Index
- Constants
- func AuthKeyFromConfig(path string) string
- func ClearReissueAuthKey(ctx context.Context, kc kubeclient.Client, stateSecretName string, ...) error
- func SetReissueAuthKey(ctx context.Context, kc kubeclient.Client, stateSecretName string, ...) error
- func WaitForAuthKeyReissue(ctx context.Context, oldAuthKey string, maxWait time.Duration, ...) error
Constants
const (
	TailscaleContainerFieldManager = "tailscale-container"
)
Variables
This section is empty.
Functions
func AuthKeyFromConfig
AuthKeyFromConfig extracts the auth key from a tailscaled config file. It returns an empty string if the file cannot be read or contains no auth key.
func ClearReissueAuthKey
func ClearReissueAuthKey(ctx context.Context, kc kubeclient.Client, stateSecretName string, fieldManager string) error
ClearReissueAuthKey removes the reissue_authkey marker from the state Secret to signal to the operator that we've successfully received the new key.
func SetReissueAuthKey
func SetReissueAuthKey(ctx context.Context, kc kubeclient.Client, stateSecretName string, authKey string, fieldManager string) error
SetReissueAuthKey sets the reissue_authkey marker in the state Secret to signal to the operator that a new auth key is needed. The marker value is the auth key that failed to authenticate.
func WaitForAuthKeyReissue
func WaitForAuthKeyReissue(ctx context.Context, oldAuthKey string, maxWait time.Duration, getAuthKey func() string, clearFn func(context.Context) error, notify <-chan struct{}) error
WaitForAuthKeyReissue polls getAuthKey for a new auth key different from oldAuthKey, returning when one is found or maxWait expires. If notify is non-nil, it is used to wake the loop on config changes; otherwise it falls back to periodic polling. The clearFn callback is called when a new key is detected, to clear the reissue marker from the state Secret.
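The wait loop described above, sketched as an added example that is not the package's source: `waitForNewKey`, its `pollEvery` parameter, `simulate` and the key strings are hypothetical names and constructed values. It shows the notify-or-poll choice, the rule that an empty or unchanged key is never accepted, and the marker being cleared only after a new key is seen.

```go
package main

import (
	"context"
	"fmt"
	"sync/atomic"
	"time"
)

// waitForNewKey is a hypothetical stand-in for the behaviour documented for
// WaitForAuthKeyReissue; pollEvery is an assumed parameter, not part of the API.
func waitForNewKey(ctx context.Context, oldKey string, maxWait, pollEvery time.Duration,
	getAuthKey func() string, clearFn func(context.Context) error, notify <-chan struct{}) error {
	ctx, cancel := context.WithTimeout(ctx, maxWait)
	defer cancel()
	var tick <-chan time.Time // stays nil (never fires) when notify is in use
	if notify == nil {
		t := time.NewTicker(pollEvery)
		defer t.Stop()
		tick = t.C
	}
	for {
		if k := getAuthKey(); k != "" && k != oldKey { // empty or unchanged is never accepted
			return clearFn(ctx) // clear the marker only once a new key is in hand
		}
		select {
		case <-ctx.Done():
			return fmt.Errorf("no new auth key within %v: %w", maxWait, ctx.Err())
		case <-notify:
		case <-tick:
		}
	}
}

// simulate plays the operator: after rotateAfter it publishes a new constructed
// key and signals notify. It reports how often clearFn ran.
func simulate(rotateAfter, maxWait time.Duration) (cleared int, err error) {
	const oldKey = "tskey-auth-OLD-constructed"
	var key atomic.Value
	key.Store(oldKey)
	notify := make(chan struct{}, 1)
	time.AfterFunc(rotateAfter, func() { key.Store("tskey-auth-NEW-constructed"); notify <- struct{}{} })
	err = waitForNewKey(context.Background(), oldKey, maxWait, time.Second,
		func() string { return key.Load().(string) },
		func(context.Context) error { cleared++; return nil }, notify)
	return cleared, err
}

func main() { fmt.Println(simulate(20*time.Millisecond, 2*time.Second)) }
```

On timeout the marker is left in place, so the request for a new key stays visible in the state Secret.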
Types
This section is empty.