tailscale

Commit Graph

Author	SHA1	Message	Date
Irbe Krumina	861dc3631c	cmd/{k8s-operator,containerboot},kube/egressservices: fix Pod IP check for dual stack clusters (#13721 ) Currently egress Services for ProxyGroup only work for Pods and Services with IPv4 addresses. Ensure that it works on dual stack clusters by reading proxy Pod's IP from the .status.podIPs list that always contains both IPv4 and IPv6 address (if the Pod has them) rather than .status.podIP that could contain IPv6 only for a dual stack cluster. Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 weeks ago
Tom Proctor	cba2e76568	cmd/containerboot: simplify k8s setup logic (#13627 ) Rearrange conditionals to reduce indentation and make it a bit easier to read the logic. Also makes some error message updates for better consistency with the recent decision around capitalising resource names and the upcoming addition of config secrets. Updates #cleanup Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	2 weeks ago
Tom Proctor	e48cddfbb3	cmd/{containerboot,k8s-operator},k8s-operator,kube: add ProxyGroup controller (#13684 ) Implements the controller for the new ProxyGroup CRD, designed for running proxies in a high availability configuration. Each proxy gets its own config and state Secret, and its own tailscale node ID. We are currently mounting all of the config secrets into the container, but will stop mounting them and instead read them directly from the kube API once #13578 is implemented. Updates #13406 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	2 weeks ago
Irbe Krumina	e8bb5d1be5	cmd/{k8s-operator,containerboot},k8s-operator,kube: reconcile ExternalName Services for ProxyGroup (#13635 ) Adds a new reconciler that reconciles ExternalName Services that define a tailnet target that should be exposed to cluster workloads on a ProxyGroup's proxies. The reconciler ensures that for each such service, the config mounted to the proxies is updated with the tailnet target definition and that and EndpointSlice and ClusterIP Service are created for the service. Adds a new reconciler that ensures that as proxy Pods become ready to route traffic to a tailnet target, the EndpointSlice for the target is updated with the Pods' endpoints. Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 weeks ago
Irbe Krumina	9bd158cc09	cmd/containerboot,util/linuxfw: create a SNAT rule for dst/src only once, clean up if needed (#13658 ) The AddSNATRuleForDst rule was adding a new rule each time it was called including: - if a rule already existed - if a rule matching the destination, but with different desired source already existed This was causing issues especially for the in-progress egress HA proxies work, where the rules are now refreshed more frequently, so more redundant rules were being created. This change: - only creates the rule if it doesn't already exist - if a rule for the same dst, but different source is found, delete it - also ensures that egress proxies refresh firewall rules if the node's tailnet IP changes Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 weeks ago
Irbe Krumina	096b090caf	cmd/containerboot,kube,util/linuxfw: configure kube egress proxies to route to 1+ tailnet targets (#13531 ) * cmd/containerboot,kube,util/linuxfw: configure kube egress proxies to route to 1+ tailnet targets This commit is first part of the work to allow running multiple replicas of the Kubernetes operator egress proxies per tailnet service + to allow exposing multiple tailnet services via each proxy replica. This expands the existing iptables/nftables-based proxy configuration mechanism. A proxy can now be configured to route to one or more tailnet targets via a (mounted) config file that, for each tailnet target, specifies: - the target's tailnet IP or FQDN - mappings of container ports to which cluster workloads will send traffic to tailnet target ports where the traffic should be forwarded. Example configfile contents: { "some-svc": {"tailnetTarget":{"fqdn":"foo.tailnetxyz.ts.net","ports"{"tcp:4006:80":{"protocol":"tcp","matchPort":4006,"targetPort":80},"tcp:4007:443":{"protocol":"tcp","matchPort":4007,"targetPort":443}}}} } A proxy that is configured with this config file will configure firewall rules to route