.github: Bump github/codeql-action from 3.28.11 to 3.28.12

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.11 to 3.28.12.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](6bb031afdd...5f8171a638)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/codeql-analysis.yml

@@ -55,7 +55,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
+      uses: github/codeql-action/init@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -66,7 +66,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
+      uses: github/codeql-action/autobuild@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -80,4 +80,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
+      uses: github/codeql-action/analyze@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12

ALPINE.txt

@@ -1 +1 @@
-3.19
+3.18

Dockerfile

@@ -62,10 +62,8 @@ RUN GOARCH=$TARGETARCH go install -ldflags="\
       -X tailscale.com/version.gitCommitStamp=$VERSION_GIT_HASH" \
       -v ./cmd/tailscale ./cmd/tailscaled ./cmd/containerboot
 
-FROM alpine:3.19
+FROM alpine:3.18
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
-RUN rm /sbin/iptables && ln -s /sbin/iptables-legacy /sbin/iptables
-RUN rm /sbin/ip6tables && ln -s /sbin/ip6tables-legacy /sbin/ip6tables
 
 COPY --from=build-env /go/bin/* /usr/local/bin/
 # For compat with the previous run.sh, although ideally you should be

Dockerfile.base

@@ -1,12 +1,5 @@
 # Copyright (c) Tailscale Inc & AUTHORS
 # SPDX-License-Identifier: BSD-3-Clause
 
-FROM alpine:3.19
-RUN apk add --no-cache ca-certificates iptables iptables-legacy iproute2 ip6tables iputils
-# Alpine 3.19 replaces legacy iptables with nftables based implementation.  We
-# can't be certain that all hosts that run Tailscale containers currently
-# suppport nftables, so link back to legacy for backwards compatibility reasons.
-# TODO(irbekrm): add some way how to determine if we still run on nodes that
-# don't support nftables, so that we can eventually remove these symlinks.
-RUN rm /sbin/iptables && ln -s /sbin/iptables-legacy /sbin/iptables
-RUN rm /sbin/ip6tables && ln -s /sbin/ip6tables-legacy /sbin/ip6tables
+FROM alpine:3.18
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables iputils

VERSION.txt

@@ -1 +1 @@
-1.83.0
+1.81.0

build_docker.sh

@@ -16,7 +16,7 @@ eval "$(./build_dist.sh shellvars)"
 
 DEFAULT_TARGET="client"
 DEFAULT_TAGS="v${VERSION_SHORT},v${VERSION_MINOR}"
-DEFAULT_BASE="tailscale/alpine-base:3.19"
+DEFAULT_BASE="tailscale/alpine-base:3.18"
 # Set a few pre-defined OCI annotations. The source annotation is used by tools such as Renovate that scan the linked
 # Github repo to find release notes for any new image tags. Note that for official Tailscale images the default
 # annotations defined here will be overriden by release scripts that call this script.

clientupdate/clientupdate.go

@@ -28,7 +28,6 @@ import (
 	"strings"
 
 	"tailscale.com/hostinfo"
-	"tailscale.com/types/lazy"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/cmpver"
 	"tailscale.com/version"
@@ -250,13 +249,9 @@ func (up *Updater) getUpdateFunction() (fn updateFunction, canAutoUpdate bool) {
 	return nil, false
 }
 
-var canAutoUpdateCache lazy.SyncValue[bool]
-
 // CanAutoUpdate reports whether auto-updating via the clientupdate package
 // is supported for the current os/distro.
-func CanAutoUpdate() bool { return canAutoUpdateCache.Get(canAutoUpdateUncached) }
-
-func canAutoUpdateUncached() bool {
+func CanAutoUpdate() bool {
 	if version.IsMacSysExt() {
 		// Macsys uses Sparkle for auto-updates, which doesn't have an update
 		// function in this package.

cmd/containerboot/certs.go

@@ -60,9 +60,6 @@ func (cm *certManager) ensureCertLoops(ctx context.Context, sc *ipn.ServeConfig)
 		if _, exists := cm.certLoops[domain]; !exists {
 			cancelCtx, cancel := context.WithCancel(ctx)
 			mak.Set(&cm.certLoops, domain, cancel)
-			// Note that most of the issuance anyway happens
-			// serially because the cert client has a shared lock
-			// that's held during any issuance.
 			cm.tracker.Go(func() { cm.runCertLoop(cancelCtx, domain) })
 		}
 	}
@@ -119,13 +116,7 @@ func (cm *certManager) runCertLoop(ctx context.Context, domain string) {
 			// issuance endpoint that explicitly only triggers
 			// issuance and stores certs in the relevant store, but
 			// does not return certs to the caller?
-
-			// An issuance holds a shared lock, so we need to avoid
-			// a situation where other services cannot issue certs
-			// because a single one is holding the lock.
-			ctxT, cancel := context.WithTimeout(ctx, time.Second*300)
-			defer cancel()
-			_, _, err := cm.lc.CertPair(ctxT, domain)
+			_, _, err := cm.lc.CertPair(ctx, domain)
 			if err != nil {
 				log.Printf("error refreshing certificate for %s: %v", domain, err)
 			}

cmd/derper/cert.go

@@ -128,17 +128,16 @@ func (m *manualCertManager) TLSConfig() *tls.Config {
 }
 
 func (m *manualCertManager) getCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	// if hi.ServerName != m.hostname && !m.noHostname {
-	// 	return nil, fmt.Errorf("cert mismatch with hostname: %q", hi.ServerName)
-	// }
+	if hi.ServerName != m.hostname && !m.noHostname {
+		return nil, fmt.Errorf("cert mismatch with hostname: %q", hi.ServerName)
+	}
 
 	// Return a shallow copy of the cert so the caller can append to its
 	// Certificate field.
-	// certCopy := new(tls.Certificate)
-	// *certCopy = *m.cert
-	// certCopy.Certificate = certCopy.Certificate[:len(certCopy.Certificate):len(certCopy.Certificate)]
-	// return certCopy, nil
-	return m.cert, nil
+	certCopy := new(tls.Certificate)
+	*certCopy = *m.cert
+	certCopy.Certificate = certCopy.Certificate[:len(certCopy.Certificate):len(certCopy.Certificate)]
+	return certCopy, nil
 }
 
 func (m *manualCertManager) HTTPHandler(fallback http.Handler) http.Handler {

cmd/k8s-operator/deploy/crds/tailscale.com_proxygroups.yaml

@@ -103,7 +103,7 @@ spec:
                     pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$
                 type:
                   description: |-
-                    Type of the ProxyGroup proxies. Currently the only supported type is egress.
+                    Type of the ProxyGroup proxies. Supported types are egress and ingress.
                     Type is immutable once a ProxyGroup is created.
                   type: string
                   enum:

cmd/k8s-operator/deploy/manifests/operator.yaml

@@ -2876,7 +2876,7 @@ spec:
                                 type: array
                             type:
                                 description: |-
-                                    Type of the ProxyGroup proxies. Currently the only supported type is egress.
+                                    Type of the ProxyGroup proxies. Supported types are egress and ingress.
                                     Type is immutable once a ProxyGroup is created.
                                 enum:
                                     - egress

cmd/k8s-operator/ingress-for-pg.go

@@ -49,11 +49,10 @@ const (
 	// FinalizerNamePG is the finalizer used by the IngressPGReconciler
 	FinalizerNamePG = "tailscale.com/ingress-pg-finalizer"
 
+	indexIngressProxyGroup = ".metadata.annotations.ingress-proxy-group"
 	// annotationHTTPEndpoint can be used to configure the Ingress to expose an HTTP endpoint to tailnet (as
 	// well as the default HTTPS endpoint).
 	annotationHTTPEndpoint = "tailscale.com/http-endpoint"
-
-	labelDomain = "tailscale.com/domain"
 )
 
 var gaugePGIngressResources = clientmetric.NewGauge(kubetypes.MetricIngressPGResourceCount)
@@ -242,7 +241,7 @@ func (r *HAIngressReconciler) maybeProvision(ctx context.Context, hostname strin
 		return false, nil
 	}
 	// 3. Ensure that TLS Secret and RBAC exists
-	if err := r.ensureCertResources(ctx, pgName, dnsName, ing); err != nil {
+	if err := r.ensureCertResources(ctx, pgName, dnsName); err != nil {
 		return false, fmt.Errorf("error ensuring cert resources: %w", err)
 	}
 
@@ -339,11 +338,7 @@ func (r *HAIngressReconciler) maybeProvision(ctx context.Context, hostname strin
 
 	// 5. Update tailscaled's AdvertiseServices config, which should add the VIPService
 	// IPs to the ProxyGroup Pods' AllowedIPs in the next netmap update if approved.
-	mode := serviceAdvertisementHTTPS
-	if isHTTPEndpointEnabled(ing) {
-		mode = serviceAdvertisementHTTPAndHTTPS
-	}
-	if err = r.maybeUpdateAdvertiseServicesConfig(ctx, pg.Name, serviceName, mode, logger); err != nil {
+	if err = r.maybeUpdateAdvertiseServicesConfig(ctx, pg.Name, serviceName, true, logger); err != nil {
 		return false, fmt.Errorf("failed to update tailscaled config: %w", err)
 	}
 
@@ -359,17 +354,11 @@ func (r *HAIngressReconciler) maybeProvision(ctx context.Context, hostname strin
 	case 0:
 		ing.Status.LoadBalancer.Ingress = nil
 	default:
-		var ports []networkingv1.IngressPortStatus
-		hasCerts, err := r.hasCerts(ctx, serviceName)
-		if err != nil {
-			return false, fmt.Errorf("error checking TLS credentials provisioned for Ingress: %w", err)
-		}
-		// If TLS certs have not been issued (yet), do not set port 443.
-		if hasCerts {
-			ports = append(ports, networkingv1.IngressPortStatus{
+		ports := []networkingv1.IngressPortStatus{
+			{
 				Protocol: "TCP",
 				Port:     443,
-			})
+			},
 		}
 		if isHTTPEndpointEnabled(ing) {
 			ports = append(ports, networkingv1.IngressPortStatus{
@@ -377,14 +366,9 @@ func (r *HAIngressReconciler) maybeProvision(ctx context.Context, hostname strin
 				Port:     80,
 			})
 		}
-		// Set Ingress status hostname only if either port 443 or 80 is advertised.
-		var hostname string
-		if len(ports) != 0 {
-			hostname = dnsName
-		}
 		ing.Status.LoadBalancer.Ingress = []networkingv1.IngressLoadBalancerIngress{
 			{
-				Hostname: hostname,
+				Hostname: dnsName,
 				Ports:    ports,
 			},
 		}
@@ -445,7 +429,7 @@ func (r *HAIngressReconciler) maybeCleanupProxyGroup(ctx context.Context, proxyG
 			}
 
 			// Make sure the VIPService is not advertised in tailscaled or serve config.
-			if err = r.maybeUpdateAdvertiseServicesConfig(ctx, proxyGroupName, vipServiceName, serviceAdvertisementOff, logger); err != nil {
+			if err = r.maybeUpdateAdvertiseServicesConfig(ctx, proxyGroupName, vipServiceName, false, logger); err != nil {
 				return false, fmt.Errorf("failed to update tailscaled config services: %w", err)
 			}
 			_, ok := cfg.Services[vipServiceName]
@@ -528,7 +512,7 @@ func (r *HAIngressReconciler) maybeCleanup(ctx context.Context, hostname string,
 	}
 
