go.mod.sri: update SRI hash for go.mod changes

Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
2025-03-13 17:38:34 +00:00
98 changed files with 770 additions and 4232 deletions
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -30,7 +30,7 @@ jobs:
          token: ${{ secrets.GOVULNCHECK_BOT_TOKEN }}
          payload: |
            {
-              "channel": "C08FGKZCQTW",
+              "channel": "C05PXRM304B",
              "blocks": [
                {
                  "type": "section",
--- a/ALPINE.txt
+++ b/ALPINE.txt
@@ -1 +1 @@
-3.19
+3.18
--- a/4
+++ b/4
@@ -62,10 +62,8 @@ RUN GOARCH=$TARGETARCH go install -ldflags="\
      -X tailscale.com/version.gitCommitStamp=$VERSION_GIT_HASH" \
      -v ./cmd/tailscale ./cmd/tailscaled ./cmd/containerboot

-FROM alpine:3.19
+FROM alpine:3.18
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
-RUN rm /sbin/iptables && ln -s /sbin/iptables-legacy /sbin/iptables
-RUN rm /sbin/ip6tables && ln -s /sbin/ip6tables-legacy /sbin/ip6tables

 COPY --from=build-env /go/bin/* /usr/local/bin/
 # For compat with the previous run.sh, although ideally you should be
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -1,12 +1,5 @@
 # Copyright (c) Tailscale Inc & AUTHORS
 # SPDX-License-Identifier: BSD-3-Clause

-FROM alpine:3.19
-RUN apk add --no-cache ca-certificates iptables iptables-legacy iproute2 ip6tables iputils
-# Alpine 3.19 replaces legacy iptables with nftables based implementation.  We
-# can't be certain that all hosts that run Tailscale containers currently
-# suppport nftables, so link back to legacy for backwards compatibility reasons.
-# TODO(irbekrm): add some way how to determine if we still run on nodes that
-# don't support nftables, so that we can eventually remove these symlinks.
-RUN rm /sbin/iptables && ln -s /sbin/iptables-legacy /sbin/iptables
-RUN rm /sbin/ip6tables && ln -s /sbin/ip6tables-legacy /sbin/ip6tables
+FROM alpine:3.18
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables iputils
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.83.0
+1.81.0
--- a/build_docker.sh
+++ b/build_docker.sh
@@ -16,7 +16,7 @@ eval "$(./build_dist.sh shellvars)"

 DEFAULT_TARGET="client"
 DEFAULT_TAGS="v${VERSION_SHORT},v${VERSION_MINOR}"
-DEFAULT_BASE="tailscale/alpine-base:3.19"
+DEFAULT_BASE="tailscale/alpine-base:3.18"
 # Set a few pre-defined OCI annotations. The source annotation is used by tools such as Renovate that scan the linked
 # Github repo to find release notes for any new image tags. Note that for official Tailscale images the default
 # annotations defined here will be overriden by release scripts that call this script.
--- a/client/tailscale/devices.go
+++ b/client/tailscale/devices.go
@@ -79,13 +79,6 @@ type Device struct {
 	// Tailscale have attempted to collect this from the device but it has not
 	// opted in, PostureIdentity will have Disabled=true.
 	PostureIdentity *DevicePostureIdentity `json:"postureIdentity"`
-
-	// TailnetLockKey is the tailnet lock public key of the node as a hex string.
-	TailnetLockKey string `json:"tailnetLockKey,omitempty"`
-
-	// TailnetLockErr indicates an issue with the tailnet lock node-key signature
-	// on this device. This field is only populated when tailnet lock is enabled.
-	TailnetLockErr string `json:"tailnetLockError,omitempty"`
 }

 type DevicePostureIdentity struct {
--- a/client/web/web.go
+++ b/client/web/web.go
@@ -335,8 +335,7 @@ func (s *Server) requireTailscaleIP(w http.ResponseWriter, r *http.Request) (han
 		ipv6ServiceHost = "[" + tsaddr.TailscaleServiceIPv6String + "]"
 	)
 	// allow requests on quad-100 (or ipv6 equivalent)
-	host := strings.TrimSuffix(r.Host, ":80")
-	if host == ipv4ServiceHost || host == ipv6ServiceHost {
+	if r.Host == ipv4ServiceHost || r.Host == ipv6ServiceHost {
 		return false
 	}

--- a/client/web/web_test.go
+++ b/client/web/web_test.go
@@ -1177,16 +1177,6 @@ func TestRequireTailscaleIP(t *testing.T) {
 			target:      "http://[fd7a:115c:a1e0::53]/",
 			wantHandled: false,
 		},
-		{
-			name:        "quad-100:80",
-			target:      "http://100.100.100.100:80/",
-			wantHandled: false,
-		},
-		{
-			name:        "ipv6-service-addr:80",
-			target:      "http://[fd7a:115c:a1e0::53]:80/",
-			wantHandled: false,
-		},
 	}

 	for _, tt := range tests {
--- a/clientupdate/clientupdate.go
+++ b/clientupdate/clientupdate.go
@@ -28,7 +28,6 @@ import (
 	"strings"

 	"tailscale.com/hostinfo"
-	"tailscale.com/types/lazy"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/cmpver"
 	"tailscale.com/version"
@@ -250,13 +249,9 @@ func (up *Updater) getUpdateFunction() (fn updateFunction, canAutoUpdate bool) {
 	return nil, false
 }

-var canAutoUpdateCache lazy.SyncValue[bool]
-
 // CanAutoUpdate reports whether auto-updating via the clientupdate package
 // is supported for the current os/distro.
-func CanAutoUpdate() bool { return canAutoUpdateCache.Get(canAutoUpdateUncached) }
-
-func canAutoUpdateUncached() bool {
+func CanAutoUpdate() bool {
 	if version.IsMacSysExt() {
 		// Macsys uses Sparkle for auto-updates, which doesn't have an update
 		// function in this package.
--- a/cmd/containerboot/certs.go
+++ b/cmd/containerboot/certs.go
@@ -1,156 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux
-
-package main
-
-import (
-	"context"
-	"fmt"
-	"log"
-	"net"
-	"sync"
-	"time"
-
-	"tailscale.com/ipn"
-	"tailscale.com/util/goroutines"
-	"tailscale.com/util/mak"
-)
-
-// certManager is responsible for issuing certificates for known domains and for
-// maintaining a loop that re-attempts issuance daily.
-// Currently cert manager logic is only run on ingress ProxyGroup replicas that are responsible for managing certs for
-// HA Ingress HTTPS endpoints ('write' replicas).
-type certManager struct {
-	lc      localClient
-	tracker goroutines.Tracker // tracks running goroutines
-	mu      sync.Mutex         // guards the following
-	// certLoops contains a map of DNS names, for which we currently need to
-	// manage certs to cancel functions that allow stopping a goroutine when
-	// we no longer need to manage certs for the DNS name.
-	certLoops map[string]context.CancelFunc
-}
-
-// ensureCertLoops ensures that, for all currently managed Service HTTPS
-// endpoints, there is a cert loop responsible for issuing and ensuring the
-// renewal of the TLS certs.
-// ServeConfig must not be nil.
-func (cm *certManager) ensureCertLoops(ctx context.Context, sc *ipn.ServeConfig) error {
-	if sc == nil {
-		return fmt.Errorf("[unexpected] ensureCertLoops called with nil ServeConfig")
-	}
-	currentDomains := make(map[string]bool)
-	const httpsPort = "443"
-	for _, service := range sc.Services {
-		for hostPort := range service.Web {
-			domain, port, err := net.SplitHostPort(string(hostPort))
-			if err != nil {
-				return fmt.Errorf("[unexpected] unable to parse HostPort %s", hostPort)
-			}
-			if port != httpsPort { // HA Ingress' HTTP endpoint
-				continue
-			}
-			currentDomains[domain] = true
-		}
-	}
-	cm.mu.Lock()
-	defer cm.mu.Unlock()
-	for domain := range currentDomains {
-		if _, exists := cm.certLoops[domain]; !exists {
-			cancelCtx, cancel := context.WithCancel(ctx)
-			mak.Set(&cm.certLoops, domain, cancel)
-			// Note that most of the issuance anyway happens
-			// serially because the cert client has a shared lock
-			// that's held during any issuance.
-			cm.tracker.Go(func() { cm.runCertLoop(cancelCtx, domain) })
-		}
-	}
-
-	// Stop goroutines for domain names that are no longer in the config.
-	for domain, cancel := range cm.certLoops {
-		if !currentDomains[domain] {
-			cancel()
-			delete(cm.certLoops, domain)
-		}
-	}
-	return nil
-}
-
-// runCertLoop:
-// - calls localAPI certificate endpoint to ensure that certs are issued for the
-// given domain name
-// - calls localAPI certificate endpoint daily to ensure that certs are renewed
-// - if certificate issuance failed retries after an exponential backoff period
-// starting at 1 minute and capped at 24 hours. Reset the backoff once issuance succeeds.
-// Note that renewal check also happens when the node receives an HTTPS request and it is possible that certs get
-// renewed at that point. Renewal here is needed to prevent the shared certs from expiry in edge cases where the 'write'
-// replica does not get any HTTPS requests.
-// https://letsencrypt.org/docs/integration-guide/#retrying-failures
-func (cm *certManager) runCertLoop(ctx context.Context, domain string) {
-	const (
-		normalInterval   = 24 * time.Hour  // regular renewal check
-		initialRetry     = 1 * time.Minute // initial backoff after a failure
-		maxRetryInterval = 24 * time.Hour  // max backoff period
-	)
-	timer := time.NewTimer(0) // fire off timer immediately
-	defer timer.Stop()
-	retryCount := 0
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-timer.C:
-			// We call the certificate endpoint, but don't do anything
-			// with the returned certs here.
-			// The call to the certificate endpoint will ensure that
-			// certs are issued/renewed as needed and stored in the
-			// relevant state store. For example, for HA Ingress
-			// 'write' replica, the cert and key will be stored in a
-			// Kubernetes Secret named after the domain for which we
-			// are issuing.
-			// Note that renewals triggered by the call to the
-			// certificates endpoint here and by renewal check
-			// triggered during a call to node's HTTPS endpoint
-			// share the same state/renewal lock mechanism, so we
-			// should not run into redundant issuances during
-			// concurrent renewal checks.
-			// TODO(irbekrm): maybe it is worth adding a new
-			// issuance endpoint that explicitly only triggers
-			// issuance and stores certs in the relevant store, but
-			// does not return certs to the caller?
-
-			// An issuance holds a shared lock, so we need to avoid
-			// a situation where other services cannot issue certs
-			// because a single one is holding the lock.
-			ctxT, cancel := context.WithTimeout(ctx, time.Second*300)
-			defer cancel()
-			_, _, err := cm.lc.CertPair(ctxT, domain)
-			if err != nil {
-				log.Printf("error refreshing certificate for %s: %v", domain, err)
-			}
-			var nextInterval time.Duration
-			// TODO(irbekrm): distinguish between LE rate limit
-			// errors and other error types like transient network
-			// errors.
-			if err == nil {
-				retryCount = 0
-				nextInterval = normalInterval
-			} else {
-				retryCount++
-				// Calculate backoff: initialRetry * 2^(retryCount-1)
-				// For retryCount=1: 1min * 2^0 = 1min
-				// For retryCount=2: 1min * 2^1 = 2min
-				// For retryCount=3: 1min * 2^2 = 4min
-				backoff := initialRetry * time.Duration(1<<(retryCount-1))
-				if backoff > maxRetryInterval {
-					backoff = maxRetryInterval
-				}
-				nextInterval = backoff
-				log.Printf("Error refreshing certificate for %s (retry %d): %v. Will retry in %v\n",
-					domain, retryCount, err, nextInterval)
-			}
-			timer.Reset(nextInterval)
-		}
-	}
-}
--- a/cmd/containerboot/certs_test.go
+++ b/cmd/containerboot/certs_test.go
@@ -1,229 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux
-
-package main
-
-import (
-	"context"
-	"testing"
-	"time"
-
-	"tailscale.com/ipn"
-	"tailscale.com/tailcfg"
-)
-
-// TestEnsureCertLoops tests that the certManager correctly starts and stops
-// update loops for certs when the serve config changes. It tracks goroutine
-// count and uses that as a validator that the expected number of cert loops are
-// running.
-func TestEnsureCertLoops(t *testing.T) {
-	tests := []struct {
-		name              string
-		initialConfig     *ipn.ServeConfig
-		updatedConfig     *ipn.ServeConfig
-		initialGoroutines int64 // after initial serve config is applied
-		updatedGoroutines int64 // after updated serve config is applied
-		wantErr           bool
-	}{
-		{
-			name:              "empty_serve_config",
-			initialConfig:     &ipn.ServeConfig{},
-			initialGoroutines: 0,
-		},
-		{
-			name:              "nil_serve_config",
-			initialConfig:     nil,
-			initialGoroutines: 0,
-			wantErr:           true,
-		},
-		{
-			name:          "empty_to_one_service",
-			initialConfig: &ipn.ServeConfig{},
-			updatedConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			initialGoroutines: 0,
-			updatedGoroutines: 1,
-		},
-		{
-			name: "single_service",
-			initialConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			initialGoroutines: 1,
-		},
-		{
-			name: "multiple_services",
-			initialConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-					"svc:my-other-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-other-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			initialGoroutines: 2, // one loop per domain across all services
-		},
-		{
-			name: "ignore_non_https_ports",
-			initialConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-							"my-app.tailnetxyz.ts.net:80":  {},
-						},
-					},
-				},
-			},
-			initialGoroutines: 1, // only one loop for the 443 endpoint
-		},
-		{
-			name: "remove_domain",
-			initialConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-					"svc:my-other-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-other-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			updatedConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			initialGoroutines: 2, // initially two loops (one per service)
-			updatedGoroutines: 1, // one loop after removing service2
-		},
-		{
-			name: "add_domain",
-			initialConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			updatedConfig: &ipn.ServeConfig{
-				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
-					"svc:my-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-					"svc:my-other-app": {
-						Web: map[ipn.HostPort]*ipn.WebServerConfig{
-							"my-other-app.tailnetxyz.ts.net:443": {},
-						},
-					},
-				},
-			},
-			initialGoroutines: 1,
-			updatedGoroutines: 2,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
-
-			cm := &certManager{
-				lc:        &fakeLocalClient{},
-				certLoops: make(map[string]context.CancelFunc),
-			}
-
-			allDone := make(chan bool, 1)
-			defer cm.tracker.AddDoneCallback(func() {
-				cm.mu.Lock()
-				defer cm.mu.Unlock()
-				if cm.tracker.RunningGoroutines() > 0 {
-					return
-				}
-				select {
-				case allDone <- true:
-				default:
-				}
-			})()
-
-			err := cm.ensureCertLoops(ctx, tt.initialConfig)
-			if (err != nil) != tt.wantErr {
-				t.Fatalf("ensureCertLoops() error = %v", err)
-			}
-
-			if got := cm.tracker.RunningGoroutines(); got != tt.initialGoroutines {
-				t.Errorf("after initial config: got %d running goroutines, want %d", got, tt.initialGoroutines)
-			}
-
-			if tt.updatedConfig != nil {
-				if err := cm.ensureCertLoops(ctx, tt.updatedConfig); err != nil {
-					t.Fatalf("ensureCertLoops() error on update = %v", err)
-				}
-
-				// Although starting goroutines and cancelling
-				// the context happens in the main goroutine, it
-				// the actual goroutine exit when a context is
-				// cancelled does not- so wait for a bit for the
-				// running goroutine count to reach the expected
-				// number.
-				deadline := time.After(5 * time.Second)
-				for {
-					if got := cm.tracker.RunningGoroutines(); got == tt.updatedGoroutines {
-						break
-					}
-					select {
-					case <-deadline:
-						t.Fatalf("timed out waiting for goroutine count to reach %d, currently at %d",
-							tt.updatedGoroutines, cm.tracker.RunningGoroutines())
-					case <-time.After(10 * time.Millisecond):
-						continue
-					}
-				}
-			}
-
-			if tt.updatedGoroutines == 0 {
-				return // no goroutines to wait for
-			}
-			// cancel context to make goroutines exit
-			cancel()
-			select {
-			case <-time.After(5 * time.Second):
-				t.Fatal("timed out waiting for goroutine to finish")
-			case <-allDone:
-			}
-		})
-	}
-}
--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@@ -646,7 +646,7 @@ runLoop:

 				if cfg.ServeConfigPath != "" {
 					triggerWatchServeConfigChanges.Do(func() {
-						go watchServeConfigChanges(ctx, certDomainChanged, certDomain, client, kc, cfg)
+						go watchServeConfigChanges(ctx, cfg.ServeConfigPath, certDomainChanged, certDomain, client, kc)
 					})
 				}

