Commit Graph

7147 Commits (irbekrm/operatorversion)
 

Author SHA1 Message Date
Irbe Krumina 2f7b287220 cmd/k8s-operator: annotate proxy StatefulSets with operator version
Add a tailscale.com/operator-last-version annotation to StatefulSets for ingress/egress proxies and Connectors.
Set it to the operator version of the current operator version each time the StatefulSet is re-synced.
This will help us to determine the potential proxy state when making changes in proxy configuration in the future.

Updates tailscale/tailscale#10407

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
9 months ago
Patrick O'Doherty 38bba2d23a
clientupdate: disable auto update on NixOS (#11136)
Updates #cleanup

NixOS packages are immutable and attempts to update via our tarball
mechanism will always fail as a result. Instead we now direct users to
update their nix channel or nixpkgs flake input to receive the latest
Tailscale release.

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
9 months ago
Andrew Dunham b7104cde4a util/topk: add package containing a probabilistic top-K tracker
This package uses a count-min sketch and a heap to track the top K items
in a stream of data. Tracking a new item and adding a count to an
existing item both require no memory allocations and is at worst
O(log(k)) complexity.

Change-Id: I0553381be3fef2470897e2bd806d43396f2dbb36
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
9 months ago
Flakes Updater 7ad2bb87a6 go.mod.sri: update SRI hash for go.mod changes
Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
9 months ago
Brad Fitzpatrick 61a1644c2a go.mod, all: move away from inet.af domain seized by Taliban
Updates inetaf/tcpproxy#39

Change-Id: I7fee276b116bd08397347c6c949011d76a2842cf
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
9 months ago
Andrew Dunham b0e96a6c39 net/dns: log more info when openresolv commands fail
Updates #11129

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Ic594868ba3bc31f6d3b0721ecba4090749a81f7f
9 months ago
Nathan Woodburn 7c0651aea6 scripts/installer.sh: add tuxedoOS to the Ubuntu copies
Signed-off-by: Nathan Woodburn <github@nathan.woodburn.au>
9 months ago
Patrick O'Doherty 256ecd0e8f
Revert "tsweb: update ServeMux matching to 1.22.0 syntax (#11090)" (#11125)
This reverts commit 30c9189ed3.

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
9 months ago
Aaron Klotz f7acbefbbb wgengine/router: make the Windows ifconfig implementation reuse existing MibIPforwardRow2 when possible
Looking at profiles, we spend a lot of time in winipcfg.LUID.DeleteRoute
looking up the routing table entry for the provided RouteData.

But we already have the row! We previously obtained that data via the full
table dump we did in getInterfaceRoutes. We can make this a lot faster by
hanging onto a reference to the wipipcfg.MibIPforwardRow2 and executing
the delete operation directly on that.

Fixes #11123

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
9 months ago
Patrick O'Doherty 30c9189ed3
tsweb: update ServeMux matching to 1.22.0 syntax (#11090)
* tsweb: update ServeMux matching to 1.22.0 syntax

Updates #cleanup

Go 1.22.0 introduced the ability to use more expressive routing patterns
that include HTTP method when constructing ServeMux entries.
Applications that attempted to use these patterns in combination with
the old `tsweb.Debugger` would experience a panic as Go would not permit
the use of matching rules with mixed level of specificity. We now
specify the method for each `/debug` handler to prevent
incompatibilities.

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
9 months ago
Irbe Krumina 5bd19fd3e3
cmd/k8s-operator,k8s-operator: proxy configuration mechanism via a new ProxyClass custom resource (#11074)
* cmd/k8s-operator,k8s-operator: introduce proxy configuration mechanism via ProxyClass custom resource.

ProxyClass custom resource can be used to specify customizations
for the proxy resources created by the operator.

Add a reconciler that validates ProxyClass resources
and sets a Ready condition to True or False with a corresponding reason and message.
This is required because some fields (labels and annotations)
require complex validations that cannot be performed at custom resource apply time.
Reconcilers that use the ProxyClass to configure proxy resources are expected to
verify that the ProxyClass is Ready and not proceed with resource creation
if configuration from a ProxyClass that is not yet Ready is required.

