lzc256
/
tailscale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: lzc256:main
Branches Tags
lzc256:main
lzc256:kevinliang10/Iptables_and_nftables_code_refactoring
lzc256:tom/tka4
lzc256:clairew/test-wrapper-write-file
lzc256:maisem/m1
lzc256:maisem/flake3
lzc256:maisem/egress
lzc256:soniaappasamy/funnel-foreground-play
lzc256:dsnet/rate-marshal
lzc256:tom/tka
lzc256:s/tsnetd
lzc256:valscale/uniqueLogs
lzc256:s/pmtud
lzc256:thisisparker/firstwords
lzc256:valscale/peermtu
lzc256:bradfitz/countrycode
lzc256:crawshaw/stunchild
lzc256:tom/disco
lzc256:release-branch/1.44
lzc256:maisem/ssh-incomplete-read
lzc256:raggi/v6masq
lzc256:aaron/authenticode
lzc256:dsnet/syncs-map-range-mutable
lzc256:release-branch/1.42
lzc256:andrew/dnsfallback-recursive
lzc256:dependabot/github_actions/peter-evans/create-pull-request-5.0.2
lzc256:maisem/alpine-bump
lzc256:raggi/heartbeat-timebomb
lzc256:raggi/derp-probe-stun-loss
lzc256:raggi/tsdebugger
lzc256:tom/derp
lzc256:Xe/tsnet-examples
lzc256:andrew/ipn-debug-1.42.0
lzc256:valscale/derpFlows
lzc256:maisem/blocked
lzc256:marwan/portlistrefactor
lzc256:marwan/noconstructor
lzc256:angott/allow-thunderbolt-bridge
lzc256:marwan/polleropts
lzc256:marwan/noconstructor2
lzc256:andrew/slicesx-deduplicate
lzc256:unraid-web
lzc256:revert
lzc256:dependabot/go_modules/github.com/docker/distribution-2.8.2incompatible
lzc256:danderson/art-table
lzc256:raggi/testseed
lzc256:release-branch/1.40
lzc256:kristoffer/enable-mips-pkgs
lzc256:maisem/histgram
lzc256:s/eq
lzc256:raggi/atomiccloseonce
lzc256:raggi/bump-goreleaserv2
lzc256:andrew/bump-esbuild
lzc256:marwan/tmp
lzc256:catzkorn/addrsend
lzc256:raggi/gofuzz
lzc256:shayne/funnel_cmd
lzc256:release-branch/1.38
lzc256:dgentry/atomicfile
lzc256:andrew/derp-region-location
lzc256:tom/tka6
lzc256:maisem/k8s-cache
lzc256:azure
lzc256:maisem/tun-1
lzc256:andrew/fastjson
lzc256:crawshaw/lnclose
lzc256:crawshaw/tsnet1
lzc256:maisem/tsnet-funnel-2
lzc256:crawshaw/httpconnect
lzc256:Xe/tsnet-funnel
lzc256:andrew/control-key-store
lzc256:dgentry/sniproxy-dns
lzc256:andrew/util-dnsconfig
lzc256:andrew/cloudenv-location
lzc256:release-branch/1.36
lzc256:aaron/migrate_windows
lzc256:crawshaw/pidlisten
lzc256:maisem/waiter
lzc256:andrew/router-drop-ula
lzc256:will/vizerr
lzc256:danderson/mkversion
lzc256:crawshaw/activesum
lzc256:andrew/doctor-scutil
lzc256:danderson/version-private3
lzc256:bradfitz/sassy
lzc256:bradfitz/win_unattended_warning
lzc256:andrew/hostinfo-HavePortMap
lzc256:skriptble/ssh-recording-persist
lzc256:maisem/funnel-k8s
lzc256:maisem/clean2
lzc256:crawshaw/ondemanddomains
lzc256:maisem/c1
lzc256:danderson/helm
lzc256:andrew/peer-status-KeyExpiry
lzc256:bradfitz/noise_debug_more
lzc256:release-branch/1.34
lzc256:cloner
lzc256:danderson/backport
lzc256:clairew/tsnet_get_own_ip
lzc256:bradfitz/tidy
lzc256:maisem/wakegroup
lzc256:raggi/tsweb-compression
lzc256:bradfitz/fix_ipn_cloner
lzc256:danderson/bootstrap
lzc256:will/enforce-hostname
lzc256:mihaip/delete-all-profiles
lzc256:raggi/tails
lzc256:release-branch/1.32
lzc256:shayne/serve_empty_text_handler
lzc256:phirework/pathfinder
lzc256:bradfitz/hostinfo_ingress_bit
lzc256:mihaip/logout-async-start
lzc256:net-audit-log/1.32
lzc256:bradfitz/set_prefs_locked
lzc256:mihaip/fas
lzc256:bradfitz/port_intercept
lzc256:andrew/net-tsaddr-mapviaaddr
lzc256:danderson/tsburrito
lzc256:andrew/tstest-goroutine-ignore
lzc256:andrew/monitor-link-change
lzc256:danderson/k8s
lzc256:andrew/debug-subnet-router
lzc256:andrew/metrics-distribution
lzc256:phirework/natlab
lzc256:knyar/prober
lzc256:crawshaw/accumulatorcfg
lzc256:bradfitz/keyboard-interactive
lzc256:maisem/unused-ssh-field
lzc256:bradfitz/tailpipe
lzc256:maisem/ssh-port-forward-no-session
lzc256:vm
lzc256:raggi/accept-routes-filter
lzc256:nyghtowl/tailnet-name2
lzc256:buildjet
lzc256:buildjet-vs-github
lzc256:andrew/netns-macos-route
lzc256:maisem/exit-lan
lzc256:andrew/rp-filter-check
lzc256:walterp-api
lzc256:andrew/linux-router-v4-disabled
lzc256:bradfitz/distro_ubuntu
lzc256:tom/iptables
lzc256:release-branch/1.30
lzc256:tom/tka2
lzc256:andrew/dnscache-debugging-1.22.2
lzc256:andrew/controlclient-dial
lzc256:raggi/experiment-queues
lzc256:bradfitz/u32
lzc256:ip6tables
lzc256:maisem/dns-5
lzc256:catzkorn/derp-benchmark
lzc256:maisem/dns-3
lzc256:jwhited/wireguard-go-vectorized-bind
lzc256:catzkorn/otel-init
lzc256:bradfitz/appendf
lzc256:mihaip/js-cli
lzc256:dsnet/tsweb-499s