--- a/cmd/containerboot/serve.go
+++ b/cmd/containerboot/serve.go
@@ -28,11 +28,10 @@ import (
 // applies it to lc. It exits when ctx is canceled. cdChanged is a channel that
 // is written to when the certDomain changes, causing the serve config to be
 // re-read and applied.
-func watchServeConfigChanges(ctx context.Context, cdChanged <-chan bool, certDomainAtomic *atomic.Pointer[string], lc *local.Client, kc *kubeClient, cfg *settings) {
+func watchServeConfigChanges(ctx context.Context, path string, cdChanged <-chan bool, certDomainAtomic *atomic.Pointer[string], lc *local.Client, kc *kubeClient) {
 	if certDomainAtomic == nil {
 		panic("certDomainAtomic must not be nil")
 	}
-
 	var tickChan <-chan time.Time
 	var eventChan <-chan fsnotify.Event
 	if w, err := fsnotify.NewWatcher(); err != nil {
@@ -44,7 +43,7 @@ func watchServeConfigChanges(ctx context.Context, cdChanged <-chan bool, certDom
 		tickChan = ticker.C
 	} else {
 		defer w.Close()
-		if err := w.Add(filepath.Dir(cfg.ServeConfigPath)); err != nil {
+		if err := w.Add(filepath.Dir(path)); err != nil {
 			log.Fatalf("serve proxy: failed to add fsnotify watch: %v", err)
 		}
 		eventChan = w.Events
@@ -52,12 +51,6 @@ func watchServeConfigChanges(ctx context.Context, cdChanged <-chan bool, certDom

 	var certDomain string
 	var prevServeConfig *ipn.ServeConfig
-	var cm certManager
-	if cfg.CertShareMode == "rw" {
-		cm = certManager{
-			lc: lc,
-		}
-	}
 	for {
 		select {
 		case <-ctx.Done():
@@ -70,12 +63,12 @@ func watchServeConfigChanges(ctx context.Context, cdChanged <-chan bool, certDom
 			// k8s handles these mounts. So just re-read the file and apply it
 			// if it's changed.
 		}
-		sc, err := readServeConfig(cfg.ServeConfigPath, certDomain)
+		sc, err := readServeConfig(path, certDomain)
 		if err != nil {
 			log.Fatalf("serve proxy: failed to read serve config: %v", err)
 		}
 		if sc == nil {
-			log.Printf("serve proxy: no serve config at %q, skipping", cfg.ServeConfigPath)
+			log.Printf("serve proxy: no serve config at %q, skipping", path)
 			continue
 		}
 		if prevServeConfig != nil && reflect.DeepEqual(sc, prevServeConfig) {
@@ -90,12 +83,6 @@ func watchServeConfigChanges(ctx context.Context, cdChanged <-chan bool, certDom
 			}
 		}
 		prevServeConfig = sc
-		if cfg.CertShareMode != "rw" {
-			continue
-		}
-		if err := cm.ensureCertLoops(ctx, sc); err != nil {
-			log.Fatalf("serve proxy: error ensuring cert loops: %v", err)
-		}
 	}
 }

@@ -109,7 +96,6 @@ func certDomainFromNetmap(nm *netmap.NetworkMap) string {
 // localClient is a subset of [local.Client] that can be mocked for testing.
 type localClient interface {
 	SetServeConfig(context.Context, *ipn.ServeConfig) error
-	CertPair(context.Context, string) ([]byte, []byte, error)
 }

 func updateServeConfig(ctx context.Context, sc *ipn.ServeConfig, certDomain string, lc localClient) error {
--- a/cmd/containerboot/serve_test.go
+++ b/cmd/containerboot/serve_test.go
@@ -206,10 +206,6 @@ func (m *fakeLocalClient) SetServeConfig(ctx context.Context, cfg *ipn.ServeConf
 	return nil
 }

-func (m *fakeLocalClient) CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
-	return nil, nil, nil
-}
-
 func TestHasHTTPSEndpoint(t *testing.T) {
 	tests := []struct {
 		name string
--- a/cmd/containerboot/settings.go
+++ b/cmd/containerboot/settings.go
@@ -74,12 +74,6 @@ type settings struct {
 	HealthCheckEnabled   bool
 	DebugAddrPort        string
 	EgressProxiesCfgPath string
-	// CertShareMode is set for Kubernetes Pods running cert share mode.
-	// Possible values are empty (containerboot doesn't run any certs
-	// logic),  'ro' (for Pods that shold never attempt to issue/renew
-	// certs) and 'rw' for Pods that should manage the TLS certs shared
-	// amongst the replicas.
-	CertShareMode string
 }

 func configFromEnv() (*settings, error) {
@@ -134,17 +128,6 @@ func configFromEnv() (*settings, error) {
 			cfg.PodIPv6 = parsed.String()
 		}
 	}
-	// If cert share is enabled, set the replica as read or write. Only 0th
-	// replica should be able to write.
-	isInCertShareMode := defaultBool("TS_EXPERIMENTAL_CERT_SHARE", false)
-	if isInCertShareMode {
-		cfg.CertShareMode = "ro"
-		podName := os.Getenv("POD_NAME")
-		if strings.HasSuffix(podName, "-0") {
-			cfg.CertShareMode = "rw"
-		}
-	}
-
 	if err := cfg.validate(); err != nil {
 		return nil, fmt.Errorf("invalid configuration: %v", err)
 	}
--- a/cmd/containerboot/tailscaled.go
+++ b/cmd/containerboot/tailscaled.go
@@ -33,9 +33,6 @@ func startTailscaled(ctx context.Context, cfg *settings) (*local.Client, *os.Pro
 	cmd.SysProcAttr = &syscall.SysProcAttr{
 		Setpgid: true,
 	}
-	if cfg.CertShareMode != "" {
-		cmd.Env = append(os.Environ(), "TS_CERT_SHARE_MODE="+cfg.CertShareMode)
-	}
 	log.Printf("Starting tailscaled")
 	if err := cmd.Start(); err != nil {
 		return nil, nil, fmt.Errorf("starting tailscaled failed: %v", err)
--- a/cmd/derper/cert.go
+++ b/cmd/derper/cert.go
@@ -128,17 +128,16 @@ func (m *manualCertManager) TLSConfig() *tls.Config {
 }

 func (m *manualCertManager) getCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	// if hi.ServerName != m.hostname && !m.noHostname {
-	// 	return nil, fmt.Errorf("cert mismatch with hostname: %q", hi.ServerName)
-	// }
+	if hi.ServerName != m.hostname && !m.noHostname {
+		return nil, fmt.Errorf("cert mismatch with hostname: %q", hi.ServerName)
+	}

 	// Return a shallow copy of the cert so the caller can append to its
 	// Certificate field.
-	// certCopy := new(tls.Certificate)
-	// *certCopy = *m.cert
-	// certCopy.Certificate = certCopy.Certificate[:len(certCopy.Certificate):len(certCopy.Certificate)]
-	// return certCopy, nil
-	return m.cert, nil
+	certCopy := new(tls.Certificate)
+	*certCopy = *m.cert
+	certCopy.Certificate = certCopy.Certificate[:len(certCopy.Certificate):len(certCopy.Certificate)]
+	return certCopy, nil
 }

 func (m *manualCertManager) HTTPHandler(fallback http.Handler) http.Handler {
--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -96,7 +96,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/disco                                          from tailscale.com/derp
        tailscale.com/drive                                          from tailscale.com/client/local+
        tailscale.com/envknob                                        from tailscale.com/client/local+
-        tailscale.com/feature                                        from tailscale.com/tsweb
        tailscale.com/health                                         from tailscale.com/net/tlsdial+
        tailscale.com/hostinfo                                       from tailscale.com/net/netmon+
        tailscale.com/ipn                                            from tailscale.com/client/local
@@ -129,8 +128,8 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/tstime                                         from tailscale.com/derp+
        tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
        tailscale.com/tstime/rate                                    from tailscale.com/derp
-        tailscale.com/tsweb                                          from tailscale.com/cmd/derper+
-        tailscale.com/tsweb/promvarz                                 from tailscale.com/cmd/derper
+        tailscale.com/tsweb                                          from tailscale.com/cmd/derper
+        tailscale.com/tsweb/promvarz                                 from tailscale.com/tsweb
        tailscale.com/tsweb/varz                                     from tailscale.com/tsweb+
        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg+
        tailscale.com/types/empty                                    from tailscale.com/ipn
@@ -310,7 +309,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        html                                                         from net/http/pprof+
        html/template                                                from tailscale.com/cmd/derper
        internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from internal/runtime/maps+
+        internal/asan                                                from syscall+
        internal/bisect                                              from internal/godebug
        internal/bytealg                                             from bytes+
        internal/byteorder                                           from crypto/cipher+
@@ -320,12 +319,12 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        internal/filepathlite                                        from os+
        internal/fmtsort                                             from fmt+
        internal/goarch                                              from crypto/internal/fips140deps/cpu+
-        internal/godebug                                             from crypto/internal/fips140deps/godebug+
+        internal/godebug                                             from crypto/tls+
        internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from hash/maphash+
+        internal/goexperiment                                        from runtime+
        internal/goos                                                from crypto/x509+
        internal/itoa                                                from internal/poll+
-        internal/msan                                                from internal/runtime/maps+
+        internal/msan                                                from syscall+
        internal/nettrace                                            from net+
        internal/oserror                                             from io/fs+
        internal/poll                                                from net+
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -49,9 +49,6 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/version"
-
-	// Support for prometheus varz in tsweb
-	_ "tailscale.com/tsweb/promvarz"
 )

 var (
--- a/cmd/derpprobe/derpprobe.go
+++ b/cmd/derpprobe/derpprobe.go
@@ -15,9 +15,6 @@ import (
 	"tailscale.com/prober"
 	"tailscale.com/tsweb"
 	"tailscale.com/version"
-
-	// Support for prometheus varz in tsweb
-	_ "tailscale.com/tsweb/promvarz"
 )

 var (
--- a/cmd/k8s-operator/depaware.txt
+++ b/cmd/k8s-operator/depaware.txt
@@ -1151,7 +1151,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        html                                                         from html/template+
        html/template                                                from github.com/gorilla/csrf
        internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from internal/runtime/maps+
+        internal/asan                                                from syscall+
        internal/bisect                                              from internal/godebug
        internal/bytealg                                             from bytes+
        internal/byteorder                                           from crypto/cipher+
@@ -1163,11 +1163,11 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        internal/goarch                                              from crypto/internal/fips140deps/cpu+
        internal/godebug                                             from archive/tar+
        internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from hash/maphash+
+        internal/goexperiment                                        from runtime+
        internal/goos                                                from crypto/x509+
        internal/itoa                                                from internal/poll+
        internal/lazyregexp                                          from go/doc
-        internal/msan                                                from internal/runtime/maps+
+        internal/msan                                                from syscall+
        internal/nettrace                                            from net+
        internal/oserror                                             from io/fs+
        internal/poll                                                from net+
--- a/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
+++ b/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
@@ -75,7 +75,7 @@ rules:
  verbs: ["get", "list", "watch", "create", "update", "deletecollection"]
 - apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles", "rolebindings"]
-  verbs: ["get", "create", "patch", "update", "list", "watch", "deletecollection"]
+  verbs: ["get", "create", "patch", "update", "list", "watch"]
 - apiGroups: ["monitoring.coreos.com"]
  resources: ["servicemonitors"]
  verbs: ["get", "list", "update", "create", "delete"]
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_proxyclasses.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_proxyclasses.yaml
@@ -2215,22 +2215,6 @@ spec:
                        https://tailscale.com/kb/1019/subnets#use-your-subnet-routes-from-other-devices
                        Defaults to false.
                      type: boolean
-                useLetsEncryptStagingEnvironment:
-                  description: |-
-                    Set UseLetsEncryptStagingEnvironment to true to issue TLS
-                    certificates for any HTTPS endpoints exposed to the tailnet from
-                    LetsEncrypt's staging environment.
-                    https://letsencrypt.org/docs/staging-environment/
-                    This setting only affects Tailscale Ingress resources.
-                    By default Ingress TLS certificates are issued from LetsEncrypt's
-                    production environment.
-                    Changing this setting true -> false, will result in any
-                    existing certs being re-issued from the production environment.
-                    Changing this setting false (default) -> true, when certs have already
-                    been provisioned from production environment will NOT result in certs
-                    being re-issued from the staging environment before they need to be
-                    renewed.
-                  type: boolean
            status:
              description: |-
                Status of the ProxyClass. This is set and managed automatically.
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_proxygroups.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_proxygroups.yaml
@@ -103,7 +103,7 @@ spec:
                    pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$
                type:
                  description: |-
-                    Type of the ProxyGroup proxies. Currently the only supported type is egress.
+                    Type of the ProxyGroup proxies. Supported types are egress and ingress.
                    Type is immutable once a ProxyGroup is created.
                  type: string
                  enum:
--- a/cmd/k8s-operator/deploy/manifests/operator.yaml
+++ b/cmd/k8s-operator/deploy/manifests/operator.yaml
@@ -2685,22 +2685,6 @@ spec:
                                            Defaults to false.
                                        type: boolean
                                type: object
-                            useLetsEncryptStagingEnvironment:
-                                description: |-
-                                    Set UseLetsEncryptStagingEnvironment to true to issue TLS
-                                    certificates for any HTTPS endpoints exposed to the tailnet from
-                                    LetsEncrypt's staging environment.
-                                    https://letsencrypt.org/docs/staging-environment/
-                                    This setting only affects Tailscale Ingress resources.
-                                    By default Ingress TLS certificates are issued from LetsEncrypt's
-                                    production environment.
-                                    Changing this setting true -> false, will result in any
-                                    existing certs being re-issued from the production environment.
-                                    Changing this setting false (default) -> true, when certs have already
-                                    been provisioned from production environment will NOT result in certs
-                                    being re-issued from the staging environment before they need to be
-                                    renewed.
-                                type: boolean
                        type: object
                    status:
                        description: |-
@@ -2876,7 +2860,7 @@ spec:
                                type: array
                            type:
                                description: |-
-                                    Type of the ProxyGroup proxies. Currently the only supported type is egress.
+                                    Type of the ProxyGroup proxies. Supported types are egress and ingress.
                                    Type is immutable once a ProxyGroup is created.
                                enum:
                                    - egress
@@ -4914,7 +4898,6 @@ rules:
        - update
        - list
        - watch
-        - deletecollection
    - apiGroups:
        - monitoring.coreos.com
      resources:
--- a/cmd/k8s-operator/dnsrecords_test.go
+++ b/cmd/k8s-operator/dnsrecords_test.go
@@ -22,7 +22,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	operatorutils "tailscale.com/k8s-operator"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
-	"tailscale.com/kube/kubetypes"
 	"tailscale.com/tstest"
 	"tailscale.com/types/ptr"
 )
@@ -164,10 +163,10 @@ func headlessSvcForParent(o client.Object, typ string) *corev1.Service {
 			Name:      o.GetName(),
 			Namespace: "tailscale",
 			Labels: map[string]string{
-				kubetypes.LabelManaged: "true",
-				LabelParentName:        o.GetName(),
-				LabelParentNamespace:   o.GetNamespace(),
-				LabelParentType:        typ,
+				LabelManaged:         "true",
+				LabelParentName:      o.GetName(),
+				LabelParentNamespace: o.GetNamespace(),
+				LabelParentType:      typ,
 			},
 		},
 		Spec: corev1.ServiceSpec{
--- a/cmd/k8s-operator/egress-pod-readiness.go
+++ b/cmd/k8s-operator/egress-pod-readiness.go
@@ -112,9 +112,9 @@ func (er *egressPodsReconciler) Reconcile(ctx context.Context, req reconcile.Req
 	}
 	// Get all ClusterIP Services for all egress targets exposed to cluster via this ProxyGroup.
 	lbls := map[string]string{
-		kubetypes.LabelManaged: "true",
-		labelProxyGroup:        proxyGroupName,
-		labelSvcType:           typeEgress,
+		LabelManaged:    "true",
+		labelProxyGroup: proxyGroupName,
+		labelSvcType:    typeEgress,
 	}
 	svcs := &corev1.ServiceList{}
 	if err := er.List(ctx, svcs, client.InNamespace(er.tsNamespace), client.MatchingLabels(lbls)); err != nil {
--- a/cmd/k8s-operator/egress-pod-readiness_test.go
+++ b/cmd/k8s-operator/egress-pod-readiness_test.go
@@ -450,9 +450,9 @@ func newSvc(name string, port int32) (*corev1.Service, string) {
 			Namespace: "operator-ns",
 			Name:      name,
 			Labels: map[string]string{
-				kubetypes.LabelManaged: "true",
-				labelProxyGroup:        "dev",
-				labelSvcType:           typeEgress,
+				LabelManaged:    "true",
+				labelProxyGroup: "dev",
+				labelSvcType:    typeEgress,
 			},
 		},
 		Spec: corev1.ServiceSpec{},
--- a/cmd/k8s-operator/egress-services.go
+++ b/cmd/k8s-operator/egress-services.go
@@ -680,12 +680,12 @@ func egressSvcsConfigs(ctx context.Context, cl client.Client, proxyGroupName, ts
 // should probably validate and truncate (?) the names is they are too long.
 func egressSvcChildResourceLabels(svc *corev1.Service) map[string]string {
 	return map[string]string{
-		kubetypes.LabelManaged: "true",
-		LabelParentType:        "svc",
-		LabelParentName:        svc.Name,
-		LabelParentNamespace:   svc.Namespace,
-		labelProxyGroup:        svc.Annotations[AnnotationProxyGroup],
-		labelSvcType:           typeEgress,
+		LabelManaged:         "true",
+		LabelParentType:      "svc",
+		LabelParentName:      svc.Name,
+		LabelParentNamespace: svc.Namespace,
+		labelProxyGroup:      svc.Annotations[AnnotationProxyGroup],
+		labelSvcType:         typeEgress,
 	}
 }

