WIP

Signed-off-by: Percy Wegmann <percy@tailscale.com>

.github/workflows/codeql-analysis.yml

@@ -55,7 +55,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
+      uses: github/codeql-action/init@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -66,7 +66,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
+      uses: github/codeql-action/autobuild@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -80,4 +80,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
+      uses: github/codeql-action/analyze@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5

.github/workflows/golangci-lint.yml

@@ -31,9 +31,9 @@ jobs:
           cache: false
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6.5.0
+        uses: golangci/golangci-lint-action@ec5d18412c0aeab7936cb16880d708ba2a64e1ae # v6.2.0
         with:
-          version: v1.64
+          version: v1.60
 
           # Show only new issues if it's a pull request.
           only-new-issues: true

.github/workflows/govulncheck.yml

@@ -30,7 +30,7 @@ jobs:
           token: ${{ secrets.GOVULNCHECK_BOT_TOKEN }}
           payload: |
             {
-              "channel": "C08FGKZCQTW",
+              "channel": "C05PXRM304B",
               "blocks": [
                 {
                   "type": "section",

.github/workflows/natlab-integrationtest.yml

@@ -1,27 +0,0 @@
-# Run some natlab integration tests.
-# See https://github.com/tailscale/tailscale/issues/13038
-name: "natlab-integrationtest"
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-on:
-  pull_request:
-    paths:
-      - "tstest/integration/nat/nat_test.go"
-jobs:
-  natlab-integrationtest:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Install qemu
-        run: |
-          sudo rm /var/lib/man-db/auto-update
-          sudo apt-get -y update
-          sudo apt-get -y remove man-db
-          sudo apt-get install -y qemu-system-x86 qemu-utils
-      - name: Run natlab integration tests
-        run: |
-          ./tool/go test -v -run=^TestEasyEasy$ -timeout=3m -count=1 ./tstest/integration/nat  --run-vm-tests

.github/workflows/test.yml

@@ -64,6 +64,7 @@ jobs:
       matrix:
         include:
           - goarch: amd64
+            coverflags: "-coverprofile=/tmp/coverage.out"
           - goarch: amd64
             buildflags: "-race"
             shard: '1/3'
@@ -79,7 +80,7 @@ jobs:
     - name: checkout
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Restore Cache
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
       with:
         # Note: unlike the other setups, this is only grabbing the mod download
         # cache, rather than the whole mod directory, as the download cache
@@ -118,10 +119,15 @@ jobs:
     - name: build test wrapper
       run: ./tool/go build -o /tmp/testwrapper ./cmd/testwrapper
     - name: test all
-      run: NOBASHDEBUG=true PATH=$PWD/tool:$PATH /tmp/testwrapper ./... ${{matrix.buildflags}}
+      run: NOBASHDEBUG=true PATH=$PWD/tool:$PATH /tmp/testwrapper ${{matrix.coverflags}} ./... ${{matrix.buildflags}}
       env:
         GOARCH: ${{ matrix.goarch }}
         TS_TEST_SHARD: ${{ matrix.shard }}
+    - name: Publish to coveralls.io
+      if: matrix.coverflags != '' # only publish results if we've tracked coverage
+      uses: shogo82148/actions-goveralls@v1
+      with:
+        path-to-profile: /tmp/coverage.out
     - name: bench all
       run: ./tool/go test ${{matrix.buildflags}} -bench=. -benchtime=1x -run=^$ $(for x in $(git grep -l "^func Benchmark" | xargs dirname | sort | uniq); do echo "./$x"; done)
       env:
@@ -139,11 +145,7 @@ jobs:
           echo "Build/test created untracked files in the repo (file names above)."
           exit 1
         fi
-    - name: Tidy cache
-      shell: bash
-      run: |
-        find $(go env GOCACHE) -type f -mmin +90 -delete
-        find $(go env GOMODCACHE)/cache -type f -mmin +90 -delete
+
   windows:
     runs-on: windows-2022
     steps:
@@ -157,7 +159,7 @@ jobs:
         cache: false
 
     - name: Restore Cache
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
       with:
         # Note: unlike the other setups, this is only grabbing the mod download
         # cache, rather than the whole mod directory, as the download cache
@@ -180,11 +182,6 @@ jobs:
       # Somewhere in the layers (powershell?)
       # the equals signs cause great confusion.
       run: go test ./... -bench . -benchtime 1x -run "^$"
-    - name: Tidy cache
-      shell: bash
-      run: |
-        find $(go env GOCACHE) -type f -mmin +90 -delete
-        find $(go env GOMODCACHE)/cache -type f -mmin +90 -delete
 
   privileged:
     runs-on: ubuntu-22.04
@@ -263,7 +260,7 @@ jobs:
     - name: checkout
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Restore Cache
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
       with:
         # Note: unlike the other setups, this is only grabbing the mod download
         # cache, rather than the whole mod directory, as the download cache
@@ -292,11 +289,6 @@ jobs:
         GOOS: ${{ matrix.goos }}
         GOARCH: ${{ matrix.goarch }}
         CGO_ENABLED: "0"
-    - name: Tidy cache
-      shell: bash
-      run: |
-        find $(go env GOCACHE) -type f -mmin +90 -delete
-        find $(go env GOMODCACHE)/cache -type f -mmin +90 -delete
 
   ios: # similar to cross above, but iOS can't build most of the repo. So, just
        #make it build a few smoke packages.
@@ -333,7 +325,7 @@ jobs:
     - name: checkout
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Restore Cache
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
       with:
         # Note: unlike the other setups, this is only grabbing the mod download
         # cache, rather than the whole mod directory, as the download cache
@@ -356,11 +348,6 @@ jobs:
         GOARCH: ${{ matrix.goarch }}
         GOARM: ${{ matrix.goarm }}
         CGO_ENABLED: "0"
-    - name: Tidy cache
-      shell: bash
-      run: |
-        find $(go env GOCACHE) -type f -mmin +90 -delete
-        find $(go env GOMODCACHE)/cache -type f -mmin +90 -delete
 
   android:
     # similar to cross above, but android fails to build a few pieces of the
@@ -386,7 +373,7 @@ jobs:
     - name: checkout
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Restore Cache
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
       with:
         # Note: unlike the other setups, this is only grabbing the mod download
         # cache, rather than the whole mod directory, as the download cache
@@ -413,11 +400,6 @@ jobs:
       run: |
         ./tool/go run ./cmd/tsconnect --fast-compression build
         ./tool/go run ./cmd/tsconnect --fast-compression build-pkg
-    - name: Tidy cache
-      shell: bash
-      run: |
-        find $(go env GOCACHE) -type f -mmin +90 -delete
-        find $(go env GOMODCACHE)/cache -type f -mmin +90 -delete
 
   tailscale_go: # Subset of tests that depend on our custom Go toolchain.
     runs-on: ubuntu-22.04
@@ -485,7 +467,7 @@ jobs:
       run: |
         echo "artifacts_path=$(realpath .)" >> $GITHUB_ENV
     - name: upload crash
-      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       if: steps.run.outcome != 'success' && steps.build.outcome == 'success'
       with:
         name: artifacts

.github/workflows/update-flake.yml

@@ -36,7 +36,7 @@ jobs:
           private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
 
       - name: Send pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e #v7.0.8
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f #v7.0.6
         with:
           token: ${{ steps.generate-token.outputs.token }}
           author: Flakes Updater <noreply+flakes-updater@tailscale.com>

.github/workflows/update-webclient-prebuilt.yml

@@ -35,7 +35,7 @@ jobs:
 
       - name: Send pull request
         id: pull-request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e #v7.0.8
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f #v7.0.6
         with:
           token: ${{ steps.generate-token.outputs.token }}
           author: OSS Updater <noreply+oss-updater@tailscale.com>

.golangci.yml

@@ -26,11 +26,16 @@ issues:
 
 # Per-linter settings are contained in this top-level key
 linters-settings:
+  # Enable all rules by default; we don't use invisible unicode runes.
+  bidichk:
+
   gofmt:
     rewrite-rules:
       - pattern: 'interface{}'
         replacement: 'any'
 
+  goimports:
+
   govet:
     # Matches what we use in corp as of 2023-12-07
     enable:
@@ -73,6 +78,8 @@ linters-settings:
           # analyzer doesn't support type declarations
           #- github.com/tailscale/tailscale/types/logger.Logf
 
+  misspell:
+
   revive:
     enable-all-rules: false
     ignore-generated-header: true

Dockerfile

@@ -27,7 +27,7 @@
 #     $ docker exec tailscaled tailscale status
 
 
-FROM golang:1.24-alpine AS build-env
+FROM golang:1.23-alpine AS build-env
 
 WORKDIR /go/src/tailscale
 

appc/appconnector.go

@@ -289,11 +289,9 @@ func (e *AppConnector) updateDomains(domains []string) {
 				toRemove = append(toRemove, netip.PrefixFrom(a, a.BitLen()))
 			}
 		}
-		e.queue.Add(func() {
-			if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
-				e.logf("failed to unadvertise routes on domain removal: %v: %v: %v", slicesx.MapKeys(oldDomains), toRemove, err)
-			}
-		})
+		if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
+			e.logf("failed to unadvertise routes on domain removal: %v: %v: %v", slicesx.MapKeys(oldDomains), toRemove, err)
+		}
 	}
 
 	e.logf("handling domains: %v and wildcards: %v", slicesx.MapKeys(e.domains), e.wildcards)
@@ -312,6 +310,11 @@ func (e *AppConnector) updateRoutes(routes []netip.Prefix) {
 		return
 	}
 
+	if err := e.routeAdvertiser.AdvertiseRoute(routes...); err != nil {
+		e.logf("failed to advertise routes: %v: %v", routes, err)
+		return
+	}
+
 	var toRemove []netip.Prefix
 
 	// If we're storing routes and know e.controlRoutes is a good
@@ -335,14 +338,9 @@ nextRoute:
 		}
 	}
 
-	e.queue.Add(func() {
-		if err := e.routeAdvertiser.AdvertiseRoute(routes...); err != nil {
-			e.logf("failed to advertise routes: %v: %v", routes, err)
-		}
-		if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
-			e.logf("failed to unadvertise routes: %v: %v", toRemove, err)
-		}
-	})
+	if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
+		e.logf("failed to unadvertise routes: %v: %v", toRemove, err)
+	}
 
 	e.controlRoutes = routes
 	if err := e.storeRoutesLocked(); err != nil {

appc/appconnector_test.go

@@ -8,7 +8,6 @@ import (
 	"net/netip"
 	"reflect"
 	"slices"
-	"sync/atomic"
 	"testing"
 	"time"
 
@@ -87,7 +86,6 @@ func TestUpdateRoutes(t *testing.T) {
 
 		routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24"), netip.MustParsePrefix("192.0.0.1/32")}
 		a.updateRoutes(routes)
-		a.Wait(ctx)
 
 		slices.SortFunc(rc.Routes(), prefixCompare)
 		rc.SetRoutes(slices.Compact(rc.Routes()))
@@ -107,7 +105,6 @@ func TestUpdateRoutes(t *testing.T) {
 }
 
 func TestUpdateRoutesUnadvertisesContainedRoutes(t *testing.T) {
-	ctx := context.Background()
 	for _, shouldStore := range []bool{false, true} {
 		rc := &appctest.RouteCollector{}
 		var a *AppConnector
@@ -120,7 +117,6 @@ func TestUpdateRoutesUnadvertisesContainedRoutes(t *testing.T) {
 		rc.SetRoutes([]netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
 		routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")}
 		a.updateRoutes(routes)
-		a.Wait(ctx)
 
 		if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
 			t.Fatalf("got %v, want %v", rc.Routes(), routes)
@@ -640,57 +636,3 @@ func TestMetricBucketsAreSorted(t *testing.T) {
 		t.Errorf("metricStoreRoutesNBuckets must be in order")
 	}
 }
-
-// TestUpdateRoutesDeadlock is a regression test for a deadlock in
-// LocalBackend<->AppConnector interaction. When using real LocalBackend as the
-// routeAdvertiser, calls to Advertise/UnadvertiseRoutes can end up calling
-// back into AppConnector via authReconfig. If everything is called
-// synchronously, this results in a deadlock on AppConnector.mu.
-func TestUpdateRoutesDeadlock(t *testing.T) {
-	ctx := context.Background()
-	rc := &appctest.RouteCollector{}
-	a := NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-
-	advertiseCalled := new(atomic.Bool)
-	unadvertiseCalled := new(atomic.Bool)
-	rc.AdvertiseCallback = func() {
-		// Call something that requires a.mu to be held.
-		a.DomainRoutes()
-		advertiseCalled.Store(true)
-	}
-	rc.UnadvertiseCallback = func() {
-		// Call something that requires a.mu to be held.
-		a.DomainRoutes()
-		unadvertiseCalled.Store(true)
-	}
-
-	a.updateDomains([]string{"example.com"})
-	a.Wait(ctx)
-
-	// Trigger rc.AdveriseRoute.
-	a.updateRoutes(
-		[]netip.Prefix{
-			netip.MustParsePrefix("127.0.0.1/32"),
-			netip.MustParsePrefix("127.0.0.2/32"),
-		},
-	)
-	a.Wait(ctx)
-	// Trigger rc.UnadveriseRoute.
-	a.updateRoutes(
-		[]netip.Prefix{
-			netip.MustParsePrefix("127.0.0.1/32"),
-		},
-	)
-	a.Wait(ctx)
-
-	if !advertiseCalled.Load() {
-		t.Error("AdvertiseRoute was not called")
-	}
-	if !unadvertiseCalled.Load() {
-		t.Error("UnadvertiseRoute was not called")
-	}
-
-	if want := []netip.Prefix{netip.MustParsePrefix("127.0.0.1/32")}; !slices.Equal(slices.Compact(rc.Routes()), want) {
-		t.Fatalf("got %v, want %v", rc.Routes(), want)
-	}
-}

appc/appctest/appctest.go

@@ -11,22 +11,12 @@ import (
 
 // RouteCollector is a test helper that collects the list of routes advertised
 type RouteCollector struct {
-	// AdvertiseCallback (optional) is called synchronously from
-	// AdvertiseRoute.
-	AdvertiseCallback func()
-	// UnadvertiseCallback (optional) is called synchronously from
-	// UnadvertiseRoute.
-	UnadvertiseCallback func()
-
 	routes        []netip.Prefix
 	removedRoutes []netip.Prefix
 }
 
 func (rc *RouteCollector) AdvertiseRoute(pfx ...netip.Prefix) error {
 	rc.routes = append(rc.routes, pfx...)
-	if rc.AdvertiseCallback != nil {
-		rc.AdvertiseCallback()
-	}
 	return nil
 }
 
@@ -40,9 +30,6 @@ func (rc *RouteCollector) UnadvertiseRoute(toRemove ...netip.Prefix) error {
 			rc.removedRoutes = append(rc.removedRoutes, r)
 		}
 	}
-	if rc.UnadvertiseCallback != nil {
-		rc.UnadvertiseCallback()
-	}
 	return nil
 }
 

client/systray/systray.go

@@ -26,9 +26,9 @@ import (
 	"github.com/atotto/clipboard"
 	dbus "github.com/godbus/dbus/v5"
 	"github.com/toqueteos/webbrowser"
-	"tailscale.com/client/local"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/localclient/tailscale"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/slicesx"
 	"tailscale.com/util/stringsx"
@@ -67,16 +67,11 @@ func (menu *Menu) Run() {
 type Menu struct {
 	mu sync.Mutex // protects the entire Menu
 
-	lc          local.Client
+	lc          tailscale.LocalClient
 	status      *ipnstate.Status
 	curProfile  ipn.LoginProfile
 	allProfiles []ipn.LoginProfile
 
-	// readonly is whether the systray app is running in read-only mode.
-	// This is set if LocalAPI returns a permission error,
-	// typically because the user needs to run `tailscale set --operator=$USER`.
-	readonly bool
-
 	bgCtx    context.Context // ctx for background tasks not involving menu item clicks
 	bgCancel context.CancelFunc
 
@@ -158,8 +153,6 @@ func (menu *Menu) updateState() {
 	defer menu.mu.Unlock()
 	menu.init()
 
-	menu.readonly = false
-
 	var err error
 	menu.status, err = menu.lc.Status(menu.bgCtx)
 	if err != nil {
@@ -167,9 +160,6 @@ func (menu *Menu) updateState() {
 	}
 	menu.curProfile, menu.allProfiles, err = menu.lc.ProfileStatus(menu.bgCtx)
 	if err != nil {
-		if local.IsAccessDeniedError(err) {
-			menu.readonly = true
-		}
 		log.Print(err)
 	}
 }
@@ -192,15 +182,6 @@ func (menu *Menu) rebuild() {
 
 	systray.ResetMenu()
 
-	if menu.readonly {
-		const readonlyMsg = "No permission to manage Tailscale.\nSee tailscale.com/s/cli-operator"
-		m := systray.AddMenuItem(readonlyMsg, "")
-		onClick(ctx, m, func(_ context.Context) {
-			webbrowser.Open("https://tailscale.com/s/cli-operator")
-		})
-		systray.AddSeparator()
-	}
-
 	menu.connect = systray.AddMenuItem("Connect", "")
 	menu.disconnect = systray.AddMenuItem("Disconnect", "")
 	menu.disconnect.Hide()
@@ -241,35 +222,28 @@ func (menu *Menu) rebuild() {
 		setAppIcon(disconnected)
 	}
 
-	if menu.readonly {
-		menu.connect.Disable()
-		menu.disconnect.Disable()
-	}
-
 	account := "Account"
 	if pt := profileTitle(menu.curProfile); pt != "" {
 		account = pt
 	}
-	if !menu.readonly {
-		accounts := systray.AddMenuItem(account, "")
-		setRemoteIcon(accounts, menu.curProfile.UserProfile.ProfilePicURL)
-		time.Sleep(newMenuDelay)
-		for _, profile := range menu.allProfiles {
-			title := profileTitle(profile)
-			var item *systray.MenuItem
-			if profile.ID == menu.curProfile.ID {
-				item = accounts.AddSubMenuItemCheckbox(title, "", true)
-			} else {
-				item = accounts.AddSubMenuItem(title, "")
-			}
-			setRemoteIcon(item, profile.UserProfile.ProfilePicURL)
-			onClick(ctx, item, func(ctx context.Context) {
-				select {
-				case <-ctx.Done():
-				case menu.accountsCh <- profile.ID:
-				}
-			})
+	accounts := systray.AddMenuItem(account, "")
+	setRemoteIcon(accounts, menu.curProfile.UserProfile.ProfilePicURL)
+	time.Sleep(newMenuDelay)
+	for _, profile := range menu.allProfiles {
+		title := profileTitle(profile)
+		var item *systray.MenuItem
+		if profile.ID == menu.curProfile.ID {
+			item = accounts.AddSubMenuItemCheckbox(title, "", true)
+		} else {
+			item = accounts.AddSubMenuItem(title, "")
 		}
+		setRemoteIcon(item, profile.UserProfile.ProfilePicURL)
+		onClick(ctx, item, func(ctx context.Context) {
+			select {
+			case <-ctx.Done():
+			case menu.accountsCh <- profile.ID:
+			}
+		})
 	}
 
 	if menu.status != nil && menu.status.Self != nil && len(menu.status.Self.TailscaleIPs) > 0 {
@@ -281,9 +255,7 @@ func (menu *Menu) rebuild() {
 	}
 	systray.AddSeparator()
 
-	if !menu.readonly {
-		menu.rebuildExitNodeMenu(ctx)
-	}
+	menu.rebuildExitNodeMenu(ctx)
 
 	if menu.status != nil {
 		menu.more = systray.AddMenuItem("More settings", "")

client/tailscale/acl.go

@@ -12,7 +12,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/netip"
-	"net/url"
 )
 
 // ACLRow defines a rule that grants access by a set of users or groups to a set
@@ -84,7 +83,7 @@ func (c *Client) ACL(ctx context.Context) (acl *ACL, err error) {
 		}
 	}()
 
-	path := c.BuildTailnetURL("acl")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -98,7 +97,7 @@ func (c *Client) ACL(ctx context.Context) (acl *ACL, err error) {
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 
 	// Otherwise, try to decode the response.
@@ -127,7 +126,7 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 		}
 	}()
 
-	path := c.BuildTailnetURL("acl", url.Values{"details": {"1"}})
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl?details=1", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -139,7 +138,7 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 
 	data := struct {
@@ -147,7 +146,7 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 		Warnings []string `json:"warnings"`
 	}{}
 	if err := json.Unmarshal(b, &data); err != nil {
-		return nil, fmt.Errorf("json.Unmarshal %q: %w", b, err)
+		return nil, err
 	}
 
 	acl = &ACLHuJSON{
@@ -185,7 +184,7 @@ func (e ACLTestError) Error() string {
 }
 
 func (c *Client) aclPOSTRequest(ctx context.Context, body []byte, avoidCollisions bool, etag, acceptHeader string) ([]byte, string, error) {
-	path := c.BuildTailnetURL("acl")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
 	if err != nil {
 		return nil, "", err
@@ -329,7 +328,7 @@ type ACLPreview struct {
 }
 
 func (c *Client) previewACLPostRequest(ctx context.Context, body []byte, previewType string, previewFor string) (res *ACLPreviewResponse, err error) {
-	path := c.BuildTailnetURL("acl", "preview")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/preview", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
 	if err != nil {
 		return nil, err
@@ -351,7 +350,7 @@ func (c *Client) previewACLPostRequest(ctx context.Context, body []byte, preview
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 	if err = json.Unmarshal(b, &res); err != nil {
 		return nil, err
@@ -489,7 +488,7 @@ func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (test
 		return nil, err
 	}
 
-	path := c.BuildTailnetURL("acl", "validate")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/validate", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(postData))
 	if err != nil {
 		return nil, err

client/tailscale/devices.go

@@ -79,13 +79,6 @@ type Device struct {
 	// Tailscale have attempted to collect this from the device but it has not
 	// opted in, PostureIdentity will have Disabled=true.
 	PostureIdentity *DevicePostureIdentity `json:"postureIdentity"`
-
-	// TailnetLockKey is the tailnet lock public key of the node as a hex string.
-	TailnetLockKey string `json:"tailnetLockKey,omitempty"`
-
-	// TailnetLockErr indicates an issue with the tailnet lock node-key signature
-	// on this device. This field is only populated when tailnet lock is enabled.
-	TailnetLockErr string `json:"tailnetLockError,omitempty"`
 }
 
 type DevicePostureIdentity struct {
@@ -138,7 +131,7 @@ func (c *Client) Devices(ctx context.Context, fields *DeviceFieldsOpts) (deviceL
 		}
 	}()
 
-	path := c.BuildTailnetURL("devices")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/devices", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -156,7 +149,7 @@ func (c *Client) Devices(ctx context.Context, fields *DeviceFieldsOpts) (deviceL
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 
 	var devices GetDevicesResponse
@@ -195,7 +188,7 @@ func (c *Client) Device(ctx context.Context, deviceID string, fields *DeviceFiel
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 
 	err = json.Unmarshal(b, &device)
@@ -228,7 +221,7 @@ func (c *Client) DeleteDevice(ctx context.Context, deviceID string) (err error)
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return HandleErrorResponse(b, resp)
+		return handleErrorResponse(b, resp)
 	}
 	return nil
 }
@@ -260,7 +253,7 @@ func (c *Client) SetAuthorized(ctx context.Context, deviceID string, authorized
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return HandleErrorResponse(b, resp)
+		return handleErrorResponse(b, resp)
 	}
 
 	return nil
@@ -288,7 +281,7 @@ func (c *Client) SetTags(ctx context.Context, deviceID string, tags []string) er
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return HandleErrorResponse(b, resp)
+		return handleErrorResponse(b, resp)
 	}
 
 	return nil

client/tailscale/dns.go

@@ -12,7 +12,7 @@ import (
 	"fmt"
 	"net/http"
 
-	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/localclient/tailscale/apitype"
 )
 
 // DNSNameServers is returned when retrieving the list of nameservers.
@@ -44,7 +44,7 @@ type DNSPreferences struct {
 }
 
 func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, error) {
-	path := c.BuildTailnetURL("dns", endpoint)
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -57,14 +57,14 @@ func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, er
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 
 	return b, nil
 }
 
 func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData any) ([]byte, error) {
-	path := c.BuildTailnetURL("dns", endpoint)
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
 	data, err := json.Marshal(&postData)
 	if err != nil {
 		return nil, err
@@ -84,7 +84,7 @@ func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData a
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 
 	return b, nil

client/tailscale/example/servetls/servetls.go

@@ -11,14 +11,13 @@ import (
 	"log"
 	"net/http"
 
-	"tailscale.com/client/local"
+	"tailscale.com/localclient/tailscale"
 )
 
 func main() {
-	var lc local.Client
 	s := &http.Server{
 		TLSConfig: &tls.Config{
-			GetCertificate: lc.GetCertificate,
+			GetCertificate: tailscale.GetCertificate,
 		},
 		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			io.WriteString(w, "<h1>Hello from Tailscale!</h1> It works.")

client/tailscale/keys.go

@@ -40,7 +40,7 @@ type KeyDeviceCreateCapabilities struct {
 
 // Keys returns the list of keys for the current user.
 func (c *Client) Keys(ctx context.Context) ([]string, error) {
-	path := c.BuildTailnetURL("keys")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -51,7 +51,7 @@ func (c *Client) Keys(ctx context.Context) ([]string, error) {
 		return nil, err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 
 	var keys struct {
@@ -99,7 +99,7 @@ func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities,
 		return "", nil, err
 	}
 
-	path := c.BuildTailnetURL("keys")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewReader(bs))
 	if err != nil {
 		return "", nil, err
@@ -110,7 +110,7 @@ func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities,
 		return "", nil, err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return "", nil, HandleErrorResponse(b, resp)
+		return "", nil, handleErrorResponse(b, resp)
 	}
 
 	var key struct {
@@ -126,7 +126,7 @@ func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities,
 // Key returns the metadata for the given key ID. Currently, capabilities are
 // only returned for auth keys, API keys only return general metadata.
 func (c *Client) Key(ctx context.Context, id string) (*Key, error) {
-	path := c.BuildTailnetURL("keys", id)
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys/%s", c.baseURL(), c.tailnet, id)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -137,7 +137,7 @@ func (c *Client) Key(ctx context.Context, id string) (*Key, error) {
 		return nil, err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 
 	var key Key
@@ -149,7 +149,7 @@ func (c *Client) Key(ctx context.Context, id string) (*Key, error) {
 
 // DeleteKey deletes the key with the given ID.
 func (c *Client) DeleteKey(ctx context.Context, id string) error {
-	path := c.BuildTailnetURL("keys", id)
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys/%s", c.baseURL(), c.tailnet, id)
 	req, err := http.NewRequestWithContext(ctx, "DELETE", path, nil)
 	if err != nil {
 		return err
@@ -160,7 +160,7 @@ func (c *Client) DeleteKey(ctx context.Context, id string) error {
 		return err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return HandleErrorResponse(b, resp)
+		return handleErrorResponse(b, resp)
 	}
 	return nil
 }

client/tailscale/localclient_aliases.go

@@ -1,106 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package tailscale
-
-import (
-	"context"
-	"crypto/tls"
-
-	"tailscale.com/client/local"
-	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/ipn/ipnstate"
-)
-
-// ErrPeerNotFound is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-var ErrPeerNotFound = local.ErrPeerNotFound
-
-// LocalClient is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-type LocalClient = local.Client
-
-// IPNBusWatcher is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-type IPNBusWatcher = local.IPNBusWatcher
-
-// BugReportOpts is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-type BugReportOpts = local.BugReportOpts
-
-// DebugPortMapOpts is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-type DebugPortmapOpts = local.DebugPortmapOpts
-
-// PingOpts is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-type PingOpts = local.PingOpts
-
-// GetCertificate is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-func GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	return local.GetCertificate(hi)
-}
-
-// SetVersionMismatchHandler is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-func SetVersionMismatchHandler(f func(clientVer, serverVer string)) {
-	local.SetVersionMismatchHandler(f)
-}
-
-// IsAccessDeniedError is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-func IsAccessDeniedError(err error) bool {
-	return local.IsAccessDeniedError(err)
-}
-
-// IsPreconditionsFailedError is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-func IsPreconditionsFailedError(err error) bool {
-	return local.IsPreconditionsFailedError(err)
-}
-
-// WhoIs is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-func WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
-	return local.WhoIs(ctx, remoteAddr)
-}
-
-// Status is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-func Status(ctx context.Context) (*ipnstate.Status, error) {
-	return local.Status(ctx)
-}
-
-// StatusWithoutPeers is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-func StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
-	return local.StatusWithoutPeers(ctx)
-}
-
-// CertPair is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-func CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
-	return local.CertPair(ctx, domain)
-}
-
-// ExpandSNIName is an alias for tailscale.com/client/local.
-//
-// Deprecated: import tailscale.com/client/local instead.
-func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
-	return local.ExpandSNIName(ctx, name)
-}

client/tailscale/localclient_stub.go

@@ -0,0 +1,7 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package tailscale
+
+// LocalClient has moved to tailscale.com/localclient/tailscale.
+type LocalClient struct{}

client/tailscale/routes.go

@@ -44,7 +44,7 @@ func (c *Client) Routes(ctx context.Context, deviceID string) (routes *Routes, e
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 
 	var sr Routes
@@ -84,7 +84,7 @@ func (c *Client) SetRoutes(ctx context.Context, deviceID string, subnets []netip
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 
 	var srr *Routes

client/tailscale/tailnet.go

@@ -9,6 +9,7 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"net/url"
 
 	"tailscale.com/util/httpm"
 )
@@ -21,7 +22,7 @@ func (c *Client) TailnetDeleteRequest(ctx context.Context, tailnetID string) (er
 		}
 	}()
 
-	path := c.BuildTailnetURL("tailnet")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s", c.baseURL(), url.PathEscape(string(tailnetID)))
 	req, err := http.NewRequestWithContext(ctx, httpm.DELETE, path, nil)
 	if err != nil {
 		return err
@@ -34,7 +35,7 @@ func (c *Client) TailnetDeleteRequest(ctx context.Context, tailnetID string) (er
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		return HandleErrorResponse(b, resp)
+		return handleErrorResponse(b, resp)
 	}
 
 	return nil

client/tailscale/tailscale.go

@@ -5,10 +5,8 @@
 
 // Package tailscale contains a Go client for the Tailscale control plane API.
 //
-// This package is only intended for internal and transitional use.
-//
-// Deprecated: the official control plane client is available at
-// tailscale.com/client/tailscale/v2.
+// Deprecated: This package is no longer maintained. Use
+// tailscale.com/client/tailscale/v2 instead.
 package tailscale
 
 import (
@@ -17,12 +15,13 @@ import (
 	"fmt"
 	"io"
 	"net/http"
-	"net/url"
-	"path"
 )
 
 // I_Acknowledge_This_API_Is_Unstable must be set true to use this package
-// for now. This package is being replaced by tailscale.com/client/tailscale/v2.
+// for now. It was added 2022-04-29 when it was moved to this git repo
+// and will be removed when the public API has settled.
+//
+// TODO(bradfitz): remove this after the we're happy with the public API.
 var I_Acknowledge_This_API_Is_Unstable = false
 
 // TODO: use url.PathEscape() for deviceID and tailnets when constructing requests.
@@ -65,46 +64,6 @@ func (c *Client) httpClient() *http.Client {
 	return http.DefaultClient
 }
 
-// BuildURL builds a url to http(s)://<apiserver>/api/v2/<slash-separated-pathElements>
-// using the given pathElements. It url escapes each path element, so the
-// caller doesn't need to worry about that. The last item of pathElements can
-// be of type url.Values to add a query string to the URL.
-//
-// For example, BuildURL(devices, 5) with the default server URL would result in
-// https://api.tailscale.com/api/v2/devices/5.
-func (c *Client) BuildURL(pathElements ...any) string {
-	elem := make([]string, 1, len(pathElements)+1)
-	elem[0] = "/api/v2"
-	var query string
-	for i, pathElement := range pathElements {
-		if uv, ok := pathElement.(url.Values); ok && i == len(pathElements)-1 {
-			query = uv.Encode()
-		} else {
-			elem = append(elem, url.PathEscape(fmt.Sprint(pathElement)))
-		}
-	}
-	url := c.baseURL() + path.Join(elem...)
-	if query != "" {
-		url += "?" + query
-	}
-	return url
-}
-
-// BuildTailnetURL builds a url to http(s)://<apiserver>/api/v2/tailnet/<tailnet>/<slash-separated-pathElements>
-// using the given pathElements. It url escapes each path element, so the
-// caller doesn't need to worry about that. The last item of pathElements can
-// be of type url.Values to add a query string to the URL.
-//
-// For example, BuildTailnetURL(policy, validate) with the default server URL and a tailnet of "example.com"
-// would result in https://api.tailscale.com/api/v2/tailnet/example.com/policy/validate.
-func (c *Client) BuildTailnetURL(pathElements ...any) string {
-	allElements := make([]any, 2, len(pathElements)+2)
-	allElements[0] = "tailnet"
-	allElements[1] = c.tailnet
-	allElements = append(allElements, pathElements...)
-	return c.BuildURL(allElements...)
-}
-
 func (c *Client) baseURL() string {
 	if c.BaseURL != "" {
 		return c.BaseURL
@@ -140,8 +99,6 @@ func (c *Client) setAuth(r *http.Request) {
 // If httpClient is nil, then http.DefaultClient is used.
 // "api.tailscale.com" is set as the BaseURL for the returned client
 // and can be changed manually by the user.
-//
-// Deprecated: use tailscale.com/client/tailscale/v2 instead.
 func NewClient(tailnet string, auth AuthMethod) *Client {
 	return &Client{
 		tailnet:   tailnet,
@@ -192,14 +149,12 @@ func (e ErrResponse) Error() string {
 	return fmt.Sprintf("Status: %d, Message: %q", e.Status, e.Message)
 }
 
-// HandleErrorResponse decodes the error message from the server and returns
+// handleErrorResponse decodes the error message from the server and returns
 // an ErrResponse from it.
-//
-// Deprecated: use tailscale.com/client/tailscale/v2 instead.
-func HandleErrorResponse(b []byte, resp *http.Response) error {
+func handleErrorResponse(b []byte, resp *http.Response) error {
 	var errResp ErrResponse
 	if err := json.Unmarshal(b, &errResp); err != nil {
-		return fmt.Errorf("json.Unmarshal %q: %w", b, err)
+		return err
 	}
 	errResp.Status = resp.StatusCode
 	return errResp

client/tailscale/tailscale_test.go

@@ -1,86 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package tailscale
-
-import (
-	"net/url"
-	"testing"
-)
-
-func TestClientBuildURL(t *testing.T) {
-	c := Client{BaseURL: "http://127.0.0.1:1234"}
-	for _, tt := range []struct {
-		desc     string
-		elements []any
-		want     string
-	}{
-		{
-			desc:     "single-element",
-			elements: []any{"devices"},
-			want:     "http://127.0.0.1:1234/api/v2/devices",
-		},
-		{
-			desc:     "multiple-elements",
-			elements: []any{"tailnet", "example.com"},
-			want:     "http://127.0.0.1:1234/api/v2/tailnet/example.com",
-		},
-		{
-			desc:     "escape-element",
-			elements: []any{"tailnet", "example dot com?foo=bar"},
-			want:     `http://127.0.0.1:1234/api/v2/tailnet/example%20dot%20com%3Ffoo=bar`,
-		},
-		{
-			desc:     "url.Values",
-			elements: []any{"tailnet", "example.com", "acl", url.Values{"details": {"1"}}},
-			want:     `http://127.0.0.1:1234/api/v2/tailnet/example.com/acl?details=1`,
-		},
-	} {
-		t.Run(tt.desc, func(t *testing.T) {
-			got := c.BuildURL(tt.elements...)
-			if got != tt.want {
-				t.Errorf("got %q, want %q", got, tt.want)
-			}
-		})
-	}
-}
-
-func TestClientBuildTailnetURL(t *testing.T) {
-	c := Client{
-		BaseURL: "http://127.0.0.1:1234",
-		tailnet: "example.com",
-	}
-	for _, tt := range []struct {
-		desc     string
-		elements []any
-		want     string
-	}{
-		{
-			desc:     "single-element",
-			elements: []any{"devices"},
-			want:     "http://127.0.0.1:1234/api/v2/tailnet/example.com/devices",
-		},
-		{
-			desc:     "multiple-elements",
-			elements: []any{"devices", 123},
-			want:     "http://127.0.0.1:1234/api/v2/tailnet/example.com/devices/123",
-		},
-		{
-			desc:     "escape-element",
-			elements: []any{"foo bar?baz=qux"},
-			want:     `http://127.0.0.1:1234/api/v2/tailnet/example.com/foo%20bar%3Fbaz=qux`,
-		},
-		{
-			desc:     "url.Values",
-			elements: []any{"acl", url.Values{"details": {"1"}}},
-			want:     `http://127.0.0.1:1234/api/v2/tailnet/example.com/acl?details=1`,
-		},
-	} {
-		t.Run(tt.desc, func(t *testing.T) {
-			got := c.BuildTailnetURL(tt.elements...)
-			if got != tt.want {
-				t.Errorf("got %q, want %q", got, tt.want)
-			}
-		})
-	}
-}

client/web/auth.go

@@ -15,8 +15,8 @@ import (
 	"strings"
 	"time"
 
-	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/localclient/tailscale/apitype"
 	"tailscale.com/tailcfg"
 )
 

client/web/web.go

@@ -22,8 +22,6 @@ import (
 	"time"
 
 	"github.com/gorilla/csrf"
-	"tailscale.com/client/local"
-	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/clientupdate"
 	"tailscale.com/envknob"
 	"tailscale.com/envknob/featureknob"
@@ -31,6 +29,8 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/licenses"
+	"tailscale.com/localclient/tailscale"
+	"tailscale.com/localclient/tailscale/apitype"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
@@ -50,7 +50,7 @@ type Server struct {
 	mode ServerMode
 
 	logf    logger.Logf
-	lc      *local.Client
+	lc      *tailscale.LocalClient
 	timeNow func() time.Time
 
 	// devMode indicates that the server run with frontend assets
@@ -125,9 +125,9 @@ type ServerOpts struct {
 	// PathPrefix is the URL prefix added to requests by CGI or reverse proxy.
 	PathPrefix string
 
-	// LocalClient is the local.Client to use for this web server.
+	// LocalClient is the tailscale.LocalClient to use for this web server.
 	// If nil, a new one will be created.
-	LocalClient *local.Client
+	LocalClient *tailscale.LocalClient
 
 	// TimeNow optionally provides a time function.
 	// time.Now is used as default.
@@ -166,7 +166,7 @@ func NewServer(opts ServerOpts) (s *Server, err error) {
 		return nil, fmt.Errorf("invalid Mode provided")
 	}
 	if opts.LocalClient == nil {
-		opts.LocalClient = &local.Client{}
+		opts.LocalClient = &tailscale.LocalClient{}
 	}
 	s = &Server{
 		mode:        opts.Mode,
@@ -203,9 +203,35 @@ func NewServer(opts ServerOpts) (s *Server, err error) {
 	}
 	s.assetsHandler, s.assetsCleanup = assetsHandler(s.devMode)
 
-	var metric string
-	s.apiHandler, metric = s.modeAPIHandler(s.mode)
-	s.apiHandler = s.withCSRF(s.apiHandler)
+	var metric string // clientmetric to report on startup
+
+	// Create handler for "/api" requests with CSRF protection.
+	// We don't require secure cookies, since the web client is regularly used
+	// on network appliances that are served on local non-https URLs.
+	// The client is secured by limiting the interface it listens on,
+	// or by authenticating requests before they reach the web client.
+	csrfProtect := csrf.Protect(s.csrfKey(), csrf.Secure(false))
+
+	// signal to the CSRF middleware that the request is being served over
+	// plaintext HTTP to skip TLS-only header checks.
+	withSetPlaintext := func(h http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			r = csrf.PlaintextHTTPRequest(r)
+			h.ServeHTTP(w, r)
+		})
+	}
+
+	switch s.mode {
+	case LoginServerMode:
+		s.apiHandler = csrfProtect(withSetPlaintext(http.HandlerFunc(s.serveLoginAPI)))
+		metric = "web_login_client_initialization"
+	case ReadOnlyServerMode:
+		s.apiHandler = csrfProtect(withSetPlaintext(http.HandlerFunc(s.serveLoginAPI)))
+		metric = "web_readonly_client_initialization"
+	case ManageServerMode:
+		s.apiHandler = csrfProtect(withSetPlaintext(http.HandlerFunc(s.serveAPI)))
+		metric = "web_client_initialization"
+	}
 
 	// Don't block startup on reporting metric.
 	// Report in separate go routine with 5 second timeout.
@@ -218,39 +244,6 @@ func NewServer(opts ServerOpts) (s *Server, err error) {
 	return s, nil
 }
 
-func (s *Server) withCSRF(h http.Handler) http.Handler {
-	csrfProtect := csrf.Protect(s.csrfKey(), csrf.Secure(false))
-
-	// ref https://github.com/tailscale/tailscale/pull/14822
-	// signal to the CSRF middleware that the request is being served over
-	// plaintext HTTP to skip TLS-only header checks.
-	withSetPlaintext := func(h http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			r = csrf.PlaintextHTTPRequest(r)
-			h.ServeHTTP(w, r)
-		})
-	}
-
-	// NB: the order of the withSetPlaintext and csrfProtect calls is important
-	// to ensure that we signal to the CSRF middleware that the request is being
-	// served over plaintext HTTP and not over TLS as it presumes by default.
-	return withSetPlaintext(csrfProtect(h))
-}
-
-func (s *Server) modeAPIHandler(mode ServerMode) (http.Handler, string) {
-	switch mode {
-	case LoginServerMode:
-		return http.HandlerFunc(s.serveLoginAPI), "web_login_client_initialization"
-	case ReadOnlyServerMode:
-		return http.HandlerFunc(s.serveLoginAPI), "web_readonly_client_initialization"
-	case ManageServerMode:
-		return http.HandlerFunc(s.serveAPI), "web_client_initialization"
-	default: // invalid mode
-		log.Fatalf("invalid mode: %v", mode)
-	}
-	return nil, ""
-}
-
 func (s *Server) Shutdown() {
 	s.logf("web.Server: shutting down")
 	if s.assetsCleanup != nil {
@@ -335,8 +328,7 @@ func (s *Server) requireTailscaleIP(w http.ResponseWriter, r *http.Request) (han
 		ipv6ServiceHost = "[" + tsaddr.TailscaleServiceIPv6String + "]"
 	)
 	// allow requests on quad-100 (or ipv6 equivalent)
-	host := strings.TrimSuffix(r.Host, ":80")
-	if host == ipv4ServiceHost || host == ipv6ServiceHost {
+	if r.Host == ipv4ServiceHost || r.Host == ipv6ServiceHost {
 		return false
 	}
 

client/web/web_test.go

@@ -11,7 +11,6 @@ import (
 	"fmt"
 	"io"
 	"net/http"
-	"net/http/cookiejar"
 	"net/http/httptest"
 	"net/netip"
 	"net/url"
@@ -21,11 +20,10 @@ import (
 	"time"
 