cluster traffic to the tailnet targets. It will then watch the config file for updates as well as monitor relevant netmap updates and reconfigure firewall as needed. This adds a bunch of new iptables/nftables functionality to make it easier to dynamically update the firewall rules without needing to restart the proxy Pod as well as to make it easier to debug/understand the rules: - for iptables, each portmapping is a DNAT rule with a comment pointing at the 'service',i.e: -A PREROUTING ! -i tailscale0 -p tcp -m tcp --dport 4006 -m comment --comment "some-svc:tcp:4006 -> tcp:80" -j DNAT --to-destination 100.64.1.18:80 Additionally there is a SNAT rule for each tailnet target, to mask the source address. - for nftables, a separate prerouting chain is created for each tailnet target and all the portmapping rules are placed in that chain. This makes it easier to look up rules and delete services when no longer needed. (nftables allows hooking a custom chain to a prerouting hook, so no extra work is needed to ensure that the rules in the service chains are evaluated). The next steps will be to get the Kubernetes Operator to generate the configfile and ensure it is mounted to the relevant proxy nodes. Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 weeks ago
Tom Proctor	d0a56a8870	cmd/containerboot: split main.go (#13517 ) containerboot's main.go had grown to well over 1000 lines with lots of disparate bits of functionality. This commit is pure copy- paste to group related functionality outside of the main function into its own set of files. Everything is still in the main package to keep the diff incremental and reviewable. Updates #cleanup Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	1 month ago
Irbe Krumina	209567e7a0	kube,cmd/{k8s-operator,containerboot},envknob,ipn/store/kubestore,*/depaware.txt: rename packages (#13418 ) Rename kube/{types,client,api} -> kube/{kubetypes,kubeclient,kubeapi} so that we don't need to rename the package on each import to convey that it's kubernetes specific. Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Irbe Krumina	d6dfb7f242	kube,cmd/{k8s-operator,containerboot},envknob,ipn/store/kubestore,*/depaware.txt: split out kube types (#13417 ) Further split kube package into kube/{client,api,types}. This is so that consumers who only need constants/static types don't have to import the client and api bits. Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Irbe Krumina	b9f42814b5	cmd/containerboot: optionally serve health check endpoint (#12899 ) Add functionality to optionally serve a health check endpoint (off by default). Users can enable health check endpoint by setting TS_HEALTHCHECK_ADDR_PORT to [<addr>]:<port>. Containerboot will then serve an unauthenticatd HTTP health check at /healthz at that address. The health check returns 200 OK if the node has at least one tailnet IP address, else returns 503. Updates tailscale/tailscale#12898 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Tom Proctor	01a7726cf7	cmd/containerboot,cmd/k8s-operator: enable IPv6 for fqdn egress proxies (#12577 ) cmd/containerboot,cmd/k8s-operator: enable IPv6 for fqdn egress proxies Don't skip installing egress forwarding rules for IPv6 (as long as the host supports IPv6), and set headless services `ipFamilyPolicy` to `PreferDualStack` to optionally enable both IP families when possible. Note that even with `PreferDualStack` set, testing a dual-stack GKE cluster with the default DNS setup of kube-dns did not correctly set both A and AAAA records for the headless service, and instead only did so when switching the cluster DNS to Cloud DNS. For both IPv4 and IPv6 to work simultaneously in a dual-stack cluster, we require headless services to return both A and AAAA records. If the host doesn't support IPv6 but the FQDN specified only has IPv6 addresses available, containerboot will exit with error code 1 and an error message because there is no viable egress route. Fixes #12215 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	4 months ago