lzc256:bradfitz/deephash_early_exit
lzc256:crawshaw/xdp
lzc256:dsnet/logtail-zstd-single-segment
lzc256:Xe/gitops-pusher-three-version-problem
lzc256:Xe/gitops-pusher-acl-test-error-output
lzc256:Xe/gitops-pusher-ffcli
lzc256:bradfitz/ssh_auth_none_demo
lzc256:release-branch/1.28
lzc256:catzkorn/otel-derp
lzc256:bradfitz/shared_split_dns
lzc256:nyghtowl/fix-resolved
lzc256:release-branch/1.26
lzc256:bradfitz/explicit_empty_test_3808
lzc256:crawshaw/preservenetinfo
lzc256:miriah-3808-reset-operator
lzc256:dsnet/tsnet-logging
lzc256:mihaip/wasm-taildrop
lzc256:crawshaw/stunname
lzc256:bradfitz/wasm_play
lzc256:maisem/reg
lzc256:bradfitz/dot
lzc256:bradfitz/tcp_flows
lzc256:release-branch/1.24
lzc256:raggi/netstack_fwd_close
lzc256:bradfitz/netstack_fwd_close
lzc256:merge-tag
lzc256:cross-android
lzc256:bradfitz/kmod
lzc256:bradfitz/ssh_banner
lzc256:bradfitz/ping
lzc256:tom/integration
lzc256:bradfitz/ssh_policy_earlier
lzc256:maisem/cu
lzc256:bradfitz/derpy_cast
lzc256:bradfitz/cli_admin
lzc256:release-branch/1.22
lzc256:maisem/ssh-policiy-2
lzc256:maisem/ssh-policiy-1
lzc256:aaron/go-ole-ref
lzc256:bradfitz/key_rotation_prep
lzc256:josh/tswebflags
lzc256:release-branch/1.20
lzc256:crawshaw/envtype
lzc256:danderson/tsweb-server
lzc256:bradfitz/autocert_force
lzc256:bradfitz/use_netstack_upstream
lzc256:Xe/winui-bugreport-without-tailscaled
lzc256:bradfitz/hostinfo_basically_equal
lzc256:release-branch/1.18
lzc256:aaron/loglog
lzc256:aaron/dnsapc
lzc256:bradfitz/demo_client_hijack
lzc256:bradfitz/windns
lzc256:bradfitz/exit_node_forward_dns
lzc256:bradfitz/1.18.1
lzc256:Xe/tailtlsproxy
lzc256:bradfitz/allsrc
lzc256:josh/peermap
lzc256:danderson/ebpf
lzc256:bradfitz/1_16_stress_netmap
lzc256:danderson/nodekey-move
lzc256:danderson/nodekey-delete-old
lzc256:danderson/nodekey-cleanup
lzc256:danderson/magicsock-discokey
lzc256:release-branch/1.16
lzc256:danderson/magicsock-node-key
lzc256:crawshaw/updatefallback
lzc256:release-branch/1.14
lzc256:bradfitz/1.14
lzc256:bradfitz/updates
lzc256:josh/immutable-views
lzc256:bradfitz/portmap_gh_actions
lzc256:danderson/kernel-tailscale
lzc256:bradfitz/win_default_route
lzc256:release-branch/1.12
lzc256:jknodt/logging
lzc256:simenghe/add-tsmpping-call
lzc256:josh/opt-getstatus
lzc256:Aadi/speedtest-tailscaled
lzc256:dsnet/admin-cli
lzc256:bradfitz/portmap_test
lzc256:jknodt/portmap_test
lzc256:upnpdebug
lzc256:jknodt/upnp_reuse
lzc256:crawshaw/peerdoh
lzc256:josh/debug-flake
lzc256:simenghe/pingresult-work
lzc256:jknodt/derp_flow
lzc256:tps/tailscaled
lzc256:jknodt/vms_ref
lzc256:jknodt/integ_test
lzc256:josh/fast-time
lzc256:josh/coarsetime
lzc256:bradfitz/derp_flow
lzc256:release-branch/1.10
lzc256:josh/io_uring
lzc256:josh/deflake-pipe-again
lzc256:Xe/testcontrol-v6
lzc256:jknodt/io-uring
lzc256:simenghe/admin-ping-test
lzc256:jknodt/periodic_probe
lzc256:simenghe/isoping
lzc256:Xe/private-logcatcher-in-process
lzc256:simenghe/tcpnodeping
lzc256:bradfitz/deephash_methods
lzc256:crawshaw/deephash
lzc256:josh/de-select-tstun-wrapper
lzc256:Xe/debug-nixos-build
lzc256:simenghe/isoping-experiment
lzc256:crawshaw/dnswslhackery
lzc256:jknodt/userderp
lzc256:jknodt/bw_rep2
lzc256:crawshaw/wslresolvconf
lzc256:jknodt/upnp
lzc256:crawshaw/magicdnsalways
lzc256:simenghe/flakeresolve
lzc256:rec_in_use_after_5_sec
lzc256:bradfitz/acme
lzc256:release-branch/1.8
lzc256:simenghe/add-httphandlers-ping
lzc256:simenghe/add-ping-route-testcontrol-mux
lzc256:simeng-pingtest
lzc256:Xe/test-install-script-libvirtd
lzc256:apenwarr/check184
lzc256:crawshaw/newbackendserver
lzc256:adding-address-ips-totestcontrolnode
lzc256:onebinary
lzc256:Xe/synology-does-actually-work-with-subnet-routes-til
lzc256:bradfitz/netstack_port_map
lzc256:bradfitz/demo_pinger
lzc256:apenwarr/fixes
lzc256:apenwarr/relogin
lzc256:josh/NewIPPort
lzc256:josh/IPWithPort
lzc256:bradfitz/integration_tests
lzc256:josh/opt-dp-wip
lzc256:bradfitz/ping_notes
lzc256:bradfitz/dropped_by_filter_logspam
lzc256:bradfitz/netstack_drop_silent
lzc256:bradfitz/log_rate_test
lzc256:bradfitz/issue_1840_rebased_tree
lzc256:bradfitz/issue_1849_rebased_tree
lzc256:crawshaw/syno
lzc256:apenwarr/statefix
lzc256:apenwarr/statetest
lzc256:josh/wip/endpoint-serialize
lzc256:apenwarr/ioslogin
lzc256:rosszurowski/cli-fix-typo
lzc256:bradfitz/cli_pretty
lzc256:bradfitz/win_delete_retry
lzc256:bradfitz/sleep
lzc256:naman/netstack-request-logging
lzc256:naman/ephem-expand-range
lzc256:bradfitz/macos_progress
lzc256:bradfitz/ip_of
