path: root/control/controlhttp/controlhttpserver/controlhttpserver.go
author    Tom Proctor <tomhjp@users.noreply.github.com>  2025-10-05 02:10:50 +0100
committer Tom Proctor <tomhjp@users.noreply.github.com>  2025-11-07 14:24:24 +0000
commit    d4c5b278b3dd67e31498dfbfe321c5e00a801898 (patch)
tree      47ba83f03b4a8b1a2a22c95d984959186463257a /control/controlhttp/controlhttpserver/controlhttpserver.go
parent    1ed117dbc08ac60a69ba46bdb7289b1d416bc5dc (diff)
download  tailscale-d4c5b278b3dd67e31498dfbfe321c5e00a801898.tar.xz
          tailscale-d4c5b278b3dd67e31498dfbfe321c5e00a801898.zip
cmd/k8s-operator: support workload identity federation
The feature is currently in private alpha, so it requires a tailnet feature flag. It initially focuses on supporting the operator's own auth, because the operator is the only device we maintain that uses static long-lived credentials. All other operator-created devices use single-use auth keys.

Testing steps:

* Create a cluster with an API server accessible over public internet
* kubectl get --raw /.well-known/openid-configuration | jq '.issuer'
* Create a federated OAuth client in the Tailscale admin console with:
  * The issuer from the previous step
  * Subject claim `system:serviceaccount:tailscale:operator`
  * Write scopes services, devices:core, auth_keys
  * Tag tag:k8s-operator
* Allow the Tailscale control plane to get the public portion of the ServiceAccount token signing key without authentication:
  * kubectl create clusterrolebinding oidc-discovery \
      --clusterrole=system:service-account-issuer-discovery \
      --group=system:unauthenticated
* helm install --set oauth.clientId=... --set oauth.audience=...

Updates #17457

Change-Id: Ib29c85ba97b093c70b002f4f41793ffc02e6c6e9
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
Diffstat (limited to 'control/controlhttp/controlhttpserver/controlhttpserver.go')
0 files changed, 0 insertions, 0 deletions
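The testing steps in the commit message describe what the federation relies on: the control plane resolves the cluster's issuer to its OIDC discovery document and `jwks_uri` (the public half of the ServiceAccount signing key, which the clusterrolebinding above exposes to unauthenticated callers), and then accepts a projected ServiceAccount token only if its signature verifies under a published key and its `iss`, `sub` and `aud` claims match the federated OAuth client. The Go program below is an added example of that relying-party check, written for this page and not taken from Tailscale's code. Because it runs offline it generates a throwaway RSA key in place of the cluster's signing key, builds an in-memory JWKS instead of fetching `jwks_uri`, and mints constructed tokens with `signToken`; the kid `k1`, the issuer `https://example.invalid/cluster`, the audience `example-audience` and the `federation` struct are all hypothetical.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"slices"
	"strings"
	"time"
)

// jwk: one entry of the cluster's JWKS "keys" array. claims: the projected ServiceAccount
// token fields federation checks. federation: what was entered for the federated OAuth client
// (hypothetical struct). encoding/json matches lowercase JSON names case-insensitively, no tags.
type (
	jwk        struct{ Kid, N, E string }
	claims     struct{ Iss, Sub string; Aud []string; Exp int64 }
	federation struct{ Issuer, Subject, Audience string }
)

func decode(seg string, v any) error { // base64url-decode one JWT segment into v
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// publicKey returns the RSA key named by kid from the JWKS, or nil if there is none.
func publicKey(keys []jwk, kid string) *rsa.PublicKey {
	for _, k := range keys {
		if n, err := base64.RawURLEncoding.DecodeString(k.N); k.Kid == kid && err == nil {
			e, _ := base64.RawURLEncoding.DecodeString(k.E) // a bad exponent gives E=0, which rsa rejects
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	return nil
}

// verifyToken checks the RS256 signature first, then iss, sub, aud and exp against fed.
func verifyToken(token string, keys []jwk, fed federation, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string } // alg is pinned below: the token must not choose it
	if len(parts) != 3 || decode(parts[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed token or unsupported alg %q", hdr.Alg)
	}
	pub := publicKey(keys, hdr.Kid)
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("no key for kid %q or signature does not verify", hdr.Kid)
	}
	var c claims // only now is the payload worth reading
	if err := decode(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != fed.Issuer:
		return nil, fmt.Errorf("issuer %q is not the federated cluster", c.Iss)
	case c.Sub != fed.Subject:
		return nil, fmt.Errorf("subject %q is not the federated client", c.Sub)
	case !slices.Contains(c.Aud, fed.Audience):
		return nil, fmt.Errorf("audience %v does not name this relying party", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// signToken stands in for kube-apiserver minting a projected token (example only).
func signToken(priv *rsa.PrivateKey, kid string, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(map[string]any{"iss": c.Iss, "sub": c.Sub, "aud": c.Aud, "exp": c.Exp})
	signing := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// demo verifies constructed tokens against a constructed JWKS. Only the operator's
// own token should verify; the kid, issuer and audience values are made up.
func demo() (operator, otherSA, otherAud error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys := []jwk{{Kid: "k1", N: base64.RawURLEncoding.EncodeToString(priv.N.Bytes()), E: base64.RawURLEncoding.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}
	fed := federation{Issuer: "https://example.invalid/cluster", Subject: "system:serviceaccount:tailscale:operator", Audience: "example-audience"}
	now := time.Now()
	check := func(sub, aud string) error {
		c := claims{Iss: fed.Issuer, Sub: sub, Aud: []string{aud}, Exp: now.Add(10 * time.Minute).Unix()}
		_, err := verifyToken(signToken(priv, "k1", c), keys, fed, now)
		return err
	}
	// operator's own token; another ServiceAccount's token; a token minted for a different audience
	return check(fed.Subject, fed.Audience), check("system:serviceaccount:default:default", fed.Audience), check(fed.Subject, "someone-else")
}

func main() { fmt.Println(demo()) }
```

The ordering is the point: the algorithm is pinned and the signature is checked under the key named by `kid` before any claim is read, so a token that says `alg: none`, or names a key the JWKS does not contain, never reaches the issuer/subject/audience comparison. The JWKS holds only public keys, which is why binding `system:service-account-issuer-discovery` to `system:unauthenticated` exposes nothing secret; the trust decision rests entirely on the issuer, subject and audience comparison and on the token's short `exp`. Against a real cluster the `keys` slice would come from the `jwks_uri` named in `<issuer>/.well-known/openid-configuration` rather than from a locally generated key.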