various: bump go dependeny to 1.23.5

Bump to latest patch version of 1.23 to get security fixes. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>
tsnet: return from Accept when the listener gets closed
2025-01-28 10:43:29 -07:00 · 2025-01-28 14:02:36 +00:00 · 2025-01-28 10:05:49 +00:00 · 2025-01-27 22:15:08 +00:00 · 2025-01-27 22:01:50 +00:00 · 2025-01-27 21:32:26 +00:00
233 changed files with 14115 additions and 2858 deletions
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -49,13 +49,13 @@ jobs:

    # Install a more recent Go that understands modern go.mod content.
    - name: Install Go
-      uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
      with:
        go-version-file: go.mod

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+      uses: github/codeql-action/init@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
@@ -66,7 +66,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+      uses: github/codeql-action/autobuild@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -80,4 +80,4 @@ jobs:
    #   make release

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+      uses: github/codeql-action/analyze@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -25,14 +25,13 @@ jobs:
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          go-version-file: go.mod
          cache: false

      - name: golangci-lint
-        # Note: this is the 'v6.1.0' tag as of 2024-08-21
-        uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86
+        uses: golangci/golangci-lint-action@ec5d18412c0aeab7936cb16880d708ba2a64e1ae # v6.2.0
        with:
          version: v1.60

--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -24,13 +24,13 @@ jobs:

      - name: Post to slack
        if: failure() && github.event_name == 'schedule'
-        uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
-        env:
-          SLACK_BOT_TOKEN: ${{ secrets.GOVULNCHECK_BOT_TOKEN }}
+        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
        with:
-          channel-id: 'C05PXRM304B'
+          method: chat.postMessage
+          token: ${{ secrets.GOVULNCHECK_BOT_TOKEN }}
          payload: |
            {
+              "channel": "C05PXRM304B",
              "blocks": [
                {
                  "type": "section",
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -153,7 +153,7 @@ jobs:
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

    - name: Install Go
-      uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
      with:
        go-version-file: go.mod
        cache: false
@@ -467,7 +467,7 @@ jobs:
      run: |
        echo "artifacts_path=$(realpath .)" >> $GITHUB_ENV
    - name: upload crash
-      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
      if: steps.run.outcome != 'success' && steps.build.outcome == 'success'
      with:
        name: artifacts
@@ -481,7 +481,7 @@ jobs:
    - name: check depaware
      run: |
        export PATH=$(./tool/go env GOROOT)/bin:$PATH
-        find . -name 'depaware.txt' | xargs -n1 dirname | xargs ./tool/go run github.com/tailscale/depaware --check
+        find . -name 'depaware.txt' | xargs -n1 dirname | xargs ./tool/go run github.com/tailscale/depaware --check --internal

  go_generate:
    runs-on: ubuntu-22.04
@@ -569,8 +569,10 @@ jobs:
      # By having the job always run, but skipping its only step as needed, we
      # let the CI output collapse nicely in PRs.
      if: failure() && github.event_name == 'push'
-      uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
+      uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
      with:
+        webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+        webhook-type: incoming-webhook
        payload: |
          {
            "attachments": [{
@@ -582,9 +584,6 @@ jobs:
              "color": "danger"
            }]
          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-        SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

  check_mergeability:
    if: always()
--- a/.github/workflows/update-flake.yml
+++ b/.github/workflows/update-flake.yml
@@ -36,7 +36,7 @@ jobs:
          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}

      - name: Send pull request
-        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f #v7.0.5
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f #v7.0.6
        with:
          token: ${{ steps.generate-token.outputs.token }}
          author: Flakes Updater <noreply+flakes-updater@tailscale.com>
--- a/.github/workflows/update-webclient-prebuilt.yml
+++ b/.github/workflows/update-webclient-prebuilt.yml
@@ -35,7 +35,7 @@ jobs:

      - name: Send pull request
        id: pull-request
-        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f #v7.0.5
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f #v7.0.6
        with:
          token: ${{ steps.generate-token.outputs.token }}
          author: OSS Updater <noreply+oss-updater@tailscale.com>
--- a/ALPINE.txt
+++ b/ALPINE.txt
@@ -1 +1 @@
-3.21
+3.18
--- a/2
+++ b/2
@@ -62,7 +62,7 @@ RUN GOARCH=$TARGETARCH go install -ldflags="\
      -X tailscale.com/version.gitCommitStamp=$VERSION_GIT_HASH" \
      -v ./cmd/tailscale ./cmd/tailscaled ./cmd/containerboot

-FROM alpine:3.21
+FROM alpine:3.18
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables

 COPY --from=build-env /go/bin/* /usr/local/bin/
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -1,5 +1,5 @@
 # Copyright (c) Tailscale Inc & AUTHORS
 # SPDX-License-Identifier: BSD-3-Clause

-FROM alpine:3.21
+FROM alpine:3.18
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables iputils
--- a/4
+++ b/4
@@ -17,7 +17,7 @@ lint: ## Run golangci-lint
 updatedeps: ## Update depaware deps
 	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
 	# it finds in its $$PATH is the right one.
-	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --update \
+	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --update --internal \
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
 		tailscale.com/cmd/derper \
@@ -27,7 +27,7 @@ updatedeps: ## Update depaware deps
 depaware: ## Run depaware checks
 	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
 	# it finds in its $$PATH is the right one.
-	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --check \
+	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --check --internal \
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
 		tailscale.com/cmd/derper \
--- a/appc/appconnector.go
+++ b/appc/appconnector.go
@@ -374,13 +374,13 @@ func (e *AppConnector) DomainRoutes() map[string][]netip.Addr {
 // response is being returned over the PeerAPI. The response is parsed and
 // matched against the configured domains, if matched the routeAdvertiser is
 // advised to advertise the discovered route.
-func (e *AppConnector) ObserveDNSResponse(res []byte) {
+func (e *AppConnector) ObserveDNSResponse(res []byte) error {
 	var p dnsmessage.Parser
 	if _, err := p.Start(res); err != nil {
-		return
+		return err
 	}
 	if err := p.SkipAllQuestions(); err != nil {
-		return
+		return err
 	}

 	// cnameChain tracks a chain of CNAMEs for a given query in order to reverse
@@ -399,12 +399,12 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) {
 			break
 		}
 		if err != nil {
-			return
+			return err
 		}

 		if h.Class != dnsmessage.ClassINET {
 			if err := p.SkipAnswer(); err != nil {
-				return
+				return err
 			}
 			continue
 		}
@@ -413,7 +413,7 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) {
 		case dnsmessage.TypeCNAME, dnsmessage.TypeA, dnsmessage.TypeAAAA:
 		default:
 			if err := p.SkipAnswer(); err != nil {
-				return
+				return err
 			}
 			continue

@@ -427,7 +427,7 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) {
 		if h.Type == dnsmessage.TypeCNAME {
 			res, err := p.CNAMEResource()
 			if err != nil {
-				return
+				return err
 			}
 			cname := strings.TrimSuffix(strings.ToLower(res.CNAME.String()), ".")
 			if len(cname) == 0 {
@@ -441,20 +441,20 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) {
 		case dnsmessage.TypeA:
 			r, err := p.AResource()
 			if err != nil {
-				return
+				return err
 			}
 			addr := netip.AddrFrom4(r.A)
 			mak.Set(&addressRecords, domain, append(addressRecords[domain], addr))
 		case dnsmessage.TypeAAAA:
 			r, err := p.AAAAResource()
 			if err != nil {
-				return
+				return err
 			}
 			addr := netip.AddrFrom16(r.AAAA)
 			mak.Set(&addressRecords, domain, append(addressRecords[domain], addr))
 		default:
 			if err := p.SkipAnswer(); err != nil {
-				return
+				return err
 			}
 			continue
 		}
@@ -485,6 +485,7 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) {
 			e.scheduleAdvertisement(domain, toAdvertise...)
 		}
 	}
+	return nil
 }

 // starting from the given domain that resolved to an address, find it, or any
--- a/appc/appconnector_test.go
+++ b/appc/appconnector_test.go
@@ -69,7 +69,9 @@ func TestUpdateRoutes(t *testing.T) {
 		a.updateDomains([]string{"*.example.com"})

 		// This route should be collapsed into the range
-		a.ObserveDNSResponse(dnsResponse("a.example.com.", "192.0.2.1"))
+		if err := a.ObserveDNSResponse(dnsResponse("a.example.com.", "192.0.2.1")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
 		a.Wait(ctx)

 		if !slices.Equal(rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}) {
@@ -77,7 +79,9 @@ func TestUpdateRoutes(t *testing.T) {
 		}

 		// This route should not be collapsed or removed
-		a.ObserveDNSResponse(dnsResponse("b.example.com.", "192.0.0.1"))
+		if err := a.ObserveDNSResponse(dnsResponse("b.example.com.", "192.0.0.1")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
 		a.Wait(ctx)

 		routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24"), netip.MustParsePrefix("192.0.0.1/32")}
@@ -130,7 +134,9 @@ func TestDomainRoutes(t *testing.T) {
 			a = NewAppConnector(t.Logf, rc, nil, nil)
 		}
 		a.updateDomains([]string{"example.com"})
-		a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
+		if err := a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
 		a.Wait(context.Background())

 		want := map[string][]netip.Addr{
@@ -155,7 +161,9 @@ func TestObserveDNSResponse(t *testing.T) {
 		}

 		// a has no domains configured, so it should not advertise any routes
-		a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
+		if err := a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
 		if got, want := rc.Routes(), ([]netip.Prefix)(nil); !slices.Equal(got, want) {
 			t.Errorf("got %v; want %v", got, want)
 		}
@@ -163,7 +171,9 @@ func TestObserveDNSResponse(t *testing.T) {
 		wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}

 		a.updateDomains([]string{"example.com"})
-		a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
+		if err := a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
 		a.Wait(ctx)
 		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
 			t.Errorf("got %v; want %v", got, want)
@@ -172,7 +182,9 @@ func TestObserveDNSResponse(t *testing.T) {
 		// a CNAME record chain should result in a route being added if the chain
 		// matches a routed domain.
 		a.updateDomains([]string{"www.example.com", "example.com"})
-		a.ObserveDNSResponse(dnsCNAMEResponse("192.0.0.9", "www.example.com.", "chain.example.com.", "example.com."))
+		if err := a.ObserveDNSResponse(dnsCNAMEResponse("192.0.0.9", "www.example.com.", "chain.example.com.", "example.com.")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
 		a.Wait(ctx)
 		wantRoutes = append(wantRoutes, netip.MustParsePrefix("192.0.0.9/32"))
 		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
@@ -181,7 +193,9 @@ func TestObserveDNSResponse(t *testing.T) {

 		// a CNAME record chain should result in a route being added if the chain
 		// even if only found in the middle of the chain
-		a.ObserveDNSResponse(dnsCNAMEResponse("192.0.0.10", "outside.example.org.", "www.example.com.", "example.org."))
+		if err := a.ObserveDNSResponse(dnsCNAMEResponse("192.0.0.10", "outside.example.org.", "www.example.com.", "example.org.")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
 		a.Wait(ctx)
 		wantRoutes = append(wantRoutes, netip.MustParsePrefix("192.0.0.10/32"))
 		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
@@ -190,14 +204,18 @@ func TestObserveDNSResponse(t *testing.T) {

 		wantRoutes = append(wantRoutes, netip.MustParsePrefix("2001:db8::1/128"))

-		a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1"))
+		if err := a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
 		a.Wait(ctx)
 		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
 			t.Errorf("got %v; want %v", got, want)
 		}

 		// don't re-advertise routes that have already been advertised
-		a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1"))
+		if err := a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
 		a.Wait(ctx)
 		if !slices.Equal(rc.Routes(), wantRoutes) {
 			t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
@@ -207,7 +225,9 @@ func TestObserveDNSResponse(t *testing.T) {
 		pfx := netip.MustParsePrefix("192.0.2.0/24")
 		a.updateRoutes([]netip.Prefix{pfx})
 		wantRoutes = append(wantRoutes, pfx)
-		a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.2.1"))
+		if err := a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.2.1")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
 		a.Wait(ctx)
 		if !slices.Equal(rc.Routes(), wantRoutes) {
 			t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
@@ -230,7 +250,9 @@ func TestWildcardDomains(t *testing.T) {
 		}

 		a.updateDomains([]string{"*.example.com"})
-		a.ObserveDNSResponse(dnsResponse("foo.example.com.", "192.0.0.8"))
+		if err := a.ObserveDNSResponse(dnsResponse("foo.example.com.", "192.0.0.8")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
 		a.Wait(ctx)
 		if got, want := rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}; !slices.Equal(got, want) {
 			t.Errorf("routes: got %v; want %v", got, want)
@@ -438,10 +460,16 @@ func TestUpdateDomainRouteRemoval(t *testing.T) {
 		// adding domains doesn't immediately cause any routes to be advertised
 		assertRoutes("update domains", []netip.Prefix{}, []netip.Prefix{})

-		a.ObserveDNSResponse(dnsResponse("a.example.com.", "1.2.3.1"))
-		a.ObserveDNSResponse(dnsResponse("a.example.com.", "1.2.3.2"))
-		a.ObserveDNSResponse(dnsResponse("b.example.com.", "1.2.3.3"))
-		a.ObserveDNSResponse(dnsResponse("b.example.com.", "1.2.3.4"))
+		for _, res := range [][]byte{
+			dnsResponse("a.example.com.", "1.2.3.1"),
+			dnsResponse("a.example.com.", "1.2.3.2"),
+			dnsResponse("b.example.com.", "1.2.3.3"),
+			dnsResponse("b.example.com.", "1.2.3.4"),
+		} {
+			if err := a.ObserveDNSResponse(res); err != nil {
+				t.Errorf("ObserveDNSResponse: %v", err)
+			}
+		}
 		a.Wait(ctx)
 		// observing dns responses causes routes to be advertised
 		assertRoutes("observed dns", prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32"), []netip.Prefix{})
@@ -487,10 +515,16 @@ func TestUpdateWildcardRouteRemoval(t *testing.T) {
 		// adding domains doesn't immediately cause any routes to be advertised
 		assertRoutes("update domains", []netip.Prefix{}, []netip.Prefix{})

-		a.ObserveDNSResponse(dnsResponse("a.example.com.", "1.2.3.1"))
-		a.ObserveDNSResponse(dnsResponse("a.example.com.", "1.2.3.2"))
-		a.ObserveDNSResponse(dnsResponse("1.b.example.com.", "1.2.3.3"))
-		a.ObserveDNSResponse(dnsResponse("2.b.example.com.", "1.2.3.4"))
+		for _, res := range [][]byte{
+			dnsResponse("a.example.com.", "1.2.3.1"),
+			dnsResponse("a.example.com.", "1.2.3.2"),
+			dnsResponse("1.b.example.com.", "1.2.3.3"),
+			dnsResponse("2.b.example.com.", "1.2.3.4"),
+		} {
+			if err := a.ObserveDNSResponse(res); err != nil {
+				t.Errorf("ObserveDNSResponse: %v", err)
+			}
+		}
 		a.Wait(ctx)
 		// observing dns responses causes routes to be advertised
 		assertRoutes("observed dns", prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32"), []netip.Prefix{})
--- a/atomicfile/atomicfile.go
+++ b/atomicfile/atomicfile.go
@@ -15,8 +15,9 @@ import (
 )

 // WriteFile writes data to filename+some suffix, then renames it into filename.
-// The perm argument is ignored on Windows. If the target filename already
-// exists but is not a regular file, WriteFile returns an error.
+// The perm argument is ignored on Windows, but if the target filename already
+// exists then the target file's attributes and ACLs are preserved. If the target
+// filename already exists but is not a regular file, WriteFile returns an error.
 func WriteFile(filename string, data []byte, perm os.FileMode) (err error) {
 	fi, err := os.Stat(filename)
 	if err == nil && !fi.Mode().IsRegular() {
@@ -47,5 +48,5 @@ func WriteFile(filename string, data []byte, perm os.FileMode) (err error) {
 	if err := f.Close(); err != nil {
 		return err
 	}
-	return os.Rename(tmpName, filename)
+	return rename(tmpName, filename)
 }
--- a/atomicfile/atomicfile_notwindows.go
+++ b/atomicfile/atomicfile_notwindows.go
@@ -0,0 +1,14 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !windows
+
+package atomicfile
+
+import (
+	"os"
+)
+
+func rename(srcFile, destFile string) error {
+	return os.Rename(srcFile, destFile)
+}
--- a/atomicfile/atomicfile_windows.go
+++ b/atomicfile/atomicfile_windows.go
@@ -0,0 +1,33 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package atomicfile
+
+import (
+	"os"
+
+	"golang.org/x/sys/windows"
+)
+
+func rename(srcFile, destFile string) error {
+	// Use replaceFile when possible to preserve the original file's attributes and ACLs.
+	if err := replaceFile(destFile, srcFile); err == nil || err != windows.ERROR_FILE_NOT_FOUND {
+		return err
+	}
+	// destFile doesn't exist. Just do a normal rename.
+	return os.Rename(srcFile, destFile)
+}
+
+func replaceFile(destFile, srcFile string) error {
+	destFile16, err := windows.UTF16PtrFromString(destFile)
+	if err != nil {
+		return err
+	}
+
+	srcFile16, err := windows.UTF16PtrFromString(srcFile)
+	if err != nil {
+		return err
+	}
+
+	return replaceFileW(destFile16, srcFile16, nil, 0, nil, nil)
+}
--- a/atomicfile/atomicfile_windows_test.go
+++ b/atomicfile/atomicfile_windows_test.go
@@ -0,0 +1,146 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package atomicfile
+
+import (
+	"os"
+	"testing"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var _SECURITY_RESOURCE_MANAGER_AUTHORITY = windows.SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 9}}
+
+// makeRandomSID generates a SID derived from a v4 GUID.
+// This is basically the same algorithm used by browser sandboxes for generating
+// random SIDs.
+func makeRandomSID() (*windows.SID, error) {
+	guid, err := windows.GenerateGUID()
+	if err != nil {
+		return nil, err
+	}
+
+	rids := *((*[4]uint32)(unsafe.Pointer(&guid)))
+
+	var pSID *windows.SID
+	if err := windows.AllocateAndInitializeSid(&_SECURITY_RESOURCE_MANAGER_AUTHORITY, 4, rids[0], rids[1], rids[2], rids[3], 0, 0, 0, 0, &pSID); err != nil {
+		return nil, err
+	}
+	defer windows.FreeSid(pSID)
+
+	// Make a copy that lives on the Go heap
+	return pSID.Copy()
+}
+
+func getExistingFileSD(name string) (*windows.SECURITY_DESCRIPTOR, error) {
+	const infoFlags = windows.DACL_SECURITY_INFORMATION
+	return windows.GetNamedSecurityInfo(name, windows.SE_FILE_OBJECT, infoFlags)
+}
+
+func getExistingFileDACL(name string) (*windows.ACL, error) {
+	sd, err := getExistingFileSD(name)
+	if err != nil {
+		return nil, err
+	}
+
+	dacl, _, err := sd.DACL()
+	return dacl, err
+}
+
+func addDenyACEForRandomSID(dacl *windows.ACL) (*windows.ACL, error) {
+	randomSID, err := makeRandomSID()
+	if err != nil {
+		return nil, err
+	}
+
+	randomSIDTrustee := windows.TRUSTEE{nil, windows.NO_MULTIPLE_TRUSTEE,
+		windows.TRUSTEE_IS_SID, windows.TRUSTEE_IS_UNKNOWN,
+		windows.TrusteeValueFromSID(randomSID)}
+
+	entries := []windows.EXPLICIT_ACCESS{
+		{
+			windows.GENERIC_ALL,
+			windows.DENY_ACCESS,
+			windows.NO_INHERITANCE,
+			randomSIDTrustee,
+		},
+	}
+
+	return windows.ACLFromEntries(entries, dacl)
+}
+
+func setExistingFileDACL(name string, dacl *windows.ACL) error {
+	return windows.SetNamedSecurityInfo(name, windows.SE_FILE_OBJECT,
+		windows.DACL_SECURITY_INFORMATION, nil, nil, dacl, nil)
+}
+
+// makeOrigFileWithCustomDACL creates a new, temporary file with a custom
+// DACL that we can check for later. It returns the name of the temporary
+// file and the security descriptor for the file in SDDL format.
+func makeOrigFileWithCustomDACL() (name, sddl string, err error) {
+	f, err := os.CreateTemp("", "foo*.tmp")
+	if err != nil {
+		return "", "", err
+	}
+	name = f.Name()
+	if err := f.Close(); err != nil {
+		return "", "", err
+	}
+	f = nil
+	defer func() {
+		if err != nil {
+			os.Remove(name)
+		}
+	}()
+
+	dacl, err := getExistingFileDACL(name)
+	if err != nil {
+		return "", "", err
+	}
+
+	// Add a harmless, deny-only ACE for a random SID that isn't used for anything
+	// (but that we can check for later).
+	dacl, err = addDenyACEForRandomSID(dacl)
+	if err != nil {
+		return "", "", err
+	}
+
+	if err := setExistingFileDACL(name, dacl); err != nil {
+		return "", "", err
+	}
+
+	sd, err := getExistingFileSD(name)
+	if err != nil {
+		return "", "", err
+	}
+
+	return name, sd.String(), nil
+}
+
+func TestPreserveSecurityInfo(t *testing.T) {
+	// Make a test file with a custom ACL.
+	origFileName, want, err := makeOrigFileWithCustomDACL()
+	if err != nil {
+		t.Fatalf("makeOrigFileWithCustomDACL returned %v", err)
+	}
+	t.Cleanup(func() {
+		os.Remove(origFileName)
+	})
+
+	if err := WriteFile(origFileName, []byte{}, 0); err != nil {
+		t.Fatalf("WriteFile returned %v", err)
+	}
+
+	// We expect origFileName's security descriptor to be unchanged despite
+	// the WriteFile call.
+	sd, err := getExistingFileSD(origFileName)
+	if err != nil {
+		t.Fatalf("getExistingFileSD(%q) returned %v", origFileName, err)
+	}
+
+	if got := sd.String(); got != want {
+		t.Errorf("security descriptor comparison failed: got %q, want %q", got, want)
+	}
+}
--- a/atomicfile/mksyscall.go
+++ b/atomicfile/mksyscall.go
@@ -0,0 +1,8 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package atomicfile
+
+//go:generate go run golang.org/x/sys/windows/mkwinsyscall -output zsyscall_windows.go mksyscall.go
+
+//sys replaceFileW(replaced *uint16, replacement *uint16, backup *uint16, flags uint32, exclude unsafe.Pointer, reserved unsafe.Pointer) (err error) [int32(failretval)==0] = kernel32.ReplaceFileW
--- a/atomicfile/zsyscall_windows.go
+++ b/atomicfile/zsyscall_windows.go
@@ -0,0 +1,52 @@
+// Code generated by 'go generate'; DO NOT EDIT.
+
+package atomicfile
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+	errnoERROR_IO_PENDING = 997
+)
+
+var (
+	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+	errERROR_EINVAL     error = syscall.EINVAL
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return errERROR_EINVAL
+	case errnoERROR_IO_PENDING:
+		return errERROR_IO_PENDING
+	}
+	// TODO: add more here, after collecting data on the common
+	// error values see on Windows. (perhaps when running
+	// all.bat?)
+	return e
+}
+
+var (
+	modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
+
+	procReplaceFileW = modkernel32.NewProc("ReplaceFileW")
+)
+
+func replaceFileW(replaced *uint16, replacement *uint16, backup *uint16, flags uint32, exclude unsafe.Pointer, reserved unsafe.Pointer) (err error) {
+	r1, _, e1 := syscall.Syscall6(procReplaceFileW.Addr(), 6, uintptr(unsafe.Pointer(replaced)), uintptr(unsafe.Pointer(replacement)), uintptr(unsafe.Pointer(backup)), uintptr(flags), uintptr(exclude), uintptr(reserved))
+	if int32(r1) == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
--- a/build_dist.sh
+++ b/build_dist.sh
@@ -37,7 +37,7 @@ while [ "$#" -gt 1 ]; do
 	--extra-small)
 		shift
 		ldflags="$ldflags -w -s"
-		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube,ts_omit_completion"
+		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube,ts_omit_completion,ts_omit_ssh,ts_omit_wakeonlan,ts_omit_capture"
 		;;
 	--box)
 		shift
--- a/client/tailscale/localclient.go
+++ b/client/tailscale/localclient.go
@@ -62,6 +62,12 @@ type LocalClient struct {
 	// machine's tailscaled or equivalent. If nil, a default is used.
 	Dial func(ctx context.Context, network, addr string) (net.Conn, error)

+	// Transport optionally specifies an alternate [http.RoundTripper]
+	// used to execute HTTP requests. If nil, a default [http.Transport] is used,
+	// potentially with custom dialing logic from [Dial].
+	// It is primarily used for testing.
+	Transport http.RoundTripper
+
 	// Socket specifies an alternate path to the local Tailscale socket.
 	// If empty, a platform-specific default is used.
 	Socket string
@@ -129,9 +135,9 @@ func (lc *LocalClient) DoLocalRequest(req *http.Request) (*http.Response, error)
 	req.Header.Set("Tailscale-Cap", strconv.Itoa(int(tailcfg.CurrentCapabilityVersion)))
 	lc.tsClientOnce.Do(func() {
 		lc.tsClient = &http.Client{
-			Transport: &http.Transport{
-				DialContext: lc.dialer(),
-			},
+			Transport: cmp.Or(lc.Transport, http.RoundTripper(
+				&http.Transport{DialContext: lc.dialer()}),
+			),
 		}
 	})
 	if !lc.OmitAuth {
--- a/client/web/src/components/views/login-view.tsx
+++ b/client/web/src/components/views/login-view.tsx
@@ -1,13 +1,11 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-import React, { useState } from "react"
+import React from "react"
 import { useAPI } from "src/api"
 import TailscaleIcon from "src/assets/icons/tailscale-icon.svg?react"
 import { NodeData } from "src/types"
 import Button from "src/ui/button"
-import Collapsible from "src/ui/collapsible"
-import Input from "src/ui/input"

 /**
 * LoginView is rendered when the client is not authenticated
@@ -15,8 +13,6 @@ import Input from "src/ui/input"
 */
 export default function LoginView({ data }: { data: NodeData }) {
  const api = useAPI()
-  const [controlURL, setControlURL] = useState<string>("")
-  const [authKey, setAuthKey] = useState<string>("")

  return (
    <div className="mb-8 py-6 px-8 bg-white rounded-md shadow-2xl">
@@ -88,8 +84,6 @@ export default function LoginView({ data }: { data: NodeData }) {
                action: "up",
                data: {
                  Reauthenticate: true,
-                  ControlURL: controlURL,
-                  AuthKey: authKey,
                },
              })
            }
@@ -98,34 +92,6 @@ export default function LoginView({ data }: { data: NodeData }) {
          >
            Log In
          </Button>
-          <Collapsible trigger="Advanced options">
-            <h4 className="font-medium mb-1 mt-2">Auth Key</h4>
-            <p className="text-sm text-gray-500">
-              Connect with a pre-authenticated key.{" "}
-              <a
-                href="https://tailscale.com/kb/1085/auth-keys/"
-                className="link"
-                target="_blank"
-                rel="noreferrer"
-              >
-                Learn more &rarr;
-              </a>
-            </p>
-            <Input
-              className="mt-2"
-              value={authKey}
-              onChange={(e) => setAuthKey(e.target.value)}
-              placeholder="tskey-auth-XXX"
-            />
-            <h4 className="font-medium mt-3 mb-1">Server URL</h4>
-            <p className="text-sm text-gray-500">Base URL of control server.</p>
-            <Input
-              className="mt-2"
-              value={controlURL}
-              onChange={(e) => setControlURL(e.target.value)}
-              placeholder="https://login.tailscale.com/"
-            />
-          </Collapsible>
        </>
      )}
    </div>
--- a/client/web/web.go
+++ b/client/web/web.go
@@ -89,8 +89,8 @@ type Server struct {
 type ServerMode string

 const (
-	// LoginServerMode serves a readonly login client for logging a
-	// node into a tailnet, and viewing a readonly interface of the
+	// LoginServerMode serves a read-only login client for logging a
+	// node into a tailnet, and viewing a read-only interface of the
 	// node's current Tailscale settings.
 	//
 	// In this mode, API calls are authenticated via platform auth.
@@ -110,7 +110,7 @@ const (
 	// This mode restricts the app to only being assessible over Tailscale,
 	// and API calls are authenticated via browser sessions associated with
 	// the source's Tailscale identity. If the source browser does not have
-	// a valid session, a readonly version of the app is displayed.
+	// a valid session, a read-only version of the app is displayed.
 	ManageServerMode ServerMode = "manage"
 )

@@ -695,16 +695,16 @@ func (s *Server) serveAPIAuth(w http.ResponseWriter, r *http.Request) {
 	switch {
 	case sErr != nil && errors.Is(sErr, errNotUsingTailscale):
 		s.lc.IncrementCounter(r.Context(), "web_client_viewing_local", 1)
-		resp.Authorized = false // restricted to the readonly view
+		resp.Authorized = false // restricted to the read-only view
 	case sErr != nil && errors.Is(sErr, errNotOwner):
 		s.lc.IncrementCounter(r.Context(), "web_client_viewing_not_owner", 1)
-		resp.Authorized = false // restricted to the readonly view
+		resp.Authorized = false // restricted to the read-only view
 	case sErr != nil && errors.Is(sErr, errTaggedLocalSource):
 		s.lc.IncrementCounter(r.Context(), "web_client_viewing_local_tag", 1)
-		resp.Authorized = false // restricted to the readonly view
+		resp.Authorized = false // restricted to the read-only view
 	case sErr != nil && errors.Is(sErr, errTaggedRemoteSource):
 		s.lc.IncrementCounter(r.Context(), "web_client_viewing_remote_tag", 1)
-		resp.Authorized = false // restricted to the readonly view
+		resp.Authorized = false // restricted to the read-only view
 	case sErr != nil && !errors.Is(sErr, errNoSession):
 		// Any other error.
 		http.Error(w, sErr.Error(), http.StatusInternalServerError)
--- a/cmd/containerboot/serve.go
+++ b/cmd/containerboot/serve.go
@@ -65,6 +65,10 @@ func watchServeConfigChanges(ctx context.Context, path string, cdChanged <-chan
 		if err != nil {
 			log.Fatalf("serve proxy: failed to read serve config: %v", err)
 		}
+		if sc == nil {
+			log.Printf("serve proxy: no serve config at %q, skipping", path)
+			continue
+		}
 		if prevServeConfig != nil && reflect.DeepEqual(sc, prevServeConfig) {
 			continue
 		}
@@ -131,6 +135,9 @@ func readServeConfig(path, certDomain string) (*ipn.ServeConfig, error) {
 	}
 	j, err := os.ReadFile(path)
 	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, nil
+		}
 		return nil, err
 	}
 	// Serve config can be provided by users as well as the Kubernetes Operator (for its proxies). User-provided
--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -28,7 +28,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
   L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
   L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
-   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/netmon
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
   L 💣 github.com/mdlayher/netlink                                  from github.com/google/nftables+
@@ -36,11 +35,11 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
   L    github.com/mdlayher/netlink/nltest                           from github.com/google/nftables
   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
     💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
+        github.com/munnerz/goautoneg                                 from github.com/prometheus/common/expfmt
     💣 github.com/prometheus/client_golang/prometheus               from tailscale.com/tsweb/promvarz
        github.com/prometheus/client_golang/prometheus/internal      from github.com/prometheus/client_golang/prometheus
        github.com/prometheus/client_model/go                        from github.com/prometheus/client_golang/prometheus+
        github.com/prometheus/common/expfmt                          from github.com/prometheus/client_golang/prometheus+
-        github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg from github.com/prometheus/common/expfmt
        github.com/prometheus/common/model                           from github.com/prometheus/client_golang/prometheus+
  LD    github.com/prometheus/procfs                                 from github.com/prometheus/client_golang/prometheus
  LD    github.com/prometheus/procfs/internal/fs                     from github.com/prometheus/procfs
@@ -86,7 +85,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        google.golang.org/protobuf/runtime/protoimpl                 from github.com/prometheus/client_model/go+
        google.golang.org/protobuf/types/known/timestamppb           from github.com/prometheus/client_golang/prometheus+
        tailscale.com                                                from tailscale.com/version
-        tailscale.com/atomicfile                                     from tailscale.com/cmd/derper+
+     💣 tailscale.com/atomicfile                                     from tailscale.com/cmd/derper+
        tailscale.com/client/tailscale                               from tailscale.com/derp
        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale
        tailscale.com/derp                                           from tailscale.com/cmd/derper+
@@ -100,6 +99,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
        tailscale.com/kube/kubetypes                                 from tailscale.com/envknob
        tailscale.com/metrics                                        from tailscale.com/cmd/derper+
+        tailscale.com/net/bakedroots                                 from tailscale.com/net/tlsdial
        tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp
        tailscale.com/net/ktimeout                                   from tailscale.com/cmd/derper
        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
@@ -189,6 +189,8 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
        golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
        golang.org/x/crypto/hkdf                                     from crypto/tls+
+        golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
+        golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
@@ -201,10 +203,11 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        golang.org/x/net/http/httpproxy                              from net/http+
        golang.org/x/net/http2/hpack                                 from net/http
        golang.org/x/net/idna                                        from golang.org/x/crypto/acme/autocert+
+        golang.org/x/net/internal/socks                              from golang.org/x/net/proxy
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
   D    golang.org/x/net/route                                       from net+
        golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
-        golang.org/x/sys/cpu                                         from github.com/josharian/native+
+        golang.org/x/sys/cpu                                         from golang.org/x/crypto/argon2+
  LD    golang.org/x/sys/unix                                        from github.com/google/nftables+
   W    golang.org/x/sys/windows                                     from github.com/dblohm7/wingoes+
   W    golang.org/x/sys/windows/registry                            from github.com/dblohm7/wingoes+
@@ -232,6 +235,18 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        crypto/ed25519                                               from crypto/tls+
        crypto/elliptic                                              from crypto/ecdsa+
        crypto/hmac                                                  from crypto/tls+
+        crypto/internal/alias                                        from crypto/aes+
+        crypto/internal/bigmod                                       from crypto/ecdsa+
+        crypto/internal/boring                                       from crypto/aes+
+        crypto/internal/boring/bbig                                  from crypto/ecdsa+
+        crypto/internal/boring/sig                                   from crypto/internal/boring
+        crypto/internal/edwards25519                                 from crypto/ed25519
+        crypto/internal/edwards25519/field                           from crypto/ecdh+
+        crypto/internal/hpke                                         from crypto/tls
+        crypto/internal/mlkem768                                     from crypto/tls
+        crypto/internal/nistec                                       from crypto/ecdh+
+        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
+        crypto/internal/randutil                                     from crypto/dsa+
        crypto/md5                                                   from crypto/tls+
        crypto/rand                                                  from crypto/ed25519+
        crypto/rc4                                                   from crypto/tls
@@ -242,6 +257,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        crypto/subtle                                                from crypto/aes+
        crypto/tls                                                   from golang.org/x/crypto/acme+
        crypto/x509                                                  from crypto/tls+
+   D    crypto/x509/internal/macos                                   from crypto/x509
        crypto/x509/pkix                                             from crypto/x509+
        embed                                                        from crypto/internal/nistec+
        encoding                                                     from encoding/json+
@@ -263,9 +279,47 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        hash/maphash                                                 from go4.org/mem
        html                                                         from net/http/pprof+
        html/template                                                from tailscale.com/cmd/derper
+        internal/abi                                                 from crypto/x509/internal/macos+
+        internal/asan                                                from syscall
+        internal/bisect                                              from internal/godebug
+        internal/bytealg                                             from bytes+
+        internal/byteorder                                           from crypto/aes+
+        internal/chacha8rand                                         from math/rand/v2+
+        internal/concurrent                                          from unique
+        internal/coverage/rtcov                                      from runtime
+        internal/cpu                                                 from crypto/aes+
+        internal/filepathlite                                        from os+
+        internal/fmtsort                                             from fmt+
+        internal/goarch                                              from crypto/aes+
+        internal/godebug                                             from crypto/tls+
+        internal/godebugs                                            from internal/godebug+
+        internal/goexperiment                                        from runtime
+        internal/goos                                                from crypto/x509+
+        internal/itoa                                                from internal/poll+
+        internal/msan                                                from syscall
+        internal/nettrace                                            from net+
+        internal/oserror                                             from io/fs+
+        internal/poll                                                from net+
+        internal/profile                                             from net/http/pprof
+        internal/profilerecord                                       from runtime+
+        internal/race                                                from internal/poll+
+        internal/reflectlite                                         from context+
+        internal/runtime/atomic                                      from internal/runtime/exithook+
+        internal/runtime/exithook                                    from runtime
+   L    internal/runtime/syscall                                     from runtime+
+        internal/singleflight                                        from net
+        internal/stringslite                                         from embed+
+        internal/syscall/execenv                                     from os+
+  LD    internal/syscall/unix                                        from crypto/rand+
+   W    internal/syscall/windows                                     from crypto/rand+
+   W    internal/syscall/windows/registry                            from mime+
+   W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
+        internal/testlog                                             from os
+        internal/unsafeheader                                        from internal/reflectlite+
+        internal/weak                                                from unique
        io                                                           from bufio+
        io/fs                                                        from crypto/x509+
-        io/ioutil                                                    from github.com/mitchellh/go-ps+
+   L    io/ioutil                                                    from github.com/mitchellh/go-ps+
        iter                                                         from maps+
        log                                                          from expvar+
        log/internal                                                 from log
@@ -282,6 +336,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        net/http                                                     from expvar+
        net/http/httptrace                                           from net/http+
        net/http/internal                                            from net/http
+        net/http/internal/ascii                                      from net/http
        net/http/pprof                                               from tailscale.com/tsweb
        net/netip                                                    from go4.org/netipx+
        net/textproto                                                from golang.org/x/net/http/httpguts+
@@ -295,7 +350,10 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        reflect                                                      from crypto/x509+
        regexp                                                       from github.com/coreos/go-iptables/iptables+
        regexp/syntax                                                from regexp
+        runtime                                                      from crypto/internal/nistec+
        runtime/debug                                                from github.com/prometheus/client_golang/prometheus+
+        runtime/internal/math                                        from runtime
+        runtime/internal/sys                                         from runtime
        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
        runtime/pprof                                                from net/http/pprof
        runtime/trace                                                from net/http/pprof
@@ -314,3 +372,4 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        unicode/utf16                                                from crypto/x509+
        unicode/utf8                                                 from bufio+
        unique                                                       from net/netip
+        unsafe                                                       from bytes+
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -63,7 +63,7 @@ var (
 	runDERP     = flag.Bool("derp", true, "whether to run a DERP server. The only reason to set this false is if you're decommissioning a server but want to keep its bootstrap DNS functionality still running.")

 	meshPSKFile     = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
-	meshWith        = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
+	meshWith        = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list. If an entry contains a slash, the second part names a hostname to be used when dialing the target.")
 	bootstrapDNS    = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
 	unpublishedDNS  = flag.String("unpublished-bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns and not publish in the list. If an entry contains a slash, the second part names a DNS record to poll for its TXT record with a `0` to `100` value for rollout percentage.")
 	verifyClients   = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")
@@ -77,6 +77,8 @@ var (
 	tcpKeepAlive = flag.Duration("tcp-keepalive-time", 10*time.Minute, "TCP keepalive time")
 	// tcpUserTimeout is intentionally short, so that hung connections are cleaned up promptly. DERPs should be nearby users.
 	tcpUserTimeout = flag.Duration("tcp-user-timeout", 15*time.Second, "TCP user timeout")
+	// tcpWriteTimeout is the timeout for writing to client TCP connections. It does not apply to mesh connections.
+	tcpWriteTimeout = flag.Duration("tcp-write-timeout", derp.DefaultTCPWiteTimeout, "TCP write timeout; 0 results in no timeout being set on writes")
 )

 var (
@@ -173,6 +175,7 @@ func main() {
 	s.SetVerifyClient(*verifyClients)
 	s.SetVerifyClientURL(*verifyClientURL)
 	s.SetVerifyClientURLFailOpen(*verifyFailOpen)
+	s.SetTCPWriteTimeout(*tcpWriteTimeout)

 	if *meshPSKFile != "" {
 		b, err := os.ReadFile(*meshPSKFile)
--- a/cmd/derper/mesh.go
+++ b/cmd/derper/mesh.go
@@ -10,7 +10,6 @@ import (
 	"log"
 	"net"
 	"strings"
-	"time"

 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
@@ -25,15 +24,28 @@ func startMesh(s *derp.Server) error {
 	if !s.HasMeshKey() {
 		return errors.New("--mesh-with requires --mesh-psk-file")
 	}
-	for _, host := range strings.Split(*meshWith, ",") {
-		if err := startMeshWithHost(s, host); err != nil {
+	for _, hostTuple := range strings.Split(*meshWith, ",") {
+		if err := startMeshWithHost(s, hostTuple); err != nil {
 			return err
 		}
 	}
 	return nil
 }

-func startMeshWithHost(s *derp.Server, host string) error {
+func startMeshWithHost(s *derp.Server, hostTuple string) error {
+	var host string
+	var dialHost string
+	hostParts := strings.Split(hostTuple, "/")
+	if len(hostParts) > 2 {
+		return fmt.Errorf("too many components in host tuple %q", hostTuple)
+	}
+	host = hostParts[0]
+	if len(hostParts) == 2 {
+		dialHost = hostParts[1]
+	} else {
+		dialHost = hostParts[0]
+	}
+
 	logf := logger.WithPrefix(log.Printf, fmt.Sprintf("mesh(%q): ", host))
 	netMon := netmon.NewStatic() // good enough for cmd/derper; no need for netns fanciness
 	c, err := derphttp.NewClient(s.PrivateKey(), "https://"+host+"/derp", logf, netMon)
@@ -43,35 +55,20 @@ func startMeshWithHost(s *derp.Server, host string) error {
 	c.MeshKey = s.MeshKey()
 	c.WatchConnectionChanges = true

-	// For meshed peers within a region, connect via VPC addresses.
-	c.SetURLDialer(func(ctx context.Context, network, addr string) (net.Conn, error) {
-		host, port, err := net.SplitHostPort(addr)
-		if err != nil {
-			logf("failed to split %q: %v", addr, err)
-			return nil, err
-		}
+	logf("will dial %q for %q", dialHost, host)
+	if dialHost != host {
 		var d net.Dialer
-		var r net.Resolver
-		if base, ok := strings.CutSuffix(host, ".tailscale.com"); ok && port == "443" {
-			subCtx, cancel := context.WithTimeout(ctx, 2*time.Second)
-			defer cancel()
-			vpcHost := base + "-vpc.tailscale.com"
-			ips, err := r.LookupIP(subCtx, "ip", vpcHost)
+		c.SetURLDialer(func(ctx context.Context, network, addr string) (net.Conn, error) {
+			_, port, err := net.SplitHostPort(addr)
 			if err != nil {
-				logf("failed to resolve %v: %v", vpcHost, err)
+				logf("failed to split %q: %v", addr, err)
+				return nil, err
 			}
-			if len(ips) > 0 {
-				vpcAddr := net.JoinHostPort(ips[0].String(), port)
-				c, err := d.DialContext(subCtx, network, vpcAddr)
-				if err == nil {
-					logf("connected to %v (%v) instead of %v", vpcHost, ips[0], base)
-					return c, nil
-				}
-				logf("failed to connect to %v (%v): %v; trying non-VPC route", vpcHost, ips[0], err)
-			}
-		}
-		return d.DialContext(ctx, network, addr)
-	})
+			dialAddr := net.JoinHostPort(dialHost, port)
+			logf("dialing %q instead of %q", dialAddr, addr)
+			return d.DialContext(ctx, network, dialAddr)
+		})
+	}

 	add := func(m derp.PeerPresentMessage) { s.AddPacketForwarder(m.Key, c) }
 	remove := func(m derp.PeerGoneMessage) { s.RemovePacketForwarder(m.Peer, c) }
--- a/cmd/k8s-operator/connector_test.go
+++ b/cmd/k8s-operator/connector_test.go
@@ -79,8 +79,8 @@ func TestConnector(t *testing.T) {
 		subnetRoutes: "10.40.0.0/14",
 		app:          kubetypes.AppConnector,
 	}
-	expectEqual(t, fc, expectedSecret(t, fc, opts), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSecret(t, fc, opts))
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)

 	// Connector status should get updated with the IP/hostname info when available.
 	const hostname = "foo.tailnetxyz.ts.net"
@@ -106,7 +106,7 @@ func TestConnector(t *testing.T) {
 	opts.subnetRoutes = "10.40.0.0/14,10.44.0.0/20"
 	expectReconciled(t, cr, "", "test")

-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)

 	// Remove a route.
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
@@ -114,7 +114,7 @@ func TestConnector(t *testing.T) {
 	})
 	opts.subnetRoutes = "10.44.0.0/20"
 	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)

 	// Remove the subnet router.
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
@@ -122,7 +122,7 @@ func TestConnector(t *testing.T) {
 	})
 	opts.subnetRoutes = ""
 	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)

 	// Re-add the subnet router.
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
@@ -132,7 +132,7 @@ func TestConnector(t *testing.T) {
 	})
 	opts.subnetRoutes = "10.44.0.0/20"
 	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)

 	// Delete the Connector.
 	if err = fc.Delete(context.Background(), cn); err != nil {
@@ -175,8 +175,8 @@ func TestConnector(t *testing.T) {
 		hostname:     "test-connector",
 		app:          kubetypes.AppConnector,
 	}
-	expectEqual(t, fc, expectedSecret(t, fc, opts), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSecret(t, fc, opts))
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)

 	// Add an exit node.
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
@@ -184,7 +184,7 @@ func TestConnector(t *testing.T) {
 	})
 	opts.isExitNode = true
 	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)

 	// Delete the Connector.
 	if err = fc.Delete(context.Background(), cn); err != nil {
@@ -261,8 +261,8 @@ func TestConnectorWithProxyClass(t *testing.T) {
 		subnetRoutes: "10.40.0.0/14",
 		app:          kubetypes.AppConnector,
 	}
-	expectEqual(t, fc, expectedSecret(t, fc, opts), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSecret(t, fc, opts))
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)

 	// 2. Update Connector to specify a ProxyClass. ProxyClass is not yet
 	// ready, so its configuration is NOT applied to the Connector
@@ -271,7 +271,7 @@ func TestConnectorWithProxyClass(t *testing.T) {
 		conn.Spec.ProxyClass = "custom-metadata"
 	})
 	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)

 	// 3. ProxyClass is set to Ready by proxy-class reconciler. Connector
 	// get reconciled and configuration from the ProxyClass is applied to
@@ -286,7 +286,7 @@ func TestConnectorWithProxyClass(t *testing.T) {
 	})
 	opts.proxyClass = pc.Name
 	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)

 	// 4. Connector.spec.proxyClass field is unset, Connector gets
 	// reconciled and configuration from the ProxyClass is removed from the
@@ -296,7 +296,7 @@ func TestConnectorWithProxyClass(t *testing.T) {
 	})
 	opts.proxyClass = ""
 	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)
 }

 func TestConnectorWithAppConnector(t *testing.T) {
@@ -351,8 +351,8 @@ func TestConnectorWithAppConnector(t *testing.T) {
 		app:            kubetypes.AppConnector,
 		isAppConnector: true,
 	}
-	expectEqual(t, fc, expectedSecret(t, fc, opts), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSecret(t, fc, opts))
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)
 	// Connector's ready condition should be set to true

 	cn.ObjectMeta.Finalizers = append(cn.ObjectMeta.Finalizers, "tailscale.com/finalizer")
@@ -364,7 +364,7 @@ func TestConnectorWithAppConnector(t *testing.T) {
 		Reason:             reasonConnectorCreated,
 		Message:            reasonConnectorCreated,
 	}}
-	expectEqual(t, fc, cn, nil)
+	expectEqual(t, fc, cn)

 	// 2. Connector with invalid app connector routes has status set to invalid
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
@@ -379,7 +379,7 @@ func TestConnectorWithAppConnector(t *testing.T) {
 		Reason:             reasonConnectorInvalid,
 		Message:            "Connector is invalid: route 1.2.3.4/5 has non-address bits set; expected 0.0.0.0/5",
 	}}
-	expectEqual(t, fc, cn, nil)
+	expectEqual(t, fc, cn)

