2512 Commits (6ac80b7334eb978390c75134a82462d43c78f029)

Author	SHA1	Message	Date
M. J. Fromberger	fe391d5694	client/local: use an iterator to stream bus events (#16269) ... This means the caller does not have to remember to close the reader, and avoids having to duplicate the logic to decode JSON into events. Updates #15160 Change-Id: I20186fabb02f72522f61d5908c4cc80b86b8936b Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	6 months ago
James Tucker	b0f7b23efe	net/netcheck: preserve live home DERP through packet loss ... During a short period of packet loss, a TCP connection to the home DERP may be maintained. If no other regions emerge as winners, such as when all regions but one are avoided/disallowed as candidates, ensure that the current home region, if still active, is not dropped as the preferred region until it has failed two keepalives. Relatedly apply avoid and no measure no home to ICMP and HTTP checks as intended. Updates tailscale/corp#12894 Updates tailscale/corp#29491 Signed-off-by: James Tucker <james@tailscale.com>	6 months ago
Irbe Krumina	3219de4cb8	cmd/k8s-operator: ensure status update errors are displayed to users (#16251) ... Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Claus Lensbøl	6010812f0c	ipn/localapi,client/local: add debug watcher for bus events (#16239) ... Updates: #15160 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	6 months ago
Fran Bull	3b25e94352	cmd/natc: allow specifying the tsnet state dir ... Which can make operating the service more convenient. It makes sense to put the cluster state with this if specified, so rearrange the logic to handle that. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	6 months ago
Mike O'Driscoll	e72c528a5f	cmd/{derp,derpprobe},prober,derp: add mesh support to derpprobe (#15414) ... Add mesh key support to derpprobe for probing derpers with verify set to true. Move MeshKey checking to central point for code reuse. Fix a bad error fmt msg. Fixes tailscale/corp#27294 Fixes tailscale/corp#25756 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	6 months ago
Anton Tolchanov	db34cdcfe7	cmd/tailscale/cli: add a risk message about rp_filter ... We already present a health warning about this, but it is easy to miss on a server when blackholing traffic makes it unreachable. In addition to a health warning, present a risk message when exit node is enabled. Example: ``` $ tailscale up --exit-node=lizard The following issues on your machine will likely make usage of exit nodes impossible: - interface "ens4" has strict reverse-path filtering enabled - interface "tailscale0" has strict reverse-path filtering enabled Please set rp_filter=2 instead of rp_filter=1; see https://github.com/tailscale/tailscale/issues/3310 To skip this warning, use --accept-risk=linux-strict-rp-filter $ ``` Updates #3310 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	6 months ago
Tom Meadows	4456f77af7	cmd/k8s-operator: explicitly set tcp on VIPService port configuration for Ingress with ProxyGroup (#16199) ... Updates tailscale/corp#24795 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	6 months ago
Fran Bull	3e08eab21e	cmd/natc: use new on disk state store for consensus ... Fixes #16027 Signed-off-by: Fran Bull <fran@tailscale.com>	6 months ago
Fran Bull	486a55f0a9	cmd/natc: add optional consensus backend ... Enable nat connector to be run on a cluster of machines for high availability. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	6 months ago
Raj Singh	5f0e139012	cmd/tsidp: add Docker image building support (#16078) ... - Add tsidp target to build_docker.sh for standard Tailscale image builds - Add publishdevtsidp Makefile target for development image publishing - Remove Dockerfile, using standard build process - Include tsidp in depaware dependency tracking - Update README with comprehensive Docker usage examples This enables tsidp to be built and published like other Tailscale components (tailscale/tailscale, tailscale/k8s-operator, tailscale/k8s-nameserver). Fixes #16077 Signed-off-by: Raj Singh <raj@tailscale.com>	6 months ago
Irbe Krumina	5b670eb3a5	cmd/containerboot: allow setting --accept-dns via TS_EXTRA_ARGS again (#16129) ... In 1.84 we made 'tailscale set'/'tailscale up' error out if duplicate command line flags are passed. This broke some container configurations as we have two env vars that can be used to set --accept-dns flag: - TS_ACCEPT_DNS- specifically for --accept-dns - TS_EXTRA_ARGS- accepts any arbitrary 'tailscale up'/'tailscale set' flag. We default TS_ACCEPT_DNS to false (to make the container behaviour more declarative), which with the new restrictive CLI behaviour resulted in failure for users who had set --accept-dns via TS_EXTRA_ARGS as the flag would be provided twice. This PR re-instates the previous behaviour by checking if TS_EXTRA_ARGS contains --accept-dns flag and if so using its value to override TS_ACCEPT_DNS. Updates tailscale/tailscale#16108 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Brad Fitzpatrick	401d6c0cfa	go.mod: bump golang.org/x deps ... Updates #8043 Change-Id: I8702a17130559353ccdecbe8b64eeee461ff09c3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
Nick Khyl	191afd3390	net/tshttpproxy: fix WDAP/PAC proxy detection on Win10 1607 and earlier ... Using WINHTTP_AUTOPROXY_ALLOW_AUTOCONFIG on Windows versions older than Windows 10 1703 (build 15063) is not supported and causes WinHttpGetProxyForUrl to fail with ERROR_INVALID_PARAMETER. This results in failures reaching the control on environments where a proxy is required. We use wingoes version detection to conditionally set the WINHTTP_AUTOPROXY_ALLOW_AUTOCONFIG flag on Windows builds greater than 15063. While there, we also update proxy detection to use WINHTTP_AUTO_DETECT_TYPE_DNS_A, as DNS-based proxy discovery might be required with Active Directory and in certain other environments. Updates tailscale/corp#29168 Fixes #879 Signed-off-by: Nick Khyl <nickk@tailscale.com>	6 months ago
Raj Singh	09582bdc00	cmd/tsidp: add web UI for managing OIDC clients (#16068) ... Add comprehensive web interface at ui for managing OIDC clients, similar to tsrecorder's design. Features include list view, create/edit forms with validation, client secret management, delete functionality with confirmation dialogs, responsive design, and restricted tailnet access only. Fixes #16067 Signed-off-by: Raj Singh <raj@tailscale.com>	6 months ago
Tim Klocke	4980869977	cmd/tsidp: Fix sending string for refresh_token ... In accordance with the OIDC/OAuth 2.0 protocol, do not send an empty refresh_token and instead omit the field when empty. Fixes https://github.com/tailscale/tailscale/issues/16073 Signed-off-by: Tim Klocke <taaem@mailbox.org>	6 months ago
Irbe Krumina	00a7dd180a	cmd/k8s-operator: validate Service tags, catch duplicate Tailscale Services (#16058) ... Validate that any tags that users have specified via tailscale.com/tags annotation are valid Tailscale ACL tags. Validate that no more than one HA Tailscale Kubernetes Services in a single cluster refer to the same Tailscale Service. Updates tailscale/tailscale#16054 Updates tailscale/tailscale#16035 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Patrick O'Doherty	a05924a9e5	client/web: add Sec-Fetch-Site CSRF protection (#16046) ... RELNOTE=Fix CSRF errors in the client Web UI Replace gorilla/csrf with a Sec-Fetch-Site based CSRF protection middleware that falls back to comparing the Host & Origin headers if no SFS value is passed by the client. Add an -origin override to the web CLI that allows callers to specify the origin at which the web UI will be available if it is hosted behind a reverse proxy or within another application via CGI. Updates #14872 Updates #15065 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	7 months ago
Simon Law	3ee4c60ff0	cmd/derper: fix mesh auth for DERP servers (#16061) ... To authenticate mesh keys, the DERP servers used a simple == comparison, which is susceptible to a side channel timing attack. By extracting the mesh key for a DERP server, an attacker could DoS it by forcing disconnects using derp.Client.ClosePeer. They could also enumerate the public Wireguard keys, IP addresses and ports for nodes connected to that DERP server. DERP servers configured without mesh keys deny all such requests. This patch also extracts the mesh key logic into key.DERPMesh, to prevent this from happening again. Security bulletin: https://tailscale.com/security-bulletins#ts-2025-003 Fixes tailscale/corp#28720 Signed-off-by: Simon Law <sfllaw@tailscale.com>	7 months ago
Irbe Krumina	c4fb380f3c	cmd/k8s-operator: fix Tailscale Service API errors check (#16020) ... Updates tailscale/tailscale#15895 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	7 months ago
Brad Fitzpatrick	54970054a6	cmd/tailscale/cli: suggest using "tailscale set", not "up", to set operator ... The same message was used for "up" and "down" permission failures, but "set" works better for both. Suggesting "up --operator" for a "down" permission failure was confusing. It's not like the latter command works in one shot anyway. Fixes #16008 Change-Id: I6e4225ef06ce2d8e19c40bece8104e254c2aa525 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	8009ad74a3	cmd/derper, net/tlsdial: fix client's self-signed cert validation ... This fixes the implementation and test from #15208 which apparently never worked. Ignore the metacert when counting the number of expected certs presented. And fix the test, pulling out the TLSConfig setup code into something shared between the real cmd/derper and the test. Fixes #15579 Change-Id: I90526e38e59f89b480629b415f00587b107de10a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Tom Meadows	b5770c81c9	cmd/k8s-operator: rename VIPService -> Tailscale Service in L3 HA Service Reconciler (#16014) ... Also changes wording tests for L7 HA Reconciler Updates #15895 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	7 months ago
Tom Meadows	7fe27496c8	cmd/k8s-operator: warn if HA Service is applied, but VIPService feature flag is not enabled (#16013) ... Updates #15895 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	7 months ago
Tom Meadows	df8d51023e	cmd/k8s-operator,kube/kubetypes,k8s-operator/apis: reconcile L3 HA Services (#15961) ... This reconciler allows users to make applications highly available at L3 by leveraging Tailscale Virtual Services. Many Kubernetes Service's (irrespective of the cluster they reside in) can be mapped to a Tailscale Virtual Service, allowing access to these Services at L3. Updates #15895 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	7 months ago
Tom Proctor	d89aa29081	{cmd,}/k8s-operator: support IRSA for Recorder resources (#15913) ... Adds Recorder fields to configure the name and annotations of the ServiceAccount created for and used by its associated StatefulSet. This allows the created Pod to authenticate with AWS without requiring a Secret with static credentials, using AWS' IAM Roles for Service Accounts feature, documented here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html Fixes #15875 Change-Id: Ib0e15c0dbc357efa4be260e9ae5077bacdcb264f Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	7 months ago
Irbe Krumina	6b97e615d6	cmd/containerboot,kube/ingressservices: proxy VIPService TCP/UDP traffic to cluster Services (#15897) ... cmd/containerboot,kube/ingressservices: proxy VIPService TCP/UDP traffic to cluster Services This PR is part of the work to implement HA for Kubernetes Operator's network layer proxy. Adds logic to containerboot to monitor mounted ingress firewall configuration rules and update iptables/nftables rules as the config changes. Also adds new shared types for the ingress configuration. The implementation is intentionally similar to that for HA for egress proxy. Updates tailscale/tailscale#15895 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> Signed-off-by: Irbe Krumina <irbe@tailscale.com>	7 months ago
Patrick O'Doherty	336b3b7df0	cmd/proxy-to-grafana: strip X-Webauth* headers from all requests (#15985) ... Update proxy-to-grafana to strip any X-Webauth prefixed headers passed by the client in *every* request, not just those to /login. /api/ routes will also accept these headers to authenticate users, necessitating their removal to prevent forgery. Updates tailscale/corp#28687 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	7 months ago
Irbe Krumina	abe04bfa78	cmd/k8s-operator: warn if Tailscale Services use attempted for tailnet without the feature enabled (#15931) ... Also renames VIPService -> Tailscale Service (including user facing messages) Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	7 months ago
Simon Law	7f4aaed1d5	cmd/derpprobe: exit with non-zero status if --once fails (#15926) ... `cmd/derpprobe --once` didn’t respect the convention of non-zero exit status for a failed run. It would always exit zero (i.e. success), even. This patch fixes that, but only for `--once` mode. Fixes: #15925 Signed-off-by: Simon Law <sfllaw@tailscale.com>	7 months ago
Jordan Whited	0f4f808e70	wgengine/magicsock: re-shape relayManager to use an event loop (#15935) ... The event loop removes the need for growing locking complexities and synchronization. Now we simply use channels. The event loop only runs while there is active work to do. relayManager remains no-op inside magicsock for the time being. endpoints are never 'relayCapable' and therefore endpoint & Conn will not feed CallMeMaybeVia or allocation events into it. A number of relayManager events remain unimplemented, e.g. CallMeMaybeVia reception and relay handshaking. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	7 months ago
Nick Khyl	a9be049c19	ipn/ipnlocal,net/dns/resolver: use the user dialer and routes for DNS forwarding by default, except on iOS and Android ... In this PR, we make the "user-dial-routes" behavior default on all platforms except for iOS and Android. It can be disabled by setting the TS_DNS_FORWARD_USE_ROUTES envknob to 0 or false. Updates #12027 Updates #13837 Signed-off-by: Nick Khyl <nickk@tailscale.com>	7 months ago
Jordan Whited	0841477743	net/udprelay{/endpoint}, all: move ServerEndpoint to independent pkg (#15934) ... ServerEndpoint will be used within magicsock and potentially elsewhere, which should be possible without needing to import the server implementation itself. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	7 months ago
Brad Fitzpatrick	165b99278b	feature/taildrop, ipn/ipnlocal: remove leftover dup calls to osshare ... I'd moved the osshare calls to feature/taildrop hooks, but forgot to remove them from ipnlocal, or lost them during a rebase. But then I noticed cmd/tailscaled also had some, so turn those into a hook. Updates #12614 Change-Id: I024fb1d27fbcc49c013158882ee5982c2737037d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	48dacf1bf7	cmd/tailscale/cli: omit "file" subcommand if taildrop is omitted from build ... Updates #15812 Updates #12614 Change-Id: Ic945b26a127ba15399abdaab8fe43b1cfa64d874 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	7cc2837594	tsnet: don't depend on condregister & its default tailscaled features ... None of them are applicable to the common tsnet use cases. If somebody wants one of them, they can empty import it. Updates #12614 Change-Id: I3d7f74b555eed22e05a09ad667e4572a5bc452d8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	5b597489bc	taildrop: merge taildrop and feature/taildrop packages together ... Fixes #15812 Change-Id: I3bf0666bf9e7a9caea5f0f99fdb0eb2812157608 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	068d5ab655	feature/taildrop: move rest of Taildrop out of LocalBackend ... Updates #12614 Change-Id: If451dec1d796f6a4216fe485975c87f0c62a53e5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Co-authored-by: Nick Khyl <nickk@tailscale.com>	7 months ago
Brad Fitzpatrick	cf6a593196	cmd/tailscale/cli: rename "--posture-checking" to "--report-posture" ... For consistency with other flags, per Slack chat. Updates #5902 Change-Id: I7ae1e4c97b37185573926f5fafda82cf8b46f071 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Tom Proctor	62182f3bcf	cmd/k8s-operator,k8s-operator/api-proxy: move k8s proxy code to library (#15857) ... The defaultEnv and defaultBool functions are copied over temporarily to minimise diff. This lays the ground work for having both the operator and the new k8s-proxy binary implement the API proxy Updates #13358 Change-Id: Ieacc79af64df2f13b27a18135517bb31c80a5a02 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	7 months ago
