Adds a new k8s-proxy command to convert the operator's in-process proxy to
a separately deployable type of ProxyGroup: kube-apiserver. k8s-proxy
reads in a new config file written by the operator, modelled on tailscaled's
conffile but with some modifications to ensure multiple versions of the
config can co-exist within a file. This should make it much easier to
support reading that config file from a Kube Secret with a stable file name.
The operator's RBAC has had some updates to ensure it can delegate the
impersonation permissions that k8s-proxy requires to run its API Server
proxy in auth mode where it can impersonate users and groups.
Proxies deployed by kube-apiserver ProxyGroups currently work the same as
the operator's in-process proxy. They do not yet leverage Tailscale Services
for presenting a single HA DNS name.
Updates #13358
Change-Id: Ib6ead69b2173c5e1929f3c13fb48a9a5362195d8
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
For any changes that involve DERP, automatically add the
@tailscale/dataplane team as a reviewer.
Updates #cleanup
Signed-off-by: Simon Law <sfllaw@tailscale.com>
Premature cancellation was preventing the work from ever being cleaned
up in runLoop().
Updates tailscale/corp#27502
Signed-off-by: Jordan Whited <jordan@tailscale.com>
SSH was disabled in #10538
Exit node was disabled in #13726
This enables ssh and exit-node options in the case of Home Assistant.
Fixes #15552
Signed-off-by: Laszlo Magyar <lmagyar1973@gmail.com>
This commit adds a NOTES.txt to the operator helm chart that will be written to the
terminal upon successful installation of the operator.
It includes a small list of knowledgebase articles with possible next steps for
the actor that installed the operator to the cluster. It also provides possible
commands to use for explaining the custom resources.
Fixes #13427
Signed-off-by: David Bond <davidsbond93@gmail.com>
Instead of every module having to come up with a set of test methods for
the event bus, this handful of test helpers hides a lot of the needed
setup for the testing of the event bus.
The tests in portmapper are also ported over to the new helpers.
Updates #15160
Signed-off-by: Claus Lensbøl <claus@tailscale.com>
20.04 is no longer supported.
This pulls in changes to the QDK package that were required to make the build succeed on 24.04.
Updates https://github.com/tailscale/corp/issues/29849
Signed-off-by: Percy Wegmann <percy@tailscale.com>
After the switch to 24.04, unsigned packages did not build correctly (came out as only a few KBs).
Fixes tailscale/tailscale-qpkg#148
Signed-off-by: Percy Wegmann <percy@tailscale.com>
If we acted as the allocator we are responsible for signaling it to the
remote peer in a CallMeMaybeVia message over DERP.
Updates tailscale/corp#27502
Signed-off-by: Jordan Whited <jordan@tailscale.com>
udprelay.Server is lazily initialized when the first request is received
over peerAPI. These early requests have a high chance of failure until
the first address discovery cycle has completed.
Return an ErrServerNotReady error until the first address discovery
cycle has completed, and plumb retry handling for this error all the
way back to the client in relayManager.
relayManager can now retry after a few seconds instead of waiting for
the next path discovery cycle, which could take another minute or
longer.
Updates tailscale/corp#27502
Signed-off-by: Jordan Whited <jordan@tailscale.com>
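The readiness/retry pattern described in the commit message above, as an added example that is not Tailscale's code: a lazily initialised relay returns a sentinel not-ready error until its first discovery cycle completes, and the client retries only on that error (after a short delay) instead of waiting for the next full path discovery cycle. The relayServer type, the endpoint address and the injectable sleep hook are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrServerNotReady signals that the relay exists but has not finished its
// first address discovery cycle, so the request should be retried, not failed.
var ErrServerNotReady = errors.New("relay server not ready: address discovery has not completed")

// relayServer is a hypothetical stand-in for a lazily initialised UDP relay.
type relayServer struct {
	mu    sync.Mutex
	addrs []string // externally reachable relay endpoints, empty until discovery completes
}

// completeDiscovery records the endpoints learned by the first discovery cycle.
func (s *relayServer) completeDiscovery(addrs []string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.addrs = append([]string(nil), addrs...)
}

// AllocateEndpoint answers a peer's allocation request. Until discovery has
// run it returns ErrServerNotReady rather than handing out endpoints that
// cannot be reached yet.
func (s *relayServer) AllocateEndpoint() ([]string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if len(s.addrs) == 0 {
		return nil, ErrServerNotReady
	}
	return append([]string(nil), s.addrs...), nil
}

// allocateWithRetry is the client side: it retries only on ErrServerNotReady,
// waiting retryAfter between attempts, and gives up after maxAttempts.
// sleep is injectable so the behaviour can be exercised without real waiting.
func allocateWithRetry(s *relayServer, maxAttempts int, retryAfter time.Duration, sleep func(time.Duration)) (addrs []string, attempts int, err error) {
	for attempts = 1; attempts <= maxAttempts; attempts++ {
		addrs, err = s.AllocateEndpoint()
		if err == nil {
			return addrs, attempts, nil
		}
		if !errors.Is(err, ErrServerNotReady) {
			return nil, attempts, err // any other error is not retried
		}
		if attempts < maxAttempts {
			sleep(retryAfter)
		}
	}
	return nil, maxAttempts, ErrServerNotReady
}

func main() {
	srv := &relayServer{}
	// Simulate discovery finishing while the client is between its second and
	// third attempt; the address is a constructed sample, not a real relay.
	sleeps := 0
	sleep := func(time.Duration) {
		sleeps++
		if sleeps == 2 {
			srv.completeDiscovery([]string{"203.0.113.10:3478"})
		}
	}
	addrs, n, err := allocateWithRetry(srv, 5, 2*time.Second, sleep)
	fmt.Printf("addrs=%v attempts=%d err=%v\n", addrs, n, err)
}
```

The important property is that the sentinel error is distinguishable from real failures: a client that retried on every error would also hammer a server that is genuinely broken, while one that treated not-ready as fatal would stall until the next discovery cycle.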
Any return underneath this select case must belong to a type switch case.
Updates tailscale/corp#27502
Signed-off-by: Jordan Whited <jordan@tailscale.com>
This tweaks the just-added ./tool/go.{cmd,ps1} port of ./tool/go for
Windows.
Otherwise in Windows Terminal in Powershell, running just ".\tool\go"
picks up go.ps1 before go.cmd, which means execution gets denied
without the cmd script's -ExecutionPolicy Bypass part letting it work.
This makes it work in both cmd.exe and in Powershell.
Updates tailscale/corp#28679
Change-Id: Iaf628a9fd6cb95670633b2dbdb635dfb8afaa006
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
go.cmd lets you run just "./tool/go" on Windows the same as Linux/Darwin.
The batch script (go.cmd) then just invokes PowerShell which is more
powerful than batch.
I wanted this while debugging Windows CI performance by reproducing slow
tests on my local Windows laptop.
Updates tailscale/corp#28679
Change-Id: I6e520968da3cef3032091c1c4f4237f663cefcab
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
It's one of the slower ones, so split it up into chunks.
Updates tailscale/corp#28679
Change-Id: I16a5ba667678bf238c84417a51dda61baefbecf7
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Proxies know how to reload configfile on changes since 1.80, which
is going to be the earliest supported proxy version with 1.84 operator,
so remove the mechanism that was updating configfile hash to force
proxy Pod restarts on config changes.
Updates #13032
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
I earlier thought this saved a second of CPU even on a fast machine,
but I think when I was previously measuring, I still had a 4096 bit
RSA key being generated in the code I was measuring.
Measuring again for this, it's plenty fast.
Prep for using this package more, for derp, etc.
Updates #16315
Change-Id: I4c9008efa9aa88a3d65409d6ffd7b3807f4d75e9
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This reverts commit 6a93b17c8cafc1d8e1c52e133511e52ed9086355.
The reverted commit added more complexity than it was worth at the
current stage. Handling delta CapVer changes requires extensive changes
to relayManager datastructures in order to also support delta updates of
relay servers.
Updates tailscale/corp#27502
Signed-off-by: Jordan Whited <jordan@tailscale.com>
If you had HTTPS_PROXY=https://some-valid-cert.example.com running a
CONNECT proxy, we should've been able to do a TLS CONNECT request to
e.g. controlplane.tailscale.com:443 through that, and I'm pretty sure
it used to work, but refactorings and lack of integration tests made
it regress.
It probably regressed when we added the baked-in LetsEncrypt root cert
validation fallback code, which was testing against the wrong hostname
(the ultimate one, not the one which we were being asked to validate)
Fixes #16222
Change-Id: If014e395f830e2f87f056f588edacad5c15e91bc
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
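An added example, not Tailscale's code, of the check the commit message above is about: when HTTPS_PROXY points at a TLS-speaking CONNECT proxy, the outer TLS connection must be validated against the proxy's host name, while the final target's name belongs only to the TLS session tunnelled inside the CONNECT. The self-signed certificate, the proxy name proxy.example.com and the helper names are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// selfSignedCert makes a throwaway self-signed certificate valid only for
// dnsName; it plays the role of the proxy's server certificate.
func selfSignedCert(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it is its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustOnly returns a root pool containing just the given certificate.
func trustOnly(cert *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return pool
}

// verifyForHost validates cert against roots for the given host name. This is
// the step that must use the name of the peer we are actually talking to.
func verifyForHost(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// isHostnameMismatch reports whether err is a SAN/host name mismatch rather
// than some other chain-building failure.
func isHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

// outerTLSHost returns the host name the outer TLS handshake must validate.
// With an https:// proxy that is the proxy itself; the target name is only
// validated by the inner handshake after the CONNECT succeeds.
func outerTLSHost(proxyURL, target string) (string, error) {
	if proxyURL == "" {
		return target, nil
	}
	u, err := url.Parse(proxyURL)
	if err != nil {
		return "", err
	}
	if u.Scheme == "https" {
		return u.Hostname(), nil
	}
	return target, nil
}

func main() {
	cert, err := selfSignedCert("proxy.example.com")
	if err != nil {
		panic(err)
	}
	roots := trustOnly(cert)
	host, _ := outerTLSHost("https://proxy.example.com:3128", "controlplane.tailscale.com")
	fmt.Println("validating proxy cert as", host, "->", verifyForHost(cert, roots, host))
	// The regression: validating the proxy's certificate against the ultimate
	// target name fails even though the proxy's certificate is perfectly good.
	fmt.Println("validating as target ->", verifyForHost(cert, roots, "controlplane.tailscale.com"))
}
```

The practical lesson for a fallback verifier of this kind is that the expected name has to be threaded through from the dial site rather than recomputed from the final destination, and that an integration test with an https:// proxy is the only thing that catches the difference.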
Resolver.PreferGo didn't use to work on Windows.
It was fixed in 2022, though. (https://github.com/golang/go/issues/33097)
Updates #5161
Change-Id: I4e1aeff220ebd6adc8a14f781664fa6a2068b48c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This patch contains the following cleanups:
1. Simplify `ffcli.Command` definitions;
2. Word-wrap help text, consistent with other commands;
3. `tailscale dns --help` usage makes subcommand usage more obvious;
4. `tailscale dns query --help` describes DNS record types.
Updates #cleanup
Signed-off-by: Simon Law <sfllaw@tailscale.com>
We aim to make the tsgo directories be read-only mounts on builders.
But gocross was previously writing within the ~/.cache/tsgo/$HASH/
directories to make the synthetic GOROOT directories.
This moves them to ~/.cache/tsgoroot/$HASH/ instead.
Updates tailscale/corp#28679
Updates tailscale/corp#26717
Change-Id: I0d17730bbdce3d6374e79d49486826575d4690af
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
The caller of client.RunWatchConnectionLoop may need to be
aware of errors that occur within the loop. Add a channel
that notifies the caller of errors to allow for
decisions to be made as to the state of the client.
Updates tailscale/corp#25756
Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>
Make the OS-specific staticcheck jobs only test stuff that's specialized
for that OS. Do that using a new ./tool/listpkgs program that's a fancy
'go list' with more filtering flags.
Updates tailscale/corp#28679
Change-Id: I790be2e3a0b42b105bd39f68c4b20e217a26de60
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Tests that go mod version matches ./tool/go version.
Mismatched versions result in inconsistent Go versions being used, e.g.
in CI jobs, as the version in go.mod is used to determine what Go version
GitHub Actions pull in.
Updates #16283
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
gocross is not needed like it used to be, now that Go does
version stamping itself.
We keep it for the xcode and Windows builds for now.
This simplifies things in the build, especially with upcoming build
system updates.
Updates tailscale/corp#28679
Updates tailscale/corp#26717
Change-Id: Ib4bebe6f50f3b9c3d6cd27323fca603e3dfb43cc
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
If natc is running on a host with tailscale using `--accept-dns=true`
then a DNS loop can occur. Provide a flag for some specific DNS
upstreams for natc to use instead, to overcome such situations.
Updates #14667
Signed-off-by: James Tucker <james@tailscale.com>
eventbus.Publish() calls newPublisher(), which in turn invokes (*Client).addPublisher().
That method adds the new publisher to c.pub, so we don’t need to add it again in eventbus.Publish.
Updates #cleanup
Signed-off-by: Nick Khyl <nickk@tailscale.com>