 	// 3. Connector with valid app connnector routes becomes ready
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
--- a/cmd/k8s-operator/depaware.txt
+++ b/cmd/k8s-operator/depaware.txt
@@ -94,7 +94,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        github.com/evanphx/json-patch/v5                             from sigs.k8s.io/controller-runtime/pkg/client
        github.com/evanphx/json-patch/v5/internal/json               from github.com/evanphx/json-patch/v5
     💣 github.com/fsnotify/fsnotify                                 from sigs.k8s.io/controller-runtime/pkg/certwatcher
-        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
+        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka+
        github.com/gaissmai/bart                                     from tailscale.com/net/ipset+
        github.com/go-json-experiment/json                           from tailscale.com/types/opt+
        github.com/go-json-experiment/json/internal                  from github.com/go-json-experiment/json/internal/jsonflags+
@@ -110,11 +110,11 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        github.com/go-openapi/jsonpointer                            from github.com/go-openapi/jsonreference
        github.com/go-openapi/jsonreference                          from k8s.io/kube-openapi/pkg/internal+
        github.com/go-openapi/jsonreference/internal                 from github.com/go-openapi/jsonreference
-        github.com/go-openapi/swag                                   from github.com/go-openapi/jsonpointer+
+     💣 github.com/go-openapi/swag                                   from github.com/go-openapi/jsonpointer+
   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns
     💣 github.com/gogo/protobuf/proto                               from k8s.io/api/admission/v1+
        github.com/gogo/protobuf/sortkeys                            from k8s.io/api/admission/v1+
-        github.com/golang/groupcache/lru                             from k8s.io/client-go/tools/record+
+        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
        github.com/golang/protobuf/proto                             from k8s.io/client-go/discovery+
        github.com/google/btree                                      from gvisor.dev/gvisor/pkg/tcpip/header+
        github.com/google/gnostic-models/compiler                    from github.com/google/gnostic-models/openapiv2+
@@ -140,14 +140,12 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        github.com/gorilla/securecookie                              from github.com/gorilla/csrf
        github.com/hdevalence/ed25519consensus                       from tailscale.com/clientupdate/distsign+
   L 💣 github.com/illarion/gonotify/v2                              from tailscale.com/net/dns
-        github.com/imdario/mergo                                     from k8s.io/client-go/tools/clientcmd
-   L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
+   L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/feature/tap
   L    github.com/insomniacslk/dhcp/iana                            from github.com/insomniacslk/dhcp/dhcpv4
   L    github.com/insomniacslk/dhcp/interfaces                      from github.com/insomniacslk/dhcp/dhcpv4
   L    github.com/insomniacslk/dhcp/rfc1035label                    from github.com/insomniacslk/dhcp/dhcpv4
   L    github.com/jmespath/go-jmespath                              from github.com/aws/aws-sdk-go-v2/service/ssm
        github.com/josharian/intern                                  from github.com/mailru/easyjson/jlexer
-   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/netmon
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
     💣 github.com/json-iterator/go                                  from sigs.k8s.io/structured-merge-diff/v4/fieldpath+
@@ -158,7 +156,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        github.com/klauspost/compress/internal/snapref               from github.com/klauspost/compress/zstd
        github.com/klauspost/compress/zstd                           from tailscale.com/util/zstdframe
        github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
-        github.com/kortschak/wol                                     from tailscale.com/ipn/ipnlocal
+        github.com/kortschak/wol                                     from tailscale.com/feature/wakeonlan
        github.com/mailru/easyjson/buffer                            from github.com/mailru/easyjson/jwriter
     💣 github.com/mailru/easyjson/jlexer                            from github.com/go-openapi/swag
        github.com/mailru/easyjson/jwriter                           from github.com/go-openapi/swag
@@ -172,7 +170,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
     💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
        github.com/modern-go/concurrent                              from github.com/json-iterator/go
     💣 github.com/modern-go/reflect2                                from github.com/json-iterator/go
-        github.com/munnerz/goautoneg                                 from k8s.io/kube-openapi/pkg/handler3
+        github.com/munnerz/goautoneg                                 from k8s.io/kube-openapi/pkg/handler3+
        github.com/opencontainers/go-digest                          from github.com/distribution/reference
   L    github.com/pierrec/lz4/v4                                    from github.com/u-root/uio/uio
   L    github.com/pierrec/lz4/v4/internal/lz4block                  from github.com/pierrec/lz4/v4+
@@ -187,7 +185,6 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        github.com/prometheus/client_golang/prometheus/promhttp      from sigs.k8s.io/controller-runtime/pkg/metrics/server+
        github.com/prometheus/client_model/go                        from github.com/prometheus/client_golang/prometheus+
        github.com/prometheus/common/expfmt                          from github.com/prometheus/client_golang/prometheus+
-        github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg from github.com/prometheus/common/expfmt
        github.com/prometheus/common/model                           from github.com/prometheus/client_golang/prometheus+
  LD    github.com/prometheus/procfs                                 from github.com/prometheus/client_golang/prometheus
  LD    github.com/prometheus/procfs/internal/fs                     from github.com/prometheus/procfs
@@ -200,7 +197,6 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
   W 💣 github.com/tailscale/go-winio/internal/socket                from github.com/tailscale/go-winio
   W    github.com/tailscale/go-winio/internal/stringbuffer          from github.com/tailscale/go-winio/internal/fs
   W    github.com/tailscale/go-winio/pkg/guid                       from github.com/tailscale/go-winio+
-        github.com/tailscale/golang-x-crypto/acme                    from tailscale.com/ipn/ipnlocal
  LD    github.com/tailscale/golang-x-crypto/internal/poly1305       from github.com/tailscale/golang-x-crypto/ssh
  LD    github.com/tailscale/golang-x-crypto/ssh                     from tailscale.com/ipn/ipnlocal
  LD    github.com/tailscale/golang-x-crypto/ssh/internal/bcrypt_pbkdf from github.com/tailscale/golang-x-crypto/ssh
@@ -251,6 +247,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        google.golang.org/protobuf/internal/descopts                 from google.golang.org/protobuf/internal/filedesc+
        google.golang.org/protobuf/internal/detrand                  from google.golang.org/protobuf/internal/descfmt+
        google.golang.org/protobuf/internal/editiondefaults          from google.golang.org/protobuf/internal/filedesc+
+        google.golang.org/protobuf/internal/editionssupport          from google.golang.org/protobuf/reflect/protodesc
        google.golang.org/protobuf/internal/encoding/defval          from google.golang.org/protobuf/internal/encoding/tag+
        google.golang.org/protobuf/internal/encoding/messageset      from google.golang.org/protobuf/encoding/prototext+
        google.golang.org/protobuf/internal/encoding/tag             from google.golang.org/protobuf/internal/impl
@@ -276,8 +273,8 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        google.golang.org/protobuf/types/gofeaturespb                from google.golang.org/protobuf/reflect/protodesc
        google.golang.org/protobuf/types/known/anypb                 from github.com/google/gnostic-models/compiler+
        google.golang.org/protobuf/types/known/timestamppb           from github.com/prometheus/client_golang/prometheus+
+        gopkg.in/evanphx/json-patch.v4                               from k8s.io/client-go/testing
        gopkg.in/inf.v0                                              from k8s.io/apimachinery/pkg/api/resource
-        gopkg.in/yaml.v2                                             from k8s.io/kube-openapi/pkg/util/proto+
        gopkg.in/yaml.v3                                             from github.com/go-openapi/swag+
        gvisor.dev/gvisor/pkg/atomicbitops                           from gvisor.dev/gvisor/pkg/buffer+
        gvisor.dev/gvisor/pkg/bits                                   from gvisor.dev/gvisor/pkg/buffer
@@ -304,7 +301,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        gvisor.dev/gvisor/pkg/tcpip/network/internal/fragmentation   from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
        gvisor.dev/gvisor/pkg/tcpip/network/internal/ip              from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
        gvisor.dev/gvisor/pkg/tcpip/network/internal/multicast       from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
-        gvisor.dev/gvisor/pkg/tcpip/network/ipv4                     from tailscale.com/net/tstun+
+        gvisor.dev/gvisor/pkg/tcpip/network/ipv4                     from tailscale.com/feature/tap+
        gvisor.dev/gvisor/pkg/tcpip/network/ipv6                     from tailscale.com/wgengine/netstack+
        gvisor.dev/gvisor/pkg/tcpip/ports                            from gvisor.dev/gvisor/pkg/tcpip/stack+
        gvisor.dev/gvisor/pkg/tcpip/seqnum                           from gvisor.dev/gvisor/pkg/tcpip/header+
@@ -346,6 +343,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        k8s.io/api/certificates/v1alpha1                             from k8s.io/client-go/applyconfigurations/certificates/v1alpha1+
        k8s.io/api/certificates/v1beta1                              from k8s.io/client-go/applyconfigurations/certificates/v1beta1+
        k8s.io/api/coordination/v1                                   from k8s.io/client-go/applyconfigurations/coordination/v1+
+        k8s.io/api/coordination/v1alpha2                             from k8s.io/client-go/applyconfigurations/coordination/v1alpha2+
        k8s.io/api/coordination/v1beta1                              from k8s.io/client-go/applyconfigurations/coordination/v1beta1+
        k8s.io/api/core/v1                                           from k8s.io/api/apps/v1+
        k8s.io/api/discovery/v1                                      from k8s.io/client-go/applyconfigurations/discovery/v1+
@@ -368,7 +366,8 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        k8s.io/api/rbac/v1                                           from k8s.io/client-go/applyconfigurations/rbac/v1+
        k8s.io/api/rbac/v1alpha1                                     from k8s.io/client-go/applyconfigurations/rbac/v1alpha1+
        k8s.io/api/rbac/v1beta1                                      from k8s.io/client-go/applyconfigurations/rbac/v1beta1+
-        k8s.io/api/resource/v1alpha2                                 from k8s.io/client-go/applyconfigurations/resource/v1alpha2+
+        k8s.io/api/resource/v1alpha3                                 from k8s.io/client-go/applyconfigurations/resource/v1alpha3+
+        k8s.io/api/resource/v1beta1                                  from k8s.io/client-go/applyconfigurations/resource/v1beta1+
        k8s.io/api/scheduling/v1                                     from k8s.io/client-go/applyconfigurations/scheduling/v1+
        k8s.io/api/scheduling/v1alpha1                               from k8s.io/client-go/applyconfigurations/scheduling/v1alpha1+
        k8s.io/api/scheduling/v1beta1                                from k8s.io/client-go/applyconfigurations/scheduling/v1beta1+
@@ -381,10 +380,12 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        k8s.io/apimachinery/pkg/api/equality                         from k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1+
        k8s.io/apimachinery/pkg/api/errors                           from k8s.io/apimachinery/pkg/util/managedfields/internal+
        k8s.io/apimachinery/pkg/api/meta                             from k8s.io/apimachinery/pkg/api/validation+
+        k8s.io/apimachinery/pkg/api/meta/testrestmapper              from k8s.io/client-go/testing
        k8s.io/apimachinery/pkg/api/resource                         from k8s.io/api/autoscaling/v1+
        k8s.io/apimachinery/pkg/api/validation                       from k8s.io/apimachinery/pkg/util/managedfields/internal+
     💣 k8s.io/apimachinery/pkg/apis/meta/internalversion            from k8s.io/apimachinery/pkg/apis/meta/internalversion/scheme+
        k8s.io/apimachinery/pkg/apis/meta/internalversion/scheme     from k8s.io/client-go/metadata
+        k8s.io/apimachinery/pkg/apis/meta/internalversion/validation from k8s.io/client-go/util/watchlist
     💣 k8s.io/apimachinery/pkg/apis/meta/v1                         from k8s.io/api/admission/v1+
        k8s.io/apimachinery/pkg/apis/meta/v1/unstructured            from k8s.io/apimachinery/pkg/runtime/serializer/versioning+
        k8s.io/apimachinery/pkg/apis/meta/v1/validation              from k8s.io/apimachinery/pkg/api/validation+
@@ -396,6 +397,9 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        k8s.io/apimachinery/pkg/runtime                              from k8s.io/api/admission/v1+
        k8s.io/apimachinery/pkg/runtime/schema                       from k8s.io/api/admission/v1+
        k8s.io/apimachinery/pkg/runtime/serializer                   from k8s.io/apimachinery/pkg/apis/meta/internalversion/scheme+
+        k8s.io/apimachinery/pkg/runtime/serializer/cbor              from k8s.io/client-go/dynamic+
+        k8s.io/apimachinery/pkg/runtime/serializer/cbor/direct       from k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1+
+        k8s.io/apimachinery/pkg/runtime/serializer/cbor/internal/modes from k8s.io/apimachinery/pkg/runtime/serializer/cbor+
        k8s.io/apimachinery/pkg/runtime/serializer/json              from k8s.io/apimachinery/pkg/runtime/serializer+
        k8s.io/apimachinery/pkg/runtime/serializer/protobuf          from k8s.io/apimachinery/pkg/runtime/serializer
        k8s.io/apimachinery/pkg/runtime/serializer/recognizer        from k8s.io/apimachinery/pkg/runtime/serializer+
@@ -447,6 +451,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        k8s.io/client-go/applyconfigurations/certificates/v1alpha1   from k8s.io/client-go/kubernetes/typed/certificates/v1alpha1
        k8s.io/client-go/applyconfigurations/certificates/v1beta1    from k8s.io/client-go/kubernetes/typed/certificates/v1beta1
        k8s.io/client-go/applyconfigurations/coordination/v1         from k8s.io/client-go/kubernetes/typed/coordination/v1
+        k8s.io/client-go/applyconfigurations/coordination/v1alpha2   from k8s.io/client-go/kubernetes/typed/coordination/v1alpha2
        k8s.io/client-go/applyconfigurations/coordination/v1beta1    from k8s.io/client-go/kubernetes/typed/coordination/v1beta1
        k8s.io/client-go/applyconfigurations/core/v1                 from k8s.io/client-go/applyconfigurations/apps/v1+
        k8s.io/client-go/applyconfigurations/discovery/v1            from k8s.io/client-go/kubernetes/typed/discovery/v1
@@ -471,7 +476,8 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        k8s.io/client-go/applyconfigurations/rbac/v1                 from k8s.io/client-go/kubernetes/typed/rbac/v1
        k8s.io/client-go/applyconfigurations/rbac/v1alpha1           from k8s.io/client-go/kubernetes/typed/rbac/v1alpha1
        k8s.io/client-go/applyconfigurations/rbac/v1beta1            from k8s.io/client-go/kubernetes/typed/rbac/v1beta1
-        k8s.io/client-go/applyconfigurations/resource/v1alpha2       from k8s.io/client-go/kubernetes/typed/resource/v1alpha2
+        k8s.io/client-go/applyconfigurations/resource/v1alpha3       from k8s.io/client-go/kubernetes/typed/resource/v1alpha3
+        k8s.io/client-go/applyconfigurations/resource/v1beta1        from k8s.io/client-go/kubernetes/typed/resource/v1beta1
        k8s.io/client-go/applyconfigurations/scheduling/v1           from k8s.io/client-go/kubernetes/typed/scheduling/v1
        k8s.io/client-go/applyconfigurations/scheduling/v1alpha1     from k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1
        k8s.io/client-go/applyconfigurations/scheduling/v1beta1      from k8s.io/client-go/kubernetes/typed/scheduling/v1beta1
@@ -481,8 +487,80 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1 from k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1
        k8s.io/client-go/discovery                                   from k8s.io/client-go/applyconfigurations/meta/v1+
        k8s.io/client-go/dynamic                                     from sigs.k8s.io/controller-runtime/pkg/cache/internal+
-        k8s.io/client-go/features                                    from k8s.io/client-go/tools/cache
-        k8s.io/client-go/kubernetes                                  from k8s.io/client-go/tools/leaderelection/resourcelock
+        k8s.io/client-go/features                                    from k8s.io/client-go/tools/cache+
+        k8s.io/client-go/gentype                                     from k8s.io/client-go/kubernetes/typed/admissionregistration/v1+
+        k8s.io/client-go/informers                                   from k8s.io/client-go/tools/leaderelection
+        k8s.io/client-go/informers/admissionregistration             from k8s.io/client-go/informers
+        k8s.io/client-go/informers/admissionregistration/v1          from k8s.io/client-go/informers/admissionregistration
+        k8s.io/client-go/informers/admissionregistration/v1alpha1    from k8s.io/client-go/informers/admissionregistration
+        k8s.io/client-go/informers/admissionregistration/v1beta1     from k8s.io/client-go/informers/admissionregistration
+        k8s.io/client-go/informers/apiserverinternal                 from k8s.io/client-go/informers
+        k8s.io/client-go/informers/apiserverinternal/v1alpha1        from k8s.io/client-go/informers/apiserverinternal
+        k8s.io/client-go/informers/apps                              from k8s.io/client-go/informers
+        k8s.io/client-go/informers/apps/v1                           from k8s.io/client-go/informers/apps
+        k8s.io/client-go/informers/apps/v1beta1                      from k8s.io/client-go/informers/apps
+        k8s.io/client-go/informers/apps/v1beta2                      from k8s.io/client-go/informers/apps
+        k8s.io/client-go/informers/autoscaling                       from k8s.io/client-go/informers
+        k8s.io/client-go/informers/autoscaling/v1                    from k8s.io/client-go/informers/autoscaling
+        k8s.io/client-go/informers/autoscaling/v2                    from k8s.io/client-go/informers/autoscaling
+        k8s.io/client-go/informers/autoscaling/v2beta1               from k8s.io/client-go/informers/autoscaling
+        k8s.io/client-go/informers/autoscaling/v2beta2               from k8s.io/client-go/informers/autoscaling
+        k8s.io/client-go/informers/batch                             from k8s.io/client-go/informers
+        k8s.io/client-go/informers/batch/v1                          from k8s.io/client-go/informers/batch
+        k8s.io/client-go/informers/batch/v1beta1                     from k8s.io/client-go/informers/batch
+        k8s.io/client-go/informers/certificates                      from k8s.io/client-go/informers
+        k8s.io/client-go/informers/certificates/v1                   from k8s.io/client-go/informers/certificates
+        k8s.io/client-go/informers/certificates/v1alpha1             from k8s.io/client-go/informers/certificates
+        k8s.io/client-go/informers/certificates/v1beta1              from k8s.io/client-go/informers/certificates
+        k8s.io/client-go/informers/coordination                      from k8s.io/client-go/informers
+        k8s.io/client-go/informers/coordination/v1                   from k8s.io/client-go/informers/coordination
+        k8s.io/client-go/informers/coordination/v1alpha2             from k8s.io/client-go/informers/coordination
+        k8s.io/client-go/informers/coordination/v1beta1              from k8s.io/client-go/informers/coordination
+        k8s.io/client-go/informers/core                              from k8s.io/client-go/informers
+        k8s.io/client-go/informers/core/v1                           from k8s.io/client-go/informers/core
+        k8s.io/client-go/informers/discovery                         from k8s.io/client-go/informers
+        k8s.io/client-go/informers/discovery/v1                      from k8s.io/client-go/informers/discovery
+        k8s.io/client-go/informers/discovery/v1beta1                 from k8s.io/client-go/informers/discovery
+        k8s.io/client-go/informers/events                            from k8s.io/client-go/informers
+        k8s.io/client-go/informers/events/v1                         from k8s.io/client-go/informers/events
+        k8s.io/client-go/informers/events/v1beta1                    from k8s.io/client-go/informers/events
+        k8s.io/client-go/informers/extensions                        from k8s.io/client-go/informers
+        k8s.io/client-go/informers/extensions/v1beta1                from k8s.io/client-go/informers/extensions
+        k8s.io/client-go/informers/flowcontrol                       from k8s.io/client-go/informers
+        k8s.io/client-go/informers/flowcontrol/v1                    from k8s.io/client-go/informers/flowcontrol
+        k8s.io/client-go/informers/flowcontrol/v1beta1               from k8s.io/client-go/informers/flowcontrol
+        k8s.io/client-go/informers/flowcontrol/v1beta2               from k8s.io/client-go/informers/flowcontrol
+        k8s.io/client-go/informers/flowcontrol/v1beta3               from k8s.io/client-go/informers/flowcontrol
+        k8s.io/client-go/informers/internalinterfaces                from k8s.io/client-go/informers+
+        k8s.io/client-go/informers/networking                        from k8s.io/client-go/informers
+        k8s.io/client-go/informers/networking/v1                     from k8s.io/client-go/informers/networking
+        k8s.io/client-go/informers/networking/v1alpha1               from k8s.io/client-go/informers/networking
+        k8s.io/client-go/informers/networking/v1beta1                from k8s.io/client-go/informers/networking
+        k8s.io/client-go/informers/node                              from k8s.io/client-go/informers
+        k8s.io/client-go/informers/node/v1                           from k8s.io/client-go/informers/node
+        k8s.io/client-go/informers/node/v1alpha1                     from k8s.io/client-go/informers/node
+        k8s.io/client-go/informers/node/v1beta1                      from k8s.io/client-go/informers/node
+        k8s.io/client-go/informers/policy                            from k8s.io/client-go/informers
+        k8s.io/client-go/informers/policy/v1                         from k8s.io/client-go/informers/policy
+        k8s.io/client-go/informers/policy/v1beta1                    from k8s.io/client-go/informers/policy
+        k8s.io/client-go/informers/rbac                              from k8s.io/client-go/informers
+        k8s.io/client-go/informers/rbac/v1                           from k8s.io/client-go/informers/rbac
+        k8s.io/client-go/informers/rbac/v1alpha1                     from k8s.io/client-go/informers/rbac
+        k8s.io/client-go/informers/rbac/v1beta1                      from k8s.io/client-go/informers/rbac
+        k8s.io/client-go/informers/resource                          from k8s.io/client-go/informers
+        k8s.io/client-go/informers/resource/v1alpha3                 from k8s.io/client-go/informers/resource
+        k8s.io/client-go/informers/resource/v1beta1                  from k8s.io/client-go/informers/resource
+        k8s.io/client-go/informers/scheduling                        from k8s.io/client-go/informers
+        k8s.io/client-go/informers/scheduling/v1                     from k8s.io/client-go/informers/scheduling
+        k8s.io/client-go/informers/scheduling/v1alpha1               from k8s.io/client-go/informers/scheduling
+        k8s.io/client-go/informers/scheduling/v1beta1                from k8s.io/client-go/informers/scheduling
+        k8s.io/client-go/informers/storage                           from k8s.io/client-go/informers
+        k8s.io/client-go/informers/storage/v1                        from k8s.io/client-go/informers/storage
+        k8s.io/client-go/informers/storage/v1alpha1                  from k8s.io/client-go/informers/storage
+        k8s.io/client-go/informers/storage/v1beta1                   from k8s.io/client-go/informers/storage
+        k8s.io/client-go/informers/storagemigration                  from k8s.io/client-go/informers
+        k8s.io/client-go/informers/storagemigration/v1alpha1         from k8s.io/client-go/informers/storagemigration
+        k8s.io/client-go/kubernetes                                  from k8s.io/client-go/tools/leaderelection/resourcelock+
        k8s.io/client-go/kubernetes/scheme                           from k8s.io/client-go/discovery+
        k8s.io/client-go/kubernetes/typed/admissionregistration/v1   from k8s.io/client-go/kubernetes
        k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1 from k8s.io/client-go/kubernetes
@@ -506,6 +584,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        k8s.io/client-go/kubernetes/typed/certificates/v1alpha1      from k8s.io/client-go/kubernetes
        k8s.io/client-go/kubernetes/typed/certificates/v1beta1       from k8s.io/client-go/kubernetes
        k8s.io/client-go/kubernetes/typed/coordination/v1            from k8s.io/client-go/kubernetes+
+        k8s.io/client-go/kubernetes/typed/coordination/v1alpha2      from k8s.io/client-go/kubernetes+
        k8s.io/client-go/kubernetes/typed/coordination/v1beta1       from k8s.io/client-go/kubernetes
        k8s.io/client-go/kubernetes/typed/core/v1                    from k8s.io/client-go/kubernetes+
        k8s.io/client-go/kubernetes/typed/discovery/v1               from k8s.io/client-go/kubernetes
@@ -528,7 +607,8 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        k8s.io/client-go/kubernetes/typed/rbac/v1                    from k8s.io/client-go/kubernetes
        k8s.io/client-go/kubernetes/typed/rbac/v1alpha1              from k8s.io/client-go/kubernetes
        k8s.io/client-go/kubernetes/typed/rbac/v1beta1               from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/resource/v1alpha2          from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/resource/v1alpha3          from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/resource/v1beta1           from k8s.io/client-go/kubernetes
        k8s.io/client-go/kubernetes/typed/scheduling/v1              from k8s.io/client-go/kubernetes
        k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1        from k8s.io/client-go/kubernetes
        k8s.io/client-go/kubernetes/typed/scheduling/v1beta1         from k8s.io/client-go/kubernetes
@@ -536,6 +616,56 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        k8s.io/client-go/kubernetes/typed/storage/v1alpha1           from k8s.io/client-go/kubernetes
        k8s.io/client-go/kubernetes/typed/storage/v1beta1            from k8s.io/client-go/kubernetes
        k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1  from k8s.io/client-go/kubernetes
+        k8s.io/client-go/listers                                     from k8s.io/client-go/listers/admissionregistration/v1+
+        k8s.io/client-go/listers/admissionregistration/v1            from k8s.io/client-go/informers/admissionregistration/v1
+        k8s.io/client-go/listers/admissionregistration/v1alpha1      from k8s.io/client-go/informers/admissionregistration/v1alpha1
+        k8s.io/client-go/listers/admissionregistration/v1beta1       from k8s.io/client-go/informers/admissionregistration/v1beta1
+        k8s.io/client-go/listers/apiserverinternal/v1alpha1          from k8s.io/client-go/informers/apiserverinternal/v1alpha1
+        k8s.io/client-go/listers/apps/v1                             from k8s.io/client-go/informers/apps/v1
+        k8s.io/client-go/listers/apps/v1beta1                        from k8s.io/client-go/informers/apps/v1beta1
+        k8s.io/client-go/listers/apps/v1beta2                        from k8s.io/client-go/informers/apps/v1beta2
+        k8s.io/client-go/listers/autoscaling/v1                      from k8s.io/client-go/informers/autoscaling/v1
+        k8s.io/client-go/listers/autoscaling/v2                      from k8s.io/client-go/informers/autoscaling/v2
+        k8s.io/client-go/listers/autoscaling/v2beta1                 from k8s.io/client-go/informers/autoscaling/v2beta1
+        k8s.io/client-go/listers/autoscaling/v2beta2                 from k8s.io/client-go/informers/autoscaling/v2beta2
+        k8s.io/client-go/listers/batch/v1                            from k8s.io/client-go/informers/batch/v1
+        k8s.io/client-go/listers/batch/v1beta1                       from k8s.io/client-go/informers/batch/v1beta1
+        k8s.io/client-go/listers/certificates/v1                     from k8s.io/client-go/informers/certificates/v1
+        k8s.io/client-go/listers/certificates/v1alpha1               from k8s.io/client-go/informers/certificates/v1alpha1
+        k8s.io/client-go/listers/certificates/v1beta1                from k8s.io/client-go/informers/certificates/v1beta1
+        k8s.io/client-go/listers/coordination/v1                     from k8s.io/client-go/informers/coordination/v1
+        k8s.io/client-go/listers/coordination/v1alpha2               from k8s.io/client-go/informers/coordination/v1alpha2
+        k8s.io/client-go/listers/coordination/v1beta1                from k8s.io/client-go/informers/coordination/v1beta1
+        k8s.io/client-go/listers/core/v1                             from k8s.io/client-go/informers/core/v1
+        k8s.io/client-go/listers/discovery/v1                        from k8s.io/client-go/informers/discovery/v1
+        k8s.io/client-go/listers/discovery/v1beta1                   from k8s.io/client-go/informers/discovery/v1beta1
+        k8s.io/client-go/listers/events/v1                           from k8s.io/client-go/informers/events/v1
+        k8s.io/client-go/listers/events/v1beta1                      from k8s.io/client-go/informers/events/v1beta1
+        k8s.io/client-go/listers/extensions/v1beta1                  from k8s.io/client-go/informers/extensions/v1beta1
+        k8s.io/client-go/listers/flowcontrol/v1                      from k8s.io/client-go/informers/flowcontrol/v1
+        k8s.io/client-go/listers/flowcontrol/v1beta1                 from k8s.io/client-go/informers/flowcontrol/v1beta1
+        k8s.io/client-go/listers/flowcontrol/v1beta2                 from k8s.io/client-go/informers/flowcontrol/v1beta2
+        k8s.io/client-go/listers/flowcontrol/v1beta3                 from k8s.io/client-go/informers/flowcontrol/v1beta3
+        k8s.io/client-go/listers/networking/v1                       from k8s.io/client-go/informers/networking/v1
+        k8s.io/client-go/listers/networking/v1alpha1                 from k8s.io/client-go/informers/networking/v1alpha1
+        k8s.io/client-go/listers/networking/v1beta1                  from k8s.io/client-go/informers/networking/v1beta1
+        k8s.io/client-go/listers/node/v1                             from k8s.io/client-go/informers/node/v1
+        k8s.io/client-go/listers/node/v1alpha1                       from k8s.io/client-go/informers/node/v1alpha1
+        k8s.io/client-go/listers/node/v1beta1                        from k8s.io/client-go/informers/node/v1beta1
+        k8s.io/client-go/listers/policy/v1                           from k8s.io/client-go/informers/policy/v1
+        k8s.io/client-go/listers/policy/v1beta1                      from k8s.io/client-go/informers/policy/v1beta1
+        k8s.io/client-go/listers/rbac/v1                             from k8s.io/client-go/informers/rbac/v1
+        k8s.io/client-go/listers/rbac/v1alpha1                       from k8s.io/client-go/informers/rbac/v1alpha1
+        k8s.io/client-go/listers/rbac/v1beta1                        from k8s.io/client-go/informers/rbac/v1beta1
+        k8s.io/client-go/listers/resource/v1alpha3                   from k8s.io/client-go/informers/resource/v1alpha3
+        k8s.io/client-go/listers/resource/v1beta1                    from k8s.io/client-go/informers/resource/v1beta1
+        k8s.io/client-go/listers/scheduling/v1                       from k8s.io/client-go/informers/scheduling/v1
+        k8s.io/client-go/listers/scheduling/v1alpha1                 from k8s.io/client-go/informers/scheduling/v1alpha1
+        k8s.io/client-go/listers/scheduling/v1beta1                  from k8s.io/client-go/informers/scheduling/v1beta1
+        k8s.io/client-go/listers/storage/v1                          from k8s.io/client-go/informers/storage/v1
+        k8s.io/client-go/listers/storage/v1alpha1                    from k8s.io/client-go/informers/storage/v1alpha1
+        k8s.io/client-go/listers/storage/v1beta1                     from k8s.io/client-go/informers/storage/v1beta1
+        k8s.io/client-go/listers/storagemigration/v1alpha1           from k8s.io/client-go/informers/storagemigration/v1alpha1
        k8s.io/client-go/metadata                                    from sigs.k8s.io/controller-runtime/pkg/cache/internal+
        k8s.io/client-go/openapi                                     from k8s.io/client-go/discovery
        k8s.io/client-go/pkg/apis/clientauthentication               from k8s.io/client-go/pkg/apis/clientauthentication/install+
@@ -547,6 +677,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        k8s.io/client-go/rest                                        from k8s.io/client-go/discovery+
        k8s.io/client-go/rest/watch                                  from k8s.io/client-go/rest
        k8s.io/client-go/restmapper                                  from sigs.k8s.io/controller-runtime/pkg/client/apiutil
+        k8s.io/client-go/testing                                     from k8s.io/client-go/gentype
        k8s.io/client-go/tools/auth                                  from k8s.io/client-go/tools/clientcmd
        k8s.io/client-go/tools/cache                                 from sigs.k8s.io/controller-runtime/pkg/cache+
        k8s.io/client-go/tools/cache/synctrack                       from k8s.io/client-go/tools/cache
@@ -563,11 +694,14 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        k8s.io/client-go/tools/record/util                           from k8s.io/client-go/tools/record
        k8s.io/client-go/tools/reference                             from k8s.io/client-go/kubernetes/typed/core/v1+
        k8s.io/client-go/transport                                   from k8s.io/client-go/plugin/pkg/client/auth/exec+
+        k8s.io/client-go/util/apply                                  from k8s.io/client-go/dynamic+
        k8s.io/client-go/util/cert                                   from k8s.io/client-go/rest+
        k8s.io/client-go/util/connrotation                           from k8s.io/client-go/plugin/pkg/client/auth/exec+
+        k8s.io/client-go/util/consistencydetector                    from k8s.io/client-go/dynamic+
        k8s.io/client-go/util/flowcontrol                            from k8s.io/client-go/kubernetes+
        k8s.io/client-go/util/homedir                                from k8s.io/client-go/tools/clientcmd
        k8s.io/client-go/util/keyutil                                from k8s.io/client-go/util/cert
+        k8s.io/client-go/util/watchlist                              from k8s.io/client-go/dynamic+
        k8s.io/client-go/util/workqueue                              from k8s.io/client-go/transport+
        k8s.io/klog/v2                                               from k8s.io/apimachinery/pkg/api/meta+
        k8s.io/klog/v2/internal/buffer                               from k8s.io/klog/v2
@@ -588,11 +722,12 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        k8s.io/utils/buffer                                          from k8s.io/client-go/tools/cache
        k8s.io/utils/clock                                           from k8s.io/apimachinery/pkg/util/cache+
        k8s.io/utils/clock/testing                                   from k8s.io/client-go/util/flowcontrol
+        k8s.io/utils/internal/third_party/forked/golang/golang-lru   from k8s.io/utils/lru
        k8s.io/utils/internal/third_party/forked/golang/net          from k8s.io/utils/net
+        k8s.io/utils/lru                                             from k8s.io/client-go/tools/record
        k8s.io/utils/net                                             from k8s.io/apimachinery/pkg/util/net+
        k8s.io/utils/pointer                                         from k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1+
        k8s.io/utils/ptr                                             from k8s.io/client-go/tools/cache+
-        k8s.io/utils/strings/slices                                  from k8s.io/apimachinery/pkg/labels
        k8s.io/utils/trace                                           from k8s.io/client-go/tools/cache
        sigs.k8s.io/controller-runtime/pkg/builder                   from tailscale.com/cmd/k8s-operator
        sigs.k8s.io/controller-runtime/pkg/cache                     from sigs.k8s.io/controller-runtime/pkg/cluster+
@@ -625,12 +760,12 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        sigs.k8s.io/controller-runtime/pkg/metrics                   from sigs.k8s.io/controller-runtime/pkg/certwatcher/metrics+
        sigs.k8s.io/controller-runtime/pkg/metrics/server            from sigs.k8s.io/controller-runtime/pkg/manager
        sigs.k8s.io/controller-runtime/pkg/predicate                 from sigs.k8s.io/controller-runtime/pkg/builder+
-        sigs.k8s.io/controller-runtime/pkg/ratelimiter               from sigs.k8s.io/controller-runtime/pkg/controller+
        sigs.k8s.io/controller-runtime/pkg/reconcile                 from sigs.k8s.io/controller-runtime/pkg/builder+
        sigs.k8s.io/controller-runtime/pkg/recorder                  from sigs.k8s.io/controller-runtime/pkg/leaderelection+
        sigs.k8s.io/controller-runtime/pkg/source                    from sigs.k8s.io/controller-runtime/pkg/builder+
        sigs.k8s.io/controller-runtime/pkg/webhook                   from sigs.k8s.io/controller-runtime/pkg/manager
        sigs.k8s.io/controller-runtime/pkg/webhook/admission         from sigs.k8s.io/controller-runtime/pkg/builder+
+        sigs.k8s.io/controller-runtime/pkg/webhook/admission/metrics from sigs.k8s.io/controller-runtime/pkg/webhook/admission
        sigs.k8s.io/controller-runtime/pkg/webhook/conversion        from sigs.k8s.io/controller-runtime/pkg/builder
        sigs.k8s.io/controller-runtime/pkg/webhook/internal/metrics  from sigs.k8s.io/controller-runtime/pkg/webhook+
        sigs.k8s.io/json                                             from k8s.io/apimachinery/pkg/runtime/serializer/json+
@@ -641,10 +776,10 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        sigs.k8s.io/structured-merge-diff/v4/typed                   from k8s.io/apimachinery/pkg/util/managedfields+
        sigs.k8s.io/structured-merge-diff/v4/value                   from k8s.io/apimachinery/pkg/runtime+
        sigs.k8s.io/yaml                                             from k8s.io/apimachinery/pkg/runtime/serializer/json+
-        sigs.k8s.io/yaml/goyaml.v2                                   from sigs.k8s.io/yaml
+        sigs.k8s.io/yaml/goyaml.v2                                   from sigs.k8s.io/yaml+
        tailscale.com                                                from tailscale.com/version
        tailscale.com/appc                                           from tailscale.com/ipn/ipnlocal
-        tailscale.com/atomicfile                                     from tailscale.com/ipn+
+     💣 tailscale.com/atomicfile                                     from tailscale.com/ipn+
        tailscale.com/client/tailscale                               from tailscale.com/client/web+
        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale+
        tailscale.com/client/web                                     from tailscale.com/ipn/ipnlocal
@@ -665,6 +800,11 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        tailscale.com/drive                                          from tailscale.com/client/tailscale+
        tailscale.com/envknob                                        from tailscale.com/client/tailscale+
        tailscale.com/envknob/featureknob                            from tailscale.com/client/web+
+        tailscale.com/feature                                        from tailscale.com/feature/wakeonlan+
+        tailscale.com/feature/capture                                from tailscale.com/feature/condregister
+        tailscale.com/feature/condregister                           from tailscale.com/tsnet
+   L    tailscale.com/feature/tap                                    from tailscale.com/feature/condregister
+        tailscale.com/feature/wakeonlan                              from tailscale.com/feature/condregister
        tailscale.com/health                                         from tailscale.com/control/controlclient+
        tailscale.com/health/healthmsg                               from tailscale.com/ipn/ipnlocal
        tailscale.com/hostinfo                                       from tailscale.com/client/web+
@@ -674,7 +814,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
     💣 tailscale.com/ipn/ipnauth                                    from tailscale.com/ipn/ipnlocal+
        tailscale.com/ipn/ipnlocal                                   from tailscale.com/ipn/localapi+
        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
-        tailscale.com/ipn/localapi                                   from tailscale.com/tsnet
+        tailscale.com/ipn/localapi                                   from tailscale.com/tsnet+
        tailscale.com/ipn/policy                                     from tailscale.com/ipn/ipnlocal
        tailscale.com/ipn/store                                      from tailscale.com/ipn/ipnlocal+
   L    tailscale.com/ipn/store/awsstore                             from tailscale.com/ipn/store
@@ -699,6 +839,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        tailscale.com/logtail/backoff                                from tailscale.com/control/controlclient+
        tailscale.com/logtail/filch                                  from tailscale.com/log/sockstatlog+
        tailscale.com/metrics                                        from tailscale.com/derp+
+        tailscale.com/net/bakedroots                                 from tailscale.com/net/tlsdial+
        tailscale.com/net/captivedetection                           from tailscale.com/ipn/ipnlocal+
        tailscale.com/net/connstats                                  from tailscale.com/net/tstun+
        tailscale.com/net/dns                                        from tailscale.com/ipn/ipnlocal+
@@ -746,7 +887,9 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        tailscale.com/syncs                                          from tailscale.com/control/controlknobs+
        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
        tailscale.com/taildrop                                       from tailscale.com/ipn/ipnlocal+
+        tailscale.com/tempfork/acme                                  from tailscale.com/ipn/ipnlocal
        tailscale.com/tempfork/heap                                  from tailscale.com/wgengine/magicsock
+        tailscale.com/tempfork/httprec                               from tailscale.com/control/controlclient
        tailscale.com/tka                                            from tailscale.com/client/tailscale+
        tailscale.com/tsconst                                        from tailscale.com/net/netmon+
        tailscale.com/tsd                                            from tailscale.com/ipn/ipnlocal+
@@ -817,7 +960,6 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
        tailscale.com/util/testenv                                   from tailscale.com/control/controlclient+
        tailscale.com/util/truncate                                  from tailscale.com/logtail
-        tailscale.com/util/uniq                                      from tailscale.com/ipn/ipnlocal+
        tailscale.com/util/usermetric                                from tailscale.com/health+
        tailscale.com/util/vizerror                                  from tailscale.com/tailcfg+
     💣 tailscale.com/util/winutil                                   from tailscale.com/clientupdate+
@@ -829,7 +971,6 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        tailscale.com/version                                        from tailscale.com/client/web+
        tailscale.com/version/distro                                 from tailscale.com/client/web+
        tailscale.com/wgengine                                       from tailscale.com/ipn/ipnlocal+
-        tailscale.com/wgengine/capture                               from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
        tailscale.com/wgengine/filter/filtertype                     from tailscale.com/types/netmap+
     💣 tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
@@ -852,6 +993,8 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
        golang.org/x/crypto/curve25519                               from github.com/tailscale/golang-x-crypto/ssh+
        golang.org/x/crypto/hkdf                                     from crypto/tls+
+        golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
+        golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device
@@ -869,6 +1012,9 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        golang.org/x/net/http2/hpack                                 from golang.org/x/net/http2+
        golang.org/x/net/icmp                                        from github.com/prometheus-community/pro-bing+
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
+        golang.org/x/net/internal/iana                               from golang.org/x/net/icmp+
+        golang.org/x/net/internal/socket                             from golang.org/x/net/icmp+
+        golang.org/x/net/internal/socks                              from golang.org/x/net/proxy
        golang.org/x/net/ipv4                                        from github.com/miekg/dns+
        golang.org/x/net/ipv6                                        from github.com/miekg/dns+
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
@@ -878,7 +1024,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        golang.org/x/oauth2/clientcredentials                        from tailscale.com/cmd/k8s-operator
        golang.org/x/oauth2/internal                                 from golang.org/x/oauth2+
        golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
-        golang.org/x/sys/cpu                                         from github.com/josharian/native+
+        golang.org/x/sys/cpu                                         from github.com/tailscale/certstore+
  LD    golang.org/x/sys/unix                                        from github.com/fsnotify/fsnotify+
   W    golang.org/x/sys/windows                                     from github.com/dblohm7/wingoes+
   W    golang.org/x/sys/windows/registry                            from github.com/dblohm7/wingoes+
@@ -910,6 +1056,18 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        crypto/ed25519                                               from crypto/tls+
        crypto/elliptic                                              from crypto/ecdsa+
        crypto/hmac                                                  from crypto/tls+
+        crypto/internal/alias                                        from crypto/aes+
+        crypto/internal/bigmod                                       from crypto/ecdsa+
+        crypto/internal/boring                                       from crypto/aes+
+        crypto/internal/boring/bbig                                  from crypto/ecdsa+
+        crypto/internal/boring/sig                                   from crypto/internal/boring
+        crypto/internal/edwards25519                                 from crypto/ed25519
+        crypto/internal/edwards25519/field                           from crypto/ecdh+
+        crypto/internal/hpke                                         from crypto/tls
+        crypto/internal/mlkem768                                     from crypto/tls
+        crypto/internal/nistec                                       from crypto/ecdh+
+        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
+        crypto/internal/randutil                                     from crypto/dsa+
        crypto/md5                                                   from crypto/tls+
        crypto/rand                                                  from crypto/ed25519+
        crypto/rc4                                                   from crypto/tls+
@@ -920,6 +1078,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        crypto/subtle                                                from crypto/aes+
        crypto/tls                                                   from github.com/aws/aws-sdk-go-v2/aws/transport/http+
        crypto/x509                                                  from crypto/tls+
+   D    crypto/x509/internal/macos                                   from crypto/x509
        crypto/x509/pkix                                             from crypto/x509+
        database/sql                                                 from github.com/prometheus/client_golang/prometheus/collectors
        database/sql/driver                                          from database/sql+
@@ -945,6 +1104,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        go/build/constraint                                          from go/parser
        go/doc                                                       from k8s.io/apimachinery/pkg/runtime
        go/doc/comment                                               from go/doc
+        go/internal/typeparams                                       from go/parser
        go/parser                                                    from k8s.io/apimachinery/pkg/runtime
        go/scanner                                                   from go/ast+
        go/token                                                     from go/ast+
@@ -955,6 +1115,46 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        hash/maphash                                                 from go4.org/mem
        html                                                         from html/template+
        html/template                                                from github.com/gorilla/csrf
+        internal/abi                                                 from crypto/x509/internal/macos+
+        internal/asan                                                from syscall
+        internal/bisect                                              from internal/godebug
+        internal/bytealg                                             from bytes+
+        internal/byteorder                                           from crypto/aes+
+        internal/chacha8rand                                         from math/rand/v2+
+        internal/concurrent                                          from unique
+        internal/coverage/rtcov                                      from runtime
+        internal/cpu                                                 from crypto/aes+
+        internal/filepathlite                                        from os+
+        internal/fmtsort                                             from fmt+
+        internal/goarch                                              from crypto/aes+
+        internal/godebug                                             from archive/tar+
+        internal/godebugs                                            from internal/godebug+
+        internal/goexperiment                                        from runtime
+        internal/goos                                                from crypto/x509+
+        internal/itoa                                                from internal/poll+
+        internal/lazyregexp                                          from go/doc
+        internal/msan                                                from syscall
+        internal/nettrace                                            from net+
+        internal/oserror                                             from io/fs+
+        internal/poll                                                from net+
+        internal/profile                                             from net/http/pprof
+        internal/profilerecord                                       from runtime+
+        internal/race                                                from internal/poll+
+        internal/reflectlite                                         from context+
+        internal/runtime/atomic                                      from internal/runtime/exithook+
+        internal/runtime/exithook                                    from runtime
+   L    internal/runtime/syscall                                     from runtime+
+        internal/saferio                                             from debug/pe+
+        internal/singleflight                                        from net
+        internal/stringslite                                         from embed+
+        internal/syscall/execenv                                     from os+
+  LD    internal/syscall/unix                                        from crypto/rand+
+   W    internal/syscall/windows                                     from crypto/rand+
+   W    internal/syscall/windows/registry                            from mime+
+   W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
+        internal/testlog                                             from os
+        internal/unsafeheader                                        from internal/reflectlite+
+        internal/weak                                                from unique
        io                                                           from archive/tar+
        io/fs                                                        from archive/tar+
        io/ioutil                                                    from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
@@ -963,6 +1163,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        log/internal                                                 from log+
        log/slog                                                     from github.com/go-logr/logr+
        log/slog/internal                                            from log/slog
+        log/slog/internal/buffer                                     from log/slog
        maps                                                         from sigs.k8s.io/controller-runtime/pkg/predicate+
        math                                                         from archive/tar+
        math/big                                                     from crypto/dsa+
@@ -974,10 +1175,10 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        mime/quotedprintable                                         from mime/multipart
        net                                                          from crypto/tls+
        net/http                                                     from expvar+
-        net/http/httptest                                            from tailscale.com/control/controlclient
        net/http/httptrace                                           from github.com/prometheus-community/pro-bing+
        net/http/httputil                                            from github.com/aws/smithy-go/transport/http+
        net/http/internal                                            from net/http+
+        net/http/internal/ascii                                      from net/http+
        net/http/pprof                                               from sigs.k8s.io/controller-runtime/pkg/manager+
        net/netip                                                    from github.com/gaissmai/bart+
        net/textproto                                                from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
@@ -991,7 +1192,10 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        reflect                                                      from archive/tar+
        regexp                                                       from github.com/aws/aws-sdk-go-v2/internal/endpoints+
        regexp/syntax                                                from regexp
+        runtime                                                      from archive/tar+
        runtime/debug                                                from github.com/aws/aws-sdk-go-v2/internal/sync/singleflight+
+        runtime/internal/math                                        from runtime
+        runtime/internal/sys                                         from runtime
        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
        runtime/pprof                                                from net/http/pprof+
        runtime/trace                                                from net/http/pprof
@@ -1010,3 +1214,4 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        unicode/utf16                                                from crypto/x509+
        unicode/utf8                                                 from bufio+
        unique                                                       from net/netip
+        unsafe                                                       from bytes+
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_connectors.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_connectors.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.1-0.20240618033008-7824932b0cab
+    controller-gen.kubebuilder.io/version: v0.17.0
  name: connectors.tailscale.com
 spec:
  group: tailscale.com
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.1-0.20240618033008-7824932b0cab
+    controller-gen.kubebuilder.io/version: v0.17.0
  name: dnsconfigs.tailscale.com
 spec:
  group: tailscale.com
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_proxyclasses.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_proxyclasses.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.1-0.20240618033008-7824932b0cab
+    controller-gen.kubebuilder.io/version: v0.17.0
  name: proxyclasses.tailscale.com
 spec:
  group: tailscale.com
@@ -428,7 +428,7 @@ spec:
                                              pod labels will be ignored. The default value is empty.
                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                            type: array
                                            items:
                                              type: string
@@ -443,7 +443,7 @@ spec:
                                              pod labels will be ignored. The default value is empty.
                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                            type: array
                                            items:
                                              type: string
@@ -600,7 +600,7 @@ spec:
                                          pod labels will be ignored. The default value is empty.
                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                        type: array
                                        items:
                                          type: string
@@ -615,7 +615,7 @@ spec:
                                          pod labels will be ignored. The default value is empty.
                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                        type: array
                                        items:
                                          type: string
@@ -773,7 +773,7 @@ spec:
                                              pod labels will be ignored. The default value is empty.
                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                            type: array
                                            items:
                                              type: string
@@ -788,7 +788,7 @@ spec:
                                              pod labels will be ignored. The default value is empty.
                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                            type: array
                                            items:
                                              type: string
@@ -945,7 +945,7 @@ spec:
                                          pod labels will be ignored. The default value is empty.
                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                        type: array
                                        items:
                                          type: string
@@ -960,7 +960,7 @@ spec:
                                          pod labels will be ignored. The default value is empty.
                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                        type: array
                                        items:
                                          type: string
@@ -1174,6 +1174,32 @@ spec:
                                Note that this field cannot be set when spec.os.name is windows.
                              type: integer
                              format: int64
+                            seLinuxChangePolicy:
+                              description: |-
+                                seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                                It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                                Valid values are "MountOption" and "Recursive".
+
+                                "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                                This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                                "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                                This requires all Pods that share the same volume to use the same SELinux label.
+                                It is not possible to share the same volume among privileged and unprivileged Pods.
+                                Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                                whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                                CSIDriver instance. Other volumes are always re-labelled recursively.
+                                "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                                If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                                If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                                and "Recursive" for all other volumes.
+
+                                This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                                All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                            seLinuxOptions:
                              description: |-
                                The SELinux context to be applied to all containers.
@@ -1222,18 +1248,28 @@ spec:
                                  type: string
                            supplementalGroups:
                              description: |-
-                                A list of groups applied to the first process run in each container, in addition
-                                to the container's primary GID, the fsGroup (if specified), and group memberships
-                                defined in the container image for the uid of the container process. If unspecified,
-                                no additional groups are added to any container. Note that group memberships
-                                defined in the container image for the uid of the container process are still effective,
-                                even if they are not included in this list.
+                                A list of groups applied to the first process run in each container, in
+                                addition to the container's primary GID and fsGroup (if specified).  If
+                                the SupplementalGroupsPolicy feature is enabled, the
+                                supplementalGroupsPolicy field determines whether these are in addition
+                                to or instead of any group memberships defined in the container image.
+                                If unspecified, no additional groups are added, though group memberships
+                                defined in the container image may still be used, depending on the
+                                supplementalGroupsPolicy field.
                                Note that this field cannot be set when spec.os.name is windows.
                              type: array
                              items:
                                type: integer
                                format: int64
                              x-kubernetes-list-type: atomic
+                            supplementalGroupsPolicy:
+                              description: |-
+                                Defines how supplemental groups of the first container processes are calculated.
+                                Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                                (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                                and the container runtime must implement support for this feature.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                            sysctls:
                              description: |-
                                Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
@@ -1389,6 +1425,12 @@ spec:
                                          the Pod where this field is used. It makes that resource available
                                          inside a container.
                                        type: string
+                                      request:
+                                        description: |-
+                                          Request is the name chosen for a request in the referenced claim.
+                                          If empty, everything from the claim is made available, otherwise
+                                          only the result of this request.
+                                        type: string
                                  x-kubernetes-list-map-keys:
                                    - name
                                  x-kubernetes-list-type: map
@@ -1493,7 +1535,7 @@ spec:
                                procMount:
                                  description: |-
                                    procMount denotes the type of proc mount to use for the containers.
-                                    The default is DefaultProcMount which uses the container runtime defaults for
+                                    The default value is Default which uses the container runtime defaults for
                                    readonly paths and masked paths.
                                    This requires the ProcMountType feature flag to be enabled.
                                    Note that this field cannot be set when spec.os.name is windows.
@@ -1713,6 +1755,12 @@ spec:
                                          the Pod where this field is used. It makes that resource available
                                          inside a container.
                                        type: string
+                                      request:
+                                        description: |-
+                                          Request is the name chosen for a request in the referenced claim.
+                                          If empty, everything from the claim is made available, otherwise
+                                          only the result of this request.
+                                        type: string
                                  x-kubernetes-list-map-keys:
                                    - name
                                  x-kubernetes-list-type: map
@@ -1817,7 +1865,7 @@ spec:
                                procMount:
                                  description: |-
                                    procMount denotes the type of proc mount to use for the containers.
-                                    The default is DefaultProcMount which uses the container runtime defaults for
+                                    The default value is Default which uses the container runtime defaults for
                                    readonly paths and masked paths.
                                    This requires the ProcMountType feature flag to be enabled.
                                    Note that this field cannot be set when spec.os.name is windows.
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_proxygroups.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_proxygroups.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.1-0.20240618033008-7824932b0cab
+    controller-gen.kubebuilder.io/version: v0.17.0
  name: proxygroups.tailscale.com
 spec:
  group: tailscale.com
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_recorders.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_recorders.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.1-0.20240618033008-7824932b0cab
+    controller-gen.kubebuilder.io/version: v0.17.0
  name: recorders.tailscale.com
 spec:
  group: tailscale.com
@@ -372,7 +372,7 @@ spec:
                                              pod labels will be ignored. The default value is empty.
                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                            type: array
                                            items:
                                              type: string
@@ -387,7 +387,7 @@ spec:
                                              pod labels will be ignored. The default value is empty.
                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                            type: array
                                            items:
                                              type: string
@@ -544,7 +544,7 @@ spec:
                                          pod labels will be ignored. The default value is empty.
                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                        type: array
                                        items:
                                          type: string
@@ -559,7 +559,7 @@ spec:
                                          pod labels will be ignored. The default value is empty.
                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                        type: array
                                        items:
                                          type: string
@@ -717,7 +717,7 @@ spec:
                                              pod labels will be ignored. The default value is empty.
                                              The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                              Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                            type: array
                                            items:
                                              type: string
@@ -732,7 +732,7 @@ spec:
                                              pod labels will be ignored. The default value is empty.
                                              The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                              Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                            type: array
                                            items:
                                              type: string
@@ -889,7 +889,7 @@ spec:
                                          pod labels will be ignored. The default value is empty.
                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                        type: array
                                        items:
                                          type: string
@@ -904,7 +904,7 @@ spec:
                                          pod labels will be ignored. The default value is empty.
                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                        type: array
                                        items:
                                          type: string
@@ -1066,6 +1066,12 @@ spec:
                                          the Pod where this field is used. It makes that resource available
                                          inside a container.
                                        type: string
+                                      request:
+                                        description: |-
+                                          Request is the name chosen for a request in the referenced claim.
+                                          If empty, everything from the claim is made available, otherwise
+                                          only the result of this request.
+                                        type: string
                                  x-kubernetes-list-map-keys:
                                    - name
                                  x-kubernetes-list-type: map
@@ -1165,7 +1171,7 @@ spec:
                                procMount:
                                  description: |-
                                    procMount denotes the type of proc mount to use for the containers.
-                                    The default is DefaultProcMount which uses the container runtime defaults for
+                                    The default value is Default which uses the container runtime defaults for
                                    readonly paths and masked paths.
                                    This requires the ProcMountType feature flag to be enabled.
                                    Note that this field cannot be set when spec.os.name is windows.
@@ -1401,6 +1407,32 @@ spec:
                                Note that this field cannot be set when spec.os.name is windows.
                              type: integer
                              format: int64
+                            seLinuxChangePolicy:
+                              description: |-
+                                seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                                It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                                Valid values are "MountOption" and "Recursive".
+
+                                "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                                This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                                "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                                This requires all Pods that share the same volume to use the same SELinux label.
+                                It is not possible to share the same volume among privileged and unprivileged Pods.
+                                Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                                whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                                CSIDriver instance. Other volumes are always re-labelled recursively.
+                                "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                                If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                                If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                                and "Recursive" for all other volumes.
+
+                                This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                                All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                            seLinuxOptions:
                              description: |-
                                The SELinux context to be applied to all containers.
@@ -1449,18 +1481,28 @@ spec:
                                  type: string
                            supplementalGroups:
                              description: |-
-                                A list of groups applied to the first process run in each container, in addition
-                                to the container's primary GID, the fsGroup (if specified), and group memberships
-                                defined in the container image for the uid of the container process. If unspecified,
-                                no additional groups are added to any container. Note that group memberships
-                                defined in the container image for the uid of the container process are still effective,
-                                even if they are not included in this list.
+                                A list of groups applied to the first process run in each container, in
+                                addition to the container's primary GID and fsGroup (if specified).  If
+                                the SupplementalGroupsPolicy feature is enabled, the
+                                supplementalGroupsPolicy field determines whether these are in addition
+                                to or instead of any group memberships defined in the container image.
+                                If unspecified, no additional groups are added, though group memberships
+                                defined in the container image may still be used, depending on the
+                                supplementalGroupsPolicy field.
                                Note that this field cannot be set when spec.os.name is windows.
                              type: array
                              items:
                                type: integer
                                format: int64
                              x-kubernetes-list-type: atomic
+                            supplementalGroupsPolicy:
+                              description: |-
+                                Defines how supplemental groups of the first container processes are calculated.
+                                Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                                (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                                and the container runtime must implement support for this feature.
+                                Note that this field cannot be set when spec.os.name is windows.
+                              type: string
                            sysctls:
                              description: |-
                                Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
--- a/cmd/k8s-operator/deploy/manifests/operator.yaml
+++ b/cmd/k8s-operator/deploy/manifests/operator.yaml
@@ -31,7 +31,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
    annotations:
-        controller-gen.kubebuilder.io/version: v0.15.1-0.20240618033008-7824932b0cab
+        controller-gen.kubebuilder.io/version: v0.17.0
    name: connectors.tailscale.com
 spec:
    group: tailscale.com
@@ -294,7 +294,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
    annotations:
-        controller-gen.kubebuilder.io/version: v0.15.1-0.20240618033008-7824932b0cab
+        controller-gen.kubebuilder.io/version: v0.17.0
    name: dnsconfigs.tailscale.com
 spec:
    group: tailscale.com
@@ -476,7 +476,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
    annotations:
-        controller-gen.kubebuilder.io/version: v0.15.1-0.20240618033008-7824932b0cab
+        controller-gen.kubebuilder.io/version: v0.17.0
    name: proxyclasses.tailscale.com
 spec:
    group: tailscale.com
@@ -886,7 +886,7 @@ spec:
                                                                                        pod labels will be ignored. The default value is empty.
                                                                                        The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                                                                        Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                                                                        This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                                                                        This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                                                                    items:
                                                                                        type: string
                                                                                    type: array
@@ -901,7 +901,7 @@ spec:
                                                                                        pod labels will be ignored. The default value is empty.
                                                                                        The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                                                                        Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                                                                        This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                                                                        This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                                                                    items:
                                                                                        type: string
                                                                                    type: array
@@ -1062,7 +1062,7 @@ spec:
                                                                                pod labels will be ignored. The default value is empty.
                                                                                The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                                                                Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                                                                This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                                                                This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                                                            items:
                                                                                type: string
                                                                            type: array
@@ -1077,7 +1077,7 @@ spec:
                                                                                pod labels will be ignored. The default value is empty.
                                                                                The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                                                                Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                                                                This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                                                                This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                                                            items:
                                                                                type: string
                                                                            type: array
@@ -1231,7 +1231,7 @@ spec:
                                                                                        pod labels will be ignored. The default value is empty.
                                                                                        The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                                                                        Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                                                                        This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                                                                        This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                                                                    items:
                                                                                        type: string
                                                                                    type: array
@@ -1246,7 +1246,7 @@ spec:
                                                                                        pod labels will be ignored. The default value is empty.
                                                                                        The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                                                                        Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                                                                        This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                                                                        This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                                                                    items:
                                                                                        type: string
                                                                                    type: array
@@ -1407,7 +1407,7 @@ spec:
                                                                                pod labels will be ignored. The default value is empty.
                                                                                The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                                                                Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                                                                This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                                                                This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                                                            items:
                                                                                type: string
                                                                            type: array
@@ -1422,7 +1422,7 @@ spec:
                                                                                pod labels will be ignored. The default value is empty.
                                                                                The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                                                                Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                                                                This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                                                                This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                                                            items:
                                                                                type: string
                                                                            type: array
@@ -1641,6 +1641,32 @@ spec:
                                                            Note that this field cannot be set when spec.os.name is windows.
                                                        format: int64
                                                        type: integer
+                                                    seLinuxChangePolicy:
+                                                        description: |-
+                                                            seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                                                            It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                                                            Valid values are "MountOption" and "Recursive".
+
+                                                            "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                                                            This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                                                            "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                                                            This requires all Pods that share the same volume to use the same SELinux label.
+                                                            It is not possible to share the same volume among privileged and unprivileged Pods.
+                                                            Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                                                            whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                                                            CSIDriver instance. Other volumes are always re-labelled recursively.
+                                                            "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                                                            If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                                                            If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                                                            and "Recursive" for all other volumes.
+
+                                                            This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                                                            All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                                                            Note that this field cannot be set when spec.os.name is windows.
+                                                        type: string
                                                    seLinuxOptions:
                                                        description: |-
                                                            The SELinux context to be applied to all containers.
@@ -1689,18 +1715,28 @@ spec:
                                                        type: object
                                                    supplementalGroups:
                                                        description: |-
-                                                            A list of groups applied to the first process run in each container, in addition
-                                                            to the container's primary GID, the fsGroup (if specified), and group memberships
-                                                            defined in the container image for the uid of the container process. If unspecified,
-                                                            no additional groups are added to any container. Note that group memberships
-                                                            defined in the container image for the uid of the container process are still effective,
-                                                            even if they are not included in this list.
+                                                            A list of groups applied to the first process run in each container, in
+                                                            addition to the container's primary GID and fsGroup (if specified).  If
+                                                            the SupplementalGroupsPolicy feature is enabled, the
+                                                            supplementalGroupsPolicy field determines whether these are in addition
+                                                            to or instead of any group memberships defined in the container image.
+                                                            If unspecified, no additional groups are added, though group memberships
+                                                            defined in the container image may still be used, depending on the
+                                                            supplementalGroupsPolicy field.
                                                            Note that this field cannot be set when spec.os.name is windows.
                                                        items:
                                                            format: int64
                                                            type: integer
                                                        type: array
                                                        x-kubernetes-list-type: atomic
+                                                    supplementalGroupsPolicy:
+                                                        description: |-
+                                                            Defines how supplemental groups of the first container processes are calculated.
+                                                            Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                                                            (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                                                            and the container runtime must implement support for this feature.
+                                                            Note that this field cannot be set when spec.os.name is windows.
+                                                        type: string
                                                    sysctls:
                                                        description: |-
                                                            Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
@@ -1851,6 +1887,12 @@ spec:
                                                                                the Pod where this field is used. It makes that resource available
                                                                                inside a container.
                                                                            type: string
+                                                                        request:
+                                                                            description: |-
+                                                                                Request is the name chosen for a request in the referenced claim.
+                                                                                If empty, everything from the claim is made available, otherwise
+                                                                                only the result of this request.
+                                                                            type: string
                                                                    required:
                                                                        - name
                                                                    type: object
@@ -1959,7 +2001,7 @@ spec:
                                                            procMount:
                                                                description: |-
                                                                    procMount denotes the type of proc mount to use for the containers.
-                                                                    The default is DefaultProcMount which uses the container runtime defaults for
+                                                                    The default value is Default which uses the container runtime defaults for
                                                                    readonly paths and masked paths.
                                                                    This requires the ProcMountType feature flag to be enabled.
                                                                    Note that this field cannot be set when spec.os.name is windows.
@@ -2175,6 +2217,12 @@ spec:
                                                                                the Pod where this field is used. It makes that resource available
                                                                                inside a container.
                                                                            type: string
+                                                                        request:
+                                                                            description: |-
+                                                                                Request is the name chosen for a request in the referenced claim.
+                                                                                If empty, everything from the claim is made available, otherwise
+                                                                                only the result of this request.
+                                                                            type: string
                                                                    required:
                                                                        - name
                                                                    type: object
@@ -2283,7 +2331,7 @@ spec:
                                                            procMount:
                                                                description: |-
                                                                    procMount denotes the type of proc mount to use for the containers.
-                                                                    The default is DefaultProcMount which uses the container runtime defaults for
+                                                                    The default value is Default which uses the container runtime defaults for
                                                                    readonly paths and masked paths.
                                                                    This requires the ProcMountType feature flag to be enabled.
                                                                    Note that this field cannot be set when spec.os.name is windows.
@@ -2717,7 +2765,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
    annotations:
-        controller-gen.kubebuilder.io/version: v0.15.1-0.20240618033008-7824932b0cab
+        controller-gen.kubebuilder.io/version: v0.17.0
    name: proxygroups.tailscale.com
 spec:
    group: tailscale.com
@@ -2927,7 +2975,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
    annotations:
-        controller-gen.kubebuilder.io/version: v0.15.1-0.20240618033008-7824932b0cab
+        controller-gen.kubebuilder.io/version: v0.17.0
    name: recorders.tailscale.com
 spec:
    group: tailscale.com
@@ -3281,7 +3329,7 @@ spec:
                                                                                        pod labels will be ignored. The default value is empty.
                                                                                        The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                                                                        Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                                                                        This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                                                                        This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                                                                    items:
                                                                                        type: string
                                                                                    type: array
@@ -3296,7 +3344,7 @@ spec:
                                                                                        pod labels will be ignored. The default value is empty.
                                                                                        The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                                                                        Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                                                                        This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                                                                        This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                                                                    items:
                                                                                        type: string
                                                                                    type: array
@@ -3457,7 +3505,7 @@ spec:
                                                                                pod labels will be ignored. The default value is empty.
                                                                                The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                                                                Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                                                                This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                                                                This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                                                            items:
                                                                                type: string
                                                                            type: array
@@ -3472,7 +3520,7 @@ spec:
                                                                                pod labels will be ignored. The default value is empty.
                                                                                The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                                                                Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                                                                This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                                                                This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                                                            items:
                                                                                type: string
                                                                            type: array
@@ -3626,7 +3674,7 @@ spec:
                                                                                        pod labels will be ignored. The default value is empty.
                                                                                        The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                                                                        Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                                                                        This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                                                                        This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                                                                    items:
                                                                                        type: string
                                                                                    type: array
@@ -3641,7 +3689,7 @@ spec:
                                                                                        pod labels will be ignored. The default value is empty.
                                                                                        The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                                                                        Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                                                                        This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                                                                        This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                                                                    items:
                                                                                        type: string
                                                                                    type: array
@@ -3802,7 +3850,7 @@ spec:
                                                                                pod labels will be ignored. The default value is empty.
                                                                                The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                                                                Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                                                                This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                                                                This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                                                            items:
                                                                                type: string
                                                                            type: array
@@ -3817,7 +3865,7 @@ spec:
                                                                                pod labels will be ignored. The default value is empty.
                                                                                The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                                                                Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                                                                This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+                                                                                This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                                                            items:
                                                                                type: string
                                                                            type: array
@@ -3979,6 +4027,12 @@ spec:
                                                                                the Pod where this field is used. It makes that resource available
                                                                                inside a container.
                                                                            type: string
+                                                                        request:
+                                                                            description: |-
+                                                                                Request is the name chosen for a request in the referenced claim.
+                                                                                If empty, everything from the claim is made available, otherwise
+                                                                                only the result of this request.
+                                                                            type: string
                                                                    required:
                                                                        - name
                                                                    type: object
@@ -4082,7 +4136,7 @@ spec:
                                                            procMount:
                                                                description: |-
                                                                    procMount denotes the type of proc mount to use for the containers.
-                                                                    The default is DefaultProcMount which uses the container runtime defaults for
+                                                                    The default value is Default which uses the container runtime defaults for
                                                                    readonly paths and masked paths.
                                                                    This requires the ProcMountType feature flag to be enabled.
                                                                    Note that this field cannot be set when spec.os.name is windows.
@@ -4319,6 +4373,32 @@ spec:
                                                            Note that this field cannot be set when spec.os.name is windows.
                                                        format: int64
                                                        type: integer
+                                                    seLinuxChangePolicy:
+                                                        description: |-
+                                                            seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+                                                            It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+                                                            Valid values are "MountOption" and "Recursive".
+
+                                                            "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+                                                            This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+                                                            "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+                                                            This requires all Pods that share the same volume to use the same SELinux label.
+                                                            It is not possible to share the same volume among privileged and unprivileged Pods.
+                                                            Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+                                                            whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+                                                            CSIDriver instance. Other volumes are always re-labelled recursively.
+                                                            "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+                                                            If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+                                                            If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+                                                            and "Recursive" for all other volumes.
+
+                                                            This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+                                                            All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+                                                            Note that this field cannot be set when spec.os.name is windows.
+                                                        type: string
                                                    seLinuxOptions:
                                                        description: |-
                                                            The SELinux context to be applied to all containers.
@@ -4367,18 +4447,28 @@ spec:
                                                        type: object
                                                    supplementalGroups:
                                                        description: |-
-                                                            A list of groups applied to the first process run in each container, in addition
-                                                            to the container's primary GID, the fsGroup (if specified), and group memberships
-                                                            defined in the container image for the uid of the container process. If unspecified,
-                                                            no additional groups are added to any container. Note that group memberships
-                                                            defined in the container image for the uid of the container process are still effective,
-                                                            even if they are not included in this list.
+                                                            A list of groups applied to the first process run in each container, in
+                                                            addition to the container's primary GID and fsGroup (if specified).  If
+                                                            the SupplementalGroupsPolicy feature is enabled, the
+                                                            supplementalGroupsPolicy field determines whether these are in addition
+                                                            to or instead of any group memberships defined in the container image.
+                                                            If unspecified, no additional groups are added, though group memberships
+                                                            defined in the container image may still be used, depending on the
+                                                            supplementalGroupsPolicy field.
                                                            Note that this field cannot be set when spec.os.name is windows.
                                                        items:
                                                            format: int64
                                                            type: integer
                                                        type: array
                                                        x-kubernetes-list-type: atomic
+                                                    supplementalGroupsPolicy:
+                                                        description: |-
+                                                            Defines how supplemental groups of the first container processes are calculated.
+                                                            Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+                                                            (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+                                                            and the container runtime must implement support for this feature.
+                                                            Note that this field cannot be set when spec.os.name is windows.
+                                                        type: string
                                                    sysctls:
                                                        description: |-
                                                            Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
--- a/cmd/k8s-operator/egress-eps_test.go
+++ b/cmd/k8s-operator/egress-eps_test.go
@@ -112,7 +112,7 @@ func TestTailscaleEgressEndpointSlices(t *testing.T) {
 				Terminating: pointer.ToBool(false),
 			},
 		})
-		expectEqual(t, fc, eps, nil)
+		expectEqual(t, fc, eps)
 	})
 	t.Run("status_does_not_match_pod_ip", func(t *testing.T) {
 		_, stateS := podAndSecretForProxyGroup("foo")           // replica Pod has IP 10.0.0.1
@@ -122,7 +122,7 @@ func TestTailscaleEgressEndpointSlices(t *testing.T) {
 		})
 		expectReconciled(t, er, "operator-ns", "foo")
 		eps.Endpoints = []discoveryv1.Endpoint{}
-		expectEqual(t, fc, eps, nil)
+		expectEqual(t, fc, eps)
 	})
 }