Andrew Lytvynov	3105ecd958	hostinfo,tailcfg: report TPM availability on windows/linux (#15831) ... Start collecting fleet data on TPM availability via hostinfo. Updates #15830 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	7 months ago
Brad Fitzpatrick	383664b2f7	cmd/tsidp: remove backticks in README in shell example ... Fixes #15818 Change-Id: I7a6f4c7368fed74b865a63acdea4559c3d0a0d09 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	e415f51351	feature/taildrop: add integration test ... Taildrop has never had an end-to-end test since it was introduced. This adds a basic one. It caught two recent refactoring bugs & one from 2022 (0f7da5c7dc). This is prep for moving the rest of Taildrop out of LocalBackend, so we can do more refactorings with some confidence. Updates #15812 Change-Id: I6182e49c5641238af0bfdd9fea1ef0420c112738 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Anton Tolchanov	fe0090909b	cmd/tailscale/cli: unhide `--posture-checking` flag to `set` ... Updates #5902 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	7 months ago
James Tucker	b95e8bf4a1	tsweb/varz: export GC CPU fraction gauge ... We were missing this metric, but it can be important for some workloads. Varz memstats output allocation cost reduced from 30 allocs per invocation to 1 alloc per invocation. Updates tailscale/corp#28033 Signed-off-by: James Tucker <james@tailscale.com> Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	dbf13976d3	types/mapx, ipn/ipnext: add ordered map, akin to set.Slice ... We had an ordered set type (set.Slice) already but we occasionally want to do the same thing with a map, preserving the order things were added, so add that too, as mapsx.OrderedMap[K, V], and then use in ipnext. Updates #12614 Change-Id: I85e6f5e11035571a28316441075e952aef9a0863 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Patrick O'Doherty	e649227ef2	cmd/tsidp: fix interface{} linter warnings (#15729) ... Replace all instances of interface{} with any to resolve the golangci-lint errors that appeared in the previous tsidp PR. Updates #cleanup Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	8 months ago
Cedric Kienzler	b34a2bdb22	cmd/tsidp: add groups claim to tsidp (#15127) ... * cmd/tsidp: add groups claim to tsidp This feature adds support for a `groups` claim in tsidp using the grants syntax: ```json { "grants": [ { "src": ["group:admins"], "dst": ["*"], "ip": ["*"], "app": { "tailscale.com/cap/tsidp": [ { "groups": ["admin"] } ] } }, { "src": ["group:reader"], "dst": ["*"], "ip": ["*"], "app": { "tailscale.com/cap/tsidp": [ { "groups": ["reader"] } ] } } ] } ``` For #10263 Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> * cmd/tsidp: refactor cap/tsidp to allow extraClaims This commit refactors the `capRule` struct to allow specifying arbitrary extra claims: ```json { "src": ["group:reader"], "dst": ["*"], "ip": ["*"], "app": { "tailscale.com/cap/tsidp": [ { "extraClaims": { "groups": ["reader"], "entitlements": ["read-stuff"], }, } ] } } ``` Overwriting pre-existing claims cannot be modified/overwritten. Also adding more unit-testing Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> * Update cmd/tsidp/tsidp.go Signed-off-by: cedi <cedi@users.noreply.github.com> * Update cmd/tsidp/tsidp_test.go Co-authored-by: Patrick O'Doherty <hello@patrickod.com> Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com> * Update cmd/tsidp/tsidp_test.go Co-authored-by: Patrick O'Doherty <hello@patrickod.com> Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com> * Fix logical error in test case Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> * fix error printing for failed to unmarshal capability in tsidp Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> * clarify doc string for withExtraClaims Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> --------- Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> Signed-off-by: cedi <cedi@users.noreply.github.com> Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com> Co-authored-by: Patrick O'Doherty <hello@patrickod.com>	8 months ago
Tom Meadows	9666c2e700	cmd/k8s-operator: default ingress paths to '/' if not specified by user (#15706) ... in resource Fixes #14908 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	8 months ago
Percy Wegmann	26f31f73f4	cmd/dist,release/dist: sign QNAP builds with a Google Cloud hosted key ... QNAP now requires builds to be signed with an HSM. This removes support for signing with a local keypair. This adds support for signing with a Google Cloud hosted key. The key should be an RSA key with protection level `HSM` and that uses PSS padding and a SHA256 digest. The GCloud project, keyring and key name are passed in as command-line arguments. The GCloud credentials and the PEM signing certificate are passed in as Base64-encoded command-line arguments. Updates tailscale/corp#23528 Signed-off-by: Percy Wegmann <percy@tailscale.com>	8 months ago
Brad Fitzpatrick	0c78f081a4	feature/taildrop: start moving Taildrop out of LocalBackend ... This adds a feature/taildrop package, a ts_omit_taildrop build tag, and starts moving code to feature/taildrop. In some cases, code remains where it was but is now behind a build tag. Future changes will move code to an extension and out of LocalBackend, etc. Updates #12614 Change-Id: Idf96c61144d1a5f707039ceb2ff59c99f5c1642f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
David Anderson	5399fa159a	net/netmon: publish events to event bus ... Updates #15160 Signed-off-by: David Anderson <dave@tailscale.com>	8 months ago
David Anderson	6d6f69e735	derp/derphttp: remove ban on websockets dependency ... The event bus's debug page uses websockets. Updates #15160 Signed-off-by: David Anderson <dave@tailscale.com>	8 months ago
David Anderson	e8cacd2a32	cmd/tailscaled: clean up unnecessary logf indirection #cleanup ... Signed-off-by: David Anderson <dave@tailscale.com>	8 months ago
M. J. Fromberger	deb0b255ff	all: update the tsd.System constructor name (#15372) ... Replace NewSystemWithEventBus with plain NewSystem, and update all usage. See https://github.com/tailscale/tailscale/pull/15355#discussion_r2003910766 Updates #15160 Change-Id: I64d337f09576b41d9ad78eba301a74b9a9d6ebf4 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	8 months ago
M. J. Fromberger	baead61e44	{wgengine,util/portmapper}: add and plumb an event bus (#15359) ... Updates #15160 Change-Id: I2510fb4a8905fb0abe8a8e0c5b81adb15d50a6f8 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	8 months ago
M. J. Fromberger	418e19fb5e	portmapper: update NewClient to use a Config argument ... In preparation for adding more parameters (and later, moving some away), rework the portmapper constructor to accept its arguments on a Config struct rather than positionally. This is a breaking change to the function signature, but one that is very easy to update, and a search of GitHub reveals only six instances of usage outside clones and forks of Tailscale itself, that are not direct copies of the code fixed up here. While we could stub in another constructor, I think it is safe to let those folks do the update in-place, since their usage is already affected by other changes we can't test for anyway. Updates #15160 Change-Id: I9f8a5e12b38885074c98894b7376039261b43f43 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	8 months ago
M. J. Fromberger	ffb22ee353	all: construct new System values with an event bus pre-populated ... Although, at the moment, we do not yet require an event bus to be present, as we start to add more pieces we will want to ensure it is always available. Add a new constructor and replace existing uses of new(tsd.System) throughout. Update generated files for import changes. Updates #15160 Change-Id: Ie5460985571ade87b8eac8b416948c7f49f0f64b Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	8 months ago
David Anderson	6b8bbb4c37	tsd: wire up the event bus to tailscaled ... Updates #15160 Signed-off-by: David Anderson <dave@tailscale.com>	8 months ago
Jordan Whited	37f5fd2ec1	feature/{condregister,relayserver}: implement the skeleton for the relayserver feature (#15699) ... This feature is "registered" as an ipnlocal.Extension, and conditionally linked depending on GOOS and ts_omit_relayserver build tag. The feature is not linked on iOS in attempt to limit the impact to binary size and resulting effect of pushing up against NetworkExtension limits. Eventually we will want to support the relay server on iOS, specifically on the Apple TV. Apple TVs are well-fitted to act as underlay relay servers as they are effectively always-on servers. This skeleton begins to tie a PeerAPI endpoint to a net/udprelay.Server. The PeerAPI endpoint is currently no-op as extension.shouldRunRelayServer() always returns false. Follow-up commits will implement extension.shouldRunRelayServer(). Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	8 months ago
Satyam Soni	b926cd7fc6	k8s-operator: add age column to all custom resources (#15663) ... This change introduces an Age column in the output for all custom resources to enhance visibility into their lifecycle status. Fixes #15499 Signed-off-by: satyampsoni <satyampsoni@gmail.com>	8 months ago
Fran Bull	4cb9d5c183	cmd/natc: cleanup unused state ... perPeerState no longer needs to know the v6ULA. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	8 months ago
Fran Bull	1e290867bd	cmd/natc: only store v4 addresses ... Because we derive v6 addresses from v4 addresses we only need to store the v4 address, not both. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	8 months ago
Nick Khyl	4941cd7c73	cmd/tailscaled,ipn/{auditlog,desktop,ipnext,ipnlocal},tsd: extract LocalBackend extension interfaces and implementation ... In this PR, we refactor the LocalBackend extension system, moving from direct callbacks to a more organized extension host model. Specifically, we: - Extract interface and callback types used by packages extending LocalBackend functionality into a new ipn/ipnext package. - Define ipnext.Host as a new interface that bridges extensions with LocalBackend. It enables extensions to register callbacks and interact with LocalBackend in a concurrency-safe, well-defined, and controlled way. - Move existing callback registration and invocation code from ipnlocal.LocalBackend into a new type called ipnlocal.ExtensionHost, implementing ipnext.Host. - Improve docs for existing types and methods while adding docs for the new interfaces. - Add test coverage for both the extracted and the new code. - Remove ipn/desktop.SessionManager from tsd.System since ipn/desktop is now self-contained. - Update existing extensions (e.g., ipn/auditlog and ipn/desktop) to use the new interfaces where appropriate. We're not introducing new callback and hook types (e.g., for ipn.Prefs changes) just yet, nor are we enhancing current callbacks, such as by improving conflict resolution when more than one extension tries to influence profile selection via a background profile resolver. These further improvements will be submitted separately. Updates #12614 Updates tailscale/corp#27645 Updates tailscale/corp#26435 Updates tailscale/corp#18342 Signed-off-by: Nick Khyl <nickk@tailscale.com>	8 months ago
Jordan Whited	e17abbf461	cmd/tailscale,ipn: add relay-server-port "tailscale set" flag and Prefs field (#15594) ... This flag is currently no-op and hidden. The flag does round trip through the related pref. Subsequent commits will tie them to net/udprelay.Server. There is no corresponding "tailscale up" flag, enabling/disabling of the relay server will only be supported via "tailscale set". This is a string flag in order to support disablement via empty string as a port value of 0 means "enable the server and listen on a random unused port". Disablement via empty string also follows existing flag convention, e.g. advertise-routes. Early internal discussions settled on "tailscale set --relay="<port>", but the author felt this was too ambiguous around client vs server, and may cause confusion in the future if we add related flags. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	8 months ago
Simon Law	7e296923ab	cmd/tailscale: test for new flags in tailscale up ... `tailscale set` was created to set preferences, which used to be overloaded into `tailscale up`. To move people over to the new command, `up` was supposed to be frozen and no new preference flags would be added. But people forgot, there was no test to warn them, and so new flags were added anyway. TestUpFlagSetIsFrozen complains when new flags are added to `tailscale up`. It doesn’t try all combinations of GOOS, but since the CI builds in every OS, the pull-request tests should cover this. Updates #15460 Signed-off-by: Simon Law <sfllaw@sfllaw.ca>	8 months ago
Tom Proctor	dd95a83a65	cmd/{containerboot,k8s-operator},kube/kubetypes: unadvertise ingress services on shutdown (#15451) ... Ensure no services are advertised as part of shutting down tailscaled. Prefs are only edited if services are currently advertised, and they're edited we wait for control's ~15s (+ buffer) delay to failover. Note that editing prefs will trigger a synchronous write to the state Secret, so it may fail to persist state if the ProxyGroup is getting scaled down and therefore has its RBAC deleted at the same time, but that failure doesn't stop prefs being updated within the local backend, doesn't affect connectivity to control, and the state Secret is about to get deleted anyway, so the only negative side effect is a harmless error log during shutdown. Control still learns that the node is no longer advertising the service and triggers the failover. Note that the first version of this used a PreStop lifecycle hook, but that only supports GET methods and we need the shutdown to trigger side effects (updating prefs) so it didn't seem appropriate to expose that functionality on a GET endpoint that's accessible on the k8s network. Updates tailscale/corp#24795 Change-Id: I0a9a4fe7a5395ca76135ceead05cbc3ee32b3d3c Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	8 months ago
James Tucker	8e1aa86bdb	cmd/natc: attempt to match IP version between upstream and downstream ... As IPv4 and IPv6 end up with different MSS and different congestion control strategies, proxying between them can really amplify TCP meltdown style conditions in many real world network conditions, such as with higher latency, some loss, etc. Attempt to match up the protocols, otherwise pick a destination address arbitrarily. Also shuffle the target address to spread load across upstream load balancers. Updates #15367 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Tom Proctor	de949b050e	cmd/containerboot: speed up tests (#14883) ... The test suite had grown to about 20s on my machine, but it doesn't do much taxing work so was a good candidate to parallelise. Now runs in under 2s on my machine. Updates #cleanup Change-Id: I2fcc6be9ca226c74c0cb6c906778846e959492e4 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	8 months ago
Brad Fitzpatrick	79ff067db3	cmd/tailscale/cli: prevent all dup flags, not just strings ... The earlier #15534 prevent some dup string flags. This does it for all flag types. Updates #6813 Change-Id: Iec2871448394ea9a5b604310bdbf7b499434bf01 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Jason O'Donnell	6088ee311f	cmd/tailscale/cli: return error on duplicate multi-value flags (#15534) ... Some CLI flags support multiple values separated by commas. These flags are intended to be declared only once and will silently ignore subsequent instances. This will now throw an error if multiple instances of advertise-tags and advertise-routes are detected. Fixes #6813 Signed-off-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>	8 months ago
