2375 Commits (e4895abca15cf12f47d76cbe3a9cf2bc08d16a2d)

Author	SHA1	Message	Date
Kristoffer Dalby	0198255266	cmd/tailscale: warn user about nllock key removal without resigning ... Fixes #19445 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	6 months ago
Kristoffer Dalby	9309760263	util/prompt: make yes/no prompt reusable ... Updates #19445 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	6 months ago
Brad Fitzpatrick	9af42f425c	.github/workflows: shard the Windows builder ... It's one of the slower ones, so split it up into chunks. Updates tailscale/corp#28679 Change-Id: I16a5ba667678bf238c84417a51dda61baefbecf7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
Irbe Krumina	253d0b026d	cmd/k8s-operator: remove conffile hashing mechanism (#16335) ... Proxies know how to reload configfile on changes since 1.80, which is going to be the earliest supported proxy version with 1.84 operator, so remove the mechanism that was updating configfile hash to force proxy Pod restarts on config changes. Updates #13032 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Brad Fitzpatrick	e92eb6b17b	net/tlsdial: fix TLS cert validation of HTTPS proxies ... If you had HTTPS_PROXY=https://some-valid-cert.example.com running a CONNECT proxy, we should've been able to do a TLS CONNECT request to e.g. controlplane.tailscale.com:443 through that, and I'm pretty sure it used to work, but refactorings and lack of integration tests made it regress. It probably regressed when we added the baked-in LetsEncrypt root cert validation fallback code, which was testing against the wrong hostname (the ultimate one, not the one which we were being asked to validate) Fixes #16222 Change-Id: If014e395f830e2f87f056f588edacad5c15e91bc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
Andrew Lytvynov	4979ce7a94	feature/tpm: implement ipn.StateStore using TPM sealing (#16030) ... Updates #15830 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	6 months ago
Raj Singh	45a4b69ce0	cmd/tsidp: fix OIDC client persistence across restarts ... Fixes #16088 Signed-off-by: Raj Singh <raj@tailscale.com>	6 months ago
Simon Law	49ae66c10c	cmd/tailscale: clean up dns --help messages (#16306) ... This patch contains the following cleanups: 1. Simplify `ffcli.Command` definitions; 2. Word-wrap help text, consistent with other commands; 3. `tailscale dns --help` usage makes subcommand usage more obvious; 4. `tailscale dns query --help` describes DNS record types. Updates #cleanup Signed-off-by: Simon Law <sfllaw@tailscale.com>	6 months ago
Mike O'Driscoll	e7f5c9a015	derp/derphttp: add error notify for RunWatchConnectionLoop (#16261) ... The caller of client.RunWatchConnectionLoop may need to be aware of errors that occur within loop. Add a channel that notifies of errors to the caller to allow for decisions to be make as to the state of the client. Updates tailscale/corp#25756 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	6 months ago
Brad Fitzpatrick	259bab9bff	scripts/check_license_headers.sh: delete, rewrite as a Go test ... Updates tailscale/corp#29650 Change-Id: Iad4e4ccd9d68ebb1d1a12f335cc5295d0bd05b60 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
James Tucker	86985228bc	cmd/natc: add a flag to use specific DNS servers ... If natc is running on a host with tailscale using `--accept-dns=true` then a DNS loop can occur. Provide a flag for some specific DNS upstreams for natc to use instead, to overcome such situations. Updates #14667 Signed-off-by: James Tucker <james@tailscale.com>	6 months ago
Anton Tolchanov	42da161b19	tka: reject removal of the last signing key ... Fixes tailscale/corp#19447 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	6 months ago
Irbe Krumina	e29e3c150f	cmd/k8s-operator: ensure that TLS resources are updated for HA Ingress (#16262) ... Ensure that if the ProxyGroup for HA Ingress changes, the TLS Secret and Role and RoleBinding that allow proxies to read/write to it are updated. Fixes #16259 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
M. J. Fromberger	fe391d5694	client/local: use an iterator to stream bus events (#16269) ... This means the caller does not have to remember to close the reader, and avoids having to duplicate the logic to decode JSON into events. Updates #15160 Change-Id: I20186fabb02f72522f61d5908c4cc80b86b8936b Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	6 months ago
James Tucker	b0f7b23efe	net/netcheck: preserve live home DERP through packet loss ... During a short period of packet loss, a TCP connection to the home DERP may be maintained. If no other regions emerge as winners, such as when all regions but one are avoided/disallowed as candidates, ensure that the current home region, if still active, is not dropped as the preferred region until it has failed two keepalives. Relatedly apply avoid and no measure no home to ICMP and HTTP checks as intended. Updates tailscale/corp#12894 Updates tailscale/corp#29491 Signed-off-by: James Tucker <james@tailscale.com>	6 months ago
Irbe Krumina	3219de4cb8	cmd/k8s-operator: ensure status update errors are displayed to users (#16251) ... Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Claus Lensbøl	6010812f0c	ipn/localapi,client/local: add debug watcher for bus events (#16239) ... Updates: #15160 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	6 months ago
Fran Bull	3b25e94352	cmd/natc: allow specifying the tsnet state dir ... Which can make operating the service more convenient. It makes sense to put the cluster state with this if specified, so rearrange the logic to handle that. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	6 months ago
Mike O'Driscoll	e72c528a5f	cmd/{derp,derpprobe},prober,derp: add mesh support to derpprobe (#15414) ... Add mesh key support to derpprobe for probing derpers with verify set to true. Move MeshKey checking to central point for code reuse. Fix a bad error fmt msg. Fixes tailscale/corp#27294 Fixes tailscale/corp#25756 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>	6 months ago
Anton Tolchanov	db34cdcfe7	cmd/tailscale/cli: add a risk message about rp_filter ... We already present a health warning about this, but it is easy to miss on a server when blackholing traffic makes it unreachable. In addition to a health warning, present a risk message when exit node is enabled. Example: ``` $ tailscale up --exit-node=lizard The following issues on your machine will likely make usage of exit nodes impossible: - interface "ens4" has strict reverse-path filtering enabled - interface "tailscale0" has strict reverse-path filtering enabled Please set rp_filter=2 instead of rp_filter=1; see https://github.com/tailscale/tailscale/issues/3310 To skip this warning, use --accept-risk=linux-strict-rp-filter $ ``` Updates #3310 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	6 months ago
Tom Meadows	4456f77af7	cmd/k8s-operator: explicitly set tcp on VIPService port configuration for Ingress with ProxyGroup (#16199) ... Updates tailscale/corp#24795 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	6 months ago
Fran Bull	3e08eab21e	cmd/natc: use new on disk state store for consensus ... Fixes #16027 Signed-off-by: Fran Bull <fran@tailscale.com>	6 months ago
Fran Bull	486a55f0a9	cmd/natc: add optional consensus backend ... Enable nat connector to be run on a cluster of machines for high availability. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	6 months ago
Raj Singh	5f0e139012	cmd/tsidp: add Docker image building support (#16078) ... - Add tsidp target to build_docker.sh for standard Tailscale image builds - Add publishdevtsidp Makefile target for development image publishing - Remove Dockerfile, using standard build process - Include tsidp in depaware dependency tracking - Update README with comprehensive Docker usage examples This enables tsidp to be built and published like other Tailscale components (tailscale/tailscale, tailscale/k8s-operator, tailscale/k8s-nameserver). Fixes #16077 Signed-off-by: Raj Singh <raj@tailscale.com>	6 months ago