Irbe Krumina	8cc2738609	cmd/{containerboot,k8s-operator}: store proxy device ID early to help with cleanup for broken proxies (#12425 ) * cmd/containerboot: store device ID before setting up proxy routes. For containerboot instances whose state needs to be stored in a Kubernetes Secret, we additonally store the device's ID, FQDN and IPs. This is used, between other, by the Kubernetes operator, who uses the ID to delete the device when resources need cleaning up and writes the FQDN and IPs on various kube resource statuses for visibility. This change shifts storing device ID earlier in the proxy setup flow, to ensure that if proxy routing setup fails, the device can still be deleted. Updates tailscale/tailscale#12146 Signed-off-by: Irbe Krumina <irbe@tailscale.com> * code review feedback Signed-off-by: Irbe Krumina <irbe@tailscale.com> --------- Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 months ago
Irbe Krumina	bc53ebd4a0	ipn/{ipnlocal,localapi},net/netkernelconf,client/tailscale,cmd/containerboot: optionally enable UDP GRO forwarding for containers (#12410 ) Add a new TS_EXPERIMENTAL_ENABLE_FORWARDING_OPTIMIZATIONS env var that can be set for tailscale/tailscale container running as a subnet router or exit node to enable UDP GRO forwarding for improved performance. See https://tailscale.com/kb/1320/performance-best-practices#linux-optimizations-for-subnet-routers-and-exit-nodes This is currently considered an experimental approach; the configuration support is partially to allow further experimentation with containerized environments to evaluate the performance improvements. Updates tailscale/tailscale#12295 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	5 months ago
ChandonPierre	0a5bd63d32	ipn/store/kubestore, cmd/containerboot: allow overriding client api server URL via ENV (#12115 ) Updates tailscale/tailscale#11397 Signed-off-by: Chandon Pierre <cpierre@coreweave.com>	5 months ago
Irbe Krumina	76c30e014d	cmd/containerboot: warn when an ingress proxy with an IPv4 tailnet address is being created for an IPv6 backend(s) (#12159 ) Updates tailscale/tailscale#12156 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	5 months ago
Irbe Krumina	d86d1e7601	cmd/k8s-operator,cmd/containerboot,ipn,k8s-operator: turn off stateful filter for egress proxies. (#12075 ) Turn off stateful filtering for egress proxies to allow cluster traffic to be forwarded to tailnet. Allow configuring stateful filter via tailscaled config file. Deprecate EXPERIMENTAL_TS_CONFIGFILE_PATH env var and introduce a new TS_EXPERIMENTAL_VERSIONED_CONFIG env var that can be used to provide containerboot a directory that should contain one or more tailscaled config files named cap-<tailscaled-cap-version>.hujson. Containerboot will pick the one with the newest capability version that is not newer than its current capability version. Proxies with this change will not work with older Tailscale Kubernetes operator versions - users must ensure that the deployed operator is at the same version or newer (up to 4 version skew) than the proxies. Updates tailscale/tailscale#12061 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Maisem Ali <maisem@tailscale.com>	6 months ago
Irbe Krumina	1452faf510	cmd/containerboot,kube,ipn/store/kubestore: allow interactive login on kube, check Secret create perms, allow empty state Secret (#11326 ) cmd/containerboot,kube,ipn/store/kubestore: allow interactive login and empty state Secrets, check perms * Allow users to pre-create empty state Secrets * Add a fake internal kube client, test functionality that has dependencies on kube client operations. * Fix an issue where interactive login was not allowed in an edge case where state Secret does not exist * Make the CheckSecretPermissions method report whether we have permissions to create/patch a Secret if it's determined that these operations will be needed Updates tailscale/tailscale#11170 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Irbe Krumina	45f0721530	cmd/containerboot: wait on tailscaled process only (#11897 ) Modifies containerboot to wait on tailscaled process only, not on any child process of containerboot. Waiting on any subprocess was racing with Go's exec.Cmd.Run, used to run iptables commands and that starts its own subprocesses and waits on them. Containerboot itself does not run anything else except for tailscaled, so there shouldn't be a need to wait on anything else. Updates tailscale/tailscale#11593 