--- a/cmd/k8s-operator/egress-services-readiness_test.go
+++ b/cmd/k8s-operator/egress-services-readiness_test.go
@@ -67,24 +67,24 @@ func TestEgressServiceReadiness(t *testing.T) {
 	setClusterNotReady(egressSvc, cl, zl.Sugar())
 	t.Run("endpointslice_does_not_exist", func(t *testing.T) {
 		expectReconciled(t, rec, "dev", "my-app")
-		expectEqual(t, fc, egressSvc, nil) // not ready
+		expectEqual(t, fc, egressSvc) // not ready
 	})
 	t.Run("proxy_group_does_not_exist", func(t *testing.T) {
 		mustCreate(t, fc, eps)
 		expectReconciled(t, rec, "dev", "my-app")
-		expectEqual(t, fc, egressSvc, nil) // still not ready
+		expectEqual(t, fc, egressSvc) // still not ready
 	})
 	t.Run("proxy_group_not_ready", func(t *testing.T) {
 		mustCreate(t, fc, pg)
 		expectReconciled(t, rec, "dev", "my-app")
-		expectEqual(t, fc, egressSvc, nil) // still not ready
+		expectEqual(t, fc, egressSvc) // still not ready
 	})
 	t.Run("no_ready_replicas", func(t *testing.T) {
 		setPGReady(pg, cl, zl.Sugar())
 		mustUpdateStatus(t, fc, pg.Namespace, pg.Name, func(p *tsapi.ProxyGroup) {
 			p.Status = pg.Status
 		})
-		expectEqual(t, fc, pg, nil)
+		expectEqual(t, fc, pg)
 		for i := range pgReplicas(pg) {
 			p := pod(pg, i)
 			mustCreate(t, fc, p)
@@ -94,7 +94,7 @@ func TestEgressServiceReadiness(t *testing.T) {
 		}
 		expectReconciled(t, rec, "dev", "my-app")
 		setNotReady(egressSvc, cl, zl.Sugar(), pgReplicas(pg))
-		expectEqual(t, fc, egressSvc, nil) // still not ready
+		expectEqual(t, fc, egressSvc) // still not ready
 	})
 	t.Run("one_ready_replica", func(t *testing.T) {
 		setEndpointForReplica(pg, 0, eps)
@@ -103,7 +103,7 @@ func TestEgressServiceReadiness(t *testing.T) {
 		})
 		setReady(egressSvc, cl, zl.Sugar(), pgReplicas(pg), 1)
 		expectReconciled(t, rec, "dev", "my-app")
-		expectEqual(t, fc, egressSvc, nil) // partially ready
+		expectEqual(t, fc, egressSvc) // partially ready
 	})
 	t.Run("all_replicas_ready", func(t *testing.T) {
 		for i := range pgReplicas(pg) {
@@ -114,7 +114,7 @@ func TestEgressServiceReadiness(t *testing.T) {
 		})
 		setReady(egressSvc, cl, zl.Sugar(), pgReplicas(pg), pgReplicas(pg))
 		expectReconciled(t, rec, "dev", "my-app")
-		expectEqual(t, fc, egressSvc, nil) // ready
+		expectEqual(t, fc, egressSvc) // ready
 	})
 }

--- a/cmd/k8s-operator/egress-services_test.go
+++ b/cmd/k8s-operator/egress-services_test.go
@@ -96,7 +96,7 @@ func TestTailscaleEgressServices(t *testing.T) {
 		expectReconciled(t, esr, "default", "test")
 		// Service should have EgressSvcValid condition set to Unknown.
 		svc.Status.Conditions = []metav1.Condition{condition(tsapi.EgressSvcValid, metav1.ConditionUnknown, reasonProxyGroupNotReady, reasonProxyGroupNotReady, clock)}
-		expectEqual(t, fc, svc, nil)
+		expectEqual(t, fc, svc)
 	})

 	t.Run("proxy_group_ready", func(t *testing.T) {
@@ -162,7 +162,7 @@ func validateReadyService(t *testing.T, fc client.WithWatch, esr *egressSvcsReco
 	expectEqual(t, fc, clusterIPSvc(name, svc), removeTargetPortsFromSvc)
 	clusterSvc := mustGetClusterIPSvc(t, fc, name)
 	// Verify that an EndpointSlice has been created.
-	expectEqual(t, fc, endpointSlice(name, svc, clusterSvc), nil)
+	expectEqual(t, fc, endpointSlice(name, svc, clusterSvc))
 	// Verify that ConfigMap contains configuration for the new egress service.
 	mustHaveConfigForSvc(t, fc, svc, clusterSvc, cm)
 	r := svcConfiguredReason(svc, true, zl.Sugar())
@@ -174,7 +174,7 @@ func validateReadyService(t *testing.T, fc client.WithWatch, esr *egressSvcsReco
 	}
 	svc.ObjectMeta.Finalizers = []string{"tailscale.com/finalizer"}
 	svc.Spec.ExternalName = fmt.Sprintf("%s.operator-ns.svc.cluster.local", name)
-	expectEqual(t, fc, svc, nil)
+	expectEqual(t, fc, svc)

 }

--- a/cmd/k8s-operator/ingress-for-pg.go
+++ b/cmd/k8s-operator/ingress-for-pg.go
@@ -0,0 +1,569 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !plan9
+
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"reflect"
+	"slices"
+	"strings"
+	"sync"
+
+	"go.uber.org/zap"
+	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/record"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"tailscale.com/client/tailscale"
+	"tailscale.com/ipn"
+	"tailscale.com/ipn/ipnstate"
+	tsoperator "tailscale.com/k8s-operator"
+	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
+	"tailscale.com/kube/kubetypes"
+	"tailscale.com/tailcfg"
+	"tailscale.com/util/clientmetric"
+	"tailscale.com/util/dnsname"
+	"tailscale.com/util/mak"
+	"tailscale.com/util/set"
+)
+
+const (
+	serveConfigKey = "serve-config.json"
+	VIPSvcOwnerRef = "tailscale.com/k8s-operator:owned-by:%s"
+	// FinalizerNamePG is the finalizer used by the IngressPGReconciler
+	FinalizerNamePG = "tailscale.com/ingress-pg-finalizer"
+)
+
+var gaugePGIngressResources = clientmetric.NewGauge(kubetypes.MetricIngressPGResourceCount)
+
+// IngressPGReconciler is a controller that reconciles Tailscale Ingresses should be exposed on an ingress ProxyGroup
+// (in HA mode).
+type IngressPGReconciler struct {
+	client.Client
+
+	recorder    record.EventRecorder
+	logger      *zap.SugaredLogger
+	tsClient    tsClient
+	tsnetServer tsnetServer
+	tsNamespace string
+	lc          localClient
+	defaultTags []string
+
+	mu sync.Mutex // protects following
+	// managedIngresses is a set of all ingress resources that we're currently
+	// managing. This is only used for metrics.
+	managedIngresses set.Slice[types.UID]
+}
+
+// Reconcile reconciles Ingresses that should be exposed over Tailscale in HA mode (on a ProxyGroup). It looks at all
+// Ingresses with tailscale.com/proxy-group annotation. For each such Ingress, it ensures that a VIPService named after
+// the hostname of the Ingress exists and is up to date. It also ensures that the serve config for the ingress
+// ProxyGroup is updated to route traffic for the VIPService to the Ingress's backend Services.
+// When an Ingress is deleted or unexposed, the VIPService and the associated serve config are cleaned up.
+// Ingress hostname change also results in the VIPService for the previous hostname being cleaned up and a new VIPService
+// being created for the new hostname.
+func (a *IngressPGReconciler) Reconcile(ctx context.Context, req reconcile.Request) (res reconcile.Result, err error) {
+	logger := a.logger.With("Ingress", req.NamespacedName)
+	logger.Debugf("starting reconcile")
+	defer logger.Debugf("reconcile finished")
+
+	ing := new(networkingv1.Ingress)
+	err = a.Get(ctx, req.NamespacedName, ing)
+	if apierrors.IsNotFound(err) {
+		// Request object not found, could have been deleted after reconcile request.
+		logger.Debugf("Ingress not found, assuming it was deleted")
+		return res, nil
+	} else if err != nil {
+		return res, fmt.Errorf("failed to get Ingress: %w", err)
+	}
+
+	// hostname is the name of the VIPService that will be created for this Ingress as well as the first label in
+	// the MagicDNS name of the Ingress.
+	hostname := hostnameForIngress(ing)
+	logger = logger.With("hostname", hostname)
+
+	if !ing.DeletionTimestamp.IsZero() || !a.shouldExpose(ing) {
+		return res, a.maybeCleanup(ctx, hostname, ing, logger)
+	}
+
+	if err := a.maybeProvision(ctx, hostname, ing, logger); err != nil {
+		return res, fmt.Errorf("failed to provision: %w", err)
+	}
+	return res, nil
+}
+
+// maybeProvision ensures that the VIPService and serve config for the Ingress are created or updated.
+func (a *IngressPGReconciler) maybeProvision(ctx context.Context, hostname string, ing *networkingv1.Ingress, logger *zap.SugaredLogger) error {
+	if err := validateIngressClass(ctx, a.Client); err != nil {
+		logger.Infof("error validating tailscale IngressClass: %v.", err)
+		return nil
+	}
+
+	// Get and validate ProxyGroup readiness
+	pgName := ing.Annotations[AnnotationProxyGroup]
+	if pgName == "" {
+		logger.Infof("[unexpected] no ProxyGroup annotation, skipping VIPService provisioning")
+		return nil
+	}
+	pg := &tsapi.ProxyGroup{}
+	if err := a.Get(ctx, client.ObjectKey{Name: pgName}, pg); err != nil {
+		if apierrors.IsNotFound(err) {
+			logger.Infof("ProxyGroup %q does not exist", pgName)
+			return nil
+		}
+		return fmt.Errorf("getting ProxyGroup %q: %w", pgName, err)
+	}
+	if !tsoperator.ProxyGroupIsReady(pg) {
+		// TODO(irbekrm): we need to reconcile ProxyGroup Ingresses on ProxyGroup changes to not miss the status update
+		// in this case.
+		logger.Infof("ProxyGroup %q is not ready", pgName)
+		return nil
+	}
+
+	// Validate Ingress configuration
+	if err := a.validateIngress(ing, pg); err != nil {
+		logger.Infof("invalid Ingress configuration: %v", err)
+		a.recorder.Event(ing, corev1.EventTypeWarning, "InvalidIngressConfiguration", err.Error())
+		return nil
+	}
+
+	if !IsHTTPSEnabledOnTailnet(a.tsnetServer) {
+		a.recorder.Event(ing, corev1.EventTypeWarning, "HTTPSNotEnabled", "HTTPS is not enabled on the tailnet; ingress may not work")
+	}
+
+	logger = logger.With("proxy-group", pg)
+
+	if !slices.Contains(ing.Finalizers, FinalizerNamePG) {
+		// This log line is printed exactly once during initial provisioning,
+		// because once the finalizer is in place this block gets skipped. So,
+		// this is a nice place to tell the operator that the high level,
+		// multi-reconcile operation is underway.
+		logger.Infof("exposing Ingress over tailscale")
+		ing.Finalizers = append(ing.Finalizers, FinalizerNamePG)
+		if err := a.Update(ctx, ing); err != nil {
+			return fmt.Errorf("failed to add finalizer: %w", err)
+		}
+		a.mu.Lock()
+		a.managedIngresses.Add(ing.UID)
+		gaugePGIngressResources.Set(int64(a.managedIngresses.Len()))
+		a.mu.Unlock()
+	}
+
+	// 1. Ensure that if Ingress' hostname has changed, any VIPService resources corresponding to the old hostname
+	// are cleaned up.
+	// In practice, this function will ensure that any VIPServices that are associated with the provided ProxyGroup
+	// and no longer owned by an Ingress are cleaned up. This is fine- it is not expensive and ensures that in edge
+	// cases (a single update changed both hostname and removed ProxyGroup annotation) the VIPService is more likely
+	// to be (eventually) removed.
+	if err := a.maybeCleanupProxyGroup(ctx, pgName, logger); err != nil {
+		return fmt.Errorf("failed to cleanup VIPService resources for ProxyGroup: %w", err)
+	}
+
+	// 2. Ensure that there isn't a VIPService with the same hostname already created and not owned by this Ingress.
+	// TODO(irbekrm): perhaps in future we could have record names being stored on VIPServices. I am not certain if
+	// there might not be edge cases (custom domains, etc?) where attempting to determine the DNS name of the
+	// VIPService in this way won't be incorrect.
+	tcd, err := a.tailnetCertDomain(ctx)
+	if err != nil {
+		return fmt.Errorf("error determining DNS name base: %w", err)
+	}
+	dnsName := hostname + "." + tcd
+	existingVIPSvc, err := a.tsClient.getVIPServiceByName(ctx, hostname)
+	// TODO(irbekrm): here and when creating the VIPService, verify if the error is not terminal (and therefore
+	// should not be reconciled). For example, if the hostname is already a hostname of a Tailscale node, the GET
+	// here will fail.
+	if err != nil {
+		errResp := &tailscale.ErrResponse{}
+		if ok := errors.As(err, errResp); ok && errResp.Status != http.StatusNotFound {
+			return fmt.Errorf("error getting VIPService %q: %w", hostname, err)
+		}
+	}
+	if existingVIPSvc != nil && !isVIPServiceForIngress(existingVIPSvc, ing) {
+		logger.Infof("VIPService %q for MagicDNS name %q  already exists, but is not owned by this Ingress. Please delete it manually and recreate this Ingress to proceed or create an Ingress for a different MagicDNS name", hostname, dnsName)
+		a.recorder.Event(ing, corev1.EventTypeWarning, "ConflictingVIPServiceExists", fmt.Sprintf("VIPService %q for MagicDNS name %q already exists, but is not owned by this Ingress. Please delete it manually to proceed or create an Ingress for a different MagicDNS name", hostname, dnsName))
+		return nil
+	}
+
+	// 3. Ensure that the serve config for the ProxyGroup contains the VIPService
+	cm, cfg, err := a.proxyGroupServeConfig(ctx, pgName)
+	if err != nil {
+		return fmt.Errorf("error getting ingress serve config: %w", err)
+	}
+	if cm == nil {
+		logger.Infof("no ingress serve config ConfigMap found, unable to update serve config. Ensure that ProxyGroup is healthy.")
+		return nil
+	}
+	ep := ipn.HostPort(fmt.Sprintf("%s:443", dnsName))
+	handlers, err := handlersForIngress(ctx, ing, a.Client, a.recorder, dnsName, logger)
+	if err != nil {
+		return fmt.Errorf("failed to get handlers for ingress: %w", err)
+	}
+	ingCfg := &ipn.ServiceConfig{
+		TCP: map[uint16]*ipn.TCPPortHandler{
+			443: {
+				HTTPS: true,
+			},
+		},
+		Web: map[ipn.HostPort]*ipn.WebServerConfig{
+			ep: {
+				Handlers: handlers,
+			},
+		},
+	}
+	serviceName := tailcfg.ServiceName("svc:" + hostname)
+	var gotCfg *ipn.ServiceConfig
+	if cfg != nil && cfg.Services != nil {
+		gotCfg = cfg.Services[serviceName]
+	}
+	if !reflect.DeepEqual(gotCfg, ingCfg) {
+		logger.Infof("Updating serve config")
+		mak.Set(&cfg.Services, serviceName, ingCfg)
+		cfgBytes, err := json.Marshal(cfg)
+		if err != nil {
+			return fmt.Errorf("error marshaling serve config: %w", err)
+		}
+		mak.Set(&cm.BinaryData, serveConfigKey, cfgBytes)
+		if err := a.Update(ctx, cm); err != nil {
+			return fmt.Errorf("error updating serve config: %w", err)
+		}
+	}
+
+	// 4. Ensure that the VIPService exists and is up to date.
+	tags := a.defaultTags
+	if tstr, ok := ing.Annotations[AnnotationTags]; ok {
+		tags = strings.Split(tstr, ",")
+	}
+
+	vipSvc := &VIPService{
+		Name:    hostname,
+		Tags:    tags,
+		Ports:   []string{"443"}, // always 443 for Ingress
+		Comment: fmt.Sprintf(VIPSvcOwnerRef, ing.UID),
+	}
+	if existingVIPSvc != nil {
+		vipSvc.Addrs = existingVIPSvc.Addrs
+	}
+	if existingVIPSvc == nil || !reflect.DeepEqual(vipSvc.Tags, existingVIPSvc.Tags) {
+		logger.Infof("Ensuring VIPService %q exists and is up to date", hostname)
+		if err := a.tsClient.createOrUpdateVIPServiceByName(ctx, vipSvc); err != nil {
+			logger.Infof("error creating VIPService: %v", err)
+			return fmt.Errorf("error creating VIPService: %w", err)
+		}
+	}
+
+	// 5. Update Ingress status
+	oldStatus := ing.Status.DeepCopy()
+	// TODO(irbekrm): once we have ingress ProxyGroup, we can determine if instances are ready to route traffic to the VIPService
+	ing.Status.LoadBalancer.Ingress = []networkingv1.IngressLoadBalancerIngress{
+		{
+			Hostname: dnsName,
+			Ports: []networkingv1.IngressPortStatus{
+				{
+					Protocol: "TCP",
+					Port:     443,
+				},
+			},
+		},
+	}
+	if apiequality.Semantic.DeepEqual(oldStatus, ing.Status) {
+		return nil
+	}
+	if err := a.Status().Update(ctx, ing); err != nil {
+		return fmt.Errorf("failed to update Ingress status: %w", err)
+	}
+	return nil
+}
+
+// maybeCleanupProxyGroup ensures that if an Ingress hostname has changed, any VIPService resources created for the
+// Ingress' ProxyGroup corresponding to the old hostname are cleaned up. A run of this function will ensure that any
+// VIPServices that are associated with the provided ProxyGroup and no longer owned by an Ingress are cleaned up.
+func (a *IngressPGReconciler) maybeCleanupProxyGroup(ctx context.Context, proxyGroupName string, logger *zap.SugaredLogger) error {
+	// Get serve config for the ProxyGroup
+	cm, cfg, err := a.proxyGroupServeConfig(ctx, proxyGroupName)
+	if err != nil {
+		return fmt.Errorf("getting serve config: %w", err)
+	}
+	if cfg == nil {
+		return nil // ProxyGroup does not have any VIPServices
+	}
+
+	ingList := &networkingv1.IngressList{}
+	if err := a.List(ctx, ingList); err != nil {
+		return fmt.Errorf("listing Ingresses: %w", err)
+	}
+	serveConfigChanged := false
+	// For each VIPService in serve config...
+	for vipHostname := range cfg.Services {
+		// ...check if there is currently an Ingress with this hostname
+		found := false
+		for _, i := range ingList.Items {
+			ingressHostname := hostnameForIngress(&i)
+			if ingressHostname == vipHostname.WithoutPrefix() {
+				found = true
+				break
+			}
+		}
+
+		if !found {
+			logger.Infof("VIPService %q is not owned by any Ingress, cleaning up", vipHostname)
+			svc, err := a.getVIPService(ctx, vipHostname.WithoutPrefix(), logger)
+			if err != nil {
+				errResp := &tailscale.ErrResponse{}
+				if errors.As(err, &errResp) && errResp.Status == http.StatusNotFound {
+					delete(cfg.Services, vipHostname)
+					serveConfigChanged = true
+					continue
+				}
+				return err
+			}
+			if isVIPServiceForAnyIngress(svc) {
+				logger.Infof("cleaning up orphaned VIPService %q", vipHostname)
+				if err := a.tsClient.deleteVIPServiceByName(ctx, vipHostname.WithoutPrefix()); err != nil {
+					errResp := &tailscale.ErrResponse{}
+					if !errors.As(err, &errResp) || errResp.Status != http.StatusNotFound {
+						return fmt.Errorf("deleting VIPService %q: %w", vipHostname, err)
+					}
+				}
+			}
+			delete(cfg.Services, vipHostname)
+			serveConfigChanged = true
+		}
+	}
+
+	if serveConfigChanged {
+		cfgBytes, err := json.Marshal(cfg)
+		if err != nil {
+			return fmt.Errorf("marshaling serve config: %w", err)
+		}
+		mak.Set(&cm.BinaryData, serveConfigKey, cfgBytes)
+		if err := a.Update(ctx, cm); err != nil {
+			return fmt.Errorf("updating serve config: %w", err)
+		}
+	}
+	return nil
+}
+
+// maybeCleanup ensures that any resources, such as a VIPService created for this Ingress, are cleaned up when the
+// Ingress is being deleted or is unexposed.
+func (a *IngressPGReconciler) maybeCleanup(ctx context.Context, hostname string, ing *networkingv1.Ingress, logger *zap.SugaredLogger) error {
+	logger.Debugf("Ensuring any resources for Ingress are cleaned up")
+	ix := slices.Index(ing.Finalizers, FinalizerNamePG)
+	if ix < 0 {
+		logger.Debugf("no finalizer, nothing to do")
+		a.mu.Lock()
+		defer a.mu.Unlock()
+		a.managedIngresses.Remove(ing.UID)
+		gaugePGIngressResources.Set(int64(a.managedIngresses.Len()))
+		return nil
+	}
+
+	// 1. Check if there is a VIPService created for this Ingress.
+	pg := ing.Annotations[AnnotationProxyGroup]
+	cm, cfg, err := a.proxyGroupServeConfig(ctx, pg)
+	if err != nil {
+		return fmt.Errorf("error getting ProxyGroup serve config: %w", err)
+	}
+	serviceName := tailcfg.ServiceName("svc:" + hostname)
+	// VIPService is always first added to serve config and only then created in the Tailscale API, so if it is not
+	// found in the serve config, we can assume that there is no VIPService. TODO(irbekrm): once we have ingress
+	// ProxyGroup, we will probably add currently exposed VIPServices to its status. At that point, we can use the
+	// status rather than checking the serve config each time.
+	if cfg == nil || cfg.Services == nil || cfg.Services[serviceName] == nil {
+		return nil
+	}
+	logger.Infof("Ensuring that VIPService %q configuration is cleaned up", hostname)
+
+	// 2. Delete the VIPService.
+	if err := a.deleteVIPServiceIfExists(ctx, hostname, ing, logger); err != nil {
+		return fmt.Errorf("error deleting VIPService: %w", err)
+	}
+
+	// 3. Remove the VIPService from the serve config for the ProxyGroup.
+	logger.Infof("Removing VIPService %q from serve config for ProxyGroup %q", hostname, pg)
+	delete(cfg.Services, serviceName)
+	cfgBytes, err := json.Marshal(cfg)
+	if err != nil {
+		return fmt.Errorf("error marshaling serve config: %w", err)
+	}
+	mak.Set(&cm.BinaryData, serveConfigKey, cfgBytes)
+	if err := a.Update(ctx, cm); err != nil {
+		return fmt.Errorf("error updating ConfigMap %q: %w", cm.Name, err)
+	}
+
+	if err := a.deleteFinalizer(ctx, ing, logger); err != nil {
+		return fmt.Errorf("failed to remove finalizer: %w", err)
+	}
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	a.managedIngresses.Remove(ing.UID)
+	gaugePGIngressResources.Set(int64(a.managedIngresses.Len()))
+	return nil
+}
+
+func (a *IngressPGReconciler) deleteFinalizer(ctx context.Context, ing *networkingv1.Ingress, logger *zap.SugaredLogger) error {
+	found := false
+	ing.Finalizers = slices.DeleteFunc(ing.Finalizers, func(f string) bool {
+		found = true
+		return f == FinalizerNamePG
+	})
+	if !found {
+		return nil
+	}
+	logger.Debug("ensure %q finalizer is removed", FinalizerNamePG)
+
+	if err := a.Update(ctx, ing); err != nil {
+		return fmt.Errorf("failed to remove finalizer %q: %w", FinalizerNamePG, err)
+	}
+	return nil
+}
+
+func pgIngressCMName(pg string) string {
+	return fmt.Sprintf("%s-ingress-config", pg)
+}
+
+func (a *IngressPGReconciler) proxyGroupServeConfig(ctx context.Context, pg string) (cm *corev1.ConfigMap, cfg *ipn.ServeConfig, err error) {
+	name := pgIngressCMName(pg)
+	cm = &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: a.tsNamespace,
+		},
+	}
+	if err := a.Get(ctx, client.ObjectKeyFromObject(cm), cm); err != nil && !apierrors.IsNotFound(err) {
+		return nil, nil, fmt.Errorf("error retrieving ingress serve config ConfigMap %s: %v", name, err)
+	}
+	if apierrors.IsNotFound(err) {
+		return nil, nil, nil
+	}
+	cfg = &ipn.ServeConfig{}
+	if len(cm.BinaryData[serveConfigKey]) != 0 {
+		if err := json.Unmarshal(cm.BinaryData[serveConfigKey], cfg); err != nil {
+			return nil, nil, fmt.Errorf("error unmarshaling ingress serve config %v: %w", cm.BinaryData[serveConfigKey], err)
+		}
+	}
+	return cm, cfg, nil
+}
+
+type localClient interface {
+	StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error)
+}
+
+// tailnetCertDomain returns the base domain (TCD) of the current tailnet.
+func (a *IngressPGReconciler) tailnetCertDomain(ctx context.Context) (string, error) {
+	st, err := a.lc.StatusWithoutPeers(ctx)
+	if err != nil {
+		return "", fmt.Errorf("error getting tailscale status: %w", err)
+	}
+	return st.CurrentTailnet.MagicDNSSuffix, nil
+}
+
+// shouldExpose returns true if the Ingress should be exposed over Tailscale in HA mode (on a ProxyGroup)
+func (a *IngressPGReconciler) shouldExpose(ing *networkingv1.Ingress) bool {
+	isTSIngress := ing != nil &&
+		ing.Spec.IngressClassName != nil &&
+		*ing.Spec.IngressClassName == tailscaleIngressClassName
+	pgAnnot := ing.Annotations[AnnotationProxyGroup]
+	return isTSIngress && pgAnnot != ""
+}
+
+func (a *IngressPGReconciler) getVIPService(ctx context.Context, hostname string, logger *zap.SugaredLogger) (*VIPService, error) {
+	svc, err := a.tsClient.getVIPServiceByName(ctx, hostname)
+	if err != nil {
+		errResp := &tailscale.ErrResponse{}
+		if ok := errors.As(err, errResp); ok && errResp.Status != http.StatusNotFound {
+			logger.Infof("error getting VIPService %q: %v", hostname, err)
+			return nil, fmt.Errorf("error getting VIPService %q: %w", hostname, err)
+		}
+	}
+	return svc, nil
+}
+
+func isVIPServiceForIngress(svc *VIPService, ing *networkingv1.Ingress) bool {
+	if svc == nil || ing == nil {
+		return false
+	}
+	return strings.EqualFold(svc.Comment, fmt.Sprintf(VIPSvcOwnerRef, ing.UID))
+}
+
+func isVIPServiceForAnyIngress(svc *VIPService) bool {
+	if svc == nil {
+		return false
+	}
+	return strings.HasPrefix(svc.Comment, "tailscale.com/k8s-operator:owned-by:")
+}
+
+// validateIngress validates that the Ingress is properly configured.
+// Currently validates:
+// - Any tags provided via tailscale.com/tags annotation are valid Tailscale ACL tags
+// - The derived hostname is a valid DNS label
+// - The referenced ProxyGroup exists and is of type 'ingress'
+// - Ingress' TLS block is invalid
+func (a *IngressPGReconciler) validateIngress(ing *networkingv1.Ingress, pg *tsapi.ProxyGroup) error {
+	var errs []error
+
+	// Validate tags if present
+	if tstr, ok := ing.Annotations[AnnotationTags]; ok {
+		tags := strings.Split(tstr, ",")
+		for _, tag := range tags {
+			tag = strings.TrimSpace(tag)
+			if err := tailcfg.CheckTag(tag); err != nil {
+				errs = append(errs, fmt.Errorf("tailscale.com/tags annotation contains invalid tag %q: %w", tag, err))
+			}
+		}
+	}
+
+	// Validate TLS configuration
+	if ing.Spec.TLS != nil && len(ing.Spec.TLS) > 0 && (len(ing.Spec.TLS) > 1 || len(ing.Spec.TLS[0].Hosts) > 1) {
+		errs = append(errs, fmt.Errorf("Ingress contains invalid TLS block %v: only a single TLS entry with a single host is allowed", ing.Spec.TLS))
+	}
+
+	// Validate that the hostname will be a valid DNS label
+	hostname := hostnameForIngress(ing)
+	if err := dnsname.ValidLabel(hostname); err != nil {
+		errs = append(errs, fmt.Errorf("invalid hostname %q: %w. Ensure that the hostname is a valid DNS label", hostname, err))
+	}
+
+	// Validate ProxyGroup type
+	if pg.Spec.Type != tsapi.ProxyGroupTypeIngress {
+		errs = append(errs, fmt.Errorf("ProxyGroup %q is of type %q but must be of type %q",
+			pg.Name, pg.Spec.Type, tsapi.ProxyGroupTypeIngress))
+	}
+
+	// Validate ProxyGroup readiness
+	if !tsoperator.ProxyGroupIsReady(pg) {
+		errs = append(errs, fmt.Errorf("ProxyGroup %q is not ready", pg.Name))
+	}
+
+	return errors.Join(errs...)
+}
+
+// deleteVIPServiceIfExists attempts to delete the VIPService if it exists and is owned by the given Ingress.
+func (a *IngressPGReconciler) deleteVIPServiceIfExists(ctx context.Context, name string, ing *networkingv1.Ingress, logger *zap.SugaredLogger) error {
+	svc, err := a.getVIPService(ctx, name, logger)
+	if err != nil {
+		return fmt.Errorf("error getting VIPService: %w", err)
+	}
+
+	// isVIPServiceForIngress handles nil svc, so we don't need to check it here
+	if !isVIPServiceForIngress(svc, ing) {
+		return nil
+	}
+
+	logger.Infof("Deleting VIPService %q", name)
+	if err = a.tsClient.deleteVIPServiceByName(ctx, name); err != nil {
+		return fmt.Errorf("error deleting VIPService: %w", err)
+	}
+	return nil
+}
--- a/cmd/k8s-operator/ingress-for-pg_test.go
+++ b/cmd/k8s-operator/ingress-for-pg_test.go
@@ -0,0 +1,337 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !plan9
+
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+
+	"slices"
+
+	"go.uber.org/zap"
+	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/record"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"tailscale.com/ipn"
+	"tailscale.com/ipn/ipnstate"
+	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
+	"tailscale.com/types/ptr"
+)
+
+func TestIngressPGReconciler(t *testing.T) {
+	tsIngressClass := &networkingv1.IngressClass{
+		ObjectMeta: metav1.ObjectMeta{Name: "tailscale"},
+		Spec:       networkingv1.IngressClassSpec{Controller: "tailscale.com/ts-ingress"},
+	}
+
+	// Pre-create the ProxyGroup
+	pg := &tsapi.ProxyGroup{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:       "test-pg",
+			Generation: 1,
+		},
+		Spec: tsapi.ProxyGroupSpec{
+			Type: tsapi.ProxyGroupTypeIngress,
+		},
+	}
+
+	// Pre-create the ConfigMap for the ProxyGroup
+	pgConfigMap := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-pg-ingress-config",
+			Namespace: "operator-ns",
+		},
+		BinaryData: map[string][]byte{
+			"serve-config.json": []byte(`{"Services":{}}`),
+		},
+	}
+
+	fc := fake.NewClientBuilder().
+		WithScheme(tsapi.GlobalScheme).
+		WithObjects(pg, pgConfigMap, tsIngressClass).
+		WithStatusSubresource(pg).
+		Build()
+	mustUpdateStatus(t, fc, "", pg.Name, func(pg *tsapi.ProxyGroup) {
+		pg.Status.Conditions = []metav1.Condition{
+			{
+				Type:               string(tsapi.ProxyGroupReady),
+				Status:             metav1.ConditionTrue,
+				ObservedGeneration: 1,
+			},
+		}
+	})
+	ft := &fakeTSClient{}
+	fakeTsnetServer := &fakeTSNetServer{certDomains: []string{"foo.com"}}
+	zl, err := zap.NewDevelopment()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	lc := &fakeLocalClient{
+		status: &ipnstate.Status{
+			CurrentTailnet: &ipnstate.TailnetStatus{
+				MagicDNSSuffix: "ts.net",
+			},
+		},
+	}
+	ingPGR := &IngressPGReconciler{
+		Client:      fc,
+		tsClient:    ft,
+		tsnetServer: fakeTsnetServer,
+		defaultTags: []string{"tag:k8s"},
+		tsNamespace: "operator-ns",
+		logger:      zl.Sugar(),
+		recorder:    record.NewFakeRecorder(10),
+		lc:          lc,
+	}
+
+	// Test 1: Default tags
+	ing := &networkingv1.Ingress{
+		TypeMeta: metav1.TypeMeta{Kind: "Ingress", APIVersion: "networking.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-ingress",
+			Namespace: "default",
+			UID:       types.UID("1234-UID"),
+			Annotations: map[string]string{
+				"tailscale.com/proxy-group": "test-pg",
+			},
+		},
+		Spec: networkingv1.IngressSpec{
+			IngressClassName: ptr.To("tailscale"),
+			DefaultBackend: &networkingv1.IngressBackend{
+				Service: &networkingv1.IngressServiceBackend{
+					Name: "test",
+					Port: networkingv1.ServiceBackendPort{
+						Number: 8080,
+					},
+				},
+			},
+			TLS: []networkingv1.IngressTLS{
+				{Hosts: []string{"my-svc.tailnetxyz.ts.net"}},
+			},
+		},
+	}
+	mustCreate(t, fc, ing)
+
+	// Verify initial reconciliation
+	expectReconciled(t, ingPGR, "default", "test-ingress")
+
+	// Get and verify the ConfigMap was updated
+	cm := &corev1.ConfigMap{}
+	if err := fc.Get(context.Background(), types.NamespacedName{
+		Name:      "test-pg-ingress-config",
+		Namespace: "operator-ns",
+	}, cm); err != nil {
+		t.Fatalf("getting ConfigMap: %v", err)
+	}
+
+	cfg := &ipn.ServeConfig{}
+	if err := json.Unmarshal(cm.BinaryData[serveConfigKey], cfg); err != nil {
+		t.Fatalf("unmarshaling serve config: %v", err)
+	}
+
+	if cfg.Services["svc:my-svc"] == nil {
+		t.Error("expected serve config to contain VIPService configuration")
+	}
+
+	// Verify VIPService uses default tags
+	vipSvc, err := ft.getVIPServiceByName(context.Background(), "my-svc")
+	if err != nil {
+		t.Fatalf("getting VIPService: %v", err)
+	}
+	if vipSvc == nil {
+		t.Fatal("VIPService not created")
+	}
+	wantTags := []string{"tag:k8s"} // default tags
+	if !slices.Equal(vipSvc.Tags, wantTags) {
+		t.Errorf("incorrect VIPService tags: got %v, want %v", vipSvc.Tags, wantTags)
+	}
+
+	// Test 2: Custom tags
+	mustUpdate(t, fc, "default", "test-ingress", func(ing *networkingv1.Ingress) {
+		ing.Annotations["tailscale.com/tags"] = "tag:custom,tag:test"
+	})
+	expectReconciled(t, ingPGR, "default", "test-ingress")
+
+	// Verify VIPService uses custom tags
+	vipSvc, err = ft.getVIPServiceByName(context.Background(), "my-svc")
+	if err != nil {
+		t.Fatalf("getting VIPService: %v", err)
+	}
+	if vipSvc == nil {
+		t.Fatal("VIPService not created")
+	}
+	wantTags = []string{"tag:custom", "tag:test"} // custom tags only
+	gotTags := slices.Clone(vipSvc.Tags)
+	slices.Sort(gotTags)
+	slices.Sort(wantTags)
+	if !slices.Equal(gotTags, wantTags) {
+		t.Errorf("incorrect VIPService tags: got %v, want %v", gotTags, wantTags)
+	}
+
+	// Delete the Ingress and verify cleanup
+	if err := fc.Delete(context.Background(), ing); err != nil {
+		t.Fatalf("deleting Ingress: %v", err)
+	}
+
+	expectReconciled(t, ingPGR, "default", "test-ingress")
+
+	// Verify the ConfigMap was cleaned up
+	cm = &corev1.ConfigMap{}
+	if err := fc.Get(context.Background(), types.NamespacedName{
+		Name:      "test-pg-ingress-config",
+		Namespace: "operator-ns",
+	}, cm); err != nil {
+		t.Fatalf("getting ConfigMap: %v", err)
+	}
+
+	cfg = &ipn.ServeConfig{}
+	if err := json.Unmarshal(cm.BinaryData[serveConfigKey], cfg); err != nil {
+		t.Fatalf("unmarshaling serve config: %v", err)
+	}
+
+	if len(cfg.Services) > 0 {
+		t.Error("serve config not cleaned up")
+	}
+}
+
+func TestValidateIngress(t *testing.T) {
+	baseIngress := &networkingv1.Ingress{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-ingress",
+			Namespace: "default",
+		},
+	}
+
+	readyProxyGroup := &tsapi.ProxyGroup{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:       "test-pg",
+			Generation: 1,
+		},
+		Spec: tsapi.ProxyGroupSpec{
+			Type: tsapi.ProxyGroupTypeIngress,
+		},
+		Status: tsapi.ProxyGroupStatus{
+			Conditions: []metav1.Condition{
+				{
+					Type:               string(tsapi.ProxyGroupReady),
+					Status:             metav1.ConditionTrue,
+					ObservedGeneration: 1,
+				},
+			},
+		},
+	}
+
+	tests := []struct {
+		name    string
+		ing     *networkingv1.Ingress
+		pg      *tsapi.ProxyGroup
+		wantErr string
+	}{
+		{
+			name: "valid_ingress_with_hostname",
+			ing: &networkingv1.Ingress{
+				ObjectMeta: baseIngress.ObjectMeta,
+				Spec: networkingv1.IngressSpec{
+					TLS: []networkingv1.IngressTLS{
+						{Hosts: []string{"test.example.com"}},
+					},
+				},
+			},
+			pg: readyProxyGroup,
+		},
+		{
+			name: "valid_ingress_with_default_hostname",
+			ing:  baseIngress,
+			pg:   readyProxyGroup,
+		},
+		{
+			name: "invalid_tags",
+			ing: &networkingv1.Ingress{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      baseIngress.Name,
+					Namespace: baseIngress.Namespace,
+					Annotations: map[string]string{
+						AnnotationTags: "tag:invalid!",
+					},
+				},
+			},
+			pg:      readyProxyGroup,
+			wantErr: "tailscale.com/tags annotation contains invalid tag \"tag:invalid!\": tag names can only contain numbers, letters, or dashes",
+		},
+		{
+			name: "multiple_TLS_entries",
+			ing: &networkingv1.Ingress{
+				ObjectMeta: baseIngress.ObjectMeta,
+				Spec: networkingv1.IngressSpec{
+					TLS: []networkingv1.IngressTLS{
+						{Hosts: []string{"test1.example.com"}},
+						{Hosts: []string{"test2.example.com"}},
+					},
+				},
+			},
+			pg:      readyProxyGroup,
+			wantErr: "Ingress contains invalid TLS block [{[test1.example.com] } {[test2.example.com] }]: only a single TLS entry with a single host is allowed",
+		},
+		{
+			name: "multiple_hosts_in_TLS_entry",
+			ing: &networkingv1.Ingress{
+				ObjectMeta: baseIngress.ObjectMeta,
+				Spec: networkingv1.IngressSpec{
+					TLS: []networkingv1.IngressTLS{
+						{Hosts: []string{"test1.example.com", "test2.example.com"}},
+					},
+				},
+			},
+			pg:      readyProxyGroup,
+			wantErr: "Ingress contains invalid TLS block [{[test1.example.com test2.example.com] }]: only a single TLS entry with a single host is allowed",
+		},
+		{
+			name: "wrong_proxy_group_type",
+			ing:  baseIngress,
+			pg: &tsapi.ProxyGroup{
+				ObjectMeta: readyProxyGroup.ObjectMeta,
+				Spec: tsapi.ProxyGroupSpec{
+					Type: tsapi.ProxyGroupType("foo"),
+				},
+				Status: readyProxyGroup.Status,
+			},
+			wantErr: "ProxyGroup \"test-pg\" is of type \"foo\" but must be of type \"ingress\"",
+		},
+		{
+			name: "proxy_group_not_ready",
+			ing:  baseIngress,
+			pg: &tsapi.ProxyGroup{
+				ObjectMeta: readyProxyGroup.ObjectMeta,
+				Spec:       readyProxyGroup.Spec,
+				Status: tsapi.ProxyGroupStatus{
+					Conditions: []metav1.Condition{
+						{
+							Type:               string(tsapi.ProxyGroupReady),
+							Status:             metav1.ConditionFalse,
+							ObservedGeneration: 1,
+						},
+					},
+				},
+			},
+			wantErr: "ProxyGroup \"test-pg\" is not ready",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			r := &IngressPGReconciler{}
+			err := r.validateIngress(tt.ing, tt.pg)
+			if (err == nil && tt.wantErr != "") || (err != nil && err.Error() != tt.wantErr) {
+				t.Errorf("validateIngress() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
--- a/cmd/k8s-operator/ingress.go
+++ b/cmd/k8s-operator/ingress.go
@@ -26,6 +26,7 @@ import (
 	"tailscale.com/kube/kubetypes"
 	"tailscale.com/types/opt"
 	"tailscale.com/util/clientmetric"
+	"tailscale.com/util/mak"
 	"tailscale.com/util/set"
 )

