tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	73c371f784	cmd/derper: permit port 80 in ACE targets Updates tailscale/corp#32168 Updates tailscale/corp#32226 Change-Id: Iddc017b060c76e6eab8f6d0c989a775bcaae3518 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Remy Guercio	9d661663f3	cmd/tsidp: update README with new repo location warning Fixes: #17170 Signed-off-by: Remy Guercio <remy@tailscale.com>	3 months ago
Brad Fitzpatrick	697098ed6c	ipn/ipnlocal: fix a case where ts_omit_ssh was still linking in x/crypto/ssh And add a test. Updates #12614 Change-Id: Icb1c77f5890def794a4938583725c1a0886b197d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Simon Law	6db30a10f7	cmd/tailscale: shrink QR codes using half blocks (#17084 ) When running `tailscale up --qr`, the QR code is rendered using two full blocks ██ to form a square pixel. This is a problem for people with smaller terminals, because the output is 37 lines high. All modern terminals support half block characters, like ▀ and ▄, which only takes 19 lines and can easily fit in a regular terminal window. For example, https://login.tailscale.com/a/0123456789 is now rendered: ``` user@host:~$ tailscale up --qr █████████████████████████████████████ █████████████████████████████████████ ████ ▄▄▄▄▄ █ ▀▀ █▄▀▀ ▄ █ ▄▄▄▄▄ ████ ████ █ █ █▀ ▄▄▄█▀█▄▀ ▄█ █ █ ████ ████ █▄▄▄█ ██▄ ▄▀▀▄▄ ▀▀ ▀█ █▄▄▄█ ████ ████▄▄▄▄▄▄▄█ ▀▄▀ █▄▀▄▀▄█ █▄▄▄▄▄▄▄████ ████▄█▄ ▀▄▄▄█▀▄█▀ ▀▄ ▄ ▀▀ ▀▀▄█▄ ████ ████▄▀▄▀▄█▄ █ ▄▄▄▄█▀██▀██▄▄█▀█▄▄▀████ ████▄█▀ ▀ ▄█▄▄▀▄▀█ ▄ ▄█▀█▄▀██▄ ▀▀████ █████▀ ▀ ▄▀▀▀▀▄▀▄▀▀ ▄▄ ▄ ▀ █▄ ▄████ ██████ ▄▄█▄▄▄▄▄▀ █ ▄▀▀▄█▀ █ ▄ ▀ █████ ████▄█▄▄ ▄▀ ▀██▀ ▄█▀▀████▄▀█ ██████ █████▄▄▄█▄▄▄▀▀ █▄▄▄▄▄ ▀█ ▄▄▄ ▀▀████ ████ ▄▄▄▄▄ █ ██▄ ▀ █▀█ ▄ █▄█ █▄█████ ████ █ █ █▀ █ ▀█▄▄ █▀ ▄ ▀▄▀▄████ ████ █▄▄▄█ █▄█▀█▄▀██▀██▄ ▀█▄▀▀▄▀▄████ ████▄▄▄▄▄▄▄█▄▄███▄▄▄███▄▄▄██▄██▄█████ █████████████████████████████████████ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ``` To render a QR code with full blocks, like we did in the past, use the new `--qr-format` flag: ``` user@host:~$ tailscale up --qr --qr-format=large ██████████████████████████████████████████████████████████████████████████ ██████████████████████████████████████████████████████████████████████████ ██████████████████████████████████████████████████████████████████████████ ██████████████████████████████████████████████████████████████████████████ ████████ ██ ████ ██ ████ ██ ████████ ████████ ██████████ ██ ████ ██ ██ ██████████ ████████ ████████ ██ ██ ████ ██████ ██ ██ ██ ██ ████████ ████████ ██ ██ ██ ████████ ████ ████ ██ ██ ████████ ████████ ██ ██ ████ ████ ████ ████ ██ ██ ████████ ████████ ██████████ ██████ ██ ████ ██ ██████████ ████████ ████████ ██ ██ ██ ██ ██ ██ ██ ██ ████████ ████████████████████████ ██ ████ ██ ████ ████████████████████████ ████████ ██ ██ ████ ████ ██ ████ ████ ██ ████████ ██████████████ ████████ ████ ██ ██ ██████ ████████ ████████ ██ ██ ██ ██ ██████████████ ██████ ██████████ ██████████ ██ ██████ ██ ██████████ ████ ██████████ ██████ ████████ ████████ ████ ██ ██ ██ ████ ██████ ██████ ████████████ ████████████ ████████ ██ ██ ██ ████ ████ ██████ ████████ ████████████ ██ ████████ ██ ████ ██ ██ ████████ ██████████ ██ ██ ██ ████ ██ ████ ██████████ ████████████ ██ ██ ██ ████ ████ ██ ██ ██████████ ████████████ ████████████████ ██ ██ ████ ██ ██ ██████████ ████████ ██ ██ ████████ ██████████████ ████ ████████████ ████████████████ ██ ████ ████ ██████████ ██ ████████████ ██████████ ██ ████ ██ ████ ████████████ ████████████████████████ ████████████ ██ ██████ ████████ ████████ ██ ████ ██ ██████ ██ ██ ██ ██████████ ████████ ██████████ ██ ██████ ██ ██ ██ ██████ ██████████████ ████████ ██ ██ ████ ██ ████ ████ ██ ██ ████████ ████████ ██ ██ ██ ██ ██████ ██ ██ ██ ██████████ ████████ ██ ██ ██ ██████ ████████████ ████ ████ ██ ████████ ████████ ██████████ ██████ ████ ████ ██████ ████ ██ ██████████ ████████ ██ ██████ ██████ ████ ████ ██████████ ██████████████████████████████████████████████████████████████████████████ ██████████████████████████████████████████████████████████████████████████ ██████████████████████████████████████████████████████████████████████████ ██████████████████████████████████████████████████████████████████████████ ``` Fixes #17083 Signed-off-by: Simon Law <sfllaw@tailscale.com>	3 months ago
Brad Fitzpatrick	e180fc267b	feature/featuretags, all: add ts_omit_acme to disable TLS cert support I'd started to do this in the earlier ts_omit_server PR but decided to split it into this separate PR. Updates #17128 Change-Id: Ief8823a78d1f7bbb79e64a5cab30a7d0a5d6ff4b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	99b3f69126	feature/portmapper: make the portmapper & its debugging tools modular Starting at a minimal binary and adding one feature back... tailscaled tailscale combined (linux/amd64) 30073135 17451704 31543692 omitting everything + 480302 + 10258 + 493896 .. add debugportmapper + 475317 + 151943 + 467660 .. add portmapper + 500086 + 162873 + 510511 .. add portmapper+debugportmapper Fixes #17148 Change-Id: I90bd0e9d1bd8cbe64fa2e885e9afef8fb5ee74b1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Claus Lensbøl	2015ce4081	health,ipn/ipnlocal: introduce eventbus in heath.Tracker (#17085 ) The Tracker was using direct callbacks to ipnlocal. This PR moves those to be triggered via the eventbus. Additionally, the eventbus is now closed on exit from tailscaled explicitly, and health is now a SubSystem in tsd. Updates #15160 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	3 months ago
Brad Fitzpatrick	4cca9f7c67	all: add ts_omit_serve, start making tailscale serve/funnel be modular tailscaled tailscale combined (linux/amd64) 29853147 17384418 31412596 omitting everything + 621570 + 219277 + 554256 .. add serve Updates #17128 Change-Id: I87c2c6c3d3fc2dc026c3de8ef7000a813b41d31c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	09dfd94613	cmd/omitsize: fix the --features flag When you say --features=foo,bar, that was supposed to mean to only show features "foo" and "bar" in the table. But it was also being used as the set of all features that are omittable, which was wrong, leading to misleading numbers when --features was non-empty. Updates #12614 Change-Id: Idad2fa67fb49c39454032e84a3dede967890fdf5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	17ffa80138	feature/featuretags: add auto-generated constants for all modular features So code (in upcoming PRs) can test for the build tags with consts and get dead code elimination from the compiler+linker. Updates #12614 Change-Id: If6160453ffd01b798f09894141e7631a93385941 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
David Bond	782c16c513	k8s-operator: reset service status before append (#17120 ) This commit fixes an issue within the service reconciler where we end up in a constant reconciliation loop. When reconciling, the loadbalancer status is appended to but not reset between each reconciliation, leading to an ever growing slice of duplicate statuses. Fixes https://github.com/tailscale/tailscale/issues/17105 Fixes https://github.com/tailscale/tailscale/issues/17107 Signed-off-by: David Bond <davidsbond93@gmail.com>	3 months ago
Brad Fitzpatrick	7d2101f352	cmd/omitsize: add flag to disable the removal table And remove a bogus omit feature from feature/featuretags. Updates #12614 Change-Id: I0a08183fb75c73ae75b6fd4216d134e352dcf5a0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	0cc1b2ff76	cmd/derper: add start of ACE support Updates tailscale/corp#32168 Updates tailscale/corp#32226 Change-Id: Ia46abcaa09dcfd53bf8d4699909537bacf84d57a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	3a49b7464c	all: add ts_omit_tailnetlock as a start of making it build-time modular Updates #17115 Change-Id: I6b083c0db4c4d359e49eb129d626b7f128f0a9d2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	0e3d942e39	feature/featuretags: move list of omit-able features to a Go package Updates #12614 Change-Id: I4012c33095c6a7ccf80ad36dbab5cedbae5b3d47 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	a1dcf12b67	feature/drive: start factoring out Taildrive, add ts_omit_drive build tag As of this commit (per the issue), the Taildrive code remains where it was, but in new files that are protected by the new ts_omit_drive build tag. Future commits will move it. Updates #17058 Change-Id: Idf0a51db59e41ae8da6ea2b11d238aefc48b219e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	921d77062e	cmd/omitsize: add tool to dump build sizes Updates #12614 Change-Id: I8f85d7275bc8eecedbabe6631b50e1cf70791d2d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Tom Proctor	1ec3d20d10	cmd/k8s-operator: simplify scope of e2e tests (#17076 ) Removes ACL edits from e2e tests in favour of trying to simplify the tests and separate the actual test logic from the environment setup logic as much as possible. Also aims to fit in with the requirements that will generally be filled anyway for most devs working on the operator; in particular using tags that fit in with our documentation. Updates tailscale/corp#32085 Change-Id: I7659246e39ec0b7bcc4ec0a00c6310f25fe6fac2 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	3 months ago
nikiUppal-TS	88d7db33da	cmd/tailscale: use tailnet display name on cli (#17079 ) Updates cli to use tailnet display name Updates tailscale/corp#32108 Signed-off-by: nikiUppal-TS <nikita@tailscale.com>	3 months ago
Brad Fitzpatrick	f1ded84454	cmd/tailscaled: add disabled debug file to force reflect for binary size experiments This adds a file that's not compiled by default that exists just to make it easier to do binary size checks, probing what a binary would be like if it included reflect methods (as used by html/template, etc). As an example, once tailscaled uses reflect.Type.MethodByName(non-const-string) anywhere, the build jumps up by 14.5 MB: $ GOOS=linux GOARCH=amd64 ./tool/go build -tags=ts_include_cli,ts_omit_webclient,ts_omit_systray,ts_omit_debugeventbus -o before ./cmd/tailscaled $ GOOS=linux GOARCH=amd64 ./tool/go build -tags=ts_include_cli,ts_omit_webclient,ts_omit_systray,ts_omit_debugeventbus,ts_debug_forcereflect -o after ./cmd/tailscaled $ ls -l before after -rwxr-xr-x@ 1 bradfitz staff 41011861 Sep 9 07:28 before -rwxr-xr-x@ 1 bradfitz staff 55610948 Sep 9 07:29 after This is particularly pronounced with large deps like the AWS SDK. If you compare using ts_omit_aws: -rwxr-xr-x@ 1 bradfitz staff 38284771 Sep 9 07:40 no-aws-no-reflect -rwxr-xr-x@ 1 bradfitz staff 45546491 Sep 9 07:41 no-aws-with-reflect That means adding AWS to a non-reflect binary adds 2.7 MB but adding AWS to a reflect binary adds 10 MB. Updates #17063 Updates #12614 Change-Id: I18e9b77c9cf33565ce5bba65ac5584fa9433f7fb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Alex Chan	f4ae81e015	tsnet: remove APIClient() which is deprecated and now unused (#17073 ) Updates tailscale/corp#22748 Signed-off-by: Alex Chan <alexc@tailscale.com>	3 months ago
Brad Fitzpatrick	3e4b0c1516	cmd/tailscale, ipn/ipnlocal: add ts_omit_webclient Fixes #17063 Updates #12614 Change-Id: I0a189f6a4d1c4558351e3195839867725774fa96 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Alex Chan	71cb6d4cbd	cmd/tailscale/cli, derp: use client/local instead of deprecated client/tailscale (#17061 ) * cmd/tailscale/cli: use client/local instead of deprecated client/tailscale Updates tailscale/corp#22748 Signed-off-by: Alex Chan <alexc@tailscale.com> * derp: use client/local instead of deprecated client/tailscale Updates tailscale/corp#22748 Signed-off-by: Alex Chan <alexc@tailscale.com> --------- Signed-off-by: Alex Chan <alexc@tailscale.com>	3 months ago
Alex Chan	ff8900583c	cmd/tailscale/cli: fix the spelling of "routes" (#17039 ) Updates #cleanup Signed-off-by: Alex Chan <alexc@tailscale.com>	3 months ago
Mike O'Driscoll	23297da10d	cmd/tailscale/cli: add new line for set --webclient (#17043 ) Fixes #17042 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	3 months ago