 	// 4. Unadvertise the VIPService in tailscaled config.
-	if err = r.maybeUpdateAdvertiseServicesConfig(ctx, pg, serviceName, serviceAdvertisementOff, logger); err != nil {
+	if err = r.maybeUpdateAdvertiseServicesConfig(ctx, pg, serviceName, false, logger); err != nil {
 		return false, fmt.Errorf("failed to update tailscaled config services: %w", err)
 	}
 
@@ -725,16 +709,8 @@ func isHTTPEndpointEnabled(ing *networkingv1.Ingress) bool {
 	return ing.Annotations[annotationHTTPEndpoint] == "enabled"
 }
 
-// serviceAdvertisementMode describes the desired state of a VIPService.
-type serviceAdvertisementMode int
-
-const (
-	serviceAdvertisementOff          serviceAdvertisementMode = iota // Should not be advertised
-	serviceAdvertisementHTTPS                                        // Port 443 should be advertised
-	serviceAdvertisementHTTPAndHTTPS                                 // Both ports 80 and 443 should be advertised
-)
-
-func (a *HAIngressReconciler) maybeUpdateAdvertiseServicesConfig(ctx context.Context, pgName string, serviceName tailcfg.ServiceName, mode serviceAdvertisementMode, logger *zap.SugaredLogger) (err error) {
+func (a *HAIngressReconciler) maybeUpdateAdvertiseServicesConfig(ctx context.Context, pgName string, serviceName tailcfg.ServiceName, shouldBeAdvertised bool, logger *zap.SugaredLogger) (err error) {
+	logger.Debugf("Updating ProxyGroup tailscaled configs to advertise service %q: %v", serviceName, shouldBeAdvertised)
 
 	// Get all config Secrets for this ProxyGroup.
 	secrets := &corev1.SecretList{}
@@ -742,21 +718,6 @@ func (a *HAIngressReconciler) maybeUpdateAdvertiseServicesConfig(ctx context.Con
 		return fmt.Errorf("failed to list config Secrets: %w", err)
 	}
 
-	// Verify that TLS cert for the VIPService has been successfully issued
-	// before attempting to advertise the service.
-	// This is so that in multi-cluster setups where some Ingresses succeed
-	// to issue certs and some do not (rate limits), clients are not pinned
-	// to a backend that is not able to serve HTTPS.
-	// The only exception is Ingresses with an HTTP endpoint enabled - if an
-	// Ingress has an HTTP endpoint enabled, it will be advertised even if the
-	// TLS cert is not yet provisioned.
-	hasCert, err := a.hasCerts(ctx, serviceName)
-	if err != nil {
-		return fmt.Errorf("error checking TLS credentials provisioned for service %q: %w", serviceName, err)
-	}
-	shouldBeAdvertised := (mode == serviceAdvertisementHTTPAndHTTPS) ||
-		(mode == serviceAdvertisementHTTPS && hasCert) // if we only expose port 443 and don't have certs (yet), do not advertise
-
 	for _, secret := range secrets.Items {
 		var updated bool
 		for fileName, confB := range secret.Data {
@@ -909,8 +870,8 @@ func ownersAreSetAndEqual(a, b *tailscale.VIPService) bool {
 // (domain) is a valid Kubernetes resource name.
 // https://github.com/tailscale/tailscale/blob/8b1e7f646ee4730ad06c9b70c13e7861b964949b/util/dnsname/dnsname.go#L99
 // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names
-func (r *HAIngressReconciler) ensureCertResources(ctx context.Context, pgName, domain string, ing *networkingv1.Ingress) error {
-	secret := certSecret(pgName, r.tsNamespace, domain, ing)
+func (r *HAIngressReconciler) ensureCertResources(ctx context.Context, pgName, domain string) error {
+	secret := certSecret(pgName, r.tsNamespace, domain)
 	if _, err := createOrUpdate(ctx, r.Client, r.tsNamespace, secret, nil); err != nil {
 		return fmt.Errorf("failed to create or update Secret %s: %w", secret.Name, err)
 	}
@@ -1005,14 +966,9 @@ func certSecretRoleBinding(pgName, namespace, domain string) *rbacv1.RoleBinding
 
 // certSecret creates a Secret that will store the TLS certificate and private
 // key for the given domain. Domain must be a valid Kubernetes resource name.
-func certSecret(pgName, namespace, domain string, ing *networkingv1.Ingress) *corev1.Secret {
+func certSecret(pgName, namespace, domain string) *corev1.Secret {
 	labels := certResourceLabels(pgName, domain)
 	labels[kubetypes.LabelSecretType] = "certs"
-	// Labels that let us identify the Ingress resource lets us reconcile
-	// the Ingress when the TLS Secret is updated (for example, when TLS
-	// certs have been provisioned).
-	labels[LabelParentName] = ing.Name
-	labels[LabelParentNamespace] = ing.Namespace
 	return &corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "v1",
@@ -1033,9 +989,9 @@ func certSecret(pgName, namespace, domain string, ing *networkingv1.Ingress) *co
 
 func certResourceLabels(pgName, domain string) map[string]string {
 	return map[string]string{
-		kubetypes.LabelManaged: "true",
-		labelProxyGroup:        pgName,
-		labelDomain:            domain,
+		kubetypes.LabelManaged:      "true",
+		"tailscale.com/proxy-group": pgName,
+		"tailscale.com/domain":      domain,
 	}
 }
 
@@ -1048,28 +1004,3 @@ func (r *HAIngressReconciler) dnsNameForService(ctx context.Context, svc tailcfg
 	}
 	return s + "." + tcd, nil
 }
-
-// hasCerts checks if the TLS Secret for the given service has non-zero cert and key data.
-func (r *HAIngressReconciler) hasCerts(ctx context.Context, svc tailcfg.ServiceName) (bool, error) {
-	domain, err := r.dnsNameForService(ctx, svc)
-	if err != nil {
-		return false, fmt.Errorf("failed to get DNS name for service: %w", err)
-	}
-	secret := &corev1.Secret{}
-	err = r.Get(ctx, client.ObjectKey{
-		Namespace: r.tsNamespace,
-		Name:      domain,
-	}, secret)
-
-	if err != nil {
-		if apierrors.IsNotFound(err) {
-			return false, nil
-		}
-		return false, fmt.Errorf("failed to get TLS Secret: %w", err)
-	}
-
-	cert := secret.Data[corev1.TLSCertKey]
-	key := secret.Data[corev1.TLSPrivateKeyKey]
-
-	return len(cert) > 0 && len(key) > 0, nil
-}

cmd/k8s-operator/ingress-for-pg_test.go

@@ -31,7 +31,6 @@ import (
 	"tailscale.com/ipn/ipnstate"
 	tsoperator "tailscale.com/k8s-operator"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
-	"tailscale.com/kube/kubetypes"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/ptr"
 )
@@ -60,7 +59,7 @@ func TestIngressPGReconciler(t *testing.T) {
 				},
 			},
 			TLS: []networkingv1.IngressTLS{
-				{Hosts: []string{"my-svc"}},
+				{Hosts: []string{"my-svc.tailnetxyz.ts.net"}},
 			},
 		},
 	}
@@ -68,14 +67,12 @@ func TestIngressPGReconciler(t *testing.T) {
 
 	// Verify initial reconciliation
 	expectReconciled(t, ingPGR, "default", "test-ingress")
-	populateTLSSecret(context.Background(), fc, "test-pg", "my-svc.ts.net")
-	expectReconciled(t, ingPGR, "default", "test-ingress")
 	verifyServeConfig(t, fc, "svc:my-svc", false)
 	verifyVIPService(t, ft, "svc:my-svc", []string{"443"})
 	verifyTailscaledConfig(t, fc, []string{"svc:my-svc"})
 
-	// Verify that Role and RoleBinding have been created for the first Ingress.
-	// Do not verify the cert Secret as that was already verified implicitly above.
+	// Verify cert resources were created for the first Ingress
+	expectEqual(t, fc, certSecret("test-pg", "operator-ns", "my-svc.ts.net"))
 	expectEqual(t, fc, certSecretRole("test-pg", "operator-ns", "my-svc.ts.net"))
 	expectEqual(t, fc, certSecretRoleBinding("test-pg", "operator-ns", "my-svc.ts.net"))
 
@@ -130,13 +127,11 @@ func TestIngressPGReconciler(t *testing.T) {
 
 	// Verify second Ingress reconciliation
 	expectReconciled(t, ingPGR, "default", "my-other-ingress")
-	populateTLSSecret(context.Background(), fc, "test-pg", "my-other-svc.ts.net")
-	expectReconciled(t, ingPGR, "default", "my-other-ingress")
 	verifyServeConfig(t, fc, "svc:my-other-svc", false)
 	verifyVIPService(t, ft, "svc:my-other-svc", []string{"443"})
 
-	// Verify that Role and RoleBinding have been created for the first Ingress.
-	// Do not verify the cert Secret as that was already verified implicitly above.
+	// Verify cert resources were created for the second Ingress
+	expectEqual(t, fc, certSecret("test-pg", "operator-ns", "my-other-svc.ts.net"))
 	expectEqual(t, fc, certSecretRole("test-pg", "operator-ns", "my-other-svc.ts.net"))
 	expectEqual(t, fc, certSecretRoleBinding("test-pg", "operator-ns", "my-other-svc.ts.net"))
 
@@ -236,7 +231,7 @@ func TestIngressPGReconciler_UpdateIngressHostname(t *testing.T) {
 				},
 			},
 			TLS: []networkingv1.IngressTLS{
-				{Hosts: []string{"my-svc"}},
+				{Hosts: []string{"my-svc.tailnetxyz.ts.net"}},
 			},
 		},
 	}
@@ -244,19 +239,15 @@ func TestIngressPGReconciler_UpdateIngressHostname(t *testing.T) {
 
 	// Verify initial reconciliation
 	expectReconciled(t, ingPGR, "default", "test-ingress")
-	populateTLSSecret(context.Background(), fc, "test-pg", "my-svc.ts.net")
-	expectReconciled(t, ingPGR, "default", "test-ingress")
 	verifyServeConfig(t, fc, "svc:my-svc", false)
 	verifyVIPService(t, ft, "svc:my-svc", []string{"443"})
 	verifyTailscaledConfig(t, fc, []string{"svc:my-svc"})
 
 	// Update the Ingress hostname and make sure the original VIPService is deleted.
 	mustUpdate(t, fc, "default", "test-ingress", func(ing *networkingv1.Ingress) {
-		ing.Spec.TLS[0].Hosts[0] = "updated-svc"
+		ing.Spec.TLS[0].Hosts[0] = "updated-svc.tailnetxyz.ts.net"
 	})
 	expectReconciled(t, ingPGR, "default", "test-ingress")
-	populateTLSSecret(context.Background(), fc, "test-pg", "updated-svc.ts.net")
-	expectReconciled(t, ingPGR, "default", "test-ingress")
 	verifyServeConfig(t, fc, "svc:updated-svc", false)
 	verifyVIPService(t, ft, "svc:updated-svc", []string{"443"})
 	verifyTailscaledConfig(t, fc, []string{"svc:updated-svc"})
@@ -477,8 +468,6 @@ func TestIngressPGReconciler_HTTPEndpoint(t *testing.T) {
 
 	// Verify initial reconciliation with HTTP enabled
 	expectReconciled(t, ingPGR, "default", "test-ingress")
-	populateTLSSecret(context.Background(), fc, "test-pg", "my-svc.ts.net")
-	expectReconciled(t, ingPGR, "default", "test-ingress")
 	verifyVIPService(t, ft, "svc:my-svc", []string{"80", "443"})
 	verifyServeConfig(t, fc, "svc:my-svc", true)
 
