tailscale / github-action

A GitHub Action to connect your workflow to your Tailscale network.
BSD 3-Clause "New" or "Revised" License

[question] Is there a way to auto-renew the TAILSCALE_AUTHKEY? #34

Closed lukehsiao closed 2 years ago

lukehsiao commented 2 years ago

Right now, this action requires someone to update the TAILSCALE_AUTHKEY every 90 days, which is easy to forget. Is there a way we can automate this process?

Searching around, I've come across a few statements hinting at automation becoming possible soon:

https://github.com/tailscale/tailscale/issues/1151#issuecomment-777126523

> We updated these labels to be less confusing a little while back. The labels no longer say that keys never expire, since all our keys expire after 90 days for security reasons.
>
> If this bug was about that confusion, we can consider it fixed. If this bug was about the fact that our keys expire after 90 days, then we can discuss that. We have plans to build systems for automated key renewal, but they're not ready yet.

https://www.reddit.com/r/Tailscale/comments/pcpn0k/using_ts_in_github_actions/

> We're working on a way to generate auth keys via our public API. Once that's ready, you could combine that with the GitHub CLI and run a cron job like:
>
> gh secret set TS_KEY --org=organization-name --body "your auth key"

But I'm not sure if these have materialized, or if there was some other recommended best practice that can ensure our GitHub actions will continue to work well without a manual renewal process.

mayakacz commented 2 years ago

> Is there a way we can automate this process?

There is not currently a way to do this.

Moving this to tailscale/tailscale and retagging as a feature request.

DentonGentry commented 2 years ago

We're expecting to handle this in https://github.com/tailscale/tailscale/issues/3243 by:

We'll track remaining work in https://github.com/tailscale/tailscale/issues/3243