forked from tailscale/tailscale
feat(ci): Bump to upstream v1.84.1 #24
Merged
Signed-off-by: kari-ts <[email protected]>
Updates tailscale#15404 Change-Id: Ic754cc54113b1660b7071b40babb9d3c0e25b2e1 Signed-off-by: Brad Fitzpatrick <[email protected]>
The default values for `tailscale up` and `tailscale set` are supposed
to agree on all common flags. But they don’t for `--accept-dns`:
    user@host:~$ tailscale up --help 2>&1 | grep -A1 accept-dns
      --accept-dns, --accept-dns=false
            accept DNS configuration from the admin panel (default true)
    user@host:~$ tailscale set --help 2>&1 | grep -A1 accept-dns
      --accept-dns, --accept-dns=false
            accept DNS configuration from the admin panel
Luckily, `tailscale set` uses `ipn.MaskedPrefs`, so the default values
don’t logically matter. But someone will get the wrong idea if they
trust the `tailscale set --help` documentation.
This patch makes `--accept-dns` default to true in both commands and
also introduces `TestSetDefaultsMatchUpDefaults` to prevent any future
drift.
Fixes: tailscale#15319
Signed-off-by: Simon Law <[email protected]>
The default values for `tailscale up` and `tailscale set` are supposed
to agree for all common flags. But they don’t for `--accept-routes`
on Windows and from the Mac OS App Store, because `tailscale up`
computes this value based on the operating system:
    user@host:~$ tailscale up --help 2>&1 | grep -A1 accept-routes
      --accept-dns, --accept-dns=false
            accept DNS configuration from the admin panel (default true)
    user@host:~$ tailscale set --help 2>&1 | grep -A1 accept-routes
      --accept-dns, --accept-dns=false
            accept DNS configuration from the admin panel
Luckily, `tailscale set` uses `ipn.MaskedPrefs`, so the default values
don’t logically matter. But someone will get the wrong idea if they
trust the `tailscale set --help` documentation.
In addition, `ipn.Prefs.RouteAll` defaults to true so it disagrees
with both of the flags above.
This patch makes `--accept-routes` use the same logic in both
commands by hoisting the logic that was buried in `cmd/tailscale/cli`
to `ipn.Prefs.DefaultRouteAll`. Then, all three defaults can agree.
Fixes: tailscale#15319
Signed-off-by: Simon Law <[email protected]>
Signed-off-by: Raúl Blanco <[email protected]>
LocalBackend transitions to ipn.NoState when switching to a different (or new) profile. When this happens, we should unconfigure wgengine to clear routes, DNS configuration, firewall rules that block all traffic except to the exit node, etc. In this PR, we update (*LocalBackend).enterStateLockedOnEntry to do just that. Fixes tailscale#15316 Updates tailscale/corp#23967 Signed-off-by: Nick Khyl <[email protected]>
…icitly imported In this PR, we update ipnlocal.LocalBackend to allow registering callbacks for control client creation and profile changes. We also allow to register ipnauth.AuditLogFunc to be called when an auditable action is attempted. We then use all this to invert the dependency between the auditlog and ipnlocal packages and make the auditlog functionality optional, where it only registers its callbacks via ipnlocal-provided hooks when the auditlog package is imported. We then underscore-import it when building tailscaled for Windows, and we'll explicitly import it when building xcode/ipn-go-bridge for macOS. Since there's no default log-store location for macOS, we'll also need to call auditlog.SetStoreFilePath to specify where pending audit logs should be persisted. Fixes tailscale#15394 Updates tailscale/corp#26435 Updates tailscale/corp#27012 Signed-off-by: Nick Khyl <[email protected]>
… env Not all platforms have hardlinks, or not easily. This lets a "tailscale" wrapper script set an environment variable before calling tailscaled. Updates tailscale#2233 Change-Id: I9eccc18651e56c106f336fcbbd0fd97a661d312e Signed-off-by: Brad Fitzpatrick <[email protected]>
) Re-enable HA Ingress again that was disabled for 1.82 release. This reverts commit fea74a6. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <[email protected]>
For hooking up websocket VM clients to natlab. Updates tailscale#13038 Change-Id: Iaf728b9146042f3d0c2d3a5e25f178646dd10951 Signed-off-by: Brad Fitzpatrick <[email protected]>
If we previously knew of MAC addresses of a node, and they suddenly go to zero, ignore them and return the previous hardware addresses. Updates tailscale/corp#25168 Signed-off-by: Kristoffer Dalby <[email protected]>
initPeerAPIListener may be returning early unexpectedly. Add debug logging to see what causes it to return early when it does. Updates tailscale#14393 Signed-off-by: Percy Wegmann <[email protected]>
It only affected js/wasm and tamago. Updates tailscale/corp#24697 Change-Id: I8fd29323ed9b663fe3fd8d4a86f26ff584a3e134 Signed-off-by: Brad Fitzpatrick <[email protected]>
Otherwise you can get stuck finding minor ones nonstop. Fixes tailscale#15484 Change-Id: I7f98ac338c0b32ec1b9fdc47d053207b5fc1bf23 Signed-off-by: Brad Fitzpatrick <[email protected]>
Add the golang-image-ico package, which is an incredibly small package to handle the ICO container format with PNG inside. Some profile photos look quite pixelated when displayed at this size, but it's better than nothing, and any Windows support is just a bonus anyway. Updates tailscale#1708 Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <[email protected]>
This commit implements an experimental UDP relay server. The UDP relay server leverages the Disco protocol for a 3-way handshake between client and server, along with 3 new Disco message types for said handshake. These new Disco message types are also considered experimental, and are not yet tied to a capver. The server expects, and imposes, a Geneve (Generic Network Virtualization Encapsulation) header immediately following the underlay UDP header. Geneve protocol field values have been defined for Disco and WireGuard. The Geneve control bit must be set for the handshake between client and server, and unset for messages relayed between clients through the server. Updates tailscale/corp#27101 Signed-off-by: Jordan Whited <[email protected]>
…ailscale#15493) fixes tailscale/corp#27506 The source address link selection on sandboxed macOS doesn't deal with loopback addresses correctly. This adds an explicit check to ensure we return the loopback interface for loopback addresses instead of the default empty interface. Specifically, this allows the dns resolver to route queries to a loopback IP which is a common tactic for local DNS proxies. Tested on both macos, macsys and tailscaled. Forwarded requests to 127/8 all bound to lo0. Signed-off-by: Jonathan Nobels <[email protected]>
Avoid the unbounded runtime during random allocation, if random allocation fails after a first pass at random through the provided ranges, pick the next free address by walking through the allocated set. The new ipx utilities provide a bitset based allocation pool, good for small to moderate ranges of IPv4 addresses as used in natc. Updates tailscale#15367 Signed-off-by: James Tucker <[email protected]>
…#15477) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.11 to 3.28.13.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@6bb031a...1b549b9)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Updates tailscale#5794 Change-Id: I696d49a3b0825ca90d3cb148b1c0dad9f7855808 Signed-off-by: Brad Fitzpatrick <[email protected]>
Not currently used in the OSS tree, a View for tailcfg.VIPService will make implementing some server side changes easier. Updates tailscale/corp#26272 Change-Id: If1ed0bea4eff8c4425d3845b433a1c562d99eb9e Signed-off-by: Adrian Dewhurst <[email protected]>
Updates tailscale#5794 Change-Id: I8c466cae25ae79be1097450a63e8c25c7b519331 Signed-off-by: Brad Fitzpatrick <[email protected]>
Updates tailscale#5794 Change-Id: I12e8417ebd553f9951690c388fbe42228f8c9097 Signed-off-by: Brad Fitzpatrick <[email protected]>
Updates tailscale#5794 Change-Id: Ib78a3ea971a2374d405b024ab88658ec34be59a6 Signed-off-by: Brad Fitzpatrick <[email protected]>
This wasn't right; it was spinning up new goroutines non-stop. Revert to a boring localhost TCP implementation for now. Updates tailscale#5794 Change-Id: If93caa20a12ee4e741c0c72b0d91cc0cc5870152 Signed-off-by: Brad Fitzpatrick <[email protected]>
Updates tailscale#5794 Change-Id: I0f96383dea2ad017988d300df723ce906debb007 Signed-off-by: Brad Fitzpatrick <[email protected]>
Otherwise this was repeatedly closing control/derp connections all the time on netmon changes. Arguably we should do this on all platforms? Updates tailscale#5794 Change-Id: If6bbeff554235f188bab2a40ab75e08dd14746b2 Signed-off-by: Brad Fitzpatrick <[email protected]>
Updates tailscale#5794 Change-Id: Ia7e71c32e6c0cd79eb32b6c2c2d4e9a6d8c3e4d6 Signed-off-by: Brad Fitzpatrick <[email protected]>
Updates tailscale#5794 Change-Id: Id7bdc08263e98a1848ffce0dd25fc034747d7393 Signed-off-by: Brad Fitzpatrick <[email protected]>
To ease local debugging and have fewer moving pieces while bringing up Plan 9 support. Updates tailscale#5794 Change-Id: I2dc98e73bbb0d4d4730dc47203efc0550a0ac0a0 Signed-off-by: Brad Fitzpatrick <[email protected]>
…profile Currently, LocalBackend/ExtensionHost doesn't invoke the profile change callback for the initial profile. Since the initial profile may vary depending on loaded extensions and applied policy settings, it can't be reliably determined until all extensions are initialized. Additionally, some extensions may asynchronously trigger a switch to the "best" profile (based on system state and policy settings) during initialization. We intended to address these issues as part of the ongoing profileManager/LocalBackend refactoring, but the changes didn't land in time for the v1.84 release and the Taildrop refactoring. In this PR, we update the Taildrop extension to retrieve the current profile at initialization time and handle it as a profile change. We also defer extension initialization until LocalBackend has started, since the Taildrop extension already relies on this behavior (e.g., it requires clients to call SetDirectFileRoot before Init). Fixes tailscale#15970 Updates tailscale#15812 Updates tailscale/corp#28449 Signed-off-by: Nick Khyl <[email protected]>
…lscale#15985) Update proxy-to-grafana to strip any X-Webauth prefixed headers passed by the client in *every* request, not just those to /login. /api/ routes will also accept these headers to authenticate users, necessitating their removal to prevent forgery. Updates tailscale/corp#28687 Signed-off-by: Patrick O'Doherty <[email protected]>
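The header-stripping rule described in the commit above, as an added Go example that is not proxy-to-grafana's own code: every path drops client-supplied `X-Webauth`-prefixed headers before the proxy sets its own. The `whoIs` callback, the `X-Webauth-User` header name and the sample request are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// stripWebauth removes every request header whose name starts with
// "X-Webauth" (case-insensitively) and returns the names it removed.
// It walks the raw map keys so non-canonical spellings are caught too.
func stripWebauth(h http.Header) []string {
	var removed []string
	for name := range h {
		if strings.HasPrefix(strings.ToLower(name), "x-webauth") {
			removed = append(removed, name)
			delete(h, name)
		}
	}
	sort.Strings(removed)
	return removed
}

// withIdentity strips client-supplied headers on every path, then sets the
// proxy's own value. whoIs and the X-Webauth-User name are assumptions.
func withIdentity(whoIs func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		stripWebauth(r.Header)
		r.Header.Set("X-Webauth-User", whoIs(r))
		next.ServeHTTP(w, r)
	})
}

// upstreamSees pushes a constructed request with forged headers through the
// wrapper and returns the headers the upstream handler receives.
func upstreamSees(path string) http.Header {
	var got http.Header
	upstream := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		got = r.Header.Clone()
	})
	h := withIdentity(func(*http.Request) string { return "alice@example.com" }, upstream)
	req := httptest.NewRequest("GET", path, nil)
	req.Header.Set("X-Webauth-User", "admin")        // forged by the client
	req.Header["x-webauth-role"] = []string{"Admin"} // forged, non-canonical key
	h.ServeHTTP(httptest.NewRecorder(), req)
	return got
}

func main() {
	for _, p := range []string{"/login", "/api/users"} {
		fmt.Println(p, upstreamSees(p))
	}
}
```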
Content-type was responding as text/plain for probes accepting application/json. Set content type header before setting the response code to correct this. Updates tailscale/corp#27370 Signed-off-by: Mike O'Driscoll <[email protected]>
CallMeMaybeVia reception and endpoint allocation have been collapsed to a single event channel. discoInfo caching for active relay handshakes is now implemented. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <[email protected]>
Also, add the short version of the node key in parens to match existing patterns. Updates #cleanup Signed-off-by: Jordan Whited <[email protected]>
…fic to cluster Services (tailscale#15897) cmd/containerboot,kube/ingressservices: proxy VIPService TCP/UDP traffic to cluster Services This PR is part of the work to implement HA for Kubernetes Operator's network layer proxy. Adds logic to containerboot to monitor mounted ingress firewall configuration rules and update iptables/nftables rules as the config changes. Also adds new shared types for the ingress configuration. The implementation is intentionally similar to that for HA for egress proxy. Updates tailscale#15895 Signed-off-by: chaosinthecrd <[email protected]> Signed-off-by: Irbe Krumina <[email protected]>
…5913) Adds Recorder fields to configure the name and annotations of the ServiceAccount created for and used by its associated StatefulSet. This allows the created Pod to authenticate with AWS without requiring a Secret with static credentials, using AWS' IAM Roles for Service Accounts feature, documented here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html Fixes tailscale#15875 Change-Id: Ib0e15c0dbc357efa4be260e9ae5077bacdcb264f Signed-off-by: Tom Proctor <[email protected]>
…rvices (tailscale#15961) This reconciler allows users to make applications highly available at L3 by leveraging Tailscale Virtual Services. Many Kubernetes Services (irrespective of the cluster they reside in) can be mapped to a Tailscale Virtual Service, allowing access to these Services at L3. Updates tailscale#15895 Signed-off-by: chaosinthecrd <[email protected]>
…re flag is not enabled (tailscale#16013) Updates tailscale#15895 Signed-off-by: chaosinthecrd <[email protected]>
…vice Reconciler (tailscale#16014) Also changes wording tests for L7 HA Reconciler Updates tailscale#15895 Signed-off-by: chaosinthecrd <[email protected]>
This fixes the implementation and test from tailscale#15208 which apparently never worked. Ignore the metacert when counting the number of expected certs presented. And fix the test, pulling out the TLSConfig setup code into something shared between the real cmd/derper and the test. Fixes tailscale#15579 Change-Id: I90526e38e59f89b480629b415f00587b107de10a Signed-off-by: Brad Fitzpatrick <[email protected]>
…lscale#16018) Updates #cleanup Signed-off-by: Jordan Whited <[email protected]>
…erator The same message was used for "up" and "down" permission failures, but "set" works better for both. Suggesting "up --operator" for a "down" permission failure was confusing. It's not like the latter command works in one shot anyway. Fixes tailscale#16008 Change-Id: I6e4225ef06ce2d8e19c40bece8104e254c2aa525 Signed-off-by: Brad Fitzpatrick <[email protected]>
Taildrop wasn't working on iOS since tailscale#15971 because GetExt didn't work until after init, but that PR moved Init until after Start. This makes GetExt work before LocalBackend.Start (ExtensionHost.Init). Updates tailscale#15812 Change-Id: I6e87257cd97a20f86083a746d39df223e5b6791b Signed-off-by: Brad Fitzpatrick <[email protected]>
This type improves code clarity and reduces the chance of heap alloc as we pass it as a non-pointer. VNI being a 3-byte value enables us to track set vs unset via the reserved/unused byte. Updates tailscale/corp#27502 Signed-off-by: Jordan Whited <[email protected]>
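The Geneve rules from the UDP relay server commit and the VNI commit above, as an added Go example that is not Tailscale's code: it parses the 8-byte fixed Geneve header (RFC 8926), applies the control-bit rule, and tracks a set versus unset VNI in the spare byte. The protocol-type constants are placeholders because the page does not give the real values, and requiring Disco for control packets is an assumption drawn from the handshake description.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Placeholder protocol-type values: the commit says values were defined for
// Disco and WireGuard, but the page does not give them.
const (
	protoDisco     uint16 = 0xFF01 // placeholder
	protoWireGuard uint16 = 0xFF02 // placeholder
)

// VNI keeps the 24-bit identifier in the low three bytes and uses the spare
// top byte as an "is set" flag, so the zero value means "no VNI".
type VNI uint32

func NewVNI(v uint32) VNI { return VNI(v&0xFFFFFF | 1<<24) }
func (v VNI) IsSet() bool { return v>>24 != 0 }
func (v VNI) Get() uint32 { return uint32(v) & 0xFFFFFF }

// Header holds the fields of the fixed Geneve header used here.
type Header struct {
	Control  bool // the O (control packet) bit
	Protocol uint16
	VNI      VNI
}

// Parse decodes the fixed header and rejects short or non-version-0 input.
func Parse(b []byte) (Header, error) {
	if len(b) < 8 {
		return Header{}, errors.New("geneve: short header")
	}
	if b[0]>>6 != 0 {
		return Header{}, errors.New("geneve: unsupported version")
	}
	return Header{
		Control:  b[1]&0x80 != 0,
		Protocol: binary.BigEndian.Uint16(b[2:4]),
		VNI:      NewVNI(uint32(b[4])<<16 | uint32(b[5])<<8 | uint32(b[6])),
	}, nil
}

// Classify applies the rule: control bit set means a client/server handshake
// (assumed to be Disco only), unset means traffic relayed between clients.
func Classify(b []byte) (string, error) {
	h, err := Parse(b)
	switch {
	case err != nil:
		return "", err
	case h.Control && h.Protocol == protoDisco:
		return "handshake", nil
	case h.Control:
		return "", errors.New("geneve: control bit set on non-Disco packet")
	case h.Protocol == protoDisco || h.Protocol == protoWireGuard:
		return "relay", nil
	}
	return "", errors.New("geneve: unknown protocol")
}

func main() {
	pkt := []byte{0x00, 0x80, 0xFF, 0x01, 0x00, 0x00, 0x07, 0x00} // constructed
	fmt.Println(Classify(pkt))
}
```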
…6020) Updates tailscale#15895 Signed-off-by: Irbe Krumina <[email protected]>
Use of the httptest client doesn't render header ordering as expected. Use http.DefaultClient for the test to ensure that the header ordering test is valid. Updates tailscale/corp#27370 Signed-off-by: Mike O'Driscoll <[email protected]>
heartbeatInterval is currently 3s. Updates #cleanup Signed-off-by: Jordan Whited <[email protected]>
Create FileOps for calling platform-specific file operations such as SAF APIs in Taildrop Update taildrop.PutFile to support both traditional and SAF modes Updates tailscale#15263 Signed-off-by: kari-ts <[email protected]>
…scale#15986) Registering a new store is cheap, it just adds a map entry. No need to lazy-init it with sync.Once and an intermediate slice holding init functions. Updates #cleanup Signed-off-by: Andrew Lytvynov <[email protected]>
Signed-off-by: Jonathan Nobels <[email protected]>
…tailscale#16110) fixes tailscale#16082 RouteAll should be true by default on iOS and Android. Signed-off-by: Jonathan Nobels <[email protected]> (cherry picked from commit 842df37)
…le#16059) fixes tailscale/corp#25612 We now keep track of any dns configurations which we could not compile. This gives RecompileDNSConfig a configuration to attempt to recompile and apply when the OS pokes us to indicate that the interface dns servers have changed/updated. The manager config will remain unset until we have the required information to compile it correctly which should eliminate the problematic SERVFAIL responses (especially on macOS 15). This also removes the missingUpstreamRecovery func in the forwarder which is no longer required now that we have proper error handling and recovery manager and the client. Signed-off-by: Jonathan Nobels <[email protected]> (cherry picked from commit 5e54819)
…tailscale#16129) (tailscale#16140) In 1.84 we made 'tailscale set'/'tailscale up' error out if duplicate command line flags are passed. This broke some container configurations as we have two env vars that can be used to set --accept-dns flag:
- TS_ACCEPT_DNS - specifically for --accept-dns
- TS_EXTRA_ARGS - accepts any arbitrary 'tailscale up'/'tailscale set' flag.
We default TS_ACCEPT_DNS to false (to make the container behaviour more declarative), which with the new restrictive CLI behaviour resulted in failure for users who had set --accept-dns via TS_EXTRA_ARGS as the flag would be provided twice. This PR re-instates the previous behaviour by checking if TS_EXTRA_ARGS contains --accept-dns flag and if so using its value to override TS_ACCEPT_DNS. Updates tailscale#16108 (cherry picked from commit 5b670eb) Signed-off-by: Irbe Krumina <[email protected]>
anthr76 approved these changes Jun 3, 2025
https://tailscale.com/changelog#2025-05-21