
Node key rotating

Open TotoTheDragon opened this issue 1 year ago • 2 comments

Why

Tailscale rotates keys in certain cases; we should support this properly.

Description

An example of where a node key is rotated within the Tailscale client: https://github.com/tailscale/tailscale/blob/5595b61b96aac4558525d4fc56362dd36cc42616/control/controlclient/direct.go#L706-L708

https://github.com/juanfont/headscale/pull/1719 has introduced code to make sure the node key is updated when the keys do not match and no old node key is provided. Some research needs to be done to figure out how to properly detect when a key is being rotated, so we can handle it in a similar way to this.

TotoTheDragon avatar Feb 06 '24 18:02 TotoTheDragon

https://github.com/tailscale/tailscale/blob/5595b61b96aac4558525d4fc56362dd36cc42616/control/controlclient/direct.go#L478-L489

There seem to be only two cases.

  1. When the old key is expired
  2. When login is interactive, e.g. when using OIDC, we also regenerate the key

TotoTheDragon avatar Feb 06 '24 18:02 TotoTheDragon
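Added example, not part of the issue thread and not headscale's or Tailscale's code: one way a control server could tell a rotation apart from the "keys do not match and no old node key is provided" case described above. The field names `NodeKey` and `OldNodeKey` follow Tailscale's register request; the types, the `Classify` function, the string keys and the outcome names are hypothetical, and it assumes the stored key was looked up for the same machine.

```go
package main

import "fmt"

// RegisterRequest is a simplified stand-in (assumption: keys as plain strings).
type RegisterRequest struct {
	NodeKey    string // key the client wants to use from now on
	OldNodeKey string // previous node key; empty when the client sent none
}

// Outcome names are hypothetical labels for this example.
type Outcome string

const (
	Unchanged     Outcome = "unchanged"           // same key as stored
	Rotation      Outcome = "rotation"            // old key proves continuity
	MismatchNoOld Outcome = "mismatch-no-old-key" // the case PR 1719 handles
	UnknownOldKey Outcome = "unknown-old-key"     // old key does not match our record
	Invalid       Outcome = "invalid"             // no node key in the request
)

// Classify compares a register request with the node key stored for the
// machine that sent it.
func Classify(stored string, req RegisterRequest) Outcome {
	switch {
	case req.NodeKey == "":
		return Invalid
	case req.NodeKey == stored:
		return Unchanged
	case req.OldNodeKey == "":
		return MismatchNoOld
	case req.OldNodeKey == stored:
		return Rotation
	default:
		return UnknownOldKey
	}
}

func main() {
	stored := "nodekey:aaaa" // constructed sample values, not real keys
	for _, r := range []RegisterRequest{
		{NodeKey: "nodekey:aaaa"},
		{NodeKey: "nodekey:bbbb", OldNodeKey: "nodekey:aaaa"},
		{NodeKey: "nodekey:bbbb"},
		{NodeKey: "nodekey:bbbb", OldNodeKey: "nodekey:cccc"},
	} {
		fmt.Printf("%+v -> %s\n", r, Classify(stored, r))
	}
}
```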

This issue is stale because it has been open for 90 days with no activity.

github-actions[bot] avatar May 07 '24 01:05 github-actions[bot]

This issue is stale because it has been open for 90 days with no activity.

github-actions[bot] avatar Aug 07 '24 01:08 github-actions[bot]

This issue was closed because it has been inactive for 14 days since being marked as stale.

github-actions[bot] avatar Aug 14 '24 01:08 github-actions[bot]