Irbe Krumina	5b670eb3a5	cmd/containerboot: allow setting --accept-dns via TS_EXTRA_ARGS again (#16129) ... In 1.84 we made 'tailscale set'/'tailscale up' error out if duplicate command line flags are passed. This broke some container configurations as we have two env vars that can be used to set --accept-dns flag: - TS_ACCEPT_DNS- specifically for --accept-dns - TS_EXTRA_ARGS- accepts any arbitrary 'tailscale up'/'tailscale set' flag. We default TS_ACCEPT_DNS to false (to make the container behaviour more declarative), which with the new restrictive CLI behaviour resulted in failure for users who had set --accept-dns via TS_EXTRA_ARGS as the flag would be provided twice. This PR re-instates the previous behaviour by checking if TS_EXTRA_ARGS contains --accept-dns flag and if so using its value to override TS_ACCEPT_DNS. Updates tailscale/tailscale#16108 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Brad Fitzpatrick	401d6c0cfa	go.mod: bump golang.org/x deps ... Updates #8043 Change-Id: I8702a17130559353ccdecbe8b64eeee461ff09c3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
Nick Khyl	191afd3390	net/tshttpproxy: fix WDAP/PAC proxy detection on Win10 1607 and earlier ... Using WINHTTP_AUTOPROXY_ALLOW_AUTOCONFIG on Windows versions older than Windows 10 1703 (build 15063) is not supported and causes WinHttpGetProxyForUrl to fail with ERROR_INVALID_PARAMETER. This results in failures reaching the control on environments where a proxy is required. We use wingoes version detection to conditionally set the WINHTTP_AUTOPROXY_ALLOW_AUTOCONFIG flag on Windows builds greater than 15063. While there, we also update proxy detection to use WINHTTP_AUTO_DETECT_TYPE_DNS_A, as DNS-based proxy discovery might be required with Active Directory and in certain other environments. Updates tailscale/corp#29168 Fixes #879 Signed-off-by: Nick Khyl <nickk@tailscale.com>	6 months ago
Raj Singh	09582bdc00	cmd/tsidp: add web UI for managing OIDC clients (#16068) ... Add comprehensive web interface at ui for managing OIDC clients, similar to tsrecorder's design. Features include list view, create/edit forms with validation, client secret management, delete functionality with confirmation dialogs, responsive design, and restricted tailnet access only. Fixes #16067 Signed-off-by: Raj Singh <raj@tailscale.com>	6 months ago
Tim Klocke	4980869977	cmd/tsidp: Fix sending string for refresh_token ... In accordance with the OIDC/OAuth 2.0 protocol, do not send an empty refresh_token and instead omit the field when empty. Fixes https://github.com/tailscale/tailscale/issues/16073 Signed-off-by: Tim Klocke <taaem@mailbox.org>	7 months ago
Irbe Krumina	00a7dd180a	cmd/k8s-operator: validate Service tags, catch duplicate Tailscale Services (#16058) ... Validate that any tags that users have specified via tailscale.com/tags annotation are valid Tailscale ACL tags. Validate that no more than one HA Tailscale Kubernetes Services in a single cluster refer to the same Tailscale Service. Updates tailscale/tailscale#16054 Updates tailscale/tailscale#16035 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	7 months ago
Patrick O'Doherty	a05924a9e5	client/web: add Sec-Fetch-Site CSRF protection (#16046) ... RELNOTE=Fix CSRF errors in the client Web UI Replace gorilla/csrf with a Sec-Fetch-Site based CSRF protection middleware that falls back to comparing the Host & Origin headers if no SFS value is passed by the client. Add an -origin override to the web CLI that allows callers to specify the origin at which the web UI will be available if it is hosted behind a reverse proxy or within another application via CGI. Updates #14872 Updates #15065 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	7 months ago
Simon Law	3ee4c60ff0	cmd/derper: fix mesh auth for DERP servers (#16061) ... To authenticate mesh keys, the DERP servers used a simple == comparison, which is susceptible to a side channel timing attack. By extracting the mesh key for a DERP server, an attacker could DoS it by forcing disconnects using derp.Client.ClosePeer. They could also enumerate the public Wireguard keys, IP addresses and ports for nodes connected to that DERP server. DERP servers configured without mesh keys deny all such requests. This patch also extracts the mesh key logic into key.DERPMesh, to prevent this from happening again. Security bulletin: https://tailscale.com/security-bulletins#ts-2025-003 Fixes tailscale/corp#28720 Signed-off-by: Simon Law <sfllaw@tailscale.com>	7 months ago
Irbe Krumina	c4fb380f3c	cmd/k8s-operator: fix Tailscale Service API errors check (#16020) ... Updates tailscale/tailscale#15895 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	7 months ago
Brad Fitzpatrick	54970054a6	cmd/tailscale/cli: suggest using "tailscale set", not "up", to set operator ... The same message was used for "up" and "down" permission failures, but "set" works better for both. Suggesting "up --operator" for a "down" permission failure was confusing. It's not like the latter command works in one shot anyway. Fixes #16008 Change-Id: I6e4225ef06ce2d8e19c40bece8104e254c2aa525 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	8009ad74a3	cmd/derper, net/tlsdial: fix client's self-signed cert validation ... This fixes the implementation and test from #15208 which apparently never worked. Ignore the metacert when counting the number of expected certs presented. And fix the test, pulling out the TLSConfig setup code into something shared between the real cmd/derper and the test. Fixes #15579 Change-Id: I90526e38e59f89b480629b415f00587b107de10a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Tom Meadows	b5770c81c9	cmd/k8s-operator: rename VIPService -> Tailscale Service in L3 HA Service Reconciler (#16014) ... Also changes wording tests for L7 HA Reconciler Updates #15895 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	7 months ago
Tom Meadows	7fe27496c8	cmd/k8s-operator: warn if HA Service is applied, but VIPService feature flag is not enabled (#16013) ... Updates #15895 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	7 months ago
Tom Meadows	df8d51023e	cmd/k8s-operator,kube/kubetypes,k8s-operator/apis: reconcile L3 HA Services (#15961) ... This reconciler allows users to make applications highly available at L3 by leveraging Tailscale Virtual Services. Many Kubernetes Service's (irrespective of the cluster they reside in) can be mapped to a Tailscale Virtual Service, allowing access to these Services at L3. Updates #15895 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	7 months ago
Tom Proctor	d89aa29081	{cmd,}/k8s-operator: support IRSA for Recorder resources (#15913) ... Adds Recorder fields to configure the name and annotations of the ServiceAccount created for and used by its associated StatefulSet. This allows the created Pod to authenticate with AWS without requiring a Secret with static credentials, using AWS' IAM Roles for Service Accounts feature, documented here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html Fixes #15875 Change-Id: Ib0e15c0dbc357efa4be260e9ae5077bacdcb264f Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	7 months ago
Irbe Krumina	6b97e615d6	cmd/containerboot,kube/ingressservices: proxy VIPService TCP/UDP traffic to cluster Services (#15897) ... cmd/containerboot,kube/ingressservices: proxy VIPService TCP/UDP traffic to cluster Services This PR is part of the work to implement HA for Kubernetes Operator's network layer proxy. Adds logic to containerboot to monitor mounted ingress firewall configuration rules and update iptables/nftables rules as the config changes. Also adds new shared types for the ingress configuration. The implementation is intentionally similar to that for HA for egress proxy. Updates tailscale/tailscale#15895 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> Signed-off-by: Irbe Krumina <irbe@tailscale.com>	7 months ago