 	"github.com/google/go-cmp/cmp"
-	"github.com/gorilla/csrf"
-	"tailscale.com/client/local"
-	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/localclient/tailscale"
+	"tailscale.com/localclient/tailscale/apitype"
 	"tailscale.com/net/memnet"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/views"
@@ -122,7 +120,7 @@ func TestServeAPI(t *testing.T) {
 
 	s := &Server{
 		mode:    ManageServerMode,
-		lc:      &local.Client{Dial: lal.Dial},
+		lc:      &tailscale.LocalClient{Dial: lal.Dial},
 		timeNow: time.Now,
 	}
 
@@ -290,7 +288,7 @@ func TestGetTailscaleBrowserSession(t *testing.T) {
 
 	s := &Server{
 		timeNow: time.Now,
-		lc:      &local.Client{Dial: lal.Dial},
+		lc:      &tailscale.LocalClient{Dial: lal.Dial},
 	}
 
 	// Add some browser sessions to cache state.
@@ -459,7 +457,7 @@ func TestAuthorizeRequest(t *testing.T) {
 
 	s := &Server{
 		mode:    ManageServerMode,
-		lc:      &local.Client{Dial: lal.Dial},
+		lc:      &tailscale.LocalClient{Dial: lal.Dial},
 		timeNow: time.Now,
 	}
 	validCookie := "ts-cookie"
@@ -574,7 +572,7 @@ func TestServeAuth(t *testing.T) {
 
 	s := &Server{
 		mode:        ManageServerMode,
-		lc:          &local.Client{Dial: lal.Dial},
+		lc:          &tailscale.LocalClient{Dial: lal.Dial},
 		timeNow:     func() time.Time { return timeNow },
 		newAuthURL:  mockNewAuthURL,
 		waitAuthURL: mockWaitAuthURL,
@@ -916,7 +914,7 @@ func TestServeAPIAuthMetricLogging(t *testing.T) {
 
 	s := &Server{
 		mode:        ManageServerMode,
-		lc:          &local.Client{Dial: lal.Dial},
+		lc:          &tailscale.LocalClient{Dial: lal.Dial},
 		timeNow:     func() time.Time { return timeNow },
 		newAuthURL:  mockNewAuthURL,
 		waitAuthURL: mockWaitAuthURL,
@@ -1128,7 +1126,7 @@ func TestRequireTailscaleIP(t *testing.T) {
 
 	s := &Server{
 		mode:    ManageServerMode,
-		lc:      &local.Client{Dial: lal.Dial},
+		lc:      &tailscale.LocalClient{Dial: lal.Dial},
 		timeNow: time.Now,
 		logf:    t.Logf,
 	}
@@ -1177,16 +1175,6 @@ func TestRequireTailscaleIP(t *testing.T) {
 			target:      "http://[fd7a:115c:a1e0::53]/",
 			wantHandled: false,
 		},
-		{
-			name:        "quad-100:80",
-			target:      "http://100.100.100.100:80/",
-			wantHandled: false,
-		},
-		{
-			name:        "ipv6-service-addr:80",
-			target:      "http://[fd7a:115c:a1e0::53]:80/",
-			wantHandled: false,
-		},
 	}
 
 	for _, tt := range tests {
@@ -1489,83 +1477,3 @@ func mockWaitAuthURL(_ context.Context, id string, src tailcfg.NodeID) (*tailcfg
 		return nil, errors.New("unknown id")
 	}
 }
-
-func TestCSRFProtect(t *testing.T) {
-	s := &Server{}
-
-	mux := http.NewServeMux()
-	mux.HandleFunc("GET /test/csrf-token", func(w http.ResponseWriter, r *http.Request) {
-		token := csrf.Token(r)
-		_, err := io.WriteString(w, token)
-		if err != nil {
-			t.Fatal(err)
-		}
-	})
-	mux.HandleFunc("POST /test/csrf-protected", func(w http.ResponseWriter, r *http.Request) {
-		_, err := io.WriteString(w, "ok")
-		if err != nil {
-			t.Fatal(err)
-		}
-	})
-	h := s.withCSRF(mux)
-	ser := httptest.NewServer(h)
-	defer ser.Close()
-
-	jar, err := cookiejar.New(nil)
-	if err != nil {
-		t.Fatalf("unable to construct cookie jar: %v", err)
-	}
-
-	client := ser.Client()
-	client.Jar = jar
-
-	// make GET request to populate cookie jar
-	resp, err := client.Get(ser.URL + "/test/csrf-token")
-	if err != nil {
-		t.Fatalf("unable to make request: %v", err)
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		t.Fatalf("unexpected status: %v", resp.Status)
-	}
-	tokenBytes, err := io.ReadAll(resp.Body)
-	if err != nil {
-		t.Fatalf("unable to read body: %v", err)
-	}
-
-	csrfToken := strings.TrimSpace(string(tokenBytes))
-	if csrfToken == "" {
-		t.Fatal("empty csrf token")
-	}
-
-	// make a POST request without the CSRF header; ensure it fails
-	resp, err = client.Post(ser.URL+"/test/csrf-protected", "text/plain", nil)
-	if err != nil {
-		t.Fatalf("unable to make request: %v", err)
-	}
-	if resp.StatusCode != http.StatusForbidden {
-		t.Fatalf("unexpected status: %v", resp.Status)
-	}
-
-	// make a POST request with the CSRF header; ensure it succeeds
-	req, err := http.NewRequest("POST", ser.URL+"/test/csrf-protected", nil)
-	if err != nil {
-		t.Fatalf("error building request: %v", err)
-	}
-	req.Header.Set("X-CSRF-Token", csrfToken)
-	resp, err = client.Do(req)
-	if err != nil {
-		t.Fatalf("unable to make request: %v", err)
-	}
-	if resp.StatusCode != http.StatusOK {
-		t.Fatalf("unexpected status: %v", resp.Status)
-	}
-	defer resp.Body.Close()
-	out, err := io.ReadAll(resp.Body)
-	if err != nil {
-		t.Fatalf("unable to read body: %v", err)
-	}
-	if string(out) != "ok" {
-		t.Fatalf("unexpected body: %q", out)
-	}
-}

clientupdate/clientupdate.go

@@ -27,7 +27,6 @@ import (
 	"strconv"
 	"strings"
 
-	"tailscale.com/hostinfo"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/cmpver"
 	"tailscale.com/version"
@@ -170,12 +169,6 @@ func NewUpdater(args Arguments) (*Updater, error) {
 type updateFunction func() error
 
 func (up *Updater) getUpdateFunction() (fn updateFunction, canAutoUpdate bool) {
-	hi := hostinfo.New()
-	// We don't know how to update custom tsnet binaries, it's up to the user.
-	if hi.Package == "tsnet" {
-		return nil, false
-	}
-
 	switch runtime.GOOS {
 	case "windows":
 		return up.updateWindows, true

cmd/containerboot/certs.go

@@ -1,147 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux
-
-package main
-
-import (
-	"context"
-	"fmt"
-	"log"
-	"net"
-	"sync"
-	"time"
-
-	"tailscale.com/ipn"
-	"tailscale.com/util/goroutines"
-	"tailscale.com/util/mak"
-)
-
-// certManager is responsible for issuing certificates for known domains and for
-// maintaining a loop that re-attempts issuance daily.
-// Currently cert manager logic is only run on ingress ProxyGroup replicas that are responsible for managing certs for
-// HA Ingress HTTPS endpoints ('write' replicas).
-type certManager struct {
-	lc      localClient
-	tracker goroutines.Tracker // tracks running goroutines
-	mu      sync.Mutex         // guards the following
-	// certLoops contains a map of DNS names, for which we currently need to
-	// manage certs to cancel functions that allow stopping a goroutine when
-	// we no longer need to manage certs for the DNS name.
-	certLoops map[string]context.CancelFunc
-}
-
-// ensureCertLoops ensures that, for all currently managed Service HTTPS
-// endpoints, there is a cert loop responsible for issuing and ensuring the
-// renewal of the TLS certs.
-// ServeConfig must not be nil.
-func (cm *certManager) ensureCertLoops(ctx context.Context, sc *ipn.ServeConfig) error {
-	if sc == nil {
-		return fmt.Errorf("[unexpected] ensureCertLoops called with nil ServeConfig")
-	}
-	currentDomains := make(map[string]bool)
-	const httpsPort = "443"
-	for _, service := range sc.Services {
-		for hostPort := range service.Web {
-			domain, port, err := net.SplitHostPort(string(hostPort))
-			if err != nil {
-				return fmt.Errorf("[unexpected] unable to parse HostPort %s", hostPort)
-			}
-			if port != httpsPort { // HA Ingress' HTTP endpoint
-				continue
-			}
-			currentDomains[domain] = true
-		}
-	}
-	cm.mu.Lock()
-	defer cm.mu.Unlock()
-	for domain := range currentDomains {
-		if _, exists := cm.certLoops[domain]; !exists {
-			cancelCtx, cancel := context.WithCancel(ctx)
-			mak.Set(&cm.certLoops, domain, cancel)
-			cm.tracker.Go(func() { cm.runCertLoop(cancelCtx, domain) })
-		}
-	}
-
-	// Stop goroutines for domain names that are no longer in the config.
-	for domain, cancel := range cm.certLoops {
-		if !currentDomains[domain] {
-			cancel()
-			delete(cm.certLoops, domain)
-		}
-	}
-	return nil
-}
-
-// runCertLoop:
-// - calls localAPI certificate endpoint to ensure that certs are issued for the
-// given domain name
-// - calls localAPI certificate endpoint daily to ensure that certs are renewed
-// - if certificate issuance failed retries after an exponential backoff period
-// starting at 1 minute and capped at 24 hours. Reset the backoff once issuance succeeds.
-// Note that renewal check also happens when the node receives an HTTPS request and it is possible that certs get
-// renewed at that point. Renewal here is needed to prevent the shared certs from expiry in edge cases where the 'write'
-// replica does not get any HTTPS requests.
-// https://letsencrypt.org/docs/integration-guide/#retrying-failures
-func (cm *certManager) runCertLoop(ctx context.Context, domain string) {
-	const (
-		normalInterval   = 24 * time.Hour  // regular renewal check
-		initialRetry     = 1 * time.Minute // initial backoff after a failure
-		maxRetryInterval = 24 * time.Hour  // max backoff period
-	)
-	timer := time.NewTimer(0) // fire off timer immediately
-	defer timer.Stop()
-	retryCount := 0
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-timer.C:
-			// We call the certificate endpoint, but don't do anything
-			// with the returned certs here.
-			// The call to the certificate endpoint will ensure that
-			// certs are issued/renewed as needed and stored in the
-			// relevant state store. For example, for HA Ingress
-			// 'write' replica, the cert and key will be stored in a
-			// Kubernetes Secret named after the domain for which we
-			// are issuing.
-			// Note that renewals triggered by the call to the
-			// certificates endpoint here and by renewal check
-			// triggered during a call to node's HTTPS endpoint
-			// share the same state/renewal lock mechanism, so we
-			// should not run into redundant issuances during
-			// concurrent renewal checks.
-			// TODO(irbekrm): maybe it is worth adding a new
-			// issuance endpoint that explicitly only triggers
-			// issuance and stores certs in the relevant store, but
-			// does not return certs to the caller?
-			_, _, err := cm.lc.CertPair(ctx, domain)
-			if err != nil {
-				log.Printf("error refreshing certificate for %s: %v", domain, err)
-			}
-			var nextInterval time.Duration
-			// TODO(irbekrm): distinguish between LE rate limit
-			// errors and other error types like transient network
-			// errors.
-			if err == nil {
-				retryCount = 0
-				nextInterval = normalInterval
-			} else {
-				retryCount++
-				// Calculate backoff: initialRetry * 2^(retryCount-1)
-				// For retryCount=1: 1min * 2^0 = 1min
-				// For retryCount=2: 1min * 2^1 = 2min
-				// For retryCount=3: 1min * 2^2 = 4min
-				backoff := initialRetry * time.Duration(1<<(retryCount-1))
-				if backoff > maxRetryInterval {
-					backoff = maxRetryInterval
-				}
-				nextInterval = backoff
-				log.Printf("Error refreshing certificate for %s (retry %d): %v. Will retry in %v\n",
-					domain, retryCount, err, nextInterval)
-			}
-			timer.Reset(nextInterval)
-		}
-	}
-}

cmd/containerboot/certs_test.go

@@ -1,229 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux
-
-package main
-
-import (
-	"context"
-	"testing"
-	"time"
-
-	"tailscale.com/ipn"
-	"tailscale.com/tailcfg"
-)
-
-// TestEnsureCertLoops tests that the certManager correctly starts and stops
-// update loops for certs when the serve config changes. It tracks goroutine
-// count and uses that as a validator that the expected number of cert loops are
-// running.
-func TestEnsureCertLoops(t *testing.T) {
-	tests := []struct {
-		name              string
-		initialConfig     *ipn.ServeConfig
-		updatedConfig     *ipn.ServeConfig
-		initialGoroutines int64 // after initial serve config is applied
-		updatedGoroutines int64 // after updated serve config is applied
-		wantErr           bool
-	}{
-		{
-			name:              "empty_serve_config",
-			initialConfig:     &ipn.ServeConfig{},
-			initialGoroutines: 0,
-		},
-		{
-			name:              "nil_serve_config",
-			initialConfig:     nil,
-			initialGoroutines: 0,
-			wantErr:           true,
-		},
-		{
-			name:          "empty_to_one_service",
-			initialConfig: &ipn.ServeConfig{},
-			updatedConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			initialGoroutines: 0,
-			updatedGoroutines: 1,
-		},
-		{
-			name: "single_service",
-			initialConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			initialGoroutines: 1,
-		},
-		{
-			name: "multiple_services",
-			initialConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-					"svc:my-other-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-other-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			initialGoroutines: 2, // one loop per domain across all services
-		},
-		{
-			name: "ignore_non_https_ports",
-			initialConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-							"my-app.tailnetxyz.ts.net:80":  {},
-						},
-					},
-				},
-			},
-			initialGoroutines: 1, // only one loop for the 443 endpoint
-		},
-		{
-			name: "remove_domain",
-			initialConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-					"svc:my-other-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-other-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			updatedConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			initialGoroutines: 2, // initially two loops (one per service)
-			updatedGoroutines: 1, // one loop after removing service2
-		},
-		{
-			name: "add_domain",
-			initialConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			updatedConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-					"svc:my-other-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-other-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			initialGoroutines: 1,
-			updatedGoroutines: 2,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
-
-			cm := &certManager{
-				lc:        &fakeLocalClient{},
-				certLoops: make(map[string]context.CancelFunc),
-			}
-
-			allDone := make(chan bool, 1)
-			defer cm.tracker.AddDoneCallback(func() {
-				cm.mu.Lock()
-				defer cm.mu.Unlock()
-				if cm.tracker.RunningGoroutines() > 0 {
-					return
-				}
-				select {
-				case allDone <- true:
-				default:
-				}
-			})()
-
-			err := cm.ensureCertLoops(ctx, tt.initialConfig)
-			if (err != nil) != tt.wantErr {
-				t.Fatalf("ensureCertLoops() error = %v", err)
-			}
-
-			if got := cm.tracker.RunningGoroutines(); got != tt.initialGoroutines {
-				t.Errorf("after initial config: got %d running goroutines, want %d", got, tt.initialGoroutines)
-			}
-
-			if tt.updatedConfig != nil {
-				if err := cm.ensureCertLoops(ctx, tt.updatedConfig); err != nil {
-					t.Fatalf("ensureCertLoops() error on update = %v", err)
-				}
-
-				// Although starting goroutines and cancelling
-				// the context happens in the main goroutine, it
-				// the actual goroutine exit when a context is
-				// cancelled does not- so wait for a bit for the
-				// running goroutine count to reach the expected
-				// number.
-				deadline := time.After(5 * time.Second)
-				for {
-					if got := cm.tracker.RunningGoroutines(); got == tt.updatedGoroutines {
-						break
-					}
-					select {
-					case <-deadline:
-						t.Fatalf("timed out waiting for goroutine count to reach %d, currently at %d",
-							tt.updatedGoroutines, cm.tracker.RunningGoroutines())
-					case <-time.After(10 * time.Millisecond):
-						continue
-					}
-				}
-			}
-
-			if tt.updatedGoroutines == 0 {
-				return // no goroutines to wait for
-			}
-			// cancel context to make goroutines exit
-			cancel()
-			select {
-			case <-time.After(5 * time.Second):
-				t.Fatal("timed out waiting for goroutine to finish")
-			case <-allDone:
-			}
-		})
-	}
-}

cmd/containerboot/main.go

@@ -646,7 +646,7 @@ runLoop:
 
 				if cfg.ServeConfigPath != "" {
 					triggerWatchServeConfigChanges.Do(func() {
-						go watchServeConfigChanges(ctx, certDomainChanged, certDomain, client, kc, cfg)
+						go watchServeConfigChanges(ctx, cfg.ServeConfigPath, certDomainChanged, certDomain, client, kc)
 					})
 				}
 

cmd/containerboot/metrics.go

@@ -10,15 +10,15 @@ import (
 	"io"
 	"net/http"
 
-	"tailscale.com/client/local"
-	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/localclient/tailscale"
+	"tailscale.com/localclient/tailscale/apitype"
 )
 
 // metrics is a simple metrics HTTP server, if enabled it forwards requests to
 // the tailscaled's LocalAPI usermetrics endpoint at /localapi/v0/usermetrics.
 type metrics struct {
 	debugEndpoint string
-	lc            *local.Client
+	lc            *tailscale.LocalClient
 }
 
 func proxy(w http.ResponseWriter, r *http.Request, url string, do func(*http.Request) (*http.Response, error)) {
@@ -68,7 +68,7 @@ func (m *metrics) handleDebug(w http.ResponseWriter, r *http.Request) {
 // In 1.78.x and 1.80.x, it also proxies debug paths to tailscaled's debug
 // endpoint if configured to ease migration for a breaking change serving user
 // metrics instead of debug metrics on the "metrics" port.
-func metricsHandlers(mux *http.ServeMux, lc *local.Client, debugAddrPort string) {
+func metricsHandlers(mux *http.ServeMux, lc *tailscale.LocalClient, debugAddrPort string) {
 	m := &metrics{
 		lc:            lc,
 		debugEndpoint: debugAddrPort,

cmd/containerboot/serve.go

@@ -17,9 +17,9 @@ import (
 	"time"
 
 	"github.com/fsnotify/fsnotify"
-	"tailscale.com/client/local"
 	"tailscale.com/ipn"
 	"tailscale.com/kube/kubetypes"
+	"tailscale.com/localclient/tailscale"
 	"tailscale.com/types/netmap"
 )
 
@@ -28,23 +28,20 @@ import (
 // applies it to lc. It exits when ctx is canceled. cdChanged is a channel that
 // is written to when the certDomain changes, causing the serve config to be
 // re-read and applied.
-func watchServeConfigChanges(ctx context.Context, cdChanged <-chan bool, certDomainAtomic *atomic.Pointer[string], lc *local.Client, kc *kubeClient, cfg *settings) {
+func watchServeConfigChanges(ctx context.Context, path string, cdChanged <-chan bool, certDomainAtomic *atomic.Pointer[string], lc *tailscale.LocalClient, kc *kubeClient) {
 	if certDomainAtomic == nil {
 		panic("certDomainAtomic must not be nil")
 	}
-
 	var tickChan <-chan time.Time
 	var eventChan <-chan fsnotify.Event
 	if w, err := fsnotify.NewWatcher(); err != nil {
-		// Creating a new fsnotify watcher would fail for example if inotify was not able to create a new file descriptor.
-		// See https://github.com/tailscale/tailscale/issues/15081
 		log.Printf("serve proxy: failed to create fsnotify watcher, timer-only mode: %v", err)
 		ticker := time.NewTicker(5 * time.Second)
 		defer ticker.Stop()
 		tickChan = ticker.C
 	} else {
 		defer w.Close()
-		if err := w.Add(filepath.Dir(cfg.ServeConfigPath)); err != nil {
+		if err := w.Add(filepath.Dir(path)); err != nil {
 			log.Fatalf("serve proxy: failed to add fsnotify watch: %v", err)
 		}
 		eventChan = w.Events
@@ -52,12 +49,6 @@ func watchServeConfigChanges(ctx context.Context, cdChanged <-chan bool, certDom
 
 	var certDomain string
 	var prevServeConfig *ipn.ServeConfig
-	var cm certManager
-	if cfg.CertShareMode == "rw" {
-		cm = certManager{
-			lc: lc,
-		}
-	}
 	for {
 		select {
 		case <-ctx.Done():
@@ -70,12 +61,12 @@ func watchServeConfigChanges(ctx context.Context, cdChanged <-chan bool, certDom
 			// k8s handles these mounts. So just re-read the file and apply it
 			// if it's changed.
 		}
-		sc, err := readServeConfig(cfg.ServeConfigPath, certDomain)
+		sc, err := readServeConfig(path, certDomain)
 		if err != nil {
 			log.Fatalf("serve proxy: failed to read serve config: %v", err)
 		}
 		if sc == nil {
-			log.Printf("serve proxy: no serve config at %q, skipping", cfg.ServeConfigPath)
+			log.Printf("serve proxy: no serve config at %q, skipping", path)
 			continue
 		}
 		if prevServeConfig != nil && reflect.DeepEqual(sc, prevServeConfig) {
@@ -90,12 +81,6 @@ func watchServeConfigChanges(ctx context.Context, cdChanged <-chan bool, certDom
 			}
 		}
 		prevServeConfig = sc
-		if cfg.CertShareMode != "rw" {
-			continue
-		}
-		if err := cm.ensureCertLoops(ctx, sc); err != nil {
-			log.Fatalf("serve proxy: error ensuring cert loops: %v", err)
-		}
 	}
 }
 
@@ -106,10 +91,9 @@ func certDomainFromNetmap(nm *netmap.NetworkMap) string {
 	return nm.DNS.CertDomains[0]
 }
 
-// localClient is a subset of [local.Client] that can be mocked for testing.
+// localClient is a subset of tailscale.LocalClient that can be mocked for testing.
 type localClient interface {
 	SetServeConfig(context.Context, *ipn.ServeConfig) error
-	CertPair(context.Context, string) ([]byte, []byte, error)
 }
 
 func updateServeConfig(ctx context.Context, sc *ipn.ServeConfig, certDomain string, lc localClient) error {

cmd/containerboot/serve_test.go

@@ -12,9 +12,9 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
-	"tailscale.com/client/local"
 	"tailscale.com/ipn"
 	"tailscale.com/kube/kubetypes"
+	"tailscale.com/localclient/tailscale"
 )
 
 func TestUpdateServeConfig(t *testing.T) {
@@ -197,7 +197,7 @@ func TestReadServeConfig(t *testing.T) {
 }
 
 type fakeLocalClient struct {
-	*local.Client
+	*tailscale.LocalClient
 	setServeCalled bool
 }
 
@@ -206,10 +206,6 @@ func (m *fakeLocalClient) SetServeConfig(ctx context.Context, cfg *ipn.ServeConf
 	return nil
 }
 
-func (m *fakeLocalClient) CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
-	return nil, nil, nil
-}
-
 func TestHasHTTPSEndpoint(t *testing.T) {
 	tests := []struct {
 		name string

cmd/containerboot/services.go

@@ -21,11 +21,11 @@ import (
 	"time"
 
 	"github.com/fsnotify/fsnotify"
-	"tailscale.com/client/local"
 	"tailscale.com/ipn"
 	"tailscale.com/kube/egressservices"
 	"tailscale.com/kube/kubeclient"
 	"tailscale.com/kube/kubetypes"
+	"tailscale.com/localclient/tailscale"
 	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/httpm"
@@ -50,7 +50,7 @@ type egressProxy struct {
 	kc          kubeclient.Client // never nil
 	stateSecret string            // name of the kube state Secret
 
-	tsClient *local.Client // never nil
+	tsClient *tailscale.LocalClient // never nil
 
 	netmapChan chan ipn.Notify // chan to receive netmap updates on
 
@@ -131,7 +131,7 @@ type egressProxyRunOpts struct {
 	cfgPath      string
 	nfr          linuxfw.NetfilterRunner
 	kc           kubeclient.Client
-	tsClient     *local.Client
+	tsClient     *tailscale.LocalClient
 	stateSecret  string
 	netmapChan   chan ipn.Notify
 	podIPv4      string

cmd/containerboot/settings.go

@@ -74,12 +74,6 @@ type settings struct {
 	HealthCheckEnabled   bool
 	DebugAddrPort        string
 	EgressProxiesCfgPath string
-	// CertShareMode is set for Kubernetes Pods running cert share mode.
-	// Possible values are empty (containerboot doesn't run any certs
-	// logic),  'ro' (for Pods that shold never attempt to issue/renew
-	// certs) and 'rw' for Pods that should manage the TLS certs shared
-	// amongst the replicas.
-	CertShareMode string
 }
 
 func configFromEnv() (*settings, error) {
@@ -134,17 +128,6 @@ func configFromEnv() (*settings, error) {
 			cfg.PodIPv6 = parsed.String()
 		}
 	}
-	// If cert share is enabled, set the replica as read or write. Only 0th
-	// replica should be able to write.
-	isInCertShareMode := defaultBool("TS_EXPERIMENTAL_CERT_SHARE", false)
-	if isInCertShareMode {
-		cfg.CertShareMode = "ro"
-		podName := os.Getenv("POD_NAME")
-		if strings.HasSuffix(podName, "-0") {
-			cfg.CertShareMode = "rw"
-		}
-	}
-
 	if err := cfg.validate(); err != nil {
 		return nil, fmt.Errorf("invalid configuration: %v", err)
 	}

cmd/containerboot/tailscaled.go

@@ -20,10 +20,10 @@ import (
 	"time"
 
 	"github.com/fsnotify/fsnotify"
-	"tailscale.com/client/local"
+	"tailscale.com/localclient/tailscale"
 )
 
-func startTailscaled(ctx context.Context, cfg *settings) (*local.Client, *os.Process, error) {
+func startTailscaled(ctx context.Context, cfg *settings) (*tailscale.LocalClient, *os.Process, error) {
 	args := tailscaledArgs(cfg)
 	// tailscaled runs without context, since it needs to persist
 	// beyond the startup timeout in ctx.
@@ -33,9 +33,6 @@ func startTailscaled(ctx context.Context, cfg *settings) (*local.Client, *os.Pro
 	cmd.SysProcAttr = &syscall.SysProcAttr{
 		Setpgid: true,
 	}
-	if cfg.CertShareMode != "" {
-		cmd.Env = append(os.Environ(), "TS_CERT_SHARE_MODE="+cfg.CertShareMode)
-	}
 	log.Printf("Starting tailscaled")
 	if err := cmd.Start(); err != nil {
 		return nil, nil, fmt.Errorf("starting tailscaled failed: %v", err)
@@ -57,7 +54,7 @@ func startTailscaled(ctx context.Context, cfg *settings) (*local.Client, *os.Pro
 		break
 	}
 
-	tsClient := &local.Client{
+	tsClient := &tailscale.LocalClient{
 		Socket:        cfg.Socket,
 		UseSocketOnly: true,
 	}
@@ -173,17 +170,14 @@ func tailscaleSet(ctx context.Context, cfg *settings) error {
 	return nil
 }
 
-func watchTailscaledConfigChanges(ctx context.Context, path string, lc *local.Client, errCh chan<- error) {
+func watchTailscaledConfigChanges(ctx context.Context, path string, lc *tailscale.LocalClient, errCh chan<- error) {
 	var (
 		tickChan          <-chan time.Time
-		eventChan         <-chan fsnotify.Event
-		errChan           <-chan error
 		tailscaledCfgDir  = filepath.Dir(path)
 		prevTailscaledCfg []byte
 	)
-	if w, err := fsnotify.NewWatcher(); err != nil {
-		// Creating a new fsnotify watcher would fail for example if inotify was not able to create a new file descriptor.
-		// See https://github.com/tailscale/tailscale/issues/15081
+	w, err := fsnotify.NewWatcher()
+	if err != nil {
 		log.Printf("tailscaled config watch: failed to create fsnotify watcher, timer-only mode: %v", err)
 		ticker := time.NewTicker(5 * time.Second)
 		defer ticker.Stop()
@@ -194,8 +188,6 @@ func watchTailscaledConfigChanges(ctx context.Context, path string, lc *local.Cl
 			errCh <- fmt.Errorf("failed to add fsnotify watch: %w", err)
 			return
 		}
-		eventChan = w.Events
-		errChan = w.Errors
 	}
 	b, err := os.ReadFile(path)
 	if err != nil {
@@ -213,11 +205,11 @@ func watchTailscaledConfigChanges(ctx context.Context, path string, lc *local.Cl
 		select {
 		case <-ctx.Done():
 			return
-		case err := <-errChan:
+		case err := <-w.Errors:
 			errCh <- fmt.Errorf("watcher error: %w", err)
 			return
 		case <-tickChan:
-		case event := <-eventChan:
+		case event := <-w.Events:
 			if event.Name != toWatch {
 				continue
 			}

cmd/derper/cert.go

@@ -4,28 +4,16 @@
 package main
 
 import (
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/json"
-	"encoding/pem"
 	"errors"
 	"fmt"
-	"log"
-	"math/big"
 	"net"
 	"net/http"
-	"os"
 	"path/filepath"
 	"regexp"
-	"time"
 
 	"golang.org/x/crypto/acme/autocert"
-	"tailscale.com/tailcfg"
 )
 
 var unsafeHostnameCharacters = regexp.MustCompile(`[^a-zA-Z0-9-\.]`)
@@ -77,18 +65,8 @@ func NewManualCertManager(certdir, hostname string) (certProvider, error) {
 	crtPath := filepath.Join(certdir, keyname+".crt")
 	keyPath := filepath.Join(certdir, keyname+".key")
 	cert, err := tls.LoadX509KeyPair(crtPath, keyPath)
-	hostnameIP := net.ParseIP(hostname) // or nil if hostname isn't an IP address
 	if err != nil {
-		// If the hostname is an IP address, automatically create a
-		// self-signed certificate for it.
-		var certp *tls.Certificate
-		if os.IsNotExist(err) && hostnameIP != nil {
-			certp, err = createSelfSignedIPCert(crtPath, keyPath, hostname)
-		}
-		if err != nil {
-			return nil, fmt.Errorf("can not load x509 key pair for hostname %q: %w", keyname, err)
-		}
-		cert = *certp
+		return nil, fmt.Errorf("can not load x509 key pair for hostname %q: %w", keyname, err)
 	}
 	// ensure hostname matches with the certificate
 	x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
@@ -98,18 +76,6 @@ func NewManualCertManager(certdir, hostname string) (certProvider, error) {
 	if err := x509Cert.VerifyHostname(hostname); err != nil {
 		return nil, fmt.Errorf("cert invalid for hostname %q: %w", hostname, err)
 	}
-	if hostnameIP != nil {
-		// If the hostname is an IP address, print out information on how to
-		// confgure this in the derpmap.
-		dn := &tailcfg.DERPNode{
-			Name:     "custom",
-			RegionID: 900,
-			HostName: hostname,
-			CertName: fmt.Sprintf("sha256-raw:%-02x", sha256.Sum256(x509Cert.Raw)),
-		}
-		dnJSON, _ := json.Marshal(dn)
-		log.Printf("Using self-signed certificate for IP address %q. Configure it in DERPMap using: (https://tailscale.com/s/custom-derp)\n  %s", hostname, dnJSON)
-	}
 	return &manualCertManager{
 		cert:       &cert,
 		hostname:   hostname,
@@ -143,69 +109,3 @@ func (m *manualCertManager) getCertificate(hi *tls.ClientHelloInfo) (*tls.Certif
 func (m *manualCertManager) HTTPHandler(fallback http.Handler) http.Handler {
 	return fallback
 }
-
-func createSelfSignedIPCert(crtPath, keyPath, ipStr string) (*tls.Certificate, error) {
-	ip := net.ParseIP(ipStr)
-	if ip == nil {
-		return nil, fmt.Errorf("invalid IP address: %s", ipStr)
-	}
-
-	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		return nil, fmt.Errorf("failed to generate EC private key: %v", err)
-	}
-
-	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
-	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
-	if err != nil {
-		return nil, fmt.Errorf("failed to generate serial number: %v", err)
-	}
-
-	now := time.Now()
-	template := x509.Certificate{
-		SerialNumber: serialNumber,
-		Subject: pkix.Name{
-			CommonName: ipStr,
-		},
-		NotBefore: now,
-		NotAfter:  now.AddDate(1, 0, 0), // expires in 1 year; a bit over that is rejected by macOS etc
-
-		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
-	}
-
-	// Set the IP as a SAN.
-	template.IPAddresses = []net.IP{ip}
-
-	// Create the self-signed certificate.
-	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create certificate: %v", err)
-	}
-
-	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
-
-	keyBytes, err := x509.MarshalECPrivateKey(priv)
-	if err != nil {
-		return nil, fmt.Errorf("unable to marshal EC private key: %v", err)
-	}
-
-	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyBytes})
-
-	if err := os.MkdirAll(filepath.Dir(crtPath), 0700); err != nil {
-		return nil, fmt.Errorf("failed to create directory for certificate: %v", err)
-	}
-	if err := os.WriteFile(crtPath, certPEM, 0644); err != nil {
-		return nil, fmt.Errorf("failed to write certificate to %s: %v", crtPath, err)
-	}
-	if err := os.WriteFile(keyPath, keyPEM, 0600); err != nil {
-		return nil, fmt.Errorf("failed to write key to %s: %v", keyPath, err)
-	}
-
-	tlsCert, err := tls.X509KeyPair(certPEM, keyPEM)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create tls.Certificate: %v", err)
-	}
-	return &tlsCert, nil
-}

cmd/derper/cert_test.go

@@ -4,29 +4,19 @@
 package main
 
 import (
-	"context"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
-	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
-	"fmt"
 	"math/big"
 	"net"
-	"net/http"
 	"os"
 	"path/filepath"
 	"testing"
 	"time"
-
-	"tailscale.com/derp"
-	"tailscale.com/derp/derphttp"
-	"tailscale.com/net/netmon"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
 )
 
 // Verify that in --certmode=manual mode, we can use a bare IP address
@@ -105,66 +95,3 @@ func TestCertIP(t *testing.T) {
 		t.Fatalf("GetCertificate returned nil")
 	}
 }
-
-// Test that we can dial a raw IP without using a hostname and without a WebPKI
-// cert, validating the cert against the signature of the cert in the DERP map's
-// DERPNode.
-//
-// See https://github.com/tailscale/tailscale/issues/11776.
-func TestPinnedCertRawIP(t *testing.T) {
-	td := t.TempDir()
-	cp, err := NewManualCertManager(td, "127.0.0.1")
-	if err != nil {
-		t.Fatalf("NewManualCertManager: %v", err)
-	}
-
-	cert, err := cp.TLSConfig().GetCertificate(&tls.ClientHelloInfo{
-		ServerName: "127.0.0.1",
-	})
-	if err != nil {
-		t.Fatalf("GetCertificate: %v", err)
-	}
-
-	ln, err := net.Listen("tcp", "127.0.0.1:0")
-	if err != nil {
-		t.Fatalf("Listen: %v", err)
-	}
-	defer ln.Close()
-
-	ds := derp.NewServer(key.NewNode(), t.Logf)
-
-	derpHandler := derphttp.Handler(ds)
-	mux := http.NewServeMux()
-	mux.Handle("/derp", derpHandler)
-
-	var hs http.Server
-	hs.Handler = mux
-	hs.TLSConfig = cp.TLSConfig()
-	go hs.ServeTLS(ln, "", "")
-
-	lnPort := ln.Addr().(*net.TCPAddr).Port
-
-	reg := &tailcfg.DERPRegion{
-		RegionID: 900,
-		Nodes: []*tailcfg.DERPNode{
-			{
-				RegionID: 900,
-				HostName: "127.0.0.1",
-				CertName: fmt.Sprintf("sha256-raw:%-02x", sha256.Sum256(cert.Leaf.Raw)),
-				DERPPort: lnPort,
-			},
-		},
-	}
-
-	netMon := netmon.NewStatic()
-	dc := derphttp.NewRegionClient(key.NewNode(), t.Logf, netMon, func() *tailcfg.DERPRegion {
-		return reg
-	})
-	defer dc.Close()
-
-	_, connClose, _, err := dc.DialRegionTLS(context.Background(), reg)
-	if err != nil {
-		t.Fatalf("DialRegionTLS: %v", err)
-	}
-	defer connClose.Close()
-}

