tailscale/cmd/gitops-pusher
Andrew Lytvynov c0c4791ce7
cmd/gitops-pusher: ignore previous etag if local acls match control (#13068)
In a situation when manual edits are made on the admin panel, around the
GitOps process, the pusher will be stuck if `--fail-on-manual-edits` is
set, as expected.

To recover from this, there are 2 options:
1. revert the admin panel changes to get back in sync with the code
2. check in the manual edits to code

The former will work well, since previous and local ETags will match
control ETag again. The latter will still fail, since local and control
ETags match, but previous does not.

For this situation, check the local ETag against control first and
ignore previous when things are already in sync.

Updates https://github.com/tailscale/corp/issues/22177

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2024-08-08 13:23:06 -07:00
..
.gitignore cmd/gitops-pusher: add etag cache file for the three version problem (#5124) 2022-07-22 15:07:38 -04:00
README.md .github,cmd/gitops-pusher: update to checkout@v4 2023-09-04 15:12:57 -07:00
cache.go all: update copyright and license headers 2023-01-27 15:36:29 -08:00
gitops-pusher.go cmd/gitops-pusher: ignore previous etag if local acls match control (#13068) 2024-08-08 13:23:06 -07:00
gitops-pusher_test.go cmd/gitops-pusher: re-use existing types from acl package 2023-07-19 14:44:45 -04:00

README.md

gitops-pusher

This is a small tool to help people achieve a GitOps workflow with Tailscale ACL changes. This tool is intended to be used in a CI flow that looks like this:

name: Tailscale ACL syncing

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

jobs:
  acls:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
      
      - name: Setup Go environment
        uses: actions/setup-go@v3.2.0
        
      - name: Install gitops-pusher
        run: go install tailscale.com/cmd/gitops-pusher@latest
              
      - name: Deploy ACL
        if: github.event_name == 'push'
        env:
          TS_API_KEY: ${{ secrets.TS_API_KEY }}
          TS_TAILNET: ${{ secrets.TS_TAILNET }}
        run: |
          ~/go/bin/gitops-pusher --policy-file ./policy.hujson apply          

      - name: ACL tests
        if: github.event_name == 'pull_request'
        env:
          TS_API_KEY: ${{ secrets.TS_API_KEY }}
          TS_TAILNET: ${{ secrets.TS_TAILNET }}
        run: |
          ~/go/bin/gitops-pusher --policy-file ./policy.hujson test          

Change the value of the --policy-file flag to point to the policy file on disk. Policy files should be in HuJSON format.