lzc256:crawshaw/localapi404
lzc256:crawshaw/movefiles
lzc256:crawshaw/socket
lzc256:crawshaw/cgi
lzc256:naman/netstack-subnet-routing
lzc256:josh/wip/create-endpoint-no-public-key
lzc256:Xe/log-target-registry-key
lzc256:release-branch/1.6
lzc256:bradfitz/ipv6_link_local_strip
lzc256:bradfitz/health
lzc256:bradfitz/darwin_gw
lzc256:Xe/disallow-local-ip-for-exit-node
lzc256:release-branch/1.4
lzc256:crawshaw/upjson
lzc256:bradfitz/proposed_1.4.6
lzc256:bradfitz/derp_steer
lzc256:crawshaw/tailscalestatus
lzc256:Xe/reset-logid-on-logout-login
lzc256:naman/netstack-incoming
lzc256:mkramlich/macos-brew2
lzc256:naman/netstack-outgoing-udp-test
lzc256:mkramlich/macos-brew
lzc256:bradfitz/proposed-1.4.5
lzc256:peske/ifacewatcher
lzc256:Xe/hello-vr
lzc256:crawshaw/filchsync
lzc256:Xe/derphttp-panic-fix
lzc256:peske/elnotfound
lzc256:Xe/rel-144-fix-ipv6-broken-in-tests
lzc256:bradfitz/darwin_creds
lzc256:josh/longblock
lzc256:josh/udp-alloc-less
lzc256:josh/simplify-filch
lzc256:josh/remove-ipcgetfilter
lzc256:Xe/envvar-name-TS
lzc256:Xe/TS-envvar-name
lzc256:Xe/do-windows-logserver-better
lzc256:Xe/log-target-flag
lzc256:crawshaw/ipuint
lzc256:bradfitz/hello
lzc256:bradfitz/linux_v6_off
lzc256:bradfitz/call_me_maybe_eps
lzc256:bradfitz/api_docs
lzc256:alexbrainman/use_wg_dns_code
lzc256:naman/netstack-use-tailscale-ip
lzc256:josh/debug-TestLikelyHomeRouterIPSyscallExec
lzc256:noerror-not-notimp
lzc256:bradfitz/umaskless_permissions
lzc256:naman/netstack-bump-version
lzc256:bradfitz/lite_endpoint_update
lzc256:c22wen/api-docs
lzc256:bradfitz/grafana_auth_proxy
lzc256:crawshaw/dnsguid
lzc256:nix-shell
lzc256:release-branch/1.2
lzc256:bradfitz/acl_tags_in_tailscale_status
lzc256:bradfitz/expiry_spin
lzc256:josh/no-goroutine-per-udp-read-2
lzc256:crawshaw/tailcfg
lzc256:bradfitz/wgengine_monitor_windows_take2
lzc256:netstat-unsafe
lzc256:bradfitz/ipn_empty
lzc256:bradfitz/win_firewall_async
lzc256:bradfitz/machine_key
lzc256:apenwarr/faketun
lzc256:crawshaw/cloner
lzc256:crawshaw/jsonhandler
lzc256:c22wen/route-addr
lzc256:c22wen/magicsock.go
lzc256:bradfitz/gvisor_netstack
lzc256:crawshaw/loadtest
lzc256:dshynkev/dns-autoset
lzc256:crawshaw/e2etest
lzc256:bradfitz/win_wpad_pac
lzc256:release-branch/1.0
lzc256:bradfitz/linux_default_route_interface
lzc256:bradfitz/release-branch-1.0
lzc256:crawshaw/restartlimit
lzc256:clone
lzc256:dshynkev/dns-name
lzc256:dshynkev/dns-refactor
lzc256:bradfitz/go_vet
lzc256:crawshaw/tswebextra
lzc256:crawshaw/pinger2
lzc256:lzjluzijie/all_proxy
lzc256:rate-limiting
lzc256:lzjluzijie/227_http_proxy
lzc256:crawshaw/rebind
lzc256:crawshaw/hostinfo
lzc256:crawshaw/derp-nokeepalives
lzc256:crawshaw/derptimeout
lzc256:crawshaw/derpdial2
lzc256:crawshaw/derpdial
lzc256:crawshaw/ipn
lzc256:crawshaw/e2e_test
lzc256:crawshaw/ipn2
lzc256:crawshaw/magicsock
lzc256:crawshaw/magicsock-infping
lzc256:crawshaw/spray
lzc256:crawshaw/br1
lzc256:v1.44.0
lzc256:v1.42.1
lzc256:v1.42.0
lzc256:v1.40.1
lzc256:v1.40.0
lzc256:v1.38.4
lzc256:v1.38.3
lzc256:v1.38.2
lzc256:v1.38.1
lzc256:v1.38.0
lzc256:v1.36.2
lzc256:v1.36.1
lzc256:v1.36.0
lzc256:coral-gitops
lzc256:v1.34.2
lzc256:v1.34.1
lzc256:v1.34.0
lzc256:v1.32.3
lzc256:v1.32.2
lzc256:nginx-auth-0.1.2
lzc256:v1.32.1
lzc256:v1.32.0
lzc256:v1.30.2
lzc256:v1.30.1
lzc256:gitops-1.30.0
lzc256:v1.30.0
lzc256:v1.28.0
lzc256:v1.26.2
lzc256:v1.26.1
lzc256:v1.26.0
lzc256:v1.24.2
lzc256:v1.24.1
lzc256:v1.24.0
lzc256:v1.22.2
lzc256:v1.22.1
lzc256:v1.22.0
lzc256:v1.20.4
lzc256:v1.20.3
lzc256:v1.20.2
lzc256:v1.20.1
lzc256:v1.20.0
lzc256:v1.18.2
lzc256:v1.18.1
lzc256:v1.18.0
lzc256:v1.16.2
lzc256:v1.16.1
lzc256:v1.16.0
lzc256:v1.14.6
lzc256:v1.14.5
lzc256:v1.14.4
lzc256:v1.14.3
lzc256:v1.14.0
lzc256:v1.12.4
lzc256:v1.12.3
lzc256:v1.12.2
lzc256:v1.12.1
lzc256:v1.12.0
lzc256:v1.10.2
lzc256:v1.10.1
lzc256:v1.10.0
lzc256:v1.8.8
lzc256:v1.8.7
lzc256:v1.8.6
lzc256:v1.8.5
lzc256:v1.8.4
lzc256:v1.8.3
lzc256:v1.8.2
lzc256:v1.8.1
lzc256:v1.8.0
lzc256:v1.6.0
lzc256:v1.4.6
lzc256:v1.4.5
lzc256:v1.4.4
lzc256:v1.4.3
lzc256:v1.4.2
lzc256:v1.4.1
lzc256:v1.4.0
lzc256:v1.2.10
lzc256:v1.2.9
lzc256:v1.2.8
lzc256:v1.2.7
lzc256:v1.2.6
lzc256:v1.2.5
lzc256:v1.2.3
lzc256:v1.2.2
lzc256:v1.2.1
lzc256:v1.2.0
lzc256:v1.0.5
lzc256:v1.0.4
lzc256:v1.0.3
lzc256:v1.0.2
lzc256:v1.0.1
lzc256:v1.1.0
lzc256:v1.0.0
lzc256:v0.100.0-153
lzc256:v0.100.0-107
lzc256:v0.100.0
lzc256:v0.99.1
lzc256:v0.99.0
lzc256:v0.98.1
lzc256:v0.98.0
lzc256:v0.98
lzc256:v0.97