cmd/derper/depaware.txt

@@ -51,11 +51,9 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
    W    github.com/tailscale/go-winio/pkg/guid                       from github.com/tailscale/go-winio+
    L 💣 github.com/tailscale/netlink                                 from tailscale.com/util/linuxfw
    L 💣 github.com/tailscale/netlink/nl                              from github.com/tailscale/netlink
-        github.com/tailscale/setec/client/setec                      from tailscale.com/cmd/derper
-        github.com/tailscale/setec/types/api                         from github.com/tailscale/setec/client/setec
    L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
         github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
-     💣 go4.org/mem                                                  from tailscale.com/client/local+
+     💣 go4.org/mem                                                  from tailscale.com/derp+
         go4.org/netipx                                               from tailscale.com/net/tsaddr
    W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/netmon+
         google.golang.org/protobuf/encoding/protodelim               from github.com/prometheus/common/expfmt
@@ -88,20 +86,18 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         google.golang.org/protobuf/types/known/timestamppb           from github.com/prometheus/client_golang/prometheus+
         tailscale.com                                                from tailscale.com/version
      💣 tailscale.com/atomicfile                                     from tailscale.com/cmd/derper+
-        tailscale.com/client/local                                   from tailscale.com/client/tailscale+
-        tailscale.com/client/tailscale                               from tailscale.com/derp
-        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale+
         tailscale.com/derp                                           from tailscale.com/cmd/derper+
         tailscale.com/derp/derphttp                                  from tailscale.com/cmd/derper
         tailscale.com/disco                                          from tailscale.com/derp
-        tailscale.com/drive                                          from tailscale.com/client/local+
-        tailscale.com/envknob                                        from tailscale.com/client/local+
-        tailscale.com/feature                                        from tailscale.com/tsweb
+        tailscale.com/drive                                          from tailscale.com/ipn+
+        tailscale.com/envknob                                        from tailscale.com/derp+
         tailscale.com/health                                         from tailscale.com/net/tlsdial+
         tailscale.com/hostinfo                                       from tailscale.com/net/netmon+
-        tailscale.com/ipn                                            from tailscale.com/client/local
-        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/local+
+        tailscale.com/ipn                                            from tailscale.com/localclient/tailscale
+        tailscale.com/ipn/ipnstate                                   from tailscale.com/ipn+
         tailscale.com/kube/kubetypes                                 from tailscale.com/envknob
+        tailscale.com/localclient/tailscale                          from tailscale.com/derp
+        tailscale.com/localclient/tailscale/apitype                  from tailscale.com/localclient/tailscale
         tailscale.com/metrics                                        from tailscale.com/cmd/derper+
         tailscale.com/net/bakedroots                                 from tailscale.com/net/tlsdial
         tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp
@@ -110,7 +106,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/net/netknob                                    from tailscale.com/net/netns
      💣 tailscale.com/net/netmon                                     from tailscale.com/derp/derphttp+
      💣 tailscale.com/net/netns                                      from tailscale.com/derp/derphttp
-        tailscale.com/net/netutil                                    from tailscale.com/client/local
+        tailscale.com/net/netutil                                    from tailscale.com/localclient/tailscale
         tailscale.com/net/sockstats                                  from tailscale.com/derp/derphttp
         tailscale.com/net/stun                                       from tailscale.com/net/stunserver
         tailscale.com/net/stunserver                                 from tailscale.com/cmd/derper
@@ -120,32 +116,32 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
      💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
         tailscale.com/net/wsconn                                     from tailscale.com/cmd/derper
-        tailscale.com/paths                                          from tailscale.com/client/local
-     💣 tailscale.com/safesocket                                     from tailscale.com/client/local
+        tailscale.com/paths                                          from tailscale.com/localclient/tailscale
+     💣 tailscale.com/safesocket                                     from tailscale.com/localclient/tailscale
         tailscale.com/syncs                                          from tailscale.com/cmd/derper+
-        tailscale.com/tailcfg                                        from tailscale.com/client/local+
-        tailscale.com/tka                                            from tailscale.com/client/local+
+        tailscale.com/tailcfg                                        from tailscale.com/derp+
+        tailscale.com/tka                                            from tailscale.com/ipn/ipnstate+
    W    tailscale.com/tsconst                                        from tailscale.com/net/netmon+
         tailscale.com/tstime                                         from tailscale.com/derp+
         tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
         tailscale.com/tstime/rate                                    from tailscale.com/derp
-        tailscale.com/tsweb                                          from tailscale.com/cmd/derper+
-        tailscale.com/tsweb/promvarz                                 from tailscale.com/cmd/derper
+        tailscale.com/tsweb                                          from tailscale.com/cmd/derper
+        tailscale.com/tsweb/promvarz                                 from tailscale.com/tsweb
         tailscale.com/tsweb/varz                                     from tailscale.com/tsweb+
         tailscale.com/types/dnstype                                  from tailscale.com/tailcfg+
         tailscale.com/types/empty                                    from tailscale.com/ipn
         tailscale.com/types/ipproto                                  from tailscale.com/tailcfg+
-        tailscale.com/types/key                                      from tailscale.com/client/local+
+        tailscale.com/types/key                                      from tailscale.com/cmd/derper+
         tailscale.com/types/lazy                                     from tailscale.com/version+
         tailscale.com/types/logger                                   from tailscale.com/cmd/derper+
         tailscale.com/types/netmap                                   from tailscale.com/ipn
-        tailscale.com/types/opt                                      from tailscale.com/client/tailscale+
+        tailscale.com/types/opt                                      from tailscale.com/envknob+
         tailscale.com/types/persist                                  from tailscale.com/ipn
         tailscale.com/types/preftype                                 from tailscale.com/ipn
         tailscale.com/types/ptr                                      from tailscale.com/hostinfo+
         tailscale.com/types/result                                   from tailscale.com/util/lineiter
         tailscale.com/types/structs                                  from tailscale.com/ipn+
-        tailscale.com/types/tkatype                                  from tailscale.com/client/local+
+        tailscale.com/types/tkatype                                  from tailscale.com/localclient/tailscale+
         tailscale.com/types/views                                    from tailscale.com/ipn+
         tailscale.com/util/cibuild                                   from tailscale.com/health
         tailscale.com/util/clientmetric                              from tailscale.com/net/netmon+
@@ -156,7 +152,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
    L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
         tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
      💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
-        tailscale.com/util/httpm                                     from tailscale.com/client/tailscale
         tailscale.com/util/lineiter                                  from tailscale.com/hostinfo+
    L    tailscale.com/util/linuxfw                                   from tailscale.com/net/netns
         tailscale.com/util/mak                                       from tailscale.com/health+
@@ -192,11 +187,13 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
         golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
         golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/hkdf                                     from crypto/tls+
         golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
         golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
         golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/sha3                                     from crypto/internal/mlkem768+
    W    golang.org/x/exp/constraints                                 from tailscale.com/util/winutil
         golang.org/x/exp/maps                                        from tailscale.com/util/syspolicy/setting+
    L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
@@ -209,7 +206,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         golang.org/x/net/proxy                                       from tailscale.com/net/netns
    D    golang.org/x/net/route                                       from net+
         golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
-        golang.org/x/sync/singleflight                               from github.com/tailscale/setec/client/setec
         golang.org/x/sys/cpu                                         from golang.org/x/crypto/argon2+
   LD    golang.org/x/sys/unix                                        from github.com/google/nftables+
    W    golang.org/x/sys/windows                                     from github.com/dblohm7/wingoes+
@@ -229,7 +225,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         container/list                                               from crypto/tls+
         context                                                      from crypto/tls+
         crypto                                                       from crypto/ecdh+
-        crypto/aes                                                   from crypto/internal/hpke+
+        crypto/aes                                                   from crypto/ecdsa+
         crypto/cipher                                                from crypto/aes+
         crypto/des                                                   from crypto/tls+
         crypto/dsa                                                   from crypto/x509
@@ -238,58 +234,31 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         crypto/ed25519                                               from crypto/tls+
         crypto/elliptic                                              from crypto/ecdsa+
         crypto/hmac                                                  from crypto/tls+
+        crypto/internal/alias                                        from crypto/aes+
+        crypto/internal/bigmod                                       from crypto/ecdsa+
         crypto/internal/boring                                       from crypto/aes+
         crypto/internal/boring/bbig                                  from crypto/ecdsa+
         crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/entropy                                      from crypto/internal/fips140/drbg
-        crypto/internal/fips140                                      from crypto/internal/fips140/aes+
-        crypto/internal/fips140/aes                                  from crypto/aes+
-        crypto/internal/fips140/aes/gcm                              from crypto/cipher+
-        crypto/internal/fips140/alias                                from crypto/cipher+
-        crypto/internal/fips140/bigmod                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/check                                from crypto/internal/fips140/aes+
-        crypto/internal/fips140/drbg                                 from crypto/internal/fips140/aes/gcm+
-        crypto/internal/fips140/ecdh                                 from crypto/ecdh
-        crypto/internal/fips140/ecdsa                                from crypto/ecdsa
-        crypto/internal/fips140/ed25519                              from crypto/ed25519
-        crypto/internal/fips140/edwards25519                         from crypto/internal/fips140/ed25519
-        crypto/internal/fips140/edwards25519/field                   from crypto/ecdh+
-        crypto/internal/fips140/hkdf                                 from crypto/internal/fips140/tls13+
-        crypto/internal/fips140/hmac                                 from crypto/hmac+
-        crypto/internal/fips140/mlkem                                from crypto/tls
-        crypto/internal/fips140/nistec                               from crypto/elliptic+
-        crypto/internal/fips140/nistec/fiat                          from crypto/internal/fips140/nistec
-        crypto/internal/fips140/rsa                                  from crypto/rsa
-        crypto/internal/fips140/sha256                               from crypto/internal/fips140/check+
-        crypto/internal/fips140/sha3                                 from crypto/internal/fips140/hmac+
-        crypto/internal/fips140/sha512                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/subtle                               from crypto/internal/fips140/aes+
-        crypto/internal/fips140/tls12                                from crypto/tls
-        crypto/internal/fips140/tls13                                from crypto/tls
-        crypto/internal/fips140deps/byteorder                        from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/cpu                              from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/godebug                          from crypto/internal/fips140+
-        crypto/internal/fips140hash                                  from crypto/ecdsa+
-        crypto/internal/fips140only                                  from crypto/cipher+
+        crypto/internal/edwards25519                                 from crypto/ed25519
+        crypto/internal/edwards25519/field                           from crypto/ecdh+
         crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/impl                                         from crypto/internal/fips140/aes+
+        crypto/internal/mlkem768                                     from crypto/tls
+        crypto/internal/nistec                                       from crypto/ecdh+
+        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
         crypto/internal/randutil                                     from crypto/dsa+
-        crypto/internal/sysrand                                      from crypto/internal/entropy+
         crypto/md5                                                   from crypto/tls+
         crypto/rand                                                  from crypto/ed25519+
         crypto/rc4                                                   from crypto/tls
         crypto/rsa                                                   from crypto/tls+
         crypto/sha1                                                  from crypto/tls+
         crypto/sha256                                                from crypto/tls+
-        crypto/sha3                                                  from crypto/internal/fips140hash
         crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/cipher+
+        crypto/subtle                                                from crypto/aes+
         crypto/tls                                                   from golang.org/x/crypto/acme+
-        crypto/tls/internal/fips140tls                               from crypto/tls
         crypto/x509                                                  from crypto/tls+
    D    crypto/x509/internal/macos                                   from crypto/x509
         crypto/x509/pkix                                             from crypto/x509+
-        embed                                                        from google.golang.org/protobuf/internal/editiondefaults+
+        embed                                                        from crypto/internal/nistec+
         encoding                                                     from encoding/json+
         encoding/asn1                                                from crypto/x509+
         encoding/base32                                              from github.com/fxamacker/cbor/v2+
@@ -310,22 +279,23 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         html                                                         from net/http/pprof+
         html/template                                                from tailscale.com/cmd/derper
         internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from internal/runtime/maps+
+        internal/asan                                                from syscall
         internal/bisect                                              from internal/godebug
         internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/cipher+
+        internal/byteorder                                           from crypto/aes+
         internal/chacha8rand                                         from math/rand/v2+
+        internal/concurrent                                          from unique
         internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/internal/fips140deps/cpu+
+        internal/cpu                                                 from crypto/aes+
         internal/filepathlite                                        from os+
         internal/fmtsort                                             from fmt+
-        internal/goarch                                              from crypto/internal/fips140deps/cpu+
-        internal/godebug                                             from crypto/internal/fips140deps/godebug+
+        internal/goarch                                              from crypto/aes+
+        internal/godebug                                             from crypto/tls+
         internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from hash/maphash+
+        internal/goexperiment                                        from runtime
         internal/goos                                                from crypto/x509+
         internal/itoa                                                from internal/poll+
-        internal/msan                                                from internal/runtime/maps+
+        internal/msan                                                from syscall
         internal/nettrace                                            from net+
         internal/oserror                                             from io/fs+
         internal/poll                                                from net+
@@ -335,20 +305,17 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         internal/reflectlite                                         from context+
         internal/runtime/atomic                                      from internal/runtime/exithook+
         internal/runtime/exithook                                    from runtime
-        internal/runtime/maps                                        from reflect+
-        internal/runtime/math                                        from internal/runtime/maps+
-        internal/runtime/sys                                         from crypto/subtle+
    L    internal/runtime/syscall                                     from runtime+
         internal/singleflight                                        from net
         internal/stringslite                                         from embed+
-        internal/sync                                                from sync+
         internal/syscall/execenv                                     from os+
-  LD    internal/syscall/unix                                        from crypto/internal/sysrand+
-   W    internal/syscall/windows                                     from crypto/internal/sysrand+
+  LD    internal/syscall/unix                                        from crypto/rand+
+   W    internal/syscall/windows                                     from crypto/rand+
    W    internal/syscall/windows/registry                            from mime+
    W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
         internal/testlog                                             from os
         internal/unsafeheader                                        from internal/reflectlite+
+        internal/weak                                                from unique
         io                                                           from bufio+
         io/fs                                                        from crypto/x509+
    L    io/ioutil                                                    from github.com/mitchellh/go-ps+
@@ -360,7 +327,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         math/big                                                     from crypto/dsa+
         math/bits                                                    from compress/flate+
         math/rand                                                    from github.com/mdlayher/netlink+
-        math/rand/v2                                                 from crypto/ecdsa+
+        math/rand/v2                                                 from internal/concurrent+
         mime                                                         from github.com/prometheus/common/expfmt+
         mime/multipart                                               from net/http
         mime/quotedprintable                                         from mime/multipart
@@ -373,7 +340,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         net/netip                                                    from go4.org/netipx+
         net/textproto                                                from golang.org/x/net/http/httpguts+
         net/url                                                      from crypto/x509+
-        os                                                           from crypto/internal/sysrand+
+        os                                                           from crypto/rand+
         os/exec                                                      from github.com/coreos/go-iptables/iptables+
         os/signal                                                    from tailscale.com/cmd/derper
    W    os/user                                                      from tailscale.com/util/winutil+
@@ -382,8 +349,10 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         reflect                                                      from crypto/x509+
         regexp                                                       from github.com/coreos/go-iptables/iptables+
         regexp/syntax                                                from regexp
-        runtime                                                      from crypto/internal/fips140+
+        runtime                                                      from crypto/internal/nistec+
         runtime/debug                                                from github.com/prometheus/client_golang/prometheus+
+        runtime/internal/math                                        from runtime
+        runtime/internal/sys                                         from runtime
         runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
         runtime/pprof                                                from net/http/pprof
         runtime/trace                                                from net/http/pprof
@@ -393,7 +362,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         strings                                                      from bufio+
         sync                                                         from compress/flate+
         sync/atomic                                                  from context+
-        syscall                                                      from crypto/internal/sysrand+
+        syscall                                                      from crypto/rand+
         text/tabwriter                                               from runtime/pprof
         text/template                                                from html/template
         text/template/parse                                          from html/template+
@@ -403,4 +372,3 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         unicode/utf8                                                 from bufio+
         unique                                                       from net/netip
         unsafe                                                       from bytes+
-        weak                                                         from unique

cmd/derper/derper.go

@@ -27,7 +27,6 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
-	"path"
 	"path/filepath"
 	"regexp"
 	"runtime"
@@ -37,7 +36,6 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/tailscale/setec/client/setec"
 	"golang.org/x/time/rate"
 	"tailscale.com/atomicfile"
 	"tailscale.com/derp"
@@ -49,9 +47,6 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/version"
-
-	// Support for prometheus varz in tsweb
-	_ "tailscale.com/tsweb/promvarz"
 )
 
 var (
@@ -66,22 +61,15 @@ var (
 	hostname    = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443. When --certmode=manual, this can be an IP address to avoid SNI checks")
 	runSTUN     = flag.Bool("stun", true, "whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")
 	runDERP     = flag.Bool("derp", true, "whether to run a DERP server. The only reason to set this false is if you're decommissioning a server but want to keep its bootstrap DNS functionality still running.")
-	flagHome    = flag.String("home", "", "what to serve at the root path. It may be left empty (the default, for a default homepage), \"blank\" for a blank page, or a URL to redirect to")
 
 	meshPSKFile     = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
 	meshWith        = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list. If an entry contains a slash, the second part names a hostname to be used when dialing the target.")
-	secretsURL      = flag.String("secrets-url", "", "SETEC server URL for secrets retrieval of mesh key")
-	secretPrefix    = flag.String("secrets-path-prefix", "prod/derp", "setec path prefix for \""+setecMeshKeyName+"\" secret for DERP mesh key")
-	secretsCacheDir = flag.String("secrets-cache-dir", defaultSetecCacheDir(), "directory to cache setec secrets in (required if --secrets-url is set)")
 	bootstrapDNS    = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
 	unpublishedDNS  = flag.String("unpublished-bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns and not publish in the list. If an entry contains a slash, the second part names a DNS record to poll for its TXT record with a `0` to `100` value for rollout percentage.")
-
 	verifyClients   = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")
 	verifyClientURL = flag.String("verify-client-url", "", "if non-empty, an admission controller URL for permitting client connections; see tailcfg.DERPAdmitClientRequest")
 	verifyFailOpen  = flag.Bool("verify-client-url-fail-open", true, "whether we fail open if --verify-client-url is unreachable")
 
-	socket = flag.String("socket", "", "optional alternate path to tailscaled socket (only relevant when using --verify-clients)")
-
 	acceptConnLimit = flag.Float64("accept-connection-limit", math.Inf(+1), "rate limit for accepting new connection")
 	acceptConnBurst = flag.Int("accept-connection-burst", math.MaxInt, "burst limit for accepting new connection")
 
@@ -96,14 +84,8 @@ var (
 var (
 	tlsRequestVersion = &metrics.LabelMap{Label: "version"}
 	tlsActiveVersion  = &metrics.LabelMap{Label: "version"}
-
-	// Exactly 64 hexadecimal lowercase digits.
-	validMeshKey = regexp.MustCompile(`^[0-9a-f]{64}$`)
 )
 
-const setecMeshKeyName = "meshkey"
-const meshKeyEnvVar = "TAILSCALE_DERPER_MESH_KEY"
-
 func init() {
 	expvar.Publish("derper_tls_request_version", tlsRequestVersion)
 	expvar.Publish("gauge_derper_tls_active_version", tlsActiveVersion)
@@ -159,14 +141,6 @@ func writeNewConfig() config {
 	return cfg
 }
 
-func checkMeshKey(key string) (string, error) {
-	key = strings.TrimSpace(key)
-	if !validMeshKey.MatchString(key) {
-		return "", errors.New("key must contain exactly 64 hex digits")
-	}
-	return key, nil
-}
-
 func main() {
 	flag.Parse()
 	if *versionFlag {
@@ -199,70 +173,27 @@ func main() {
 
 	s := derp.NewServer(cfg.PrivateKey, log.Printf)
 	s.SetVerifyClient(*verifyClients)
-	s.SetTailscaledSocketPath(*socket)
 	s.SetVerifyClientURL(*verifyClientURL)
 	s.SetVerifyClientURLFailOpen(*verifyFailOpen)
 	s.SetTCPWriteTimeout(*tcpWriteTimeout)
 
-	var meshKey string
-	if *dev {
-		meshKey = os.Getenv(meshKeyEnvVar)
-		if meshKey == "" {
-			log.Printf("No mesh key specified for dev via %s\n", meshKeyEnvVar)
-		} else {
-			log.Printf("Set mesh key from %s\n", meshKeyEnvVar)
-		}
-	} else if *secretsURL != "" {
-		meshKeySecret := path.Join(*secretPrefix, setecMeshKeyName)
-		fc, err := setec.NewFileCache(*secretsCacheDir)
+	if *meshPSKFile != "" {
+		b, err := os.ReadFile(*meshPSKFile)
 		if err != nil {
-			log.Fatalf("NewFileCache: %v", err)
+			log.Fatal(err)
 		}
-		log.Printf("Setting up setec store from %q", *secretsURL)
-		st, err := setec.NewStore(ctx,
-			setec.StoreConfig{
-				Client: setec.Client{Server: *secretsURL},
-				Secrets: []string{
-					meshKeySecret,
-				},
-				Cache: fc,
-			})
-		if err != nil {
-			log.Fatalf("NewStore: %v", err)
+		key := strings.TrimSpace(string(b))
+		if matched, _ := regexp.MatchString(`(?i)^[0-9a-f]{64,}$`, key); !matched {
+			log.Fatalf("key in %s must contain 64+ hex digits", *meshPSKFile)
 		}
-		meshKey = st.Secret(meshKeySecret).GetString()
-		log.Println("Got mesh key from setec store")
-		st.Close()
-	} else if *meshPSKFile != "" {
-		b, err := setec.StaticFile(*meshPSKFile)
-		if err != nil {
-			log.Fatalf("StaticFile failed to get key: %v", err)
-		}
-		log.Println("Got mesh key from static file")
-		meshKey = b.GetString()
-	}
-
-	if meshKey == "" && *dev {
-		log.Printf("No mesh key configured for --dev mode")
-	} else if meshKey == "" {
-		log.Printf("No mesh key configured")
-	} else if key, err := checkMeshKey(meshKey); err != nil {
-		log.Fatalf("invalid mesh key: %v", err)
-	} else {
 		s.SetMeshKey(key)
-		log.Println("DERP mesh key configured")
+		log.Printf("DERP mesh key configured")
 	}
-
 	if err := startMesh(s); err != nil {
 		log.Fatalf("startMesh: %v", err)
 	}
 	expvar.Publish("derp", s.ExpVar())
 
-	handleHome, ok := getHomeHandler(*flagHome)
-	if !ok {
-		log.Fatalf("unknown --home value %q", *flagHome)
-	}
-
 	mux := http.NewServeMux()
 	if *runDERP {
 		derpHandler := derphttp.Handler(s)
@@ -283,7 +214,19 @@ func main() {
 	mux.HandleFunc("/bootstrap-dns", tsweb.BrowserHeaderHandlerFunc(handleBootstrapDNS))
 	mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		tsweb.AddBrowserHeaders(w)
-		handleHome.ServeHTTP(w, r)
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		w.WriteHeader(200)
+		err := homePageTemplate.Execute(w, templateData{
+			ShowAbuseInfo: validProdHostname.MatchString(*hostname),
+			Disabled:      !*runDERP,
+			AllowDebug:    tsweb.AllowDebugAccess(r),
+		})
+		if err != nil {
+			if r.Context().Err() == nil {
+				log.Printf("homePageTemplate.Execute: %v", err)
+			}
+			return
+		}
 	}))
 	mux.Handle("/robots.txt", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		tsweb.AddBrowserHeaders(w)
@@ -325,9 +268,6 @@ func main() {
 		Control:   ktimeout.UserTimeout(*tcpUserTimeout),
 		KeepAlive: *tcpKeepAlive,
 	}
-	// As of 2025-02-19, MPTCP does not support TCP_USER_TIMEOUT socket option
-	// set in ktimeout.UserTimeout above.
-	lc.SetMultipathTCP(false)
 
 	quietLogger := log.New(logger.HTTPServerLogFilter{Inner: log.Printf}, "", 0)
 	httpsrv := &http.Server{
@@ -442,10 +382,6 @@ func prodAutocertHostPolicy(_ context.Context, host string) error {
 	return errors.New("invalid hostname")
 }
 
-func defaultSetecCacheDir() string {
-	return filepath.Join(os.Getenv("HOME"), ".cache", "derper-secrets")
-}
-
 func defaultMeshPSKFile() string {
 	try := []string{
 		"/home/derp/keys/derp-mesh.key",
@@ -576,35 +512,3 @@ var homePageTemplate = template.Must(template.New("home").Parse(`<html><body>
 </body>
 </html>
 `))
-
-// getHomeHandler returns a handler for the home page based on a flag string
-// as documented on the --home flag.
-func getHomeHandler(val string) (_ http.Handler, ok bool) {
-	if val == "" {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			w.Header().Set("Content-Type", "text/html; charset=utf-8")
-			w.WriteHeader(200)
-			err := homePageTemplate.Execute(w, templateData{
-				ShowAbuseInfo: validProdHostname.MatchString(*hostname),
-				Disabled:      !*runDERP,
-				AllowDebug:    tsweb.AllowDebugAccess(r),
-			})
-			if err != nil {
-				if r.Context().Err() == nil {
-					log.Printf("homePageTemplate.Execute: %v", err)
-				}
-				return
-			}
-		}), true
-	}
-	if val == "blank" {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			w.Header().Set("Content-Type", "text/html; charset=utf-8")
-			w.WriteHeader(200)
-		}), true
-	}
-	if strings.HasPrefix(val, "http://") || strings.HasPrefix(val, "https://") {
-		return http.RedirectHandler(val, http.StatusFound), true
-	}
-	return nil, false
-}

cmd/derper/derper_test.go

@@ -138,46 +138,3 @@ func TestTemplate(t *testing.T) {
 		t.Error("Output is missing debug info")
 	}
 }
-
-func TestCheckMeshKey(t *testing.T) {
-	testCases := []struct {
-		name    string
-		input   string
-		want    string
-		wantErr bool
-	}{
-		{
-			name:    "KeyOkay",
-			input:   "f1ffafffffffffffffffffffffffffffffffffffffffffffffffff2ffffcfff6",
-			want:    "f1ffafffffffffffffffffffffffffffffffffffffffffffffffff2ffffcfff6",
-			wantErr: false,
-		},
-		{
-			name:    "TrimKeyOkay",
-			input:   "  f1ffafffffffffffffffffffffffffffffffffffffffffffffffff2ffffcfff6  ",
-			want:    "f1ffafffffffffffffffffffffffffffffffffffffffffffffffff2ffffcfff6",
-			wantErr: false,
-		},
-		{
-			name:    "NotAKey",
-			input:   "zzthisisnotakey",
-			want:    "",
-			wantErr: true,
-		},
-	}
-	for _, tt := range testCases {
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-
-			k, err := checkMeshKey(tt.input)
-			if err != nil && !tt.wantErr {
-				t.Errorf("unexpected error: %v", err)
-			}
-			if k != tt.want && err == nil {
-				t.Errorf("want: %s doesn't match expected: %s", tt.want, k)
-			}
-
-		})
-	}
-
-}

cmd/derpprobe/derpprobe.go

@@ -15,9 +15,6 @@ import (
 	"tailscale.com/prober"
 	"tailscale.com/tsweb"
 	"tailscale.com/version"
-
-	// Support for prometheus varz in tsweb
-	_ "tailscale.com/tsweb/promvarz"
 )
 
 var (

cmd/get-authkey/main.go

@@ -16,10 +16,14 @@ import (
 	"strings"
 
 	"golang.org/x/oauth2/clientcredentials"
-	"tailscale.com/internal/client/tailscale"
+	"tailscale.com/client/tailscale"
 )
 
 func main() {
+	// Required to use our client API. We're fine with the instability since the
+	// client lives in the same repo as this code.
+	tailscale.I_Acknowledge_This_API_Is_Unstable = true
+
 	reusable := flag.Bool("reusable", false, "allocate a reusable authkey")
 	ephemeral := flag.Bool("ephemeral", false, "allocate an ephemeral authkey")
 	preauth := flag.Bool("preauth", true, "set the authkey as pre-authorized")

cmd/gitops-pusher/gitops-pusher.go

@@ -13,7 +13,6 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
-	"io"
 	"log"
 	"net/http"
 	"os"
@@ -406,8 +405,7 @@ func getACLETag(ctx context.Context, client *http.Client, tailnet, apiKey string
 	got := resp.StatusCode
 	want := http.StatusOK
 	if got != want {
-		errorDetails, _ := io.ReadAll(resp.Body)
-		return "", fmt.Errorf("wanted HTTP status code %d but got %d: %#q", want, got, string(errorDetails))
+		return "", fmt.Errorf("wanted HTTP status code %d but got %d", want, got)
 	}
 
 	return Shuck(resp.Header.Get("ETag")), nil

cmd/hello/hello.go

@@ -18,9 +18,8 @@ import (
 	"strings"
 	"time"
 
-	"tailscale.com/client/local"
-	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/tailcfg"
+	"tailscale.com/localclient/tailscale"
+	"tailscale.com/localclient/tailscale/apitype"
 )
 
 var (
@@ -32,7 +31,7 @@ var (
 //go:embed hello.tmpl.html
 var embeddedTemplate string
 
-var localClient local.Client
+var localClient tailscale.LocalClient
 
 func main() {
 	flag.Parse()
@@ -135,10 +134,6 @@ func tailscaleIP(who *apitype.WhoIsResponse) string {
 	if who == nil {
 		return ""
 	}
-	vals, err := tailcfg.UnmarshalNodeCapJSON[string](who.Node.CapMap, tailcfg.NodeAttrNativeIPV4)
-	if err == nil && len(vals) > 0 {
-		return vals[0]
-	}
 	for _, nodeIP := range who.Node.Addresses {
 		if nodeIP.Addr().Is4() && nodeIP.IsSingleIP() {
 			return nodeIP.Addr().String()

cmd/k8s-operator/depaware.txt

@@ -9,6 +9,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
    L    github.com/aws/aws-sdk-go-v2/aws/arn                         from tailscale.com/ipn/store/awsstore
    L    github.com/aws/aws-sdk-go-v2/aws/defaults                    from github.com/aws/aws-sdk-go-v2/service/ssm+
    L    github.com/aws/aws-sdk-go-v2/aws/middleware                  from github.com/aws/aws-sdk-go-v2/aws/retry+
+   L    github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics  from github.com/aws/aws-sdk-go-v2/aws/retry+
    L    github.com/aws/aws-sdk-go-v2/aws/protocol/query              from github.com/aws/aws-sdk-go-v2/service/sts
    L    github.com/aws/aws-sdk-go-v2/aws/protocol/restjson           from github.com/aws/aws-sdk-go-v2/service/ssm+
    L    github.com/aws/aws-sdk-go-v2/aws/protocol/xml                from github.com/aws/aws-sdk-go-v2/service/sts
@@ -30,12 +31,10 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
    L    github.com/aws/aws-sdk-go-v2/internal/auth                   from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
    L    github.com/aws/aws-sdk-go-v2/internal/auth/smithy            from github.com/aws/aws-sdk-go-v2/service/ssm+
    L    github.com/aws/aws-sdk-go-v2/internal/configsources          from github.com/aws/aws-sdk-go-v2/service/ssm+
-   L    github.com/aws/aws-sdk-go-v2/internal/context                from github.com/aws/aws-sdk-go-v2/aws/retry+
    L    github.com/aws/aws-sdk-go-v2/internal/endpoints              from github.com/aws/aws-sdk-go-v2/service/ssm+
    L    github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn   from github.com/aws/aws-sdk-go-v2/service/ssm+
    L    github.com/aws/aws-sdk-go-v2/internal/endpoints/v2           from github.com/aws/aws-sdk-go-v2/service/ssm/internal/endpoints+
    L    github.com/aws/aws-sdk-go-v2/internal/ini                    from github.com/aws/aws-sdk-go-v2/config
-   L    github.com/aws/aws-sdk-go-v2/internal/middleware             from github.com/aws/aws-sdk-go-v2/service/sso+
    L    github.com/aws/aws-sdk-go-v2/internal/rand                   from github.com/aws/aws-sdk-go-v2/aws+
    L    github.com/aws/aws-sdk-go-v2/internal/sdk                    from github.com/aws/aws-sdk-go-v2/aws+
    L    github.com/aws/aws-sdk-go-v2/internal/sdkio                  from github.com/aws/aws-sdk-go-v2/credentials/processcreds
@@ -70,17 +69,16 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
    L    github.com/aws/smithy-go/internal/sync/singleflight          from github.com/aws/smithy-go/auth/bearer
    L    github.com/aws/smithy-go/io                                  from github.com/aws/aws-sdk-go-v2/feature/ec2/imds+
    L    github.com/aws/smithy-go/logging                             from github.com/aws/aws-sdk-go-v2/aws+
-   L    github.com/aws/smithy-go/metrics                             from github.com/aws/aws-sdk-go-v2/aws/retry+
    L    github.com/aws/smithy-go/middleware                          from github.com/aws/aws-sdk-go-v2/aws+
    L    github.com/aws/smithy-go/private/requestcompression          from github.com/aws/aws-sdk-go-v2/config
    L    github.com/aws/smithy-go/ptr                                 from github.com/aws/aws-sdk-go-v2/aws+
    L    github.com/aws/smithy-go/rand                                from github.com/aws/aws-sdk-go-v2/aws/middleware+
    L    github.com/aws/smithy-go/time                                from github.com/aws/aws-sdk-go-v2/service/ssm+
-   L    github.com/aws/smithy-go/tracing                             from github.com/aws/aws-sdk-go-v2/aws/middleware+
    L    github.com/aws/smithy-go/transport/http                      from github.com/aws/aws-sdk-go-v2/aws/middleware+
    L    github.com/aws/smithy-go/transport/http/internal/io          from github.com/aws/smithy-go/transport/http
    L    github.com/aws/smithy-go/waiter                              from github.com/aws/aws-sdk-go-v2/service/ssm
         github.com/beorn7/perks/quantile                             from github.com/prometheus/client_golang/prometheus
+        github.com/bits-and-blooms/bitset                            from github.com/gaissmai/bart
      💣 github.com/cespare/xxhash/v2                                 from github.com/prometheus/client_golang/prometheus
    L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
      💣 github.com/davecgh/go-spew/spew                              from k8s.io/apimachinery/pkg/util/dump
@@ -98,8 +96,6 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
      💣 github.com/fsnotify/fsnotify                                 from sigs.k8s.io/controller-runtime/pkg/certwatcher
         github.com/fxamacker/cbor/v2                                 from tailscale.com/tka+
         github.com/gaissmai/bart                                     from tailscale.com/net/ipset+
-        github.com/gaissmai/bart/internal/bitset                     from github.com/gaissmai/bart+
-        github.com/gaissmai/bart/internal/sparse                     from github.com/gaissmai/bart
         github.com/go-json-experiment/json                           from tailscale.com/types/opt+
         github.com/go-json-experiment/json/internal                  from github.com/go-json-experiment/json/internal/jsonflags+
         github.com/go-json-experiment/json/internal/jsonflags        from github.com/go-json-experiment/json/internal/jsonopts+
@@ -143,8 +139,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         github.com/gorilla/csrf                                      from tailscale.com/client/web
         github.com/gorilla/securecookie                              from github.com/gorilla/csrf
         github.com/hdevalence/ed25519consensus                       from tailscale.com/clientupdate/distsign+
-   L 💣 github.com/illarion/gonotify/v3                              from tailscale.com/net/dns
-   L    github.com/illarion/gonotify/v3/syscallf                     from github.com/illarion/gonotify/v3
+   L 💣 github.com/illarion/gonotify/v2                              from tailscale.com/net/dns
    L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/feature/tap
    L    github.com/insomniacslk/dhcp/iana                            from github.com/insomniacslk/dhcp/dhcpv4
    L    github.com/insomniacslk/dhcp/interfaces                      from github.com/insomniacslk/dhcp/dhcpv4
@@ -237,7 +232,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         go.uber.org/zap/internal/pool                                from go.uber.org/zap+
         go.uber.org/zap/internal/stacktrace                          from go.uber.org/zap
         go.uber.org/zap/zapcore                                      from github.com/go-logr/zapr+
-     💣 go4.org/mem                                                  from tailscale.com/client/local+
+     💣 go4.org/mem                                                  from tailscale.com/control/controlbase+
         go4.org/netipx                                               from tailscale.com/ipn/ipnlocal+
    W 💣 golang.zx2c4.com/wintun                                      from github.com/tailscale/wireguard-go/tun
    W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/dns+
@@ -298,7 +293,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         gvisor.dev/gvisor/pkg/tcpip/hash/jenkins                     from gvisor.dev/gvisor/pkg/tcpip/stack+
         gvisor.dev/gvisor/pkg/tcpip/header                           from gvisor.dev/gvisor/pkg/tcpip/header/parse+
         gvisor.dev/gvisor/pkg/tcpip/header/parse                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
-        gvisor.dev/gvisor/pkg/tcpip/internal/tcp                     from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
+        gvisor.dev/gvisor/pkg/tcpip/internal/tcp                     from gvisor.dev/gvisor/pkg/tcpip/stack+
         gvisor.dev/gvisor/pkg/tcpip/network/hash                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4
         gvisor.dev/gvisor/pkg/tcpip/network/internal/fragmentation   from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
         gvisor.dev/gvisor/pkg/tcpip/network/internal/ip              from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
@@ -782,9 +777,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         tailscale.com                                                from tailscale.com/version
         tailscale.com/appc                                           from tailscale.com/ipn/ipnlocal
      💣 tailscale.com/atomicfile                                     from tailscale.com/ipn+
-        tailscale.com/client/local                                   from tailscale.com/client/tailscale+
         tailscale.com/client/tailscale                               from tailscale.com/cmd/k8s-operator+
-        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale+
         tailscale.com/client/web                                     from tailscale.com/ipn/ipnlocal
         tailscale.com/clientupdate                                   from tailscale.com/client/web+
   LW    tailscale.com/clientupdate/distsign                          from tailscale.com/clientupdate
@@ -800,8 +793,8 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         tailscale.com/doctor/ethtool                                 from tailscale.com/ipn/ipnlocal
      💣 tailscale.com/doctor/permissions                             from tailscale.com/ipn/ipnlocal
         tailscale.com/doctor/routetable                              from tailscale.com/ipn/ipnlocal
-        tailscale.com/drive                                          from tailscale.com/client/local+
-        tailscale.com/envknob                                        from tailscale.com/client/local+
+        tailscale.com/drive                                          from tailscale.com/ipn+
+        tailscale.com/envknob                                        from tailscale.com/client/web+
         tailscale.com/envknob/featureknob                            from tailscale.com/client/web+
         tailscale.com/feature                                        from tailscale.com/feature/wakeonlan+
         tailscale.com/feature/capture                                from tailscale.com/feature/condregister
@@ -811,15 +804,12 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         tailscale.com/health                                         from tailscale.com/control/controlclient+
         tailscale.com/health/healthmsg                               from tailscale.com/ipn/ipnlocal
         tailscale.com/hostinfo                                       from tailscale.com/client/web+
-        tailscale.com/internal/client/tailscale                      from tailscale.com/cmd/k8s-operator
         tailscale.com/internal/noiseconn                             from tailscale.com/control/controlclient
-        tailscale.com/ipn                                            from tailscale.com/client/local+
-        tailscale.com/ipn/auditlog                                   from tailscale.com/ipn/ipnlocal+
+        tailscale.com/ipn                                            from tailscale.com/client/web+
         tailscale.com/ipn/conffile                                   from tailscale.com/ipn/ipnlocal+
-     💣 tailscale.com/ipn/desktop                                    from tailscale.com/ipn/ipnlocal+
      💣 tailscale.com/ipn/ipnauth                                    from tailscale.com/ipn/ipnlocal+
         tailscale.com/ipn/ipnlocal                                   from tailscale.com/ipn/localapi+
-        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/local+
+        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/web+
         tailscale.com/ipn/localapi                                   from tailscale.com/tsnet+
         tailscale.com/ipn/policy                                     from tailscale.com/ipn/ipnlocal
         tailscale.com/ipn/store                                      from tailscale.com/ipn/ipnlocal+
@@ -838,6 +828,8 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         tailscale.com/kube/kubeclient                                from tailscale.com/ipn/store/kubestore
         tailscale.com/kube/kubetypes                                 from tailscale.com/cmd/k8s-operator+
         tailscale.com/licenses                                       from tailscale.com/client/web
+        tailscale.com/localclient/tailscale                          from tailscale.com/client/web+
+        tailscale.com/localclient/tailscale/apitype                  from tailscale.com/client/tailscale+
         tailscale.com/log/filelogger                                 from tailscale.com/logpolicy
         tailscale.com/log/sockstatlog                                from tailscale.com/ipn/ipnlocal
         tailscale.com/logpolicy                                      from tailscale.com/ipn/ipnlocal+
@@ -866,7 +858,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
      💣 tailscale.com/net/netmon                                     from tailscale.com/control/controlclient+
      💣 tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
    W 💣 tailscale.com/net/netstat                                    from tailscale.com/portlist
-        tailscale.com/net/netutil                                    from tailscale.com/client/local+
+        tailscale.com/net/netutil                                    from tailscale.com/client/web+
         tailscale.com/net/packet                                     from tailscale.com/net/connstats+
         tailscale.com/net/packet/checksum                            from tailscale.com/net/tstun
         tailscale.com/net/ping                                       from tailscale.com/net/netcheck+
@@ -884,19 +876,19 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
      💣 tailscale.com/net/tshttpproxy                                from tailscale.com/clientupdate/distsign+
         tailscale.com/net/tstun                                      from tailscale.com/tsd+
         tailscale.com/omit                                           from tailscale.com/ipn/conffile
-        tailscale.com/paths                                          from tailscale.com/client/local+
+        tailscale.com/paths                                          from tailscale.com/ipn/ipnlocal+
      💣 tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
         tailscale.com/posture                                        from tailscale.com/ipn/ipnlocal
         tailscale.com/proxymap                                       from tailscale.com/tsd+
-     💣 tailscale.com/safesocket                                     from tailscale.com/client/local+
+     💣 tailscale.com/safesocket                                     from tailscale.com/ipn/ipnauth+
         tailscale.com/sessionrecording                               from tailscale.com/k8s-operator/sessionrecording+
         tailscale.com/syncs                                          from tailscale.com/control/controlknobs+
-        tailscale.com/tailcfg                                        from tailscale.com/client/local+
+        tailscale.com/tailcfg                                        from tailscale.com/client/web+
         tailscale.com/taildrop                                       from tailscale.com/ipn/ipnlocal+
         tailscale.com/tempfork/acme                                  from tailscale.com/ipn/ipnlocal
         tailscale.com/tempfork/heap                                  from tailscale.com/wgengine/magicsock
         tailscale.com/tempfork/httprec                               from tailscale.com/control/controlclient
-        tailscale.com/tka                                            from tailscale.com/client/local+
+        tailscale.com/tka                                            from tailscale.com/control/controlclient+
         tailscale.com/tsconst                                        from tailscale.com/net/netmon+
         tailscale.com/tsd                                            from tailscale.com/ipn/ipnlocal+
         tailscale.com/tsnet                                          from tailscale.com/cmd/k8s-operator+
@@ -905,11 +897,10 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         tailscale.com/tstime/rate                                    from tailscale.com/derp+
         tailscale.com/tsweb/varz                                     from tailscale.com/util/usermetric
         tailscale.com/types/appctype                                 from tailscale.com/ipn/ipnlocal
-        tailscale.com/types/bools                                    from tailscale.com/tsnet
         tailscale.com/types/dnstype                                  from tailscale.com/ipn/ipnlocal+
         tailscale.com/types/empty                                    from tailscale.com/ipn+
         tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
-        tailscale.com/types/key                                      from tailscale.com/client/local+
+        tailscale.com/types/key                                      from tailscale.com/control/controlbase+
         tailscale.com/types/lazy                                     from tailscale.com/ipn/ipnlocal+
         tailscale.com/types/logger                                   from tailscale.com/appc+
         tailscale.com/types/logid                                    from tailscale.com/ipn/ipnlocal+
@@ -922,7 +913,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         tailscale.com/types/ptr                                      from tailscale.com/cmd/k8s-operator+
         tailscale.com/types/result                                   from tailscale.com/util/lineiter
         tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
-        tailscale.com/types/tkatype                                  from tailscale.com/client/local+
+        tailscale.com/types/tkatype                                  from tailscale.com/control/controlclient+
         tailscale.com/types/views                                    from tailscale.com/appc+
         tailscale.com/util/cibuild                                   from tailscale.com/health
         tailscale.com/util/clientmetric                              from tailscale.com/cmd/k8s-operator+
@@ -999,13 +990,14 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
         golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
         golang.org/x/crypto/curve25519                               from golang.org/x/crypto/ssh+
-        golang.org/x/crypto/hkdf                                     from tailscale.com/control/controlbase
+        golang.org/x/crypto/hkdf                                     from crypto/tls+
         golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
         golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
         golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/sha3                                     from crypto/internal/mlkem768+
   LD    golang.org/x/crypto/ssh                                      from tailscale.com/ipn/ipnlocal
   LD    golang.org/x/crypto/ssh/internal/bcrypt_pbkdf                from golang.org/x/crypto/ssh
         golang.org/x/exp/constraints                                 from github.com/dblohm7/wingoes/pe+
@@ -1020,7 +1012,6 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         golang.org/x/net/http2/hpack                                 from golang.org/x/net/http2+
         golang.org/x/net/icmp                                        from github.com/prometheus-community/pro-bing+
         golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
-        golang.org/x/net/internal/httpcommon                         from golang.org/x/net/http2
         golang.org/x/net/internal/iana                               from golang.org/x/net/icmp+
         golang.org/x/net/internal/socket                             from golang.org/x/net/icmp+
         golang.org/x/net/internal/socks                              from golang.org/x/net/proxy
@@ -1056,7 +1047,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         container/list                                               from crypto/tls+
         context                                                      from crypto/tls+
         crypto                                                       from crypto/ecdh+
-        crypto/aes                                                   from crypto/internal/hpke+
+        crypto/aes                                                   from crypto/ecdsa+
         crypto/cipher                                                from crypto/aes+
         crypto/des                                                   from crypto/tls+
         crypto/dsa                                                   from crypto/x509+
@@ -1065,54 +1056,27 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         crypto/ed25519                                               from crypto/tls+
         crypto/elliptic                                              from crypto/ecdsa+
         crypto/hmac                                                  from crypto/tls+
+        crypto/internal/alias                                        from crypto/aes+
+        crypto/internal/bigmod                                       from crypto/ecdsa+
         crypto/internal/boring                                       from crypto/aes+
         crypto/internal/boring/bbig                                  from crypto/ecdsa+
         crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/entropy                                      from crypto/internal/fips140/drbg
-        crypto/internal/fips140                                      from crypto/internal/fips140/aes+
-        crypto/internal/fips140/aes                                  from crypto/aes+
-        crypto/internal/fips140/aes/gcm                              from crypto/cipher+
-        crypto/internal/fips140/alias                                from crypto/cipher+
-        crypto/internal/fips140/bigmod                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/check                                from crypto/internal/fips140/aes+
-        crypto/internal/fips140/drbg                                 from crypto/internal/fips140/aes/gcm+
-        crypto/internal/fips140/ecdh                                 from crypto/ecdh
-        crypto/internal/fips140/ecdsa                                from crypto/ecdsa
-        crypto/internal/fips140/ed25519                              from crypto/ed25519
-        crypto/internal/fips140/edwards25519                         from crypto/internal/fips140/ed25519
-        crypto/internal/fips140/edwards25519/field                   from crypto/ecdh+
-        crypto/internal/fips140/hkdf                                 from crypto/internal/fips140/tls13+
-        crypto/internal/fips140/hmac                                 from crypto/hmac+
-        crypto/internal/fips140/mlkem                                from crypto/tls
-        crypto/internal/fips140/nistec                               from crypto/elliptic+
-        crypto/internal/fips140/nistec/fiat                          from crypto/internal/fips140/nistec
-        crypto/internal/fips140/rsa                                  from crypto/rsa
-        crypto/internal/fips140/sha256                               from crypto/internal/fips140/check+
-        crypto/internal/fips140/sha3                                 from crypto/internal/fips140/hmac+
-        crypto/internal/fips140/sha512                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/subtle                               from crypto/internal/fips140/aes+
-        crypto/internal/fips140/tls12                                from crypto/tls
-        crypto/internal/fips140/tls13                                from crypto/tls
-        crypto/internal/fips140deps/byteorder                        from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/cpu                              from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/godebug                          from crypto/internal/fips140+
-        crypto/internal/fips140hash                                  from crypto/ecdsa+
-        crypto/internal/fips140only                                  from crypto/cipher+
+        crypto/internal/edwards25519                                 from crypto/ed25519
+        crypto/internal/edwards25519/field                           from crypto/ecdh+
         crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/impl                                         from crypto/internal/fips140/aes+
+        crypto/internal/mlkem768                                     from crypto/tls
+        crypto/internal/nistec                                       from crypto/ecdh+
+        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
         crypto/internal/randutil                                     from crypto/dsa+
-        crypto/internal/sysrand                                      from crypto/internal/entropy+
         crypto/md5                                                   from crypto/tls+
         crypto/rand                                                  from crypto/ed25519+
         crypto/rc4                                                   from crypto/tls+
         crypto/rsa                                                   from crypto/tls+
         crypto/sha1                                                  from crypto/tls+
         crypto/sha256                                                from crypto/tls+
-        crypto/sha3                                                  from crypto/internal/fips140hash
         crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/cipher+
+        crypto/subtle                                                from crypto/aes+
         crypto/tls                                                   from github.com/aws/aws-sdk-go-v2/aws/transport/http+
-        crypto/tls/internal/fips140tls                               from crypto/tls
         crypto/x509                                                  from crypto/tls+
    D    crypto/x509/internal/macos                                   from crypto/x509
         crypto/x509/pkix                                             from crypto/x509+
@@ -1120,7 +1084,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         database/sql/driver                                          from database/sql+
    W    debug/dwarf                                                  from debug/pe
    W    debug/pe                                                     from github.com/dblohm7/wingoes/pe
-        embed                                                        from github.com/tailscale/web-client-prebuilt+
+        embed                                                        from crypto/internal/nistec+
         encoding                                                     from encoding/gob+
         encoding/asn1                                                from crypto/x509+
         encoding/base32                                              from github.com/fxamacker/cbor/v2+
@@ -1140,6 +1104,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         go/build/constraint                                          from go/parser
         go/doc                                                       from k8s.io/apimachinery/pkg/runtime
         go/doc/comment                                               from go/doc
+        go/internal/typeparams                                       from go/parser
         go/parser                                                    from k8s.io/apimachinery/pkg/runtime
         go/scanner                                                   from go/ast+
         go/token                                                     from go/ast+
@@ -1151,23 +1116,24 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         html                                                         from html/template+
         html/template                                                from github.com/gorilla/csrf
         internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from internal/runtime/maps+
+        internal/asan                                                from syscall
         internal/bisect                                              from internal/godebug
         internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/cipher+
+        internal/byteorder                                           from crypto/aes+
         internal/chacha8rand                                         from math/rand/v2+
+        internal/concurrent                                          from unique
         internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/internal/fips140deps/cpu+
+        internal/cpu                                                 from crypto/aes+
         internal/filepathlite                                        from os+
         internal/fmtsort                                             from fmt+
-        internal/goarch                                              from crypto/internal/fips140deps/cpu+
+        internal/goarch                                              from crypto/aes+
         internal/godebug                                             from archive/tar+
         internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from hash/maphash+
+        internal/goexperiment                                        from runtime
         internal/goos                                                from crypto/x509+
         internal/itoa                                                from internal/poll+
         internal/lazyregexp                                          from go/doc
-        internal/msan                                                from internal/runtime/maps+
+        internal/msan                                                from syscall
         internal/nettrace                                            from net+
         internal/oserror                                             from io/fs+
         internal/poll                                                from net+
@@ -1177,21 +1143,18 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         internal/reflectlite                                         from context+
         internal/runtime/atomic                                      from internal/runtime/exithook+
         internal/runtime/exithook                                    from runtime
-        internal/runtime/maps                                        from reflect+
-        internal/runtime/math                                        from internal/runtime/maps+
-        internal/runtime/sys                                         from crypto/subtle+
    L    internal/runtime/syscall                                     from runtime+
         internal/saferio                                             from debug/pe+
         internal/singleflight                                        from net
         internal/stringslite                                         from embed+
-        internal/sync                                                from sync+
         internal/syscall/execenv                                     from os+
-  LD    internal/syscall/unix                                        from crypto/internal/sysrand+
-   W    internal/syscall/windows                                     from crypto/internal/sysrand+
+  LD    internal/syscall/unix                                        from crypto/rand+
+   W    internal/syscall/windows                                     from crypto/rand+
    W    internal/syscall/windows/registry                            from mime+
    W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
         internal/testlog                                             from os
         internal/unsafeheader                                        from internal/reflectlite+
+        internal/weak                                                from unique
         io                                                           from archive/tar+
         io/fs                                                        from archive/tar+
         io/ioutil                                                    from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
@@ -1220,7 +1183,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         net/netip                                                    from github.com/gaissmai/bart+
         net/textproto                                                from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
         net/url                                                      from crypto/x509+
-        os                                                           from crypto/internal/sysrand+
+        os                                                           from crypto/rand+
         os/exec                                                      from github.com/aws/aws-sdk-go-v2/credentials/processcreds+
         os/signal                                                    from sigs.k8s.io/controller-runtime/pkg/manager/signals
         os/user                                                      from archive/tar+
@@ -1231,6 +1194,8 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         regexp/syntax                                                from regexp
         runtime                                                      from archive/tar+
         runtime/debug                                                from github.com/aws/aws-sdk-go-v2/internal/sync/singleflight+
+        runtime/internal/math                                        from runtime
+        runtime/internal/sys                                         from runtime
         runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
         runtime/pprof                                                from net/http/pprof+
         runtime/trace                                                from net/http/pprof
@@ -1250,4 +1215,3 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         unicode/utf8                                                 from bufio+
         unique                                                       from net/netip
         unsafe                                                       from bytes+
-        weak                                                         from unique

cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml

@@ -75,7 +75,7 @@ rules:
   verbs: ["get", "list", "watch", "create", "update", "deletecollection"]
 - apiGroups: ["rbac.authorization.k8s.io"]
   resources: ["roles", "rolebindings"]
-  verbs: ["get", "create", "patch", "update", "list", "watch", "deletecollection"]
+  verbs: ["get", "create", "patch", "update", "list", "watch"]
 - apiGroups: ["monitoring.coreos.com"]
   resources: ["servicemonitors"]
   verbs: ["get", "list", "update", "create", "delete"]

cmd/k8s-operator/deploy/crds/tailscale.com_proxyclasses.yaml

@@ -2215,22 +2215,6 @@ spec:
                         https://tailscale.com/kb/1019/subnets#use-your-subnet-routes-from-other-devices
                         Defaults to false.
                       type: boolean
-                useLetsEncryptStagingEnvironment:
-                  description: |-
-                    Set UseLetsEncryptStagingEnvironment to true to issue TLS
-                    certificates for any HTTPS endpoints exposed to the tailnet from
-                    LetsEncrypt's staging environment.
-                    https://letsencrypt.org/docs/staging-environment/
-                    This setting only affects Tailscale Ingress resources.
-                    By default Ingress TLS certificates are issued from LetsEncrypt's
-                    production environment.
-                    Changing this setting true -> false, will result in any
-                    existing certs being re-issued from the production environment.
-                    Changing this setting false (default) -> true, when certs have already
-                    been provisioned from production environment will NOT result in certs
-                    being re-issued from the staging environment before they need to be
-                    renewed.
-                  type: boolean
             status:
               description: |-
                 Status of the ProxyClass. This is set and managed automatically.

cmd/k8s-operator/deploy/manifests/operator.yaml

@@ -2685,22 +2685,6 @@ spec:
                                             Defaults to false.
                                         type: boolean
                                 type: object
-                            useLetsEncryptStagingEnvironment:
-                                description: |-
-                                    Set UseLetsEncryptStagingEnvironment to true to issue TLS
-                                    certificates for any HTTPS endpoints exposed to the tailnet from
-                                    LetsEncrypt's staging environment.
-                                    https://letsencrypt.org/docs/staging-environment/
-                                    This setting only affects Tailscale Ingress resources.
-                                    By default Ingress TLS certificates are issued from LetsEncrypt's
-                                    production environment.
-                                    Changing this setting true -> false, will result in any
-                                    existing certs being re-issued from the production environment.
-                                    Changing this setting false (default) -> true, when certs have already
-                                    been provisioned from production environment will NOT result in certs
-                                    being re-issued from the staging environment before they need to be
-                                    renewed.
-                                type: boolean
                         type: object
                     status:
                         description: |-
@@ -4914,7 +4898,6 @@ rules:
         - update
         - list
         - watch
-        - deletecollection
     - apiGroups:
         - monitoring.coreos.com
       resources:

cmd/k8s-operator/dnsrecords_test.go

@@ -22,7 +22,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	operatorutils "tailscale.com/k8s-operator"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
-	"tailscale.com/kube/kubetypes"
 	"tailscale.com/tstest"
 	"tailscale.com/types/ptr"
 )
@@ -164,10 +163,10 @@ func headlessSvcForParent(o client.Object, typ string) *corev1.Service {
 			Name:      o.GetName(),
 			Namespace: "tailscale",
 			Labels: map[string]string{
-				kubetypes.LabelManaged: "true",
-				LabelParentName:        o.GetName(),
-				LabelParentNamespace:   o.GetNamespace(),
-				LabelParentType:        typ,
+				LabelManaged:         "true",
+				LabelParentName:      o.GetName(),
+				LabelParentNamespace: o.GetNamespace(),
+				LabelParentType:      typ,
 			},
 		},
 		Spec: corev1.ServiceSpec{

cmd/k8s-operator/e2e/main_test.go

@@ -21,7 +21,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	kzap "sigs.k8s.io/controller-runtime/pkg/log/zap"
-	"tailscale.com/internal/client/tailscale"
+	"tailscale.com/client/tailscale"
 )
 
 const (
@@ -64,6 +64,7 @@ func TestMain(m *testing.M) {
 func runTests(m *testing.M) (int, error) {
 	zlog := kzap.NewRaw([]kzap.Opts{kzap.UseDevMode(true), kzap.Level(zapcore.DebugLevel)}...).Sugar()
 	logf.SetLogger(zapr.NewLogger(zlog.Desugar()))
+	tailscale.I_Acknowledge_This_API_Is_Unstable = true
 
 	if clientID := os.Getenv("TS_API_CLIENT_ID"); clientID != "" {
 		cleanup, err := setupClientAndACLs()

cmd/k8s-operator/egress-pod-readiness.go

@@ -112,9 +112,9 @@ func (er *egressPodsReconciler) Reconcile(ctx context.Context, req reconcile.Req
 	}
 	// Get all ClusterIP Services for all egress targets exposed to cluster via this ProxyGroup.
 	lbls := map[string]string{
-		kubetypes.LabelManaged: "true",
-		labelProxyGroup:        proxyGroupName,
-		labelSvcType:           typeEgress,
+		LabelManaged:    "true",
+		labelProxyGroup: proxyGroupName,
+		labelSvcType:    typeEgress,
 	}
 	svcs := &corev1.ServiceList{}
 	if err := er.List(ctx, svcs, client.InNamespace(er.tsNamespace), client.MatchingLabels(lbls)); err != nil {

cmd/k8s-operator/egress-pod-readiness_test.go

@@ -450,9 +450,9 @@ func newSvc(name string, port int32) (*corev1.Service, string) {
 			Namespace: "operator-ns",
 			Name:      name,
 			Labels: map[string]string{
-				kubetypes.LabelManaged: "true",
-				labelProxyGroup:        "dev",
-				labelSvcType:           typeEgress,
+				LabelManaged:    "true",
+				labelProxyGroup: "dev",
+				labelSvcType:    typeEgress,
 			},
 		},
 		Spec: corev1.ServiceSpec{},

cmd/k8s-operator/egress-services.go

@@ -630,11 +630,7 @@ func tailnetTargetFromSvc(svc *corev1.Service) egressservices.TailnetTarget {
 
 func portMap(p corev1.ServicePort) egressservices.PortMap {
 	// TODO (irbekrm): out of bounds check?
-	return egressservices.PortMap{
-		Protocol:   string(p.Protocol),
-		MatchPort:  uint16(p.TargetPort.IntVal),
-		TargetPort: uint16(p.Port),
-	}
+	return egressservices.PortMap{Protocol: string(p.Protocol), MatchPort: uint16(p.TargetPort.IntVal), TargetPort: uint16(p.Port)}
 }
 
 func isEgressSvcForProxyGroup(obj client.Object) bool {
@@ -680,12 +676,12 @@ func egressSvcsConfigs(ctx context.Context, cl client.Client, proxyGroupName, ts
 // should probably validate and truncate (?) the names is they are too long.
 func egressSvcChildResourceLabels(svc *corev1.Service) map[string]string {
 	return map[string]string{
-		kubetypes.LabelManaged: "true",
-		LabelParentType:        "svc",
-		LabelParentName:        svc.Name,
-		LabelParentNamespace:   svc.Namespace,
-		labelProxyGroup:        svc.Annotations[AnnotationProxyGroup],
-		labelSvcType:           typeEgress,
+		LabelManaged:         "true",
+		LabelParentType:      "svc",
+		LabelParentName:      svc.Name,
+		LabelParentNamespace: svc.Namespace,
+		labelProxyGroup:      svc.Annotations[AnnotationProxyGroup],
+		labelSvcType:         typeEgress,
 	}
 }
 

cmd/k8s-operator/ingress-for-pg_test.go

@@ -8,11 +8,6 @@ package main
 import (
 	"context"
 	"encoding/json"
-	"errors"
-	"fmt"
-	"maps"
-	"net/http"
-	"reflect"
 	"testing"
 
 	"slices"
@@ -20,24 +15,84 @@ import (
 	"go.uber.org/zap"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
-	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
-	"tailscale.com/internal/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
-	tsoperator "tailscale.com/k8s-operator"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
-	"tailscale.com/tailcfg"
 	"tailscale.com/types/ptr"
 )
 
 func TestIngressPGReconciler(t *testing.T) {
-	ingPGR, fc, ft := setupIngressTest(t)
+	tsIngressClass := &networkingv1.IngressClass{
+		ObjectMeta: metav1.ObjectMeta{Name: "tailscale"},
+		Spec:       networkingv1.IngressClassSpec{Controller: "tailscale.com/ts-ingress"},
+	}
 
+	// Pre-create the ProxyGroup
+	pg := &tsapi.ProxyGroup{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:       "test-pg",
+			Generation: 1,
+		},
+		Spec: tsapi.ProxyGroupSpec{
+			Type: tsapi.ProxyGroupTypeIngress,
+		},
+	}
+
+	// Pre-create the ConfigMap for the ProxyGroup
+	pgConfigMap := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-pg-ingress-config",
+			Namespace: "operator-ns",
+		},
+		BinaryData: map[string][]byte{
+			"serve-config.json": []byte(`{"Services":{}}`),
+		},
+	}
+
+	fc := fake.NewClientBuilder().
+		WithScheme(tsapi.GlobalScheme).
+		WithObjects(pg, pgConfigMap, tsIngressClass).
+		WithStatusSubresource(pg).
+		Build()
+	mustUpdateStatus(t, fc, "", pg.Name, func(pg *tsapi.ProxyGroup) {
+		pg.Status.Conditions = []metav1.Condition{
+			{
+				Type:               string(tsapi.ProxyGroupReady),
+				Status:             metav1.ConditionTrue,
+				ObservedGeneration: 1,
+			},
+		}
+	})
+	ft := &fakeTSClient{}
+	fakeTsnetServer := &fakeTSNetServer{certDomains: []string{"foo.com"}}
+	zl, err := zap.NewDevelopment()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	lc := &fakeLocalClient{
+		status: &ipnstate.Status{
+			CurrentTailnet: &ipnstate.TailnetStatus{
+				MagicDNSSuffix: "ts.net",
+			},
+		},
+	}
+	ingPGR := &IngressPGReconciler{
+		Client:      fc,
+		tsClient:    ft,
+		tsnetServer: fakeTsnetServer,
+		defaultTags: []string{"tag:k8s"},
+		tsNamespace: "operator-ns",
+		logger:      zl.Sugar(),
+		recorder:    record.NewFakeRecorder(10),
+		lc:          lc,
+	}
+
+	// Test 1: Default tags
 	ing := &networkingv1.Ingress{
 		TypeMeta: metav1.TypeMeta{Kind: "Ingress", APIVersion: "networking.k8s.io/v1"},
 		ObjectMeta: metav1.ObjectMeta{
@@ -67,87 +122,8 @@ func TestIngressPGReconciler(t *testing.T) {
 
 	// Verify initial reconciliation
 	expectReconciled(t, ingPGR, "default", "test-ingress")
-	verifyServeConfig(t, fc, "svc:my-svc", false)
-	verifyVIPService(t, ft, "svc:my-svc", []string{"443"})
-	verifyTailscaledConfig(t, fc, []string{"svc:my-svc"})
 
-	// Verify cert resources were created for the first Ingress
-	expectEqual(t, fc, certSecret("test-pg", "operator-ns", "my-svc.ts.net"))
-	expectEqual(t, fc, certSecretRole("test-pg", "operator-ns", "my-svc.ts.net"))
-	expectEqual(t, fc, certSecretRoleBinding("test-pg", "operator-ns", "my-svc.ts.net"))
-
-	mustUpdate(t, fc, "default", "test-ingress", func(ing *networkingv1.Ingress) {
-		ing.Annotations["tailscale.com/tags"] = "tag:custom,tag:test"
-	})
-	expectReconciled(t, ingPGR, "default", "test-ingress")
-
-	// Verify VIPService uses custom tags
-	vipSvc, err := ft.GetVIPService(context.Background(), "svc:my-svc")
-	if err != nil {
-		t.Fatalf("getting VIPService: %v", err)
-	}
-	if vipSvc == nil {
-		t.Fatal("VIPService not created")
-	}
-	wantTags := []string{"tag:custom", "tag:test"} // custom tags only
-	gotTags := slices.Clone(vipSvc.Tags)
-	slices.Sort(gotTags)
-	slices.Sort(wantTags)
-	if !slices.Equal(gotTags, wantTags) {
-		t.Errorf("incorrect VIPService tags: got %v, want %v", gotTags, wantTags)
-	}
-
-	// Create second Ingress
-	ing2 := &networkingv1.Ingress{
-		TypeMeta: metav1.TypeMeta{Kind: "Ingress", APIVersion: "networking.k8s.io/v1"},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "my-other-ingress",
-			Namespace: "default",
-			UID:       types.UID("5678-UID"),
-			Annotations: map[string]string{
-				"tailscale.com/proxy-group": "test-pg",
-			},
-		},
-		Spec: networkingv1.IngressSpec{
-			IngressClassName: ptr.To("tailscale"),
-			DefaultBackend: &networkingv1.IngressBackend{
-				Service: &networkingv1.IngressServiceBackend{
-					Name: "test",
-					Port: networkingv1.ServiceBackendPort{
-						Number: 8080,
-					},
-				},
-			},
-			TLS: []networkingv1.IngressTLS{
-				{Hosts: []string{"my-other-svc.tailnetxyz.ts.net"}},
-			},
-		},
-	}
-	mustCreate(t, fc, ing2)
-
-	// Verify second Ingress reconciliation
-	expectReconciled(t, ingPGR, "default", "my-other-ingress")
-	verifyServeConfig(t, fc, "svc:my-other-svc", false)
-	verifyVIPService(t, ft, "svc:my-other-svc", []string{"443"})
-
-	// Verify cert resources were created for the second Ingress
-	expectEqual(t, fc, certSecret("test-pg", "operator-ns", "my-other-svc.ts.net"))
-	expectEqual(t, fc, certSecretRole("test-pg", "operator-ns", "my-other-svc.ts.net"))
-	expectEqual(t, fc, certSecretRoleBinding("test-pg", "operator-ns", "my-other-svc.ts.net"))
-
-	// Verify first Ingress is still working
-	verifyServeConfig(t, fc, "svc:my-svc", false)
-	verifyVIPService(t, ft, "svc:my-svc", []string{"443"})
-
-	verifyTailscaledConfig(t, fc, []string{"svc:my-svc", "svc:my-other-svc"})
-
-	// Delete second Ingress
-	if err := fc.Delete(context.Background(), ing2); err != nil {
-		t.Fatalf("deleting second Ingress: %v", err)
-	}
-	expectReconciled(t, ingPGR, "default", "my-other-ingress")
-
-	// Verify second Ingress cleanup
+	// Get and verify the ConfigMap was updated
 	cm := &corev1.ConfigMap{}
 	if err := fc.Get(context.Background(), types.NamespacedName{
 		Name:      "test-pg-ingress-config",
@@ -161,21 +137,46 @@ func TestIngressPGReconciler(t *testing.T) {
 		t.Fatalf("unmarshaling serve config: %v", err)
 	}
 
-	// Verify first Ingress is still configured
 	if cfg.Services["svc:my-svc"] == nil {
-		t.Error("first Ingress service config was incorrectly removed")
-	}
-	// Verify second Ingress was cleaned up
-	if cfg.Services["svc:my-other-svc"] != nil {
-		t.Error("second Ingress service config was not cleaned up")
+		t.Error("expected serve config to contain VIPService configuration")
 	}
 
-	verifyTailscaledConfig(t, fc, []string{"svc:my-svc"})
-	expectMissing[corev1.Secret](t, fc, "operator-ns", "my-other-svc.ts.net")
-	expectMissing[rbacv1.Role](t, fc, "operator-ns", "my-other-svc.ts.net")
-	expectMissing[rbacv1.RoleBinding](t, fc, "operator-ns", "my-other-svc.ts.net")
+	// Verify VIPService uses default tags
+	vipSvc, err := ft.getVIPService(context.Background(), "svc:my-svc")
+	if err != nil {
+		t.Fatalf("getting VIPService: %v", err)
+	}
+	if vipSvc == nil {
+		t.Fatal("VIPService not created")
+	}
+	wantTags := []string{"tag:k8s"} // default tags
+	if !slices.Equal(vipSvc.Tags, wantTags) {
+		t.Errorf("incorrect VIPService tags: got %v, want %v", vipSvc.Tags, wantTags)
+	}
 
-	// Delete the first Ingress and verify cleanup
+	// Test 2: Custom tags
+	mustUpdate(t, fc, "default", "test-ingress", func(ing *networkingv1.Ingress) {
+		ing.Annotations["tailscale.com/tags"] = "tag:custom,tag:test"
+	})
+	expectReconciled(t, ingPGR, "default", "test-ingress")
+
+	// Verify VIPService uses custom tags
+	vipSvc, err = ft.getVIPService(context.Background(), "svc:my-svc")
+	if err != nil {
+		t.Fatalf("getting VIPService: %v", err)
+	}
+	if vipSvc == nil {
+		t.Fatal("VIPService not created")
+	}
+	wantTags = []string{"tag:custom", "tag:test"} // custom tags only
+	gotTags := slices.Clone(vipSvc.Tags)
+	slices.Sort(gotTags)
+	slices.Sort(wantTags)
+	if !slices.Equal(gotTags, wantTags) {
+		t.Errorf("incorrect VIPService tags: got %v, want %v", gotTags, wantTags)
+	}
+
+	// Delete the Ingress and verify cleanup
 	if err := fc.Delete(context.Background(), ing); err != nil {
 		t.Fatalf("deleting Ingress: %v", err)
 	}
@@ -199,67 +200,6 @@ func TestIngressPGReconciler(t *testing.T) {
 	if len(cfg.Services) > 0 {
 		t.Error("serve config not cleaned up")
 	}
-	verifyTailscaledConfig(t, fc, nil)
-
-	// Add verification that cert resources were cleaned up
-	expectMissing[corev1.Secret](t, fc, "operator-ns", "my-svc.ts.net")
-	expectMissing[rbacv1.Role](t, fc, "operator-ns", "my-svc.ts.net")
-	expectMissing[rbacv1.RoleBinding](t, fc, "operator-ns", "my-svc.ts.net")
-}
-
-func TestIngressPGReconciler_UpdateIngressHostname(t *testing.T) {
-	ingPGR, fc, ft := setupIngressTest(t)
-
-	ing := &networkingv1.Ingress{
-		TypeMeta: metav1.TypeMeta{Kind: "Ingress", APIVersion: "networking.k8s.io/v1"},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-ingress",
-			Namespace: "default",
-			UID:       types.UID("1234-UID"),
-			Annotations: map[string]string{
-				"tailscale.com/proxy-group": "test-pg",
-			},
-		},
-		Spec: networkingv1.IngressSpec{
-			IngressClassName: ptr.To("tailscale"),
-			DefaultBackend: &networkingv1.IngressBackend{
-				Service: &networkingv1.IngressServiceBackend{
-					Name: "test",
-					Port: networkingv1.ServiceBackendPort{
-						Number: 8080,
-					},
-				},
-			},
-			TLS: []networkingv1.IngressTLS{
-				{Hosts: []string{"my-svc.tailnetxyz.ts.net"}},
-			},
-		},
-	}
-	mustCreate(t, fc, ing)
-
-	// Verify initial reconciliation
-	expectReconciled(t, ingPGR, "default", "test-ingress")
-	verifyServeConfig(t, fc, "svc:my-svc", false)
-	verifyVIPService(t, ft, "svc:my-svc", []string{"443"})
-	verifyTailscaledConfig(t, fc, []string{"svc:my-svc"})
-
-	// Update the Ingress hostname and make sure the original VIPService is deleted.
-	mustUpdate(t, fc, "default", "test-ingress", func(ing *networkingv1.Ingress) {
-		ing.Spec.TLS[0].Hosts[0] = "updated-svc.tailnetxyz.ts.net"
-	})
-	expectReconciled(t, ingPGR, "default", "test-ingress")
-	verifyServeConfig(t, fc, "svc:updated-svc", false)
-	verifyVIPService(t, ft, "svc:updated-svc", []string{"443"})
-	verifyTailscaledConfig(t, fc, []string{"svc:updated-svc"})
-
-	_, err := ft.GetVIPService(context.Background(), tailcfg.ServiceName("svc:my-svc"))
-	if err == nil {
-		t.Fatalf("svc:my-svc not cleaned up")
-	}
-	var errResp *tailscale.ErrResponse
-	if !errors.As(err, &errResp) || errResp.Status != http.StatusNotFound {
-		t.Fatalf("unexpected error: %v", err)
-	}
 }
 
 func TestValidateIngress(t *testing.T) {
@@ -267,15 +207,6 @@ func TestValidateIngress(t *testing.T) {
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "test-ingress",
 			Namespace: "default",
-			Annotations: map[string]string{
-				AnnotationProxyGroup: "test-pg",
-			},
-		},
-		Spec: networkingv1.IngressSpec{
-			IngressClassName: ptr.To("tailscale"),
-			TLS: []networkingv1.IngressTLS{
-				{Hosts: []string{"test"}},
-			},
 		},
 	}
 
@@ -299,11 +230,10 @@ func TestValidateIngress(t *testing.T) {
 	}
 
 	tests := []struct {
-		name         string
-		ing          *networkingv1.Ingress
-		pg           *tsapi.ProxyGroup
-		existingIngs []networkingv1.Ingress
-		wantErr      string
+		name    string
+		ing     *networkingv1.Ingress
+		pg      *tsapi.ProxyGroup
+		wantErr string
 	}{
 		{
 			name: "valid_ingress_with_hostname",
@@ -393,414 +323,15 @@ func TestValidateIngress(t *testing.T) {
 			},
 			wantErr: "ProxyGroup \"test-pg\" is not ready",
 		},
-		{
-			name: "duplicate_hostname",
-			ing:  baseIngress,
-			pg:   readyProxyGroup,
-			existingIngs: []networkingv1.Ingress{{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "existing-ingress",
-					Namespace: "default",
-					Annotations: map[string]string{
-						AnnotationProxyGroup: "test-pg",
-					},
-				},
-				Spec: networkingv1.IngressSpec{
-					IngressClassName: ptr.To("tailscale"),
-					TLS: []networkingv1.IngressTLS{
-						{Hosts: []string{"test"}},
-					},
-				},
-			}},
-			wantErr: `found duplicate Ingress "existing-ingress" for hostname "test" - multiple Ingresses for the same hostname in the same cluster are not allowed`,
-		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			fc := fake.NewClientBuilder().
-				WithScheme(tsapi.GlobalScheme).
-				WithObjects(tt.ing).
-				WithLists(&networkingv1.IngressList{Items: tt.existingIngs}).
-				Build()
-			r := &HAIngressReconciler{Client: fc}
-			err := r.validateIngress(context.Background(), tt.ing, tt.pg)
+			r := &IngressPGReconciler{}
+			err := r.validateIngress(tt.ing, tt.pg)
 			if (err == nil && tt.wantErr != "") || (err != nil && err.Error() != tt.wantErr) {
 				t.Errorf("validateIngress() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
 	}
 }
-
-func TestIngressPGReconciler_HTTPEndpoint(t *testing.T) {
-	ingPGR, fc, ft := setupIngressTest(t)
-
-	// Create test Ingress with HTTP endpoint enabled
-	ing := &networkingv1.Ingress{
-		TypeMeta: metav1.TypeMeta{Kind: "Ingress", APIVersion: "networking.k8s.io/v1"},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-ingress",
-			Namespace: "default",
-			UID:       types.UID("1234-UID"),
-			Annotations: map[string]string{
-				"tailscale.com/proxy-group":   "test-pg",
-				"tailscale.com/http-endpoint": "enabled",
-			},
-		},
-		Spec: networkingv1.IngressSpec{
-			IngressClassName: ptr.To("tailscale"),
-			DefaultBackend: &networkingv1.IngressBackend{
-				Service: &networkingv1.IngressServiceBackend{
-					Name: "test",
-					Port: networkingv1.ServiceBackendPort{
-						Number: 8080,
-					},
-				},
-			},
-			TLS: []networkingv1.IngressTLS{
-				{Hosts: []string{"my-svc"}},
-			},
-		},
-	}
-	if err := fc.Create(context.Background(), ing); err != nil {
-		t.Fatal(err)
-	}
-
-	// Verify initial reconciliation with HTTP enabled
-	expectReconciled(t, ingPGR, "default", "test-ingress")
-	verifyVIPService(t, ft, "svc:my-svc", []string{"80", "443"})
-	verifyServeConfig(t, fc, "svc:my-svc", true)
-
-	// Verify Ingress status
-	ing = &networkingv1.Ingress{}
-	if err := fc.Get(context.Background(), types.NamespacedName{
-		Name:      "test-ingress",
-		Namespace: "default",
-	}, ing); err != nil {
-		t.Fatal(err)
-	}
-
-	// Status will be empty until the VIPService shows up in prefs.
-	if !reflect.DeepEqual(ing.Status.LoadBalancer.Ingress, []networkingv1.IngressLoadBalancerIngress(nil)) {
-		t.Errorf("incorrect Ingress status: got %v, want empty",
-			ing.Status.LoadBalancer.Ingress)
-	}
-
-	// Add the VIPService to prefs to have the Ingress recognised as ready.
-	mustCreate(t, fc, &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-pg-0",
-			Namespace: "operator-ns",
-			Labels:    pgSecretLabels("test-pg", "state"),
-		},
-		Data: map[string][]byte{
-			"_current-profile": []byte("profile-foo"),
-			"profile-foo":      []byte(`{"AdvertiseServices":["svc:my-svc"],"Config":{"NodeID":"node-foo"}}`),
-		},
-	})
-
-	// Reconcile and re-fetch Ingress.
-	expectReconciled(t, ingPGR, "default", "test-ingress")
-	if err := fc.Get(context.Background(), client.ObjectKeyFromObject(ing), ing); err != nil {
-		t.Fatal(err)
-	}
-
-	wantStatus := []networkingv1.IngressPortStatus{
-		{Port: 443, Protocol: "TCP"},
-		{Port: 80, Protocol: "TCP"},
-	}
-	if !reflect.DeepEqual(ing.Status.LoadBalancer.Ingress[0].Ports, wantStatus) {
-		t.Errorf("incorrect status ports: got %v, want %v",
-			ing.Status.LoadBalancer.Ingress[0].Ports, wantStatus)
-	}
-
-	// Remove HTTP endpoint annotation
-	mustUpdate(t, fc, "default", "test-ingress", func(ing *networkingv1.Ingress) {
-		delete(ing.Annotations, "tailscale.com/http-endpoint")
-	})
-
-	// Verify reconciliation after removing HTTP
-	expectReconciled(t, ingPGR, "default", "test-ingress")
-	verifyVIPService(t, ft, "svc:my-svc", []string{"443"})
-	verifyServeConfig(t, fc, "svc:my-svc", false)
-
-	// Verify Ingress status
-	ing = &networkingv1.Ingress{}
-	if err := fc.Get(context.Background(), types.NamespacedName{
-		Name:      "test-ingress",
-		Namespace: "default",
-	}, ing); err != nil {
-		t.Fatal(err)
-	}
-
-	wantStatus = []networkingv1.IngressPortStatus{
-		{Port: 443, Protocol: "TCP"},
-	}
-	if !reflect.DeepEqual(ing.Status.LoadBalancer.Ingress[0].Ports, wantStatus) {
-		t.Errorf("incorrect status ports: got %v, want %v",
-			ing.Status.LoadBalancer.Ingress[0].Ports, wantStatus)
-	}
-}
-
-func verifyVIPService(t *testing.T, ft *fakeTSClient, serviceName string, wantPorts []string) {
-	t.Helper()
-	vipSvc, err := ft.GetVIPService(context.Background(), tailcfg.ServiceName(serviceName))
-	if err != nil {
-		t.Fatalf("getting VIPService %q: %v", serviceName, err)
-	}
-	if vipSvc == nil {
-		t.Fatalf("VIPService %q not created", serviceName)
-	}
-	gotPorts := slices.Clone(vipSvc.Ports)
-	slices.Sort(gotPorts)
-	slices.Sort(wantPorts)
-	if !slices.Equal(gotPorts, wantPorts) {
-		t.Errorf("incorrect ports for VIPService %q: got %v, want %v", serviceName, gotPorts, wantPorts)
-	}
-}
-
-func verifyServeConfig(t *testing.T, fc client.Client, serviceName string, wantHTTP bool) {
-	t.Helper()
-
-	cm := &corev1.ConfigMap{}
-	if err := fc.Get(context.Background(), types.NamespacedName{
-		Name:      "test-pg-ingress-config",
-		Namespace: "operator-ns",
-	}, cm); err != nil {
-		t.Fatalf("getting ConfigMap: %v", err)
-	}
-
-	cfg := &ipn.ServeConfig{}
-	if err := json.Unmarshal(cm.BinaryData["serve-config.json"], cfg); err != nil {
-		t.Fatalf("unmarshaling serve config: %v", err)
-	}
-
-	t.Logf("Looking for service %q in config: %+v", serviceName, cfg)
-
-	svc := cfg.Services[tailcfg.ServiceName(serviceName)]
-	if svc == nil {
-		t.Fatalf("service %q not found in serve config, services: %+v", serviceName, maps.Keys(cfg.Services))
-	}
-
-	wantHandlers := 1
-	if wantHTTP {
-		wantHandlers = 2
-	}
-
-	// Check TCP handlers
-	if len(svc.TCP) != wantHandlers {
-		t.Errorf("incorrect number of TCP handlers for service %q: got %d, want %d", serviceName, len(svc.TCP), wantHandlers)
-	}
-	if wantHTTP {
-		if h, ok := svc.TCP[uint16(80)]; !ok {
-			t.Errorf("HTTP (port 80) handler not found for service %q", serviceName)
-		} else if !h.HTTP {
-			t.Errorf("HTTP not enabled for port 80 handler for service %q", serviceName)
-		}
-	}
-	if h, ok := svc.TCP[uint16(443)]; !ok {
-		t.Errorf("HTTPS (port 443) handler not found for service %q", serviceName)
-	} else if !h.HTTPS {
-		t.Errorf("HTTPS not enabled for port 443 handler for service %q", serviceName)
-	}
-
-	// Check Web handlers
-	if len(svc.Web) != wantHandlers {
-		t.Errorf("incorrect number of Web handlers for service %q: got %d, want %d", serviceName, len(svc.Web), wantHandlers)
-	}
-}
-
-func verifyTailscaledConfig(t *testing.T, fc client.Client, expectedServices []string) {
-	var expected string
-	if expectedServices != nil {
-		expectedServicesJSON, err := json.Marshal(expectedServices)
-		if err != nil {
-			t.Fatalf("marshaling expected services: %v", err)
-		}
-		expected = fmt.Sprintf(`,"AdvertiseServices":%s`, expectedServicesJSON)
-	}
-	expectEqual(t, fc, &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      pgConfigSecretName("test-pg", 0),
-			Namespace: "operator-ns",
-			Labels:    pgSecretLabels("test-pg", "config"),
-		},
-		Data: map[string][]byte{
-			tsoperator.TailscaledConfigFileName(106): []byte(fmt.Sprintf(`{"Version":""%s}`, expected)),
-		},
-	})
-}
-
-func setupIngressTest(t *testing.T) (*HAIngressReconciler, client.Client, *fakeTSClient) {
-
-	tsIngressClass := &networkingv1.IngressClass{
-		ObjectMeta: metav1.ObjectMeta{Name: "tailscale"},
-		Spec:       networkingv1.IngressClassSpec{Controller: "tailscale.com/ts-ingress"},
-	}
-
-	// Pre-create the ProxyGroup
-	pg := &tsapi.ProxyGroup{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:       "test-pg",
-			Generation: 1,
-		},
-		Spec: tsapi.ProxyGroupSpec{
-			Type: tsapi.ProxyGroupTypeIngress,
-		},
-	}
-
-	// Pre-create the ConfigMap for the ProxyGroup
-	pgConfigMap := &corev1.ConfigMap{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-pg-ingress-config",
-			Namespace: "operator-ns",
-		},
-		BinaryData: map[string][]byte{
-			"serve-config.json": []byte(`{"Services":{}}`),
-		},
-	}
-
-	// Pre-create a config Secret for the ProxyGroup
-	pgCfgSecret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      pgConfigSecretName("test-pg", 0),
-			Namespace: "operator-ns",
-			Labels:    pgSecretLabels("test-pg", "config"),
-		},
-		Data: map[string][]byte{
-			tsoperator.TailscaledConfigFileName(106): []byte("{}"),
-		},
-	}
-
-	fc := fake.NewClientBuilder().
-		WithScheme(tsapi.GlobalScheme).
-		WithObjects(pg, pgCfgSecret, pgConfigMap, tsIngressClass).
-		WithStatusSubresource(pg).
-		Build()
-
-	// Set ProxyGroup status to ready
-	pg.Status.Conditions = []metav1.Condition{
-		{
-			Type:               string(tsapi.ProxyGroupReady),
-			Status:             metav1.ConditionTrue,
-			ObservedGeneration: 1,
-		},
-	}
-	if err := fc.Status().Update(context.Background(), pg); err != nil {
-		t.Fatal(err)
-	}
-	fakeTsnetServer := &fakeTSNetServer{certDomains: []string{"foo.com"}}
-
-	ft := &fakeTSClient{}
-	zl, err := zap.NewDevelopment()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	lc := &fakeLocalClient{
-		status: &ipnstate.Status{
-			CurrentTailnet: &ipnstate.TailnetStatus{
-				MagicDNSSuffix: "ts.net",
-			},
-		},
-	}
-
-	ingPGR := &HAIngressReconciler{
-		Client:      fc,
-		tsClient:    ft,
-		defaultTags: []string{"tag:k8s"},
-		tsNamespace: "operator-ns",
-		tsnetServer: fakeTsnetServer,
-		logger:      zl.Sugar(),
-		recorder:    record.NewFakeRecorder(10),
-		lc:          lc,
-	}
-
-	return ingPGR, fc, ft
-}
-
-func TestIngressPGReconciler_MultiCluster(t *testing.T) {
-	ingPGR, fc, ft := setupIngressTest(t)
-	ingPGR.operatorID = "operator-1"
-
-	// Create initial Ingress
-	ing := &networkingv1.Ingress{
-		TypeMeta: metav1.TypeMeta{Kind: "Ingress", APIVersion: "networking.k8s.io/v1"},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-ingress",
-			Namespace: "default",
-			UID:       types.UID("1234-UID"),
-			Annotations: map[string]string{
-				"tailscale.com/proxy-group": "test-pg",
-			},
-		},
-		Spec: networkingv1.IngressSpec{
-			IngressClassName: ptr.To("tailscale"),
-			TLS: []networkingv1.IngressTLS{
-				{Hosts: []string{"my-svc"}},
-			},
-		},
-	}
-	mustCreate(t, fc, ing)
-
-	// Simulate existing VIPService from another cluster
-	existingVIPSvc := &tailscale.VIPService{
-		Name: "svc:my-svc",
-		Annotations: map[string]string{
-			ownerAnnotation: `{"ownerrefs":[{"operatorID":"operator-2"}]}`,
-		},
-	}
-	ft.vipServices = map[tailcfg.ServiceName]*tailscale.VIPService{
-		"svc:my-svc": existingVIPSvc,
-	}
-
-	// Verify reconciliation adds our operator reference
-	expectReconciled(t, ingPGR, "default", "test-ingress")
-
-	vipSvc, err := ft.GetVIPService(context.Background(), "svc:my-svc")
-	if err != nil {
-		t.Fatalf("getting VIPService: %v", err)
-	}
-	if vipSvc == nil {
-		t.Fatal("VIPService not found")
-	}
-
-	o, err := parseOwnerAnnotation(vipSvc)
-	if err != nil {
-		t.Fatalf("parsing owner annotation: %v", err)
-	}
-
-	wantOwnerRefs := []OwnerRef{
-		{OperatorID: "operator-2"},
-		{OperatorID: "operator-1"},
-	}
-	if !reflect.DeepEqual(o.OwnerRefs, wantOwnerRefs) {
-		t.Errorf("incorrect owner refs\ngot:  %+v\nwant: %+v", o.OwnerRefs, wantOwnerRefs)
-	}
-
-	// Delete the Ingress and verify VIPService still exists with one owner ref
-	if err := fc.Delete(context.Background(), ing); err != nil {
-		t.Fatalf("deleting Ingress: %v", err)
-	}
-	expectRequeue(t, ingPGR, "default", "test-ingress")
-
-	vipSvc, err = ft.GetVIPService(context.Background(), "svc:my-svc")
-	if err != nil {
-		t.Fatalf("getting VIPService after deletion: %v", err)
-	}
-	if vipSvc == nil {
-		t.Fatal("VIPService was incorrectly deleted")
-	}
-
-	o, err = parseOwnerAnnotation(vipSvc)
-	if err != nil {
-		t.Fatalf("parsing owner annotation: %v", err)
-	}
-
-	wantOwnerRefs = []OwnerRef{
-		{OperatorID: "operator-2"},
-	}
-	if !reflect.DeepEqual(o.OwnerRefs, wantOwnerRefs) {
-		t.Errorf("incorrect owner refs after deletion\ngot:  %+v\nwant: %+v", o.OwnerRefs, wantOwnerRefs)
-	}
-}

cmd/k8s-operator/ingress.go

@@ -73,7 +73,6 @@ func (a *IngressReconciler) Reconcile(ctx context.Context, req reconcile.Request
 		return reconcile.Result{}, fmt.Errorf("failed to get ing: %w", err)
 	}
 	if !ing.DeletionTimestamp.IsZero() || !a.shouldExpose(ing) {
-		// TODO(irbekrm): this message is confusing if the Ingress is an HA Ingress
 		logger.Debugf("ingress is being deleted or should not be exposed, cleaning up")
 		return reconcile.Result{}, a.maybeCleanup(ctx, logger, ing)
 	}

cmd/k8s-operator/ingress_test.go

@@ -6,7 +6,6 @@
 package main
 
 import (
-	"context"
 	"testing"
 