James Tucker	025fe72448	cmd/natc: fix handling of upstream and downstream nxdomain ... Ensure that the upstream is always queried, so that if upstream is going to NXDOMAIN natc will also return NXDOMAIN rather than returning address allocations. At this time both IPv4 and IPv6 are still returned if upstream has a result, regardless of upstream support - this is ~ok as we're proxying. Rewrite the tests to be once again slightly closer to integration tests, but they're still very rough and in need of a refactor. Further refactors are probably needed implementation side too, as this removed rather than added units. Updates #15367 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Brad Fitzpatrick	fb96137d79	net/{netx,memnet},all: add netx.DialFunc, move memnet Network impl ... This adds netx.DialFunc, unifying a type we have a bazillion other places, giving it now a nice short name that's clickable in editors, etc. That highlighted that my earlier move (03b47a55c7) of stuff from nettest into netx moved too much: it also dragged along the memnet impl, meaning all users of netx.DialFunc who just wanted netx for the type definition were instead also pulling in all of memnet. So move the memnet implementation netx.Network into memnet, a package we already had. Then use netx.DialFunc in a bunch of places. I'm sure I missed some. And plenty remain in other repos, to be updated later. Updates tailscale/corp#27636 Change-Id: I7296cd4591218e8624e214f8c70dab05fb884e95 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Brad Fitzpatrick	265c76dbc5	all: unify some redundant testing.TB interface copies ... I added yet another one in 6d117d64a2 but that new one is at the best place int he dependency graph and has the best name, so let's use that one for everything possible. types/lazy can't use it for circular dependency reasons, so unexport that copy at least. Updates #cleanup Change-Id: I25db6b6a0d81dbb8e89a0a9080c7f15cbf7aa770 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
phanirithvij	ad2b075d4f	cmd/nardump: support symlinks, add basic test ... Signed-off-by: phanirithvij <phanirithvij2000@gmail.com>	8 months ago
Fran Bull	603a1d3830	cmd/natc: move address storage behind an interface ... Adds IPPool and moves all IP address management concerns behind that. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	8 months ago
Fran Bull	e2eb6eb870	cmd/natc: separate perPeerState from connector ... Make the perPeerState objects able to function independently without a shared reference to the connector. We don't currently change the values from connector that perPeerState uses at runtime. Explicitly copying them at perPeerState creation allows us to, for example, put the perPeerState into a consensus algorithm in the future. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	8 months ago
Kot	1284482790	Change README to reflect configuration ... Updates #15465 Signed-off-by: Kot <kot@kot.pink>	8 months ago
Kot	c86afacf26	Move env var flag passing to Dockerfile ... Updates #15465 Signed-off-by: Kot <kot@kot.pink>	8 months ago
Kot	85bcc2e3bd	cmd/tsidp: use advertised env vars for config ... Fixes #14491 Signed-off-by: Kot <kot@kot.pink>	8 months ago
Brad Fitzpatrick	7dbb21cae8	cmd/tailscale: add tailscale.rc Plan 9 wrapper ... So we can link tailscale and tailscaled together into one. Updates #5794 Change-Id: I9a8b793c64033827e4188931546cbd64db55982e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Brad Fitzpatrick	b3953ce0c4	ssh/tailssh: add Plan 9 support for Tailscale SSH ... Updates #5794 Change-Id: I7b05cd29ec02085cb503bbcd0beb61bf455002ac Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Brad Fitzpatrick	3da1728207	cmd/tailscaled: make state dir on Plan 9 ... Updates #5794 Change-Id: Id7bdc08263e98a1848ffce0dd25fc034747d7393 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Brad Fitzpatrick	21d12ec522	cmd/tailscaled: let net/netmon know what our TUN interface is ... Updates #5794 Change-Id: Ia7e71c32e6c0cd79eb32b6c2c2d4e9a6d8c3e4d6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Brad Fitzpatrick	60847128df	net/tstun: add Plan 9 'tun' support ... Updates #5794 Change-Id: I8c466cae25ae79be1097450a63e8c25c7b519331 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
James Tucker	95034e15a7	cmd/natc: fix ip allocation runtime ... Avoid the unbounded runtime during random allocation, if random allocation fails after a first pass at random through the provided ranges, pick the next free address by walking through the allocated set. The new ipx utilities provide a bitset based allocation pool, good for small to moderate ranges of IPv4 addresses as used in natc. Updates #15367 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Brad Fitzpatrick	2a12e634bf	cmd/vnet: add wsproxy mode ... For hooking up websocket VM clients to natlab. Updates #13038 Change-Id: Iaf728b9146042f3d0c2d3a5e25f178646dd10951 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Irbe Krumina	bf8c8e9e89	cmd/k8s-operator,k8s-operator: enable HA Ingress again. (#15453) ... Re-enable HA Ingress again that was disabled for 1.82 release. This reverts commit fea74a60d5. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Brad Fitzpatrick	4c5112eba6	cmd/tailscaled: make embedded CLI run earlier, support triggering via env ... Not all platforms have hardlinks, or not easily. This lets a "tailscale" wrapper script set an environment variable before calling tailscaled. Updates #2233 Change-Id: I9eccc18651e56c106f336fcbbd0fd97a661d312e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Nick Khyl	6a9a7f35d9	cmd/tailscaled,ipn/{auditlog,ipnlocal},tsd: omit auditlog unless explicitly imported ... In this PR, we update ipnlocal.LocalBackend to allow registering callbacks for control client creation and profile changes. We also allow to register ipnauth.AuditLogFunc to be called when an auditable action is attempted. We then use all this to invert the dependency between the auditlog and ipnlocal packages and make the auditlog functionality optional, where it only registers its callbacks via ipnlocal-provided hooks when the auditlog package is imported. We then underscore-import it when building tailscaled for Windows, and we'll explicitly import it when building xcode/ipn-go-bridge for macOS. Since there's no default log-store location for macOS, we'll also need to call auditlog.SetStoreFilePath to specify where pending audit logs should be persisted. Fixes #15394 Updates tailscale/corp#26435 Updates tailscale/corp#27012 Signed-off-by: Nick Khyl <nickk@tailscale.com>	8 months ago
Simon Law	e9324236e8	cmd/tailscale: fix default for `tailscale set --accept-routes` ... The default values for `tailscale up` and `tailscale set` are supposed to agree for all common flags. But they don’t for `--accept-routes` on Windows and from the Mac OS App Store, because `tailscale up` computes this value based on the operating system: user@host:~$ tailscale up --help 2>&1 | grep -A1 accept-routes --accept-dns, --accept-dns=false accept DNS configuration from the admin panel (default true) user@host:~$ tailscale set --help 2>&1 | grep -A1 accept-routes --accept-dns, --accept-dns=false accept DNS configuration from the admin panel Luckily, `tailscale set` uses `ipn.MaskedPrefs`, so the default values don’t logically matter. But someone will get the wrong idea if they trust the `tailscale set --help` documentation. In addition, `ipn.Prefs.RouteAll` defaults to true so it disagrees with both of the flags above. This patch makes `--accept-routes` use the same logic for in both commands by hoisting the logic that was buried in `cmd/tailscale/cli` to `ipn.Prefs.DefaultRouteAll`. Then, all three of defaults can agree. Fixes: #15319 Signed-off-by: Simon Law <sfllaw@sfllaw.ca>	8 months ago
Simon Law	7fc9099cf8	cmd/tailscale: fix default for `tailscale set --accept-dns` ... The default values for `tailscale up` and `tailscale set` are supposed to agree on all common flags. But they don’t for `--accept-dns`: user@host:~$ tailscale up --help 2>&1 | grep -A1 accept-dns --accept-dns, --accept-dns=false accept DNS configuration from the admin panel (default true) user@host:~$ tailscale set --help 2>&1 | grep -A1 accept-dns --accept-dns, --accept-dns=false accept DNS configuration from the admin panel Luckily, `tailscale set` uses `ipn.MaskedPrefs`, so the default values don’t logically matter. But someone will get the wrong idea if they trust the `tailscale set --help` documentation. This patch makes `--accept-dns` default to true in both commands and also introduces `TestSetDefaultsMatchUpDefaults` to prevent any future drift. Fixes: #15319 Signed-off-by: Simon Law <sfllaw@sfllaw.ca>	8 months ago
Irbe Krumina	fea74a60d5	cmd/k8s-operator,k8s-operator: disable HA Ingress before stable release (#15433) ... Temporarily make sure that the HA Ingress reconciler does not run, as we do not want to release this to stable just yet. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
James Tucker	d0e7af3830	cmd/natc: add test and fix for ip exhaustion ... This is a very dumb fix as it has an unbounded worst case runtime. IP allocation needs to be done in a more sane way in a follow-up. Updates #15367 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Irbe Krumina	a622debe9b	cmd/{k8s-operator,containerboot}: check TLS cert before advertising VIPService (#15427) ... cmd/{k8s-operator,containerboot}: check TLS cert before advertising VIPService - Ensures that Ingress status does not advertise port 443 before TLS cert has been issued - Ensure that Ingress backends do not advertise a VIPService before TLS cert has been issued, unless the service also exposes port 80 Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
James Tucker	b3455fa99a	cmd/natc: add some initial unit test coverage ... These tests aren't perfect, nor is this complete coverage, but this is a set of coverage that is at least stable. Updates #15367 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Tom Proctor	005e20a45e	cmd/k8s-operator,internal/client/tailscale: use VIPService annotations for ownership tracking (#15356) ... Switch from using the Comment field to a ts-scoped annotation for tracking which operators are cooperating over ownership of a VIPService. Updates tailscale/corp#24795 Change-Id: I72d4a48685f85c0329aa068dc01a1a3c749017bf Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	9 months ago
Irbe Krumina	196ae1cd74	cmd/k8s-operator,k8s-operator: allow optionally using LE staging endpoint for Ingress (#15360) ... cmd/k8s-operator,k8s-operator: allow using LE staging endpoint for Ingress Allow to optionally use LetsEncrypt staging endpoint to issue certs for Ingress/HA Ingress, so that it is easier to experiment with initial Ingress setup without hiting rate limits. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Brad Fitzpatrick	984cd1cab0	cmd/tailscale: add CLI debug command to do raw LocalAPI requests ... This adds a portable way to do a raw LocalAPI request without worrying about the Unix-vs-macOS-vs-Windows ways of hitting the LocalAPI server. (It was already possible but tedious with 'tailscale debug local-creds') Updates tailscale/corp#24690 Change-Id: I0828ca55edaedf0565c8db192c10f24bebb95f1b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Tom Proctor	8d84720edb	cmd/k8s-operator: update ProxyGroup config Secrets instead of patch (#15353) ... There was a flaky failure case where renaming a TLS hostname for an ingress might leave the old hostname dangling in tailscaled config. This happened when the proxygroup reconciler loop had an outdated resource version of the config Secret in its cache after the ingress-pg-reconciler loop had very recently written it to delete the old hostname. As the proxygroup reconciler then did a patch, there was no conflict and it reinstated the old hostname. This commit updates the patch to an update operation so that if the resource version is out of date it will fail with an optimistic lock error. It also checks for equality to reduce the likelihood that we make the update API call in the first place, because most of the time the proxygroup reconciler is not even making an update to the Secret in the case that the hostname has changed. Updates tailscale/corp#24795 Change-Id: Ie23a97440063976c9a8475d24ab18253e1f89050 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	9 months ago
Irbe Krumina	f50d3b22db	cmd/k8s-operator: configure proxies for HA Ingress to run in cert share mode (#15308) ... cmd/k8s-operator: configure HA Ingress replicas to share certs Creates TLS certs Secret and RBAC that allows HA Ingress replicas to read/write to the Secret. Configures HA Ingress replicas to run in read-only mode. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Tom Proctor	b0095a5da4	cmd/k8s-operator: wait for VIPService before updating HA Ingress status (#15343) ... Update the HA Ingress controller to wait until it sees AdvertisedServices config propagated into at least 1 Pod's prefs before it updates the status on the Ingress, to ensure the ProxyGroup Pods are ready to serve traffic before indicating that the Ingress is ready Updates tailscale/corp#24795 Change-Id: I1b8ce23c9e312d08f9d02e48d70bdebd9e1a4757 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	9 months ago
David Anderson	daa5635ba6	tsweb: split promvarz into an optional dependency ... Allows the use of tsweb without pulling in all of the heavy prometheus client libraries, protobuf and so on. Updates #15160 Signed-off-by: David Anderson <dave@tailscale.com>	9 months ago
Irbe Krumina	34734ba635	ipn/store/kubestore,kube,envknob,cmd/tailscaled/depaware.txt: allow kubestore read/write custom TLS secrets (#15307) ... This PR adds some custom logic for reading and writing kube store values that are TLS certs and keys: 1) when store is initialized, lookup additional TLS Secrets for this node and if found, load TLS certs from there 2) if the node runs in certs 'read only' mode and TLS cert and key are not found in the in-memory store, look those up in a Secret 3) if the node runs in certs 'read only' mode, run a daily TLS certs reload to memory to get any renewed certs Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Tom Proctor	ef1e14250c	cmd/k8s-operator: ensure old VIPServices are cleaned up (#15344) ... When the Ingress is updated to a new hostname, the controller does not currently clean up the old VIPService from control. Fix this up to parse the ownership comment correctly and write a test to enforce the improved behaviour Updates tailscale/corp#24795 Change-Id: I792ae7684807d254bf2d3cc7aa54aa04a582d1f5 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	9 months ago
Anton Tolchanov	b413b70ae2	cmd/proxy-to-grafana: support setting Grafana role via grants ... This adds support for using ACL Grants to configure a role for the auto-provisioned user. Fixes tailscale/corp#14567 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	9 months ago
Irbe Krumina	299c5372bd	cmd/containerboot: manage HA Ingress TLS certs from containerboot (#15303) ... cmd/containerboot: manage HA Ingress TLS certs from containerboot When ran as HA Ingress node, containerboot now can determine whether it should manage TLS certs for the HA Ingress replicas and call the LocalAPI cert endpoint to ensure initial issuance and renewal of the shared TLS certs. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Paul Scott	eb680edbce	cmd/testwrapper: print failed tests preventing retry (#15270) ... Updates tailscale/corp#26637 Signed-off-by: Paul Scott <paul@tailscale.com>	9 months ago
Jonathan Nobels	52710945f5	control/controlclient, ipn: add client audit logging (#14950) ... updates tailscale/corp#26435 Adds client support for sending audit logs to control via /machine/audit-log. Specifically implements audit logging for user initiated disconnections. This will require further work to optimize the peristant storage and exclusion via build tags for mobile: tailscale/corp#27011 tailscale/corp#27012 Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>	9 months ago
Fran Bull	5ebc135397	tsnet,wgengine: fix src to primary Tailscale IP for TCP dials ... Ensure that the src address for a connection is one of the primary addresses assigned by Tailscale. Not, for example, a virtual IP address. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	9 months ago
Patrick O'Doherty	8f0080c7a4	cmd/tsidp: allow CORS requests to openid-configuration (#15229) ... Add support for Cross-Origin XHR requests to the openid-configuration endpoint to enable clients like Grafana's auto-population of OIDC setup data from its contents. Updates https://github.com/tailscale/tailscale/issues/10263 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	9 months ago
James Tucker	69b27d2fcf	cmd/natc: error and log when IP range is exhausted ... natc itself can't immediately fix the problem, but it can more correctly error that return bad addresses. Updates tailscale/corp#26968 Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
Brad Fitzpatrick	7fac0175c0	cmd/derper, derp/derphttp: support, generate self-signed IP address certs ... For people who can't use LetsEncrypt because it's banned. Per https://github.com/tailscale/tailscale/issues/11776#issuecomment-2520955317 This does two things: 1) if you run derper with --certmode=manual and --hostname=$IP_ADDRESS we previously permitted, but now we also: * auto-generate the self-signed cert for you if it doesn't yet exist on disk * print out the derpmap configuration you need to use that self-signed cert 2) teaches derp/derphttp's derp dialer to verify the signature of self-signed TLS certs, if so declared in the existing DERPNode.CertName field, which previously existed for domain fronting, separating out the dial hostname from how certs are validates, so it's not overloaded much; that's what it was meant for. Fixes #11776 Change-Id: Ie72d12f209416bb7e8325fe0838cd2c66342c5cf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Irbe Krumina	74a2373e1d	cmd/k8s-operator: ensure HA Ingress can operate in multicluster mode. (#15157) ... cmd/k8s-operator: ensure HA Ingress can operate in multicluster mode. Update the owner reference mechanism so that: - if during HA Ingress resource creation, a VIPService with some other operator's owner reference is already found, just update the owner references to add one for this operator - if during HA Ingress deletion, the VIPService is found to have owner reference(s) from another operator, don't delete the VIPService, just remove this operator's owner reference - requeue after HA Ingress reconciles that resulted in VIPService updates, to guard against overwrites due to concurrent operations from different clusters. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Patrick O'Doherty	9d7f2719bb	cmd/tsidp: use constant time comparison for client_id/secret (#15222) ... Use secure constant time comparisons for the client ID and secret values during the allowRelyingParty authorization check. Updates #cleanup Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	9 months ago
Tom Proctor	ffb0b66d5b	cmd/k8s-operator: advertise VIPServices in ProxyGroup config (#14946) ... Now that packets flow for VIPServices, the last piece needed to start serving them from a ProxyGroup is config to tell the proxy Pods which services they should advertise. Updates tailscale/corp#24795 Change-Id: Ic7bbeac8e93c9503558107bc5f6123be02a84c77 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	9 months ago
Sam Linville	27e0575f76	cmd/tsidp: add README and Dockerfile (#15205)	9 months ago
Brad Fitzpatrick	cae5b97626	cmd/derper: add --home flag to control home page behavior ... Updates #12897 Change-Id: I7e9c8de0d2daf92cc32e9f6121bc0874c6672540 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
James Sanderson	fa374fa852	cmd/testwrapper: Display package-level output ... Updates tailscale/corp#26861 Signed-off-by: James Sanderson <jsanderson@tailscale.com>	9 months ago
Brian Palmer	e74a705c67	cmd/hello: display native ipv4 (#15191) ... We are soon going to start assigning shared-in nodes a CGNAT IPv4 in the Hello tailnet when necessary, the same way that normal node shares assign a new IPv4 on conflict. But Hello wants to display the node's native IPv4, the one it uses in its own tailnet. That IPv4 isn't available anywhere in the netmap today, because it's not normally needed for anything. We are going to start sending that native IPv4 in the peer node CapMap, only for Hello's netmap responses. This change enables Hello to display that native IPv4 instead, when available. Updates tailscale/corp#25393 Change-Id: I87480b6d318ab028b41ef149eb3ba618bd7f1e08 Signed-off-by: Brian Palmer <brianp@tailscale.com>	9 months ago
Irbe Krumina	6df0aa58bb	cmd/containerboot: fix nil pointer exception (#15090) ... Updates tailscale/tailscale#15081 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Brad Fitzpatrick	83c104652d	cmd/derper: add --socket flag to change unix socket path to tailscaled ... Fixes #10359 Change-Id: Ide49941c486d29856841016686827316878c9433 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Paul Scott	d1b0e1af06	cmd/testwrapper/flakytest: add Marked to check if in flakytest (#15119) ... Updates tailscale/corp#26637 Signed-off-by: Paul Scott <paul@tailscale.com>	9 months ago
Brad Fitzpatrick	836c01258d	go.toolchain.branch: update to Go 1.24 (#15016) ... * go.toolchain.branch: update to Go 1.24 Updates #15015 Change-Id: I29c934ec17e60c3ac3264f30fbbe68fc21422f4d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> * cmd/testwrapper: fix for go1.24 Updates #15015 Signed-off-by: Paul Scott <paul@tailscale.com> * go.mod,Dockerfile: bump to Go 1.24 Also bump golangci-lint to a version that was built with 1.24 Updates #15015 Signed-off-by: Andrew Lytvynov <awly@tailscale.com> --------- Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Paul Scott <paul@tailscale.com> Signed-off-by: Andrew Lytvynov <awly@tailscale.com> Co-authored-by: Paul Scott <paul@tailscale.com> Co-authored-by: Andrew Lytvynov <awly@tailscale.com>	10 months ago
Andrew Lytvynov	323747c3e0	various: disable MPTCP when setting TCP_USER_TIMEOUT sockopt (#15063) ... There's nothing about it on https://github.com/multipath-tcp/mptcp_net-next/issues/ but empirically MPTCP doesn't support this option on awly's kernel 6.13.2 and in GitHub actions. Updates #15015 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	10 months ago
Percy Wegmann	1f1a26776b	client/tailscale,cmd/k8s-operator,internal/client/tailscale: move VIP service client methods into internal control client ... Updates tailscale/corp#22748 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Percy Wegmann	9c731b848b	cmd/gitops-pusher: log error details when unable to fetch ACL ETag ... This will help debug unexpected issues encountered by consumers of the gitops-pusher. Updates tailscale/corp#26664 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Percy Wegmann	4f0222388a	cmd,tsnet,internal/client: create internal shim to deprecated control plane API ... Even after we remove the deprecated API, we will want to maintain a minimal API for internal use, in order to avoid importing the external tailscale.com/client/tailscale/v2 package. This shim exposes only the necessary parts of the deprecated API for internal use, which gains us the following: 1. It removes deprecation warnings for internal use of the API. 2. It gives us an inventory of which parts we will want to keep for internal use. Updates tailscale/corp#22748 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Brad Fitzpatrick	cbf3852b5d	cmd/testwrapper: temporarily remove test coverage support ... testwrapper doesn't work with Go 1.24 and the coverage support is making it harder to debug. Updates #15015 Updates tailscale/corp#26659 Change-Id: I0125e881d08c92f1ecef88b57344f6bbb571b569 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Nick Khyl	6df5c8f32e	various: keep tailscale connected when Always On mode is enabled on Windows ... In this PR, we enable the registration of LocalBackend extensions to exclude code specific to certain platforms or environments. We then introduce desktopSessionsExt, which is included only in Windows builds and only if the ts_omit_desktop_sessions tag is disabled for the build. This extension tracks desktop sessions and switches to (or remains on) the appropriate profile when a user signs in or out, locks their screen, or disconnects a remote session. As desktopSessionsExt requires an ipn/desktop.SessionManager, we register it with tsd.System for the tailscaled subprocess on Windows. We also fix a bug in the sessionWatcher implementation where it attempts to close a nil channel on stop. Updates #14823 Updates tailscale/corp#26247 Signed-off-by: Nick Khyl <nickk@tailscale.com>	10 months ago
Irbe Krumina	e11ff28443	cmd/k8s-operator: allow to optionally configure an HTTP endpoint for the HA Ingress (#14986) ... Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
kari-ts	4c3c04a413	ipn, tailscale/cli: add TaildropTargetStatus and remove race with FileTargets (#15017) ... Introduce new TaildropTargetStatus in PeerStatus Refactor getTargetStableID to solely rely on Status() instead of calling FileTargets(). This removes a possible race condition between the two calls and provides more detailed failure information if a peer can't receive files. Updates tailscale/tailscale#14393 Signed-off-by: kari-ts <kari@tailscale.com>	10 months ago
James Tucker	f2f7fd12eb	go.mod: bump bart ... Bart has had some substantial improvements in internal representation, update functions, and other optimizations to reduce memory usage and improve runtime performance. Updates tailscale/corp#26353 Signed-off-by: James Tucker <james@tailscale.com>	10 months ago
Anton	f35c49d211	net/dns: update to illarion/gonotify/v3 to fix a panic ... Fixes #14699 Signed-off-by: Anton <anton@tailscale.com>	10 months ago
Brad Fitzpatrick	27f8e2e31d	go.mod: bump x/* deps ... Notably, this pulls in https://go.googlesource.com/net/+/2dab271ff1b7396498746703d88fefcddcc5cec7 for golang/go#71557. Updates #8043 Change-Id: I3637dbf27b90423dd4d54d147f12688b51f3ce36 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
James Tucker	e1523fe686	cmd/natc: remove speculative tuning from natc ... These tunings reduced memory usage while the implementation was struggling with earlier bugs, but will no longer be necessary after those bugs are addressed. Depends #14933 Depends #14934 Updates #9707 Updates #10408 Updates tailscale/corp#24483 Updates tailscale/corp#25169 Signed-off-by: James Tucker <james@tailscale.com>	10 months ago
James Tucker	e113b106a6	go.mod,wgengine/netstack: use cubic congestion control, bump gvisor ... Cubic performs better than Reno in higher BDP scenarios, and enables the use of the hystart++ implementation contributed by Coder. This improves throughput on higher BDP links with a much faster ramp. gVisor is bumped as well for some fixes related to send queue processing and RTT tracking. Updates #9707 Updates #10408 Updates #12393 Updates tailscale/corp#24483 Updates tailscale/corp#25169 Signed-off-by: James Tucker <james@tailscale.com>	10 months ago
Sandro Jäckel	08a96a86af	cmd/tailscale: make ssh command work when tailscaled is built with the ts_include_cli tag ... Fixes #12125 Signed-off-by: Sandro Jäckel <sandro.jaeckel@gmail.com>	10 months ago
Mike O'Driscoll	d08f830d50	cmd/derper: support no mesh key (#14931) ... Incorrect disabled support for not having a mesh key in d5316a4fbb Allow for no mesh key to be set. Fixes #14928 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	10 months ago
Mike O'Driscoll	9a9ce12a3e	cmd/derper: close setec after use (#14929) ... Since dynamic reload of setec is not supported in derper at this time, close the server after the secret is loaded. Updates tailscale/corp#25756 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	10 months ago
Brad Fitzpatrick	05ac21ebe4	all: use new LocalAPI client package location ... It was moved in f57fa3cbc3. Updates tailscale/corp#22748 Change-Id: I19f965e6bded1d4c919310aa5b864f2de0cd6220 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Percy Wegmann	f57fa3cbc3	client,localclient: move localclient.go to client/local package ... Updates tailscale/corp#22748 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Mike O'Driscoll	e6e00012b2	cmd/derper: remove logging of mesh key (#14915) ... A previous PR accidentally logged the key as part of an error. Remove logging of the key. Add log print for Setec store steup. Updates tailscale/corp#25756 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	10 months ago
Mike O'Driscoll	d5316a4fbb	cmd/derper: add setec secret support (#14890) ... Add setec secret support for derper. Support dev mode via env var, and setec via secrets URL. For backwards compatibility use setec load from file also. Updates tailscale/corp#25756 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	10 months ago
Irbe Krumina	5ef934b62d	cmd/k8s-operator: reinstate HA Ingress reconciler (#14887) ... This change: - reinstates the HA Ingress controller that was disabled for 1.80 release - fixes the API calls to manage VIPServices as the API was changed - triggers the HA Ingress reconciler on ProxyGroup changes Updates tailscale/tailscale#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
Adrian Dewhurst	600f25dac9	tailcfg: add JSON unmarshal helper for view of node/peer capabilities ... Many places that need to work with node/peer capabilities end up with a something-View and need to either reimplement the helper code or make an expensive copy. We have the machinery to easily handle this now. Updates #cleanup Change-Id: Ic3f55be329f0fc6c178de26b34359d0e8c6ca5fc Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	10 months ago
Nick Khyl	17ca2b7721	cmd/tailscale/cli: update tailscale down to accept an optional --reason ... If specified, the reason is sent via the LocalAPI for auditing purposes. Updates tailscale/corp#26146 Signed-off-by: Nick Khyl <nickk@tailscale.com>	10 months ago
Percy Wegmann	2e95313b8b	ssh,tempfork/gliderlabs/ssh: replace github.com/tailscale/golang-x-crypto/ssh with golang.org/x/crypto/ssh ... The upstream crypto package now supports sending banners at any time during authentication, so the Tailscale fork of crypto/ssh is no longer necessary. github.com/tailscale/golang-x-crypto is still needed for some custom ACME autocert functionality. tempfork/gliderlabs is still necessary because of a few other customizations, mostly related to TTY handling. Originally implemented in 46fd4e58a2, which was reverted in b60f6b849a to keep the change out of v1.80. Updates #8593 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Andrea Gottardo	8ee72cd33c	cli/funnel: fix comment typo (#14840) ... Updates #cleanup Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	10 months ago
Tom Proctor	138a83efe1	cmd/containerboot: wait for consistent state on shutdown (#14263) ... tailscaled's ipn package writes a collection of keys to state after authenticating to control, but one at a time. If containerboot happens to send a SIGTERM signal to tailscaled in the middle of writing those keys, it may shut down with an inconsistent state Secret and never recover. While we can't durably fix this with our current single-use auth keys (no atomic operation to auth + write state), we can reduce the window for this race condition by checking for partial state before sending SIGTERM to tailscaled. Best effort only. Updates #14080 Change-Id: I0532d51b6f0b7d391e538468bd6a0a80dbe1d9f7 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	10 months ago
Irbe Krumina	a49af98b31	cmd/k8s-operator: temporarily disable HA Ingress controller (#14833) ... The HA Ingress functionality is not actually doing anything valuable yet, so don't run the controller in 1.80 release yet. Updates tailscale/tailscale#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
Irbe Krumina	3f39211f98	cmd/k8s-operator: check that cluster traffic is routed to egress ProxyGroup Pod before marking it as ready (#14792) ... This change builds on top of #14436 to ensure minimum downtime during egress ProxyGroup update rollouts: - adds a readiness gate for ProxyGroup replicas that prevents kubelet from marking the replica Pod as ready before a corresponding readiness condition has been added to the Pod - adds a reconciler that reconciles egress ProxyGroup Pods and, for each that is not ready, if cluster traffic for relevant egress endpoints is routed via this Pod- if so add the readiness condition to allow kubelet to mark the Pod as ready. During the sequenced StatefulSet update rollouts kubelet does not restart a Pod before the previous replica has been updated and marked as ready, so ensuring that a replica is not marked as ready allows to avoid a temporary post-update situation where all replicas have been restarted, but none of the new ones are yet set up as an endpoint for the egress service, so cluster traffic is dropped. Updates tailscale/tailscale#14326 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
Percy Wegmann	b60f6b849a	Revert "ssh,tempfork/gliderlabs/ssh: replace github.com/tailscale/golang-x-crypto/ssh with golang.org/x/crypto/ssh" ... This reverts commit 46fd4e58a2. We don't want to include this in 1.80 yet, but can add it back post 1.80. Updates #8593 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Irbe Krumina	52f88f782a	cmd/k8s-operator: don't set deprecated configfile hash on new proxies (#14817) ... Fixes the configfile reload logic- if the tailscale capver can not yet be determined because the device info is not yet written to the state Secret, don't assume that the proxy is pre-110. Updates tailscale/tailscale#13032 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