David Bond	624cdd2961	cmd/containerboot: do not reset state on non-existant secret (#17021 ) This commit modifies containerboot's state reset process to handle the state secret not existing. During other parts of the boot process we gracefully handle the state secret not being created yet, but missed that check within `resetContainerbootState` Fixes https://github.com/tailscale/tailscale/issues/16804 Signed-off-by: David Bond <davidsbond93@gmail.com>	3 months ago
David Bond	04f00339b6	cmd/k8s-operator: update connector example (#17020 ) This commit modifies the connector example to use the new hostname prefix and replicas fields Signed-off-by: David Bond <davidsbond93@gmail.com>	3 months ago
Brad Fitzpatrick	21f21bd2a2	util/syspolicy: finish adding ts_omit_syspolicy build tags, tests Fixes #16998 Updates #12614 Change-Id: Idf2b1657898111df4be31f356091b2376d0d7f0b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	2b3e533048	util/syspolicy: finish plumbing policyclient, add feature/syspolicy, move global impl This is step 4 of making syspolicy a build-time feature. This adds a policyclient.Get() accessor to return the correct implementation to use: either the real one, or the no-op one. (A third type, a static one for testing, also exists, so in general a policyclient.Client should be plumbed around and not always fetched via policyclient.Get whenever possible, especially if tests need to use alternate syspolicy) Updates #16998 Updates #12614 Change-Id: Iaf19670744a596d5918acfa744f5db4564272978 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	2434bc69fc	util/syspolicy/{setting,ptype}: move PreferenceOption and Visibility to new leaf package Step 3 in the series. See earlier `cc532efc20` and `d05e6dc09e`. This step moves some types into a new leaf "ptype" package out of the big "settings" package. The policyclient.Client will later get new methods to return those things (as well as Duration and Uint64, which weren't done at the time of the earlier prototype). Updates #16998 Updates #12614 Change-Id: I4d72d8079de3b5351ed602eaa72863372bd474a2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Percy Wegmann	42a215e12a	cmd/tailscale/cli: prompt for y/n when attempting risky action Previously, when attempting a risky action, the CLI printed a 5 second countdown saying "Continuing in 5 seconds...". When the countdown finished, the CLI aborted rather than continuing. To avoid confusion, but also avoid accidentally continuing if someone (or an automated process) fails to manually abort within the countdown, we now explicitly prompt for a y/n response on whether or not to continue. Updates #15445 Co-authored-by: Kot C <kot@kot.pink> Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Brad Fitzpatrick	61d3693e61	cmd/tailscale/cli: add a debug command to force a risky action For testing risky action flows. Updates #15445 Change-Id: Id81e54678a1fe5ccedb5dd9c6542ff48c162b349 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
David Bond	12ad630128	cmd/k8s-operator: allow specifying replicas for connectors (#16721 ) This commit adds a `replicas` field to the `Connector` custom resource that allows users to specify the number of desired replicas deployed for their connectors. This allows users to deploy exit nodes, subnet routers and app connectors in a highly available fashion. Fixes #14020 Signed-off-by: David Bond <davidsbond93@gmail.com>	3 months ago
Brad Fitzpatrick	d05e6dc09e	util/syspolicy/policyclient: add policyclient.Client interface, start plumbing This is step 2 of ~4, breaking up #14720 into reviewable chunks, with the aim to make syspolicy be a build-time configurable feature. Step 1 was #16984. In this second step, the util/syspolicy/policyclient package is added with the policyclient.Client interface. This is the interface that's always present (regardless of build tags), and is what code around the tree uses to ask syspolicy/MDM questions. There are two implementations of policyclient.Client for now: 1) NoPolicyClient, which only returns default values. 2) the unexported, temporary 'globalSyspolicy', which is implemented in terms of the global functions we wish to later eliminate. This then starts to plumb around the policyclient.Client to most callers. Future changes will plumb it more. When the last of the global func callers are gone, then we can unexport the global functions and make a proper policyclient.Client type and constructor in the syspolicy package, removing the globalSyspolicy impl out of tsd. The final change will sprinkle build tags in a few more places and lock it in with dependency tests to make sure the dependencies don't later creep back in. Updates #16998 Updates #12614 Change-Id: Ib2c93d15c15c1f2b981464099177cd492d50391c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	cc532efc20	util/syspolicy/*: move syspolicy keys to new const leaf "pkey" package This is step 1 of ~3, breaking up #14720 into reviewable chunks, with the aim to make syspolicy be a build-time configurable feature. In this first (very noisy) step, all the syspolicy string key constants move to a new constant-only (code-free) package. This will make future steps more reviewable, without this movement noise. There are no code or behavior changes here. The future steps of this series can be seen in #14720: removing global funcs from syspolicy resolution and using an interface that's plumbed around instead. Then adding build tags. Updates #12614 Change-Id: If73bf2c28b9c9b1a408fe868b0b6a25b03eeabd1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Remy Guercio	89fe2e1f12	cmd/tsidp: add allow-insecure-no-client-registration and JSON file migration (#16881 ) Add a ternary flag that unless set explicitly to false keeps the insecure behavior of TSIDP. If the flag is false, add functionality on startup to migrate oidc-funnel-clients.json to oauth-clients.json if it doesn’t exist. If the flag is false, modify endpoints to behave similarly regardless of funnel, tailnet, or localhost. They will all verify client ID & secret when appropriate per RFC 6749. The authorize endpoint will no longer change based on funnel status or nodeID. Add extra tests verifying TSIDP endpoints behave as expected with the new flag. Safely create the redirect URL from what's passed into the authorize endpoint. Fixes #16880 Signed-off-by: Remy Guercio <remy@tailscale.com>	3 months ago
Joe Tsai	3aea0e095a	syncs: delete WaitGroup and use sync.WaitGroup.Go in Go 1.25 Our own WaitGroup wrapper type was a prototype implementation for the Go method on the standard sync.WaitGroup type. Now that there is first-class support for Go, we should migrate over to using it and delete syncs.WaitGroup. Updates #cleanup Updates tailscale/tailscale#16330 Change-Id: Ib52b10f9847341ce29b4ca0da927dc9321691235 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	3 months ago
James Tucker	f5d3c59a92	wgengine/magicsock: shorten process internal DERP queue DERP writes go via TCP and the host OS will have plenty of buffer space. We've observed in the wild with a backed up TCP socket kernel side buffers of >2.4MB. The DERP internal queue being larger causes an increase in the probability that the contents of the backbuffer are "dead letters" - packets that were assumed to be lost. A first step to improvement is to size this queue only large enough to avoid some of the initial connect stall problem, but not large enough that it is contributing in a substantial way to buffer bloat / dead-letter retention. Updates tailscale/corp#31762 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
James Tucker	d42f0b6a21	util/ringbuffer: rename to ringlog I need a ringbuffer in the more traditional sense, one that has a notion of item removal as well as tail loss on overrun. This implementation is really a clearable log window, and is used as such where it is used. Updates #cleanup Updates tailscale/corp#31762 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
Maisem Ali	882b05fff9	cmd/viewer: add field comments to generated view methods Extract field comments from AST and include them in generated view methods. Comments are preserved from the original struct fields to provide documentation for the view accessors. Fixes #16958 Signed-off-by: Maisem Ali <3953239+maisem@users.noreply.github.com>	3 months ago
Patrick O'Doherty	c5429cd49c	go.toolchain.branch: bump to go1.25 (#16954 ) go.toolchain.rev: bump go1.25 version flake.nix: bump Go to 1.25 Updates #16330 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	3 months ago
Aaron Klotz	b5f834aef8	cmd/tailscaled: add Dnscache as a service dependency Updates https://github.com/tailscale/corp/issues/30961 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	3 months ago
Claus Lensbøl	fafb514538	client/systray: go back to using upstream library (#16938 ) We had a fix in a local branch, but upstream has merged it now. Updates #1708 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	3 months ago
Kot C	4236a759f3	cmd/tsidp: Add Docker image to README (#16915 ) Signed-off-by: Kot C <kot@kot.pink>	3 months ago
Need-an-AwP	b558f81a82	fix: invalid memory address or nil pointer dereference (#16922 ) Signed-off-by: Need-an-AwP <113933967+Need-an-AwP@users.noreply.github.com>	3 months ago
Tom Proctor	3eeecb4c7f	cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode (#16919 ) The serve code leaves it up to the system's DNS resolver and netstack to figure out how to reach the proxy destination. Combined with k8s-proxy running in userspace mode, this means we can't rely on MagicDNS being available or tailnet IPs being routable. I'd like to implement that as a feature for serve in userspace mode, but for now the safer fix to get kube-apiserver ProxyGroups consistently working in all environments is to switch to using localhost as the proxy target instead. This has a small knock-on in the code that does WhoIs lookups, which now needs to check the X-Forwarded-For header that serve populates to get the correct tailnet IP to look up, because the request's remote address will be loopback. Fixes #16920 Change-Id: I869ddcaf93102da50e66071bb00114cc1acc1288 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	3 months ago
Jordan Whited	b17cfe4aed	wgengine/magicsock,net/sockopts: export Windows ICMP suppression logic (#16917 ) For eventual use by net/udprelay.Server. Updates tailscale/corp#31506 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 months ago
Jordan Whited	cf739256ca	net/udprelay: increase socket buffer size (#16910 ) This increases throughput over long fat networks, and in the presence of crypto/syscall-induced delay. Updates tailscale/corp#31164 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 months ago
Mike O'Driscoll	e296a6be8d	cmd/tsidp: update oidc-funnel-clients.json store path (#16845 ) Update odic-funnel-clients.json to take a path, this allows setting the location of the file and prevents it from landing in the root directory or users home directory. Move setting of rootPath until after tsnet has started. Previously this was added for the lazy creation of the oidc-key.json. It's now needed earlier in the flow. Updates #16734 Fixes #16844 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	3 months ago
Jordan Whited	641a90ea33	net/sockopts,wgengine/magicsock: export socket buffer sizing logic (#16909 ) For eventual use by net/udprelay.Server Updates tailscale/corp#31164 Signed-off-by: Jordan Whited <jordan@tailscale.com>	3 months ago
Fran Bull	b48d2de6ab	cmd/natc,tsconsensus: add cluster config admin Add the ability for operators of natc in consensus mode to remove servers from the raft cluster config, without losing other state. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	4 months ago
