1420 Commits (47cf8367205f20083d3372f1b3af8333b5c6aa17)

Author	SHA1	Message	Date
Brad Fitzpatrick	04e1ce0034	control/controlclient: remove unused StartLogout ... Updates #cleanup Co-authored-by: Maisem Ali <maisem@tailscale.com> Change-Id: I9d052fdbee787f1e8c872124e4bee61c7f04d142 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Andrew Lytvynov	4e72992900	clientupdate: add linux tarball updates (#9144) ... As a fallback to package managers, allow updating tailscale that was self-installed in some way. There are some tricky bits around updating the systemd unit (should we stick to local binary paths or to the ones in tailscaled.service?), so leaving that out for now. Updates #6995 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	10 months ago
Chris Palmer	ce1e02096a	ipn/ipnlocal: support most Linuxes in handleC2NUpdate (#9114) ... * ipn/ipnlocal: support most Linuxes in handleC2NUpdate Updates #6995 Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	10 months ago
Brad Fitzpatrick	7053e19562	control/controlclient: delete Status.Log{in,out}Finished ... They were entirely redundant and 1:1 with the status field so this turns them into methods instead. Updates #cleanup Updates #1909 Change-Id: I7d939750749edf7dae4c97566bbeb99f2f75adbc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Maisem Ali	794650fe50	cmd/k8s-operator: emit event if HTTPS is disabled on Tailnet ... Instead of confusing users, emit an event that explicitly tells the user that HTTPS is disabled on the tailnet and that ingress may not work until they enable it. Updates #9141 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Denton Gentry	be9914f714	cmd/sniproxy: move default debug-port away from 8080. ... Port 8080 is routinely used for HTTP services, make it easier to use --forwards=tcp/8080/... by moving the metrics port out of the way. Updates #1748 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	10 months ago
Maisem Ali	306b85b9a3	cmd/k8s-operator: add metrics to track usage ... Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Irbe Krumina	17438a98c0	cm/k8s-operator,cmd/containerboot: fix STS config, more tests (#9155) ... Ensures that Statefulset reconciler config has only one of Cluster target IP or tailnet target IP. Adds a test case for containerboot egress proxy mode. Updates tailscale/tailscale#8184 Signed-off-by: irbekrm <irbekrm@gmail.com>	10 months ago
Denton Gentry	29a35d4a5d	cmd/sniproxy: switch to peterbourgon/ff for flags ... Add support for TS_APPC_* variables to supply arguments by switching to https://github.com/peterbourgon/ff for CLI flag parsing. For example: TS_APPC_FORWARDS=tcp/22/github.com ./sniproxy Updates https://github.com/tailscale/tailscale/issues/1748 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	10 months ago
Irbe Krumina	fe709c81e5	cmd/k8s-operator,cmd/containerboot: add kube egress proxy (#9031) ... First part of work for the functionality that allows users to create an egress proxy to access Tailnet services from within Kubernetes cluster workloads. This PR allows creating an egress proxy that can access Tailscale services over HTTP only. Updates tailscale/tailscale#8184 Signed-off-by: irbekrm <irbekrm@gmail.com> Co-authored-by: Maisem Ali <maisem@tailscale.com> Co-authored-by: Rhea Ghosh <rhea@tailscale.com>	10 months ago
Maisem Ali	ae747a2e48	cmd/testwrapper: handle timeouts as test failures ... While investigating the fix in 7538f38671, I was curious why the testwrapper didn't fail. Turns out if the test times out and there was no explicit failure, the only message we get is that the overall pkg failed and no failure information about the individual test. This resulted in a 0 exit code. This fixes that by failing the explicit case of the pkg failing when there is nothing to retry for that pkg. Updates #8493 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Maisem Ali	7538f38671	cmd/containerboot: fix broken tests ... The tests were broken in a61a9ab087, maybe even earlier. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
David Anderson	8b492b4121	net/wsconn: accept a remote addr string and plumb it through ... This makes wsconn.Conns somewhat present reasonably when they are the client of an http.Request, rather than just put a placeholder in that field. Updates tailscale/corp#13777 Signed-off-by: David Anderson <danderson@tailscale.com>	10 months ago