Irbe Krumina	b406f209c3	cmd/{k8s-operator,containerboot},kube: ensure egress ProxyGroup proxies don't terminate while cluster traffic is still routed to them (#14436) ... cmd/{containerboot,k8s-operator},kube: add preshutdown hook for egress PG proxies This change is part of work towards minimizing downtime during update rollouts of egress ProxyGroup replicas. This change: - updates the containerboot health check logic to return Pod IP in headers, if set - always runs the health check for egress PG proxies - updates ClusterIP Services created for PG egress endpoints to include the health check endpoint - implements preshutdown endpoint in proxies. The preshutdown endpoint logic waits till, for all currently configured egress services, the ClusterIP Service health check endpoint is no longer returned by the shutting-down Pod (by looking at the new Pod IP header). - ensures that kubelet is configured to call the preshutdown endpoint This reduces the possibility that, as replicas are terminated during an update, a replica gets terminated to which cluster traffic is still being routed via the ClusterIP Service because kube proxy has not yet updated routig rules. This is not a perfect check as in practice, it only checks that the kube proxy on the node on which the proxy runs has updated rules. However, overall this might be good enough. The preshutdown logic is disabled if users have configured a custom health check port via TS_LOCAL_ADDR_PORT env var. This change throws a warnign if so and in future setting of that env var for operator proxies might be disallowed (as users shouldn't need to configure this for a Pod directly). This is backwards compatible with earlier proxy versions. Updates tailscale/tailscale#14326 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
Percy Wegmann	46fd4e58a2	ssh,tempfork/gliderlabs/ssh: replace github.com/tailscale/golang-x-crypto/ssh with golang.org/x/crypto/ssh ... The upstream crypto package now supports sending banners at any time during authentication, so the Tailscale fork of crypto/ssh is no longer necessary. github.com/tailscale/golang-x-crypto is still needed for some custom ACME autocert functionality. tempfork/gliderlabs is still necessary because of a few other customizations, mostly related to TTY handling. Updates #8593 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
yejingchen	6f10fe8ab1	cmd/tailscale: add warning to help text of `--force-reauth` (#14778) ... The warning text is adapted from https://tailscale.com/kb/1028/key-expiry#renewing-keys-for-an-expired-device . There is already https://github.com/tailscale/tailscale/pull/7575 which presents a warning when connected over Tailscale, however the detection is done by checking SSH environment variables, which are absent within systemd's run0*. That means `--force-reauth` will happily bring down Tailscale connection, leaving the user in despair. Changing only the help text is by no means a complete solution, but hopefully it will stop users from blindly trying it out, and motivate them to search for a proper solution. *: https://www.freedesktop.org/software/systemd/man/devel/run0.html Updates #3849 Signed-off-by: yejingchen <ye.jingchen@gmail.com>	10 months ago
Brad Fitzpatrick	2691b9f6be	tempfork/acme: add new package for x/crypto package acme fork, move ... We've been maintaining temporary dev forks of golang.org/x/crypto/{acme,ssh} in https://github.com/tailscale/golang-x-crypto instead of using this repo's tempfork directory as we do with other packages. The reason we were doing that was because x/crypto/ssh depended on x/crypto/ssh/internal/poly1305 and I hadn't noticed there are forwarding wrappers already available in x/crypto/poly1305. It also depended internal/bcrypt_pbkdf but we don't use that so it's easy to just delete that calling code in our tempfork/ssh. Now that our SSH changes have been upstreamed, we can soon unfork from SSH. That leaves ACME remaining. This change copies our tailscale/golang-x-crypto/acme code to tempfork/acme but adds a test that our vendored copied still matches our tailscale/golang-x-crypto repo, where we can continue to do development work and rebases with upstream. A comment on the new test describes the expected workflow. While we could continue to just import & use tailscale/golang-x-crypto/acme, it seems a bit nicer to not have that entire-fork-of-x-crypto visible at all in our transitive deps and the questions that invites. Showing just a fork of an ACME client is much less scary. It does add a step to the process of hacking on the ACME client code, but we do that approximately never anyway, and the extra step is very incremental compared to the existing tedious steps. Updates #8593 Updates #10238 Change-Id: I8af4378c04c1f82e63d31bf4d16dba9f510f9199 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	bce05ec6c3	control/controlclient,tempfork/httprec: don't link httptest, test certs for c2n ... The c2n handling code was using the Go httptest package's ResponseRecorder code but that's in a test package which brings in Go's test certs, etc. This forks the httptest recorder type into its own package that only has the recorder and adds a test that we don't re-introduce a dependency on httptest. Updates #12614 Change-Id: I3546f49972981e21813ece9064cc2be0b74f4b16 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	8c925899e1	go.mod: bump depaware, add --internal flag to stop hiding internal packages ... The hiding of internal packages has hidden things I wanted to see a few times now. Stop hiding them. This makes depaware.txt output a bit longer, but not too much. Plus we only really look at it with diffs & greps anyway; it's not like anybody reads the whole thing. Updates #12614 Change-Id: I868c89eeeddcaaab63e82371651003629bc9bda8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	68a66ee81b	feature/capture: move packet capture to feature/*, out of iOS + CLI ... We had the debug packet capture code + Lua dissector in the CLI + the iOS app. Now we don't, with tests to lock it in. As a bonus, tailscale.com/net/packet and tailscale.com/net/flowtrack no longer appear in the CLI's binary either. A new build tag ts_omit_capture disables the packet capture code and was added to build_dist.sh's --extra-small mode. Updates #12614 Change-Id: I79b0628c0d59911bd4d510c732284d97b0160f10 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
James Tucker	82e41ddc42	cmd/natc: expose netstack metrics in client metrics in natc ... Updates tailscale/corp#25169 Signed-off-by: James Tucker <james@tailscale.com>	10 months ago
James Tucker	ca39c4e150	cmd/natc,wgengine/netstack: tune buffer size and segment lifetime in natc ... Some natc instances have been observed with excessive memory growth, dominant in gvisor buffers. It is likely that the connection buffers are sticking around for too long due to the default long segment time, and uptuned buffer size applied by default in wgengine/netstack. Apply configurations in natc specifically which are a better match for the natc use case, most notably a 5s maximum segment lifetime. Updates tailscale/corp#25169 Signed-off-by: James Tucker <james@tailscale.com>	10 months ago
Percy Wegmann	450bc9a6b8	cmd/derper,derp: make TCP write timeout configurable ... The timeout still defaults to 2 seconds, but can now be changed via command-line flag. Updates tailscale/corp#26045 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Brad Fitzpatrick	61bea75092	cmd/tailscale: fix, test some recent doc inconsistencies ... 3dabea0fc2 added some docs with inconsistent usage docs. This fixes them, and adds a test. It also adds some other tests and fixes other verb tense inconsistencies. Updates tailscale/corp#25278 Change-Id: I94c2a8940791bddd7c35c1c3d5fb791a317370c2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Nick Khyl	f0db47338e	cmd/tailscaled,util/syspolicy/source,util/winutil/gp: disallow acquiring the GP lock during service startup ... In v1.78, we started acquiring the GP lock when reading policy settings. This led to a deadlock during Tailscale installation via Group Policy Software Installation because the GP engine holds the write lock for the duration of policy processing, which in turn waits for the installation to complete, which in turn waits for the service to enter the running state. In this PR, we prevent the acquisition of GP locks (aka EnterCriticalPolicySection) during service startup and update the Windows Registry-based util/syspolicy/source.PlatformPolicyStore to handle this failure gracefully. The GP lock is somewhat optional; it’s safe to read policy settings without it, but acquiring the lock is recommended when reading multiple values to prevent the Group Policy engine from modifying settings mid-read and to avoid inconsistent results. Fixes #14416 Signed-off-by: Nick Khyl <nickk@tailscale.com>	10 months ago
Brad Fitzpatrick	d6abbc2e61	net/tstun: move TAP support out to separate package feature/tap ... Still behind the same ts_omit_tap build tag. See #14738 for background on the pattern. Updates #12614 Change-Id: I03fb3d2bf137111e727415bd8e713d8568156ecc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Tom Proctor	3033a96b02	cmd/k8s-operator: fix reconciler name clash (#14712) ... The new ProxyGroup-based Ingress reconciler is causing a fatal log at startup because it has the same name as the existing Ingress reconciler. Explicitly name both to ensure they have unique names that are consistent with other explicitly named reconcilers. Updates #14583 Change-Id: Ie76e3eaf3a96b1cec3d3615ea254a847447372ea Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	10 months ago
Brad Fitzpatrick	1562a6f2f2	feature/*: make Wake-on-LAN conditional, start supporting modular features ... This pulls out the Wake-on-LAN (WoL) code out into its own package (feature/wakeonlan) that registers itself with various new hooks around tailscaled. Then a new build tag (ts_omit_wakeonlan) causes the package to not even be linked in the binary. Ohter new packages include: * feature: to just record which features are loaded. Future: dependencies between features. * feature/condregister: the package with all the build tags that tailscaled, tsnet, and the Tailscale Xcode project extension can empty (underscore) import to load features as a function of the defined build tags. Future commits will move of our "ts_omit_foo" build tags into this style. Updates #12614 Change-Id: I9c5378dafb1113b62b816aabef02714db3fc9c4a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Andrea Gottardo	3dabea0fc2	cmd/tailscale: define CLI tools to manipulate macOS network and system extensions (#14727) ... Updates tailscale/corp#25278 Adds definitions for new CLI commands getting added in v1.80. Refactors some pre-existing CLI commands within the `configure` tree to clean up code. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	11 months ago
Adrian Dewhurst	0fa7b4a236	tailcfg: add ServiceName ... Rather than using a string everywhere and needing to clarify that the string should have the svc: prefix, create a separate type for Service names. Updates tailscale/corp#24607 Change-Id: I720e022f61a7221644bb60955b72cacf42f59960 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	11 months ago
Brad Fitzpatrick	8b65598614	util/slicesx: add AppendNonzero ... By request of @agottardo. Updates #cleanup Change-Id: I2f02314eb9533b1581e47b66b45b6fb8ac257bb7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	150cd30b1d	ipn/ipnlocal: also use LetsEncrypt-baked-in roots for cert validation ... We previously baked in the LetsEncrypt x509 root CA for our tlsdial package. This moves that out into a new "bakedroots" package and is now also shared by ipn/ipnlocal's cert validation code (validCertPEM) that decides whether it's time to fetch a new cert. Otherwise, a machine without LetsEncrypt roots locally in its system roots is unable to use tailscale cert/serve and fetch certs. Fixes #14690 Change-Id: Ic88b3bdaabe25d56b9ff07ada56a27e3f11d7159 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	e12b2a7267	cmd/tailscale/cli: clean up how optional commands get registered ... Both @agottardo and I tripped over this today. Updates #cleanup Change-Id: I64380a03bfc952b9887b1512dbcadf26499ff1cd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
dependabot[bot]	bcc262269f	build(deps): bump braces from 3.0.2 to 3.0.3 in /cmd/tsconnect (#12468) ... Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3. - [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md) - [Commits](https://github.com/micromatch/braces/compare/3.0.2...3.0.3) --- updated-dependencies: - dependency-name: braces dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	11 months ago
Irbe Krumina	817ba1c300	cmd/{k8s-operator,containerboot},kube/kubetypes: parse Ingresses for ingress ProxyGroup (#14583) ... cmd/k8s-operator: add logic to parse L7 Ingresses in HA mode - Wrap the Tailscale API client used by the Kubernetes Operator into a client that knows how to manage VIPServices. - Create/Delete VIPServices and update serve config for L7 Ingresses for ProxyGroup. - Ensure that ingress ProxyGroup proxies mount serve config from a shared ConfigMap. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	11 months ago
dependabot[bot]	70c7b0d77f	build(deps): bump nanoid from 3.3.4 to 3.3.8 in /cmd/tsconnect (#14352) ... Bumps [nanoid](https://github.com/ai/nanoid) from 3.3.4 to 3.3.8. - [Release notes](https://github.com/ai/nanoid/releases) - [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md) - [Commits](https://github.com/ai/nanoid/compare/3.3.4...3.3.8) --- updated-dependencies: - dependency-name: nanoid dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	11 months ago
Irbe Krumina	97a44d6453	go.{mod,sum},cmd/{k8s-operator,derper,stund}/depaware.txt: bump kube deps (#14601) ... Updates kube deps and mkctr, regenerates kube yamls with the updated tooling. Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	11 months ago
Tom Proctor	2d1f6f18cc	cmd/k8s-operator: require namespace config (#14648) ... Most users should not run into this because it's set in the helm chart and the deploy manifest, but if namespace is not set we get confusing authz errors because the kube client tries to fetch some namespaced resources as though they're cluster-scoped and reports permission denied. Try to detect namespace from the default projected volume, and otherwise fatal. Fixes #cleanup Change-Id: I64b34191e440b61204b9ad30bbfa117abbbe09c3 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	11 months ago
Brad Fitzpatrick	d8b00e39ef	cmd/tailscaled: add some more depchecker dep tests ... As we look to add github.com/prometheus/client_golang/prometheus to more parts of the codebase, lock in that we don't use it in tailscaled, primarily for binary size reasons. Updates #12614 Change-Id: I03c100d12a05019a22bdc23ce5c4df63d5a03ec6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Aaron Klotz	fcf90260ce	atomicfile: use ReplaceFile on Windows so that attributes and ACLs are preserved ... I moved the actual rename into separate, GOOS-specific files. On non-Windows, we do a simple os.Rename. On Windows, we first try ReplaceFile with a fallback to os.Rename if the target file does not exist. ReplaceFile is the recommended way to rename the file in this use case, as it preserves attributes and ACLs set on the target file. Updates #14428 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	11 months ago
Percy Wegmann	db05e83efc	cmd/derper: support explicit configuration of mesh dial hosts ... The --mesh-with flag now supports the specification of hostname tuples like derp1a.tailscale.com/derp1a-vpc.tailscale.com, which instructs derp to mesh with host 'derp1a.tailscale.com' but dial TCP connections to 'derp1a-vpc.tailscale.com'. For backwards compatibility, --mesh-with still supports individual hostnames. The logic which attempts to auto-discover '[host]-vpc.tailscale.com' dial hosts has been removed. Updates tailscale/corp#25653 Signed-off-by: Percy Wegmann <percy@tailscale.com>	11 months ago
