tailscale

Commit Graph

Author	SHA1	Message	Date
Tom Proctor	22a8e0ac50	cmd/{k8s-operator,k8s-proxy},kube: use consistent type for auth mode config (#16626 ) Updates k8s-proxy's config so its auth mode config matches that we set in kube-apiserver ProxyGroups for consistency. Updates #13358 Change-Id: I95e29cec6ded2dc7c6d2d03f968a25c822bc0e01 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
David Bond	c989824aac	cmd/k8s-operator: Allow specifying cluster ips for nameservers (#16477 ) This commit modifies the kubernetes operator's `DNSConfig` resource with the addition of a new field at `nameserver.service.clusterIP`. This field allows users to specify a static in-cluster IP address of the nameserver when deployed. Fixes #14305 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
Tom Proctor	f421907c38	all-kube: create Tailscale Service for HA kube-apiserver ProxyGroup (#16572 ) Adds a new reconciler for ProxyGroups of type kube-apiserver that will provision a Tailscale Service for each replica to advertise. Adds two new condition types to the ProxyGroup, TailscaleServiceValid and TailscaleServiceConfigured, to post updates on the state of that reconciler in a way that's consistent with the service-pg reconciler. The created Tailscale Service name is configurable via a new ProxyGroup field spec.kubeAPISserver.ServiceName, which expects a string of the form "svc:<dns-label>". Lots of supporting changes were needed to implement this in a way that's consistent with other operator workflows, including: * Pulled containerboot's ensureServicesUnadvertised and certManager into kube/ libraries to be shared with k8s-proxy. Use those in k8s-proxy to aid Service cert sharing between replicas and graceful Service shutdown. * For certManager, add an initial wait to the cert loop to wait until the domain appears in the devices's netmap to avoid a guaranteed error on the first issue attempt when it's quick to start. * Made several methods in ingress-for-pg.go and svc-for-pg.go into functions to share with the new reconciler * Added a Resource struct to the owner refs stored in Tailscale Service annotations to be able to distinguish between Ingress- and ProxyGroup- based Services that need cleaning up in the Tailscale API. * Added a ListVIPServices method to the internal tailscale client to aid cleaning up orphaned Services * Support for reading config from a kube Secret, and partial support for config reloading, to prevent us having to force Pod restarts when config changes. * Fixed up the zap logger so it's possible to set debug log level. Updates #13358 Change-Id: Ia9607441157dd91fb9b6ecbc318eecbef446e116 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
Tom Meadows	fe46f33885	cmd/{k8s-operator,k8s-proxy},kube/k8s-proxy: add static endpoints for kube-apiserver type ProxyGroups (#16523 ) Updates #13358 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	5 months ago
David Bond	d0cafc0a67	cmd/{k8s-operator,k8s-proxy}: apply accept-routes configuration to k8s-proxy (#16522 ) This commit modifies the k8s-operator and k8s-proxy to support passing down the accept-routes configuration from the proxy class as a configuration value read and used by the k8s-proxy when ran as a distinct container managed by the operator. Updates #13358 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
David Bond	2b665c370c	cmd/{k8s-operator,k8s-proxy}: allow setting login server url (#16504 ) This commit modifies the k8s proxy application configuration to include a new field named `ServerURL` which, when set, modifies the tailscale coordination server used by the proxy. This works in the same way as the operator and the proxies it deploys. If unset, the default coordination server is used. Updates https://github.com/tailscale/tailscale/issues/13358 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
David Bond	cf0460b9da	cmd/k8s-operator: allow letsencrypt staging on k8s proxies (#16521 ) This commit modifies the operator to detect the usage of k8s-apiserver type proxy groups that wish to use the letsencrypt staging directory and apply the appropriate environment variable to the statefulset it produces. Updates #13358 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
Tom Proctor	27fa2ad868	cmd/k8s-operator: don't require generation for Available condition (#16497 ) The observed generation was set to always 0 in #16429, but this had the knock-on effect of other controllers considering ProxyGroups never ready because the observed generation is never up to date in proxyGroupCondition. Make sure the ProxyGroupAvailable function does not requires the observed generation to be up to date, and add testing coverage to catch regressions. Updates #16327 Change-Id: I42f50ad47dd81cc2d3c3ce2cd7b252160bb58e40 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
Tom Proctor	4dfed6b146	cmd/{k8s-operator,k8s-proxy}: add kube-apiserver ProxyGroup type (#16266 ) Adds a new k8s-proxy command to convert operator's in-process proxy to a separately deployable type of ProxyGroup: kube-apiserver. k8s-proxy reads in a new config file written by the operator, modelled on tailscaled's conffile but with some modifications to ensure multiple versions of the config can co-exist within a file. This should make it much easier to support reading that config file from a Kube Secret with a stable file name. To avoid needing to give the operator ClusterRole{,Binding} permissions, the helm chart now optionally deploys a new static ServiceAccount for the API Server proxy to use if in auth mode. Proxies deployed by kube-apiserver ProxyGroups currently work the same as the operator's in-process proxy. They do not yet leverage Tailscale Services for presenting a single HA DNS name. Updates #13358 Change-Id: Ib6ead69b2173c5e1929f3c13fb48a9a5362195d8 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
Tom Proctor	90bf0a97b3	cmd/k8s-operator/deploy: clarify helm install notes (#16449 ) Based on feedback that it wasn't clear what the user is meant to do with the output of the last command, clarify that it's an optional command to explore what got created. Updates #13427 Change-Id: Iff64ec6d02dc04bf4bbebf415d7ed1a44e7dd658 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
David Bond	84eac7b8de	cmd/k8s-operator: Allow custom ingress class names (#16472 ) This commit modifies the k8s operator to allow for customisation of the ingress class name via a new `OPERATOR_INGRESS_CLASS_NAME` environment variable. For backwards compatibility, this defaults to `tailscale`. When using helm, a new `ingress.name` value is provided that will set this environment variable and modify the name of the deployed `IngressClass` resource. Fixes https://github.com/tailscale/tailscale/issues/16248 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