@@ -58,7 +59,7 @@ var (
 )

 func (a *IngressReconciler) Reconcile(ctx context.Context, req reconcile.Request) (_ reconcile.Result, err error) {
-	logger := a.logger.With("ingress-ns", req.Namespace, "ingress-name", req.Name)
+	logger := a.logger.With("Ingress", req.NamespacedName)
 	logger.Debugf("starting reconcile")
 	defer logger.Debugf("reconcile finished")

@@ -128,9 +129,8 @@ func (a *IngressReconciler) maybeCleanup(ctx context.Context, logger *zap.Sugare
 // This function adds a finalizer to ing, ensuring that we can handle orderly
 // deprovisioning later.
 func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.SugaredLogger, ing *networkingv1.Ingress) error {
-	if err := a.validateIngressClass(ctx); err != nil {
+	if err := validateIngressClass(ctx, a.Client); err != nil {
 		logger.Warnf("error validating tailscale IngressClass: %v. In future this might be a terminal error.", err)
-
 	}
 	if !slices.Contains(ing.Finalizers, FinalizerName) {
 		// This log line is printed exactly once during initial provisioning,
@@ -159,7 +159,7 @@ func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 	gaugeIngressResources.Set(int64(a.managedIngresses.Len()))
 	a.mu.Unlock()

-	if !a.ssr.IsHTTPSEnabledOnTailnet() {
+	if !IsHTTPSEnabledOnTailnet(a.ssr.tsnetServer) {
 		a.recorder.Event(ing, corev1.EventTypeWarning, "HTTPSNotEnabled", "HTTPS is not enabled on the tailnet; ingress may not work")
 	}

@@ -185,73 +185,16 @@ func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 	}

 	web := sc.Web[magic443]
-	addIngressBackend := func(b *networkingv1.IngressBackend, path string) {
-		if b == nil {
-			return
-		}
-		if b.Service == nil {
-			a.recorder.Eventf(ing, corev1.EventTypeWarning, "InvalidIngressBackend", "backend for path %q is missing service", path)
-			return
-		}
-		var svc corev1.Service
-		if err := a.Get(ctx, types.NamespacedName{Namespace: ing.Namespace, Name: b.Service.Name}, &svc); err != nil {
-			a.recorder.Eventf(ing, corev1.EventTypeWarning, "InvalidIngressBackend", "failed to get service %q for path %q: %v", b.Service.Name, path, err)
-			return
-		}
-		if svc.Spec.ClusterIP == "" || svc.Spec.ClusterIP == "None" {
-			a.recorder.Eventf(ing, corev1.EventTypeWarning, "InvalidIngressBackend", "backend for path %q has invalid ClusterIP", path)
-			return
-		}
-		var port int32
-		if b.Service.Port.Name != "" {
-			for _, p := range svc.Spec.Ports {
-				if p.Name == b.Service.Port.Name {
-					port = p.Port
-					break
-				}
-			}
-		} else {
-			port = b.Service.Port.Number
-		}
-		if port == 0 {
-			a.recorder.Eventf(ing, corev1.EventTypeWarning, "InvalidIngressBackend", "backend for path %q has invalid port", path)
-			return
-		}
-		proto := "http://"
-		if port == 443 || b.Service.Port.Name == "https" {
-			proto = "https+insecure://"
-		}
-		web.Handlers[path] = &ipn.HTTPHandler{
-			Proxy: proto + svc.Spec.ClusterIP + ":" + fmt.Sprint(port) + path,
-		}
-	}
-	addIngressBackend(ing.Spec.DefaultBackend, "/")

 	var tlsHost string // hostname or FQDN or empty
 	if ing.Spec.TLS != nil && len(ing.Spec.TLS) > 0 && len(ing.Spec.TLS[0].Hosts) > 0 {
 		tlsHost = ing.Spec.TLS[0].Hosts[0]
 	}
-	for _, rule := range ing.Spec.Rules {
-		// Host is optional, but if it's present it must match the TLS host
-		// otherwise we ignore the rule.
-		if rule.Host != "" && rule.Host != tlsHost {
-			a.recorder.Eventf(ing, corev1.EventTypeWarning, "InvalidIngressBackend", "rule with host %q ignored, unsupported", rule.Host)
-			continue
-		}
-		for _, p := range rule.HTTP.Paths {
-			// Send a warning if folks use Exact path type - to make
-			// it easier for us to support Exact path type matching
-			// in the future if needed.
-			// https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
-			if *p.PathType == networkingv1.PathTypeExact {
-				msg := "Exact path type strict matching is currently not supported and requests will be routed as for Prefix path type. This behaviour might change in the future."
-				logger.Warnf(fmt.Sprintf("Unsupported Path type exact for path %s. %s", p.Path, msg))
-				a.recorder.Eventf(ing, corev1.EventTypeWarning, "UnsupportedPathTypeExact", msg)
-			}
-			addIngressBackend(&p.Backend, p.Path)
-		}
+	handlers, err := handlersForIngress(ctx, ing, a.Client, a.recorder, tlsHost, logger)
+	if err != nil {
+		return fmt.Errorf("failed to get handlers for ingress: %w", err)
 	}
-
+	web.Handlers = handlers
 	if len(web.Handlers) == 0 {
 		logger.Warn("Ingress contains no valid backends")
 		a.recorder.Eventf(ing, corev1.EventTypeWarning, "NoValidBackends", "no valid backends")
@@ -263,10 +206,7 @@ func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 	if tstr, ok := ing.Annotations[AnnotationTags]; ok {
 		tags = strings.Split(tstr, ",")
 	}
-	hostname := ing.Namespace + "-" + ing.Name + "-ingress"
-	if tlsHost != "" {
-		hostname, _, _ = strings.Cut(tlsHost, ".")
-	}
+	hostname := hostnameForIngress(ing)

 	sts := &tailscaleSTSConfig{
 		Hostname:            hostname,
@@ -322,28 +262,106 @@ func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 func (a *IngressReconciler) shouldExpose(ing *networkingv1.Ingress) bool {
 	return ing != nil &&
 		ing.Spec.IngressClassName != nil &&
-		*ing.Spec.IngressClassName == tailscaleIngressClassName
+		*ing.Spec.IngressClassName == tailscaleIngressClassName &&
+		ing.Annotations[AnnotationProxyGroup] == ""
 }

 // validateIngressClass attempts to validate that 'tailscale' IngressClass
 // included in Tailscale installation manifests exists and has not been modified
 // to attempt to enable features that we do not support.
-func (a *IngressReconciler) validateIngressClass(ctx context.Context) error {
+func validateIngressClass(ctx context.Context, cl client.Client) error {
 	ic := &networkingv1.IngressClass{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: tailscaleIngressClassName,
 		},
 	}
-	if err := a.Get(ctx, client.ObjectKeyFromObject(ic), ic); apierrors.IsNotFound(err) {
-		return errors.New("Tailscale IngressClass not found in cluster. Latest installation manifests include a tailscale IngressClass - please update")
+	if err := cl.Get(ctx, client.ObjectKeyFromObject(ic), ic); apierrors.IsNotFound(err) {
+		return errors.New("'tailscale' IngressClass not found in cluster.")
 	} else if err != nil {
 		return fmt.Errorf("error retrieving 'tailscale' IngressClass: %w", err)
 	}
 	if ic.Spec.Controller != tailscaleIngressControllerName {
-		return fmt.Errorf("Tailscale Ingress class controller name %s does not match tailscale Ingress controller name %s. Ensure that you are using 'tailscale' IngressClass from latest Tailscale installation manifests", ic.Spec.Controller, tailscaleIngressControllerName)
+		return fmt.Errorf("'tailscale' Ingress class controller name %s does not match tailscale Ingress controller name %s. Ensure that you are using 'tailscale' IngressClass from latest Tailscale installation manifests", ic.Spec.Controller, tailscaleIngressControllerName)
 	}
 	if ic.GetAnnotations()[ingressClassDefaultAnnotation] != "" {
 		return fmt.Errorf("%s annotation is set on 'tailscale' IngressClass, but Tailscale Ingress controller does not support default Ingress class. Ensure that you are using 'tailscale' IngressClass from latest Tailscale installation manifests", ingressClassDefaultAnnotation)
 	}
 	return nil
 }
+
+func handlersForIngress(ctx context.Context, ing *networkingv1.Ingress, cl client.Client, rec record.EventRecorder, tlsHost string, logger *zap.SugaredLogger) (handlers map[string]*ipn.HTTPHandler, err error) {
+	addIngressBackend := func(b *networkingv1.IngressBackend, path string) {
+		if b == nil {
+			return
+		}
+		if b.Service == nil {
+			rec.Eventf(ing, corev1.EventTypeWarning, "InvalidIngressBackend", "backend for path %q is missing service", path)
+			return
+		}
+		var svc corev1.Service
+		if err := cl.Get(ctx, types.NamespacedName{Namespace: ing.Namespace, Name: b.Service.Name}, &svc); err != nil {
+			rec.Eventf(ing, corev1.EventTypeWarning, "InvalidIngressBackend", "failed to get service %q for path %q: %v", b.Service.Name, path, err)
+			return
+		}
+		if svc.Spec.ClusterIP == "" || svc.Spec.ClusterIP == "None" {
+			rec.Eventf(ing, corev1.EventTypeWarning, "InvalidIngressBackend", "backend for path %q has invalid ClusterIP", path)
+			return
+		}
+		var port int32
+		if b.Service.Port.Name != "" {
+			for _, p := range svc.Spec.Ports {
+				if p.Name == b.Service.Port.Name {
+					port = p.Port
+					break
+				}
+			}
+		} else {
+			port = b.Service.Port.Number
+		}
+		if port == 0 {
+			rec.Eventf(ing, corev1.EventTypeWarning, "InvalidIngressBackend", "backend for path %q has invalid port", path)
+			return
+		}
+		proto := "http://"
+		if port == 443 || b.Service.Port.Name == "https" {
+			proto = "https+insecure://"
+		}
+		mak.Set(&handlers, path, &ipn.HTTPHandler{
+			Proxy: proto + svc.Spec.ClusterIP + ":" + fmt.Sprint(port) + path,
+		})
+	}
+	addIngressBackend(ing.Spec.DefaultBackend, "/")
+	for _, rule := range ing.Spec.Rules {
+		// Host is optional, but if it's present it must match the TLS host
+		// otherwise we ignore the rule.
+		if rule.Host != "" && rule.Host != tlsHost {
+			rec.Eventf(ing, corev1.EventTypeWarning, "InvalidIngressBackend", "rule with host %q ignored, unsupported", rule.Host)
+			continue
+		}
+		for _, p := range rule.HTTP.Paths {
+			// Send a warning if folks use Exact path type - to make
+			// it easier for us to support Exact path type matching
+			// in the future if needed.
+			// https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
+			if *p.PathType == networkingv1.PathTypeExact {
+				msg := "Exact path type strict matching is currently not supported and requests will be routed as for Prefix path type. This behaviour might change in the future."
+				logger.Warnf(fmt.Sprintf("Unsupported Path type exact for path %s. %s", p.Path, msg))
+				rec.Eventf(ing, corev1.EventTypeWarning, "UnsupportedPathTypeExact", msg)
+			}
+			addIngressBackend(&p.Backend, p.Path)
+		}
+	}
+	return handlers, nil
+}
+
+// hostnameForIngress returns the hostname for an Ingress resource.
+// If the Ingress has TLS configured with a host, it returns the first component of that host.
+// Otherwise, it returns a hostname derived from the Ingress name and namespace.
+func hostnameForIngress(ing *networkingv1.Ingress) string {
+	if ing.Spec.TLS != nil && len(ing.Spec.TLS) > 0 && len(ing.Spec.TLS[0].Hosts) > 0 {
+		h := ing.Spec.TLS[0].Hosts[0]
+		hostname, _, _ := strings.Cut(h, ".")
+		return hostname
+	}
+	return ing.Namespace + "-" + ing.Name + "-ingress"
+}
--- a/cmd/k8s-operator/ingress_test.go
+++ b/cmd/k8s-operator/ingress_test.go
@@ -103,9 +103,9 @@ func TestTailscaleIngress(t *testing.T) {
 	}
 	opts.serveConfig = serveConfig

-	expectEqual(t, fc, expectedSecret(t, fc, opts), nil)
-	expectEqual(t, fc, expectedHeadlessService(shortName, "ingress"), nil)
-	expectEqual(t, fc, expectedSTSUserspace(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSecret(t, fc, opts))
+	expectEqual(t, fc, expectedHeadlessService(shortName, "ingress"))
+	expectEqual(t, fc, expectedSTSUserspace(t, fc, opts), removeHashAnnotation, removeResourceReqs)

 	// 2. Ingress status gets updated with ingress proxy's MagicDNS name
 	// once that becomes available.
@@ -120,7 +120,7 @@ func TestTailscaleIngress(t *testing.T) {
 			{Hostname: "foo.tailnetxyz.ts.net", Ports: []networkingv1.IngressPortStatus{{Port: 443, Protocol: "TCP"}}},
 		},
 	}
-	expectEqual(t, fc, ing, nil)
+	expectEqual(t, fc, ing)

 	// 3. Resources get created for Ingress that should allow forwarding
 	// cluster traffic
@@ -129,7 +129,7 @@ func TestTailscaleIngress(t *testing.T) {
 	})
 	opts.shouldEnableForwardingClusterTrafficViaIngress = true
 	expectReconciled(t, ingR, "default", "test")
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)

 	// 4. Resources get cleaned up when Ingress class is unset
 	mustUpdate(t, fc, "default", "test", func(ing *networkingv1.Ingress) {
@@ -229,9 +229,9 @@ func TestTailscaleIngressHostname(t *testing.T) {
 	}
 	opts.serveConfig = serveConfig

-	expectEqual(t, fc, expectedSecret(t, fc, opts), nil)
-	expectEqual(t, fc, expectedHeadlessService(shortName, "ingress"), nil)
-	expectEqual(t, fc, expectedSTSUserspace(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSecret(t, fc, opts))
+	expectEqual(t, fc, expectedHeadlessService(shortName, "ingress"))
+	expectEqual(t, fc, expectedSTSUserspace(t, fc, opts), removeHashAnnotation, removeResourceReqs)

 	// 2. Ingress proxy with capability version >= 110 does not have an HTTPS endpoint set
 	mustUpdate(t, fc, "operator-ns", opts.secretName, func(secret *corev1.Secret) {
@@ -243,7 +243,7 @@ func TestTailscaleIngressHostname(t *testing.T) {
 	expectReconciled(t, ingR, "default", "test")
 	ing.Finalizers = append(ing.Finalizers, "tailscale.com/finalizer")

-	expectEqual(t, fc, ing, nil)
+	expectEqual(t, fc, ing)

 	// 3. Ingress proxy with capability version >= 110 advertises HTTPS endpoint
 	mustUpdate(t, fc, "operator-ns", opts.secretName, func(secret *corev1.Secret) {
@@ -259,7 +259,7 @@ func TestTailscaleIngressHostname(t *testing.T) {
 			{Hostname: "foo.tailnetxyz.ts.net", Ports: []networkingv1.IngressPortStatus{{Port: 443, Protocol: "TCP"}}},
 		},
 	}
-	expectEqual(t, fc, ing, nil)
+	expectEqual(t, fc, ing)

 	// 4. Ingress proxy with capability version >= 110 does not have an HTTPS endpoint ready
 	mustUpdate(t, fc, "operator-ns", opts.secretName, func(secret *corev1.Secret) {
@@ -271,7 +271,7 @@ func TestTailscaleIngressHostname(t *testing.T) {
 	})
 	expectReconciled(t, ingR, "default", "test")
 	ing.Status.LoadBalancer.Ingress = nil
-	expectEqual(t, fc, ing, nil)
+	expectEqual(t, fc, ing)

 	// 5. Ingress proxy's state has https_endpoints set, but its capver is not matching Pod UID (downgrade)
 	mustUpdate(t, fc, "operator-ns", opts.secretName, func(secret *corev1.Secret) {
@@ -287,7 +287,7 @@ func TestTailscaleIngressHostname(t *testing.T) {
 		},
 	}
 	expectReconciled(t, ingR, "default", "test")
-	expectEqual(t, fc, ing, nil)
+	expectEqual(t, fc, ing)
 }

 func TestTailscaleIngressWithProxyClass(t *testing.T) {
@@ -383,9 +383,9 @@ func TestTailscaleIngressWithProxyClass(t *testing.T) {
 	}
 	opts.serveConfig = serveConfig

-	expectEqual(t, fc, expectedSecret(t, fc, opts), nil)
-	expectEqual(t, fc, expectedHeadlessService(shortName, "ingress"), nil)
-	expectEqual(t, fc, expectedSTSUserspace(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSecret(t, fc, opts))
+	expectEqual(t, fc, expectedHeadlessService(shortName, "ingress"))
+	expectEqual(t, fc, expectedSTSUserspace(t, fc, opts), removeHashAnnotation, removeResourceReqs)

 	// 2. Ingress is updated to specify a ProxyClass, ProxyClass is not yet
 	// ready, so proxy resource configuration does not change.
@@ -393,7 +393,7 @@ func TestTailscaleIngressWithProxyClass(t *testing.T) {
 		mak.Set(&ing.ObjectMeta.Labels, LabelProxyClass, "custom-metadata")
 	})
 	expectReconciled(t, ingR, "default", "test")
-	expectEqual(t, fc, expectedSTSUserspace(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTSUserspace(t, fc, opts), removeHashAnnotation, removeResourceReqs)

 	// 3. ProxyClass is set to Ready by proxy-class reconciler. Ingress get
 	// reconciled and configuration from the ProxyClass is applied to the
@@ -408,7 +408,7 @@ func TestTailscaleIngressWithProxyClass(t *testing.T) {
 	})
 	expectReconciled(t, ingR, "default", "test")
 	opts.proxyClass = pc.Name
-	expectEqual(t, fc, expectedSTSUserspace(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTSUserspace(t, fc, opts), removeHashAnnotation, removeResourceReqs)

 	// 4. tailscale.com/proxy-class label is removed from the Ingress, the
 	// Ingress gets reconciled and the custom ProxyClass configuration is
@@ -418,7 +418,7 @@ func TestTailscaleIngressWithProxyClass(t *testing.T) {
 	})
 	expectReconciled(t, ingR, "default", "test")
 	opts.proxyClass = ""
-	expectEqual(t, fc, expectedSTSUserspace(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTSUserspace(t, fc, opts), removeHashAnnotation, removeResourceReqs)
 }

 func TestTailscaleIngressWithServiceMonitor(t *testing.T) {
@@ -526,20 +526,20 @@ func TestTailscaleIngressWithServiceMonitor(t *testing.T) {

 	expectReconciled(t, ingR, "default", "test")

-	expectEqual(t, fc, expectedMetricsService(opts), nil)
+	expectEqual(t, fc, expectedMetricsService(opts))

 	// 2. Enable ServiceMonitor - should not error when there is no ServiceMonitor CRD in cluster
 	mustUpdate(t, fc, "", "metrics", func(pc *tsapi.ProxyClass) {
 		pc.Spec.Metrics.ServiceMonitor = &tsapi.ServiceMonitor{Enable: true, Labels: tsapi.Labels{"foo": "bar"}}
 	})
 	expectReconciled(t, ingR, "default", "test")
-	expectEqual(t, fc, expectedMetricsService(opts), nil)
+	expectEqual(t, fc, expectedMetricsService(opts))

 	// 3. Create ServiceMonitor CRD and reconcile- ServiceMonitor should get created
 	mustCreate(t, fc, crd)
 	expectReconciled(t, ingR, "default", "test")
 	opts.serviceMonitorLabels = tsapi.Labels{"foo": "bar"}
-	expectEqual(t, fc, expectedMetricsService(opts), nil)
+	expectEqual(t, fc, expectedMetricsService(opts))
 	expectEqualUnstructured(t, fc, expectedServiceMonitor(t, opts))

 	// 4. Update ServiceMonitor CRD and reconcile- ServiceMonitor should get updated
@@ -549,7 +549,7 @@ func TestTailscaleIngressWithServiceMonitor(t *testing.T) {
 	expectReconciled(t, ingR, "default", "test")
 	opts.serviceMonitorLabels = nil
 	opts.resourceVersion = "2"
-	expectEqual(t, fc, expectedMetricsService(opts), nil)
+	expectEqual(t, fc, expectedMetricsService(opts))
 	expectEqualUnstructured(t, fc, expectedServiceMonitor(t, opts))

 	// 5. Disable metrics - metrics resources should get deleted.
--- a/cmd/k8s-operator/nameserver_test.go
+++ b/cmd/k8s-operator/nameserver_test.go
@@ -69,7 +69,7 @@ func TestNameserverReconciler(t *testing.T) {
 	wantsDeploy.Namespace = "tailscale"
 	labels := nameserverResourceLabels("test", "tailscale")
 	wantsDeploy.ObjectMeta.Labels = labels
-	expectEqual(t, fc, wantsDeploy, nil)
+	expectEqual(t, fc, wantsDeploy)

 	// Verify that DNSConfig advertizes the nameserver's Service IP address,
 	// has the ready status condition and tailscale finalizer.
@@ -88,7 +88,7 @@ func TestNameserverReconciler(t *testing.T) {
 		Message:            reasonNameserverCreated,
 		LastTransitionTime: metav1.Time{Time: cl.Now().Truncate(time.Second)},
 	})
-	expectEqual(t, fc, dnsCfg, nil)
+	expectEqual(t, fc, dnsCfg)

 	// // Verify that nameserver image gets updated to match DNSConfig spec.
 	mustUpdate(t, fc, "", "test", func(dnsCfg *tsapi.DNSConfig) {
@@ -96,7 +96,7 @@ func TestNameserverReconciler(t *testing.T) {
 	})
 	expectReconciled(t, nr, "", "test")
 	wantsDeploy.Spec.Template.Spec.Containers[0].Image = "test:v0.0.2"
-	expectEqual(t, fc, wantsDeploy, nil)
+	expectEqual(t, fc, wantsDeploy)

 	// Verify that when another actor sets ConfigMap data, it does not get
 	// overwritten by nameserver reconciler.
@@ -114,7 +114,7 @@ func TestNameserverReconciler(t *testing.T) {
 		TypeMeta: metav1.TypeMeta{Kind: "ConfigMap", APIVersion: "v1"},
 		Data:     map[string]string{"records.json": string(bs)},
 	}
-	expectEqual(t, fc, wantCm, nil)
+	expectEqual(t, fc, wantCm)

 	// Verify that if dnsconfig.spec.nameserver.image.{repo,tag} are unset,
 	// the nameserver image defaults to tailscale/k8s-nameserver:unstable.
@@ -123,5 +123,5 @@ func TestNameserverReconciler(t *testing.T) {
 	})
 	expectReconciled(t, nr, "", "test")
 	wantsDeploy.Spec.Template.Spec.Containers[0].Image = "tailscale/k8s-nameserver:unstable"
-	expectEqual(t, fc, wantsDeploy, nil)
+	expectEqual(t, fc, wantsDeploy)
 }
--- a/cmd/k8s-operator/operator.go
+++ b/cmd/k8s-operator/operator.go
@@ -18,7 +18,6 @@ import (
 	"github.com/go-logr/zapr"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
-	"golang.org/x/oauth2/clientcredentials"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	discoveryv1 "k8s.io/api/discovery/v1"
@@ -88,6 +87,15 @@ func main() {
 	zlog := kzap.NewRaw(opts...).Sugar()
 	logf.SetLogger(zapr.NewLogger(zlog.Desugar()))

+	if tsNamespace == "" {
+		const namespaceFile = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"
+		b, err := os.ReadFile(namespaceFile)
+		if err != nil {
+			zlog.Fatalf("Could not get operator namespace from OPERATOR_NAMESPACE environment variable or default projected volume: %v", err)
+		}
+		tsNamespace = strings.TrimSpace(string(b))
+	}
+
 	// The operator can run either as a plain operator or it can
 	// additionally act as api-server proxy
 	// https://tailscale.com/kb/1236/kubernetes-operator/?q=kubernetes#accessing-the-kubernetes-control-plane-using-an-api-server-proxy.
@@ -98,14 +106,14 @@ func main() {
 		hostinfo.SetApp(kubetypes.AppAPIServerProxy)
 	}

-	s, tsClient := initTSNet(zlog)
+	s, tsc := initTSNet(zlog)
 	defer s.Close()
 	restConfig := config.GetConfigOrDie()
 	maybeLaunchAPIServerProxy(zlog, restConfig, s, mode)
 	rOpts := reconcilerOpts{
 		log:                           zlog,
 		tsServer:                      s,
-		tsClient:                      tsClient,
+		tsClient:                      tsc,
 		tailscaleNamespace:            tsNamespace,
 		restConfig:                    restConfig,
 		proxyImage:                    image,
@@ -121,7 +129,7 @@ func main() {
 // initTSNet initializes the tsnet.Server and logs in to Tailscale. It uses the
 // CLIENT_ID_FILE and CLIENT_SECRET_FILE environment variables to authenticate
 // with Tailscale.
-func initTSNet(zlog *zap.SugaredLogger) (*tsnet.Server, *tailscale.Client) {
+func initTSNet(zlog *zap.SugaredLogger) (*tsnet.Server, tsClient) {
 	var (
 		clientIDPath     = defaultEnv("CLIENT_ID_FILE", "")
 		clientSecretPath = defaultEnv("CLIENT_SECRET_FILE", "")
@@ -133,23 +141,10 @@ func initTSNet(zlog *zap.SugaredLogger) (*tsnet.Server, *tailscale.Client) {
 	if clientIDPath == "" || clientSecretPath == "" {
 		startlog.Fatalf("CLIENT_ID_FILE and CLIENT_SECRET_FILE must be set")
 	}
-	clientID, err := os.ReadFile(clientIDPath)
+	tsc, err := newTSClient(context.Background(), clientIDPath, clientSecretPath)
 	if err != nil {
-		startlog.Fatalf("reading client ID %q: %v", clientIDPath, err)
+		startlog.Fatalf("error creating Tailscale client: %v", err)
 	}
-	clientSecret, err := os.ReadFile(clientSecretPath)
-	if err != nil {
-		startlog.Fatalf("reading client secret %q: %v", clientSecretPath, err)
-	}
-	credentials := clientcredentials.Config{
-		ClientID:     string(clientID),
-		ClientSecret: string(clientSecret),
-		TokenURL:     "https://login.tailscale.com/api/v2/oauth/token",
-	}
-	tsClient := tailscale.NewClient("-", nil)
-	tsClient.UserAgent = "tailscale-k8s-operator"
-	tsClient.HTTPClient = credentials.Client(context.Background())
-
 	s := &tsnet.Server{
 		Hostname: hostname,
 		Logf:     zlog.Named("tailscaled").Debugf,
@@ -202,7 +197,7 @@ waitOnline:
 					},
 				},
 			}
-			authkey, _, err := tsClient.CreateKey(ctx, caps)
+			authkey, _, err := tsc.CreateKey(ctx, caps)
 			if err != nil {
 				startlog.Fatalf("creating operator authkey: %v", err)
 			}
@@ -226,7 +221,7 @@ waitOnline:
 		}
 		time.Sleep(time.Second)
 	}
-	return s, tsClient
+	return s, tsc
 }

 // runReconcilers starts the controller-runtime manager and registers the
@@ -320,6 +315,7 @@ func runReconcilers(opts reconcilerOpts) {
 	err = builder.
 		ControllerManagedBy(mgr).
 		For(&networkingv1.Ingress{}).
+		Named("ingress-reconciler").
 		Watches(&appsv1.StatefulSet{}, ingressChildFilter).
 		Watches(&corev1.Secret{}, ingressChildFilter).
 		Watches(&corev1.Service{}, svcHandlerForIngress).
@@ -334,6 +330,28 @@ func runReconcilers(opts reconcilerOpts) {
 	if err != nil {
 		startlog.Fatalf("could not create ingress reconciler: %v", err)
 	}
+	lc, err := opts.tsServer.LocalClient()
+	if err != nil {
+		startlog.Fatalf("could not get local client: %v", err)
+	}
+	err = builder.
+		ControllerManagedBy(mgr).
+		For(&networkingv1.Ingress{}).
+		Named("ingress-pg-reconciler").
+		Watches(&corev1.Service{}, handler.EnqueueRequestsFromMapFunc(serviceHandlerForIngressPG(mgr.GetClient(), startlog))).
+		Complete(&IngressPGReconciler{
+			recorder:    eventRecorder,
+			tsClient:    opts.tsClient,
+			tsnetServer: opts.tsServer,
+			defaultTags: strings.Split(opts.proxyTags, ","),
+			Client:      mgr.GetClient(),
+			logger:      opts.log.Named("ingress-pg-reconciler"),
+			lc:          lc,
+			tsNamespace: opts.tailscaleNamespace,
+		})
+	if err != nil {
+		startlog.Fatalf("could not create ingress-pg-reconciler: %v", err)
+	}

 	connectorFilter := handler.EnqueueRequestsFromMapFunc(managedResourceHandlerForType("connector"))
 	// If a ProxyClassChanges, enqueue all Connectors that have
@@ -341,6 +359,7 @@ func runReconcilers(opts reconcilerOpts) {
 	proxyClassFilterForConnector := handler.EnqueueRequestsFromMapFunc(proxyClassHandlerForConnector(mgr.GetClient(), startlog))
 	err = builder.ControllerManagedBy(mgr).
 		For(&tsapi.Connector{}).
+		Named("connector-reconciler").
 		Watches(&appsv1.StatefulSet{}, connectorFilter).
 		Watches(&corev1.Secret{}, connectorFilter).
 		Watches(&tsapi.ProxyClass{}, proxyClassFilterForConnector).
@@ -360,6 +379,7 @@ func runReconcilers(opts reconcilerOpts) {
 	nameserverFilter := handler.EnqueueRequestsFromMapFunc(managedResourceHandlerForType("nameserver"))
 	err = builder.ControllerManagedBy(mgr).
 		For(&tsapi.DNSConfig{}).
+		Named("nameserver-reconciler").
 		Watches(&appsv1.Deployment{}, nameserverFilter).
 		Watches(&corev1.ConfigMap{}, nameserverFilter).
 		Watches(&corev1.Service{}, nameserverFilter).
@@ -439,6 +459,7 @@ func runReconcilers(opts reconcilerOpts) {
 	serviceMonitorFilter := handler.EnqueueRequestsFromMapFunc(proxyClassesWithServiceMonitor(mgr.GetClient(), opts.log))
 	err = builder.ControllerManagedBy(mgr).
 		For(&tsapi.ProxyClass{}).
+		Named("proxyclass-reconciler").
 		Watches(&apiextensionsv1.CustomResourceDefinition{}, serviceMonitorFilter).
 		Complete(&ProxyClassReconciler{
 			Client:   mgr.GetClient(),
@@ -482,6 +503,7 @@ func runReconcilers(opts reconcilerOpts) {
 	recorderFilter := handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &tsapi.Recorder{})
 	err = builder.ControllerManagedBy(mgr).
 		For(&tsapi.Recorder{}).
+		Named("recorder-reconciler").
 		Watches(&appsv1.StatefulSet{}, recorderFilter).
 		Watches(&corev1.ServiceAccount{}, recorderFilter).
 		Watches(&corev1.Secret{}, recorderFilter).
@@ -504,7 +526,9 @@ func runReconcilers(opts reconcilerOpts) {
 	proxyClassFilterForProxyGroup := handler.EnqueueRequestsFromMapFunc(proxyClassHandlerForProxyGroup(mgr.GetClient(), startlog))
 	err = builder.ControllerManagedBy(mgr).
 		For(&tsapi.ProxyGroup{}).
+		Named("proxygroup-reconciler").
 		Watches(&appsv1.StatefulSet{}, ownedByProxyGroupFilter).
+		Watches(&corev1.ConfigMap{}, ownedByProxyGroupFilter).
 		Watches(&corev1.ServiceAccount{}, ownedByProxyGroupFilter).
 		Watches(&corev1.Secret{}, ownedByProxyGroupFilter).
 		Watches(&rbacv1.Role{}, ownedByProxyGroupFilter).
@@ -536,7 +560,7 @@ func runReconcilers(opts reconcilerOpts) {
 type reconcilerOpts struct {
 	log                *zap.SugaredLogger
 	tsServer           *tsnet.Server
-	tsClient           *tailscale.Client
+	tsClient           tsClient
 	tailscaleNamespace string       // namespace in which operator resources will be deployed
 	restConfig         *rest.Config // config for connecting to the kube API server
 	proxyImage         string       // <proxy-image-repo>:<proxy-image-tag>
@@ -661,12 +685,6 @@ func dnsRecordsReconcilerIngressHandler(ns string, isDefaultLoadBalancer bool, c
 	}
 }

-type tsClient interface {
-	CreateKey(ctx context.Context, caps tailscale.KeyCapabilities) (string, *tailscale.Key, error)
-	Device(ctx context.Context, deviceID string, fields *tailscale.DeviceFieldsOpts) (*tailscale.Device, error)
-	DeleteDevice(ctx context.Context, nodeStableID string) error
-}
-
 func isManagedResource(o client.Object) bool {
 	ls := o.GetLabels()
 	return ls[LabelManaged] == "true"
@@ -802,6 +820,10 @@ func serviceHandlerForIngress(cl client.Client, logger *zap.SugaredLogger) handl
 			if ing.Spec.IngressClassName == nil || *ing.Spec.IngressClassName != tailscaleIngressClassName {
 				return nil
 			}
+			if hasProxyGroupAnnotation(&ing) {
+				// We don't want to reconcile backend Services for Ingresses for ProxyGroups.
+				continue
+			}
 			if ing.Spec.DefaultBackend != nil && ing.Spec.DefaultBackend.Service != nil && ing.Spec.DefaultBackend.Service.Name == o.GetName() {
 				reqs = append(reqs, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(&ing)})
 			}
@@ -1085,3 +1107,44 @@ func indexEgressServices(o client.Object) []string {
 	}
 	return []string{o.GetAnnotations()[AnnotationProxyGroup]}
 }
+
+// serviceHandlerForIngressPG returns a handler for Service events that ensures that if the Service
+// associated with an event is a backend Service for a tailscale Ingress with ProxyGroup annotation,
+// the associated Ingress gets reconciled.
+func serviceHandlerForIngressPG(cl client.Client, logger *zap.SugaredLogger) handler.MapFunc {
+	return func(ctx context.Context, o client.Object) []reconcile.Request {
+		ingList := networkingv1.IngressList{}
+		if err := cl.List(ctx, &ingList, client.InNamespace(o.GetNamespace())); err != nil {
+			logger.Debugf("error listing Ingresses: %v", err)
+			return nil
+		}
+		reqs := make([]reconcile.Request, 0)
+		for _, ing := range ingList.Items {
+			if ing.Spec.IngressClassName == nil || *ing.Spec.IngressClassName != tailscaleIngressClassName {
+				continue
+			}
+			if !hasProxyGroupAnnotation(&ing) {
+				continue
+			}
+			if ing.Spec.DefaultBackend != nil && ing.Spec.DefaultBackend.Service != nil && ing.Spec.DefaultBackend.Service.Name == o.GetName() {
+				reqs = append(reqs, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(&ing)})
+			}
+			for _, rule := range ing.Spec.Rules {
+				if rule.HTTP == nil {
+					continue
+				}
+				for _, path := range rule.HTTP.Paths {
+					if path.Backend.Service != nil && path.Backend.Service.Name == o.GetName() {
+						reqs = append(reqs, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(&ing)})
+					}
+				}
+			}
+		}
+		return reqs
+	}
+}
+
+func hasProxyGroupAnnotation(obj client.Object) bool {
+	ing := obj.(*networkingv1.Ingress)
+	return ing.Annotations[AnnotationProxyGroup] != ""
+}
--- a/cmd/k8s-operator/operator_test.go
+++ b/cmd/k8s-operator/operator_test.go
@@ -106,7 +106,7 @@ func TestLoadBalancerClass(t *testing.T) {
 			}},
 		},
 	}
-	expectEqual(t, fc, want, nil)
+	expectEqual(t, fc, want)

 	// Delete the misconfiguration so the proxy starts getting created on the
 	// next reconcile.
@@ -128,9 +128,9 @@ func TestLoadBalancerClass(t *testing.T) {
 		app:             kubetypes.AppIngressProxy,
 	}

-	expectEqual(t, fc, expectedSecret(t, fc, opts), nil)
-	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSecret(t, fc, opts))
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"))
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)

 	want.Annotations = nil
 	want.ObjectMeta.Finalizers = []string{"tailscale.com/finalizer"}
@@ -143,7 +143,7 @@ func TestLoadBalancerClass(t *testing.T) {
 			Message:            "no Tailscale hostname known yet, waiting for proxy pod to finish auth",
 		}},
 	}
-	expectEqual(t, fc, want, nil)
+	expectEqual(t, fc, want)

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@@ -169,7 +169,7 @@ func TestLoadBalancerClass(t *testing.T) {
 			},
 		},
 	}
-	expectEqual(t, fc, want, nil)
+	expectEqual(t, fc, want)

 	// Turn the service back into a ClusterIP service, which should make the
 	// operator clean up.
@@ -206,7 +206,7 @@ func TestLoadBalancerClass(t *testing.T) {
 			Type:      corev1.ServiceTypeClusterIP,
 		},
 	}
-	expectEqual(t, fc, want, nil)
+	expectEqual(t, fc, want)
 }

 func TestTailnetTargetFQDNAnnotation(t *testing.T) {
@@ -266,9 +266,9 @@ func TestTailnetTargetFQDNAnnotation(t *testing.T) {
 		app:               kubetypes.AppEgressProxy,
 	}

-	expectEqual(t, fc, expectedSecret(t, fc, o), nil)
-	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
+	expectEqual(t, fc, expectedSecret(t, fc, o))
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"))
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation, removeResourceReqs)
 	want := &corev1.Service{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:       "test",
@@ -288,10 +288,10 @@ func TestTailnetTargetFQDNAnnotation(t *testing.T) {
 			Conditions: proxyCreatedCondition(clock),
 		},
 	}
-	expectEqual(t, fc, want, nil)
-	expectEqual(t, fc, expectedSecret(t, fc, o), nil)
-	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
+	expectEqual(t, fc, want)
+	expectEqual(t, fc, expectedSecret(t, fc, o))
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"))
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation, removeResourceReqs)

 	// Change the tailscale-target-fqdn annotation which should update the
 	// StatefulSet
@@ -378,9 +378,9 @@ func TestTailnetTargetIPAnnotation(t *testing.T) {
 		app:             kubetypes.AppEgressProxy,
 	}

-	expectEqual(t, fc, expectedSecret(t, fc, o), nil)
-	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
+	expectEqual(t, fc, expectedSecret(t, fc, o))
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"))
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation, removeResourceReqs)
 	want := &corev1.Service{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:       "test",
@@ -400,10 +400,10 @@ func TestTailnetTargetIPAnnotation(t *testing.T) {
 			Conditions: proxyCreatedCondition(clock),
 		},
 	}
-	expectEqual(t, fc, want, nil)
-	expectEqual(t, fc, expectedSecret(t, fc, o), nil)
-	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
+	expectEqual(t, fc, want)
+	expectEqual(t, fc, expectedSecret(t, fc, o))
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"))
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation, removeResourceReqs)

 	// Change the tailscale-target-ip annotation which should update the
 	// StatefulSet
@@ -501,7 +501,7 @@ func TestTailnetTargetIPAnnotation_IPCouldNotBeParsed(t *testing.T) {
 		},
 	}

-	expectEqual(t, fc, want, nil)
+	expectEqual(t, fc, want)
 }

 func TestTailnetTargetIPAnnotation_InvalidIP(t *testing.T) {
@@ -572,7 +572,7 @@ func TestTailnetTargetIPAnnotation_InvalidIP(t *testing.T) {
 		},
 	}

-	expectEqual(t, fc, want, nil)
+	expectEqual(t, fc, want)
 }

 func TestAnnotations(t *testing.T) {
@@ -629,9 +629,9 @@ func TestAnnotations(t *testing.T) {
 		app:             kubetypes.AppIngressProxy,
 	}

-	expectEqual(t, fc, expectedSecret(t, fc, o), nil)
-	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
+	expectEqual(t, fc, expectedSecret(t, fc, o))
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"))
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation, removeResourceReqs)
 	want := &corev1.Service{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:       "test",
@@ -650,7 +650,7 @@ func TestAnnotations(t *testing.T) {
 			Conditions: proxyCreatedCondition(clock),
 		},
 	}
-	expectEqual(t, fc, want, nil)
+	expectEqual(t, fc, want)

 	// Turn the service back into a ClusterIP service, which should make the
 	// operator clean up.
@@ -678,7 +678,7 @@ func TestAnnotations(t *testing.T) {
 			Type:      corev1.ServiceTypeClusterIP,
 		},
 	}
-	expectEqual(t, fc, want, nil)
+	expectEqual(t, fc, want)
 }

 func TestAnnotationIntoLB(t *testing.T) {
@@ -735,9 +735,9 @@ func TestAnnotationIntoLB(t *testing.T) {
 		app:             kubetypes.AppIngressProxy,
 	}

-	expectEqual(t, fc, expectedSecret(t, fc, o), nil)
-	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
+	expectEqual(t, fc, expectedSecret(t, fc, o))
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"))
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation, removeResourceReqs)

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, since it would have normally happened at
@@ -769,7 +769,7 @@ func TestAnnotationIntoLB(t *testing.T) {
 			Conditions: proxyCreatedCondition(clock),
 		},
 	}
-	expectEqual(t, fc, want, nil)
+	expectEqual(t, fc, want)

 	// Remove Tailscale's annotation, and at the same time convert the service
 	// into a tailscale LoadBalancer.
@@ -780,8 +780,8 @@ func TestAnnotationIntoLB(t *testing.T) {
 	})
 	expectReconciled(t, sr, "default", "test")
 	// None of the proxy machinery should have changed...
-	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"))
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation, removeResourceReqs)
 	// ... but the service should have a LoadBalancer status.

 	want = &corev1.Service{
@@ -810,7 +810,7 @@ func TestAnnotationIntoLB(t *testing.T) {
 			Conditions: proxyCreatedCondition(clock),
 		},
 	}
-	expectEqual(t, fc, want, nil)
+	expectEqual(t, fc, want)
 }

 func TestLBIntoAnnotation(t *testing.T) {
@@ -865,9 +865,9 @@ func TestLBIntoAnnotation(t *testing.T) {
 		app:             kubetypes.AppIngressProxy,
 	}

-	expectEqual(t, fc, expectedSecret(t, fc, o), nil)
-	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
+	expectEqual(t, fc, expectedSecret(t, fc, o))
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"))
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation, removeResourceReqs)

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@@ -907,7 +907,7 @@ func TestLBIntoAnnotation(t *testing.T) {
 			Conditions: proxyCreatedCondition(clock),
 		},
 	}
-	expectEqual(t, fc, want, nil)
+	expectEqual(t, fc, want)

 	// Turn the service back into a ClusterIP service, but also add the
 	// tailscale annotation.
@@ -926,8 +926,8 @@ func TestLBIntoAnnotation(t *testing.T) {
 	})
 	expectReconciled(t, sr, "default", "test")

-	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"))
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation, removeResourceReqs)

 	want = &corev1.Service{
 		ObjectMeta: metav1.ObjectMeta{
@@ -947,7 +947,7 @@ func TestLBIntoAnnotation(t *testing.T) {
 			Conditions: proxyCreatedCondition(clock),
 		},
 	}
-	expectEqual(t, fc, want, nil)
+	expectEqual(t, fc, want)
 }

 func TestCustomHostname(t *testing.T) {
@@ -1005,9 +1005,9 @@ func TestCustomHostname(t *testing.T) {
 		app:             kubetypes.AppIngressProxy,
 	}

-	expectEqual(t, fc, expectedSecret(t, fc, o), nil)
-	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
+	expectEqual(t, fc, expectedSecret(t, fc, o))
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"))
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation, removeResourceReqs)
 	want := &corev1.Service{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:       "test",
@@ -1027,7 +1027,7 @@ func TestCustomHostname(t *testing.T) {
 			Conditions: proxyCreatedCondition(clock),
 		},
 	}
-	expectEqual(t, fc, want, nil)
+	expectEqual(t, fc, want)

 	// Turn the service back into a ClusterIP service, which should make the
 	// operator clean up.
@@ -1058,7 +1058,7 @@ func TestCustomHostname(t *testing.T) {
 			Type:      corev1.ServiceTypeClusterIP,
 		},
 	}
-	expectEqual(t, fc, want, nil)
+	expectEqual(t, fc, want)
 }

 func TestCustomPriorityClassName(t *testing.T) {
@@ -1118,7 +1118,7 @@ func TestCustomPriorityClassName(t *testing.T) {
 		app:               kubetypes.AppIngressProxy,
 	}

-	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation, removeResourceReqs)
 }

 func TestProxyClassForService(t *testing.T) {
@@ -1186,9 +1186,9 @@ func TestProxyClassForService(t *testing.T) {
 		clusterTargetIP: "10.20.30.40",
 		app:             kubetypes.AppIngressProxy,
 	}
-	expectEqual(t, fc, expectedSecret(t, fc, opts), nil)
-	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSecret(t, fc, opts))
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"))
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)

 	// 2. The Service gets updated with tailscale.com/proxy-class label
 	// pointing at the 'custom-metadata' ProxyClass. The ProxyClass is not
@@ -1197,8 +1197,8 @@ func TestProxyClassForService(t *testing.T) {
 		mak.Set(&svc.Labels, LabelProxyClass, "custom-metadata")
 	})
 	expectReconciled(t, sr, "default", "test")
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
-	expectEqual(t, fc, expectedSecret(t, fc, opts), nil)
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)
+	expectEqual(t, fc, expectedSecret(t, fc, opts))

 	// 3. ProxyClass is set to Ready, the Service gets reconciled by the
 	// services-reconciler and the customization from the ProxyClass is
@@ -1213,7 +1213,7 @@ func TestProxyClassForService(t *testing.T) {
 	})
 	opts.proxyClass = pc.Name
 	expectReconciled(t, sr, "default", "test")
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)
 	expectEqual(t, fc, expectedSecret(t, fc, opts), removeAuthKeyIfExistsModifier(t))

 	// 4. tailscale.com/proxy-class label is removed from the Service, the
@@ -1224,7 +1224,7 @@ func TestProxyClassForService(t *testing.T) {
 	})
 	opts.proxyClass = ""
 	expectReconciled(t, sr, "default", "test")
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)
 }

 func TestDefaultLoadBalancer(t *testing.T) {
@@ -1270,7 +1270,7 @@ func TestDefaultLoadBalancer(t *testing.T) {

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")

-	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"))
 	o := configOpts{
 		stsName:         shortName,
 		secretName:      fullName,
@@ -1280,8 +1280,7 @@ func TestDefaultLoadBalancer(t *testing.T) {
 		clusterTargetIP: "10.20.30.40",
 		app:             kubetypes.AppIngressProxy,
 	}
-	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
-
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation, removeResourceReqs)
 }

 func TestProxyFirewallMode(t *testing.T) {
@@ -1337,7 +1336,7 @@ func TestProxyFirewallMode(t *testing.T) {
 		clusterTargetIP: "10.20.30.40",
 		app:             kubetypes.AppIngressProxy,
 	}
-	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation, removeResourceReqs)
 }

 func TestTailscaledConfigfileHash(t *testing.T) {
@@ -1393,7 +1392,7 @@ func TestTailscaledConfigfileHash(t *testing.T) {
 		confFileHash:    "848bff4b5ba83ac999e6984c8464e597156daba961ae045e7dbaef606d54ab5e",
 		app:             kubetypes.AppIngressProxy,
 	}
-	expectEqual(t, fc, expectedSTS(t, fc, o), nil)
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeResourceReqs)

 	// 2. Hostname gets changed, configfile is updated and a new hash value
 	// is produced.
@@ -1403,7 +1402,7 @@ func TestTailscaledConfigfileHash(t *testing.T) {
 	o.hostname = "another-test"
 	o.confFileHash = "d4cc13f09f55f4f6775689004f9a466723325b84d2b590692796bfe22aeaa389"
 	expectReconciled(t, sr, "default", "test")
-	expectEqual(t, fc, expectedSTS(t, fc, o), nil)
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeResourceReqs)
 }
 func Test_isMagicDNSName(t *testing.T) {
 	tests := []struct {
@@ -1681,9 +1680,9 @@ func Test_authKeyRemoval(t *testing.T) {
 		app:             kubetypes.AppIngressProxy,
 	}

-	expectEqual(t, fc, expectedSecret(t, fc, opts), nil)
-	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSecret(t, fc, opts))
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"))
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)

 	// 2. Apply update to the Secret that imitates the proxy setting device_id.
 	s := expectedSecret(t, fc, opts)
@@ -1695,7 +1694,7 @@ func Test_authKeyRemoval(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")
 	opts.shouldRemoveAuthKey = true
 	opts.secretExtraData = map[string][]byte{"device_id": []byte("dkkdi4CNTRL")}
-	expectEqual(t, fc, expectedSecret(t, fc, opts), nil)
+	expectEqual(t, fc, expectedSecret(t, fc, opts))
 }

 func Test_externalNameService(t *testing.T) {
@@ -1755,9 +1754,9 @@ func Test_externalNameService(t *testing.T) {
 		app:              kubetypes.AppIngressProxy,
 	}

-	expectEqual(t, fc, expectedSecret(t, fc, opts), nil)
-	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSecret(t, fc, opts))
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"))
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)

 	// 2. Change the ExternalName and verify that changes get propagated.
 	mustUpdate(t, sr, "default", "test", func(s *corev1.Service) {
@@ -1765,7 +1764,7 @@ func Test_externalNameService(t *testing.T) {
 	})
 	expectReconciled(t, sr, "default", "test")
 	opts.clusterTargetDNS = "bar.com"
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation, removeResourceReqs)
 }

 func Test_metricsResourceCreation(t *testing.T) {
@@ -1835,7 +1834,7 @@ func Test_metricsResourceCreation(t *testing.T) {
 	})
 	expectReconciled(t, sr, "default", "test")
 	opts.enableMetrics = true
-	expectEqual(t, fc, expectedMetricsService(opts), nil)
+	expectEqual(t, fc, expectedMetricsService(opts))

 	// 2. Enable ServiceMonitor - should not error when there is no ServiceMonitor CRD in cluster
 	mustUpdate(t, fc, "", "metrics", func(pc *tsapi.ProxyClass) {
@@ -1855,7 +1854,7 @@ func Test_metricsResourceCreation(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")
 	opts.serviceMonitorLabels = tsapi.Labels{"foo": "bar"}
 	opts.resourceVersion = "2"
-	expectEqual(t, fc, expectedMetricsService(opts), nil)
+	expectEqual(t, fc, expectedMetricsService(opts))
 	expectEqualUnstructured(t, fc, expectedServiceMonitor(t, opts))

 	// 5. Disable metrics- expect metrics Service to be deleted
--- a/cmd/k8s-operator/proxyclass_test.go
+++ b/cmd/k8s-operator/proxyclass_test.go
@@ -78,7 +78,7 @@ func TestProxyClass(t *testing.T) {
 		LastTransitionTime: metav1.Time{Time: cl.Now().Truncate(time.Second)},
 	})

-	expectEqual(t, fc, pc, nil)
+	expectEqual(t, fc, pc)

 	// 2. A ProxyClass resource with invalid labels gets its status updated to Invalid with an error message.
 	pc.Spec.StatefulSet.Labels["foo"] = "?!someVal"
@@ -88,7 +88,7 @@ func TestProxyClass(t *testing.T) {
 	expectReconciled(t, pcr, "", "test")
 	msg := `ProxyClass is not valid: .spec.statefulSet.labels: Invalid value: "?!someVal": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')`
 	tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassReady, metav1.ConditionFalse, reasonProxyClassInvalid, msg, 0, cl, zl.Sugar())
-	expectEqual(t, fc, pc, nil)
+	expectEqual(t, fc, pc)
 	expectedEvent := "Warning ProxyClassInvalid ProxyClass is not valid: .spec.statefulSet.labels: Invalid value: \"?!someVal\": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')"
 	expectEvents(t, fr, []string{expectedEvent})

@@ -102,7 +102,7 @@ func TestProxyClass(t *testing.T) {
 	expectReconciled(t, pcr, "", "test")
 	msg = `ProxyClass is not valid: spec.statefulSet.pod.tailscaleContainer.image: Invalid value: "FOO bar": invalid reference format: repository name (library/FOO bar) must be lowercase`
 	tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassReady, metav1.ConditionFalse, reasonProxyClassInvalid, msg, 0, cl, zl.Sugar())
-	expectEqual(t, fc, pc, nil)
+	expectEqual(t, fc, pc)
 	expectedEvent = `Warning ProxyClassInvalid ProxyClass is not valid: spec.statefulSet.pod.tailscaleContainer.image: Invalid value: "FOO bar": invalid reference format: repository name (library/FOO bar) must be lowercase`
 	expectEvents(t, fr, []string{expectedEvent})