Brad Fitzpatrick	cfda1ff709	cmd/viewer,all: consistently use "read-only" instead of "readonly" ... Updates #cleanup Change-Id: I8e4e3497d3d0ec5b16a73aedda500fe5cfa37a67 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	414a01126a	go.mod: bump mdlayher/netlink and u-root/uio to use Go 1.21 NativeEndian ... This finishes the work started in #14616. Updates #8632 Change-Id: I4dc07d45b1e00c3db32217c03b21b8b1ec19e782 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Nick Khyl	da9965d51c	cmd/viewer,types/views,various: avoid allocations in pointer field getters whenever possible ... In this PR, we add a generic views.ValuePointer type that can be used as a view for pointers to basic types and struct types that do not require deep cloning and do not have corresponding view types. Its Get/GetOk methods return stack-allocated shallow copies of the underlying value. We then update the cmd/viewer codegen to produce getters that return either concrete views when available or ValuePointer views when not, for pointer fields in generated view types. This allows us to avoid unnecessary allocations compared to returning pointers to newly allocated shallow copies. Updates #14570 Signed-off-by: Nick Khyl <nickk@tailscale.com>	11 months ago
Anton Tolchanov	e4385f1c02	cmd/tailscale/cli: add --posture-checking to tailscale up ... This will prevent `tailscale up` from resetting the posture checking client pref. Fixes #12154 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	11 months ago
Michael Stapelberg	64ab0ddff1	cmd/tailscale/cli: only exit silently if len(args) == 0 ... This amends commit b7e48058c8. That commit broke all documented ways of starting Tailscale on gokrazy: https://gokrazy.org/packages/tailscale/ — both Option A (tailscale up) and Option B (tailscale up --auth-key) rely on the tailscale CLI working. I verified that the tailscale CLI just prints it help when started without arguments, i.e. it does not stay running and is not restarted. I verified that the tailscale CLI successfully exits when started with tailscale up --auth-key, regardless of whether the node has joined the tailnet yet or not. I verified that the tailscale CLI successfully waits and exits when started with tailscale up, as expected. fixes https://github.com/gokrazy/gokrazy/issues/286 Signed-off-by: Michael Stapelberg <michael@stapelberg.de>	11 months ago
Brad Fitzpatrick	69b90742fe	util/uniq,types/lazy,*: delete code that's now in Go std ... sync.OnceValue and slices.Compact were both added in Go 1.21. cmp.Or was added in Go 1.22. Updates #8632 Updates #11058 Change-Id: I89ba4c404f40188e1f8a9566c8aaa049be377754 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Percy Wegmann	cd795d8a7f	prober: support filtering regions by region ID in addition to code ... Updates tailscale/corp#25758 Signed-off-by: Percy Wegmann <percy@tailscale.com>	11 months ago
Irbe Krumina	77017bae59	cmd/containerboot: load containerboot serve config that does not contain HTTPS endpoint in tailnets with HTTPS disabled (#14538) ... cmd/containerboot: load containerboot serve config that does not contain HTTPS endpoint in tailnets with HTTPS disabled Fixes an issue where, if a tailnet has HTTPS disabled, no serve config set via TS_SERVE_CONFIG was loaded, even if it does not contain an HTTPS endpoint. Now for tailnets with HTTPS disabled serve config provided to containerboot is considered invalid (and therefore not loaded) only if there is an HTTPS endpoint defined in the config. Fixes tailscale/tailscale#14495 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	11 months ago
Irbe Krumina	48a95c422a	cmd/containerboot,cmd/k8s-operator: reload tailscaled config (#14342) ... cmd/{k8s-operator,containerboot}: reload tailscaled configfile when its contents have changed Instead of restarting the Kubernetes Operator proxies each time tailscaled config has changed, this dynamically reloads the configfile using the new reload endpoint. Older annotation based mechanism will be supported till 1.84 to ensure that proxy versions prior to 1.80 keep working with operator 1.80 and newer. Updates tailscale/tailscale#13032 Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	11 months ago
Nahum Shalman	9373a1b902	all: illumos/solaris userspace only support ... Updates #14565 Change-Id: I743148144938794db0a224873ce76c10dbe6fa5f Signed-off-by: Nahum Shalman <nahamu@gmail.com>	11 months ago
Irbe Krumina	68997e0dfa	cmd/k8s-operator,k8s-operator: allow users to set custom labels for the optional ServiceMonitor (#14475) ... * cmd/k8s-operator,k8s-operator: allow users to set custom labels for the optional ServiceMonitor Updates tailscale/tailscale#14381 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	11 months ago
Irbe Krumina	8d4ca13cf8	cmd/k8s-operator,k8s-operator: support ingress ProxyGroup type (#14548) ... Currently this does not yet do anything apart from creating the ProxyGroup resources like StatefulSet. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	11 months ago
Will Norris	60daa2adb8	all: fix golangci-lint errors ... These erroneously blocked a recent PR, which I fixed by simply re-running CI. But we might as well fix them anyway. These are mostly `printf` to `print` and a couple of `!=` to `!Equal()` Updates #cleanup Signed-off-by: Will Norris <will@tailscale.com>	11 months ago
James Tucker	6e45a8304e	cmd/derper: improve logging on derp mesh connect ... Include the mesh log prefix in all mesh connection setup. Updates tailscale/corp#25653 Signed-off-by: James Tucker <james@tailscale.com>	11 months ago
Will Norris	b36984cb16	cmd/systray: add cmd/systray back as a small client/systray wrapper ... Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	11 months ago
Will Norris	82e99fcf84	client/systray: move cmd/systray to client/systray ... Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	11 months ago
Brad Fitzpatrick	5da772c670	cmd/tailscale/cli: fix TestUpdatePrefs on macOS ... It was failing about an unaccepted risk ("mac-app-connector") because it was checking runtime.GOOS ("darwin") instead of the test's env.goos string value ("linux", which doesn't have the warning). Fixes #14544 Change-Id: I470d86a6ad4bb18e1dd99d334538e56556147835 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	1e2e319e7d	util/slicesx: add MapKeys and MapValues from golang.org/x/exp/maps ... Importing the ~deprecated golang.org/x/exp/maps as "xmaps" to not shadow the std "maps" was getting ugly. And using slices.Collect on an iterator is verbose & allocates more. So copy (x)maps.Keys+Values into our slicesx package instead. Updates #cleanup Updates #12912 Updates #14514 (pulled out of that change) Change-Id: I5e68d12729934de93cf4a9cd87c367645f86123a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Will Norris	c43c5ca003	cmd/systray: properly set tooltip on different platforms ... On Linux, systray.SetTitle actually seems to set the tooltip on all desktops I've tested on. But on macOS, it actually does set a title that is always displayed in the systray area next to the icon. This change should properly set the tooltip across platforms. Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	11 months ago
Will Norris	5a4148e7e8	cmd/systray: update state management and initialization ... Move a number of global state vars into the Menu struct, keeping things better encapsulated. The systray package still relies on its own global state, so only a single Menu instance can run at a time. Move a lot of the initialization logic out of onReady, in particular fetching the latest tailscale state. Instead, populate the state before calling systray.Run, which fixes a timing issue in GNOME (#14477). This change also creates a separate bgContext for actions not tied menu item clicks. Because we have to rebuild the entire menu regularly, we cancel that context as needed, which can cancel subsequent updateState calls. Also exit cleanly on SIGINT and SIGTERM. Updates #1708 Fixes #14477 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	11 months ago
Will Norris	86f273d930	cmd/systray: set app icon and title consistently ... Refactor code to set app icon and title as part of rebuild, rather than separately in eventLoop. This fixes several cases where they weren't getting updated properly. This change also makes use of the new exit node icons. Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	11 months ago
Will Norris	2bdbe5b2ab	cmd/systray: add icons for exit node online and offline ... restructure tsLogo to allow setting a mask to be used when drawing the logo dots, as well as add an overlay icon, such as the arrow when connected to an exit node. The icon is still renders as white on black, but this change also prepare for doing a black on white version, as well a fully transparent icon. I don't know if we can consistently determine which to use, so this just keeps the single icon for now. Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	11 months ago
James Tucker	68b12a74ed	metrics,syncs: add ShardedInt support to metrics.LabelMap ... metrics.LabelMap grows slightly more heavy, needing a lock to ensure proper ordering for newly initialized ShardedInt values. An Add method enables callers to use .Add for both expvar.Int and syncs.ShardedInt values, but retains the original behavior of defaulting to initializing expvar.Int values. Updates tailscale/corp#25450 Co-Authored-By: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: James Tucker <james@tailscale.com>	12 months ago
Will Norris	3837b6cebc	cmd/systray: rebuild menu on pref change, assorted other fixes ... - rebuild menu when prefs change outside of systray, such as setting an exit node - refactor onClick handler code - compare lowercase country name, the same as macOS and Windows (now sorts Ukraine before USA) - fix "connected / disconnected" menu items on stopped status - prevent nil pointer on "This Device" menu item Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	12 months ago
Will Norris	10d4057a64	cmd/systray: add visual workarounds for gnome, mac, and windows ... Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	12 months ago
Will Norris	cb59943501	cmd/systray: add exit nodes menu ... This commit builds the exit node menu including the recommended exit node, if available, as well as tailnet and mullvad exit nodes. This does not yet update the menu based on changes in exit node outside of the systray app, which will come later. This also does not include the ability to run as an exit node. Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	12 months ago
Will Norris	256da8dfb5	cmd/systray: remove new menu delay on KDE ... The new menu delay added to fix libdbusmenu systrays causes problems with KDE. Given the state of wildly varying systray implementations, I suspect we may need more desktop-specific hacks, so I'm setting this up to accommodate that. Updates #1708 Updates #14431 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	12 months ago
Tom Proctor	3adad364f1	cmd/k8s-operator,k8s-operator: include top-level CRD descriptions (#14435) ... When reading https://doc.crds.dev/github.com/tailscale/tailscale/tailscale.com/ProxyGroup/v1alpha1@v1.78.3 I noticed there is no top-level description for ProxyGroup and Recorder. Add one to give some high-level direction. Updates #cleanup Change-Id: I3666c5445be272ea5a1d4d02b6d5ad4c23afb09f Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	12 months ago
Will Norris	89adcd853d	cmd/systray: improve profile menu ... Bring UI closer to macOS and windows: - split login and tailnet name over separate lines - render profile picture (with very simple caching) - use checkbox to indicate active profile. I've not found any desktops that can't render checkboxes, so I'd like to explore other options if needed. Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	12 months ago
Will Norris	2d4edd80f1	cmd/systray: add extra padding around notification icon ... Some notification managers crop the application icon to a circle, so ensure we have enough padding to account for that. Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	12 months ago
Percy Wegmann	00a4504cf1	cmd/derpprobe,prober: add ability to perform continuous queuing delay measurements against DERP servers ... This new type of probe sends DERP packets sized similarly to CallMeMaybe packets at a rate of 10 packets per second. It records the round-trip times in a Prometheus histogram. It also keeps track of how many packets are dropped. Packets that fail to arrive within 5 seconds are considered dropped. Updates tailscale/corp#24522 Signed-off-by: Percy Wegmann <percy@tailscale.com>	12 months ago
Andrew Lytvynov	6ae0287a57	cmd/systray: add account switcher ... Updates #1708 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	12 months ago
Joe Tsai	b62a013ecb	Switch logging service from log.tailscale.io to log.tailscale.com (#14398) ... Updates tailscale/corp#23617 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	12 months ago
Irbe Krumina	cc168d9f6b	cmd/k8s-operator: fix ProxyGroup hostname (#14336) ... Updates tailscale/tailscale#14325 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	12 months ago
Percy Wegmann	1ed9bd76d6	prober: perform DERP bandwidth probes over TUN device to mimic real client ... Updates tailscale/corp#24635 Co-authored-by: Mario Minardi <mario@tailscale.com> Signed-off-by: Percy Wegmann <percy@tailscale.com>	12 months ago
James Tucker	aa04f61d5e	net/netcheck: adjust HTTPS latency check to connection time and avoid data race ... The go-httpstat package has a data race when used with connections that are performing happy-eyeballs connection setups as we are in the DERP client. There is a long-stale PR upstream to address this, however revisiting the purpose of this code suggests we don't really need httpstat here. The code populates a latency table that may be used to compare to STUN latency, which is a lightweight RTT check. Switching out the reported timing here to simply the request HTTP request RTT avoids the problematic package. Fixes tailscale/corp#25095 Signed-off-by: James Tucker <james@tailscale.com>	12 months ago
Irbe Krumina	6e552f66a0	cmd/containerboot: don't attempt to patch a Secret field without permissions (#14365) ... Signed-off-by: Irbe Krumina <irbe@tailscale.com>	12 months ago
Tom Proctor	f1ccdcc713	cmd/k8s-operator,k8s-operator: operator integration tests (#12792) ... This is the start of an integration/e2e test suite for the tailscale operator. It currently only tests two major features, ingress proxy and API server proxy, but we intend to expand it to cover more features over time. It also only supports manual runs for now. We intend to integrate it into CI checks in a separate update when we have planned how to securely provide CI with the secrets required for connecting to a test tailnet. Updates #12622 Change-Id: I31e464bb49719348b62a563790f2bc2ba165a11b Co-authored-by: Irbe Krumina <irbe@tailscale.com> Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	12 months ago
Irbe Krumina	fa655e6ed3	cmd/containerboot: add more tests, check that egress service config only set on kube (#14360) ... Updates tailscale/tailscale#14357 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	12 months ago
Irbe Krumina	0cc071f154	cmd/containerboot: don't attempt to write kube Secret in non-kube environments (#14358) ... Updates tailscale/tailscale#14354 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	12 months ago
Bjorn Neergaard	8b1d01161b	cmd/containerboot: guard kubeClient against nil dereference (#14357) ... A method on kc was called unconditionally, even if was not initialized, leading to a nil pointer dereference when TS_SERVE_CONFIG was set outside Kubernetes. Add a guard symmetric with other uses of the kubeClient. Fixes #14354. Signed-off-by: Bjorn Neergaard <bjorn@neersighted.com>	12 months ago
Mike O'Driscoll	c2761162a0	cmd/stunc: enforce read timeout deadline (#14309) ... Make argparsing use flag for adding a new parameter that requires parsing. Enforce a read timeout deadline waiting for response from the stun server provided in the args. Otherwise the program will never exit. Fixes #14267 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	1 year ago