lzc256:v0.96.1
lzc256:v0.96
...
pull from: lzc256:maisem/funnel-k8s
Branches Tags
lzc256:main
lzc256:kevinliang10/Iptables_and_nftables_code_refactoring
lzc256:tom/tka4
lzc256:clairew/test-wrapper-write-file
lzc256:maisem/m1
lzc256:maisem/flake3
lzc256:maisem/egress
lzc256:soniaappasamy/funnel-foreground-play
lzc256:dsnet/rate-marshal
lzc256:tom/tka
lzc256:s/tsnetd
lzc256:valscale/uniqueLogs
lzc256:s/pmtud
lzc256:thisisparker/firstwords
lzc256:valscale/peermtu
lzc256:bradfitz/countrycode
lzc256:crawshaw/stunchild
lzc256:tom/disco
lzc256:release-branch/1.44
lzc256:maisem/ssh-incomplete-read
lzc256:raggi/v6masq
lzc256:aaron/authenticode
lzc256:dsnet/syncs-map-range-mutable
lzc256:release-branch/1.42
lzc256:andrew/dnsfallback-recursive
lzc256:dependabot/github_actions/peter-evans/create-pull-request-5.0.2
lzc256:maisem/alpine-bump
lzc256:raggi/heartbeat-timebomb
lzc256:raggi/derp-probe-stun-loss
lzc256:raggi/tsdebugger
lzc256:tom/derp
lzc256:Xe/tsnet-examples
lzc256:andrew/ipn-debug-1.42.0
lzc256:valscale/derpFlows
lzc256:maisem/blocked
lzc256:marwan/portlistrefactor
lzc256:marwan/noconstructor
lzc256:angott/allow-thunderbolt-bridge
lzc256:marwan/polleropts
lzc256:marwan/noconstructor2
lzc256:andrew/slicesx-deduplicate
lzc256:unraid-web
lzc256:revert
lzc256:dependabot/go_modules/github.com/docker/distribution-2.8.2incompatible
lzc256:danderson/art-table
lzc256:raggi/testseed
lzc256:release-branch/1.40
lzc256:kristoffer/enable-mips-pkgs
lzc256:maisem/histgram
lzc256:s/eq
lzc256:raggi/atomiccloseonce
lzc256:raggi/bump-goreleaserv2
lzc256:andrew/bump-esbuild
lzc256:marwan/tmp
lzc256:catzkorn/addrsend
lzc256:raggi/gofuzz
lzc256:shayne/funnel_cmd
lzc256:release-branch/1.38
lzc256:dgentry/atomicfile
lzc256:andrew/derp-region-location
lzc256:tom/tka6
lzc256:maisem/k8s-cache
lzc256:azure
lzc256:maisem/tun-1
lzc256:andrew/fastjson
lzc256:crawshaw/lnclose
lzc256:crawshaw/tsnet1
lzc256:maisem/tsnet-funnel-2
lzc256:crawshaw/httpconnect
lzc256:Xe/tsnet-funnel
lzc256:andrew/control-key-store
lzc256:dgentry/sniproxy-dns
lzc256:andrew/util-dnsconfig
lzc256:andrew/cloudenv-location
lzc256:release-branch/1.36
lzc256:aaron/migrate_windows
lzc256:crawshaw/pidlisten
lzc256:maisem/waiter
lzc256:andrew/router-drop-ula
lzc256:will/vizerr
lzc256:danderson/mkversion
lzc256:crawshaw/activesum
lzc256:andrew/doctor-scutil
lzc256:danderson/version-private3
lzc256:bradfitz/sassy
lzc256:bradfitz/win_unattended_warning
lzc256:andrew/hostinfo-HavePortMap
lzc256:skriptble/ssh-recording-persist
lzc256:maisem/funnel-k8s
lzc256:maisem/clean2
lzc256:crawshaw/ondemanddomains
lzc256:maisem/c1
lzc256:danderson/helm
lzc256:andrew/peer-status-KeyExpiry
lzc256:bradfitz/noise_debug_more
lzc256:release-branch/1.34
lzc256:cloner
lzc256:danderson/backport
lzc256:clairew/tsnet_get_own_ip
lzc256:bradfitz/tidy
lzc256:maisem/wakegroup
lzc256:raggi/tsweb-compression
lzc256:bradfitz/fix_ipn_cloner
lzc256:danderson/bootstrap
lzc256:will/enforce-hostname
lzc256:mihaip/delete-all-profiles
lzc256:raggi/tails
lzc256:release-branch/1.32
lzc256:shayne/serve_empty_text_handler
lzc256:phirework/pathfinder
lzc256:bradfitz/hostinfo_ingress_bit
lzc256:mihaip/logout-async-start
lzc256:net-audit-log/1.32
lzc256:bradfitz/set_prefs_locked
lzc256:mihaip/fas
lzc256:bradfitz/port_intercept
lzc256:andrew/net-tsaddr-mapviaaddr
lzc256:danderson/tsburrito
lzc256:andrew/tstest-goroutine-ignore
lzc256:andrew/monitor-link-change
lzc256:danderson/k8s
lzc256:andrew/debug-subnet-router
lzc256:andrew/metrics-distribution
lzc256:phirework/natlab
lzc256:knyar/prober
lzc256:crawshaw/accumulatorcfg
lzc256:bradfitz/keyboard-interactive
lzc256:maisem/unused-ssh-field
lzc256:bradfitz/tailpipe
lzc256:maisem/ssh-port-forward-no-session
lzc256:vm
lzc256:raggi/accept-routes-filter
lzc256:nyghtowl/tailnet-name2
lzc256:buildjet
lzc256:buildjet-vs-github
lzc256:andrew/netns-macos-route
lzc256:maisem/exit-lan
lzc256:andrew/rp-filter-check
lzc256:walterp-api
lzc256:andrew/linux-router-v4-disabled
lzc256:bradfitz/distro_ubuntu
lzc256:tom/iptables
lzc256:release-branch/1.30
lzc256:tom/tka2
lzc256:andrew/dnscache-debugging-1.22.2
lzc256:andrew/controlclient-dial
lzc256:raggi/experiment-queues
lzc256:bradfitz/u32
lzc256:ip6tables
lzc256:maisem/dns-5
lzc256:catzkorn/derp-benchmark
lzc256:maisem/dns-3
lzc256:jwhited/wireguard-go-vectorized-bind
lzc256:catzkorn/otel-init
lzc256:bradfitz/appendf
lzc256:mihaip/js-cli
lzc256:dsnet/tsweb-499s
lzc256:bradfitz/deephash_early_exit
