tailscale / gitops-acl-action

GitOps for your Tailscale ACLs

The oauth update broke regular API keys #33

Closed bdomars closed 7 months ago

bdomars commented 7 months ago

Since a day ago all my actions are failing with:

Get "https://api.tailscale.com/api/v2/tailnet/***/acl": oauth2: cannot fetch token: 401 Unauthorized
Response: {"message":"API token invalid"}

I have TS_API_KEY and TS_TAILNET set via repository secrets.

I suspect that GitHub Actions is also setting TS_OAUTH_ID and TS_OAUTH_SECRET to "" even if they are not in the repository secrets, and this causes gitops-pusher to try to do OAuth with an empty string, which obviously fails.

From gitops-pusher:

    tailnet, ok := os.LookupEnv("TS_TAILNET")
    if !ok {
        log.Fatal("set envvar TS_TAILNET to your tailnet's name")
    }
    apiKey, ok := os.LookupEnv("TS_API_KEY")
    oauthId, oiok := os.LookupEnv("TS_OAUTH_ID")
    oauthSecret, osok := os.LookupEnv("TS_OAUTH_SECRET")
    if !ok && (!oiok || !osok) {
        log.Fatal("set envvar TS_API_KEY to your Tailscale API key or TS_OAUTH_ID and TS_OAUTH_SECRET to your Tailscale OAuth ID and Secret")
    }
    if apiKey != "" && (oauthId != "" || oauthSecret != "") {
        log.Fatal("set either the envvar TS_API_KEY or TS_OAUTH_ID and TS_OAUTH_SECRET")
    }
    var client *http.Client
    if oiok {
        oauthConfig := &clientcredentials.Config{
            ClientID:     oauthId,
            ClientSecret: oauthSecret,
            TokenURL:     fmt.Sprintf("https://%s/api/v2/oauth/token", *apiServer),
        }
        client = oauthConfig.Client(context.Background())
    } else {
        client = http.DefaultClient
    }

As you can see, it uses the error from LookupEnv to determine whether to do OAuth or not, so if it's set to "" it will fail.
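
As an added illustration (not gitops-pusher's code), the two selection rules side by side: the presence-flag check quoted above, and a variant that treats an empty value the same as an unset one. `Env`, the function names and the sample values are constructed for the example.

```go
package main

import "errors"

// AuthMode is the credential type gitops-pusher would use for the API call.
type AuthMode string

const AuthNone, AuthAPIKey, AuthOAuth AuthMode = "none", "api-key", "oauth"

// Env stands in for the process environment (constructed for this example);
// like os.LookupEnv, Lookup distinguishes "absent" from "present but empty".
type Env map[string]string

func (e Env) Lookup(k string) (string, bool) { v, ok := e[k]; return v, ok }

var errNone = errors.New("set TS_API_KEY or TS_OAUTH_ID and TS_OAUTH_SECRET")
var errBoth = errors.New("set either TS_API_KEY or the OAuth pair, not both")

// selectAuthPresent mirrors the logic quoted in the issue: the OAuth branch is
// chosen on the presence flag alone, so TS_OAUTH_ID="" still selects OAuth.
func selectAuthPresent(env Env) (AuthMode, error) {
	apiKey, ok := env.Lookup("TS_API_KEY")
	oauthID, oiok := env.Lookup("TS_OAUTH_ID")
	oauthSecret, osok := env.Lookup("TS_OAUTH_SECRET")
	if !ok && (!oiok || !osok) {
		return AuthNone, errNone
	}
	if apiKey != "" && (oauthID != "" || oauthSecret != "") {
		return AuthNone, errBoth
	}
	if oiok {
		return AuthOAuth, nil // reached with empty OAuth credentials: the API answers 401
	}
	return AuthAPIKey, nil
}

// selectAuthNonEmpty treats an empty value as unset, which is what a runner
// that exports every declared secret, defined or not, requires.
func selectAuthNonEmpty(env Env) (AuthMode, error) {
	apiKey, oauthID, oauthSecret := env["TS_API_KEY"], env["TS_OAUTH_ID"], env["TS_OAUTH_SECRET"]
	switch {
	case apiKey != "" && (oauthID != "" || oauthSecret != ""):
		return AuthNone, errBoth
	case oauthID != "" && oauthSecret != "":
		return AuthOAuth, nil
	case apiKey != "":
		return AuthAPIKey, nil
	}
	return AuthNone, errNone
}
```

With an API key set and both OAuth variables exported as "", the first function picks OAuth and the second picks the API key.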

timtailscale commented 7 months ago

While we are working on a fix, an immediate workaround is specifying the old v1.0.0 tag in your Action to use the old version, or you can try updating to OAuth clients for authentication. We recommend using OAuth clients, as they don't expire and allow scoped permissions unlike the full permissions and 90-day expiration of an API key.

willnorris commented 7 months ago

Sorry about that. We've released v1.1.1 which fixes this bug in the action itself. We're working on fixing it in the upstream code as well.