Patrick O'Doherty	336b3b7df0	cmd/proxy-to-grafana: strip X-Webauth* headers from all requests (#15985) ... Update proxy-to-grafana to strip any X-Webauth prefixed headers passed by the client in *every* request, not just those to /login. /api/ routes will also accept these headers to authenticate users, necessitating their removal to prevent forgery. Updates tailscale/corp#28687 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	7 months ago
Irbe Krumina	abe04bfa78	cmd/k8s-operator: warn if Tailscale Services use attempted for tailnet without the feature enabled (#15931) ... Also renames VIPService -> Tailscale Service (including user facing messages) Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	7 months ago
Simon Law	7f4aaed1d5	cmd/derpprobe: exit with non-zero status if --once fails (#15926) ... `cmd/derpprobe --once` didn’t respect the convention of non-zero exit status for a failed run. It would always exit zero (i.e. success), even. This patch fixes that, but only for `--once` mode. Fixes: #15925 Signed-off-by: Simon Law <sfllaw@tailscale.com>	7 months ago
Jordan Whited	0f4f808e70	wgengine/magicsock: re-shape relayManager to use an event loop (#15935) ... The event loop removes the need for growing locking complexities and synchronization. Now we simply use channels. The event loop only runs while there is active work to do. relayManager remains no-op inside magicsock for the time being. endpoints are never 'relayCapable' and therefore endpoint & Conn will not feed CallMeMaybeVia or allocation events into it. A number of relayManager events remain unimplemented, e.g. CallMeMaybeVia reception and relay handshaking. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	7 months ago
Nick Khyl	a9be049c19	ipn/ipnlocal,net/dns/resolver: use the user dialer and routes for DNS forwarding by default, except on iOS and Android ... In this PR, we make the "user-dial-routes" behavior default on all platforms except for iOS and Android. It can be disabled by setting the TS_DNS_FORWARD_USE_ROUTES envknob to 0 or false. Updates #12027 Updates #13837 Signed-off-by: Nick Khyl <nickk@tailscale.com>	7 months ago
Jordan Whited	0841477743	net/udprelay{/endpoint}, all: move ServerEndpoint to independent pkg (#15934) ... ServerEndpoint will be used within magicsock and potentially elsewhere, which should be possible without needing to import the server implementation itself. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	7 months ago
Brad Fitzpatrick	165b99278b	feature/taildrop, ipn/ipnlocal: remove leftover dup calls to osshare ... I'd moved the osshare calls to feature/taildrop hooks, but forgot to remove them from ipnlocal, or lost them during a rebase. But then I noticed cmd/tailscaled also had some, so turn those into a hook. Updates #12614 Change-Id: I024fb1d27fbcc49c013158882ee5982c2737037d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	48dacf1bf7	cmd/tailscale/cli: omit "file" subcommand if taildrop is omitted from build ... Updates #15812 Updates #12614 Change-Id: Ic945b26a127ba15399abdaab8fe43b1cfa64d874 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	7cc2837594	tsnet: don't depend on condregister & its default tailscaled features ... None of them are applicable to the common tsnet use cases. If somebody wants one of them, they can empty import it. Updates #12614 Change-Id: I3d7f74b555eed22e05a09ad667e4572a5bc452d8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	5b597489bc	taildrop: merge taildrop and feature/taildrop packages together ... Fixes #15812 Change-Id: I3bf0666bf9e7a9caea5f0f99fdb0eb2812157608 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	068d5ab655	feature/taildrop: move rest of Taildrop out of LocalBackend ... Updates #12614 Change-Id: If451dec1d796f6a4216fe485975c87f0c62a53e5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Co-authored-by: Nick Khyl <nickk@tailscale.com>	7 months ago
Brad Fitzpatrick	cf6a593196	cmd/tailscale/cli: rename "--posture-checking" to "--report-posture" ... For consistency with other flags, per Slack chat. Updates #5902 Change-Id: I7ae1e4c97b37185573926f5fafda82cf8b46f071 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Tom Proctor	62182f3bcf	cmd/k8s-operator,k8s-operator/api-proxy: move k8s proxy code to library (#15857) ... The defaultEnv and defaultBool functions are copied over temporarily to minimise diff. This lays the ground work for having both the operator and the new k8s-proxy binary implement the API proxy Updates #13358 Change-Id: Ieacc79af64df2f13b27a18135517bb31c80a5a02 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	7 months ago
Andrew Lytvynov	3105ecd958	hostinfo,tailcfg: report TPM availability on windows/linux (#15831) ... Start collecting fleet data on TPM availability via hostinfo. Updates #15830 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	7 months ago
Brad Fitzpatrick	383664b2f7	cmd/tsidp: remove backticks in README in shell example ... Fixes #15818 Change-Id: I7a6f4c7368fed74b865a63acdea4559c3d0a0d09 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	e415f51351	feature/taildrop: add integration test ... Taildrop has never had an end-to-end test since it was introduced. This adds a basic one. It caught two recent refactoring bugs & one from 2022 (0f7da5c7dc). This is prep for moving the rest of Taildrop out of LocalBackend, so we can do more refactorings with some confidence. Updates #15812 Change-Id: I6182e49c5641238af0bfdd9fea1ef0420c112738 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Anton Tolchanov	fe0090909b	cmd/tailscale/cli: unhide `--posture-checking` flag to `set` ... Updates #5902 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	7 months ago
James Tucker	b95e8bf4a1	tsweb/varz: export GC CPU fraction gauge ... We were missing this metric, but it can be important for some workloads. Varz memstats output allocation cost reduced from 30 allocs per invocation to 1 alloc per invocation. Updates tailscale/corp#28033 Signed-off-by: James Tucker <james@tailscale.com> Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Brad Fitzpatrick	dbf13976d3	types/mapx, ipn/ipnext: add ordered map, akin to set.Slice ... We had an ordered set type (set.Slice) already but we occasionally want to do the same thing with a map, preserving the order things were added, so add that too, as mapsx.OrderedMap[K, V], and then use in ipnext. Updates #12614 Change-Id: I85e6f5e11035571a28316441075e952aef9a0863 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Patrick O'Doherty	e649227ef2	cmd/tsidp: fix interface{} linter warnings (#15729) ... Replace all instances of interface{} with any to resolve the golangci-lint errors that appeared in the previous tsidp PR. Updates #cleanup Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	8 months ago
Cedric Kienzler	b34a2bdb22	cmd/tsidp: add groups claim to tsidp (#15127) ... * cmd/tsidp: add groups claim to tsidp This feature adds support for a `groups` claim in tsidp using the grants syntax: ```json { "grants": [ { "src": ["group:admins"], "dst": ["*"], "ip": ["*"], "app": { "tailscale.com/cap/tsidp": [ { "groups": ["admin"] } ] } }, { "src": ["group:reader"], "dst": ["*"], "ip": ["*"], "app": { "tailscale.com/cap/tsidp": [ { "groups": ["reader"] } ] } } ] } ``` For #10263 Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> * cmd/tsidp: refactor cap/tsidp to allow extraClaims This commit refactors the `capRule` struct to allow specifying arbitrary extra claims: ```json { "src": ["group:reader"], "dst": ["*"], "ip": ["*"], "app": { "tailscale.com/cap/tsidp": [ { "extraClaims": { "groups": ["reader"], "entitlements": ["read-stuff"], }, } ] } } ``` Overwriting pre-existing claims cannot be modified/overwritten. Also adding more unit-testing Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> * Update cmd/tsidp/tsidp.go Signed-off-by: cedi <cedi@users.noreply.github.com> * Update cmd/tsidp/tsidp_test.go Co-authored-by: Patrick O'Doherty <hello@patrickod.com> Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com> * Update cmd/tsidp/tsidp_test.go Co-authored-by: Patrick O'Doherty <hello@patrickod.com> Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com> * Fix logical error in test case Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> * fix error printing for failed to unmarshal capability in tsidp Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> * clarify doc string for withExtraClaims Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> --------- Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> Signed-off-by: cedi <cedi@users.noreply.github.com> Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com> Co-authored-by: Patrick O'Doherty <hello@patrickod.com>	8 months ago
