feature/featuretags, all: add ts_omit_acme to disable TLS cert support

I'd started to do this in the earlier ts_omit_server PR but decided to split it into this separate PR. Updates #17128 Change-Id: Ief8823a78d1f7bbb79e64a5cab30a7d0a5d6ff4b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-10-28 05:00:08 +00:00 · 2025-09-16 10:07:50 -07:00
parent 99b3f69126
commit e180fc267b
19 changed files with 342 additions and 236 deletions
--- a/cmd/tailscale/cli/cert.go
+++ b/cmd/tailscale/cli/cert.go
@@ -1,6 +1,8 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

+//go:build !js && !ts_omit_acme
+
 package cli

 import (
@@ -25,19 +27,23 @@ import (
 	"tailscale.com/version"
 )

-var certCmd = &ffcli.Command{
-	Name:       "cert",
-	Exec:       runCert,
-	ShortHelp:  "Get TLS certs",
-	ShortUsage: "tailscale cert [flags] <domain>",
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("cert")
-		fs.StringVar(&certArgs.certFile, "cert-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.crt if --cert-file and --key-file are both unset")
-		fs.StringVar(&certArgs.keyFile, "key-file", "", "output key file or \"-\" for stdout; defaults to DOMAIN.key if --cert-file and --key-file are both unset")
-		fs.BoolVar(&certArgs.serve, "serve-demo", false, "if true, serve on port :443 using the cert as a demo, instead of writing out the files to disk")
-		fs.DurationVar(&certArgs.minValidity, "min-validity", 0, "ensure the certificate is valid for at least this duration; the output certificate is never expired if this flag is unset or 0, but the lifetime may vary; the maximum allowed min-validity depends on the CA")
-		return fs
-	})(),
+func init() {
+	maybeCertCmd = func() *ffcli.Command {
+		return &ffcli.Command{
+			Name:       "cert",
+			Exec:       runCert,
+			ShortHelp:  "Get TLS certs",
+			ShortUsage: "tailscale cert [flags] <domain>",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("cert")
+				fs.StringVar(&certArgs.certFile, "cert-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.crt if --cert-file and --key-file are both unset")
+				fs.StringVar(&certArgs.keyFile, "key-file", "", "output key file or \"-\" for stdout; defaults to DOMAIN.key if --cert-file and --key-file are both unset")
+				fs.BoolVar(&certArgs.serve, "serve-demo", false, "if true, serve on port :443 using the cert as a demo, instead of writing out the files to disk")
+				fs.DurationVar(&certArgs.minValidity, "min-validity", 0, "ensure the certificate is valid for at least this duration; the output certificate is never expired if this flag is unset or 0, but the lifetime may vary; the maximum allowed min-validity depends on the CA")
+				return fs
+			})(),
+		}
+	}
 }

 var certArgs struct {
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -215,6 +215,7 @@ var (
 	maybeNetlockCmd,
 	maybeFunnelCmd,
 	maybeServeCmd,
+	maybeCertCmd,
 	_ func() *ffcli.Command
 )

@@ -262,7 +263,7 @@ change in the future.
 			nilOrCall(maybeWebCmd),
 			nilOrCall(fileCmd),
 			bugReportCmd,
-			certCmd,
+			nilOrCall(maybeCertCmd),
 			nilOrCall(maybeNetlockCmd),
 			licensesCmd,
 			exitNodeCmd(),
--- a/cmd/tailscale/cli/configure-synology-cert.go
+++ b/cmd/tailscale/cli/configure-synology-cert.go
@@ -1,6 +1,8 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

+//go:build linux && !ts_omit_acme
+
 package cli

 import (
@@ -22,6 +24,10 @@ import (
 	"tailscale.com/version/distro"
 )

+func init() {
+	maybeConfigSynologyCertCmd = synologyConfigureCertCmd
+}
+
 func synologyConfigureCertCmd() *ffcli.Command {
 	if runtime.GOOS != "linux" || distro.Get() != distro.Synology {
 		return nil
--- a/cmd/tailscale/cli/configure-synology-cert_test.go
+++ b/cmd/tailscale/cli/configure-synology-cert_test.go
@@ -1,6 +1,8 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

+//go:build linux && !ts_omit_acme
+
 package cli

 import (
--- a/cmd/tailscale/cli/configure.go
+++ b/cmd/tailscale/cli/configure.go
@@ -10,7 +10,11 @@ import (
 	"github.com/peterbourgon/ff/v3/ffcli"
 )

-var maybeJetKVMConfigureCmd func() *ffcli.Command // non-nil only on Linux/arm for JetKVM
+var (
+	maybeJetKVMConfigureCmd,
+	maybeConfigSynologyCertCmd,
+	_ func() *ffcli.Command // non-nil only on Linux/arm for JetKVM
+)

 func configureCmd() *ffcli.Command {
 	return &ffcli.Command{
@@ -28,7 +32,7 @@ services on the host to use Tailscale in more ways.
 		Subcommands: nonNilCmds(
 			configureKubeconfigCmd(),
 			synologyConfigureCmd(),
-			synologyConfigureCertCmd(),
+			ccall(maybeConfigSynologyCertCmd),
 			ccall(maybeSysExtCmd),
 			ccall(maybeVPNConfigCmd),
 			ccall(maybeJetKVMConfigureCmd),
--- a/cmd/tailscaled/deps_test.go
+++ b/cmd/tailscaled/deps_test.go
@@ -108,3 +108,16 @@ func TestOmitPortmapper(t *testing.T) {
 		},
 	}.Check(t)
 }
+
+func TestOmitACME(t *testing.T) {
+	deptest.DepChecker{
+		GOOS:   "linux",
+		GOARCH: "amd64",
+		Tags:   "ts_omit_acme,ts_include_cli",
+		OnDep: func(dep string) {
+			if strings.Contains(dep, "/acme") {
+				t.Errorf("unexpected dep with ts_omit_acme: %q", dep)
+			}
+		},
+	}.Check(t)
+}