feat: wire DERPTLSConfig through CLI, SDK, tailnet, VPN, agent, and health checks (#24435)

Wire DERPTLSConfig through the CLI, SDK, tailnet, VPN client, agent, and
health checks to allow custom TLS configuration for DERP connections.
The main use case is to be able to set a custom CA and also present
client certs (mTLS). See https://github.com/coder/tailscale/pull/105 for
related changes.

Adds three new global CLI flags:
- `--client-tls-ca-file` / `CODER_CLIENT_TLS_CA_FILE`
- `--client-tls-cert-file` / `CODER_CLIENT_TLS_CERT_FILE`
- `--client-tls-key-file` / `CODER_CLIENT_TLS_KEY_FILE`

Based on community PR #22695 by @ibdafna, with autogeneration issues
fixed (protobuf version mismatches in .pb.go files, golden file
regeneration, lint fixes).

> [!NOTE]
> This PR was authored by Coder Agents on behalf of a Coder team member.

<details>
<summary>Relationship to #22695</summary>

This is a clean reimplementation of the changes from #22695 on top of
current `main`, with the following differences:
- **Removed**: Accidental protobuf version changes in `.pb.go` files
(contributor had `protoc v6.33.4` vs project's `protoc v4.23.4`)
- **Added**: Properly regenerated golden files and docs via `make gen`
- **Fixed**: Lint issue (`var-declaration` revive warning on explicit
type in `createHTTPClient`)
- All meaningful code changes are identical to the original PR
</details>

Author: Spike Curtis
Date: 2026-04-16 12:46:52 -04:00
Committed by: GitHub
Parent: 7270e01390
Commit: 4c1a32cd7c
12 changed files with 296 additions and 8 deletions
@@ -2,6 +2,7 @@ package tailnet
import (
"context"
"crypto/tls"
"encoding/binary"
"fmt"
"net"
@@ -92,6 +93,8 @@ type Options struct {
Addresses []netip.Prefix
DERPMap *tailcfg.DERPMap
DERPHeader *http.Header
// DERPTLSConfig is an optional TLS config for DERP connections.
DERPTLSConfig *tls.Config
// DERPForceWebSockets determines whether websockets is always used for DERP
// connections, rather than trying `Upgrade: derp` first and potentially
// falling back. This is useful for misbehaving proxies that prevent
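Review bot: the doc comment on `DERPTLSConfig` should state what happens when it is nil and that the `*tls.Config` is retained by reference rather than copied, since the neighbouring `DERPHeader` field is documented and handled differently (it is cloned in `NewConn`). Something like `// DERPTLSConfig is an optional TLS config for DERP connections. If nil, the default TLS settings are used.` would make the contract explicit for callers such as the CLI and agent that construct it from the new `--client-tls-*` flags.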
@@ -239,6 +242,9 @@ func NewConn(options *Options) (conn *Conn, err error) {
if options.DERPHeader != nil {
magicConn.SetDERPHeader(options.DERPHeader.Clone())
}
if options.DERPTLSConfig != nil {
magicConn.SetDERPTLSConfig(options.DERPTLSConfig)
}
if options.ForceNetworkUp {
magicConn.SetNetworkUp(true)
}
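Review bot: `DERPHeader` is cloned before being handed to `magicConn`, but `DERPTLSConfig` is passed through as-is, so a caller that keeps mutating its `*tls.Config` after `NewConn` returns (or shares it with another client) would affect live DERP dials. For consistency with the header handling, consider `magicConn.SetDERPTLSConfig(options.DERPTLSConfig.Clone())`; `tls.Config` provides a `Clone` method for exactly this purpose.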