Tom Meadows	9666c2e700	cmd/k8s-operator: default ingress paths to '/' if not specified by user (#15706) ... in resource Fixes #14908 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>	8 months ago
Percy Wegmann	26f31f73f4	cmd/dist,release/dist: sign QNAP builds with a Google Cloud hosted key ... QNAP now requires builds to be signed with an HSM. This removes support for signing with a local keypair. This adds support for signing with a Google Cloud hosted key. The key should be an RSA key with protection level `HSM` and that uses PSS padding and a SHA256 digest. The GCloud project, keyring and key name are passed in as command-line arguments. The GCloud credentials and the PEM signing certificate are passed in as Base64-encoded command-line arguments. Updates tailscale/corp#23528 Signed-off-by: Percy Wegmann <percy@tailscale.com>	8 months ago
Brad Fitzpatrick	0c78f081a4	feature/taildrop: start moving Taildrop out of LocalBackend ... This adds a feature/taildrop package, a ts_omit_taildrop build tag, and starts moving code to feature/taildrop. In some cases, code remains where it was but is now behind a build tag. Future changes will move code to an extension and out of LocalBackend, etc. Updates #12614 Change-Id: Idf96c61144d1a5f707039ceb2ff59c99f5c1642f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
David Anderson	5399fa159a	net/netmon: publish events to event bus ... Updates #15160 Signed-off-by: David Anderson <dave@tailscale.com>	8 months ago
David Anderson	6d6f69e735	derp/derphttp: remove ban on websockets dependency ... The event bus's debug page uses websockets. Updates #15160 Signed-off-by: David Anderson <dave@tailscale.com>	8 months ago
David Anderson	e8cacd2a32	cmd/tailscaled: clean up unnecessary logf indirection #cleanup ... Signed-off-by: David Anderson <dave@tailscale.com>	8 months ago
M. J. Fromberger	deb0b255ff	all: update the tsd.System constructor name (#15372) ... Replace NewSystemWithEventBus with plain NewSystem, and update all usage. See https://github.com/tailscale/tailscale/pull/15355#discussion_r2003910766 Updates #15160 Change-Id: I64d337f09576b41d9ad78eba301a74b9a9d6ebf4 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	8 months ago
M. J. Fromberger	baead61e44	{wgengine,util/portmapper}: add and plumb an event bus (#15359) ... Updates #15160 Change-Id: I2510fb4a8905fb0abe8a8e0c5b81adb15d50a6f8 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	8 months ago
M. J. Fromberger	418e19fb5e	portmapper: update NewClient to use a Config argument ... In preparation for adding more parameters (and later, moving some away), rework the portmapper constructor to accept its arguments on a Config struct rather than positionally. This is a breaking change to the function signature, but one that is very easy to update, and a search of GitHub reveals only six instances of usage outside clones and forks of Tailscale itself, that are not direct copies of the code fixed up here. While we could stub in another constructor, I think it is safe to let those folks do the update in-place, since their usage is already affected by other changes we can't test for anyway. Updates #15160 Change-Id: I9f8a5e12b38885074c98894b7376039261b43f43 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	8 months ago
M. J. Fromberger	ffb22ee353	all: construct new System values with an event bus pre-populated ... Although, at the moment, we do not yet require an event bus to be present, as we start to add more pieces we will want to ensure it is always available. Add a new constructor and replace existing uses of new(tsd.System) throughout. Update generated files for import changes. Updates #15160 Change-Id: Ie5460985571ade87b8eac8b416948c7f49f0f64b Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>	8 months ago
David Anderson	6b8bbb4c37	tsd: wire up the event bus to tailscaled ... Updates #15160 Signed-off-by: David Anderson <dave@tailscale.com>	8 months ago
Jordan Whited	37f5fd2ec1	feature/{condregister,relayserver}: implement the skeleton for the relayserver feature (#15699) ... This feature is "registered" as an ipnlocal.Extension, and conditionally linked depending on GOOS and ts_omit_relayserver build tag. The feature is not linked on iOS in attempt to limit the impact to binary size and resulting effect of pushing up against NetworkExtension limits. Eventually we will want to support the relay server on iOS, specifically on the Apple TV. Apple TVs are well-fitted to act as underlay relay servers as they are effectively always-on servers. This skeleton begins to tie a PeerAPI endpoint to a net/udprelay.Server. The PeerAPI endpoint is currently no-op as extension.shouldRunRelayServer() always returns false. Follow-up commits will implement extension.shouldRunRelayServer(). Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	8 months ago
Satyam Soni	b926cd7fc6	k8s-operator: add age column to all custom resources (#15663) ... This change introduces an Age column in the output for all custom resources to enhance visibility into their lifecycle status. Fixes #15499 Signed-off-by: satyampsoni <satyampsoni@gmail.com>	8 months ago
Fran Bull	4cb9d5c183	cmd/natc: cleanup unused state ... perPeerState no longer needs to know the v6ULA. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	8 months ago
Fran Bull	1e290867bd	cmd/natc: only store v4 addresses ... Because we derive v6 addresses from v4 addresses we only need to store the v4 address, not both. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	8 months ago
Nick Khyl	4941cd7c73	cmd/tailscaled,ipn/{auditlog,desktop,ipnext,ipnlocal},tsd: extract LocalBackend extension interfaces and implementation ... In this PR, we refactor the LocalBackend extension system, moving from direct callbacks to a more organized extension host model. Specifically, we: - Extract interface and callback types used by packages extending LocalBackend functionality into a new ipn/ipnext package. - Define ipnext.Host as a new interface that bridges extensions with LocalBackend. It enables extensions to register callbacks and interact with LocalBackend in a concurrency-safe, well-defined, and controlled way. - Move existing callback registration and invocation code from ipnlocal.LocalBackend into a new type called ipnlocal.ExtensionHost, implementing ipnext.Host. - Improve docs for existing types and methods while adding docs for the new interfaces. - Add test coverage for both the extracted and the new code. - Remove ipn/desktop.SessionManager from tsd.System since ipn/desktop is now self-contained. - Update existing extensions (e.g., ipn/auditlog and ipn/desktop) to use the new interfaces where appropriate. We're not introducing new callback and hook types (e.g., for ipn.Prefs changes) just yet, nor are we enhancing current callbacks, such as by improving conflict resolution when more than one extension tries to influence profile selection via a background profile resolver. These further improvements will be submitted separately. Updates #12614 Updates tailscale/corp#27645 Updates tailscale/corp#26435 Updates tailscale/corp#18342 Signed-off-by: Nick Khyl <nickk@tailscale.com>	8 months ago
