tailscale

Commit Graph

Author	SHA1	Message	Date
Percy Wegmann	1f1a26776b	client/tailscale,cmd/k8s-operator,internal/client/tailscale: move VIP service client methods into internal control client Updates tailscale/corp#22748 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Percy Wegmann	9c731b848b	cmd/gitops-pusher: log error details when unable to fetch ACL ETag This will help debug unexpected issues encountered by consumers of the gitops-pusher. Updates tailscale/corp#26664 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Percy Wegmann	4f0222388a	cmd,tsnet,internal/client: create internal shim to deprecated control plane API Even after we remove the deprecated API, we will want to maintain a minimal API for internal use, in order to avoid importing the external tailscale.com/client/tailscale/v2 package. This shim exposes only the necessary parts of the deprecated API for internal use, which gains us the following: 1. It removes deprecation warnings for internal use of the API. 2. It gives us an inventory of which parts we will want to keep for internal use. Updates tailscale/corp#22748 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Brad Fitzpatrick	cbf3852b5d	cmd/testwrapper: temporarily remove test coverage support testwrapper doesn't work with Go 1.24 and the coverage support is making it harder to debug. Updates #15015 Updates tailscale/corp#26659 Change-Id: I0125e881d08c92f1ecef88b57344f6bbb571b569 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Nick Khyl	6df5c8f32e	various: keep tailscale connected when Always On mode is enabled on Windows In this PR, we enable the registration of LocalBackend extensions to exclude code specific to certain platforms or environments. We then introduce desktopSessionsExt, which is included only in Windows builds and only if the ts_omit_desktop_sessions tag is disabled for the build. This extension tracks desktop sessions and switches to (or remains on) the appropriate profile when a user signs in or out, locks their screen, or disconnects a remote session. As desktopSessionsExt requires an ipn/desktop.SessionManager, we register it with tsd.System for the tailscaled subprocess on Windows. We also fix a bug in the sessionWatcher implementation where it attempts to close a nil channel on stop. Updates #14823 Updates tailscale/corp#26247 Signed-off-by: Nick Khyl <nickk@tailscale.com>	10 months ago
Irbe Krumina	e11ff28443	cmd/k8s-operator: allow to optionally configure an HTTP endpoint for the HA Ingress (#14986 ) Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
kari-ts	4c3c04a413	ipn, tailscale/cli: add TaildropTargetStatus and remove race with FileTargets (#15017 ) Introduce new TaildropTargetStatus in PeerStatus Refactor getTargetStableID to solely rely on Status() instead of calling FileTargets(). This removes a possible race condition between the two calls and provides more detailed failure information if a peer can't receive files. Updates tailscale/tailscale#14393 Signed-off-by: kari-ts <kari@tailscale.com>	10 months ago
James Tucker	f2f7fd12eb	go.mod: bump bart Bart has had some substantial improvements in internal representation, update functions, and other optimizations to reduce memory usage and improve runtime performance. Updates tailscale/corp#26353 Signed-off-by: James Tucker <james@tailscale.com>	10 months ago
Anton	f35c49d211	net/dns: update to illarion/gonotify/v3 to fix a panic Fixes #14699 Signed-off-by: Anton <anton@tailscale.com>	10 months ago
Brad Fitzpatrick	27f8e2e31d	go.mod: bump x/* deps Notably, this pulls in https://go.googlesource.com/net/+/2dab271ff1b7396498746703d88fefcddcc5cec7 for golang/go#71557. Updates #8043 Change-Id: I3637dbf27b90423dd4d54d147f12688b51f3ce36 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
James Tucker	e1523fe686	cmd/natc: remove speculative tuning from natc These tunings reduced memory usage while the implementation was struggling with earlier bugs, but will no longer be necessary after those bugs are addressed. Depends #14933 Depends #14934 Updates #9707 Updates #10408 Updates tailscale/corp#24483 Updates tailscale/corp#25169 Signed-off-by: James Tucker <james@tailscale.com>	10 months ago
James Tucker	e113b106a6	go.mod,wgengine/netstack: use cubic congestion control, bump gvisor Cubic performs better than Reno in higher BDP scenarios, and enables the use of the hystart++ implementation contributed by Coder. This improves throughput on higher BDP links with a much faster ramp. gVisor is bumped as well for some fixes related to send queue processing and RTT tracking. Updates #9707 Updates #10408 Updates #12393 Updates tailscale/corp#24483 Updates tailscale/corp#25169 Signed-off-by: James Tucker <james@tailscale.com>	10 months ago
Sandro Jäckel	08a96a86af	cmd/tailscale: make ssh command work when tailscaled is built with the ts_include_cli tag Fixes #12125 Signed-off-by: Sandro Jäckel <sandro.jaeckel@gmail.com>	10 months ago
Mike O'Driscoll	d08f830d50	cmd/derper: support no mesh key (#14931 ) Incorrect disabled support for not having a mesh key in `d5316a4fbb` Allow for no mesh key to be set. Fixes #14928 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	10 months ago
Mike O'Driscoll	9a9ce12a3e	cmd/derper: close setec after use (#14929 ) Since dynamic reload of setec is not supported in derper at this time, close the server after the secret is loaded. Updates tailscale/corp#25756 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	10 months ago
