2513 Commits (icio/netmap-diff-check)

Author	SHA1	Message	Date
Raj Singh	0b27871860	k8s-operator: add IPv6 support for DNS records (#16691) ... This change adds full IPv6 support to the Kubernetes operator's DNS functionality, enabling dual-stack and IPv6-only cluster support. Fixes #16633 Signed-off-by: Raj Singh <raj@tailscale.com>	2 months ago
James Sanderson	70400cb75f	cmd/tailscale/cli: reduce strength of lose-ssh risk warning ... Ideally we would remove this warning entirely, as it is now possible to reauthenticate without losing connectivty. However, it is still possible to lose SSH connectivity if the user changes the ownership of the machine when they do a force-reauth, and we have no way of knowing if they are going to do that before they do it. For now, let's just reduce the strength of the warning to warn them that they "may" lose their connection, rather than they "will". Updates tailscale/corp#32429 Signed-off-by: James Sanderson <jsanderson@tailscale.com>	2 months ago
Simon Law	34242df51b	derp/derpserver: clean up extraction of derp.Server (#17264) ... PR #17258 extracted `derp.Server` into `derp/derpserver.Server`. This followup patch adds the following cleanups: 1. Rename `derp_server*.go` files to `derpserver*.go` to match the package name. 2. Rename the `derpserver.NewServer` constructor to `derpserver.New` to reduce stuttering. 3. Remove the unnecessary `derpserver.Conn` type alias. Updates #17257 Updates #cleanup Signed-off-by: Simon Law <sfllaw@tailscale.com>	2 months ago
Brad Fitzpatrick	21dc5f4e21	derp/derpserver: split off derp.Server out of derp into its own package ... This exports a number of things from the derp (generic + client) package to be used by the new derpserver package, as now used by cmd/derper. And then enough other misc changes to lock in that cmd/tailscaled can be configured to not bring in tailscale.com/client/local. (The webclient in particular, even when disabled, was bringing it in, so that's now fixed) Fixes #17257 Change-Id: I88b6c7958643fb54f386dd900bddf73d2d4d96d5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	b3e9a128af	net/dns, feature/featuretags: make NetworkManager, systemd-resolved, and DBus modular ... Saves 360 KB (19951800 => 19591352 on linux/amd64 --extra-small --box binary) Updates #12614 Updates #17206 Change-Id: Iafd5b2536dd735111b447546cba335a7a64379ed Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	8fe575409f	feature/featuretags: add build tag to remove captive portal detection ... This doesn't yet fully pull it out into a feature/captiveportal package. This is the usual first step, moving the code to its own files within the same packages. Updates #17254 Change-Id: Idfaec839debf7c96f51ca6520ce36ccf2f8eec92 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Jordan Whited	4657cbdb11	client, cmd/tailscale/cli, feature/relayserver, net/udprelay: implement tailscale debug peer-relay-sessions (#17239) ... Fixes tailscale/corp#30035 Signed-off-by: Dylan Bargatze <dylan@tailscale.com> Signed-off-by: Jordan Whited <jordan@tailscale.com> Co-authored-by: Dylan Bargatze <dylan@tailscale.com>	2 months ago
Percy Wegmann	e3307fbce1	cmd/tailscale: omit the `drive` subcommand in MacOS GUI apps ... In MacOS GUI apps, users have to select folders to share via the GUI. This is both because the GUI app keeps its own record of shares, and because the sandboxed version of the GUI app needs to gain access to the shared folders by having the user pick them in a file selector. The new build tag `ts_mac_gui` allows the MacOS GUI app build to signal that this is a MacOS GUI app, which causes the `drive` subcommand to be omitted so that people do not mistakenly attempt to use it. Updates tailscale/tailscale#17210 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Mahyar Mirrashed	5e79e497d3	cmd/tailscale/cli: show last seen time on status command (#16588) ... Add a last seen time on the cli's status command, similar to the web portal. Before: ``` 100.xxx.xxx.xxx tailscale-operator tagged-devices linux offline ``` After: ``` 100.xxx.xxx.xxx tailscale-operator tagged-devices linux offline, last seen 20d ago ``` Fixes #16584 Signed-off-by: Mahyar Mirrashed <mah.mirr@gmail.com>	2 months ago
David Bond	cc1761e8d2	cmd/k8s-operator: send operator logs to tailscale (#17110) ... This commit modifies the k8s operator to wrap its logger using the logtail logger provided via the tsnet server. This causes any logs written by the operator to make their way to Tailscale in the same fashion as wireguard logs to be used by support. This functionality can also be opted-out of entirely using the "TS_NO_LOGS_NO_SUPPORT" environment variable. Updates https://github.com/tailscale/corp/issues/32037 Signed-off-by: David Bond <davidsbond93@gmail.com>	2 months ago
Brad Fitzpatrick	db048e905d	control/controlhttp: simplify, fix race dialing, remove priority concept ... controlhttp has the responsibility of dialing a set of candidate control endpoints in a way that minimizes user facing latency. If one control endpoint is unavailable we promptly dial another, racing across the dimensions of: IPv6, IPv4, port 80, and port 443, over multiple server endpoints. In the case that the top priority endpoint was not available, the prior implementation would hang waiting for other results, so as to try to return the highest priority successful connection to the rest of the client code. This hang would take too long with a large dialplan and sufficient client to endpoint latency as to cause the server to timeout the connection due to inactivity in the intermediate state. Instead of trying to prioritize non-ideal candidate connections, the first successful connection is now used unconditionally, improving user facing latency and avoiding any delays that would encroach on the server-side timeout. The tests are converted to memnet and synctest, running on all platforms. Fixes #8442 Fixes tailscale/corp#32534 Co-authored-by: James Tucker <james@tailscale.com> Change-Id: I4eb57f046d8b40403220e40eb67a31c41adb3a38 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
Brad Fitzpatrick	d7ec043306	cmd/tailscale/cli: add ts2021 debug flag to set a dial plan ... Updates tailscale/corp#32534 Change-Id: Ief4ee0a263ea1edbf652b74d8c335c1e5ee209d7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	798fddbe5c	feature/linuxdnsfight: move inotify watching of /etc/resolv.conf out to a feature ... tsnet apps in particular never use the Linux DNS OSManagers, so they don't need DBus, etc. I started to pull that all out into separate features so tsnet doesn't need to bring in DBus, but hit this first. Here you can see that tsnet (and the k8s-operator) no longer pulls in inotify. Updates #17206 Change-Id: I7af0f391f60c5e7dbeed7a080346f83262346591 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	d559a21418	util/eventbus/eventbustest: fix typo of test name ... And another case of the same typo in a comment elsewhere. Updates #cleanup Change-Id: Iaa9d865a1cf83318d4a30263c691451b5d708c9c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	5e698a81b6	cmd/tailscaled: make the outbound HTTP/SOCKS5 proxy modular ... Updates #12614 Change-Id: Icba6f1c0838dce6ee13aa2dc662fb551813262e4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	ecfdd86fc9	net/ace, control/controlhttp: start adding ACE dialing support ... Updates tailscale/corp#32227 Change-Id: I38afc668f99eb1d6f7632e82554b82922f3ebb9f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Naman Sood	b9cda4bca5	tsnet,internal/client/tailscale: resolve OAuth into authkeys in tsnet (#17191) ... * tsnet,internal/client/tailscale: resolve OAuth into authkeys in tsnet Updates #8403. * internal/client/tailscale: omit OAuth library via build tag Updates #12614. Signed-off-by: Naman Sood <mail@nsood.in>	3 months ago
Brad Fitzpatrick	78035fb9d2	feature/featuretags,cmd/omitsize: support feature dependencies ... This produces the following omitsizes output: Starting with everything and removing a feature... tailscaled tailscale combined (linux/amd64) 27005112 18153656 39727288 - 7696384 - 7282688 -19607552 .. remove * - 167936 - 110592 - 245760 .. remove acme - 1925120 - 0 - 7340032 .. remove aws - 4096 - 0 - 8192 .. remove bird - 20480 - 12288 - 32768 .. remove capture - 0 - 57344 - 61440 .. remove completion - 249856 - 696320 - 692224 .. remove debugeventbus - 12288 - 4096 - 24576 .. remove debugportmapper - 0 - 0 - 0 .. remove desktop_sessions - 815104 - 8192 - 544768 .. remove drive - 65536 - 356352 - 425984 .. remove kube - 233472 - 286720 - 311296 .. remove portmapper (and debugportmapper) - 90112 - 0 - 110592 .. remove relayserver - 655360 - 712704 - 598016 .. remove serve (and webclient) - 937984 - 0 - 950272 .. remove ssh - 708608 - 401408 - 344064 .. remove syspolicy - 0 - 4071424 -11132928 .. remove systray - 159744 - 61440 - 225280 .. remove taildrop - 618496 - 454656 - 757760 .. remove tailnetlock - 122880 - 0 - 131072 .. remove tap - 442368 - 0 - 483328 .. remove tpm - 16384 - 0 - 20480 .. remove wakeonlan - 278528 - 368640 - 286720 .. remove webclient Starting at a minimal binary and adding one feature back... tailscaled tailscale combined (linux/amd64) 19308728 10870968 20119736 omitting everything + 352256 + 454656 + 643072 .. add acme + 2035712 + 0 + 2035712 .. add aws + 8192 + 0 + 8192 .. add bird + 20480 + 12288 + 36864 .. add capture + 0 + 57344 + 61440 .. add completion + 262144 + 274432 + 266240 .. add debugeventbus + 344064 + 118784 + 360448 .. add debugportmapper (and portmapper) + 0 + 0 + 0 .. add desktop_sessions + 978944 + 8192 + 991232 .. add drive + 61440 + 364544 + 425984 .. add kube + 331776 + 110592 + 335872 .. add portmapper + 122880 + 0 + 102400 .. add relayserver + 598016 + 155648 + 737280 .. add serve + 1142784 + 0 + 1142784 .. add ssh + 708608 + 860160 + 720896 .. add syspolicy + 0 + 4079616 + 6221824 .. add systray + 180224 + 65536 + 237568 .. add taildrop + 647168 + 393216 + 720896 .. add tailnetlock + 122880 + 0 + 126976 .. add tap + 446464 + 0 + 454656 .. add tpm + 20480 + 0 + 24576 .. add wakeonlan + 1011712 + 1011712 + 1138688 .. add webclient (and serve) Fixes #17139 Change-Id: Ia91be2da00de8481a893243d577d20e988a0920a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Esteban-Bermudez	1c9aaa444d	cmd/tailscale/cli: use helper function for matching profiles ... This makes the `switch` command use the helper `matchProfile` function that was introduced in the `remove` sub command. Signed-off-by: Esteban-Bermudez <esteban@bermudezaguirre.com>	3 months ago
Esteban-Bermudez	5e3e536c2d	cmd/tailscale/cli: add `remove` subcommand ... Fixes #12255 Add a new subcommand to `switch` for removing a profile from the local client. This does not delete the profile from the Tailscale account, but removes it from the local machine. This functionality is available on the GUI's, but not yet on the CLI. Signed-off-by: Esteban-Bermudez <esteban@bermudezaguirre.com>	3 months ago
Brad Fitzpatrick	55d0e6d3a8	net/dns/recursive: remove recursive DNS resolver ... It doesn't really pull its weight: it adds 577 KB to the binary and is rarely useful. Also, we now have static IPs and other connectivity paths coming soon enough. Updates #5853 Updates #1278 Updates tailscale/corp#32168 Change-Id: If336fed00a9c9ae9745419e6d81f7de6da6f7275 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	73c371f784	cmd/derper: permit port 80 in ACE targets ... Updates tailscale/corp#32168 Updates tailscale/corp#32226 Change-Id: Iddc017b060c76e6eab8f6d0c989a775bcaae3518 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Remy Guercio	9d661663f3	cmd/tsidp: update README with new repo location warning ... Fixes: #17170 Signed-off-by: Remy Guercio <remy@tailscale.com>	3 months ago
Brad Fitzpatrick	697098ed6c	ipn/ipnlocal: fix a case where ts_omit_ssh was still linking in x/crypto/ssh ... And add a test. Updates #12614 Change-Id: Icb1c77f5890def794a4938583725c1a0886b197d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Simon Law	6db30a10f7	cmd/tailscale: shrink QR codes using half blocks (#17084) ... When running `tailscale up --qr`, the QR code is rendered using two full blocks ██ to form a square pixel. This is a problem for people with smaller terminals, because the output is 37 lines high. All modern terminals support half block characters, like ▀ and ▄, which only takes 19 lines and can easily fit in a regular terminal window. For example, https://login.tailscale.com/a/0123456789 is now rendered: ``` user@host:~$ tailscale up --qr █████████████████████████████████████ █████████████████████████████████████ ████ ▄▄▄▄▄ █ ▀▀ █▄▀▀ ▄ █ ▄▄▄▄▄ ████ ████ █ █ █▀ ▄▄▄█▀█▄▀ ▄█ █ █ ████ ████ █▄▄▄█ ██▄ ▄▀▀▄▄ ▀▀ ▀█ █▄▄▄█ ████ ████▄▄▄▄▄▄▄█ ▀▄▀ █▄▀▄▀▄█ █▄▄▄▄▄▄▄████ ████▄█▄ ▀▄▄▄█▀▄█▀ ▀▄ ▄ ▀▀ ▀▀▄█▄ ████ ████▄▀▄▀▄█▄ █ ▄▄▄▄█▀██▀██▄▄█▀█▄▄▀████ ████▄█▀ ▀ ▄█▄▄▀▄▀█ ▄ ▄█▀█▄▀██▄ ▀▀████ █████▀ ▀ ▄▀▀▀▀▄▀▄▀▀ ▄▄ ▄ ▀ █▄ ▄████ ██████ ▄▄█▄▄▄▄▄▀ █ ▄▀▀▄█▀ █ ▄ ▀ █████ ████▄█▄▄ ▄▀ ▀██▀ ▄█▀▀████▄▀█ ██████ █████▄▄▄█▄▄▄▀▀ █▄▄▄▄▄ ▀█ ▄▄▄ ▀▀████ ████ ▄▄▄▄▄ █ ██▄ ▀ █▀█ ▄ █▄█ █▄█████ ████ █ █ █▀ █ ▀█▄▄ █▀ ▄ ▀▄▀▄████ ████ █▄▄▄█ █▄█▀█▄▀██▀██▄ ▀█▄▀▀▄▀▄████ ████▄▄▄▄▄▄▄█▄▄███▄▄▄███▄▄▄██▄██▄█████ █████████████████████████████████████ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ``` To render a QR code with full blocks, like we did in the past, use the new `--qr-format` flag: ``` user@host:~$ tailscale up --qr --qr-format=large ██████████████████████████████████████████████████████████████████████████ ██████████████████████████████████████████████████████████████████████████ ██████████████████████████████████████████████████████████████████████████ ██████████████████████████████████████████████████████████████████████████ ████████ ██ ████ ██ ████ ██ ████████ ████████ ██████████ ██ ████ ██ ██ ██████████ ████████ ████████ ██ ██ ████ ██████ ██ ██ ██ ██ ████████ ████████ ██ ██ ██ ████████ ████ ████ ██ ██ ████████ ████████ ██ ██ ████ ████ ████ ████ ██ ██ ████████ ████████ ██████████ ██████ ██ ████ ██ ██████████ ████████ ████████ ██ ██ ██ ██ ██ ██ ██ ██ ████████ ████████████████████████ ██ ████ ██ ████ ████████████████████████ ████████ ██ ██ ████ ████ ██ ████ ████ ██ ████████ ██████████████ ████████ ████ ██ ██ ██████ ████████ ████████ ██ ██ ██ ██ ██████████████ ██████ ██████████ ██████████ ██ ██████ ██ ██████████ ████ ██████████ ██████ ████████ ████████ ████ ██ ██ ██ ████ ██████ ██████ ████████████ ████████████ ████████ ██ ██ ██ ████ ████ ██████ ████████ ████████████ ██ ████████ ██ ████ ██ ██ ████████ ██████████ ██ ██ ██ ████ ██ ████ ██████████ ████████████ ██ ██ ██ ████ ████ ██ ██ ██████████ ████████████ ████████████████ ██ ██ ████ ██ ██ ██████████ ████████ ██ ██ ████████ ██████████████ ████ ████████████ ████████████████ ██ ████ ████ ██████████ ██ ████████████ ██████████ ██ ████ ██ ████ ████████████ ████████████████████████ ████████████ ██ ██████ ████████ ████████ ██ ████ ██ ██████ ██ ██ ██ ██████████ ████████ ██████████ ██ ██████ ██ ██ ██ ██████ ██████████████ ████████ ██ ██ ████ ██ ████ ████ ██ ██ ████████ ████████ ██ ██ ██ ██ ██████ ██ ██ ██ ██████████ ████████ ██ ██ ██ ██████ ████████████ ████ ████ ██ ████████ ████████ ██████████ ██████ ████ ████ ██████ ████ ██ ██████████ ████████ ██ ██████ ██████ ████ ████ ██████████ ██████████████████████████████████████████████████████████████████████████ ██████████████████████████████████████████████████████████████████████████ ██████████████████████████████████████████████████████████████████████████ ██████████████████████████████████████████████████████████████████████████ ``` Fixes #17083 Signed-off-by: Simon Law <sfllaw@tailscale.com>	3 months ago
Brad Fitzpatrick	e180fc267b	feature/featuretags, all: add ts_omit_acme to disable TLS cert support ... I'd started to do this in the earlier ts_omit_server PR but decided to split it into this separate PR. Updates #17128 Change-Id: Ief8823a78d1f7bbb79e64a5cab30a7d0a5d6ff4b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	99b3f69126	feature/portmapper: make the portmapper & its debugging tools modular ... Starting at a minimal binary and adding one feature back... tailscaled tailscale combined (linux/amd64) 30073135 17451704 31543692 omitting everything + 480302 + 10258 + 493896 .. add debugportmapper + 475317 + 151943 + 467660 .. add portmapper + 500086 + 162873 + 510511 .. add portmapper+debugportmapper Fixes #17148 Change-Id: I90bd0e9d1bd8cbe64fa2e885e9afef8fb5ee74b1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Claus Lensbøl	2015ce4081	health,ipn/ipnlocal: introduce eventbus in heath.Tracker (#17085) ... The Tracker was using direct callbacks to ipnlocal. This PR moves those to be triggered via the eventbus. Additionally, the eventbus is now closed on exit from tailscaled explicitly, and health is now a SubSystem in tsd. Updates #15160 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	3 months ago
Brad Fitzpatrick	4cca9f7c67	all: add ts_omit_serve, start making tailscale serve/funnel be modular ... tailscaled tailscale combined (linux/amd64) 29853147 17384418 31412596 omitting everything + 621570 + 219277 + 554256 .. add serve Updates #17128 Change-Id: I87c2c6c3d3fc2dc026c3de8ef7000a813b41d31c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	09dfd94613	cmd/omitsize: fix the --features flag ... When you say --features=foo,bar, that was supposed to mean to only show features "foo" and "bar" in the table. But it was also being used as the set of all features that are omittable, which was wrong, leading to misleading numbers when --features was non-empty. Updates #12614 Change-Id: Idad2fa67fb49c39454032e84a3dede967890fdf5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	17ffa80138	feature/featuretags: add auto-generated constants for all modular features ... So code (in upcoming PRs) can test for the build tags with consts and get dead code elimination from the compiler+linker. Updates #12614 Change-Id: If6160453ffd01b798f09894141e7631a93385941 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
David Bond	782c16c513	k8s-operator: reset service status before append (#17120) ... This commit fixes an issue within the service reconciler where we end up in a constant reconciliation loop. When reconciling, the loadbalancer status is appended to but not reset between each reconciliation, leading to an ever growing slice of duplicate statuses. Fixes https://github.com/tailscale/tailscale/issues/17105 Fixes https://github.com/tailscale/tailscale/issues/17107 Signed-off-by: David Bond <davidsbond93@gmail.com>	3 months ago
Brad Fitzpatrick	7d2101f352	cmd/omitsize: add flag to disable the removal table ... And remove a bogus omit feature from feature/featuretags. Updates #12614 Change-Id: I0a08183fb75c73ae75b6fd4216d134e352dcf5a0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	0cc1b2ff76	cmd/derper: add start of ACE support ... Updates tailscale/corp#32168 Updates tailscale/corp#32226 Change-Id: Ia46abcaa09dcfd53bf8d4699909537bacf84d57a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	3a49b7464c	all: add ts_omit_tailnetlock as a start of making it build-time modular ... Updates #17115 Change-Id: I6b083c0db4c4d359e49eb129d626b7f128f0a9d2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	0e3d942e39	feature/featuretags: move list of omit-able features to a Go package ... Updates #12614 Change-Id: I4012c33095c6a7ccf80ad36dbab5cedbae5b3d47 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	a1dcf12b67	feature/drive: start factoring out Taildrive, add ts_omit_drive build tag ... As of this commit (per the issue), the Taildrive code remains where it was, but in new files that are protected by the new ts_omit_drive build tag. Future commits will move it. Updates #17058 Change-Id: Idf0a51db59e41ae8da6ea2b11d238aefc48b219e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	921d77062e	cmd/omitsize: add tool to dump build sizes ... Updates #12614 Change-Id: I8f85d7275bc8eecedbabe6631b50e1cf70791d2d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Tom Proctor	1ec3d20d10	cmd/k8s-operator: simplify scope of e2e tests (#17076) ... Removes ACL edits from e2e tests in favour of trying to simplify the tests and separate the actual test logic from the environment setup logic as much as possible. Also aims to fit in with the requirements that will generally be filled anyway for most devs working on the operator; in particular using tags that fit in with our documentation. Updates tailscale/corp#32085 Change-Id: I7659246e39ec0b7bcc4ec0a00c6310f25fe6fac2 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	3 months ago
nikiUppal-TS	88d7db33da	cmd/tailscale: use tailnet display name on cli (#17079) ... Updates cli to use tailnet display name Updates tailscale/corp#32108 Signed-off-by: nikiUppal-TS <nikita@tailscale.com>	3 months ago
Brad Fitzpatrick	f1ded84454	cmd/tailscaled: add disabled debug file to force reflect for binary size experiments ... This adds a file that's not compiled by default that exists just to make it easier to do binary size checks, probing what a binary would be like if it included reflect methods (as used by html/template, etc). As an example, once tailscaled uses reflect.Type.MethodByName(non-const-string) anywhere, the build jumps up by 14.5 MB: $ GOOS=linux GOARCH=amd64 ./tool/go build -tags=ts_include_cli,ts_omit_webclient,ts_omit_systray,ts_omit_debugeventbus -o before ./cmd/tailscaled $ GOOS=linux GOARCH=amd64 ./tool/go build -tags=ts_include_cli,ts_omit_webclient,ts_omit_systray,ts_omit_debugeventbus,ts_debug_forcereflect -o after ./cmd/tailscaled $ ls -l before after -rwxr-xr-x@ 1 bradfitz staff 41011861 Sep 9 07:28 before -rwxr-xr-x@ 1 bradfitz staff 55610948 Sep 9 07:29 after This is particularly pronounced with large deps like the AWS SDK. If you compare using ts_omit_aws: -rwxr-xr-x@ 1 bradfitz staff 38284771 Sep 9 07:40 no-aws-no-reflect -rwxr-xr-x@ 1 bradfitz staff 45546491 Sep 9 07:41 no-aws-with-reflect That means adding AWS to a non-reflect binary adds 2.7 MB but adding AWS to a reflect binary adds 10 MB. Updates #17063 Updates #12614 Change-Id: I18e9b77c9cf33565ce5bba65ac5584fa9433f7fb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Alex Chan	f4ae81e015	tsnet: remove APIClient() which is deprecated and now unused (#17073) ... Updates tailscale/corp#22748 Signed-off-by: Alex Chan <alexc@tailscale.com>	3 months ago
Brad Fitzpatrick	3e4b0c1516	cmd/tailscale, ipn/ipnlocal: add ts_omit_webclient ... Fixes #17063 Updates #12614 Change-Id: I0a189f6a4d1c4558351e3195839867725774fa96 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Alex Chan	71cb6d4cbd	cmd/tailscale/cli, derp: use client/local instead of deprecated client/tailscale (#17061) ... * cmd/tailscale/cli: use client/local instead of deprecated client/tailscale Updates tailscale/corp#22748 Signed-off-by: Alex Chan <alexc@tailscale.com> * derp: use client/local instead of deprecated client/tailscale Updates tailscale/corp#22748 Signed-off-by: Alex Chan <alexc@tailscale.com> --------- Signed-off-by: Alex Chan <alexc@tailscale.com>	3 months ago
Alex Chan	ff8900583c	cmd/tailscale/cli: fix the spelling of "routes" (#17039) ... Updates #cleanup Signed-off-by: Alex Chan <alexc@tailscale.com>	3 months ago
Mike O'Driscoll	23297da10d	cmd/tailscale/cli: add new line for set --webclient (#17043) ... Fixes #17042 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	3 months ago
David Bond	624cdd2961	cmd/containerboot: do not reset state on non-existant secret (#17021) ... This commit modifies containerboot's state reset process to handle the state secret not existing. During other parts of the boot process we gracefully handle the state secret not being created yet, but missed that check within `resetContainerbootState` Fixes https://github.com/tailscale/tailscale/issues/16804 Signed-off-by: David Bond <davidsbond93@gmail.com>	3 months ago
David Bond	04f00339b6	cmd/k8s-operator: update connector example (#17020) ... This commit modifies the connector example to use the new hostname prefix and replicas fields Signed-off-by: David Bond <davidsbond93@gmail.com>	3 months ago
Brad Fitzpatrick	21f21bd2a2	util/syspolicy: finish adding ts_omit_syspolicy build tags, tests ... Fixes #16998 Updates #12614 Change-Id: Idf2b1657898111df4be31f356091b2376d0d7f0b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	2b3e533048	util/syspolicy: finish plumbing policyclient, add feature/syspolicy, move global impl ... This is step 4 of making syspolicy a build-time feature. This adds a policyclient.Get() accessor to return the correct implementation to use: either the real one, or the no-op one. (A third type, a static one for testing, also exists, so in general a policyclient.Client should be plumbed around and not always fetched via policyclient.Get whenever possible, especially if tests need to use alternate syspolicy) Updates #16998 Updates #12614 Change-Id: Iaf19670744a596d5918acfa744f5db4564272978 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	2434bc69fc	util/syspolicy/{setting,ptype}: move PreferenceOption and Visibility to new leaf package ... Step 3 in the series. See earlier cc532efc20 and d05e6dc09e. This step moves some types into a new leaf "ptype" package out of the big "settings" package. The policyclient.Client will later get new methods to return those things (as well as Duration and Uint64, which weren't done at the time of the earlier prototype). Updates #16998 Updates #12614 Change-Id: I4d72d8079de3b5351ed602eaa72863372bd474a2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Percy Wegmann	42a215e12a	cmd/tailscale/cli: prompt for y/n when attempting risky action ... Previously, when attempting a risky action, the CLI printed a 5 second countdown saying "Continuing in 5 seconds...". When the countdown finished, the CLI aborted rather than continuing. To avoid confusion, but also avoid accidentally continuing if someone (or an automated process) fails to manually abort within the countdown, we now explicitly prompt for a y/n response on whether or not to continue. Updates #15445 Co-authored-by: Kot C <kot@kot.pink> Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Brad Fitzpatrick	61d3693e61	cmd/tailscale/cli: add a debug command to force a risky action ... For testing risky action flows. Updates #15445 Change-Id: Id81e54678a1fe5ccedb5dd9c6542ff48c162b349 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
David Bond	12ad630128	cmd/k8s-operator: allow specifying replicas for connectors (#16721) ... This commit adds a `replicas` field to the `Connector` custom resource that allows users to specify the number of desired replicas deployed for their connectors. This allows users to deploy exit nodes, subnet routers and app connectors in a highly available fashion. Fixes #14020 Signed-off-by: David Bond <davidsbond93@gmail.com>	3 months ago