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Irbe Krumina	3af0f526b8	cmd{containerboot,k8s-operator},util/linuxfw: support ExternalName Services (#11802 ) * cmd/containerboot,util/linuxfw: support proxy backends specified by DNS name Adds support for optionally configuring containerboot to proxy traffic to backends configured by passing TS_EXPERIMENTAL_DEST_DNS_NAME env var to containerboot. Containerboot will periodically (every 10 minutes) attempt to resolve the DNS name and ensure that all traffic sent to the node's tailnet IP gets forwarded to the resolved backend IP addresses. Currently: - if the firewall mode is iptables, traffic will be load balanced accross the backend IP addresses using round robin. There are no health checks for whether the IPs are reachable. - if the firewall mode is nftables traffic will only be forwarded to the first IP address in the list. This is to be improved. * cmd/k8s-operator: support ExternalName Services Adds support for exposing endpoints, accessible from within a cluster to the tailnet via DNS names using ExternalName Services. This can be done by annotating the ExternalName Service with tailscale.com/expose: "true" annotation. The operator will deploy a proxy configured to route tailnet traffic to the backend IPs that service.spec.externalName resolves to. The backend IPs must be reachable from the operator's namespace. Updates tailscale/tailscale#10606 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Irbe Krumina	a6cc2fdc3e	cmd/{containerboot,k8s-operator/deploy/manifests}: optionally allow proxying cluster traffic to a cluster target via ingress proxy (#11036 ) * cmd/containerboot,cmd/k8s-operator/deploy/manifests: optionally forward cluster traffic via ingress proxy. If a tailscale Ingress has tailscale.com/experimental-forward-cluster-traffic-via-ingress annotation, configure the associated ingress proxy to have its tailscale serve proxy to listen on Pod's IP address. This ensures that cluster traffic too can be forwarded via this proxy to the ingress backend(s). In containerboot, if EXPERIMENTAL_PROXY_CLUSTER_TRAFFIC_VIA_INGRESS is set to true and the node is Kubernetes operator ingress proxy configured via Ingress, make sure that traffic from within the cluster can be proxied to the ingress target. Updates tailscale/tailscale#10499 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Irbe Krumina	133699284e	cmd/containerboot: add EXPERIMENTAL_TS_CONFIGFILE_PATH env var to allow passing tailscaled config in a file (#10759 ) * cmd/containerboot: optionally configure tailscaled with a configfile. If EXPERIMENTAL_TS_CONFIGFILE_PATH env var is set, only run tailscaled with the provided config file. Do not run 'tailscale up' or 'tailscale set'. * cmd/containerboot: store containerboot accept_dns val in bool pointer So that we can distinguish between the value being set to false explicitly bs being unset. Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
Irbe Krumina	3a9450bc06	cmd/containerboot: don't parse empty subnet routes (#10738 ) Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
Irbe Krumina	5a2eb26db3	cmd/containerboot: ensure that subnet routes can be unset. (#10734 ) A Tailnet node can be told to stop advertise subnets by passing an empty string to --advertise-routes flag. Respect an explicitly passed empty value to TS_ROUTES env var so that users have a way to stop containerboot acting as a subnet router without recreating it. Distinguish between TS_ROUTES being unset and empty. Updates tailscale/tailscale#10708 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
Maisem Ali	7bdea283bd	cmd/containerboot: symlink TS_SOCKET to socket expected by CLI `tailscaled` and `tailscale` expect the socket to be at `/var/run/tailscale/tailscaled.sock`, however containerboot would set up the socket at `/tmp/tailscaled.sock`. This leads to a poor UX when users try to use any `tailscale` command as they have to prefix everything with `--socket /tmp/tailscaled.sock`. To improve the UX, this adds a symlink to `/var/run/tailscale/tailscaled.sock` to point to `/tmp/tailscaled.sock`. This approach has two benefits, 1 users are able to continue to use existing scripts without this being a breaking change. 2. users are able to use the `tailscale` CLI without having to add the `--socket` flag. Fixes tailscale/corp#15902 Fixes #6849 Fixes #10027 Signed-off-by: Maisem Ali <maisem@tailscale.com>	11 months ago