 	"go.uber.org/zap"
@@ -16,18 +15,17 @@ import (
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"tailscale.com/ipn"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/kube/kubetypes"
-	"tailscale.com/tstest"
 	"tailscale.com/types/ptr"
 	"tailscale.com/util/mak"
 )
 
 func TestTailscaleIngress(t *testing.T) {
-	fc := fake.NewFakeClient(ingressClass())
+	tsIngressClass := &networkingv1.IngressClass{ObjectMeta: metav1.ObjectMeta{Name: "tailscale"}, Spec: networkingv1.IngressClassSpec{Controller: "tailscale.com/ts-ingress"}}
+	fc := fake.NewFakeClient(tsIngressClass)
 	ft := &fakeTSClient{}
 	fakeTsnetServer := &fakeTSNetServer{certDomains: []string{"foo.com"}}
 	zl, err := zap.NewDevelopment()
@@ -48,8 +46,45 @@ func TestTailscaleIngress(t *testing.T) {
 	}
 
 	// 1. Resources get created for regular Ingress
-	mustCreate(t, fc, ingress())
-	mustCreate(t, fc, service())
+	ing := &networkingv1.Ingress{
+		TypeMeta: metav1.TypeMeta{Kind: "Ingress", APIVersion: "networking.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+		},
+		Spec: networkingv1.IngressSpec{
+			IngressClassName: ptr.To("tailscale"),
+			DefaultBackend: &networkingv1.IngressBackend{
+				Service: &networkingv1.IngressServiceBackend{
+					Name: "test",
+					Port: networkingv1.ServiceBackendPort{
+						Number: 8080,
+					},
+				},
+			},
+			TLS: []networkingv1.IngressTLS{
+				{Hosts: []string{"default-test"}},
+			},
+		},
+	}
+	mustCreate(t, fc, ing)
+	mustCreate(t, fc, &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "1.2.3.4",
+			Ports: []corev1.ServicePort{{
+				Port: 8080,
+				Name: "http"},
+			},
+		},
+	})
 
 	expectReconciled(t, ingR, "default", "test")
 
@@ -79,9 +114,6 @@ func TestTailscaleIngress(t *testing.T) {
 		mak.Set(&secret.Data, "device_fqdn", []byte("foo.tailnetxyz.ts.net"))
 	})
 	expectReconciled(t, ingR, "default", "test")
-
-	// Get the ingress and update it with expected changes
-	ing := ingress()
 	ing.Finalizers = append(ing.Finalizers, "tailscale.com/finalizer")
 	ing.Status.LoadBalancer = networkingv1.IngressLoadBalancerStatus{
 		Ingress: []networkingv1.IngressLoadBalancerIngress{
@@ -111,7 +143,8 @@ func TestTailscaleIngress(t *testing.T) {
 }
 
 func TestTailscaleIngressHostname(t *testing.T) {
-	fc := fake.NewFakeClient(ingressClass())
+	tsIngressClass := &networkingv1.IngressClass{ObjectMeta: metav1.ObjectMeta{Name: "tailscale"}, Spec: networkingv1.IngressClassSpec{Controller: "tailscale.com/ts-ingress"}}
+	fc := fake.NewFakeClient(tsIngressClass)
 	ft := &fakeTSClient{}
 	fakeTsnetServer := &fakeTSNetServer{certDomains: []string{"foo.com"}}
 	zl, err := zap.NewDevelopment()
@@ -132,8 +165,45 @@ func TestTailscaleIngressHostname(t *testing.T) {
 	}
 
 	// 1. Resources get created for regular Ingress
-	mustCreate(t, fc, ingress())
-	mustCreate(t, fc, service())
+	ing := &networkingv1.Ingress{
+		TypeMeta: metav1.TypeMeta{Kind: "Ingress", APIVersion: "networking.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+		},
+		Spec: networkingv1.IngressSpec{
+			IngressClassName: ptr.To("tailscale"),
+			DefaultBackend: &networkingv1.IngressBackend{
+				Service: &networkingv1.IngressServiceBackend{
+					Name: "test",
+					Port: networkingv1.ServiceBackendPort{
+						Number: 8080,
+					},
+				},
+			},
+			TLS: []networkingv1.IngressTLS{
+				{Hosts: []string{"default-test"}},
+			},
+		},
+	}
+	mustCreate(t, fc, ing)
+	mustCreate(t, fc, &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "1.2.3.4",
+			Ports: []corev1.ServicePort{{
+				Port: 8080,
+				Name: "http"},
+			},
+		},
+	})
 
 	expectReconciled(t, ingR, "default", "test")
 
@@ -171,10 +241,8 @@ func TestTailscaleIngressHostname(t *testing.T) {
 		mak.Set(&secret.Data, "device_fqdn", []byte("foo.tailnetxyz.ts.net"))
 	})
 	expectReconciled(t, ingR, "default", "test")
-
-	// Get the ingress and update it with expected changes
-	ing := ingress()
 	ing.Finalizers = append(ing.Finalizers, "tailscale.com/finalizer")
+
 	expectEqual(t, fc, ing)
 
 	// 3. Ingress proxy with capability version >= 110 advertises HTTPS endpoint
@@ -231,9 +299,10 @@ func TestTailscaleIngressWithProxyClass(t *testing.T) {
 			Annotations: map[string]string{"bar.io/foo": "some-val"},
 			Pod:         &tsapi.Pod{Annotations: map[string]string{"foo.io/bar": "some-val"}}}},
 	}
+	tsIngressClass := &networkingv1.IngressClass{ObjectMeta: metav1.ObjectMeta{Name: "tailscale"}, Spec: networkingv1.IngressClassSpec{Controller: "tailscale.com/ts-ingress"}}
 	fc := fake.NewClientBuilder().
 		WithScheme(tsapi.GlobalScheme).
-		WithObjects(pc, ingressClass()).
+		WithObjects(pc, tsIngressClass).
 		WithStatusSubresource(pc).
 		Build()
 	ft := &fakeTSClient{}
@@ -257,8 +326,45 @@ func TestTailscaleIngressWithProxyClass(t *testing.T) {
 
 	// 1. Ingress is created with no ProxyClass specified, default proxy
 	// resources get configured.
-	mustCreate(t, fc, ingress())
-	mustCreate(t, fc, service())
+	ing := &networkingv1.Ingress{
+		TypeMeta: metav1.TypeMeta{Kind: "Ingress", APIVersion: "networking.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+		},
+		Spec: networkingv1.IngressSpec{
+			IngressClassName: ptr.To("tailscale"),
+			DefaultBackend: &networkingv1.IngressBackend{
+				Service: &networkingv1.IngressServiceBackend{
+					Name: "test",
+					Port: networkingv1.ServiceBackendPort{
+						Number: 8080,
+					},
+				},
+			},
+			TLS: []networkingv1.IngressTLS{
+				{Hosts: []string{"default-test"}},
+			},
+		},
+	}
+	mustCreate(t, fc, ing)
+	mustCreate(t, fc, &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "1.2.3.4",
+			Ports: []corev1.ServicePort{{
+				Port: 8080,
+				Name: "http"},
+			},
+		},
+	})
 
 	expectReconciled(t, ingR, "default", "test")
 
@@ -326,19 +432,54 @@ func TestTailscaleIngressWithServiceMonitor(t *testing.T) {
 				ObservedGeneration: 1,
 			}}},
 	}
-	crd := &apiextensionsv1.CustomResourceDefinition{ObjectMeta: metav1.ObjectMeta{Name: serviceMonitorCRD}}
-
-	// Create fake client with ProxyClass, IngressClass, Ingress with metrics ProxyClass, and Service
-	ing := ingress()
-	ing.Labels = map[string]string{
-		LabelProxyClass: "metrics",
+	ing := &networkingv1.Ingress{
+		TypeMeta: metav1.TypeMeta{Kind: "Ingress", APIVersion: "networking.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+			Labels: map[string]string{
+				"tailscale.com/proxy-class": "metrics",
+			},
+		},
+		Spec: networkingv1.IngressSpec{
+			IngressClassName: ptr.To("tailscale"),
+			DefaultBackend: &networkingv1.IngressBackend{
+				Service: &networkingv1.IngressServiceBackend{
+					Name: "test",
+					Port: networkingv1.ServiceBackendPort{
+						Number: 8080,
+					},
+				},
+			},
+			TLS: []networkingv1.IngressTLS{
+				{Hosts: []string{"default-test"}},
+			},
+		},
 	}
+	svc := &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "1.2.3.4",
+			Ports: []corev1.ServicePort{{
+				Port: 8080,
+				Name: "http"},
+			},
+		},
+	}
+	crd := &apiextensionsv1.CustomResourceDefinition{ObjectMeta: metav1.ObjectMeta{Name: serviceMonitorCRD}}
+	tsIngressClass := &networkingv1.IngressClass{ObjectMeta: metav1.ObjectMeta{Name: "tailscale"}, Spec: networkingv1.IngressClassSpec{Controller: "tailscale.com/ts-ingress"}}
 	fc := fake.NewClientBuilder().
 		WithScheme(tsapi.GlobalScheme).
-		WithObjects(pc, ingressClass(), ing, service()).
+		WithObjects(pc, tsIngressClass, ing, svc).
 		WithStatusSubresource(pc).
 		Build()
-
 	ft := &fakeTSClient{}
 	fakeTsnetServer := &fakeTSNetServer{certDomains: []string{"foo.com"}}
 	zl, err := zap.NewDevelopment()
@@ -419,118 +560,3 @@ func TestTailscaleIngressWithServiceMonitor(t *testing.T) {
 	expectMissing[corev1.Service](t, fc, "operator-ns", metricsResourceName(shortName))
 	// ServiceMonitor gets garbage collected when the Service is deleted - we cannot test that here.
 }
-
-func TestIngressLetsEncryptStaging(t *testing.T) {
-	cl := tstest.NewClock(tstest.ClockOpts{})
-	zl := zap.Must(zap.NewDevelopment())
-
-	pcLEStaging, pcLEStagingFalse, pcOther := proxyClassesForLEStagingTest()
-
-	testCases := testCasesForLEStagingTests(pcLEStaging, pcLEStagingFalse, pcOther)
-
-	for _, tt := range testCases {
-		t.Run(tt.name, func(t *testing.T) {
-			builder := fake.NewClientBuilder().
-				WithScheme(tsapi.GlobalScheme)
-
-			builder = builder.WithObjects(pcLEStaging, pcLEStagingFalse, pcOther).
-				WithStatusSubresource(pcLEStaging, pcLEStagingFalse, pcOther)
-
-			fc := builder.Build()
-
-			if tt.proxyClassPerResource != "" || tt.defaultProxyClass != "" {
-				name := tt.proxyClassPerResource
-				if name == "" {
-					name = tt.defaultProxyClass
-				}
-				setProxyClassReady(t, fc, cl, name)
-			}
-
-			mustCreate(t, fc, ingressClass())
-			mustCreate(t, fc, service())
-			ing := ingress()
-			if tt.proxyClassPerResource != "" {
-				ing.Labels = map[string]string{
-					LabelProxyClass: tt.proxyClassPerResource,
-				}
-			}
-			mustCreate(t, fc, ing)
-
-			ingR := &IngressReconciler{
-				Client: fc,
-				ssr: &tailscaleSTSReconciler{
-					Client:            fc,
-					tsClient:          &fakeTSClient{},
-					tsnetServer:       &fakeTSNetServer{certDomains: []string{"test-host"}},
-					defaultTags:       []string{"tag:test"},
-					operatorNamespace: "operator-ns",
-					proxyImage:        "tailscale/tailscale:test",
-				},
-				logger:            zl.Sugar(),
-				defaultProxyClass: tt.defaultProxyClass,
-			}
-
-			expectReconciled(t, ingR, "default", "test")
-
-			_, shortName := findGenName(t, fc, "default", "test", "ingress")
-			sts := &appsv1.StatefulSet{}
-			if err := fc.Get(context.Background(), client.ObjectKey{Namespace: "operator-ns", Name: shortName}, sts); err != nil {
-				t.Fatalf("failed to get StatefulSet: %v", err)
-			}
-
-			if tt.useLEStagingEndpoint {
-				verifyEnvVar(t, sts, "TS_DEBUG_ACME_DIRECTORY_URL", letsEncryptStagingEndpoint)
-			} else {
-				verifyEnvVarNotPresent(t, sts, "TS_DEBUG_ACME_DIRECTORY_URL")
-			}
-		})
-	}
-}
-
-func ingressClass() *networkingv1.IngressClass {
-	return &networkingv1.IngressClass{
-		ObjectMeta: metav1.ObjectMeta{Name: "tailscale"},
-		Spec:       networkingv1.IngressClassSpec{Controller: "tailscale.com/ts-ingress"},
-	}
-}
-
-func service() *corev1.Service {
-	return &corev1.Service{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test",
-			Namespace: "default",
-		},
-		Spec: corev1.ServiceSpec{
-			ClusterIP: "1.2.3.4",
-			Ports: []corev1.ServicePort{{
-				Port: 8080,
-				Name: "http"},
-			},
-		},
-	}
-}
-
-func ingress() *networkingv1.Ingress {
-	return &networkingv1.Ingress{
-		TypeMeta: metav1.TypeMeta{Kind: "Ingress", APIVersion: "networking.k8s.io/v1"},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test",
-			Namespace: "default",
-			UID:       types.UID("1234-UID"),
-		},
-		Spec: networkingv1.IngressSpec{
-			IngressClassName: ptr.To("tailscale"),
-			DefaultBackend: &networkingv1.IngressBackend{
-				Service: &networkingv1.IngressServiceBackend{
-					Name: "test",
-					Port: networkingv1.ServiceBackendPort{
-						Number: 8080,
-					},
-				},
-			},
-			TLS: []networkingv1.IngressTLS{
-				{Hosts: []string{"default-test"}},
-			},
-		},
-	}
-}

cmd/k8s-operator/metrics_resources.go

@@ -19,7 +19,6 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
-	"tailscale.com/kube/kubetypes"
 )
 
 const (
@@ -223,7 +222,7 @@ func metricsResourceName(stsName string) string {
 // proxy.
 func metricsResourceLabels(opts *metricsOpts) map[string]string {
 	lbls := map[string]string{
-		kubetypes.LabelManaged:   "true",
+		LabelManaged:             "true",
 		labelMetricsTarget:       opts.proxyStsName,
 		labelPromProxyType:       opts.proxyType,
 		labelPromProxyParentName: opts.proxyLabels[LabelParentName],

cmd/k8s-operator/operator.go

@@ -9,7 +9,6 @@ package main
 
 import (
 	"context"
-	"fmt"
 	"net/http"
 	"os"
 	"regexp"
@@ -40,13 +39,13 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"tailscale.com/client/local"
-	"tailscale.com/client/tailscale"
+	remoteclient "tailscale.com/client/tailscale"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/kubestore"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/kube/kubetypes"
+	"tailscale.com/localclient/tailscale"
 	"tailscale.com/tsnet"
 	"tailscale.com/tstime"
 	"tailscale.com/types/logger"
@@ -191,9 +190,9 @@ waitOnline:
 			if loginDone {
 				break
 			}
-			caps := tailscale.KeyCapabilities{
-				Devices: tailscale.KeyDeviceCapabilities{
-					Create: tailscale.KeyDeviceCreateCapabilities{
+			caps := remoteclient.KeyCapabilities{
+				Devices: remoteclient.KeyDeviceCapabilities{
+					Create: remoteclient.KeyDeviceCreateCapabilities{
 						Reusable:      false,
 						Preauthorized: true,
 						Tags:          strings.Split(operatorTags, ","),
@@ -337,19 +336,14 @@ func runReconcilers(opts reconcilerOpts) {
 	if err != nil {
 		startlog.Fatalf("could not get local client: %v", err)
 	}
-	id, err := id(context.Background(), lc)
-	if err != nil {
-		startlog.Fatalf("error determining stable ID of the operator's Tailscale device: %v", err)
-	}
 	ingressProxyGroupFilter := handler.EnqueueRequestsFromMapFunc(ingressesFromIngressProxyGroup(mgr.GetClient(), opts.log))
 	err = builder.
 		ControllerManagedBy(mgr).
 		For(&networkingv1.Ingress{}).
 		Named("ingress-pg-reconciler").
 		Watches(&corev1.Service{}, handler.EnqueueRequestsFromMapFunc(serviceHandlerForIngressPG(mgr.GetClient(), startlog))).
-		Watches(&corev1.Secret{}, handler.EnqueueRequestsFromMapFunc(ingressesFromPGStateSecret(mgr.GetClient(), startlog))).
 		Watches(&tsapi.ProxyGroup{}, ingressProxyGroupFilter).
-		Complete(&HAIngressReconciler{
+		Complete(&IngressPGReconciler{
 			recorder:    eventRecorder,
 			tsClient:    opts.tsClient,
 			tsnetServer: opts.tsServer,
@@ -357,7 +351,6 @@ func runReconcilers(opts reconcilerOpts) {
 			Client:      mgr.GetClient(),
 			logger:      opts.log.Named("ingress-pg-reconciler"),
 			lc:          lc,
-			operatorID:  id,
 			tsNamespace: opts.tailscaleNamespace,
 		})
 	if err != nil {
@@ -637,8 +630,8 @@ func enqueueAllIngressEgressProxySvcsInNS(ns string, cl client.Client, logger *z
 
 		// Get all headless Services for proxies configured using Service.
 		svcProxyLabels := map[string]string{
-			kubetypes.LabelManaged: "true",
-			LabelParentType:        "svc",
+			LabelManaged:    "true",
+			LabelParentType: "svc",
 		}
 		svcHeadlessSvcList := &corev1.ServiceList{}
 		if err := cl.List(ctx, svcHeadlessSvcList, client.InNamespace(ns), client.MatchingLabels(svcProxyLabels)); err != nil {
@@ -651,8 +644,8 @@ func enqueueAllIngressEgressProxySvcsInNS(ns string, cl client.Client, logger *z
 
 		// Get all headless Services for proxies configured using Ingress.
 		ingProxyLabels := map[string]string{
-			kubetypes.LabelManaged: "true",
-			LabelParentType:        "ingress",
+			LabelManaged:    "true",
+			LabelParentType: "ingress",
 		}
 		ingHeadlessSvcList := &corev1.ServiceList{}
 		if err := cl.List(ctx, ingHeadlessSvcList, client.InNamespace(ns), client.MatchingLabels(ingProxyLabels)); err != nil {
@@ -719,7 +712,7 @@ func dnsRecordsReconcilerIngressHandler(ns string, isDefaultLoadBalancer bool, c
 
 func isManagedResource(o client.Object) bool {
 	ls := o.GetLabels()
-	return ls[kubetypes.LabelManaged] == "true"
+	return ls[LabelManaged] == "true"
 }
 
 func isManagedByType(o client.Object, typ string) bool {
@@ -956,7 +949,7 @@ func egressPodsHandler(_ context.Context, o client.Object) []reconcile.Request {
 // returns reconciler requests for all egress EndpointSlices for that ProxyGroup.
 func egressEpsFromPGPods(cl client.Client, ns string) handler.MapFunc {
 	return func(_ context.Context, o client.Object) []reconcile.Request {
-		if v, ok := o.GetLabels()[kubetypes.LabelManaged]; !ok || v != "true" {
+		if v, ok := o.GetLabels()[LabelManaged]; !ok || v != "true" {
 			return nil
 		}
 		// TODO(irbekrm): for now this is good enough as all ProxyGroups are egress. Add a type check once we
@@ -976,13 +969,15 @@ func egressEpsFromPGPods(cl client.Client, ns string) handler.MapFunc {
 // returns reconciler requests for all egress EndpointSlices for that ProxyGroup.
 func egressEpsFromPGStateSecrets(cl client.Client, ns string) handler.MapFunc {
 	return func(_ context.Context, o client.Object) []reconcile.Request {
-		if v, ok := o.GetLabels()[kubetypes.LabelManaged]; !ok || v != "true" {
+		if v, ok := o.GetLabels()[LabelManaged]; !ok || v != "true" {
 			return nil
 		}
+		// TODO(irbekrm): for now this is good enough as all ProxyGroups are egress. Add a type check once we
+		// have ingress ProxyGroups.
 		if parentType := o.GetLabels()[LabelParentType]; parentType != "proxygroup" {
 			return nil
 		}
-		if secretType := o.GetLabels()[kubetypes.LabelSecretType]; secretType != "state" {
+		if secretType := o.GetLabels()[labelSecretType]; secretType != "state" {
 			return nil
 		}
 		pg, ok := o.GetLabels()[LabelParentName]
@@ -999,7 +994,7 @@ func egressSvcFromEps(_ context.Context, o client.Object) []reconcile.Request {
 	if typ := o.GetLabels()[labelSvcType]; typ != typeEgress {
 		return nil
 	}
-	if v, ok := o.GetLabels()[kubetypes.LabelManaged]; !ok || v != "true" {
+	if v, ok := o.GetLabels()[LabelManaged]; !ok || v != "true" {
 		return nil
 	}
 	svcName, ok := o.GetLabels()[LabelParentName]
@@ -1039,45 +1034,6 @@ func reconcileRequestsForPG(pg string, cl client.Client, ns string) []reconcile.
 	return reqs
 }
 
-func ingressesFromPGStateSecret(cl client.Client, logger *zap.SugaredLogger) handler.MapFunc {
-	return func(ctx context.Context, o client.Object) []reconcile.Request {
-		secret, ok := o.(*corev1.Secret)
-		if !ok {
-			logger.Infof("[unexpected] ProxyGroup handler triggered for an object that is not a ProxyGroup")
-			return nil
-		}
-		if secret.ObjectMeta.Labels[kubetypes.LabelManaged] != "true" {
-			return nil
-		}
-		if secret.ObjectMeta.Labels[LabelParentType] != "proxygroup" {
-			return nil
-		}
-		if secret.ObjectMeta.Labels[kubetypes.LabelSecretType] != "state" {
-			return nil
-		}
-		pgName, ok := secret.ObjectMeta.Labels[LabelParentName]
-		if !ok {
-			return nil
-		}
-
-		ingList := &networkingv1.IngressList{}
-		if err := cl.List(ctx, ingList, client.MatchingFields{indexIngressProxyGroup: pgName}); err != nil {
-			logger.Infof("error listing Ingresses, skipping a reconcile for event on Secret %s: %v", secret.Name, err)
-			return nil
-		}
-		reqs := make([]reconcile.Request, 0)
-		for _, ing := range ingList.Items {
-			reqs = append(reqs, reconcile.Request{
-				NamespacedName: types.NamespacedName{
-					Namespace: ing.Namespace,
-					Name:      ing.Name,
-				},
-			})
-		}
-		return reqs
-	}
-}
-
 // egressSvcsFromEgressProxyGroup is an event handler for egress ProxyGroups. It returns reconcile requests for all
 // user-created ExternalName Services that should be exposed on this ProxyGroup.
 func egressSvcsFromEgressProxyGroup(cl client.Client, logger *zap.SugaredLogger) handler.MapFunc {
@@ -1183,9 +1139,9 @@ func podsFromEgressEps(cl client.Client, logger *zap.SugaredLogger, ns string) h
 			return nil
 		}
 		podLabels := map[string]string{
-			kubetypes.LabelManaged: "true",
-			LabelParentType:        "proxygroup",
-			LabelParentName:        eps.Labels[labelProxyGroup],
+			LabelManaged:    "true",
+			LabelParentType: "proxygroup",
+			LabelParentName: eps.Labels[labelProxyGroup],
 		}
 		podList := &corev1.PodList{}
 		if err := cl.List(ctx, podList, client.InNamespace(ns),
@@ -1307,14 +1263,3 @@ func hasProxyGroupAnnotation(obj client.Object) bool {
 	ing := obj.(*networkingv1.Ingress)
 	return ing.Annotations[AnnotationProxyGroup] != ""
 }
-
-func id(ctx context.Context, lc *local.Client) (string, error) {
-	st, err := lc.StatusWithoutPeers(ctx)
-	if err != nil {
-		return "", fmt.Errorf("error getting tailscale status: %w", err)
-	}
-	if st.Self == nil {
-		return "", fmt.Errorf("unexpected: device's status does not contain node's metadata")
-	}
-	return string(st.Self.ID), nil
-}

cmd/k8s-operator/operator_test.go

@@ -1387,10 +1387,10 @@ func Test_serviceHandlerForIngress(t *testing.T) {
 			Name:      "headless-1",
 			Namespace: "tailscale",
 			Labels: map[string]string{
-				kubetypes.LabelManaged: "true",
-				LabelParentName:        "ing-1",
-				LabelParentNamespace:   "ns-1",
-				LabelParentType:        "ingress",
+				LabelManaged:         "true",
+				LabelParentName:      "ing-1",
+				LabelParentNamespace: "ns-1",
+				LabelParentType:      "ingress",
 			},
 		},
 	}

cmd/k8s-operator/proxy.go

@@ -20,10 +20,10 @@ import (
 	"go.uber.org/zap"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/transport"
-	"tailscale.com/client/local"
-	"tailscale.com/client/tailscale/apitype"
 	ksr "tailscale.com/k8s-operator/sessionrecording"
 	"tailscale.com/kube/kubetypes"
+	"tailscale.com/localclient/tailscale"
+	"tailscale.com/localclient/tailscale/apitype"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tsnet"
 	"tailscale.com/util/clientmetric"
@@ -189,7 +189,7 @@ func runAPIServerProxy(ts *tsnet.Server, rt http.RoundTripper, log *zap.SugaredL
 // LocalAPI and then proxies them to the Kubernetes API.
 type apiserverProxy struct {
 	log *zap.SugaredLogger
-	lc  *local.Client
+	lc  *tailscale.LocalClient
 	rp  *httputil.ReverseProxy
 
 	mode        apiServerProxyMode

cmd/k8s-operator/proxy_test.go

@@ -13,7 +13,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"go.uber.org/zap"
-	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/localclient/tailscale/apitype"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/must"
 )

cmd/k8s-operator/proxygroup.go

@@ -302,10 +302,7 @@ func (r *ProxyGroupReconciler) maybeProvision(ctx context.Context, pg *tsapi.Pro
 	if err != nil {
 		return fmt.Errorf("error generating StatefulSet spec: %w", err)
 	}
-	cfg := &tailscaleSTSConfig{
-		proxyType: string(pg.Spec.Type),
-	}
-	ss = applyProxyClassToStatefulSet(proxyClass, ss, cfg, logger)
+	ss = applyProxyClassToStatefulSet(proxyClass, ss, nil, logger)
 	capver, err := r.capVerForPG(ctx, pg, logger)
 	if err != nil {
 		return fmt.Errorf("error getting device info: %w", err)
@@ -455,7 +452,7 @@ func (r *ProxyGroupReconciler) ensureConfigSecretsCreated(ctx context.Context, p
 	for i := range pgReplicas(pg) {
 		cfgSecret := &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:            pgConfigSecretName(pg.Name, i),
+				Name:            fmt.Sprintf("%s-%d-config", pg.Name, i),
 				Namespace:       r.tsNamespace,
 				Labels:          pgSecretLabels(pg.Name, "config"),
 				OwnerReferences: pgOwnerReference(pg),
@@ -464,7 +461,7 @@ func (r *ProxyGroupReconciler) ensureConfigSecretsCreated(ctx context.Context, p
 
 		var existingCfgSecret *corev1.Secret // unmodified copy of secret
 		if err := r.Get(ctx, client.ObjectKeyFromObject(cfgSecret), cfgSecret); err == nil {
-			logger.Debugf("Secret %s/%s already exists", cfgSecret.GetNamespace(), cfgSecret.GetName())
+			logger.Debugf("secret %s/%s already exists", cfgSecret.GetNamespace(), cfgSecret.GetName())
 			existingCfgSecret = cfgSecret.DeepCopy()
 		} else if !apierrors.IsNotFound(err) {
 			return "", err
@@ -472,7 +469,7 @@ func (r *ProxyGroupReconciler) ensureConfigSecretsCreated(ctx context.Context, p
 
 		var authKey string
 		if existingCfgSecret == nil {
-			logger.Debugf("Creating authkey for new ProxyGroup proxy")
+			logger.Debugf("creating authkey for new ProxyGroup proxy")
 			tags := pg.Spec.Tags.Stringify()
 			if len(tags) == 0 {
 				tags = r.defaultTags
@@ -493,7 +490,7 @@ func (r *ProxyGroupReconciler) ensureConfigSecretsCreated(ctx context.Context, p
 			if err != nil {
 				return "", fmt.Errorf("error marshalling tailscaled config: %w", err)
 			}
-			mak.Set(&cfgSecret.Data, tsoperator.TailscaledConfigFileName(cap), cfgJSON)
+			mak.Set(&cfgSecret.StringData, tsoperator.TailscaledConfigFileName(cap), string(cfgJSON))
 		}
 
 		// The config sha256 sum is a value for a hash annotation used to trigger
@@ -523,14 +520,12 @@ func (r *ProxyGroupReconciler) ensureConfigSecretsCreated(ctx context.Context, p
 		}
 
 		if existingCfgSecret != nil {
-			if !apiequality.Semantic.DeepEqual(existingCfgSecret, cfgSecret) {
-				logger.Debugf("Updating the existing ProxyGroup config Secret %s", cfgSecret.Name)
-				if err := r.Update(ctx, cfgSecret); err != nil {
-					return "", err
-				}
+			logger.Debugf("patching the existing ProxyGroup config Secret %s", cfgSecret.Name)
+			if err := r.Patch(ctx, cfgSecret, client.MergeFrom(existingCfgSecret)); err != nil {
+				return "", err
 			}
 		} else {
-			logger.Debugf("Creating a new config Secret %s for the ProxyGroup", cfgSecret.Name)
+			logger.Debugf("creating a new config Secret %s for the ProxyGroup", cfgSecret.Name)
 			if err := r.Create(ctx, cfgSecret); err != nil {
 				return "", err
 			}
@@ -601,35 +596,10 @@ func pgTailscaledConfig(pg *tsapi.ProxyGroup, class *tsapi.ProxyClass, idx int32
 		conf.AuthKey = key
 	}
 	capVerConfigs := make(map[tailcfg.CapabilityVersion]ipn.ConfigVAlpha)
-
-	// AdvertiseServices config is set by ingress-pg-reconciler, so make sure we
-	// don't overwrite it here.
-	if err := copyAdvertiseServicesConfig(conf, oldSecret, 106); err != nil {
-		return nil, err
-	}
 	capVerConfigs[106] = *conf
 	return capVerConfigs, nil
 }
 
-func copyAdvertiseServicesConfig(conf *ipn.ConfigVAlpha, oldSecret *corev1.Secret, capVer tailcfg.CapabilityVersion) error {
-	if oldSecret == nil {
-		return nil
-	}
-
-	oldConfB := oldSecret.Data[tsoperator.TailscaledConfigFileName(capVer)]
-	if len(oldConfB) == 0 {
-		return nil
-	}
-
-	var oldConf ipn.ConfigVAlpha
-	if err := json.Unmarshal(oldConfB, &oldConf); err != nil {
-		return fmt.Errorf("error unmarshalling existing config: %w", err)
-	}
-	conf.AdvertiseServices = oldConf.AdvertiseServices
-
-	return nil
-}
-
 func (r *ProxyGroupReconciler) validate(_ *tsapi.ProxyGroup) error {
 	return nil
 }
@@ -650,7 +620,7 @@ func (r *ProxyGroupReconciler) getNodeMetadata(ctx context.Context, pg *tsapi.Pr
 			return nil, fmt.Errorf("unexpected secret %s was labelled as owned by the ProxyGroup %s: %w", secret.Name, pg.Name, err)
 		}
 
-		prefs, ok, err := getDevicePrefs(&secret)
+		id, dnsName, ok, err := getNodeMetadata(ctx, &secret)
 		if err != nil {
 			return nil, err
 		}
@@ -661,8 +631,8 @@ func (r *ProxyGroupReconciler) getNodeMetadata(ctx context.Context, pg *tsapi.Pr
 		nm := nodeMetadata{
 			ordinal:     ordinal,
 			stateSecret: &secret,
-			tsID:        prefs.Config.NodeID,
-			dnsName:     prefs.Config.UserProfile.LoginName,
+			tsID:        id,
+			dnsName:     dnsName,
 		}
 		pod := &corev1.Pod{}
 		if err := r.Get(ctx, client.ObjectKey{Namespace: r.tsNamespace, Name: secret.Name}, pod); err != nil && !apierrors.IsNotFound(err) {

cmd/k8s-operator/proxygroup_specs.go

@@ -73,7 +73,7 @@ func pgStatefulSet(pg *tsapi.ProxyGroup, namespace, image, tsFirewallMode string
 				Name: fmt.Sprintf("tailscaledconfig-%d", i),
 				VolumeSource: corev1.VolumeSource{
 					Secret: &corev1.SecretVolumeSource{
-						SecretName: pgConfigSecretName(pg.Name, i),
+						SecretName: fmt.Sprintf("%s-%d-config", pg.Name, i),
 					},
 				},
 			})
@@ -178,15 +178,7 @@ func pgStatefulSet(pg *tsapi.ProxyGroup, namespace, image, tsFirewallMode string
 				corev1.EnvVar{
 					Name:  "TS_SERVE_CONFIG",
 					Value: fmt.Sprintf("/etc/proxies/%s", serveConfigKey),
-				},
-				corev1.EnvVar{
-					// Run proxies in cert share mode to
-					// ensure that only one TLS cert is
-					// issued for an HA Ingress.
-					Name:  "TS_EXPERIMENTAL_CERT_SHARE",
-					Value: "true",
-				},
-			)
+				})
 		}
 		return append(c.Env, envs...)
 	}()
@@ -233,13 +225,6 @@ func pgRole(pg *tsapi.ProxyGroup, namespace string) *rbacv1.Role {
 			OwnerReferences: pgOwnerReference(pg),
 		},
 		Rules: []rbacv1.PolicyRule{
-			{
-				APIGroups: []string{""},
-				Resources: []string{"secrets"},
-				Verbs: []string{
-					"list",
-				},
-			},
 			{
 				APIGroups: []string{""},
 				Resources: []string{"secrets"},
@@ -251,8 +236,8 @@ func pgRole(pg *tsapi.ProxyGroup, namespace string) *rbacv1.Role {
 				ResourceNames: func() (secrets []string) {
 					for i := range pgReplicas(pg) {
 						secrets = append(secrets,
-							pgConfigSecretName(pg.Name, i),   // Config with auth key.
-							fmt.Sprintf("%s-%d", pg.Name, i), // State.
+							fmt.Sprintf("%s-%d-config", pg.Name, i), // Config with auth key.
+							fmt.Sprintf("%s-%d", pg.Name, i),        // State.
 						)
 					}
 					return secrets
@@ -333,9 +318,9 @@ func pgIngressCM(pg *tsapi.ProxyGroup, namespace string) *corev1.ConfigMap {
 	}
 }
 
-func pgSecretLabels(pgName, secretType string) map[string]string {
+func pgSecretLabels(pgName, typ string) map[string]string {
 	return pgLabels(pgName, map[string]string{
-		kubetypes.LabelSecretType: secretType, // "config" or "state".
+		labelSecretType: typ, // "config" or "state".
 	})
 }
 
@@ -345,7 +330,7 @@ func pgLabels(pgName string, customLabels map[string]string) map[string]string {
 		l[k] = v
 	}
 
-	l[kubetypes.LabelManaged] = "true"
+	l[LabelManaged] = "true"
 	l[LabelParentType] = "proxygroup"
 	l[LabelParentName] = pgName
 
@@ -364,10 +349,6 @@ func pgReplicas(pg *tsapi.ProxyGroup) int32 {
 	return 2
 }
 
-func pgConfigSecretName(pgName string, i int32) string {
-	return fmt.Sprintf("%s-%d-config", pgName, i)
-}
-
 func pgEgressCMName(pg string) string {
 	return fmt.Sprintf("%s-egress-config", pg)
 }

cmd/k8s-operator/proxygroup_test.go

@@ -24,7 +24,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"tailscale.com/client/tailscale"
-	"tailscale.com/ipn"
 	tsoperator "tailscale.com/k8s-operator"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/kube/kubetypes"
@@ -247,6 +246,7 @@ func TestProxyGroup(t *testing.T) {
 		// The fake client does not clean up objects whose owner has been
 		// deleted, so we can't test for the owned resources getting deleted.
 	})
+
 }
 
 func TestProxyGroupTypes(t *testing.T) {
@@ -416,7 +416,6 @@ func TestProxyGroupTypes(t *testing.T) {
 		}
 		verifyEnvVar(t, sts, "TS_INTERNAL_APP", kubetypes.AppProxyGroupIngress)
 		verifyEnvVar(t, sts, "TS_SERVE_CONFIG", "/etc/proxies/serve-config.json")
-		verifyEnvVar(t, sts, "TS_EXPERIMENTAL_CERT_SHARE", "true")
 
 		// Verify ConfigMap volume mount
 		cmName := fmt.Sprintf("%s-ingress-config", pg.Name)
@@ -447,131 +446,6 @@ func TestProxyGroupTypes(t *testing.T) {
 	})
 }
 