@@ -121,7 +121,7 @@ func TestProxyClass(t *testing.T) {
 	expectReconciled(t, pcr, "", "test")
 	msg = `ProxyClass is not valid: spec.statefulSet.pod.tailscaleInitContainer.image: Invalid value: "FOO bar": invalid reference format: repository name (library/FOO bar) must be lowercase`
 	tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassReady, metav1.ConditionFalse, reasonProxyClassInvalid, msg, 0, cl, zl.Sugar())
-	expectEqual(t, fc, pc, nil)
+	expectEqual(t, fc, pc)
 	expectedEvent = `Warning ProxyClassInvalid ProxyClass is not valid: spec.statefulSet.pod.tailscaleInitContainer.image: Invalid value: "FOO bar": invalid reference format: repository name (library/FOO bar) must be lowercase`
 	expectEvents(t, fr, []string{expectedEvent})

@@ -145,7 +145,7 @@ func TestProxyClass(t *testing.T) {
 	expectReconciled(t, pcr, "", "test")
 	msg = `ProxyClass is not valid: spec.metrics.serviceMonitor: Invalid value: "enable": ProxyClass defines that a ServiceMonitor custom resource should be created, but "servicemonitors.monitoring.coreos.com" CRD was not found`
 	tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassReady, metav1.ConditionFalse, reasonProxyClassInvalid, msg, 0, cl, zl.Sugar())
-	expectEqual(t, fc, pc, nil)
+	expectEqual(t, fc, pc)
 	expectedEvent = "Warning ProxyClassInvalid " + msg
 	expectEvents(t, fr, []string{expectedEvent})

@@ -154,7 +154,7 @@ func TestProxyClass(t *testing.T) {
 	mustCreate(t, fc, crd)
 	expectReconciled(t, pcr, "", "test")
 	tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassReady, metav1.ConditionTrue, reasonProxyClassValid, reasonProxyClassValid, 0, cl, zl.Sugar())
-	expectEqual(t, fc, pc, nil)
+	expectEqual(t, fc, pc)

 	// 7. A ProxyClass with invalid ServiceMonitor labels gets its status updated to Invalid with an error message.
 	pc.Spec.Metrics.ServiceMonitor.Labels = tsapi.Labels{"foo": "bar!"}
@@ -164,7 +164,7 @@ func TestProxyClass(t *testing.T) {
 	expectReconciled(t, pcr, "", "test")
 	msg = `ProxyClass is not valid: .spec.metrics.serviceMonitor.labels: Invalid value: "bar!": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')`
 	tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassReady, metav1.ConditionFalse, reasonProxyClassInvalid, msg, 0, cl, zl.Sugar())
-	expectEqual(t, fc, pc, nil)
+	expectEqual(t, fc, pc)

 	// 8. A ProxyClass with valid ServiceMonitor labels gets its status updated to Valid.
 	pc.Spec.Metrics.ServiceMonitor.Labels = tsapi.Labels{"foo": "bar", "xyz1234": "abc567", "empty": "", "onechar": "a"}
@@ -173,7 +173,7 @@ func TestProxyClass(t *testing.T) {
 	})
 	expectReconciled(t, pcr, "", "test")
 	tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassReady, metav1.ConditionTrue, reasonProxyClassValid, reasonProxyClassValid, 0, cl, zl.Sugar())
-	expectEqual(t, fc, pc, nil)
+	expectEqual(t, fc, pc)
 }

 func TestValidateProxyClass(t *testing.T) {
--- a/cmd/k8s-operator/proxygroup.go
+++ b/cmd/k8s-operator/proxygroup.go
@@ -258,7 +258,16 @@ func (r *ProxyGroupReconciler) maybeProvision(ctx context.Context, pg *tsapi.Pro
 			existing.ObjectMeta.Labels = cm.ObjectMeta.Labels
 			existing.ObjectMeta.OwnerReferences = cm.ObjectMeta.OwnerReferences
 		}); err != nil {
-			return fmt.Errorf("error provisioning ConfigMap: %w", err)
+			return fmt.Errorf("error provisioning egress ConfigMap %q: %w", cm.Name, err)
+		}
+	}
+	if pg.Spec.Type == tsapi.ProxyGroupTypeIngress {
+		cm := pgIngressCM(pg, r.tsNamespace)
+		if _, err := createOrUpdate(ctx, r.Client, r.tsNamespace, cm, func(existing *corev1.ConfigMap) {
+			existing.ObjectMeta.Labels = cm.ObjectMeta.Labels
+			existing.ObjectMeta.OwnerReferences = cm.ObjectMeta.OwnerReferences
+		}); err != nil {
+			return fmt.Errorf("error provisioning ingress ConfigMap %q: %w", cm.Name, err)
 		}
 	}
 	ss, err := pgStatefulSet(pg, r.tsNamespace, r.proxyImage, r.tsFirewallMode)
--- a/cmd/k8s-operator/proxygroup_specs.go
+++ b/cmd/k8s-operator/proxygroup_specs.go
@@ -56,6 +56,10 @@ func pgStatefulSet(pg *tsapi.ProxyGroup, namespace, image, tsFirewallMode string
 	}
 	tmpl.Spec.ServiceAccountName = pg.Name
 	tmpl.Spec.InitContainers[0].Image = image
+	proxyConfigVolName := pgEgressCMName(pg.Name)
+	if pg.Spec.Type == tsapi.ProxyGroupTypeIngress {
+		proxyConfigVolName = pgIngressCMName(pg.Name)
+	}
 	tmpl.Spec.Volumes = func() []corev1.Volume {
 		var volumes []corev1.Volume
 		for i := range pgReplicas(pg) {
@@ -69,18 +73,16 @@ func pgStatefulSet(pg *tsapi.ProxyGroup, namespace, image, tsFirewallMode string
 			})
 		}

-		if pg.Spec.Type == tsapi.ProxyGroupTypeEgress {
-			volumes = append(volumes, corev1.Volume{
-				Name: pgEgressCMName(pg.Name),
-				VolumeSource: corev1.VolumeSource{
-					ConfigMap: &corev1.ConfigMapVolumeSource{
-						LocalObjectReference: corev1.LocalObjectReference{
-							Name: pgEgressCMName(pg.Name),
-						},
+		volumes = append(volumes, corev1.Volume{
+			Name: proxyConfigVolName,
+			VolumeSource: corev1.VolumeSource{
+				ConfigMap: &corev1.ConfigMapVolumeSource{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: proxyConfigVolName,
 					},
 				},
-			})
-		}
+			},
+		})

 		return volumes
 	}()
@@ -102,13 +104,11 @@ func pgStatefulSet(pg *tsapi.ProxyGroup, namespace, image, tsFirewallMode string
 			})
 		}

-		if pg.Spec.Type == tsapi.ProxyGroupTypeEgress {
-			mounts = append(mounts, corev1.VolumeMount{
-				Name:      pgEgressCMName(pg.Name),
-				MountPath: "/etc/proxies",
-				ReadOnly:  true,
-			})
-		}
+		mounts = append(mounts, corev1.VolumeMount{
+			Name:      proxyConfigVolName,
+			MountPath: "/etc/proxies",
+			ReadOnly:  true,
+		})

 		return mounts
 	}()
@@ -154,11 +154,15 @@ func pgStatefulSet(pg *tsapi.ProxyGroup, namespace, image, tsFirewallMode string
 					Value: kubetypes.AppProxyGroupEgress,
 				},
 			)
-		} else {
+		} else { // ingress
 			envs = append(envs, corev1.EnvVar{
 				Name:  "TS_INTERNAL_APP",
 				Value: kubetypes.AppProxyGroupIngress,
-			})
+			},
+				corev1.EnvVar{
+					Name:  "TS_SERVE_CONFIG",
+					Value: fmt.Sprintf("/etc/proxies/%s", serveConfigKey),
+				})
 		}
 		return append(c.Env, envs...)
 	}()
@@ -264,6 +268,16 @@ func pgEgressCM(pg *tsapi.ProxyGroup, namespace string) *corev1.ConfigMap {
 		},
 	}
 }
+func pgIngressCM(pg *tsapi.ProxyGroup, namespace string) *corev1.ConfigMap {
+	return &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:            pgIngressCMName(pg.Name),
+			Namespace:       namespace,
+			Labels:          pgLabels(pg.Name, nil),
+			OwnerReferences: pgOwnerReference(pg),
+		},
+	}
+}

 func pgSecretLabels(pgName, typ string) map[string]string {
 	return pgLabels(pgName, map[string]string{
--- a/cmd/k8s-operator/proxygroup_test.go
+++ b/cmd/k8s-operator/proxygroup_test.go
@@ -96,7 +96,7 @@ func TestProxyGroup(t *testing.T) {
 		expectReconciled(t, reconciler, "", pg.Name)

 		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionFalse, reasonProxyGroupCreating, "the ProxyGroup's ProxyClass default-pc is not yet in a ready state, waiting...", 0, cl, zl.Sugar())
-		expectEqual(t, fc, pg, nil)
+		expectEqual(t, fc, pg)
 		expectProxyGroupResources(t, fc, pg, false, "")
 	})

@@ -117,7 +117,7 @@ func TestProxyGroup(t *testing.T) {
 		expectReconciled(t, reconciler, "", pg.Name)

 		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionFalse, reasonProxyGroupCreating, "0/2 ProxyGroup pods running", 0, cl, zl.Sugar())
-		expectEqual(t, fc, pg, nil)
+		expectEqual(t, fc, pg)
 		expectProxyGroupResources(t, fc, pg, true, "")
 		if expected := 1; reconciler.egressProxyGroups.Len() != expected {
 			t.Fatalf("expected %d egress ProxyGroups, got %d", expected, reconciler.egressProxyGroups.Len())
@@ -153,7 +153,7 @@ func TestProxyGroup(t *testing.T) {
 			},
 		}
 		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionTrue, reasonProxyGroupReady, reasonProxyGroupReady, 0, cl, zl.Sugar())
-		expectEqual(t, fc, pg, nil)
+		expectEqual(t, fc, pg)
 		expectProxyGroupResources(t, fc, pg, true, initialCfgHash)
 	})

@@ -164,7 +164,7 @@ func TestProxyGroup(t *testing.T) {
 		})
 		expectReconciled(t, reconciler, "", pg.Name)
 		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionFalse, reasonProxyGroupCreating, "2/3 ProxyGroup pods running", 0, cl, zl.Sugar())
-		expectEqual(t, fc, pg, nil)
+		expectEqual(t, fc, pg)
 		expectProxyGroupResources(t, fc, pg, true, initialCfgHash)

 		addNodeIDToStateSecrets(t, fc, pg)
@@ -174,7 +174,7 @@ func TestProxyGroup(t *testing.T) {
 			Hostname:   "hostname-nodeid-2",
 			TailnetIPs: []string{"1.2.3.4", "::1"},
 		})
-		expectEqual(t, fc, pg, nil)
+		expectEqual(t, fc, pg)
 		expectProxyGroupResources(t, fc, pg, true, initialCfgHash)
 	})

@@ -187,7 +187,7 @@ func TestProxyGroup(t *testing.T) {
 		expectReconciled(t, reconciler, "", pg.Name)

 		pg.Status.Devices = pg.Status.Devices[:1] // truncate to only the first device.
-		expectEqual(t, fc, pg, nil)
+		expectEqual(t, fc, pg)
 		expectProxyGroupResources(t, fc, pg, true, initialCfgHash)
 	})

@@ -201,7 +201,7 @@ func TestProxyGroup(t *testing.T) {

 		expectReconciled(t, reconciler, "", pg.Name)

-		expectEqual(t, fc, pg, nil)
+		expectEqual(t, fc, pg)
 		expectProxyGroupResources(t, fc, pg, true, "518a86e9fae64f270f8e0ec2a2ea6ca06c10f725035d3d6caca132cd61e42a74")
 	})

@@ -211,7 +211,7 @@ func TestProxyGroup(t *testing.T) {
 			p.Spec = pc.Spec
 		})
 		expectReconciled(t, reconciler, "", pg.Name)
-		expectEqual(t, fc, expectedMetricsService(opts), nil)
+		expectEqual(t, fc, expectedMetricsService(opts))
 	})
 	t.Run("enable_service_monitor_no_crd", func(t *testing.T) {
 		pc.Spec.Metrics.ServiceMonitor = &tsapi.ServiceMonitor{Enable: true}
@@ -332,7 +332,8 @@ func TestProxyGroupTypes(t *testing.T) {
 				UID:  "test-ingress-uid",
 			},
 			Spec: tsapi.ProxyGroupSpec{
-				Type: tsapi.ProxyGroupTypeIngress,
+				Type:     tsapi.ProxyGroupTypeIngress,
+				Replicas: ptr.To[int32](0),
 			},
 		}
 		if err := fc.Create(context.Background(), pg); err != nil {
@@ -347,6 +348,34 @@ func TestProxyGroupTypes(t *testing.T) {
 			t.Fatalf("failed to get StatefulSet: %v", err)
 		}
 		verifyEnvVar(t, sts, "TS_INTERNAL_APP", kubetypes.AppProxyGroupIngress)
+		verifyEnvVar(t, sts, "TS_SERVE_CONFIG", "/etc/proxies/serve-config.json")
+
+		// Verify ConfigMap volume mount
+		cmName := fmt.Sprintf("%s-ingress-config", pg.Name)
+		expectedVolume := corev1.Volume{
+			Name: cmName,
+			VolumeSource: corev1.VolumeSource{
+				ConfigMap: &corev1.ConfigMapVolumeSource{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: cmName,
+					},
+				},
+			},
+		}
+
+		expectedVolumeMount := corev1.VolumeMount{
+			Name:      cmName,
+			MountPath: "/etc/proxies",
+			ReadOnly:  true,
+		}
+
+		if diff := cmp.Diff([]corev1.Volume{expectedVolume}, sts.Spec.Template.Spec.Volumes); diff != "" {
+			t.Errorf("unexpected volumes (-want +got):\n%s", diff)
+		}
+
+		if diff := cmp.Diff([]corev1.VolumeMount{expectedVolumeMount}, sts.Spec.Template.Spec.Containers[0].VolumeMounts); diff != "" {
+			t.Errorf("unexpected volume mounts (-want +got):\n%s", diff)
+		}
 	})
 }

@@ -389,10 +418,10 @@ func expectProxyGroupResources(t *testing.T, fc client.WithWatch, pg *tsapi.Prox
 	}

 	if shouldExist {
-		expectEqual(t, fc, role, nil)
-		expectEqual(t, fc, roleBinding, nil)
-		expectEqual(t, fc, serviceAccount, nil)
-		expectEqual(t, fc, statefulSet, nil)
+		expectEqual(t, fc, role)
+		expectEqual(t, fc, roleBinding)
+		expectEqual(t, fc, serviceAccount)
+		expectEqual(t, fc, statefulSet, removeResourceReqs)
 	} else {
 		expectMissing[rbacv1.Role](t, fc, role.Namespace, role.Name)
 		expectMissing[rbacv1.RoleBinding](t, fc, roleBinding.Namespace, roleBinding.Name)
--- a/cmd/k8s-operator/sts.go
+++ b/cmd/k8s-operator/sts.go
@@ -172,8 +172,8 @@ func (sts tailscaleSTSReconciler) validate() error {
 }

 // IsHTTPSEnabledOnTailnet reports whether HTTPS is enabled on the tailnet.
-func (a *tailscaleSTSReconciler) IsHTTPSEnabledOnTailnet() bool {
-	return len(a.tsnetServer.CertDomains()) > 0
+func IsHTTPSEnabledOnTailnet(tsnetServer tsnetServer) bool {
+	return len(tsnetServer.CertDomains()) > 0
 }

 // Provision ensures that the StatefulSet for the given service is running and
--- a/cmd/k8s-operator/testutils_test.go
+++ b/cmd/k8s-operator/testutils_test.go
@@ -9,6 +9,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net/http"
 	"net/netip"
 	"reflect"
 	"strings"
@@ -29,6 +30,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
+	"tailscale.com/ipn/ipnstate"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/types/ptr"
 	"tailscale.com/util/mak"
@@ -618,7 +620,7 @@ func mustUpdateStatus[T any, O ptrObject[T]](t *testing.T, client client.Client,
 // modify func to ensure that they are removed from the cluster object and the
 // object passed as 'want'. If no such modifications are needed, you can pass
 // nil in place of the modify function.
-func expectEqual[T any, O ptrObject[T]](t *testing.T, client client.Client, want O, modifier func(O)) {
+func expectEqual[T any, O ptrObject[T]](t *testing.T, client client.Client, want O, modifiers ...func(O)) {
 	t.Helper()
 	got := O(new(T))
 	if err := client.Get(context.Background(), types.NamespacedName{
@@ -632,7 +634,7 @@ func expectEqual[T any, O ptrObject[T]](t *testing.T, client client.Client, want
 	// so just remove it from both got and want.
 	got.SetResourceVersion("")
 	want.SetResourceVersion("")
-	if modifier != nil {
+	for _, modifier := range modifiers {
 		modifier(want)
 		modifier(got)
 	}
@@ -737,6 +739,7 @@ type fakeTSClient struct {
 	sync.Mutex
 	keyRequests []tailscale.KeyCapabilities
 	deleted     []string
+	vipServices map[string]*VIPService
 }
 type fakeTSNetServer struct {
 	certDomains []string
@@ -799,6 +802,12 @@ func removeHashAnnotation(sts *appsv1.StatefulSet) {
 	}
 }

+func removeResourceReqs(sts *appsv1.StatefulSet) {
+	if sts != nil {
+		sts.Spec.Template.Spec.Resources = nil
+	}
+}
+
 func removeTargetPortsFromSvc(svc *corev1.Service) {
 	newPorts := make([]corev1.ServicePort, 0)
 	for _, p := range svc.Spec.Ports {
@@ -836,3 +845,50 @@ func removeAuthKeyIfExistsModifier(t *testing.T) func(s *corev1.Secret) {
 		}
 	}
 }
+
+func (c *fakeTSClient) getVIPServiceByName(ctx context.Context, name string) (*VIPService, error) {
+	c.Lock()
+	defer c.Unlock()
+	if c.vipServices == nil {
+		return nil, &tailscale.ErrResponse{Status: http.StatusNotFound}
+	}
+	svc, ok := c.vipServices[name]
+	if !ok {
+		return nil, &tailscale.ErrResponse{Status: http.StatusNotFound}
+	}
+	return svc, nil
+}
+
+func (c *fakeTSClient) createOrUpdateVIPServiceByName(ctx context.Context, svc *VIPService) error {
+	c.Lock()
+	defer c.Unlock()
+	if c.vipServices == nil {
+		c.vipServices = make(map[string]*VIPService)
+	}
+	c.vipServices[svc.Name] = svc
+	return nil
+}
+
+func (c *fakeTSClient) deleteVIPServiceByName(ctx context.Context, name string) error {
+	c.Lock()
+	defer c.Unlock()
+	if c.vipServices != nil {
+		delete(c.vipServices, name)
+	}
+	return nil
+}
+
+type fakeLocalClient struct {
+	status *ipnstate.Status
+}
+
+func (f *fakeLocalClient) StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
+	if f.status == nil {
+		return &ipnstate.Status{
+			Self: &ipnstate.PeerStatus{
+				DNSName: "test-node.test.ts.net.",
+			},
+		}, nil
+	}
+	return f.status, nil
+}
--- a/cmd/k8s-operator/tsclient.go
+++ b/cmd/k8s-operator/tsclient.go
@@ -0,0 +1,185 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !plan9
+
+package main
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"os"
+
+	"golang.org/x/oauth2/clientcredentials"
+	"tailscale.com/client/tailscale"
+	"tailscale.com/util/httpm"
+)
+
+// defaultTailnet is a value that can be used in Tailscale API calls instead of tailnet name to indicate that the API
+// call should be performed on the default tailnet for the provided credentials.
+const (
+	defaultTailnet = "-"
+	defaultBaseURL = "https://api.tailscale.com"
+)
+
+func newTSClient(ctx context.Context, clientIDPath, clientSecretPath string) (tsClient, error) {
+	clientID, err := os.ReadFile(clientIDPath)
+	if err != nil {
+		return nil, fmt.Errorf("error reading client ID %q: %w", clientIDPath, err)
+	}
+	clientSecret, err := os.ReadFile(clientSecretPath)
+	if err != nil {
+		return nil, fmt.Errorf("reading client secret %q: %w", clientSecretPath, err)
+	}
+	credentials := clientcredentials.Config{
+		ClientID:     string(clientID),
+		ClientSecret: string(clientSecret),
+		TokenURL:     "https://login.tailscale.com/api/v2/oauth/token",
+	}
+	c := tailscale.NewClient(defaultTailnet, nil)
+	c.UserAgent = "tailscale-k8s-operator"
+	c.HTTPClient = credentials.Client(ctx)
+	tsc := &tsClientImpl{
+		Client:  c,
+		baseURL: defaultBaseURL,
+		tailnet: defaultTailnet,
+	}
+	return tsc, nil
+}
+
+type tsClient interface {
+	CreateKey(ctx context.Context, caps tailscale.KeyCapabilities) (string, *tailscale.Key, error)
+	Device(ctx context.Context, deviceID string, fields *tailscale.DeviceFieldsOpts) (*tailscale.Device, error)
+	DeleteDevice(ctx context.Context, nodeStableID string) error
+	getVIPServiceByName(ctx context.Context, name string) (*VIPService, error)
+	createOrUpdateVIPServiceByName(ctx context.Context, svc *VIPService) error
+	deleteVIPServiceByName(ctx context.Context, name string) error
+}
+
+type tsClientImpl struct {
+	*tailscale.Client
+	baseURL string
+	tailnet string
+}
+
+// VIPService is a Tailscale VIPService with Tailscale API JSON representation.
+type VIPService struct {
+	// Name is the leftmost label of the DNS name of the VIP service.
+	// Name is required.
+	Name string `json:"name,omitempty"`
+	// Addrs are the IP addresses of the VIP Service. There are two addresses:
+	// the first is IPv4 and the second is IPv6.
+	// When creating a new VIP Service, the IP addresses are optional: if no
+	// addresses are specified then they will be selected. If an IPv4 address is
+	// specified at index 0, then that address will attempt to be used. An IPv6
+	// address can not be specified upon creation.
+	Addrs []string `json:"addrs,omitempty"`
+	// Comment is an optional text string for display in the admin panel.
+	Comment string `json:"comment,omitempty"`
+	// Ports are the ports of a VIPService that will be configured via Tailscale serve config.
+	// If set, any node wishing to advertise this VIPService must have this port configured via Tailscale serve.
+	Ports []string `json:"ports,omitempty"`
+	// Tags are optional ACL tags that will be applied to the VIPService.
+	Tags []string `json:"tags,omitempty"`
+}
+
+// GetVIPServiceByName retrieves a VIPService by its name. It returns 404 if the VIPService is not found.
+func (c *tsClientImpl) getVIPServiceByName(ctx context.Context, name string) (*VIPService, error) {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/vip-services/by-name/%s", c.baseURL, c.tailnet, url.PathEscape(name))
+	req, err := http.NewRequestWithContext(ctx, httpm.GET, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("error creating new HTTP request: %w", err)
+	}
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, fmt.Errorf("error making Tailsale API request: %w", err)
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+	svc := &VIPService{}
+	if err := json.Unmarshal(b, svc); err != nil {
+		return nil, err
+	}
+	return svc, nil
+}
+
+// CreateOrUpdateVIPServiceByName creates or updates a VIPService by its name. Caller must ensure that, if the
+// VIPService already exists, the VIPService is fetched first to ensure that any auto-allocated IP addresses are not
+// lost during the update. If the VIPService was created without any IP addresses explicitly set (so that they were
+// auto-allocated by Tailscale) any subsequent request to this function that does not set any IP addresses will error.
+func (c *tsClientImpl) createOrUpdateVIPServiceByName(ctx context.Context, svc *VIPService) error {
+	data, err := json.Marshal(svc)
+	if err != nil {
+		return err
+	}
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/vip-services/by-name/%s", c.baseURL, c.tailnet, url.PathEscape(svc.Name))
+	req, err := http.NewRequestWithContext(ctx, httpm.PUT, path, bytes.NewBuffer(data))
+	if err != nil {
+		return fmt.Errorf("error creating new HTTP request: %w", err)
+	}
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return fmt.Errorf("error making Tailscale API request: %w", err)
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return handleErrorResponse(b, resp)
+	}
+	return nil
+}
+
+// DeleteVIPServiceByName deletes a VIPService by its name. It returns an error if the VIPService
+// does not exist or if the deletion fails.
+func (c *tsClientImpl) deleteVIPServiceByName(ctx context.Context, name string) error {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/vip-services/by-name/%s", c.baseURL, c.tailnet, url.PathEscape(name))
+	req, err := http.NewRequestWithContext(ctx, httpm.DELETE, path, nil)
+	if err != nil {
+		return fmt.Errorf("error creating new HTTP request: %w", err)
+	}
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return fmt.Errorf("error making Tailscale API request: %w", err)
+	}
+	// If status code was not successful, return the error.
+	if resp.StatusCode != http.StatusOK {
+		return handleErrorResponse(b, resp)
+	}
+	return nil
+}
+
+// sendRequest add the authentication key to the request and sends it. It
+// receives the response and reads up to 10MB of it.
+func (c *tsClientImpl) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
+	resp, err := c.Do(req)
+	if err != nil {
+		return nil, resp, fmt.Errorf("error actually doing request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	// Read response
+	b, err := io.ReadAll(resp.Body)
+	if err != nil {
+		err = fmt.Errorf("error reading response body: %v", err)
+	}
+	return b, resp, err
+}
+
+// handleErrorResponse decodes the error message from the server and returns
+// an ErrResponse from it.
+func handleErrorResponse(b []byte, resp *http.Response) error {
+	var errResp tailscale.ErrResponse
+	if err := json.Unmarshal(b, &errResp); err != nil {
+		return err
+	}
+	errResp.Status = resp.StatusCode
+	return errResp
+}
--- a/cmd/k8s-operator/tsrecorder_test.go
+++ b/cmd/k8s-operator/tsrecorder_test.go
@@ -57,7 +57,7 @@ func TestRecorder(t *testing.T) {

 		msg := "Recorder is invalid: must either enable UI or use S3 storage to ensure recordings are accessible"
 		tsoperator.SetRecorderCondition(tsr, tsapi.RecorderReady, metav1.ConditionFalse, reasonRecorderInvalid, msg, 0, cl, zl.Sugar())
-		expectEqual(t, fc, tsr, nil)
+		expectEqual(t, fc, tsr)
 		if expected := 0; reconciler.recorders.Len() != expected {
 			t.Fatalf("expected %d recorders, got %d", expected, reconciler.recorders.Len())
 		}
@@ -76,7 +76,7 @@ func TestRecorder(t *testing.T) {
 		expectReconciled(t, reconciler, "", tsr.Name)

 		tsoperator.SetRecorderCondition(tsr, tsapi.RecorderReady, metav1.ConditionTrue, reasonRecorderCreated, reasonRecorderCreated, 0, cl, zl.Sugar())
-		expectEqual(t, fc, tsr, nil)
+		expectEqual(t, fc, tsr)
 		if expected := 1; reconciler.recorders.Len() != expected {
 			t.Fatalf("expected %d recorders, got %d", expected, reconciler.recorders.Len())
 		}
@@ -112,7 +112,7 @@ func TestRecorder(t *testing.T) {
 				URL:        "https://test-0.example.ts.net",
 			},
 		}
-		expectEqual(t, fc, tsr, nil)
+		expectEqual(t, fc, tsr)
 	})

 	t.Run("delete the Recorder and observe cleanup", func(t *testing.T) {
@@ -145,12 +145,12 @@ func expectRecorderResources(t *testing.T, fc client.WithWatch, tsr *tsapi.Recor
 	statefulSet := tsrStatefulSet(tsr, tsNamespace)

 	if shouldExist {
-		expectEqual(t, fc, auth, nil)
-		expectEqual(t, fc, state, nil)
-		expectEqual(t, fc, role, nil)
-		expectEqual(t, fc, roleBinding, nil)
-		expectEqual(t, fc, serviceAccount, nil)
-		expectEqual(t, fc, statefulSet, nil)
+		expectEqual(t, fc, auth)
+		expectEqual(t, fc, state)
+		expectEqual(t, fc, role)
+		expectEqual(t, fc, roleBinding)
+		expectEqual(t, fc, serviceAccount)
+		expectEqual(t, fc, statefulSet, removeResourceReqs)
 	} else {
 		expectMissing[corev1.Secret](t, fc, auth.Namespace, auth.Name)
 		expectMissing[corev1.Secret](t, fc, state.Namespace, state.Name)
--- a/cmd/natc/natc.go
+++ b/cmd/natc/natc.go
@@ -10,6 +10,7 @@ import (
 	"context"
 	"encoding/binary"
 	"errors"
+	"expvar"
 	"flag"
 	"fmt"
 	"log"
@@ -26,6 +27,8 @@ import (
 	"github.com/inetaf/tcpproxy"
 	"github.com/peterbourgon/ff/v3"
 	"golang.org/x/net/dns/dnsmessage"
+	"gvisor.dev/gvisor/pkg/tcpip"
+	"gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/envknob"
 	"tailscale.com/hostinfo"
@@ -37,6 +40,7 @@ import (
 	"tailscale.com/tsweb"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/mak"
+	"tailscale.com/wgengine/netstack"
 )

 func main() {
@@ -112,6 +116,7 @@ func main() {
 		ts.Port = uint16(*wgPort)
 	}
 	defer ts.Close()
+
 	if *verboseTSNet {
 		ts.Logf = log.Printf
 	}
@@ -129,6 +134,36 @@ func main() {
 			log.Fatalf("debug serve: %v", http.Serve(dln, mux))
 		}()
 	}
+
+	if err := ts.Start(); err != nil {
+		log.Fatalf("ts.Start: %v", err)
+	}
+	// TODO(raggi): this is not a public interface or guarantee.
+	ns := ts.Sys().Netstack.Get().(*netstack.Impl)
+	tcpRXBufOpt := tcpip.TCPReceiveBufferSizeRangeOption{
+		Min:     tcp.MinBufferSize,
+		Default: tcp.DefaultReceiveBufferSize,
+		Max:     tcp.MaxBufferSize,
+	}
+	if err := ns.SetTransportProtocolOption(tcp.ProtocolNumber, &tcpRXBufOpt); err != nil {
+		log.Fatalf("could not set TCP RX buf size: %v", err)
+	}
+	tcpTXBufOpt := tcpip.TCPSendBufferSizeRangeOption{
+		Min:     tcp.MinBufferSize,
+		Default: tcp.DefaultSendBufferSize,
+		Max:     tcp.MaxBufferSize,
+	}
+	if err := ns.SetTransportProtocolOption(tcp.ProtocolNumber, &tcpTXBufOpt); err != nil {
+		log.Fatalf("could not set TCP TX buf size: %v", err)
+	}
+	mslOpt := tcpip.TCPTimeWaitTimeoutOption(5 * time.Second)
+	if err := ns.SetTransportProtocolOption(tcp.ProtocolNumber, &mslOpt); err != nil {
+		log.Fatalf("could not set TCP MSL: %v", err)
+	}
+	if *debugPort != 0 {
+		expvar.Publish("netstack", ns.ExpVar())
+	}
+
 	lc, err := ts.LocalClient()
 	if err != nil {
 		log.Fatalf("LocalClient() failed: %v", err)
--- a/cmd/stund/depaware.txt
+++ b/cmd/stund/depaware.txt
@@ -8,11 +8,11 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        github.com/go-json-experiment/json/internal/jsonopts         from github.com/go-json-experiment/json+
        github.com/go-json-experiment/json/internal/jsonwire         from github.com/go-json-experiment/json+
        github.com/go-json-experiment/json/jsontext                  from github.com/go-json-experiment/json+
+        github.com/munnerz/goautoneg                                 from github.com/prometheus/common/expfmt
     💣 github.com/prometheus/client_golang/prometheus               from tailscale.com/tsweb/promvarz
        github.com/prometheus/client_golang/prometheus/internal      from github.com/prometheus/client_golang/prometheus
        github.com/prometheus/client_model/go                        from github.com/prometheus/client_golang/prometheus+
        github.com/prometheus/common/expfmt                          from github.com/prometheus/client_golang/prometheus+
-        github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg from github.com/prometheus/common/expfmt
        github.com/prometheus/common/model                           from github.com/prometheus/client_golang/prometheus+
  LD    github.com/prometheus/procfs                                 from github.com/prometheus/client_golang/prometheus
  LD    github.com/prometheus/procfs/internal/fs                     from github.com/prometheus/procfs
@@ -89,6 +89,8 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
        golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
        golang.org/x/crypto/hkdf                                     from crypto/tls+
+        golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
+        golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
@@ -123,6 +125,18 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        crypto/ed25519                                               from crypto/tls+
        crypto/elliptic                                              from crypto/ecdsa+
        crypto/hmac                                                  from crypto/tls+
+        crypto/internal/alias                                        from crypto/aes+
+        crypto/internal/bigmod                                       from crypto/ecdsa+
+        crypto/internal/boring                                       from crypto/aes+
+        crypto/internal/boring/bbig                                  from crypto/ecdsa+
+        crypto/internal/boring/sig                                   from crypto/internal/boring
+        crypto/internal/edwards25519                                 from crypto/ed25519
+        crypto/internal/edwards25519/field                           from crypto/ecdh+
+        crypto/internal/hpke                                         from crypto/tls
+        crypto/internal/mlkem768                                     from crypto/tls
+        crypto/internal/nistec                                       from crypto/ecdh+
+        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
+        crypto/internal/randutil                                     from crypto/dsa+
        crypto/md5                                                   from crypto/tls+
        crypto/rand                                                  from crypto/ed25519+
        crypto/rc4                                                   from crypto/tls
@@ -133,6 +147,7 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        crypto/subtle                                                from crypto/aes+
        crypto/tls                                                   from net/http+
        crypto/x509                                                  from crypto/tls
+   D    crypto/x509/internal/macos                                   from crypto/x509
        crypto/x509/pkix                                             from crypto/x509
        embed                                                        from crypto/internal/nistec+
        encoding                                                     from encoding/json+
@@ -153,9 +168,46 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        hash/fnv                                                     from google.golang.org/protobuf/internal/detrand
        hash/maphash                                                 from go4.org/mem
        html                                                         from net/http/pprof+
+        internal/abi                                                 from crypto/x509/internal/macos+
+        internal/asan                                                from syscall
+        internal/bisect                                              from internal/godebug
+        internal/bytealg                                             from bytes+
+        internal/byteorder                                           from crypto/aes+
+        internal/chacha8rand                                         from math/rand/v2+
+        internal/concurrent                                          from unique
+        internal/coverage/rtcov                                      from runtime
+        internal/cpu                                                 from crypto/aes+
+        internal/filepathlite                                        from os+
+        internal/fmtsort                                             from fmt
+        internal/goarch                                              from crypto/aes+
+        internal/godebug                                             from crypto/tls+
+        internal/godebugs                                            from internal/godebug+
+        internal/goexperiment                                        from runtime
+        internal/goos                                                from crypto/x509+
+        internal/itoa                                                from internal/poll+
+        internal/msan                                                from syscall
+        internal/nettrace                                            from net+
+        internal/oserror                                             from io/fs+
+        internal/poll                                                from net+
+        internal/profile                                             from net/http/pprof
+        internal/profilerecord                                       from runtime+
+        internal/race                                                from internal/poll+
+        internal/reflectlite                                         from context+
+        internal/runtime/atomic                                      from internal/runtime/exithook+
+        internal/runtime/exithook                                    from runtime
+   L    internal/runtime/syscall                                     from runtime+
+        internal/singleflight                                        from net
+        internal/stringslite                                         from embed+
+        internal/syscall/execenv                                     from os
+  LD    internal/syscall/unix                                        from crypto/rand+
+   W    internal/syscall/windows                                     from crypto/rand+
+   W    internal/syscall/windows/registry                            from mime+
+   W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
+        internal/testlog                                             from os
+        internal/unsafeheader                                        from internal/reflectlite+
+        internal/weak                                                from unique
        io                                                           from bufio+
        io/fs                                                        from crypto/x509+
-        io/ioutil                                                    from google.golang.org/protobuf/internal/impl
        iter                                                         from maps+
        log                                                          from expvar+
        log/internal                                                 from log
@@ -172,6 +224,7 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        net/http                                                     from expvar+
        net/http/httptrace                                           from net/http
        net/http/internal                                            from net/http
+        net/http/internal/ascii                                      from net/http
        net/http/pprof                                               from tailscale.com/tsweb
        net/netip                                                    from go4.org/netipx+
        net/textproto                                                from golang.org/x/net/http/httpguts+
@@ -183,7 +236,10 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        reflect                                                      from crypto/x509+
        regexp                                                       from github.com/prometheus/client_golang/prometheus/internal+
        regexp/syntax                                                from regexp
+        runtime                                                      from crypto/internal/nistec+
        runtime/debug                                                from github.com/prometheus/client_golang/prometheus+
+        runtime/internal/math                                        from runtime
+        runtime/internal/sys                                         from runtime
        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
        runtime/pprof                                                from net/http/pprof
        runtime/trace                                                from net/http/pprof
@@ -200,3 +256,4 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        unicode/utf16                                                from crypto/x509+
        unicode/utf8                                                 from bufio+
        unique                                                       from net/netip
+        unsafe                                                       from bytes+
--- a/cmd/tailscale/cli/advertise.go
+++ b/cmd/tailscale/cli/advertise.go
@@ -21,23 +21,21 @@ var advertiseArgs struct {

 // TODO(naman): This flag may move to set.go or serve_v2.go after the WIPCode
 // envknob is not needed.
-var advertiseCmd = &ffcli.Command{
-	Name:       "advertise",
-	ShortUsage: "tailscale advertise --services=<services>",
-	ShortHelp:  "Advertise this node as a destination for a service",
-	Exec:       runAdvertise,
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("advertise")
-		fs.StringVar(&advertiseArgs.services, "services", "", "comma-separated services to advertise; each must start with \"svc:\" (e.g. \"svc:idp,svc:nas,svc:database\")")
-		return fs
-	})(),
-}
-
-func maybeAdvertiseCmd() []*ffcli.Command {
+func advertiseCmd() *ffcli.Command {
 	if !envknob.UseWIPCode() {
 		return nil
 	}
-	return []*ffcli.Command{advertiseCmd}
+	return &ffcli.Command{
+		Name:       "advertise",
+		ShortUsage: "tailscale advertise --services=<services>",
+		ShortHelp:  "Advertise this node as a destination for a service",
+		Exec:       runAdvertise,
+		FlagSet: (func() *flag.FlagSet {
+			fs := newFlagSet("advertise")
+			fs.StringVar(&advertiseArgs.services, "services", "", "comma-separated services to advertise; each must start with \"svc:\" (e.g. \"svc:idp,svc:nas,svc:database\")")
+			return fs
+		})(),
+	}
 }

 func runAdvertise(ctx context.Context, args []string) error {
@@ -68,7 +66,7 @@ func parseServiceNames(servicesArg string) ([]string, error) {
 	if servicesArg != "" {
 		services = strings.Split(servicesArg, ",")
 		for _, svc := range services {
-			err := tailcfg.CheckServiceName(svc)
+			err := tailcfg.ServiceName(svc).Validate()
 			if err != nil {
 				return nil, fmt.Errorf("service %q: %s", svc, err)
 			}
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -25,6 +25,7 @@ import (
 	"tailscale.com/cmd/tailscale/cli/ffcomplete"
 	"tailscale.com/envknob"
 	"tailscale.com/paths"
+	"tailscale.com/util/slicesx"
 	"tailscale.com/version/distro"
 )

@@ -84,9 +85,9 @@ var localClient = tailscale.LocalClient{

 // Run runs the CLI. The args do not include the binary name.
 func Run(args []string) (err error) {
-	if runtime.GOOS == "linux" && os.Getenv("GOKRAZY_FIRST_START") == "1" && distro.Get() == distro.Gokrazy && os.Getppid() == 1 {
-		// We're running on gokrazy and it's the first start.
-		// Don't run the tailscale CLI as a service; just exit.
+	if runtime.GOOS == "linux" && os.Getenv("GOKRAZY_FIRST_START") == "1" && distro.Get() == distro.Gokrazy && os.Getppid() == 1 && len(args) == 0 {
+		// We're running on gokrazy and the user did not specify 'up'.
+		// Don't run the tailscale CLI and spam logs with usage; just exit.
 		// See https://gokrazy.org/development/process-interface/
 		os.Exit(0)
 	}
@@ -182,14 +183,14 @@ For help on subcommands, add --help after: "tailscale status --help".
 This CLI is still under active development. Commands and flags will
 change in the future.
 `),
-		Subcommands: append([]*ffcli.Command{
+		Subcommands: nonNilCmds(
 			upCmd,
 			downCmd,
 			setCmd,
 			loginCmd,
 			logoutCmd,
 			switchCmd,
-			configureCmd,
+			configureCmd(),
 			syspolicyCmd,
 			netcheckCmd,
 			ipCmd,
@@ -211,10 +212,12 @@ change in the future.
 			exitNodeCmd(),
 			updateCmd,
 			whoisCmd,
-			debugCmd,
+			debugCmd(),
 			driveCmd,
 			idTokenCmd,
-		}, maybeAdvertiseCmd()...),
+			advertiseCmd(),
+			configureHostCmd(),
+		),
 		FlagSet: rootfs,
 		Exec: func(ctx context.Context, args []string) error {
 			if len(args) > 0 {
@@ -224,10 +227,6 @@ change in the future.
 		},
 	}

-	if runtime.GOOS == "linux" && distro.Get() == distro.Synology {
-		rootCmd.Subcommands = append(rootCmd.Subcommands, configureHostCmd)
-	}
-
 	walkCommands(rootCmd, func(w cmdWalk) bool {
 		if w.UsageFunc == nil {
 			w.UsageFunc = usageFunc
@@ -239,6 +238,10 @@ change in the future.
 	return rootCmd
 }

+func nonNilCmds(cmds ...*ffcli.Command) []*ffcli.Command {
+	return slicesx.AppendNonzero(cmds[:0], cmds)
+}
+
 func fatalf(format string, a ...any) {
 	if Fatalf != nil {
 		Fatalf(format, a...)
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -17,6 +17,7 @@ import (

 	qt "github.com/frankban/quicktest"
 	"github.com/google/go-cmp/cmp"
+	"github.com/peterbourgon/ff/v3/ffcli"
 	"tailscale.com/envknob"
 	"tailscale.com/health/healthmsg"
 	"tailscale.com/ipn"
@@ -24,10 +25,12 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
 	"tailscale.com/tstest"
+	"tailscale.com/tstest/deptest"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/opt"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/preftype"
+	"tailscale.com/util/set"
 	"tailscale.com/version/distro"
 )

@@ -601,6 +604,19 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 			goos: "linux",
 			want: "",
 		},
+		{
+			name:  "losing_posture_checking",
+			flags: []string{"--accept-dns"},
+			curPrefs: &ipn.Prefs{
+				ControlURL:          ipn.DefaultControlURL,
+				WantRunning:         false,
+				CorpDNS:             true,
+				PostureChecking:     true,
+				NetfilterMode:       preftype.NetfilterOn,
+				NoStatefulFiltering: opt.NewBool(true),
+			},
+			want: accidentalUpPrefix + " --accept-dns --posture-checking",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -1045,6 +1061,7 @@ func TestUpdatePrefs(t *testing.T) {
 				NoSNATSet:                 true,
 				NoStatefulFilteringSet:    true,
 				OperatorUserSet:           true,
+				PostureCheckingSet:        true,
 				RouteAllSet:               true,
 				RunSSHSet:                 true,
 				ShieldsUpSet:              true,
@@ -1511,3 +1528,73 @@ func TestHelpAlias(t *testing.T) {
 		t.Fatalf("Run: %v", err)
 	}
 }
+
+func TestDocs(t *testing.T) {
+	root := newRootCmd()
+	check := func(t *testing.T, c *ffcli.Command) {
+		shortVerb, _, ok := strings.Cut(c.ShortHelp, " ")
+		if !ok || shortVerb == "" {
+			t.Errorf("couldn't find verb+space in ShortHelp")
+		} else {
+			if strings.HasSuffix(shortVerb, ".") {
+				t.Errorf("ShortHelp shouldn't end in period; got %q", c.ShortHelp)
+			}
+			if b := shortVerb[0]; b >= 'a' && b <= 'z' {
+				t.Errorf("ShortHelp should start with upper-case letter; got %q", c.ShortHelp)
+			}
+			if strings.HasSuffix(shortVerb, "s") && shortVerb != "Does" {
+				t.Errorf("verb %q ending in 's' is unexpected, from %q", shortVerb, c.ShortHelp)
+			}
+		}
+
+		name := t.Name()
+		wantPfx := strings.ReplaceAll(strings.TrimPrefix(name, "TestDocs/"), "/", " ")
+		switch name {
+		case "TestDocs/tailscale/completion/bash",
+			"TestDocs/tailscale/completion/zsh":
+			wantPfx = "" // special-case exceptions
+		}
+		if !strings.HasPrefix(c.ShortUsage, wantPfx) {
+			t.Errorf("ShortUsage should start with %q; got %q", wantPfx, c.ShortUsage)
+		}
+	}
+
+	var walk func(t *testing.T, c *ffcli.Command)
+	walk = func(t *testing.T, c *ffcli.Command) {
+		t.Run(c.Name, func(t *testing.T) {
+			check(t, c)
+			for _, sub := range c.Subcommands {
+				walk(t, sub)
+			}
+		})
+	}
+	walk(t, root)
+}
+
+func TestDeps(t *testing.T) {
+	deptest.DepChecker{
+		GOOS:   "linux",
+		GOARCH: "arm64",
+		WantDeps: set.Of(
+			"tailscale.com/feature/capture/dissector", // want the Lua by default
+		),
+		BadDeps: map[string]string{
+			"tailscale.com/feature/capture": "don't link capture code",
+			"tailscale.com/net/packet":      "why we passing packets in the CLI?",
+			"tailscale.com/net/flowtrack":   "why we tracking flows in the CLI?",
+		},
+	}.Check(t)
+}
+
+func TestDepsNoCapture(t *testing.T) {
+	deptest.DepChecker{
+		GOOS:   "linux",
+		GOARCH: "arm64",
+		Tags:   "ts_omit_capture",
+		BadDeps: map[string]string{
+			"tailscale.com/feature/capture":           "don't link capture code",
+			"tailscale.com/feature/capture/dissector": "don't like the Lua",
+		},
+	}.Check(t)
+
+}
--- a/cmd/tailscale/cli/configure-kube.go
+++ b/cmd/tailscale/cli/configure-kube.go
@@ -20,33 +20,31 @@ import (
 	"tailscale.com/version"
 )

-func init() {
-	configureCmd.Subcommands = append(configureCmd.Subcommands, configureKubeconfigCmd)
-}
-
-var configureKubeconfigCmd = &ffcli.Command{
-	Name:       "kubeconfig",
-	ShortHelp:  "[ALPHA] Connect to a Kubernetes cluster using a Tailscale Auth Proxy",
-	ShortUsage: "tailscale configure kubeconfig <hostname-or-fqdn>",
-	LongHelp: strings.TrimSpace(`
+func configureKubeconfigCmd() *ffcli.Command {
+	return &ffcli.Command{
+		Name:       "kubeconfig",
+		ShortHelp:  "[ALPHA] Connect to a Kubernetes cluster using a Tailscale Auth Proxy",
+		ShortUsage: "tailscale configure kubeconfig <hostname-or-fqdn>",
+		LongHelp: strings.TrimSpace(`
 Run this command to configure kubectl to connect to a Kubernetes cluster over Tailscale.

 The hostname argument should be set to the Tailscale hostname of the peer running as an auth proxy in the cluster.

 See: https://tailscale.com/s/k8s-auth-proxy
 `),
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("kubeconfig")
-		return fs
-	})(),
-	Exec: runConfigureKubeconfig,
+		FlagSet: (func() *flag.FlagSet {
+			fs := newFlagSet("kubeconfig")
+			return fs
+		})(),
+		Exec: runConfigureKubeconfig,
+	}
 }

 // kubeconfigPath returns the path to the kubeconfig file for the current user.
 func kubeconfigPath() (string, error) {
 	if kubeconfig := os.Getenv("KUBECONFIG"); kubeconfig != "" {
 		if version.IsSandboxedMacOS() {
-			return "", errors.New("$KUBECONFIG is incompatible with the App Store version")
+			return "", errors.New("cannot read $KUBECONFIG on GUI builds of the macOS client: this requires the open-source tailscaled distribution")
 		}
 		var out string
 		for _, out = range filepath.SplitList(kubeconfig) {
--- a/cmd/tailscale/cli/configure-kube_omit.go
+++ b/cmd/tailscale/cli/configure-kube_omit.go
@@ -0,0 +1,13 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build ts_omit_kube
+
+package cli
+
+import "github.com/peterbourgon/ff/v3/ffcli"
+
+func configureKubeconfigCmd() *ffcli.Command {
+	// omitted from the build when the ts_omit_kube build tag is set
+	return nil
+}
--- a/cmd/tailscale/cli/configure-synology-cert.go
+++ b/cmd/tailscale/cli/configure-synology-cert.go
@@ -22,22 +22,27 @@ import (
 	"tailscale.com/version/distro"
 )

-var synologyConfigureCertCmd = &ffcli.Command{
-	Name:       "synology-cert",
-	Exec:       runConfigureSynologyCert,
-	ShortHelp:  "Configure Synology with a TLS certificate for your tailnet",
-	ShortUsage: "synology-cert [--domain <domain>]",
-	LongHelp: strings.TrimSpace(`
+func synologyConfigureCertCmd() *ffcli.Command {
+	if runtime.GOOS != "linux" || distro.Get() != distro.Synology {
+		return nil
+	}
+	return &ffcli.Command{
+		Name:       "synology-cert",
+		Exec:       runConfigureSynologyCert,
+		ShortHelp:  "Configure Synology with a TLS certificate for your tailnet",
+		ShortUsage: "synology-cert [--domain <domain>]",
+		LongHelp: strings.TrimSpace(`
 This command is intended to run periodically as root on a Synology device to
 create or refresh the TLS certificate for the tailnet domain.

 See: https://tailscale.com/kb/1153/enabling-https
 `),
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("synology-cert")
-		fs.StringVar(&synologyConfigureCertArgs.domain, "domain", "", "Tailnet domain to create or refresh certificates for. Ignored if only one domain exists.")
-		return fs
-	})(),
+		FlagSet: (func() *flag.FlagSet {
+			fs := newFlagSet("synology-cert")
+			fs.StringVar(&synologyConfigureCertArgs.domain, "domain", "", "Tailnet domain to create or refresh certificates for. Ignored if only one domain exists.")
+			return fs
+		})(),
+	}
 }

 var synologyConfigureCertArgs struct {
--- a/cmd/tailscale/cli/configure-synology.go
+++ b/cmd/tailscale/cli/configure-synology.go
@@ -21,34 +21,49 @@ import (
 // configureHostCmd is the "tailscale configure-host" command which was once
 // used to configure Synology devices, but is now a compatibility alias to
 // "tailscale configure synology".
-var configureHostCmd = &ffcli.Command{
-	Name:       "configure-host",
-	Exec:       runConfigureSynology,
-	ShortUsage: "tailscale configure-host\n" + synologyConfigureCmd.ShortUsage,
-	ShortHelp:  synologyConfigureCmd.ShortHelp,
-	LongHelp:   hidden + synologyConfigureCmd.LongHelp,
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("configure-host")
-		return fs
-	})(),
+//
+// It returns nil if the actual "tailscale configure synology" command is not
+// available.
+func configureHostCmd() *ffcli.Command {
+	synologyConfigureCmd := synologyConfigureCmd()
+	if synologyConfigureCmd == nil {
+		// No need to offer this compatibility alias if the actual command is not available.
+		return nil
+	}
+	return &ffcli.Command{
+		Name:       "configure-host",
+		Exec:       runConfigureSynology,
+		ShortUsage: "tailscale configure-host\n" + synologyConfigureCmd.ShortUsage,
+		ShortHelp:  synologyConfigureCmd.ShortHelp,
+		LongHelp:   hidden + synologyConfigureCmd.LongHelp,
+		FlagSet: (func() *flag.FlagSet {
+			fs := newFlagSet("configure-host")
+			return fs
+		})(),
+	}
 }

-var synologyConfigureCmd = &ffcli.Command{
-	Name:       "synology",
-	Exec:       runConfigureSynology,
-	ShortUsage: "tailscale configure synology",
-	ShortHelp:  "Configure Synology to enable outbound connections",
-	LongHelp: strings.TrimSpace(`
+func synologyConfigureCmd() *ffcli.Command {
+	if runtime.GOOS != "linux" || distro.Get() != distro.Synology {
+		return nil
+	}
+	return &ffcli.Command{
+		Name:       "synology",
+		Exec:       runConfigureSynology,
+		ShortUsage: "tailscale configure synology",
+		ShortHelp:  "Configure Synology to enable outbound connections",
+		LongHelp: strings.TrimSpace(`
 This command is intended to run at boot as root on a Synology device to
 create the /dev/net/tun device and give the tailscaled binary permission
 to use it.