Tom Proctor	079134d3c0	cmd/k8s-operator: always set ProxyGroup status conditions (#16429 ) Refactors setting status into its own top-level function to make it easier to ensure we _always_ set the status if it's changed on every reconcile. Previously, it was possible to have stale status if some earlier part of the provision logic failed. Updates #16327 Change-Id: Idab0cfc15ae426cf6914a82f0d37a5cc7845236b Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
David Bond	c46145b99e	cmd/k8s-operator: Move login server value to top-level (#16470 ) This commit modifies the operator helm chart values to bring the newly added `loginServer` field to the top level. We felt as though it was a bit confusing to be at the `operatorConfig` level as this value modifies the behaviour or the operator, api server & all resources that the operator manages. Updates https://github.com/tailscale/corp/issues/29847 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
David Bond	5dc11d50f7	cmd/k8s-operator: Set login server on tsrecorder nodes (#16443 ) This commit modifies the recorder node reconciler to include the environment variable added in https://github.com/tailscale/corp/pull/30058 which allows for configuration of the coordination server. Updates https://github.com/tailscale/corp/issues/29847 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
David Bond	eb03d42fe6	cmd/k8s-operator: Allow configuration of login server (#16432 ) This commit modifies the kubernetes operator to allow for customisation of the tailscale login url. This provides some data locality for people that want to configure it. This value is set in the `loginServer` helm value and is propagated down to all resources managed by the operator. The only exception to this is recorder nodes, where additional changes are required to support modifying the url. Updates https://github.com/tailscale/corp/issues/29847 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
Tom Meadows	2fc247573b	cmd/k8s-operator: ProxyClass annotation for Services and Ingresses (#16363 ) * cmd/k8s-operator: ProxyClass annotation for Services and Ingresses Previously, the ProxyClass could only be configured for Services and Ingresses via a Label. This adds the ability to set it via an Annotation, but prioritizes the Label if both a Label and Annotation are set. Updates #14323 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> * Update cmd/k8s-operator/operator.go Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com> Signed-off-by: Tom Meadows <tom@tmlabs.co.uk> * Update cmd/k8s-operator/operator.go Signed-off-by: Tom Meadows <tom@tmlabs.co.uk> * cmd/k8s-operator: ProxyClass annotation for Services and Ingresses Previously, the ProxyClass could only be configured for Services and Ingresses via a Label. This adds the ability to set it via an Annotation, but prioritizes the Label if both a Label and Annotation are set. Updates #14323 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> --------- Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> Signed-off-by: Tom Meadows <tom@tmlabs.co.uk> Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
Tom Proctor	711698f5a9	cmd/{containerboot,k8s-operator}: use state Secret for checking device auth (#16328 ) Previously, the operator checked the ProxyGroup status fields for information on how many of the proxies had successfully authed. Use their state Secrets instead as a more reliable source of truth. containerboot has written device_fqdn and device_ips keys to the state Secret since inception, and pod_uid since 1.78.0, so there's no need to use the API for that data. Read it from the state Secret for consistency. However, to ensure we don't read data from a previous run of containerboot, make sure we reset containerboot's state keys on startup. One other knock-on effect of that is ProxyGroups can briefly be marked not Ready while a Pod is restarting. Introduce a new ProxyGroupAvailable condition to more accurately reflect when downstream controllers can implement flows that rely on a ProxyGroup having at least 1 proxy Pod running. Fixes #16327 Change-Id: I026c18e9d23e87109a471a87b8e4fb6271716a66 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	5 months ago
Tom Meadows	f81baa2d56	cmd/k8s-operator, k8s-operator: support Static Endpoints on ProxyGroups (#16115 ) updates: #14674 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	5 months ago
David Bond	b75fe9eeca	cmd/k8s-operator: Add NOTES.txt to Helm chart (#16364 ) This commit adds a NOTES.txt to the operator helm chart that will be written to the terminal upon successful installation of the operator. It includes a small list of knowledgebase articles with possible next steps for the actor that installed the operator to the cluster. It also provides possible commands to use for explaining the custom resources. Fixes #13427 Signed-off-by: David Bond <davidsbond93@gmail.com>	5 months ago
Irbe Krumina	253d0b026d	cmd/k8s-operator: remove conffile hashing mechanism (#16335 ) Proxies know how to reload configfile on changes since 1.80, which is going to be the earliest supported proxy version with 1.84 operator, so remove the mechanism that was updating configfile hash to force proxy Pod restarts on config changes. Updates #13032 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Irbe Krumina	e29e3c150f	cmd/k8s-operator: ensure that TLS resources are updated for HA Ingress (#16262 ) Ensure that if the ProxyGroup for HA Ingress changes, the TLS Secret and Role and RoleBinding that allow proxies to read/write to it are updated. Fixes #16259 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Irbe Krumina	3219de4cb8	cmd/k8s-operator: ensure status update errors are displayed to users (#16251 ) Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Anton Tolchanov	db34cdcfe7	cmd/tailscale/cli: add a risk message about rp_filter We already present a health warning about this, but it is easy to miss on a server when blackholing traffic makes it unreachable. In addition to a health warning, present a risk message when exit node is enabled. Example: ``` $ tailscale up --exit-node=lizard The following issues on your machine will likely make usage of exit nodes impossible: - interface "ens4" has strict reverse-path filtering enabled - interface "tailscale0" has strict reverse-path filtering enabled Please set rp_filter=2 instead of rp_filter=1; see https://github.com/tailscale/tailscale/issues/3310 To skip this warning, use --accept-risk=linux-strict-rp-filter $ ``` Updates #3310 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	6 months ago
