tailscale / github-action

A GitHub Action to connect your workflow to your Tailscale network.
BSD 3-Clause "New" or "Revised" License
532 stars 80 forks

Discussion: Stuck implementing OAuth Client for GitHub Actions CI/CD #79

Closed rihardsgrislis closed 10 months ago

rihardsgrislis commented 12 months ago

Hey Tailers,

I noticed you guys have deprecated the 'authkey' input in favor of an OAuth API client. Sounds good, but I'm a bit stuck trying to switch over.

From the action's readme I picked up that I should use "tag:ci" in the GitHub Action. But then, when I'm setting up the OAuth Client, things get a bit foggy. I picked "devices:write" for my client's scope. I wasn't quite sure about that; some more info on which scopes are required for the action might help.

Next step, adding a tag, since it's required for "devices:write". I'm guessing I need "tag:ci" here too, right? But when I click "Manage tags in Access Controls" the progress is lost due to the redirect.

Here's the part that's got me scratching my head:

// Define the tags which can be applied to devices and by which users.
"tagOwners": {
    "tag:ci": [?]
},

Which user should I put here? Then, I remembered the readme said this:

"At least one tag is required: an OAuth client is not associated with any of the Users on the tailnet, it has to Tag its nodes."

That left me a bit puzzled.

Hope you guys can help me sort this out. The switch from 'authkey' to OAuth Client isn't quite the walk in the park I hoped it'd be.

Thanks!

rihardsgrislis commented 11 months ago

I went ahead and tested it with scope device:write and this:

"tagOwners": {
    "tag:ci": ["autogroup:admin"],
},

Works fine but I'm unsure about my choice of autogroup:admin.

peteretelej commented 11 months ago

That should be OK. However, you don't need to specify a tag owner for this, as the OAuth client will automatically assign tags to the ephemeral devices.

For example, this should also work:

"tagOwners": {
    "tag:ci": []
}

Tag owners allow the owners to assign tags to devices (https://tailscale.com/kb/1068/acl-tags/#defining-tag-owners). In this case, the device will be tagged automatically.

You can make use of the tag in your ACLs for more fine-grained permissioning if desired.

rihardsgrislis commented 10 months ago

@peteretelej thanks, removing "autogroup:admin" from tag:ci works!

However, I checked the documentation on ACL tags and that's the same as having the autogroup:admin specified. :D

A shorthand notation, [], is available for autogroup:admin. - https://tailscale.com/kb/1018/acls/#tag-owners
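The thread boils down to two rules: the tag the action requests must be declared under tagOwners in the policy, and an empty owner list is just shorthand for autogroup:admin. The script below is an added example (mine, not code from tailscale/github-action or Tailscale) that checks a policy file for exactly that before you touch the OAuth client. It assumes a HuJSON policy like the fragments in this thread and a comma-separated tag list in the shape of the action's `tags` input; the sample policy, and every tag in it other than tag:ci, are constructed for illustration.

```python
"""Check a Tailscale ACL policy's tagOwners against the tags a CI OAuth client will request.

Added example for this issue thread, not code from tailscale/github-action or Tailscale.
The policy below is constructed; the tag list mimics the action's comma-separated `tags` input.
"""
import json
import re

# Constructed sample policy in HuJSON (Tailscale's JSON dialect: // comments and trailing commas).
SAMPLE_POLICY = """
{
  // Define the tags which can be applied to devices and by which users.
  "tagOwners": {
    "tag:ci":   [],                   // [] is shorthand for ["autogroup:admin"]
    "tag:prod": ["autogroup:admin"],
  },
  "acls": [
    // Let CI runners reach prod hosts over SSH only.
    {"action": "accept", "src": ["tag:ci"], "dst": ["tag:prod:22"]},
  ],
}
"""

# A JSON string literal; matching these first keeps "//" inside strings (e.g. URLs) intact.
_STRING = r'"(?:\\.|[^"\\])*"'


def hujson_to_json(text: str) -> dict:
    """Parse HuJSON: drop comments and trailing commas outside string literals, then json.loads."""
    keep_or_drop = lambda m: m.group(1) or ""  # group 1 is a string literal: keep it; otherwise drop
    text = re.sub(rf"({_STRING})|//[^\n]*|/\*.*?\*/", keep_or_drop, text, flags=re.S)
    text = re.sub(rf"({_STRING})|,(?=\s*[}}\]])", keep_or_drop, text)
    return json.loads(text)


def parse_tags_input(value: str) -> list[str]:
    """Split the action's `tags` input ("tag:ci" or "tag:ci,tag:other") and insist on the tag: prefix."""
    tags = [t.strip() for t in value.split(",") if t.strip()]
    bad = [t for t in tags if not t.startswith("tag:")]
    if bad:
        raise ValueError(f"tags must be given as tag:<name>, got {bad}")
    return tags


def effective_owners(owners: list[str]) -> list[str]:
    """Expand the [] shorthand: an empty owner list means autogroup:admin."""
    return ["autogroup:admin"] if not owners else owners


def check_tags(policy: dict, requested: list[str]) -> dict:
    """Report which requested tags are declared in tagOwners and who may apply them by hand.

    The OAuth client can only be created with tags that exist in tagOwners, so a tag
    missing here fails before the workflow ever runs. The owner list only governs which
    humans may tag a node manually; the OAuth client tags its own ephemeral nodes regardless.
    """
    declared = policy.get("tagOwners", {})
    missing = [t for t in requested if t not in declared]
    owners = {t: effective_owners(declared[t]) for t in requested if t in declared}
    return {"ok": not missing, "missing": missing, "owners": owners}


if __name__ == "__main__":
    policy = hujson_to_json(SAMPLE_POLICY)
    for tags_input in ("tag:ci", "tag:ci, tag:deploy"):
        print(tags_input, "->", check_tags(policy, parse_tags_input(tags_input)))
```

Run it against a real policy by replacing SAMPLE_POLICY with the contents of your exported policy file. The "owners" entry in the result is only about who may tag a node by hand; since the tag becomes the identity of every CI runner in your ACLs, the check worth pairing with this one is that the "acls" rules with "src": ["tag:ci"] reach only the hosts and ports the pipeline actually needs.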