Brad Fitzpatrick	05ac21ebe4	all: use new LocalAPI client package location It was moved in `f57fa3cbc3`. Updates tailscale/corp#22748 Change-Id: I19f965e6bded1d4c919310aa5b864f2de0cd6220 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Percy Wegmann	f57fa3cbc3	client,localclient: move localclient.go to client/local package Updates tailscale/corp#22748 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Mike O'Driscoll	e6e00012b2	cmd/derper: remove logging of mesh key (#14915 ) A previous PR accidentally logged the key as part of an error. Remove logging of the key. Add log print for Setec store steup. Updates tailscale/corp#25756 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	10 months ago
Mike O'Driscoll	d5316a4fbb	cmd/derper: add setec secret support (#14890 ) Add setec secret support for derper. Support dev mode via env var, and setec via secrets URL. For backwards compatibility use setec load from file also. Updates tailscale/corp#25756 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	10 months ago
Irbe Krumina	5ef934b62d	cmd/k8s-operator: reinstate HA Ingress reconciler (#14887 ) This change: - reinstates the HA Ingress controller that was disabled for 1.80 release - fixes the API calls to manage VIPServices as the API was changed - triggers the HA Ingress reconciler on ProxyGroup changes Updates tailscale/tailscale#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
Adrian Dewhurst	600f25dac9	tailcfg: add JSON unmarshal helper for view of node/peer capabilities Many places that need to work with node/peer capabilities end up with a something-View and need to either reimplement the helper code or make an expensive copy. We have the machinery to easily handle this now. Updates #cleanup Change-Id: Ic3f55be329f0fc6c178de26b34359d0e8c6ca5fc Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	10 months ago
Nick Khyl	17ca2b7721	cmd/tailscale/cli: update tailscale down to accept an optional --reason If specified, the reason is sent via the LocalAPI for auditing purposes. Updates tailscale/corp#26146 Signed-off-by: Nick Khyl <nickk@tailscale.com>	10 months ago
Percy Wegmann	2e95313b8b	ssh,tempfork/gliderlabs/ssh: replace github.com/tailscale/golang-x-crypto/ssh with golang.org/x/crypto/ssh The upstream crypto package now supports sending banners at any time during authentication, so the Tailscale fork of crypto/ssh is no longer necessary. github.com/tailscale/golang-x-crypto is still needed for some custom ACME autocert functionality. tempfork/gliderlabs is still necessary because of a few other customizations, mostly related to TTY handling. Originally implemented in `46fd4e58a2`, which was reverted in `b60f6b849a` to keep the change out of v1.80. Updates #8593 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Andrea Gottardo	8ee72cd33c	cli/funnel: fix comment typo (#14840 ) Updates #cleanup Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	10 months ago
Tom Proctor	138a83efe1	cmd/containerboot: wait for consistent state on shutdown (#14263 ) tailscaled's ipn package writes a collection of keys to state after authenticating to control, but one at a time. If containerboot happens to send a SIGTERM signal to tailscaled in the middle of writing those keys, it may shut down with an inconsistent state Secret and never recover. While we can't durably fix this with our current single-use auth keys (no atomic operation to auth + write state), we can reduce the window for this race condition by checking for partial state before sending SIGTERM to tailscaled. Best effort only. Updates #14080 Change-Id: I0532d51b6f0b7d391e538468bd6a0a80dbe1d9f7 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	10 months ago
Irbe Krumina	a49af98b31	cmd/k8s-operator: temporarily disable HA Ingress controller (#14833 ) The HA Ingress functionality is not actually doing anything valuable yet, so don't run the controller in 1.80 release yet. Updates tailscale/tailscale#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
Irbe Krumina	3f39211f98	cmd/k8s-operator: check that cluster traffic is routed to egress ProxyGroup Pod before marking it as ready (#14792 ) This change builds on top of #14436 to ensure minimum downtime during egress ProxyGroup update rollouts: - adds a readiness gate for ProxyGroup replicas that prevents kubelet from marking the replica Pod as ready before a corresponding readiness condition has been added to the Pod - adds a reconciler that reconciles egress ProxyGroup Pods and, for each that is not ready, if cluster traffic for relevant egress endpoints is routed via this Pod- if so add the readiness condition to allow kubelet to mark the Pod as ready. During the sequenced StatefulSet update rollouts kubelet does not restart a Pod before the previous replica has been updated and marked as ready, so ensuring that a replica is not marked as ready allows to avoid a temporary post-update situation where all replicas have been restarted, but none of the new ones are yet set up as an endpoint for the egress service, so cluster traffic is dropped. Updates tailscale/tailscale#14326 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
Percy Wegmann	b60f6b849a	Revert "ssh,tempfork/gliderlabs/ssh: replace github.com/tailscale/golang-x-crypto/ssh with golang.org/x/crypto/ssh" This reverts commit `46fd4e58a2`. We don't want to include this in 1.80 yet, but can add it back post 1.80. Updates #8593 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Irbe Krumina	52f88f782a	cmd/k8s-operator: don't set deprecated configfile hash on new proxies (#14817 ) Fixes the configfile reload logic- if the tailscale capver can not yet be determined because the device info is not yet written to the state Secret, don't assume that the proxy is pre-110. Updates tailscale/tailscale#13032 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