@@ -622,7 +611,6 @@ func verifyServeConfig(t *testing.T, fc client.Client, serviceName string, wantH
 }
 
 func verifyTailscaledConfig(t *testing.T, fc client.Client, expectedServices []string) {
-	t.Helper()
 	var expected string
 	if expectedServices != nil {
 		expectedServicesJSON, err := json.Marshal(expectedServices)
@@ -816,28 +804,3 @@ func TestIngressPGReconciler_MultiCluster(t *testing.T) {
 		t.Errorf("incorrect owner refs after deletion\ngot:  %+v\nwant: %+v", o.OwnerRefs, wantOwnerRefs)
 	}
 }
-
-func populateTLSSecret(ctx context.Context, c client.Client, pgName, domain string) error {
-	secret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      domain,
-			Namespace: "operator-ns",
-			Labels: map[string]string{
-				kubetypes.LabelManaged:    "true",
-				labelProxyGroup:           pgName,
-				labelDomain:               domain,
-				kubetypes.LabelSecretType: "certs",
-			},
-		},
-		Type: corev1.SecretTypeTLS,
-		Data: map[string][]byte{
-			corev1.TLSCertKey:       []byte("fake-cert"),
-			corev1.TLSPrivateKeyKey: []byte("fake-key"),
-		},
-	}
-
-	_, err := createOrUpdate(ctx, c, "operator-ns", secret, func(s *corev1.Secret) {
-		s.Data = secret.Data
-	})
-	return err
-}

cmd/k8s-operator/operator.go

@@ -9,6 +9,7 @@ package main
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 	"os"
 	"regexp"
@@ -39,6 +40,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"tailscale.com/client/local"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
@@ -331,6 +333,40 @@ func runReconcilers(opts reconcilerOpts) {
 	if err != nil {
 		startlog.Fatalf("could not create ingress reconciler: %v", err)
 	}
+	lc, err := opts.tsServer.LocalClient()
+	if err != nil {
+		startlog.Fatalf("could not get local client: %v", err)
+	}
+	id, err := id(context.Background(), lc)
+	if err != nil {
+		startlog.Fatalf("error determining stable ID of the operator's Tailscale device: %v", err)
+	}
+	ingressProxyGroupFilter := handler.EnqueueRequestsFromMapFunc(ingressesFromIngressProxyGroup(mgr.GetClient(), opts.log))
+	err = builder.
+		ControllerManagedBy(mgr).
+		For(&networkingv1.Ingress{}).
+		Named("ingress-pg-reconciler").
+		Watches(&corev1.Service{}, handler.EnqueueRequestsFromMapFunc(serviceHandlerForIngressPG(mgr.GetClient(), startlog))).
+		Watches(&corev1.Secret{}, handler.EnqueueRequestsFromMapFunc(ingressesFromPGStateSecret(mgr.GetClient(), startlog))).
+		Watches(&tsapi.ProxyGroup{}, ingressProxyGroupFilter).
+		Complete(&HAIngressReconciler{
+			recorder:    eventRecorder,
+			tsClient:    opts.tsClient,
+			tsnetServer: opts.tsServer,
+			defaultTags: strings.Split(opts.proxyTags, ","),
+			Client:      mgr.GetClient(),
+			logger:      opts.log.Named("ingress-pg-reconciler"),
+			lc:          lc,
+			operatorID:  id,
+			tsNamespace: opts.tailscaleNamespace,
+		})
+	if err != nil {
+		startlog.Fatalf("could not create ingress-pg-reconciler: %v", err)
+	}
+	if err := mgr.GetFieldIndexer().IndexField(context.Background(), new(networkingv1.Ingress), indexIngressProxyGroup, indexPGIngresses); err != nil {
+		startlog.Fatalf("failed setting up indexer for HA Ingresses: %v", err)
+	}
+
 	connectorFilter := handler.EnqueueRequestsFromMapFunc(managedResourceHandlerForType("connector"))
 	// If a ProxyClassChanges, enqueue all Connectors that have
 	// .spec.proxyClass set to the name of this ProxyClass.
@@ -1003,6 +1039,45 @@ func reconcileRequestsForPG(pg string, cl client.Client, ns string) []reconcile.
 	return reqs
 }
 
+func ingressesFromPGStateSecret(cl client.Client, logger *zap.SugaredLogger) handler.MapFunc {
+	return func(ctx context.Context, o client.Object) []reconcile.Request {
+		secret, ok := o.(*corev1.Secret)
+		if !ok {
+			logger.Infof("[unexpected] ProxyGroup handler triggered for an object that is not a ProxyGroup")
+			return nil
+		}
+		if secret.ObjectMeta.Labels[kubetypes.LabelManaged] != "true" {
+			return nil
+		}
+		if secret.ObjectMeta.Labels[LabelParentType] != "proxygroup" {
+			return nil
+		}
+		if secret.ObjectMeta.Labels[kubetypes.LabelSecretType] != "state" {
+			return nil
+		}
+		pgName, ok := secret.ObjectMeta.Labels[LabelParentName]
+		if !ok {
+			return nil
+		}
+
+		ingList := &networkingv1.IngressList{}
+		if err := cl.List(ctx, ingList, client.MatchingFields{indexIngressProxyGroup: pgName}); err != nil {
+			logger.Infof("error listing Ingresses, skipping a reconcile for event on Secret %s: %v", secret.Name, err)
+			return nil
+		}
+		reqs := make([]reconcile.Request, 0)
+		for _, ing := range ingList.Items {
+			reqs = append(reqs, reconcile.Request{
+				NamespacedName: types.NamespacedName{
+					Namespace: ing.Namespace,
+					Name:      ing.Name,
+				},
+			})
+		}
+		return reqs
+	}
+}
+
 // egressSvcsFromEgressProxyGroup is an event handler for egress ProxyGroups. It returns reconcile requests for all
 // user-created ExternalName Services that should be exposed on this ProxyGroup.
 func egressSvcsFromEgressProxyGroup(cl client.Client, logger *zap.SugaredLogger) handler.MapFunc {
@@ -1033,6 +1108,36 @@ func egressSvcsFromEgressProxyGroup(cl client.Client, logger *zap.SugaredLogger)
 	}
 }
 
+// ingressesFromIngressProxyGroup is an event handler for ingress ProxyGroups. It returns reconcile requests for all
+// user-created Ingresses that should be exposed on this ProxyGroup.
+func ingressesFromIngressProxyGroup(cl client.Client, logger *zap.SugaredLogger) handler.MapFunc {
+	return func(ctx context.Context, o client.Object) []reconcile.Request {
+		pg, ok := o.(*tsapi.ProxyGroup)
+		if !ok {
+			logger.Infof("[unexpected] ProxyGroup handler triggered for an object that is not a ProxyGroup")
+			return nil
+		}
+		if pg.Spec.Type != tsapi.ProxyGroupTypeIngress {
+			return nil
+		}
+		ingList := &networkingv1.IngressList{}
+		if err := cl.List(ctx, ingList, client.MatchingFields{indexIngressProxyGroup: pg.Name}); err != nil {
+			logger.Infof("error listing Ingresses: %v, skipping a reconcile for event on ProxyGroup %s", err, pg.Name)
+			return nil
+		}
+		reqs := make([]reconcile.Request, 0)
+		for _, svc := range ingList.Items {
+			reqs = append(reqs, reconcile.Request{
+				NamespacedName: types.NamespacedName{
+					Namespace: svc.Namespace,
+					Name:      svc.Name,
+				},
+			})
+		}
+		return reqs
+	}
+}
+
 // epsFromExternalNameService is an event handler for ExternalName Services that define a Tailscale egress service that
 // should be exposed on a ProxyGroup. It returns reconcile requests for EndpointSlices created for this Service.
 func epsFromExternalNameService(cl client.Client, logger *zap.SugaredLogger, ns string) handler.MapFunc {
@@ -1153,7 +1258,63 @@ func indexEgressServices(o client.Object) []string {
 	return []string{o.GetAnnotations()[AnnotationProxyGroup]}
 }
 
+// indexPGIngresses adds a local index to a cached Tailscale Ingresses meant to be exposed on a ProxyGroup. The index is
+// used a list filter.
+func indexPGIngresses(o client.Object) []string {
+	if !hasProxyGroupAnnotation(o) {
+		return nil
+	}
+	return []string{o.GetAnnotations()[AnnotationProxyGroup]}
+}
+
+// serviceHandlerForIngressPG returns a handler for Service events that ensures that if the Service
+// associated with an event is a backend Service for a tailscale Ingress with ProxyGroup annotation,
+// the associated Ingress gets reconciled.
+func serviceHandlerForIngressPG(cl client.Client, logger *zap.SugaredLogger) handler.MapFunc {
+	return func(ctx context.Context, o client.Object) []reconcile.Request {
+		ingList := networkingv1.IngressList{}
+		if err := cl.List(ctx, &ingList, client.InNamespace(o.GetNamespace())); err != nil {
+			logger.Debugf("error listing Ingresses: %v", err)
+			return nil
+		}
+		reqs := make([]reconcile.Request, 0)
+		for _, ing := range ingList.Items {
+			if ing.Spec.IngressClassName == nil || *ing.Spec.IngressClassName != tailscaleIngressClassName {
+				continue
+			}
+			if !hasProxyGroupAnnotation(&ing) {
+				continue
+			}
+			if ing.Spec.DefaultBackend != nil && ing.Spec.DefaultBackend.Service != nil && ing.Spec.DefaultBackend.Service.Name == o.GetName() {
+				reqs = append(reqs, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(&ing)})
+			}
+			for _, rule := range ing.Spec.Rules {
+				if rule.HTTP == nil {
+					continue
+				}
+				for _, path := range rule.HTTP.Paths {
+					if path.Backend.Service != nil && path.Backend.Service.Name == o.GetName() {
+						reqs = append(reqs, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(&ing)})
+					}
+				}
+			}
+		}
+		return reqs
+	}
+}
+
 func hasProxyGroupAnnotation(obj client.Object) bool {
 	ing := obj.(*networkingv1.Ingress)
 	return ing.Annotations[AnnotationProxyGroup] != ""
 }
+
+func id(ctx context.Context, lc *local.Client) (string, error) {
+	st, err := lc.StatusWithoutPeers(ctx)
+	if err != nil {
+		return "", fmt.Errorf("error getting tailscale status: %w", err)
+	}
+	if st.Self == nil {
+		return "", fmt.Errorf("unexpected: device's status does not contain node's metadata")
+	}
+	return string(st.Self.ID), nil
+}

cmd/natc/natc.go

@@ -94,24 +94,18 @@ func main() {
 		}
 		ignoreDstTable.Insert(pfx, true)
 	}
-	var (
-		v4Prefixes    []netip.Prefix
-		numV4DNSAddrs int
-	)
+	var v4Prefixes []netip.Prefix
 	for _, s := range strings.Split(*v4PfxStr, ",") {
 		p := netip.MustParsePrefix(strings.TrimSpace(s))
 		if p.Masked() != p {
 			log.Fatalf("v4 prefix %v is not a masked prefix", p)
 		}
 		v4Prefixes = append(v4Prefixes, p)
-		numIPs := 1 << (32 - p.Bits())
-		numV4DNSAddrs += numIPs
 	}
 	if len(v4Prefixes) == 0 {
 		log.Fatalf("no v4 prefixes specified")
 	}
 	dnsAddr := v4Prefixes[0].Addr()
-	numV4DNSAddrs -= 1 // Subtract the dnsAddr allocated above.
 	ts := &tsnet.Server{
 		Hostname: *hostname,
 	}
@@ -159,13 +153,12 @@ func main() {
 	}
 
 	c := &connector{
-		ts:            ts,
-		lc:            lc,
-		dnsAddr:       dnsAddr,
-		v4Ranges:      v4Prefixes,
-		numV4DNSAddrs: numV4DNSAddrs,
-		v6ULA:         ula(uint16(*siteID)),
-		ignoreDsts:    ignoreDstTable,
+		ts:         ts,
+		lc:         lc,
+		dnsAddr:    dnsAddr,
+		v4Ranges:   v4Prefixes,
+		v6ULA:      ula(uint16(*siteID)),
+		ignoreDsts: ignoreDstTable,
 	}
 	c.run(ctx)
 }
@@ -184,11 +177,6 @@ type connector struct {
 	// v4Ranges is the list of IPv4 ranges to advertise and assign addresses from.
 	// These are masked prefixes.
 	v4Ranges []netip.Prefix
-
-	// numV4DNSAddrs is the total size of the IPv4 ranges in addresses, minus the
-	// dnsAddr allocation.
-	numV4DNSAddrs int
-
 	// v6ULA is the ULA prefix used by the app connector to assign IPv6 addresses.
 	v6ULA netip.Prefix
 
@@ -514,7 +502,6 @@ type perPeerState struct {
 	mu           sync.Mutex
 	domainToAddr map[string][]netip.Addr
 	addrToDomain *bart.Table[string]
-	numV4Allocs  int
 }
 
 // domainForIP returns the domain name assigned to the given IP address and
@@ -560,25 +547,17 @@ func (ps *perPeerState) isIPUsedLocked(ip netip.Addr) bool {
 
 // unusedIPv4Locked returns an unused IPv4 address from the available ranges.
 func (ps *perPeerState) unusedIPv4Locked() netip.Addr {
-	// All addresses have been allocated.
-	if ps.numV4Allocs >= ps.c.numV4DNSAddrs {
-		return netip.Addr{}
-	}
-
 	// TODO: skip ranges that have been exhausted
-	// TODO: implement a much more efficient algorithm for finding unused IPs,
-	// this is fairly crazy.
-	for {
-		for _, r := range ps.c.v4Ranges {
-			ip := randV4(r)
-			if !r.Contains(ip) {
-				panic("error: randV4 returned invalid address")
-			}
+	for _, r := range ps.c.v4Ranges {
+		ip := randV4(r)
+		for r.Contains(ip) {
 			if !ps.isIPUsedLocked(ip) && ip != ps.c.dnsAddr {
 				return ip
 			}
+			ip = ip.Next()
 		}
 	}
+	return netip.Addr{}
 }
 
 // randV4 returns a random IPv4 address within the given prefix.
@@ -604,7 +583,6 @@ func (ps *perPeerState) assignAddrsLocked(domain string) []netip.Addr {
 	if !v4.IsValid() {
 		return nil
 	}
-	ps.numV4Allocs++
 	as16 := ps.c.v6ULA.Addr().As16()
 	as4 := v4.As4()
 	copy(as16[12:], as4[:])

cmd/natc/natc_test.go

@@ -1,429 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package main
-
-import (
-	"errors"
-	"fmt"
-	"net/netip"
-	"slices"
-	"testing"
-
-	"github.com/gaissmai/bart"
-	"github.com/google/go-cmp/cmp"
-	"golang.org/x/net/dns/dnsmessage"
-	"tailscale.com/tailcfg"
-)
-
-func prefixEqual(a, b netip.Prefix) bool {
-	return a.Bits() == b.Bits() && a.Addr() == b.Addr()
-}
-
-func TestULA(t *testing.T) {
-	tests := []struct {
-		name     string
-		siteID   uint16
-		expected string
-	}{
-		{"zero", 0, "fd7a:115c:a1e0:a99c:0000::/80"},
-		{"one", 1, "fd7a:115c:a1e0:a99c:0001::/80"},
-		{"max", 65535, "fd7a:115c:a1e0:a99c:ffff::/80"},
-		{"random", 12345, "fd7a:115c:a1e0:a99c:3039::/80"},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			got := ula(tc.siteID)
-			expected := netip.MustParsePrefix(tc.expected)
-			if !prefixEqual(got, expected) {
-				t.Errorf("ula(%d) = %s; want %s", tc.siteID, got, expected)
-			}
-		})
-	}
-}
-
-func TestRandV4(t *testing.T) {
-	pfx := netip.MustParsePrefix("100.64.1.0/24")
-
-	for i := 0; i < 512; i++ {
-		ip := randV4(pfx)
-		if !pfx.Contains(ip) {
-			t.Errorf("randV4(%s) = %s; not contained in prefix", pfx, ip)
-		}
-	}
-}
-
-func TestDNSResponse(t *testing.T) {
-	tests := []struct {
-		name        string
-		questions   []dnsmessage.Question
-		addrs       []netip.Addr
-		wantEmpty   bool
-		wantAnswers []struct {
-			name  string
-			qType dnsmessage.Type
-			addr  netip.Addr
-		}
-	}{
-		{
-			name:        "empty_request",
-			questions:   []dnsmessage.Question{},
-			addrs:       []netip.Addr{},
-			wantEmpty:   false,
-			wantAnswers: nil,
-		},
-		{
-			name: "a_record",
-			questions: []dnsmessage.Question{
-				{
-					Name:  dnsmessage.MustNewName("example.com."),
-					Type:  dnsmessage.TypeA,
-					Class: dnsmessage.ClassINET,
-				},
-			},
-			addrs: []netip.Addr{netip.MustParseAddr("100.64.1.5")},
-			wantAnswers: []struct {
-				name  string
-				qType dnsmessage.Type
-				addr  netip.Addr
-			}{
-				{
-					name:  "example.com.",
-					qType: dnsmessage.TypeA,
-					addr:  netip.MustParseAddr("100.64.1.5"),
-				},
-			},
-		},
-		{
-			name: "aaaa_record",
-			questions: []dnsmessage.Question{
-				{
-					Name:  dnsmessage.MustNewName("example.com."),
-					Type:  dnsmessage.TypeAAAA,
-					Class: dnsmessage.ClassINET,
-				},
-			},
-			addrs: []netip.Addr{netip.MustParseAddr("fd7a:115c:a1e0:a99c:0001:0505:0505:0505")},
-			wantAnswers: []struct {
-				name  string
-				qType dnsmessage.Type
-				addr  netip.Addr
-			}{
-				{
-					name:  "example.com.",
-					qType: dnsmessage.TypeAAAA,
-					addr:  netip.MustParseAddr("fd7a:115c:a1e0:a99c:0001:0505:0505:0505"),
-				},
-			},
-		},
-		{
-			name: "soa_record",
-			questions: []dnsmessage.Question{
-				{
-					Name:  dnsmessage.MustNewName("example.com."),
-					Type:  dnsmessage.TypeSOA,
-					Class: dnsmessage.ClassINET,
-				},
-			},
-			addrs:       []netip.Addr{},
-			wantAnswers: nil,
-		},
-		{
-			name: "ns_record",
-			questions: []dnsmessage.Question{
-				{
-					Name:  dnsmessage.MustNewName("example.com."),
-					Type:  dnsmessage.TypeNS,
-					Class: dnsmessage.ClassINET,
-				},
-			},
-			addrs:       []netip.Addr{},
-			wantAnswers: nil,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			req := &dnsmessage.Message{
-				Header: dnsmessage.Header{
-					ID: 1234,
-				},
-				Questions: tc.questions,
-			}
-
-			resp, err := dnsResponse(req, tc.addrs)
-			if err != nil {
-				t.Fatalf("dnsResponse() error = %v", err)
-			}
-
-			if tc.wantEmpty && len(resp) != 0 {
-				t.Errorf("dnsResponse() returned non-empty response when expected empty")
-			}
-
-			if !tc.wantEmpty && len(resp) == 0 {
-				t.Errorf("dnsResponse() returned empty response when expected non-empty")
-			}
-
-			if len(resp) > 0 {
-				var msg dnsmessage.Message
-				err = msg.Unpack(resp)
-				if err != nil {
-					t.Fatalf("Failed to unpack response: %v", err)
-				}
-
-				if !msg.Header.Response {
-					t.Errorf("Response header is not set")
-				}
-
-				if msg.Header.ID != req.Header.ID {
-					t.Errorf("Response ID = %d, want %d", msg.Header.ID, req.Header.ID)
-				}
-
-				if len(tc.wantAnswers) > 0 {
-					if len(msg.Answers) != len(tc.wantAnswers) {
-						t.Errorf("got %d answers, want %d", len(msg.Answers), len(tc.wantAnswers))
-					} else {
-						for i, want := range tc.wantAnswers {
-							ans := msg.Answers[i]
-
-							gotName := ans.Header.Name.String()
-							if gotName != want.name {
-								t.Errorf("answer[%d] name = %s, want %s", i, gotName, want.name)
-							}
-
-							if ans.Header.Type != want.qType {
-								t.Errorf("answer[%d] type = %v, want %v", i, ans.Header.Type, want.qType)
-							}
-
-							var gotIP netip.Addr
-							switch want.qType {
-							case dnsmessage.TypeA:
-								if ans.Body.(*dnsmessage.AResource) == nil {
-									t.Errorf("answer[%d] not an A record", i)
-									continue
-								}
-								resource := ans.Body.(*dnsmessage.AResource)
-								gotIP = netip.AddrFrom4([4]byte(resource.A))
-							case dnsmessage.TypeAAAA:
-								if ans.Body.(*dnsmessage.AAAAResource) == nil {
-									t.Errorf("answer[%d] not an AAAA record", i)
-									continue
-								}
-								resource := ans.Body.(*dnsmessage.AAAAResource)
-								gotIP = netip.AddrFrom16([16]byte(resource.AAAA))
-							}
-
-							if gotIP != want.addr {
-								t.Errorf("answer[%d] IP = %s, want %s", i, gotIP, want.addr)
-							}
-						}
-					}
-				}
-			}
-		})
-	}
-}
-
-func TestPerPeerState(t *testing.T) {
-	c := &connector{
-		v4Ranges:      []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")},
-		v6ULA:         netip.MustParsePrefix("fd7a:115c:a1e0:a99c:0001::/80"),
-		dnsAddr:       netip.MustParseAddr("100.64.1.0"),
-		numV4DNSAddrs: (1<<(32-24) - 1),
-	}
-
-	ps := &perPeerState{c: c}
-
-	addrs, err := ps.ipForDomain("example.com")
-	if err != nil {
-		t.Fatalf("ipForDomain() error = %v", err)
-	}
-
-	if len(addrs) != 2 {
-		t.Fatalf("ipForDomain() returned %d addresses, want 2", len(addrs))
-	}
-
-	v4 := addrs[0]
-	v6 := addrs[1]
-
-	if !v4.Is4() {
-		t.Errorf("First address is not IPv4: %s", v4)
-	}
-
-	if !v6.Is6() {
-		t.Errorf("Second address is not IPv6: %s", v6)
-	}
-
-	if !c.v4Ranges[0].Contains(v4) {
-		t.Errorf("IPv4 address %s not in range %s", v4, c.v4Ranges[0])
-	}
-
-	domain, ok := ps.domainForIP(v4)
-	if !ok {
-		t.Errorf("domainForIP(%s) not found", v4)
-	} else if domain != "example.com" {
-		t.Errorf("domainForIP(%s) = %s, want %s", v4, domain, "example.com")
-	}
-
-	domain, ok = ps.domainForIP(v6)
-	if !ok {
-		t.Errorf("domainForIP(%s) not found", v6)
-	} else if domain != "example.com" {
-		t.Errorf("domainForIP(%s) = %s, want %s", v6, domain, "example.com")
-	}
-
-	addrs2, err := ps.ipForDomain("example.com")
-	if err != nil {
-		t.Fatalf("ipForDomain() second call error = %v", err)
-	}
-
-	if !slices.Equal(addrs, addrs2) {
-		t.Errorf("ipForDomain() second call = %v, want %v", addrs2, addrs)
-	}
-}
-
-func TestIgnoreDestination(t *testing.T) {
-	ignoreDstTable := &bart.Table[bool]{}
-	ignoreDstTable.Insert(netip.MustParsePrefix("192.168.1.0/24"), true)
-	ignoreDstTable.Insert(netip.MustParsePrefix("10.0.0.0/8"), true)
-
-	c := &connector{
-		ignoreDsts: ignoreDstTable,
-	}
-
-	tests := []struct {
-		name     string
-		addrs    []netip.Addr
-		expected bool
-	}{
-		{
-			name:     "no_match",
-			addrs:    []netip.Addr{netip.MustParseAddr("8.8.8.8"), netip.MustParseAddr("1.1.1.1")},
-			expected: false,
-		},
-		{
-			name:     "one_match",
-			addrs:    []netip.Addr{netip.MustParseAddr("8.8.8.8"), netip.MustParseAddr("192.168.1.5")},
-			expected: true,
-		},
-		{
-			name:     "all_match",
-			addrs:    []netip.Addr{netip.MustParseAddr("10.0.0.1"), netip.MustParseAddr("192.168.1.5")},
-			expected: true,
-		},
-		{
-			name:     "empty_addrs",
-			addrs:    []netip.Addr{},
-			expected: false,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			got := c.ignoreDestination(tc.addrs)
-			if got != tc.expected {
-				t.Errorf("ignoreDestination(%v) = %v, want %v", tc.addrs, got, tc.expected)
-			}
-		})
-	}
-}
-
-func TestConnectorGenerateDNSResponse(t *testing.T) {
-	c := &connector{
-		v4Ranges:      []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")},
-		v6ULA:         netip.MustParsePrefix("fd7a:115c:a1e0:a99c:0001::/80"),
-		dnsAddr:       netip.MustParseAddr("100.64.1.0"),
-		numV4DNSAddrs: (1<<(32-24) - 1),
-	}
-
-	req := &dnsmessage.Message{
-		Header: dnsmessage.Header{ID: 1234},
-		Questions: []dnsmessage.Question{
-			{
-				Name:  dnsmessage.MustNewName("example.com."),
-				Type:  dnsmessage.TypeA,
-				Class: dnsmessage.ClassINET,
-			},
-		},
-	}
-
-	nodeID := tailcfg.NodeID(12345)
-
-	resp1, err := c.generateDNSResponse(req, nodeID)
-	if err != nil {
-		t.Fatalf("generateDNSResponse() error = %v", err)
-	}
-	if len(resp1) == 0 {
-		t.Fatalf("generateDNSResponse() returned empty response")
-	}
-
-	resp2, err := c.generateDNSResponse(req, nodeID)
-	if err != nil {
-		t.Fatalf("generateDNSResponse() second call error = %v", err)
-	}
-
-	if !cmp.Equal(resp1, resp2) {
-		t.Errorf("generateDNSResponse() responses differ between calls")
-	}
-}
-
-func TestIPPoolExhaustion(t *testing.T) {
-	smallPrefix := netip.MustParsePrefix("100.64.1.0/30") // Only 4 IPs: .0, .1, .2, .3
-	c := &connector{
-		v6ULA:         netip.MustParsePrefix("fd7a:115c:a1e0:a99c:0001::/80"),
-		v4Ranges:      []netip.Prefix{smallPrefix},
-		dnsAddr:       netip.MustParseAddr("100.64.1.0"),
-		numV4DNSAddrs: 3,
-	}
-
-	ps := &perPeerState{c: c}
-
-	assignedIPs := make(map[netip.Addr]string)
-
-	domains := []string{"a.example.com", "b.example.com", "c.example.com", "d.example.com"}
-
-	var errs []error
-
-	for i := 0; i < 5; i++ {
-		for _, domain := range domains {
-			addrs, err := ps.ipForDomain(domain)
-			if err != nil {
-				errs = append(errs, fmt.Errorf("failed to get IP for domain %q: %w", domain, err))
-				continue
-			}
-
-			for _, addr := range addrs {
-				if d, ok := assignedIPs[addr]; ok {
-					if d != domain {
-						t.Errorf("IP %s reused for domain %q, previously assigned to %q", addr, domain, d)
-					}
-				} else {
-					assignedIPs[addr] = domain
-				}
-			}
-		}
-	}
-
-	for addr, domain := range assignedIPs {
-		if addr.Is4() && !smallPrefix.Contains(addr) {
-			t.Errorf("IP %s for domain %q not in expected range %s", addr, domain, smallPrefix)
-		}
-		if addr.Is6() && !c.v6ULA.Contains(addr) {
-			t.Errorf("IP %s for domain %q not in expected range %s", addr, domain, c.v6ULA)
-		}
-		if addr == c.dnsAddr {
-			t.Errorf("IP %s for domain %q is the reserved DNS address", addr, domain)
-		}
-	}
-
-	// expect one error for each iteration with the 4th domain
-	if len(errs) != 5 {
-		t.Errorf("Expected 5 errors, got %d: %v", len(errs), errs)
-	}
-	for _, err := range errs {
-		if !errors.Is(err, ErrNoIPsAvailable) {
-			t.Errorf("generateDNSResponse() error = %v, want ErrNoIPsAvailable", err)
-		}
-	}
-}