Fran Bull	d986baa18f	tsconsensus,cmd/natc: add 'follower only' bootstrap option Currently consensus has a bootstrap routine where a tsnet node tries to join each other node with the cluster tag, and if it is not able to join any other node it starts its own cluster. That algorithm is racy, and can result in split brain (more than one leader/cluster) if all the nodes for a cluster are started at the same time. Add a FollowOnly argument to the bootstrap function. If provided this tsnet node will never lead, it will try (and retry with exponential back off) to follow any node it can contact. Add a --follow-only flag to cmd/natc that uses this new tsconsensus functionality. Also slightly reorganize some arguments into opts structs. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	4 months ago
Jordan Whited	d4b7200129	net/udprelay: use batching.Conn (#16866 ) This significantly improves throughput of a peer relay server on Linux. Server.packetReadLoop no longer passes sockets down the stack. Instead, packet handling methods return a netip.AddrPort and []byte, which packetReadLoop gathers together for eventual batched writes on the appropriate socket(s). Updates tailscale/corp#31164 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Mike O'Driscoll	6d45663dd4	cmd/derpprobe,prober: add run all probes handler (#16875 ) Add a Run all probes handler that executes all probes except those that are continuous or the derpmap probe. This is leveraged by other tooling to confirm DERP stability after a deploy. Updates tailscale/corp#27370 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	4 months ago
Percy Wegmann	192fa6f05d	{cmd/dist,release/dist}: add support for intermediary QNAP signing certificates Updates #23528 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Joe Tsai	fbb91758ac	cmd/viewer, types/views: implement support for json/v2 (#16852 ) This adds support for having every viewer type implement jsonv2.MarshalerTo and jsonv2.UnmarshalerFrom. This provides a significant boost in performance as the json package no longer needs to validate the entirety of the JSON value outputted by MarshalJSON, nor does it need to identify the boundaries of a JSON value in order to call UnmarshalJSON. For deeply nested and recursive MarshalJSON or UnmarshalJSON calls, this can improve runtime from O(N²) to O(N). This still references "github.com/go-json-experiment/json" instead of the experimental "encoding/json/v2" package now available in Go 1.25 under goexperiment.jsonv2 so that code still builds without the experiment tag. Of note, the "github.com/go-json-experiment/json" package aliases the standard library under the right build conditions. Updates tailscale/corp#791 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	4 months ago
Jordan Whited	16bc0a5558	net/{batching,packet},wgengine/magicsock: export batchingConn (#16848 ) For eventual use by net/udprelay.Server. Updates tailscale/corp#31164 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Andrew Lytvynov	f22c7657e5	cmd/tailscale: add --json-docs flag (#16851 ) This prints all command and flag docs as JSON. To be used for generating the contents of https://tailscale.com/kb/1080/cli. Updates https://github.com/tailscale/tailscale-www/issues/4722 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	4 months ago
M. J. Fromberger	ee0c7b05a5	cmd/tailscale: fix a panic in netcheck portmapper construction (#16843 ) This affects the 1.87.33 unstable release. Updates #16842 Updates #15160 Change-Id: Ie6d1b2c094d1a6059fbd1023760567900f06e0ad Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	4 months ago
Claus Lensbøl	5297dc3baf	cmd/tailscale/cli: move systray configuration to tailscale configure (#16817 ) Updates #1708 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	4 months ago
Claus Lensbøl	3fe022877a	client/systray: temporarily replace systray module (#16807 ) We are waiting for a PR to be reviewed upstream. https://github.com/fyne-io/systray/pull/100 Updates #1708 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	4 months ago
Claus Lensbøl	89954fbceb	client/systray: add startup script generator for systemd (#16801 ) Updates #1708 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	4 months ago
Andrew Lytvynov	f80ea92030	.github/workflows: enforce github action version pinning (#16768 ) Use https://github.com/stacklok/frizbee via the new `go tool` support from Go 1.24. Updates https://github.com/tailscale/corp/issues/31017 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	4 months ago
Will Norris	9f29c428f4	client/systray: allow specifying tailscaled socket Pass a local.Client to systray.Run, so we can use the existing global localClient in the cmd/tailscale CLI. Add socket flag to cmd/systray. Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	4 months ago
Claus Lensbøl	5bb42e3018	wgengine/router: rely on events for deleted IP rules (#16744 ) Adds the eventbus to the router subsystem. The event is currently only used on linux. Also includes facilities to inject events into the bus. Updates #15160 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	4 months ago
Will Norris	834630fedf	cmd/tailscale: add systray subcommand on Linux builds This will start including the sytray app in unstable builds for Linux, unless the `ts_omit_systray` build flag is specified. If we decide not to include it in the v1.88 release, we can pull it back out or restrict it to unstable builds. Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	4 months ago
Lee Briggs	f2fd7a0514	cmd/k8s-operator,k8s-operator: allow setting a `priorityClassName` (#16685 ) * cmd/k8s-operator,k8s-operator: allow setting a `priorityClassName` Fixes #16682 Signed-off-by: Lee Briggs <lee@leebriggs.co.uk> * Update k8s-operator/apis/v1alpha1/types_proxyclass.go Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com> Signed-off-by: Lee Briggs <jaxxstorm@users.noreply.github.com> * run make kube-generate-all Change-Id: I5f8f16694fdc181b048217b9f05ec2ee2aa04def Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com> --------- Signed-off-by: Lee Briggs <lee@leebriggs.co.uk> Signed-off-by: Lee Briggs <jaxxstorm@users.noreply.github.com> Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com> Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>	4 months ago
Mike O'Driscoll	47b5f10165	cmd/tsidp,tsnet: update tsidp oidc-key store path (#16735 ) The tsidp oidc-key.json ended up in the root directory or home dir of the user process running it. Update this to store it in a known location respecting the TS_STATE_DIR and flagDir options. Fixes #16734 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	4 months ago
KevinLiang10	e37432afb7	cmd/tailscale/cli: update message for disable service (#16705 ) This commit update the message for recommanding clear command after running serve for service. Instead of a flag, we pass the service name as a parameter. Fixes tailscale/corp#30846 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	4 months ago
Raj Singh	e300a00058	cmd/k8s-operator: Enhance DNS record handling for ProxyGroup egress services (#16181 ) This update introduces support for DNS records associated with ProxyGroup egress services, ensuring that the ClusterIP Service IP is used instead of Pod IPs. Fixes #15945 Signed-off-by: Raj Singh <raj@tailscale.com>	4 months ago
Aaron Klotz	bfebf870ae	cmd/tailscaled: update installSystemDaemonWindows to set the correct system service depndencies Fixes #16658 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	4 months ago
Danni Popova	c572442548	cmd/tailscale: allow SSH to IPs or DNS names without MagicDNS (#16591 ) fixes #16381 Signed-off-by: Danni Popova <danni@tailscale.com>	4 months ago
Nick Khyl	c87f44b687	cmd/tailscale/cli: use DNS name instead of Location to hide Mullvad exit nodes from status output Previously, we used a non-nil Location as an indicator that a peer is a Mullvad exit node. However, this is not, or no longer, reliable, since regular exit nodes may also have a non-nil Location, such as when traffic steering is enabled for a tailnet. In this PR, we update the plaintext `tailscale status` output to omit only Mullvad exit nodes, rather than all exit nodes with a non-nil Location. The JSON output remains unchanged and continues to include all peers. Updates tailscale/corp#30614 Signed-off-by: Nick Khyl <nickk@tailscale.com>	4 months ago
KevinLiang10	1ae6a97a73	cmd/tailscale/cli: add advertise command to advertise a node as service proxy to tailnet (#16620 ) This commit adds a advertise subcommand for tailscale serve, that would declare the node as a service proxy for a service. This command only adds the service to node's list of advertised service, but doesn't modify the list of services currently advertised. Fixes tailscale/corp#28016 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	4 months ago
KevinLiang10	19faaff95c	cmd/tailscale/cli: revert key for web config for services to FQDN (#16627 ) This commit reverts the key of Web field in ipn.ServiceConfig to use FQDN instead of service name for the host part of HostPort. This change is because k8s operator already build base on the assumption of the part being FQDN. We don't want to break the code with dependency. Fixes tailscale/corp#30695 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	4 months ago
David Bond	4494705496	cmd/{k8s-proxy,containerboot,k8s-operator},kube: add health check and metrics endpoints for k8s-proxy (#16540 ) * Modifies the k8s-proxy to expose health check and metrics endpoints on the Pod's IP. * Moves cmd/containerboot/healthz.go and cmd/containerboot/metrics.go to /kube to be shared with /k8s-proxy. Updates #13358 Signed-off-by: David Bond <davidsbond93@gmail.com>	4 months ago
Tom Proctor	22a8e0ac50	cmd/{k8s-operator,k8s-proxy},kube: use consistent type for auth mode config (#16626 ) Updates k8s-proxy's config so its auth mode config matches that we set in kube-apiserver ProxyGroups for consistency. Updates #13358 Change-Id: I95e29cec6ded2dc7c6d2d03f968a25c822bc0e01 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	4 months ago
Tom Proctor	6f7e78b10f	cmd/tailscale/cli: make configure kubeconfig accept Tailscale Services (#16601 ) The Kubernetes API server proxy is getting the ability to serve on a Tailscale Service instead of individual node names. Update the configure kubeconfig sub-command to accept arguments that look like a Tailscale Service. Note, we can't know for sure whether a peer is advertising a Tailscale Service, we can only guess based on the ExtraRecords in the netmap and that IP showing up in a peer's AllowedIPs. Also adds an --http flag to allow targeting individual proxies that can be adverting on http for their node name, and makes the command a bit more forgiving on the range of inputs it accepts and how eager it is to print the help text when the input is obviously wrong. Updates #13358 Change-Id: Ica0509c6b2c707252a43d7c18b530ec1acf7508f Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	4 months ago
David Bond	c989824aac	cmd/k8s-operator: Allow specifying cluster ips for nameservers (#16477 ) This commit modifies the kubernetes operator's `DNSConfig` resource with the addition of a new field at `nameserver.service.clusterIP`. This field allows users to specify a static in-cluster IP address of the nameserver when deployed. Fixes #14305 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