Maisem Ali	c919ff540f	cmd/k8s-operator,ipn/store/kubestore: patch secrets instead of updating ... We would call Update on the secret, but that was racey and would occasionaly fail. Instead use patch whenever we can. Fixes errors like ``` boot: 2023/08/29 01:03:53 failed to set serve config: sending serve config: updating config: writing ServeConfig to StateStore: Operation cannot be fulfilled on secrets "ts-webdav-kfrzv-0": the object has been modified; please apply your changes to the latest version and try again {"level":"error","ts":"2023-08-29T01:03:48Z","msg":"Reconciler error","controller":"ingress","controllerGroup":"networking.k8s.io","controllerKind":"Ingress","Ingress":{"name":"webdav","namespace":"default"},"namespace":"default","name":"webdav","reconcileID":"96f5cfed-7782-4834-9b75-b0950fd563ed","error":"failed to provision: failed to create or get API key secret: Operation cannot be fulfilled on secrets \"ts-webdav-kfrzv-0\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tsigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tsigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:226"} ``` Updates #502 Updates #7895 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Brad Fitzpatrick	6dfa403e6b	cmd/tailscaled: default to userspace-networking on plan9 ... No tun support yet. Updates #5794 Change-Id: Ibd8db67594d4c65b47e352ae2af2ab3d2712dfad Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	590c693b96	types/logger: add AsJSON ... Printing out JSON representation things in log output is pretty common. Updates #cleanup Change-Id: Ife2d2e321a18e6e1185efa8b699a23061ac5e5a4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Andrew Lytvynov	8d2eaa1956	clientupdate: download SPK and MSI packages with distsign (#9115) ... Reimplement `downloadURLToFile` using `distsign.Download` and move all of the progress reporting logic over there. Updates #6995 Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	10 months ago
Maisem Ali	0c6fe94cf4	cmd/k8s-operator: add matching family addresses to status ... This was added in 3451b89e5f, but resulted in the v6 Tailscale address being added to status when when the forwarding only happened on the v4 address. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Maisem Ali	f92e6a1be8	cmd/k8s-operator: update RBAC to allow creating events ... The new ingress reconcile raises events on failure, but I forgot to add the updated permission. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Will Norris	d74c771fda	client/web: always use new web client; remove old client ... This uses the new react-based web client for all builds, not just with the --dev flag. If the web client assets have not been built, the client will serve a message that Tailscale was built without the web client, and link to build instructions. Because we will include the web client in all of our builds, this should only be seen by developers or users building from source. (And eventually this will be replaced by attempting to download needed assets as runtime.) We do now checkin the build/index.html file, which serves the error message when assets are unavailable. This will also eventually be used to trigger in CI when new assets should be built and uploaded to a well-known location. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Andrew Dunham	c86a610eb3	cmd/tailscale, net/portmapper: add --log-http option to "debug portmap" ... This option allows logging the raw HTTP requests and responses that the portmapper Client makes when using UPnP. This can be extremely helpful when debugging strange UPnP issues with users' devices, and might allow us to avoid having to instruct users to perform a packet capture. Updates #8992 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I2c3cf6930b09717028deaff31738484cc9b008e4	10 months ago
Mike Beaumont	3451b89e5f	cmd/k8s-operator: put Tailscale IPs in Service ingress status ... Updates #502 Signed-off-by: Mike Beaumont <mjboamail@gmail.com>	10 months ago
Mike Beaumont	ce4bf41dcf	cmd/k8s-operator: support being the default loadbalancer controller ... Updates #502 Signed-off-by: Mike Beaumont <mjboamail@gmail.com>	10 months ago
Maisem Ali	9430481926	cmd/containerboot: account for k8s secret reflection in fsnotify ... On k8s the serve-config secret mount is symlinked so checking against the Name makes us miss the events. Updates #7895 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Maisem Ali	c8dea67cbf	cmd/k8s-operator: add support for Ingress resources ... Previously, the operator would only monitor Services and create a Tailscale StatefulSet which acted as a L3 proxy which proxied traffic inbound to the Tailscale IP onto the services ClusterIP. This extends that functionality to also monitor Ingress resources where the `ingressClassName=tailscale` and similarly creates a Tailscale StatefulSet, acting as a L7 proxy instead. Users can override the desired hostname by setting: ``` - tls hosts: - "foo" ``` Hostnames specified under `rules` are ignored as we only create a single host. This is emitted as an event for users to see. Fixes #7895 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Maisem Ali	320f77bd24	