 See: https://tailscale.com/s/synology-outbound
 `),
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("synology")
-		return fs
-	})(),
+		FlagSet: (func() *flag.FlagSet {
+			fs := newFlagSet("synology")
+			return fs
+		})(),
+	}
 }

 func runConfigureSynology(ctx context.Context, args []string) error {
--- a/cmd/tailscale/cli/configure.go
+++ b/cmd/tailscale/cli/configure.go
@@ -5,32 +5,41 @@ package cli

 import (
 	"flag"
-	"runtime"
 	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/version/distro"
 )

-var configureCmd = &ffcli.Command{
-	Name:       "configure",
-	ShortUsage: "tailscale configure <subcommand>",
-	ShortHelp:  "[ALPHA] Configure the host to enable more Tailscale features",
-	LongHelp: strings.TrimSpace(`
+func configureCmd() *ffcli.Command {
+	return &ffcli.Command{
+		Name:       "configure",
+		ShortUsage: "tailscale configure <subcommand>",
+		ShortHelp:  "Configure the host to enable more Tailscale features",
+		LongHelp: strings.TrimSpace(`
 The 'configure' set of commands are intended to provide a way to enable different
 services on the host to use Tailscale in more ways.
 `),
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("configure")
-		return fs
-	})(),
-	Subcommands: configureSubcommands(),
+		FlagSet: (func() *flag.FlagSet {
+			fs := newFlagSet("configure")
+			return fs
+		})(),
+		Subcommands: nonNilCmds(
+			configureKubeconfigCmd(),
+			synologyConfigureCmd(),
+			synologyConfigureCertCmd(),
+			ccall(maybeSysExtCmd),
+			ccall(maybeVPNConfigCmd),
+		),
+	}
 }

-func configureSubcommands() (out []*ffcli.Command) {
-	if runtime.GOOS == "linux" && distro.Get() == distro.Synology {
-		out = append(out, synologyConfigureCmd)
-		out = append(out, synologyConfigureCertCmd)
+// ccall calls the function f if it is non-nil, and returns its result.
+//
+// It returns the zero value of the type T if f is nil.
+func ccall[T any](f func() T) T {
+	var zero T
+	if f == nil {
+		return zero
 	}
-	return out
+	return f()
 }
--- a/cmd/tailscale/cli/configure_apple-all.go
+++ b/cmd/tailscale/cli/configure_apple-all.go
@@ -0,0 +1,11 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package cli
+
+import "github.com/peterbourgon/ff/v3/ffcli"
+
+var (
+	maybeSysExtCmd    func() *ffcli.Command // non-nil only on macOS, see configure_apple.go
+	maybeVPNConfigCmd func() *ffcli.Command // non-nil only on macOS, see configure_apple.go
+)
--- a/cmd/tailscale/cli/configure_apple.go
+++ b/cmd/tailscale/cli/configure_apple.go
@@ -0,0 +1,97 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build darwin
+
+package cli
+
+import (
+	"context"
+	"errors"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+)
+
+func init() {
+	maybeSysExtCmd = sysExtCmd
+	maybeVPNConfigCmd = vpnConfigCmd
+}
+
+// Functions in this file provide a dummy Exec function that only prints an error message for users of the open-source
+// tailscaled distribution. On GUI builds, the Swift code in the macOS client handles these commands by not passing the
+// flow of execution to the CLI.
+
+// sysExtCmd returns a command for managing the Tailscale system extension on macOS
+// (for the Standalone variant of the client only).
+func sysExtCmd() *ffcli.Command {
+	return &ffcli.Command{
+		Name:       "sysext",
+		ShortUsage: "tailscale configure sysext [activate|deactivate|status]",
+		ShortHelp:  "Manage the system extension for macOS (Standalone variant)",
+		LongHelp: "The sysext set of commands provides a way to activate, deactivate, or manage the state of the Tailscale system extension on macOS. " +
+			"This is only relevant if you are running the Standalone variant of the Tailscale client for macOS. " +
+			"To access more detailed information about system extensions installed on this Mac, run 'systemextensionsctl list'.",
+		Subcommands: []*ffcli.Command{
+			{
+				Name:       "activate",
+				ShortUsage: "tailscale configure sysext activate",
+				ShortHelp:  "Register the Tailscale system extension with macOS.",
+				LongHelp:   "This command registers the Tailscale system extension with macOS. To run Tailscale, you'll also need to install the VPN configuration separately (run `tailscale configure vpn-config install`). After running this command, you need to approve the extension in System Settings > Login Items and Extensions > Network Extensions.",
+				Exec:       requiresStandalone,
+			},
+			{
+				Name:       "deactivate",
+				ShortUsage: "tailscale configure sysext deactivate",
+				ShortHelp:  "Deactivate the Tailscale system extension on macOS",
+				LongHelp:   "This command deactivates the Tailscale system extension on macOS. To completely remove Tailscale, you'll also need to delete the VPN configuration separately (use `tailscale configure vpn-config uninstall`).",
+				Exec:       requiresStandalone,
+			},
+			{
+				Name:       "status",
+				ShortUsage: "tailscale configure sysext status",
+				ShortHelp:  "Print the enablement status of the Tailscale system extension",
+				LongHelp:   "This command prints the enablement status of the Tailscale system extension. If the extension is not enabled, run `tailscale sysext activate` to enable it.",
+				Exec:       requiresStandalone,
+			},
+		},
+		Exec: requiresStandalone,
+	}
+}
+
+// vpnConfigCmd returns a command for managing the Tailscale VPN configuration on macOS
+// (the entry that appears in System Settings > VPN).
+func vpnConfigCmd() *ffcli.Command {
+	return &ffcli.Command{
+		Name:       "mac-vpn",
+		ShortUsage: "tailscale configure mac-vpn [install|uninstall]",
+		ShortHelp:  "Manage the VPN configuration on macOS (App Store and Standalone variants)",
+		LongHelp:   "The vpn-config set of commands provides a way to add or remove the Tailscale VPN configuration from the macOS settings. This is the entry that appears in System Settings > VPN.",
+		Subcommands: []*ffcli.Command{
+			{
+				Name:       "install",
+				ShortUsage: "tailscale configure mac-vpn install",
+				ShortHelp:  "Write the Tailscale VPN configuration to the macOS settings",
+				LongHelp:   "This command writes the Tailscale VPN configuration to the macOS settings. This is the entry that appears in System Settings > VPN. If you are running the Standalone variant of the client, you'll also need to install the system extension separately (run `tailscale configure sysext activate`).",
+				Exec:       requiresGUI,
+			},
+			{
+				Name:       "uninstall",
+				ShortUsage: "tailscale configure mac-vpn uninstall",
+				ShortHelp:  "Delete the Tailscale VPN configuration from the macOS settings",
+				LongHelp:   "This command removes the Tailscale VPN configuration from the macOS settings. This is the entry that appears in System Settings > VPN. If you are running the Standalone variant of the client, you'll also need to deactivate the system extension separately (run `tailscale configure sysext deactivate`).",
+				Exec:       requiresGUI,
+			},
+		},
+		Exec: func(ctx context.Context, args []string) error {
+			return errors.New("unsupported command: requires a GUI build of the macOS client")
+		},
+	}
+}
+
+func requiresStandalone(ctx context.Context, args []string) error {
+	return errors.New("unsupported command: requires the Standalone (.pkg installer) GUI build of the client")
+}
+
+func requiresGUI(ctx context.Context, args []string) error {
+	return errors.New("unsupported command: requires a GUI build of the macOS client")
+}
--- a/cmd/tailscale/cli/debug-capture.go
+++ b/cmd/tailscale/cli/debug-capture.go
@@ -0,0 +1,80 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !ios && !ts_omit_capture
+
+package cli
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/feature/capture/dissector"
+)
+
+func init() {
+	debugCaptureCmd = mkDebugCaptureCmd
+}
+
+func mkDebugCaptureCmd() *ffcli.Command {
+	return &ffcli.Command{
+		Name:       "capture",
+		ShortUsage: "tailscale debug capture",
+		Exec:       runCapture,
+		ShortHelp:  "Stream pcaps for debugging",
+		FlagSet: (func() *flag.FlagSet {
+			fs := newFlagSet("capture")
+			fs.StringVar(&captureArgs.outFile, "o", "", "path to stream the pcap (or - for stdout), leave empty to start wireshark")
+			return fs
+		})(),
+	}
+}
+
+var captureArgs struct {
+	outFile string
+}
+
+func runCapture(ctx context.Context, args []string) error {
+	stream, err := localClient.StreamDebugCapture(ctx)
+	if err != nil {
+		return err
+	}
+	defer stream.Close()
+
+	switch captureArgs.outFile {
+	case "-":
+		fmt.Fprintln(Stderr, "Press Ctrl-C to stop the capture.")
+		_, err = io.Copy(os.Stdout, stream)
+		return err
+	case "":
+		lua, err := os.CreateTemp("", "ts-dissector")
+		if err != nil {
+			return err
+		}
+		defer os.Remove(lua.Name())
+		io.WriteString(lua, dissector.Lua)
+		if err := lua.Close(); err != nil {
+			return err
+		}
+
+		wireshark := exec.CommandContext(ctx, "wireshark", "-X", "lua_script:"+lua.Name(), "-k", "-i", "-")
+		wireshark.Stdin = stream
+		wireshark.Stdout = os.Stdout
+		wireshark.Stderr = os.Stderr
+		return wireshark.Run()
+	}
+
+	f, err := os.OpenFile(captureArgs.outFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	fmt.Fprintln(Stderr, "Press Ctrl-C to stop the capture.")
+	_, err = io.Copy(f, stream)
+	return err
+}
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -20,7 +20,6 @@ import (
 	"net/netip"
 	"net/url"
 	"os"
-	"os/exec"
 	"runtime"
 	"runtime/debug"
 	"strconv"
@@ -45,307 +44,302 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/must"
-	"tailscale.com/wgengine/capture"
 )

-var debugCmd = &ffcli.Command{
-	Name:       "debug",
-	Exec:       runDebug,
-	ShortUsage: "tailscale debug <debug-flags | subcommand>",
-	ShortHelp:  "Debug commands",
-	LongHelp:   hidden + `"tailscale debug" contains misc debug facilities; it is not a stable interface.`,
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("debug")
-		fs.StringVar(&debugArgs.file, "file", "", "get, delete:NAME, or NAME")
-		fs.StringVar(&debugArgs.cpuFile, "cpu-profile", "", "if non-empty, grab a CPU profile for --profile-seconds seconds and write it to this file; - for stdout")
-		fs.StringVar(&debugArgs.memFile, "mem-profile", "", "if non-empty, grab a memory profile and write it to this file; - for stdout")
-		fs.IntVar(&debugArgs.cpuSec, "profile-seconds", 15, "number of seconds to run a CPU profile for, when --cpu-profile is non-empty")
-		return fs
-	})(),
-	Subcommands: []*ffcli.Command{
-		{
-			Name:       "derp-map",
-			ShortUsage: "tailscale debug derp-map",
-			Exec:       runDERPMap,
-			ShortHelp:  "Print DERP map",
-		},
-		{
-			Name:       "component-logs",
-			ShortUsage: "tailscale debug component-logs [" + strings.Join(ipn.DebuggableComponents, "|") + "]",
-			Exec:       runDebugComponentLogs,
-			ShortHelp:  "Enable/disable debug logs for a component",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("component-logs")
-				fs.DurationVar(&debugComponentLogsArgs.forDur, "for", time.Hour, "how long to enable debug logs for; zero or negative means to disable")
-				return fs
-			})(),
-		},
-		{
-			Name:       "daemon-goroutines",
-			ShortUsage: "tailscale debug daemon-goroutines",
-			Exec:       runDaemonGoroutines,
-			ShortHelp:  "Print tailscaled's goroutines",
-		},
-		{
-			Name:       "daemon-logs",
-			ShortUsage: "tailscale debug daemon-logs",
-			Exec:       runDaemonLogs,
-			ShortHelp:  "Watch tailscaled's server logs",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("daemon-logs")
-				fs.IntVar(&daemonLogsArgs.verbose, "verbose", 0, "verbosity level")
-				fs.BoolVar(&daemonLogsArgs.time, "time", false, "include client time")
-				return fs
-			})(),
-		},
-		{
-			Name:       "metrics",
-			ShortUsage: "tailscale debug metrics",
-			Exec:       runDaemonMetrics,
-			ShortHelp:  "Print tailscaled's metrics",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("metrics")
-				fs.BoolVar(&metricsArgs.watch, "watch", false, "print JSON dump of delta values")
-				return fs
-			})(),
-		},
-		{
-			Name:       "env",
-			ShortUsage: "tailscale debug env",
-			Exec:       runEnv,
-			ShortHelp:  "Print cmd/tailscale environment",
-		},
-		{
-			Name:       "stat",
-			ShortUsage: "tailscale debug stat <files...>",
-			Exec:       runStat,
-			ShortHelp:  "Stat a file",
-		},
-		{
-			Name:       "hostinfo",
-			ShortUsage: "tailscale debug hostinfo",
-			Exec:       runHostinfo,
-			ShortHelp:  "Print hostinfo",
-		},
-		{
-			Name:       "local-creds",
-			ShortUsage: "tailscale debug local-creds",
-			Exec:       runLocalCreds,
-			ShortHelp:  "Print how to access Tailscale LocalAPI",
-		},
-		{
-			Name:       "restun",
-			ShortUsage: "tailscale debug restun",
-			Exec:       localAPIAction("restun"),
-			ShortHelp:  "Force a magicsock restun",
-		},
-		{
-			Name:       "rebind",
-			ShortUsage: "tailscale debug rebind",
-			Exec:       localAPIAction("rebind"),
-			ShortHelp:  "Force a magicsock rebind",
-		},
-		{
-			Name:       "derp-set-on-demand",
-			ShortUsage: "tailscale debug derp-set-on-demand",
-			Exec:       localAPIAction("derp-set-homeless"),
-			ShortHelp:  "Enable DERP on-demand mode (breaks reachability)",
-		},
-		{
-			Name:       "derp-unset-on-demand",
-			ShortUsage: "tailscale debug derp-unset-on-demand",
-			Exec:       localAPIAction("derp-unset-homeless"),
-			ShortHelp:  "Disable DERP on-demand mode",
-		},
-		{
-			Name:       "break-tcp-conns",
-			ShortUsage: "tailscale debug break-tcp-conns",
-			Exec:       localAPIAction("break-tcp-conns"),
-			ShortHelp:  "Break any open TCP connections from the daemon",
-		},
-		{
-			Name:       "break-derp-conns",
-			ShortUsage: "tailscale debug break-derp-conns",
-			Exec:       localAPIAction("break-derp-conns"),
-			ShortHelp:  "Break any open DERP connections from the daemon",
-		},
-		{
-			Name:       "pick-new-derp",
-			ShortUsage: "tailscale debug pick-new-derp",
-			Exec:       localAPIAction("pick-new-derp"),
-			ShortHelp:  "Switch to some other random DERP home region for a short time",
-		},
-		{
-			Name:       "force-prefer-derp",
-			ShortUsage: "tailscale debug force-prefer-derp",
-			Exec:       forcePreferDERP,
-			ShortHelp:  "Prefer the given region ID if reachable (until restart, or 0 to clear)",
-		},
-		{
-			Name:       "force-netmap-update",
-			ShortUsage: "tailscale debug force-netmap-update",
-			Exec:       localAPIAction("force-netmap-update"),
-			ShortHelp:  "Force a full no-op netmap update (for load testing)",
-		},
-		{
-			// TODO(bradfitz,maisem): eventually promote this out of debug
-			Name:       "reload-config",
-			ShortUsage: "tailscale debug reload-config",
-			Exec:       reloadConfig,
-			ShortHelp:  "Reload config",
-		},
-		{
-			Name:       "control-knobs",
-			ShortUsage: "tailscale debug control-knobs",
-			Exec:       debugControlKnobs,
-			ShortHelp:  "See current control knobs",
-		},
-		{
-			Name:       "prefs",
-			ShortUsage: "tailscale debug prefs",
-			Exec:       runPrefs,
-			ShortHelp:  "Print prefs",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("prefs")
-				fs.BoolVar(&prefsArgs.pretty, "pretty", false, "If true, pretty-print output")
-				return fs
-			})(),
-		},
-		{
-			Name:       "watch-ipn",
-			ShortUsage: "tailscale debug watch-ipn",
-			Exec:       runWatchIPN,
-			ShortHelp:  "Subscribe to IPN message bus",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("watch-ipn")
-				fs.BoolVar(&watchIPNArgs.netmap, "netmap", true, "include netmap in messages")
-				fs.BoolVar(&watchIPNArgs.initial, "initial", false, "include initial status")
-				fs.BoolVar(&watchIPNArgs.rateLimit, "rate-limit", true, "rate limit messags")
-				fs.BoolVar(&watchIPNArgs.showPrivateKey, "show-private-key", false, "include node private key in printed netmap")
-				fs.IntVar(&watchIPNArgs.count, "count", 0, "exit after printing this many statuses, or 0 to keep going forever")
-				return fs
-			})(),
-		},
-		{
-			Name:       "netmap",
-			ShortUsage: "tailscale debug netmap",
-			Exec:       runNetmap,
-			ShortHelp:  "Print the current network map",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("netmap")
-				fs.BoolVar(&netmapArgs.showPrivateKey, "show-private-key", false, "include node private key in printed netmap")
-				return fs
-			})(),
-		},
-		{
-			Name: "via",
-			ShortUsage: "tailscale debug via <site-id> <v4-cidr>\n" +
-				"tailscale debug via <v6-route>",
-			Exec:      runVia,
-			ShortHelp: "Convert between site-specific IPv4 CIDRs and IPv6 'via' routes",
-		},
-		{
-			Name:       "ts2021",
-			ShortUsage: "tailscale debug ts2021",
-			Exec:       runTS2021,
-			ShortHelp:  "Debug ts2021 protocol connectivity",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("ts2021")
-				fs.StringVar(&ts2021Args.host, "host", "controlplane.tailscale.com", "hostname of control plane")
-				fs.IntVar(&ts2021Args.version, "version", int(tailcfg.CurrentCapabilityVersion), "protocol version")
-				fs.BoolVar(&ts2021Args.verbose, "verbose", false, "be extra verbose")
-				return fs
-			})(),
-		},
-		{
-			Name:       "set-expire",
-			ShortUsage: "tailscale debug set-expire --in=1m",
-			Exec:       runSetExpire,
-			ShortHelp:  "Manipulate node key expiry for testing",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("set-expire")
-				fs.DurationVar(&setExpireArgs.in, "in", 0, "if non-zero, set node key to expire this duration from now")
-				return fs
-			})(),
-		},
-		{
-			Name:       "dev-store-set",
-			ShortUsage: "tailscale debug dev-store-set",
-			Exec:       runDevStoreSet,
-			ShortHelp:  "Set a key/value pair during development",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("store-set")
-				fs.BoolVar(&devStoreSetArgs.danger, "danger", false, "accept danger")
-				return fs
-			})(),
-		},
-		{
-			Name:       "derp",
-			ShortUsage: "tailscale debug derp",
-			Exec:       runDebugDERP,
-			ShortHelp:  "Test a DERP configuration",
-		},
-		{
-			Name:       "capture",
-			ShortUsage: "tailscale debug capture",
-			Exec:       runCapture,
-			ShortHelp:  "Streams pcaps for debugging",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("capture")
-				fs.StringVar(&captureArgs.outFile, "o", "", "path to stream the pcap (or - for stdout), leave empty to start wireshark")
-				return fs
-			})(),
-		},
-		{
-			Name:       "portmap",
-			ShortUsage: "tailscale debug portmap",
-			Exec:       debugPortmap,
-			ShortHelp:  "Run portmap debugging",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("portmap")
-				fs.DurationVar(&debugPortmapArgs.duration, "duration", 5*time.Second, "timeout for port mapping")
-				fs.StringVar(&debugPortmapArgs.ty, "type", "", `portmap debug type (one of "", "pmp", "pcp", or "upnp")`)
-				fs.StringVar(&debugPortmapArgs.gatewayAddr, "gateway-addr", "", `override gateway IP (must also pass --self-addr)`)
-				fs.StringVar(&debugPortmapArgs.selfAddr, "self-addr", "", `override self IP (must also pass --gateway-addr)`)
-				fs.BoolVar(&debugPortmapArgs.logHTTP, "log-http", false, `print all HTTP requests and responses to the log`)
-				return fs
-			})(),
-		},
-		{
-			Name:       "peer-endpoint-changes",
-			ShortUsage: "tailscale debug peer-endpoint-changes <hostname-or-IP>",
-			Exec:       runPeerEndpointChanges,
-			ShortHelp:  "Prints debug information about a peer's endpoint changes",
-		},
-		{
-			Name:       "dial-types",
-			ShortUsage: "tailscale debug dial-types <hostname-or-IP> <port>",
-			Exec:       runDebugDialTypes,
-			ShortHelp:  "Prints debug information about connecting to a given host or IP",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("dial-types")
-				fs.StringVar(&debugDialTypesArgs.network, "network", "tcp", `network type to dial ("tcp", "udp", etc.)`)
-				return fs
-			})(),
-		},
-		{
-			Name:       "resolve",
-			ShortUsage: "tailscale debug resolve <hostname>",
-			Exec:       runDebugResolve,
-			ShortHelp:  "Does a DNS lookup",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("resolve")
-				fs.StringVar(&resolveArgs.net, "net", "ip", "network type to resolve (ip, ip4, ip6)")
-				return fs
-			})(),
-		},
-		{
-			Name:       "go-buildinfo",
-			ShortUsage: "tailscale debug go-buildinfo",
-			ShortHelp:  "Prints Go's runtime/debug.BuildInfo",
-			Exec:       runGoBuildInfo,
-		},
-	},
+var (
+	debugCaptureCmd func() *ffcli.Command // or nil
+)
+
+func debugCmd() *ffcli.Command {
+	return &ffcli.Command{
+		Name:       "debug",
+		Exec:       runDebug,
+		ShortUsage: "tailscale debug <debug-flags | subcommand>",
+		ShortHelp:  "Debug commands",
+		LongHelp:   hidden + `"tailscale debug" contains misc debug facilities; it is not a stable interface.`,
+		FlagSet: (func() *flag.FlagSet {
+			fs := newFlagSet("debug")
+			fs.StringVar(&debugArgs.file, "file", "", "get, delete:NAME, or NAME")
+			fs.StringVar(&debugArgs.cpuFile, "cpu-profile", "", "if non-empty, grab a CPU profile for --profile-seconds seconds and write it to this file; - for stdout")
+			fs.StringVar(&debugArgs.memFile, "mem-profile", "", "if non-empty, grab a memory profile and write it to this file; - for stdout")
+			fs.IntVar(&debugArgs.cpuSec, "profile-seconds", 15, "number of seconds to run a CPU profile for, when --cpu-profile is non-empty")
+			return fs
+		})(),
+		Subcommands: nonNilCmds([]*ffcli.Command{
+			{
+				Name:       "derp-map",
+				ShortUsage: "tailscale debug derp-map",
+				Exec:       runDERPMap,
+				ShortHelp:  "Print DERP map",
+			},
+			{
+				Name:       "component-logs",
+				ShortUsage: "tailscale debug component-logs [" + strings.Join(ipn.DebuggableComponents, "|") + "]",
+				Exec:       runDebugComponentLogs,
+				ShortHelp:  "Enable/disable debug logs for a component",
+				FlagSet: (func() *flag.FlagSet {
+					fs := newFlagSet("component-logs")
+					fs.DurationVar(&debugComponentLogsArgs.forDur, "for", time.Hour, "how long to enable debug logs for; zero or negative means to disable")
+					return fs
+				})(),
+			},
+			{
+				Name:       "daemon-goroutines",
+				ShortUsage: "tailscale debug daemon-goroutines",
+				Exec:       runDaemonGoroutines,
+				ShortHelp:  "Print tailscaled's goroutines",
+			},
+			{
+				Name:       "daemon-logs",
+				ShortUsage: "tailscale debug daemon-logs",
+				Exec:       runDaemonLogs,
+				ShortHelp:  "Watch tailscaled's server logs",
+				FlagSet: (func() *flag.FlagSet {
+					fs := newFlagSet("daemon-logs")
+					fs.IntVar(&daemonLogsArgs.verbose, "verbose", 0, "verbosity level")
+					fs.BoolVar(&daemonLogsArgs.time, "time", false, "include client time")
+					return fs
+				})(),
+			},
+			{
+				Name:       "metrics",
+				ShortUsage: "tailscale debug metrics",
+				Exec:       runDaemonMetrics,
+				ShortHelp:  "Print tailscaled's metrics",
+				FlagSet: (func() *flag.FlagSet {
+					fs := newFlagSet("metrics")
+					fs.BoolVar(&metricsArgs.watch, "watch", false, "print JSON dump of delta values")
+					return fs
+				})(),
+			},
+			{
+				Name:       "env",
+				ShortUsage: "tailscale debug env",
+				Exec:       runEnv,
+				ShortHelp:  "Print cmd/tailscale environment",
+			},
+			{
+				Name:       "stat",
+				ShortUsage: "tailscale debug stat <files...>",
+				Exec:       runStat,
+				ShortHelp:  "Stat a file",
+			},
+			{
+				Name:       "hostinfo",
+				ShortUsage: "tailscale debug hostinfo",
+				Exec:       runHostinfo,
+				ShortHelp:  "Print hostinfo",
+			},
+			{
+				Name:       "local-creds",
+				ShortUsage: "tailscale debug local-creds",
+				Exec:       runLocalCreds,
+				ShortHelp:  "Print how to access Tailscale LocalAPI",
+			},
+			{
+				Name:       "restun",
+				ShortUsage: "tailscale debug restun",
+				Exec:       localAPIAction("restun"),
+				ShortHelp:  "Force a magicsock restun",
+			},
+			{
+				Name:       "rebind",
+				ShortUsage: "tailscale debug rebind",
+				Exec:       localAPIAction("rebind"),
+				ShortHelp:  "Force a magicsock rebind",
+			},
+			{
+				Name:       "derp-set-on-demand",
+				ShortUsage: "tailscale debug derp-set-on-demand",
+				Exec:       localAPIAction("derp-set-homeless"),
+				ShortHelp:  "Enable DERP on-demand mode (breaks reachability)",
+			},
+			{
+				Name:       "derp-unset-on-demand",
+				ShortUsage: "tailscale debug derp-unset-on-demand",
+				Exec:       localAPIAction("derp-unset-homeless"),
+				ShortHelp:  "Disable DERP on-demand mode",
+			},
+			{
+				Name:       "break-tcp-conns",
+				ShortUsage: "tailscale debug break-tcp-conns",
+				Exec:       localAPIAction("break-tcp-conns"),
+				ShortHelp:  "Break any open TCP connections from the daemon",
+			},
+			{
+				Name:       "break-derp-conns",
+				ShortUsage: "tailscale debug break-derp-conns",
+				Exec:       localAPIAction("break-derp-conns"),
+				ShortHelp:  "Break any open DERP connections from the daemon",
+			},
+			{
+				Name:       "pick-new-derp",
+				ShortUsage: "tailscale debug pick-new-derp",
+				Exec:       localAPIAction("pick-new-derp"),
+				ShortHelp:  "Switch to some other random DERP home region for a short time",
+			},
+			{
+				Name:       "force-prefer-derp",
+				ShortUsage: "tailscale debug force-prefer-derp",
+				Exec:       forcePreferDERP,
+				ShortHelp:  "Prefer the given region ID if reachable (until restart, or 0 to clear)",
+			},
+			{
+				Name:       "force-netmap-update",
+				ShortUsage: "tailscale debug force-netmap-update",
+				Exec:       localAPIAction("force-netmap-update"),
+				ShortHelp:  "Force a full no-op netmap update (for load testing)",
+			},
+			{
+				// TODO(bradfitz,maisem): eventually promote this out of debug
+				Name:       "reload-config",
+				ShortUsage: "tailscale debug reload-config",
+				Exec:       reloadConfig,
+				ShortHelp:  "Reload config",
+			},
+			{
+				Name:       "control-knobs",
+				ShortUsage: "tailscale debug control-knobs",
+				Exec:       debugControlKnobs,
+				ShortHelp:  "See current control knobs",
+			},
+			{
+				Name:       "prefs",
+				ShortUsage: "tailscale debug prefs",
+				Exec:       runPrefs,
+				ShortHelp:  "Print prefs",
+				FlagSet: (func() *flag.FlagSet {
+					fs := newFlagSet("prefs")
+					fs.BoolVar(&prefsArgs.pretty, "pretty", false, "If true, pretty-print output")
+					return fs
+				})(),
+			},
+			{
+				Name:       "watch-ipn",
+				ShortUsage: "tailscale debug watch-ipn",
+				Exec:       runWatchIPN,
+				ShortHelp:  "Subscribe to IPN message bus",
+				FlagSet: (func() *flag.FlagSet {
+					fs := newFlagSet("watch-ipn")
+					fs.BoolVar(&watchIPNArgs.netmap, "netmap", true, "include netmap in messages")
+					fs.BoolVar(&watchIPNArgs.initial, "initial", false, "include initial status")
+					fs.BoolVar(&watchIPNArgs.rateLimit, "rate-limit", true, "rate limit messags")
+					fs.BoolVar(&watchIPNArgs.showPrivateKey, "show-private-key", false, "include node private key in printed netmap")
+					fs.IntVar(&watchIPNArgs.count, "count", 0, "exit after printing this many statuses, or 0 to keep going forever")
+					return fs
+				})(),
+			},
+			{
+				Name:       "netmap",
+				ShortUsage: "tailscale debug netmap",
+				Exec:       runNetmap,
+				ShortHelp:  "Print the current network map",
+				FlagSet: (func() *flag.FlagSet {
+					fs := newFlagSet("netmap")
+					fs.BoolVar(&netmapArgs.showPrivateKey, "show-private-key", false, "include node private key in printed netmap")
+					return fs
+				})(),
+			},
+			{
+				Name: "via",
+				ShortUsage: "tailscale debug via <site-id> <v4-cidr>\n" +
+					"tailscale debug via <v6-route>",
+				Exec:      runVia,
+				ShortHelp: "Convert between site-specific IPv4 CIDRs and IPv6 'via' routes",
+			},
+			{
+				Name:       "ts2021",
+				ShortUsage: "tailscale debug ts2021",
+				Exec:       runTS2021,
+				ShortHelp:  "Debug ts2021 protocol connectivity",
+				FlagSet: (func() *flag.FlagSet {
+					fs := newFlagSet("ts2021")
+					fs.StringVar(&ts2021Args.host, "host", "controlplane.tailscale.com", "hostname of control plane")
+					fs.IntVar(&ts2021Args.version, "version", int(tailcfg.CurrentCapabilityVersion), "protocol version")
+					fs.BoolVar(&ts2021Args.verbose, "verbose", false, "be extra verbose")
+					return fs
+				})(),
+			},
+			{
+				Name:       "set-expire",
+				ShortUsage: "tailscale debug set-expire --in=1m",
+				Exec:       runSetExpire,
+				ShortHelp:  "Manipulate node key expiry for testing",
+				FlagSet: (func() *flag.FlagSet {
+					fs := newFlagSet("set-expire")
+					fs.DurationVar(&setExpireArgs.in, "in", 0, "if non-zero, set node key to expire this duration from now")
+					return fs
+				})(),
+			},
+			{
+				Name:       "dev-store-set",
+				ShortUsage: "tailscale debug dev-store-set",
+				Exec:       runDevStoreSet,
+				ShortHelp:  "Set a key/value pair during development",
+				FlagSet: (func() *flag.FlagSet {
+					fs := newFlagSet("store-set")
+					fs.BoolVar(&devStoreSetArgs.danger, "danger", false, "accept danger")
+					return fs
+				})(),
+			},
+			{
+				Name:       "derp",
+				ShortUsage: "tailscale debug derp",
+				Exec:       runDebugDERP,
+				ShortHelp:  "Test a DERP configuration",
+			},
+			ccall(debugCaptureCmd),
+			{
+				Name:       "portmap",
+				ShortUsage: "tailscale debug portmap",
+				Exec:       debugPortmap,
+				ShortHelp:  "Run portmap debugging",
+				FlagSet: (func() *flag.FlagSet {
+					fs := newFlagSet("portmap")
+					fs.DurationVar(&debugPortmapArgs.duration, "duration", 5*time.Second, "timeout for port mapping")
+					fs.StringVar(&debugPortmapArgs.ty, "type", "", `portmap debug type (one of "", "pmp", "pcp", or "upnp")`)
+					fs.StringVar(&debugPortmapArgs.gatewayAddr, "gateway-addr", "", `override gateway IP (must also pass --self-addr)`)
+					fs.StringVar(&debugPortmapArgs.selfAddr, "self-addr", "", `override self IP (must also pass --gateway-addr)`)
+					fs.BoolVar(&debugPortmapArgs.logHTTP, "log-http", false, `print all HTTP requests and responses to the log`)
+					return fs
+				})(),
+			},
+			{
+				Name:       "peer-endpoint-changes",
+				ShortUsage: "tailscale debug peer-endpoint-changes <hostname-or-IP>",
+				Exec:       runPeerEndpointChanges,
+				ShortHelp:  "Print debug information about a peer's endpoint changes",
+			},
+			{
+				Name:       "dial-types",
+				ShortUsage: "tailscale debug dial-types <hostname-or-IP> <port>",
+				Exec:       runDebugDialTypes,
+				ShortHelp:  "Print debug information about connecting to a given host or IP",
+				FlagSet: (func() *flag.FlagSet {
+					fs := newFlagSet("dial-types")
+					fs.StringVar(&debugDialTypesArgs.network, "network", "tcp", `network type to dial ("tcp", "udp", etc.)`)
+					return fs
+				})(),
+			},
+			{
+				Name:       "resolve",
+				ShortUsage: "tailscale debug resolve <hostname>",
+				Exec:       runDebugResolve,
+				ShortHelp:  "Does a DNS lookup",
+				FlagSet: (func() *flag.FlagSet {
+					fs := newFlagSet("resolve")
+					fs.StringVar(&resolveArgs.net, "net", "ip", "network type to resolve (ip, ip4, ip6)")
+					return fs
+				})(),
+			},
+			{
+				Name:       "go-buildinfo",
+				ShortUsage: "tailscale debug go-buildinfo",
+				ShortHelp:  "Print Go's runtime/debug.BuildInfo",
+				Exec:       runGoBuildInfo,
+			},
+		}...),
+	}
 }

 func runGoBuildInfo(ctx context.Context, args []string) error {
@@ -1036,50 +1030,6 @@ func runSetExpire(ctx context.Context, args []string) error {
 	return localClient.DebugSetExpireIn(ctx, setExpireArgs.in)
 }

-var captureArgs struct {
-	outFile string
-}
-
-func runCapture(ctx context.Context, args []string) error {
-	stream, err := localClient.StreamDebugCapture(ctx)
-	if err != nil {
-		return err
-	}
-	defer stream.Close()
-
-	switch captureArgs.outFile {
-	case "-":
-		fmt.Fprintln(Stderr, "Press Ctrl-C to stop the capture.")
-		_, err = io.Copy(os.Stdout, stream)
-		return err
-	case "":
-		lua, err := os.CreateTemp("", "ts-dissector")
-		if err != nil {
-			return err
-		}
-		defer os.Remove(lua.Name())
-		lua.Write([]byte(capture.DissectorLua))
-		if err := lua.Close(); err != nil {
-			return err
-		}
-
-		wireshark := exec.CommandContext(ctx, "wireshark", "-X", "lua_script:"+lua.Name(), "-k", "-i", "-")
-		wireshark.Stdin = stream
-		wireshark.Stdout = os.Stdout
-		wireshark.Stderr = os.Stderr
-		return wireshark.Run()
-	}
-
-	f, err := os.OpenFile(captureArgs.outFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-	fmt.Fprintln(Stderr, "Press Ctrl-C to stop the capture.")
-	_, err = io.Copy(f, stream)
-	return err
-}
-
 var debugPortmapArgs struct {
 	duration    time.Duration
 	gatewayAddr string
--- a/cmd/tailscale/cli/dns.go
+++ b/cmd/tailscale/cli/dns.go
@@ -20,7 +20,7 @@ var dnsCmd = &ffcli.Command{
 			Name:       "status",
 			ShortUsage: "tailscale dns status [--all]",
 			Exec:       runDNSStatus,
-			ShortHelp:  "Prints the current DNS status and configuration",
+			ShortHelp:  "Print the current DNS status and configuration",
 			LongHelp:   dnsStatusLongHelp(),
 			FlagSet: (func() *flag.FlagSet {
 				fs := newFlagSet("status")
--- a/cmd/tailscale/cli/exitnode.go
+++ b/cmd/tailscale/cli/exitnode.go
@@ -41,7 +41,7 @@ func exitNodeCmd() *ffcli.Command {
 			{
 				Name:       "suggest",
 				ShortUsage: "tailscale exit-node suggest",
-				ShortHelp:  "Suggests the best available exit node",
+				ShortHelp:  "Suggest the best available exit node",
 				Exec:       runExitNodeSuggest,
 			}},
 			(func() []*ffcli.Command {
--- a/cmd/tailscale/cli/metrics.go
+++ b/cmd/tailscale/cli/metrics.go
@@ -33,13 +33,13 @@ https://tailscale.com/s/client-metrics
 			Name:       "print",
 			ShortUsage: "tailscale metrics print",
 			Exec:       runMetricsPrint,
-			ShortHelp:  "Prints current metric values in the Prometheus text exposition format",
+			ShortHelp:  "Print current metric values in Prometheus text format",
 		},
 		{
 			Name:       "write",
 			ShortUsage: "tailscale metrics write <path>",
 			Exec:       runMetricsWrite,
-			ShortHelp:  "Writes metric values to a file",
+			ShortHelp:  "Write metric values to a file",
 			LongHelp: strings.TrimSpace(`

 The 'tailscale metrics write' command writes metric values to a text file provided as its
--- a/cmd/tailscale/cli/network-lock.go
+++ b/cmd/tailscale/cli/network-lock.go
@@ -191,8 +191,7 @@ var nlStatusArgs struct {
 var nlStatusCmd = &ffcli.Command{
 	Name:       "status",
 	ShortUsage: "tailscale lock status",
-	ShortHelp:  "Outputs the state of tailnet lock",
-	LongHelp:   "Outputs the state of tailnet lock",
+	ShortHelp:  "Output the state of tailnet lock",
 	Exec:       runNetworkLockStatus,
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("lock status")
@@ -293,8 +292,7 @@ func runNetworkLockStatus(ctx context.Context, args []string) error {
 var nlAddCmd = &ffcli.Command{
 	Name:       "add",
 	ShortUsage: "tailscale lock add <public-key>...",
-	ShortHelp:  "Adds one or more trusted signing keys to tailnet lock",
-	LongHelp:   "Adds one or more trusted signing keys to tailnet lock",
+	ShortHelp:  "Add one or more trusted signing keys to tailnet lock",
 	Exec: func(ctx context.Context, args []string) error {
 		return runNetworkLockModify(ctx, args, nil)
 	},
@@ -307,8 +305,7 @@ var nlRemoveArgs struct {
 var nlRemoveCmd = &ffcli.Command{
 	Name:       "remove",
 	ShortUsage: "tailscale lock remove [--re-sign=false] <public-key>...",
-	ShortHelp:  "Removes one or more trusted signing keys from tailnet lock",
-	LongHelp:   "Removes one or more trusted signing keys from tailnet lock",
+	ShortHelp:  "Remove one or more trusted signing keys from tailnet lock",
 	Exec:       runNetworkLockRemove,
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("lock remove")
@@ -448,7 +445,7 @@ func runNetworkLockModify(ctx context.Context, addArgs, removeArgs []string) err
 var nlSignCmd = &ffcli.Command{
 	Name:       "sign",
 	ShortUsage: "tailscale lock sign <node-key> [<rotation-key>]\ntailscale lock sign <auth-key>",
-	ShortHelp:  "Signs a node or pre-approved auth key",
+	ShortHelp:  "Sign a node or pre-approved auth key",
 	LongHelp: `Either:
  - signs a node key and transmits the signature to the coordination
    server, or
@@ -510,7 +507,7 @@ func runNetworkLockSign(ctx context.Context, args []string) error {
 var nlDisableCmd = &ffcli.Command{
 	Name:       "disable",
 	ShortUsage: "tailscale lock disable <disablement-secret>",
-	ShortHelp:  "Consumes a disablement secret to shut down tailnet lock for the tailnet",
+	ShortHelp:  "Consume a disablement secret to shut down tailnet lock for the tailnet",
 	LongHelp: strings.TrimSpace(`

 The 'tailscale lock disable' command uses the specified disablement
@@ -539,7 +536,7 @@ func runNetworkLockDisable(ctx context.Context, args []string) error {
 var nlLocalDisableCmd = &ffcli.Command{
 	Name:       "local-disable",
 	ShortUsage: "tailscale lock local-disable",
-	ShortHelp:  "Disables tailnet lock for this node only",
+	ShortHelp:  "Disable tailnet lock for this node only",
 	LongHelp: strings.TrimSpace(`

 The 'tailscale lock local-disable' command disables tailnet lock for only
@@ -561,8 +558,8 @@ func runNetworkLockLocalDisable(ctx context.Context, args []string) error {
 var nlDisablementKDFCmd = &ffcli.Command{
 	Name:       "disablement-kdf",
 	ShortUsage: "tailscale lock disablement-kdf <hex-encoded-disablement-secret>",
-	ShortHelp:  "Computes a disablement value from a disablement secret (advanced users only)",
-	LongHelp:   "Computes a disablement value from a disablement secret (advanced users only)",
+	ShortHelp:  "Compute a disablement value from a disablement secret (advanced users only)",
+	LongHelp:   "Compute a disablement value from a disablement secret (advanced users only)",
 	Exec:       runNetworkLockDisablementKDF,
 }

--- a/cmd/tailscale/cli/switch.go
+++ b/cmd/tailscale/cli/switch.go
@@ -20,7 +20,7 @@ import (
 var switchCmd = &ffcli.Command{
 	Name:       "switch",
 	ShortUsage: "tailscale switch <id>",
-	ShortHelp:  "Switches to a different Tailscale account",
+	ShortHelp:  "Switch to a different Tailscale account",
 	LongHelp: `"tailscale switch" switches between logged in accounts. You can
 use the ID that's returned from 'tailnet switch -list'
 to pick which profile you want to switch to. Alternatively, you
--- a/cmd/tailscale/cli/syspolicy.go
+++ b/cmd/tailscale/cli/syspolicy.go
@@ -31,7 +31,7 @@ var syspolicyCmd = &ffcli.Command{
 			Name:       "list",
 			ShortUsage: "tailscale syspolicy list",
 			Exec:       runSysPolicyList,
-			ShortHelp:  "Prints effective policy settings",
+			ShortHelp:  "Print effective policy settings",
 			LongHelp:   "The 'tailscale syspolicy list' subcommand displays the effective policy settings and their sources (e.g., MDM or environment variables).",
 			FlagSet: (func() *flag.FlagSet {
 				fs := newFlagSet("syspolicy list")
@@ -43,7 +43,7 @@ var syspolicyCmd = &ffcli.Command{
 			Name:       "reload",
 			ShortUsage: "tailscale syspolicy reload",
 			Exec:       runSysPolicyReload,
-			ShortHelp:  "Forces a reload of policy settings, even if no changes are detected, and prints the result",
+			ShortHelp:  "Force a reload of policy settings, even if no changes are detected, and prints the result",
 			LongHelp:   "The 'tailscale syspolicy reload' subcommand forces a reload of policy settings, even if no changes are detected, and prints the result.",
 			FlagSet: (func() *flag.FlagSet {
 				fs := newFlagSet("syspolicy reload")
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -116,6 +116,7 @@ func newUpFlagSet(goos string, upArgs *upArgsT, cmd string) *flag.FlagSet {
 	upf.StringVar(&upArgs.advertiseRoutes, "advertise-routes", "", "routes to advertise to other nodes (comma-separated, e.g. \"10.0.0.0/8,192.168.0.0/24\") or empty string to not advertise routes")
 	upf.BoolVar(&upArgs.advertiseConnector, "advertise-connector", false, "advertise this node as an app connector")
 	upf.BoolVar(&upArgs.advertiseDefaultRoute, "advertise-exit-node", false, "offer to be an exit node for internet traffic for the tailnet")
+	upf.BoolVar(&upArgs.postureChecking, "posture-checking", false, hidden+"allow management plane to gather device posture information")

 	if safesocket.GOOSUsesPeerCreds(goos) {
 		upf.StringVar(&upArgs.opUser, "operator", "", "Unix username to allow to operate on tailscaled without sudo")
@@ -138,7 +139,7 @@ func newUpFlagSet(goos string, upArgs *upArgsT, cmd string) *flag.FlagSet {
 		// Some flags are only for "up", not "login".
 		upf.BoolVar(&upArgs.json, "json", false, "output in JSON format (WARNING: format subject to change)")
 		upf.BoolVar(&upArgs.reset, "reset", false, "reset unspecified settings to their default values")
-		upf.BoolVar(&upArgs.forceReauth, "force-reauth", false, "force reauthentication")
+		upf.BoolVar(&upArgs.forceReauth, "force-reauth", false, "force reauthentication (WARNING: this will bring down the Tailscale connection and thus should not be done remotely over SSH or RDP)")
 		registerAcceptRiskFlag(upf, &upArgs.acceptedRisks)
 	}

@@ -194,6 +195,7 @@ type upArgsT struct {
 	timeout                time.Duration
 	acceptedRisks          string
 	profileName            string
+	postureChecking        bool
 }

 func (a upArgsT) getAuthKey() (string, error) {
@@ -304,6 +306,7 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 	prefs.OperatorUser = upArgs.opUser
 	prefs.ProfileName = upArgs.profileName
 	prefs.AppConnector.Advertise = upArgs.advertiseConnector
+	prefs.PostureChecking = upArgs.postureChecking