If a tailscale ingress/egress Service is annotated with a tailscale.com/proxy-class annotation, look up the corresponding ProxyClass and, if it is Ready, apply the configuration from the ProxyClass to the proxy's StatefulSet.

If a tailscale Ingress has a tailscale.com/proxy-class annotation
and the referenced ProxyClass custom resource is available and Ready,
apply configuration from the ProxyClass to the proxy resources
that will be created for the Ingress.

Add a new .proxyClass field to the Connector spec.
If connector.spec.proxyClass is set to a ProxyClass that is available and Ready,
apply configuration from the ProxyClass to the proxy resources created for the Connector.

Ensure that when Helm chart is packaged, the ProxyClass yaml is added to chart templates. Ensure that static manifest generator adds ProxyClass yaml to operator.yaml. Regenerate operator.yaml


Signed-off-by: Irbe Krumina <irbe@tailscale.com>
9 months ago
Brad Fitzpatrick f7f496025a types/views: add test that LenIter doesn't allocate
For a second we thought this was allocating but we were looking
at a CPU profile (which showed calls to mallocgc view makeslice)
instead of the alloc profile.

Updates golang/go#65685 (which if fixed wouldn't have confused us)

Change-Id: Ic0132310d52d8a65758a516142525339aa23b1ed
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
9 months ago
Percy Wegmann c42a4e407a tailfs: listen for local clients only on 100.100.100.100
FileSystemForLocal was listening on the node's Tailscale address,
which potentially exposes the user's view of TailFS shares to other
Tailnet users. Remote nodes should connect to exported shares via
the peerapi.

This removes that code so that FileSystemForLocal is only avaialable
on 100.100.100.100:8080.

Updates tailscale/corp#16827

Signed-off-by: Percy Wegmann <percy@tailscale.com>
9 months ago
Percy Wegmann d0ef3a25df cmd/tailscale: hide share subcommand
Fixes #1115

Signed-off-by: Percy Wegmann <percy@tailscale.com>
9 months ago
David Anderson 58b8f78e7e flake.nix: build tailscale with go 1.22
Updates #cleanup

Signed-off-by: David Anderson <danderson@tailscale.com>
9 months ago
Maisem Ali 370ecb4654 tailcfg: remove UserProfile.Groups
Removing as per go/group-all-the-things.

Updates tailscale/corp#17445

Signed-off-by: Maisem Ali <maisem@tailscale.com>
9 months ago
Andrew Dunham c1c50cfcc0 util/cloudenv: add support for DigitalOcean
Updates #4984

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Ib229eb40af36a80e6b0fd1dd0cabb07f0d50a7d1
9 months ago
Percy Wegmann 55b372a79f tailscaled: revert to using pointers for subcommands
As part of #10631, we stopped using function pointers for subcommands,
preventing us from registering platform-specific installSystemDaemon
and uninstallSystemDaemon subcommands.

Fixes #11099

Signed-off-by: Percy Wegmann <percy@tailscale.com>
9 months ago
Percy Wegmann 87154a2f88 tailfs: fix startup issues on windows
Starts TailFS for Windows too, initializes shares on startup.

Updates tailscale/corp#16827

Signed-off-by: Percy Wegmann <percy@tailscale.com>
9 months ago
Percy Wegmann ddcffaef7a tailfs: disable TailFSForLocal via policy
Adds support for node attribute tailfs:access. If this attribute is
not present, Tailscale will not accept connections to the local TailFS
server at 100.100.100.100:8080.

Updates tailscale/corp#16827

Signed-off-by: Percy Wegmann <percy@tailscale.com>
9 months ago
Percy Wegmann abab0d4197 tailfs: clean up naming and package structure
- Restyles tailfs -> tailFS
- Defines interfaces for main TailFS types
- Moves implemenatation of TailFS into tailfsimpl package

Updates tailscale/corp#16827

Signed-off-by: Percy Wegmann <percy@tailscale.com>
9 months ago
dependabot[bot] 79b547804b build(deps-dev): bump vite from 4.4.9 to 4.5.2 in /client/web
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 4.4.9 to 4.5.2.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v4.5.2/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v4.5.2/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
9 months ago
James Tucker 24bac27632 util/rands: add Shuffle and Perm functions with on-stack RNG state
The new math/rand/v2 package includes an m-local global random number
generator that can not be reseeded by the user, which is suitable for
most uses without the RNG pools we have in a number of areas of the code
base.