Tom Proctor	f421907c38	all-kube: create Tailscale Service for HA kube-apiserver ProxyGroup (#16572 ) Adds a new reconciler for ProxyGroups of type kube-apiserver that will provision a Tailscale Service for each replica to advertise. Adds two new condition types to the ProxyGroup, TailscaleServiceValid and TailscaleServiceConfigured, to post updates on the state of that reconciler in a way that's consistent with the service-pg reconciler. The created Tailscale Service name is configurable via a new ProxyGroup field spec.kubeAPISserver.ServiceName, which expects a string of the form "svc:<dns-label>". Lots of supporting changes were needed to implement this in a way that's consistent with other operator workflows, including: * Pulled containerboot's ensureServicesUnadvertised and certManager into kube/ libraries to be shared with k8s-proxy. Use those in k8s-proxy to aid Service cert sharing between replicas and graceful Service shutdown. * For certManager, add an initial wait to the cert loop to wait until the domain appears in the devices's netmap to avoid a guaranteed error on the first issue attempt when it's quick to start. * Made several methods in ingress-for-pg.go and svc-for-pg.go into functions to share with the new reconciler * Added a Resource struct to the owner refs stored in Tailscale Service annotations to be able to distinguish between Ingress- and ProxyGroup- based Services that need cleaning up in the Tailscale API. * Added a ListVIPServices method to the internal tailscale client to aid cleaning up orphaned Services * Support for reading config from a kube Secret, and partial support for config reloading, to prevent us having to force Pod restarts when config changes. * Fixed up the zap logger so it's possible to set debug log level. Updates #13358 Change-Id: Ia9607441157dd91fb9b6ecbc318eecbef446e116 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
KevinLiang10	5adde9e3f3	cmd/tailscale/cli: remove advertise command (#16592 ) This commit removes the advertise command for service. The advertising is now embedded into serve command and unadvertising is moved to drain subcommand Fixes tailscale/corp#22954 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	5 months ago
KevinLiang10	e01618a7c4	cmd/tailscale/cli: Add clear subcommand for serve services (#16509 ) * cmd/tailscale/cli: add clear subcommand for serve services This commit adds a clear subcommand for serve command, to remove all config for a passed service. This is a short cut for user to remove services after they drain a service. As an indipendent command it would avoid accidently remove a service on typo. Updates tailscale/corp#22954 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * update regarding comments Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * log when clearing a non-existing service but not error Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> --------- Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	5 months ago
KevinLiang10	871f73d992	Kevin/add drain sub command for serve services (#16502 ) * cmd/tailscale/cli: add drain subCommand for serve This commit adds the drain subcommand for serving services. After we merge advertise and serve service as one step, we now need a way to unadvertise service and this is it. Updates tailscale/corp#22954 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * move runServeDrain and some update regarding pr comments Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * some code structure change Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> --------- Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	5 months ago
Claus Lensbøl	d334d9ba07	client/local,cmd/tailscale/cli,ipn/localapi: expose eventbus graph (#16597 ) Make it possible to dump the eventbus graph as JSON or DOT to both debug and document what is communicated via the bus. Updates #15160 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	5 months ago
KevinLiang10	e7238efafa	cmd/tailscale/cli: Add service flag to serve command (#16191 ) * cmd/tailscale/cli: Add service flag to serve command This commit adds the service flag to serve command which allows serving a service and add the service to the advertisedServices field in prefs (What advertise command does that will be removed later). When adding proxies, TCP proxies and WEB proxies work the same way as normal serve, just under a different DNSname. There is a services specific L3 serving mode called Tun, can be set via --tun flag. Serving a service is always in --bg mode. If --bg is explicitly set t o false, an error message will be sent out. The restriction on proxy target being localhost or 127.0.0.1 also applies to services. When removing proxies, TCP proxies can be removed with type and port flag and off argument. Web proxies can be removed with type, port, setPath flag and off argument. To align with normal serve, when setPath is not set, all handler under the hostport will be removed. When flags are not set but off argument was passed by user, it will be a noop. Removing all config for a service will be available later with a new subcommand clear. Updates tailscale/corp#22954 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: fix ai comments and fix a test Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: Add a test for addServiceToPrefs Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: fix comment Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * add dnsName in error message Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * change the cli input flag variable type Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * replace FindServiceConfig with map lookup Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * some code simplification and add asServiceName This commit cotains code simplification for IsServingHTTPS, SetWebHandler, SetTCPForwarding Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * replace IsServiceName with tailcfg.AsServiceName Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * replace all assemble of host name for service with strings.Join Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: adjust parameter order and update output message This commit updates the parameter order for IsTCPForwardingOnPort and SetWebHandler. Also updated the message msgServiceIPNotAssigned to msgServiceWaitingApproval to adapt to latest terminologies around services. Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: flip bool condition This commit fixes a previous bug added that throws error when serve funnel without service. It should've been the opposite, which throws error when serve funnel with service. Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: change parameter of IsTCPForwardingOnPort This commit changes the dnsName string parameter for IsTCPForwardingOnPort to svcName tailcfg.ServiceName. This change is made to reduce ambiguity when a single service might have different dnsNames Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * ipn/ipnlocal: replace the key to webHandler for services This commit changes the way we get the webhandler for vipServices. It used to use the host name from request to find the webHandler, now everything targeting the vipService IP have the same set of handlers. This commit also stores service:port instead of FQDN:port as the key in serviceConfig for Web map. Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: Updated use of service name. This commit removes serviceName.IsEmpty and use direct comparison to instead. In legacy code, when an empty service name needs to be passed, a new constant noService is passed. Removed redundant code for checking service name validity and string method for serviceNameFlag. Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: Update bgBoolFlag This commit update field name, set and string method of bgBoolFlag to make code cleaner. Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: remove isDefaultService output from srvTypeAndPortFromFlags This commit removes the isDefaultService out put as it's no longer needed. Also deleted redundant code. Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: remove unnessesary variable declare in messageForPort Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * replace bool output for AsServiceName with err Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: Replace DNSName with NoService if DNSname only used to identify service This commit moves noService constant to tailcfg, updates AsServiceName to return tailcfg.NoService if the input is not a valid service name. This commit also removes using the local DNSName as scvName parameter. When a function is only using DNSName to identify if it's working with a service, the input in replaced with svcName and expect caller to pass tailcfg.NoService if it's a local serve. This commit also replaces some use of Sprintf with net.JoinHostPort for ipn.HostPort creation. Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: Remove the returned error for AsServiceName Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * apply suggested code and comment Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * replace local dnsName in test with tailcfg.NoService Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: move noService back and use else where The constant serves the purpose of provide readability for passing as a function parameter. It's more meaningful comparing to a . It can just be an empty string in other places. Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * ipn: Make WebHandlerExists and RemoveTCPForwarding accept svcName This commit replaces two functions' string input with svcName input since they only use the dnsName to identify service. Also did some minor cleanups Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> --------- Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	5 months ago
Jordan Whited	3c6d17e6f1	cmd/tailscale/cli,ipn/ipnlocal,wgengine/magicsock: implement tailscale debug peer-relay-servers (#16577 ) Updates tailscale/corp#30036 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Tom Meadows	fe46f33885	cmd/{k8s-operator,k8s-proxy},kube/k8s-proxy: add static endpoints for kube-apiserver type ProxyGroups (#16523 ) Updates #13358 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	5 months ago
Simon Law	f23e4279c4	types/lazy: add lazy.GMap: a map of lazily computed GValues (#16532 ) Fixes tailscale/corp#30360 Signed-off-by: Simon Law <sfllaw@tailscale.com>	5 months ago
Andrew Lytvynov	39bf84d1c7	cmd/tsidp: set hostinfo.App in tsnet mode (#16544 ) This makes it easier to track how widely tsidp is used in practice. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Brad Fitzpatrick	30da2e1c32	cmd/tailscale/cli: add "configure jetkvm" subcommand To write the init script. And fix the JetKVM detection to work during early boot while the filesystem and modules are still being loaded; it wasn't being detected on early boot and then tailscaled was failing to start because it didn't know it was on JetKVM and didn't modprobe tun. Updates #16524 Change-Id: I0524ca3abd7ace68a69af96aab4175d32c07e116 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	5 months ago
Dylan Bargatze	fed72e2aa9	cmd/tailscale, ipn/ipnstate, wgengine/magicsock: update ping output for peer relay (#16515 ) Updates the output for "tailscale ping" to indicate if a peer relay was traversed, just like the output for DERP or direct connections. Fixes tailscale/corp#30034 Signed-off-by: Dylan Bargatze <dylan@tailscale.com>	5 months ago
Brad Fitzpatrick	fbc6a9ec5a	all: detect JetKVM and specialize a handful of things for it Updates #16524 Change-Id: I183428de8c65d7155d82979d2d33f031c22e3331 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	5 months ago
David Bond	d0cafc0a67	cmd/{k8s-operator,k8s-proxy}: apply accept-routes configuration to k8s-proxy (#16522 ) This commit modifies the k8s-operator and k8s-proxy to support passing down the accept-routes configuration from the proxy class as a configuration value read and used by the k8s-proxy when ran as a distinct container managed by the operator. Updates #13358 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
David Bond	2b665c370c	cmd/{k8s-operator,k8s-proxy}: allow setting login server url (#16504 ) This commit modifies the k8s proxy application configuration to include a new field named `ServerURL` which, when set, modifies the tailscale coordination server used by the proxy. This works in the same way as the operator and the proxies it deploys. If unset, the default coordination server is used. Updates https://github.com/tailscale/tailscale/issues/13358 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
David Bond	cf0460b9da	cmd/k8s-operator: allow letsencrypt staging on k8s proxies (#16521 ) This commit modifies the operator to detect the usage of k8s-apiserver type proxy groups that wish to use the letsencrypt staging directory and apply the appropriate environment variable to the statefulset it produces. Updates #13358 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
Jordan Whited	ae8641735d	cmd/tailscale/cli,ipn/ipnstate,wgengine/magicsock: label peer-relay (#16510 ) Updates tailscale/corp#30033 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Nick Khyl	c5fdf9e1db	cmd/tailscale/cli: add support for tailscale {up,set} --exit-node=auto:any If the specified exit node string starts with "auto:" (i.e., can be parsed as an ipn.ExitNodeExpression), we update ipn.Prefs.AutoExitNode instead of ipn.Prefs.ExitNodeID. Fixes #16459 Signed-off-by: Nick Khyl <nickk@tailscale.com>	5 months ago
Tom Proctor	27fa2ad868	cmd/k8s-operator: don't require generation for Available condition (#16497 ) The observed generation was set to always 0 in #16429, but this had the knock-on effect of other controllers considering ProxyGroups never ready because the observed generation is never up to date in proxyGroupCondition. Make sure the ProxyGroupAvailable function does not requires the observed generation to be up to date, and add testing coverage to catch regressions. Updates #16327 Change-Id: I42f50ad47dd81cc2d3c3ce2cd7b252160bb58e40 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
Tom Proctor	4dfed6b146	cmd/{k8s-operator,k8s-proxy}: add kube-apiserver ProxyGroup type (#16266 ) Adds a new k8s-proxy command to convert operator's in-process proxy to a separately deployable type of ProxyGroup: kube-apiserver. k8s-proxy reads in a new config file written by the operator, modelled on tailscaled's conffile but with some modifications to ensure multiple versions of the config can co-exist within a file. This should make it much easier to support reading that config file from a Kube Secret with a stable file name. To avoid needing to give the operator ClusterRole{,Binding} permissions, the helm chart now optionally deploys a new static ServiceAccount for the API Server proxy to use if in auth mode. Proxies deployed by kube-apiserver ProxyGroups currently work the same as the operator's in-process proxy. They do not yet leverage Tailscale Services for presenting a single HA DNS name. Updates #13358 Change-Id: Ib6ead69b2173c5e1929f3c13fb48a9a5362195d8 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
Tom Proctor	90bf0a97b3	cmd/k8s-operator/deploy: clarify helm install notes (#16449 ) Based on feedback that it wasn't clear what the user is meant to do with the output of the last command, clarify that it's an optional command to explore what got created. Updates #13427 Change-Id: Iff64ec6d02dc04bf4bbebf415d7ed1a44e7dd658 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
Simon Law	bad17a1bfa	cmd/tailscale: format empty cities and countries as hyphens (#16495 ) When running `tailscale exit-node list`, an empty city or country name should be displayed as a hyphen "-". However, this only happened when there was no location at all. If a node provides a Hostinfo.Location, then the list would display exactly what was provided. This patch changes the listing so that empty cities and countries will either render the provided name or "-". Fixes #16500 Signed-off-by: Simon Law <sfllaw@tailscale.com>	5 months ago
Nick Khyl	1fe82d6ef5	cmd/tailscale/cli,ipn/ipnlocal: restrict logout when AlwaysOn mode is enabled In this PR, we start passing a LocalAPI actor to (*LocalBackend).Logout to make it subject to the same access check as disconnects made via tailscale down or the GUI. We then update the CLI to allow `tailscale logout` to accept a reason, similar to `tailscale down`. Updates tailscale/corp#26249 Signed-off-by: Nick Khyl <nickk@tailscale.com>	5 months ago
David Bond	84eac7b8de	cmd/k8s-operator: Allow custom ingress class names (#16472 ) This commit modifies the k8s operator to allow for customisation of the ingress class name via a new `OPERATOR_INGRESS_CLASS_NAME` environment variable. For backwards compatibility, this defaults to `tailscale`. When using helm, a new `ingress.name` value is provided that will set this environment variable and modify the name of the deployed `IngressClass` resource. Fixes https://github.com/tailscale/tailscale/issues/16248 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
Tom Proctor	079134d3c0	cmd/k8s-operator: always set ProxyGroup status conditions (#16429 ) Refactors setting status into its own top-level function to make it easier to ensure we _always_ set the status if it's changed on every reconcile. Previously, it was possible to have stale status if some earlier part of the provision logic failed. Updates #16327 Change-Id: Idab0cfc15ae426cf6914a82f0d37a5cc7845236b Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
David Bond	c46145b99e	cmd/k8s-operator: Move login server value to top-level (#16470 ) This commit modifies the operator helm chart values to bring the newly added `loginServer` field to the top level. We felt as though it was a bit confusing to be at the `operatorConfig` level as this value modifies the behaviour or the operator, api server & all resources that the operator manages. Updates https://github.com/tailscale/corp/issues/29847 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
Nick Khyl	a8055b5f40	cmd/tailscale/cli,ipn,ipn/ipnlocal: add AutoExitNode preference for automatic exit node selection With this change, policy enforcement and exit node resolution can happen in separate steps, since enforcement no longer depends on resolving the suggested exit node. This keeps policy enforcement synchronous (e.g., when switching profiles), while allowing exit node resolution to be asynchronous on netmap updates, link changes, etc. Additionally, the new preference will be used to let GUIs and CLIs switch back to "auto" mode after a manual exit node override, which is necessary for tailscale/corp#29969. Updates tailscale/corp#29969 Updates #16459 Signed-off-by: Nick Khyl <nickk@tailscale.com>	5 months ago
David Bond	5dc11d50f7	cmd/k8s-operator: Set login server on tsrecorder nodes (#16443 ) This commit modifies the recorder node reconciler to include the environment variable added in https://github.com/tailscale/corp/pull/30058 which allows for configuration of the coordination server. Updates https://github.com/tailscale/corp/issues/29847 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
David Bond	eb03d42fe6	cmd/k8s-operator: Allow configuration of login server (#16432 ) This commit modifies the kubernetes operator to allow for customisation of the tailscale login url. This provides some data locality for people that want to configure it. This value is set in the `loginServer` helm value and is propagated down to all resources managed by the operator. The only exception to this is recorder nodes, where additional changes are required to support modifying the url. Updates https://github.com/tailscale/corp/issues/29847 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
Tom Meadows	2fc247573b	cmd/k8s-operator: ProxyClass annotation for Services and Ingresses (#16363 ) * cmd/k8s-operator: ProxyClass annotation for Services and Ingresses Previously, the ProxyClass could only be configured for Services and Ingresses via a Label. This adds the ability to set it via an Annotation, but prioritizes the Label if both a Label and Annotation are set. Updates #14323 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> * Update cmd/k8s-operator/operator.go Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com> Signed-off-by: Tom Meadows <tom@tmlabs.co.uk> * Update cmd/k8s-operator/operator.go Signed-off-by: Tom Meadows <tom@tmlabs.co.uk> * cmd/k8s-operator: ProxyClass annotation for Services and Ingresses Previously, the ProxyClass could only be configured for Services and Ingresses via a Label. This adds the ability to set it via an Annotation, but prioritizes the Label if both a Label and Annotation are set. Updates #14323 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> --------- Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> Signed-off-by: Tom Meadows <tom@tmlabs.co.uk> Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
Simon Law	544aee9d08	tsidp: update README to refer to community projects (#16411 ) We dropped the idea of the Experimental release stage in tailscale/tailscale-www#7697, in favour of Community Projects. Updates #cleanup Signed-off-by: Simon Law <sfllaw@tailscale.com>	5 months ago
Andrew Lytvynov	76b9afb54d	ipn/store: make StateStore.All optional (#16409 ) This method is only needed to migrate between store.FileStore and tpm.tpmStore. We can make a runtime type assertion instead of implementing an unused method for every platform. Updates #15830 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Tom Proctor	711698f5a9	cmd/{containerboot,k8s-operator}: use state Secret for checking device auth (#16328 ) Previously, the operator checked the ProxyGroup status fields for information on how many of the proxies had successfully authed. Use their state Secrets instead as a more reliable source of truth. containerboot has written device_fqdn and device_ips keys to the state Secret since inception, and pod_uid since 1.78.0, so there's no need to use the API for that data. Read it from the state Secret for consistency. However, to ensure we don't read data from a previous run of containerboot, make sure we reset containerboot's state keys on startup. One other knock-on effect of that is ProxyGroups can briefly be marked not Ready while a Pod is restarting. Introduce a new ProxyGroupAvailable condition to more accurately reflect when downstream controllers can implement flows that rely on a ProxyGroup having at least 1 proxy Pod running. Fixes #16327 Change-Id: I026c18e9d23e87109a471a87b8e4fb6271716a66 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
Tom Meadows	f81baa2d56	cmd/k8s-operator, k8s-operator: support Static Endpoints on ProxyGroups (#16115 ) updates: #14674 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	5 months ago
Kristoffer Dalby	df786be14d	cmd/tailscale: use text format for TKA head Updates tailscale/corp#23258 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	5 months ago
Kristoffer Dalby	4a7b8afabf	cmd/tailscale: add tlpub: prefix to lock log output Updates tailscale/corp#23258 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	5 months ago
Andrew Lytvynov	6feb3c35cb	ipn/store: automatically migrate between plaintext and encrypted state (#16318 ) Add a new `--encrypt-state` flag to `cmd/tailscaled`. Based on that flag, migrate the existing state file to/from encrypted format if needed. Updates #15830 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
David Bond	b75fe9eeca	cmd/k8s-operator: Add NOTES.txt to Helm chart (#16364 ) This commit adds a NOTES.txt to the operator helm chart that will be written to the terminal upon successful installation of the operator. It includes a small list of knowledgebase articles with possible next steps for the actor that installed the operator to the cluster. It also provides possible commands to use for explaining the custom resources. Fixes #13427 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