 	if goos == "linux" {
 		prefs.NoSNAT = !upArgs.snat
@@ -1053,6 +1056,8 @@ func prefsToFlags(env upCheckEnv, prefs *ipn.Prefs) (flagVal map[string]any) {
 			set(prefs.NetfilterMode.String())
 		case "unattended":
 			set(prefs.ForceDaemon)
+		case "posture-checking":
+			set(prefs.PostureChecking)
 		}
 	})
 	return ret
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -26,7 +26,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        github.com/gorilla/csrf                                      from tailscale.com/client/web
        github.com/gorilla/securecookie                              from github.com/gorilla/csrf
        github.com/hdevalence/ed25519consensus                       from tailscale.com/clientupdate/distsign+
-   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/netmon
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/kballard/go-shellquote                            from tailscale.com/cmd/tailscale/cli
@@ -70,7 +69,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        software.sslmate.com/src/go-pkcs12                           from tailscale.com/cmd/tailscale/cli
        software.sslmate.com/src/go-pkcs12/internal/rc2              from software.sslmate.com/src/go-pkcs12
        tailscale.com                                                from tailscale.com/version
-        tailscale.com/atomicfile                                     from tailscale.com/cmd/tailscale/cli+
+     💣 tailscale.com/atomicfile                                     from tailscale.com/cmd/tailscale/cli+
        tailscale.com/client/tailscale                               from tailscale.com/client/web+
        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale+
        tailscale.com/client/web                                     from tailscale.com/cmd/tailscale/cli
@@ -89,6 +88,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/drive                                          from tailscale.com/client/tailscale+
        tailscale.com/envknob                                        from tailscale.com/client/tailscale+
        tailscale.com/envknob/featureknob                            from tailscale.com/client/web
+        tailscale.com/feature/capture/dissector                      from tailscale.com/cmd/tailscale/cli
        tailscale.com/health                                         from tailscale.com/net/tlsdial+
        tailscale.com/health/healthmsg                               from tailscale.com/cmd/tailscale/cli
        tailscale.com/hostinfo                                       from tailscale.com/client/web+
@@ -98,11 +98,11 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/kube/kubetypes                                 from tailscale.com/envknob
        tailscale.com/licenses                                       from tailscale.com/client/web+
        tailscale.com/metrics                                        from tailscale.com/derp+
+        tailscale.com/net/bakedroots                                 from tailscale.com/net/tlsdial
        tailscale.com/net/captivedetection                           from tailscale.com/net/netcheck
        tailscale.com/net/dns/recursive                              from tailscale.com/net/dnsfallback
        tailscale.com/net/dnscache                                   from tailscale.com/control/controlhttp+
        tailscale.com/net/dnsfallback                                from tailscale.com/control/controlhttp+
-        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet
        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
        tailscale.com/net/netcheck                                   from tailscale.com/cmd/tailscale/cli
        tailscale.com/net/neterror                                   from tailscale.com/net/netcheck+
@@ -110,7 +110,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
     💣 tailscale.com/net/netmon                                     from tailscale.com/cmd/tailscale/cli+
     💣 tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale+
-        tailscale.com/net/packet                                     from tailscale.com/wgengine/capture
        tailscale.com/net/ping                                       from tailscale.com/net/netcheck
        tailscale.com/net/portmapper                                 from tailscale.com/cmd/tailscale/cli+
        tailscale.com/net/sockstats                                  from tailscale.com/control/controlhttp+
@@ -133,7 +132,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/tsweb/varz                                     from tailscale.com/util/usermetric
        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg+
        tailscale.com/types/empty                                    from tailscale.com/ipn
-        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
+        tailscale.com/types/ipproto                                  from tailscale.com/ipn+
        tailscale.com/types/key                                      from tailscale.com/client/tailscale+
        tailscale.com/types/lazy                                     from tailscale.com/util/testenv+
        tailscale.com/types/logger                                   from tailscale.com/client/web+
@@ -185,7 +184,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
   W 💣 tailscale.com/util/winutil/winenv                            from tailscale.com/hostinfo+
        tailscale.com/version                                        from tailscale.com/client/web+
        tailscale.com/version/distro                                 from tailscale.com/client/web+
-        tailscale.com/wgengine/capture                               from tailscale.com/cmd/tailscale/cli
        tailscale.com/wgengine/filter/filtertype                     from tailscale.com/types/netmap
        golang.org/x/crypto/argon2                                   from tailscale.com/tka
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/argon2+
@@ -196,6 +194,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
        golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
        golang.org/x/crypto/hkdf                                     from crypto/tls+
+        golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
+        golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/pbkdf2                                   from software.sslmate.com/src/go-pkcs12
@@ -211,6 +211,9 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/net/http2/hpack                                 from net/http+
        golang.org/x/net/icmp                                        from tailscale.com/net/ping
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
+        golang.org/x/net/internal/iana                               from golang.org/x/net/icmp+
+        golang.org/x/net/internal/socket                             from golang.org/x/net/icmp+
+        golang.org/x/net/internal/socks                              from golang.org/x/net/proxy
        golang.org/x/net/ipv4                                        from github.com/miekg/dns+
        golang.org/x/net/ipv6                                        from github.com/miekg/dns+
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
@@ -219,7 +222,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/oauth2/clientcredentials                        from tailscale.com/cmd/tailscale/cli
        golang.org/x/oauth2/internal                                 from golang.org/x/oauth2+
        golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
-        golang.org/x/sys/cpu                                         from github.com/josharian/native+
+        golang.org/x/sys/cpu                                         from golang.org/x/crypto/argon2+
  LD    golang.org/x/sys/unix                                        from github.com/google/nftables+
   W    golang.org/x/sys/windows                                     from github.com/dblohm7/wingoes+
   W    golang.org/x/sys/windows/registry                            from github.com/dblohm7/wingoes+
@@ -249,6 +252,18 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        crypto/ed25519                                               from crypto/tls+
        crypto/elliptic                                              from crypto/ecdsa+
        crypto/hmac                                                  from crypto/tls+
+        crypto/internal/alias                                        from crypto/aes+
+        crypto/internal/bigmod                                       from crypto/ecdsa+
+        crypto/internal/boring                                       from crypto/aes+
+        crypto/internal/boring/bbig                                  from crypto/ecdsa+
+        crypto/internal/boring/sig                                   from crypto/internal/boring
+        crypto/internal/edwards25519                                 from crypto/ed25519
+        crypto/internal/edwards25519/field                           from crypto/ecdh+
+        crypto/internal/hpke                                         from crypto/tls
+        crypto/internal/mlkem768                                     from crypto/tls
+        crypto/internal/nistec                                       from crypto/ecdh+
+        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
+        crypto/internal/randutil                                     from crypto/dsa+
        crypto/md5                                                   from crypto/tls+
        crypto/rand                                                  from crypto/ed25519+
        crypto/rc4                                                   from crypto/tls
@@ -259,6 +274,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        crypto/subtle                                                from crypto/aes+
        crypto/tls                                                   from github.com/miekg/dns+
        crypto/x509                                                  from crypto/tls+
+   D    crypto/x509/internal/macos                                   from crypto/x509
        crypto/x509/pkix                                             from crypto/x509+
  DW    database/sql/driver                                          from github.com/google/uuid
   W    debug/dwarf                                                  from debug/pe
@@ -287,6 +303,44 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        image                                                        from github.com/skip2/go-qrcode+
        image/color                                                  from github.com/skip2/go-qrcode+
        image/png                                                    from github.com/skip2/go-qrcode
+        internal/abi                                                 from crypto/x509/internal/macos+
+        internal/asan                                                from syscall
+        internal/bisect                                              from internal/godebug
+        internal/bytealg                                             from bytes+
+        internal/byteorder                                           from crypto/aes+
+        internal/chacha8rand                                         from math/rand/v2+
+        internal/concurrent                                          from unique
+        internal/coverage/rtcov                                      from runtime
+        internal/cpu                                                 from crypto/aes+
+        internal/filepathlite                                        from os+
+        internal/fmtsort                                             from fmt+
+        internal/goarch                                              from crypto/aes+
+        internal/godebug                                             from archive/tar+
+        internal/godebugs                                            from internal/godebug+
+        internal/goexperiment                                        from runtime
+        internal/goos                                                from crypto/x509+
+        internal/itoa                                                from internal/poll+
+        internal/msan                                                from syscall
+        internal/nettrace                                            from net+
+        internal/oserror                                             from io/fs+
+        internal/poll                                                from net+
+        internal/profilerecord                                       from runtime
+        internal/race                                                from internal/poll+
+        internal/reflectlite                                         from context+
+        internal/runtime/atomic                                      from internal/runtime/exithook+
+        internal/runtime/exithook                                    from runtime
+   L    internal/runtime/syscall                                     from runtime+
+        internal/saferio                                             from debug/pe+
+        internal/singleflight                                        from net
+        internal/stringslite                                         from embed+
+        internal/syscall/execenv                                     from os+
+  LD    internal/syscall/unix                                        from crypto/rand+
+   W    internal/syscall/windows                                     from crypto/rand+
+   W    internal/syscall/windows/registry                            from mime+
+   W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
+        internal/testlog                                             from os
+        internal/unsafeheader                                        from internal/reflectlite+
+        internal/weak                                                from unique
        io                                                           from archive/tar+
        io/fs                                                        from archive/tar+
        io/ioutil                                                    from github.com/mitchellh/go-ps+
@@ -308,6 +362,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        net/http/httptrace                                           from golang.org/x/net/http2+
        net/http/httputil                                            from tailscale.com/client/web+
        net/http/internal                                            from net/http+
+        net/http/internal/ascii                                      from net/http+
        net/netip                                                    from go4.org/netipx+
        net/textproto                                                from golang.org/x/net/http/httpguts+
        net/url                                                      from crypto/x509+
@@ -320,7 +375,10 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        reflect                                                      from archive/tar+
        regexp                                                       from github.com/coreos/go-iptables/iptables+
        regexp/syntax                                                from regexp
+        runtime                                                      from archive/tar+
        runtime/debug                                                from tailscale.com+
+        runtime/internal/math                                        from runtime
+        runtime/internal/sys                                         from runtime
        slices                                                       from tailscale.com/client/web+
        sort                                                         from compress/flate+
        strconv                                                      from archive/tar+
@@ -336,3 +394,4 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        unicode/utf16                                                from crypto/x509+
        unicode/utf8                                                 from bufio+
        unique                                                       from net/netip
+        unsafe                                                       from bytes+
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -112,13 +112,12 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        github.com/gorilla/securecookie                              from github.com/gorilla/csrf
        github.com/hdevalence/ed25519consensus                       from tailscale.com/clientupdate/distsign+
   L 💣 github.com/illarion/gonotify/v2                              from tailscale.com/net/dns
-   L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
+   L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/feature/tap
   L    github.com/insomniacslk/dhcp/iana                            from github.com/insomniacslk/dhcp/dhcpv4
   L    github.com/insomniacslk/dhcp/interfaces                      from github.com/insomniacslk/dhcp/dhcpv4
   L    github.com/insomniacslk/dhcp/rfc1035label                    from github.com/insomniacslk/dhcp/dhcpv4
        github.com/jellydator/ttlcache/v3                            from tailscale.com/drive/driveimpl/compositedav
   L    github.com/jmespath/go-jmespath                              from github.com/aws/aws-sdk-go-v2/service/ssm
-   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/netmon
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/klauspost/compress                                from github.com/klauspost/compress/zstd
@@ -128,7 +127,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        github.com/klauspost/compress/internal/snapref               from github.com/klauspost/compress/zstd
        github.com/klauspost/compress/zstd                           from tailscale.com/util/zstdframe
        github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
-        github.com/kortschak/wol                                     from tailscale.com/ipn/ipnlocal
+        github.com/kortschak/wol                                     from tailscale.com/feature/wakeonlan
  LD    github.com/kr/fs                                             from github.com/pkg/sftp
   L    github.com/mdlayher/genetlink                                from tailscale.com/net/tstun
   L 💣 github.com/mdlayher/netlink                                  from github.com/google/nftables+
@@ -153,7 +152,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   W 💣 github.com/tailscale/go-winio/internal/socket                from github.com/tailscale/go-winio
   W    github.com/tailscale/go-winio/internal/stringbuffer          from github.com/tailscale/go-winio/internal/fs
   W    github.com/tailscale/go-winio/pkg/guid                       from github.com/tailscale/go-winio+
-        github.com/tailscale/golang-x-crypto/acme                    from tailscale.com/ipn/ipnlocal
  LD    github.com/tailscale/golang-x-crypto/internal/poly1305       from github.com/tailscale/golang-x-crypto/ssh
  LD    github.com/tailscale/golang-x-crypto/ssh                     from tailscale.com/ipn/ipnlocal+
  LD    github.com/tailscale/golang-x-crypto/ssh/internal/bcrypt_pbkdf from github.com/tailscale/golang-x-crypto/ssh
@@ -215,7 +213,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        gvisor.dev/gvisor/pkg/tcpip/network/internal/fragmentation   from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
        gvisor.dev/gvisor/pkg/tcpip/network/internal/ip              from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
        gvisor.dev/gvisor/pkg/tcpip/network/internal/multicast       from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
-        gvisor.dev/gvisor/pkg/tcpip/network/ipv4                     from tailscale.com/net/tstun+
+        gvisor.dev/gvisor/pkg/tcpip/network/ipv4                     from tailscale.com/feature/tap+
        gvisor.dev/gvisor/pkg/tcpip/network/ipv6                     from tailscale.com/wgengine/netstack+
        gvisor.dev/gvisor/pkg/tcpip/ports                            from gvisor.dev/gvisor/pkg/tcpip/stack+
        gvisor.dev/gvisor/pkg/tcpip/seqnum                           from gvisor.dev/gvisor/pkg/tcpip/header+
@@ -233,7 +231,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        gvisor.dev/gvisor/pkg/waiter                                 from gvisor.dev/gvisor/pkg/context+
        tailscale.com                                                from tailscale.com/version
        tailscale.com/appc                                           from tailscale.com/ipn/ipnlocal
-        tailscale.com/atomicfile                                     from tailscale.com/ipn+
+     💣 tailscale.com/atomicfile                                     from tailscale.com/ipn+
  LD    tailscale.com/chirp                                          from tailscale.com/cmd/tailscaled
        tailscale.com/client/tailscale                               from tailscale.com/client/web+
        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale+
@@ -260,6 +258,11 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/drive/driveimpl/shared                         from tailscale.com/drive/driveimpl+
        tailscale.com/envknob                                        from tailscale.com/client/tailscale+
        tailscale.com/envknob/featureknob                            from tailscale.com/client/web+
+        tailscale.com/feature                                        from tailscale.com/feature/wakeonlan+
+        tailscale.com/feature/capture                                from tailscale.com/feature/condregister
+        tailscale.com/feature/condregister                           from tailscale.com/cmd/tailscaled
+   L    tailscale.com/feature/tap                                    from tailscale.com/feature/condregister
+        tailscale.com/feature/wakeonlan                              from tailscale.com/feature/condregister
        tailscale.com/health                                         from tailscale.com/control/controlclient+
        tailscale.com/health/healthmsg                               from tailscale.com/ipn/ipnlocal
        tailscale.com/hostinfo                                       from tailscale.com/client/web+
@@ -270,7 +273,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/ipn/ipnlocal                                   from tailscale.com/cmd/tailscaled+
        tailscale.com/ipn/ipnserver                                  from tailscale.com/cmd/tailscaled
        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
-        tailscale.com/ipn/localapi                                   from tailscale.com/ipn/ipnserver
+        tailscale.com/ipn/localapi                                   from tailscale.com/ipn/ipnserver+
        tailscale.com/ipn/policy                                     from tailscale.com/ipn/ipnlocal
        tailscale.com/ipn/store                                      from tailscale.com/cmd/tailscaled+
   L    tailscale.com/ipn/store/awsstore                             from tailscale.com/ipn/store
@@ -287,6 +290,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/logtail/backoff                                from tailscale.com/cmd/tailscaled+
        tailscale.com/logtail/filch                                  from tailscale.com/log/sockstatlog+
        tailscale.com/metrics                                        from tailscale.com/derp+
+        tailscale.com/net/bakedroots                                 from tailscale.com/net/tlsdial+
        tailscale.com/net/captivedetection                           from tailscale.com/ipn/ipnlocal+
        tailscale.com/net/connstats                                  from tailscale.com/net/tstun+
        tailscale.com/net/dns                                        from tailscale.com/cmd/tailscaled+
@@ -334,8 +338,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/syncs                                          from tailscale.com/cmd/tailscaled+
        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
        tailscale.com/taildrop                                       from tailscale.com/ipn/ipnlocal+
+        tailscale.com/tempfork/acme                                  from tailscale.com/ipn/ipnlocal
  LD    tailscale.com/tempfork/gliderlabs/ssh                        from tailscale.com/ssh/tailssh
        tailscale.com/tempfork/heap                                  from tailscale.com/wgengine/magicsock
+        tailscale.com/tempfork/httprec                               from tailscale.com/control/controlclient
        tailscale.com/tka                                            from tailscale.com/client/tailscale+
        tailscale.com/tsconst                                        from tailscale.com/net/netmon+
        tailscale.com/tsd                                            from tailscale.com/cmd/tailscaled+
@@ -406,7 +412,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
        tailscale.com/util/testenv                                   from tailscale.com/ipn/ipnlocal+
        tailscale.com/util/truncate                                  from tailscale.com/logtail
-        tailscale.com/util/uniq                                      from tailscale.com/ipn/ipnlocal+
        tailscale.com/util/usermetric                                from tailscale.com/health+
        tailscale.com/util/vizerror                                  from tailscale.com/tailcfg+
     💣 tailscale.com/util/winutil                                   from tailscale.com/clientupdate+
@@ -419,7 +424,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/version/distro                                 from tailscale.com/client/web+
   W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
        tailscale.com/wgengine                                       from tailscale.com/cmd/tailscaled+
-        tailscale.com/wgengine/capture                               from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
        tailscale.com/wgengine/filter/filtertype                     from tailscale.com/types/netmap+
     💣 tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
@@ -442,12 +446,15 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
        golang.org/x/crypto/curve25519                               from github.com/tailscale/golang-x-crypto/ssh+
        golang.org/x/crypto/hkdf                                     from crypto/tls+
+        golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
+        golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
        golang.org/x/crypto/sha3                                     from crypto/internal/mlkem768+
  LD    golang.org/x/crypto/ssh                                      from github.com/pkg/sftp+
+  LD    golang.org/x/crypto/ssh/internal/bcrypt_pbkdf                from golang.org/x/crypto/ssh
        golang.org/x/exp/constraints                                 from github.com/dblohm7/wingoes/pe+
        golang.org/x/exp/maps                                        from tailscale.com/ipn/store/mem+
        golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
@@ -459,13 +466,16 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/net/http2/hpack                                 from golang.org/x/net/http2+
        golang.org/x/net/icmp                                        from tailscale.com/net/ping+
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
+        golang.org/x/net/internal/iana                               from golang.org/x/net/icmp+
+        golang.org/x/net/internal/socket                             from golang.org/x/net/icmp+
+        golang.org/x/net/internal/socks                              from golang.org/x/net/proxy
        golang.org/x/net/ipv4                                        from github.com/miekg/dns+
        golang.org/x/net/ipv6                                        from github.com/miekg/dns+
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
   D    golang.org/x/net/route                                       from net+
        golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
        golang.org/x/sync/singleflight                               from github.com/jellydator/ttlcache/v3
-        golang.org/x/sys/cpu                                         from github.com/josharian/native+
+        golang.org/x/sys/cpu                                         from github.com/tailscale/certstore+
  LD    golang.org/x/sys/unix                                        from github.com/google/nftables+
   W    golang.org/x/sys/windows                                     from github.com/dblohm7/wingoes+
   W    golang.org/x/sys/windows/registry                            from github.com/dblohm7/wingoes+
@@ -498,6 +508,18 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        crypto/ed25519                                               from crypto/tls+
        crypto/elliptic                                              from crypto/ecdsa+
        crypto/hmac                                                  from crypto/tls+
+        crypto/internal/alias                                        from crypto/aes+
+        crypto/internal/bigmod                                       from crypto/ecdsa+
+        crypto/internal/boring                                       from crypto/aes+
+        crypto/internal/boring/bbig                                  from crypto/ecdsa+
+        crypto/internal/boring/sig                                   from crypto/internal/boring
+        crypto/internal/edwards25519                                 from crypto/ed25519
+        crypto/internal/edwards25519/field                           from crypto/ecdh+
+        crypto/internal/hpke                                         from crypto/tls
+        crypto/internal/mlkem768                                     from crypto/tls
+        crypto/internal/nistec                                       from crypto/ecdh+
+        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
+        crypto/internal/randutil                                     from crypto/dsa+
        crypto/md5                                                   from crypto/tls+
        crypto/rand                                                  from crypto/ed25519+
        crypto/rc4                                                   from crypto/tls+
@@ -508,6 +530,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        crypto/subtle                                                from crypto/aes+
        crypto/tls                                                   from github.com/aws/aws-sdk-go-v2/aws/transport/http+
        crypto/x509                                                  from crypto/tls+
+   D    crypto/x509/internal/macos                                   from crypto/x509
        crypto/x509/pkix                                             from crypto/x509+
  DW    database/sql/driver                                          from github.com/google/uuid
   W    debug/dwarf                                                  from debug/pe
@@ -525,7 +548,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        encoding/xml                                                 from github.com/aws/aws-sdk-go-v2/aws/protocol/xml+
        errors                                                       from archive/tar+
        expvar                                                       from tailscale.com/derp+
-        flag                                                         from net/http/httptest+
+        flag                                                         from tailscale.com/cmd/tailscaled+
        fmt                                                          from archive/tar+
        hash                                                         from compress/zlib+
        hash/adler32                                                 from compress/zlib+
@@ -533,6 +556,45 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        hash/maphash                                                 from go4.org/mem
        html                                                         from html/template+
        html/template                                                from github.com/gorilla/csrf
+        internal/abi                                                 from crypto/x509/internal/macos+
+        internal/asan                                                from syscall
+        internal/bisect                                              from internal/godebug
+        internal/bytealg                                             from bytes+
+        internal/byteorder                                           from crypto/aes+
+        internal/chacha8rand                                         from math/rand/v2+
+        internal/concurrent                                          from unique
+        internal/coverage/rtcov                                      from runtime
+        internal/cpu                                                 from crypto/aes+
+        internal/filepathlite                                        from os+
+        internal/fmtsort                                             from fmt+
+        internal/goarch                                              from crypto/aes+
+        internal/godebug                                             from archive/tar+
+        internal/godebugs                                            from internal/godebug+
+        internal/goexperiment                                        from runtime
+        internal/goos                                                from crypto/x509+
+        internal/itoa                                                from internal/poll+
+        internal/msan                                                from syscall
+        internal/nettrace                                            from net+
+        internal/oserror                                             from io/fs+
+        internal/poll                                                from net+
+        internal/profile                                             from net/http/pprof
+        internal/profilerecord                                       from runtime+
+        internal/race                                                from internal/poll+
+        internal/reflectlite                                         from context+
+        internal/runtime/atomic                                      from internal/runtime/exithook+
+        internal/runtime/exithook                                    from runtime
+   L    internal/runtime/syscall                                     from runtime+
+        internal/saferio                                             from debug/pe+
+        internal/singleflight                                        from net
+        internal/stringslite                                         from embed+
+        internal/syscall/execenv                                     from os+
+  LD    internal/syscall/unix                                        from crypto/rand+
+   W    internal/syscall/windows                                     from crypto/rand+
+   W    internal/syscall/windows/registry                            from mime+
+   W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
+        internal/testlog                                             from os
+        internal/unsafeheader                                        from internal/reflectlite+
+        internal/weak                                                from unique
        io                                                           from archive/tar+
        io/fs                                                        from archive/tar+
        io/ioutil                                                    from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
@@ -551,10 +613,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        mime/quotedprintable                                         from mime/multipart
        net                                                          from crypto/tls+
        net/http                                                     from expvar+
-        net/http/httptest                                            from tailscale.com/control/controlclient
        net/http/httptrace                                           from github.com/prometheus-community/pro-bing+
        net/http/httputil                                            from github.com/aws/smithy-go/transport/http+
        net/http/internal                                            from net/http+
+        net/http/internal/ascii                                      from net/http+
        net/http/pprof                                               from tailscale.com/cmd/tailscaled+
        net/netip                                                    from github.com/tailscale/wireguard-go/conn+
        net/textproto                                                from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
@@ -568,7 +630,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        reflect                                                      from archive/tar+
        regexp                                                       from github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn+
        regexp/syntax                                                from regexp
+        runtime                                                      from archive/tar+
        runtime/debug                                                from github.com/aws/aws-sdk-go-v2/internal/sync/singleflight+
+        runtime/internal/math                                        from runtime
+        runtime/internal/sys                                         from runtime
        runtime/pprof                                                from net/http/pprof+
        runtime/trace                                                from net/http/pprof
        slices                                                       from tailscale.com/appc+
@@ -586,3 +651,4 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        unicode/utf16                                                from crypto/x509+
        unicode/utf8                                                 from bufio+
        unique                                                       from net/netip
+        unsafe                                                       from bytes+
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -35,6 +35,7 @@ import (
 	"tailscale.com/control/controlclient"
 	"tailscale.com/drive/driveimpl"
 	"tailscale.com/envknob"
+	_ "tailscale.com/feature/condregister"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/conffile"
--- a/cmd/tailscaled/tailscaled_test.go
+++ b/cmd/tailscaled/tailscaled_test.go
@@ -22,6 +22,8 @@ func TestDeps(t *testing.T) {
 		BadDeps: map[string]string{
 			"testing":                        "do not use testing package in production code",
 			"gvisor.dev/gvisor/pkg/hostarch": "will crash on non-4K page sizes; see https://github.com/tailscale/tailscale/issues/8658",
+			"net/http/httptest":              "do not use httptest in production code",
+			"net/http/internal/testcert":     "do not use httptest in production code",
 		},
 	}.Check(t)

@@ -29,8 +31,10 @@ func TestDeps(t *testing.T) {
 		GOOS:   "linux",
 		GOARCH: "arm64",
 		BadDeps: map[string]string{
-			"testing":                        "do not use testing package in production code",
-			"gvisor.dev/gvisor/pkg/hostarch": "will crash on non-4K page sizes; see https://github.com/tailscale/tailscale/issues/8658",
+			"testing":                                        "do not use testing package in production code",
+			"gvisor.dev/gvisor/pkg/hostarch":                 "will crash on non-4K page sizes; see https://github.com/tailscale/tailscale/issues/8658",
+			"google.golang.org/protobuf/proto":               "unexpected",
+			"github.com/prometheus/client_golang/prometheus": "use tailscale.com/metrics in tailscaled",
 		},
 	}.Check(t)
 }
--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@@ -55,6 +55,7 @@ import (
 	"tailscale.com/util/osdiag"
 	"tailscale.com/util/syspolicy"
 	"tailscale.com/util/winutil"
+	"tailscale.com/util/winutil/gp"
 	"tailscale.com/version"
 	"tailscale.com/wf"
 )
@@ -70,6 +71,22 @@ func init() {
 	}
 }

+// permitPolicyLocks is a function to be called to lift the restriction on acquiring
+// [gp.PolicyLock]s once the service is running.
+// It is safe to be called multiple times.
+var permitPolicyLocks = func() {}
+
+func init() {
+	if isWindowsService() {
+		// We prevent [gp.PolicyLock]s from being acquired until the service enters the running state.
+		// Otherwise, if tailscaled starts due to a GPSI policy installing Tailscale, it may deadlock
+		// while waiting for the write counterpart of the GP lock to be released by Group Policy,
+		// which is itself waiting for the installation to complete and tailscaled to start.
+		// See tailscale/tailscale#14416 for more information.
+		permitPolicyLocks = gp.RestrictPolicyLocks()
+	}
+}
+
 const serviceName = "Tailscale"

 // Application-defined command codes between 128 and 255
@@ -109,13 +126,13 @@ func tstunNewWithWindowsRetries(logf logger.Logf, tunName string) (_ tun.Device,
 	}
 }

-func isWindowsService() bool {
+var isWindowsService = sync.OnceValue(func() bool {
 	v, err := svc.IsWindowsService()
 	if err != nil {
 		log.Fatalf("svc.IsWindowsService failed: %v", err)
 	}
 	return v
-}
+})

 // syslogf is a logger function that writes to the Windows event log (ie, the
 // one that you see in the Windows Event Viewer). tailscaled may optionally
@@ -180,6 +197,10 @@ func (service *ipnService) Execute(args []string, r <-chan svc.ChangeRequest, ch
 	changes <- svc.Status{State: svc.Running, Accepts: svcAccepts}
 	syslogf("Service running")

+	// It is safe to allow GP locks to be acquired now that the service
+	// is running.
+	permitPolicyLocks()
+
 	for {
 		select {
 		case <-doneCh:
--- a/cmd/tsconnect/wasm/wasm_js.go
+++ b/cmd/tsconnect/wasm/wasm_js.go
@@ -282,7 +282,7 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
 							MachineKey: p.Machine().String(),
 							NodeKey:    p.Key().String(),
 						},
-						Online:              p.Online(),
+						Online:              p.Online().Clone(),
 						TailscaleSSHEnabled: p.Hostinfo().TailscaleSSHEnabled(),
 					}
 				}),
--- a/cmd/tsconnect/yarn.lock
+++ b/cmd/tsconnect/yarn.lock
@@ -90,11 +90,11 @@ binary-extensions@^2.0.0:
  integrity sha512-jDctJ/IVQbZoJykoeHbhXpOlNBqGNcwXJKJog42E5HDPUwQTSdjCHdihjj0DlnheQ7blbT6dHOafNAiS8ooQKA==

 braces@^3.0.2, braces@~3.0.2:
-  version "3.0.2"
-  resolved "https://registry.yarnpkg.com/braces/-/braces-3.0.2.tgz#3454e1a462ee8d599e236df336cd9ea4f8afe107"
-  integrity sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==
+  version "3.0.3"
+  resolved "https://registry.yarnpkg.com/braces/-/braces-3.0.3.tgz#490332f40919452272d55a8480adc0c441358789"
+  integrity sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==
  dependencies:
-    fill-range "^7.0.1"
+    fill-range "^7.1.1"

 camelcase-css@^2.0.1:
  version "2.0.1"
@@ -231,10 +231,10 @@ fastq@^1.6.0:
  dependencies:
    reusify "^1.0.4"

-fill-range@^7.0.1:
-  version "7.0.1"
-  resolved "https://registry.yarnpkg.com/fill-range/-/fill-range-7.0.1.tgz#1919a6a7c75fe38b2c7c77e5198535da9acdda40"
-  integrity sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==
+fill-range@^7.1.1:
+  version "7.1.1"
+  resolved "https://registry.yarnpkg.com/fill-range/-/fill-range-7.1.1.tgz#44265d3cac07e3ea7dc247516380643754a05292"
+  integrity sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==
  dependencies:
    to-regex-range "^5.0.1"

@@ -349,9 +349,9 @@ minimist@^1.2.6:
  integrity sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==

 nanoid@^3.3.4:
-  version "3.3.4"
-  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.4.tgz#730b67e3cd09e2deacf03c027c81c9d9dbc5e8ab"
-  integrity sha512-MqBkQh/OHTS2egovRtLk45wEyNXwF+cokD+1YPf9u5VfJiRdAiRwB2froX5Co9Rh20xs4siNPm8naNotSD6RBw==
+  version "3.3.8"
+  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.8.tgz#b1be3030bee36aaff18bacb375e5cce521684baf"
+  integrity sha512-WNLf5Sd8oZxOm+TzppcYk8gVOgP+l58xNy58D0nbUnOxOWRWvlcCV4kUF7ltmI6PsrLl/BgKEyS4mqsGChFN0w==

 normalize-path@^3.0.0, normalize-path@~3.0.0:
  version "3.0.0"
--- a/cmd/viewer/tests/tests.go
+++ b/cmd/viewer/tests/tests.go
@@ -37,9 +37,14 @@ type Map struct {
 	StructWithPtrKey map[StructWithPtrs]int `json:"-"`
 }

+type StructWithNoView struct {
+	Value int
+}
+
 type StructWithPtrs struct {
-	Value *StructWithoutPtrs
-	Int   *int
+	Value  *StructWithoutPtrs
+	Int    *int
+	NoView *StructWithNoView

 	NoCloneValue *StructWithoutPtrs `codegen:"noclone"`
 }
@@ -135,7 +140,7 @@ func (c *Container[T]) Clone() *Container[T] {
 	panic(fmt.Errorf("%T contains pointers, but is not cloneable", c.Item))
 }

-// ContainerView is a pre-defined readonly view of a Container[T].
+// ContainerView is a pre-defined read-only view of a Container[T].
 type ContainerView[T views.ViewCloner[T, V], V views.StructView[T]] struct {
 	// ж is the underlying mutable value, named with a hard-to-type
 	// character that looks pointy like a pointer.
@@ -173,7 +178,7 @@ func (c *MapContainer[K, V]) Clone() *MapContainer[K, V] {
 	return &MapContainer[K, V]{m}
 }

-// MapContainerView is a pre-defined readonly view of a [MapContainer][K, T].
+// MapContainerView is a pre-defined read-only view of a [MapContainer][K, T].
 type MapContainerView[K comparable, T views.ViewCloner[T, V], V views.StructView[T]] struct {
 	// ж is the underlying mutable value, named with a hard-to-type
 	// character that looks pointy like a pointer.
--- a/cmd/viewer/tests/tests_clone.go
+++ b/cmd/viewer/tests/tests_clone.go
@@ -28,6 +28,9 @@ func (src *StructWithPtrs) Clone() *StructWithPtrs {
 	if dst.Int != nil {
 		dst.Int = ptr.To(*src.Int)
 	}
+	if dst.NoView != nil {
+		dst.NoView = ptr.To(*src.NoView)
+	}
 	return dst
 }

@@ -35,6 +38,7 @@ func (src *StructWithPtrs) Clone() *StructWithPtrs {
 var _StructWithPtrsCloneNeedsRegeneration = StructWithPtrs(struct {
 	Value        *StructWithoutPtrs
 	Int          *int
+	NoView       *StructWithNoView
 	NoCloneValue *StructWithoutPtrs
 }{})

--- a/cmd/viewer/tests/tests_view.go
+++ b/cmd/viewer/tests/tests_view.go
@@ -16,7 +16,7 @@ import (

 //go:generate go run tailscale.com/cmd/cloner  -clonefunc=false -type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices,OnlyGetClone,StructWithEmbedded,GenericIntStruct,GenericNoPtrsStruct,GenericCloneableStruct,StructWithContainers,StructWithTypeAliasFields,GenericTypeAliasStruct

-// View returns a readonly view of StructWithPtrs.
+// View returns a read-only view of StructWithPtrs.
 func (p *StructWithPtrs) View() StructWithPtrsView {
 	return StructWithPtrsView{ж: p}
 }
@@ -32,7 +32,7 @@ type StructWithPtrsView struct {
 	ж *StructWithPtrs
 }

-// Valid reports whether underlying value is non-nil.
+// Valid reports whether v's underlying value is non-nil.
 func (v StructWithPtrsView) Valid() bool { return v.ж != nil }

 // AsStruct returns a clone of the underlying value which aliases no memory with
@@ -61,20 +61,11 @@ func (v *StructWithPtrsView) UnmarshalJSON(b []byte) error {
 	return nil
 }

-func (v StructWithPtrsView) Value() *StructWithoutPtrs {
-	if v.ж.Value == nil {
-		return nil
-	}
-	x := *v.ж.Value
-	return &x
-}
+func (v StructWithPtrsView) Value() StructWithoutPtrsView { return v.ж.Value.View() }
+func (v StructWithPtrsView) Int() views.ValuePointer[int] { return views.ValuePointerOf(v.ж.Int) }

-func (v StructWithPtrsView) Int() *int {
-	if v.ж.Int == nil {
-		return nil
-	}
-	x := *v.ж.Int
-	return &x
+func (v StructWithPtrsView) NoView() views.ValuePointer[StructWithNoView] {
+	return views.ValuePointerOf(v.ж.NoView)
 }

 func (v StructWithPtrsView) NoCloneValue() *StructWithoutPtrs { return v.ж.NoCloneValue }
@@ -85,10 +76,11 @@ func (v StructWithPtrsView) Equal(v2 StructWithPtrsView) bool { return v.ж.Equa
 var _StructWithPtrsViewNeedsRegeneration = StructWithPtrs(struct {
 	Value        *StructWithoutPtrs
 	Int          *int
+	NoView       *StructWithNoView
 	NoCloneValue *StructWithoutPtrs
 }{})

-// View returns a readonly view of StructWithoutPtrs.
+// View returns a read-only view of StructWithoutPtrs.
 func (p *StructWithoutPtrs) View() StructWithoutPtrsView {
 	return StructWithoutPtrsView{ж: p}
 }
@@ -104,7 +96,7 @@ type StructWithoutPtrsView struct {
 	ж *StructWithoutPtrs
 }

-// Valid reports whether underlying value is non-nil.
+// Valid reports whether v's underlying value is non-nil.
 func (v StructWithoutPtrsView) Valid() bool { return v.ж != nil }

 // AsStruct returns a clone of the underlying value which aliases no memory with
@@ -142,7 +134,7 @@ var _StructWithoutPtrsViewNeedsRegeneration = StructWithoutPtrs(struct {
 	Pfx netip.Prefix
 }{})

-// View returns a readonly view of Map.
+// View returns a read-only view of Map.
 func (p *Map) View() MapView {
 	return MapView{ж: p}
 }
@@ -158,7 +150,7 @@ type MapView struct {
 	ж *Map
 }

-// Valid reports whether underlying value is non-nil.
+// Valid reports whether v's underlying value is non-nil.
 func (v MapView) Valid() bool { return v.ж != nil }

 // AsStruct returns a clone of the underlying value which aliases no memory with
@@ -248,7 +240,7 @@ var _MapViewNeedsRegeneration = Map(struct {
 	StructWithPtrKey    map[StructWithPtrs]int
 }{})

-// View returns a readonly view of StructWithSlices.
+// View returns a read-only view of StructWithSlices.
 func (p *StructWithSlices) View() StructWithSlicesView {
 	return StructWithSlicesView{ж: p}
 }
@@ -264,7 +256,7 @@ type StructWithSlicesView struct {
 	ж *StructWithSlices
 }

-// Valid reports whether underlying value is non-nil.
+// Valid reports whether v's underlying value is non-nil.
 func (v StructWithSlicesView) Valid() bool { return v.ж != nil }

 // AsStruct returns a clone of the underlying value which aliases no memory with
@@ -322,7 +314,7 @@ var _StructWithSlicesViewNeedsRegeneration = StructWithSlices(struct {
 	Ints           []*int
 }{})

-// View returns a readonly view of StructWithEmbedded.
+// View returns a read-only view of StructWithEmbedded.
 func (p *StructWithEmbedded) View() StructWithEmbeddedView {
 	return StructWithEmbeddedView{ж: p}
 }
@@ -338,7 +330,7 @@ type StructWithEmbeddedView struct {
 	ж *StructWithEmbedded
 }

-// Valid reports whether underlying value is non-nil.
+// Valid reports whether v's underlying value is non-nil.
 func (v StructWithEmbeddedView) Valid() bool { return v.ж != nil }

 // AsStruct returns a clone of the underlying value which aliases no memory with
@@ -378,7 +370,7 @@ var _StructWithEmbeddedViewNeedsRegeneration = StructWithEmbedded(struct {
 	StructWithSlices
 }{})

-// View returns a readonly view of GenericIntStruct.
+// View returns a read-only view of GenericIntStruct.
 func (p *GenericIntStruct[T]) View() GenericIntStructView[T] {
 	return GenericIntStructView[T]{ж: p}
 }
@@ -394,7 +386,7 @@ type GenericIntStructView[T constraints.Integer] struct {
 	ж *GenericIntStruct[T]
 }

-// Valid reports whether underlying value is non-nil.
+// Valid reports whether v's underlying value is non-nil.
 func (v GenericIntStructView[T]) Valid() bool { return v.ж != nil }

 // AsStruct returns a clone of the underlying value which aliases no memory with
@@ -424,12 +416,8 @@ func (v *GenericIntStructView[T]) UnmarshalJSON(b []byte) error {
 }

 func (v GenericIntStructView[T]) Value() T { return v.ж.Value }
-func (v GenericIntStructView[T]) Pointer() *T {
-	if v.ж.Pointer == nil {
-		return nil
-	}
-	x := *v.ж.Pointer
-	return &x
+func (v GenericIntStructView[T]) Pointer() views.ValuePointer[T] {
+	return views.ValuePointerOf(v.ж.Pointer)
 }

 func (v GenericIntStructView[T]) Slice() views.Slice[T] { return views.SliceOf(v.ж.Slice) }
@@ -454,7 +442,7 @@ func _GenericIntStructViewNeedsRegeneration[T constraints.Integer](GenericIntStr
 	}{})
 }

-// View returns a readonly view of GenericNoPtrsStruct.
+// View returns a read-only view of GenericNoPtrsStruct.
 func (p *GenericNoPtrsStruct[T]) View() GenericNoPtrsStructView[T] {
 	return GenericNoPtrsStructView[T]{ж: p}
 }
@@ -470,7 +458,7 @@ type GenericNoPtrsStructView[T StructWithoutPtrs | netip.Prefix | BasicType] str
 	ж *GenericNoPtrsStruct[T]
 }

-// Valid reports whether underlying value is non-nil.
+// Valid reports whether v's underlying value is non-nil.
 func (v GenericNoPtrsStructView[T]) Valid() bool { return v.ж != nil }

 // AsStruct returns a clone of the underlying value which aliases no memory with
@@ -500,12 +488,8 @@ func (v *GenericNoPtrsStructView[T]) UnmarshalJSON(b []byte) error {
 }

 func (v GenericNoPtrsStructView[T]) Value() T { return v.ж.Value }
-func (v GenericNoPtrsStructView[T]) Pointer() *T {
-	if v.ж.Pointer == nil {
-		return nil
-	}
-	x := *v.ж.Pointer
-	return &x
+func (v GenericNoPtrsStructView[T]) Pointer() views.ValuePointer[T] {
+	return views.ValuePointerOf(v.ж.Pointer)
 }

 func (v GenericNoPtrsStructView[T]) Slice() views.Slice[T] { return views.SliceOf(v.ж.Slice) }
@@ -530,7 +514,7 @@ func _GenericNoPtrsStructViewNeedsRegeneration[T StructWithoutPtrs | netip.Prefi
 	}{})
 }

-// View returns a readonly view of GenericCloneableStruct.
+// View returns a read-only view of GenericCloneableStruct.
 func (p *GenericCloneableStruct[T, V]) View() GenericCloneableStructView[T, V] {
 	return GenericCloneableStructView[T, V]{ж: p}
 }
@@ -546,7 +530,7 @@ type GenericCloneableStructView[T views.ViewCloner[T, V], V views.StructView[T]]
 	ж *GenericCloneableStruct[T, V]
 }

-// Valid reports whether underlying value is non-nil.
+// Valid reports whether v's underlying value is non-nil.
 func (v GenericCloneableStructView[T, V]) Valid() bool { return v.ж != nil }

 // AsStruct returns a clone of the underlying value which aliases no memory with
@@ -605,7 +589,7 @@ func _GenericCloneableStructViewNeedsRegeneration[T views.ViewCloner[T, V], V vi
 	}{})
 }

-// View returns a readonly view of StructWithContainers.
+// View returns a read-only view of StructWithContainers.
 func (p *StructWithContainers) View() StructWithContainersView {
 	return StructWithContainersView{ж: p}
 }
@@ -621,7 +605,7 @@ type StructWithContainersView struct {
 	ж *StructWithContainers
 }

-// Valid reports whether underlying value is non-nil.
+// Valid reports whether v's underlying value is non-nil.
 func (v StructWithContainersView) Valid() bool { return v.ж != nil }

 // AsStruct returns a clone of the underlying value which aliases no memory with
@@ -677,7 +661,7 @@ var _StructWithContainersViewNeedsRegeneration = StructWithContainers(struct {
 	CloneableGenericMap       MapContainer[int, *GenericNoPtrsStruct[int]]
 }{})

-// View returns a readonly view of StructWithTypeAliasFields.
+// View returns a read-only view of StructWithTypeAliasFields.
 func (p *StructWithTypeAliasFields) View() StructWithTypeAliasFieldsView {
 	return StructWithTypeAliasFieldsView{ж: p}
 }
@@ -693,7 +677,7 @@ type StructWithTypeAliasFieldsView struct {
 	ж *StructWithTypeAliasFields
 }

-// Valid reports whether underlying value is non-nil.
+// Valid reports whether v's underlying value is non-nil.
 func (v StructWithTypeAliasFieldsView) Valid() bool { return v.ж != nil }

 // AsStruct returns a clone of the underlying value which aliases no memory with
@@ -722,19 +706,14 @@ func (v *StructWithTypeAliasFieldsView) UnmarshalJSON(b []byte) error {
 	return nil
 }

-func (v StructWithTypeAliasFieldsView) WithPtr() StructWithPtrsView        { return v.ж.WithPtr.View() }
+func (v StructWithTypeAliasFieldsView) WithPtr() StructWithPtrsAliasView   { return v.ж.WithPtr.View() }
 func (v StructWithTypeAliasFieldsView) WithoutPtr() StructWithoutPtrsAlias { return v.ж.WithoutPtr }
 func (v StructWithTypeAliasFieldsView) WithPtrByPtr() StructWithPtrsAliasView {
 	return v.ж.WithPtrByPtr.View()
 }
-func (v StructWithTypeAliasFieldsView) WithoutPtrByPtr() *StructWithoutPtrsAlias {
-	if v.ж.WithoutPtrByPtr == nil {
-		return nil
-	}
-	x := *v.ж.WithoutPtrByPtr
-	return &x
+func (v StructWithTypeAliasFieldsView) WithoutPtrByPtr() StructWithoutPtrsAliasView {
+	return v.ж.WithoutPtrByPtr.View()
 }
-
 func (v StructWithTypeAliasFieldsView) SliceWithPtrs() views.SliceView[*StructWithPtrsAlias, StructWithPtrsAliasView] {
 	return views.SliceOfViews[*StructWithPtrsAlias, StructWithPtrsAliasView](v.ж.SliceWithPtrs)
 }
@@ -780,7 +759,7 @@ var _StructWithTypeAliasFieldsViewNeedsRegeneration = StructWithTypeAliasFields(
 	MapOfSlicesWithoutPtrs map[string][]*StructWithoutPtrsAlias
 }{})

-// View returns a readonly view of GenericTypeAliasStruct.
+// View returns a read-only view of GenericTypeAliasStruct.
 func (p *GenericTypeAliasStruct[T, T2, V2]) View() GenericTypeAliasStructView[T, T2, V2] {
 	return GenericTypeAliasStructView[T, T2, V2]{ж: p}
 }
@@ -796,7 +775,7 @@ type GenericTypeAliasStructView[T integer, T2 views.ViewCloner[T2, V2], V2 views
 	ж *GenericTypeAliasStruct[T, T2, V2]
 }

-// Valid reports whether underlying value is non-nil.
+// Valid reports whether v's underlying value is non-nil.
 func (v GenericTypeAliasStructView[T, T2, V2]) Valid() bool { return v.ж != nil }

 // AsStruct returns a clone of the underlying value which aliases no memory with
--- a/cmd/viewer/viewer.go
+++ b/cmd/viewer/viewer.go
@@ -21,7 +21,7 @@ import (
 )

 const viewTemplateStr = `{{define "common"}}
-// View returns a readonly view of {{.StructName}}.
+// View returns a read-only view of {{.StructName}}.
 func (p *{{.StructName}}{{.TypeParamNames}}) View() {{.ViewName}}{{.TypeParamNames}} {
 	return {{.ViewName}}{{.TypeParamNames}}{ж: p}
 }
@@ -37,7 +37,7 @@ type {{.ViewName}}{{.TypeParams}} struct {
 	ж *{{.StructName}}{{.TypeParamNames}}
 }

-// Valid reports whether underlying value is non-nil.
+// Valid reports whether v's underlying value is non-nil.
 func (v {{.ViewName}}{{.TypeParamNames}}) Valid() bool { return v.ж != nil }

 // AsStruct returns a clone of the underlying value which aliases no memory with
@@ -79,13 +79,7 @@ func (v *{{.ViewName}}{{.TypeParamNames}}) UnmarshalJSON(b []byte) error {
 {{end}}
 {{define "makeViewField"}}func (v {{.ViewName}}{{.TypeParamNames}}) {{.FieldName}}() {{.FieldViewName}} { return {{.MakeViewFnName}}(&v.ж.{{.FieldName}}) }
 {{end}}
-{{define "valuePointerField"}}func (v {{.ViewName}}{{.TypeParamNames}}) {{.FieldName}}() {{.FieldType}} {
-	if v.ж.{{.FieldName}} == nil {
-		return nil
-	}
-	x := *v.ж.{{.FieldName}}
-	return &x
-}
+{{define "valuePointerField"}}func (v {{.ViewName}}{{.TypeParamNames}}) {{.FieldName}}() views.ValuePointer[{{.FieldType}}] { return views.ValuePointerOf(v.ж.{{.FieldName}}) }

 {{end}}
 {{define "mapField"}}
@@ -126,7 +120,7 @@ func requiresCloning(t types.Type) (shallow, deep bool, base types.Type) {
 	return p, p, t
 }

-func genView(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named, thisPkg *types.Package) {
+func genView(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named, _ *types.Package) {
 	t, ok := typ.Underlying().(*types.Struct)
 	if !ok || codegen.IsViewType(t) {
 		return
@@ -149,7 +143,7 @@ func genView(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named, thi
 		MapValueView string
 		MapFn        string

-		// MakeViewFnName is the name of the function that accepts a value and returns a readonly view of it.
+		// MakeViewFnName is the name of the function that accepts a value and returns a read-only view of it.
 		MakeViewFnName string
 	}{
 		StructName: typ.Obj().Name(),
@@ -354,10 +348,32 @@ func genView(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named, thi
 				} else {
 					writeTemplate("unsupportedField")
 				}
-			} else {
-				args.FieldType = it.QualifiedName(ptr)
-				writeTemplate("valuePointerField")
+				continue
 			}
+
+			// If a view type is already defined for the base type, use it as the field's view type.
+			if viewType := viewTypeForValueType(base); viewType != nil {
+				args.FieldType = it.QualifiedName(base)
+				args.FieldViewName = it.QualifiedName(viewType)
+				writeTemplate("viewField")
+				continue
+			}
+
+			// Otherwise, if the unaliased base type is a named type whose view type will be generated by this viewer invocation,
+			// append the "View" suffix to the unaliased base type name and use it as the field's view type.
+			if base, ok := types.Unalias(base).(*types.Named); ok && slices.Contains(typeNames, it.QualifiedName(base)) {
+				baseTypeName := it.QualifiedName(base)
+				args.FieldType = baseTypeName
+				args.FieldViewName = appendNameSuffix(args.FieldType, "View")
+				writeTemplate("viewField")
+				continue
+			}
+
+			// Otherwise, if the base type does not require deep cloning, has no existing view type,
+			// and will not have a generated view type, use views.ValuePointer[T] as the field's view type.
+			// Its Get/GetOk methods return stack-allocated shallow copies of the field's value.
+			args.FieldType = it.QualifiedName(base)
+			writeTemplate("valuePointerField")
 			continue
 		case *types.Interface:
 			// If fieldType is an interface with a "View() {ViewType}" method, it can be used to clone the field.
@@ -405,6 +421,33 @@ func appendNameSuffix(name, suffix string) string {
 	return name + suffix
 }

+func typeNameOf(typ types.Type) (name *types.TypeName, ok bool) {
+	switch t := typ.(type) {
+	case *types.Alias:
+		return t.Obj(), true
+	case *types.Named:
+		return t.Obj(), true
+	default:
+		return nil, false
+	}
+}
+
+func lookupViewType(typ types.Type) types.Type {
+	for {
+		if typeName, ok := typeNameOf(typ); ok && typeName.Pkg() != nil {
+			if viewTypeObj := typeName.Pkg().Scope().Lookup(typeName.Name() + "View"); viewTypeObj != nil {
+				return viewTypeObj.Type()
+			}
+		}
+		switch alias := typ.(type) {
+		case *types.Alias:
+			typ = alias.Rhs()
+		default:
+			return nil
+		}
+	}
+}
+
 func viewTypeForValueType(typ types.Type) types.Type {
 	if ptr, ok := typ.(*types.Pointer); ok {
 		return viewTypeForValueType(ptr.Elem())
@@ -417,7 +460,12 @@ func viewTypeForValueType(typ types.Type) types.Type {
 	if !ok || sig.Results().Len() != 1 {
 		return nil
 	}
-	return sig.Results().At(0).Type()
+	viewType := sig.Results().At(0).Type()
+	// Check if the typ's package defines an alias for the view type, and use it if so.
+	if viewTypeAlias, ok := lookupViewType(typ).(*types.Alias); ok && types.AssignableTo(viewType, viewTypeAlias) {
+		viewType = viewTypeAlias
+	}
+	return viewType
 }

 func viewTypeForContainerType(typ types.Type) (*types.Named, *types.Func) {
--- a/control/controlbase/conn_test.go
+++ b/control/controlbase/conn_test.go
@@ -280,7 +280,7 @@ func TestConnMemoryOverhead(t *testing.T) {
 	growthTotal := int64(ms.HeapAlloc) - int64(ms0.HeapAlloc)
 	growthEach := float64(growthTotal) / float64(num)
 	t.Logf("Alloced %v bytes, %.2f B/each", growthTotal, growthEach)
-	const max = 2000
+	const max = 2048
 	if growthEach > max {
 		t.Errorf("allocated more than expected; want max %v bytes/each", max)
 	}
--- a/control/controlclient/auto.go
+++ b/control/controlclient/auto.go
@@ -21,6 +21,7 @@ import (
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/structs"
+	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/execqueue"
 )

@@ -131,6 +132,8 @@ type Auto struct {
 	// the server.
 	lastUpdateGen updateGen

+	lastStatus atomic.Pointer[Status]
+
 	paused         bool        // whether we should stop making HTTP requests
 	unpauseWaiters []chan bool // chans that gets sent true (once) on wake, or false on Shutdown
 	loggedIn       bool        // true if currently logged in
@@ -596,21 +599,85 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 		// not logged in.
 		nm = nil
 	}
-	new := Status{
+	newSt := &Status{
 		URL:     url,
 		Persist: p,
 		NetMap:  nm,
 		Err:     err,
 		state:   state,
 	}
+	c.lastStatus.Store(newSt)

 	// Launch a new goroutine to avoid blocking the caller while the observer
 	// does its thing, which may result in a call back into the client.
+	metricQueued.Add(1)
 	c.observerQueue.Add(func() {
-		c.observer.SetControlClientStatus(c, new)
+		if canSkipStatus(newSt, c.lastStatus.Load()) {
+			metricSkippable.Add(1)
+			if !c.direct.controlKnobs.DisableSkipStatusQueue.Load() {
+				metricSkipped.Add(1)
+				return
+			}
+		}
+		c.observer.SetControlClientStatus(c, *newSt)
+		// Best effort stop retaining the memory now that
+		// we've sent it to the observer (LocalBackend).
+		// We CAS here because the caller goroutine is
+		// doing a Store which we want to want to win
+		// a race. This is only a memory optimization
+		// and is for correctness:
+		c.lastStatus.CompareAndSwap(newSt, nil)
 	})
 }

+var (
+	metricQueued    = clientmetric.NewCounter("controlclient_auto_status_queued")
+	metricSkippable = clientmetric.NewCounter("controlclient_auto_status_queue_skippable")
+	metricSkipped   = clientmetric.NewCounter("controlclient_auto_status_queue_skipped")
+)
+
+// canSkipStatus reports whether we can skip sending s1, knowing
+// that s2 is enqueued sometime in the future after s1.
+//
+// s1 must be non-nil. s2 may be nil.
+func canSkipStatus(s1, s2 *Status) bool {
+	if s2 == nil {
+		// Nothing in the future.
+		return false
+	}
+	if s1 == s2 {
+		// If the last item in the queue is the same as s1,
+		// we can't skip it.
+		return false
+	}
+	if s1.Err != nil || s1.URL != "" {
+		// If s1 has an error or a URL, we shouldn't skip it, lest the error go
+		// away in s2 or in-between. We want to make sure all the subsystems see
+		// it. Plus there aren't many of these, so not worth skipping.
+		return false
+	}
+	if !s1.Persist.Equals(s2.Persist) || s1.state != s2.state {
+		// If s1 has a different Persist or state than s2,
+		// don't skip it. We only care about skipping the typical
+		// entries where the only difference is the NetMap.
+		return false
+	}
+	// If nothing above precludes it, and both s1 and s2 have NetMaps, then
+	// we can skip it, because s2's NetMap is a newer version and we can
+	// jump straight from whatever state we had before to s2's state,
+	// without passing through s1's state first. A NetMap is regrettably a
+	// full snapshot of the state, not an incremental delta. We're slowly
+	// moving towards passing around only deltas around internally at all
+	// layers, but this is explicitly the case where we didn't have a delta
+	// path for the message we received over the wire and had to resort
+	// to the legacy full NetMap path. And then we can get behind processing
+	// these full NetMap snapshots in LocalBackend/wgengine/magicsock/netstack
+	// and this path (when it returns true) lets us skip over useless work
+	// and not get behind in the queue. This matters in particular for tailnets
+	// that are both very large + very churny.
+	return s1.NetMap != nil && s2.NetMap != nil
+}
+
 func (c *Auto) Login(flags LoginFlags) {
 	c.logf("client.Login(%v)", flags)

--- a/control/controlclient/controlclient_test.go
+++ b/control/controlclient/controlclient_test.go
@@ -4,8 +4,13 @@
 package controlclient

 import (
+	"io"
 	"reflect"
+	"slices"
 	"testing"
+
+	"tailscale.com/types/netmap"
+	"tailscale.com/types/persist"
 )

 func fieldsOf(t reflect.Type) (fields []string) {
@@ -62,3 +67,83 @@ func TestStatusEqual(t *testing.T) {
 		}
 	}
 }
+
+// tests [canSkipStatus].
+func TestCanSkipStatus(t *testing.T) {
+	st := new(Status)
+	nm1 := &netmap.NetworkMap{}
+	nm2 := &netmap.NetworkMap{}
+
+	tests := []struct {
+		name   string
+		s1, s2 *Status
+		want   bool
+	}{
+		{
+			name: "nil-s2",
+			s1:   st,
+			s2:   nil,
+			want: false,
+		},
+		{
+			name: "equal",
+			s1:   st,
+			s2:   st,
+			want: false,
+		},
+		{
+			name: "s1-error",
+			s1:   &Status{Err: io.EOF, NetMap: nm1},
+			s2:   &Status{NetMap: nm2},
+			want: false,
+		},
+		{
+			name: "s1-url",
+			s1:   &Status{URL: "foo", NetMap: nm1},
+			s2:   &Status{NetMap: nm2},
+			want: false,
+		},
+		{
+			name: "s1-persist-diff",
+			s1:   &Status{Persist: new(persist.Persist).View(), NetMap: nm1},
+			s2:   &Status{NetMap: nm2},
+			want: false,
+		},
+		{
+			name: "s1-state-diff",
+			s1:   &Status{state: 123, NetMap: nm1},
+			s2:   &Status{NetMap: nm2},
+			want: false,
+		},
+		{
+			name: "s1-no-netmap1",
+			s1:   &Status{NetMap: nil},
+			s2:   &Status{NetMap: nm2},
+			want: false,
+		},
+		{
+			name: "s1-no-netmap2",
+			s1:   &Status{NetMap: nm1},
+			s2:   &Status{NetMap: nil},
+			want: false,
+		},
+		{
+			name: "skip",
+			s1:   &Status{NetMap: nm1},
+			s2:   &Status{NetMap: nm2},
+			want: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := canSkipStatus(tt.s1, tt.s2); got != tt.want {
+				t.Errorf("canSkipStatus = %v, want %v", got, tt.want)
+			}
+		})
+	}
+
+	want := []string{"Err", "URL", "NetMap", "Persist", "state"}
+	if f := fieldsOf(reflect.TypeFor[Status]()); !slices.Equal(f, want) {
+		t.Errorf("Status fields = %q; this code was only written to handle fields %q", f, want)
+	}
+}
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -15,7 +15,6 @@ import (
 	"log"
 	"net"
 	"net/http"
-	"net/http/httptest"
 	"net/netip"
 	"net/url"
 	"os"
@@ -42,6 +41,7 @@ import (
 	"tailscale.com/net/tsdial"
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/tailcfg"
+	"tailscale.com/tempfork/httprec"
 	"tailscale.com/tka"
 	"tailscale.com/tstime"
 	"tailscale.com/types/key"
@@ -650,7 +650,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 			c.logf("RegisterReq sign error: %v", err)
 		}
 	}
-	if debugRegister() {
+	if DevKnob.DumpRegister() {
 		j, _ := json.MarshalIndent(request, "", "\t")
 		c.logf("RegisterRequest: %s", j)
 	}
@@ -691,7 +691,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		c.logf("error decoding RegisterResponse with server key %s and machine key %s: %v", serverKey, machinePrivKey.Public(), err)
 		return regen, opt.URL, nil, fmt.Errorf("register request: %v", err)
 	}
-	if debugRegister() {
+	if DevKnob.DumpRegister() {
 		j, _ := json.MarshalIndent(resp, "", "\t")
 		c.logf("RegisterResponse: %s", j)
 	}
@@ -877,7 +877,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap
 	c.logf("[v1] PollNetMap: stream=%v ep=%v", isStreaming, epStrs)

 	vlogf := logger.Discard
-	if DevKnob.DumpNetMaps() {
+	if DevKnob.DumpNetMapsVerbose() {
 		// TODO(bradfitz): update this to use "[v2]" prefix perhaps? but we don't
 		// want to upload it always.
 		vlogf = c.logf
@@ -1170,11 +1170,6 @@ func decode(res *http.Response, v any) error {
 	return json.Unmarshal(msg, v)
 }