Percy Wegmann	06a82f416f	cmd,{get-authkey,tailscale}: remove unnecessary scope qualifier from OAuth clients ... OAuth clients that were used to generate an auth_key previously specified the scope 'device'. 'device' is not an actual scope, the real scope is 'devices'. The resulting OAuth token ended up including all scopes from the specified OAuth client, so the code was able to successfully create auth_keys. It's better not to hardcode a scope here anyway, so that we have the flexibility of changing which scope(s) are used in the future without having to update old clients. Since the qualifier never actually did anything, this commit simply removes it. Updates tailscale/corp#24934 Signed-off-by: Percy Wegmann <percy@tailscale.com>	1 year ago
Andrew Lytvynov	66aa774167	cmd/gitops-pusher: default previousEtag to controlEtag (#14296) ... If previousEtag is empty, then we assume control ACLs were not modified manually and push the local ACLs. Instead, we defaulted to localEtag which would be different if local ACLs were different from control. AFAIK this was always buggy, but never reported? Fixes #14295 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 year ago
Brad Fitzpatrick	87546a5edf	cmd/derper: allow absent SNI when using manual certs and IP literal for hostname ... Updates #11776 Change-Id: I81756415feb630da093833accc3074903ebd84a7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Tom Proctor	df94a14870	cmd/k8s-operator: don't error for transient failures (#14073) ... Every so often, the ProxyGroup and other controllers lose an optimistic locking race with other controllers that update the objects they create. Stop treating this as an error event, and instead just log an info level log line for it. Fixes #14072 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	1 year ago
James Tucker	7f9ebc0a83	cmd/tailscale,net/netcheck: add debug feature to force preferred DERP ... This provides an interface for a user to force a preferred DERP outcome for all future netchecks that will take precedence unless the forced region is unreachable. The option does not persist and will be lost when the daemon restarts. Updates tailscale/corp#18997 Updates tailscale/corp#24755 Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
Irbe Krumina	2aac916888	cmd/{containerboot,k8s-operator},kube/kubetypes: kube Ingress L7 proxies only advertise HTTPS endpoint when ready (#14171) ... cmd/containerboot,kube/kubetypes,cmd/k8s-operator: detect if Ingress is created in a tailnet that has no HTTPS This attempts to make Kubernetes Operator L7 Ingress setup failures more explicit: - the Ingress resource now only advertises HTTPS endpoint via status.ingress.loadBalancer.hostname when/if the proxy has succesfully loaded serve config - the proxy attempts to catch cases where HTTPS is disabled for the tailnet and logs a warning Updates tailscale/tailscale#12079 Updates tailscale/tailscale#10407 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Irbe Krumina	aa43388363	cmd/k8s-operator: fix a bunch of status equality checks (#14270) ... Updates tailscale/tailscale#14269 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Oliver Rahner	cbf1a4efe9	cmd/k8s-operator/deploy/chart: allow reading OAuth creds from a CSI driver's volume and annotating operator's Service account (#14264) ... cmd/k8s-operator/deploy/chart: allow reading OAuth creds from a CSI driver's volume and annotating operator's Service account Updates #14264 Signed-off-by: Oliver Rahner <o.rahner@dke-data.com>	1 year ago
Tom Proctor	efdfd54797	cmd/k8s-operator: avoid port collision with metrics endpoint (#14185) ... When the operator enables metrics on a proxy, it uses the port 9001, and in the near future it will start using 9002 for the debug endpoint as well. Make sure we don't choose ports from a range that includes 9001 so that we never clash. Setting TS_SOCKS5_SERVER, TS_HEALTHCHECK_ADDR_PORT, TS_OUTBOUND_HTTP_PROXY_LISTEN, and PORT could also open arbitrary ports, so we will need to document that users should not choose ports from the 10000-11000 range for those settings. Updates #13406 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	1 year ago
Irbe Krumina	9f9063e624	cmd/k8s-operator,k8s-operator,go.mod: optionally create ServiceMonitor (#14248) ... * cmd/k8s-operator,k8s-operator,go.mod: optionally create ServiceMonitor Adds a new spec.metrics.serviceMonitor field to ProxyClass. If that's set to true (and metrics are enabled), the operator will create a Prometheus ServiceMonitor for each proxy to which the ProxyClass applies. Additionally, create a metrics Service for each proxy that has metrics enabled. Updates tailscale/tailscale#11292 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Irbe Krumina	eabb424275	cmd/k8s-operator,docs/k8s: run tun mode proxies in privileged containers (#14262) ... We were previously relying on unintended behaviour by runc where all containers where by default given read/write/mknod permissions for tun devices. This behaviour was removed in https://github.com/opencontainers/runc/pull/3468 and released in runc 1.2. Containerd container runtime, used by Docker and majority of Kubernetes distributions bumped runc to 1.2 in 1.7.24 https://github.com/containerd/containerd/releases/tag/v1.7.24 thus breaking our reference tun mode Tailscale Kubernetes manifests and Kubernetes operator proxies. This PR changes the all Kubernetes container configs that run Tailscale in tun mode to privileged. This should not be a breaking change because all these containers would run in a Pod that already has a privileged init container. Updates tailscale/tailscale#14256 Updates tailscale/tailscale#10814 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Tom Proctor	24095e4897	cmd/containerboot: serve health on local endpoint (#14246) ... * cmd/containerboot: serve health on local endpoint We introduced stable (user) metrics in #14035, and `TS_LOCAL_ADDR_PORT` with it. Rather than requiring users to specify a new addr/port combination for each new local endpoint they want the container to serve, this combines the health check endpoint onto the local addr/port used by metrics if `TS_ENABLE_HEALTH_CHECK` is used instead of `TS_HEALTHCHECK_ADDR_PORT`. `TS_LOCAL_ADDR_PORT` now defaults to binding to all interfaces on 9002 so that it works more seamlessly and with less configuration in environments other than Kubernetes, where the operator always overrides the default anyway. In particular, listening on localhost would not be accessible from outside the container, and many scripted container environments do not know the IP address of the container before it's started. Listening on all interfaces allows users to just set one env var (`TS_ENABLE_METRICS` or `TS_ENABLE_HEALTH_CHECK`) to get a fully functioning local endpoint they can query from outside the container. Updates #14035, #12898 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	1 year ago
Brad Fitzpatrick	a68efe2088	cmd/checkmetrics: add command for checking metrics against kb ... This commit adds a command to validate that all the metrics that are registring in the client are also present in a path or url. It is intended to be ran from the KB against the latest version of tailscale. Updates tailscale/corp#24066 Updates tailscale/corp#22075 Co-Authored-By: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	1 year ago
Irbe Krumina	13faa64c14	cmd/k8s-operator: always set stateful filtering to false (#14216) ... Updates tailscale/tailscale#12108 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Irbe Krumina	f8587e321e	cmd/k8s-operator: fix port name change bug for egress ProxyGroup proxies (#14247) ... Ensure that the ExternalName Service port names are always synced to the ClusterIP Service, to fix a bug where if users created a Service with a single unnamed port and later changed to 1+ named ports, the operator attempted to apply an invalid multi-port Service with an unnamed port. Also, fixes a small internal issue where not-yet Service status conditons were lost on a spec update. Updates tailscale/tailscale#10102 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Nick Khyl	a62f7183e4	cmd/tailscale/cli: fix format string ... Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Irbe Krumina	ba3523fc3f	cmd/containerboot: preserve headers of metrics endpoints responses (#14204) ... Updates tailscale/tailscale#11292 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Nick Khyl	7c8f663d70	cmd/tailscaled: log SCM interactions if the policy setting is enabled at the time of interaction ... This updates the syspolicy.LogSCMInteractions check to run at the time of an interaction, just before logging a message, instead of during service startup. This ensures the most recent policy setting is used if it has changed since the service started. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Nick Khyl	50bf32a0ba	cmd/tailscaled: flush DNS if FlushDNSOnSessionUnlock is true upon receiving a session change notification ... In this PR, we move the syspolicy.FlushDNSOnSessionUnlock check from service startup to when a session change notification is received. This ensures that the most recent policy setting value is used if it has changed since the service started. We also plan to handle session change notifications for unrelated reasons and need to decouple notification subscriptions from DNS anyway. Updates #12687 Updates tailscale/corp#18342 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Tom Proctor	74d4652144	cmd/{containerboot,k8s-operator},k8s-operator: new options to expose user metrics (#14035) ... containerboot: Adds 3 new environment variables for containerboot, `TS_LOCAL_ADDR_PORT` (default `"${POD_IP}:9002"`), `TS_METRICS_ENABLED` (default `false`), and `TS_DEBUG_ADDR_PORT` (default `""`), to configure metrics and debug endpoints. In a follow-up PR, the health check endpoint will be updated to use the `TS_LOCAL_ADDR_PORT` if `TS_HEALTHCHECK_ADDR_PORT` hasn't been set. Users previously only had access to internal debug metrics (which are unstable and not recommended) via passing the `--debug` flag to tailscaled, but can now set `TS_METRICS_ENABLED=true` to expose the stable metrics documented at https://tailscale.com/kb/1482/client-metrics at `/metrics` on the addr/port specified by `TS_LOCAL_ADDR_PORT`. Users can also now configure a debug endpoint more directly via the `TS_DEBUG_ADDR_PORT` environment variable. This is not recommended for production use, but exposes an internal set of debug metrics and pprof endpoints. operator: The `ProxyClass` CRD's `.spec.metrics.enable` field now enables serving the stable user metrics documented at https://tailscale.com/kb/1482/client-metrics at `/metrics` on the same "metrics" container port that debug metrics were previously served on. To smooth the transition for anyone relying on the way the operator previously consumed this field, we also _temporarily_ serve tailscaled's internal debug metrics on the same `/debug/metrics` path as before, until 1.82.0 when debug metrics will be turned off by default even if `.spec.metrics.enable` is set. At that point, anyone who wishes to continue using the internal debug metrics (not recommended) will need to set the new `ProxyClass` field `.spec.statefulSet.pod.tailscaleContainer.debug.enable`. Users who wish to opt out of the transitional behaviour, where enabling `.spec.metrics.enable` also enables debug metrics, can set `.spec.statefulSet.pod.tailscaleContainer.debug.enable` to false (recommended). Separately but related, the operator will no longer specify a host port for the "metrics" container port definition. This caused scheduling conflicts when k8s needs to schedule more than one proxy per node, and was not necessary for allowing the pod's port to be exposed to prometheus scrapers. Updates #11292 --------- Co-authored-by: Kristoffer Dalby <kristoffer@tailscale.com> Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	1 year ago
Irbe Krumina	c59ab6baac	cmd/k8s-operator/deploy: ensure that operator can write kube state Events (#14177) ... A small follow-up to #14112- ensures that the operator itself can emit Events for its kube state store changes. Updates tailscale/tailscale#14080 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Andrea Gottardo	e3c6ca43d3	cli: present risk warning when setting up app connector on macOS (#14181)	1 year ago
Andrew Dunham	af4c3a4a1b	cmd/tailscale/cli: create netmon in debug ts2021 ... Otherwise we'll see a panic if we hit the dnsfallback code and try to call NewDialer with a nil NetMon. Updates #14161 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I81c6e72376599b341cb58c37134c2a948b97cf5f	1 year ago
Brad Fitzpatrick	02cafbe1ca	tsweb: change RequestID format to have a date in it ... So we can locate them in logs more easily. Updates tailscale/corp#24721 Change-Id: Ia766c75608050dde7edc99835979a6e9bb328df2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Irbe Krumina	ebeb5da202	cmd/k8s-operator,kube/kubeclient,docs/k8s: update rbac to emit events + small fixes (#14164) ... This is a follow-up to #14112 where our internal kube client was updated to allow it to emit Events - this updates our sample kube manifests and tsrecorder manifest templates so they can benefit from this functionality. Updates tailscale/tailscale#14080 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
James Stocker	303a4a1dfb	Make the deployment of an IngressClass optional, default to true (#14153) ... Fixes tailscale/tailscale#14152 Signed-off-by: James Stocker jamesrstocker@gmail.com Co-authored-by: James Stocker <james.stocker@intenthq.co.uk>	1 year ago
Irbe Krumina	00517c8189	kube/{kubeapi,kubeclient},ipn/store/kubestore,cmd/{containerboot,k8s-operator}: emit kube store Events (#14112) ... Adds functionality to kube client to emit Events. Updates kube store to emit Events when tailscaled state has been loaded, updated or if any errors where encountered during those operations. This should help in cases where an error related to state loading/updating caused the Pod to crash in a loop- unlike logs of the originally failed container instance, Events associated with the Pod will still be accessible even after N restarts. Updates tailscale/tailscale#14080 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Brad Fitzpatrick	93db503565	ipn/ipnlocal: add IPN Bus NotifyRateLimit watch bit NotifyRateLimit ... Limit spamming GUIs with boring updates to once in 3 seconds, unless the notification is relatively interesting and the GUI should update immediately. This is basically @barnstar's #14119 but with the logic moved to be per-watch-session (since the bit is per session), rather than globally. And this distinguishes notable Notify messages (such as state changes) and makes them send immediately. Updates tailscale/corp#24553 Change-Id: I79cac52cce85280ce351e65e76ea11e107b00b49 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Percy Wegmann	1355f622be	cmd/derpprobe,prober: add ability to restrict derpprobe to a single region ... Updates #24522 Co-authored-by: Mario Minardi <mario@tailscale.com> Signed-off-by: Percy Wegmann <percy@tailscale.com>	1 year ago
Brad Fitzpatrick	f593d3c5c0	cmd/tailscale/cli: add "help" alias for --help ... Fixes #14053 Change-Id: I0a13e11af089f02b0656fea0d316543c67591fb5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Irbe Krumina	cf41cec5a8	cmd/{k8s-operator,containerboot},k8s-operator: remove support for proxies below capver 95. (#13986) ... Updates tailscale/tailscale#13984 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Tom Proctor	d8a3683fdf	cmd/k8s-operator: restart ProxyGroup pods less (#14045) ... We currently annotate pods with a hash of the tailscaled config so that we can trigger pod restarts whenever it changes. However, the hash updates more frequently than is necessary causing more restarts than is necessary. This commit removes two causes; scaling up/down and removing the auth key after pods have initially authed to control. However, note that pods will still restart on scale-up/down because of the updated set of volumes mounted into each pod. Hopefully we can fix that in a planned follow-up PR. Updates #13406 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	1 year ago