--- a/cmd/k8s-operator/ingress-for-pg.go
+++ b/cmd/k8s-operator/ingress-for-pg.go
@@ -22,7 +22,6 @@ import (
 	"go.uber.org/zap"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
-	rbacv1 "k8s.io/api/rbac/v1"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -49,11 +48,10 @@ const (
 	// FinalizerNamePG is the finalizer used by the IngressPGReconciler
 	FinalizerNamePG = "tailscale.com/ingress-pg-finalizer"

+	indexIngressProxyGroup = ".metadata.annotations.ingress-proxy-group"
 	// annotationHTTPEndpoint can be used to configure the Ingress to expose an HTTP endpoint to tailnet (as
 	// well as the default HTTPS endpoint).
 	annotationHTTPEndpoint = "tailscale.com/http-endpoint"
-
-	labelDomain = "tailscale.com/domain"
 )

 var gaugePGIngressResources = clientmetric.NewGauge(kubetypes.MetricIngressPGResourceCount)
@@ -156,13 +154,13 @@ func (r *HAIngressReconciler) maybeProvision(ctx context.Context, hostname strin
 	pg := &tsapi.ProxyGroup{}
 	if err := r.Get(ctx, client.ObjectKey{Name: pgName}, pg); err != nil {
 		if apierrors.IsNotFound(err) {
-			logger.Infof("ProxyGroup does not exist")
+			logger.Infof("ProxyGroup %q does not exist", pgName)
 			return false, nil
 		}
 		return false, fmt.Errorf("getting ProxyGroup %q: %w", pgName, err)
 	}
 	if !tsoperator.ProxyGroupIsReady(pg) {
-		logger.Infof("ProxyGroup is not (yet) ready")
+		logger.Infof("ProxyGroup %q is not (yet) ready", pgName)
 		return false, nil
 	}

@@ -177,6 +175,8 @@ func (r *HAIngressReconciler) maybeProvision(ctx context.Context, hostname strin
 		r.recorder.Event(ing, corev1.EventTypeWarning, "HTTPSNotEnabled", "HTTPS is not enabled on the tailnet; ingress may not work")
 	}

+	logger = logger.With("proxy-group", pg.Name)
+
 	if !slices.Contains(ing.Finalizers, FinalizerNamePG) {
 		// This log line is printed exactly once during initial provisioning,
 		// because once the finalizer is in place this block gets skipped. So,
@@ -229,11 +229,12 @@ func (r *HAIngressReconciler) maybeProvision(ctx context.Context, hostname strin
 			return false, fmt.Errorf("error getting VIPService %q: %w", hostname, err)
 		}
 	}
-	// Generate the VIPService owner annotation for new or existing VIPService.
-	// This checks and ensures that VIPService's owner references are updated
-	// for this Ingress and errors if that is not possible (i.e. because it
-	// appears that the VIPService has been created by a non-operator actor).
-	updatedAnnotations, err := r.ownerAnnotations(existingVIPSvc)
+	// Generate the VIPService comment for new or existing VIPService. This
+	// checks and ensures that VIPService's owner references are updated for
+	// this Ingress and errors if that is not possible (i.e. because it
+	// appears that the VIPService has been created by a non-operator
+	// actor).
+	svcComment, err := r.ownerRefsComment(existingVIPSvc)
 	if err != nil {
 		const instr = "To proceed, you can either manually delete the existing VIPService or choose a different MagicDNS name at `.spec.tls.hosts[0] in the Ingress definition"
 		msg := fmt.Sprintf("error ensuring ownership of VIPService %s: %v. %s", hostname, err, instr)
@@ -241,12 +242,8 @@ func (r *HAIngressReconciler) maybeProvision(ctx context.Context, hostname strin
 		r.recorder.Event(ing, corev1.EventTypeWarning, "InvalidVIPService", msg)
 		return false, nil
 	}
-	// 3. Ensure that TLS Secret and RBAC exists
-	if err := r.ensureCertResources(ctx, pgName, dnsName, ing); err != nil {
-		return false, fmt.Errorf("error ensuring cert resources: %w", err)
-	}

-	// 4. Ensure that the serve config for the ProxyGroup contains the VIPService.
+	// 3. Ensure that the serve config for the ProxyGroup contains the VIPService.
 	cm, cfg, err := r.proxyGroupServeConfig(ctx, pgName)
 	if err != nil {
 		return false, fmt.Errorf("error getting Ingress serve config: %w", err)
@@ -313,13 +310,11 @@ func (r *HAIngressReconciler) maybeProvision(ctx context.Context, hostname strin
 		vipPorts = append(vipPorts, "80")
 	}

-	const managedVIPServiceComment = "This VIPService is managed by the Tailscale Kubernetes Operator, do not modify"
 	vipSvc := &tailscale.VIPService{
-		Name:        serviceName,
-		Tags:        tags,
-		Ports:       vipPorts,
-		Comment:     managedVIPServiceComment,
-		Annotations: updatedAnnotations,
+		Name:    serviceName,
+		Tags:    tags,
+		Ports:   vipPorts,
+		Comment: svcComment,
 	}
 	if existingVIPSvc != nil {
 		vipSvc.Addrs = existingVIPSvc.Addrs
@@ -330,8 +325,8 @@ func (r *HAIngressReconciler) maybeProvision(ctx context.Context, hostname strin
 	if existingVIPSvc == nil ||
 		!reflect.DeepEqual(vipSvc.Tags, existingVIPSvc.Tags) ||
 		!reflect.DeepEqual(vipSvc.Ports, existingVIPSvc.Ports) ||
-		!ownersAreSetAndEqual(vipSvc, existingVIPSvc) {
-		logger.Infof("Ensuring VIPService exists and is up to date")
+		!strings.EqualFold(vipSvc.Comment, existingVIPSvc.Comment) {
+		logger.Infof("Ensuring VIPService %q exists and is up to date", hostname)
 		if err := r.tsClient.CreateOrUpdateVIPService(ctx, vipSvc); err != nil {
 			return false, fmt.Errorf("error creating VIPService: %w", err)
 		}
@@ -339,67 +334,35 @@ func (r *HAIngressReconciler) maybeProvision(ctx context.Context, hostname strin

 	// 5. Update tailscaled's AdvertiseServices config, which should add the VIPService
 	// IPs to the ProxyGroup Pods' AllowedIPs in the next netmap update if approved.
-	mode := serviceAdvertisementHTTPS
-	if isHTTPEndpointEnabled(ing) {
-		mode = serviceAdvertisementHTTPAndHTTPS
-	}
-	if err = r.maybeUpdateAdvertiseServicesConfig(ctx, pg.Name, serviceName, mode, logger); err != nil {
+	if err = r.maybeUpdateAdvertiseServicesConfig(ctx, pg.Name, serviceName, true, logger); err != nil {
 		return false, fmt.Errorf("failed to update tailscaled config: %w", err)
 	}

-	// 6. Update Ingress status if ProxyGroup Pods are ready.
-	count, err := r.numberPodsAdvertising(ctx, pg.Name, serviceName)
-	if err != nil {
-		return false, fmt.Errorf("failed to check if any Pods are configured: %w", err)
-	}
-
+	// TODO(irbekrm): check that the replicas are ready to route traffic for the VIPService before updating Ingress
+	// status.
+	// 6. Update Ingress status
 	oldStatus := ing.Status.DeepCopy()
-
-	switch count {
-	case 0:
-		ing.Status.LoadBalancer.Ingress = nil
-	default:
-		var ports []networkingv1.IngressPortStatus
-		hasCerts, err := r.hasCerts(ctx, serviceName)
-		if err != nil {
-			return false, fmt.Errorf("error checking TLS credentials provisioned for Ingress: %w", err)
-		}
-		// If TLS certs have not been issued (yet), do not set port 443.
-		if hasCerts {
-			ports = append(ports, networkingv1.IngressPortStatus{
-				Protocol: "TCP",
-				Port:     443,
-			})
-		}
-		if isHTTPEndpointEnabled(ing) {
-			ports = append(ports, networkingv1.IngressPortStatus{
-				Protocol: "TCP",
-				Port:     80,
-			})
-		}
-		// Set Ingress status hostname only if either port 443 or 80 is advertised.
-		var hostname string
-		if len(ports) != 0 {
-			hostname = dnsName
-		}
-		ing.Status.LoadBalancer.Ingress = []networkingv1.IngressLoadBalancerIngress{
-			{
-				Hostname: hostname,
-				Ports:    ports,
-			},
-		}
+	ports := []networkingv1.IngressPortStatus{
+		{
+			Protocol: "TCP",
+			Port:     443,
+		},
 	}
-	if apiequality.Semantic.DeepEqual(oldStatus, &ing.Status) {
+	if isHTTPEndpointEnabled(ing) {
+		ports = append(ports, networkingv1.IngressPortStatus{
+			Protocol: "TCP",
+			Port:     80,
+		})
+	}
+	ing.Status.LoadBalancer.Ingress = []networkingv1.IngressLoadBalancerIngress{
+		{
+			Hostname: dnsName,
+			Ports:    ports,
+		},
+	}
+	if apiequality.Semantic.DeepEqual(oldStatus, ing.Status) {
 		return svcsChanged, nil
 	}
-
-	const prefix = "Updating Ingress status"
-	if count == 0 {
-		logger.Infof("%s. No Pods are advertising VIPService yet", prefix)
-	} else {
-		logger.Infof("%s. %d Pod(s) advertising VIPService", prefix, count)
-	}
-
 	if err := r.Status().Update(ctx, ing); err != nil {
 		return false, fmt.Errorf("failed to update Ingress status: %w", err)
 	}
@@ -439,24 +402,24 @@ func (r *HAIngressReconciler) maybeCleanupProxyGroup(ctx context.Context, proxyG
 			logger.Infof("VIPService %q is not owned by any Ingress, cleaning up", vipServiceName)

 			// Delete the VIPService from control if necessary.
-			svcsChanged, err = r.cleanupVIPService(ctx, vipServiceName, logger)
-			if err != nil {
-				return false, fmt.Errorf("deleting VIPService %q: %w", vipServiceName, err)
+			svc, _ := r.tsClient.GetVIPService(ctx, vipServiceName)
+			if svc != nil && isVIPServiceForAnyIngress(svc) {
+				logger.Infof("cleaning up orphaned VIPService %q", vipServiceName)
+				svcsChanged, err = r.cleanupVIPService(ctx, vipServiceName, logger)
+				if err != nil {
+					errResp := &tailscale.ErrResponse{}
+					if !errors.As(err, &errResp) || errResp.Status != http.StatusNotFound {
+						return false, fmt.Errorf("deleting VIPService %q: %w", vipServiceName, err)
+					}
+				}
 			}

 			// Make sure the VIPService is not advertised in tailscaled or serve config.
-			if err = r.maybeUpdateAdvertiseServicesConfig(ctx, proxyGroupName, vipServiceName, serviceAdvertisementOff, logger); err != nil {
+			if err = r.maybeUpdateAdvertiseServicesConfig(ctx, proxyGroupName, vipServiceName, false, logger); err != nil {
 				return false, fmt.Errorf("failed to update tailscaled config services: %w", err)
 			}
-			_, ok := cfg.Services[vipServiceName]
-			if ok {
-				logger.Infof("Removing VIPService %q from serve config", vipServiceName)
-				delete(cfg.Services, vipServiceName)
-				serveConfigChanged = true
-			}
-			if err := r.cleanupCertResources(ctx, proxyGroupName, vipServiceName); err != nil {
-				return false, fmt.Errorf("failed to clean up cert resources: %w", err)
-			}
+			delete(cfg.Services, vipServiceName)
+			serveConfigChanged = true
 		}
 	}

@@ -517,22 +480,16 @@ func (r *HAIngressReconciler) maybeCleanup(ctx context.Context, hostname string,
 	if err != nil {
 		return false, fmt.Errorf("error deleting VIPService: %w", err)
 	}
-
-	// 3. Clean up any cluster resources
-	if err := r.cleanupCertResources(ctx, pg, serviceName); err != nil {
-		return false, fmt.Errorf("failed to clean up cert resources: %w", err)
-	}
-
 	if cfg == nil || cfg.Services == nil { // user probably deleted the ProxyGroup
 		return svcChanged, nil
 	}

-	// 4. Unadvertise the VIPService in tailscaled config.
-	if err = r.maybeUpdateAdvertiseServicesConfig(ctx, pg, serviceName, serviceAdvertisementOff, logger); err != nil {
+	// 3. Unadvertise the VIPService in tailscaled config.
+	if err = r.maybeUpdateAdvertiseServicesConfig(ctx, pg, serviceName, false, logger); err != nil {
 		return false, fmt.Errorf("failed to update tailscaled config services: %w", err)
 	}

-	// 5. Remove the VIPService from the serve config for the ProxyGroup.
+	// 4. Remove the VIPService from the serve config for the ProxyGroup.
 	logger.Infof("Removing VIPService %q from serve config for ProxyGroup %q", hostname, pg)
 	delete(cfg.Services, serviceName)
 	cfgBytes, err := json.Marshal(cfg)
@@ -613,6 +570,13 @@ func (r *HAIngressReconciler) shouldExpose(ing *networkingv1.Ingress) bool {
 	return isTSIngress && pgAnnot != ""
 }

+func isVIPServiceForAnyIngress(svc *tailscale.VIPService) bool {
+	if svc == nil {
+		return false
+	}
+	return strings.HasPrefix(svc.Comment, "tailscale.com/k8s-operator:owned-by:")
+}
+
 // validateIngress validates that the Ingress is properly configured.
 // Currently validates:
 // - Any tags provided via tailscale.com/tags annotation are valid Tailscale ACL tags
@@ -686,34 +650,34 @@ func (r *HAIngressReconciler) cleanupVIPService(ctx context.Context, name tailcf
 	if svc == nil {
 		return false, nil
 	}
-	o, err := parseOwnerAnnotation(svc)
+	c, err := parseComment(svc)
 	if err != nil {
-		return false, fmt.Errorf("error parsing VIPService owner annotation")
+		return false, fmt.Errorf("error parsing VIPService comment")
 	}
-	if o == nil || len(o.OwnerRefs) == 0 {
+	if c == nil || len(c.OwnerRefs) == 0 {
 		return false, nil
 	}
 	// Comparing with the operatorID only means that we will not be able to
 	// clean up VIPServices in cases where the operator was deleted from the
 	// cluster before deleting the Ingress. Perhaps the comparison could be
 	// 'if or.OperatorID === r.operatorID || or.ingressUID == r.ingressUID'.
-	ix := slices.IndexFunc(o.OwnerRefs, func(or OwnerRef) bool {
+	ix := slices.IndexFunc(c.OwnerRefs, func(or OwnerRef) bool {
 		return or.OperatorID == r.operatorID
 	})
 	if ix == -1 {
 		return false, nil
 	}
-	if len(o.OwnerRefs) == 1 {
+	if len(c.OwnerRefs) == 1 {
 		logger.Infof("Deleting VIPService %q", name)
 		return false, r.tsClient.DeleteVIPService(ctx, name)
 	}
-	o.OwnerRefs = slices.Delete(o.OwnerRefs, ix, ix+1)
+	c.OwnerRefs = slices.Delete(c.OwnerRefs, ix, ix+1)
 	logger.Infof("Deleting VIPService %q", name)
-	json, err := json.Marshal(o)
+	json, err := json.Marshal(c)
 	if err != nil {
 		return false, fmt.Errorf("error marshalling updated VIPService owner reference: %w", err)
 	}
-	svc.Annotations[ownerAnnotation] = string(json)
+	svc.Comment = string(json)
 	return true, r.tsClient.CreateOrUpdateVIPService(ctx, svc)
 }