-var (
-	debugMap      = envknob.RegisterBool("TS_DEBUG_MAP")
-	debugRegister = envknob.RegisterBool("TS_DEBUG_REGISTER")
-)
-
 var jsonEscapedZero = []byte(`\u0000`)

 // decodeMsg is responsible for uncompressing msg and unmarshaling into v.
@@ -1183,7 +1178,7 @@ func (c *Direct) decodeMsg(compressedMsg []byte, v any) error {
 	if err != nil {
 		return err
 	}
-	if debugMap() {
+	if DevKnob.DumpNetMaps() {
 		var buf bytes.Buffer
 		json.Indent(&buf, b, "", "    ")
 		log.Printf("MapResponse: %s", buf.Bytes())
@@ -1205,7 +1200,7 @@ func encode(v any) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	if debugMap() {
+	if DevKnob.DumpNetMaps() {
 		if _, ok := v.(*tailcfg.MapRequest); ok {
 			log.Printf("MapRequest: %s", b)
 		}
@@ -1253,18 +1248,23 @@ func loadServerPubKeys(ctx context.Context, httpc *http.Client, serverURL string
 var DevKnob = initDevKnob()

 type devKnobs struct {
-	DumpNetMaps    func() bool
-	ForceProxyDNS  func() bool
-	StripEndpoints func() bool // strip endpoints from control (only use disco messages)
-	StripCaps      func() bool // strip all local node's control-provided capabilities
+	DumpRegister       func() bool
+	DumpNetMaps        func() bool
+	DumpNetMapsVerbose func() bool
+	ForceProxyDNS      func() bool
+	StripEndpoints     func() bool // strip endpoints from control (only use disco messages)
+	StripCaps          func() bool // strip all local node's control-provided capabilities
 }

 func initDevKnob() devKnobs {
+	nm := envknob.RegisterInt("TS_DEBUG_MAP")
 	return devKnobs{
-		DumpNetMaps:    envknob.RegisterBool("TS_DEBUG_NETMAP"),
-		ForceProxyDNS:  envknob.RegisterBool("TS_DEBUG_PROXY_DNS"),
-		StripEndpoints: envknob.RegisterBool("TS_DEBUG_STRIP_ENDPOINTS"),
-		StripCaps:      envknob.RegisterBool("TS_DEBUG_STRIP_CAPS"),
+		DumpNetMaps:        func() bool { return nm() > 0 },
+		DumpNetMapsVerbose: func() bool { return nm() > 1 },
+		DumpRegister:       envknob.RegisterBool("TS_DEBUG_REGISTER"),
+		ForceProxyDNS:      envknob.RegisterBool("TS_DEBUG_PROXY_DNS"),
+		StripEndpoints:     envknob.RegisterBool("TS_DEBUG_STRIP_ENDPOINTS"),
+		StripCaps:          envknob.RegisterBool("TS_DEBUG_STRIP_CAPS"),
 	}
 }

@@ -1384,7 +1384,7 @@ func answerC2NPing(logf logger.Logf, c2nHandler http.Handler, c *http.Client, pr
 	handlerCtx, cancel := context.WithTimeout(context.Background(), handlerTimeout)
 	defer cancel()
 	hreq = hreq.WithContext(handlerCtx)
-	rec := httptest.NewRecorder()
+	rec := httprec.NewRecorder()
 	c2nHandler.ServeHTTP(rec, hreq)
 	cancel()

--- a/control/controlclient/map.go
+++ b/control/controlclient/map.go
@@ -7,7 +7,6 @@ import (
 	"cmp"
 	"context"
 	"encoding/json"
-	"fmt"
 	"maps"
 	"net"
 	"reflect"
@@ -166,6 +165,7 @@ func (ms *mapSession) HandleNonKeepAliveMapResponse(ctx context.Context, resp *t

 	// For responses that mutate the self node, check for updated nodeAttrs.
 	if resp.Node != nil {
+		upgradeNode(resp.Node)
 		if DevKnob.StripCaps() {
 			resp.Node.Capabilities = nil
 			resp.Node.CapMap = nil
@@ -181,6 +181,13 @@ func (ms *mapSession) HandleNonKeepAliveMapResponse(ctx context.Context, resp *t
 		ms.controlKnobs.UpdateFromNodeAttributes(resp.Node.CapMap)
 	}

+	for _, p := range resp.Peers {
+		upgradeNode(p)
+	}
+	for _, p := range resp.PeersChanged {
+		upgradeNode(p)
+	}
+
 	// Call Node.InitDisplayNames on any changed nodes.
 	initDisplayNames(cmp.Or(resp.Node.View(), ms.lastNode), resp)

@@ -188,6 +195,10 @@ func (ms *mapSession) HandleNonKeepAliveMapResponse(ctx context.Context, resp *t

 	ms.updateStateFromResponse(resp)

+	// Occasionally clean up old userprofile if it grows too much
+	// from e.g. ephemeral tagged nodes.
+	ms.cleanLastUserProfile()
+
 	if ms.tryHandleIncrementally(resp) {
 		ms.occasionallyPrintSummary(ms.lastNetmapSummary)
 		return nil
@@ -216,6 +227,30 @@ func (ms *mapSession) HandleNonKeepAliveMapResponse(ctx context.Context, resp *t
 	return nil
 }

+// upgradeNode upgrades Node fields from the server into the modern forms
+// not using deprecated fields.
+func upgradeNode(n *tailcfg.Node) {
+	if n == nil {
+		return
+	}
+	if n.LegacyDERPString != "" {
+		if n.HomeDERP == 0 {
+			ip, portStr, err := net.SplitHostPort(n.LegacyDERPString)
+			if ip == tailcfg.DerpMagicIP && err == nil {
+				port, err := strconv.Atoi(portStr)
+				if err == nil {
+					n.HomeDERP = port
+				}
+			}
+		}
+		n.LegacyDERPString = ""
+	}
+
+	if n.AllowedIPs == nil {
+		n.AllowedIPs = slices.Clone(n.Addresses)
+	}
+}
+
 func (ms *mapSession) tryHandleIncrementally(res *tailcfg.MapResponse) bool {
 	if ms.controlKnobs != nil && ms.controlKnobs.DisableDeltaUpdates.Load() {
 		return false
@@ -261,11 +296,19 @@ func (ms *mapSession) updateStateFromResponse(resp *tailcfg.MapResponse) {
 	for _, up := range resp.UserProfiles {
 		ms.lastUserProfile[up.ID] = up
 	}
-	// TODO(bradfitz): clean up old user profiles? maybe not worth it.

 	if dm := resp.DERPMap; dm != nil {
 		ms.vlogf("netmap: new map contains DERP map")

+		// Guard against the control server accidentally sending
+		// a nil region definition, which at least Headscale was
+		// observed to send.
+		for rid, r := range dm.Regions {
+			if r == nil {
+				delete(dm.Regions, rid)
+			}
+		}
+
 		// Zero-valued fields in a DERPMap mean that we're not changing
 		// anything and are using the previous value(s).
 		if ldm := ms.lastDERPMap; ldm != nil {
@@ -443,7 +486,7 @@ func (ms *mapSession) updatePeersStateFromResponse(resp *tailcfg.MapResponse) (s
 		stats.changed++
 		mut := vp.AsStruct()
 		if pc.DERPRegion != 0 {
-			mut.DERP = fmt.Sprintf("%s:%v", tailcfg.DerpMagicIP, pc.DERPRegion)
+			mut.HomeDERP = pc.DERPRegion
 			patchDERPRegion.Add(1)
 		}
 		if pc.Cap != 0 {
@@ -501,6 +544,32 @@ func (ms *mapSession) addUserProfile(nm *netmap.NetworkMap, userID tailcfg.UserI
 	}
 }

+// cleanLastUserProfile deletes any entries from lastUserProfile
+// that are not referenced by any peer or the self node.
+//
+// This is expensive enough that we don't do this on every message
+// from the server, but only when it's grown enough to matter.
+func (ms *mapSession) cleanLastUserProfile() {
+	if len(ms.lastUserProfile) < len(ms.peers)*2 {
+		// Hasn't grown enough to be worth cleaning.
+		return
+	}
+
+	keep := set.Set[tailcfg.UserID]{}
+	if node := ms.lastNode; node.Valid() {
+		keep.Add(node.User())
+	}
+	for _, n := range ms.peers {
+		keep.Add(n.User())
+		keep.Add(n.Sharer())
+	}
+	for userID := range ms.lastUserProfile {
+		if !keep.Contains(userID) {
+			delete(ms.lastUserProfile, userID)
+		}
+	}
+}
+
 var debugPatchifyPeer = envknob.RegisterBool("TS_DEBUG_PATCHIFY_PEER")

 // patchifyPeersChanged mutates resp to promote PeersChanged entries to PeersChangedPatch
@@ -631,17 +700,13 @@ func peerChangeDiff(was tailcfg.NodeView, n *tailcfg.Node) (_ *tailcfg.PeerChang
 			if !views.SliceEqual(was.Endpoints(), views.SliceOf(n.Endpoints)) {
 				pc().Endpoints = slices.Clone(n.Endpoints)
 			}
-		case "DERP":
-			if was.DERP() != n.DERP {
-				ip, portStr, err := net.SplitHostPort(n.DERP)
-				if err != nil || ip != "127.3.3.40" {
-					return nil, false
-				}
-				port, err := strconv.Atoi(portStr)
-				if err != nil || port < 1 || port > 65535 {
-					return nil, false
-				}
-				pc().DERPRegion = port
+		case "LegacyDERPString":
+			if was.LegacyDERPString() != "" || n.LegacyDERPString != "" {
+				panic("unexpected; caller should've already called upgradeNode")
+			}
+		case "HomeDERP":
+			if was.HomeDERP() != n.HomeDERP {
+				pc().DERPRegion = n.HomeDERP
 			}
 		case "Hostinfo":
 			if !was.Hostinfo().Valid() && !n.Hostinfo.Valid() {
@@ -689,13 +754,11 @@ func peerChangeDiff(was tailcfg.NodeView, n *tailcfg.Node) (_ *tailcfg.PeerChang
 				return nil, false
 			}
 		case "Online":
-			wasOnline := was.Online()
-			if n.Online != nil && wasOnline != nil && *n.Online != *wasOnline {
+			if wasOnline, ok := was.Online().GetOk(); ok && n.Online != nil && *n.Online != wasOnline {
 				pc().Online = ptr.To(*n.Online)
 			}
 		case "LastSeen":
-			wasSeen := was.LastSeen()
-			if n.LastSeen != nil && wasSeen != nil && !wasSeen.Equal(*n.LastSeen) {
+			if wasSeen, ok := was.LastSeen().GetOk(); ok && n.LastSeen != nil && !wasSeen.Equal(*n.LastSeen) {
 				pc().LastSeen = ptr.To(*n.LastSeen)
 			}
 		case "MachineAuthorized":
@@ -720,18 +783,18 @@ func peerChangeDiff(was tailcfg.NodeView, n *tailcfg.Node) (_ *tailcfg.PeerChang
 			}
 		case "SelfNodeV4MasqAddrForThisPeer":
 			va, vb := was.SelfNodeV4MasqAddrForThisPeer(), n.SelfNodeV4MasqAddrForThisPeer
-			if va == nil && vb == nil {
+			if !va.Valid() && vb == nil {
 				continue
 			}
-			if va == nil || vb == nil || *va != *vb {
+			if va, ok := va.GetOk(); !ok || vb == nil || va != *vb {
 				return nil, false
 			}
 		case "SelfNodeV6MasqAddrForThisPeer":
 			va, vb := was.SelfNodeV6MasqAddrForThisPeer(), n.SelfNodeV6MasqAddrForThisPeer
-			if va == nil && vb == nil {
+			if !va.Valid() && vb == nil {
 				continue
 			}
-			if va == nil || vb == nil || *va != *vb {
+			if va, ok := va.GetOk(); !ok || vb == nil || va != *vb {
 				return nil, false
 			}
 		case "ExitNodeDNSResolvers":
--- a/control/controlclient/map_test.go
+++ b/control/controlclient/map_test.go
@@ -50,9 +50,9 @@ func TestUpdatePeersStateFromResponse(t *testing.T) {
 			n.LastSeen = &t
 		}
 	}
-	withDERP := func(d string) func(*tailcfg.Node) {
+	withDERP := func(regionID int) func(*tailcfg.Node) {
 		return func(n *tailcfg.Node) {
-			n.DERP = d
+			n.HomeDERP = regionID
 		}
 	}
 	withEP := func(ep string) func(*tailcfg.Node) {
@@ -189,14 +189,14 @@ func TestUpdatePeersStateFromResponse(t *testing.T) {
 		},
 		{
 			name: "ep_change_derp",
-			prev: peers(n(1, "foo", withDERP("127.3.3.40:3"))),
+			prev: peers(n(1, "foo", withDERP(3))),
 			mapRes: &tailcfg.MapResponse{
 				PeersChangedPatch: []*tailcfg.PeerChange{{
 					NodeID:     1,
 					DERPRegion: 4,
 				}},
 			},
-			want:      peers(n(1, "foo", withDERP("127.3.3.40:4"))),
+			want:      peers(n(1, "foo", withDERP(4))),
 			wantStats: updateStats{changed: 1},
 		},
 		{
@@ -213,19 +213,19 @@ func TestUpdatePeersStateFromResponse(t *testing.T) {
 		},
 		{
 			name: "ep_change_udp_2",
-			prev: peers(n(1, "foo", withDERP("127.3.3.40:3"), withEP("1.2.3.4:111"))),
+			prev: peers(n(1, "foo", withDERP(3), withEP("1.2.3.4:111"))),
 			mapRes: &tailcfg.MapResponse{
 				PeersChangedPatch: []*tailcfg.PeerChange{{
 					NodeID:    1,
 					Endpoints: eps("1.2.3.4:56"),
 				}},
 			},
-			want:      peers(n(1, "foo", withDERP("127.3.3.40:3"), withEP("1.2.3.4:56"))),
+			want:      peers(n(1, "foo", withDERP(3), withEP("1.2.3.4:56"))),
 			wantStats: updateStats{changed: 1},
 		},
 		{
 			name: "ep_change_both",
-			prev: peers(n(1, "foo", withDERP("127.3.3.40:3"), withEP("1.2.3.4:111"))),
+			prev: peers(n(1, "foo", withDERP(3), withEP("1.2.3.4:111"))),
 			mapRes: &tailcfg.MapResponse{
 				PeersChangedPatch: []*tailcfg.PeerChange{{
 					NodeID:     1,
@@ -233,7 +233,7 @@ func TestUpdatePeersStateFromResponse(t *testing.T) {
 					Endpoints:  eps("1.2.3.4:56"),
 				}},
 			},
-			want:      peers(n(1, "foo", withDERP("127.3.3.40:2"), withEP("1.2.3.4:56"))),
+			want:      peers(n(1, "foo", withDERP(2), withEP("1.2.3.4:56"))),
 			wantStats: updateStats{changed: 1},
 		},
 		{
@@ -744,8 +744,8 @@ func TestPeerChangeDiff(t *testing.T) {
 		},
 		{
 			name: "patch-derp",
-			a:    &tailcfg.Node{ID: 1, DERP: "127.3.3.40:1"},
-			b:    &tailcfg.Node{ID: 1, DERP: "127.3.3.40:2"},
+			a:    &tailcfg.Node{ID: 1, HomeDERP: 1},
+			b:    &tailcfg.Node{ID: 1, HomeDERP: 2},
 			want: &tailcfg.PeerChange{NodeID: 1, DERPRegion: 2},
 		},
 		{
@@ -929,23 +929,23 @@ func TestPatchifyPeersChanged(t *testing.T) {
 			mr0: &tailcfg.MapResponse{
 				Node: &tailcfg.Node{Name: "foo.bar.ts.net."},
 				Peers: []*tailcfg.Node{
-					{ID: 1, DERP: "127.3.3.40:1", Hostinfo: hi},
-					{ID: 2, DERP: "127.3.3.40:2", Hostinfo: hi},
-					{ID: 3, DERP: "127.3.3.40:3", Hostinfo: hi},
+					{ID: 1, HomeDERP: 1, Hostinfo: hi},
+					{ID: 2, HomeDERP: 2, Hostinfo: hi},
+					{ID: 3, HomeDERP: 3, Hostinfo: hi},
 				},
 			},
 			mr1: &tailcfg.MapResponse{
 				PeersChanged: []*tailcfg.Node{
-					{ID: 1, DERP: "127.3.3.40:11", Hostinfo: hi},
+					{ID: 1, HomeDERP: 11, Hostinfo: hi},
 					{ID: 2, StableID: "other-change", Hostinfo: hi},
-					{ID: 3, DERP: "127.3.3.40:33", Hostinfo: hi},
-					{ID: 4, DERP: "127.3.3.40:4", Hostinfo: hi},
+					{ID: 3, HomeDERP: 33, Hostinfo: hi},
+					{ID: 4, HomeDERP: 4, Hostinfo: hi},
 				},
 			},
 			want: &tailcfg.MapResponse{
 				PeersChanged: []*tailcfg.Node{
 					{ID: 2, StableID: "other-change", Hostinfo: hi},
-					{ID: 4, DERP: "127.3.3.40:4", Hostinfo: hi},
+					{ID: 4, HomeDERP: 4, Hostinfo: hi},
 				},
 				PeersChangedPatch: []*tailcfg.PeerChange{
 					{NodeID: 1, DERPRegion: 11},
@@ -1006,6 +1006,85 @@ func TestPatchifyPeersChanged(t *testing.T) {
 	}
 }

+func TestUpgradeNode(t *testing.T) {
+	a1 := netip.MustParsePrefix("0.0.0.1/32")
+	a2 := netip.MustParsePrefix("0.0.0.2/32")
+	a3 := netip.MustParsePrefix("0.0.0.3/32")
+	a4 := netip.MustParsePrefix("0.0.0.4/32")
+
+	tests := []struct {
+		name string
+		in   *tailcfg.Node
+		want *tailcfg.Node
+		also func(t *testing.T, got *tailcfg.Node) // optional
+	}{
+		{
+			name: "nil",
+			in:   nil,
+			want: nil,
+		},
+		{
+			name: "empty",
+			in:   new(tailcfg.Node),
+			want: new(tailcfg.Node),
+		},
+		{
+			name: "derp-both",
+			in:   &tailcfg.Node{HomeDERP: 1, LegacyDERPString: tailcfg.DerpMagicIP + ":2"},
+			want: &tailcfg.Node{HomeDERP: 1},
+		},
+		{
+			name: "derp-str-only",
+			in:   &tailcfg.Node{LegacyDERPString: tailcfg.DerpMagicIP + ":2"},
+			want: &tailcfg.Node{HomeDERP: 2},
+		},
+		{
+			name: "derp-int-only",
+			in:   &tailcfg.Node{HomeDERP: 2},
+			want: &tailcfg.Node{HomeDERP: 2},
+		},
+		{
+			name: "implicit-allowed-ips-all-set",
+			in:   &tailcfg.Node{Addresses: []netip.Prefix{a1, a2}, AllowedIPs: []netip.Prefix{a3, a4}},
+			want: &tailcfg.Node{Addresses: []netip.Prefix{a1, a2}, AllowedIPs: []netip.Prefix{a3, a4}},
+		},
+		{
+			name: "implicit-allowed-ips-only-address-set",
+			in:   &tailcfg.Node{Addresses: []netip.Prefix{a1, a2}},
+			want: &tailcfg.Node{Addresses: []netip.Prefix{a1, a2}, AllowedIPs: []netip.Prefix{a1, a2}},
+			also: func(t *testing.T, got *tailcfg.Node) {
+				if t.Failed() {
+					return
+				}
+				if &got.Addresses[0] == &got.AllowedIPs[0] {
+					t.Error("Addresses and AllowIPs alias the same memory")
+				}
+			},
+		},
+		{
+			name: "implicit-allowed-ips-set-empty-slice",
+			in:   &tailcfg.Node{Addresses: []netip.Prefix{a1, a2}, AllowedIPs: []netip.Prefix{}},
+			want: &tailcfg.Node{Addresses: []netip.Prefix{a1, a2}, AllowedIPs: []netip.Prefix{}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var got *tailcfg.Node
+			if tt.in != nil {
+				got = ptr.To(*tt.in) // shallow clone
+			}
+			upgradeNode(got)
+			if diff := cmp.Diff(tt.want, got); diff != "" {
+				t.Errorf("wrong result (-want +got):\n%s", diff)
+			}
+			if tt.also != nil {
+				tt.also(t, got)
+			}
+		})
+	}
+
+}
+
 func BenchmarkMapSessionDelta(b *testing.B) {
 	for _, size := range []int{10, 100, 1_000, 10_000} {
 		b.Run(fmt.Sprintf("size_%d", size), func(b *testing.B) {
@@ -1022,7 +1101,7 @@ func BenchmarkMapSessionDelta(b *testing.B) {
 				res.Peers = append(res.Peers, &tailcfg.Node{
 					ID:         tailcfg.NodeID(i + 2),
 					Name:       fmt.Sprintf("peer%d.bar.ts.net.", i),
-					DERP:       "127.3.3.40:10",
+					HomeDERP:   10,
 					Addresses:  []netip.Prefix{netip.MustParsePrefix("100.100.2.3/32"), netip.MustParsePrefix("fd7a:115c:a1e0::123/128")},
 					AllowedIPs: []netip.Prefix{netip.MustParsePrefix("100.100.2.3/32"), netip.MustParsePrefix("fd7a:115c:a1e0::123/128")},
 					Endpoints:  eps("192.168.1.2:345", "192.168.1.3:678"),
--- a/control/controlknobs/controlknobs.go
+++ b/control/controlknobs/controlknobs.go
@@ -6,6 +6,8 @@
 package controlknobs

 import (
+	"fmt"
+	"reflect"
 	"sync/atomic"

 	"tailscale.com/syncs"
@@ -103,6 +105,11 @@ type Knobs struct {
 	// DisableCaptivePortalDetection is whether the node should not perform captive portal detection
 	// automatically when the network state changes.
 	DisableCaptivePortalDetection atomic.Bool
+
+	// DisableSkipStatusQueue is whether the node should disable skipping
+	// of queued netmap.NetworkMap between the controlclient and LocalBackend.
+	// See tailscale/tailscale#14768.
+	DisableSkipStatusQueue atomic.Bool
 }

 // UpdateFromNodeAttributes updates k (if non-nil) based on the provided self
@@ -132,6 +139,7 @@ func (k *Knobs) UpdateFromNodeAttributes(capMap tailcfg.NodeCapMap) {
 		disableLocalDNSOverrideViaNRPT       = has(tailcfg.NodeAttrDisableLocalDNSOverrideViaNRPT)
 		disableCryptorouting                 = has(tailcfg.NodeAttrDisableMagicSockCryptoRouting)
 		disableCaptivePortalDetection        = has(tailcfg.NodeAttrDisableCaptivePortalDetection)
+		disableSkipStatusQueue               = has(tailcfg.NodeAttrDisableSkipStatusQueue)
 	)

 	if has(tailcfg.NodeAttrOneCGNATEnable) {
@@ -159,6 +167,7 @@ func (k *Knobs) UpdateFromNodeAttributes(capMap tailcfg.NodeCapMap) {
 	k.DisableLocalDNSOverrideViaNRPT.Store(disableLocalDNSOverrideViaNRPT)
 	k.DisableCryptorouting.Store(disableCryptorouting)
 	k.DisableCaptivePortalDetection.Store(disableCaptivePortalDetection)
+	k.DisableSkipStatusQueue.Store(disableSkipStatusQueue)
 }

 // AsDebugJSON returns k as something that can be marshalled with json.Marshal
@@ -167,25 +176,19 @@ func (k *Knobs) AsDebugJSON() map[string]any {
 	if k == nil {
 		return nil
 	}
-	return map[string]any{
-		"DisableUPnP":                          k.DisableUPnP.Load(),
-		"KeepFullWGConfig":                     k.KeepFullWGConfig.Load(),
-		"RandomizeClientPort":                  k.RandomizeClientPort.Load(),
-		"OneCGNAT":                             k.OneCGNAT.Load(),
-		"ForceBackgroundSTUN":                  k.ForceBackgroundSTUN.Load(),
-		"DisableDeltaUpdates":                  k.DisableDeltaUpdates.Load(),
-		"PeerMTUEnable":                        k.PeerMTUEnable.Load(),
-		"DisableDNSForwarderTCPRetries":        k.DisableDNSForwarderTCPRetries.Load(),
-		"SilentDisco":                          k.SilentDisco.Load(),
-		"LinuxForceIPTables":                   k.LinuxForceIPTables.Load(),
-		"LinuxForceNfTables":                   k.LinuxForceNfTables.Load(),
-		"SeamlessKeyRenewal":                   k.SeamlessKeyRenewal.Load(),
-		"ProbeUDPLifetime":                     k.ProbeUDPLifetime.Load(),
-		"AppCStoreRoutes":                      k.AppCStoreRoutes.Load(),
-		"UserDialUseRoutes":                    k.UserDialUseRoutes.Load(),
-		"DisableSplitDNSWhenNoCustomResolvers": k.DisableSplitDNSWhenNoCustomResolvers.Load(),
-		"DisableLocalDNSOverrideViaNRPT":       k.DisableLocalDNSOverrideViaNRPT.Load(),
-		"DisableCryptorouting":                 k.DisableCryptorouting.Load(),
-		"DisableCaptivePortalDetection":        k.DisableCaptivePortalDetection.Load(),
+	ret := map[string]any{}
+	rt := reflect.TypeFor[Knobs]()
+	rv := reflect.ValueOf(k).Elem() // of *k
+	for i := 0; i < rt.NumField(); i++ {
+		name := rt.Field(i).Name
+		switch v := rv.Field(i).Addr().Interface().(type) {
+		case *atomic.Bool:
+			ret[name] = v.Load()
+		case *syncs.AtomicValue[opt.Bool]:
+			ret[name] = v.Load()
+		default:
+			panic(fmt.Sprintf("unknown field type %T for %v", v, name))
+		}
 	}
+	return ret
 }
--- a/control/controlknobs/controlknobs_test.go
+++ b/control/controlknobs/controlknobs_test.go
@@ -6,6 +6,8 @@ package controlknobs
 import (
 	"reflect"
 	"testing"
+
+	"tailscale.com/types/logger"
 )

 func TestAsDebugJSON(t *testing.T) {
@@ -18,4 +20,5 @@ func TestAsDebugJSON(t *testing.T) {
 	if want := reflect.TypeFor[Knobs]().NumField(); len(got) != want {
 		t.Errorf("AsDebugJSON map has %d fields; want %v", len(got), want)
 	}
+	t.Logf("Got: %v", logger.AsJSON(got))
 }
--- a/derp/derp.go
+++ b/derp/derp.go
@@ -18,6 +18,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"net"
 	"time"
 )

@@ -79,8 +80,7 @@ const (
 	// framePeerGone to B so B can forget that a reverse path
 	// exists on that connection to get back to A. It is also sent
 	// if A tries to send a CallMeMaybe to B and the server has no
-	// record of B (which currently would only happen if there was
-	// a bug).
+	// record of B
 	framePeerGone = frameType(0x08) // 32B pub key of peer that's gone + 1 byte reason

 	// framePeerPresent is like framePeerGone, but for other members of the DERP
@@ -131,8 +131,8 @@ const (
 type PeerGoneReasonType byte

 const (
-	PeerGoneReasonDisconnected  = PeerGoneReasonType(0x00) // peer disconnected from this server
-	PeerGoneReasonNotHere       = PeerGoneReasonType(0x01) // server doesn't know about this peer, unexpected
+	PeerGoneReasonDisconnected  = PeerGoneReasonType(0x00) // is only sent when a peer disconnects from this server
+	PeerGoneReasonNotHere       = PeerGoneReasonType(0x01) // server doesn't know about this peer
 	PeerGoneReasonMeshConnBroke = PeerGoneReasonType(0xf0) // invented by Client.RunWatchConnectionLoop on disconnect; not sent on the wire
 )

@@ -255,3 +255,14 @@ func writeFrame(bw *bufio.Writer, t frameType, b []byte) error {
 	}
 	return bw.Flush()
 }
+
+// Conn is the subset of the underlying net.Conn the DERP Server needs.
+// It is a defined type so that non-net connections can be used.
+type Conn interface {
+	io.WriteCloser
+	LocalAddr() net.Addr
+	// The *Deadline methods follow the semantics of net.Conn.
+	SetDeadline(time.Time) error
+	SetReadDeadline(time.Time) error
+	SetWriteDeadline(time.Time) error
+}
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -23,7 +23,6 @@ import (
 	"math"
 	"math/big"
 	"math/rand/v2"
-	"net"
 	"net/http"
 	"net/netip"
 	"os"
@@ -85,7 +84,7 @@ func init() {

 const (
 	defaultPerClientSendQueueDepth = 32 // default packets buffered for sending
-	writeTimeout                   = 2 * time.Second
+	DefaultTCPWiteTimeout          = 2 * time.Second
 	privilegedWriteTimeout         = 30 * time.Second // for clients with the mesh key
 )

@@ -112,6 +111,14 @@ const (
 	disableFighters
 )

+// packetKind is the kind of packet being sent through DERP
+type packetKind string
+
+const (
+	packetKindDisco packetKind = "disco"
+	packetKindOther packetKind = "other"
+)
+
 type align64 [0]atomic.Int64 // for side effect of its 64-bit alignment

 // Server is a DERP server.
@@ -131,44 +138,37 @@ type Server struct {
 	debug       bool

 	// Counters:
-	packetsSent, bytesSent       expvar.Int
-	packetsRecv, bytesRecv       expvar.Int
-	packetsRecvByKind            metrics.LabelMap
-	packetsRecvDisco             *expvar.Int
-	packetsRecvOther             *expvar.Int
-	_                            align64
-	packetsDropped               expvar.Int
-	packetsDroppedReason         metrics.LabelMap
-	packetsDroppedReasonCounters []*expvar.Int // indexed by dropReason
-	packetsDroppedType           metrics.LabelMap
-	packetsDroppedTypeDisco      *expvar.Int
-	packetsDroppedTypeOther      *expvar.Int
-	_                            align64
-	packetsForwardedOut          expvar.Int
-	packetsForwardedIn           expvar.Int
-	peerGoneDisconnectedFrames   expvar.Int // number of peer disconnected frames sent
-	peerGoneNotHereFrames        expvar.Int // number of peer not here frames sent
-	gotPing                      expvar.Int // number of ping frames from client
-	sentPong                     expvar.Int // number of pong frames enqueued to client
-	accepts                      expvar.Int
-	curClients                   expvar.Int
-	curClientsNotIdeal           expvar.Int
-	curHomeClients               expvar.Int // ones with preferred
-	dupClientKeys                expvar.Int // current number of public keys we have 2+ connections for
-	dupClientConns               expvar.Int // current number of connections sharing a public key
-	dupClientConnTotal           expvar.Int // total number of accepted connections when a dup key existed
-	unknownFrames                expvar.Int
-	homeMovesIn                  expvar.Int // established clients announce home server moves in
-	homeMovesOut                 expvar.Int // established clients announce home server moves out
-	multiForwarderCreated        expvar.Int
-	multiForwarderDeleted        expvar.Int
-	removePktForwardOther        expvar.Int
-	sclientWriteTimeouts         expvar.Int
-	avgQueueDuration             *uint64          // In milliseconds; accessed atomically
-	tcpRtt                       metrics.LabelMap // histogram
-	meshUpdateBatchSize          *metrics.Histogram
-	meshUpdateLoopCount          *metrics.Histogram
-	bufferedWriteFrames          *metrics.Histogram // how many sendLoop frames (or groups of related frames) get written per flush
+	packetsSent, bytesSent     expvar.Int
+	packetsRecv, bytesRecv     expvar.Int
+	packetsRecvByKind          metrics.LabelMap
+	packetsRecvDisco           *expvar.Int
+	packetsRecvOther           *expvar.Int
+	_                          align64
+	packetsForwardedOut        expvar.Int
+	packetsForwardedIn         expvar.Int
+	peerGoneDisconnectedFrames expvar.Int // number of peer disconnected frames sent
+	peerGoneNotHereFrames      expvar.Int // number of peer not here frames sent
+	gotPing                    expvar.Int // number of ping frames from client
+	sentPong                   expvar.Int // number of pong frames enqueued to client
+	accepts                    expvar.Int
+	curClients                 expvar.Int
+	curClientsNotIdeal         expvar.Int
+	curHomeClients             expvar.Int // ones with preferred
+	dupClientKeys              expvar.Int // current number of public keys we have 2+ connections for
+	dupClientConns             expvar.Int // current number of connections sharing a public key
+	dupClientConnTotal         expvar.Int // total number of accepted connections when a dup key existed
+	unknownFrames              expvar.Int
+	homeMovesIn                expvar.Int // established clients announce home server moves in
+	homeMovesOut               expvar.Int // established clients announce home server moves out
+	multiForwarderCreated      expvar.Int
+	multiForwarderDeleted      expvar.Int
+	removePktForwardOther      expvar.Int
+	sclientWriteTimeouts       expvar.Int
+	avgQueueDuration           *uint64          // In milliseconds; accessed atomically
+	tcpRtt                     metrics.LabelMap // histogram
+	meshUpdateBatchSize        *metrics.Histogram
+	meshUpdateLoopCount        *metrics.Histogram
+	bufferedWriteFrames        *metrics.Histogram // how many sendLoop frames (or groups of related frames) get written per flush

 	// verifyClientsLocalTailscaled only accepts client connections to the DERP
 	// server if the clientKey is a known peer in the network, as specified by a
@@ -201,6 +201,8 @@ type Server struct {
 	// Sets the client send queue depth for the server.
 	perClientSendQueueDepth int

+	tcpWriteTimeout time.Duration
+
 	clock tstime.Clock
 }

@@ -340,16 +342,16 @@ type PacketForwarder interface {
 	String() string
 }

-// Conn is the subset of the underlying net.Conn the DERP Server needs.
-// It is a defined type so that non-net connections can be used.
-type Conn interface {
-	io.WriteCloser
-	LocalAddr() net.Addr
-	// The *Deadline methods follow the semantics of net.Conn.
-	SetDeadline(time.Time) error
-	SetReadDeadline(time.Time) error
-	SetWriteDeadline(time.Time) error
-}
+var packetsDropped = metrics.NewMultiLabelMap[dropReasonKindLabels](
+	"derp_packets_dropped",
+	"counter",
+	"DERP packets dropped by reason and by kind")
+
+var bytesDropped = metrics.NewMultiLabelMap[dropReasonKindLabels](
+	"derp_bytes_dropped",
+	"counter",
+	"DERP bytes dropped by reason and by kind",
+)

 // NewServer returns a new DERP server. It doesn't listen on its own.
 // Connections are given to it via Server.Accept.
@@ -358,61 +360,100 @@ func NewServer(privateKey key.NodePrivate, logf logger.Logf) *Server {
 	runtime.ReadMemStats(&ms)

 	s := &Server{
-		debug:                envknob.Bool("DERP_DEBUG_LOGS"),
-		privateKey:           privateKey,
-		publicKey:            privateKey.Public(),
-		logf:                 logf,
-		limitedLogf:          logger.RateLimitedFn(logf, 30*time.Second, 5, 100),
-		packetsRecvByKind:    metrics.LabelMap{Label: "kind"},
-		packetsDroppedReason: metrics.LabelMap{Label: "reason"},
-		packetsDroppedType:   metrics.LabelMap{Label: "type"},
-		clients:              map[key.NodePublic]*clientSet{},
-		clientsMesh:          map[key.NodePublic]PacketForwarder{},
-		netConns:             map[Conn]chan struct{}{},
-		memSys0:              ms.Sys,
-		watchers:             set.Set[*sclient]{},
-		peerGoneWatchers:     map[key.NodePublic]set.HandleSet[func(key.NodePublic)]{},
-		avgQueueDuration:     new(uint64),
-		tcpRtt:               metrics.LabelMap{Label: "le"},
-		meshUpdateBatchSize:  metrics.NewHistogram([]float64{0, 1, 2, 5, 10, 20, 50, 100, 200, 500, 1000}),
-		meshUpdateLoopCount:  metrics.NewHistogram([]float64{0, 1, 2, 5, 10, 20, 50, 100}),
-		bufferedWriteFrames:  metrics.NewHistogram([]float64{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 15, 20, 25, 50, 100}),
-		keyOfAddr:            map[netip.AddrPort]key.NodePublic{},
-		clock:                tstime.StdClock{},
+		debug:               envknob.Bool("DERP_DEBUG_LOGS"),
+		privateKey:          privateKey,
+		publicKey:           privateKey.Public(),
+		logf:                logf,
+		limitedLogf:         logger.RateLimitedFn(logf, 30*time.Second, 5, 100),
+		packetsRecvByKind:   metrics.LabelMap{Label: "kind"},
+		clients:             map[key.NodePublic]*clientSet{},
+		clientsMesh:         map[key.NodePublic]PacketForwarder{},
+		netConns:            map[Conn]chan struct{}{},
+		memSys0:             ms.Sys,
+		watchers:            set.Set[*sclient]{},
+		peerGoneWatchers:    map[key.NodePublic]set.HandleSet[func(key.NodePublic)]{},
+		avgQueueDuration:    new(uint64),
+		tcpRtt:              metrics.LabelMap{Label: "le"},
+		meshUpdateBatchSize: metrics.NewHistogram([]float64{0, 1, 2, 5, 10, 20, 50, 100, 200, 500, 1000}),
+		meshUpdateLoopCount: metrics.NewHistogram([]float64{0, 1, 2, 5, 10, 20, 50, 100}),
+		bufferedWriteFrames: metrics.NewHistogram([]float64{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 15, 20, 25, 50, 100}),
+		keyOfAddr:           map[netip.AddrPort]key.NodePublic{},
+		clock:               tstime.StdClock{},
+		tcpWriteTimeout:     DefaultTCPWiteTimeout,
 	}
 	s.initMetacert()
-	s.packetsRecvDisco = s.packetsRecvByKind.Get("disco")
-	s.packetsRecvOther = s.packetsRecvByKind.Get("other")
+	s.packetsRecvDisco = s.packetsRecvByKind.Get(string(packetKindDisco))
+	s.packetsRecvOther = s.packetsRecvByKind.Get(string(packetKindOther))

-	s.packetsDroppedReasonCounters = s.genPacketsDroppedReasonCounters()
-
-	s.packetsDroppedTypeDisco = s.packetsDroppedType.Get("disco")
-	s.packetsDroppedTypeOther = s.packetsDroppedType.Get("other")
+	genDroppedCounters()

 	s.perClientSendQueueDepth = getPerClientSendQueueDepth()
 	return s
 }

-func (s *Server) genPacketsDroppedReasonCounters() []*expvar.Int {
-	getMetric := s.packetsDroppedReason.Get
-	ret := []*expvar.Int{
-		dropReasonUnknownDest:      getMetric("unknown_dest"),
-		dropReasonUnknownDestOnFwd: getMetric("unknown_dest_on_fwd"),
-		dropReasonGoneDisconnected: getMetric("gone_disconnected"),
-		dropReasonQueueHead:        getMetric("queue_head"),
-		dropReasonQueueTail:        getMetric("queue_tail"),
-		dropReasonWriteError:       getMetric("write_error"),
-		dropReasonDupClient:        getMetric("dup_client"),
+func genDroppedCounters() {
+	initMetrics := func(reason dropReason) {
+		packetsDropped.Add(dropReasonKindLabels{
+			Kind:   string(packetKindDisco),
+			Reason: string(reason),
+		}, 0)
+		packetsDropped.Add(dropReasonKindLabels{
+			Kind:   string(packetKindOther),
+			Reason: string(reason),
+		}, 0)
+		bytesDropped.Add(dropReasonKindLabels{
+			Kind:   string(packetKindDisco),
+			Reason: string(reason),
+		}, 0)
+		bytesDropped.Add(dropReasonKindLabels{
+			Kind:   string(packetKindOther),
+			Reason: string(reason),
+		}, 0)
 	}
-	if len(ret) != int(numDropReasons) {
-		panic("dropReason metrics out of sync")
-	}
-	for i := range numDropReasons {
-		if ret[i] == nil {
-			panic("dropReason metrics out of sync")
+	getMetrics := func(reason dropReason) []expvar.Var {
+		return []expvar.Var{
+			packetsDropped.Get(dropReasonKindLabels{
+				Kind:   string(packetKindDisco),
+				Reason: string(reason),
+			}),
+			packetsDropped.Get(dropReasonKindLabels{
+				Kind:   string(packetKindOther),
+				Reason: string(reason),
+			}),
+			bytesDropped.Get(dropReasonKindLabels{
+				Kind:   string(packetKindDisco),
+				Reason: string(reason),
+			}),
+			bytesDropped.Get(dropReasonKindLabels{
+				Kind:   string(packetKindOther),
+				Reason: string(reason),
+			}),
+		}
+	}
+
+	dropReasons := []dropReason{
+		dropReasonUnknownDest,
+		dropReasonUnknownDestOnFwd,
+		dropReasonGoneDisconnected,
+		dropReasonQueueHead,
+		dropReasonQueueTail,
+		dropReasonWriteError,
+		dropReasonDupClient,
+	}
+
+	for _, dr := range dropReasons {
+		initMetrics(dr)
+		m := getMetrics(dr)
+		if len(m) != 4 {
+			panic("dropReason metrics out of sync")
+		}
+
+		for _, v := range m {
+			if v == nil {
+				panic("dropReason metrics out of sync")
+			}
 		}
 	}
-	return ret
 }

 // SetMesh sets the pre-shared key that regional DERP servers used to mesh
@@ -443,6 +484,13 @@ func (s *Server) SetVerifyClientURLFailOpen(v bool) {
 	s.verifyClientsURLFailOpen = v
 }

+// SetTCPWriteTimeout sets the timeout for writing to connected clients.
+// This timeout does not apply to mesh connections.
+// Defaults to 2 seconds.
+func (s *Server) SetTCPWriteTimeout(d time.Duration) {
+	s.tcpWriteTimeout = d
+}
+
 // HasMeshKey reports whether the server is configured with a mesh key.
 func (s *Server) HasMeshKey() bool { return s.meshKey != "" }

@@ -1152,31 +1200,37 @@ func (c *sclient) debugLogf(format string, v ...any) {
 	}
 }

-// dropReason is why we dropped a DERP frame.
-type dropReason int
+type dropReasonKindLabels struct {
+	Reason string // metric label corresponding to a given dropReason
+	Kind   string // either `disco` or `other`
+}

-//go:generate go run tailscale.com/cmd/addlicense -file dropreason_string.go go run golang.org/x/tools/cmd/stringer -type=dropReason -trimprefix=dropReason
+// dropReason is why we dropped a DERP frame.
+type dropReason string

 const (
-	dropReasonUnknownDest      dropReason = iota // unknown destination pubkey
-	dropReasonUnknownDestOnFwd                   // unknown destination pubkey on a derp-forwarded packet
-	dropReasonGoneDisconnected                   // destination tailscaled disconnected before we could send
-	dropReasonQueueHead                          // destination queue is full, dropped packet at queue head
-	dropReasonQueueTail                          // destination queue is full, dropped packet at queue tail
-	dropReasonWriteError                         // OS write() failed
-	dropReasonDupClient                          // the public key is connected 2+ times (active/active, fighting)
-	numDropReasons                               // unused; keep last
+	dropReasonUnknownDest      dropReason = "unknown_dest"        // unknown destination pubkey
+	dropReasonUnknownDestOnFwd dropReason = "unknown_dest_on_fwd" // unknown destination pubkey on a derp-forwarded packet
+	dropReasonGoneDisconnected dropReason = "gone_disconnected"   // destination tailscaled disconnected before we could send
+	dropReasonQueueHead        dropReason = "queue_head"          // destination queue is full, dropped packet at queue head
+	dropReasonQueueTail        dropReason = "queue_tail"          // destination queue is full, dropped packet at queue tail
+	dropReasonWriteError       dropReason = "write_error"         // OS write() failed
+	dropReasonDupClient        dropReason = "dup_client"          // the public key is connected 2+ times (active/active, fighting)
 )

 func (s *Server) recordDrop(packetBytes []byte, srcKey, dstKey key.NodePublic, reason dropReason) {
-	s.packetsDropped.Add(1)
-	s.packetsDroppedReasonCounters[reason].Add(1)
+	labels := dropReasonKindLabels{
+		Reason: string(reason),
+	}
 	looksDisco := disco.LooksLikeDiscoWrapper(packetBytes)
 	if looksDisco {
-		s.packetsDroppedTypeDisco.Add(1)
+		labels.Kind = string(packetKindDisco)
 	} else {
-		s.packetsDroppedTypeOther.Add(1)
+		labels.Kind = string(packetKindOther)
 	}
+	packetsDropped.Add(labels, 1)
+	bytesDropped.Add(labels, int64(len(packetBytes)))
+
 	if verboseDropKeys[dstKey] {
 		// Preformat the log string prior to calling limitedLogf. The
 		// limiter acts based on the format string, and we want to
@@ -1761,7 +1815,7 @@ func (c *sclient) sendLoop(ctx context.Context) error {
 }

 func (c *sclient) setWriteDeadline() {
-	d := writeTimeout
+	d := c.s.tcpWriteTimeout
 	if c.canMesh {
 		// Trusted peers get more tolerance.
 		//
@@ -1773,7 +1827,10 @@ func (c *sclient) setWriteDeadline() {
 		// of connected peers.
 		d = privilegedWriteTimeout
 	}
-	c.nc.SetWriteDeadline(time.Now().Add(d))
+	// Ignore the error from setting the write deadline. In practice,
+	// setting the deadline will only fail if the connection is closed
+	// or closing, so the subsequent Write() will fail anyway.
+	_ = c.nc.SetWriteDeadline(time.Now().Add(d))
 }

 // sendKeepAlive sends a keep-alive frame, without flushing.
@@ -2095,9 +2152,6 @@ func (s *Server) ExpVar() expvar.Var {
 	m.Set("accepts", &s.accepts)
 	m.Set("bytes_received", &s.bytesRecv)
 	m.Set("bytes_sent", &s.bytesSent)
-	m.Set("packets_dropped", &s.packetsDropped)
-	m.Set("counter_packets_dropped_reason", &s.packetsDroppedReason)
-	m.Set("counter_packets_dropped_type", &s.packetsDroppedType)
 	m.Set("counter_packets_received_kind", &s.packetsRecvByKind)
 	m.Set("packets_sent", &s.packetsSent)
 	m.Set("packets_received", &s.packetsRecv)
--- a/derp/dropreason_string.go
+++ b/derp/dropreason_string.go
@@ -1,33 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Code generated by "stringer -type=dropReason -trimprefix=dropReason"; DO NOT EDIT.
-
-package derp
-
-import "strconv"
-
-func _() {
-	// An "invalid array index" compiler error signifies that the constant values have changed.
-	// Re-run the stringer command to generate them again.
-	var x [1]struct{}
-	_ = x[dropReasonUnknownDest-0]
-	_ = x[dropReasonUnknownDestOnFwd-1]
-	_ = x[dropReasonGoneDisconnected-2]
-	_ = x[dropReasonQueueHead-3]
-	_ = x[dropReasonQueueTail-4]
-	_ = x[dropReasonWriteError-5]
-	_ = x[dropReasonDupClient-6]
-	_ = x[numDropReasons-7]
-}
-
-const _dropReason_name = "UnknownDestUnknownDestOnFwdGoneDisconnectedQueueHeadQueueTailWriteErrorDupClientnumDropReasons"
-
-var _dropReason_index = [...]uint8{0, 11, 27, 43, 52, 61, 71, 80, 94}
-
-func (i dropReason) String() string {
-	if i < 0 || i >= dropReason(len(_dropReason_index)-1) {
-		return "dropReason(" + strconv.FormatInt(int64(i), 10) + ")"
-	}
-	return _dropReason_name[_dropReason_index[i]:_dropReason_index[i+1]]
-}
--- a/drive/drive_view.go
+++ b/drive/drive_view.go
@@ -14,7 +14,7 @@ import (

 //go:generate go run tailscale.com/cmd/cloner  -clonefunc=true -type=Share

-// View returns a readonly view of Share.
+// View returns a read-only view of Share.
 func (p *Share) View() ShareView {
 	return ShareView{ж: p}
 }
@@ -30,7 +30,7 @@ type ShareView struct {
 	ж *Share
 }

-// Valid reports whether underlying value is non-nil.
+// Valid reports whether v's underlying value is non-nil.
 func (v ShareView) Valid() bool { return v.ж != nil }

 // AsStruct returns a clone of the underlying value which aliases no memory with
--- a/envknob/featureknob/featureknob.go
+++ b/envknob/featureknob/featureknob.go
@@ -55,8 +55,7 @@ func CanRunTailscaleSSH() error {
 func CanUseExitNode() error {
 	switch dist := distro.Get(); dist {
 	case distro.Synology, // see https://github.com/tailscale/tailscale/issues/1995
-		distro.QNAP,
-		distro.Unraid:
+		distro.QNAP:
 		return errors.New("Tailscale exit nodes cannot be used on " + string(dist))
 	}

--- a/wgengine/capture/capture.go
+++ b/wgengine/capture/capture.go
@@ -13,21 +13,44 @@ import (
 	"sync"
 	"time"

-	_ "embed"
-
+	"tailscale.com/feature"
+	"tailscale.com/ipn/localapi"
 	"tailscale.com/net/packet"
 	"tailscale.com/util/set"
 )

-//go:embed ts-dissector.lua
-var DissectorLua string
+func init() {
+	feature.Register("capture")
+	localapi.Register("debug-capture", serveLocalAPIDebugCapture)
+}

-// Callback describes a function which is called to
-// record packets when debugging packet-capture.
-// Such callbacks must not take ownership of the
-// provided data slice: it may only copy out of it
-// within the lifetime of the function.
-type Callback func(Path, time.Time, []byte, packet.CaptureMeta)
+func serveLocalAPIDebugCapture(h *localapi.Handler, w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	if !h.PermitWrite {
+		http.Error(w, "debug access denied", http.StatusForbidden)
+		return
+	}
+	if r.Method != "POST" {
+		http.Error(w, "POST required", http.StatusMethodNotAllowed)
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
+	w.(http.Flusher).Flush()
+
+	b := h.LocalBackend()
+	s := b.GetOrSetCaptureSink(newSink)
+
+	unregister := s.RegisterOutput(w)
+
+	select {
+	case <-ctx.Done():
+	case <-s.WaitCh():
+	}
+	unregister()
+
+	b.ClearCaptureSink()
+}

 var bufferPool = sync.Pool{
 	New: func() any {
@@ -57,29 +80,8 @@ func writePktHeader(w *bytes.Buffer, when time.Time, length int) {
 	binary.Write(w, binary.LittleEndian, uint32(length)) // total length
 }

-// Path describes where in the data path the packet was captured.
-type Path uint8
-
-// Valid Path values.
-const (
-	// FromLocal indicates the packet was logged as it traversed the FromLocal path:
-	// i.e.: A packet from the local system into the TUN.
-	FromLocal Path = 0
-	// FromPeer indicates the packet was logged upon reception from a remote peer.
-	FromPeer Path = 1
-	// SynthesizedToLocal indicates the packet was generated from within tailscaled,
-	// and is being routed to the local machine's network stack.
-	SynthesizedToLocal Path = 2
-	// SynthesizedToPeer indicates the packet was generated from within tailscaled,
-	// and is being routed to a remote Wireguard peer.
-	SynthesizedToPeer Path = 3
-
-	// PathDisco indicates the packet is information about a disco frame.
-	PathDisco Path = 254
-)
-
-// New creates a new capture sink.
-func New() *Sink {
+// newSink creates a new capture sink.
+func newSink() packet.CaptureSink {
 	ctx, c := context.WithCancel(context.Background())
 	return &Sink{
 		ctx:       ctx,
@@ -126,6 +128,10 @@ func (s *Sink) RegisterOutput(w io.Writer) (unregister func()) {
 	}
 }

+func (s *Sink) CaptureCallback() packet.CaptureCallback {
+	return s.LogPacket
+}
+
 // NumOutputs returns the number of outputs registered with the sink.
 func (s *Sink) NumOutputs() int {
 	s.mu.Lock()
@@ -174,7 +180,7 @@ func customDataLen(meta packet.CaptureMeta) int {
 // LogPacket is called to insert a packet into the capture.
 //
 // This function does not take ownership of the provided data slice.
-func (s *Sink) LogPacket(path Path, when time.Time, data []byte, meta packet.CaptureMeta) {
+func (s *Sink) LogPacket(path packet.CapturePath, when time.Time, data []byte, meta packet.CaptureMeta) {
 	select {
 	case <-s.ctx.Done():
 		return
--- a/feature/capture/dissector/dissector.go
+++ b/feature/capture/dissector/dissector.go
@@ -0,0 +1,12 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package dissector contains the Lua dissector for Tailscale packets.
+package dissector
+
+import (
+	_ "embed"
+)
+
+//go:embed ts-dissector.lua
+var Lua string
--- a/feature/capture/dissector/ts-dissector.lua
+++ b/feature/capture/dissector/ts-dissector.lua
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .21
 .18