cmd/containerboot: add support for setting ServeConfig ... This watches the provided path for a JSON encoded ipn.ServeConfig. Everytime the file changes, or the nodes FQDN changes it reapplies the ServeConfig. At boot time, it nils out any previous ServeConfig just like tsnet does. As the ServeConfig requires pre-existing knowledge of the nodes FQDN to do SNI matching, it introduces a special `${TS_CERT_DOMAIN}` value in the JSON file which is replaced with the known CertDomain before it is applied. Updates #502 Updates #7895 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Maisem Ali	12ac672542	cmd/k8s-operator: handle changes to services w/o teardown ... Previously users would have to unexpose/expose the service in order to change Hostname/TargetIP. This now applies those changes by causing a StatefulSet rollout now that a61a9ab087 is in. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Denton Gentry	24d41e4ae7	cmd/sniproxy: add port forwarding and prometheus metrics ... 1. Add TCP port forwarding. For example: ./sniproxy -forwards=tcp/22/github.com will forward SSH to github. % ssh -i ~/.ssh/id_ecdsa.pem -T git@github.com Hi GitHubUser! You've successfully authenticated, but GitHub does not provide shell access. % ssh -i ~/.ssh/id_ecdsa.pem -T git@100.65.x.y Hi GitHubUser! You've successfully authenticated, but GitHub does not provide shell access. 2. Additionally export clientmetrics as prometheus metrics for local scraping over the tailnet: http://sniproxy-hostname:8080/debug/varz Updates https://github.com/tailscale/tailscale/issues/1748 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	10 months ago
Brad Fitzpatrick	98a5116434	all: adjust some build tags for plan9 ... I'm not saying it works, but it compiles. Updates #5794 Change-Id: I2f3c99732e67fe57a05edb25b758d083417f083e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Sonia Appasamy	f3077c6ab5	client/web: add self node cache ... Adds a cached self node to the web client Server struct, which will be used from the web client api to verify that request came from the node's own machine (i.e. came from the web client frontend). We'll be using when we switch the web client api over to acting as a proxy to the localapi, to protect against DNS rebinding attacks. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Andrew Lytvynov	b42c4e2da1	cmd/dist,release/dist: add distsign signing hooks (#9070) ... Add `dist.Signer` hook which can arbitrarily sign linux/synology artifacts. Plumb it through in `cmd/dist` and remove existing tarball signing key. Distsign signing will happen on a remote machine, not using a local key. Updates #755 Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	10 months ago
Maisem Ali	ff7f4b4224	cmd/testwrapper: fix off-by-one error in maxAttempts check ... It was checking if `>= maxAttempts` which meant that the third attempt would never run. Updates #8493 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Maisem Ali	a61a9ab087	cmd/containerboot: reapply known args on restart ... Previously we would not reapply changes to TS_HOSTNAME etc when then the container restarted and TS_AUTH_ONCE was enabled. This splits those into two steps login and set, allowing us to only rerun the set step on restarts. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Aaron Klotz	5fb1695bcb	util/osdiag, util/osdiag/internal/wsc: add code to probe the Windows Security Center for installed software ... The Windows Security Center is a component that manages the registration of security products on a Windows system. Only products that have obtained a special cert from Microsoft may register themselves using the WSC API. Practically speaking, most vendors do in fact sign up for the program as it enhances their legitimacy. From our perspective, this is useful because it gives us a high-signal source of information to query for the security products installed on the system. I've tied this query into the osdiag package and is run during bugreports. It uses COM bindings that were automatically generated by my prototype metadata processor, however that program still has a few bugs, so I had to make a few manual tweaks. I dropped those binding into an internal package because (for the moment, at least) they are effectively purpose-built for the osdiag use case. We also update the wingoes dependency to pick up BSTR. Fixes #10646 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	10 months ago