Brad Fitzpatrick	4e0fc037e6	all: use iterators over slice views more ... This gets close to all of the remaining ones. Updates #12912 Change-Id: I9c672bbed2654a6c5cab31e0cbece6c107d8c6fa Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Irbe Krumina	b9ecc50ce3	cmd/k8s-operator,k8s-operator,kube/kubetypes: add an option to configure app connector via Connector spec (#13950) ... * cmd/k8s-operator,k8s-operator,kube/kubetypes: add an option to configure app connector via Connector spec Updates tailscale/tailscale#11113 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Brad Fitzpatrick	020cacbe70	derp/derphttp: don't link websockets other than on GOOS=js ... Or unless the new "ts_debug_websockets" build tag is set. Updates #1278 Change-Id: Ic4c4f81c1924250efd025b055585faec37a5491d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	c3306bfd15	control/controlhttp/controlhttpserver: split out Accept to its own package ... Otherwise all the clients only using control/controlhttp for the ts2021 HTTP client were also pulling in WebSocket libraries, as the server side always needs to speak websockets, but only GOOS=js clients speak it. This doesn't yet totally remove the websocket dependency on Linux because Linux has a envknob opt-in to act like GOOS=js for manual testing and force the use of WebSockets for DERP only (not control). We can put that behind a build tag in a future change to eliminate the dep on all GOOSes. Updates #1278 Change-Id: I4f60508f4cad52bf8c8943c8851ecee506b7ebc9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	23880eb5b0	cmd/tailscaled: support "ts_omit_ssh" build tag to remove SSH ... Some environments would like to remove Tailscale SSH support for the binary for various reasons when not needed (either for peace of mind, or the ~1MB of binary space savings). Updates tailscale/corp#24454 Updates #1278 Updates #12614 Change-Id: Iadd6c5a393992c254b5dc9aa9a526916f96fd07a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Irbe Krumina	8ba9b558d2	envknob,kube/kubetypes,cmd/k8s-operator: add app type for ProxyGroup (#14029) ... Sets a custom hostinfo app type for ProxyGroup replicas, similarly to how we do it for all other Kubernetes Operator managed components. Updates tailscale/tailscale#13406,tailscale/corp#22920 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Percy Wegmann	8dcbd988f7	cmd/derper: show more information on home page ... - Basic description of DERP If configured to do so, also show - Mailto link to security@tailscale.com - Link to Tailscale Security Policies - Link to Tailscale Acceptable Use Policy Updates tailscale/corp#24092 Signed-off-by: Percy Wegmann <percy@tailscale.com>	1 year ago
Brad Fitzpatrick	01185e436f	types/result, util/lineiter: add package for a result type, use it ... This adds a new generic result type (motivated by golang/go#70084) to try it out, and uses it in the new lineutil package (replacing the old lineread package), changing that package to return iterators: sometimes over []byte (when the input is all in memory), but sometimes iterators over results of []byte, if errors might happen at runtime. Updates #12912 Updates golang/go#70084 Change-Id: Iacdc1070e661b5fb163907b1e8b07ac7d51d3f83 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Irbe Krumina	809a6eba80	cmd/k8s-operator: allow to optionally configure tailscaled port (#14005) ... Updates tailscale/tailscale#13981 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Brad Fitzpatrick	45da3a4b28	cmd/tsconnect: block after starting esbuild dev server ... Thanks to @davidbuzz for raising the issue in #13973. Fixes #8272 Fixes #13973 Change-Id: Ic413e14d34c82df3c70a97e591b90316b0b4946b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	634cc2ba4a	wgengine/netstack: remove unused taildrive deps ... A filesystem was plumbed into netstack in 993acf4475 but hasn't been used since 2d5d6f5403. Remove it. Noticed while rebasing a Tailscale fork elsewhere. Updates tailscale/corp#16827 Change-Id: Ib76deeda205ffe912b77a59b9d22853ebff42813 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Nick Khyl	3f626c0d77	cmd/tailscale/cli, client/tailscale, ipn/localapi: add tailscale syspolicy {list,reload} commands ... In this PR, we add the tailscale syspolicy command with two subcommands: list, which displays policy settings, and reload, which forces a reload of those settings. We also update the LocalAPI and LocalClient to facilitate these additions. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Irbe Krumina	1103044598	cmd/k8s-operator,k8s-operator: add topology spread constraints to ProxyClass (#13959) ... Now when we have HA for egress proxies, it makes sense to support topology spread constraints that would allow users to define more complex topologies of how proxy Pods need to be deployed in relation with other Pods/across regions etc. Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Anton Tolchanov	9545e36007	cmd/tailscale/cli: add 'tailscale metrics' command ... - `tailscale metrics print`: to show metric values in console - `tailscale metrics write`: to write metrics to a file (with a tempfile & rename dance, which is atomic on Unix). Also, remove the `TS_DEBUG_USER_METRICS` envknob as we are getting more confident in these metrics. Updates tailscale/corp#22075 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
Nick Kirby	6ab39b7bcd	cmd/k8s-operator: validate that tailscale.com/tailnet-ip annotation value is a valid IP ... Fixes #13836 Signed-off-by: Nick Kirby <nrkirb@gmail.com>	1 year ago
Nick Khyl	e815ae0ec4	util/syspolicy, ipn/ipnlocal: update syspolicy package to utilize syspolicy/rsop ... In this PR, we update the syspolicy package to utilize syspolicy/rsop under the hood, and remove syspolicy.CachingHandler, syspolicy.windowsHandler and related code which is no longer used. We mark the syspolicy.Handler interface and RegisterHandler/SetHandlerForTest functions as deprecated, but keep them temporarily until they are no longer used in other repos. We also update the package to register setting definitions for all existing policy settings and to register the Registry-based, Windows-specific policy stores when running on Windows. Finally, we update existing internal and external tests to use the new API and add a few more tests and benchmarks. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Paul Scott	212270463b	cmd/testwrapper: add pkg runtime to output (#13894) ... Fixes #13893 Signed-off-by: Paul Scott <paul@tailscale.com>	1 year ago
Andrew Dunham	b2665d9b89	net/netcheck: add a Now field to the netcheck Report ... This allows us to print the time that a netcheck was run, which is useful in debugging. Updates #10972 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Id48d30d4eb6d5208efb2b1526a71d83fe7f9320b	1 year ago
Maisem Ali	d4d21a0bbf	net/tstun: restore tap mode functionality ... It had bit-rotted likely during the transition to vector io in 76389d8baf. Tested on Ubuntu 24.04 by creating a netns and doing the DHCP dance to get an IP. Updates #2589 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Nick Khyl	0f4c9c0ecb	cmd/viewer: import types/views when generating a getter for a map field ... Fixes #13873 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Brad Fitzpatrick	c76a6e5167	derp: track client-advertised non-ideal DERP connections in more places ... In f77821fd63 (released in v1.72.0), we made the client tell a DERP server when the connection was not its ideal choice (the first node in its region). But we didn't do anything with that information until now. This adds a metric about how many such connections are on a given derper, and also adds a bit to the PeerPresentFlags bitmask so watchers can identify (and rebalance) them. Updates tailscale/corp#372 Change-Id: Ief8af448750aa6d598e5939a57c062f4e55962be Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Andrea Gottardo	fd77965f23	net/tlsdial: call out firewalls blocking Tailscale in health warnings (#13840) ... Updates tailscale/tailscale#13839 Adds a new blockblame package which can detect common MITM SSL certificates used by network appliances. We use this in `tlsdial` to display a dedicated health warning when we cannot connect to control, and a network appliance MITM attack is detected. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	1 year ago
Naman Sood	22c89fcb19	cmd/tailscale,ipn,tailcfg: add `tailscale advertise` subcommand behind envknob (#13734) ... Signed-off-by: Naman Sood <mail@nsood.in>	1 year ago
Mario Minardi	d32d742af0	ipn/ipnlocal: error when trying to use exit node on unsupported platform (#13726) ... Adds logic to `checkExitNodePrefsLocked` to return an error when attempting to use exit nodes on a platform where this is not supported. This mirrors logic that was added to error out when trying to use `ssh` on an unsupported platform, and has very similar semantics. Fixes https://github.com/tailscale/tailscale/issues/13724 Signed-off-by: Mario Minardi <mario@tailscale.com>	1 year ago
Christian	74dd24ce71	cmd/tsconnect, logpolicy: fixes for wasm_js.go ... * updates to LocalBackend require metrics to be passed in which are now initialized * os.MkdirTemp isn't supported in wasm/js so we simply return empty string for logger * adds a UDP dialer which was missing and led to the dialer being incompletely initialized Fixes #10454 and #8272 Signed-off-by: Christian <christian@devzero.io>	1 year ago
Andrew Dunham	2aa9125ac4	cmd/derpprobe: add /healthz endpoint ... For a customer that wants to run their own DERP prober, let's add a /healthz endpoint that can be used to monitor derpprobe itself. Updates #6526 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Iba315c999fc0b1a93d8c503c07cc733b4c8d5b6b	1 year ago
Percy Wegmann	f9949cde8b	client/tailscale,cmd/{cli,get-authkey,k8s-operator}: set distinct User-Agents ... This helps better distinguish what is generating activity to the Tailscale public API. Updates tailscale/corp#23838 Signed-off-by: Percy Wegmann <percy@tailscale.com>	1 year ago
Brad Fitzpatrick	1938685d39	clientupdate: don't link distsign on platforms that don't download ... Updates tailscale/corp#20099 Change-Id: Ie3b782379b19d5f7890a8d3a378096b4f3e8a612 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	2531065d10	clientupdate, ipn/localapi: don't use google/uuid, thin iOS deps ... We were using google/uuid in two places and that brought in database/sql/driver. We didn't need it in either place. Updates #13760 Updates tailscale/corp#20099 Change-Id: Ieed32f1bebe35d35f47ec5a2a429268f24f11f1f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Irbe Krumina	89ee6bbdae	cmd/k8s-operator,k8s-operator/apis: set a readiness condition on egress Services for ProxyGroup (#13746) ... cmd/k8s-operator,k8s-operator/apis: set a readiness condition on egress Services Set a readiness condition on ExternalName Services that define a tailnet target to route cluster traffic to via a ProxyGroup's proxies. The condition is set to true if at least one proxy is currently set up to route. Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Irbe Krumina	f6d4d03355	cmd/k8s-operator: don't error out if ProxyClass for ProxyGroup not found. (#13736) ... We don't need to error out and continuously reconcile if ProxyClass has not (yet) been created, once it gets created the ProxyGroup reconciler will get triggered. Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Irbe Krumina	60011e73b8	cmd/k8s-operator: fix Pod IP selection (#13743) ... Ensure that .status.podIPs is used to select Pod's IP in all reconcilers. Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Nick Khyl	da40609abd	util/syspolicy, ipn: add "tailscale debug component-logs" support ... Fixes #13313 Fixes #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Tom Proctor	07c157ee9f	cmd/k8s-operator: base ProxyGroup StatefulSet on common proxy.yaml definition (#13714) ... As discussed in #13684, base the ProxyGroup's proxy definitions on the same scaffolding as the existing proxies, as defined in proxy.yaml Updates #13406 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	1 year ago
Irbe Krumina	861dc3631c	cmd/{k8s-operator,containerboot},kube/egressservices: fix Pod IP check for dual stack clusters (#13721) ... Currently egress Services for ProxyGroup only work for Pods and Services with IPv4 addresses. Ensure that it works on dual stack clusters by reading proxy Pod's IP from the .status.podIPs list that always contains both IPv4 and IPv6 address (if the Pod has them) rather than .status.podIP that could contain IPv6 only for a dual stack cluster. Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Tom Proctor	36cb2e4e5f	cmd/k8s-operator,k8s-operator: use default ProxyClass if set for ProxyGroup (#13720) ... The default ProxyClass can be set via helm chart or env var, and applies to all proxies that do not otherwise have an explicit ProxyClass set. This ensures proxies created by the new ProxyGroup CRD are consistent with the behaviour of existing proxies Nearby but unrelated changes: * Fix up double error logs (controller runtime logs returned errors) * Fix a couple of variable names Updates #13406 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	1 year ago
Tom Proctor	cba2e76568	cmd/containerboot: simplify k8s setup logic (#13627) ... Rearrange conditionals to reduce indentation and make it a bit easier to read the logic. Also makes some error message updates for better consistency with the recent decision around capitalising resource names and the upcoming addition of config secrets. Updates #cleanup Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	1 year ago
Irbe Krumina	7f016baa87	cmd/k8s-operator,k8s-operator: create ConfigMap for egress services + small fixes for egress services (#13715) ... cmd/k8s-operator, k8s-operator: create ConfigMap for egress services + small reconciler fixes Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Erisa A	c588c36233	types/key: use tlpub: in error message (#13707) ... Fixes tailscale/corp#19442 Signed-off-by: Erisa A <erisa@tailscale.com>	1 year ago
Tom Proctor	e48cddfbb3	cmd/{containerboot,k8s-operator},k8s-operator,kube: add ProxyGroup controller (#13684) ... Implements the controller for the new ProxyGroup CRD, designed for running proxies in a high availability configuration. Each proxy gets its own config and state Secret, and its own tailscale node ID. We are currently mounting all of the config secrets into the container, but will stop mounting them and instead read them directly from the kube API once #13578 is implemented. Updates #13406 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	1 year ago
Erisa A	f30d85310c	cmd/tailscale/cli: don't print disablement secrets if init fails (#13673) ... * cmd/tailscale/cli: don't print disablement secrets if init fails Fixes tailscale/corp#11355 Signed-off-by: Erisa A <erisa@tailscale.com> * cmd/tailscale/cli: changes from code review Signed-off-by: Erisa A <erisa@tailscale.com> * cmd/tailscale/cli: small grammar change Signed-off-by: Erisa A <erisa@tailscale.com> --------- Signed-off-by: Erisa A <erisa@tailscale.com>	1 year ago
Irbe Krumina	e8bb5d1be5	cmd/{k8s-operator,containerboot},k8s-operator,kube: reconcile ExternalName Services for ProxyGroup (#13635) ... Adds a new reconciler that reconciles ExternalName Services that define a tailnet target that should be exposed to cluster workloads on a ProxyGroup's proxies. The reconciler ensures that for each such service, the config mounted to the proxies is updated with the tailnet target definition and that and EndpointSlice and ClusterIP Service are created for the service. Adds a new reconciler that ensures that as proxy Pods become ready to route traffic to a tailnet target, the EndpointSlice for the target is updated with the Pods' endpoints. Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Irbe Krumina	9bd158cc09	cmd/containerboot,util/linuxfw: create a SNAT rule for dst/src only once, clean up if needed (#13658) ... The AddSNATRuleForDst rule was adding a new rule each time it was called including: - if a rule already existed - if a rule matching the destination, but with different desired source already existed This was causing issues especially for the in-progress egress HA proxies work, where the rules are now refreshed more frequently, so more redundant rules were being created. This change: - only creates the rule if it doesn't already exist - if a rule for the same dst, but different source is found, delete it - also ensures that egress proxies refresh firewall rules if the node's tailnet IP changes Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Brad Fitzpatrick	d3f302d8e2	cmd/tailscale/cli: make 'tailscale debug ts2021' try twice ... In prep for a future port 80 MITM fix, make the 'debug ts2021' command retry once after a failure to give it a chance to pick a new strategy. Updates #13597 Change-Id: Icb7bad60cbf0dbec78097df4a00e9795757bc8e4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago