@ -20,6 +20,7 @@ import (
"time"
"time"
"tailscale.com/envknob"
"tailscale.com/envknob"
"tailscale.com/health"
"tailscale.com/ipn"
"tailscale.com/ipn"
"tailscale.com/ipn/ipnstate"
"tailscale.com/ipn/ipnstate"
"tailscale.com/net/tsaddr"
"tailscale.com/net/tsaddr"
@ -60,9 +61,11 @@ func (b *LocalBackend) permitTKAInitLocked() bool {
func ( b * LocalBackend ) tkaFilterNetmapLocked ( nm * netmap . NetworkMap ) {
func ( b * LocalBackend ) tkaFilterNetmapLocked ( nm * netmap . NetworkMap ) {
// TODO(tom): Remove this guard for 1.35 and later.
// TODO(tom): Remove this guard for 1.35 and later.
if b . tka == nil && ! b . permitTKAInitLocked ( ) {
if b . tka == nil && ! b . permitTKAInitLocked ( ) {
health . SetTKAHealth ( nil )
return
return
}
}
if b . tka == nil {
if b . tka == nil {
health . SetTKAHealth ( nil )
return // TKA not enabled.
return // TKA not enabled.
}
}
@ -111,6 +114,13 @@ func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
} else {
} else {
b . tka . filtered = nil
b . tka . filtered = nil
}
}
// Check that we ourselves are not locked out, report a health issue if so.
if nm . SelfNode != nil && b . tka . authority . NodeKeyAuthorized ( nm . SelfNode . Key , nm . SelfNode . KeySignature ) != nil {
health . SetTKAHealth ( errors . New ( "this node is locked out; it will not have connectivity until it is signed. For more info, see https://tailscale.com/s/locked-out" ) )
} else {
health . SetTKAHealth ( nil )
}
}
}
// tkaSyncIfNeeded examines TKA info reported from the control plane,
// tkaSyncIfNeeded examines TKA info reported from the control plane,
@ -177,6 +187,7 @@ func (b *LocalBackend) tkaSyncIfNeeded(nm *netmap.NetworkMap, prefs ipn.PrefsVie
b . logf ( "Disablement failed, leaving TKA enabled. Error: %v" , err )
b . logf ( "Disablement failed, leaving TKA enabled. Error: %v" , err )
} else {
} else {
isEnabled = false
isEnabled = false
health . SetTKAHealth ( nil )
}
}
} else {
} else {
return fmt . Errorf ( "[bug] unreachable invariant of wantEnabled /w isEnabled" )
return fmt . Errorf ( "[bug] unreachable invariant of wantEnabled /w isEnabled" )