The new API still does not have an allocation-free way of performing a
seeded operations, due to the long term compiler bug around interface
parameter escapes, and the Source interface.

This change introduces the two APIs that math/rand/v2 can not yet
replace efficiently: seeded Perm() and Shuffle() operations. This
implementation chooses to use the PCG random source from math/rand/v2,
as with sufficient compiler optimization, this source should boil down
to only two on-stack registers for random state under ideal conditions.

Updates #17243

Signed-off-by: James Tucker <james@tailscale.com>
9 months ago
Sonia Appasamy 2bb837a9cf client/web: only check policy caps for tagged nodes
For user-owned nodes, only the owner is ever allowed to manage the
node.

Updates tailscale/corp#16695

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
9 months ago
Andrew Dunham 6f6383f69e .github: fuzzing is now unbroken
Updates #cleanup

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I10dca601c79411b412180a46b3f82136e40544b0
9 months ago
Keisuke Umegaki 7039c06d9b
fix toolchain not available error (#11083)
Relates to golang/go#62278
Updates #11058

Signed-off-by: keisku <keisuke.umegaki.630@gmail.com>
9 months ago
Patrick O'Doherty 7c52b27daf
Revert "tsweb: update ServeMux matching to 1.22.0 syntax (#11087)" (#11089)
This reverts commit 291f91d164.

Updates #cleanup

This PR needs additional changes to the registration of child handlers under /debug

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
9 months ago
Patrick O'Doherty 291f91d164
tsweb: update ServeMux matching to 1.22.0 syntax (#11087)
Updates #cleanup

Go 1.22.0 introduced the ability to use more expressive routing patterns
that include HTTP method when constructing ServeMux entries.
Applications that attempted to use these patterns in combination with
the old `tsweb.Debugger` would experience a panic as Go would not permit
the use of matching rules with mixed level of specificity.

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
9 months ago
Jenny Zhang c446451bfa cmd/gitops-pusher: only use OAuth creds if non-empty string
`os.LookupEnv` may return true if the variable is present in
the environment but an empty string. We should only attempt
to set OAuth Config if thsoe values are non-empty.

Updates gitops-acl-action#33

Signed-off-by: Jenny Zhang <jz@tailscale.com>
9 months ago
Percy Wegmann 993acf4475 tailfs: initial implementation
Add a WebDAV-based folder sharing mechanism that is exposed to local clients at
100.100.100.100:8080 and to remote peers via a new peerapi endpoint at
/v0/tailfs.

Add the ability to manage folder sharing via the new 'share' CLI sub-command.

Updates tailscale/corp#16827

Signed-off-by: Percy Wegmann <percy@tailscale.com>
9 months ago
Joe Tsai 2e404b769d
all: use new AppendEncode methods available in Go 1.22 (#11079)
Updates #cleanup

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
9 months ago
Joe Tsai 94a4f701c2
all: use reflect.TypeFor now available in Go 1.22 (#11078)
Updates #cleanup

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
9 months ago
Joe Tsai efddad7d7d
util/deephash: cleanup TODO in TestHash (#11080)
Updates #cleanup

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
9 months ago
Charlotte Brandhorst-Satzkorn 0f042b9814
cmd/tailscale/cli: fix exit node status output (#11076)
This change fixes the format of tailscale status output when location
based exit nodes are present.

Fixes #11065

Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
9 months ago
Andrea Gottardo 6c79f55d48
ipnlocal: force-regen new authURL when it is too old (#10971)
Fixes tailscale/support-escalations#23.

authURLs returned by control expire after 1 hour from creation. Customer reported that the Tailscale client on macOS would sending users to a stale authentication page when clicking on the `Login...` menu item. This can happen when clicking on Login after leaving the device unattended for several days. The device key expires, leading to the creation of a new authURL, however the client doesn't keep track of when the authURL was created. Meaning that `login-interactive` would send the user to an authURL that had expired server-side a long time before.