Naman Sood	0a59754eda	linuxfw,wgengine/route,ipn: add c2n and nodeattrs to control linux netfilter Updates tailscale/corp#14029. Signed-off-by: Naman Sood <mail@nsood.in>	11 months ago
Matt Layher	a217f1fccf	all: fix nilness issues Signed-off-by: Matt Layher <mdlayher@gmail.com>	11 months ago
Irbe Krumina	18ceb4e1f6	cmd/{containerboot,k8s-operator}: allow users to define tailnet egress target by FQDN (#10360 ) * cmd/containerboot: proxy traffic to tailnet target defined by FQDN Add a new Service annotation tailscale.com/tailnet-fqdn that users can use to specify a tailnet target for which an egress proxy should be deployed in the cluster. Updates tailscale/tailscale#10280 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	11 months ago
Claire Wang	afacf2e368	containerboot: Add TS_ACCEPT_ROUTES (#10176 ) Fixes tailscale/corp#15596 Signed-off-by: Claire Wang <claire@tailscale.com>	11 months ago
Irbe Krumina	664ebb14d9	cmd/containerboot: fix unclean shutdown (#10035 ) * cmd/containerboot: shut down cleanly on SIGTERM Make sure that tailscaled watcher returns when SIGTERM is received and also that it shuts down before tailscaled exits. Updates tailscale/tailscale#10090 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	11 months ago
Maisem Ali	4899c2c1f4	cmd/containerboot: revert to using tailscale up This partially reverts commits `a61a9ab087` and `7538f38671` and fully reverts `4823a7e591`. The goal of that commit was to reapply known config whenever the container restarts. However, that already happens when TS_AUTH_ONCE was false (the default back then). So we only had to selectively reapply the config if TS_AUTH_ONCE is true, this does exactly that. This is a little sad that we have to revert to `tailscale up`, but it fixes the backwards incompatibility problem. Updates tailscale/tailscale#9539 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	2d4f808a4c	cmd/containerboot: fix time based serveConfig watcher This broke in a last minute refactor and seems to have never worked. Fixes #9686 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	fbfee6a8c0	cmd/containerboot: use linuxfw.NetfilterRunner This migrates containerboot to reuse the NetfilterRunner used by tailscaled instead of manipulating iptables rule itself. This has the added advantage of now working with nftables and we can potentially drop the `iptables` command from the container image in the future. Updates #9310 Co-authored-by: Irbe Krumina <irbe@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	d71184d674	cmd/containerboot: only wipeout serve config when TS_SERVE_CONFIG is set Fixes #9558 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Denton Gentry	4823a7e591	cmd/containerboot: set TS_AUTH_ONCE default to true. 1.50.0 switched containerboot from using `tailscale up` to `tailscale login`. A side-effect is that a re-usable authkey is now re-applied on every boot by `tailscale login`, where `tailscale up` would ignore an authkey if already authenticated. Though this looks like it is changing the default, in reality it is setting the default to match what 1.48 and all prior releases actually implemented. Fixes https://github.com/tailscale/tailscale/issues/9539 Fixes https://github.com/tailscale/corp/issues/14953 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	1 year ago
James Tucker	a82a74f2cf	cmd/containerboot: avoid leaking bash scripts after test runs The test was sending SIGKILL to containerboot, which results in no signal propagation down to the bash script that is running as a child process, thus it leaks. Minor changes to the test daemon script, so that it cleans up the socket that it creates on exit, and spawns fewer processes. Fixes tailscale/corp#14833 Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