Brad Fitzpatrick	d05e6dc09e	util/syspolicy/policyclient: add policyclient.Client interface, start plumbing ... This is step 2 of ~4, breaking up #14720 into reviewable chunks, with the aim to make syspolicy be a build-time configurable feature. Step 1 was #16984. In this second step, the util/syspolicy/policyclient package is added with the policyclient.Client interface. This is the interface that's always present (regardless of build tags), and is what code around the tree uses to ask syspolicy/MDM questions. There are two implementations of policyclient.Client for now: 1) NoPolicyClient, which only returns default values. 2) the unexported, temporary 'globalSyspolicy', which is implemented in terms of the global functions we wish to later eliminate. This then starts to plumb around the policyclient.Client to most callers. Future changes will plumb it more. When the last of the global func callers are gone, then we can unexport the global functions and make a proper policyclient.Client type and constructor in the syspolicy package, removing the globalSyspolicy impl out of tsd. The final change will sprinkle build tags in a few more places and lock it in with dependency tests to make sure the dependencies don't later creep back in. Updates #16998 Updates #12614 Change-Id: Ib2c93d15c15c1f2b981464099177cd492d50391c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	cc532efc20	util/syspolicy/*: move syspolicy keys to new const leaf "pkey" package ... This is step 1 of ~3, breaking up #14720 into reviewable chunks, with the aim to make syspolicy be a build-time configurable feature. In this first (very noisy) step, all the syspolicy string key constants move to a new constant-only (code-free) package. This will make future steps more reviewable, without this movement noise. There are no code or behavior changes here. The future steps of this series can be seen in #14720: removing global funcs from syspolicy resolution and using an interface that's plumbed around instead. Then adding build tags. Updates #12614 Change-Id: If73bf2c28b9c9b1a408fe868b0b6a25b03eeabd1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Remy Guercio	89fe2e1f12	cmd/tsidp: add allow-insecure-no-client-registration and JSON file migration (#16881) ... Add a ternary flag that unless set explicitly to false keeps the insecure behavior of TSIDP. If the flag is false, add functionality on startup to migrate oidc-funnel-clients.json to oauth-clients.json if it doesn’t exist. If the flag is false, modify endpoints to behave similarly regardless of funnel, tailnet, or localhost. They will all verify client ID & secret when appropriate per RFC 6749. The authorize endpoint will no longer change based on funnel status or nodeID. Add extra tests verifying TSIDP endpoints behave as expected with the new flag. Safely create the redirect URL from what's passed into the authorize endpoint. Fixes #16880 Signed-off-by: Remy Guercio <remy@tailscale.com>	3 months ago
Joe Tsai	3aea0e095a	syncs: delete WaitGroup and use sync.WaitGroup.Go in Go 1.25 ... Our own WaitGroup wrapper type was a prototype implementation for the Go method on the standard sync.WaitGroup type. Now that there is first-class support for Go, we should migrate over to using it and delete syncs.WaitGroup. Updates #cleanup Updates tailscale/tailscale#16330 Change-Id: Ib52b10f9847341ce29b4ca0da927dc9321691235 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	3 months ago
James Tucker	f5d3c59a92	wgengine/magicsock: shorten process internal DERP queue ... DERP writes go via TCP and the host OS will have plenty of buffer space. We've observed in the wild with a backed up TCP socket kernel side buffers of >2.4MB. The DERP internal queue being larger causes an increase in the probability that the contents of the backbuffer are "dead letters" - packets that were assumed to be lost. A first step to improvement is to size this queue only large enough to avoid some of the initial connect stall problem, but not large enough that it is contributing in a substantial way to buffer bloat / dead-letter retention. Updates tailscale/corp#31762 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
James Tucker	d42f0b6a21	util/ringbuffer: rename to ringlog ... I need a ringbuffer in the more traditional sense, one that has a notion of item removal as well as tail loss on overrun. This implementation is really a clearable log window, and is used as such where it is used. Updates #cleanup Updates tailscale/corp#31762 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
Maisem Ali	882b05fff9	cmd/viewer: add field comments to generated view methods ... Extract field comments from AST and include them in generated view methods. Comments are preserved from the original struct fields to provide documentation for the view accessors. Fixes #16958 Signed-off-by: Maisem Ali <3953239+maisem@users.noreply.github.com>	3 months ago
Patrick O'Doherty	c5429cd49c	go.toolchain.branch: bump to go1.25 (#16954) ... go.toolchain.rev: bump go1.25 version flake.nix: bump Go to 1.25 Updates #16330 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	3 months ago
Aaron Klotz	b5f834aef8	cmd/tailscaled: add Dnscache as a service dependency ... Updates https://github.com/tailscale/corp/issues/30961 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	3 months ago
Claus Lensbøl	fafb514538	client/systray: go back to using upstream library (#16938) ... We had a fix in a local branch, but upstream has merged it now. Updates #1708 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	3 months ago
Kot C	4236a759f3	cmd/tsidp: Add Docker image to README (#16915) ... Signed-off-by: Kot C <kot@kot.pink>	3 months ago
Need-an-AwP	b558f81a82	fix: invalid memory address or nil pointer dereference (#16922) ... Signed-off-by: Need-an-AwP <113933967+Need-an-AwP@users.noreply.github.com>	3 months ago
Tom Proctor	3eeecb4c7f	cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode (#16919) ... The serve code leaves it up to the system's DNS resolver and netstack to figure out how to reach the proxy destination. Combined with k8s-proxy running in userspace mode, this means we can't rely on MagicDNS being available or tailnet IPs being routable. I'd like to implement that as a feature for serve in userspace mode, but for now the safer fix to get kube-apiserver ProxyGroups consistently working in all environments is to switch to using localhost as the proxy target instead. This has a small knock-on in the code that does WhoIs lookups, which now needs to check the X-Forwarded-For header that serve populates to get the correct tailnet IP to look up, because the request's remote address will be loopback. Fixes #16920 Change-Id: I869ddcaf93102da50e66071bb00114cc1acc1288 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	3 months ago
Jordan Whited	b17cfe4aed	wgengine/magicsock,net/sockopts: export Windows ICMP suppression logic (#16917) ... For eventual use by net/udprelay.Server. Updates tailscale/corp#31506 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Jordan Whited	cf739256ca	net/udprelay: increase socket buffer size (#16910) ... This increases throughput over long fat networks, and in the presence of crypto/syscall-induced delay. Updates tailscale/corp#31164 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Mike O'Driscoll	e296a6be8d	cmd/tsidp: update oidc-funnel-clients.json store path (#16845) ... Update odic-funnel-clients.json to take a path, this allows setting the location of the file and prevents it from landing in the root directory or users home directory. Move setting of rootPath until after tsnet has started. Previously this was added for the lazy creation of the oidc-key.json. It's now needed earlier in the flow. Updates #16734 Fixes #16844 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	4 months ago
Jordan Whited	641a90ea33	net/sockopts,wgengine/magicsock: export socket buffer sizing logic (#16909) ... For eventual use by net/udprelay.Server Updates tailscale/corp#31164 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Fran Bull	b48d2de6ab	cmd/natc,tsconsensus: add cluster config admin ... Add the ability for operators of natc in consensus mode to remove servers from the raft cluster config, without losing other state. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	4 months ago
Fran Bull	d986baa18f	tsconsensus,cmd/natc: add 'follower only' bootstrap option ... Currently consensus has a bootstrap routine where a tsnet node tries to join each other node with the cluster tag, and if it is not able to join any other node it starts its own cluster. That algorithm is racy, and can result in split brain (more than one leader/cluster) if all the nodes for a cluster are started at the same time. Add a FollowOnly argument to the bootstrap function. If provided this tsnet node will never lead, it will try (and retry with exponential back off) to follow any node it can contact. Add a --follow-only flag to cmd/natc that uses this new tsconsensus functionality. Also slightly reorganize some arguments into opts structs. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	4 months ago
Jordan Whited	d4b7200129	net/udprelay: use batching.Conn (#16866) ... This significantly improves throughput of a peer relay server on Linux. Server.packetReadLoop no longer passes sockets down the stack. Instead, packet handling methods return a netip.AddrPort and []byte, which packetReadLoop gathers together for eventual batched writes on the appropriate socket(s). Updates tailscale/corp#31164 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Mike O'Driscoll	6d45663dd4	cmd/derpprobe,prober: add run all probes handler (#16875) ... Add a Run all probes handler that executes all probes except those that are continuous or the derpmap probe. This is leveraged by other tooling to confirm DERP stability after a deploy. Updates tailscale/corp#27370 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	4 months ago