Jordan Whited	e17abbf461	cmd/tailscale,ipn: add relay-server-port "tailscale set" flag and Prefs field (#15594) ... This flag is currently no-op and hidden. The flag does round trip through the related pref. Subsequent commits will tie them to net/udprelay.Server. There is no corresponding "tailscale up" flag, enabling/disabling of the relay server will only be supported via "tailscale set". This is a string flag in order to support disablement via empty string as a port value of 0 means "enable the server and listen on a random unused port". Disablement via empty string also follows existing flag convention, e.g. advertise-routes. Early internal discussions settled on "tailscale set --relay="<port>", but the author felt this was too ambiguous around client vs server, and may cause confusion in the future if we add related flags. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <jordan@tailscale.com>	8 months ago
Simon Law	7e296923ab	cmd/tailscale: test for new flags in tailscale up ... `tailscale set` was created to set preferences, which used to be overloaded into `tailscale up`. To move people over to the new command, `up` was supposed to be frozen and no new preference flags would be added. But people forgot, there was no test to warn them, and so new flags were added anyway. TestUpFlagSetIsFrozen complains when new flags are added to `tailscale up`. It doesn’t try all combinations of GOOS, but since the CI builds in every OS, the pull-request tests should cover this. Updates #15460 Signed-off-by: Simon Law <sfllaw@sfllaw.ca>	8 months ago
Tom Proctor	dd95a83a65	cmd/{containerboot,k8s-operator},kube/kubetypes: unadvertise ingress services on shutdown (#15451) ... Ensure no services are advertised as part of shutting down tailscaled. Prefs are only edited if services are currently advertised, and they're edited we wait for control's ~15s (+ buffer) delay to failover. Note that editing prefs will trigger a synchronous write to the state Secret, so it may fail to persist state if the ProxyGroup is getting scaled down and therefore has its RBAC deleted at the same time, but that failure doesn't stop prefs being updated within the local backend, doesn't affect connectivity to control, and the state Secret is about to get deleted anyway, so the only negative side effect is a harmless error log during shutdown. Control still learns that the node is no longer advertising the service and triggers the failover. Note that the first version of this used a PreStop lifecycle hook, but that only supports GET methods and we need the shutdown to trigger side effects (updating prefs) so it didn't seem appropriate to expose that functionality on a GET endpoint that's accessible on the k8s network. Updates tailscale/corp#24795 Change-Id: I0a9a4fe7a5395ca76135ceead05cbc3ee32b3d3c Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	8 months ago
James Tucker	8e1aa86bdb	cmd/natc: attempt to match IP version between upstream and downstream ... As IPv4 and IPv6 end up with different MSS and different congestion control strategies, proxying between them can really amplify TCP meltdown style conditions in many real world network conditions, such as with higher latency, some loss, etc. Attempt to match up the protocols, otherwise pick a destination address arbitrarily. Also shuffle the target address to spread load across upstream load balancers. Updates #15367 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Tom Proctor	de949b050e	cmd/containerboot: speed up tests (#14883) ... The test suite had grown to about 20s on my machine, but it doesn't do much taxing work so was a good candidate to parallelise. Now runs in under 2s on my machine. Updates #cleanup Change-Id: I2fcc6be9ca226c74c0cb6c906778846e959492e4 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	8 months ago
Brad Fitzpatrick	79ff067db3	cmd/tailscale/cli: prevent all dup flags, not just strings ... The earlier #15534 prevent some dup string flags. This does it for all flag types. Updates #6813 Change-Id: Iec2871448394ea9a5b604310bdbf7b499434bf01 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Jason O'Donnell	6088ee311f	cmd/tailscale/cli: return error on duplicate multi-value flags (#15534) ... Some CLI flags support multiple values separated by commas. These flags are intended to be declared only once and will silently ignore subsequent instances. This will now throw an error if multiple instances of advertise-tags and advertise-routes are detected. Fixes #6813 Signed-off-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>	8 months ago
James Tucker	025fe72448	cmd/natc: fix handling of upstream and downstream nxdomain ... Ensure that the upstream is always queried, so that if upstream is going to NXDOMAIN natc will also return NXDOMAIN rather than returning address allocations. At this time both IPv4 and IPv6 are still returned if upstream has a result, regardless of upstream support - this is ~ok as we're proxying. Rewrite the tests to be once again slightly closer to integration tests, but they're still very rough and in need of a refactor. Further refactors are probably needed implementation side too, as this removed rather than added units. Updates #15367 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Brad Fitzpatrick	fb96137d79	net/{netx,memnet},all: add netx.DialFunc, move memnet Network impl ... This adds netx.DialFunc, unifying a type we have a bazillion other places, giving it now a nice short name that's clickable in editors, etc. That highlighted that my earlier move (03b47a55c7) of stuff from nettest into netx moved too much: it also dragged along the memnet impl, meaning all users of netx.DialFunc who just wanted netx for the type definition were instead also pulling in all of memnet. So move the memnet implementation netx.Network into memnet, a package we already had. Then use netx.DialFunc in a bunch of places. I'm sure I missed some. And plenty remain in other repos, to be updated later. Updates tailscale/corp#27636 Change-Id: I7296cd4591218e8624e214f8c70dab05fb884e95 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Brad Fitzpatrick	265c76dbc5	all: unify some redundant testing.TB interface copies ... I added yet another one in 6d117d64a2 but that new one is at the best place int he dependency graph and has the best name, so let's use that one for everything possible. types/lazy can't use it for circular dependency reasons, so unexport that copy at least. Updates #cleanup Change-Id: I25db6b6a0d81dbb8e89a0a9080c7f15cbf7aa770 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
phanirithvij	ad2b075d4f	cmd/nardump: support symlinks, add basic test ... Signed-off-by: phanirithvij <phanirithvij2000@gmail.com>	8 months ago
Fran Bull	603a1d3830	cmd/natc: move address storage behind an interface ... Adds IPPool and moves all IP address management concerns behind that. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	8 months ago
Fran Bull	e2eb6eb870	cmd/natc: separate perPeerState from connector ... Make the perPeerState objects able to function independently without a shared reference to the connector. We don't currently change the values from connector that perPeerState uses at runtime. Explicitly copying them at perPeerState creation allows us to, for example, put the perPeerState into a consensus algorithm in the future. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	8 months ago
Kot	1284482790	Change README to reflect configuration ... Updates #15465 Signed-off-by: Kot <kot@kot.pink>	8 months ago
Kot	c86afacf26	Move env var flag passing to Dockerfile ... Updates #15465 Signed-off-by: Kot <kot@kot.pink>	8 months ago
Kot	85bcc2e3bd	cmd/tsidp: use advertised env vars for config ... Fixes #14491 Signed-off-by: Kot <kot@kot.pink>	8 months ago
Brad Fitzpatrick	7dbb21cae8	cmd/tailscale: add tailscale.rc Plan 9 wrapper ... So we can link tailscale and tailscaled together into one. Updates #5794 Change-Id: I9a8b793c64033827e4188931546cbd64db55982e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Brad Fitzpatrick	b3953ce0c4	ssh/tailssh: add Plan 9 support for Tailscale SSH ... Updates #5794 Change-Id: I7b05cd29ec02085cb503bbcd0beb61bf455002ac Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Brad Fitzpatrick	3da1728207	cmd/tailscaled: make state dir on Plan 9 ... Updates #5794 Change-Id: Id7bdc08263e98a1848ffce0dd25fc034747d7393 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Brad Fitzpatrick	21d12ec522	cmd/tailscaled: let net/netmon know what our TUN interface is ... Updates #5794 Change-Id: Ia7e71c32e6c0cd79eb32b6c2c2d4e9a6d8c3e4d6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Brad Fitzpatrick	60847128df	net/tstun: add Plan 9 'tun' support ... Updates #5794 Change-Id: I8c466cae25ae79be1097450a63e8c25c7b519331 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
James Tucker	95034e15a7	cmd/natc: fix ip allocation runtime ... Avoid the unbounded runtime during random allocation, if random allocation fails after a first pass at random through the provided ranges, pick the next free address by walking through the allocated set. The new ipx utilities provide a bitset based allocation pool, good for small to moderate ranges of IPv4 addresses as used in natc. Updates #15367 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Brad Fitzpatrick	2a12e634bf	cmd/vnet: add wsproxy mode ... For hooking up websocket VM clients to natlab. Updates #13038 Change-Id: Iaf728b9146042f3d0c2d3a5e25f178646dd10951 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Irbe Krumina	bf8c8e9e89	cmd/k8s-operator,k8s-operator: enable HA Ingress again. (#15453) ... Re-enable HA Ingress again that was disabled for 1.82 release. This reverts commit fea74a60d5. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Brad Fitzpatrick	4c5112eba6	cmd/tailscaled: make embedded CLI run earlier, support triggering via env ... Not all platforms have hardlinks, or not easily. This lets a "tailscale" wrapper script set an environment variable before calling tailscaled. Updates #2233 Change-Id: I9eccc18651e56c106f336fcbbd0fd97a661d312e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Nick Khyl	6a9a7f35d9	cmd/tailscaled,ipn/{auditlog,ipnlocal},tsd: omit auditlog unless explicitly imported ... In this PR, we update ipnlocal.LocalBackend to allow registering callbacks for control client creation and profile changes. We also allow to register ipnauth.AuditLogFunc to be called when an auditable action is attempted. We then use all this to invert the dependency between the auditlog and ipnlocal packages and make the auditlog functionality optional, where it only registers its callbacks via ipnlocal-provided hooks when the auditlog package is imported. We then underscore-import it when building tailscaled for Windows, and we'll explicitly import it when building xcode/ipn-go-bridge for macOS. Since there's no default log-store location for macOS, we'll also need to call auditlog.SetStoreFilePath to specify where pending audit logs should be persisted. Fixes #15394 Updates tailscale/corp#26435 Updates tailscale/corp#27012 Signed-off-by: Nick Khyl <nickk@tailscale.com>	8 months ago
Simon Law	e9324236e8	cmd/tailscale: fix default for `tailscale set --accept-routes` ... The default values for `tailscale up` and `tailscale set` are supposed to agree for all common flags. But they don’t for `--accept-routes` on Windows and from the Mac OS App Store, because `tailscale up` computes this value based on the operating system: user@host:~$ tailscale up --help 2>&1 | grep -A1 accept-routes --accept-dns, --accept-dns=false accept DNS configuration from the admin panel (default true) user@host:~$ tailscale set --help 2>&1 | grep -A1 accept-routes --accept-dns, --accept-dns=false accept DNS configuration from the admin panel Luckily, `tailscale set` uses `ipn.MaskedPrefs`, so the default values don’t logically matter. But someone will get the wrong idea if they trust the `tailscale set --help` documentation. In addition, `ipn.Prefs.RouteAll` defaults to true so it disagrees with both of the flags above. This patch makes `--accept-routes` use the same logic for in both commands by hoisting the logic that was buried in `cmd/tailscale/cli` to `ipn.Prefs.DefaultRouteAll`. Then, all three of defaults can agree. Fixes: #15319 Signed-off-by: Simon Law <sfllaw@sfllaw.ca>	8 months ago
Simon Law	7fc9099cf8	cmd/tailscale: fix default for `tailscale set --accept-dns` ... The default values for `tailscale up` and `tailscale set` are supposed to agree on all common flags. But they don’t for `--accept-dns`: user@host:~$ tailscale up --help 2>&1 | grep -A1 accept-dns --accept-dns, --accept-dns=false accept DNS configuration from the admin panel (default true) user@host:~$ tailscale set --help 2>&1 | grep -A1 accept-dns --accept-dns, --accept-dns=false accept DNS configuration from the admin panel Luckily, `tailscale set` uses `ipn.MaskedPrefs`, so the default values don’t logically matter. But someone will get the wrong idea if they trust the `tailscale set --help` documentation. This patch makes `--accept-dns` default to true in both commands and also introduces `TestSetDefaultsMatchUpDefaults` to prevent any future drift. Fixes: #15319 Signed-off-by: Simon Law <sfllaw@sfllaw.ca>	8 months ago
Irbe Krumina	fea74a60d5	cmd/k8s-operator,k8s-operator: disable HA Ingress before stable release (#15433) ... Temporarily make sure that the HA Ingress reconciler does not run, as we do not want to release this to stable just yet. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
James Tucker	d0e7af3830	cmd/natc: add test and fix for ip exhaustion ... This is a very dumb fix as it has an unbounded worst case runtime. IP allocation needs to be done in a more sane way in a follow-up. Updates #15367 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Irbe Krumina	a622debe9b	cmd/{k8s-operator,containerboot}: check TLS cert before advertising VIPService (#15427) ... cmd/{k8s-operator,containerboot}: check TLS cert before advertising VIPService - Ensures that Ingress status does not advertise port 443 before TLS cert has been issued - Ensure that Ingress backends do not advertise a VIPService before TLS cert has been issued, unless the service also exposes port 80 Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
James Tucker	b3455fa99a	cmd/natc: add some initial unit test coverage ... These tests aren't perfect, nor is this complete coverage, but this is a set of coverage that is at least stable. Updates #15367 Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
Tom Proctor	005e20a45e	cmd/k8s-operator,internal/client/tailscale: use VIPService annotations for ownership tracking (#15356) ... Switch from using the Comment field to a ts-scoped annotation for tracking which operators are cooperating over ownership of a VIPService. Updates tailscale/corp#24795 Change-Id: I72d4a48685f85c0329aa068dc01a1a3c749017bf Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	9 months ago