control/controlhttp/client.go

@@ -96,9 +96,6 @@ func (a *Dialer) httpsFallbackDelay() time.Duration {
 var _ = envknob.RegisterBool("TS_USE_CONTROL_DIAL_PLAN") // to record at init time whether it's in use
 
 func (a *Dialer) dial(ctx context.Context) (*ClientConn, error) {
-
-	a.logPort80Failure.Store(true)
-
 	// If we don't have a dial plan, just fall back to dialing the single
 	// host we know about.
 	useDialPlan := envknob.BoolDefaultTrue("TS_USE_CONTROL_DIAL_PLAN")
@@ -281,9 +278,7 @@ func (d *Dialer) forceNoise443() bool {
 		// This heuristic works around networks where port 80 is MITMed and
 		// appears to work for a bit post-Upgrade but then gets closed,
 		// such as seen in https://github.com/tailscale/tailscale/issues/13597.
-		if d.logPort80Failure.CompareAndSwap(true, false) {
-			d.logf("controlhttp: forcing port 443 dial due to recent noise dial")
-		}
+		d.logf("controlhttp: forcing port 443 dial due to recent noise dial")
 		return true
 	}
 

control/controlhttp/constants.go

@@ -6,7 +6,6 @@ package controlhttp
 import (
 	"net/http"
 	"net/url"
-	"sync/atomic"
 	"time"
 
 	"tailscale.com/health"
@@ -91,11 +90,6 @@ type Dialer struct {
 
 	proxyFunc func(*http.Request) (*url.URL, error) // or nil
 
-	// logPort80Failure is whether we should log about port 80 interceptions
-	// and forcing a port 443 dial. We do this only once per "dial" method
-	// which can result in many concurrent racing dialHost calls.
-	logPort80Failure atomic.Bool
-
 	// For tests only
 	drainFinished        chan struct{}
 	omitCertErrorLogging bool

ipn/ipnlocal/local.go

@@ -958,9 +958,7 @@ func (b *LocalBackend) linkChange(delta *netmon.ChangeDelta) {
 
 	if peerAPIListenAsync && b.netMap != nil && b.state == ipn.Running {
 		want := b.netMap.GetAddresses().Len()
-		have := len(b.peerAPIListeners)
-		b.logf("[v1] linkChange: have %d peerAPIListeners, want %d", have, want)
-		if have < want {
+		if len(b.peerAPIListeners) < want {
 			b.logf("linkChange: peerAPIListeners too low; trying again")
 			b.goTracker.Go(b.initPeerAPIListener)
 		}
@@ -2404,9 +2402,11 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 	}
 
 	var auditLogShutdown func()
+	// Audit logging is only available if the client has set up a proper persistent
+	// store for the logs in sys.
 	store, ok := b.sys.AuditLogStore.GetOK()
 	if !ok {
-		// Use memory store by default if no explicit store is provided.
+		b.logf("auditlog: [unexpected] no persistent audit log storage configured.  using memory store.")
 		store = auditlog.NewLogStore(&memstore.Store{})
 	}
 
@@ -3479,20 +3479,18 @@ func (b *LocalBackend) onTailnetDefaultAutoUpdate(au bool) {
 		// can still manually enable auto-updates on this node.
 		return
 	}
-	if clientupdate.CanAutoUpdate() {
-		b.logf("using tailnet default auto-update setting: %v", au)
-		prefsClone := prefs.AsStruct()
-		prefsClone.AutoUpdate.Apply = opt.NewBool(au)
-		_, err := b.editPrefsLockedOnEntry(&ipn.MaskedPrefs{
-			Prefs: *prefsClone,
-			AutoUpdateSet: ipn.AutoUpdatePrefsMask{
-				ApplySet: true,
-			},
-		}, unlock)
-		if err != nil {
-			b.logf("failed to apply tailnet-wide default for auto-updates (%v): %v", au, err)
-			return
-		}
+	b.logf("using tailnet default auto-update setting: %v", au)
+	prefsClone := prefs.AsStruct()
+	prefsClone.AutoUpdate.Apply = opt.NewBool(au)
+	_, err := b.editPrefsLockedOnEntry(&ipn.MaskedPrefs{
+		Prefs: *prefsClone,
+		AutoUpdateSet: ipn.AutoUpdatePrefsMask{
+			ApplySet: true,
+		},
+	}, unlock)
+	if err != nil {
+		b.logf("failed to apply tailnet-wide default for auto-updates (%v): %v", au, err)
+		return
 	}
 }
 
@@ -4968,7 +4966,7 @@ func (b *LocalBackend) authReconfig() {
 		return
 	}
 
-	oneCGNATRoute := shouldUseOneCGNATRoute(b.logf, b.sys.NetMon.Get(), b.sys.ControlKnobs(), version.OS())
+	oneCGNATRoute := shouldUseOneCGNATRoute(b.logf, b.sys.ControlKnobs(), version.OS())
 	rcfg := b.routerConfig(cfg, prefs, oneCGNATRoute)
 
 	err = b.e.Reconfig(cfg, rcfg, dcfg)
@@ -4992,7 +4990,7 @@ func (b *LocalBackend) authReconfig() {
 //
 // The versionOS is a Tailscale-style version ("iOS", "macOS") and not
 // a runtime.GOOS.
-func shouldUseOneCGNATRoute(logf logger.Logf, mon *netmon.Monitor, controlKnobs *controlknobs.Knobs, versionOS string) bool {
+func shouldUseOneCGNATRoute(logf logger.Logf, controlKnobs *controlknobs.Knobs, versionOS string) bool {
 	if controlKnobs != nil {
 		// Explicit enabling or disabling always take precedence.
 		if v, ok := controlKnobs.OneCGNAT.Load().Get(); ok {
@@ -5007,7 +5005,7 @@ func shouldUseOneCGNATRoute(logf logger.Logf, mon *netmon.Monitor, controlKnobs
 	// use fine-grained routes if another interfaces is also using the CGNAT
 	// IP range.
 	if versionOS == "macOS" {
-		hasCGNATInterface, err := mon.HasCGNATInterface()
+		hasCGNATInterface, err := netmon.HasCGNATInterface()
 		if err != nil {
 			logf("shouldUseOneCGNATRoute: Could not determine if any interfaces use CGNAT: %v", err)
 			return false
@@ -5369,7 +5367,6 @@ func (b *LocalBackend) initPeerAPIListener() {
 			ln, err = ps.listen(a.Addr(), b.prevIfState)
 			if err != nil {
 				if peerAPIListenAsync {
-					b.logf("possibly transient peerapi listen(%q) error, will try again on linkChange: %v", a.Addr(), err)
 					// Expected. But we fix it later in linkChange
 					// ("peerAPIListeners too low").
 					continue

ipn/ipnlocal/peerapi.go

@@ -481,7 +481,7 @@ func (h *peerAPIHandler) handleServeInterfaces(w http.ResponseWriter, r *http.Re
 		fmt.Fprintf(w, "<h3>Could not get the default route: %s</h3>\n", html.EscapeString(err.Error()))
 	}
 