lzc256:crawshaw/xdp
lzc256:dsnet/logtail-zstd-single-segment
lzc256:Xe/gitops-pusher-three-version-problem
lzc256:Xe/gitops-pusher-acl-test-error-output
lzc256:Xe/gitops-pusher-ffcli
lzc256:bradfitz/ssh_auth_none_demo
lzc256:release-branch/1.28
lzc256:catzkorn/otel-derp
lzc256:bradfitz/shared_split_dns
lzc256:nyghtowl/fix-resolved
lzc256:release-branch/1.26
lzc256:bradfitz/explicit_empty_test_3808
lzc256:crawshaw/preservenetinfo
lzc256:miriah-3808-reset-operator
lzc256:dsnet/tsnet-logging
lzc256:mihaip/wasm-taildrop
lzc256:crawshaw/stunname
lzc256:bradfitz/wasm_play
lzc256:maisem/reg
lzc256:bradfitz/dot
lzc256:bradfitz/tcp_flows
lzc256:release-branch/1.24
lzc256:raggi/netstack_fwd_close
lzc256:bradfitz/netstack_fwd_close
lzc256:merge-tag
lzc256:cross-android
lzc256:bradfitz/kmod
lzc256:bradfitz/ssh_banner
lzc256:bradfitz/ping
lzc256:tom/integration
lzc256:bradfitz/ssh_policy_earlier
lzc256:maisem/cu
lzc256:bradfitz/derpy_cast
lzc256:bradfitz/cli_admin
lzc256:release-branch/1.22
lzc256:maisem/ssh-policiy-2
lzc256:maisem/ssh-policiy-1
lzc256:aaron/go-ole-ref
lzc256:bradfitz/key_rotation_prep
lzc256:josh/tswebflags
lzc256:release-branch/1.20
lzc256:crawshaw/envtype
lzc256:danderson/tsweb-server
lzc256:bradfitz/autocert_force
lzc256:bradfitz/use_netstack_upstream
lzc256:Xe/winui-bugreport-without-tailscaled
lzc256:bradfitz/hostinfo_basically_equal
lzc256:release-branch/1.18
lzc256:aaron/loglog
lzc256:aaron/dnsapc
lzc256:bradfitz/demo_client_hijack
lzc256:bradfitz/windns
lzc256:bradfitz/exit_node_forward_dns
lzc256:bradfitz/1.18.1
lzc256:Xe/tailtlsproxy
lzc256:bradfitz/allsrc
lzc256:josh/peermap
lzc256:danderson/ebpf
lzc256:bradfitz/1_16_stress_netmap
lzc256:danderson/nodekey-move
lzc256:danderson/nodekey-delete-old
lzc256:danderson/nodekey-cleanup
lzc256:danderson/magicsock-discokey
lzc256:release-branch/1.16
lzc256:danderson/magicsock-node-key
lzc256:crawshaw/updatefallback
lzc256:release-branch/1.14
lzc256:bradfitz/1.14
lzc256:bradfitz/updates
lzc256:josh/immutable-views
lzc256:bradfitz/portmap_gh_actions
lzc256:danderson/kernel-tailscale
lzc256:bradfitz/win_default_route
lzc256:release-branch/1.12
lzc256:jknodt/logging
lzc256:simenghe/add-tsmpping-call
lzc256:josh/opt-getstatus
lzc256:Aadi/speedtest-tailscaled
lzc256:dsnet/admin-cli
lzc256:bradfitz/portmap_test
lzc256:jknodt/portmap_test
lzc256:upnpdebug
lzc256:jknodt/upnp_reuse
lzc256:crawshaw/peerdoh
lzc256:josh/debug-flake
lzc256:simenghe/pingresult-work
lzc256:jknodt/derp_flow
lzc256:tps/tailscaled
lzc256:jknodt/vms_ref
lzc256:jknodt/integ_test
lzc256:josh/fast-time
lzc256:josh/coarsetime
lzc256:bradfitz/derp_flow
lzc256:release-branch/1.10
lzc256:josh/io_uring
lzc256:josh/deflake-pipe-again
lzc256:Xe/testcontrol-v6
lzc256:jknodt/io-uring
lzc256:simenghe/admin-ping-test
lzc256:jknodt/periodic_probe
lzc256:simenghe/isoping
lzc256:Xe/private-logcatcher-in-process
lzc256:simenghe/tcpnodeping
lzc256:bradfitz/deephash_methods
lzc256:crawshaw/deephash
lzc256:josh/de-select-tstun-wrapper
lzc256:Xe/debug-nixos-build
lzc256:simenghe/isoping-experiment
lzc256:crawshaw/dnswslhackery
lzc256:jknodt/userderp
lzc256:jknodt/bw_rep2
lzc256:crawshaw/wslresolvconf
lzc256:jknodt/upnp
lzc256:crawshaw/magicdnsalways
lzc256:simenghe/flakeresolve
lzc256:rec_in_use_after_5_sec
lzc256:bradfitz/acme
lzc256:release-branch/1.8
lzc256:simenghe/add-httphandlers-ping
lzc256:simenghe/add-ping-route-testcontrol-mux
lzc256:simeng-pingtest
lzc256:Xe/test-install-script-libvirtd
lzc256:apenwarr/check184
lzc256:crawshaw/newbackendserver
lzc256:adding-address-ips-totestcontrolnode
lzc256:onebinary
lzc256:Xe/synology-does-actually-work-with-subnet-routes-til
lzc256:bradfitz/netstack_port_map
lzc256:bradfitz/demo_pinger
lzc256:apenwarr/fixes
lzc256:apenwarr/relogin
lzc256:josh/NewIPPort
lzc256:josh/IPWithPort
lzc256:bradfitz/integration_tests
lzc256:josh/opt-dp-wip
lzc256:bradfitz/ping_notes
lzc256:bradfitz/dropped_by_filter_logspam
lzc256:bradfitz/netstack_drop_silent
lzc256:bradfitz/log_rate_test
lzc256:bradfitz/issue_1840_rebased_tree
lzc256:bradfitz/issue_1849_rebased_tree
lzc256:crawshaw/syno
lzc256:apenwarr/statefix
lzc256:apenwarr/statetest
lzc256:josh/wip/endpoint-serialize
lzc256:apenwarr/ioslogin
lzc256:rosszurowski/cli-fix-typo
lzc256:bradfitz/cli_pretty
lzc256:bradfitz/win_delete_retry
lzc256:bradfitz/sleep
lzc256:naman/netstack-request-logging
lzc256:naman/ephem-expand-range
lzc256:bradfitz/macos_progress
lzc256:bradfitz/ip_of
lzc256:crawshaw/localapi404
lzc256:crawshaw/movefiles
lzc256:crawshaw/socket
lzc256:crawshaw/cgi
lzc256:naman/netstack-subnet-routing
lzc256:josh/wip/create-endpoint-no-public-key
lzc256:Xe/log-target-registry-key
lzc256:release-branch/1.6
lzc256:bradfitz/ipv6_link_local_strip
lzc256:bradfitz/health
lzc256:bradfitz/darwin_gw
lzc256:Xe/disallow-local-ip-for-exit-node
lzc256:release-branch/1.4
lzc256:crawshaw/upjson
lzc256:bradfitz/proposed_1.4.6
lzc256:bradfitz/derp_steer
lzc256:crawshaw/tailscalestatus
lzc256:Xe/reset-logid-on-logout-login
lzc256:naman/netstack-incoming
lzc256:mkramlich/macos-brew2
lzc256:naman/netstack-outgoing-udp-test
lzc256:mkramlich/macos-brew
lzc256:bradfitz/proposed-1.4.5
lzc256:peske/ifacewatcher
lzc256:Xe/hello-vr
lzc256:crawshaw/filchsync
lzc256:Xe/derphttp-panic-fix
lzc256:peske/elnotfound
lzc256:Xe/rel-144-fix-ipv6-broken-in-tests
lzc256:bradfitz/darwin_creds
lzc256:josh/longblock
lzc256:josh/udp-alloc-less
lzc256:josh/simplify-filch
lzc256:josh/remove-ipcgetfilter
lzc256:Xe/envvar-name-TS
lzc256:Xe/TS-envvar-name
lzc256:Xe/do-windows-logserver-better
lzc256:Xe/log-target-flag
lzc256:crawshaw/ipuint
lzc256:bradfitz/hello
lzc256:bradfitz/linux_v6_off
lzc256:bradfitz/call_me_maybe_eps
lzc256:bradfitz/api_docs
lzc256:alexbrainman/use_wg_dns_code
lzc256:naman/netstack-use-tailscale-ip
lzc256:josh/debug-TestLikelyHomeRouterIPSyscallExec
lzc256:noerror-not-notimp
lzc256:bradfitz/umaskless_permissions
lzc256:naman/netstack-bump-version
lzc256:bradfitz/lite_endpoint_update
lzc256:c22wen/api-docs
lzc256:bradfitz/grafana_auth_proxy
lzc256:crawshaw/dnsguid
lzc256:nix-shell
lzc256:release-branch/1.2
lzc256:bradfitz/acl_tags_in_tailscale_status
lzc256:bradfitz/expiry_spin
lzc256:josh/no-goroutine-per-udp-read-2
lzc256:crawshaw/tailcfg
lzc256:bradfitz/wgengine_monitor_windows_take2
lzc256:netstat-unsafe
lzc256:bradfitz/ipn_empty
lzc256:bradfitz/win_firewall_async
lzc256:bradfitz/machine_key
lzc256:apenwarr/faketun
lzc256:crawshaw/cloner
lzc256:crawshaw/jsonhandler
lzc256:c22wen/route-addr
lzc256:c22wen/magicsock.go
lzc256:bradfitz/gvisor_netstack
lzc256:crawshaw/loadtest
lzc256:dshynkev/dns-autoset
lzc256:crawshaw/e2etest
lzc256:bradfitz/win_wpad_pac
lzc256:release-branch/1.0
lzc256:bradfitz/linux_default_route_interface
lzc256:bradfitz/release-branch-1.0
lzc256:crawshaw/restartlimit
lzc256:clone
lzc256:dshynkev/dns-name
lzc256:dshynkev/dns-refactor
lzc256:bradfitz/go_vet
lzc256:crawshaw/tswebextra
lzc256:crawshaw/pinger2
lzc256:lzjluzijie/all_proxy
lzc256:rate-limiting
lzc256:lzjluzijie/227_http_proxy
lzc256:crawshaw/rebind
lzc256:crawshaw/hostinfo
lzc256:crawshaw/derp-nokeepalives
lzc256:crawshaw/derptimeout
lzc256:crawshaw/derpdial2
lzc256:crawshaw/derpdial
lzc256:crawshaw/ipn
lzc256:crawshaw/e2e_test
lzc256:crawshaw/ipn2
lzc256:crawshaw/magicsock
lzc256:crawshaw/magicsock-infping
lzc256:crawshaw/spray
lzc256:crawshaw/br1
lzc256:v1.44.0
lzc256:v1.42.1
lzc256:v1.42.0
lzc256:v1.40.1
lzc256:v1.40.0
lzc256:v1.38.4
lzc256:v1.38.3
lzc256:v1.38.2
lzc256:v1.38.1
lzc256:v1.38.0
lzc256:v1.36.2
lzc256:v1.36.1
lzc256:v1.36.0
lzc256:coral-gitops
lzc256:v1.34.2
lzc256:v1.34.1
lzc256:v1.34.0
lzc256:v1.32.3
lzc256:v1.32.2
lzc256:nginx-auth-0.1.2
lzc256:v1.32.1
lzc256:v1.32.0
lzc256:v1.30.2
lzc256:v1.30.1
lzc256:gitops-1.30.0
lzc256:v1.30.0
lzc256:v1.28.0
lzc256:v1.26.2
lzc256:v1.26.1
lzc256:v1.26.0
lzc256:v1.24.2
lzc256:v1.24.1
lzc256:v1.24.0
lzc256:v1.22.2
lzc256:v1.22.1
lzc256:v1.22.0
lzc256:v1.20.4
lzc256:v1.20.3
lzc256:v1.20.2
lzc256:v1.20.1
lzc256:v1.20.0
lzc256:v1.18.2
lzc256:v1.18.1
lzc256:v1.18.0
lzc256:v1.16.2
lzc256:v1.16.1
lzc256:v1.16.0
lzc256:v1.14.6
lzc256:v1.14.5
lzc256:v1.14.4
lzc256:v1.14.3
lzc256:v1.14.0
lzc256:v1.12.4
lzc256:v1.12.3
lzc256:v1.12.2
lzc256:v1.12.1
lzc256:v1.12.0
lzc256:v1.10.2
lzc256:v1.10.1
lzc256:v1.10.0
lzc256:v1.8.8
lzc256:v1.8.7
lzc256:v1.8.6
lzc256:v1.8.5
lzc256:v1.8.4
lzc256:v1.8.3
lzc256:v1.8.2
lzc256:v1.8.1
lzc256:v1.8.0
lzc256:v1.6.0
lzc256:v1.4.6
lzc256:v1.4.5
lzc256:v1.4.4
lzc256:v1.4.3
lzc256:v1.4.2
lzc256:v1.4.1
lzc256:v1.4.0
lzc256:v1.2.10
lzc256:v1.2.9
lzc256:v1.2.8
lzc256:v1.2.7
lzc256:v1.2.6
lzc256:v1.2.5
lzc256:v1.2.3
lzc256:v1.2.2
lzc256:v1.2.1
lzc256:v1.2.0
lzc256:v1.0.5
lzc256:v1.0.4
lzc256:v1.0.3
lzc256:v1.0.2
lzc256:v1.0.1
lzc256:v1.1.0
lzc256:v1.0.0
lzc256:v0.100.0-153
lzc256:v0.100.0-107
lzc256:v0.100.0
lzc256:v0.99.1
lzc256:v0.99.0
lzc256:v0.98.1
lzc256:v0.98.0
lzc256:v0.98
lzc256:v0.97
lzc256:v0.96.1
lzc256:v0.96