Irbe Krumina	196ae1cd74	cmd/k8s-operator,k8s-operator: allow optionally using LE staging endpoint for Ingress (#15360) ... cmd/k8s-operator,k8s-operator: allow using LE staging endpoint for Ingress Allow to optionally use LetsEncrypt staging endpoint to issue certs for Ingress/HA Ingress, so that it is easier to experiment with initial Ingress setup without hiting rate limits. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Brad Fitzpatrick	984cd1cab0	cmd/tailscale: add CLI debug command to do raw LocalAPI requests ... This adds a portable way to do a raw LocalAPI request without worrying about the Unix-vs-macOS-vs-Windows ways of hitting the LocalAPI server. (It was already possible but tedious with 'tailscale debug local-creds') Updates tailscale/corp#24690 Change-Id: I0828ca55edaedf0565c8db192c10f24bebb95f1b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Tom Proctor	8d84720edb	cmd/k8s-operator: update ProxyGroup config Secrets instead of patch (#15353) ... There was a flaky failure case where renaming a TLS hostname for an ingress might leave the old hostname dangling in tailscaled config. This happened when the proxygroup reconciler loop had an outdated resource version of the config Secret in its cache after the ingress-pg-reconciler loop had very recently written it to delete the old hostname. As the proxygroup reconciler then did a patch, there was no conflict and it reinstated the old hostname. This commit updates the patch to an update operation so that if the resource version is out of date it will fail with an optimistic lock error. It also checks for equality to reduce the likelihood that we make the update API call in the first place, because most of the time the proxygroup reconciler is not even making an update to the Secret in the case that the hostname has changed. Updates tailscale/corp#24795 Change-Id: Ie23a97440063976c9a8475d24ab18253e1f89050 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	9 months ago
Irbe Krumina	f50d3b22db	cmd/k8s-operator: configure proxies for HA Ingress to run in cert share mode (#15308) ... cmd/k8s-operator: configure HA Ingress replicas to share certs Creates TLS certs Secret and RBAC that allows HA Ingress replicas to read/write to the Secret. Configures HA Ingress replicas to run in read-only mode. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Tom Proctor	b0095a5da4	cmd/k8s-operator: wait for VIPService before updating HA Ingress status (#15343) ... Update the HA Ingress controller to wait until it sees AdvertisedServices config propagated into at least 1 Pod's prefs before it updates the status on the Ingress, to ensure the ProxyGroup Pods are ready to serve traffic before indicating that the Ingress is ready Updates tailscale/corp#24795 Change-Id: I1b8ce23c9e312d08f9d02e48d70bdebd9e1a4757 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	9 months ago
David Anderson	daa5635ba6	tsweb: split promvarz into an optional dependency ... Allows the use of tsweb without pulling in all of the heavy prometheus client libraries, protobuf and so on. Updates #15160 Signed-off-by: David Anderson <dave@tailscale.com>	9 months ago
Irbe Krumina	34734ba635	ipn/store/kubestore,kube,envknob,cmd/tailscaled/depaware.txt: allow kubestore read/write custom TLS secrets (#15307) ... This PR adds some custom logic for reading and writing kube store values that are TLS certs and keys: 1) when store is initialized, lookup additional TLS Secrets for this node and if found, load TLS certs from there 2) if the node runs in certs 'read only' mode and TLS cert and key are not found in the in-memory store, look those up in a Secret 3) if the node runs in certs 'read only' mode, run a daily TLS certs reload to memory to get any renewed certs Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Tom Proctor	ef1e14250c	cmd/k8s-operator: ensure old VIPServices are cleaned up (#15344) ... When the Ingress is updated to a new hostname, the controller does not currently clean up the old VIPService from control. Fix this up to parse the ownership comment correctly and write a test to enforce the improved behaviour Updates tailscale/corp#24795 Change-Id: I792ae7684807d254bf2d3cc7aa54aa04a582d1f5 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	9 months ago
Anton Tolchanov	b413b70ae2	cmd/proxy-to-grafana: support setting Grafana role via grants ... This adds support for using ACL Grants to configure a role for the auto-provisioned user. Fixes tailscale/corp#14567 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	9 months ago
Irbe Krumina	299c5372bd	cmd/containerboot: manage HA Ingress TLS certs from containerboot (#15303) ... cmd/containerboot: manage HA Ingress TLS certs from containerboot When ran as HA Ingress node, containerboot now can determine whether it should manage TLS certs for the HA Ingress replicas and call the LocalAPI cert endpoint to ensure initial issuance and renewal of the shared TLS certs. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Paul Scott	eb680edbce	cmd/testwrapper: print failed tests preventing retry (#15270) ... Updates tailscale/corp#26637 Signed-off-by: Paul Scott <paul@tailscale.com>	9 months ago
Jonathan Nobels	52710945f5	control/controlclient, ipn: add client audit logging (#14950) ... updates tailscale/corp#26435 Adds client support for sending audit logs to control via /machine/audit-log. Specifically implements audit logging for user initiated disconnections. This will require further work to optimize the peristant storage and exclusion via build tags for mobile: tailscale/corp#27011 tailscale/corp#27012 Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>	9 months ago
Fran Bull	5ebc135397	tsnet,wgengine: fix src to primary Tailscale IP for TCP dials ... Ensure that the src address for a connection is one of the primary addresses assigned by Tailscale. Not, for example, a virtual IP address. Updates #14667 Signed-off-by: Fran Bull <fran@tailscale.com>	9 months ago
Patrick O'Doherty	8f0080c7a4	cmd/tsidp: allow CORS requests to openid-configuration (#15229) ... Add support for Cross-Origin XHR requests to the openid-configuration endpoint to enable clients like Grafana's auto-population of OIDC setup data from its contents. Updates https://github.com/tailscale/tailscale/issues/10263 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	9 months ago
James Tucker	69b27d2fcf	cmd/natc: error and log when IP range is exhausted ... natc itself can't immediately fix the problem, but it can more correctly error that return bad addresses. Updates tailscale/corp#26968 Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
Brad Fitzpatrick	7fac0175c0	cmd/derper, derp/derphttp: support, generate self-signed IP address certs ... For people who can't use LetsEncrypt because it's banned. Per https://github.com/tailscale/tailscale/issues/11776#issuecomment-2520955317 This does two things: 1) if you run derper with --certmode=manual and --hostname=$IP_ADDRESS we previously permitted, but now we also: * auto-generate the self-signed cert for you if it doesn't yet exist on disk * print out the derpmap configuration you need to use that self-signed cert 2) teaches derp/derphttp's derp dialer to verify the signature of self-signed TLS certs, if so declared in the existing DERPNode.CertName field, which previously existed for domain fronting, separating out the dial hostname from how certs are validates, so it's not overloaded much; that's what it was meant for. Fixes #11776 Change-Id: Ie72d12f209416bb7e8325fe0838cd2c66342c5cf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Irbe Krumina	74a2373e1d	cmd/k8s-operator: ensure HA Ingress can operate in multicluster mode. (#15157) ... cmd/k8s-operator: ensure HA Ingress can operate in multicluster mode. Update the owner reference mechanism so that: - if during HA Ingress resource creation, a VIPService with some other operator's owner reference is already found, just update the owner references to add one for this operator - if during HA Ingress deletion, the VIPService is found to have owner reference(s) from another operator, don't delete the VIPService, just remove this operator's owner reference - requeue after HA Ingress reconciles that resulted in VIPService updates, to guard against overwrites due to concurrent operations from different clusters. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Patrick O'Doherty	9d7f2719bb	cmd/tsidp: use constant time comparison for client_id/secret (#15222) ... Use secure constant time comparisons for the client ID and secret values during the allowRelyingParty authorization check. Updates #cleanup Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	9 months ago