Maisem Ali	4669e7f7d5	cmd/containerboot: add iptables based MSS clamping for ingress/egress proxies In typical k8s setups, the MTU configured on the eth0 interfaces is typically 1500 which results in packets being dropped when they make it to proxy pods as the tailscale0 interface has a 1280 MTU. As the primary use of this functionality is TCP, add iptables based MSS clamping to allow connectivity. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Irbe Krumina	17438a98c0	cm/k8s-operator,cmd/containerboot: fix STS config, more tests (#9155 ) Ensures that Statefulset reconciler config has only one of Cluster target IP or tailnet target IP. Adds a test case for containerboot egress proxy mode. Updates tailscale/tailscale#8184 Signed-off-by: irbekrm <irbekrm@gmail.com>	1 year ago
Irbe Krumina	fe709c81e5	cmd/k8s-operator,cmd/containerboot: add kube egress proxy (#9031 ) First part of work for the functionality that allows users to create an egress proxy to access Tailnet services from within Kubernetes cluster workloads. This PR allows creating an egress proxy that can access Tailscale services over HTTP only. Updates tailscale/tailscale#8184 Signed-off-by: irbekrm <irbekrm@gmail.com> Co-authored-by: Maisem Ali <maisem@tailscale.com> Co-authored-by: Rhea Ghosh <rhea@tailscale.com>	1 year ago
Maisem Ali	7538f38671	cmd/containerboot: fix broken tests The tests were broken in `a61a9ab087`, maybe even earlier. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Mike Beaumont	3451b89e5f	cmd/k8s-operator: put Tailscale IPs in Service ingress status Updates #502 Signed-off-by: Mike Beaumont <mjboamail@gmail.com>	1 year ago
Maisem Ali	9430481926	cmd/containerboot: account for k8s secret reflection in fsnotify On k8s the serve-config secret mount is symlinked so checking against the Name makes us miss the events. Updates #7895 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	320f77bd24	cmd/containerboot: add support for setting ServeConfig This watches the provided path for a JSON encoded ipn.ServeConfig. Everytime the file changes, or the nodes FQDN changes it reapplies the ServeConfig. At boot time, it nils out any previous ServeConfig just like tsnet does. As the ServeConfig requires pre-existing knowledge of the nodes FQDN to do SNI matching, it introduces a special `${TS_CERT_DOMAIN}` value in the JSON file which is replaced with the known CertDomain before it is applied. Updates #502 Updates #7895 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Maisem Ali	a61a9ab087	cmd/containerboot: reapply known args on restart Previously we would not reapply changes to TS_HOSTNAME etc when then the container restarted and TS_AUTH_ONCE was enabled. This splits those into two steps login and set, allowing us to only rerun the set step on restarts. Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Brad Fitzpatrick	84b94b3146	types/netmap, all: make NetworkMap.SelfNode a tailcfg.NodeView Updates #1909 Change-Id: I8c470cbc147129a652c1d58eac9b790691b87606 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Maisem Ali	e1530cdfcc	cmd/containerboot,kube: consolidate the two kube clients We had two implemenetations of the kube client, merge them. containerboot was also using a raw http.Transport, this also has the side effect of making it use a http.Client Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	6bae55e351	ipn/ipnlocal: add support to store certs in k8s secrets Fixes #5676 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Will Norris	71029cea2d	all: update copyright and license headers This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com>	2 years ago
David Anderson	9bd6a2fb8d	cmd/k8s-operator: support setting a custom hostname. Updates #502 Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
David Anderson	39efba528f	cmd/containerboot: use TS_AUTHKEY as the parameter for auth keys We still accept the previous TS_AUTH_KEY for backwards compatibility, but the documented option name is the spelling we use everywhere else. Updates #6321 Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
David Anderson	af3127711a	cmd/containerboot: allow disabling secret storage in k8s. In some configurations, user explicitly do not want to store tailscale state in k8s secrets, because doing that leads to some annoying permission issues with sidecar containers. With this change, TS_KUBE_SECRET="" and TS_STATE_DIR=/foo will force storage to file when running in kubernetes. Fixes #6704. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago

1 2

65 Commits (b2665d9b89ee8c7be10a8e0a2fa36d35d21d8440)