Percy Wegmann	192fa6f05d	{cmd/dist,release/dist}: add support for intermediary QNAP signing certificates ... Updates #23528 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Joe Tsai	fbb91758ac	cmd/viewer, types/views: implement support for json/v2 (#16852) ... This adds support for having every viewer type implement jsonv2.MarshalerTo and jsonv2.UnmarshalerFrom. This provides a significant boost in performance as the json package no longer needs to validate the entirety of the JSON value outputted by MarshalJSON, nor does it need to identify the boundaries of a JSON value in order to call UnmarshalJSON. For deeply nested and recursive MarshalJSON or UnmarshalJSON calls, this can improve runtime from O(N²) to O(N). This still references "github.com/go-json-experiment/json" instead of the experimental "encoding/json/v2" package now available in Go 1.25 under goexperiment.jsonv2 so that code still builds without the experiment tag. Of note, the "github.com/go-json-experiment/json" package aliases the standard library under the right build conditions. Updates tailscale/corp#791 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	4 months ago
Jordan Whited	16bc0a5558	net/{batching,packet},wgengine/magicsock: export batchingConn (#16848) ... For eventual use by net/udprelay.Server. Updates tailscale/corp#31164 Signed-off-by: Jordan Whited <jordan@tailscale.com>	4 months ago
Andrew Lytvynov	f22c7657e5	cmd/tailscale: add --json-docs flag (#16851) ... This prints all command and flag docs as JSON. To be used for generating the contents of https://tailscale.com/kb/1080/cli. Updates https://github.com/tailscale/tailscale-www/issues/4722 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	4 months ago
M. J. Fromberger	ee0c7b05a5	cmd/tailscale: fix a panic in netcheck portmapper construction (#16843) ... This affects the 1.87.33 unstable release. Updates #16842 Updates #15160 Change-Id: Ie6d1b2c094d1a6059fbd1023760567900f06e0ad Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	4 months ago
Claus Lensbøl	5297dc3baf	cmd/tailscale/cli: move systray configuration to tailscale configure (#16817) ... Updates #1708 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	4 months ago
Claus Lensbøl	3fe022877a	client/systray: temporarily replace systray module (#16807) ... We are waiting for a PR to be reviewed upstream. https://github.com/fyne-io/systray/pull/100 Updates #1708 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	4 months ago
Claus Lensbøl	89954fbceb	client/systray: add startup script generator for systemd (#16801) ... Updates #1708 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	4 months ago
Andrew Lytvynov	f80ea92030	.github/workflows: enforce github action version pinning (#16768) ... Use https://github.com/stacklok/frizbee via the new `go tool` support from Go 1.24. Updates https://github.com/tailscale/corp/issues/31017 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	4 months ago
Will Norris	9f29c428f4	client/systray: allow specifying tailscaled socket ... Pass a local.Client to systray.Run, so we can use the existing global localClient in the cmd/tailscale CLI. Add socket flag to cmd/systray. Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	4 months ago
Claus Lensbøl	5bb42e3018	wgengine/router: rely on events for deleted IP rules (#16744) ... Adds the eventbus to the router subsystem. The event is currently only used on linux. Also includes facilities to inject events into the bus. Updates #15160 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	4 months ago
Will Norris	834630fedf	cmd/tailscale: add systray subcommand on Linux builds ... This will start including the sytray app in unstable builds for Linux, unless the `ts_omit_systray` build flag is specified. If we decide not to include it in the v1.88 release, we can pull it back out or restrict it to unstable builds. Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	4 months ago
Lee Briggs	f2fd7a0514	cmd/k8s-operator,k8s-operator: allow setting a `priorityClassName` (#16685) ... * cmd/k8s-operator,k8s-operator: allow setting a `priorityClassName` Fixes #16682 Signed-off-by: Lee Briggs <lee@leebriggs.co.uk> * Update k8s-operator/apis/v1alpha1/types_proxyclass.go Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com> Signed-off-by: Lee Briggs <jaxxstorm@users.noreply.github.com> * run make kube-generate-all Change-Id: I5f8f16694fdc181b048217b9f05ec2ee2aa04def Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com> --------- Signed-off-by: Lee Briggs <lee@leebriggs.co.uk> Signed-off-by: Lee Briggs <jaxxstorm@users.noreply.github.com> Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com> Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>	4 months ago
Mike O'Driscoll	47b5f10165	cmd/tsidp,tsnet: update tsidp oidc-key store path (#16735) ... The tsidp oidc-key.json ended up in the root directory or home dir of the user process running it. Update this to store it in a known location respecting the TS_STATE_DIR and flagDir options. Fixes #16734 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	4 months ago
KevinLiang10	e37432afb7	cmd/tailscale/cli: update message for disable service (#16705) ... This commit update the message for recommanding clear command after running serve for service. Instead of a flag, we pass the service name as a parameter. Fixes tailscale/corp#30846 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	4 months ago
Raj Singh	e300a00058	cmd/k8s-operator: Enhance DNS record handling for ProxyGroup egress services (#16181) ... This update introduces support for DNS records associated with ProxyGroup egress services, ensuring that the ClusterIP Service IP is used instead of Pod IPs. Fixes #15945 Signed-off-by: Raj Singh <raj@tailscale.com>	4 months ago
Aaron Klotz	bfebf870ae	cmd/tailscaled: update installSystemDaemonWindows to set the correct system service depndencies ... Fixes #16658 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	4 months ago
Danni Popova	c572442548	cmd/tailscale: allow SSH to IPs or DNS names without MagicDNS (#16591) ... fixes #16381 Signed-off-by: Danni Popova <danni@tailscale.com>	4 months ago
Nick Khyl	c87f44b687	cmd/tailscale/cli: use DNS name instead of Location to hide Mullvad exit nodes from status output ... Previously, we used a non-nil Location as an indicator that a peer is a Mullvad exit node. However, this is not, or no longer, reliable, since regular exit nodes may also have a non-nil Location, such as when traffic steering is enabled for a tailnet. In this PR, we update the plaintext `tailscale status` output to omit only Mullvad exit nodes, rather than all exit nodes with a non-nil Location. The JSON output remains unchanged and continues to include all peers. Updates tailscale/corp#30614 Signed-off-by: Nick Khyl <nickk@tailscale.com>	4 months ago
KevinLiang10	1ae6a97a73	cmd/tailscale/cli: add advertise command to advertise a node as service proxy to tailnet (#16620) ... This commit adds a advertise subcommand for tailscale serve, that would declare the node as a service proxy for a service. This command only adds the service to node's list of advertised service, but doesn't modify the list of services currently advertised. Fixes tailscale/corp#28016 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	5 months ago
KevinLiang10	19faaff95c	cmd/tailscale/cli: revert key for web config for services to FQDN (#16627) ... This commit reverts the key of Web field in ipn.ServiceConfig to use FQDN instead of service name for the host part of HostPort. This change is because k8s operator already build base on the assumption of the part being FQDN. We don't want to break the code with dependency. Fixes tailscale/corp#30695 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	5 months ago
David Bond	4494705496	cmd/{k8s-proxy,containerboot,k8s-operator},kube: add health check and metrics endpoints for k8s-proxy (#16540) ... * Modifies the k8s-proxy to expose health check and metrics endpoints on the Pod's IP. * Moves cmd/containerboot/healthz.go and cmd/containerboot/metrics.go to /kube to be shared with /k8s-proxy. Updates #13358 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
Tom Proctor	22a8e0ac50	cmd/{k8s-operator,k8s-proxy},kube: use consistent type for auth mode config (#16626) ... Updates k8s-proxy's config so its auth mode config matches that we set in kube-apiserver ProxyGroups for consistency. Updates #13358 Change-Id: I95e29cec6ded2dc7c6d2d03f968a25c822bc0e01 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
Tom Proctor	6f7e78b10f	cmd/tailscale/cli: make configure kubeconfig accept Tailscale Services (#16601) ... The Kubernetes API server proxy is getting the ability to serve on a Tailscale Service instead of individual node names. Update the configure kubeconfig sub-command to accept arguments that look like a Tailscale Service. Note, we can't know for sure whether a peer is advertising a Tailscale Service, we can only guess based on the ExtraRecords in the netmap and that IP showing up in a peer's AllowedIPs. Also adds an --http flag to allow targeting individual proxies that can be adverting on http for their node name, and makes the command a bit more forgiving on the range of inputs it accepts and how eager it is to print the help text when the input is obviously wrong. Updates #13358 Change-Id: Ica0509c6b2c707252a43d7c18b530ec1acf7508f Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
David Bond	c989824aac	cmd/k8s-operator: Allow specifying cluster ips for nameservers (#16477) ... This commit modifies the kubernetes operator's `DNSConfig` resource with the addition of a new field at `nameserver.service.clusterIP`. This field allows users to specify a static in-cluster IP address of the nameserver when deployed. Fixes #14305 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
Tom Proctor	f421907c38	all-kube: create Tailscale Service for HA kube-apiserver ProxyGroup (#16572) ... Adds a new reconciler for ProxyGroups of type kube-apiserver that will provision a Tailscale Service for each replica to advertise. Adds two new condition types to the ProxyGroup, TailscaleServiceValid and TailscaleServiceConfigured, to post updates on the state of that reconciler in a way that's consistent with the service-pg reconciler. The created Tailscale Service name is configurable via a new ProxyGroup field spec.kubeAPISserver.ServiceName, which expects a string of the form "svc:<dns-label>". Lots of supporting changes were needed to implement this in a way that's consistent with other operator workflows, including: * Pulled containerboot's ensureServicesUnadvertised and certManager into kube/ libraries to be shared with k8s-proxy. Use those in k8s-proxy to aid Service cert sharing between replicas and graceful Service shutdown. * For certManager, add an initial wait to the cert loop to wait until the domain appears in the devices's netmap to avoid a guaranteed error on the first issue attempt when it's quick to start. * Made several methods in ingress-for-pg.go and svc-for-pg.go into functions to share with the new reconciler * Added a Resource struct to the owner refs stored in Tailscale Service annotations to be able to distinguish between Ingress- and ProxyGroup- based Services that need cleaning up in the Tailscale API. * Added a ListVIPServices method to the internal tailscale client to aid cleaning up orphaned Services * Support for reading config from a kube Secret, and partial support for config reloading, to prevent us having to force Pod restarts when config changes. * Fixed up the zap logger so it's possible to set debug log level. Updates #13358 Change-Id: Ia9607441157dd91fb9b6ecbc318eecbef446e116 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
KevinLiang10	5adde9e3f3	cmd/tailscale/cli: remove advertise command (#16592) ... This commit removes the advertise command for service. The advertising is now embedded into serve command and unadvertising is moved to drain subcommand Fixes tailscale/corp#22954 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	5 months ago
KevinLiang10	e01618a7c4	cmd/tailscale/cli: Add clear subcommand for serve services (#16509) ... * cmd/tailscale/cli: add clear subcommand for serve services This commit adds a clear subcommand for serve command, to remove all config for a passed service. This is a short cut for user to remove services after they drain a service. As an indipendent command it would avoid accidently remove a service on typo. Updates tailscale/corp#22954 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * update regarding comments Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * log when clearing a non-existing service but not error Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> --------- Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	5 months ago
KevinLiang10	871f73d992	Kevin/add drain sub command for serve services (#16502) ... * cmd/tailscale/cli: add drain subCommand for serve This commit adds the drain subcommand for serving services. After we merge advertise and serve service as one step, we now need a way to unadvertise service and this is it. Updates tailscale/corp#22954 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * move runServeDrain and some update regarding pr comments Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * some code structure change Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> --------- Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	5 months ago
Claus Lensbøl	d334d9ba07	client/local,cmd/tailscale/cli,ipn/localapi: expose eventbus graph (#16597) ... Make it possible to dump the eventbus graph as JSON or DOT to both debug and document what is communicated via the bus. Updates #15160 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	5 months ago
KevinLiang10	e7238efafa	cmd/tailscale/cli: Add service flag to serve command (#16191) ... * cmd/tailscale/cli: Add service flag to serve command This commit adds the service flag to serve command which allows serving a service and add the service to the advertisedServices field in prefs (What advertise command does that will be removed later). When adding proxies, TCP proxies and WEB proxies work the same way as normal serve, just under a different DNSname. There is a services specific L3 serving mode called Tun, can be set via --tun flag. Serving a service is always in --bg mode. If --bg is explicitly set t o false, an error message will be sent out. The restriction on proxy target being localhost or 127.0.0.1 also applies to services. When removing proxies, TCP proxies can be removed with type and port flag and off argument. Web proxies can be removed with type, port, setPath flag and off argument. To align with normal serve, when setPath is not set, all handler under the hostport will be removed. When flags are not set but off argument was passed by user, it will be a noop. Removing all config for a service will be available later with a new subcommand clear. Updates tailscale/corp#22954 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: fix ai comments and fix a test Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: Add a test for addServiceToPrefs Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: fix comment Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * add dnsName in error message Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * change the cli input flag variable type Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * replace FindServiceConfig with map lookup Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * some code simplification and add asServiceName This commit cotains code simplification for IsServingHTTPS, SetWebHandler, SetTCPForwarding Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * replace IsServiceName with tailcfg.AsServiceName Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * replace all assemble of host name for service with strings.Join Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: adjust parameter order and update output message This commit updates the parameter order for IsTCPForwardingOnPort and SetWebHandler. Also updated the message msgServiceIPNotAssigned to msgServiceWaitingApproval to adapt to latest terminologies around services. Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: flip bool condition This commit fixes a previous bug added that throws error when serve funnel without service. It should've been the opposite, which throws error when serve funnel with service. Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: change parameter of IsTCPForwardingOnPort This commit changes the dnsName string parameter for IsTCPForwardingOnPort to svcName tailcfg.ServiceName. This change is made to reduce ambiguity when a single service might have different dnsNames Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * ipn/ipnlocal: replace the key to webHandler for services This commit changes the way we get the webhandler for vipServices. It used to use the host name from request to find the webHandler, now everything targeting the vipService IP have the same set of handlers. This commit also stores service:port instead of FQDN:port as the key in serviceConfig for Web map. Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: Updated use of service name. This commit removes serviceName.IsEmpty and use direct comparison to instead. In legacy code, when an empty service name needs to be passed, a new constant noService is passed. Removed redundant code for checking service name validity and string method for serviceNameFlag. Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: Update bgBoolFlag This commit update field name, set and string method of bgBoolFlag to make code cleaner. Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: remove isDefaultService output from srvTypeAndPortFromFlags This commit removes the isDefaultService out put as it's no longer needed. Also deleted redundant code. Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: remove unnessesary variable declare in messageForPort Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * replace bool output for AsServiceName with err Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: Replace DNSName with NoService if DNSname only used to identify service This commit moves noService constant to tailcfg, updates AsServiceName to return tailcfg.NoService if the input is not a valid service name. This commit also removes using the local DNSName as scvName parameter. When a function is only using DNSName to identify if it's working with a service, the input in replaced with svcName and expect caller to pass tailcfg.NoService if it's a local serve. This commit also replaces some use of Sprintf with net.JoinHostPort for ipn.HostPort creation. Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: Remove the returned error for AsServiceName Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * apply suggested code and comment Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * replace local dnsName in test with tailcfg.NoService Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * cmd/tailscale/cli: move noService back and use else where The constant serves the purpose of provide readability for passing as a function parameter. It's more meaningful comparing to a . It can just be an empty string in other places. Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> * ipn: Make WebHandlerExists and RemoveTCPForwarding accept svcName This commit replaces two functions' string input with svcName input since they only use the dnsName to identify service. Also did some minor cleanups Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com> --------- Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	5 months ago
Jordan Whited	3c6d17e6f1	cmd/tailscale/cli,ipn/ipnlocal,wgengine/magicsock: implement tailscale debug peer-relay-servers (#16577) ... Updates tailscale/corp#30036 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Tom Meadows	fe46f33885	cmd/{k8s-operator,k8s-proxy},kube/k8s-proxy: add static endpoints for kube-apiserver type ProxyGroups (#16523) ... Updates #13358 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	5 months ago
Simon Law	f23e4279c4	types/lazy: add lazy.GMap: a map of lazily computed GValues (#16532) ... Fixes tailscale/corp#30360 Signed-off-by: Simon Law <sfllaw@tailscale.com>	5 months ago
Andrew Lytvynov	39bf84d1c7	cmd/tsidp: set hostinfo.App in tsnet mode (#16544) ... This makes it easier to track how widely tsidp is used in practice. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Brad Fitzpatrick	30da2e1c32	cmd/tailscale/cli: add "configure jetkvm" subcommand ... To write the init script. And fix the JetKVM detection to work during early boot while the filesystem and modules are still being loaded; it wasn't being detected on early boot and then tailscaled was failing to start because it didn't know it was on JetKVM and didn't modprobe tun. Updates #16524 Change-Id: I0524ca3abd7ace68a69af96aab4175d32c07e116 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	5 months ago
Dylan Bargatze	fed72e2aa9	cmd/tailscale, ipn/ipnstate, wgengine/magicsock: update ping output for peer relay (#16515) ... Updates the output for "tailscale ping" to indicate if a peer relay was traversed, just like the output for DERP or direct connections. Fixes tailscale/corp#30034 Signed-off-by: Dylan Bargatze <dylan@tailscale.com>	5 months ago
Brad Fitzpatrick	fbc6a9ec5a	all: detect JetKVM and specialize a handful of things for it ... Updates #16524 Change-Id: I183428de8c65d7155d82979d2d33f031c22e3331 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	5 months ago
David Bond	d0cafc0a67	cmd/{k8s-operator,k8s-proxy}: apply accept-routes configuration to k8s-proxy (#16522) ... This commit modifies the k8s-operator and k8s-proxy to support passing down the accept-routes configuration from the proxy class as a configuration value read and used by the k8s-proxy when ran as a distinct container managed by the operator. Updates #13358 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
David Bond	2b665c370c	cmd/{k8s-operator,k8s-proxy}: allow setting login server url (#16504) ... This commit modifies the k8s proxy application configuration to include a new field named `ServerURL` which, when set, modifies the tailscale coordination server used by the proxy. This works in the same way as the operator and the proxies it deploys. If unset, the default coordination server is used. Updates https://github.com/tailscale/tailscale/issues/13358 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
David Bond	cf0460b9da	cmd/k8s-operator: allow letsencrypt staging on k8s proxies (#16521) ... This commit modifies the operator to detect the usage of k8s-apiserver type proxy groups that wish to use the letsencrypt staging directory and apply the appropriate environment variable to the statefulset it produces. Updates #13358 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
Jordan Whited	ae8641735d	cmd/tailscale/cli,ipn/ipnstate,wgengine/magicsock: label peer-relay (#16510) ... Updates tailscale/corp#30033 Signed-off-by: Jordan Whited <jordan@tailscale.com>	5 months ago
Nick Khyl	c5fdf9e1db	cmd/tailscale/cli: add support for tailscale {up,set} --exit-node=auto:any ... If the specified exit node string starts with "auto:" (i.e., can be parsed as an ipn.ExitNodeExpression), we update ipn.Prefs.AutoExitNode instead of ipn.Prefs.ExitNodeID. Fixes #16459 Signed-off-by: Nick Khyl <nickk@tailscale.com>	5 months ago
Tom Proctor	27fa2ad868	cmd/k8s-operator: don't require generation for Available condition (#16497) ... The observed generation was set to always 0 in #16429, but this had the knock-on effect of other controllers considering ProxyGroups never ready because the observed generation is never up to date in proxyGroupCondition. Make sure the ProxyGroupAvailable function does not requires the observed generation to be up to date, and add testing coverage to catch regressions. Updates #16327 Change-Id: I42f50ad47dd81cc2d3c3ce2cd7b252160bb58e40 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
Tom Proctor	4dfed6b146	cmd/{k8s-operator,k8s-proxy}: add kube-apiserver ProxyGroup type (#16266) ... Adds a new k8s-proxy command to convert operator's in-process proxy to a separately deployable type of ProxyGroup: kube-apiserver. k8s-proxy reads in a new config file written by the operator, modelled on tailscaled's conffile but with some modifications to ensure multiple versions of the config can co-exist within a file. This should make it much easier to support reading that config file from a Kube Secret with a stable file name. To avoid needing to give the operator ClusterRole{,Binding} permissions, the helm chart now optionally deploys a new static ServiceAccount for the API Server proxy to use if in auth mode. Proxies deployed by kube-apiserver ProxyGroups currently work the same as the operator's in-process proxy. They do not yet leverage Tailscale Services for presenting a single HA DNS name. Updates #13358 Change-Id: Ib6ead69b2173c5e1929f3c13fb48a9a5362195d8 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
Tom Proctor	90bf0a97b3	cmd/k8s-operator/deploy: clarify helm install notes (#16449) ... Based on feedback that it wasn't clear what the user is meant to do with the output of the last command, clarify that it's an optional command to explore what got created. Updates #13427 Change-Id: Iff64ec6d02dc04bf4bbebf415d7ed1a44e7dd658 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
Simon Law	bad17a1bfa	cmd/tailscale: format empty cities and countries as hyphens (#16495) ... When running `tailscale exit-node list`, an empty city or country name should be displayed as a hyphen "-". However, this only happened when there was no location at all. If a node provides a Hostinfo.Location, then the list would display exactly what was provided. This patch changes the listing so that empty cities and countries will either render the provided name or "-". Fixes #16500 Signed-off-by: Simon Law <sfllaw@tailscale.com>	5 months ago
Nick Khyl	1fe82d6ef5	cmd/tailscale/cli,ipn/ipnlocal: restrict logout when AlwaysOn mode is enabled ... In this PR, we start passing a LocalAPI actor to (*LocalBackend).Logout to make it subject to the same access check as disconnects made via tailscale down or the GUI. We then update the CLI to allow `tailscale logout` to accept a reason, similar to `tailscale down`. Updates tailscale/corp#26249 Signed-off-by: Nick Khyl <nickk@tailscale.com>	5 months ago
David Bond	84eac7b8de	cmd/k8s-operator: Allow custom ingress class names (#16472) ... This commit modifies the k8s operator to allow for customisation of the ingress class name via a new `OPERATOR_INGRESS_CLASS_NAME` environment variable. For backwards compatibility, this defaults to `tailscale`. When using helm, a new `ingress.name` value is provided that will set this environment variable and modify the name of the deployed `IngressClass` resource. Fixes https://github.com/tailscale/tailscale/issues/16248 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
Tom Proctor	079134d3c0	cmd/k8s-operator: always set ProxyGroup status conditions (#16429) ... Refactors setting status into its own top-level function to make it easier to ensure we _always_ set the status if it's changed on every reconcile. Previously, it was possible to have stale status if some earlier part of the provision logic failed. Updates #16327 Change-Id: Idab0cfc15ae426cf6914a82f0d37a5cc7845236b Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
David Bond	c46145b99e	cmd/k8s-operator: Move login server value to top-level (#16470) ... This commit modifies the operator helm chart values to bring the newly added `loginServer` field to the top level. We felt as though it was a bit confusing to be at the `operatorConfig` level as this value modifies the behaviour or the operator, api server & all resources that the operator manages. Updates https://github.com/tailscale/corp/issues/29847 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
Nick Khyl	a8055b5f40	cmd/tailscale/cli,ipn,ipn/ipnlocal: add AutoExitNode preference for automatic exit node selection ... With this change, policy enforcement and exit node resolution can happen in separate steps, since enforcement no longer depends on resolving the suggested exit node. This keeps policy enforcement synchronous (e.g., when switching profiles), while allowing exit node resolution to be asynchronous on netmap updates, link changes, etc. Additionally, the new preference will be used to let GUIs and CLIs switch back to "auto" mode after a manual exit node override, which is necessary for tailscale/corp#29969. Updates tailscale/corp#29969 Updates #16459 Signed-off-by: Nick Khyl <nickk@tailscale.com>	5 months ago
David Bond	5dc11d50f7	cmd/k8s-operator: Set login server on tsrecorder nodes (#16443) ... This commit modifies the recorder node reconciler to include the environment variable added in https://github.com/tailscale/corp/pull/30058 which allows for configuration of the coordination server. Updates https://github.com/tailscale/corp/issues/29847 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
David Bond	eb03d42fe6	cmd/k8s-operator: Allow configuration of login server (#16432) ... This commit modifies the kubernetes operator to allow for customisation of the tailscale login url. This provides some data locality for people that want to configure it. This value is set in the `loginServer` helm value and is propagated down to all resources managed by the operator. The only exception to this is recorder nodes, where additional changes are required to support modifying the url. Updates https://github.com/tailscale/corp/issues/29847 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
Tom Meadows	2fc247573b	cmd/k8s-operator: ProxyClass annotation for Services and Ingresses (#16363) ... * cmd/k8s-operator: ProxyClass annotation for Services and Ingresses Previously, the ProxyClass could only be configured for Services and Ingresses via a Label. This adds the ability to set it via an Annotation, but prioritizes the Label if both a Label and Annotation are set. Updates #14323 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> * Update cmd/k8s-operator/operator.go Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com> Signed-off-by: Tom Meadows <tom@tmlabs.co.uk> * Update cmd/k8s-operator/operator.go Signed-off-by: Tom Meadows <tom@tmlabs.co.uk> * cmd/k8s-operator: ProxyClass annotation for Services and Ingresses Previously, the ProxyClass could only be configured for Services and Ingresses via a Label. This adds the ability to set it via an Annotation, but prioritizes the Label if both a Label and Annotation are set. Updates #14323 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> --------- Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> Signed-off-by: Tom Meadows <tom@tmlabs.co.uk> Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
Simon Law	544aee9d08	tsidp: update README to refer to community projects (#16411) ... We dropped the idea of the Experimental release stage in tailscale/tailscale-www#7697, in favour of Community Projects. Updates #cleanup Signed-off-by: Simon Law <sfllaw@tailscale.com>	5 months ago
Andrew Lytvynov	76b9afb54d	ipn/store: make StateStore.All optional (#16409) ... This method is only needed to migrate between store.FileStore and tpm.tpmStore. We can make a runtime type assertion instead of implementing an unused method for every platform. Updates #15830 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Tom Proctor	711698f5a9	cmd/{containerboot,k8s-operator}: use state Secret for checking device auth (#16328) ... Previously, the operator checked the ProxyGroup status fields for information on how many of the proxies had successfully authed. Use their state Secrets instead as a more reliable source of truth. containerboot has written device_fqdn and device_ips keys to the state Secret since inception, and pod_uid since 1.78.0, so there's no need to use the API for that data. Read it from the state Secret for consistency. However, to ensure we don't read data from a previous run of containerboot, make sure we reset containerboot's state keys on startup. One other knock-on effect of that is ProxyGroups can briefly be marked not Ready while a Pod is restarting. Introduce a new ProxyGroupAvailable condition to more accurately reflect when downstream controllers can implement flows that rely on a ProxyGroup having at least 1 proxy Pod running. Fixes #16327 Change-Id: I026c18e9d23e87109a471a87b8e4fb6271716a66 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
Tom Meadows	f81baa2d56	cmd/k8s-operator, k8s-operator: support Static Endpoints on ProxyGroups (#16115) ... updates: #14674 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	5 months ago
Kristoffer Dalby	df786be14d	cmd/tailscale: use text format for TKA head ... Updates tailscale/corp#23258 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	5 months ago
Kristoffer Dalby	4a7b8afabf	cmd/tailscale: add tlpub: prefix to lock log output ... Updates tailscale/corp#23258 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	5 months ago
Andrew Lytvynov	6feb3c35cb	ipn/store: automatically migrate between plaintext and encrypted state (#16318) ... Add a new `--encrypt-state` flag to `cmd/tailscaled`. Based on that flag, migrate the existing state file to/from encrypted format if needed. Updates #15830 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
David Bond	b75fe9eeca	cmd/k8s-operator: Add NOTES.txt to Helm chart (#16364) ... This commit adds a NOTES.txt to the operator helm chart that will be written to the terminal upon successful installation of the operator. It includes a small list of knowledgebase articles with possible next steps for the actor that installed the operator to the cluster. It also provides possible commands to use for explaining the custom resources. Fixes #13427 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
Kristoffer Dalby	0198255266	cmd/tailscale: warn user about nllock key removal without resigning ... Fixes #19445 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	5 months ago
Kristoffer Dalby	9309760263	util/prompt: make yes/no prompt reusable ... Updates #19445 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	5 months ago
Brad Fitzpatrick	9af42f425c	.github/workflows: shard the Windows builder ... It's one of the slower ones, so split it up into chunks. Updates tailscale/corp#28679 Change-Id: I16a5ba667678bf238c84417a51dda61baefbecf7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
Irbe Krumina	253d0b026d	cmd/k8s-operator: remove conffile hashing mechanism (#16335) ... Proxies know how to reload configfile on changes since 1.80, which is going to be the earliest supported proxy version with 1.84 operator, so remove the mechanism that was updating configfile hash to force proxy Pod restarts on config changes. Updates #13032 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Brad Fitzpatrick	e92eb6b17b	net/tlsdial: fix TLS cert validation of HTTPS proxies ... If you had HTTPS_PROXY=https://some-valid-cert.example.com running a CONNECT proxy, we should've been able to do a TLS CONNECT request to e.g. controlplane.tailscale.com:443 through that, and I'm pretty sure it used to work, but refactorings and lack of integration tests made it regress. It probably regressed when we added the baked-in LetsEncrypt root cert validation fallback code, which was testing against the wrong hostname (the ultimate one, not the one which we were being asked to validate) Fixes #16222 Change-Id: If014e395f830e2f87f056f588edacad5c15e91bc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
Andrew Lytvynov	4979ce7a94	feature/tpm: implement ipn.StateStore using TPM sealing (#16030) ... Updates #15830 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	6 months ago
Raj Singh	45a4b69ce0	cmd/tsidp: fix OIDC client persistence across restarts ... Fixes #16088 Signed-off-by: Raj Singh <raj@tailscale.com>	6 months ago
Simon Law	49ae66c10c	cmd/tailscale: clean up dns --help messages (#16306) ... This patch contains the following cleanups: 1. Simplify `ffcli.Command` definitions; 2. Word-wrap help text, consistent with other commands; 3. `tailscale dns --help` usage makes subcommand usage more obvious; 4. `tailscale dns query --help` describes DNS record types. Updates #cleanup Signed-off-by: Simon Law <sfllaw@tailscale.com>	6 months ago
Mike O'Driscoll	e7f5c9a015	derp/derphttp: add error notify for RunWatchConnectionLoop (#16261) ... The caller of client.RunWatchConnectionLoop may need to be aware of errors that occur within loop. Add a channel that notifies of errors to the caller to allow for decisions to be make as to the state of the client. Updates tailscale/corp#25756 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	6 months ago
Brad Fitzpatrick	259bab9bff	scripts/check_license_headers.sh: delete, rewrite as a Go test ... Updates tailscale/corp#29650 Change-Id: Iad4e4ccd9d68ebb1d1a12f335cc5295d0bd05b60 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
James Tucker	86985228bc	cmd/natc: add a flag to use specific DNS servers ... If natc is running on a host with tailscale using `--accept-dns=true` then a DNS loop can occur. Provide a flag for some specific DNS upstreams for natc to use instead, to overcome such situations. Updates #14667 Signed-off-by: James Tucker <james@tailscale.com>	6 months ago
Anton Tolchanov	42da161b19	tka: reject removal of the last signing key ... Fixes tailscale/corp#19447 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	6 months ago