Tom Meadows	4456f77af7	cmd/k8s-operator: explicitly set tcp on VIPService port configuration for Ingress with ProxyGroup (#16199 ) Updates tailscale/corp#24795 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	6 months ago
Brad Fitzpatrick	401d6c0cfa	go.mod: bump golang.org/x deps Updates #8043 Change-Id: I8702a17130559353ccdecbe8b64eeee461ff09c3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
Irbe Krumina	00a7dd180a	cmd/k8s-operator: validate Service tags, catch duplicate Tailscale Services (#16058 ) Validate that any tags that users have specified via tailscale.com/tags annotation are valid Tailscale ACL tags. Validate that no more than one HA Tailscale Kubernetes Services in a single cluster refer to the same Tailscale Service. Updates tailscale/tailscale#16054 Updates tailscale/tailscale#16035 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	7 months ago
Patrick O'Doherty	a05924a9e5	client/web: add Sec-Fetch-Site CSRF protection (#16046 ) RELNOTE=Fix CSRF errors in the client Web UI Replace gorilla/csrf with a Sec-Fetch-Site based CSRF protection middleware that falls back to comparing the Host & Origin headers if no SFS value is passed by the client. Add an -origin override to the web CLI that allows callers to specify the origin at which the web UI will be available if it is hosted behind a reverse proxy or within another application via CGI. Updates #14872 Updates #15065 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	7 months ago
Irbe Krumina	c4fb380f3c	cmd/k8s-operator: fix Tailscale Service API errors check (#16020 ) Updates tailscale/tailscale#15895 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	7 months ago
Brad Fitzpatrick	8009ad74a3	cmd/derper, net/tlsdial: fix client's self-signed cert validation This fixes the implementation and test from #15208 which apparently never worked. Ignore the metacert when counting the number of expected certs presented. And fix the test, pulling out the TLSConfig setup code into something shared between the real cmd/derper and the test. Fixes #15579 Change-Id: I90526e38e59f89b480629b415f00587b107de10a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Tom Meadows	b5770c81c9	cmd/k8s-operator: rename VIPService -> Tailscale Service in L3 HA Service Reconciler (#16014 ) Also changes wording tests for L7 HA Reconciler Updates #15895 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	7 months ago
Tom Meadows	7fe27496c8	cmd/k8s-operator: warn if HA Service is applied, but VIPService feature flag is not enabled (#16013 ) Updates #15895 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	7 months ago
Tom Meadows	df8d51023e	cmd/k8s-operator,kube/kubetypes,k8s-operator/apis: reconcile L3 HA Services (#15961 ) This reconciler allows users to make applications highly available at L3 by leveraging Tailscale Virtual Services. Many Kubernetes Service's (irrespective of the cluster they reside in) can be mapped to a Tailscale Virtual Service, allowing access to these Services at L3. Updates #15895 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	7 months ago
Tom Proctor	d89aa29081	{cmd,}/k8s-operator: support IRSA for Recorder resources (#15913 ) Adds Recorder fields to configure the name and annotations of the ServiceAccount created for and used by its associated StatefulSet. This allows the created Pod to authenticate with AWS without requiring a Secret with static credentials, using AWS' IAM Roles for Service Accounts feature, documented here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html Fixes #15875 Change-Id: Ib0e15c0dbc357efa4be260e9ae5077bacdcb264f Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	7 months ago
Irbe Krumina	abe04bfa78	cmd/k8s-operator: warn if Tailscale Services use attempted for tailnet without the feature enabled (#15931 ) Also renames VIPService -> Tailscale Service (including user facing messages) Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	7 months ago
Jordan Whited	0f4f808e70	wgengine/magicsock: re-shape relayManager to use an event loop (#15935 ) The event loop removes the need for growing locking complexities and synchronization. Now we simply use channels. The event loop only runs while there is active work to do. relayManager remains no-op inside magicsock for the time being. endpoints are never 'relayCapable' and therefore endpoint & Conn will not feed CallMeMaybeVia or allocation events into it. A number of relayManager events remain unimplemented, e.g. CallMeMaybeVia reception and relay handshaking. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	7 months ago
Nick Khyl	a9be049c19	ipn/ipnlocal,net/dns/resolver: use the user dialer and routes for DNS forwarding by default, except on iOS and Android In this PR, we make the "user-dial-routes" behavior default on all platforms except for iOS and Android. It can be disabled by setting the TS_DNS_FORWARD_USE_ROUTES envknob to 0 or false. Updates #12027 Updates #13837 Signed-off-by: Nick Khyl <nickk@tailscale.com>	7 months ago
Brad Fitzpatrick	165b99278b	feature/taildrop, ipn/ipnlocal: remove leftover dup calls to osshare I'd moved the osshare calls to feature/taildrop hooks, but forgot to remove them from ipnlocal, or lost them during a rebase. But then I noticed cmd/tailscaled also had some, so turn those into a hook. Updates #12614 Change-Id: I024fb1d27fbcc49c013158882ee5982c2737037d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	7cc2837594	tsnet: don't depend on condregister & its default tailscaled features None of them are applicable to the common tsnet use cases. If somebody wants one of them, they can empty import it. Updates #12614 Change-Id: I3d7f74b555eed22e05a09ad667e4572a5bc452d8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	5b597489bc	taildrop: merge taildrop and feature/taildrop packages together Fixes #15812 Change-Id: I3bf0666bf9e7a9caea5f0f99fdb0eb2812157608 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	068d5ab655	feature/taildrop: move rest of Taildrop out of LocalBackend Updates #12614 Change-Id: If451dec1d796f6a4216fe485975c87f0c62a53e5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Co-authored-by: Nick Khyl <nickk@tailscale.com>	7 months ago
Tom Proctor	62182f3bcf	cmd/k8s-operator,k8s-operator/api-proxy: move k8s proxy code to library (#15857 ) The defaultEnv and defaultBool functions are copied over temporarily to minimise diff. This lays the ground work for having both the operator and the new k8s-proxy binary implement the API proxy Updates #13358 Change-Id: Ieacc79af64df2f13b27a18135517bb31c80a5a02 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	7 months ago
Andrew Lytvynov	3105ecd958	hostinfo,tailcfg: report TPM availability on windows/linux (#15831 ) Start collecting fleet data on TPM availability via hostinfo. Updates #15830 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	7 months ago
Brad Fitzpatrick	dbf13976d3	types/mapx, ipn/ipnext: add ordered map, akin to set.Slice We had an ordered set type (set.Slice) already but we occasionally want to do the same thing with a map, preserving the order things were added, so add that too, as mapsx.OrderedMap[K, V], and then use in ipnext. Updates #12614 Change-Id: I85e6f5e11035571a28316441075e952aef9a0863 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Tom Meadows	9666c2e700	cmd/k8s-operator: default ingress paths to '/' if not specified by user (#15706 ) in resource Fixes #14908 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	8 months ago
Brad Fitzpatrick	0c78f081a4	feature/taildrop: start moving Taildrop out of LocalBackend This adds a feature/taildrop package, a ts_omit_taildrop build tag, and starts moving code to feature/taildrop. In some cases, code remains where it was but is now behind a build tag. Future changes will move code to an extension and out of LocalBackend, etc. Updates #12614 Change-Id: Idf96c61144d1a5f707039ceb2ff59c99f5c1642f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
M. J. Fromberger	ffb22ee353	all: construct new System values with an event bus pre-populated Although, at the moment, we do not yet require an event bus to be present, as we start to add more pieces we will want to ensure it is always available. Add a new constructor and replace existing uses of new(tsd.System) throughout. Update generated files for import changes. Updates #15160 Change-Id: Ie5460985571ade87b8eac8b416948c7f49f0f64b Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	8 months ago
David Anderson	6b8bbb4c37	tsd: wire up the event bus to tailscaled Updates #15160 Signed-off-by: David Anderson <dave@tailscale.com>	8 months ago
Jordan Whited	37f5fd2ec1	feature/{condregister,relayserver}: implement the skeleton for the relayserver feature (#15699 ) This feature is "registered" as an ipnlocal.Extension, and conditionally linked depending on GOOS and ts_omit_relayserver build tag. The feature is not linked on iOS in attempt to limit the impact to binary size and resulting effect of pushing up against NetworkExtension limits. Eventually we will want to support the relay server on iOS, specifically on the Apple TV. Apple TVs are well-fitted to act as underlay relay servers as they are effectively always-on servers. This skeleton begins to tie a PeerAPI endpoint to a net/udprelay.Server. The PeerAPI endpoint is currently no-op as extension.shouldRunRelayServer() always returns false. Follow-up commits will implement extension.shouldRunRelayServer(). Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	8 months ago
Satyam Soni	b926cd7fc6	k8s-operator: add age column to all custom resources (#15663 ) This change introduces an Age column in the output for all custom resources to enhance visibility into their lifecycle status. Fixes #15499 Signed-off-by: satyampsoni <satyampsoni@gmail.com>	8 months ago
Nick Khyl	4941cd7c73	cmd/tailscaled,ipn/{auditlog,desktop,ipnext,ipnlocal},tsd: extract LocalBackend extension interfaces and implementation In this PR, we refactor the LocalBackend extension system, moving from direct callbacks to a more organized extension host model. Specifically, we: - Extract interface and callback types used by packages extending LocalBackend functionality into a new ipn/ipnext package. - Define ipnext.Host as a new interface that bridges extensions with LocalBackend. It enables extensions to register callbacks and interact with LocalBackend in a concurrency-safe, well-defined, and controlled way. - Move existing callback registration and invocation code from ipnlocal.LocalBackend into a new type called ipnlocal.ExtensionHost, implementing ipnext.Host. - Improve docs for existing types and methods while adding docs for the new interfaces. - Add test coverage for both the extracted and the new code. - Remove ipn/desktop.SessionManager from tsd.System since ipn/desktop is now self-contained. - Update existing extensions (e.g., ipn/auditlog and ipn/desktop) to use the new interfaces where appropriate. We're not introducing new callback and hook types (e.g., for ipn.Prefs changes) just yet, nor are we enhancing current callbacks, such as by improving conflict resolution when more than one extension tries to influence profile selection via a background profile resolver. These further improvements will be submitted separately. Updates #12614 Updates tailscale/corp#27645 Updates tailscale/corp#26435 Updates tailscale/corp#18342 Signed-off-by: Nick Khyl <nickk@tailscale.com>	8 months ago
Tom Proctor	dd95a83a65	cmd/{containerboot,k8s-operator},kube/kubetypes: unadvertise ingress services on shutdown (#15451 ) Ensure no services are advertised as part of shutting down tailscaled. Prefs are only edited if services are currently advertised, and they're edited we wait for control's ~15s (+ buffer) delay to failover. Note that editing prefs will trigger a synchronous write to the state Secret, so it may fail to persist state if the ProxyGroup is getting scaled down and therefore has its RBAC deleted at the same time, but that failure doesn't stop prefs being updated within the local backend, doesn't affect connectivity to control, and the state Secret is about to get deleted anyway, so the only negative side effect is a harmless error log during shutdown. Control still learns that the node is no longer advertising the service and triggers the failover. Note that the first version of this used a PreStop lifecycle hook, but that only supports GET methods and we need the shutdown to trigger side effects (updating prefs) so it didn't seem appropriate to expose that functionality on a GET endpoint that's accessible on the k8s network. Updates tailscale/corp#24795 Change-Id: I0a9a4fe7a5395ca76135ceead05cbc3ee32b3d3c Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	8 months ago
