tailscale

Commit Graph

Author	SHA1	Message	Date
Jenny Zhang	c446451bfa	cmd/gitops-pusher: only use OAuth creds if non-empty string `os.LookupEnv` may return true if the variable is present in the environment but an empty string. We should only attempt to set OAuth Config if thsoe values are non-empty. Updates gitops-acl-action#33 Signed-off-by: Jenny Zhang <jz@tailscale.com>	3 months ago
Will Norris	13f8a669d5	cmd/gitops-pusher: fix logic for checking credentials gitops-pusher supports authenticating with an API key or OAuth credentials (added in #7393). You shouldn't ever use both of those together, so we error if both are set. In tailscale/gitops-acl-action#24, OAuth support is being added to the GitHub action. In that environment, both the TS_API_KEY and OAuth variables will be set, even if they are empty values. This causes an error in gitops-pusher which expects only one to be set. Update gitops-pusher to check that only one set of environment variables are non-empty, rather than just checking if they are set. Updates #7393 Signed-off-by: Will Norris <will@tailscale.com>	4 months ago
Maisem Ali	3280c81c95	.github,cmd/gitops-pusher: update to checkout@v4 checkout@v3 is broken: actions/checkout#1448 Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Jenny Zhang	9ab70212f4	cmd/gitops-pusher: re-use existing types from acl package This changes the ACLTestError type to reuse the existing/identical types from the ACL implementation, to avoid issues in the future if the two types fall out of sync. Updates #8645 Signed-off-by: Jenny Zhang <jz@tailscale.com>	10 months ago
Vladimir Pouzanov	e3211ff88b	Add support for OAuth tokens #7394 (#7393 ) Signed-off-by: Vladimir Pouzanov <farcaller@gmail.com>	1 year ago
Will Norris	71029cea2d	all: update copyright and license headers This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Brad Fitzpatrick	a1b4ab34e6	util/httpm: add new package for prettier HTTP method constants See package doc. Change-Id: Ibbfc8e1f98294217c56f3a9452bd93ffa3103572 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Denton Gentry	da53b1347b	cmd/gitops-pusher: support alternate api-server URLs Fixes https://github.com/tailscale/coral/issues/90 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	1 year ago
Xe Iaso	3564fd61b5	cmd/gitops-pusher: standardize hujson before posting to validate (#5525 ) Apparently the validate route doesn't check content-types or handle hujson with comments correctly. This patch makes gitops-pusher convert the hujson to normal json. Signed-off-by: Xe <xe@tailscale.com> Signed-off-by: Xe <xe@tailscale.com>	2 years ago
Xe Iaso	122bd667dc	cmd/gitops-pusher: be less paranoid about external modifications (#5488 ) This makes a "modified externally" error turn into a "modified externally" warning. It means CI won't fail if someone does something manually in the admin console. Signed-off-by: Xe <xe@tailscale.com>	2 years ago
Xe Iaso	904723691b	cmd/gitops-pusher: things i forgot to push last PR (#5128 ) Signed-off-by: Xe <xe@tailscale.com>	2 years ago
Xe Iaso	898695e312	cmd/gitops-pusher: add etag cache file for the three version problem (#5124 ) This allows gitops-pusher to detect external ACL changes. I'm not sure what to call this problem, so I've been calling it the "three version problem" in my notes. The basic problem is that at any given time we only have two versions of the ACL file at any given point: the version in CONTROL and the one in the git repo. In order to check if there has been tampering of the ACL files in the admin panel, we need to have a _third_ version to compare against. In this case I am not storing the old ACL entirely (though that could be a reasonable thing to add in the future), but only its sha256sum. This allows us to detect if the shasum in control matches the shasum we expect, and if that expectation fails, then we can react accordingly. This will require additional configuration in CI, but I'm sure that can be done. Signed-off-by: Xe <xe@tailscale.com>	2 years ago
Xe Iaso	92357a54ec	cmd/gitops-pusher: fix minor bug with ACL tests (#5123 ) Signed-off-by: Xe <xe@tailscale.com>	2 years ago
Xe Iaso	90ccba6730	cmd/gitops-pusher: port to use ffcli (#5113 ) Signed-off-by: Xe <xe@tailscale.com>	2 years ago
Xe Iaso	41e60dae80	cmd/gitops-pusher: use fmt.Println for errors (#5112 ) Signed-off-by: Xe <xe@tailscale.com>	2 years ago
Xe Iaso	004f0ca3e0	cmd/gitops-pusher: format HuJSON, enabling exact ACL matches (#5061 ) Signed-off-by: Xe <xe@tailscale.com>	2 years ago
Xe Iaso	16c85d0dc5	cmd/gitops-pusher: support GitHub Actions error syntax (#5060 ) GitHub Actions lets you annotate lines in files as errors[1]. This syntax will only fire on syntax errors. Future improvements can extend this to properly annotate ACL tests too. [1]: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-error-message Signed-off-by: Xe <xe@tailscale.com>	2 years ago
Xe Iaso	5bb44a4a5c	cmd/gitops-pusher: correctly handle ACL tests failing (#5016 ) Apparently the API for running ACL tests returns a 200 if the ACL tests fail. This is weird, but we can handle it. Signed-off-by: Xe <xe@tailscale.com>	2 years ago
Xe Iaso	dee95d0894	cmd/gitops-pusher: add new GitOps assistant (#4893 ) This is for an upcoming blogpost on how to manage Tailscale ACLs using a GitOps flow. This tool is intended to be used in CI and will allow users to have a git repository be the ultimate source of truth for their ACL file. This enables ACL changes to be proposed, approved and discussed before they are applied. Signed-off-by: Xe <xe@tailscale.com>	2 years ago

19 Commits (main)