This PR ensures that whenever `login-interactive` is called via LocalAPI, an authURL that is too old won't be used. We force control to give us a new authURL whenever it's been more than 30 minutes since the last authURL was sent down from control.



Apply suggestions from code review




Set interval to 6 days and 23 hours

Signed-off-by: Andrea Gottardo <andrea@tailscale.com>
Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
9 months ago
Sonia Appasamy 1217f655c0 cmd/dist: update logs for synology builds
Update logs for synology builds to more clearly callout which variant
is being built. The two existing variants are:

1. Sideloaded (can be manual installed on a device by anyone)
2. Package center distribution (by the tailscale team)

Updates #cleanup

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
9 months ago
OSS Updater 664b861cd4 go.mod: update web-client-prebuilt module
Signed-off-by: OSS Updater <noreply+oss-updater@tailscale.com>
9 months ago
Will Norris 6f0c5e0c05 client/web: use smart quotes in web UI frontend
add the curly-quotes eslint plugin (same that we use for the admin
panel), and fix existing straight quotes in the current web UI.

Updates #cleanup

Signed-off-by: Will Norris <will@tailscale.com>
9 months ago
Will Norris 128c99d4ae client/web: add new readonly mode
The new read-only mode is only accessible when running `tailscale web`
by passing a new `-readonly` flag. This new mode is identical to the
existing login mode with two exceptions:

 - the management client in tailscaled is not started (though if it is
   already running, it is left alone)

 - the client does not prompt the user to login or switch to the
   management client. Instead, a message is shown instructing the user
   to use other means to manage the device.

Updates #10979

Signed-off-by: Will Norris <will@tailscale.com>
9 months ago
License Updater 9f0eaa4464 licenses: update win/apple licenses
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
9 months ago
License Updater 78f257d9f8 licenses: update android licenses
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
9 months ago
License Updater 5486d8aaf9 licenses: update tailscale{,d} licenses
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
9 months ago
Irbe Krumina a6cc2fdc3e
cmd/{containerboot,k8s-operator/deploy/manifests}: optionally allow proxying cluster traffic to a cluster target via ingress proxy (#11036)
* cmd/containerboot,cmd/k8s-operator/deploy/manifests: optionally forward cluster traffic via ingress proxy.

If a tailscale Ingress has tailscale.com/experimental-forward-cluster-traffic-via-ingress annotation, configure the associated ingress proxy to have its tailscale serve proxy to listen on Pod's IP address. This ensures that cluster traffic too can be forwarded via this proxy to the ingress backend(s).

In containerboot, if EXPERIMENTAL_PROXY_CLUSTER_TRAFFIC_VIA_INGRESS is set to true
and the node is Kubernetes operator ingress proxy configured via Ingress,
make sure that traffic from within the cluster can be proxied to the ingress target.

Updates tailscale/tailscale#10499

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
9 months ago
Flakes Updater 2404b1444e go.mod.sri: update SRI hash for go.mod changes
Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
9 months ago
Brad Fitzpatrick c424e192c0 .github/workflows: temporarily disable broken oss-fuzz action
Updates #11064
Updates #11058

Change-Id: I63acc13dece3379a0b2df573afecfd245b7cd6c2
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
9 months ago
Brad Fitzpatrick 2bd3c1474b util/cmpx: delete now that we're using Go 1.22
Updates #11058

Change-Id: I09dea8e86f03ec148b715efca339eab8b1f0f644
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
9 months ago
Brad Fitzpatrick 5ea071186e Dockerfile: use Go 1.22
Updates #11058

Change-Id: I0f63be498be33d71bd90b7956f9fe9666fd7a696
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
9 months ago
Brad Fitzpatrick 9612001cf4 .github/workflows: update golangci-lint for Go 1.22
Updates #11058

Change-Id: I3785c1f1bea4a4663e7e5fb6d209d3caedae436d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
9 months ago
Brad Fitzpatrick b6153efb7d go.mod, README.md: use Go 1.22
Updates #11058

Change-Id: I95eecdc7afe2b5f8189016fdb8a773f78e9f5c42
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
9 months ago
Tom DNetto 653721541c tsweb: normalize passkey identities in bucketed stats
Signed-off-by: Tom DNetto <tom@tailscale.com>
Updates: corp#17075
9 months ago