@@ -725,16 +689,8 @@ func isHTTPEndpointEnabled(ing *networkingv1.Ingress) bool {
 	return ing.Annotations[annotationHTTPEndpoint] == "enabled"
 }

-// serviceAdvertisementMode describes the desired state of a VIPService.
-type serviceAdvertisementMode int
-
-const (
-	serviceAdvertisementOff          serviceAdvertisementMode = iota // Should not be advertised
-	serviceAdvertisementHTTPS                                        // Port 443 should be advertised
-	serviceAdvertisementHTTPAndHTTPS                                 // Both ports 80 and 443 should be advertised
-)
-
-func (a *HAIngressReconciler) maybeUpdateAdvertiseServicesConfig(ctx context.Context, pgName string, serviceName tailcfg.ServiceName, mode serviceAdvertisementMode, logger *zap.SugaredLogger) (err error) {
+func (a *HAIngressReconciler) maybeUpdateAdvertiseServicesConfig(ctx context.Context, pgName string, serviceName tailcfg.ServiceName, shouldBeAdvertised bool, logger *zap.SugaredLogger) (err error) {
+	logger.Debugf("Updating ProxyGroup tailscaled configs to advertise service %q: %v", serviceName, shouldBeAdvertised)

 	// Get all config Secrets for this ProxyGroup.
 	secrets := &corev1.SecretList{}
@@ -742,21 +698,6 @@ func (a *HAIngressReconciler) maybeUpdateAdvertiseServicesConfig(ctx context.Con
 		return fmt.Errorf("failed to list config Secrets: %w", err)
 	}

-	// Verify that TLS cert for the VIPService has been successfully issued
-	// before attempting to advertise the service.
-	// This is so that in multi-cluster setups where some Ingresses succeed
-	// to issue certs and some do not (rate limits), clients are not pinned
-	// to a backend that is not able to serve HTTPS.
-	// The only exception is Ingresses with an HTTP endpoint enabled - if an
-	// Ingress has an HTTP endpoint enabled, it will be advertised even if the
-	// TLS cert is not yet provisioned.
-	hasCert, err := a.hasCerts(ctx, serviceName)
-	if err != nil {
-		return fmt.Errorf("error checking TLS credentials provisioned for service %q: %w", serviceName, err)
-	}
-	shouldBeAdvertised := (mode == serviceAdvertisementHTTPAndHTTPS) ||
-		(mode == serviceAdvertisementHTTPS && hasCert) // if we only expose port 443 and don't have certs (yet), do not advertise
-
 	for _, secret := range secrets.Items {
 		var updated bool
 		for fileName, confB := range secret.Data {
@@ -799,39 +740,6 @@ func (a *HAIngressReconciler) maybeUpdateAdvertiseServicesConfig(ctx context.Con
 	return nil
 }

-func (a *HAIngressReconciler) numberPodsAdvertising(ctx context.Context, pgName string, serviceName tailcfg.ServiceName) (int, error) {
-	// Get all state Secrets for this ProxyGroup.
-	secrets := &corev1.SecretList{}
-	if err := a.List(ctx, secrets, client.InNamespace(a.tsNamespace), client.MatchingLabels(pgSecretLabels(pgName, "state"))); err != nil {
-		return 0, fmt.Errorf("failed to list ProxyGroup %q state Secrets: %w", pgName, err)
-	}
-
-	var count int
-	for _, secret := range secrets.Items {
-		prefs, ok, err := getDevicePrefs(&secret)
-		if err != nil {
-			return 0, fmt.Errorf("error getting node metadata: %w", err)
-		}
-		if !ok {
-			continue
-		}
-		if slices.Contains(prefs.AdvertiseServices, serviceName.String()) {
-			count++
-		}
-	}
-
-	return count, nil
-}
-
-const ownerAnnotation = "tailscale.com/owner-references"
-
-// ownerAnnotationValue is the content of the VIPService.Annotation[ownerAnnotation] field.
-type ownerAnnotationValue struct {
-	// OwnerRefs is a list of owner references that identify all operator
-	// instances that manage this VIPService.
-	OwnerRefs []OwnerRef `json:"ownerRefs,omitempty"`
-}
-
 // OwnerRef is an owner reference that uniquely identifies a Tailscale
 // Kubernetes operator instance.
 type OwnerRef struct {
@@ -839,110 +747,60 @@ type OwnerRef struct {
 	OperatorID string `json:"operatorID,omitempty"`
 }

-// ownerAnnotations returns the updated annotations required to ensure this
-// instance of the operator is included as an owner. If the VIPService is not
-// nil, but does not contain an owner we return an error as this likely means
-// that the VIPService was created by somthing other than a Tailscale
-// Kubernetes operator.
-func (r *HAIngressReconciler) ownerAnnotations(svc *tailscale.VIPService) (map[string]string, error) {
+// comment is the content of the VIPService.Comment field.
+type comment struct {
+	// OwnerRefs is a list of owner references that identify all operator
+	// instances that manage this VIPService.
+	OwnerRefs []OwnerRef `json:"ownerRefs,omitempty"`
+}
+
+// ownerRefsComment return VIPService Comment that includes owner reference for this
+// operator instance for the provided VIPService. If the VIPService is nil, a
+// new comment with owner ref is returned. If the VIPService is not nil, the
+// existing comment is returned with the owner reference added, if not already
+// present. If the VIPService is not nil, but does not contain a comment we
+// return an error as this likely means that the VIPService was created by
+// somthing other than a Tailscale Kubernetes operator.
+func (r *HAIngressReconciler) ownerRefsComment(svc *tailscale.VIPService) (string, error) {
 	ref := OwnerRef{
 		OperatorID: r.operatorID,
 	}
 	if svc == nil {
-		c := ownerAnnotationValue{OwnerRefs: []OwnerRef{ref}}
+		c := &comment{OwnerRefs: []OwnerRef{ref}}
 		json, err := json.Marshal(c)
 		if err != nil {
-			return nil, fmt.Errorf("[unexpected] unable to marshal VIPService owner annotation contents: %w, please report this", err)
+			return "", fmt.Errorf("[unexpected] unable to marshal VIPService comment contents: %w, please report this", err)
 		}
-		return map[string]string{
-			ownerAnnotation: string(json),
-		}, nil
+		return string(json), nil
 	}
-	o, err := parseOwnerAnnotation(svc)
+	c, err := parseComment(svc)
 	if err != nil {
-		return nil, err
+		return "", fmt.Errorf("error parsing existing VIPService comment: %w", err)
 	}
-	if o == nil || len(o.OwnerRefs) == 0 {
-		return nil, fmt.Errorf("VIPService %s exists, but does not contain owner annotation with owner references; not proceeding as this is likely a resource created by something other than the Tailscale Kubernetes operator", svc.Name)
+	if c == nil || len(c.OwnerRefs) == 0 {
+		return "", fmt.Errorf("VIPService %s exists, but does not contain Comment field with owner references- not proceeding as this is likely a resource created by something other than a Tailscale Kubernetes Operator", svc.Name)
 	}
-	if slices.Contains(o.OwnerRefs, ref) { // up to date
-		return svc.Annotations, nil
+	if slices.Contains(c.OwnerRefs, ref) { // up to date
+		return svc.Comment, nil
 	}
-	o.OwnerRefs = append(o.OwnerRefs, ref)
-	json, err := json.Marshal(o)
+	c.OwnerRefs = append(c.OwnerRefs, ref)
+	json, err := json.Marshal(c)
 	if err != nil {
-		return nil, fmt.Errorf("error marshalling updated owner references: %w", err)
+		return "", fmt.Errorf("error marshalling updated owner references: %w", err)
 	}
-
-	newAnnots := make(map[string]string, len(svc.Annotations)+1)
-	for k, v := range svc.Annotations {
-		newAnnots[k] = v
-	}
-	newAnnots[ownerAnnotation] = string(json)
-	return newAnnots, nil
+	return string(json), nil
 }

-// parseOwnerAnnotation returns nil if no valid owner found.
-func parseOwnerAnnotation(vipSvc *tailscale.VIPService) (*ownerAnnotationValue, error) {
-	if vipSvc.Annotations == nil || vipSvc.Annotations[ownerAnnotation] == "" {
+// parseComment returns VIPService comment or nil if none found or not matching the expected format.
+func parseComment(vipSvc *tailscale.VIPService) (*comment, error) {
+	if vipSvc.Comment == "" {
 		return nil, nil
 	}
-	o := &ownerAnnotationValue{}
-	if err := json.Unmarshal([]byte(vipSvc.Annotations[ownerAnnotation]), o); err != nil {
-		return nil, fmt.Errorf("error parsing VIPService %s annotation %q: %w", ownerAnnotation, vipSvc.Annotations[ownerAnnotation], err)
+	c := &comment{}
+	if err := json.Unmarshal([]byte(vipSvc.Comment), c); err != nil {
+		return nil, fmt.Errorf("error parsing VIPService Comment field %q: %w", vipSvc.Comment, err)
 	}
-	return o, nil
-}
-
-func ownersAreSetAndEqual(a, b *tailscale.VIPService) bool {
-	return a != nil && b != nil &&
-		a.Annotations != nil && b.Annotations != nil &&
-		a.Annotations[ownerAnnotation] != "" &&
-		b.Annotations[ownerAnnotation] != "" &&
-		strings.EqualFold(a.Annotations[ownerAnnotation], b.Annotations[ownerAnnotation])
-}
-
-// ensureCertResources ensures that the TLS Secret for an HA Ingress and RBAC
-// resources that allow proxies to manage the Secret are created.
-// Note that Tailscale VIPService name validation matches Kubernetes
-// resource name validation, so we can be certain that the VIPService name
-// (domain) is a valid Kubernetes resource name.
-// https://github.com/tailscale/tailscale/blob/8b1e7f646ee4730ad06c9b70c13e7861b964949b/util/dnsname/dnsname.go#L99
-// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names
-func (r *HAIngressReconciler) ensureCertResources(ctx context.Context, pgName, domain string, ing *networkingv1.Ingress) error {
-	secret := certSecret(pgName, r.tsNamespace, domain, ing)
-	if _, err := createOrUpdate(ctx, r.Client, r.tsNamespace, secret, nil); err != nil {
-		return fmt.Errorf("failed to create or update Secret %s: %w", secret.Name, err)
-	}
-	role := certSecretRole(pgName, r.tsNamespace, domain)
-	if _, err := createOrUpdate(ctx, r.Client, r.tsNamespace, role, nil); err != nil {
-		return fmt.Errorf("failed to create or update Role %s: %w", role.Name, err)
-	}
-	rb := certSecretRoleBinding(pgName, r.tsNamespace, domain)
-	if _, err := createOrUpdate(ctx, r.Client, r.tsNamespace, rb, nil); err != nil {
-		return fmt.Errorf("failed to create or update RoleBinding %s: %w", rb.Name, err)
-	}
-	return nil
-}
-
-// cleanupCertResources ensures that the TLS Secret and associated RBAC
-// resources that allow proxies to read/write to the Secret are deleted.
-func (r *HAIngressReconciler) cleanupCertResources(ctx context.Context, pgName string, name tailcfg.ServiceName) error {
-	domainName, err := r.dnsNameForService(ctx, tailcfg.ServiceName(name))
-	if err != nil {
-		return fmt.Errorf("error getting DNS name for VIPService %s: %w", name, err)
-	}
-	labels := certResourceLabels(pgName, domainName)
-	if err := r.DeleteAllOf(ctx, &rbacv1.RoleBinding{}, client.InNamespace(r.tsNamespace), client.MatchingLabels(labels)); err != nil {
-		return fmt.Errorf("error deleting RoleBinding for domain name %s: %w", domainName, err)
-	}
-	if err := r.DeleteAllOf(ctx, &rbacv1.Role{}, client.InNamespace(r.tsNamespace), client.MatchingLabels(labels)); err != nil {
-		return fmt.Errorf("error deleting Role for domain name %s: %w", domainName, err)
-	}
-	if err := r.DeleteAllOf(ctx, &corev1.Secret{}, client.InNamespace(r.tsNamespace), client.MatchingLabels(labels)); err != nil {
-		return fmt.Errorf("error deleting Secret for domain name %s: %w", domainName, err)
-	}
-	return nil
+	return c, nil
 }

 // requeueInterval returns a time duration between 5 and 10 minutes, which is
@@ -953,123 +811,3 @@ func (r *HAIngressReconciler) cleanupCertResources(ctx context.Context, pgName s
 func requeueInterval() time.Duration {
 	return time.Duration(rand.N(5)+5) * time.Minute
 }
-
-// certSecretRole creates a Role that will allow proxies to manage the TLS
-// Secret for the given domain. Domain must be a valid Kubernetes resource name.
-func certSecretRole(pgName, namespace, domain string) *rbacv1.Role {
-	return &rbacv1.Role{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      domain,
-			Namespace: namespace,
-			Labels:    certResourceLabels(pgName, domain),
-		},
-		Rules: []rbacv1.PolicyRule{
-			{
-				APIGroups:     []string{""},
-				Resources:     []string{"secrets"},
-				ResourceNames: []string{domain},
-				Verbs: []string{
-					"get",
-					"list",
-					"patch",
-					"update",
-				},
-			},
-		},
-	}
-}
-
-// certSecretRoleBinding creates a RoleBinding for Role that will allow proxies
-// to manage the TLS Secret for the given domain. Domain must be a valid
-// Kubernetes resource name.
-func certSecretRoleBinding(pgName, namespace, domain string) *rbacv1.RoleBinding {
-	return &rbacv1.RoleBinding{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      domain,
-			Namespace: namespace,
-			Labels:    certResourceLabels(pgName, domain),
-		},
-		Subjects: []rbacv1.Subject{
-			{
-				Kind:      "ServiceAccount",
-				Name:      pgName,
-				Namespace: namespace,
-			},
-		},
-		RoleRef: rbacv1.RoleRef{
-			Kind: "Role",
-			Name: domain,
-		},
-	}
-}
-
-// certSecret creates a Secret that will store the TLS certificate and private
-// key for the given domain. Domain must be a valid Kubernetes resource name.
-func certSecret(pgName, namespace, domain string, ing *networkingv1.Ingress) *corev1.Secret {
-	labels := certResourceLabels(pgName, domain)
-	labels[kubetypes.LabelSecretType] = "certs"
-	// Labels that let us identify the Ingress resource lets us reconcile
-	// the Ingress when the TLS Secret is updated (for example, when TLS
-	// certs have been provisioned).
-	labels[LabelParentName] = ing.Name
-	labels[LabelParentNamespace] = ing.Namespace
-	return &corev1.Secret{
-		TypeMeta: metav1.TypeMeta{
-			APIVersion: "v1",
-			Kind:       "Secret",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      domain,
-			Namespace: namespace,
-			Labels:    labels,
-		},
-		Data: map[string][]byte{
-			corev1.TLSCertKey:       nil,
-			corev1.TLSPrivateKeyKey: nil,
-		},
-		Type: corev1.SecretTypeTLS,
-	}
-}
-
-func certResourceLabels(pgName, domain string) map[string]string {
-	return map[string]string{
-		kubetypes.LabelManaged: "true",
-		labelProxyGroup:        pgName,
-		labelDomain:            domain,
-	}
-}
-
-// dnsNameForService returns the DNS name for the given VIPService name.
-func (r *HAIngressReconciler) dnsNameForService(ctx context.Context, svc tailcfg.ServiceName) (string, error) {
-	s := svc.WithoutPrefix()
-	tcd, err := r.tailnetCertDomain(ctx)
-	if err != nil {
-		return "", fmt.Errorf("error determining DNS name base: %w", err)
-	}
-	return s + "." + tcd, nil
-}
-
-// hasCerts checks if the TLS Secret for the given service has non-zero cert and key data.
-func (r *HAIngressReconciler) hasCerts(ctx context.Context, svc tailcfg.ServiceName) (bool, error) {
-	domain, err := r.dnsNameForService(ctx, svc)
-	if err != nil {
-		return false, fmt.Errorf("failed to get DNS name for service: %w", err)
-	}
-	secret := &corev1.Secret{}
-	err = r.Get(ctx, client.ObjectKey{
-		Namespace: r.tsNamespace,
-		Name:      domain,
-	}, secret)
-
-	if err != nil {
-		if apierrors.IsNotFound(err) {
-			return false, nil
-		}
-		return false, fmt.Errorf("failed to get TLS Secret: %w", err)
-	}
-
-	cert := secret.Data[corev1.TLSCertKey]
-	key := secret.Data[corev1.TLSPrivateKeyKey]
-
-	return len(cert) > 0 && len(key) > 0, nil
-}
--- a/cmd/k8s-operator/ingress-for-pg_test.go
+++ b/cmd/k8s-operator/ingress-for-pg_test.go
@@ -8,10 +8,8 @@ package main
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"maps"
-	"net/http"
 	"reflect"
 	"testing"