Kristoffer Dalby	0198255266	cmd/tailscale: warn user about nllock key removal without resigning Fixes #19445 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	5 months ago
Kristoffer Dalby	9309760263	util/prompt: make yes/no prompt reusable Updates #19445 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	5 months ago
Brad Fitzpatrick	9af42f425c	.github/workflows: shard the Windows builder It's one of the slower ones, so split it up into chunks. Updates tailscale/corp#28679 Change-Id: I16a5ba667678bf238c84417a51dda61baefbecf7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
Irbe Krumina	253d0b026d	cmd/k8s-operator: remove conffile hashing mechanism (#16335 ) Proxies know how to reload configfile on changes since 1.80, which is going to be the earliest supported proxy version with 1.84 operator, so remove the mechanism that was updating configfile hash to force proxy Pod restarts on config changes. Updates #13032 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Brad Fitzpatrick	e92eb6b17b	net/tlsdial: fix TLS cert validation of HTTPS proxies If you had HTTPS_PROXY=https://some-valid-cert.example.com running a CONNECT proxy, we should've been able to do a TLS CONNECT request to e.g. controlplane.tailscale.com:443 through that, and I'm pretty sure it used to work, but refactorings and lack of integration tests made it regress. It probably regressed when we added the baked-in LetsEncrypt root cert validation fallback code, which was testing against the wrong hostname (the ultimate one, not the one which we were being asked to validate) Fixes #16222 Change-Id: If014e395f830e2f87f056f588edacad5c15e91bc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
Andrew Lytvynov	4979ce7a94	feature/tpm: implement ipn.StateStore using TPM sealing (#16030 ) Updates #15830 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	6 months ago
Raj Singh	45a4b69ce0	cmd/tsidp: fix OIDC client persistence across restarts Fixes #16088 Signed-off-by: Raj Singh <raj@tailscale.com>	6 months ago
Simon Law	49ae66c10c	cmd/tailscale: clean up dns --help messages (#16306 ) This patch contains the following cleanups: 1. Simplify `ffcli.Command` definitions; 2. Word-wrap help text, consistent with other commands; 3. `tailscale dns --help` usage makes subcommand usage more obvious; 4. `tailscale dns query --help` describes DNS record types. Updates #cleanup Signed-off-by: Simon Law <sfllaw@tailscale.com>	6 months ago
Mike O'Driscoll	e7f5c9a015	derp/derphttp: add error notify for RunWatchConnectionLoop (#16261 ) The caller of client.RunWatchConnectionLoop may need to be aware of errors that occur within loop. Add a channel that notifies of errors to the caller to allow for decisions to be make as to the state of the client. Updates tailscale/corp#25756 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	6 months ago
Brad Fitzpatrick	259bab9bff	scripts/check_license_headers.sh: delete, rewrite as a Go test Updates tailscale/corp#29650 Change-Id: Iad4e4ccd9d68ebb1d1a12f335cc5295d0bd05b60 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
James Tucker	86985228bc	cmd/natc: add a flag to use specific DNS servers If natc is running on a host with tailscale using `--accept-dns=true` then a DNS loop can occur. Provide a flag for some specific DNS upstreams for natc to use instead, to overcome such situations. Updates #14667 Signed-off-by: James Tucker <james@tailscale.com>	6 months ago
Anton Tolchanov	42da161b19	tka: reject removal of the last signing key Fixes tailscale/corp#19447 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	6 months ago
Irbe Krumina	e29e3c150f	cmd/k8s-operator: ensure that TLS resources are updated for HA Ingress (#16262 ) Ensure that if the ProxyGroup for HA Ingress changes, the TLS Secret and Role and RoleBinding that allow proxies to read/write to it are updated. Fixes #16259 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
M. J. Fromberger	fe391d5694	client/local: use an iterator to stream bus events (#16269 ) This means the caller does not have to remember to close the reader, and avoids having to duplicate the logic to decode JSON into events. Updates #15160 Change-Id: I20186fabb02f72522f61d5908c4cc80b86b8936b Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	6 months ago
James Tucker	b0f7b23efe	net/netcheck: preserve live home DERP through packet loss During a short period of packet loss, a TCP connection to the home DERP may be maintained. If no other regions emerge as winners, such as when all regions but one are avoided/disallowed as candidates, ensure that the current home region, if still active, is not dropped as the preferred region until it has failed two keepalives. Relatedly apply avoid and no measure no home to ICMP and HTTP checks as intended. Updates tailscale/corp#12894 Updates tailscale/corp#29491 Signed-off-by: James Tucker <james@tailscale.com>	6 months ago
Irbe Krumina	3219de4cb8	cmd/k8s-operator: ensure status update errors are displayed to users (#16251 ) Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Claus Lensbøl	6010812f0c	ipn/localapi,client/local: add debug watcher for bus events (#16239 ) Updates: #15160 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	6 months ago
Fran Bull	3b25e94352	cmd/natc: allow specifying the tsnet state dir Which can make operating the service more convenient. It makes sense to put the cluster state with this if specified, so rearrange the logic to handle that. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	6 months ago
Mike O'Driscoll	e72c528a5f	cmd/{derp,derpprobe},prober,derp: add mesh support to derpprobe (#15414 ) Add mesh key support to derpprobe for probing derpers with verify set to true. Move MeshKey checking to central point for code reuse. Fix a bad error fmt msg. Fixes tailscale/corp#27294 Fixes tailscale/corp#25756 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	6 months ago
Anton Tolchanov	db34cdcfe7	cmd/tailscale/cli: add a risk message about rp_filter We already present a health warning about this, but it is easy to miss on a server when blackholing traffic makes it unreachable. In addition to a health warning, present a risk message when exit node is enabled. Example: ``` $ tailscale up --exit-node=lizard The following issues on your machine will likely make usage of exit nodes impossible: - interface "ens4" has strict reverse-path filtering enabled - interface "tailscale0" has strict reverse-path filtering enabled Please set rp_filter=2 instead of rp_filter=1; see https://github.com/tailscale/tailscale/issues/3310 To skip this warning, use --accept-risk=linux-strict-rp-filter $ ``` Updates #3310 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	6 months ago
Tom Meadows	4456f77af7	cmd/k8s-operator: explicitly set tcp on VIPService port configuration for Ingress with ProxyGroup (#16199 ) Updates tailscale/corp#24795 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	6 months ago
Fran Bull	3e08eab21e	cmd/natc: use new on disk state store for consensus Fixes #16027 Signed-off-by: Fran Bull <fran@tailscale.com>	6 months ago
Fran Bull	486a55f0a9	cmd/natc: add optional consensus backend Enable nat connector to be run on a cluster of machines for high availability. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	6 months ago
Raj Singh	5f0e139012	cmd/tsidp: add Docker image building support (#16078 ) - Add tsidp target to build_docker.sh for standard Tailscale image builds - Add publishdevtsidp Makefile target for development image publishing - Remove Dockerfile, using standard build process - Include tsidp in depaware dependency tracking - Update README with comprehensive Docker usage examples This enables tsidp to be built and published like other Tailscale components (tailscale/tailscale, tailscale/k8s-operator, tailscale/k8s-nameserver). Fixes #16077 Signed-off-by: Raj Singh <raj@tailscale.com>	6 months ago
Irbe Krumina	5b670eb3a5	cmd/containerboot: allow setting --accept-dns via TS_EXTRA_ARGS again (#16129 ) In 1.84 we made 'tailscale set'/'tailscale up' error out if duplicate command line flags are passed. This broke some container configurations as we have two env vars that can be used to set --accept-dns flag: - TS_ACCEPT_DNS- specifically for --accept-dns - TS_EXTRA_ARGS- accepts any arbitrary 'tailscale up'/'tailscale set' flag. We default TS_ACCEPT_DNS to false (to make the container behaviour more declarative), which with the new restrictive CLI behaviour resulted in failure for users who had set --accept-dns via TS_EXTRA_ARGS as the flag would be provided twice. This PR re-instates the previous behaviour by checking if TS_EXTRA_ARGS contains --accept-dns flag and if so using its value to override TS_ACCEPT_DNS. Updates tailscale/tailscale#16108 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Brad Fitzpatrick	401d6c0cfa	go.mod: bump golang.org/x deps Updates #8043 Change-Id: I8702a17130559353ccdecbe8b64eeee461ff09c3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
Nick Khyl	191afd3390	net/tshttpproxy: fix WDAP/PAC proxy detection on Win10 1607 and earlier Using WINHTTP_AUTOPROXY_ALLOW_AUTOCONFIG on Windows versions older than Windows 10 1703 (build 15063) is not supported and causes WinHttpGetProxyForUrl to fail with ERROR_INVALID_PARAMETER. This results in failures reaching the control on environments where a proxy is required. We use wingoes version detection to conditionally set the WINHTTP_AUTOPROXY_ALLOW_AUTOCONFIG flag on Windows builds greater than 15063. While there, we also update proxy detection to use WINHTTP_AUTO_DETECT_TYPE_DNS_A, as DNS-based proxy discovery might be required with Active Directory and in certain other environments. Updates tailscale/corp#29168 Fixes #879 Signed-off-by: Nick Khyl <nickk@tailscale.com>	6 months ago
Raj Singh	09582bdc00	cmd/tsidp: add web UI for managing OIDC clients (#16068 ) Add comprehensive web interface at ui for managing OIDC clients, similar to tsrecorder's design. Features include list view, create/edit forms with validation, client secret management, delete functionality with confirmation dialogs, responsive design, and restricted tailnet access only. Fixes #16067 Signed-off-by: Raj Singh <raj@tailscale.com>	6 months ago
Tim Klocke	4980869977	cmd/tsidp: Fix sending string for refresh_token In accordance with the OIDC/OAuth 2.0 protocol, do not send an empty refresh_token and instead omit the field when empty. Fixes https://github.com/tailscale/tailscale/issues/16073 Signed-off-by: Tim Klocke <taaem@mailbox.org>	6 months ago
Irbe Krumina	00a7dd180a	cmd/k8s-operator: validate Service tags, catch duplicate Tailscale Services (#16058 ) Validate that any tags that users have specified via tailscale.com/tags annotation are valid Tailscale ACL tags. Validate that no more than one HA Tailscale Kubernetes Services in a single cluster refer to the same Tailscale Service. Updates tailscale/tailscale#16054 Updates tailscale/tailscale#16035 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Patrick O'Doherty	a05924a9e5	client/web: add Sec-Fetch-Site CSRF protection (#16046 ) RELNOTE=Fix CSRF errors in the client Web UI Replace gorilla/csrf with a Sec-Fetch-Site based CSRF protection middleware that falls back to comparing the Host & Origin headers if no SFS value is passed by the client. Add an -origin override to the web CLI that allows callers to specify the origin at which the web UI will be available if it is hosted behind a reverse proxy or within another application via CGI. Updates #14872 Updates #15065 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	7 months ago