-func TestIngressAdvertiseServicesConfigPreserved(t *testing.T) {
-	fc := fake.NewClientBuilder().
-		WithScheme(tsapi.GlobalScheme).
-		Build()
-	reconciler := &ProxyGroupReconciler{
-		tsNamespace: tsNamespace,
-		proxyImage:  testProxyImage,
-		Client:      fc,
-		l:           zap.Must(zap.NewDevelopment()).Sugar(),
-		tsClient:    &fakeTSClient{},
-		clock:       tstest.NewClock(tstest.ClockOpts{}),
-	}
-
-	existingServices := []string{"svc1", "svc2"}
-	existingConfigBytes, err := json.Marshal(ipn.ConfigVAlpha{
-		AdvertiseServices: existingServices,
-		Version:           "should-get-overwritten",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	const pgName = "test-ingress"
-	mustCreate(t, fc, &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      pgConfigSecretName(pgName, 0),
-			Namespace: tsNamespace,
-		},
-		Data: map[string][]byte{
-			tsoperator.TailscaledConfigFileName(106): existingConfigBytes,
-		},
-	})
-
-	mustCreate(t, fc, &tsapi.ProxyGroup{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: pgName,
-			UID:  "test-ingress-uid",
-		},
-		Spec: tsapi.ProxyGroupSpec{
-			Type:     tsapi.ProxyGroupTypeIngress,
-			Replicas: ptr.To[int32](1),
-		},
-	})
-	expectReconciled(t, reconciler, "", pgName)
-
-	expectedConfigBytes, err := json.Marshal(ipn.ConfigVAlpha{
-		// Preserved.
-		AdvertiseServices: existingServices,
-
-		// Everything else got updated in the reconcile:
-		Version:      "alpha0",
-		AcceptDNS:    "false",
-		AcceptRoutes: "false",
-		Locked:       "false",
-		Hostname:     ptr.To(fmt.Sprintf("%s-%d", pgName, 0)),
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	expectEqual(t, fc, &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:            pgConfigSecretName(pgName, 0),
-			Namespace:       tsNamespace,
-			ResourceVersion: "2",
-		},
-		Data: map[string][]byte{
-			tsoperator.TailscaledConfigFileName(106): expectedConfigBytes,
-		},
-	})
-}
-
-func proxyClassesForLEStagingTest() (*tsapi.ProxyClass, *tsapi.ProxyClass, *tsapi.ProxyClass) {
-	pcLEStaging := &tsapi.ProxyClass{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:       "le-staging",
-			Generation: 1,
-		},
-		Spec: tsapi.ProxyClassSpec{
-			UseLetsEncryptStagingEnvironment: true,
-		},
-	}
-
-	pcLEStagingFalse := &tsapi.ProxyClass{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:       "le-staging-false",
-			Generation: 1,
-		},
-		Spec: tsapi.ProxyClassSpec{
-			UseLetsEncryptStagingEnvironment: false,
-		},
-	}
-
-	pcOther := &tsapi.ProxyClass{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:       "other",
-			Generation: 1,
-		},
-		Spec: tsapi.ProxyClassSpec{},
-	}
-
-	return pcLEStaging, pcLEStagingFalse, pcOther
-}
-
-func setProxyClassReady(t *testing.T, fc client.Client, cl *tstest.Clock, name string) *tsapi.ProxyClass {
-	t.Helper()
-	pc := &tsapi.ProxyClass{}
-	if err := fc.Get(context.Background(), client.ObjectKey{Name: name}, pc); err != nil {
-		t.Fatal(err)
-	}
-	pc.Status = tsapi.ProxyClassStatus{
-		Conditions: []metav1.Condition{{
-			Type:               string(tsapi.ProxyClassReady),
-			Status:             metav1.ConditionTrue,
-			Reason:             reasonProxyClassValid,
-			Message:            reasonProxyClassValid,
-			LastTransitionTime: metav1.Time{Time: cl.Now().Truncate(time.Second)},
-			ObservedGeneration: pc.Generation,
-		}},
-	}
-	if err := fc.Status().Update(context.Background(), pc); err != nil {
-		t.Fatal(err)
-	}
-	return pc
-}
-
 func verifyProxyGroupCounts(t *testing.T, r *ProxyGroupReconciler, wantIngress, wantEgress int) {
 	t.Helper()
 	if r.ingressProxyGroups.Len() != wantIngress {
@@ -595,16 +469,6 @@ func verifyEnvVar(t *testing.T, sts *appsv1.StatefulSet, name, expectedValue str
 	t.Errorf("%s environment variable not found", name)
 }
 
-func verifyEnvVarNotPresent(t *testing.T, sts *appsv1.StatefulSet, name string) {
-	t.Helper()
-	for _, env := range sts.Spec.Template.Spec.Containers[0].Env {
-		if env.Name == name {
-			t.Errorf("environment variable %s should not be present", name)
-			return
-		}
-	}
-}
-
 func expectProxyGroupResources(t *testing.T, fc client.WithWatch, pg *tsapi.ProxyGroup, shouldExist bool, cfgHash string, proxyClass *tsapi.ProxyClass) {
 	t.Helper()
 
@@ -637,7 +501,7 @@ func expectProxyGroupResources(t *testing.T, fc client.WithWatch, pg *tsapi.Prox
 		for i := range pgReplicas(pg) {
 			expectedSecrets = append(expectedSecrets,
 				fmt.Sprintf("%s-%d", pg.Name, i),
-				pgConfigSecretName(pg.Name, i),
+				fmt.Sprintf("%s-%d-config", pg.Name, i),
 			)
 		}
 	}
@@ -682,146 +546,3 @@ func addNodeIDToStateSecrets(t *testing.T, fc client.WithWatch, pg *tsapi.ProxyG
 		})
 	}
 }
-
-func TestProxyGroupLetsEncryptStaging(t *testing.T) {
-	cl := tstest.NewClock(tstest.ClockOpts{})
-	zl := zap.Must(zap.NewDevelopment())
-
-	// Set up test cases- most are shared with non-HA Ingress.
-	type proxyGroupLETestCase struct {
-		leStagingTestCase
-		pgType tsapi.ProxyGroupType
-	}
-	pcLEStaging, pcLEStagingFalse, pcOther := proxyClassesForLEStagingTest()
-	sharedTestCases := testCasesForLEStagingTests(pcLEStaging, pcLEStagingFalse, pcOther)
-	var tests []proxyGroupLETestCase
-	for _, tt := range sharedTestCases {
-		tests = append(tests, proxyGroupLETestCase{
-			leStagingTestCase: tt,
-			pgType:            tsapi.ProxyGroupTypeIngress,
-		})
-	}
-	tests = append(tests, proxyGroupLETestCase{
-		leStagingTestCase: leStagingTestCase{
-			name:                  "egress_pg_with_staging_proxyclass",
-			proxyClassPerResource: "le-staging",
-			useLEStagingEndpoint:  false,
-		},
-		pgType: tsapi.ProxyGroupTypeEgress,
-	})
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			builder := fake.NewClientBuilder().
-				WithScheme(tsapi.GlobalScheme)
-
-			// Pre-populate the fake client with ProxyClasses.
-			builder = builder.WithObjects(pcLEStaging, pcLEStagingFalse, pcOther).
-				WithStatusSubresource(pcLEStaging, pcLEStagingFalse, pcOther)
-
-			fc := builder.Build()
-
-			// If the test case needs a ProxyClass to exist, ensure it is set to Ready.
-			if tt.proxyClassPerResource != "" || tt.defaultProxyClass != "" {
-				name := tt.proxyClassPerResource
-				if name == "" {
-					name = tt.defaultProxyClass
-				}
-				setProxyClassReady(t, fc, cl, name)
-			}
-
-			// Create ProxyGroup
-			pg := &tsapi.ProxyGroup{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "test",
-				},
-				Spec: tsapi.ProxyGroupSpec{
-					Type:       tt.pgType,
-					Replicas:   ptr.To[int32](1),
-					ProxyClass: tt.proxyClassPerResource,
-				},
-			}
-			mustCreate(t, fc, pg)
-
-			reconciler := &ProxyGroupReconciler{
-				tsNamespace:       tsNamespace,
-				proxyImage:        testProxyImage,
-				defaultTags:       []string{"tag:test"},
-				defaultProxyClass: tt.defaultProxyClass,
-				Client:            fc,
-				tsClient:          &fakeTSClient{},
-				l:                 zl.Sugar(),
-				clock:             cl,
-			}
-
-			expectReconciled(t, reconciler, "", pg.Name)
-
-			// Verify that the StatefulSet created for ProxyGrup has
-			// the expected setting for the staging endpoint.
-			sts := &appsv1.StatefulSet{}
-			if err := fc.Get(context.Background(), client.ObjectKey{Namespace: tsNamespace, Name: pg.Name}, sts); err != nil {
-				t.Fatalf("failed to get StatefulSet: %v", err)
-			}
-
-			if tt.useLEStagingEndpoint {
-				verifyEnvVar(t, sts, "TS_DEBUG_ACME_DIRECTORY_URL", letsEncryptStagingEndpoint)
-			} else {
-				verifyEnvVarNotPresent(t, sts, "TS_DEBUG_ACME_DIRECTORY_URL")
-			}
-		})
-	}
-}
-
-type leStagingTestCase struct {
-	name string
-	// ProxyClass set on ProxyGroup or Ingress resource.
-	proxyClassPerResource string
-	// Default ProxyClass.
-	defaultProxyClass    string
-	useLEStagingEndpoint bool
-}
-
-// Shared test cases for LE staging endpoint configuration for ProxyGroup and
-// non-HA Ingress.
-func testCasesForLEStagingTests(pcLEStaging, pcLEStagingFalse, pcOther *tsapi.ProxyClass) []leStagingTestCase {
-	return []leStagingTestCase{
-		{
-			name:                  "with_staging_proxyclass",
-			proxyClassPerResource: "le-staging",
-			useLEStagingEndpoint:  true,
-		},
-		{
-			name:                  "with_staging_proxyclass_false",
-			proxyClassPerResource: "le-staging-false",
-			useLEStagingEndpoint:  false,
-		},
-		{
-			name:                  "with_other_proxyclass",
-			proxyClassPerResource: "other",
-			useLEStagingEndpoint:  false,
-		},
-		{
-			name:                  "no_proxyclass",
-			proxyClassPerResource: "",
-			useLEStagingEndpoint:  false,
-		},
-		{
-			name:                  "with_default_staging_proxyclass",
-			proxyClassPerResource: "",
-			defaultProxyClass:     "le-staging",
-			useLEStagingEndpoint:  true,
-		},
-		{
-			name:                  "with_default_other_proxyclass",
-			proxyClassPerResource: "",
-			defaultProxyClass:     "other",
-			useLEStagingEndpoint:  false,
-		},
-		{
-			name:                  "with_default_staging_proxyclass_false",
-			proxyClassPerResource: "",
-			defaultProxyClass:     "le-staging-false",
-			useLEStagingEndpoint:  false,
-		},
-	}
-}

cmd/k8s-operator/sts.go

@@ -44,9 +44,11 @@ const (
 	// Labels that the operator sets on StatefulSets and Pods. If you add a
 	// new label here, do also add it to tailscaleManagedLabels var to
 	// ensure that it does not get overwritten by ProxyClass configuration.
+	LabelManaged         = "tailscale.com/managed"
 	LabelParentType      = "tailscale.com/parent-resource-type"
 	LabelParentName      = "tailscale.com/parent-resource"
 	LabelParentNamespace = "tailscale.com/parent-resource-ns"
+	labelSecretType      = "tailscale.com/secret-type" // "config" or "state".
 
 	// LabelProxyClass can be set by users on tailscale Ingresses and Services that define cluster ingress or
 	// cluster egress, to specify that configuration in this ProxyClass should be applied to resources created for
@@ -102,13 +104,11 @@ const (
 
 	envVarTSLocalAddrPort = "TS_LOCAL_ADDR_PORT"
 	defaultLocalAddrPort  = 9002 // metrics and health check port
-
-	letsEncryptStagingEndpoint = "https://acme-staging-v02.api.letsencrypt.org/directory"
 )
 
 var (
 	// tailscaleManagedLabels are label keys that tailscale operator sets on StatefulSets and Pods.
-	tailscaleManagedLabels = []string{kubetypes.LabelManaged, LabelParentType, LabelParentName, LabelParentNamespace, "app"}
+	tailscaleManagedLabels = []string{LabelManaged, LabelParentType, LabelParentName, LabelParentNamespace, "app"}
 	// tailscaleManagedAnnotations are annotation keys that tailscale operator sets on StatefulSets and Pods.
 	tailscaleManagedAnnotations = []string{podAnnotationLastSetClusterIP, podAnnotationLastSetTailnetTargetIP, podAnnotationLastSetTailnetTargetFQDN, podAnnotationLastSetConfigFileHash}
 )
@@ -785,17 +785,6 @@ func applyProxyClassToStatefulSet(pc *tsapi.ProxyClass, ss *appsv1.StatefulSet,
 			enableEndpoints(ss, metricsEnabled, debugEnabled)
 		}
 	}
-	if pc.Spec.UseLetsEncryptStagingEnvironment && (stsCfg.proxyType == proxyTypeIngressResource || stsCfg.proxyType == string(tsapi.ProxyGroupTypeIngress)) {
-		for i, c := range ss.Spec.Template.Spec.Containers {
-			if c.Name == "tailscale" {
-				ss.Spec.Template.Spec.Containers[i].Env = append(ss.Spec.Template.Spec.Containers[i].Env, corev1.EnvVar{
-					Name:  "TS_DEBUG_ACME_DIRECTORY_URL",
-					Value: letsEncryptStagingEndpoint,
-				})
-				break
-			}
-		}
-	}
 
 	if pc.Spec.StatefulSet == nil {
 		return ss

cmd/k8s-operator/sts_test.go

@@ -21,7 +21,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/yaml"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
-	"tailscale.com/kube/kubetypes"
 	"tailscale.com/types/ptr"
 )
 
@@ -157,8 +156,8 @@ func Test_applyProxyClassToStatefulSet(t *testing.T) {
 	// Set a couple additional fields so we can test that we don't
 	// mistakenly override those.
 	labels := map[string]string{
-		kubetypes.LabelManaged: "true",
-		LabelParentName:        "foo",
+		LabelManaged:    "true",
+		LabelParentName: "foo",
 	}
 	annots := map[string]string{
 		podAnnotationLastSetClusterIP: "1.2.3.4",
@@ -304,28 +303,28 @@ func Test_mergeStatefulSetLabelsOrAnnots(t *testing.T) {
 	}{
 		{
 			name:    "no custom labels specified and none present in current labels, return current labels",
-			current: map[string]string{kubetypes.LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
-			want:    map[string]string{kubetypes.LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			current: map[string]string{LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			want:    map[string]string{LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
 			managed: tailscaleManagedLabels,
 		},
 		{
 			name:    "no custom labels specified, but some present in current labels, return tailscale managed labels only from the current labels",
-			current: map[string]string{"foo": "bar", "something.io/foo": "bar", kubetypes.LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
-			want:    map[string]string{kubetypes.LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			current: map[string]string{"foo": "bar", "something.io/foo": "bar", LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			want:    map[string]string{LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
 			managed: tailscaleManagedLabels,
 		},
 		{
 			name:    "custom labels specified, current labels only contain tailscale managed labels, return a union of both",
-			current: map[string]string{kubetypes.LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			current: map[string]string{LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
 			custom:  map[string]string{"foo": "bar", "something.io/foo": "bar"},
-			want:    map[string]string{"foo": "bar", "something.io/foo": "bar", kubetypes.LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			want:    map[string]string{"foo": "bar", "something.io/foo": "bar", LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
 			managed: tailscaleManagedLabels,
 		},
 		{
 			name:    "custom labels specified, current labels contain tailscale managed labels and custom labels, some of which re not present in the new custom labels, return a union of managed labels and the desired custom labels",
-			current: map[string]string{"foo": "bar", "bar": "baz", "app": "1234", kubetypes.LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			current: map[string]string{"foo": "bar", "bar": "baz", "app": "1234", LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
 			custom:  map[string]string{"foo": "bar", "something.io/foo": "bar"},
-			want:    map[string]string{"foo": "bar", "something.io/foo": "bar", "app": "1234", kubetypes.LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			want:    map[string]string{"foo": "bar", "something.io/foo": "bar", "app": "1234", LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
 			managed: tailscaleManagedLabels,
 		},
 		{

cmd/k8s-operator/svc.go

@@ -84,10 +84,10 @@ func childResourceLabels(name, ns, typ string) map[string]string {
 	// proxying. Instead, we have to do our own filtering and tracking with
 	// labels.
 	return map[string]string{
-		kubetypes.LabelManaged: "true",
-		LabelParentName:        name,
-		LabelParentNamespace:   ns,
-		LabelParentType:        typ,
+		LabelManaged:         "true",
+		LabelParentName:      name,
+		LabelParentNamespace: ns,
+		LabelParentType:      typ,
 	}
 }
 

cmd/k8s-operator/testutils_test.go

@@ -28,11 +28,10 @@ import (
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"tailscale.com/internal/client/tailscale"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
-	"tailscale.com/kube/kubetypes"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/ptr"
 	"tailscale.com/util/mak"
@@ -564,10 +563,10 @@ func expectedSecret(t *testing.T, cl client.Client, opts configOpts) *corev1.Sec
 func findGenName(t *testing.T, client client.Client, ns, name, typ string) (full, noSuffix string) {
 	t.Helper()
 	labels := map[string]string{
-		kubetypes.LabelManaged: "true",
-		LabelParentName:        name,
-		LabelParentNamespace:   ns,
-		LabelParentType:        typ,
+		LabelManaged:         "true",
+		LabelParentName:      name,
+		LabelParentNamespace: ns,
+		LabelParentType:      typ,
 	}
 	s, err := getSingleObject[corev1.Secret](context.Background(), client, "operator-ns", labels)
 	if err != nil {
@@ -769,7 +768,7 @@ type fakeTSClient struct {
 	sync.Mutex
 	keyRequests []tailscale.KeyCapabilities
 	deleted     []string
-	vipServices map[tailcfg.ServiceName]*tailscale.VIPService
+	vipServices map[tailcfg.ServiceName]*VIPService
 }
 type fakeTSNetServer struct {
 	certDomains []string
@@ -876,7 +875,7 @@ func removeAuthKeyIfExistsModifier(t *testing.T) func(s *corev1.Secret) {
 	}
 }
 
-func (c *fakeTSClient) GetVIPService(ctx context.Context, name tailcfg.ServiceName) (*tailscale.VIPService, error) {
+func (c *fakeTSClient) getVIPService(ctx context.Context, name tailcfg.ServiceName) (*VIPService, error) {
 	c.Lock()
 	defer c.Unlock()
 	if c.vipServices == nil {
@@ -889,17 +888,17 @@ func (c *fakeTSClient) GetVIPService(ctx context.Context, name tailcfg.ServiceNa
 	return svc, nil
 }
 
-func (c *fakeTSClient) CreateOrUpdateVIPService(ctx context.Context, svc *tailscale.VIPService) error {
+func (c *fakeTSClient) createOrUpdateVIPService(ctx context.Context, svc *VIPService) error {
 	c.Lock()
 	defer c.Unlock()
 	if c.vipServices == nil {
-		c.vipServices = make(map[tailcfg.ServiceName]*tailscale.VIPService)
+		c.vipServices = make(map[tailcfg.ServiceName]*VIPService)
 	}
 	c.vipServices[svc.Name] = svc
 	return nil
 }
 
-func (c *fakeTSClient) DeleteVIPService(ctx context.Context, name tailcfg.ServiceName) error {
+func (c *fakeTSClient) deleteVIPService(ctx context.Context, name tailcfg.ServiceName) error {
 	c.Lock()
 	defer c.Unlock()
 	if c.vipServices != nil {

cmd/k8s-operator/tsclient.go

@@ -6,13 +6,19 @@
 package main
 
 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"fmt"
+	"io"
+	"net/http"
+	"net/url"
 	"os"
 
 	"golang.org/x/oauth2/clientcredentials"
-	"tailscale.com/internal/client/tailscale"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/tailcfg"
+	"tailscale.com/util/httpm"
 )
 
 // defaultTailnet is a value that can be used in Tailscale API calls instead of tailnet name to indicate that the API
@@ -39,14 +45,141 @@ func newTSClient(ctx context.Context, clientIDPath, clientSecretPath string) (ts
 	c := tailscale.NewClient(defaultTailnet, nil)
 	c.UserAgent = "tailscale-k8s-operator"
 	c.HTTPClient = credentials.Client(ctx)
-	return c, nil
+	tsc := &tsClientImpl{
+		Client:  c,
+		baseURL: defaultBaseURL,
+		tailnet: defaultTailnet,
+	}
+	return tsc, nil
 }
 
 type tsClient interface {
 	CreateKey(ctx context.Context, caps tailscale.KeyCapabilities) (string, *tailscale.Key, error)
 	Device(ctx context.Context, deviceID string, fields *tailscale.DeviceFieldsOpts) (*tailscale.Device, error)
 	DeleteDevice(ctx context.Context, nodeStableID string) error
-	GetVIPService(ctx context.Context, name tailcfg.ServiceName) (*tailscale.VIPService, error)
-	CreateOrUpdateVIPService(ctx context.Context, svc *tailscale.VIPService) error
-	DeleteVIPService(ctx context.Context, name tailcfg.ServiceName) error
+	getVIPService(ctx context.Context, name tailcfg.ServiceName) (*VIPService, error)
+	createOrUpdateVIPService(ctx context.Context, svc *VIPService) error
+	deleteVIPService(ctx context.Context, name tailcfg.ServiceName) error
+}
+
+type tsClientImpl struct {
+	*tailscale.Client
+	baseURL string
+	tailnet string
+}
+
+// VIPService is a Tailscale VIPService with Tailscale API JSON representation.
+type VIPService struct {
+	// Name is a VIPService name in form svc:<leftmost-label-of-service-DNS-name>.
+	Name tailcfg.ServiceName `json:"name,omitempty"`
+	// Addrs are the IP addresses of the VIP Service. There are two addresses:
+	// the first is IPv4 and the second is IPv6.
+	// When creating a new VIP Service, the IP addresses are optional: if no
+	// addresses are specified then they will be selected. If an IPv4 address is
+	// specified at index 0, then that address will attempt to be used. An IPv6
+	// address can not be specified upon creation.
+	Addrs []string `json:"addrs,omitempty"`
+	// Comment is an optional text string for display in the admin panel.
+	Comment string `json:"comment,omitempty"`
+	// Ports are the ports of a VIPService that will be configured via Tailscale serve config.
+	// If set, any node wishing to advertise this VIPService must have this port configured via Tailscale serve.
+	Ports []string `json:"ports,omitempty"`
+	// Tags are optional ACL tags that will be applied to the VIPService.
+	Tags []string `json:"tags,omitempty"`
+}
+
+// GetVIPServiceByName retrieves a VIPService by its name. It returns 404 if the VIPService is not found.
+func (c *tsClientImpl) getVIPService(ctx context.Context, name tailcfg.ServiceName) (*VIPService, error) {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/vip-services/%s", c.baseURL, c.tailnet, url.PathEscape(name.String()))
+	req, err := http.NewRequestWithContext(ctx, httpm.GET, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("error creating new HTTP request: %w", err)
+	}
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, fmt.Errorf("error making Tailsale API request: %w", err)
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+	svc := &VIPService{}
+	if err := json.Unmarshal(b, svc); err != nil {
+		return nil, err
+	}
+	return svc, nil
+}
+
+// createOrUpdateVIPService creates or updates a VIPService by its name. Caller must ensure that, if the
+// VIPService already exists, the VIPService is fetched first to ensure that any auto-allocated IP addresses are not
+// lost during the update. If the VIPService was created without any IP addresses explicitly set (so that they were
+// auto-allocated by Tailscale) any subsequent request to this function that does not set any IP addresses will error.
+func (c *tsClientImpl) createOrUpdateVIPService(ctx context.Context, svc *VIPService) error {
+	data, err := json.Marshal(svc)
+	if err != nil {
+		return err
+	}
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/vip-services/%s", c.baseURL, c.tailnet, url.PathEscape(svc.Name.String()))
+	req, err := http.NewRequestWithContext(ctx, httpm.PUT, path, bytes.NewBuffer(data))
+	if err != nil {
+		return fmt.Errorf("error creating new HTTP request: %w", err)
+	}
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return fmt.Errorf("error making Tailscale API request: %w", err)
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return handleErrorResponse(b, resp)
+	}
+	return nil
+}
+
+// DeleteVIPServiceByName deletes a VIPService by its name. It returns an error if the VIPService
+// does not exist or if the deletion fails.
+func (c *tsClientImpl) deleteVIPService(ctx context.Context, name tailcfg.ServiceName) error {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/vip-services/%s", c.baseURL, c.tailnet, url.PathEscape(name.String()))
+	req, err := http.NewRequestWithContext(ctx, httpm.DELETE, path, nil)
+	if err != nil {
+		return fmt.Errorf("error creating new HTTP request: %w", err)
+	}
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return fmt.Errorf("error making Tailscale API request: %w", err)
+	}
+	// If status code was not successful, return the error.
+	if resp.StatusCode != http.StatusOK {
+		return handleErrorResponse(b, resp)
+	}
+	return nil
+}
+
+// sendRequest add the authentication key to the request and sends it. It
+// receives the response and reads up to 10MB of it.
+func (c *tsClientImpl) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
+	resp, err := c.Do(req)
+	if err != nil {
+		return nil, resp, fmt.Errorf("error actually doing request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	// Read response
+	b, err := io.ReadAll(resp.Body)
+	if err != nil {
+		err = fmt.Errorf("error reading response body: %v", err)
+	}
+	return b, resp, err
+}
+
+// handleErrorResponse decodes the error message from the server and returns
+// an ErrResponse from it.
+func handleErrorResponse(b []byte, resp *http.Response) error {
+	var errResp tailscale.ErrResponse
+	if err := json.Unmarshal(b, &errResp); err != nil {
+		return err
+	}
+	errResp.Status = resp.StatusCode
+	return errResp
 }

cmd/k8s-operator/tsrecorder.go

@@ -230,7 +230,7 @@ func (r *RecorderReconciler) maybeProvision(ctx context.Context, tsr *tsapi.Reco
 func (r *RecorderReconciler) maybeCleanup(ctx context.Context, tsr *tsapi.Recorder) (bool, error) {
 	logger := r.logger(tsr.Name)
 
-	prefs, ok, err := r.getDevicePrefs(ctx, tsr.Name)
+	id, _, ok, err := r.getNodeMetadata(ctx, tsr.Name)
 	if err != nil {
 		return false, err
 	}
@@ -243,7 +243,6 @@ func (r *RecorderReconciler) maybeCleanup(ctx context.Context, tsr *tsapi.Record
 		return true, nil
 	}
 
-	id := string(prefs.Config.NodeID)
 	logger.Debugf("deleting device %s from control", string(id))
 	if err := r.tsClient.DeleteDevice(ctx, string(id)); err != nil {
 		errResp := &tailscale.ErrResponse{}
@@ -328,33 +327,34 @@ func (r *RecorderReconciler) getStateSecret(ctx context.Context, tsrName string)
 	return secret, nil
 }
 
-func (r *RecorderReconciler) getDevicePrefs(ctx context.Context, tsrName string) (prefs prefs, ok bool, err error) {
+func (r *RecorderReconciler) getNodeMetadata(ctx context.Context, tsrName string) (id tailcfg.StableNodeID, dnsName string, ok bool, err error) {
 	secret, err := r.getStateSecret(ctx, tsrName)
 	if err != nil || secret == nil {
-		return prefs, false, err
+		return "", "", false, err
 	}
 
-	return getDevicePrefs(secret)
+	return getNodeMetadata(ctx, secret)
 }
 
-// getDevicePrefs returns 'ok == true' iff the node ID is found. The dnsName
+// getNodeMetadata returns 'ok == true' iff the node ID is found. The dnsName
 // is expected to always be non-empty if the node ID is, but not required.
-func getDevicePrefs(secret *corev1.Secret) (prefs prefs, ok bool, err error) {
+func getNodeMetadata(ctx context.Context, secret *corev1.Secret) (id tailcfg.StableNodeID, dnsName string, ok bool, err error) {
 	// TODO(tomhjp): Should maybe use ipn to parse the following info instead.
 	currentProfile, ok := secret.Data[currentProfileKey]
 	if !ok {
-		return prefs, false, nil
+		return "", "", false, nil
 	}
 	profileBytes, ok := secret.Data[string(currentProfile)]
 	if !ok {
-		return prefs, false, nil
+		return "", "", false, nil
 	}
-	if err := json.Unmarshal(profileBytes, &prefs); err != nil {
-		return prefs, false, fmt.Errorf("failed to extract node profile info from state Secret %s: %w", secret.Name, err)
+	var profile profile
+	if err := json.Unmarshal(profileBytes, &profile); err != nil {
+		return "", "", false, fmt.Errorf("failed to extract node profile info from state Secret %s: %w", secret.Name, err)
 	}
 
-	ok = prefs.Config.NodeID != ""
-	return prefs, ok, nil
+	ok = profile.Config.NodeID != ""
+	return tailcfg.StableNodeID(profile.Config.NodeID), profile.Config.UserProfile.LoginName, ok, nil
 }
 
 func (r *RecorderReconciler) getDeviceInfo(ctx context.Context, tsrName string) (d tsapi.RecorderTailnetDevice, ok bool, err error) {
@@ -367,14 +367,14 @@ func (r *RecorderReconciler) getDeviceInfo(ctx context.Context, tsrName string)
 }
 
 func getDeviceInfo(ctx context.Context, tsClient tsClient, secret *corev1.Secret) (d tsapi.RecorderTailnetDevice, ok bool, err error) {
-	prefs, ok, err := getDevicePrefs(secret)
+	nodeID, dnsName, ok, err := getNodeMetadata(ctx, secret)
 	if !ok || err != nil {
 		return tsapi.RecorderTailnetDevice{}, false, err
 	}
 
 	// TODO(tomhjp): The profile info doesn't include addresses, which is why we
 	// need the API. Should we instead update the profile to include addresses?
-	device, err := tsClient.Device(ctx, string(prefs.Config.NodeID), nil)
+	device, err := tsClient.Device(ctx, string(nodeID), nil)
 	if err != nil {
 		return tsapi.RecorderTailnetDevice{}, false, fmt.Errorf("failed to get device info from API: %w", err)
 	}
@@ -383,25 +383,20 @@ func getDeviceInfo(ctx context.Context, tsClient tsClient, secret *corev1.Secret
 		Hostname:   device.Hostname,
 		TailnetIPs: device.Addresses,
 	}
-	if dnsName := prefs.Config.UserProfile.LoginName; dnsName != "" {
+	if dnsName != "" {
 		d.URL = fmt.Sprintf("https://%s", dnsName)
 	}
 
 	return d, true, nil
 }
 
-// [prefs] is a subset of the ipn.Prefs struct used for extracting information
-// from the state Secret of Tailscale devices.
-type prefs struct {
+type profile struct {
 	Config struct {
-		NodeID      tailcfg.StableNodeID `json:"NodeID"`
+		NodeID      string `json:"NodeID"`
 		UserProfile struct {
-			// LoginName is the MagicDNS name of the device, e.g. foo.tail-scale.ts.net.
 			LoginName string `json:"LoginName"`
 		} `json:"UserProfile"`
 	} `json:"Config"`
-
-	AdvertiseServices []string `json:"AdvertiseServices"`
 }
 
 func markedForDeletion(obj metav1.Object) bool {

cmd/natc/natc.go

@@ -27,10 +27,12 @@ import (
 	"github.com/inetaf/tcpproxy"
 	"github.com/peterbourgon/ff/v3"
 	"golang.org/x/net/dns/dnsmessage"
-	"tailscale.com/client/local"
+	"gvisor.dev/gvisor/pkg/tcpip"
+	"gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
 	"tailscale.com/envknob"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
+	"tailscale.com/localclient/tailscale"
 	"tailscale.com/net/netutil"
 	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
@@ -41,8 +43,6 @@ import (
 	"tailscale.com/wgengine/netstack"
 )
 
-var ErrNoIPsAvailable = errors.New("no IPs available")
-
 func main() {
 	hostinfo.SetApp("natc")
 	if !envknob.UseWIPCode() {
@@ -140,6 +140,26 @@ func main() {
 	}
 	// TODO(raggi): this is not a public interface or guarantee.
 	ns := ts.Sys().Netstack.Get().(*netstack.Impl)
+	tcpRXBufOpt := tcpip.TCPReceiveBufferSizeRangeOption{
+		Min:     tcp.MinBufferSize,
+		Default: tcp.DefaultReceiveBufferSize,
+		Max:     tcp.MaxBufferSize,
+	}
+	if err := ns.SetTransportProtocolOption(tcp.ProtocolNumber, &tcpRXBufOpt); err != nil {
+		log.Fatalf("could not set TCP RX buf size: %v", err)
+	}
+	tcpTXBufOpt := tcpip.TCPSendBufferSizeRangeOption{
+		Min:     tcp.MinBufferSize,
+		Default: tcp.DefaultSendBufferSize,
+		Max:     tcp.MaxBufferSize,
+	}
+	if err := ns.SetTransportProtocolOption(tcp.ProtocolNumber, &tcpTXBufOpt); err != nil {
+		log.Fatalf("could not set TCP TX buf size: %v", err)
+	}
+	mslOpt := tcpip.TCPTimeWaitTimeoutOption(5 * time.Second)
+	if err := ns.SetTransportProtocolOption(tcp.ProtocolNumber, &mslOpt); err != nil {
+		log.Fatalf("could not set TCP MSL: %v", err)
+	}
 	if *debugPort != 0 {
 		expvar.Publish("netstack", ns.ExpVar())
 	}
@@ -166,9 +186,9 @@ func main() {
 type connector struct {
 	// ts is the tsnet.Server used to host the connector.
 	ts *tsnet.Server
-	// lc is the local.Client used to interact with the tsnet.Server hosting this
+	// lc is the LocalClient used to interact with the tsnet.Server hosting this
 	// connector.
-	lc *local.Client
+	lc *tailscale.LocalClient
 
 	// dnsAddr is the IPv4 address to listen on for DNS requests. It is used to
 	// prevent the app connector from assigning it to a domain.
@@ -279,14 +299,14 @@ func (c *connector) handleDNS(pc net.PacketConn, buf []byte, remoteAddr *net.UDP
 	defer cancel()
 	who, err := c.lc.WhoIs(ctx, remoteAddr.String())
 	if err != nil {
-		log.Printf("HandleDNS(remote=%s): WhoIs failed: %v\n", remoteAddr.String(), err)
+		log.Printf("HandleDNS: WhoIs failed: %v\n", err)
 		return
 	}
 
 	var msg dnsmessage.Message
 	err = msg.Unpack(buf)
 	if err != nil {
-		log.Printf("HandleDNS(remote=%s): dnsmessage unpack failed: %v\n", remoteAddr.String(), err)
+		log.Printf("HandleDNS: dnsmessage unpack failed: %v\n ", err)
 		return
 	}
 
@@ -299,19 +319,19 @@ func (c *connector) handleDNS(pc net.PacketConn, buf []byte, remoteAddr *net.UDP
 			case dnsmessage.TypeAAAA, dnsmessage.TypeA:
 				dstAddrs, err := lookupDestinationIP(q.Name.String())
 				if err != nil {
-					log.Printf("HandleDNS(remote=%s): lookup destination failed: %v\n", remoteAddr.String(), err)
+					log.Printf("HandleDNS: lookup destination failed: %v\n ", err)
 					return
 				}
 				if c.ignoreDestination(dstAddrs) {
 					bs, err := dnsResponse(&msg, dstAddrs)
 					// TODO (fran): treat as SERVFAIL
 					if err != nil {
-						log.Printf("HandleDNS(remote=%s): generate ignore response failed: %v\n", remoteAddr.String(), err)
+						log.Printf("HandleDNS: generate ignore response failed: %v\n", err)
 						return
 					}
 					_, err = pc.WriteTo(bs, remoteAddr)
 					if err != nil {
-						log.Printf("HandleDNS(remote=%s): write failed: %v\n", remoteAddr.String(), err)
+						log.Printf("HandleDNS: write failed: %v\n", err)
 					}
 					return
 				}
@@ -324,7 +344,7 @@ func (c *connector) handleDNS(pc net.PacketConn, buf []byte, remoteAddr *net.UDP
 	resp, err := c.generateDNSResponse(&msg, who.Node.ID)
 	// TODO (fran): treat as SERVFAIL
 	if err != nil {
-		log.Printf("HandleDNS(remote=%s): connector handling failed: %v\n", remoteAddr.String(), err)
+		log.Printf("HandleDNS: connector handling failed: %v\n", err)
 		return
 	}
 	// TODO (fran): treat as NXDOMAIN
@@ -334,7 +354,7 @@ func (c *connector) handleDNS(pc net.PacketConn, buf []byte, remoteAddr *net.UDP
 	// This connector handled the DNS request
 	_, err = pc.WriteTo(resp, remoteAddr)
 	if err != nil {
-		log.Printf("HandleDNS(remote=%s): write failed: %v\n", remoteAddr.String(), err)
+		log.Printf("HandleDNS: write failed: %v\n", err)
 	}
 }
 
@@ -531,9 +551,6 @@ func (ps *perPeerState) ipForDomain(domain string) ([]netip.Addr, error) {
 		return addrs, nil
 	}
 	addrs := ps.assignAddrsLocked(domain)
-	if addrs == nil {
-		return nil, ErrNoIPsAvailable
-	}
 	return addrs, nil
 }
 
@@ -580,9 +597,6 @@ func (ps *perPeerState) assignAddrsLocked(domain string) []netip.Addr {
 		ps.addrToDomain = &bart.Table[string]{}
 	}
 	v4 := ps.unusedIPv4Locked()
-	if !v4.IsValid() {
-		return nil
-	}
 	as16 := ps.c.v6ULA.Addr().As16()
 	as4 := v4.As4()
 	copy(as16[12:], as4[:])

cmd/nginx-auth/nginx-auth.go

@@ -21,7 +21,7 @@ import (
 	"strings"
 
 	"github.com/coreos/go-systemd/activation"
-	"tailscale.com/client/tailscale"
+	"tailscale.com/localclient/tailscale"
 )
 
 var (

cmd/pgproxy/pgproxy.go

@@ -24,7 +24,7 @@ import (
 	"strings"
 	"time"
 
-	"tailscale.com/client/local"
+	"tailscale.com/localclient/tailscale"
 	"tailscale.com/metrics"
 	"tailscale.com/tsnet"
 	"tailscale.com/tsweb"
@@ -105,7 +105,7 @@ type proxy struct {
 	upstreamHost     string // "my.database.com"
 	upstreamCertPool *x509.CertPool
 	downstreamCert   []tls.Certificate
-	client           *local.Client
+	client           *tailscale.LocalClient
 
 	activeSessions  expvar.Int
 	startedSessions expvar.Int
@@ -115,7 +115,7 @@ type proxy struct {
 // newProxy returns a proxy that forwards connections to
 // upstreamAddr. The upstream's TLS session is verified using the CA
 // cert(s) in upstreamCAPath.
-func newProxy(upstreamAddr, upstreamCAPath string, client *local.Client) (*proxy, error) {
+func newProxy(upstreamAddr, upstreamCAPath string, client *tailscale.LocalClient) (*proxy, error) {
 	bs, err := os.ReadFile(upstreamCAPath)
 	if err != nil {
 		return nil, err

cmd/proxy-to-grafana/proxy-to-grafana.go

@@ -19,25 +19,8 @@
 //	header_property = username
 //	auto_sign_up = true
 //	whitelist = 127.0.0.1
-//	headers = Email:X-Webauth-User, Name:X-Webauth-Name, Role:X-Webauth-Role
+//	headers = Name:X-WEBAUTH-NAME
 //	enable_login_token = true
-//
-// You can use grants in Tailscale ACL to give users different roles in Grafana.
-// For example, to give group:eng the Editor role, add the following to your ACLs:
-//
-//	 "grants": [
-//			{
-//				"src": ["group:eng"],
-//				"dst": ["tag:grafana"],
-//				"app": {
-//					"tailscale.com/cap/proxy-to-grafana": [{
-//						"role": "editor",
-//					}],
-//				},
-//			},
-//	 ],
-//
-// If multiple roles are specified, the most permissive role is used.
 package main
 
 import (
@@ -53,7 +36,7 @@ import (
 	"strings"
 	"time"
 
-	"tailscale.com/client/local"
+	"tailscale.com/localclient/tailscale"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tsnet"
 )
@@ -66,57 +49,6 @@ var (
 	loginServer  = flag.String("login-server", "", "URL to alternative control server. If empty, the default Tailscale control is used.")
 )
 
-// aclCap is the Tailscale ACL capability used to configure proxy-to-grafana.
-const aclCap tailcfg.PeerCapability = "tailscale.com/cap/proxy-to-grafana"
-
-// aclGrant is an access control rule that assigns Grafana permissions
-// while provisioning a user.
-type aclGrant struct {
-	// Role is one of: "viewer", "editor", "admin".
-	Role string `json:"role"`
-}
-
-// grafanaRole defines possible Grafana roles.
-type grafanaRole int
-
-const (
-	// Roles are ordered by their permissions, with the least permissive role first.
-	// If a user has multiple roles, the most permissive role is used.
-	ViewerRole grafanaRole = iota
-	EditorRole
-	AdminRole
-)
-
-// String returns the string representation of a grafanaRole.
-// It is used as a header value in the HTTP request to Grafana.
-func (r grafanaRole) String() string {
-	switch r {
-	case ViewerRole:
-		return "Viewer"
-	case EditorRole:
-		return "Editor"
-	case AdminRole:
-		return "Admin"
-	default:
-		// A safe default.
-		return "Viewer"
-	}
-}
-
-// roleFromString converts a string to a grafanaRole.
-// It is used to parse the role from the ACL grant.
-func roleFromString(s string) (grafanaRole, error) {
-	switch strings.ToLower(s) {
-	case "viewer":
-		return ViewerRole, nil
-	case "editor":
-		return EditorRole, nil
-	case "admin":
-		return AdminRole, nil
-	}
-	return ViewerRole, fmt.Errorf("unknown role: %q", s)
-}
-
 func main() {
 	flag.Parse()
 	if *hostname == "" || strings.Contains(*hostname, ".") {
@@ -195,22 +127,14 @@ func main() {
 	log.Fatal(http.Serve(ln, proxy))
 }
 
-func modifyRequest(req *http.Request, localClient *local.Client) {
+func modifyRequest(req *http.Request, localClient *tailscale.LocalClient) {
 	// with enable_login_token set to true, we get a cookie that handles
 	// auth for paths that are not /login
 	if req.URL.Path != "/login" {
 		return
 	}
 
-	// Delete any existing X-Webauth-* headers to prevent possible spoofing
-	// if getting Tailnet identity fails.
-	for h := range req.Header {
-		if strings.HasPrefix(h, "X-Webauth-") {
-			req.Header.Del(h)
-		}
-	}
-
-	user, role, err := getTailscaleIdentity(req.Context(), localClient, req.RemoteAddr)
+	user, err := getTailscaleUser(req.Context(), localClient, req.RemoteAddr)
 	if err != nil {
 		log.Printf("error getting Tailscale user: %v", err)
 		return
@@ -218,33 +142,19 @@ func modifyRequest(req *http.Request, localClient *local.Client) {
 
 	req.Header.Set("X-Webauth-User", user.LoginName)
 	req.Header.Set("X-Webauth-Name", user.DisplayName)
-	req.Header.Set("X-Webauth-Role", role.String())
 }
 