@@ -20,7 +18,6 @@ import (
 	"go.uber.org/zap"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
-	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
@@ -31,7 +28,6 @@ import (
 	"tailscale.com/ipn/ipnstate"
 	tsoperator "tailscale.com/k8s-operator"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
-	"tailscale.com/kube/kubetypes"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/ptr"
 )
@@ -60,7 +56,7 @@ func TestIngressPGReconciler(t *testing.T) {
 				},
 			},
 			TLS: []networkingv1.IngressTLS{
-				{Hosts: []string{"my-svc"}},
+				{Hosts: []string{"my-svc.tailnetxyz.ts.net"}},
 			},
 		},
 	}
@@ -68,17 +64,10 @@ func TestIngressPGReconciler(t *testing.T) {

 	// Verify initial reconciliation
 	expectReconciled(t, ingPGR, "default", "test-ingress")
-	populateTLSSecret(context.Background(), fc, "test-pg", "my-svc.ts.net")
-	expectReconciled(t, ingPGR, "default", "test-ingress")
 	verifyServeConfig(t, fc, "svc:my-svc", false)
 	verifyVIPService(t, ft, "svc:my-svc", []string{"443"})
 	verifyTailscaledConfig(t, fc, []string{"svc:my-svc"})

-	// Verify that Role and RoleBinding have been created for the first Ingress.
-	// Do not verify the cert Secret as that was already verified implicitly above.
-	expectEqual(t, fc, certSecretRole("test-pg", "operator-ns", "my-svc.ts.net"))
-	expectEqual(t, fc, certSecretRoleBinding("test-pg", "operator-ns", "my-svc.ts.net"))
-
 	mustUpdate(t, fc, "default", "test-ingress", func(ing *networkingv1.Ingress) {
 		ing.Annotations["tailscale.com/tags"] = "tag:custom,tag:test"
 	})
@@ -130,16 +119,9 @@ func TestIngressPGReconciler(t *testing.T) {

 	// Verify second Ingress reconciliation
 	expectReconciled(t, ingPGR, "default", "my-other-ingress")
-	populateTLSSecret(context.Background(), fc, "test-pg", "my-other-svc.ts.net")
-	expectReconciled(t, ingPGR, "default", "my-other-ingress")
 	verifyServeConfig(t, fc, "svc:my-other-svc", false)
 	verifyVIPService(t, ft, "svc:my-other-svc", []string{"443"})

-	// Verify that Role and RoleBinding have been created for the first Ingress.
-	// Do not verify the cert Secret as that was already verified implicitly above.
-	expectEqual(t, fc, certSecretRole("test-pg", "operator-ns", "my-other-svc.ts.net"))
-	expectEqual(t, fc, certSecretRoleBinding("test-pg", "operator-ns", "my-other-svc.ts.net"))
-
 	// Verify first Ingress is still working
 	verifyServeConfig(t, fc, "svc:my-svc", false)
 	verifyVIPService(t, ft, "svc:my-svc", []string{"443"})
@@ -176,9 +158,6 @@ func TestIngressPGReconciler(t *testing.T) {
 	}

 	verifyTailscaledConfig(t, fc, []string{"svc:my-svc"})
-	expectMissing[corev1.Secret](t, fc, "operator-ns", "my-other-svc.ts.net")
-	expectMissing[rbacv1.Role](t, fc, "operator-ns", "my-other-svc.ts.net")
-	expectMissing[rbacv1.RoleBinding](t, fc, "operator-ns", "my-other-svc.ts.net")

 	// Delete the first Ingress and verify cleanup
 	if err := fc.Delete(context.Background(), ing); err != nil {
@@ -205,70 +184,6 @@ func TestIngressPGReconciler(t *testing.T) {
 		t.Error("serve config not cleaned up")
 	}
 	verifyTailscaledConfig(t, fc, nil)
-
-	// Add verification that cert resources were cleaned up
-	expectMissing[corev1.Secret](t, fc, "operator-ns", "my-svc.ts.net")
-	expectMissing[rbacv1.Role](t, fc, "operator-ns", "my-svc.ts.net")
-	expectMissing[rbacv1.RoleBinding](t, fc, "operator-ns", "my-svc.ts.net")
-}
-
-func TestIngressPGReconciler_UpdateIngressHostname(t *testing.T) {
-	ingPGR, fc, ft := setupIngressTest(t)
-
-	ing := &networkingv1.Ingress{
-		TypeMeta: metav1.TypeMeta{Kind: "Ingress", APIVersion: "networking.k8s.io/v1"},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-ingress",
-			Namespace: "default",
-			UID:       types.UID("1234-UID"),
-			Annotations: map[string]string{
-				"tailscale.com/proxy-group": "test-pg",
-			},
-		},
-		Spec: networkingv1.IngressSpec{
-			IngressClassName: ptr.To("tailscale"),
-			DefaultBackend: &networkingv1.IngressBackend{
-				Service: &networkingv1.IngressServiceBackend{
-					Name: "test",
-					Port: networkingv1.ServiceBackendPort{
-						Number: 8080,
-					},
-				},
-			},
-			TLS: []networkingv1.IngressTLS{
-				{Hosts: []string{"my-svc"}},
-			},
-		},
-	}
-	mustCreate(t, fc, ing)
-
-	// Verify initial reconciliation
-	expectReconciled(t, ingPGR, "default", "test-ingress")
-	populateTLSSecret(context.Background(), fc, "test-pg", "my-svc.ts.net")
-	expectReconciled(t, ingPGR, "default", "test-ingress")
-	verifyServeConfig(t, fc, "svc:my-svc", false)
-	verifyVIPService(t, ft, "svc:my-svc", []string{"443"})
-	verifyTailscaledConfig(t, fc, []string{"svc:my-svc"})
-
-	// Update the Ingress hostname and make sure the original VIPService is deleted.
-	mustUpdate(t, fc, "default", "test-ingress", func(ing *networkingv1.Ingress) {
-		ing.Spec.TLS[0].Hosts[0] = "updated-svc"
-	})
-	expectReconciled(t, ingPGR, "default", "test-ingress")
-	populateTLSSecret(context.Background(), fc, "test-pg", "updated-svc.ts.net")
-	expectReconciled(t, ingPGR, "default", "test-ingress")
-	verifyServeConfig(t, fc, "svc:updated-svc", false)
-	verifyVIPService(t, ft, "svc:updated-svc", []string{"443"})
-	verifyTailscaledConfig(t, fc, []string{"svc:updated-svc"})
-
-	_, err := ft.GetVIPService(context.Background(), tailcfg.ServiceName("svc:my-svc"))
-	if err == nil {
-		t.Fatalf("svc:my-svc not cleaned up")
-	}
-	var errResp *tailscale.ErrResponse
-	if !errors.As(err, &errResp) || errResp.Status != http.StatusNotFound {
-		t.Fatalf("unexpected error: %v", err)
-	}
 }

 func TestValidateIngress(t *testing.T) {
@@ -477,8 +392,6 @@ func TestIngressPGReconciler_HTTPEndpoint(t *testing.T) {

 	// Verify initial reconciliation with HTTP enabled
 	expectReconciled(t, ingPGR, "default", "test-ingress")
-	populateTLSSecret(context.Background(), fc, "test-pg", "my-svc.ts.net")
-	expectReconciled(t, ingPGR, "default", "test-ingress")
 	verifyVIPService(t, ft, "svc:my-svc", []string{"80", "443"})
 	verifyServeConfig(t, fc, "svc:my-svc", true)

@@ -491,31 +404,6 @@ func TestIngressPGReconciler_HTTPEndpoint(t *testing.T) {
 		t.Fatal(err)
 	}

-	// Status will be empty until the VIPService shows up in prefs.
-	if !reflect.DeepEqual(ing.Status.LoadBalancer.Ingress, []networkingv1.IngressLoadBalancerIngress(nil)) {
-		t.Errorf("incorrect Ingress status: got %v, want empty",
-			ing.Status.LoadBalancer.Ingress)
-	}
-
-	// Add the VIPService to prefs to have the Ingress recognised as ready.
-	mustCreate(t, fc, &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-pg-0",
-			Namespace: "operator-ns",
-			Labels:    pgSecretLabels("test-pg", "state"),
-		},
-		Data: map[string][]byte{
-			"_current-profile": []byte("profile-foo"),
-			"profile-foo":      []byte(`{"AdvertiseServices":["svc:my-svc"],"Config":{"NodeID":"node-foo"}}`),
-		},
-	})
-
-	// Reconcile and re-fetch Ingress.
-	expectReconciled(t, ingPGR, "default", "test-ingress")
-	if err := fc.Get(context.Background(), client.ObjectKeyFromObject(ing), ing); err != nil {
-		t.Fatal(err)
-	}
-
 	wantStatus := []networkingv1.IngressPortStatus{
 		{Port: 443, Protocol: "TCP"},
 		{Port: 80, Protocol: "TCP"},
@@ -622,7 +510,6 @@ func verifyServeConfig(t *testing.T, fc client.Client, serviceName string, wantH
 }

 func verifyTailscaledConfig(t *testing.T, fc client.Client, expectedServices []string) {
-	t.Helper()
 	var expected string
 	if expectedServices != nil {
 		expectedServicesJSON, err := json.Marshal(expectedServices)
@@ -757,10 +644,8 @@ func TestIngressPGReconciler_MultiCluster(t *testing.T) {

 	// Simulate existing VIPService from another cluster
 	existingVIPSvc := &tailscale.VIPService{
-		Name: "svc:my-svc",
-		Annotations: map[string]string{
-			ownerAnnotation: `{"ownerrefs":[{"operatorID":"operator-2"}]}`,
-		},
+		Name:    "svc:my-svc",
+		Comment: `{"ownerrefs":[{"operatorID":"operator-2"}]}`,
 	}
 	ft.vipServices = map[tailcfg.ServiceName]*tailscale.VIPService{
 		"svc:my-svc": existingVIPSvc,
@@ -777,17 +662,17 @@ func TestIngressPGReconciler_MultiCluster(t *testing.T) {
 		t.Fatal("VIPService not found")
 	}

-	o, err := parseOwnerAnnotation(vipSvc)
-	if err != nil {
-		t.Fatalf("parsing owner annotation: %v", err)
+	c := &comment{}
+	if err := json.Unmarshal([]byte(vipSvc.Comment), c); err != nil {
+		t.Fatalf("parsing comment: %v", err)
 	}

 	wantOwnerRefs := []OwnerRef{
 		{OperatorID: "operator-2"},
 		{OperatorID: "operator-1"},
 	}
-	if !reflect.DeepEqual(o.OwnerRefs, wantOwnerRefs) {
-		t.Errorf("incorrect owner refs\ngot:  %+v\nwant: %+v", o.OwnerRefs, wantOwnerRefs)
+	if !reflect.DeepEqual(c.OwnerRefs, wantOwnerRefs) {
+		t.Errorf("incorrect owner refs\ngot:  %+v\nwant: %+v", c.OwnerRefs, wantOwnerRefs)
 	}

 	// Delete the Ingress and verify VIPService still exists with one owner ref
@@ -804,40 +689,15 @@ func TestIngressPGReconciler_MultiCluster(t *testing.T) {
 		t.Fatal("VIPService was incorrectly deleted")
 	}

-	o, err = parseOwnerAnnotation(vipSvc)
-	if err != nil {
-		t.Fatalf("parsing owner annotation: %v", err)
+	c = &comment{}
+	if err := json.Unmarshal([]byte(vipSvc.Comment), c); err != nil {
+		t.Fatalf("parsing comment after deletion: %v", err)
 	}

 	wantOwnerRefs = []OwnerRef{
 		{OperatorID: "operator-2"},
 	}
-	if !reflect.DeepEqual(o.OwnerRefs, wantOwnerRefs) {
-		t.Errorf("incorrect owner refs after deletion\ngot:  %+v\nwant: %+v", o.OwnerRefs, wantOwnerRefs)
+	if !reflect.DeepEqual(c.OwnerRefs, wantOwnerRefs) {
+		t.Errorf("incorrect owner refs after deletion\ngot:  %+v\nwant: %+v", c.OwnerRefs, wantOwnerRefs)
 	}
 }
-
-func populateTLSSecret(ctx context.Context, c client.Client, pgName, domain string) error {
-	secret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      domain,
-			Namespace: "operator-ns",
-			Labels: map[string]string{
-				kubetypes.LabelManaged:    "true",
-				labelProxyGroup:           pgName,
-				labelDomain:               domain,
-				kubetypes.LabelSecretType: "certs",
-			},
-		},
-		Type: corev1.SecretTypeTLS,
-		Data: map[string][]byte{
-			corev1.TLSCertKey:       []byte("fake-cert"),
-			corev1.TLSPrivateKeyKey: []byte("fake-key"),
-		},
-	}
-
-	_, err := createOrUpdate(ctx, c, "operator-ns", secret, func(s *corev1.Secret) {
-		s.Data = secret.Data
-	})
-	return err
-}
--- a/cmd/k8s-operator/ingress_test.go
+++ b/cmd/k8s-operator/ingress_test.go
@@ -6,7 +6,6 @@
 package main

 import (
-	"context"
 	"testing"

 	"go.uber.org/zap"
@@ -16,18 +15,17 @@ import (
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"tailscale.com/ipn"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/kube/kubetypes"
-	"tailscale.com/tstest"
 	"tailscale.com/types/ptr"
 	"tailscale.com/util/mak"
 )

 func TestTailscaleIngress(t *testing.T) {
-	fc := fake.NewFakeClient(ingressClass())
+	tsIngressClass := &networkingv1.IngressClass{ObjectMeta: metav1.ObjectMeta{Name: "tailscale"}, Spec: networkingv1.IngressClassSpec{Controller: "tailscale.com/ts-ingress"}}
+	fc := fake.NewFakeClient(tsIngressClass)
 	ft := &fakeTSClient{}
 	fakeTsnetServer := &fakeTSNetServer{certDomains: []string{"foo.com"}}
 	zl, err := zap.NewDevelopment()
@@ -48,8 +46,45 @@ func TestTailscaleIngress(t *testing.T) {
 	}

 	// 1. Resources get created for regular Ingress
-	mustCreate(t, fc, ingress())
-	mustCreate(t, fc, service())
+	ing := &networkingv1.Ingress{
+		TypeMeta: metav1.TypeMeta{Kind: "Ingress", APIVersion: "networking.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+		},
+		Spec: networkingv1.IngressSpec{
+			IngressClassName: ptr.To("tailscale"),
+			DefaultBackend: &networkingv1.IngressBackend{
+				Service: &networkingv1.IngressServiceBackend{
+					Name: "test",
+					Port: networkingv1.ServiceBackendPort{
+						Number: 8080,
+					},
+				},
+			},
+			TLS: []networkingv1.IngressTLS{
+				{Hosts: []string{"default-test"}},
+			},
+		},
+	}
+	mustCreate(t, fc, ing)
+	mustCreate(t, fc, &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "1.2.3.4",
+			Ports: []corev1.ServicePort{{
+				Port: 8080,
+				Name: "http"},
+			},
+		},
+	})

 	expectReconciled(t, ingR, "default", "test")

@@ -79,9 +114,6 @@ func TestTailscaleIngress(t *testing.T) {
 		mak.Set(&secret.Data, "device_fqdn", []byte("foo.tailnetxyz.ts.net"))
 	})
 	expectReconciled(t, ingR, "default", "test")
-
-	// Get the ingress and update it with expected changes
-	ing := ingress()
 	ing.Finalizers = append(ing.Finalizers, "tailscale.com/finalizer")
 	ing.Status.LoadBalancer = networkingv1.IngressLoadBalancerStatus{
 		Ingress: []networkingv1.IngressLoadBalancerIngress{
@@ -111,7 +143,8 @@ func TestTailscaleIngress(t *testing.T) {
 }

 func TestTailscaleIngressHostname(t *testing.T) {
-	fc := fake.NewFakeClient(ingressClass())
+	tsIngressClass := &networkingv1.IngressClass{ObjectMeta: metav1.ObjectMeta{Name: "tailscale"}, Spec: networkingv1.IngressClassSpec{Controller: "tailscale.com/ts-ingress"}}
+	fc := fake.NewFakeClient(tsIngressClass)
 	ft := &fakeTSClient{}
 	fakeTsnetServer := &fakeTSNetServer{certDomains: []string{"foo.com"}}
 	zl, err := zap.NewDevelopment()
@@ -132,8 +165,45 @@ func TestTailscaleIngressHostname(t *testing.T) {
 	}