Simon Law	3ee4c60ff0	cmd/derper: fix mesh auth for DERP servers (#16061 ) To authenticate mesh keys, the DERP servers used a simple == comparison, which is susceptible to a side channel timing attack. By extracting the mesh key for a DERP server, an attacker could DoS it by forcing disconnects using derp.Client.ClosePeer. They could also enumerate the public Wireguard keys, IP addresses and ports for nodes connected to that DERP server. DERP servers configured without mesh keys deny all such requests. This patch also extracts the mesh key logic into key.DERPMesh, to prevent this from happening again. Security bulletin: https://tailscale.com/security-bulletins#ts-2025-003 Fixes tailscale/corp#28720 Signed-off-by: Simon Law <sfllaw@tailscale.com>	7 months ago
Irbe Krumina	c4fb380f3c	cmd/k8s-operator: fix Tailscale Service API errors check (#16020 ) Updates tailscale/tailscale#15895 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	7 months ago
Brad Fitzpatrick	54970054a6	cmd/tailscale/cli: suggest using "tailscale set", not "up", to set operator The same message was used for "up" and "down" permission failures, but "set" works better for both. Suggesting "up --operator" for a "down" permission failure was confusing. It's not like the latter command works in one shot anyway. Fixes #16008 Change-Id: I6e4225ef06ce2d8e19c40bece8104e254c2aa525 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	8009ad74a3	cmd/derper, net/tlsdial: fix client's self-signed cert validation This fixes the implementation and test from #15208 which apparently never worked. Ignore the metacert when counting the number of expected certs presented. And fix the test, pulling out the TLSConfig setup code into something shared between the real cmd/derper and the test. Fixes #15579 Change-Id: I90526e38e59f89b480629b415f00587b107de10a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Tom Meadows	b5770c81c9	cmd/k8s-operator: rename VIPService -> Tailscale Service in L3 HA Service Reconciler (#16014 ) Also changes wording tests for L7 HA Reconciler Updates #15895 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	7 months ago
Tom Meadows	7fe27496c8	cmd/k8s-operator: warn if HA Service is applied, but VIPService feature flag is not enabled (#16013 ) Updates #15895 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	7 months ago
Tom Meadows	df8d51023e	cmd/k8s-operator,kube/kubetypes,k8s-operator/apis: reconcile L3 HA Services (#15961 ) This reconciler allows users to make applications highly available at L3 by leveraging Tailscale Virtual Services. Many Kubernetes Service's (irrespective of the cluster they reside in) can be mapped to a Tailscale Virtual Service, allowing access to these Services at L3. Updates #15895 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	7 months ago
Tom Proctor	d89aa29081	{cmd,}/k8s-operator: support IRSA for Recorder resources (#15913 ) Adds Recorder fields to configure the name and annotations of the ServiceAccount created for and used by its associated StatefulSet. This allows the created Pod to authenticate with AWS without requiring a Secret with static credentials, using AWS' IAM Roles for Service Accounts feature, documented here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html Fixes #15875 Change-Id: Ib0e15c0dbc357efa4be260e9ae5077bacdcb264f Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	7 months ago
Irbe Krumina	6b97e615d6	cmd/containerboot,kube/ingressservices: proxy VIPService TCP/UDP traffic to cluster Services (#15897 ) cmd/containerboot,kube/ingressservices: proxy VIPService TCP/UDP traffic to cluster Services This PR is part of the work to implement HA for Kubernetes Operator's network layer proxy. Adds logic to containerboot to monitor mounted ingress firewall configuration rules and update iptables/nftables rules as the config changes. Also adds new shared types for the ingress configuration. The implementation is intentionally similar to that for HA for egress proxy. Updates tailscale/tailscale#15895 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> Signed-off-by: Irbe Krumina <irbe@tailscale.com>	7 months ago
Patrick O'Doherty	336b3b7df0	cmd/proxy-to-grafana: strip X-Webauth* headers from all requests (#15985 ) Update proxy-to-grafana to strip any X-Webauth prefixed headers passed by the client in every request, not just those to /login. /api/ routes will also accept these headers to authenticate users, necessitating their removal to prevent forgery. Updates tailscale/corp#28687 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	7 months ago
Irbe Krumina	abe04bfa78	cmd/k8s-operator: warn if Tailscale Services use attempted for tailnet without the feature enabled (#15931 ) Also renames VIPService -> Tailscale Service (including user facing messages) Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	7 months ago
Simon Law	7f4aaed1d5	cmd/derpprobe: exit with non-zero status if --once fails (#15926 ) `cmd/derpprobe --once` didn’t respect the convention of non-zero exit status for a failed run. It would always exit zero (i.e. success), even. This patch fixes that, but only for `--once` mode. Fixes: #15925 Signed-off-by: Simon Law <sfllaw@tailscale.com>	7 months ago
Jordan Whited	0f4f808e70	wgengine/magicsock: re-shape relayManager to use an event loop (#15935 ) The event loop removes the need for growing locking complexities and synchronization. Now we simply use channels. The event loop only runs while there is active work to do. relayManager remains no-op inside magicsock for the time being. endpoints are never 'relayCapable' and therefore endpoint & Conn will not feed CallMeMaybeVia or allocation events into it. A number of relayManager events remain unimplemented, e.g. CallMeMaybeVia reception and relay handshaking. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	7 months ago
Nick Khyl	a9be049c19	ipn/ipnlocal,net/dns/resolver: use the user dialer and routes for DNS forwarding by default, except on iOS and Android In this PR, we make the "user-dial-routes" behavior default on all platforms except for iOS and Android. It can be disabled by setting the TS_DNS_FORWARD_USE_ROUTES envknob to 0 or false. Updates #12027 Updates #13837 Signed-off-by: Nick Khyl <nickk@tailscale.com>	7 months ago
Jordan Whited	0841477743	net/udprelay{/endpoint}, all: move ServerEndpoint to independent pkg (#15934 ) ServerEndpoint will be used within magicsock and potentially elsewhere, which should be possible without needing to import the server implementation itself. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	7 months ago
Brad Fitzpatrick	165b99278b	feature/taildrop, ipn/ipnlocal: remove leftover dup calls to osshare I'd moved the osshare calls to feature/taildrop hooks, but forgot to remove them from ipnlocal, or lost them during a rebase. But then I noticed cmd/tailscaled also had some, so turn those into a hook. Updates #12614 Change-Id: I024fb1d27fbcc49c013158882ee5982c2737037d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	48dacf1bf7	cmd/tailscale/cli: omit "file" subcommand if taildrop is omitted from build Updates #15812 Updates #12614 Change-Id: Ic945b26a127ba15399abdaab8fe43b1cfa64d874 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	7cc2837594	tsnet: don't depend on condregister & its default tailscaled features None of them are applicable to the common tsnet use cases. If somebody wants one of them, they can empty import it. Updates #12614 Change-Id: I3d7f74b555eed22e05a09ad667e4572a5bc452d8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	5b597489bc	taildrop: merge taildrop and feature/taildrop packages together Fixes #15812 Change-Id: I3bf0666bf9e7a9caea5f0f99fdb0eb2812157608 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	068d5ab655	feature/taildrop: move rest of Taildrop out of LocalBackend Updates #12614 Change-Id: If451dec1d796f6a4216fe485975c87f0c62a53e5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Co-authored-by: Nick Khyl <nickk@tailscale.com>	7 months ago
Brad Fitzpatrick	cf6a593196	cmd/tailscale/cli: rename "--posture-checking" to "--report-posture" For consistency with other flags, per Slack chat. Updates #5902 Change-Id: I7ae1e4c97b37185573926f5fafda82cf8b46f071 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Tom Proctor	62182f3bcf	cmd/k8s-operator,k8s-operator/api-proxy: move k8s proxy code to library (#15857 ) The defaultEnv and defaultBool functions are copied over temporarily to minimise diff. This lays the ground work for having both the operator and the new k8s-proxy binary implement the API proxy Updates #13358 Change-Id: Ieacc79af64df2f13b27a18135517bb31c80a5a02 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	7 months ago
Andrew Lytvynov	3105ecd958	hostinfo,tailcfg: report TPM availability on windows/linux (#15831 ) Start collecting fleet data on TPM availability via hostinfo. Updates #15830 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	7 months ago
Brad Fitzpatrick	383664b2f7	cmd/tsidp: remove backticks in README in shell example Fixes #15818 Change-Id: I7a6f4c7368fed74b865a63acdea4559c3d0a0d09 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	e415f51351	feature/taildrop: add integration test Taildrop has never had an end-to-end test since it was introduced. This adds a basic one. It caught two recent refactoring bugs & one from 2022 (`0f7da5c7dc`). This is prep for moving the rest of Taildrop out of LocalBackend, so we can do more refactorings with some confidence. Updates #15812 Change-Id: I6182e49c5641238af0bfdd9fea1ef0420c112738 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Anton Tolchanov	fe0090909b	cmd/tailscale/cli: unhide `--posture-checking` flag to `set` Updates #5902 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	7 months ago
James Tucker	b95e8bf4a1	tsweb/varz: export GC CPU fraction gauge We were missing this metric, but it can be important for some workloads. Varz memstats output allocation cost reduced from 30 allocs per invocation to 1 alloc per invocation. Updates tailscale/corp#28033 Signed-off-by: James Tucker <james@tailscale.com> Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	dbf13976d3	types/mapx, ipn/ipnext: add ordered map, akin to set.Slice We had an ordered set type (set.Slice) already but we occasionally want to do the same thing with a map, preserving the order things were added, so add that too, as mapsx.OrderedMap[K, V], and then use in ipnext. Updates #12614 Change-Id: I85e6f5e11035571a28316441075e952aef9a0863 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Patrick O'Doherty	e649227ef2	cmd/tsidp: fix interface{} linter warnings (#15729 ) Replace all instances of interface{} with any to resolve the golangci-lint errors that appeared in the previous tsidp PR. Updates #cleanup Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	8 months ago
Cedric Kienzler	b34a2bdb22	cmd/tsidp: add groups claim to tsidp (#15127 ) * cmd/tsidp: add groups claim to tsidp This feature adds support for a `groups` claim in tsidp using the grants syntax: ```json { "grants": [ { "src": ["group:admins"], "dst": [""], "ip": [""], "app": { "tailscale.com/cap/tsidp": [ { "groups": ["admin"] } ] } }, { "src": ["group:reader"], "dst": [""], "ip": [""], "app": { "tailscale.com/cap/tsidp": [ { "groups": ["reader"] } ] } } ] } ``` For #10263 Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> * cmd/tsidp: refactor cap/tsidp to allow extraClaims This commit refactors the `capRule` struct to allow specifying arbitrary extra claims: ```json { "src": ["group:reader"], "dst": [""], "ip": [""], "app": { "tailscale.com/cap/tsidp": [ { "extraClaims": { "groups": ["reader"], "entitlements": ["read-stuff"], }, } ] } } ``` Overwriting pre-existing claims cannot be modified/overwritten. Also adding more unit-testing Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> * Update cmd/tsidp/tsidp.go Signed-off-by: cedi <cedi@users.noreply.github.com> * Update cmd/tsidp/tsidp_test.go Co-authored-by: Patrick O'Doherty <hello@patrickod.com> Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com> * Update cmd/tsidp/tsidp_test.go Co-authored-by: Patrick O'Doherty <hello@patrickod.com> Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com> * Fix logical error in test case Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> * fix error printing for failed to unmarshal capability in tsidp Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> * clarify doc string for withExtraClaims Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> --------- Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> Signed-off-by: cedi <cedi@users.noreply.github.com> Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com> Co-authored-by: Patrick O'Doherty <hello@patrickod.com>	8 months ago
