I just wish Tailscale would allow you to use long-lived tokens for ephemeral nodes...

Short-lived tokens are not always an option.

You can use OAuth tokens with the permissions of auth_key write to use long-lived tokens to permission ephemeral nodes.

I have a GitHub action that uses an OAuth token to provision a new key and store it in our secrets manager as part of the workflow that provisions systems - the new systems then pull the ephemeral key to onboard themselves as they come up

It can get especially interesting when you do things like have your GitHub runners onboard themselves to Tailscale - at that point you can pretty much fully-provision isolated systems directly from GitHub Actions if you want

I'm curious, which situations are short-lived tokens not an option?

I want to give every node in my Kubernetes cluster a Tailscale key to join the cluster via the cloud-config / userdata. But this key is enforced by Tailscale to be short-lived, so if the server is reset and it boots again from cloud-config, it has the expired key and can't join the Tailscale network again.
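
The flow described in the replies above (a long-lived OAuth client with auth key write scope minting a fresh ephemeral key at provisioning time, so no expiring key is baked into cloud-config), as an added example that is not part of the original thread. It uses Tailscale's public v2 API; the function names, the `tag:k8s-node` tag and the 10-minute expiry are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

API = "https://api.tailscale.com/api/v2"


def token_request(client_id, client_secret):
    """OAuth client-credentials request for a short-lived API access token."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    return urllib.request.Request(f"{API}/oauth/token", data=body, method="POST")


def auth_key_request(access_token, tags, expiry_seconds=600):
    """Request for a single-use, ephemeral, pre-authorized, tagged auth key."""
    if not tags or not all(t.startswith("tag:") for t in tags):
        # Auth keys minted by an OAuth client must carry at least one tag.
        raise ValueError("at least one tag of the form 'tag:name' is required")
    payload = {
        "capabilities": {"devices": {"create": {
            "reusable": False,       # one key per node
            "ephemeral": True,       # node is removed after it goes offline
            "preauthorized": True,
            "tags": list(tags),
        }}},
        "expirySeconds": expiry_seconds,  # the key only has to outlive the boot
    }
    return urllib.request.Request(
        f"{API}/tailnet/-/keys",  # "-" selects the tailnet that owns the token
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def mint_ephemeral_key(client_id, client_secret, tags=("tag:k8s-node",)):
    """Run both calls and return the auth key for the secrets manager."""
    req = token_request(client_id, client_secret)
    with urllib.request.urlopen(req, timeout=10) as resp:
        token = json.load(resp)["access_token"]
    req = auth_key_request(token, tags)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["key"]
```

The OAuth client secret stays with the provisioning workflow; a node only ever receives the short-lived key that `mint_ephemeral_key` returns.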