Irbe Krumina	b406f209c3	cmd/{k8s-operator,containerboot},kube: ensure egress ProxyGroup proxies don't terminate while cluster traffic is still routed to them (#14436 ) cmd/{containerboot,k8s-operator},kube: add preshutdown hook for egress PG proxies This change is part of work towards minimizing downtime during update rollouts of egress ProxyGroup replicas. This change: - updates the containerboot health check logic to return Pod IP in headers, if set - always runs the health check for egress PG proxies - updates ClusterIP Services created for PG egress endpoints to include the health check endpoint - implements preshutdown endpoint in proxies. The preshutdown endpoint logic waits till, for all currently configured egress services, the ClusterIP Service health check endpoint is no longer returned by the shutting-down Pod (by looking at the new Pod IP header). - ensures that kubelet is configured to call the preshutdown endpoint This reduces the possibility that, as replicas are terminated during an update, a replica gets terminated to which cluster traffic is still being routed via the ClusterIP Service because kube proxy has not yet updated routig rules. This is not a perfect check as in practice, it only checks that the kube proxy on the node on which the proxy runs has updated rules. However, overall this might be good enough. The preshutdown logic is disabled if users have configured a custom health check port via TS_LOCAL_ADDR_PORT env var. This change throws a warnign if so and in future setting of that env var for operator proxies might be disallowed (as users shouldn't need to configure this for a Pod directly). This is backwards compatible with earlier proxy versions. Updates tailscale/tailscale#14326 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
Percy Wegmann	46fd4e58a2	ssh,tempfork/gliderlabs/ssh: replace github.com/tailscale/golang-x-crypto/ssh with golang.org/x/crypto/ssh The upstream crypto package now supports sending banners at any time during authentication, so the Tailscale fork of crypto/ssh is no longer necessary. github.com/tailscale/golang-x-crypto is still needed for some custom ACME autocert functionality. tempfork/gliderlabs is still necessary because of a few other customizations, mostly related to TTY handling. Updates #8593 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
yejingchen	6f10fe8ab1	cmd/tailscale: add warning to help text of `--force-reauth` (#14778 ) The warning text is adapted from https://tailscale.com/kb/1028/key-expiry#renewing-keys-for-an-expired-device . There is already https://github.com/tailscale/tailscale/pull/7575 which presents a warning when connected over Tailscale, however the detection is done by checking SSH environment variables, which are absent within systemd's run0. That means `--force-reauth` will happily bring down Tailscale connection, leaving the user in despair. Changing only the help text is by no means a complete solution, but hopefully it will stop users from blindly trying it out, and motivate them to search for a proper solution. : https://www.freedesktop.org/software/systemd/man/devel/run0.html Updates #3849 Signed-off-by: yejingchen <ye.jingchen@gmail.com>	10 months ago
Brad Fitzpatrick	2691b9f6be	tempfork/acme: add new package for x/crypto package acme fork, move We've been maintaining temporary dev forks of golang.org/x/crypto/{acme,ssh} in https://github.com/tailscale/golang-x-crypto instead of using this repo's tempfork directory as we do with other packages. The reason we were doing that was because x/crypto/ssh depended on x/crypto/ssh/internal/poly1305 and I hadn't noticed there are forwarding wrappers already available in x/crypto/poly1305. It also depended internal/bcrypt_pbkdf but we don't use that so it's easy to just delete that calling code in our tempfork/ssh. Now that our SSH changes have been upstreamed, we can soon unfork from SSH. That leaves ACME remaining. This change copies our tailscale/golang-x-crypto/acme code to tempfork/acme but adds a test that our vendored copied still matches our tailscale/golang-x-crypto repo, where we can continue to do development work and rebases with upstream. A comment on the new test describes the expected workflow. While we could continue to just import & use tailscale/golang-x-crypto/acme, it seems a bit nicer to not have that entire-fork-of-x-crypto visible at all in our transitive deps and the questions that invites. Showing just a fork of an ACME client is much less scary. It does add a step to the process of hacking on the ACME client code, but we do that approximately never anyway, and the extra step is very incremental compared to the existing tedious steps. Updates #8593 Updates #10238 Change-Id: I8af4378c04c1f82e63d31bf4d16dba9f510f9199 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	bce05ec6c3	control/controlclient,tempfork/httprec: don't link httptest, test certs for c2n The c2n handling code was using the Go httptest package's ResponseRecorder code but that's in a test package which brings in Go's test certs, etc. This forks the httptest recorder type into its own package that only has the recorder and adds a test that we don't re-introduce a dependency on httptest. Updates #12614 Change-Id: I3546f49972981e21813ece9064cc2be0b74f4b16 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	8c925899e1	go.mod: bump depaware, add --internal flag to stop hiding internal packages The hiding of internal packages has hidden things I wanted to see a few times now. Stop hiding them. This makes depaware.txt output a bit longer, but not too much. Plus we only really look at it with diffs & greps anyway; it's not like anybody reads the whole thing. Updates #12614 Change-Id: I868c89eeeddcaaab63e82371651003629bc9bda8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	68a66ee81b	feature/capture: move packet capture to feature/*, out of iOS + CLI We had the debug packet capture code + Lua dissector in the CLI + the iOS app. Now we don't, with tests to lock it in. As a bonus, tailscale.com/net/packet and tailscale.com/net/flowtrack no longer appear in the CLI's binary either. A new build tag ts_omit_capture disables the packet capture code and was added to build_dist.sh's --extra-small mode. Updates #12614 Change-Id: I79b0628c0d59911bd4d510c732284d97b0160f10 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
James Tucker	82e41ddc42	cmd/natc: expose netstack metrics in client metrics in natc Updates tailscale/corp#25169 Signed-off-by: James Tucker <james@tailscale.com>	10 months ago
James Tucker	ca39c4e150	cmd/natc,wgengine/netstack: tune buffer size and segment lifetime in natc Some natc instances have been observed with excessive memory growth, dominant in gvisor buffers. It is likely that the connection buffers are sticking around for too long due to the default long segment time, and uptuned buffer size applied by default in wgengine/netstack. Apply configurations in natc specifically which are a better match for the natc use case, most notably a 5s maximum segment lifetime. Updates tailscale/corp#25169 Signed-off-by: James Tucker <james@tailscale.com>	10 months ago
Percy Wegmann	450bc9a6b8	cmd/derper,derp: make TCP write timeout configurable The timeout still defaults to 2 seconds, but can now be changed via command-line flag. Updates tailscale/corp#26045 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Brad Fitzpatrick	61bea75092	cmd/tailscale: fix, test some recent doc inconsistencies `3dabea0fc2` added some docs with inconsistent usage docs. This fixes them, and adds a test. It also adds some other tests and fixes other verb tense inconsistencies. Updates tailscale/corp#25278 Change-Id: I94c2a8940791bddd7c35c1c3d5fb791a317370c2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Nick Khyl	f0db47338e	cmd/tailscaled,util/syspolicy/source,util/winutil/gp: disallow acquiring the GP lock during service startup In v1.78, we started acquiring the GP lock when reading policy settings. This led to a deadlock during Tailscale installation via Group Policy Software Installation because the GP engine holds the write lock for the duration of policy processing, which in turn waits for the installation to complete, which in turn waits for the service to enter the running state. In this PR, we prevent the acquisition of GP locks (aka EnterCriticalPolicySection) during service startup and update the Windows Registry-based util/syspolicy/source.PlatformPolicyStore to handle this failure gracefully. The GP lock is somewhat optional; it’s safe to read policy settings without it, but acquiring the lock is recommended when reading multiple values to prevent the Group Policy engine from modifying settings mid-read and to avoid inconsistent results. Fixes #14416 Signed-off-by: Nick Khyl <nickk@tailscale.com>	10 months ago
Brad Fitzpatrick	d6abbc2e61	net/tstun: move TAP support out to separate package feature/tap Still behind the same ts_omit_tap build tag. See #14738 for background on the pattern. Updates #12614 Change-Id: I03fb3d2bf137111e727415bd8e713d8568156ecc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Tom Proctor	3033a96b02	cmd/k8s-operator: fix reconciler name clash (#14712 ) The new ProxyGroup-based Ingress reconciler is causing a fatal log at startup because it has the same name as the existing Ingress reconciler. Explicitly name both to ensure they have unique names that are consistent with other explicitly named reconcilers. Updates #14583 Change-Id: Ie76e3eaf3a96b1cec3d3615ea254a847447372ea Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	10 months ago
Brad Fitzpatrick	1562a6f2f2	feature/: make Wake-on-LAN conditional, start supporting modular features This pulls out the Wake-on-LAN (WoL) code out into its own package (feature/wakeonlan) that registers itself with various new hooks around tailscaled. Then a new build tag (ts_omit_wakeonlan) causes the package to not even be linked in the binary. Ohter new packages include: feature: to just record which features are loaded. Future: dependencies between features. * feature/condregister: the package with all the build tags that tailscaled, tsnet, and the Tailscale Xcode project extension can empty (underscore) import to load features as a function of the defined build tags. Future commits will move of our "ts_omit_foo" build tags into this style. Updates #12614 Change-Id: I9c5378dafb1113b62b816aabef02714db3fc9c4a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Andrea Gottardo	3dabea0fc2	cmd/tailscale: define CLI tools to manipulate macOS network and system extensions (#14727 ) Updates tailscale/corp#25278 Adds definitions for new CLI commands getting added in v1.80. Refactors some pre-existing CLI commands within the `configure` tree to clean up code. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	11 months ago