Tom Proctor	ffb0b66d5b	cmd/k8s-operator: advertise VIPServices in ProxyGroup config (#14946) ... Now that packets flow for VIPServices, the last piece needed to start serving them from a ProxyGroup is config to tell the proxy Pods which services they should advertise. Updates tailscale/corp#24795 Change-Id: Ic7bbeac8e93c9503558107bc5f6123be02a84c77 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	9 months ago
Sam Linville	27e0575f76	cmd/tsidp: add README and Dockerfile (#15205)	9 months ago
Brad Fitzpatrick	cae5b97626	cmd/derper: add --home flag to control home page behavior ... Updates #12897 Change-Id: I7e9c8de0d2daf92cc32e9f6121bc0874c6672540 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
James Sanderson	fa374fa852	cmd/testwrapper: Display package-level output ... Updates tailscale/corp#26861 Signed-off-by: James Sanderson <jsanderson@tailscale.com>	9 months ago
Brian Palmer	e74a705c67	cmd/hello: display native ipv4 (#15191) ... We are soon going to start assigning shared-in nodes a CGNAT IPv4 in the Hello tailnet when necessary, the same way that normal node shares assign a new IPv4 on conflict. But Hello wants to display the node's native IPv4, the one it uses in its own tailnet. That IPv4 isn't available anywhere in the netmap today, because it's not normally needed for anything. We are going to start sending that native IPv4 in the peer node CapMap, only for Hello's netmap responses. This change enables Hello to display that native IPv4 instead, when available. Updates tailscale/corp#25393 Change-Id: I87480b6d318ab028b41ef149eb3ba618bd7f1e08 Signed-off-by: Brian Palmer <brianp@tailscale.com>	9 months ago
Irbe Krumina	6df0aa58bb	cmd/containerboot: fix nil pointer exception (#15090) ... Updates tailscale/tailscale#15081 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Brad Fitzpatrick	83c104652d	cmd/derper: add --socket flag to change unix socket path to tailscaled ... Fixes #10359 Change-Id: Ide49941c486d29856841016686827316878c9433 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Paul Scott	d1b0e1af06	cmd/testwrapper/flakytest: add Marked to check if in flakytest (#15119) ... Updates tailscale/corp#26637 Signed-off-by: Paul Scott <paul@tailscale.com>	9 months ago
Brad Fitzpatrick	836c01258d	go.toolchain.branch: update to Go 1.24 (#15016) ... * go.toolchain.branch: update to Go 1.24 Updates #15015 Change-Id: I29c934ec17e60c3ac3264f30fbbe68fc21422f4d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> * cmd/testwrapper: fix for go1.24 Updates #15015 Signed-off-by: Paul Scott <paul@tailscale.com> * go.mod,Dockerfile: bump to Go 1.24 Also bump golangci-lint to a version that was built with 1.24 Updates #15015 Signed-off-by: Andrew Lytvynov <awly@tailscale.com> --------- Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Paul Scott <paul@tailscale.com> Signed-off-by: Andrew Lytvynov <awly@tailscale.com> Co-authored-by: Paul Scott <paul@tailscale.com> Co-authored-by: Andrew Lytvynov <awly@tailscale.com>	10 months ago
Andrew Lytvynov	323747c3e0	various: disable MPTCP when setting TCP_USER_TIMEOUT sockopt (#15063) ... There's nothing about it on https://github.com/multipath-tcp/mptcp_net-next/issues/ but empirically MPTCP doesn't support this option on awly's kernel 6.13.2 and in GitHub actions. Updates #15015 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	10 months ago
Percy Wegmann	1f1a26776b	client/tailscale,cmd/k8s-operator,internal/client/tailscale: move VIP service client methods into internal control client ... Updates tailscale/corp#22748 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Percy Wegmann	9c731b848b	cmd/gitops-pusher: log error details when unable to fetch ACL ETag ... This will help debug unexpected issues encountered by consumers of the gitops-pusher. Updates tailscale/corp#26664 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Percy Wegmann	4f0222388a	cmd,tsnet,internal/client: create internal shim to deprecated control plane API ... Even after we remove the deprecated API, we will want to maintain a minimal API for internal use, in order to avoid importing the external tailscale.com/client/tailscale/v2 package. This shim exposes only the necessary parts of the deprecated API for internal use, which gains us the following: 1. It removes deprecation warnings for internal use of the API. 2. It gives us an inventory of which parts we will want to keep for internal use. Updates tailscale/corp#22748 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Brad Fitzpatrick	cbf3852b5d	cmd/testwrapper: temporarily remove test coverage support ... testwrapper doesn't work with Go 1.24 and the coverage support is making it harder to debug. Updates #15015 Updates tailscale/corp#26659 Change-Id: I0125e881d08c92f1ecef88b57344f6bbb571b569 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Nick Khyl	6df5c8f32e	various: keep tailscale connected when Always On mode is enabled on Windows ... In this PR, we enable the registration of LocalBackend extensions to exclude code specific to certain platforms or environments. We then introduce desktopSessionsExt, which is included only in Windows builds and only if the ts_omit_desktop_sessions tag is disabled for the build. This extension tracks desktop sessions and switches to (or remains on) the appropriate profile when a user signs in or out, locks their screen, or disconnects a remote session. As desktopSessionsExt requires an ipn/desktop.SessionManager, we register it with tsd.System for the tailscaled subprocess on Windows. We also fix a bug in the sessionWatcher implementation where it attempts to close a nil channel on stop. Updates #14823 Updates tailscale/corp#26247 Signed-off-by: Nick Khyl <nickk@tailscale.com>	10 months ago
Irbe Krumina	e11ff28443	cmd/k8s-operator: allow to optionally configure an HTTP endpoint for the HA Ingress (#14986) ... Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
kari-ts	4c3c04a413	ipn, tailscale/cli: add TaildropTargetStatus and remove race with FileTargets (#15017) ... Introduce new TaildropTargetStatus in PeerStatus Refactor getTargetStableID to solely rely on Status() instead of calling FileTargets(). This removes a possible race condition between the two calls and provides more detailed failure information if a peer can't receive files. Updates tailscale/tailscale#14393 Signed-off-by: kari-ts <kari@tailscale.com>	10 months ago
James Tucker	f2f7fd12eb	go.mod: bump bart ... Bart has had some substantial improvements in internal representation, update functions, and other optimizations to reduce memory usage and improve runtime performance. Updates tailscale/corp#26353 Signed-off-by: James Tucker <james@tailscale.com>	10 months ago
Anton	f35c49d211	net/dns: update to illarion/gonotify/v3 to fix a panic ... Fixes #14699 Signed-off-by: Anton <anton@tailscale.com>	10 months ago
Brad Fitzpatrick	27f8e2e31d	go.mod: bump x/* deps ... Notably, this pulls in https://go.googlesource.com/net/+/2dab271ff1b7396498746703d88fefcddcc5cec7 for golang/go#71557. Updates #8043 Change-Id: I3637dbf27b90423dd4d54d147f12688b51f3ce36 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
James Tucker	e1523fe686	cmd/natc: remove speculative tuning from natc ... These tunings reduced memory usage while the implementation was struggling with earlier bugs, but will no longer be necessary after those bugs are addressed. Depends #14933 Depends #14934 Updates #9707 Updates #10408 Updates tailscale/corp#24483 Updates tailscale/corp#25169 Signed-off-by: James Tucker <james@tailscale.com>	10 months ago
James Tucker	e113b106a6	go.mod,wgengine/netstack: use cubic congestion control, bump gvisor ... Cubic performs better than Reno in higher BDP scenarios, and enables the use of the hystart++ implementation contributed by Coder. This improves throughput on higher BDP links with a much faster ramp. gVisor is bumped as well for some fixes related to send queue processing and RTT tracking. Updates #9707 Updates #10408 Updates #12393 Updates tailscale/corp#24483 Updates tailscale/corp#25169 Signed-off-by: James Tucker <james@tailscale.com>	10 months ago