Brad Fitzpatrick	fb96137d79	net/{netx,memnet},all: add netx.DialFunc, move memnet Network impl This adds netx.DialFunc, unifying a type we have a bazillion other places, giving it now a nice short name that's clickable in editors, etc. That highlighted that my earlier move (`03b47a55c7`) of stuff from nettest into netx moved too much: it also dragged along the memnet impl, meaning all users of netx.DialFunc who just wanted netx for the type definition were instead also pulling in all of memnet. So move the memnet implementation netx.Network into memnet, a package we already had. Then use netx.DialFunc in a bunch of places. I'm sure I missed some. And plenty remain in other repos, to be updated later. Updates tailscale/corp#27636 Change-Id: I7296cd4591218e8624e214f8c70dab05fb884e95 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Irbe Krumina	bf8c8e9e89	cmd/k8s-operator,k8s-operator: enable HA Ingress again. (#15453 ) Re-enable HA Ingress again that was disabled for 1.82 release. This reverts commit `fea74a60d5`. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Nick Khyl	6a9a7f35d9	cmd/tailscaled,ipn/{auditlog,ipnlocal},tsd: omit auditlog unless explicitly imported In this PR, we update ipnlocal.LocalBackend to allow registering callbacks for control client creation and profile changes. We also allow to register ipnauth.AuditLogFunc to be called when an auditable action is attempted. We then use all this to invert the dependency between the auditlog and ipnlocal packages and make the auditlog functionality optional, where it only registers its callbacks via ipnlocal-provided hooks when the auditlog package is imported. We then underscore-import it when building tailscaled for Windows, and we'll explicitly import it when building xcode/ipn-go-bridge for macOS. Since there's no default log-store location for macOS, we'll also need to call auditlog.SetStoreFilePath to specify where pending audit logs should be persisted. Fixes #15394 Updates tailscale/corp#26435 Updates tailscale/corp#27012 Signed-off-by: Nick Khyl <nickk@tailscale.com>	8 months ago
Irbe Krumina	fea74a60d5	cmd/k8s-operator,k8s-operator: disable HA Ingress before stable release (#15433 ) Temporarily make sure that the HA Ingress reconciler does not run, as we do not want to release this to stable just yet. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Irbe Krumina	a622debe9b	cmd/{k8s-operator,containerboot}: check TLS cert before advertising VIPService (#15427 ) cmd/{k8s-operator,containerboot}: check TLS cert before advertising VIPService - Ensures that Ingress status does not advertise port 443 before TLS cert has been issued - Ensure that Ingress backends do not advertise a VIPService before TLS cert has been issued, unless the service also exposes port 80 Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Tom Proctor	005e20a45e	cmd/k8s-operator,internal/client/tailscale: use VIPService annotations for ownership tracking (#15356 ) Switch from using the Comment field to a ts-scoped annotation for tracking which operators are cooperating over ownership of a VIPService. Updates tailscale/corp#24795 Change-Id: I72d4a48685f85c0329aa068dc01a1a3c749017bf Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	9 months ago
Irbe Krumina	196ae1cd74	cmd/k8s-operator,k8s-operator: allow optionally using LE staging endpoint for Ingress (#15360 ) cmd/k8s-operator,k8s-operator: allow using LE staging endpoint for Ingress Allow to optionally use LetsEncrypt staging endpoint to issue certs for Ingress/HA Ingress, so that it is easier to experiment with initial Ingress setup without hiting rate limits. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Tom Proctor	8d84720edb	cmd/k8s-operator: update ProxyGroup config Secrets instead of patch (#15353 ) There was a flaky failure case where renaming a TLS hostname for an ingress might leave the old hostname dangling in tailscaled config. This happened when the proxygroup reconciler loop had an outdated resource version of the config Secret in its cache after the ingress-pg-reconciler loop had very recently written it to delete the old hostname. As the proxygroup reconciler then did a patch, there was no conflict and it reinstated the old hostname. This commit updates the patch to an update operation so that if the resource version is out of date it will fail with an optimistic lock error. It also checks for equality to reduce the likelihood that we make the update API call in the first place, because most of the time the proxygroup reconciler is not even making an update to the Secret in the case that the hostname has changed. Updates tailscale/corp#24795 Change-Id: Ie23a97440063976c9a8475d24ab18253e1f89050 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	9 months ago
Irbe Krumina	f50d3b22db	cmd/k8s-operator: configure proxies for HA Ingress to run in cert share mode (#15308 ) cmd/k8s-operator: configure HA Ingress replicas to share certs Creates TLS certs Secret and RBAC that allows HA Ingress replicas to read/write to the Secret. Configures HA Ingress replicas to run in read-only mode. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Tom Proctor	b0095a5da4	cmd/k8s-operator: wait for VIPService before updating HA Ingress status (#15343 ) Update the HA Ingress controller to wait until it sees AdvertisedServices config propagated into at least 1 Pod's prefs before it updates the status on the Ingress, to ensure the ProxyGroup Pods are ready to serve traffic before indicating that the Ingress is ready Updates tailscale/corp#24795 Change-Id: I1b8ce23c9e312d08f9d02e48d70bdebd9e1a4757 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	9 months ago
David Anderson	daa5635ba6	tsweb: split promvarz into an optional dependency Allows the use of tsweb without pulling in all of the heavy prometheus client libraries, protobuf and so on. Updates #15160 Signed-off-by: David Anderson <dave@tailscale.com>	9 months ago
Tom Proctor	ef1e14250c	cmd/k8s-operator: ensure old VIPServices are cleaned up (#15344 ) When the Ingress is updated to a new hostname, the controller does not currently clean up the old VIPService from control. Fix this up to parse the ownership comment correctly and write a test to enforce the improved behaviour Updates tailscale/corp#24795 Change-Id: I792ae7684807d254bf2d3cc7aa54aa04a582d1f5 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	9 months ago
Jonathan Nobels	52710945f5	control/controlclient, ipn: add client audit logging (#14950 ) updates tailscale/corp#26435 Adds client support for sending audit logs to control via /machine/audit-log. Specifically implements audit logging for user initiated disconnections. This will require further work to optimize the peristant storage and exclusion via build tags for mobile: tailscale/corp#27011 tailscale/corp#27012 Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>	9 months ago