-	if hasCGNATInterface, err := h.ps.b.sys.NetMon.Get().HasCGNATInterface(); hasCGNATInterface {
+	if hasCGNATInterface, err := netmon.HasCGNATInterface(); hasCGNATInterface {
 		fmt.Fprintln(w, "<p>There is another interface using the CGNAT range.</p>")
 	} else if err != nil {
 		fmt.Fprintf(w, "<p>Could not check for CGNAT interfaces: %s</p>\n", html.EscapeString(err.Error()))

ipn/store/kubestore/store_kube.go

@@ -143,6 +143,15 @@ func (s *Store) WriteTLSCertAndKey(domain string, cert, key []byte) (err error)
 	if err := dnsname.ValidHostname(domain); err != nil {
 		return fmt.Errorf("invalid domain name %q: %w", domain, err)
 	}
+	defer func() {
+		// TODO(irbekrm): a read between these two separate writes would
+		// get a mismatched cert and key.  Allow writing both cert and
+		// key to the memory store in a single, lock-protected operation.
+		if err == nil {
+			s.memory.WriteState(ipn.StateKey(domain+".crt"), cert)
+			s.memory.WriteState(ipn.StateKey(domain+".key"), key)
+		}
+	}()
 	secretName := s.secretName
 	data := map[string][]byte{
 		domain + ".crt": cert,
@@ -157,32 +166,19 @@ func (s *Store) WriteTLSCertAndKey(domain string, cert, key []byte) (err error)
 			keyTLSKey:  key,
 		}
 	}
-	if err := s.updateSecret(data, secretName); err != nil {
-		return fmt.Errorf("error writing TLS cert and key to Secret: %w", err)
-	}
-	// TODO(irbekrm): certs for write replicas are currently not
-	// written to memory to avoid out of sync memory state after
-	// Ingress resources have been recreated.  This means that TLS
-	// certs for write replicas are retrieved from the Secret on
-	// each HTTPS request.  This is a temporary solution till we
-	// implement a Secret watch.
-	if s.certShareMode != "rw" {
-		s.memory.WriteState(ipn.StateKey(domain+".crt"), cert)
-		s.memory.WriteState(ipn.StateKey(domain+".key"), key)
-	}
-	return nil
+	return s.updateSecret(data, secretName)
 }
 
 // ReadTLSCertAndKey reads a TLS cert and key from memory or from a
 // domain-specific Secret. It first checks the in-memory store, if not found in
 // memory and running cert store in read-only mode, looks up a Secret.
-// Note that write replicas of HA Ingress always retrieve TLS certs from Secrets.
 func (s *Store) ReadTLSCertAndKey(domain string) (cert, key []byte, err error) {
 	if err := dnsname.ValidHostname(domain); err != nil {
 		return nil, nil, fmt.Errorf("invalid domain name %q: %w", domain, err)
 	}
 	certKey := domain + ".crt"
 	keyKey := domain + ".key"
+
 	cert, err = s.memory.ReadState(ipn.StateKey(certKey))
 	if err == nil {
 		key, err = s.memory.ReadState(ipn.StateKey(keyKey))
@@ -190,12 +186,16 @@ func (s *Store) ReadTLSCertAndKey(domain string) (cert, key []byte, err error) {
 			return cert, key, nil
 		}
 	}
-	if s.certShareMode == "" {
+	if s.certShareMode != "ro" {
 		return nil, nil, ipn.ErrStateNotExist
 	}
+	// If we are in cert share read only mode, it is possible that a write
+	// replica just issued the TLS cert for this DNS name and it has not
+	// been loaded to store yet, so check the Secret.
 
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
+
 	secret, err := s.client.GetSecret(ctx, domain)
 	if err != nil {
 		if kubeclient.IsNotFoundErr(err) {
@@ -212,18 +212,9 @@ func (s *Store) ReadTLSCertAndKey(domain string) (cert, key []byte, err error) {
 	}
 	// TODO(irbekrm): a read between these two separate writes would
 	// get a mismatched cert and key.  Allow writing both cert and
-	// key to the memory store in a single, lock-protected operation.
-	//
-	// TODO(irbekrm): currently certs for write replicas of HA Ingress get
-	// retrieved from the cluster Secret on each HTTPS request to avoid a
-	// situation when after Ingress recreation stale certs are read from
-	// memory.
-	// Fix this by watching Secrets to ensure that memory store gets updated
-	// when Secrets are deleted.
-	if s.certShareMode == "ro" {
-		s.memory.WriteState(ipn.StateKey(certKey), cert)
-		s.memory.WriteState(ipn.StateKey(keyKey), key)
-	}
+	// key to the memory store in a single lock-protected operation.
+	s.memory.WriteState(ipn.StateKey(certKey), cert)
+	s.memory.WriteState(ipn.StateKey(keyKey), key)
 	return cert, key, nil
 }
 

ipn/store/kubestore/store_kube_test.go

@@ -201,6 +201,10 @@ func TestWriteTLSCertAndKey(t *testing.T) {
 				"tls.crt": []byte(testCert),
 				"tls.key": []byte(testKey),
 			},
+			wantMemoryStore: map[ipn.StateKey][]byte{
+				"my-app.tailnetxyz.ts.net.crt": []byte(testCert),
+				"my-app.tailnetxyz.ts.net.key": []byte(testKey),
+			},
 		},
 		{
 			name: "cert_share_mode_write_update_existing",
@@ -215,6 +219,10 @@ func TestWriteTLSCertAndKey(t *testing.T) {
 				"tls.crt": []byte(testCert),
 				"tls.key": []byte(testKey),
 			},
+			wantMemoryStore: map[ipn.StateKey][]byte{
+				"my-app.tailnetxyz.ts.net.crt": []byte(testCert),
+				"my-app.tailnetxyz.ts.net.key": []byte(testKey),
+			},
 		},
 		{
 			name: "update_existing",
@@ -359,7 +367,7 @@ func TestReadTLSCertAndKey(t *testing.T) {
 		wantMemoryStore map[ipn.StateKey][]byte
 	}{
 		{
-			name: "found_in_memory",
+			name: "found",
 			memoryStore: map[ipn.StateKey][]byte{
 				"my-app.tailnetxyz.ts.net.crt": []byte(testCert),
 				"my-app.tailnetxyz.ts.net.key": []byte(testKey),
@@ -373,7 +381,7 @@ func TestReadTLSCertAndKey(t *testing.T) {
 			},
 		},
 		{
-			name:    "not_found_in_memory",
+			name:    "not_found",
 			domain:  testDomain,
 			wantErr: ipn.ErrStateNotExist,
 		},
@@ -392,17 +400,6 @@ func TestReadTLSCertAndKey(t *testing.T) {
 				"my-app.tailnetxyz.ts.net.key": []byte(testKey),
 			},
 		},
-		{
-			name:          "cert_share_rw_mode_found_in_secret",
-			certShareMode: "rw",
-			domain:        testDomain,
-			secretData: map[string][]byte{
-				"tls.crt": []byte(testCert),
-				"tls.key": []byte(testKey),
-			},
-			wantCert: []byte(testCert),
-			wantKey:  []byte(testKey),
-		},
 		{
 			name:          "cert_share_ro_mode_found_in_memory",
 			certShareMode: "ro",

k8s-operator/api.md

@@ -600,7 +600,7 @@ _Appears in:_
 
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `type` _[ProxyGroupType](#proxygrouptype)_ | Type of the ProxyGroup proxies. Currently the only supported type is egress.<br />Type is immutable once a ProxyGroup is created. |  | Enum: [egress ingress] <br />Type: string <br /> |
+| `type` _[ProxyGroupType](#proxygrouptype)_ | Type of the ProxyGroup proxies. Supported types are egress and ingress.<br />Type is immutable once a ProxyGroup is created. |  | Enum: [egress ingress] <br />Type: string <br /> |
 | `tags` _[Tags](#tags)_ | Tags that the Tailscale devices will be tagged with. Defaults to [tag:k8s].<br />If you specify custom tags here, make sure you also make the operator<br />an owner of these tags.<br />See  https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator.<br />Tags cannot be changed once a ProxyGroup device has been created.<br />Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$. |  | Pattern: `^tag:[a-zA-Z][a-zA-Z0-9-]*$` <br />Type: string <br /> |
 | `replicas` _integer_ | Replicas specifies how many replicas to create the StatefulSet with.<br />Defaults to 2. |  | Minimum: 0 <br /> |
 | `hostnamePrefix` _[HostnamePrefix](#hostnameprefix)_ | HostnamePrefix is the hostname prefix to use for tailnet devices created<br />by the ProxyGroup. Each device will have the integer number from its<br />StatefulSet pod appended to this prefix to form the full hostname.<br />HostnamePrefix can contain lower case letters, numbers and dashes, it<br />must not start with a dash and must be between 1 and 62 characters long. |  | Pattern: `^[a-z0-9][a-z0-9-]{0,61}$` <br />Type: string <br /> |

k8s-operator/apis/v1alpha1/types_proxygroup.go

@@ -48,7 +48,7 @@ type ProxyGroupList struct {
 }
 
 type ProxyGroupSpec struct {
-	// Type of the ProxyGroup proxies. Currently the only supported type is egress.
+	// Type of the ProxyGroup proxies. Supported types are egress and ingress.
 	// Type is immutable once a ProxyGroup is created.
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="ProxyGroup type is immutable"
 	Type ProxyGroupType `json:"type"`

net/netmon/interfaces_test.go

@@ -13,7 +13,7 @@ import (
 )
 
 func TestGetState(t *testing.T) {
-	st, err := getState("")
+	st, err := GetState()
 	if err != nil {
 		t.Fatal(err)
 	}

net/netmon/netmon.go

@@ -161,7 +161,7 @@ func (m *Monitor) InterfaceState() *State {
 }
 
 func (m *Monitor) interfaceStateUncached() (*State, error) {
-	return getState(m.tsIfName)
+	return GetState()
 }
 
 // SetTailscaleInterfaceName sets the name of the Tailscale interface. For

net/netmon/state.go

@@ -461,22 +461,21 @@ func isTailscaleInterface(name string, ips []netip.Prefix) bool {
 // getPAC, if non-nil, returns the current PAC file URL.
 var getPAC func() string
 