 	// 1. Resources get created for regular Ingress
-	mustCreate(t, fc, ingress())
-	mustCreate(t, fc, service())
+	ing := &networkingv1.Ingress{
+		TypeMeta: metav1.TypeMeta{Kind: "Ingress", APIVersion: "networking.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+		},
+		Spec: networkingv1.IngressSpec{
+			IngressClassName: ptr.To("tailscale"),
+			DefaultBackend: &networkingv1.IngressBackend{
+				Service: &networkingv1.IngressServiceBackend{
+					Name: "test",
+					Port: networkingv1.ServiceBackendPort{
+						Number: 8080,
+					},
+				},
+			},
+			TLS: []networkingv1.IngressTLS{
+				{Hosts: []string{"default-test"}},
+			},
+		},
+	}
+	mustCreate(t, fc, ing)
+	mustCreate(t, fc, &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "1.2.3.4",
+			Ports: []corev1.ServicePort{{
+				Port: 8080,
+				Name: "http"},
+			},
+		},
+	})

 	expectReconciled(t, ingR, "default", "test")

@@ -171,10 +241,8 @@ func TestTailscaleIngressHostname(t *testing.T) {
 		mak.Set(&secret.Data, "device_fqdn", []byte("foo.tailnetxyz.ts.net"))
 	})
 	expectReconciled(t, ingR, "default", "test")
-
-	// Get the ingress and update it with expected changes
-	ing := ingress()
 	ing.Finalizers = append(ing.Finalizers, "tailscale.com/finalizer")
+
 	expectEqual(t, fc, ing)

 	// 3. Ingress proxy with capability version >= 110 advertises HTTPS endpoint
@@ -231,9 +299,10 @@ func TestTailscaleIngressWithProxyClass(t *testing.T) {
 			Annotations: map[string]string{"bar.io/foo": "some-val"},
 			Pod:         &tsapi.Pod{Annotations: map[string]string{"foo.io/bar": "some-val"}}}},
 	}
+	tsIngressClass := &networkingv1.IngressClass{ObjectMeta: metav1.ObjectMeta{Name: "tailscale"}, Spec: networkingv1.IngressClassSpec{Controller: "tailscale.com/ts-ingress"}}
 	fc := fake.NewClientBuilder().
 		WithScheme(tsapi.GlobalScheme).
-		WithObjects(pc, ingressClass()).
+		WithObjects(pc, tsIngressClass).
 		WithStatusSubresource(pc).
 		Build()
 	ft := &fakeTSClient{}
@@ -257,8 +326,45 @@ func TestTailscaleIngressWithProxyClass(t *testing.T) {

 	// 1. Ingress is created with no ProxyClass specified, default proxy
 	// resources get configured.
-	mustCreate(t, fc, ingress())
-	mustCreate(t, fc, service())
+	ing := &networkingv1.Ingress{
+		TypeMeta: metav1.TypeMeta{Kind: "Ingress", APIVersion: "networking.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+		},
+		Spec: networkingv1.IngressSpec{
+			IngressClassName: ptr.To("tailscale"),
+			DefaultBackend: &networkingv1.IngressBackend{
+				Service: &networkingv1.IngressServiceBackend{
+					Name: "test",
+					Port: networkingv1.ServiceBackendPort{
+						Number: 8080,
+					},
+				},
+			},
+			TLS: []networkingv1.IngressTLS{
+				{Hosts: []string{"default-test"}},
+			},
+		},
+	}
+	mustCreate(t, fc, ing)
+	mustCreate(t, fc, &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "1.2.3.4",
+			Ports: []corev1.ServicePort{{
+				Port: 8080,
+				Name: "http"},
+			},
+		},
+	})

 	expectReconciled(t, ingR, "default", "test")

@@ -326,19 +432,54 @@ func TestTailscaleIngressWithServiceMonitor(t *testing.T) {
 				ObservedGeneration: 1,
 			}}},
 	}
-	crd := &apiextensionsv1.CustomResourceDefinition{ObjectMeta: metav1.ObjectMeta{Name: serviceMonitorCRD}}
-
-	// Create fake client with ProxyClass, IngressClass, Ingress with metrics ProxyClass, and Service
-	ing := ingress()
-	ing.Labels = map[string]string{
-		LabelProxyClass: "metrics",
+	ing := &networkingv1.Ingress{
+		TypeMeta: metav1.TypeMeta{Kind: "Ingress", APIVersion: "networking.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+			Labels: map[string]string{
+				"tailscale.com/proxy-class": "metrics",
+			},
+		},
+		Spec: networkingv1.IngressSpec{
+			IngressClassName: ptr.To("tailscale"),
+			DefaultBackend: &networkingv1.IngressBackend{
+				Service: &networkingv1.IngressServiceBackend{
+					Name: "test",
+					Port: networkingv1.ServiceBackendPort{
+						Number: 8080,
+					},
+				},
+			},
+			TLS: []networkingv1.IngressTLS{
+				{Hosts: []string{"default-test"}},
+			},
+		},
 	}
+	svc := &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "1.2.3.4",
+			Ports: []corev1.ServicePort{{
+				Port: 8080,
+				Name: "http"},
+			},
+		},
+	}
+	crd := &apiextensionsv1.CustomResourceDefinition{ObjectMeta: metav1.ObjectMeta{Name: serviceMonitorCRD}}
+	tsIngressClass := &networkingv1.IngressClass{ObjectMeta: metav1.ObjectMeta{Name: "tailscale"}, Spec: networkingv1.IngressClassSpec{Controller: "tailscale.com/ts-ingress"}}
 	fc := fake.NewClientBuilder().
 		WithScheme(tsapi.GlobalScheme).
-		WithObjects(pc, ingressClass(), ing, service()).
+		WithObjects(pc, tsIngressClass, ing, svc).
 		WithStatusSubresource(pc).
 		Build()
-
 	ft := &fakeTSClient{}
 	fakeTsnetServer := &fakeTSNetServer{certDomains: []string{"foo.com"}}
 	zl, err := zap.NewDevelopment()
@@ -419,118 +560,3 @@ func TestTailscaleIngressWithServiceMonitor(t *testing.T) {
 	expectMissing[corev1.Service](t, fc, "operator-ns", metricsResourceName(shortName))
 	// ServiceMonitor gets garbage collected when the Service is deleted - we cannot test that here.
 }
-
-func TestIngressLetsEncryptStaging(t *testing.T) {
-	cl := tstest.NewClock(tstest.ClockOpts{})
-	zl := zap.Must(zap.NewDevelopment())
-
-	pcLEStaging, pcLEStagingFalse, pcOther := proxyClassesForLEStagingTest()
-
-	testCases := testCasesForLEStagingTests(pcLEStaging, pcLEStagingFalse, pcOther)
-
-	for _, tt := range testCases {
-		t.Run(tt.name, func(t *testing.T) {
-			builder := fake.NewClientBuilder().
-				WithScheme(tsapi.GlobalScheme)
-
-			builder = builder.WithObjects(pcLEStaging, pcLEStagingFalse, pcOther).
-				WithStatusSubresource(pcLEStaging, pcLEStagingFalse, pcOther)
-
-			fc := builder.Build()
-
-			if tt.proxyClassPerResource != "" || tt.defaultProxyClass != "" {
-				name := tt.proxyClassPerResource
-				if name == "" {
-					name = tt.defaultProxyClass
-				}
-				setProxyClassReady(t, fc, cl, name)
-			}
-
-			mustCreate(t, fc, ingressClass())
-			mustCreate(t, fc, service())
-			ing := ingress()
-			if tt.proxyClassPerResource != "" {
-				ing.Labels = map[string]string{
-					LabelProxyClass: tt.proxyClassPerResource,
-				}
-			}
-			mustCreate(t, fc, ing)
-
-			ingR := &IngressReconciler{
-				Client: fc,
-				ssr: &tailscaleSTSReconciler{
-					Client:            fc,
-					tsClient:          &fakeTSClient{},
-					tsnetServer:       &fakeTSNetServer{certDomains: []string{"test-host"}},
-					defaultTags:       []string{"tag:test"},
-					operatorNamespace: "operator-ns",
-					proxyImage:        "tailscale/tailscale:test",
-				},
-				logger:            zl.Sugar(),
-				defaultProxyClass: tt.defaultProxyClass,
-			}
-
-			expectReconciled(t, ingR, "default", "test")
-
-			_, shortName := findGenName(t, fc, "default", "test", "ingress")
-			sts := &appsv1.StatefulSet{}
-			if err := fc.Get(context.Background(), client.ObjectKey{Namespace: "operator-ns", Name: shortName}, sts); err != nil {
-				t.Fatalf("failed to get StatefulSet: %v", err)
-			}
-
-			if tt.useLEStagingEndpoint {
-				verifyEnvVar(t, sts, "TS_DEBUG_ACME_DIRECTORY_URL", letsEncryptStagingEndpoint)
-			} else {
-				verifyEnvVarNotPresent(t, sts, "TS_DEBUG_ACME_DIRECTORY_URL")
-			}
-		})
-	}
-}
-
-func ingressClass() *networkingv1.IngressClass {
-	return &networkingv1.IngressClass{
-		ObjectMeta: metav1.ObjectMeta{Name: "tailscale"},
-		Spec:       networkingv1.IngressClassSpec{Controller: "tailscale.com/ts-ingress"},
-	}
-}
-
-func service() *corev1.Service {
-	return &corev1.Service{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test",
-			Namespace: "default",
-		},
-		Spec: corev1.ServiceSpec{
-			ClusterIP: "1.2.3.4",
-			Ports: []corev1.ServicePort{{
-				Port: 8080,
-				Name: "http"},
-			},
-		},
-	}
-}
-
-func ingress() *networkingv1.Ingress {
-	return &networkingv1.Ingress{
-		TypeMeta: metav1.TypeMeta{Kind: "Ingress", APIVersion: "networking.k8s.io/v1"},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test",
-			Namespace: "default",
-			UID:       types.UID("1234-UID"),
-		},
-		Spec: networkingv1.IngressSpec{
-			IngressClassName: ptr.To("tailscale"),
-			DefaultBackend: &networkingv1.IngressBackend{
-				Service: &networkingv1.IngressServiceBackend{
-					Name: "test",
-					Port: networkingv1.ServiceBackendPort{
-						Number: 8080,
-					},
-				},
-			},
-			TLS: []networkingv1.IngressTLS{
-				{Hosts: []string{"default-test"}},
-			},
-		},
-	}
-}
--- a/cmd/k8s-operator/metrics_resources.go
+++ b/cmd/k8s-operator/metrics_resources.go
@@ -19,7 +19,6 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
-	"tailscale.com/kube/kubetypes"
 )

 const (
@@ -223,7 +222,7 @@ func metricsResourceName(stsName string) string {
 // proxy.
 func metricsResourceLabels(opts *metricsOpts) map[string]string {
 	lbls := map[string]string{
-		kubetypes.LabelManaged:   "true",
+		LabelManaged:             "true",
 		labelMetricsTarget:       opts.proxyStsName,
 		labelPromProxyType:       opts.proxyType,
 		labelPromProxyParentName: opts.proxyLabels[LabelParentName],
--- a/cmd/k8s-operator/operator.go
+++ b/cmd/k8s-operator/operator.go
@@ -9,6 +9,7 @@ package main

 import (
 	"context"
+	"fmt"
 	"net/http"
 	"os"
 	"regexp"
@@ -39,6 +40,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"tailscale.com/client/local"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
@@ -331,6 +333,39 @@ func runReconcilers(opts reconcilerOpts) {
 	if err != nil {
 		startlog.Fatalf("could not create ingress reconciler: %v", err)
 	}
+	lc, err := opts.tsServer.LocalClient()
+	if err != nil {
+		startlog.Fatalf("could not get local client: %v", err)
+	}
+	id, err := id(context.Background(), lc)
+	if err != nil {
+		startlog.Fatalf("error determining stable ID of the operator's Tailscale device: %v", err)
+	}
+	ingressProxyGroupFilter := handler.EnqueueRequestsFromMapFunc(ingressesFromIngressProxyGroup(mgr.GetClient(), opts.log))
+	err = builder.
+		ControllerManagedBy(mgr).
+		For(&networkingv1.Ingress{}).
+		Named("ingress-pg-reconciler").
+		Watches(&corev1.Service{}, handler.EnqueueRequestsFromMapFunc(serviceHandlerForIngressPG(mgr.GetClient(), startlog))).
+		Watches(&tsapi.ProxyGroup{}, ingressProxyGroupFilter).
+		Complete(&HAIngressReconciler{
+			recorder:    eventRecorder,
+			tsClient:    opts.tsClient,
+			tsnetServer: opts.tsServer,
+			defaultTags: strings.Split(opts.proxyTags, ","),
+			Client:      mgr.GetClient(),
+			logger:      opts.log.Named("ingress-pg-reconciler"),
+			lc:          lc,
+			operatorID:  id,
+			tsNamespace: opts.tailscaleNamespace,
+		})
+	if err != nil {
+		startlog.Fatalf("could not create ingress-pg-reconciler: %v", err)
+	}
+	if err := mgr.GetFieldIndexer().IndexField(context.Background(), new(networkingv1.Ingress), indexIngressProxyGroup, indexPGIngresses); err != nil {
+		startlog.Fatalf("failed setting up indexer for HA Ingresses: %v", err)
+	}
+
 	connectorFilter := handler.EnqueueRequestsFromMapFunc(managedResourceHandlerForType("connector"))
 	// If a ProxyClassChanges, enqueue all Connectors that have
 	// .spec.proxyClass set to the name of this ProxyClass.
@@ -601,8 +636,8 @@ func enqueueAllIngressEgressProxySvcsInNS(ns string, cl client.Client, logger *z

 		// Get all headless Services for proxies configured using Service.
 		svcProxyLabels := map[string]string{
-			kubetypes.LabelManaged: "true",
-			LabelParentType:        "svc",
+			LabelManaged:    "true",
+			LabelParentType: "svc",
 		}
 		svcHeadlessSvcList := &corev1.ServiceList{}
 		if err := cl.List(ctx, svcHeadlessSvcList, client.InNamespace(ns), client.MatchingLabels(svcProxyLabels)); err != nil {
@@ -615,8 +650,8 @@ func enqueueAllIngressEgressProxySvcsInNS(ns string, cl client.Client, logger *z

 		// Get all headless Services for proxies configured using Ingress.
 		ingProxyLabels := map[string]string{
-			kubetypes.LabelManaged: "true",
-			LabelParentType:        "ingress",
+			LabelManaged:    "true",
+			LabelParentType: "ingress",
 		}
 		ingHeadlessSvcList := &corev1.ServiceList{}
 		if err := cl.List(ctx, ingHeadlessSvcList, client.InNamespace(ns), client.MatchingLabels(ingProxyLabels)); err != nil {
@@ -683,7 +718,7 @@ func dnsRecordsReconcilerIngressHandler(ns string, isDefaultLoadBalancer bool, c

 func isManagedResource(o client.Object) bool {
 	ls := o.GetLabels()
-	return ls[kubetypes.LabelManaged] == "true"
+	return ls[LabelManaged] == "true"
 }

 func isManagedByType(o client.Object, typ string) bool {
@@ -920,7 +955,7 @@ func egressPodsHandler(_ context.Context, o client.Object) []reconcile.Request {
 // returns reconciler requests for all egress EndpointSlices for that ProxyGroup.
 func egressEpsFromPGPods(cl client.Client, ns string) handler.MapFunc {
 	return func(_ context.Context, o client.Object) []reconcile.Request {
-		if v, ok := o.GetLabels()[kubetypes.LabelManaged]; !ok || v != "true" {
+		if v, ok := o.GetLabels()[LabelManaged]; !ok || v != "true" {
 			return nil
 		}
 		// TODO(irbekrm): for now this is good enough as all ProxyGroups are egress. Add a type check once we
@@ -940,13 +975,15 @@ func egressEpsFromPGPods(cl client.Client, ns string) handler.MapFunc {
 // returns reconciler requests for all egress EndpointSlices for that ProxyGroup.
 func egressEpsFromPGStateSecrets(cl client.Client, ns string) handler.MapFunc {
 	return func(_ context.Context, o client.Object) []reconcile.Request {
-		if v, ok := o.GetLabels()[kubetypes.LabelManaged]; !ok || v != "true" {
+		if v, ok := o.GetLabels()[LabelManaged]; !ok || v != "true" {
 			return nil
 		}
+		// TODO(irbekrm): for now this is good enough as all ProxyGroups are egress. Add a type check once we
+		// have ingress ProxyGroups.
 		if parentType := o.GetLabels()[LabelParentType]; parentType != "proxygroup" {
 			return nil
 		}
-		if secretType := o.GetLabels()[kubetypes.LabelSecretType]; secretType != "state" {
+		if secretType := o.GetLabels()[labelSecretType]; secretType != "state" {
 			return nil
 		}
 		pg, ok := o.GetLabels()[LabelParentName]
@@ -963,7 +1000,7 @@ func egressSvcFromEps(_ context.Context, o client.Object) []reconcile.Request {
 	if typ := o.GetLabels()[labelSvcType]; typ != typeEgress {
 		return nil
 	}
-	if v, ok := o.GetLabels()[kubetypes.LabelManaged]; !ok || v != "true" {
+	if v, ok := o.GetLabels()[LabelManaged]; !ok || v != "true" {
 		return nil
 	}
 	svcName, ok := o.GetLabels()[LabelParentName]
@@ -1033,6 +1070,36 @@ func egressSvcsFromEgressProxyGroup(cl client.Client, logger *zap.SugaredLogger)
 	}
 }