Fran Bull	5ebc135397	tsnet,wgengine: fix src to primary Tailscale IP for TCP dials Ensure that the src address for a connection is one of the primary addresses assigned by Tailscale. Not, for example, a virtual IP address. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	9 months ago
Irbe Krumina	74a2373e1d	cmd/k8s-operator: ensure HA Ingress can operate in multicluster mode. (#15157 ) cmd/k8s-operator: ensure HA Ingress can operate in multicluster mode. Update the owner reference mechanism so that: - if during HA Ingress resource creation, a VIPService with some other operator's owner reference is already found, just update the owner references to add one for this operator - if during HA Ingress deletion, the VIPService is found to have owner reference(s) from another operator, don't delete the VIPService, just remove this operator's owner reference - requeue after HA Ingress reconciles that resulted in VIPService updates, to guard against overwrites due to concurrent operations from different clusters. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Tom Proctor	ffb0b66d5b	cmd/k8s-operator: advertise VIPServices in ProxyGroup config (#14946 ) Now that packets flow for VIPServices, the last piece needed to start serving them from a ProxyGroup is config to tell the proxy Pods which services they should advertise. Updates tailscale/corp#24795 Change-Id: Ic7bbeac8e93c9503558107bc5f6123be02a84c77 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	9 months ago
Brad Fitzpatrick	836c01258d	go.toolchain.branch: update to Go 1.24 (#15016 ) * go.toolchain.branch: update to Go 1.24 Updates #15015 Change-Id: I29c934ec17e60c3ac3264f30fbbe68fc21422f4d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> * cmd/testwrapper: fix for go1.24 Updates #15015 Signed-off-by: Paul Scott <paul@tailscale.com> * go.mod,Dockerfile: bump to Go 1.24 Also bump golangci-lint to a version that was built with 1.24 Updates #15015 Signed-off-by: Andrew Lytvynov <awly@tailscale.com> --------- Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Paul Scott <paul@tailscale.com> Signed-off-by: Andrew Lytvynov <awly@tailscale.com> Co-authored-by: Paul Scott <paul@tailscale.com> Co-authored-by: Andrew Lytvynov <awly@tailscale.com>	10 months ago
Percy Wegmann	1f1a26776b	client/tailscale,cmd/k8s-operator,internal/client/tailscale: move VIP service client methods into internal control client Updates tailscale/corp#22748 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Percy Wegmann	4f0222388a	cmd,tsnet,internal/client: create internal shim to deprecated control plane API Even after we remove the deprecated API, we will want to maintain a minimal API for internal use, in order to avoid importing the external tailscale.com/client/tailscale/v2 package. This shim exposes only the necessary parts of the deprecated API for internal use, which gains us the following: 1. It removes deprecation warnings for internal use of the API. 2. It gives us an inventory of which parts we will want to keep for internal use. Updates tailscale/corp#22748 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Nick Khyl	6df5c8f32e	various: keep tailscale connected when Always On mode is enabled on Windows In this PR, we enable the registration of LocalBackend extensions to exclude code specific to certain platforms or environments. We then introduce desktopSessionsExt, which is included only in Windows builds and only if the ts_omit_desktop_sessions tag is disabled for the build. This extension tracks desktop sessions and switches to (or remains on) the appropriate profile when a user signs in or out, locks their screen, or disconnects a remote session. As desktopSessionsExt requires an ipn/desktop.SessionManager, we register it with tsd.System for the tailscaled subprocess on Windows. We also fix a bug in the sessionWatcher implementation where it attempts to close a nil channel on stop. Updates #14823 Updates tailscale/corp#26247 Signed-off-by: Nick Khyl <nickk@tailscale.com>	10 months ago
Irbe Krumina	e11ff28443	cmd/k8s-operator: allow to optionally configure an HTTP endpoint for the HA Ingress (#14986 ) Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
James Tucker	f2f7fd12eb	go.mod: bump bart Bart has had some substantial improvements in internal representation, update functions, and other optimizations to reduce memory usage and improve runtime performance. Updates tailscale/corp#26353 Signed-off-by: James Tucker <james@tailscale.com>	10 months ago
Anton	f35c49d211	net/dns: update to illarion/gonotify/v3 to fix a panic Fixes #14699 Signed-off-by: Anton <anton@tailscale.com>	10 months ago
Brad Fitzpatrick	27f8e2e31d	go.mod: bump x/* deps Notably, this pulls in https://go.googlesource.com/net/+/2dab271ff1b7396498746703d88fefcddcc5cec7 for golang/go#71557. Updates #8043 Change-Id: I3637dbf27b90423dd4d54d147f12688b51f3ce36 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
James Tucker	e113b106a6	go.mod,wgengine/netstack: use cubic congestion control, bump gvisor Cubic performs better than Reno in higher BDP scenarios, and enables the use of the hystart++ implementation contributed by Coder. This improves throughput on higher BDP links with a much faster ramp. gVisor is bumped as well for some fixes related to send queue processing and RTT tracking. Updates #9707 Updates #10408 Updates #12393 Updates tailscale/corp#24483 Updates tailscale/corp#25169 Signed-off-by: James Tucker <james@tailscale.com>	10 months ago
Brad Fitzpatrick	05ac21ebe4	all: use new LocalAPI client package location It was moved in `f57fa3cbc3`. Updates tailscale/corp#22748 Change-Id: I19f965e6bded1d4c919310aa5b864f2de0cd6220 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Percy Wegmann	f57fa3cbc3	client,localclient: move localclient.go to client/local package Updates tailscale/corp#22748 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Mike O'Driscoll	d5316a4fbb	cmd/derper: add setec secret support (#14890 ) Add setec secret support for derper. Support dev mode via env var, and setec via secrets URL. For backwards compatibility use setec load from file also. Updates tailscale/corp#25756 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	10 months ago
Irbe Krumina	5ef934b62d	cmd/k8s-operator: reinstate HA Ingress reconciler (#14887 ) This change: - reinstates the HA Ingress controller that was disabled for 1.80 release - fixes the API calls to manage VIPServices as the API was changed - triggers the HA Ingress reconciler on ProxyGroup changes Updates tailscale/tailscale#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
Percy Wegmann	2e95313b8b	ssh,tempfork/gliderlabs/ssh: replace github.com/tailscale/golang-x-crypto/ssh with golang.org/x/crypto/ssh The upstream crypto package now supports sending banners at any time during authentication, so the Tailscale fork of crypto/ssh is no longer necessary. github.com/tailscale/golang-x-crypto is still needed for some custom ACME autocert functionality. tempfork/gliderlabs is still necessary because of a few other customizations, mostly related to TTY handling. Originally implemented in `46fd4e58a2`, which was reverted in `b60f6b849a` to keep the change out of v1.80. Updates #8593 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Irbe Krumina	a49af98b31	cmd/k8s-operator: temporarily disable HA Ingress controller (#14833 ) The HA Ingress functionality is not actually doing anything valuable yet, so don't run the controller in 1.80 release yet. Updates tailscale/tailscale#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
Irbe Krumina	3f39211f98	cmd/k8s-operator: check that cluster traffic is routed to egress ProxyGroup Pod before marking it as ready (#14792 ) This change builds on top of #14436 to ensure minimum downtime during egress ProxyGroup update rollouts: - adds a readiness gate for ProxyGroup replicas that prevents kubelet from marking the replica Pod as ready before a corresponding readiness condition has been added to the Pod - adds a reconciler that reconciles egress ProxyGroup Pods and, for each that is not ready, if cluster traffic for relevant egress endpoints is routed via this Pod- if so add the readiness condition to allow kubelet to mark the Pod as ready. During the sequenced StatefulSet update rollouts kubelet does not restart a Pod before the previous replica has been updated and marked as ready, so ensuring that a replica is not marked as ready allows to avoid a temporary post-update situation where all replicas have been restarted, but none of the new ones are yet set up as an endpoint for the egress service, so cluster traffic is dropped. Updates tailscale/tailscale#14326 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
Percy Wegmann	b60f6b849a	Revert "ssh,tempfork/gliderlabs/ssh: replace github.com/tailscale/golang-x-crypto/ssh with golang.org/x/crypto/ssh" This reverts commit `46fd4e58a2`. We don't want to include this in 1.80 yet, but can add it back post 1.80. Updates #8593 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Irbe Krumina	52f88f782a	cmd/k8s-operator: don't set deprecated configfile hash on new proxies (#14817 ) Fixes the configfile reload logic- if the tailscale capver can not yet be determined because the device info is not yet written to the state Secret, don't assume that the proxy is pre-110. Updates tailscale/tailscale#13032 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
Irbe Krumina	b406f209c3	cmd/{k8s-operator,containerboot},kube: ensure egress ProxyGroup proxies don't terminate while cluster traffic is still routed to them (#14436 ) cmd/{containerboot,k8s-operator},kube: add preshutdown hook for egress PG proxies This change is part of work towards minimizing downtime during update rollouts of egress ProxyGroup replicas. This change: - updates the containerboot health check logic to return Pod IP in headers, if set - always runs the health check for egress PG proxies - updates ClusterIP Services created for PG egress endpoints to include the health check endpoint - implements preshutdown endpoint in proxies. The preshutdown endpoint logic waits till, for all currently configured egress services, the ClusterIP Service health check endpoint is no longer returned by the shutting-down Pod (by looking at the new Pod IP header). - ensures that kubelet is configured to call the preshutdown endpoint This reduces the possibility that, as replicas are terminated during an update, a replica gets terminated to which cluster traffic is still being routed via the ClusterIP Service because kube proxy has not yet updated routig rules. This is not a perfect check as in practice, it only checks that the kube proxy on the node on which the proxy runs has updated rules. However, overall this might be good enough. The preshutdown logic is disabled if users have configured a custom health check port via TS_LOCAL_ADDR_PORT env var. This change throws a warnign if so and in future setting of that env var for operator proxies might be disallowed (as users shouldn't need to configure this for a Pod directly). This is backwards compatible with earlier proxy versions. Updates tailscale/tailscale#14326 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
Percy Wegmann	46fd4e58a2	ssh,tempfork/gliderlabs/ssh: replace github.com/tailscale/golang-x-crypto/ssh with golang.org/x/crypto/ssh The upstream crypto package now supports sending banners at any time during authentication, so the Tailscale fork of crypto/ssh is no longer necessary. github.com/tailscale/golang-x-crypto is still needed for some custom ACME autocert functionality. tempfork/gliderlabs is still necessary because of a few other customizations, mostly related to TTY handling. Updates #8593 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Brad Fitzpatrick	2691b9f6be	tempfork/acme: add new package for x/crypto package acme fork, move We've been maintaining temporary dev forks of golang.org/x/crypto/{acme,ssh} in https://github.com/tailscale/golang-x-crypto instead of using this repo's tempfork directory as we do with other packages. The reason we were doing that was because x/crypto/ssh depended on x/crypto/ssh/internal/poly1305 and I hadn't noticed there are forwarding wrappers already available in x/crypto/poly1305. It also depended internal/bcrypt_pbkdf but we don't use that so it's easy to just delete that calling code in our tempfork/ssh. Now that our SSH changes have been upstreamed, we can soon unfork from SSH. That leaves ACME remaining. This change copies our tailscale/golang-x-crypto/acme code to tempfork/acme but adds a test that our vendored copied still matches our tailscale/golang-x-crypto repo, where we can continue to do development work and rebases with upstream. A comment on the new test describes the expected workflow. While we could continue to just import & use tailscale/golang-x-crypto/acme, it seems a bit nicer to not have that entire-fork-of-x-crypto visible at all in our transitive deps and the questions that invites. Showing just a fork of an ACME client is much less scary. It does add a step to the process of hacking on the ACME client code, but we do that approximately never anyway, and the extra step is very incremental compared to the existing tedious steps. Updates #8593 Updates #10238 Change-Id: I8af4378c04c1f82e63d31bf4d16dba9f510f9199 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	bce05ec6c3	control/controlclient,tempfork/httprec: don't link httptest, test certs for c2n The c2n handling code was using the Go httptest package's ResponseRecorder code but that's in a test package which brings in Go's test certs, etc. This forks the httptest recorder type into its own package that only has the recorder and adds a test that we don't re-introduce a dependency on httptest. Updates #12614 Change-Id: I3546f49972981e21813ece9064cc2be0b74f4b16 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	8c925899e1	go.mod: bump depaware, add --internal flag to stop hiding internal packages The hiding of internal packages has hidden things I wanted to see a few times now. Stop hiding them. This makes depaware.txt output a bit longer, but not too much. Plus we only really look at it with diffs & greps anyway; it's not like anybody reads the whole thing. Updates #12614 Change-Id: I868c89eeeddcaaab63e82371651003629bc9bda8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	68a66ee81b	feature/capture: move packet capture to feature/*, out of iOS + CLI We had the debug packet capture code + Lua dissector in the CLI + the iOS app. Now we don't, with tests to lock it in. As a bonus, tailscale.com/net/packet and tailscale.com/net/flowtrack no longer appear in the CLI's binary either. A new build tag ts_omit_capture disables the packet capture code and was added to build_dist.sh's --extra-small mode. Updates #12614 Change-Id: I79b0628c0d59911bd4d510c732284d97b0160f10 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	d6abbc2e61	net/tstun: move TAP support out to separate package feature/tap Still behind the same ts_omit_tap build tag. See #14738 for background on the pattern. Updates #12614 Change-Id: I03fb3d2bf137111e727415bd8e713d8568156ecc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Tom Proctor	3033a96b02	cmd/k8s-operator: fix reconciler name clash (#14712 ) The new ProxyGroup-based Ingress reconciler is causing a fatal log at startup because it has the same name as the existing Ingress reconciler. Explicitly name both to ensure they have unique names that are consistent with other explicitly named reconcilers. Updates #14583 Change-Id: Ie76e3eaf3a96b1cec3d3615ea254a847447372ea Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	11 months ago
Brad Fitzpatrick	1562a6f2f2	feature/: make Wake-on-LAN conditional, start supporting modular features This pulls out the Wake-on-LAN (WoL) code out into its own package (feature/wakeonlan) that registers itself with various new hooks around tailscaled. Then a new build tag (ts_omit_wakeonlan) causes the package to not even be linked in the binary. Ohter new packages include: feature: to just record which features are loaded. Future: dependencies between features. * feature/condregister: the package with all the build tags that tailscaled, tsnet, and the Tailscale Xcode project extension can empty (underscore) import to load features as a function of the defined build tags. Future commits will move of our "ts_omit_foo" build tags into this style. Updates #12614 Change-Id: I9c5378dafb1113b62b816aabef02714db3fc9c4a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Adrian Dewhurst	0fa7b4a236	tailcfg: add ServiceName Rather than using a string everywhere and needing to clarify that the string should have the svc: prefix, create a separate type for Service names. Updates tailscale/corp#24607 Change-Id: I720e022f61a7221644bb60955b72cacf42f59960 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	11 months ago
Brad Fitzpatrick	150cd30b1d	ipn/ipnlocal: also use LetsEncrypt-baked-in roots for cert validation We previously baked in the LetsEncrypt x509 root CA for our tlsdial package. This moves that out into a new "bakedroots" package and is now also shared by ipn/ipnlocal's cert validation code (validCertPEM) that decides whether it's time to fetch a new cert. Otherwise, a machine without LetsEncrypt roots locally in its system roots is unable to use tailscale cert/serve and fetch certs. Fixes #14690 Change-Id: Ic88b3bdaabe25d56b9ff07ada56a27e3f11d7159 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Irbe Krumina	817ba1c300	cmd/{k8s-operator,containerboot},kube/kubetypes: parse Ingresses for ingress ProxyGroup (#14583 ) cmd/k8s-operator: add logic to parse L7 Ingresses in HA mode - Wrap the Tailscale API client used by the Kubernetes Operator into a client that knows how to manage VIPServices. - Create/Delete VIPServices and update serve config for L7 Ingresses for ProxyGroup. - Ensure that ingress ProxyGroup proxies mount serve config from a shared ConfigMap. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	11 months ago
Irbe Krumina	97a44d6453	go.{mod,sum},cmd/{k8s-operator,derper,stund}/depaware.txt: bump kube deps (#14601 ) Updates kube deps and mkctr, regenerates kube yamls with the updated tooling. Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	11 months ago
Tom Proctor	2d1f6f18cc	cmd/k8s-operator: require namespace config (#14648 ) Most users should not run into this because it's set in the helm chart and the deploy manifest, but if namespace is not set we get confusing authz errors because the kube client tries to fetch some namespaced resources as though they're cluster-scoped and reports permission denied. Try to detect namespace from the default projected volume, and otherwise fatal. Fixes #cleanup Change-Id: I64b34191e440b61204b9ad30bbfa117abbbe09c3 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	11 months ago
Aaron Klotz	fcf90260ce	atomicfile: use ReplaceFile on Windows so that attributes and ACLs are preserved I moved the actual rename into separate, GOOS-specific files. On non-Windows, we do a simple os.Rename. On Windows, we first try ReplaceFile with a fallback to os.Rename if the target file does not exist. ReplaceFile is the recommended way to rename the file in this use case, as it preserves attributes and ACLs set on the target file. Updates #14428 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	11 months ago

1 2 3 4 5 ...

368 Commits (141eb64d3fe2d00c47ca6a77372e84d265e15edd)