Tom Meadows	9666c2e700	cmd/k8s-operator: default ingress paths to '/' if not specified by user (#15706 ) in resource Fixes #14908 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	8 months ago
Percy Wegmann	26f31f73f4	cmd/dist,release/dist: sign QNAP builds with a Google Cloud hosted key QNAP now requires builds to be signed with an HSM. This removes support for signing with a local keypair. This adds support for signing with a Google Cloud hosted key. The key should be an RSA key with protection level `HSM` and that uses PSS padding and a SHA256 digest. The GCloud project, keyring and key name are passed in as command-line arguments. The GCloud credentials and the PEM signing certificate are passed in as Base64-encoded command-line arguments. Updates tailscale/corp#23528 Signed-off-by: Percy Wegmann <percy@tailscale.com>	8 months ago
Brad Fitzpatrick	0c78f081a4	feature/taildrop: start moving Taildrop out of LocalBackend This adds a feature/taildrop package, a ts_omit_taildrop build tag, and starts moving code to feature/taildrop. In some cases, code remains where it was but is now behind a build tag. Future changes will move code to an extension and out of LocalBackend, etc. Updates #12614 Change-Id: Idf96c61144d1a5f707039ceb2ff59c99f5c1642f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
David Anderson	5399fa159a	net/netmon: publish events to event bus Updates #15160 Signed-off-by: David Anderson <dave@tailscale.com>	8 months ago
David Anderson	6d6f69e735	derp/derphttp: remove ban on websockets dependency The event bus's debug page uses websockets. Updates #15160 Signed-off-by: David Anderson <dave@tailscale.com>	8 months ago
David Anderson	e8cacd2a32	cmd/tailscaled: clean up unnecessary logf indirection #cleanup Signed-off-by: David Anderson <dave@tailscale.com>	8 months ago
M. J. Fromberger	deb0b255ff	all: update the tsd.System constructor name (#15372 ) Replace NewSystemWithEventBus with plain NewSystem, and update all usage. See https://github.com/tailscale/tailscale/pull/15355#discussion_r2003910766 Updates #15160 Change-Id: I64d337f09576b41d9ad78eba301a74b9a9d6ebf4 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	8 months ago
M. J. Fromberger	baead61e44	{wgengine,util/portmapper}: add and plumb an event bus (#15359 ) Updates #15160 Change-Id: I2510fb4a8905fb0abe8a8e0c5b81adb15d50a6f8 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	8 months ago
M. J. Fromberger	418e19fb5e	portmapper: update NewClient to use a Config argument In preparation for adding more parameters (and later, moving some away), rework the portmapper constructor to accept its arguments on a Config struct rather than positionally. This is a breaking change to the function signature, but one that is very easy to update, and a search of GitHub reveals only six instances of usage outside clones and forks of Tailscale itself, that are not direct copies of the code fixed up here. While we could stub in another constructor, I think it is safe to let those folks do the update in-place, since their usage is already affected by other changes we can't test for anyway. Updates #15160 Change-Id: I9f8a5e12b38885074c98894b7376039261b43f43 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	8 months ago
M. J. Fromberger	ffb22ee353	all: construct new System values with an event bus pre-populated Although, at the moment, we do not yet require an event bus to be present, as we start to add more pieces we will want to ensure it is always available. Add a new constructor and replace existing uses of new(tsd.System) throughout. Update generated files for import changes. Updates #15160 Change-Id: Ie5460985571ade87b8eac8b416948c7f49f0f64b Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	8 months ago
David Anderson	6b8bbb4c37	tsd: wire up the event bus to tailscaled Updates #15160 Signed-off-by: David Anderson <dave@tailscale.com>	8 months ago
Jordan Whited	37f5fd2ec1	feature/{condregister,relayserver}: implement the skeleton for the relayserver feature (#15699 ) This feature is "registered" as an ipnlocal.Extension, and conditionally linked depending on GOOS and ts_omit_relayserver build tag. The feature is not linked on iOS in attempt to limit the impact to binary size and resulting effect of pushing up against NetworkExtension limits. Eventually we will want to support the relay server on iOS, specifically on the Apple TV. Apple TVs are well-fitted to act as underlay relay servers as they are effectively always-on servers. This skeleton begins to tie a PeerAPI endpoint to a net/udprelay.Server. The PeerAPI endpoint is currently no-op as extension.shouldRunRelayServer() always returns false. Follow-up commits will implement extension.shouldRunRelayServer(). Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	8 months ago
Satyam Soni	b926cd7fc6	k8s-operator: add age column to all custom resources (#15663 ) This change introduces an Age column in the output for all custom resources to enhance visibility into their lifecycle status. Fixes #15499 Signed-off-by: satyampsoni <satyampsoni@gmail.com>	8 months ago
Fran Bull	4cb9d5c183	cmd/natc: cleanup unused state perPeerState no longer needs to know the v6ULA. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	8 months ago
Fran Bull	1e290867bd	cmd/natc: only store v4 addresses Because we derive v6 addresses from v4 addresses we only need to store the v4 address, not both. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	8 months ago
Nick Khyl	4941cd7c73	cmd/tailscaled,ipn/{auditlog,desktop,ipnext,ipnlocal},tsd: extract LocalBackend extension interfaces and implementation In this PR, we refactor the LocalBackend extension system, moving from direct callbacks to a more organized extension host model. Specifically, we: - Extract interface and callback types used by packages extending LocalBackend functionality into a new ipn/ipnext package. - Define ipnext.Host as a new interface that bridges extensions with LocalBackend. It enables extensions to register callbacks and interact with LocalBackend in a concurrency-safe, well-defined, and controlled way. - Move existing callback registration and invocation code from ipnlocal.LocalBackend into a new type called ipnlocal.ExtensionHost, implementing ipnext.Host. - Improve docs for existing types and methods while adding docs for the new interfaces. - Add test coverage for both the extracted and the new code. - Remove ipn/desktop.SessionManager from tsd.System since ipn/desktop is now self-contained. - Update existing extensions (e.g., ipn/auditlog and ipn/desktop) to use the new interfaces where appropriate. We're not introducing new callback and hook types (e.g., for ipn.Prefs changes) just yet, nor are we enhancing current callbacks, such as by improving conflict resolution when more than one extension tries to influence profile selection via a background profile resolver. These further improvements will be submitted separately. Updates #12614 Updates tailscale/corp#27645 Updates tailscale/corp#26435 Updates tailscale/corp#18342 Signed-off-by: Nick Khyl <nickk@tailscale.com>	8 months ago
Jordan Whited	e17abbf461	cmd/tailscale,ipn: add relay-server-port "tailscale set" flag and Prefs field (#15594 ) This flag is currently no-op and hidden. The flag does round trip through the related pref. Subsequent commits will tie them to net/udprelay.Server. There is no corresponding "tailscale up" flag, enabling/disabling of the relay server will only be supported via "tailscale set". This is a string flag in order to support disablement via empty string as a port value of 0 means "enable the server and listen on a random unused port". Disablement via empty string also follows existing flag convention, e.g. advertise-routes. Early internal discussions settled on "tailscale set --relay="<port>", but the author felt this was too ambiguous around client vs server, and may cause confusion in the future if we add related flags. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	8 months ago
Simon Law	7e296923ab	cmd/tailscale: test for new flags in tailscale up `tailscale set` was created to set preferences, which used to be overloaded into `tailscale up`. To move people over to the new command, `up` was supposed to be frozen and no new preference flags would be added. But people forgot, there was no test to warn them, and so new flags were added anyway. TestUpFlagSetIsFrozen complains when new flags are added to `tailscale up`. It doesn’t try all combinations of GOOS, but since the CI builds in every OS, the pull-request tests should cover this. Updates #15460 Signed-off-by: Simon Law <sfllaw@sfllaw.ca>	8 months ago
Tom Proctor	dd95a83a65	cmd/{containerboot,k8s-operator},kube/kubetypes: unadvertise ingress services on shutdown (#15451 ) Ensure no services are advertised as part of shutting down tailscaled. Prefs are only edited if services are currently advertised, and they're edited we wait for control's ~15s (+ buffer) delay to failover. Note that editing prefs will trigger a synchronous write to the state Secret, so it may fail to persist state if the ProxyGroup is getting scaled down and therefore has its RBAC deleted at the same time, but that failure doesn't stop prefs being updated within the local backend, doesn't affect connectivity to control, and the state Secret is about to get deleted anyway, so the only negative side effect is a harmless error log during shutdown. Control still learns that the node is no longer advertising the service and triggers the failover. Note that the first version of this used a PreStop lifecycle hook, but that only supports GET methods and we need the shutdown to trigger side effects (updating prefs) so it didn't seem appropriate to expose that functionality on a GET endpoint that's accessible on the k8s network. Updates tailscale/corp#24795 Change-Id: I0a9a4fe7a5395ca76135ceead05cbc3ee32b3d3c Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	8 months ago
James Tucker	8e1aa86bdb	cmd/natc: attempt to match IP version between upstream and downstream As IPv4 and IPv6 end up with different MSS and different congestion control strategies, proxying between them can really amplify TCP meltdown style conditions in many real world network conditions, such as with higher latency, some loss, etc. Attempt to match up the protocols, otherwise pick a destination address arbitrarily. Also shuffle the target address to spread load across upstream load balancers. Updates #15367 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Tom Proctor	de949b050e	cmd/containerboot: speed up tests (#14883 ) The test suite had grown to about 20s on my machine, but it doesn't do much taxing work so was a good candidate to parallelise. Now runs in under 2s on my machine. Updates #cleanup Change-Id: I2fcc6be9ca226c74c0cb6c906778846e959492e4 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	8 months ago
Brad Fitzpatrick	79ff067db3	cmd/tailscale/cli: prevent all dup flags, not just strings The earlier #15534 prevent some dup string flags. This does it for all flag types. Updates #6813 Change-Id: Iec2871448394ea9a5b604310bdbf7b499434bf01 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago

... 2 3 4 5 6 ...

2542 Commits (cmol/resolveconf_trample_trample_back)