-// getState returns the state of all the current machine's network interfaces.
+// GetState returns the state of all the current machine's network interfaces.
 //
 // It does not set the returned State.IsExpensive. The caller can populate that.
 //
-// optTSInterfaceName is the name of the Tailscale interface, if known.
-func getState(optTSInterfaceName string) (*State, error) {
+// Deprecated: use netmon.Monitor.InterfaceState instead.
+func GetState() (*State, error) {
 	s := &State{
 		InterfaceIPs: make(map[string][]netip.Prefix),
 		Interface:    make(map[string]Interface),
 	}
 	if err := ForeachInterface(func(ni Interface, pfxs []netip.Prefix) {
-		isTSInterfaceName := optTSInterfaceName != "" && ni.Name == optTSInterfaceName
 		ifUp := ni.IsUp()
 		s.Interface[ni.Name] = ni
 		s.InterfaceIPs[ni.Name] = append(s.InterfaceIPs[ni.Name], pfxs...)
-		if !ifUp || isTSInterfaceName || isTailscaleInterface(ni.Name, pfxs) {
+		if !ifUp || isTailscaleInterface(ni.Name, pfxs) {
 			return
 		}
 		for _, pfx := range pfxs {
@@ -756,12 +755,11 @@ func DefaultRoute() (DefaultRouteDetails, error) {
 
 // HasCGNATInterface reports whether there are any non-Tailscale interfaces that
 // use a CGNAT IP range.
-func (m *Monitor) HasCGNATInterface() (bool, error) {
+func HasCGNATInterface() (bool, error) {
 	hasCGNATInterface := false
 	cgnatRange := tsaddr.CGNATRange()
 	err := ForeachInterface(func(i Interface, pfxs []netip.Prefix) {
-		isTSInterfaceName := m.tsIfName != "" && i.Name == m.tsIfName
-		if hasCGNATInterface || !i.IsUp() || isTSInterfaceName || isTailscaleInterface(i.Name, pfxs) {
+		if hasCGNATInterface || !i.IsUp() || isTailscaleInterface(i.Name, pfxs) {
 			return
 		}
 		for _, pfx := range pfxs {

prober/derp.go

@@ -596,23 +596,11 @@ func (d *derpProber) updateMap(ctx context.Context) error {
 }
 
 func (d *derpProber) ProbeUDP(ipaddr string, port int) ProbeClass {
-	initLabels := make(Labels)
-	ip := net.ParseIP(ipaddr)
-
-	if ip.To4() != nil {
-		initLabels["address_family"] = "ipv4"
-	} else if ip.To16() != nil { // Will return an IPv4 as 16 byte, so ensure the check for IPv4 precedes this
-		initLabels["address_family"] = "ipv6"
-	} else {
-		initLabels["address_family"] = "unknown"
-	}
-
 	return ProbeClass{
 		Probe: func(ctx context.Context) error {
 			return derpProbeUDP(ctx, ipaddr, port)
 		},
-		Class:  "derp_udp",
-		Labels: initLabels,
+		Class: "derp_udp",
 	}
 }
 

prober/prober.go

@@ -404,14 +404,10 @@ func (p *Probe) recordEndLocked(err error) {
 		p.mSeconds.WithLabelValues("ok").Add(latency.Seconds())
 		p.latencyHist.Value = latency
 		p.latencyHist = p.latencyHist.Next()
-		p.mAttempts.WithLabelValues("fail").Add(0)
-		p.mSeconds.WithLabelValues("fail").Add(0)
 	} else {
 		p.latency = 0
 		p.mAttempts.WithLabelValues("fail").Inc()
 		p.mSeconds.WithLabelValues("fail").Add(latency.Seconds())
-		p.mAttempts.WithLabelValues("ok").Add(0)
-		p.mSeconds.WithLabelValues("ok").Add(0)
 	}
 	p.successHist.Value = p.succeeded
 	p.successHist = p.successHist.Next()

tsnet/tsnet.go

@@ -505,11 +505,6 @@ func (s *Server) start() (reterr error) {
 			// directory and hostname when they're not supplied. But we can fall
 			// back to "tsnet" as well.
 			exe = "tsnet"
-		case "ios":
-			// When compiled as a framework (via TailscaleKit in libtailscale),
-			// os.Executable() returns an error, so fall back to "tsnet" there
-			// too.
-			exe = "tsnet"
 		default:
 			return err
 		}

tstest/integration/testcontrol/testcontrol.go

@@ -839,17 +839,15 @@ func (s *Server) serveMap(w http.ResponseWriter, r *http.Request, mkey key.Machi
 
 	w.WriteHeader(200)
 	for {
-		// Only send raw map responses to the streaming poll, to avoid a
-		// non-streaming map request beating the streaming poll in a race and
-		// potentially dropping the map response.
-		if streaming {
-			if resBytes, ok := s.takeRawMapMessage(req.NodeKey); ok {
-				if err := s.sendMapMsg(w, compress, resBytes); err != nil {
-					s.logf("sendMapMsg of raw message: %v", err)
-					return
-				}
+		if resBytes, ok := s.takeRawMapMessage(req.NodeKey); ok {
+			if err := s.sendMapMsg(w, compress, resBytes); err != nil {
+				s.logf("sendMapMsg of raw message: %v", err)
+				return
+			}
+			if streaming {
 				continue
 			}
+			return
 		}
 