Adrian Dewhurst	0fa7b4a236	tailcfg: add ServiceName Rather than using a string everywhere and needing to clarify that the string should have the svc: prefix, create a separate type for Service names. Updates tailscale/corp#24607 Change-Id: I720e022f61a7221644bb60955b72cacf42f59960 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	11 months ago
Brad Fitzpatrick	8b65598614	util/slicesx: add AppendNonzero By request of @agottardo. Updates #cleanup Change-Id: I2f02314eb9533b1581e47b66b45b6fb8ac257bb7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	150cd30b1d	ipn/ipnlocal: also use LetsEncrypt-baked-in roots for cert validation We previously baked in the LetsEncrypt x509 root CA for our tlsdial package. This moves that out into a new "bakedroots" package and is now also shared by ipn/ipnlocal's cert validation code (validCertPEM) that decides whether it's time to fetch a new cert. Otherwise, a machine without LetsEncrypt roots locally in its system roots is unable to use tailscale cert/serve and fetch certs. Fixes #14690 Change-Id: Ic88b3bdaabe25d56b9ff07ada56a27e3f11d7159 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	e12b2a7267	cmd/tailscale/cli: clean up how optional commands get registered Both @agottardo and I tripped over this today. Updates #cleanup Change-Id: I64380a03bfc952b9887b1512dbcadf26499ff1cd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
dependabot[bot]	bcc262269f	build(deps): bump braces from 3.0.2 to 3.0.3 in /cmd/tsconnect (#12468 ) Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3. - [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md) - [Commits](https://github.com/micromatch/braces/compare/3.0.2...3.0.3) --- updated-dependencies: - dependency-name: braces dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	11 months ago
Irbe Krumina	817ba1c300	cmd/{k8s-operator,containerboot},kube/kubetypes: parse Ingresses for ingress ProxyGroup (#14583 ) cmd/k8s-operator: add logic to parse L7 Ingresses in HA mode - Wrap the Tailscale API client used by the Kubernetes Operator into a client that knows how to manage VIPServices. - Create/Delete VIPServices and update serve config for L7 Ingresses for ProxyGroup. - Ensure that ingress ProxyGroup proxies mount serve config from a shared ConfigMap. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	11 months ago
dependabot[bot]	70c7b0d77f	build(deps): bump nanoid from 3.3.4 to 3.3.8 in /cmd/tsconnect (#14352 ) Bumps [nanoid](https://github.com/ai/nanoid) from 3.3.4 to 3.3.8. - [Release notes](https://github.com/ai/nanoid/releases) - [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md) - [Commits](https://github.com/ai/nanoid/compare/3.3.4...3.3.8) --- updated-dependencies: - dependency-name: nanoid dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	11 months ago
Irbe Krumina	97a44d6453	go.{mod,sum},cmd/{k8s-operator,derper,stund}/depaware.txt: bump kube deps (#14601 ) Updates kube deps and mkctr, regenerates kube yamls with the updated tooling. Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	11 months ago
Tom Proctor	2d1f6f18cc	cmd/k8s-operator: require namespace config (#14648 ) Most users should not run into this because it's set in the helm chart and the deploy manifest, but if namespace is not set we get confusing authz errors because the kube client tries to fetch some namespaced resources as though they're cluster-scoped and reports permission denied. Try to detect namespace from the default projected volume, and otherwise fatal. Fixes #cleanup Change-Id: I64b34191e440b61204b9ad30bbfa117abbbe09c3 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	11 months ago
Brad Fitzpatrick	d8b00e39ef	cmd/tailscaled: add some more depchecker dep tests As we look to add github.com/prometheus/client_golang/prometheus to more parts of the codebase, lock in that we don't use it in tailscaled, primarily for binary size reasons. Updates #12614 Change-Id: I03c100d12a05019a22bdc23ce5c4df63d5a03ec6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Aaron Klotz	fcf90260ce	atomicfile: use ReplaceFile on Windows so that attributes and ACLs are preserved I moved the actual rename into separate, GOOS-specific files. On non-Windows, we do a simple os.Rename. On Windows, we first try ReplaceFile with a fallback to os.Rename if the target file does not exist. ReplaceFile is the recommended way to rename the file in this use case, as it preserves attributes and ACLs set on the target file. Updates #14428 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	11 months ago
Percy Wegmann	db05e83efc	cmd/derper: support explicit configuration of mesh dial hosts The --mesh-with flag now supports the specification of hostname tuples like derp1a.tailscale.com/derp1a-vpc.tailscale.com, which instructs derp to mesh with host 'derp1a.tailscale.com' but dial TCP connections to 'derp1a-vpc.tailscale.com'. For backwards compatibility, --mesh-with still supports individual hostnames. The logic which attempts to auto-discover '[host]-vpc.tailscale.com' dial hosts has been removed. Updates tailscale/corp#25653 Signed-off-by: Percy Wegmann <percy@tailscale.com>	11 months ago