2 Commits
main ... maisem/fun

Author SHA1 Message Date
Maisem Ali 9500e7a2c0 ipn/ipnlocal: add support to store certs in k8s secrets 
Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2023-02-01 06:25:48 -08:00
Maisem Ali e2aa56b594 cmd/containerboot: add support for setting funnel TCP portforward 
WIP

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2023-02-01 06:25:38 -08:00
8 changed files with 137 additions and 36 deletions
Show Stats Expand all files Collapse all files

78
cmd/containerboot/main.go
View File

@ -90,8 +90,31 @@ func main() {
AuthOnce: defaultBool("TS_AUTH_ONCE", false),
Root: defaultEnv("TS_TEST_ONLY_ROOT", "/"),
}
funnelForwardPorts := strings.Split(defaultEnv("TS_FUNNEL_TCP_PORTFORWARD", ""), ",")
if len(funnelForwardPorts) > 0 {
ffp := make(map[uint16]uint16)
for _, p := range funnelForwardPorts {
if p == "" {
continue
}
from, to, ok := strings.Cut(p, ":")
if !ok {
log.Fatalf("TS_FUNNEL_TCP_PORTFORWARD: %q is not a valid port pair", p)
}
fp, err := strconv.ParseUint(from, 10, 16)
if err != nil {
log.Fatalf("TS_FUNNEL_TCP_PORTFORWARD: %v", err)
}
tp, err := strconv.ParseUint(to, 10, 16)
if err != nil {
log.Fatalf("TS_FUNNEL_TCP_PORTFORWARD: %v", err)
}
ffp[uint16(fp)] = uint16(tp)
}
cfg.FunnelTCPPorts = ffp
}
if cfg.ProxyTo != "" && cfg.UserspaceMode {
if cfg.ProxyTo != "" && cfg.UserspaceMode && len(cfg.FunnelTCPPorts) == 0 {
log.Fatal("TS_DEST_IP is not supported with TS_USERSPACE")
}
@ -240,10 +263,8 @@ authLoop:
}
var (
wantProxy = cfg.ProxyTo != ""
wantDeviceInfo = cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch
startupTasksDone = false
currentIPs deephash.Sum // tailscale IPs assigned to device
currentDeviceInfo deephash.Sum // device ID and fqdn
)
for {
@ -261,11 +282,6 @@ authLoop:
log.Fatalf("tailscaled left running state (now in state %q), exiting", *n.State)
}
if n.NetMap != nil {
if cfg.ProxyTo != "" && len(n.NetMap.Addresses) > 0 && deephash.Update(&currentIPs, &n.NetMap.Addresses) {
if err := installIPTablesRule(ctx, cfg.ProxyTo, n.NetMap.Addresses); err != nil {
log.Fatalf("installing proxy rules: %v", err)
}
}
deviceInfo := []any{n.NetMap.SelfNode.StableID, n.NetMap.SelfNode.Name}
if cfg.InKubernetes && cfg.KubernetesCanPatch && cfg.KubeSecret != "" && deephash.Update(&currentDeviceInfo, &deviceInfo) {
if err := storeDeviceInfo(ctx, cfg.KubeSecret, n.NetMap.SelfNode.StableID, n.NetMap.SelfNode.Name); err != nil {
@ -274,7 +290,10 @@ authLoop:
}
}
if !startupTasksDone {
if (!wantProxy || currentIPs != deephash.Sum{}) && (!wantDeviceInfo || currentDeviceInfo != deephash.Sum{}) {
if (!wantDeviceInfo || currentDeviceInfo != deephash.Sum{}) {
if err := configureForwarding(ctx, client, cfg); err != nil {
log.Fatalf("configuring forwarding: %v", err)
}
// This log message is used in tests to detect when all
// post-auth configuration is done.
log.Println("Startup complete, waiting for shutdown signal")
@ -305,6 +324,35 @@ authLoop:
}
}
func configureForwarding(ctx context.Context, client *tailscale.LocalClient, cfg *settings) error {
if cfg.ProxyTo == "" {
return nil
}
st, err := client.StatusWithoutPeers(ctx)
if err != nil {
return err
}
if len(cfg.FunnelTCPPorts) == 0 {
return installIPTablesRule(ctx, cfg.ProxyTo, st.Self.TailscaleIPs)
}
if len(st.CertDomains) == 0 {
return errors.New("no cert domains, cannot configure TCP forwarding")
}
cd := st.CertDomains[0]
sc := &ipn.ServeConfig{
AllowFunnel: make(map[ipn.HostPort]bool),
TCP: make(map[uint16]*ipn.TCPPortHandler),
}
for f, t := range cfg.FunnelTCPPorts {
sc.TCP[f] = &ipn.TCPPortHandler{
TCPForward: fmt.Sprintf("%s:%d", cfg.ProxyTo, t),
TerminateTLS: cd,
}
sc.AllowFunnel[ipn.HostPort(fmt.Sprintf("%s:%d", cd, f))] = true
}
return client.SetServeConfig(ctx, sc)
}
func startTailscaled(ctx context.Context, cfg *settings) (*tailscale.LocalClient, int, error) {
args := tailscaledArgs(cfg)
sigCh := make(chan os.Signal, 1)
@ -488,7 +536,7 @@ func ensureIPForwarding(root, proxyTo, routes string) error {
return nil
}
func installIPTablesRule(ctx context.Context, dstStr string, tsIPs []netip.Prefix) error {
func installIPTablesRule(ctx context.Context, dstStr string, tsIPs []netip.Addr) error {
dst, err := netip.ParseAddr(dstStr)
if err != nil {
return err
@ -498,14 +546,11 @@ func installIPTablesRule(ctx context.Context, dstStr string, tsIPs []netip.Prefi
argv0 = "ip6tables"
}
var local string
for _, pfx := range tsIPs {
if !pfx.IsSingleIP() {
for _, addr := range tsIPs {
if addr.Is4() != dst.Is4() {
continue
}
if pfx.Addr().Is4() != dst.Is4() {
continue
}
local = pfx.Addr().String()
local = addr.String()
break
}
if local == "" {
@ -529,6 +574,7 @@ type settings struct {
Hostname string
Routes string
ProxyTo string
FunnelTCPPorts map[uint16]uint16 // from Tailscale port -> to ProxyTo port
DaemonExtraArgs string
ExtraArgs string
InKubernetes bool

2
cmd/k8s-operator/manifests/proxy.yaml
View File

@ -27,8 +27,6 @@ spec:
- name: tailscale
imagePullPolicy: Always
env:
- name: TS_USERSPACE
value: "false"
- name: TS_AUTH_ONCE
value: "true"
securityContext:

22
cmd/k8s-operator/operator.go
View File

@ -235,9 +235,10 @@ const (
FinalizerName = "tailscale.com/finalizer"
AnnotationExpose = "tailscale.com/expose"
AnnotationTags = "tailscale.com/tags"
AnnotationHostname = "tailscale.com/hostname"
AnnotationExpose = "tailscale.com/expose"
AnnotationTags = "tailscale.com/tags"
AnnotationHostname = "tailscale.com/hostname"
AnnotationFunnelPorts = "tailscale.com/funnel-tcp-portforward"
)
// ServiceReconciler is a simple ControllerManagedBy example implementation.
@ -584,6 +585,21 @@ func (a *ServiceReconciler) reconcileSTS(ctx context.Context, logger *zap.Sugare
Name: "TS_HOSTNAME",
Value: hostname,
})
if len(parentSvc.Annotations[AnnotationFunnelPorts]) > 0 {
container.Env = append(container.Env, corev1.EnvVar{
Name: "TS_FUNNEL_TCP_PORTFORWARD",
Value: parentSvc.Annotations[AnnotationFunnelPorts],
})
container.Env = append(container.Env, corev1.EnvVar{
Name: "TS_USERSPACE",
Value: "true",
})
} else {
container.Env = append(container.Env, corev1.EnvVar{
Name: "TS_USERSPACE",
Value: "false",
})
}
ss.ObjectMeta = metav1.ObjectMeta{
Name: headlessSvc.Name,
Namespace: a.operatorNamespace,