 		if s.canGenerateAutomaticMapResponseFor(req.NodeKey) {

tstest/mts/mts.go

@@ -1,599 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux || darwin
-
-// The mts ("Multiple Tailscale") command runs multiple tailscaled instances for
-// development, managing their directories and sockets, and lets you easily direct
-// tailscale CLI commands to them.
-package main
-
-import (
-	"bufio"
-	"context"
-	"encoding/json"
-	"flag"
-	"fmt"
-	"io"
-	"log"
-	"maps"
-	"net"
-	"net/http"
-	"net/url"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"regexp"
-	"slices"
-	"strings"
-	"sync"
-	"syscall"
-	"time"
-
-	"tailscale.com/client/local"
-	"tailscale.com/types/bools"
-	"tailscale.com/types/lazy"
-	"tailscale.com/util/mak"
-)
-
-func usage(args ...any) {
-	var format string
-	if len(args) > 0 {
-		format, args = args[0].(string), args[1:]
-	}
-	if format != "" {
-		format = strings.TrimSpace(format) + "\n\n"
-		fmt.Fprintf(os.Stderr, format, args...)
-	}
-	io.WriteString(os.Stderr, strings.TrimSpace(`
-usage:
-
-   mts server <subcommand>      # manage tailscaled instances
-   mts server run               # run the mts server (parent process of all tailscaled)
-   mts server list              # list all tailscaled and their state
-   mts server list <name>       # show details of named instance
-   mts server add <name>        # add+start new named tailscaled
-   mts server start <name>      # start a previously added tailscaled
-   mts server stop <name>       # stop & remove a named tailscaled
-   mts server rm <name>         # stop & remove a named tailscaled
-   mts server logs [-f] <name>  # get/follow tailscaled logs
-
-  mts <inst-name> [tailscale CLI args] # run Tailscale CLI against a named instance
-    e.g.
-      mts gmail1 up
-      mts github2 status --json
-	`)+"\n")
-	os.Exit(1)
-}
-
-func main() {
-	// Don't use flag.Parse here; we mostly just delegate through
-	// to the Tailscale CLI.
-
-	if len(os.Args) < 2 {
-		usage()
-	}
-	firstArg, args := os.Args[1], os.Args[2:]
-	if firstArg == "server" || firstArg == "s" {
-		if err := runMTSServer(args); err != nil {
-			log.Fatal(err)
-		}
-	} else {
-		var c Client
-		inst := firstArg
-		c.RunCommand(inst, args)
-	}
-}
-
-func runMTSServer(args []string) error {
-	if len(args) == 0 {
-		usage()
-	}
-	cmd, args := args[0], args[1:]
-	if cmd == "run" {
-		var s Server
-		return s.Run()
-	}
-
-	// Commands other than "run" all use the HTTP client to
-	// hit the mts server over its unix socket.
-	var c Client
-
-	switch cmd {
-	default:
-		usage("unknown mts server subcommand %q", cmd)
-	case "list", "ls":
-		list, err := c.List()
-		if err != nil {
-			return err
-		}
-		if len(args) == 0 {
-			names := slices.Sorted(maps.Keys(list.Instances))
-			for _, name := range names {
-				running := list.Instances[name].Running
-				fmt.Printf("%10s %s\n", bools.IfElse(running, "RUNNING", "stopped"), name)
-			}
-		} else {
-			for _, name := range args {
-				inst, ok := list.Instances[name]
-				if !ok {
-					return fmt.Errorf("no instance named %q", name)
-				}
-				je := json.NewEncoder(os.Stdout)
-				je.SetIndent("", "  ")
-				if err := je.Encode(inst); err != nil {
-					return err
-				}
-			}
-		}
-
-	case "rm":
-		if len(args) == 0 {
-			return fmt.Errorf("missing instance name(s) to remove")
-		}
-		log.SetFlags(0)
-		for _, name := range args {
-			ok, err := c.Remove(name)
-			if err != nil {
-				return err
-			}
-			if ok {
-				log.Printf("%s deleted.", name)
-			} else {
-				log.Printf("%s didn't exist.", name)
-			}
-		}
-	case "stop":
-		if len(args) == 0 {
-			return fmt.Errorf("missing instance name(s) to stop")
-		}
-		log.SetFlags(0)
-		for _, name := range args {
-			ok, err := c.Stop(name)
-			if err != nil {
-				return err
-			}
-			if ok {
-				log.Printf("%s stopped.", name)
-			} else {
-				log.Printf("%s didn't exist.", name)
-			}
-		}
-	case "start", "restart":
-		list, err := c.List()
-		if err != nil {
-			return err
-		}
-		shouldStop := cmd == "restart"
-		for _, arg := range args {
-			is, ok := list.Instances[arg]
-			if !ok {
-				return fmt.Errorf("no instance named %q", arg)
-			}
-			if is.Running {
-				if shouldStop {
-					if _, err := c.Stop(arg); err != nil {
-						return fmt.Errorf("stopping %q: %w", arg, err)
-					}
-				} else {
-					log.SetFlags(0)
-					log.Printf("%s already running.", arg)
-					continue
-				}
-			}
-			// Creating an existing one starts it up.
-			if err := c.Create(arg); err != nil {
-				return fmt.Errorf("starting %q: %w", arg, err)
-			}
-		}
-	case "add":
-		if len(args) == 0 {
-			return fmt.Errorf("missing instance name(s) to add")
-		}
-		for _, name := range args {
-			if err := c.Create(name); err != nil {
-				return fmt.Errorf("creating %q: %w", name, err)
-			}
-		}
-	case "logs":
-		fs := flag.NewFlagSet("logs", flag.ExitOnError)
-		fs.Usage = func() { usage() }
-		follow := fs.Bool("f", false, "follow logs")
-		fs.Parse(args)
-		log.Printf("Parsed; following=%v, args=%q", *follow, fs.Args())
-		if fs.NArg() != 1 {
-			usage()
-		}
-		cmd := bools.IfElse(*follow, "tail", "cat")
-		args := []string{cmd}
-		if *follow {
-			args = append(args, "-f")
-		}
-		path, err := exec.LookPath(cmd)
-		if err != nil {
-			return fmt.Errorf("looking up %q: %w", cmd, err)
-		}
-		args = append(args, instLogsFile(fs.Arg(0)))
-		log.Fatal(syscall.Exec(path, args, os.Environ()))
-	}
-	return nil
-}
-
-type Client struct {
-}
-
-func (c *Client) client() *http.Client {
-	return &http.Client{
-		Transport: &http.Transport{
-			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				return net.Dial("unix", mtsSock())
-			},
-		},
-	}
-}
-
-func getJSON[T any](res *http.Response, err error) (T, error) {
-	var ret T
-	if err != nil {
-		return ret, err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != http.StatusOK {
-		body, _ := io.ReadAll(res.Body)
-		return ret, fmt.Errorf("unexpected status: %v: %s", res.Status, body)
-	}
-	if err := json.NewDecoder(res.Body).Decode(&ret); err != nil {
-		return ret, err
-	}
-	return ret, nil
-}
-
-func (c *Client) List() (listResponse, error) {
-	return getJSON[listResponse](c.client().Get("http://mts/list"))
-}
-
-func (c *Client) Remove(name string) (found bool, err error) {
-	return getJSON[bool](c.client().PostForm("http://mts/rm", url.Values{
-		"name": []string{name},
-	}))
-}
-
-func (c *Client) Stop(name string) (found bool, err error) {
-	return getJSON[bool](c.client().PostForm("http://mts/stop", url.Values{
-		"name": []string{name},
-	}))
-}
-
-func (c *Client) Create(name string) error {
-	req, err := http.NewRequest("POST", "http://mts/create/"+name, nil)
-	if err != nil {
-		return err
-	}
-	resp, err := c.client().Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		body, _ := io.ReadAll(resp.Body)
-		return fmt.Errorf("unexpected status: %v: %s", resp.Status, body)
-	}
-	return nil
-}
-
-func (c *Client) RunCommand(name string, args []string) {
-	sock := instSock(name)
-	lc := &local.Client{
-		Socket:        sock,
-		UseSocketOnly: true,
-	}
-	probeCtx, cancel := context.WithTimeout(context.Background(), 250*time.Millisecond)
-	defer cancel()
-	if _, err := lc.StatusWithoutPeers(probeCtx); err != nil {
-		log.Fatalf("instance %q not running? start with 'mts server start %q'; got error: %v", name, name, err)
-	}
-	args = append([]string{"run", "tailscale.com/cmd/tailscale", "--socket=" + sock}, args...)
-	cmd := exec.Command("go", args...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	cmd.Stdin = os.Stdin
-	err := cmd.Run()
-	if err == nil {
-		os.Exit(0)
-	}
-	if exitErr, ok := err.(*exec.ExitError); ok {
-		os.Exit(exitErr.ExitCode())
-	}
-	panic(err)
-}
-
-type Server struct {
-	lazyTailscaled lazy.GValue[string]
-
-	mu   sync.Mutex
-	cmds map[string]*exec.Cmd // running tailscaled instances
-}
-
-func (s *Server) tailscaled() string {
-	v, err := s.lazyTailscaled.GetErr(func() (string, error) {
-		out, err := exec.Command("go", "list", "-f", "{{.Target}}", "tailscale.com/cmd/tailscaled").CombinedOutput()
-		if err != nil {
-			return "", err
-		}
-		return strings.TrimSpace(string(out)), nil
-	})
-	if err != nil {
-		panic(err)
-	}
-	return v
-}
-
-func (s *Server) Run() error {
-	if err := os.MkdirAll(mtsRoot(), 0700); err != nil {
-		return err
-	}
-	sock := mtsSock()
-	os.Remove(sock)
-	log.Printf("Multi-Tailscaled Server running; listening on %q ...", sock)
-	ln, err := net.Listen("unix", sock)
-	if err != nil {
-		return err
-	}
-	return http.Serve(ln, s)
-}
-
-var validNameRx = regexp.MustCompile(`^[a-zA-Z0-9_-]+$`)
-
-func validInstanceName(name string) bool {
-	return validNameRx.MatchString(name)
-}
-
-func (s *Server) InstanceRunning(name string) bool {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	_, ok := s.cmds[name]
-	return ok
-}
-
-func (s *Server) Stop(name string) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if cmd, ok := s.cmds[name]; ok {
-		if err := cmd.Process.Kill(); err != nil {
-			log.Printf("error killing %q: %v", name, err)
-		}
-		delete(s.cmds, name)
-	}
-}
-
-func (s *Server) RunInstance(name string) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	if _, ok := s.cmds[name]; ok {
-		return fmt.Errorf("instance %q already running", name)
-	}
-
-	if !validInstanceName(name) {
-		return fmt.Errorf("invalid instance name %q", name)
-	}
-	dir := filepath.Join(mtsRoot(), name)
-	if err := os.MkdirAll(dir, 0700); err != nil {
-		return err
-	}
-
-	env := os.Environ()
-	env = append(env, "TS_DEBUG_LOG_RATE=all")
-	if ef, err := os.Open(instEnvFile(name)); err == nil {
-		defer ef.Close()
-		sc := bufio.NewScanner(ef)
-		for sc.Scan() {
-			t := strings.TrimSpace(sc.Text())
-			if strings.HasPrefix(t, "#") || !strings.Contains(t, "=") {
-				continue
-			}
-			env = append(env, t)
-		}
-	} else if os.IsNotExist(err) {
-		// Write an example one.
-		os.WriteFile(instEnvFile(name), fmt.Appendf(nil, "# Example mts env.txt file; uncomment/add stuff you want for %q\n\n#TS_DEBUG_MAP=1\n#TS_DEBUG_REGISTER=1\n#TS_NO_LOGS_NO_SUPPORT=1\n", name), 0600)
-	}
-
-	extraArgs := []string{"--verbose=1"}
-	if af, err := os.Open(instArgsFile(name)); err == nil {
-		extraArgs = nil // clear default args
-		defer af.Close()
-		sc := bufio.NewScanner(af)
-		for sc.Scan() {
-			t := strings.TrimSpace(sc.Text())
-			if strings.HasPrefix(t, "#") || t == "" {
-				continue
-			}
-			extraArgs = append(extraArgs, t)
-		}
-	} else if os.IsNotExist(err) {
-		// Write an example one.
-		os.WriteFile(instArgsFile(name), fmt.Appendf(nil, "# Example mts args.txt file for instance %q.\n# One line per extra arg to tailscaled; no magic string quoting\n\n--verbose=1\n#--socks5-server=127.0.0.1:5000\n", name), 0600)
-	}
-
-	log.Printf("Running Tailscale daemon %q in %q", name, dir)
-
-	args := []string{
-		"--tun=userspace-networking",
-		"--statedir=" + filepath.Join(dir),
-		"--socket=" + filepath.Join(dir, "tailscaled.sock"),
-	}
-	args = append(args, extraArgs...)
-
-	cmd := exec.Command(s.tailscaled(), args...)
-	cmd.Dir = dir
-	cmd.Env = env
-
-	out, err := cmd.StdoutPipe()
-	if err != nil {
-		return err
-	}
-	cmd.Stderr = cmd.Stdout
-
-	logs := instLogsFile(name)
-	logFile, err := os.OpenFile(logs, os.O_CREATE|os.O_WRONLY|os.O_APPEND|os.O_TRUNC, 0644)
-	if err != nil {
-		return fmt.Errorf("opening logs file: %w", err)
-	}
-
-	go func() {
-		bs := bufio.NewScanner(out)
-		for bs.Scan() {
-			// TODO(bradfitz): record in memory too, serve via HTTP
-			line := strings.TrimSpace(bs.Text())
-			fmt.Fprintf(logFile, "%s\n", line)
-			fmt.Printf("tailscaled[%s]: %s\n", name, line)
-		}
-	}()
-
-	if err := cmd.Start(); err != nil {
-		return err
-	}
-	go func() {
-		err := cmd.Wait()
-		logFile.Close()
-		log.Printf("Tailscale daemon %q exited: %v", name, err)
-		s.mu.Lock()
-		defer s.mu.Unlock()
-		delete(s.cmds, name)
-	}()
-
-	mak.Set(&s.cmds, name, cmd)
-	return nil
-}
-
-type listResponse struct {
-	// Instances maps instance name to its details.
-	Instances map[string]listResponseInstance `json:"instances"`
-}
-
-type listResponseInstance struct {
-	Name    string `json:"name"`
-	Dir     string `json:"dir"`
-	Sock    string `json:"sock"`
-	Running bool   `json:"running"`
-	Env     string `json:"env"`
-	Args    string `json:"args"`
-	Logs    string `json:"logs"`
-}
-
-func writeJSON(w http.ResponseWriter, v any) {
-	w.Header().Set("Content-Type", "application/json")
-	e := json.NewEncoder(w)
-	e.SetIndent("", "  ")
-	e.Encode(v)
-}
-
-func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	if r.URL.Path == "/list" {
-		var res listResponse
-		for _, name := range s.InstanceNames() {
-			mak.Set(&res.Instances, name, listResponseInstance{
-				Name:    name,
-				Dir:     instDir(name),
-				Sock:    instSock(name),
-				Running: s.InstanceRunning(name),
-				Env:     instEnvFile(name),
-				Args:    instArgsFile(name),
-				Logs:    instLogsFile(name),
-			})
-		}
-		writeJSON(w, res)
-		return
-	}
-	if r.URL.Path == "/rm" || r.URL.Path == "/stop" {
-		shouldRemove := r.URL.Path == "/rm"
-		if r.Method != "POST" {
-			http.Error(w, "POST required", http.StatusMethodNotAllowed)
-			return
-		}
-		target := r.FormValue("name")
-		var ok bool
-		for _, name := range s.InstanceNames() {
-			if name != target {
-				continue
-			}
-			ok = true
-			s.Stop(name)
-			if shouldRemove {
-				if err := os.RemoveAll(instDir(name)); err != nil {
-					http.Error(w, err.Error(), http.StatusInternalServerError)
-					return
-				}
-			}
-			break
-		}
-		writeJSON(w, ok)
-		return
-	}
-	if inst, ok := strings.CutPrefix(r.URL.Path, "/create/"); ok {
-		if !s.InstanceRunning(inst) {
-			if err := s.RunInstance(inst); err != nil {
-				http.Error(w, err.Error(), http.StatusInternalServerError)
-				return
-			}
-		}
-		fmt.Fprintf(w, "OK\n")
-		return
-	}
-	if r.URL.Path == "/" {
-		fmt.Fprintf(w, "This is mts, the multi-tailscaled server.\n")
-		return
-	}
-	http.NotFound(w, r)
-}
-
-func (s *Server) InstanceNames() []string {
-	var ret []string
-	des, err := os.ReadDir(mtsRoot())
-	if err != nil {
-		if os.IsNotExist(err) {
-			return nil
-		}
-		panic(err)
-	}
-	for _, de := range des {
-		if !de.IsDir() {
-			continue
-		}
-		ret = append(ret, de.Name())
-	}
-	return ret
-}
-
-func mtsRoot() string {
-	dir, err := os.UserConfigDir()
-	if err != nil {
-		panic(err)
-	}
-	return filepath.Join(dir, "multi-tailscale-dev")
-}
-
-func instDir(name string) string {
-	return filepath.Join(mtsRoot(), name)
-}
-
-func instSock(name string) string {
-	return filepath.Join(instDir(name), "tailscaled.sock")
-}
-
-func instEnvFile(name string) string {
-	return filepath.Join(mtsRoot(), name, "env.txt")
-}
-
-func instArgsFile(name string) string {
-	return filepath.Join(mtsRoot(), name, "args.txt")
-}
-
-func instLogsFile(name string) string {
-	return filepath.Join(mtsRoot(), name, "logs.txt")
-}
-
-func mtsSock() string {
-	return filepath.Join(mtsRoot(), "mts.sock")
-}