-func getTailscaleIdentity(ctx context.Context, localClient *local.Client, ipPort string) (*tailcfg.UserProfile, grafanaRole, error) {
+func getTailscaleUser(ctx context.Context, localClient *tailscale.LocalClient, ipPort string) (*tailcfg.UserProfile, error) {
 	whois, err := localClient.WhoIs(ctx, ipPort)
 	if err != nil {
-		return nil, ViewerRole, fmt.Errorf("failed to identify remote host: %w", err)
+		return nil, fmt.Errorf("failed to identify remote host: %w", err)
 	}
 	if whois.Node.IsTagged() {
-		return nil, ViewerRole, fmt.Errorf("tagged nodes are not users")
+		return nil, fmt.Errorf("tagged nodes are not users")
 	}
 	if whois.UserProfile == nil || whois.UserProfile.LoginName == "" {
-		return nil, ViewerRole, fmt.Errorf("failed to identify remote user")
+		return nil, fmt.Errorf("failed to identify remote user")
 	}
 
-	role := ViewerRole
-	grants, err := tailcfg.UnmarshalCapJSON[aclGrant](whois.CapMap, aclCap)
-	if err != nil {
-		return nil, ViewerRole, fmt.Errorf("failed to unmarshal ACL grants: %w", err)
-	}
-	for _, g := range grants {
-		r, err := roleFromString(g.Role)
-		if err != nil {
-			return nil, ViewerRole, fmt.Errorf("failed to parse role: %w", err)
-		}
-		role = max(role, r)
-	}
-
-	return whois.UserProfile, role, nil
+	return whois.UserProfile, nil
 }

cmd/sniproxy/sniproxy.go

@@ -22,9 +22,9 @@ import (
 	"strings"
 
 	"github.com/peterbourgon/ff/v3"
-	"tailscale.com/client/local"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
+	"tailscale.com/localclient/tailscale"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tsnet"
 	"tailscale.com/tsweb"
@@ -183,7 +183,7 @@ func run(ctx context.Context, ts *tsnet.Server, wgPort int, hostname string, pro
 type sniproxy struct {
 	srv Server
 	ts  *tsnet.Server
-	lc  *local.Client
+	lc  *tailscale.LocalClient
 }
 
 func (s *sniproxy) advertiseRoutesFromConfig(ctx context.Context, c *appctype.AppConnectorConfig) error {

cmd/stund/depaware.txt

@@ -49,7 +49,6 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         google.golang.org/protobuf/types/known/timestamppb           from github.com/prometheus/client_golang/prometheus+
         tailscale.com                                                from tailscale.com/version
         tailscale.com/envknob                                        from tailscale.com/tsweb+
-        tailscale.com/feature                                        from tailscale.com/tsweb
         tailscale.com/kube/kubetypes                                 from tailscale.com/envknob
         tailscale.com/metrics                                        from tailscale.com/net/stunserver+
         tailscale.com/net/netaddr                                    from tailscale.com/net/tsaddr
@@ -58,8 +57,8 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         tailscale.com/net/tsaddr                                     from tailscale.com/tsweb
         tailscale.com/syncs                                          from tailscale.com/metrics
         tailscale.com/tailcfg                                        from tailscale.com/version
-        tailscale.com/tsweb                                          from tailscale.com/cmd/stund+
-        tailscale.com/tsweb/promvarz                                 from tailscale.com/cmd/stund
+        tailscale.com/tsweb                                          from tailscale.com/cmd/stund
+        tailscale.com/tsweb/promvarz                                 from tailscale.com/tsweb
         tailscale.com/tsweb/varz                                     from tailscale.com/tsweb+
         tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
         tailscale.com/types/ipproto                                  from tailscale.com/tailcfg
@@ -89,11 +88,13 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
         golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
         golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/hkdf                                     from crypto/tls+
         golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
         golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
         golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/sha3                                     from crypto/internal/mlkem768+
         golang.org/x/net/dns/dnsmessage                              from net+
         golang.org/x/net/http/httpguts                               from net/http
         golang.org/x/net/http/httpproxy                              from net/http
@@ -115,7 +116,7 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         container/list                                               from crypto/tls+
         context                                                      from crypto/tls+
         crypto                                                       from crypto/ecdh+
-        crypto/aes                                                   from crypto/internal/hpke+
+        crypto/aes                                                   from crypto/ecdsa+
         crypto/cipher                                                from crypto/aes+
         crypto/des                                                   from crypto/tls+
         crypto/dsa                                                   from crypto/x509
@@ -123,59 +124,32 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         crypto/ecdsa                                                 from crypto/tls+
         crypto/ed25519                                               from crypto/tls+
         crypto/elliptic                                              from crypto/ecdsa+
-        crypto/hmac                                                  from crypto/tls
+        crypto/hmac                                                  from crypto/tls+
+        crypto/internal/alias                                        from crypto/aes+
+        crypto/internal/bigmod                                       from crypto/ecdsa+
         crypto/internal/boring                                       from crypto/aes+
         crypto/internal/boring/bbig                                  from crypto/ecdsa+
         crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/entropy                                      from crypto/internal/fips140/drbg
-        crypto/internal/fips140                                      from crypto/internal/fips140/aes+
-        crypto/internal/fips140/aes                                  from crypto/aes+
-        crypto/internal/fips140/aes/gcm                              from crypto/cipher+
-        crypto/internal/fips140/alias                                from crypto/cipher+
-        crypto/internal/fips140/bigmod                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/check                                from crypto/internal/fips140/aes+
-        crypto/internal/fips140/drbg                                 from crypto/internal/fips140/aes/gcm+
-        crypto/internal/fips140/ecdh                                 from crypto/ecdh
-        crypto/internal/fips140/ecdsa                                from crypto/ecdsa
-        crypto/internal/fips140/ed25519                              from crypto/ed25519
-        crypto/internal/fips140/edwards25519                         from crypto/internal/fips140/ed25519
-        crypto/internal/fips140/edwards25519/field                   from crypto/ecdh+
-        crypto/internal/fips140/hkdf                                 from crypto/internal/fips140/tls13+
-        crypto/internal/fips140/hmac                                 from crypto/hmac+
-        crypto/internal/fips140/mlkem                                from crypto/tls
-        crypto/internal/fips140/nistec                               from crypto/elliptic+
-        crypto/internal/fips140/nistec/fiat                          from crypto/internal/fips140/nistec
-        crypto/internal/fips140/rsa                                  from crypto/rsa
-        crypto/internal/fips140/sha256                               from crypto/internal/fips140/check+
-        crypto/internal/fips140/sha3                                 from crypto/internal/fips140/hmac+
-        crypto/internal/fips140/sha512                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/subtle                               from crypto/internal/fips140/aes+
-        crypto/internal/fips140/tls12                                from crypto/tls
-        crypto/internal/fips140/tls13                                from crypto/tls
-        crypto/internal/fips140deps/byteorder                        from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/cpu                              from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/godebug                          from crypto/internal/fips140+
-        crypto/internal/fips140hash                                  from crypto/ecdsa+
-        crypto/internal/fips140only                                  from crypto/cipher+
+        crypto/internal/edwards25519                                 from crypto/ed25519
+        crypto/internal/edwards25519/field                           from crypto/ecdh+
         crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/impl                                         from crypto/internal/fips140/aes+
+        crypto/internal/mlkem768                                     from crypto/tls
+        crypto/internal/nistec                                       from crypto/ecdh+
+        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
         crypto/internal/randutil                                     from crypto/dsa+
-        crypto/internal/sysrand                                      from crypto/internal/entropy+
         crypto/md5                                                   from crypto/tls+
         crypto/rand                                                  from crypto/ed25519+
         crypto/rc4                                                   from crypto/tls
         crypto/rsa                                                   from crypto/tls+
         crypto/sha1                                                  from crypto/tls+
         crypto/sha256                                                from crypto/tls+
-        crypto/sha3                                                  from crypto/internal/fips140hash
         crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/cipher+
+        crypto/subtle                                                from crypto/aes+
         crypto/tls                                                   from net/http+
-        crypto/tls/internal/fips140tls                               from crypto/tls
         crypto/x509                                                  from crypto/tls
    D    crypto/x509/internal/macos                                   from crypto/x509
         crypto/x509/pkix                                             from crypto/x509
-        embed                                                        from google.golang.org/protobuf/internal/editiondefaults+
+        embed                                                        from crypto/internal/nistec+
         encoding                                                     from encoding/json+
         encoding/asn1                                                from crypto/x509+
         encoding/base32                                              from github.com/go-json-experiment/json
@@ -195,22 +169,23 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         hash/maphash                                                 from go4.org/mem
         html                                                         from net/http/pprof+
         internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from internal/runtime/maps+
+        internal/asan                                                from syscall
         internal/bisect                                              from internal/godebug
         internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/cipher+
+        internal/byteorder                                           from crypto/aes+
         internal/chacha8rand                                         from math/rand/v2+
+        internal/concurrent                                          from unique
         internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/internal/fips140deps/cpu+
+        internal/cpu                                                 from crypto/aes+
         internal/filepathlite                                        from os+
         internal/fmtsort                                             from fmt
-        internal/goarch                                              from crypto/internal/fips140deps/cpu+
-        internal/godebug                                             from crypto/internal/fips140deps/godebug+
+        internal/goarch                                              from crypto/aes+
+        internal/godebug                                             from crypto/tls+
         internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from hash/maphash+
+        internal/goexperiment                                        from runtime
         internal/goos                                                from crypto/x509+
         internal/itoa                                                from internal/poll+
-        internal/msan                                                from internal/runtime/maps+
+        internal/msan                                                from syscall
         internal/nettrace                                            from net+
         internal/oserror                                             from io/fs+
         internal/poll                                                from net+
@@ -220,20 +195,17 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         internal/reflectlite                                         from context+
         internal/runtime/atomic                                      from internal/runtime/exithook+
         internal/runtime/exithook                                    from runtime
-        internal/runtime/maps                                        from reflect+
-        internal/runtime/math                                        from internal/runtime/maps+
-        internal/runtime/sys                                         from crypto/subtle+
    L    internal/runtime/syscall                                     from runtime+
         internal/singleflight                                        from net
         internal/stringslite                                         from embed+
-        internal/sync                                                from sync+
         internal/syscall/execenv                                     from os
-  LD    internal/syscall/unix                                        from crypto/internal/sysrand+
-   W    internal/syscall/windows                                     from crypto/internal/sysrand+
+  LD    internal/syscall/unix                                        from crypto/rand+
+   W    internal/syscall/windows                                     from crypto/rand+
    W    internal/syscall/windows/registry                            from mime+
    W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
         internal/testlog                                             from os
         internal/unsafeheader                                        from internal/reflectlite+
+        internal/weak                                                from unique
         io                                                           from bufio+
         io/fs                                                        from crypto/x509+
         iter                                                         from maps+
@@ -244,7 +216,7 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         math/big                                                     from crypto/dsa+
         math/bits                                                    from compress/flate+
         math/rand                                                    from math/big+
-        math/rand/v2                                                 from crypto/ecdsa+
+        math/rand/v2                                                 from internal/concurrent+
         mime                                                         from github.com/prometheus/common/expfmt+
         mime/multipart                                               from net/http
         mime/quotedprintable                                         from mime/multipart
@@ -257,15 +229,17 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         net/netip                                                    from go4.org/netipx+
         net/textproto                                                from golang.org/x/net/http/httpguts+
         net/url                                                      from crypto/x509+
-        os                                                           from crypto/internal/sysrand+
+        os                                                           from crypto/rand+
         os/signal                                                    from tailscale.com/cmd/stund
         path                                                         from github.com/prometheus/client_golang/prometheus/internal+
         path/filepath                                                from crypto/x509+
         reflect                                                      from crypto/x509+
         regexp                                                       from github.com/prometheus/client_golang/prometheus/internal+
         regexp/syntax                                                from regexp
-        runtime                                                      from crypto/internal/fips140+
+        runtime                                                      from crypto/internal/nistec+
         runtime/debug                                                from github.com/prometheus/client_golang/prometheus+
+        runtime/internal/math                                        from runtime
+        runtime/internal/sys                                         from runtime
         runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
         runtime/pprof                                                from net/http/pprof
         runtime/trace                                                from net/http/pprof
@@ -275,7 +249,7 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         strings                                                      from bufio+
         sync                                                         from compress/flate+
         sync/atomic                                                  from context+
-        syscall                                                      from crypto/internal/sysrand+
+        syscall                                                      from crypto/rand+
         text/tabwriter                                               from runtime/pprof
         time                                                         from compress/gzip+
         unicode                                                      from bytes+
@@ -283,4 +257,3 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         unicode/utf8                                                 from bufio+
         unique                                                       from net/netip
         unsafe                                                       from bytes+
-        weak                                                         from unique

cmd/stund/stund.go

@@ -15,9 +15,6 @@ import (
 
 	"tailscale.com/net/stunserver"
 	"tailscale.com/tsweb"
-
-	// Support for prometheus varz in tsweb
-	_ "tailscale.com/tsweb/promvarz"
 )
 
 var (

cmd/tailscale/cli/bugreport.go

@@ -10,7 +10,7 @@ import (
 	"fmt"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
+	"tailscale.com/localclient/tailscale"
 )
 
 var bugReportCmd = &ffcli.Command{

cmd/tailscale/cli/cli.go

@@ -21,10 +21,9 @@ import (
 	"github.com/mattn/go-colorable"
 	"github.com/mattn/go-isatty"
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/local"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/cmd/tailscale/cli/ffcomplete"
 	"tailscale.com/envknob"
+	"tailscale.com/localclient/tailscale"
 	"tailscale.com/paths"
 	"tailscale.com/util/slicesx"
 	"tailscale.com/version/distro"
@@ -80,7 +79,7 @@ func CleanUpArgs(args []string) []string {
 	return out
 }
 
-var localClient = local.Client{
+var localClient = tailscale.LocalClient{
 	Socket: paths.DefaultTailscaledSocket(),
 }
 

cmd/tailscale/cli/debug.go

@@ -29,12 +29,12 @@ import (
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"golang.org/x/net/http/httpproxy"
 	"golang.org/x/net/http2"
-	"tailscale.com/client/tailscale"
-	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlhttp"
 	"tailscale.com/hostinfo"
 	"tailscale.com/internal/noiseconn"
 	"tailscale.com/ipn"
+	"tailscale.com/localclient/tailscale"
+	"tailscale.com/localclient/tailscale/apitype"
 	"tailscale.com/net/netmon"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/net/tshttpproxy"
@@ -136,17 +136,6 @@ func debugCmd() *ffcli.Command {
 				Exec:       runLocalCreds,
 				ShortHelp:  "Print how to access Tailscale LocalAPI",
 			},
-			{
-				Name:       "localapi",
-				ShortUsage: "tailscale debug localapi [<method>] <path> [<body| \"-\">]",
-				Exec:       runLocalAPI,
-				ShortHelp:  "Call a LocalAPI method directly",
-				FlagSet: (func() *flag.FlagSet {
-					fs := newFlagSet("localapi")
-					fs.BoolVar(&localAPIFlags.verbose, "v", false, "verbose; dump HTTP headers")
-					return fs
-				})(),
-			},
 			{
 				Name:       "restun",
 				ShortUsage: "tailscale debug restun",
@@ -462,81 +451,6 @@ func runLocalCreds(ctx context.Context, args []string) error {
 	return nil
 }
 
-func looksLikeHTTPMethod(s string) bool {
-	if len(s) > len("OPTIONS") {
-		return false
-	}
-	for _, r := range s {
-		if r < 'A' || r > 'Z' {
-			return false
-		}
-	}
-	return true
-}
-
-var localAPIFlags struct {
-	verbose bool
-}
-
-func runLocalAPI(ctx context.Context, args []string) error {
-	if len(args) == 0 {
-		return errors.New("expected at least one argument")
-	}
-	method := "GET"
-	if looksLikeHTTPMethod(args[0]) {
-		method = args[0]
-		args = args[1:]
-		if len(args) == 0 {
-			return errors.New("expected at least one argument after method")
-		}
-	}
-	path := args[0]
-	if !strings.HasPrefix(path, "/localapi/") {
-		if !strings.Contains(path, "/") {
-			path = "/localapi/v0/" + path
-		} else {
-			path = "/localapi/" + path
-		}
-	}
-
-	var body io.Reader
-	if len(args) > 1 {
-		if args[1] == "-" {
-			fmt.Fprintf(Stderr, "# reading request body from stdin...\n")
-			all, err := io.ReadAll(os.Stdin)
-			if err != nil {
-				return fmt.Errorf("reading Stdin: %q", err)
-			}
-			body = bytes.NewReader(all)
-		} else {
-			body = strings.NewReader(args[1])
-		}
-	}
-	req, err := http.NewRequest(method, "http://local-tailscaled.sock"+path, body)
-	if err != nil {
-		return err
-	}
-	fmt.Fprintf(Stderr, "# doing request %s %s\n", method, path)
-
-	res, err := localClient.DoLocalRequest(req)
-	if err != nil {
-		return err
-	}
-	is2xx := res.StatusCode >= 200 && res.StatusCode <= 299
-	if localAPIFlags.verbose {
-		res.Write(Stdout)
-	} else {
-		if !is2xx {
-			fmt.Fprintf(Stderr, "# Response status %s\n", res.Status)
-		}
-		io.Copy(Stdout, res.Body)
-	}
-	if is2xx {
-		return nil
-	}
-	return errors.New(res.Status)
-}
-
 type localClientRoundTripper struct{}
 
 func (localClientRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {

cmd/tailscale/cli/down.go

@@ -9,8 +9,8 @@ import (
 	"fmt"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/ipn"
+	"tailscale.com/localclient/tailscale/apitype"
 )
 
 var downCmd = &ffcli.Command{

cmd/tailscale/cli/file.go

@@ -25,10 +25,9 @@ import (
 	"github.com/mattn/go-isatty"
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"golang.org/x/time/rate"
-	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/cmd/tailscale/cli/ffcomplete"
 	"tailscale.com/envknob"
-	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/localclient/tailscale/apitype"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
@@ -269,77 +268,46 @@ func getTargetStableID(ctx context.Context, ipStr string) (id tailcfg.StableNode
 	if err != nil {
 		return "", false, err
 	}
-
-	st, err := localClient.Status(ctx)
+	fts, err := localClient.FileTargets(ctx)
 	if err != nil {
-		// This likely means tailscaled is unreachable or returned an error on /localapi/v0/status.
-		return "", false, fmt.Errorf("failed to get local status: %w", err)
+		return "", false, err
 	}
-	if st == nil {
-		// Handle the case if the daemon returns nil with no error.
-		return "", false, errors.New("no status available")
-	}
-	if st.Self == nil {
-		// We have a status structure, but it doesn’t include Self info. Probably not connected.
-		return "", false, errors.New("local node is not configured or missing Self information")
+	for _, ft := range fts {
+		n := ft.Node
+		for _, a := range n.Addresses {
+			if a.Addr() != ip {
+				continue
+			}
+			isOffline = n.Online != nil && !*n.Online
+			return n.StableID, isOffline, nil
+		}
 	}
+	return "", false, fileTargetErrorDetail(ctx, ip)
+}
 
-	// Find the PeerStatus that corresponds to ip.
-	var foundPeer *ipnstate.PeerStatus
-peerLoop:
-	for _, ps := range st.Peer {
-		for _, pip := range ps.TailscaleIPs {
-			if pip == ip {
-				foundPeer = ps
-				break peerLoop
+// fileTargetErrorDetail returns a non-nil error saying why ip is an
+// invalid file sharing target.
+func fileTargetErrorDetail(ctx context.Context, ip netip.Addr) error {
+	found := false
+	if st, err := localClient.Status(ctx); err == nil && st.Self != nil {
+		for _, peer := range st.Peer {
+			for _, pip := range peer.TailscaleIPs {
+				if pip == ip {
+					found = true
+					if peer.UserID != st.Self.UserID {
+						return errors.New("owned by different user; can only send files to your own devices")
+					}
+				}
 			}
 		}
 	}
-
-	// If we didn’t find a matching peer at all:
-	if foundPeer == nil {
-		if !tsaddr.IsTailscaleIP(ip) {
-			return "", false, fmt.Errorf("unknown target; %v is not a Tailscale IP address", ip)
-		}
-		return "", false, errors.New("unknown target; not in your Tailnet")
+	if found {
+		return errors.New("target seems to be running an old Tailscale version")
 	}
-
-	// We found a peer. Decide whether we can send files to it:
-	isOffline = !foundPeer.Online
-
-	switch foundPeer.TaildropTarget {
-	case ipnstate.TaildropTargetAvailable:
-		return foundPeer.ID, isOffline, nil
-
-	case ipnstate.TaildropTargetNoNetmapAvailable:
-		return "", isOffline, errors.New("cannot send files: no netmap available on this node")
-
-	case ipnstate.TaildropTargetIpnStateNotRunning:
-		return "", isOffline, errors.New("cannot send files: local Tailscale is not connected to the tailnet")
-
-	case ipnstate.TaildropTargetMissingCap:
-		return "", isOffline, errors.New("cannot send files: missing required Taildrop capability")
-
-	case ipnstate.TaildropTargetOffline:
-		return "", isOffline, errors.New("cannot send files: peer is offline")
-
-	case ipnstate.TaildropTargetNoPeerInfo:
-		return "", isOffline, errors.New("cannot send files: invalid or unrecognized peer")
-
-	case ipnstate.TaildropTargetUnsupportedOS:
-		return "", isOffline, errors.New("cannot send files: target's OS does not support Taildrop")
-
-	case ipnstate.TaildropTargetNoPeerAPI:
-		return "", isOffline, errors.New("cannot send files: target is not advertising a file sharing API")
-
-	case ipnstate.TaildropTargetOwnedByOtherUser:
-		return "", isOffline, errors.New("cannot send files: peer is owned by a different user")
-
-	case ipnstate.TaildropTargetUnknown:
-		fallthrough
-	default:
-		return "", isOffline, fmt.Errorf("cannot send files: unknown or indeterminate reason")
+	if !tsaddr.IsTailscaleIP(ip) {
+		return fmt.Errorf("unknown target; %v is not a Tailscale IP address", ip)
 	}
+	return errors.New("unknown target; not in your Tailnet")
 }
 
 const maxSniff = 4 << 20

cmd/tailscale/cli/ping.go

@@ -16,9 +16,9 @@ import (
 	"time"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/cmd/tailscale/cli/ffcomplete"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/localclient/tailscale"
 	"tailscale.com/tailcfg"
 )
 

cmd/tailscale/cli/serve_legacy.go

@@ -23,9 +23,9 @@ import (
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/localclient/tailscale"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/slicesx"
 	"tailscale.com/version"
@@ -130,7 +130,7 @@ func (e *serveEnv) newFlags(name string, setup func(fs *flag.FlagSet)) *flag.Fla
 }
 
 // localServeClient is an interface conforming to the subset of
-// local.Client. It includes only the methods used by the
+// tailscale.LocalClient. It includes only the methods used by the
 // serve command.
 //
 // The purpose of this interface is to allow tests to provide a mock.

cmd/tailscale/cli/serve_legacy_test.go

@@ -18,9 +18,9 @@ import (
 	"testing"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/localclient/tailscale"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tstest"
 	"tailscale.com/types/logger"
@@ -850,7 +850,7 @@ func TestVerifyFunnelEnabled(t *testing.T) {
 	}
 }
 
-// fakeLocalServeClient is a fake local.Client for tests.
+// fakeLocalServeClient is a fake tailscale.LocalClient for tests.
 // It's not a full implementation, just enough to test the serve command.
 //
 // The fake client is stateful, and is used to test manipulating

cmd/tailscale/cli/serve_v2.go

@@ -23,9 +23,9 @@ import (
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/localclient/tailscale"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/mak"
 	"tailscale.com/util/slicesx"

cmd/tailscale/cli/ssh.go

@@ -84,6 +84,10 @@ func runSSH(ctx context.Context, args []string) error {
 		// of failing. But for now:
 		return fmt.Errorf("no system 'ssh' command found: %w", err)
 	}
+	tailscaleBin, err := os.Executable()
+	if err != nil {
+		return err
+	}
 	knownHostsFile, err := writeKnownHosts(st)
 	if err != nil {
 		return err
@@ -112,9 +116,7 @@ func runSSH(ctx context.Context, args []string) error {
 
 		argv = append(argv,
 			"-o", fmt.Sprintf("ProxyCommand %q %s nc %%h %%p",
-				// os.Executable() would return the real running binary but in case tailscale is built with the ts_include_cli tag,
-				// we need to return the started symlink instead
-				os.Args[0],
+				tailscaleBin,
 				socketArg,
 			))
 	}

cmd/tailscale/cli/up.go

@@ -27,8 +27,8 @@ import (
 	"github.com/peterbourgon/ff/v3/ffcli"
 	qrcode "github.com/skip2/go-qrcode"
 	"golang.org/x/oauth2/clientcredentials"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/health/healthmsg"
-	"tailscale.com/internal/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/netutil"
@@ -1097,6 +1097,12 @@ func exitNodeIP(p *ipn.Prefs, st *ipnstate.Status) (ip netip.Addr) {
 	return
 }
 
+func init() {
+	// Required to use our client API. We're fine with the instability since the
+	// client lives in the same repo as this code.
+	tailscale.I_Acknowledge_This_API_Is_Unstable = true
+}
+
 // resolveAuthKey either returns v unchanged (in the common case) or, if it
 // starts with "tskey-client-" (as Tailscale OAuth secrets do) parses it like
 //

cmd/tailscale/depaware.txt

@@ -60,7 +60,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         github.com/toqueteos/webbrowser                              from tailscale.com/cmd/tailscale/cli
    L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
         github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
-     💣 go4.org/mem                                                  from tailscale.com/client/local+
+     💣 go4.org/mem                                                  from tailscale.com/control/controlbase+
         go4.org/netipx                                               from tailscale.com/net/tsaddr
    W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/netmon+
         k8s.io/client-go/util/homedir                                from tailscale.com/cmd/tailscale/cli
@@ -70,9 +70,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         software.sslmate.com/src/go-pkcs12/internal/rc2              from software.sslmate.com/src/go-pkcs12
         tailscale.com                                                from tailscale.com/version
      💣 tailscale.com/atomicfile                                     from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/client/local                                   from tailscale.com/client/tailscale+
-        tailscale.com/client/tailscale                               from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale+
+        tailscale.com/client/tailscale                               from tailscale.com/cmd/tailscale/cli
         tailscale.com/client/web                                     from tailscale.com/cmd/tailscale/cli
         tailscale.com/clientupdate                                   from tailscale.com/client/web+
   LW    tailscale.com/clientupdate/distsign                          from tailscale.com/clientupdate
@@ -86,19 +84,20 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/derp                                           from tailscale.com/derp/derphttp
         tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck
         tailscale.com/disco                                          from tailscale.com/derp
-        tailscale.com/drive                                          from tailscale.com/client/local+
-        tailscale.com/envknob                                        from tailscale.com/client/local+
+        tailscale.com/drive                                          from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/envknob                                        from tailscale.com/client/web+
         tailscale.com/envknob/featureknob                            from tailscale.com/client/web
         tailscale.com/feature/capture/dissector                      from tailscale.com/cmd/tailscale/cli
         tailscale.com/health                                         from tailscale.com/net/tlsdial+
         tailscale.com/health/healthmsg                               from tailscale.com/cmd/tailscale/cli
         tailscale.com/hostinfo                                       from tailscale.com/client/web+
-        tailscale.com/internal/client/tailscale                      from tailscale.com/cmd/tailscale/cli
         tailscale.com/internal/noiseconn                             from tailscale.com/cmd/tailscale/cli
-        tailscale.com/ipn                                            from tailscale.com/client/local+
-        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/local+
+        tailscale.com/ipn                                            from tailscale.com/client/web+
+        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/web+
         tailscale.com/kube/kubetypes                                 from tailscale.com/envknob
         tailscale.com/licenses                                       from tailscale.com/client/web+
+        tailscale.com/localclient/tailscale                          from tailscale.com/client/web+
+        tailscale.com/localclient/tailscale/apitype                  from tailscale.com/client/tailscale+
         tailscale.com/metrics                                        from tailscale.com/derp+
         tailscale.com/net/bakedroots                                 from tailscale.com/net/tlsdial
         tailscale.com/net/captivedetection                           from tailscale.com/net/netcheck
@@ -111,7 +110,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/net/netknob                                    from tailscale.com/net/netns
      💣 tailscale.com/net/netmon                                     from tailscale.com/cmd/tailscale/cli+
      💣 tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
-        tailscale.com/net/netutil                                    from tailscale.com/client/local+
+        tailscale.com/net/netutil                                    from tailscale.com/client/web+
         tailscale.com/net/ping                                       from tailscale.com/net/netcheck
         tailscale.com/net/portmapper                                 from tailscale.com/cmd/tailscale/cli+
         tailscale.com/net/sockstats                                  from tailscale.com/control/controlhttp+
@@ -121,12 +120,12 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/net/tlsdial/blockblame                         from tailscale.com/net/tlsdial
         tailscale.com/net/tsaddr                                     from tailscale.com/client/web+
      💣 tailscale.com/net/tshttpproxy                                from tailscale.com/clientupdate/distsign+
-        tailscale.com/paths                                          from tailscale.com/client/local+
-     💣 tailscale.com/safesocket                                     from tailscale.com/client/local+
+        tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli+
+     💣 tailscale.com/safesocket                                     from tailscale.com/cmd/tailscale/cli+
         tailscale.com/syncs                                          from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/tailcfg                                        from tailscale.com/client/local+
+        tailscale.com/tailcfg                                        from tailscale.com/client/web+
         tailscale.com/tempfork/spf13/cobra                           from tailscale.com/cmd/tailscale/cli/ffcomplete+
-        tailscale.com/tka                                            from tailscale.com/client/local+
+        tailscale.com/tka                                            from tailscale.com/cmd/tailscale/cli+
         tailscale.com/tsconst                                        from tailscale.com/net/netmon+
         tailscale.com/tstime                                         from tailscale.com/control/controlhttp+
         tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
@@ -135,7 +134,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/types/dnstype                                  from tailscale.com/tailcfg+
         tailscale.com/types/empty                                    from tailscale.com/ipn
         tailscale.com/types/ipproto                                  from tailscale.com/ipn+
-        tailscale.com/types/key                                      from tailscale.com/client/local+
+        tailscale.com/types/key                                      from tailscale.com/cmd/tailscale/cli+
         tailscale.com/types/lazy                                     from tailscale.com/util/testenv+
         tailscale.com/types/logger                                   from tailscale.com/client/web+
         tailscale.com/types/netmap                                   from tailscale.com/ipn+
@@ -195,13 +194,14 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
         golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
         golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/hkdf                                     from tailscale.com/control/controlbase
+        golang.org/x/crypto/hkdf                                     from crypto/tls+
         golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
         golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
         golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/pbkdf2                                   from software.sslmate.com/src/go-pkcs12
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/sha3                                     from crypto/internal/mlkem768+
    W    golang.org/x/exp/constraints                                 from github.com/dblohm7/wingoes/pe+
         golang.org/x/exp/maps                                        from tailscale.com/util/syspolicy/internal/metrics+
         golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
@@ -212,7 +212,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         golang.org/x/net/http2/hpack                                 from net/http+
         golang.org/x/net/icmp                                        from tailscale.com/net/ping
         golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
-        golang.org/x/net/internal/httpcommon                         from golang.org/x/net/http2
         golang.org/x/net/internal/iana                               from golang.org/x/net/icmp+
         golang.org/x/net/internal/socket                             from golang.org/x/net/icmp+
         golang.org/x/net/internal/socks                              from golang.org/x/net/proxy
@@ -245,7 +244,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         container/list                                               from crypto/tls+
         context                                                      from crypto/tls+
         crypto                                                       from crypto/ecdh+
-        crypto/aes                                                   from crypto/internal/hpke+
+        crypto/aes                                                   from crypto/ecdsa+
         crypto/cipher                                                from crypto/aes+
         crypto/des                                                   from crypto/tls+
         crypto/dsa                                                   from crypto/x509
@@ -254,61 +253,34 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         crypto/ed25519                                               from crypto/tls+
         crypto/elliptic                                              from crypto/ecdsa+
         crypto/hmac                                                  from crypto/tls+
+        crypto/internal/alias                                        from crypto/aes+
+        crypto/internal/bigmod                                       from crypto/ecdsa+
         crypto/internal/boring                                       from crypto/aes+
         crypto/internal/boring/bbig                                  from crypto/ecdsa+
         crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/entropy                                      from crypto/internal/fips140/drbg
-        crypto/internal/fips140                                      from crypto/internal/fips140/aes+
-        crypto/internal/fips140/aes                                  from crypto/aes+
-        crypto/internal/fips140/aes/gcm                              from crypto/cipher+
-        crypto/internal/fips140/alias                                from crypto/cipher+
-        crypto/internal/fips140/bigmod                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/check                                from crypto/internal/fips140/aes+
-        crypto/internal/fips140/drbg                                 from crypto/internal/fips140/aes/gcm+
-        crypto/internal/fips140/ecdh                                 from crypto/ecdh
-        crypto/internal/fips140/ecdsa                                from crypto/ecdsa
-        crypto/internal/fips140/ed25519                              from crypto/ed25519
-        crypto/internal/fips140/edwards25519                         from crypto/internal/fips140/ed25519
-        crypto/internal/fips140/edwards25519/field                   from crypto/ecdh+
-        crypto/internal/fips140/hkdf                                 from crypto/internal/fips140/tls13+
-        crypto/internal/fips140/hmac                                 from crypto/hmac+
-        crypto/internal/fips140/mlkem                                from crypto/tls
-        crypto/internal/fips140/nistec                               from crypto/elliptic+
-        crypto/internal/fips140/nistec/fiat                          from crypto/internal/fips140/nistec
-        crypto/internal/fips140/rsa                                  from crypto/rsa
-        crypto/internal/fips140/sha256                               from crypto/internal/fips140/check+
-        crypto/internal/fips140/sha3                                 from crypto/internal/fips140/hmac+
-        crypto/internal/fips140/sha512                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/subtle                               from crypto/internal/fips140/aes+
-        crypto/internal/fips140/tls12                                from crypto/tls
-        crypto/internal/fips140/tls13                                from crypto/tls
-        crypto/internal/fips140deps/byteorder                        from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/cpu                              from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/godebug                          from crypto/internal/fips140+
-        crypto/internal/fips140hash                                  from crypto/ecdsa+
-        crypto/internal/fips140only                                  from crypto/cipher+
+        crypto/internal/edwards25519                                 from crypto/ed25519
+        crypto/internal/edwards25519/field                           from crypto/ecdh+
         crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/impl                                         from crypto/internal/fips140/aes+
+        crypto/internal/mlkem768                                     from crypto/tls
+        crypto/internal/nistec                                       from crypto/ecdh+
+        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
         crypto/internal/randutil                                     from crypto/dsa+
-        crypto/internal/sysrand                                      from crypto/internal/entropy+
         crypto/md5                                                   from crypto/tls+
         crypto/rand                                                  from crypto/ed25519+
         crypto/rc4                                                   from crypto/tls
         crypto/rsa                                                   from crypto/tls+
         crypto/sha1                                                  from crypto/tls+
         crypto/sha256                                                from crypto/tls+
-        crypto/sha3                                                  from crypto/internal/fips140hash
         crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/cipher+
+        crypto/subtle                                                from crypto/aes+
         crypto/tls                                                   from github.com/miekg/dns+
-        crypto/tls/internal/fips140tls                               from crypto/tls
         crypto/x509                                                  from crypto/tls+
    D    crypto/x509/internal/macos                                   from crypto/x509
         crypto/x509/pkix                                             from crypto/x509+
   DW    database/sql/driver                                          from github.com/google/uuid
    W    debug/dwarf                                                  from debug/pe
    W    debug/pe                                                     from github.com/dblohm7/wingoes/pe
-        embed                                                        from github.com/peterbourgon/ff/v3+
+        embed                                                        from crypto/internal/nistec+
         encoding                                                     from encoding/gob+
         encoding/asn1                                                from crypto/x509+
         encoding/base32                                              from github.com/fxamacker/cbor/v2+
@@ -333,22 +305,23 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         image/color                                                  from github.com/skip2/go-qrcode+
         image/png                                                    from github.com/skip2/go-qrcode
         internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from internal/runtime/maps+
+        internal/asan                                                from syscall
         internal/bisect                                              from internal/godebug
         internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/cipher+
+        internal/byteorder                                           from crypto/aes+
         internal/chacha8rand                                         from math/rand/v2+
+        internal/concurrent                                          from unique
         internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/internal/fips140deps/cpu+
+        internal/cpu                                                 from crypto/aes+
         internal/filepathlite                                        from os+
         internal/fmtsort                                             from fmt+
-        internal/goarch                                              from crypto/internal/fips140deps/cpu+
+        internal/goarch                                              from crypto/aes+
         internal/godebug                                             from archive/tar+
         internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from hash/maphash+
+        internal/goexperiment                                        from runtime
         internal/goos                                                from crypto/x509+
         internal/itoa                                                from internal/poll+
-        internal/msan                                                from internal/runtime/maps+
+        internal/msan                                                from syscall
         internal/nettrace                                            from net+
         internal/oserror                                             from io/fs+
         internal/poll                                                from net+
@@ -357,21 +330,18 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         internal/reflectlite                                         from context+
         internal/runtime/atomic                                      from internal/runtime/exithook+
         internal/runtime/exithook                                    from runtime
-        internal/runtime/maps                                        from reflect+
-        internal/runtime/math                                        from internal/runtime/maps+
-        internal/runtime/sys                                         from crypto/subtle+
    L    internal/runtime/syscall                                     from runtime+
         internal/saferio                                             from debug/pe+
         internal/singleflight                                        from net
         internal/stringslite                                         from embed+
-        internal/sync                                                from sync+
         internal/syscall/execenv                                     from os+
-  LD    internal/syscall/unix                                        from crypto/internal/sysrand+
-   W    internal/syscall/windows                                     from crypto/internal/sysrand+
+  LD    internal/syscall/unix                                        from crypto/rand+
+   W    internal/syscall/windows                                     from crypto/rand+
    W    internal/syscall/windows/registry                            from mime+
    W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
         internal/testlog                                             from os
         internal/unsafeheader                                        from internal/reflectlite+
+        internal/weak                                                from unique
         io                                                           from archive/tar+
         io/fs                                                        from archive/tar+
         io/ioutil                                                    from github.com/mitchellh/go-ps+
@@ -397,7 +367,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         net/netip                                                    from go4.org/netipx+
         net/textproto                                                from golang.org/x/net/http/httpguts+
         net/url                                                      from crypto/x509+
-        os                                                           from crypto/internal/sysrand+
+        os                                                           from crypto/rand+
         os/exec                                                      from github.com/coreos/go-iptables/iptables+
         os/signal                                                    from tailscale.com/cmd/tailscale/cli
         os/user                                                      from archive/tar+
@@ -408,6 +378,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         regexp/syntax                                                from regexp
         runtime                                                      from archive/tar+
         runtime/debug                                                from tailscale.com+
+        runtime/internal/math                                        from runtime
+        runtime/internal/sys                                         from runtime
         slices                                                       from tailscale.com/client/web+
         sort                                                         from compress/flate+
         strconv                                                      from archive/tar+
@@ -424,4 +396,3 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         unicode/utf8                                                 from bufio+
         unique                                                       from net/netip
         unsafe                                                       from bytes+
-        weak                                                         from unique