+// ingressesFromIngressProxyGroup is an event handler for ingress ProxyGroups. It returns reconcile requests for all
+// user-created Ingresses that should be exposed on this ProxyGroup.
+func ingressesFromIngressProxyGroup(cl client.Client, logger *zap.SugaredLogger) handler.MapFunc {
+	return func(ctx context.Context, o client.Object) []reconcile.Request {
+		pg, ok := o.(*tsapi.ProxyGroup)
+		if !ok {
+			logger.Infof("[unexpected] ProxyGroup handler triggered for an object that is not a ProxyGroup")
+			return nil
+		}
+		if pg.Spec.Type != tsapi.ProxyGroupTypeIngress {
+			return nil
+		}
+		ingList := &networkingv1.IngressList{}
+		if err := cl.List(ctx, ingList, client.MatchingFields{indexIngressProxyGroup: pg.Name}); err != nil {
+			logger.Infof("error listing Ingresses: %v, skipping a reconcile for event on ProxyGroup %s", err, pg.Name)
+			return nil
+		}
+		reqs := make([]reconcile.Request, 0)
+		for _, svc := range ingList.Items {
+			reqs = append(reqs, reconcile.Request{
+				NamespacedName: types.NamespacedName{
+					Namespace: svc.Namespace,
+					Name:      svc.Name,
+				},
+			})
+		}
+		return reqs
+	}
+}
+
 // epsFromExternalNameService is an event handler for ExternalName Services that define a Tailscale egress service that
 // should be exposed on a ProxyGroup. It returns reconcile requests for EndpointSlices created for this Service.
 func epsFromExternalNameService(cl client.Client, logger *zap.SugaredLogger, ns string) handler.MapFunc {
@@ -1078,9 +1145,9 @@ func podsFromEgressEps(cl client.Client, logger *zap.SugaredLogger, ns string) h
 			return nil
 		}
 		podLabels := map[string]string{
-			kubetypes.LabelManaged: "true",
-			LabelParentType:        "proxygroup",
-			LabelParentName:        eps.Labels[labelProxyGroup],
+			LabelManaged:    "true",
+			LabelParentType: "proxygroup",
+			LabelParentName: eps.Labels[labelProxyGroup],
 		}
 		podList := &corev1.PodList{}
 		if err := cl.List(ctx, podList, client.InNamespace(ns),
@@ -1153,7 +1220,63 @@ func indexEgressServices(o client.Object) []string {
 	return []string{o.GetAnnotations()[AnnotationProxyGroup]}
 }

+// indexPGIngresses adds a local index to a cached Tailscale Ingresses meant to be exposed on a ProxyGroup. The index is
+// used a list filter.
+func indexPGIngresses(o client.Object) []string {
+	if !hasProxyGroupAnnotation(o) {
+		return nil
+	}
+	return []string{o.GetAnnotations()[AnnotationProxyGroup]}
+}
+
+// serviceHandlerForIngressPG returns a handler for Service events that ensures that if the Service
+// associated with an event is a backend Service for a tailscale Ingress with ProxyGroup annotation,
+// the associated Ingress gets reconciled.
+func serviceHandlerForIngressPG(cl client.Client, logger *zap.SugaredLogger) handler.MapFunc {
+	return func(ctx context.Context, o client.Object) []reconcile.Request {
+		ingList := networkingv1.IngressList{}
+		if err := cl.List(ctx, &ingList, client.InNamespace(o.GetNamespace())); err != nil {
+			logger.Debugf("error listing Ingresses: %v", err)
+			return nil
+		}
+		reqs := make([]reconcile.Request, 0)
+		for _, ing := range ingList.Items {
+			if ing.Spec.IngressClassName == nil || *ing.Spec.IngressClassName != tailscaleIngressClassName {
+				continue
+			}
+			if !hasProxyGroupAnnotation(&ing) {
+				continue
+			}
+			if ing.Spec.DefaultBackend != nil && ing.Spec.DefaultBackend.Service != nil && ing.Spec.DefaultBackend.Service.Name == o.GetName() {
+				reqs = append(reqs, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(&ing)})
+			}
+			for _, rule := range ing.Spec.Rules {
+				if rule.HTTP == nil {
+					continue
+				}
+				for _, path := range rule.HTTP.Paths {
+					if path.Backend.Service != nil && path.Backend.Service.Name == o.GetName() {
+						reqs = append(reqs, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(&ing)})
+					}
+				}
+			}
+		}
+		return reqs
+	}
+}
+
 func hasProxyGroupAnnotation(obj client.Object) bool {
 	ing := obj.(*networkingv1.Ingress)
 	return ing.Annotations[AnnotationProxyGroup] != ""
 }
+
+func id(ctx context.Context, lc *local.Client) (string, error) {
+	st, err := lc.StatusWithoutPeers(ctx)
+	if err != nil {
+		return "", fmt.Errorf("error getting tailscale status: %w", err)
+	}
+	if st.Self == nil {
+		return "", fmt.Errorf("unexpected: device's status does not contain node's metadata")
+	}
+	return string(st.Self.ID), nil
+}
--- a/cmd/k8s-operator/operator_test.go
+++ b/cmd/k8s-operator/operator_test.go
@@ -1387,10 +1387,10 @@ func Test_serviceHandlerForIngress(t *testing.T) {
 			Name:      "headless-1",
 			Namespace: "tailscale",
 			Labels: map[string]string{
-				kubetypes.LabelManaged: "true",
-				LabelParentName:        "ing-1",
-				LabelParentNamespace:   "ns-1",
-				LabelParentType:        "ingress",
+				LabelManaged:         "true",
+				LabelParentName:      "ing-1",
+				LabelParentNamespace: "ns-1",
+				LabelParentType:      "ingress",
 			},
 		},
 	}
--- a/cmd/k8s-operator/proxygroup.go
+++ b/cmd/k8s-operator/proxygroup.go
@@ -302,10 +302,7 @@ func (r *ProxyGroupReconciler) maybeProvision(ctx context.Context, pg *tsapi.Pro
 	if err != nil {
 		return fmt.Errorf("error generating StatefulSet spec: %w", err)
 	}
-	cfg := &tailscaleSTSConfig{
-		proxyType: string(pg.Spec.Type),
-	}
-	ss = applyProxyClassToStatefulSet(proxyClass, ss, cfg, logger)
+	ss = applyProxyClassToStatefulSet(proxyClass, ss, nil, logger)
 	capver, err := r.capVerForPG(ctx, pg, logger)
 	if err != nil {
 		return fmt.Errorf("error getting device info: %w", err)
@@ -464,7 +461,7 @@ func (r *ProxyGroupReconciler) ensureConfigSecretsCreated(ctx context.Context, p

 		var existingCfgSecret *corev1.Secret // unmodified copy of secret
 		if err := r.Get(ctx, client.ObjectKeyFromObject(cfgSecret), cfgSecret); err == nil {
-			logger.Debugf("Secret %s/%s already exists", cfgSecret.GetNamespace(), cfgSecret.GetName())
+			logger.Debugf("secret %s/%s already exists", cfgSecret.GetNamespace(), cfgSecret.GetName())
 			existingCfgSecret = cfgSecret.DeepCopy()
 		} else if !apierrors.IsNotFound(err) {
 			return "", err
@@ -472,7 +469,7 @@ func (r *ProxyGroupReconciler) ensureConfigSecretsCreated(ctx context.Context, p

 		var authKey string
 		if existingCfgSecret == nil {
-			logger.Debugf("Creating authkey for new ProxyGroup proxy")
+			logger.Debugf("creating authkey for new ProxyGroup proxy")
 			tags := pg.Spec.Tags.Stringify()
 			if len(tags) == 0 {
 				tags = r.defaultTags
@@ -493,7 +490,7 @@ func (r *ProxyGroupReconciler) ensureConfigSecretsCreated(ctx context.Context, p
 			if err != nil {
 				return "", fmt.Errorf("error marshalling tailscaled config: %w", err)
 			}
-			mak.Set(&cfgSecret.Data, tsoperator.TailscaledConfigFileName(cap), cfgJSON)
+			mak.Set(&cfgSecret.StringData, tsoperator.TailscaledConfigFileName(cap), string(cfgJSON))
 		}

 		// The config sha256 sum is a value for a hash annotation used to trigger
@@ -523,14 +520,12 @@ func (r *ProxyGroupReconciler) ensureConfigSecretsCreated(ctx context.Context, p
 		}

 		if existingCfgSecret != nil {
-			if !apiequality.Semantic.DeepEqual(existingCfgSecret, cfgSecret) {
-				logger.Debugf("Updating the existing ProxyGroup config Secret %s", cfgSecret.Name)
-				if err := r.Update(ctx, cfgSecret); err != nil {
-					return "", err
-				}
+			logger.Debugf("patching the existing ProxyGroup config Secret %s", cfgSecret.Name)
+			if err := r.Patch(ctx, cfgSecret, client.MergeFrom(existingCfgSecret)); err != nil {
+				return "", err
 			}
 		} else {
-			logger.Debugf("Creating a new config Secret %s for the ProxyGroup", cfgSecret.Name)
+			logger.Debugf("creating a new config Secret %s for the ProxyGroup", cfgSecret.Name)
 			if err := r.Create(ctx, cfgSecret); err != nil {
 				return "", err
 			}
@@ -650,7 +645,7 @@ func (r *ProxyGroupReconciler) getNodeMetadata(ctx context.Context, pg *tsapi.Pr
 			return nil, fmt.Errorf("unexpected secret %s was labelled as owned by the ProxyGroup %s: %w", secret.Name, pg.Name, err)
 		}

-		prefs, ok, err := getDevicePrefs(&secret)
+		id, dnsName, ok, err := getNodeMetadata(ctx, &secret)
 		if err != nil {
 			return nil, err
 		}
@@ -661,8 +656,8 @@ func (r *ProxyGroupReconciler) getNodeMetadata(ctx context.Context, pg *tsapi.Pr
 		nm := nodeMetadata{
 			ordinal:     ordinal,
 			stateSecret: &secret,
-			tsID:        prefs.Config.NodeID,
-			dnsName:     prefs.Config.UserProfile.LoginName,
+			tsID:        id,
+			dnsName:     dnsName,
 		}
 		pod := &corev1.Pod{}
 		if err := r.Get(ctx, client.ObjectKey{Namespace: r.tsNamespace, Name: secret.Name}, pod); err != nil && !apierrors.IsNotFound(err) {
--- a/cmd/k8s-operator/proxygroup_specs.go
+++ b/cmd/k8s-operator/proxygroup_specs.go
@@ -178,15 +178,7 @@ func pgStatefulSet(pg *tsapi.ProxyGroup, namespace, image, tsFirewallMode string
 				corev1.EnvVar{
 					Name:  "TS_SERVE_CONFIG",
 					Value: fmt.Sprintf("/etc/proxies/%s", serveConfigKey),
-				},
-				corev1.EnvVar{
-					// Run proxies in cert share mode to
-					// ensure that only one TLS cert is
-					// issued for an HA Ingress.
-					Name:  "TS_EXPERIMENTAL_CERT_SHARE",
-					Value: "true",
-				},
-			)
+				})
 		}
 		return append(c.Env, envs...)
 	}()
@@ -233,13 +225,6 @@ func pgRole(pg *tsapi.ProxyGroup, namespace string) *rbacv1.Role {
 			OwnerReferences: pgOwnerReference(pg),
 		},
 		Rules: []rbacv1.PolicyRule{
-			{
-				APIGroups: []string{""},
-				Resources: []string{"secrets"},
-				Verbs: []string{
-					"list",
-				},
-			},
 			{
 				APIGroups: []string{""},
 				Resources: []string{"secrets"},
@@ -333,9 +318,9 @@ func pgIngressCM(pg *tsapi.ProxyGroup, namespace string) *corev1.ConfigMap {
 	}
 }

-func pgSecretLabels(pgName, secretType string) map[string]string {
+func pgSecretLabels(pgName, typ string) map[string]string {
 	return pgLabels(pgName, map[string]string{
-		kubetypes.LabelSecretType: secretType, // "config" or "state".
+		labelSecretType: typ, // "config" or "state".
 	})
 }

@@ -345,7 +330,7 @@ func pgLabels(pgName string, customLabels map[string]string) map[string]string {
 		l[k] = v
 	}

-	l[kubetypes.LabelManaged] = "true"
+	l[LabelManaged] = "true"
 	l[LabelParentType] = "proxygroup"
 	l[LabelParentName] = pgName

--- a/cmd/k8s-operator/proxygroup_test.go
+++ b/cmd/k8s-operator/proxygroup_test.go
@@ -247,6 +247,7 @@ func TestProxyGroup(t *testing.T) {
 		// The fake client does not clean up objects whose owner has been
 		// deleted, so we can't test for the owned resources getting deleted.
 	})
+
 }

 func TestProxyGroupTypes(t *testing.T) {
@@ -416,7 +417,6 @@ func TestProxyGroupTypes(t *testing.T) {
 		}
 		verifyEnvVar(t, sts, "TS_INTERNAL_APP", kubetypes.AppProxyGroupIngress)
 		verifyEnvVar(t, sts, "TS_SERVE_CONFIG", "/etc/proxies/serve-config.json")
-		verifyEnvVar(t, sts, "TS_EXPERIMENTAL_CERT_SHARE", "true")

 		// Verify ConfigMap volume mount
 		cmName := fmt.Sprintf("%s-ingress-config", pg.Name)
@@ -475,6 +475,8 @@ func TestIngressAdvertiseServicesConfigPreserved(t *testing.T) {
 			Name:      pgConfigSecretName(pgName, 0),
 			Namespace: tsNamespace,
 		},
+		// Write directly to Data because the fake client doesn't copy the write-only
+		// StringData field across to Data for us.
 		Data: map[string][]byte{
 			tsoperator.TailscaledConfigFileName(106): existingConfigBytes,
 		},
@@ -512,64 +514,10 @@ func TestIngressAdvertiseServicesConfigPreserved(t *testing.T) {
 			Namespace:       tsNamespace,
 			ResourceVersion: "2",
 		},
-		Data: map[string][]byte{
-			tsoperator.TailscaledConfigFileName(106): expectedConfigBytes,
+		StringData: map[string]string{
+			tsoperator.TailscaledConfigFileName(106): string(expectedConfigBytes),
 		},
-	})
-}
-
-func proxyClassesForLEStagingTest() (*tsapi.ProxyClass, *tsapi.ProxyClass, *tsapi.ProxyClass) {
-	pcLEStaging := &tsapi.ProxyClass{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:       "le-staging",
-			Generation: 1,
-		},
-		Spec: tsapi.ProxyClassSpec{
-			UseLetsEncryptStagingEnvironment: true,
-		},
-	}
-
-	pcLEStagingFalse := &tsapi.ProxyClass{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:       "le-staging-false",
-			Generation: 1,
-		},
-		Spec: tsapi.ProxyClassSpec{
-			UseLetsEncryptStagingEnvironment: false,
-		},
-	}
-
-	pcOther := &tsapi.ProxyClass{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:       "other",
-			Generation: 1,
-		},
-		Spec: tsapi.ProxyClassSpec{},
-	}
-
-	return pcLEStaging, pcLEStagingFalse, pcOther
-}
-
-func setProxyClassReady(t *testing.T, fc client.Client, cl *tstest.Clock, name string) *tsapi.ProxyClass {
-	t.Helper()
-	pc := &tsapi.ProxyClass{}
-	if err := fc.Get(context.Background(), client.ObjectKey{Name: name}, pc); err != nil {
-		t.Fatal(err)
-	}
-	pc.Status = tsapi.ProxyClassStatus{
-		Conditions: []metav1.Condition{{
-			Type:               string(tsapi.ProxyClassReady),
-			Status:             metav1.ConditionTrue,
-			Reason:             reasonProxyClassValid,
-			Message:            reasonProxyClassValid,
-			LastTransitionTime: metav1.Time{Time: cl.Now().Truncate(time.Second)},
-			ObservedGeneration: pc.Generation,
-		}},
-	}
-	if err := fc.Status().Update(context.Background(), pc); err != nil {
-		t.Fatal(err)
-	}
-	return pc
+	}, omitSecretData)
 }

 func verifyProxyGroupCounts(t *testing.T, r *ProxyGroupReconciler, wantIngress, wantEgress int) {
@@ -595,16 +543,6 @@ func verifyEnvVar(t *testing.T, sts *appsv1.StatefulSet, name, expectedValue str
 	t.Errorf("%s environment variable not found", name)
 }

