FR: TS_KUBE_SECRET cannot be unset. As it defaults to `tailscale` if it's `""`

[stavros-k]

What are you trying to do?

Run ts in a kube environment, without the use of TS_KUBE_SECRET

How should we solve this?

In the case that someone runs tailscale in a pod with other container(s), you can't give access to the secret to a single container on that pod, service account binds to the whole pod.

Please allow having empty TS_KUBE_SECRET, so people can set a TS_STATE_DIR of their liking and also pass TS_AUTH_KEY as they please too.

Thanks.

tailscale/cmd/containerboot/main.go

Lines 40 to 41 in 7b65b7f

	// When running on Kubernetes, TS_KUBE_SECRET takes precedence over
	// TS_STATE_DIR. Additionally, if TS_AUTH_KEY is not provided and the

What is the impact of not solving this?

When using it in a pod with other containers, you are force to bind a Service account to tall the containers inside that pod.

Anything else?

No response

[danderson]

Hmm, looks like we never supported this, even in the old run.sh PID 1. I'm surprised it's taken this long for someone to need it.

I can definitely adjust containerboot so that an explicit TS_KUBE_SECRET="" disables secret storage. The question will be if all the regression tests of other combos of settings will still pass...

[stavros-k]

Hmm, looks like we never supported this, even in the old run.sh PID 1. I'm surprised it's taken this long for someone to need it.

I can definitely adjust containerboot so that an explicit TS_KUBE_SECRET="" disables secret storage. The question will be if all the regression tests of other combos of settings will still pass...

No idea if GO can do that. I guess it can. Check if env key exists, if exists and it's empty, disable the secret storage. (Check the it does not being set in any dockerfile as well).
If does not exist at all, default to "tailscale". So it's backwards compatible.

An easy solution might be to check for "ignore" or "disabled".
But then again it might look hacky.

[danderson]

Yeah Go can distinguish between an unset and an empty envvar, our container image just didn't. The question is more if changing the semantics of TS_KUBE_SECRET="" breaks any other possible configurations of the container.

Good news though, I just implemented it and the answer is: it's fine, all our regression tests still pass with the new behavior. Sending PR shortly.