61
ipn/ipnlocal/cert.go
View File

@ -32,6 +32,8 @@ import (
"golang.org/x/crypto/acme"
"tailscale.com/envknob"
"tailscale.com/hostinfo"
"tailscale.com/ipn"
"tailscale.com/ipn/ipnstate"
"tailscale.com/types/logger"
"tailscale.com/version"
@ -94,9 +96,9 @@ func (b *LocalBackend) GetCertPEM(ctx context.Context, domain string) (*TLSCertK
log.Printf("acme %T: %s", v, j)
}
if pair, ok := getCertPEMCached(dir, domain, now); ok {
if pair, ok := b.getCertPEMCached(dir, domain, now); ok {
future := now.AddDate(0, 0, 14)
if shouldStartDomainRenewal(dir, domain, future) {
if b.shouldStartDomainRenewal(dir, domain, future) {
logf("starting async renewal")
// Start renewal in the background.
go b.getCertPEM(context.Background(), logf, traceACME, dir, domain, future)
@ -112,7 +114,7 @@ func (b *LocalBackend) GetCertPEM(ctx context.Context, domain string) (*TLSCertK
return pair, nil
}
func shouldStartDomainRenewal(dir, domain string, future time.Time) bool {
func (b *LocalBackend) shouldStartDomainRenewal(dir, domain string, future time.Time) bool {
renewMu.Lock()
defer renewMu.Unlock()
now := time.Now()
@ -122,7 +124,7 @@ func shouldStartDomainRenewal(dir, domain string, future time.Time) bool {
return false
}
lastRenewCheck[domain] = now
_, ok := getCertPEMCached(dir, domain, future)
_, ok := b.getCertPEMCached(dir, domain, future)
return !ok
}
@ -140,17 +142,36 @@ func certFile(dir, domain string) string { return filepath.Join(dir, domain+".cr
// getCertPEMCached returns a non-nil keyPair and true if a cached
// keypair for domain exists on disk in dir that is valid at the
// provided now time.
func getCertPEMCached(dir, domain string, now time.Time) (p *TLSCertKeyPair, ok bool) {
func (b *LocalBackend) getCertPEMCached(dir, domain string, now time.Time) (p *TLSCertKeyPair, ok bool) {
if !validLookingCertDomain(domain) {
// Before we read files from disk using it, validate it's halfway
// reasonable looking.
return nil, false
}
if keyPEM, err := os.ReadFile(keyFile(dir, domain)); err == nil {
certPEM, _ := os.ReadFile(certFile(dir, domain))
if validCertPEM(domain, keyPEM, certPEM, now) {
return &TLSCertKeyPair{CertPEM: certPEM, KeyPEM: keyPEM, Cached: true}, true
var keyPEM, certPEM []byte
var err error
if hostinfo.GetEnvType() == hostinfo.Kubernetes {
var err error
certPEM, err = b.store.ReadState(ipn.StateKey(domain + ".crt"))
if err != nil {
return nil, false
}
keyPEM, err = b.store.ReadState(ipn.StateKey(domain + ".key"))
if err != nil {
return nil, false
}
} else {
certPEM, err = os.ReadFile(keyFile(dir, domain))
if err != nil {
return nil, false
}
keyPEM, err = os.ReadFile(certFile(dir, domain))
if err != nil {
return nil, false
}
}
if validCertPEM(domain, keyPEM, certPEM, now) {
return &TLSCertKeyPair{CertPEM: certPEM, KeyPEM: keyPEM, Cached: true}, true
}
return nil, false
}
@ -159,7 +180,7 @@ func (b *LocalBackend) getCertPEM(ctx context.Context, logf logger.Logf, traceAC
acmeMu.Lock()
defer acmeMu.Unlock()
if p, ok := getCertPEMCached(dir, domain, now); ok {
if p, ok := b.getCertPEMCached(dir, domain, now); ok {
return p, nil
}
@ -274,8 +295,14 @@ func (b *LocalBackend) getCertPEM(ctx context.Context, logf logger.Logf, traceAC
if err := encodeECDSAKey(&privPEM, certPrivKey); err != nil {
return nil, err
}
if err := os.WriteFile(keyFile(dir, domain), privPEM.Bytes(), 0600); err != nil {
return nil, err
if hostinfo.GetEnvType() == hostinfo.Kubernetes {
if err := b.store.WriteState(ipn.StateKey(domain+".key"), privPEM.Bytes()); err != nil {
return nil, err
}
} else {
if err := os.WriteFile(keyFile(dir, domain), privPEM.Bytes(), 0600); err != nil {
return nil, err
}
}
csr, err := certRequest(certPrivKey, domain, nil)
@ -297,8 +324,14 @@ func (b *LocalBackend) getCertPEM(ctx context.Context, logf logger.Logf, traceAC
return nil, err
}
}
if err := os.WriteFile(certFile(dir, domain), certPEM.Bytes(), 0644); err != nil {
return nil, err
if hostinfo.GetEnvType() == hostinfo.Kubernetes {
if err := b.store.WriteState(ipn.StateKey(domain+".crt"), certPEM.Bytes()); err != nil {
return nil, err
}
} else {
if err := os.WriteFile(certFile(dir, domain), certPEM.Bytes(), 0644); err != nil {
return nil, err
}
}
return &TLSCertKeyPair{CertPEM: certPEM.Bytes(), KeyPEM: privPEM.Bytes()}, nil

2
ipn/ipnlocal/profiles.go
View File

@ -185,7 +185,7 @@ func init() {
func (pm *profileManager) SetPrefs(prefsIn ipn.PrefsView) error {
prefs := prefsIn.AsStruct().View()
newPersist := prefs.Persist().AsStruct()
if newPersist == nil || newPersist.LoginName == "" {
if newPersist == nil || newPersist.NodeID == "" {
return pm.setPrefsLocked(prefs)
}
up := newPersist.UserProfile

2
ipn/ipnlocal/profiles_test.go
View File

@ -5,6 +5,7 @@ package ipnlocal
import (
"fmt"
"strconv"
"testing"
"tailscale.com/ipn"
@ -337,6 +338,7 @@ func TestProfileManagementWindows(t *testing.T) {
ID: id,
LoginName: loginName,
},
NodeID: tailcfg.StableNodeID(strconv.Itoa(int(id))),
}
if err := pm.SetPrefs(p.View()); err != nil {
t.Fatal(err)

3
ipn/ipnlocal/state_test.go
View File

@ -473,6 +473,7 @@ func TestStateMachine(t *testing.T) {
notifies.expect(3)
cc.persist.LoginName = "user1"
cc.persist.UserProfile.LoginName = "user1"
cc.persist.NodeID = "node1"
cc.send(nil, "", true, &netmap.NetworkMap{})
{
nn := notifies.drain(3)
@ -699,6 +700,7 @@ func TestStateMachine(t *testing.T) {
notifies.expect(3)
cc.persist.LoginName = "user2"
cc.persist.UserProfile.LoginName = "user2"
cc.persist.NodeID = "node2"
cc.send(nil, "", true, &netmap.NetworkMap{
MachineStatus: tailcfg.MachineAuthorized,
})
@ -835,6 +837,7 @@ func TestStateMachine(t *testing.T) {
notifies.expect(3)
cc.persist.LoginName = "user3"
cc.persist.UserProfile.LoginName = "user3"
cc.persist.NodeID = "node3"
cc.send(nil, "", true, &netmap.NetworkMap{
MachineStatus: tailcfg.MachineAuthorized,
})

3
ipn/store/kubestore/store_kube.go
View File

@ -7,6 +7,7 @@ package kubestore
import (
"context"
"strings"
"time"
"tailscale.com/ipn"
@ -36,6 +37,7 @@ func (s *Store) String() string { return "kube.Store" }
// ReadState implements the StateStore interface.
func (s *Store) ReadState(id ipn.StateKey) ([]byte, error) {
id = ipn.StateKey(strings.ReplaceAll(string(id), "/", "__"))
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
@ -55,6 +57,7 @@ func (s *Store) ReadState(id ipn.StateKey) ([]byte, error) {
// WriteState implements the StateStore interface.
func (s *Store) WriteState(id ipn.StateKey, bs []byte) error {
id = ipn.StateKey(strings.ReplaceAll(string(id), "/", "__"))
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()