Brad Fitzpatrick	cfda1ff709	cmd/viewer,all: consistently use "read-only" instead of "readonly" Updates #cleanup Change-Id: I8e4e3497d3d0ec5b16a73aedda500fe5cfa37a67 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	414a01126a	go.mod: bump mdlayher/netlink and u-root/uio to use Go 1.21 NativeEndian This finishes the work started in #14616. Updates #8632 Change-Id: I4dc07d45b1e00c3db32217c03b21b8b1ec19e782 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Nick Khyl	da9965d51c	cmd/viewer,types/views,various: avoid allocations in pointer field getters whenever possible In this PR, we add a generic views.ValuePointer type that can be used as a view for pointers to basic types and struct types that do not require deep cloning and do not have corresponding view types. Its Get/GetOk methods return stack-allocated shallow copies of the underlying value. We then update the cmd/viewer codegen to produce getters that return either concrete views when available or ValuePointer views when not, for pointer fields in generated view types. This allows us to avoid unnecessary allocations compared to returning pointers to newly allocated shallow copies. Updates #14570 Signed-off-by: Nick Khyl <nickk@tailscale.com>	11 months ago
Anton Tolchanov	e4385f1c02	cmd/tailscale/cli: add --posture-checking to tailscale up This will prevent `tailscale up` from resetting the posture checking client pref. Fixes #12154 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	11 months ago
Michael Stapelberg	64ab0ddff1	cmd/tailscale/cli: only exit silently if len(args) == 0 This amends commit `b7e48058c8`. That commit broke all documented ways of starting Tailscale on gokrazy: https://gokrazy.org/packages/tailscale/ — both Option A (tailscale up) and Option B (tailscale up --auth-key) rely on the tailscale CLI working. I verified that the tailscale CLI just prints it help when started without arguments, i.e. it does not stay running and is not restarted. I verified that the tailscale CLI successfully exits when started with tailscale up --auth-key, regardless of whether the node has joined the tailnet yet or not. I verified that the tailscale CLI successfully waits and exits when started with tailscale up, as expected. fixes https://github.com/gokrazy/gokrazy/issues/286 Signed-off-by: Michael Stapelberg <michael@stapelberg.de>	11 months ago
Brad Fitzpatrick	69b90742fe	util/uniq,types/lazy,*: delete code that's now in Go std sync.OnceValue and slices.Compact were both added in Go 1.21. cmp.Or was added in Go 1.22. Updates #8632 Updates #11058 Change-Id: I89ba4c404f40188e1f8a9566c8aaa049be377754 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Percy Wegmann	cd795d8a7f	prober: support filtering regions by region ID in addition to code Updates tailscale/corp#25758 Signed-off-by: Percy Wegmann <percy@tailscale.com>	11 months ago
Irbe Krumina	77017bae59	cmd/containerboot: load containerboot serve config that does not contain HTTPS endpoint in tailnets with HTTPS disabled (#14538 ) cmd/containerboot: load containerboot serve config that does not contain HTTPS endpoint in tailnets with HTTPS disabled Fixes an issue where, if a tailnet has HTTPS disabled, no serve config set via TS_SERVE_CONFIG was loaded, even if it does not contain an HTTPS endpoint. Now for tailnets with HTTPS disabled serve config provided to containerboot is considered invalid (and therefore not loaded) only if there is an HTTPS endpoint defined in the config. Fixes tailscale/tailscale#14495 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	11 months ago
Irbe Krumina	48a95c422a	cmd/containerboot,cmd/k8s-operator: reload tailscaled config (#14342 ) cmd/{k8s-operator,containerboot}: reload tailscaled configfile when its contents have changed Instead of restarting the Kubernetes Operator proxies each time tailscaled config has changed, this dynamically reloads the configfile using the new reload endpoint. Older annotation based mechanism will be supported till 1.84 to ensure that proxy versions prior to 1.80 keep working with operator 1.80 and newer. Updates tailscale/tailscale#13032 Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	11 months ago
Nahum Shalman	9373a1b902	all: illumos/solaris userspace only support Updates #14565 Change-Id: I743148144938794db0a224873ce76c10dbe6fa5f Signed-off-by: Nahum Shalman <nahamu@gmail.com>	11 months ago
Irbe Krumina	68997e0dfa	cmd/k8s-operator,k8s-operator: allow users to set custom labels for the optional ServiceMonitor (#14475 ) * cmd/k8s-operator,k8s-operator: allow users to set custom labels for the optional ServiceMonitor Updates tailscale/tailscale#14381 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	11 months ago
Irbe Krumina	8d4ca13cf8	cmd/k8s-operator,k8s-operator: support ingress ProxyGroup type (#14548 ) Currently this does not yet do anything apart from creating the ProxyGroup resources like StatefulSet. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	11 months ago
Will Norris	60daa2adb8	all: fix golangci-lint errors These erroneously blocked a recent PR, which I fixed by simply re-running CI. But we might as well fix them anyway. These are mostly `printf` to `print` and a couple of `!=` to `!Equal()` Updates #cleanup Signed-off-by: Will Norris <will@tailscale.com>	11 months ago
James Tucker	6e45a8304e	cmd/derper: improve logging on derp mesh connect Include the mesh log prefix in all mesh connection setup. Updates tailscale/corp#25653 Signed-off-by: James Tucker <james@tailscale.com>	11 months ago
Will Norris	b36984cb16	cmd/systray: add cmd/systray back as a small client/systray wrapper Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	11 months ago
Will Norris	82e99fcf84	client/systray: move cmd/systray to client/systray Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	11 months ago
Brad Fitzpatrick	5da772c670	cmd/tailscale/cli: fix TestUpdatePrefs on macOS It was failing about an unaccepted risk ("mac-app-connector") because it was checking runtime.GOOS ("darwin") instead of the test's env.goos string value ("linux", which doesn't have the warning). Fixes #14544 Change-Id: I470d86a6ad4bb18e1dd99d334538e56556147835 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	1e2e319e7d	util/slicesx: add MapKeys and MapValues from golang.org/x/exp/maps Importing the ~deprecated golang.org/x/exp/maps as "xmaps" to not shadow the std "maps" was getting ugly. And using slices.Collect on an iterator is verbose & allocates more. So copy (x)maps.Keys+Values into our slicesx package instead. Updates #cleanup Updates #12912 Updates #14514 (pulled out of that change) Change-Id: I5e68d12729934de93cf4a9cd87c367645f86123a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Will Norris	c43c5ca003	cmd/systray: properly set tooltip on different platforms On Linux, systray.SetTitle actually seems to set the tooltip on all desktops I've tested on. But on macOS, it actually does set a title that is always displayed in the systray area next to the icon. This change should properly set the tooltip across platforms. Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	11 months ago
Will Norris	5a4148e7e8	cmd/systray: update state management and initialization Move a number of global state vars into the Menu struct, keeping things better encapsulated. The systray package still relies on its own global state, so only a single Menu instance can run at a time. Move a lot of the initialization logic out of onReady, in particular fetching the latest tailscale state. Instead, populate the state before calling systray.Run, which fixes a timing issue in GNOME (#14477). This change also creates a separate bgContext for actions not tied menu item clicks. Because we have to rebuild the entire menu regularly, we cancel that context as needed, which can cancel subsequent updateState calls. Also exit cleanly on SIGINT and SIGTERM. Updates #1708 Fixes #14477 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	11 months ago
Will Norris	86f273d930	cmd/systray: set app icon and title consistently Refactor code to set app icon and title as part of rebuild, rather than separately in eventLoop. This fixes several cases where they weren't getting updated properly. This change also makes use of the new exit node icons. Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	12 months ago
Will Norris	2bdbe5b2ab	cmd/systray: add icons for exit node online and offline restructure tsLogo to allow setting a mask to be used when drawing the logo dots, as well as add an overlay icon, such as the arrow when connected to an exit node. The icon is still renders as white on black, but this change also prepare for doing a black on white version, as well a fully transparent icon. I don't know if we can consistently determine which to use, so this just keeps the single icon for now. Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	12 months ago
James Tucker	68b12a74ed	metrics,syncs: add ShardedInt support to metrics.LabelMap metrics.LabelMap grows slightly more heavy, needing a lock to ensure proper ordering for newly initialized ShardedInt values. An Add method enables callers to use .Add for both expvar.Int and syncs.ShardedInt values, but retains the original behavior of defaulting to initializing expvar.Int values. Updates tailscale/corp#25450 Co-Authored-By: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: James Tucker <james@tailscale.com>	12 months ago
Will Norris	3837b6cebc	cmd/systray: rebuild menu on pref change, assorted other fixes - rebuild menu when prefs change outside of systray, such as setting an exit node - refactor onClick handler code - compare lowercase country name, the same as macOS and Windows (now sorts Ukraine before USA) - fix "connected / disconnected" menu items on stopped status - prevent nil pointer on "This Device" menu item Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	12 months ago
Will Norris	10d4057a64	cmd/systray: add visual workarounds for gnome, mac, and windows Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	12 months ago
Will Norris	cb59943501	cmd/systray: add exit nodes menu This commit builds the exit node menu including the recommended exit node, if available, as well as tailnet and mullvad exit nodes. This does not yet update the menu based on changes in exit node outside of the systray app, which will come later. This also does not include the ability to run as an exit node. Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	12 months ago
Will Norris	256da8dfb5	cmd/systray: remove new menu delay on KDE The new menu delay added to fix libdbusmenu systrays causes problems with KDE. Given the state of wildly varying systray implementations, I suspect we may need more desktop-specific hacks, so I'm setting this up to accommodate that. Updates #1708 Updates #14431 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	12 months ago
Tom Proctor	3adad364f1	cmd/k8s-operator,k8s-operator: include top-level CRD descriptions (#14435 ) When reading https://doc.crds.dev/github.com/tailscale/tailscale/tailscale.com/ProxyGroup/v1alpha1@v1.78.3 I noticed there is no top-level description for ProxyGroup and Recorder. Add one to give some high-level direction. Updates #cleanup Change-Id: I3666c5445be272ea5a1d4d02b6d5ad4c23afb09f Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	12 months ago
Will Norris	89adcd853d	cmd/systray: improve profile menu Bring UI closer to macOS and windows: - split login and tailnet name over separate lines - render profile picture (with very simple caching) - use checkbox to indicate active profile. I've not found any desktops that can't render checkboxes, so I'd like to explore other options if needed. Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	12 months ago
Will Norris	2d4edd80f1	cmd/systray: add extra padding around notification icon Some notification managers crop the application icon to a circle, so ensure we have enough padding to account for that. Updates #1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com>	12 months ago
Percy Wegmann	00a4504cf1	cmd/derpprobe,prober: add ability to perform continuous queuing delay measurements against DERP servers This new type of probe sends DERP packets sized similarly to CallMeMaybe packets at a rate of 10 packets per second. It records the round-trip times in a Prometheus histogram. It also keeps track of how many packets are dropped. Packets that fail to arrive within 5 seconds are considered dropped. Updates tailscale/corp#24522 Signed-off-by: Percy Wegmann <percy@tailscale.com>	12 months ago
Andrew Lytvynov	6ae0287a57	cmd/systray: add account switcher Updates #1708 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	12 months ago
Joe Tsai	b62a013ecb	Switch logging service from log.tailscale.io to log.tailscale.com (#14398 ) Updates tailscale/corp#23617 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	12 months ago
Irbe Krumina	cc168d9f6b	cmd/k8s-operator: fix ProxyGroup hostname (#14336 ) Updates tailscale/tailscale#14325 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	12 months ago
Percy Wegmann	1ed9bd76d6	prober: perform DERP bandwidth probes over TUN device to mimic real client Updates tailscale/corp#24635 Co-authored-by: Mario Minardi <mario@tailscale.com> Signed-off-by: Percy Wegmann <percy@tailscale.com>	12 months ago
James Tucker	aa04f61d5e	net/netcheck: adjust HTTPS latency check to connection time and avoid data race The go-httpstat package has a data race when used with connections that are performing happy-eyeballs connection setups as we are in the DERP client. There is a long-stale PR upstream to address this, however revisiting the purpose of this code suggests we don't really need httpstat here. The code populates a latency table that may be used to compare to STUN latency, which is a lightweight RTT check. Switching out the reported timing here to simply the request HTTP request RTT avoids the problematic package. Fixes tailscale/corp#25095 Signed-off-by: James Tucker <james@tailscale.com>	12 months ago
Irbe Krumina	6e552f66a0	cmd/containerboot: don't attempt to patch a Secret field without permissions (#14365 ) Signed-off-by: Irbe Krumina <irbe@tailscale.com>	12 months ago
Tom Proctor	f1ccdcc713	cmd/k8s-operator,k8s-operator: operator integration tests (#12792 ) This is the start of an integration/e2e test suite for the tailscale operator. It currently only tests two major features, ingress proxy and API server proxy, but we intend to expand it to cover more features over time. It also only supports manual runs for now. We intend to integrate it into CI checks in a separate update when we have planned how to securely provide CI with the secrets required for connecting to a test tailnet. Updates #12622 Change-Id: I31e464bb49719348b62a563790f2bc2ba165a11b Co-authored-by: Irbe Krumina <irbe@tailscale.com> Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	12 months ago
Irbe Krumina	fa655e6ed3	cmd/containerboot: add more tests, check that egress service config only set on kube (#14360 ) Updates tailscale/tailscale#14357 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	12 months ago
Irbe Krumina	0cc071f154	cmd/containerboot: don't attempt to write kube Secret in non-kube environments (#14358 ) Updates tailscale/tailscale#14354 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	12 months ago
Bjorn Neergaard	8b1d01161b	cmd/containerboot: guard kubeClient against nil dereference (#14357 ) A method on kc was called unconditionally, even if was not initialized, leading to a nil pointer dereference when TS_SERVE_CONFIG was set outside Kubernetes. Add a guard symmetric with other uses of the kubeClient. Fixes #14354. Signed-off-by: Bjorn Neergaard <bjorn@neersighted.com>	12 months ago
Mike O'Driscoll	c2761162a0	cmd/stunc: enforce read timeout deadline (#14309 ) Make argparsing use flag for adding a new parameter that requires parsing. Enforce a read timeout deadline waiting for response from the stun server provided in the args. Otherwise the program will never exit. Fixes #14267 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	1 year ago
Percy Wegmann	06a82f416f	cmd,{get-authkey,tailscale}: remove unnecessary scope qualifier from OAuth clients OAuth clients that were used to generate an auth_key previously specified the scope 'device'. 'device' is not an actual scope, the real scope is 'devices'. The resulting OAuth token ended up including all scopes from the specified OAuth client, so the code was able to successfully create auth_keys. It's better not to hardcode a scope here anyway, so that we have the flexibility of changing which scope(s) are used in the future without having to update old clients. Since the qualifier never actually did anything, this commit simply removes it. Updates tailscale/corp#24934 Signed-off-by: Percy Wegmann <percy@tailscale.com>	1 year ago

1 2 3 4 5 ...

2187 Commits (c76d0754723f10f6d7100972bbddaf6edae4e57c)