Will Norris	824cd02d6d	client/web: cache csrf key when running in CGI mode ... Indicate to the web client when it is running in CGI mode, and if it is then cache the csrf key between requests. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Brad Fitzpatrick	5b6a90fb33	types/logger, cmd/tailscale/cli: flesh out, simplify some non-unix build tags ... Can write "wasm" instead of js || wasi1p, since there's only two: $ go tool dist list | grep wasm js/wasm wasip1/wasm Plus, if GOOS=wasip2 is added later, we're already set. Updates #5794 Change-Id: Ifcfb187c3775c17c9141bc721512dc4577ac4434 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	d58ba59fd5	cmd/tailscale/cli: make netcheck run even if machine lacks TLS certs ... We have a fancy package for doing TLS cert validation even if the machine doesn't have TLS certs (for LetsEncrypt only) but the CLI's netcheck command wasn't using it. Also, update the tlsdial's outdated package docs while here. Updates #cleanup Change-Id: I74b3cb645d07af4d8ae230fb39a60c809ec129ad Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Marwan Sulaiman	9c07f4f512	all: replace deprecated ioutil references ... This PR removes calls to ioutil library and replaces them with their new locations in the io and os packages. Fixes #9034 Updates #5210 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	10 months ago
Maisem Ali	74388a771f	cmd/k8s-operator: fix regression from earlier refactor ... I forgot to move the defer out of the func, so the tsnet.Server immediately closed after starting. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Brad Fitzpatrick	9089efea06	net/netmon: make ChangeFunc's signature take new ChangeDelta, not bool ... Updates #9040 Change-Id: Ia43752064a1a6ecefc8802b58d6eaa0b71cf1f84 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Sonia Appasamy	78f087aa02	cli/web: pass existing localClient to web client ... Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Maisem Ali	836f932ead	cmd/k8s-operator: split operator.go into svc.go/sts.go ... Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Maisem Ali	7f6bc52b78	cmd/k8s-operator: refactor operator code ... It was jumbled doing a lot of things, this breaks it up into the svc reconciliation and the tailscale sts reconciliation. Prep for future commit. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Aaron Klotz	ea693eacb6	util/winutil: add RegisterForRestart, allowing programs to indicate their preferences to the Windows restart manager ... In order for the installer to restart the GUI correctly post-upgrade, we need the GUI to be able to register its restart preferences. This PR adds API support for doing so. I'm adding it to OSS so that it is available should we need to do any such registrations on OSS binaries in the future. Updates https://github.com/tailscale/corp/issues/13998 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	10 months ago
Marwan Sulaiman	35ff5bf5a6	cmd/tailscale/cli, ipn/ipnlocal: [funnel] add stream mode ... Adds ability to start Funnel in the foreground and stream incoming connections. When foreground process is stopped, Funnel is turned back off for the port. Exampe usage: ``` TAILSCALE_FUNNEL_V2=on tailscale funnel 8080 ``` Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	10 months ago
Brad Fitzpatrick	84b94b3146	types/netmap, all: make NetworkMap.SelfNode a tailcfg.NodeView ... Updates #1909 Change-Id: I8c470cbc147129a652c1d58eac9b790691b87606 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Sonia Appasamy	077bbb8403	client/web: add csrf protection to web client api ... Adds csrf protection and hooks up an initial POST request from the React web client. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	11 months ago
Maisem Ali	2548496cef	types/views,cmd/viewer: add ByteSlice[T] to replace mem.RO ... Add a new views.ByteSlice[T ~[]byte] to provide a better API to use with views. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	11 months ago
Maisem Ali	8a5ec72c85	cmd/cloner: use maps.Clone and ptr.To ... Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	11 months ago
Brad Fitzpatrick	4511e7d64e	ipn/ipnstate: add PeerStatus.AltSharerUserID, stop mangling Node.User ... In b987b2ab18 (2021-01-12) when we introduced sharing we mapped the sharer to the userid at a low layer, mostly to fix the display of "tailscale status" and the client UIs, but also some tests. The commit earlier today, 7dec09d169, removed the 2.5yo option to let clients disable that automatic mapping, as clearly we were never getting around to it. This plumbs the Sharer UserID all the way to ipnstatus so the CLI itself can choose to print out the Sharer's identity over the node's original owner. Then we stop mangling Node.User and let clients decide how they want to render things. To ease the migration for the Windows GUI (which currently operates on tailcfg.Node via the NetMap from WatchIPNBus, instead of PeerStatus), a new method Node.SharerOrUser is added to do the mapping of Sharer-else-User. Updates #1909 Updates tailscale/corp#1183 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago