docs/k8s: record the Tailscale device ID in a k8s annotation.

When a Tailscale pod comes up with k8s state storage, if it successfully
authenticates it records its device ID in the tailscale.com/device-id annotation
on the state secret.

Signed-off-by: David Anderson <danderson@tailscale.com>

Dockerfile

@@ -69,7 +69,7 @@ RUN GOARCH=$TARGETARCH go install -ldflags="\
       -v ./cmd/tailscale ./cmd/tailscaled
 
 FROM alpine:3.16
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables jq curl
 
 COPY --from=build-env /go/bin/* /usr/local/bin/
 COPY --from=build-env /go/src/tailscale/docs/k8s/run.sh /usr/local/bin/

Dockerfile.base

@@ -3,4 +3,4 @@
 # license that can be found in the LICENSE file.
 
 FROM alpine:3.16
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables jq curl

docs/k8s/run.sh

@@ -89,5 +89,22 @@ if [[ ! -z "${TS_DEST_IP}" ]]; then
   iptables -t nat -I PREROUTING -d "$(tailscale --socket=${TS_SOCKET} ip -4)" -j DNAT --to-destination "${TS_DEST_IP}"
 fi
 
+if [[ ! -z "${TS_KUBE_SECRET}" ]]; then
+	DEVICE_ID=$(tailscale --socket="${TS_SOCKET}" status --json | jq -r .Self.ID)
+	echo "Device ID is $DEVICE_ID"
+	NS=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
+	TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+	if ! curl -s -X PATCH \
+		 --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
+		 -H "Authorization: Bearer $TOKEN" \
+		 -H "Accept: application/json" \
+		 -H "Content-Type: application/strategic-merge-patch+json" \
+		 --data-raw "{\"data\":{\"device_id\": \"$DEVICE_ID\"}}" \
+		 "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/api/v1/namespaces/${NS}/secrets/${TS_KUBE_SECRET}?fieldManager=kubectl-patch" >/dev/null; then
+		echo "Failed to record Tailscale device ID"
+		exit 1
+	fi
+fi
+
 echo "Waiting for tailscaled to exit"
 wait ${PID}