cmd/containerboot: add EXPERIMENTAL_TS_CONFIGFILE_PATH env var to allow passing tailscaled config in a file #10759
Conversation
So that we can distinguish between the value being set to false explicitly bs being unset. Updates #10708 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
If EXPERIMENTAL_TS_CONFIGFILE_PATH env var is set, only run tailscaled with the provided config file. Do not run 'tailscale up' or 'tailscale set'. Signed-off-by: Irbe Krumina <irbe@tailscale.com>
irbekrm
force-pushed
the
irbekrm/containerbootconf
branch
from
c585e7d
to
d9c92f1
Compare
cmd/containerboot/main.go
Outdated
| @@ -253,7 +251,7 @@ func main() { | |||
| return nil | |||
| } | |||
|
|
|||
| if !cfg.AuthOnce { | |||
| if !runTailscaleSet(cfg) { | |||
There was a problem hiding this comment.
It's a bit weird that running tailscale up is gated by a function called run tailscale set. Perhaps it would be better to leave this as !cfg.AuthOnce, since authTailscale exits early if we use a config file anyway?
There was a problem hiding this comment.
This PR adds a bunch more combinations of 'is/is not cfg.AuthOnce and ' to the extent that I think it becomes difficult to follow which bits of the three installation modes a certain conditional gates.
I am trying to distinguish between the three install modes (run tailscaled + tailscale auth, run tailscaled + tailscale auth and subsequent tailscale set, run tailscaled only).
I've updated the helper functions to have hopefully better names, happy to rename them differently if you have other suggestions 0bf017c#diff-700830ac79a41da42cd3a82065f0fee3003a4390eead4db1de4bf30557a06bd6L999-R1019
cmd/containerboot/main.go
Outdated
| @@ -309,7 +314,7 @@ authLoop: | |||
| } | |||
| } | |||
|
|
|||
| if cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch && cfg.AuthOnce { | |||
| if cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch && runTailscaleSet(cfg) { | |||
There was a problem hiding this comment.
Again, weird to see runTailscaleSet gating something other than tailscaleSet. Perhaps we could use a better function name, or gate this by AuthOnce and runTailscaledOnly like you do on line 172?
There was a problem hiding this comment.
Same as in #10759 (comment)
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
|
I'm going to merge this, since it's approved and so that I can rebase the other PR. Happy to address any further readability improvements in followups though! |
…ow passing tailscaled config in a file (tailscale#10759) * cmd/containerboot: optionally configure tailscaled with a configfile. If EXPERIMENTAL_TS_CONFIGFILE_PATH env var is set, only run tailscaled with the provided config file. Do not run 'tailscale up' or 'tailscale set'. * cmd/containerboot: store containerboot accept_dns val in bool pointer So that we can distinguish between the value being set to false explicitly bs being unset. Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Currently when a containerboot container starts:
TS_AUTH_ONCEenv var is set to true it runstailscaledfollowed bytailscale up+ auth key + config opts on first container start andtailscaled+tailscale set+ config opts on subsequent startsTS_AUTH_ONCEenv var is set to false (default) runstailscaledfollowed bytailscale up+ config opts on any container startThe config opts are passed as env vars. This has a number of issues- env vars are not a great configuration option as we need to add extra logic in tailscale to validate them and having the config scattered accross multiple commands makes it harder to implement declarative configuration.
Right now we need to add more configuration options (see #10740) so it's a good time to add support for a better config mechanism.
This PR adds support for optionally providing configuration via a config file passed to
tailscaled.Users can set
EXPERIMENTAL_TS_CONFIGFILE_PATHto a path to tailscaled config file, see https://pkg.go.dev/tailscale.com@v1.56.1/ipn#ConfigVAlpha.If this is set containerboot only runs
tailscaled --config <path-to-the-configfile> ..<other config opts>(and nottailscale uportailscale set). Users must pass auth key via the tailscaled config.Notes