Skip to content

feat: support workload identity federation and reading auth key/ID token from files#239

Open
SamyDjemai wants to merge 1 commit into
tailscale:mainfrom
SamyDjemai:wif-and-authkey-file
Open

feat: support workload identity federation and reading auth key/ID token from files#239
SamyDjemai wants to merge 1 commit into
tailscale:mainfrom
SamyDjemai:wif-and-authkey-file

Conversation

@SamyDjemai

Copy link
Copy Markdown

What

Adds two file-based credential options to golink, plus links in tsnet's workload identity federation (WIF) support.

--auth-key-file / TS_AUTHKEY_FILE (fixes #237)

Read the Tailscale auth key from a file instead of passing it inline. Useful when the key is provided as a mounted secret.

golink -sqlitedb golink.db --auth-key-file /run/secrets/ts_authkey

--id-token-file / TS_ID_TOKEN_FILE + WIF (fixes #238)

Authenticate via workload identity federation instead of an auth key. The ID token can be read from a file, which is the natural fit for a Kubernetes pod's mounted ServiceAccount token (it's a file, not an env var, and rotates over time).

TS_CLIENT_ID="<client-id>" \
  golink -sqlitedb golink.db \
  --id-token-file /var/run/secrets/kubernetes.io/serviceaccount/token

Per the tsnet docs, WIF support is not linked by default (to keep cloud-provider SDK deps out of programs that don't use it), so this PR adds a blank import of tailscale.com/feature/identityfederation. TS_CLIENT_ID, TS_ID_TOKEN, and TS_AUDIENCE continue to be honored directly by tsnet; this PR only adds the file-based ID token option and the feature link.

Implementation notes

  • Both files are read once at startup via a small readFlagFile helper (returns "" for an empty path, trims trailing whitespace). This matches tsnet's behavior: the credentials are only used during initial node enrollment and ignored once state is persisted, so a single read is sufficient.
  • AuthKey and IDToken are set on the tsnet.Server; existing TS_AUTHKEY behavior is unchanged when the new flags are not used.

Testing

  • go build ./..., go vet ./... clean
  • go test ./... — all existing tests pass
  • README updated to document both options

…ken from files

Adds two file-based credential options, useful for running golink on
infrastructure that provides secrets as mounted files:

- --auth-key-file (TS_AUTHKEY_FILE): read the Tailscale auth key from a
  file instead of passing it inline (tailscale#237).
- --id-token-file (TS_ID_TOKEN_FILE): read an OIDC ID token from a file
  for workload identity federation, e.g. a mounted Kubernetes
  ServiceAccount token (tailscale#238).

Also blank-imports tailscale.com/feature/identityfederation so tsnet's
WIF authentication path (TS_CLIENT_ID + TS_ID_TOKEN/TS_AUDIENCE) is
linked in; it is not linked by default upstream.

Signed-off-by: Samy Djemaï <53857555+SamyDjemai@users.noreply.github.com>
@SamyDjemai SamyDjemai force-pushed the wif-and-authkey-file branch from b35e3b0 to 8b139f1 Compare June 30, 2026 15:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Support workload identity federation Read auth key from file path?

1 participant