setting tailscale's login-server with controlServerURL doesn't work as force-reauth is required with recent version of tailscale

[proof-llc]

Environmental Info:
K3s Version:
1.29 and 1.30

Cluster Configuration:
single server

Describe the bug:
setting tailscale's login-server with controlServerURL doesn't work as force-reauth is required with recent version of tailscale

Steps To Reproduce:
curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=v1.29 K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="server" sh -s - --disable=traefik --tls-san="node.example.com" --vpn-auth="name=tailscale,joinKey=asdfsadfasdfasdfsadfasdfsadfas,controlServerURL=https://example.com,forceReauth=true,extraArgs=--ssh" --node-external-ip=100.64.0.1

Expected behavior:
server should start

Actual behavior:
i get a message in the logs from tailscale that you can't run tailscale up and change login-server without --force-reauth.

[brandond]

Are you actually trying to change the control server, or have you had it set to this same URL the whole time?

If the tailscale CLI is making you force-reauth even when not actually changing the URL (ie when keeping it set to the same custom value), that seems like a bug in tailscale. Have you opened an issue there?

[proof-llc]

i figured out the issue after reading your comment - thank you! k3s runs tailscale commands on the node itself, not some k8s pod or something similar - given i already had a working tailscale client on the node, it would interfere with its config. one thing, i wonder is: what does the integration do on top of "tailscale login" - is it configuring --flannel-iface tailscale0 or os it something i still have to do?

[brandond]

k3s/pkg/agent/flannel/setup.go

Lines 41 to 45 in 2441e46

	tailscaledBackend = `{
	"Type": "extension",
	"PostStartupCommand": "tailscale set --accept-routes --advertise-routes=%Routes%",
	"ShutdownCommand": "tailscale down"
	}`

And everything around

k3s/pkg/vpn/vpn.go

Lines 131 to 151 in 2441e46

	// getTailscaleInfo returns the IPs of the interface
	func getTailscaleInfo() (VPNInfo, error) {
	output, err := util.ExecCommand("tailscale", []string{"status", "--json"})
	if err != nil {
	return VPNInfo{}, fmt.Errorf("failed to run tailscale status --json: %v", err)
	}
	logrus.Debugf("Output from tailscale status --json: %v", output)
	var tailscaleOutput TailscaleOutput
	err = json.Unmarshal([]byte(output), &tailscaleOutput)
	if err != nil {
	return VPNInfo{}, fmt.Errorf("failed to unmarshal tailscale output: %v", err)
	}
	// Errors are ignored because the interface might not have ipv4 or ipv6 addresses (that's the only possible error)
	ipv4Address, _ := util.GetFirst4String(tailscaleOutput.TailscaleIPs)
	ipv6Address, _ := util.GetFirst6String(tailscaleOutput.TailscaleIPs)
	return VPNInfo{IPv4Address: net.ParseIP(ipv4Address), IPv6Address: net.ParseIP(ipv6Address), NodeID: "", ProviderName: "tailscale", VPNInterface: tailscaleIf}, nil
	}