cmd/tailscaled/depaware.txt

@@ -10,6 +10,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/aws/aws-sdk-go-v2/aws/arn                         from tailscale.com/ipn/store/awsstore
    L    github.com/aws/aws-sdk-go-v2/aws/defaults                    from github.com/aws/aws-sdk-go-v2/service/ssm+
    L    github.com/aws/aws-sdk-go-v2/aws/middleware                  from github.com/aws/aws-sdk-go-v2/aws/retry+
+   L    github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics  from github.com/aws/aws-sdk-go-v2/aws/retry+
    L    github.com/aws/aws-sdk-go-v2/aws/protocol/query              from github.com/aws/aws-sdk-go-v2/service/sts
    L    github.com/aws/aws-sdk-go-v2/aws/protocol/restjson           from github.com/aws/aws-sdk-go-v2/service/ssm+
    L    github.com/aws/aws-sdk-go-v2/aws/protocol/xml                from github.com/aws/aws-sdk-go-v2/service/sts
@@ -31,12 +32,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/aws/aws-sdk-go-v2/internal/auth                   from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
    L    github.com/aws/aws-sdk-go-v2/internal/auth/smithy            from github.com/aws/aws-sdk-go-v2/service/ssm+
    L    github.com/aws/aws-sdk-go-v2/internal/configsources          from github.com/aws/aws-sdk-go-v2/service/ssm+
-   L    github.com/aws/aws-sdk-go-v2/internal/context                from github.com/aws/aws-sdk-go-v2/aws/retry+
    L    github.com/aws/aws-sdk-go-v2/internal/endpoints              from github.com/aws/aws-sdk-go-v2/service/ssm+
    L    github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn   from github.com/aws/aws-sdk-go-v2/service/ssm+
    L    github.com/aws/aws-sdk-go-v2/internal/endpoints/v2           from github.com/aws/aws-sdk-go-v2/service/ssm/internal/endpoints+
    L    github.com/aws/aws-sdk-go-v2/internal/ini                    from github.com/aws/aws-sdk-go-v2/config
-   L    github.com/aws/aws-sdk-go-v2/internal/middleware             from github.com/aws/aws-sdk-go-v2/service/sso+
    L    github.com/aws/aws-sdk-go-v2/internal/rand                   from github.com/aws/aws-sdk-go-v2/aws+
    L    github.com/aws/aws-sdk-go-v2/internal/sdk                    from github.com/aws/aws-sdk-go-v2/aws+
    L    github.com/aws/aws-sdk-go-v2/internal/sdkio                  from github.com/aws/aws-sdk-go-v2/credentials/processcreds
@@ -71,16 +70,15 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/aws/smithy-go/internal/sync/singleflight          from github.com/aws/smithy-go/auth/bearer
    L    github.com/aws/smithy-go/io                                  from github.com/aws/aws-sdk-go-v2/feature/ec2/imds+
    L    github.com/aws/smithy-go/logging                             from github.com/aws/aws-sdk-go-v2/aws+
-   L    github.com/aws/smithy-go/metrics                             from github.com/aws/aws-sdk-go-v2/aws/retry+
    L    github.com/aws/smithy-go/middleware                          from github.com/aws/aws-sdk-go-v2/aws+
    L    github.com/aws/smithy-go/private/requestcompression          from github.com/aws/aws-sdk-go-v2/config
    L    github.com/aws/smithy-go/ptr                                 from github.com/aws/aws-sdk-go-v2/aws+
    L    github.com/aws/smithy-go/rand                                from github.com/aws/aws-sdk-go-v2/aws/middleware+
    L    github.com/aws/smithy-go/time                                from github.com/aws/aws-sdk-go-v2/service/ssm+
-   L    github.com/aws/smithy-go/tracing                             from github.com/aws/aws-sdk-go-v2/aws/middleware+
    L    github.com/aws/smithy-go/transport/http                      from github.com/aws/aws-sdk-go-v2/aws/middleware+
    L    github.com/aws/smithy-go/transport/http/internal/io          from github.com/aws/smithy-go/transport/http
    L    github.com/aws/smithy-go/waiter                              from github.com/aws/aws-sdk-go-v2/service/ssm
+        github.com/bits-and-blooms/bitset                            from github.com/gaissmai/bart
    L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
   LD 💣 github.com/creack/pty                                        from tailscale.com/ssh/tailssh
    W 💣 github.com/dblohm7/wingoes                                   from github.com/dblohm7/wingoes/com+
@@ -92,8 +90,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
      💣 github.com/djherbis/times                                    from tailscale.com/drive/driveimpl
         github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
         github.com/gaissmai/bart                                     from tailscale.com/net/tstun+
-        github.com/gaissmai/bart/internal/bitset                     from github.com/gaissmai/bart+
-        github.com/gaissmai/bart/internal/sparse                     from github.com/gaissmai/bart
         github.com/go-json-experiment/json                           from tailscale.com/types/opt+
         github.com/go-json-experiment/json/internal                  from github.com/go-json-experiment/json/internal/jsonflags+
         github.com/go-json-experiment/json/internal/jsonflags        from github.com/go-json-experiment/json/internal/jsonopts+
@@ -115,8 +111,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         github.com/gorilla/csrf                                      from tailscale.com/client/web
         github.com/gorilla/securecookie                              from github.com/gorilla/csrf
         github.com/hdevalence/ed25519consensus                       from tailscale.com/clientupdate/distsign+
-   L 💣 github.com/illarion/gonotify/v3                              from tailscale.com/net/dns
-   L    github.com/illarion/gonotify/v3/syscallf                     from github.com/illarion/gonotify/v3
+   L 💣 github.com/illarion/gonotify/v2                              from tailscale.com/net/dns
    L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/feature/tap
    L    github.com/insomniacslk/dhcp/iana                            from github.com/insomniacslk/dhcp/dhcpv4
    L    github.com/insomniacslk/dhcp/interfaces                      from github.com/insomniacslk/dhcp/dhcpv4
@@ -186,7 +181,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/u-root/uio/uio                                    from github.com/insomniacslk/dhcp/dhcpv4+
    L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
         github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
-     💣 go4.org/mem                                                  from tailscale.com/client/local+
+     💣 go4.org/mem                                                  from tailscale.com/control/controlbase+
         go4.org/netipx                                               from github.com/tailscale/wf+
    W 💣 golang.zx2c4.com/wintun                                      from github.com/tailscale/wireguard-go/tun+
    W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/cmd/tailscaled+
@@ -210,7 +205,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         gvisor.dev/gvisor/pkg/tcpip/hash/jenkins                     from gvisor.dev/gvisor/pkg/tcpip/stack+
         gvisor.dev/gvisor/pkg/tcpip/header                           from gvisor.dev/gvisor/pkg/tcpip/header/parse+
         gvisor.dev/gvisor/pkg/tcpip/header/parse                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
-        gvisor.dev/gvisor/pkg/tcpip/internal/tcp                     from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
+        gvisor.dev/gvisor/pkg/tcpip/internal/tcp                     from gvisor.dev/gvisor/pkg/tcpip/stack+
         gvisor.dev/gvisor/pkg/tcpip/network/hash                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4
         gvisor.dev/gvisor/pkg/tcpip/network/internal/fragmentation   from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
         gvisor.dev/gvisor/pkg/tcpip/network/internal/ip              from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
@@ -235,9 +230,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/appc                                           from tailscale.com/ipn/ipnlocal
      💣 tailscale.com/atomicfile                                     from tailscale.com/ipn+
   LD    tailscale.com/chirp                                          from tailscale.com/cmd/tailscaled
-        tailscale.com/client/local                                   from tailscale.com/client/tailscale+
-        tailscale.com/client/tailscale                               from tailscale.com/derp
-        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale+
         tailscale.com/client/web                                     from tailscale.com/ipn/ipnlocal
         tailscale.com/clientupdate                                   from tailscale.com/client/web+
   LW    tailscale.com/clientupdate/distsign                          from tailscale.com/clientupdate
@@ -254,12 +246,12 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/doctor/ethtool                                 from tailscale.com/ipn/ipnlocal
      💣 tailscale.com/doctor/permissions                             from tailscale.com/ipn/ipnlocal
         tailscale.com/doctor/routetable                              from tailscale.com/ipn/ipnlocal
-        tailscale.com/drive                                          from tailscale.com/client/local+
+        tailscale.com/drive                                          from tailscale.com/drive/driveimpl+
         tailscale.com/drive/driveimpl                                from tailscale.com/cmd/tailscaled
         tailscale.com/drive/driveimpl/compositedav                   from tailscale.com/drive/driveimpl
         tailscale.com/drive/driveimpl/dirfs                          from tailscale.com/drive/driveimpl+
         tailscale.com/drive/driveimpl/shared                         from tailscale.com/drive/driveimpl+
-        tailscale.com/envknob                                        from tailscale.com/client/local+
+        tailscale.com/envknob                                        from tailscale.com/client/web+
         tailscale.com/envknob/featureknob                            from tailscale.com/client/web+
         tailscale.com/feature                                        from tailscale.com/feature/wakeonlan+
         tailscale.com/feature/capture                                from tailscale.com/feature/condregister
@@ -270,14 +262,12 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/health/healthmsg                               from tailscale.com/ipn/ipnlocal
         tailscale.com/hostinfo                                       from tailscale.com/client/web+
         tailscale.com/internal/noiseconn                             from tailscale.com/control/controlclient
-        tailscale.com/ipn                                            from tailscale.com/client/local+
-        tailscale.com/ipn/auditlog                                   from tailscale.com/ipn/ipnlocal+
+        tailscale.com/ipn                                            from tailscale.com/client/web+
         tailscale.com/ipn/conffile                                   from tailscale.com/cmd/tailscaled+
-     💣 tailscale.com/ipn/desktop                                    from tailscale.com/cmd/tailscaled+
      💣 tailscale.com/ipn/ipnauth                                    from tailscale.com/ipn/ipnlocal+
         tailscale.com/ipn/ipnlocal                                   from tailscale.com/cmd/tailscaled+
         tailscale.com/ipn/ipnserver                                  from tailscale.com/cmd/tailscaled
-        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/local+
+        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/web+
         tailscale.com/ipn/localapi                                   from tailscale.com/ipn/ipnserver+
         tailscale.com/ipn/policy                                     from tailscale.com/ipn/ipnlocal
         tailscale.com/ipn/store                                      from tailscale.com/cmd/tailscaled+
@@ -286,8 +276,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/ipn/store/mem                                  from tailscale.com/ipn/ipnlocal+
    L    tailscale.com/kube/kubeapi                                   from tailscale.com/ipn/store/kubestore+
    L    tailscale.com/kube/kubeclient                                from tailscale.com/ipn/store/kubestore
-        tailscale.com/kube/kubetypes                                 from tailscale.com/envknob+
+        tailscale.com/kube/kubetypes                                 from tailscale.com/envknob
         tailscale.com/licenses                                       from tailscale.com/client/web
+        tailscale.com/localclient/tailscale                          from tailscale.com/client/web+
+        tailscale.com/localclient/tailscale/apitype                  from tailscale.com/client/web+
         tailscale.com/log/filelogger                                 from tailscale.com/logpolicy
         tailscale.com/log/sockstatlog                                from tailscale.com/ipn/ipnlocal
         tailscale.com/logpolicy                                      from tailscale.com/cmd/tailscaled+
@@ -315,7 +307,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
      💣 tailscale.com/net/netmon                                     from tailscale.com/cmd/tailscaled+
      💣 tailscale.com/net/netns                                      from tailscale.com/cmd/tailscaled+
    W 💣 tailscale.com/net/netstat                                    from tailscale.com/portlist
-        tailscale.com/net/netutil                                    from tailscale.com/client/local+
+        tailscale.com/net/netutil                                    from tailscale.com/client/web+
         tailscale.com/net/packet                                     from tailscale.com/net/connstats+
         tailscale.com/net/packet/checksum                            from tailscale.com/net/tstun
         tailscale.com/net/ping                                       from tailscale.com/net/netcheck+
@@ -333,21 +325,21 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
      💣 tailscale.com/net/tshttpproxy                                from tailscale.com/clientupdate/distsign+
         tailscale.com/net/tstun                                      from tailscale.com/cmd/tailscaled+
         tailscale.com/omit                                           from tailscale.com/ipn/conffile
-        tailscale.com/paths                                          from tailscale.com/client/local+
+        tailscale.com/paths                                          from tailscale.com/cmd/tailscaled+
      💣 tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
         tailscale.com/posture                                        from tailscale.com/ipn/ipnlocal
         tailscale.com/proxymap                                       from tailscale.com/tsd+
-     💣 tailscale.com/safesocket                                     from tailscale.com/client/local+
+     💣 tailscale.com/safesocket                                     from tailscale.com/cmd/tailscaled+
   LD    tailscale.com/sessionrecording                               from tailscale.com/ssh/tailssh
   LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/cmd/tailscaled
         tailscale.com/syncs                                          from tailscale.com/cmd/tailscaled+
-        tailscale.com/tailcfg                                        from tailscale.com/client/local+
+        tailscale.com/tailcfg                                        from tailscale.com/client/web+
         tailscale.com/taildrop                                       from tailscale.com/ipn/ipnlocal+
         tailscale.com/tempfork/acme                                  from tailscale.com/ipn/ipnlocal
   LD    tailscale.com/tempfork/gliderlabs/ssh                        from tailscale.com/ssh/tailssh
         tailscale.com/tempfork/heap                                  from tailscale.com/wgengine/magicsock
         tailscale.com/tempfork/httprec                               from tailscale.com/control/controlclient
-        tailscale.com/tka                                            from tailscale.com/client/local+
+        tailscale.com/tka                                            from tailscale.com/control/controlclient+
         tailscale.com/tsconst                                        from tailscale.com/net/netmon+
         tailscale.com/tsd                                            from tailscale.com/cmd/tailscaled+
         tailscale.com/tstime                                         from tailscale.com/control/controlclient+
@@ -359,14 +351,14 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/types/empty                                    from tailscale.com/ipn+
         tailscale.com/types/flagtype                                 from tailscale.com/cmd/tailscaled
         tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
-        tailscale.com/types/key                                      from tailscale.com/client/local+
+        tailscale.com/types/key                                      from tailscale.com/cmd/tailscaled+
         tailscale.com/types/lazy                                     from tailscale.com/ipn/ipnlocal+
         tailscale.com/types/logger                                   from tailscale.com/appc+
         tailscale.com/types/logid                                    from tailscale.com/cmd/tailscaled+
         tailscale.com/types/netlogtype                               from tailscale.com/net/connstats+
         tailscale.com/types/netmap                                   from tailscale.com/control/controlclient+
         tailscale.com/types/nettype                                  from tailscale.com/ipn/localapi+
-        tailscale.com/types/opt                                      from tailscale.com/client/tailscale+
+        tailscale.com/types/opt                                      from tailscale.com/control/controlknobs+
         tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
         tailscale.com/types/preftype                                 from tailscale.com/ipn+
         tailscale.com/types/ptr                                      from tailscale.com/control/controlclient+
@@ -387,7 +379,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/util/groupmember                               from tailscale.com/client/web+
      💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
         tailscale.com/util/httphdr                                   from tailscale.com/ipn/ipnlocal+
-        tailscale.com/util/httpm                                     from tailscale.com/client/tailscale+
+        tailscale.com/util/httpm                                     from tailscale.com/client/web+
         tailscale.com/util/lineiter                                  from tailscale.com/hostinfo+
    L    tailscale.com/util/linuxfw                                   from tailscale.com/net/netns+
         tailscale.com/util/mak                                       from tailscale.com/control/controlclient+
@@ -450,13 +442,14 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
         golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
         golang.org/x/crypto/curve25519                               from golang.org/x/crypto/ssh+
-        golang.org/x/crypto/hkdf                                     from tailscale.com/control/controlbase
+        golang.org/x/crypto/hkdf                                     from crypto/tls+
         golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
         golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
         golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/sha3                                     from crypto/internal/mlkem768+
   LD    golang.org/x/crypto/ssh                                      from github.com/pkg/sftp+
   LD    golang.org/x/crypto/ssh/internal/bcrypt_pbkdf                from golang.org/x/crypto/ssh
         golang.org/x/exp/constraints                                 from github.com/dblohm7/wingoes/pe+
@@ -470,7 +463,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/net/http2/hpack                                 from golang.org/x/net/http2+
         golang.org/x/net/icmp                                        from tailscale.com/net/ping+
         golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
-        golang.org/x/net/internal/httpcommon                         from golang.org/x/net/http2
         golang.org/x/net/internal/iana                               from golang.org/x/net/icmp+
         golang.org/x/net/internal/socket                             from golang.org/x/net/icmp+
         golang.org/x/net/internal/socks                              from golang.org/x/net/proxy
@@ -504,7 +496,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         container/list                                               from crypto/tls+
         context                                                      from crypto/tls+
         crypto                                                       from crypto/ecdh+
-        crypto/aes                                                   from crypto/internal/hpke+
+        crypto/aes                                                   from crypto/ecdsa+
         crypto/cipher                                                from crypto/aes+
         crypto/des                                                   from crypto/tls+
         crypto/dsa                                                   from crypto/x509+
@@ -513,61 +505,34 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         crypto/ed25519                                               from crypto/tls+
         crypto/elliptic                                              from crypto/ecdsa+
         crypto/hmac                                                  from crypto/tls+
+        crypto/internal/alias                                        from crypto/aes+
+        crypto/internal/bigmod                                       from crypto/ecdsa+
         crypto/internal/boring                                       from crypto/aes+
         crypto/internal/boring/bbig                                  from crypto/ecdsa+
         crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/entropy                                      from crypto/internal/fips140/drbg
-        crypto/internal/fips140                                      from crypto/internal/fips140/aes+
-        crypto/internal/fips140/aes                                  from crypto/aes+
-        crypto/internal/fips140/aes/gcm                              from crypto/cipher+
-        crypto/internal/fips140/alias                                from crypto/cipher+
-        crypto/internal/fips140/bigmod                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/check                                from crypto/internal/fips140/aes+
-        crypto/internal/fips140/drbg                                 from crypto/internal/fips140/aes/gcm+
-        crypto/internal/fips140/ecdh                                 from crypto/ecdh
-        crypto/internal/fips140/ecdsa                                from crypto/ecdsa
-        crypto/internal/fips140/ed25519                              from crypto/ed25519
-        crypto/internal/fips140/edwards25519                         from crypto/internal/fips140/ed25519
-        crypto/internal/fips140/edwards25519/field                   from crypto/ecdh+
-        crypto/internal/fips140/hkdf                                 from crypto/internal/fips140/tls13+
-        crypto/internal/fips140/hmac                                 from crypto/hmac+
-        crypto/internal/fips140/mlkem                                from crypto/tls
-        crypto/internal/fips140/nistec                               from crypto/elliptic+
-        crypto/internal/fips140/nistec/fiat                          from crypto/internal/fips140/nistec
-        crypto/internal/fips140/rsa                                  from crypto/rsa
-        crypto/internal/fips140/sha256                               from crypto/internal/fips140/check+
-        crypto/internal/fips140/sha3                                 from crypto/internal/fips140/hmac+
-        crypto/internal/fips140/sha512                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/subtle                               from crypto/internal/fips140/aes+
-        crypto/internal/fips140/tls12                                from crypto/tls
-        crypto/internal/fips140/tls13                                from crypto/tls
-        crypto/internal/fips140deps/byteorder                        from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/cpu                              from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/godebug                          from crypto/internal/fips140+
-        crypto/internal/fips140hash                                  from crypto/ecdsa+
-        crypto/internal/fips140only                                  from crypto/cipher+
+        crypto/internal/edwards25519                                 from crypto/ed25519
+        crypto/internal/edwards25519/field                           from crypto/ecdh+
         crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/impl                                         from crypto/internal/fips140/aes+
+        crypto/internal/mlkem768                                     from crypto/tls
+        crypto/internal/nistec                                       from crypto/ecdh+
+        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
         crypto/internal/randutil                                     from crypto/dsa+
-        crypto/internal/sysrand                                      from crypto/internal/entropy+
         crypto/md5                                                   from crypto/tls+
         crypto/rand                                                  from crypto/ed25519+
         crypto/rc4                                                   from crypto/tls+
         crypto/rsa                                                   from crypto/tls+
         crypto/sha1                                                  from crypto/tls+
         crypto/sha256                                                from crypto/tls+
-        crypto/sha3                                                  from crypto/internal/fips140hash
         crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/cipher+
+        crypto/subtle                                                from crypto/aes+
         crypto/tls                                                   from github.com/aws/aws-sdk-go-v2/aws/transport/http+
-        crypto/tls/internal/fips140tls                               from crypto/tls
         crypto/x509                                                  from crypto/tls+
    D    crypto/x509/internal/macos                                   from crypto/x509
         crypto/x509/pkix                                             from crypto/x509+
   DW    database/sql/driver                                          from github.com/google/uuid
    W    debug/dwarf                                                  from debug/pe
    W    debug/pe                                                     from github.com/dblohm7/wingoes/pe
-        embed                                                        from github.com/tailscale/web-client-prebuilt+
+        embed                                                        from crypto/internal/nistec+
         encoding                                                     from encoding/gob+
         encoding/asn1                                                from crypto/x509+
         encoding/base32                                              from github.com/fxamacker/cbor/v2+
@@ -589,22 +554,23 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         html                                                         from html/template+
         html/template                                                from github.com/gorilla/csrf
         internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from internal/runtime/maps+
+        internal/asan                                                from syscall
         internal/bisect                                              from internal/godebug
         internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/cipher+
+        internal/byteorder                                           from crypto/aes+
         internal/chacha8rand                                         from math/rand/v2+
+        internal/concurrent                                          from unique
         internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/internal/fips140deps/cpu+
+        internal/cpu                                                 from crypto/aes+
         internal/filepathlite                                        from os+
         internal/fmtsort                                             from fmt+
-        internal/goarch                                              from crypto/internal/fips140deps/cpu+
+        internal/goarch                                              from crypto/aes+
         internal/godebug                                             from archive/tar+
         internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from hash/maphash+
+        internal/goexperiment                                        from runtime
         internal/goos                                                from crypto/x509+
         internal/itoa                                                from internal/poll+
-        internal/msan                                                from internal/runtime/maps+
+        internal/msan                                                from syscall
         internal/nettrace                                            from net+
         internal/oserror                                             from io/fs+
         internal/poll                                                from net+
@@ -614,21 +580,18 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         internal/reflectlite                                         from context+
         internal/runtime/atomic                                      from internal/runtime/exithook+
         internal/runtime/exithook                                    from runtime
-        internal/runtime/maps                                        from reflect+
-        internal/runtime/math                                        from internal/runtime/maps+
-        internal/runtime/sys                                         from crypto/subtle+
    L    internal/runtime/syscall                                     from runtime+
         internal/saferio                                             from debug/pe+
         internal/singleflight                                        from net
         internal/stringslite                                         from embed+
-        internal/sync                                                from sync+
         internal/syscall/execenv                                     from os+
-  LD    internal/syscall/unix                                        from crypto/internal/sysrand+
-   W    internal/syscall/windows                                     from crypto/internal/sysrand+
+  LD    internal/syscall/unix                                        from crypto/rand+
+   W    internal/syscall/windows                                     from crypto/rand+
    W    internal/syscall/windows/registry                            from mime+
    W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
         internal/testlog                                             from os
         internal/unsafeheader                                        from internal/reflectlite+
+        internal/weak                                                from unique
         io                                                           from archive/tar+
         io/fs                                                        from archive/tar+
         io/ioutil                                                    from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
@@ -655,7 +618,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         net/netip                                                    from github.com/tailscale/wireguard-go/conn+
         net/textproto                                                from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
         net/url                                                      from crypto/x509+
-        os                                                           from crypto/internal/sysrand+
+        os                                                           from crypto/rand+
         os/exec                                                      from github.com/aws/aws-sdk-go-v2/credentials/processcreds+
         os/signal                                                    from tailscale.com/cmd/tailscaled
         os/user                                                      from archive/tar+
@@ -666,6 +629,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         regexp/syntax                                                from regexp
         runtime                                                      from archive/tar+
         runtime/debug                                                from github.com/aws/aws-sdk-go-v2/internal/sync/singleflight+
+        runtime/internal/math                                        from runtime
+        runtime/internal/sys                                         from runtime
         runtime/pprof                                                from net/http/pprof+
         runtime/trace                                                from net/http/pprof
         slices                                                       from tailscale.com/appc+
@@ -684,4 +649,3 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         unicode/utf8                                                 from bufio+
         unique                                                       from net/netip
         unsafe                                                       from bytes+
-        weak                                                         from unique

cmd/tailscaled/tailscaled.go

@@ -30,7 +30,6 @@ import (
 	"syscall"
 	"time"
 
-	"tailscale.com/client/local"
 	"tailscale.com/cmd/tailscaled/childproc"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/drive/driveimpl"
@@ -42,6 +41,7 @@ import (
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/ipn/ipnserver"
 	"tailscale.com/ipn/store"
+	"tailscale.com/localclient/tailscale"
 	"tailscale.com/logpolicy"
 	"tailscale.com/logtail"
 	"tailscale.com/net/dns"
@@ -621,7 +621,7 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 	if root := lb.TailscaleVarRoot(); root != "" {
 		dnsfallback.SetCachePath(filepath.Join(root, "derpmap.cached.json"), logf)
 	}
-	lb.ConfigureWebClient(&local.Client{
+	lb.ConfigureWebClient(&tailscale.LocalClient{
 		Socket:        args.socketpath,
 		UseSocketOnly: args.socketpath != paths.DefaultTailscaledSocket(),
 	})

cmd/tailscaled/tailscaled_windows.go

@@ -44,7 +44,6 @@ import (
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"tailscale.com/drive/driveimpl"
 	"tailscale.com/envknob"
-	"tailscale.com/ipn/desktop"
 	"tailscale.com/logpolicy"
 	"tailscale.com/logtail/backoff"
 	"tailscale.com/net/dns"
@@ -336,13 +335,6 @@ func beWindowsSubprocess() bool {
 
 	sys.Set(driveimpl.NewFileSystemForRemote(log.Printf))
 
-	if sessionManager, err := desktop.NewSessionManager(log.Printf); err == nil {
-		sys.Set(sessionManager)
-	} else {
-		// Errors creating the session manager are unexpected, but not fatal.
-		log.Printf("[unexpected]: error creating a desktop session manager: %v", err)
-	}
-
 	publicLogID, _ := logid.ParsePublicID(logID)
 	err = startIPNServer(ctx, log.Printf, publicLogID, sys)
 	if err != nil {

cmd/testwrapper/flakytest/flakytest.go

@@ -9,12 +9,8 @@ package flakytest
 import (
 	"fmt"
 	"os"
-	"path"
 	"regexp"
-	"sync"
 	"testing"
-
-	"tailscale.com/util/mak"
 )
 
 // FlakyTestLogMessage is a sentinel value that is printed to stderr when a
@@ -29,11 +25,6 @@ const FlakeAttemptEnv = "TS_TESTWRAPPER_ATTEMPT"
 
 var issueRegexp = regexp.MustCompile(`\Ahttps://github\.com/tailscale/[a-zA-Z0-9_.-]+/issues/\d+\z`)
 
-var (
-	rootFlakesMu sync.Mutex
-	rootFlakes   map[string]bool
-)
-
 // Mark sets the current test as a flaky test, such that if it fails, it will
 // be retried a few times on failure. issue must be a GitHub issue that tracks
 // the status of the flaky test being marked, of the format:
@@ -50,24 +41,4 @@ func Mark(t testing.TB, issue string) {
 		fmt.Fprintf(os.Stderr, "%s: %s\n", FlakyTestLogMessage, issue)
 	}
 	t.Logf("flakytest: issue tracking this flaky test: %s", issue)
-
-	// Record the root test name as flakey.
-	rootFlakesMu.Lock()
-	defer rootFlakesMu.Unlock()
-	mak.Set(&rootFlakes, t.Name(), true)
-}
-
-// Marked reports whether the current test or one of its parents was marked flaky.
-func Marked(t testing.TB) bool {
-	n := t.Name()
-	for {
-		if rootFlakes[n] {
-			return true
-		}
-		n = path.Dir(n)
-		if n == "." || n == "/" {
-			break
-		}
-	}
-	return false
 }

cmd/testwrapper/flakytest/flakytest_test.go

@@ -41,49 +41,3 @@ func TestFlakeRun(t *testing.T) {
 		t.Fatal("First run in testwrapper, failing so that test is retried. This is expected.")
 	}
 }
-
-func TestMarked_Root(t *testing.T) {
-	Mark(t, "https://github.com/tailscale/tailscale/issues/0")
-
-	t.Run("child", func(t *testing.T) {
-		t.Run("grandchild", func(t *testing.T) {
-			if got, want := Marked(t), true; got != want {
-				t.Fatalf("Marked(t) = %t, want %t", got, want)
-			}
-		})
-
-		if got, want := Marked(t), true; got != want {
-			t.Fatalf("Marked(t) = %t, want %t", got, want)
-		}
-	})
-
-	if got, want := Marked(t), true; got != want {
-		t.Fatalf("Marked(t) = %t, want %t", got, want)
-	}
-}
-
-func TestMarked_Subtest(t *testing.T) {
-	t.Run("flaky", func(t *testing.T) {
-		Mark(t, "https://github.com/tailscale/tailscale/issues/0")
-
-		t.Run("child", func(t *testing.T) {
-			t.Run("grandchild", func(t *testing.T) {
-				if got, want := Marked(t), true; got != want {
-					t.Fatalf("Marked(t) = %t, want %t", got, want)
-				}
-			})
-
-			if got, want := Marked(t), true; got != want {
-				t.Fatalf("Marked(t) = %t, want %t", got, want)
-			}
-		})
-
-		if got, want := Marked(t), true; got != want {
-			t.Fatalf("Marked(t) = %t, want %t", got, want)
-		}
-	})
-
-	if got, want := Marked(t), false; got != want {
-		t.Fatalf("Marked(t) = %t, want %t", got, want)
-	}
-}

cmd/testwrapper/testwrapper.go

@@ -10,7 +10,6 @@ package main
 import (
 	"bufio"
 	"bytes"
-	"cmp"
 	"context"
 	"encoding/json"
 	"errors"
@@ -23,7 +22,13 @@ import (
 	"sort"
 	"strings"
 	"time"
+	"unicode"
 
+	"github.com/dave/courtney/scanner"
+	"github.com/dave/courtney/shared"
+	"github.com/dave/courtney/tester"
+	"github.com/dave/patsy"
+	"github.com/dave/patsy/vos"
 	"tailscale.com/cmd/testwrapper/flakytest"
 	"tailscale.com/util/slicesx"
 )
@@ -60,12 +65,11 @@ type packageTests struct {
 }
 
 type goTestOutput struct {
-	Time       time.Time
-	Action     string
-	ImportPath string
-	Package    string
-	Test       string
-	Output     string
+	Time    time.Time
+	Action  string
+	Package string
+	Test    string
+	Output  string
 }
 
 var debug = os.Getenv("TS_TESTWRAPPER_DEBUG") != ""
@@ -113,54 +117,45 @@ func runTests(ctx context.Context, attempt int, pt *packageTests, goTestArgs, te
 	for s.Scan() {
 		var goOutput goTestOutput
 		if err := json.Unmarshal(s.Bytes(), &goOutput); err != nil {
-			return fmt.Errorf("failed to parse go test output %q: %w", s.Bytes(), err)
+			if errors.Is(err, io.EOF) || errors.Is(err, os.ErrClosed) {
+				break
+			}
+
+			// `go test -json` outputs invalid JSON when a build fails.
+			// In that case, discard the the output and start reading again.
+			// The build error will be printed to stderr.
+			// See: https://github.com/golang/go/issues/35169
+			if _, ok := err.(*json.SyntaxError); ok {
+				fmt.Println(s.Text())
+				continue
+			}
+			panic(err)
 		}
-		pkg := cmp.Or(
-			goOutput.Package,
-			"build:"+goOutput.ImportPath, // can be "./cmd" while Package is "tailscale.com/cmd" so use separate namespace
-		)
+		pkg := goOutput.Package
 		pkgTests := resultMap[pkg]
 		if pkgTests == nil {
-			pkgTests = map[string]*testAttempt{
-				"": {}, // Used for start time and build logs.
-			}
+			pkgTests = make(map[string]*testAttempt)
 			resultMap[pkg] = pkgTests
 		}
 		if goOutput.Test == "" {
 			switch goOutput.Action {
 			case "start":
-				pkgTests[""].start = goOutput.Time
-			case "build-output":
-				pkgTests[""].logs.WriteString(goOutput.Output)
-			case "build-fail", "fail", "pass", "skip":
+				pkgTests[""] = &testAttempt{start: goOutput.Time}
+			case "fail", "pass", "skip":
 				for _, test := range pkgTests {
 					if test.testName != "" && test.outcome == "" {
 						test.outcome = "fail"
 						ch <- test
 					}
 				}
-				outcome := goOutput.Action
-				if outcome == "build-fail" {
-					outcome = "fail"
-				}
-				pkgTests[""].logs.WriteString(goOutput.Output)
 				ch <- &testAttempt{
 					pkg:         goOutput.Package,
-					outcome:     outcome,
+					outcome:     goOutput.Action,
 					start:       pkgTests[""].start,
 					end:         goOutput.Time,
-					logs:        pkgTests[""].logs,
 					pkgFinished: true,
 				}
-			case "output":
-				// Capture all output from the package except for the final
-				// "FAIL    tailscale.io/control    0.684s" line, as
-				// printPkgOutcome will output a similar line
-				if !strings.HasPrefix(goOutput.Output, fmt.Sprintf("FAIL\t%s\t", goOutput.Package)) {
-					pkgTests[""].logs.WriteString(goOutput.Output)
-				}
 			}
-
 			continue
 		}
 		testName := goOutput.Test
@@ -226,9 +221,6 @@ func main() {
 	}
 	toRun := []*nextRun{firstRun}
 	printPkgOutcome := func(pkg, outcome string, attempt int, runtime time.Duration) {
-		if pkg == "" {
-			return // We reach this path on a build error.
-		}
 		if outcome == "skip" {
 			fmt.Printf("?\t%s [skipped/no tests] \n", pkg)
 			return
@@ -246,6 +238,30 @@ func main() {
 		fmt.Printf("%s\t%s\t%.3fs\n", outcome, pkg, runtime.Seconds())
 	}
 
+	// Check for -coverprofile argument and filter it out
+	combinedCoverageFilename := ""
+	filteredGoTestArgs := make([]string, 0, len(goTestArgs))
+	preceededByCoverProfile := false
+	for _, arg := range goTestArgs {
+		if arg == "-coverprofile" {
+			preceededByCoverProfile = true
+		} else if preceededByCoverProfile {
+			combinedCoverageFilename = strings.TrimSpace(arg)
+			preceededByCoverProfile = false
+		} else {
+			filteredGoTestArgs = append(filteredGoTestArgs, arg)
+		}
+	}
+	goTestArgs = filteredGoTestArgs
+
+	runningWithCoverage := combinedCoverageFilename != ""
+	if runningWithCoverage {
+		fmt.Printf("Will log coverage to %v\n", combinedCoverageFilename)
+	}
+
+	// Keep track of all test coverage files. With each retry, we'll end up
+	// with additional coverage files that will be combined when we finish.
+	coverageFiles := make([]string, 0)
 	for len(toRun) > 0 {
 		var thisRun *nextRun
 		thisRun, toRun = toRun[0], toRun[1:]
@@ -259,14 +275,27 @@ func main() {
 			fmt.Printf("\n\nAttempt #%d: Retrying flaky tests:\n\nflakytest failures JSON: %s\n\n", thisRun.attempt, j)
 		}
 
-		fatalFailures := make(map[string]struct{}) // pkg.Test key
+		goTestArgsWithCoverage := testArgs
+		if runningWithCoverage {
+			coverageFile := fmt.Sprintf("/tmp/coverage_%d.out", thisRun.attempt)
+			coverageFiles = append(coverageFiles, coverageFile)
+			goTestArgsWithCoverage = make([]string, len(goTestArgs), len(goTestArgs)+2)
+			copy(goTestArgsWithCoverage, goTestArgs)
+			goTestArgsWithCoverage = append(
+				goTestArgsWithCoverage,
+				fmt.Sprintf("-coverprofile=%v", coverageFile),
+				"-covermode=set",
+				"-coverpkg=./...",
+			)
+		}
+
 		toRetry := make(map[string][]*testAttempt) // pkg -> tests to retry
 		for _, pt := range thisRun.tests {
 			ch := make(chan *testAttempt)
 			runErr := make(chan error, 1)
 			go func() {
 				defer close(runErr)
-				runErr <- runTests(ctx, thisRun.attempt, pt, goTestArgs, testArgs, ch)
+				runErr <- runTests(ctx, thisRun.attempt, pt, goTestArgsWithCoverage, testArgs, ch)
 			}()
 
 			var failed bool
@@ -285,11 +314,6 @@ func main() {
 						// when a package times out.
 						failed = true
 					}
-					if testingVerbose || tr.outcome == "fail" {
-						// Output package-level output which is where e.g.
-						// panics outside tests will be printed
-						io.Copy(os.Stdout, &tr.logs)
-					}
 					printPkgOutcome(tr.pkg, tr.outcome, thisRun.attempt, tr.end.Sub(tr.start))
 					continue
 				}
@@ -302,24 +326,11 @@ func main() {
 				if tr.isMarkedFlaky {
 					toRetry[tr.pkg] = append(toRetry[tr.pkg], tr)
 				} else {
-					fatalFailures[tr.pkg+"."+tr.testName] = struct{}{}
 					failed = true
 				}
 			}
 			if failed {
 				fmt.Println("\n\nNot retrying flaky tests because non-flaky tests failed.")
-
-				// Print the list of non-flakytest failures.
-				// We will later analyze the retried GitHub Action runs to see
-				// if non-flakytest failures succeeded upon retry. This will
-				// highlight tests which are flaky but not yet flagged as such.
-				if len(fatalFailures) > 0 {
-					tests := slicesx.MapKeys(fatalFailures)
-					sort.Strings(tests)
-					j, _ := json.Marshal(tests)
-					fmt.Printf("non-flakytest failures: %s\n", j)
-				}
-				fmt.Println()
 				os.Exit(1)
 			}
 
@@ -361,4 +372,107 @@ func main() {
 		}
 		toRun = append(toRun, nextRun)
 	}
+
+	if runningWithCoverage {
+		intermediateCoverageFilename := "/tmp/coverage.out_intermediate"
+		if err := combineCoverageFiles(intermediateCoverageFilename, coverageFiles); err != nil {
+			fmt.Printf("error combining coverage files: %v\n", err)
+			os.Exit(2)
+		}
+
+		if err := processCoverageWithCourtney(intermediateCoverageFilename, combinedCoverageFilename, testArgs); err != nil {
+			fmt.Printf("error processing coverage with courtney: %v\n", err)
+			os.Exit(3)
+		}
+
+		fmt.Printf("Wrote combined coverage to %v\n", combinedCoverageFilename)
+	}
+}
+
+func combineCoverageFiles(intermediateCoverageFilename string, coverageFiles []string) error {
+	combinedCoverageFile, err := os.OpenFile(intermediateCoverageFilename, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644)
+	if err != nil {
+		return fmt.Errorf("create /tmp/coverage.out: %w", err)
+	}
+	defer combinedCoverageFile.Close()
+	w := bufio.NewWriter(combinedCoverageFile)
+	defer w.Flush()
+
+	for fileNumber, coverageFile := range coverageFiles {
+		f, err := os.Open(coverageFile)
+		if err != nil {
+			return fmt.Errorf("open %v: %w", coverageFile, err)
+		}
+		defer f.Close()
+		in := bufio.NewReader(f)
+		line := 0
+		for {
+			r, _, err := in.ReadRune()
+			if err != nil {
+				if err != io.EOF {
+					return fmt.Errorf("read %v: %w", coverageFile, err)
+				}
+				break
+			}
+
+			// On all but the first coverage file, skip the coverage file header
+			if fileNumber > 0 && line == 0 {
+				continue
+			}
+			if r == '\n' {
+				line++
+			}
+
+			// filter for only printable characters because coverage file sometimes includes junk on 2nd line
+			if unicode.IsPrint(r) || r == '\n' {
+				if _, err := w.WriteRune(r); err != nil {
+					return fmt.Errorf("write %v: %w", combinedCoverageFile.Name(), err)
+				}
+			}
+		}
+	}
+
+	return nil
+}
+
+// processCoverageWithCourtney post-processes code coverage to exclude less
+// meaningful sections like 'if err != nil { return err}', as well as
+// anything marked with a '// notest' comment.
+//
+// instead of running the courtney as a separate program, this embeds
+// courtney for easier integration.
+func processCoverageWithCourtney(intermediateCoverageFilename, combinedCoverageFilename string, testArgs []string) error {
+	env := vos.Os()
+
+	setup := &shared.Setup{
+		Env:      vos.Os(),
+		Paths:    patsy.NewCache(env),
+		TestArgs: testArgs,
+		Load:     intermediateCoverageFilename,
+		Output:   combinedCoverageFilename,
+	}
+	if err := setup.Parse(testArgs); err != nil {
+		return fmt.Errorf("parse args: %w", err)
+	}
+
+	s := scanner.New(setup)
+	if err := s.LoadProgram(); err != nil {
+		return fmt.Errorf("load program: %w", err)
+	}
+	if err := s.ScanPackages(); err != nil {
+		return fmt.Errorf("scan packages: %w", err)
+	}
+
+	t := tester.New(setup)
+	if err := t.Load(); err != nil {
+		return fmt.Errorf("load: %w", err)
+	}
+	if err := t.ProcessExcludes(s.Excludes); err != nil {
+		return fmt.Errorf("process excludes: %w", err)
+	}
+	if err := t.Save(); err != nil {
+		return fmt.Errorf("save: %w", err)
+	}
+
+	return nil
 }

cmd/testwrapper/testwrapper_test.go

@@ -11,7 +11,6 @@ import (
 	"os/exec"
 	"path/filepath"
 	"regexp"
-	"strings"
 	"sync"
 	"testing"
 )
@@ -155,24 +154,24 @@ func TestBuildError(t *testing.T) {
 		t.Fatalf("writing package: %s", err)
 	}
 
-	wantErr := "builderror_test.go:3:1: expected declaration, found derp\nFAIL"
+	buildErr := []byte("builderror_test.go:3:1: expected declaration, found derp\nFAIL	command-line-arguments [setup failed]")
 
 	// Confirm `go test` exits with code 1.
 	goOut, err := exec.Command("go", "test", testfile).CombinedOutput()
 	if code, ok := errExitCode(err); !ok || code != 1 {
-		t.Fatalf("go test %s: got exit code %d, want 1 (err: %v)", testfile, code, err)
+		t.Fatalf("go test %s: expected error with exit code 0 but got: %v", testfile, err)
 	}
-	if !strings.Contains(string(goOut), wantErr) {
-		t.Fatalf("go test %s: got output %q, want output containing %q", testfile, goOut, wantErr)
+	if !bytes.Contains(goOut, buildErr) {
+		t.Fatalf("go test %s: expected build error containing %q but got:\n%s", testfile, buildErr, goOut)
 	}
 
 	// Confirm `testwrapper` exits with code 1.
 	twOut, err := cmdTestwrapper(t, testfile).CombinedOutput()
 	if code, ok := errExitCode(err); !ok || code != 1 {
-		t.Fatalf("testwrapper %s: got exit code %d, want 1 (err: %v)", testfile, code, err)
+		t.Fatalf("testwrapper %s: expected error with exit code 0 but got: %v", testfile, err)
 	}
-	if !strings.Contains(string(twOut), wantErr) {
-		t.Fatalf("testwrapper %s: got output %q, want output containing %q", testfile, twOut, wantErr)
+	if !bytes.Contains(twOut, buildErr) {
+		t.Fatalf("testwrapper %s: expected build error containing %q but got:\n%s", testfile, buildErr, twOut)
 	}
 
 	if testing.Verbose() {

cmd/tl-longchain/tl-longchain.go

@@ -22,8 +22,8 @@ import (
 	"log"
 	"time"
 
-	"tailscale.com/client/local"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/localclient/tailscale"
 	"tailscale.com/tka"
 	"tailscale.com/types/key"
 )
@@ -37,7 +37,7 @@ var (
 func main() {
 	flag.Parse()
 
-	lc := local.Client{Socket: *flagSocket}
+	lc := tailscale.LocalClient{Socket: *flagSocket}
 	if lc.Socket != "" {
 		lc.UseSocketOnly = true
 	}