From 39efba528ffc5f6399f95bac36a481a6bf7e6504 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Tue, 3 Jan 2023 15:17:44 -0800
Subject: [PATCH] cmd/containerboot: use TS_AUTHKEY as the parameter for auth keys

We still accept the previous TS_AUTH_KEY for backwards compatibility, but the documented option name is the spelling we use everywhere else.

Updates #6321

Signed-off-by: David Anderson
---
 cmd/containerboot/main.go | 15 +++++++++++---
 cmd/containerboot/main_test.go | 38 +++++++++++++++++++++++++---------
 2 files changed, 40 insertions(+), 13 deletions(-)

diff --git a/cmd/containerboot/main.go b/cmd/containerboot/main.go
index 6b50b4654..bf9d534c4 100644
--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@@ -12,7 +12,7 @@
 // As with most container things, configuration is passed through environment
 // variables. All configuration is optional.
 //
-// - TS_AUTH_KEY: the authkey to use for login.
+// - TS_AUTHKEY: the authkey to use for login.
 // - TS_ROUTES: subnet routes to advertise.
 // - TS_DEST_IP: proxy all incoming Tailscale traffic to the given
 // destination.
@@ -42,7 +42,7 @@
 // TS_KUBE_SECRET="" and TS_STATE_DIR=/path/to/storage/dir. The state dir should
 // be persistent storage.
 //
-// Additionally, if TS_AUTH_KEY is not set and the TS_KUBE_SECRET contains an
+// Additionally, if TS_AUTHKEY is not set and the TS_KUBE_SECRET contains an
 // "authkey" field, that key is used as the tailscale authkey.
 package main
 
@@ -73,7 +73,7 @@ func main() {
 tailscale.I_Acknowledge_This_API_Is_Unstable = true
 
 cfg := &settings{
- AuthKey: defaultEnv("TS_AUTH_KEY", ""),
+ AuthKey: defaultEnvs([]string{"TS_AUTHKEY", "TS_AUTH_KEY"}, ""),
 Routes: defaultEnv("TS_ROUTES", ""),
 ProxyTo: defaultEnv("TS_DEST_IP", ""),
 DaemonExtraArgs: defaultEnv("TS_TAILSCALED_EXTRA_ARGS", ""),
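Review bot: Nothing tells the operator which variable supplied the auth key on the `AuthKey:` line in `main`: when both `TS_AUTHKEY` and `TS_AUTH_KEY` are set the legacy value is dropped silently, and a deployment that still relies on `TS_AUTH_KEY` gets no deprecation signal. Because this is the node's login credential, a startup log line that names the variable (never its value) would make a stale or conflicting key in an old manifest visible, for example `if os.Getenv("TS_AUTH_KEY") != "" { log.Printf("TS_AUTH_KEY is deprecated, use TS_AUTHKEY") }`, using whatever logger the file already has. The package comment now says the kube-secret fallback applies when `TS_AUTHKEY` is not set without mentioning that `TS_AUTH_KEY` still counts; an entry such as `// - TS_AUTH_KEY: deprecated alias of TS_AUTHKEY.` would cover that. `main` starts and ends outside the hunk.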
@@ -548,6 +548,15 @@ func defaultEnv(name, defVal string) string {
 return defVal
 }
 
+func defaultEnvs(names []string, defVal string) string {
+ for _, name := range names {
+ if v, ok := os.LookupEnv(name); ok {
+ return v
+ }
+ }
+ return defVal
+}
+
 // defaultBool returns the boolean value of the given envvar name, or
 // defVal if unset or not a bool.
 func defaultBool(name string, defVal bool) bool {
diff --git a/cmd/containerboot/main_test.go b/cmd/containerboot/main_test.go
index c12269f84..05b1a8650 100644
--- a/cmd/containerboot/main_test.go
+++ b/cmd/containerboot/main_test.go
@@ -146,6 +146,24 @@ func TestContainerBoot(t *testing.T) {
 {
 // Userspace mode, ephemeral storage, authkey provided on every run.
 Name: "authkey",
+ Env: map[string]string{
+ "TS_AUTHKEY": "tskey-key",
+ },
+ Phases: []phase{
+ {
+ WantCmds: []string{
+ "/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
+ "/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+ },
+ },
+ {
+ Notify: runningNotify,
+ },
+ },
+ },
+ {
+ // Userspace mode, ephemeral storage, authkey provided on every run.
+ Name: "authkey-old-flag",
 Env: map[string]string{
 "TS_AUTH_KEY": "tskey-key",
 },
@@ -164,7 +182,7 @@ func TestContainerBoot(t *testing.T) {
 {
 Name: "authkey_disk_state",
 Env: map[string]string{
- "TS_AUTH_KEY": "tskey-key",
+ "TS_AUTHKEY": "tskey-key",
 "TS_STATE_DIR": filepath.Join(d, "tmp"),
 },
 Phases: []phase{
@@ -182,8 +200,8 @@ func TestContainerBoot(t *testing.T) {
 {
 Name: "routes",
 Env: map[string]string{
- "TS_AUTH_KEY": "tskey-key",
- "TS_ROUTES": "1.2.3.0/24,10.20.30.0/24",
+ "TS_AUTHKEY": "tskey-key",
+ "TS_ROUTES": "1.2.3.0/24,10.20.30.0/24",
 },
 Phases: []phase{
 {
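Review bot: `defaultEnvs` has no doc comment, unlike `defaultBool` directly below it, and its handling of empty values deserves one: `os.LookupEnv` reports `ok` for a variable that is set but empty, so an empty `TS_AUTHKEY` returns `""` and the legacy `TS_AUTH_KEY` is never consulted. If that is intended, state it, e.g. `// defaultEnvs returns the value of the first envvar in names that is set, even if empty, or defVal if none are set.` If the fallback is meant to skip empty values instead, the condition would become `if v, ok := os.LookupEnv(name); ok && v != "" {`. Whether `defaultEnv` treats empty values the same way is not visible in this hunk.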
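Review bot: No case pins the precedence when both `TS_AUTHKEY` and `TS_AUTH_KEY` are set, which is the one behaviour `defaultEnvs` adds beyond a rename; the two cases in this hunk only cover each variable on its own. A case with distinct constructed values, such as `"TS_AUTHKEY": "tskey-new", "TS_AUTH_KEY": "tskey-old"` expecting `--authkey=tskey-new`, would lock that in. The case name `authkey-old-flag` uses hyphens where the neighbouring cases use underscores, and it names an environment variable a flag. Its comment repeats the previous case's; something like `// Legacy TS_AUTH_KEY spelling is still accepted.` would say what it covers. `TestContainerBoot` starts and ends outside the hunk.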
@@ -204,7 +222,7 @@ func TestContainerBoot(t *testing.T) {
 {
 Name: "routes_kernel_ipv4",
 Env: map[string]string{
- "TS_AUTH_KEY": "tskey-key",
+ "TS_AUTHKEY": "tskey-key",
 "TS_ROUTES": "1.2.3.0/24,10.20.30.0/24",
 "TS_USERSPACE": "false",
 },
@@ -227,7 +245,7 @@ func TestContainerBoot(t *testing.T) {
 {
 Name: "routes_kernel_ipv6",
 Env: map[string]string{
- "TS_AUTH_KEY": "tskey-key",
+ "TS_AUTHKEY": "tskey-key",
 "TS_ROUTES": "::/64,1::/64",
 "TS_USERSPACE": "false",
 },
@@ -250,7 +268,7 @@ func TestContainerBoot(t *testing.T) {
 {
 Name: "routes_kernel_all_families",
 Env: map[string]string{
- "TS_AUTH_KEY": "tskey-key",
+ "TS_AUTHKEY": "tskey-key",
 "TS_ROUTES": "::/64,1.2.3.0/24",
 "TS_USERSPACE": "false",
 },
@@ -273,7 +291,7 @@ func TestContainerBoot(t *testing.T) {
 {
 Name: "proxy",
 Env: map[string]string{
- "TS_AUTH_KEY": "tskey-key",
+ "TS_AUTHKEY": "tskey-key",
 "TS_DEST_IP": "1.2.3.4",
 "TS_USERSPACE": "false",
 },
@@ -295,7 +313,7 @@ func TestContainerBoot(t *testing.T) {
 {
 Name: "authkey_once",
 Env: map[string]string{
- "TS_AUTH_KEY": "tskey-key",
+ "TS_AUTHKEY": "tskey-key",
 "TS_AUTH_ONCE": "true",
 },
 Phases: []phase{
@@ -354,7 +372,7 @@ func TestContainerBoot(t *testing.T) {
 // Explicitly set to an empty value, to override the default of "tailscale".
 "TS_KUBE_SECRET": "",
 "TS_STATE_DIR": filepath.Join(d, "tmp"),
- "TS_AUTH_KEY": "tskey-key",
+ "TS_AUTHKEY": "tskey-key",
 },
 KubeSecret: map[string]string{},
 Phases: []phase{
@@ -376,7 +394,7 @@ func TestContainerBoot(t *testing.T) {
 Env: map[string]string{
 "KUBERNETES_SERVICE_HOST": kube.Host,
 "KUBERNETES_SERVICE_PORT_HTTPS": kube.Port,
- "TS_AUTH_KEY": "tskey-key",
+ "TS_AUTHKEY": "tskey-key",
 },
 KubeSecret: map[string]string{},
 KubeDenyPatch: true,