-func verifyEnvVarNotPresent(t *testing.T, sts *appsv1.StatefulSet, name string) {
-	t.Helper()
-	for _, env := range sts.Spec.Template.Spec.Containers[0].Env {
-		if env.Name == name {
-			t.Errorf("environment variable %s should not be present", name)
-			return
-		}
-	}
-}
-
 func expectProxyGroupResources(t *testing.T, fc client.WithWatch, pg *tsapi.ProxyGroup, shouldExist bool, cfgHash string, proxyClass *tsapi.ProxyClass) {
 	t.Helper()

@@ -683,145 +621,10 @@ func addNodeIDToStateSecrets(t *testing.T, fc client.WithWatch, pg *tsapi.ProxyG
 	}
 }

-func TestProxyGroupLetsEncryptStaging(t *testing.T) {
-	cl := tstest.NewClock(tstest.ClockOpts{})
-	zl := zap.Must(zap.NewDevelopment())
-
-	// Set up test cases- most are shared with non-HA Ingress.
-	type proxyGroupLETestCase struct {
-		leStagingTestCase
-		pgType tsapi.ProxyGroupType
-	}
-	pcLEStaging, pcLEStagingFalse, pcOther := proxyClassesForLEStagingTest()
-	sharedTestCases := testCasesForLEStagingTests(pcLEStaging, pcLEStagingFalse, pcOther)
-	var tests []proxyGroupLETestCase
-	for _, tt := range sharedTestCases {
-		tests = append(tests, proxyGroupLETestCase{
-			leStagingTestCase: tt,
-			pgType:            tsapi.ProxyGroupTypeIngress,
-		})
-	}
-	tests = append(tests, proxyGroupLETestCase{
-		leStagingTestCase: leStagingTestCase{
-			name:                  "egress_pg_with_staging_proxyclass",
-			proxyClassPerResource: "le-staging",
-			useLEStagingEndpoint:  false,
-		},
-		pgType: tsapi.ProxyGroupTypeEgress,
-	})
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			builder := fake.NewClientBuilder().
-				WithScheme(tsapi.GlobalScheme)
-
-			// Pre-populate the fake client with ProxyClasses.
-			builder = builder.WithObjects(pcLEStaging, pcLEStagingFalse, pcOther).
-				WithStatusSubresource(pcLEStaging, pcLEStagingFalse, pcOther)
-
-			fc := builder.Build()
-
-			// If the test case needs a ProxyClass to exist, ensure it is set to Ready.
-			if tt.proxyClassPerResource != "" || tt.defaultProxyClass != "" {
-				name := tt.proxyClassPerResource
-				if name == "" {
-					name = tt.defaultProxyClass
-				}
-				setProxyClassReady(t, fc, cl, name)
-			}
-
-			// Create ProxyGroup
-			pg := &tsapi.ProxyGroup{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "test",
-				},
-				Spec: tsapi.ProxyGroupSpec{
-					Type:       tt.pgType,
-					Replicas:   ptr.To[int32](1),
-					ProxyClass: tt.proxyClassPerResource,
-				},
-			}
-			mustCreate(t, fc, pg)
-
-			reconciler := &ProxyGroupReconciler{
-				tsNamespace:       tsNamespace,
-				proxyImage:        testProxyImage,
-				defaultTags:       []string{"tag:test"},
-				defaultProxyClass: tt.defaultProxyClass,
-				Client:            fc,
-				tsClient:          &fakeTSClient{},
-				l:                 zl.Sugar(),
-				clock:             cl,
-			}
-
-			expectReconciled(t, reconciler, "", pg.Name)
-
-			// Verify that the StatefulSet created for ProxyGrup has
-			// the expected setting for the staging endpoint.
-			sts := &appsv1.StatefulSet{}
-			if err := fc.Get(context.Background(), client.ObjectKey{Namespace: tsNamespace, Name: pg.Name}, sts); err != nil {
-				t.Fatalf("failed to get StatefulSet: %v", err)
-			}
-
-			if tt.useLEStagingEndpoint {
-				verifyEnvVar(t, sts, "TS_DEBUG_ACME_DIRECTORY_URL", letsEncryptStagingEndpoint)
-			} else {
-				verifyEnvVarNotPresent(t, sts, "TS_DEBUG_ACME_DIRECTORY_URL")
-			}
-		})
-	}
-}
-
-type leStagingTestCase struct {
-	name string
-	// ProxyClass set on ProxyGroup or Ingress resource.
-	proxyClassPerResource string
-	// Default ProxyClass.
-	defaultProxyClass    string
-	useLEStagingEndpoint bool
-}
-
-// Shared test cases for LE staging endpoint configuration for ProxyGroup and
-// non-HA Ingress.
-func testCasesForLEStagingTests(pcLEStaging, pcLEStagingFalse, pcOther *tsapi.ProxyClass) []leStagingTestCase {
-	return []leStagingTestCase{
-		{
-			name:                  "with_staging_proxyclass",
-			proxyClassPerResource: "le-staging",
-			useLEStagingEndpoint:  true,
-		},
-		{
-			name:                  "with_staging_proxyclass_false",
-			proxyClassPerResource: "le-staging-false",
-			useLEStagingEndpoint:  false,
-		},
-		{
-			name:                  "with_other_proxyclass",
-			proxyClassPerResource: "other",
-			useLEStagingEndpoint:  false,
-		},
-		{
-			name:                  "no_proxyclass",
-			proxyClassPerResource: "",
-			useLEStagingEndpoint:  false,
-		},
-		{
-			name:                  "with_default_staging_proxyclass",
-			proxyClassPerResource: "",
-			defaultProxyClass:     "le-staging",
-			useLEStagingEndpoint:  true,
-		},
-		{
-			name:                  "with_default_other_proxyclass",
-			proxyClassPerResource: "",
-			defaultProxyClass:     "other",
-			useLEStagingEndpoint:  false,
-		},
-		{
-			name:                  "with_default_staging_proxyclass_false",
-			proxyClassPerResource: "",
-			defaultProxyClass:     "le-staging-false",
-			useLEStagingEndpoint:  false,
-		},
-	}
+// The operator mostly writes to StringData and reads from Data, but the fake
+// client doesn't copy StringData across to Data on write. When comparing actual
+// vs expected Secrets, use this function to only check what the operator writes
+// to StringData.
+func omitSecretData(secret *corev1.Secret) {
+	secret.Data = nil
 }
--- a/cmd/k8s-operator/sts.go
+++ b/cmd/k8s-operator/sts.go
@@ -44,9 +44,11 @@ const (
 	// Labels that the operator sets on StatefulSets and Pods. If you add a
 	// new label here, do also add it to tailscaleManagedLabels var to
 	// ensure that it does not get overwritten by ProxyClass configuration.
+	LabelManaged         = "tailscale.com/managed"
 	LabelParentType      = "tailscale.com/parent-resource-type"
 	LabelParentName      = "tailscale.com/parent-resource"
 	LabelParentNamespace = "tailscale.com/parent-resource-ns"
+	labelSecretType      = "tailscale.com/secret-type" // "config" or "state".

 	// LabelProxyClass can be set by users on tailscale Ingresses and Services that define cluster ingress or
 	// cluster egress, to specify that configuration in this ProxyClass should be applied to resources created for
@@ -102,13 +104,11 @@ const (

 	envVarTSLocalAddrPort = "TS_LOCAL_ADDR_PORT"
 	defaultLocalAddrPort  = 9002 // metrics and health check port
-
-	letsEncryptStagingEndpoint = "https://acme-staging-v02.api.letsencrypt.org/directory"
 )

 var (
 	// tailscaleManagedLabels are label keys that tailscale operator sets on StatefulSets and Pods.
-	tailscaleManagedLabels = []string{kubetypes.LabelManaged, LabelParentType, LabelParentName, LabelParentNamespace, "app"}
+	tailscaleManagedLabels = []string{LabelManaged, LabelParentType, LabelParentName, LabelParentNamespace, "app"}
 	// tailscaleManagedAnnotations are annotation keys that tailscale operator sets on StatefulSets and Pods.
 	tailscaleManagedAnnotations = []string{podAnnotationLastSetClusterIP, podAnnotationLastSetTailnetTargetIP, podAnnotationLastSetTailnetTargetFQDN, podAnnotationLastSetConfigFileHash}
 )
@@ -785,17 +785,6 @@ func applyProxyClassToStatefulSet(pc *tsapi.ProxyClass, ss *appsv1.StatefulSet,
 			enableEndpoints(ss, metricsEnabled, debugEnabled)
 		}
 	}
-	if pc.Spec.UseLetsEncryptStagingEnvironment && (stsCfg.proxyType == proxyTypeIngressResource || stsCfg.proxyType == string(tsapi.ProxyGroupTypeIngress)) {
-		for i, c := range ss.Spec.Template.Spec.Containers {
-			if c.Name == "tailscale" {
-				ss.Spec.Template.Spec.Containers[i].Env = append(ss.Spec.Template.Spec.Containers[i].Env, corev1.EnvVar{
-					Name:  "TS_DEBUG_ACME_DIRECTORY_URL",
-					Value: letsEncryptStagingEndpoint,
-				})
-				break
-			}
-		}
-	}

 	if pc.Spec.StatefulSet == nil {
 		return ss
--- a/cmd/k8s-operator/sts_test.go
+++ b/cmd/k8s-operator/sts_test.go
@@ -21,7 +21,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/yaml"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
-	"tailscale.com/kube/kubetypes"
 	"tailscale.com/types/ptr"
 )

@@ -157,8 +156,8 @@ func Test_applyProxyClassToStatefulSet(t *testing.T) {
 	// Set a couple additional fields so we can test that we don't
 	// mistakenly override those.
 	labels := map[string]string{
-		kubetypes.LabelManaged: "true",
-		LabelParentName:        "foo",
+		LabelManaged:    "true",
+		LabelParentName: "foo",
 	}
 	annots := map[string]string{
 		podAnnotationLastSetClusterIP: "1.2.3.4",
@@ -304,28 +303,28 @@ func Test_mergeStatefulSetLabelsOrAnnots(t *testing.T) {
 	}{
 		{
 			name:    "no custom labels specified and none present in current labels, return current labels",
-			current: map[string]string{kubetypes.LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
-			want:    map[string]string{kubetypes.LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			current: map[string]string{LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			want:    map[string]string{LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
 			managed: tailscaleManagedLabels,
 		},
 		{
 			name:    "no custom labels specified, but some present in current labels, return tailscale managed labels only from the current labels",
-			current: map[string]string{"foo": "bar", "something.io/foo": "bar", kubetypes.LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
-			want:    map[string]string{kubetypes.LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			current: map[string]string{"foo": "bar", "something.io/foo": "bar", LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			want:    map[string]string{LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
 			managed: tailscaleManagedLabels,
 		},
 		{
 			name:    "custom labels specified, current labels only contain tailscale managed labels, return a union of both",
-			current: map[string]string{kubetypes.LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			current: map[string]string{LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
 			custom:  map[string]string{"foo": "bar", "something.io/foo": "bar"},
-			want:    map[string]string{"foo": "bar", "something.io/foo": "bar", kubetypes.LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			want:    map[string]string{"foo": "bar", "something.io/foo": "bar", LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
 			managed: tailscaleManagedLabels,
 		},
 		{
 			name:    "custom labels specified, current labels contain tailscale managed labels and custom labels, some of which re not present in the new custom labels, return a union of managed labels and the desired custom labels",
-			current: map[string]string{"foo": "bar", "bar": "baz", "app": "1234", kubetypes.LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			current: map[string]string{"foo": "bar", "bar": "baz", "app": "1234", LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
 			custom:  map[string]string{"foo": "bar", "something.io/foo": "bar"},
-			want:    map[string]string{"foo": "bar", "something.io/foo": "bar", "app": "1234", kubetypes.LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			want:    map[string]string{"foo": "bar", "something.io/foo": "bar", "app": "1234", LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
 			managed: tailscaleManagedLabels,
 		},
 		{
--- a/cmd/k8s-operator/svc.go
+++ b/cmd/k8s-operator/svc.go
@@ -84,10 +84,10 @@ func childResourceLabels(name, ns, typ string) map[string]string {
 	// proxying. Instead, we have to do our own filtering and tracking with
 	// labels.
 	return map[string]string{
-		kubetypes.LabelManaged: "true",
-		LabelParentName:        name,
-		LabelParentNamespace:   ns,
-		LabelParentType:        typ,
+		LabelManaged:         "true",
+		LabelParentName:      name,
+		LabelParentNamespace: ns,
+		LabelParentType:      typ,
 	}
 }

--- a/cmd/k8s-operator/testutils_test.go
+++ b/cmd/k8s-operator/testutils_test.go
@@ -32,7 +32,6 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
-	"tailscale.com/kube/kubetypes"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/ptr"
 	"tailscale.com/util/mak"
@@ -564,10 +563,10 @@ func expectedSecret(t *testing.T, cl client.Client, opts configOpts) *corev1.Sec
 func findGenName(t *testing.T, client client.Client, ns, name, typ string) (full, noSuffix string) {
 	t.Helper()
 	labels := map[string]string{
-		kubetypes.LabelManaged: "true",
-		LabelParentName:        name,
-		LabelParentNamespace:   ns,
-		LabelParentType:        typ,
+		LabelManaged:         "true",
+		LabelParentName:      name,
+		LabelParentNamespace: ns,
+		LabelParentType:      typ,
 	}
 	s, err := getSingleObject[corev1.Secret](context.Background(), client, "operator-ns", labels)
 	if err != nil {
--- a/cmd/k8s-operator/tsrecorder.go
+++ b/cmd/k8s-operator/tsrecorder.go
@@ -230,7 +230,7 @@ func (r *RecorderReconciler) maybeProvision(ctx context.Context, tsr *tsapi.Reco
 func (r *RecorderReconciler) maybeCleanup(ctx context.Context, tsr *tsapi.Recorder) (bool, error) {
 	logger := r.logger(tsr.Name)

-	prefs, ok, err := r.getDevicePrefs(ctx, tsr.Name)
+	id, _, ok, err := r.getNodeMetadata(ctx, tsr.Name)
 	if err != nil {
 		return false, err
 	}
@@ -243,7 +243,6 @@ func (r *RecorderReconciler) maybeCleanup(ctx context.Context, tsr *tsapi.Record
 		return true, nil
 	}

-	id := string(prefs.Config.NodeID)
 	logger.Debugf("deleting device %s from control", string(id))
 	if err := r.tsClient.DeleteDevice(ctx, string(id)); err != nil {
 		errResp := &tailscale.ErrResponse{}
@@ -328,33 +327,34 @@ func (r *RecorderReconciler) getStateSecret(ctx context.Context, tsrName string)
 	return secret, nil
 }

-func (r *RecorderReconciler) getDevicePrefs(ctx context.Context, tsrName string) (prefs prefs, ok bool, err error) {
+func (r *RecorderReconciler) getNodeMetadata(ctx context.Context, tsrName string) (id tailcfg.StableNodeID, dnsName string, ok bool, err error) {
 	secret, err := r.getStateSecret(ctx, tsrName)
 	if err != nil || secret == nil {
-		return prefs, false, err
+		return "", "", false, err
 	}

-	return getDevicePrefs(secret)
+	return getNodeMetadata(ctx, secret)
 }

-// getDevicePrefs returns 'ok == true' iff the node ID is found. The dnsName
+// getNodeMetadata returns 'ok == true' iff the node ID is found. The dnsName
 // is expected to always be non-empty if the node ID is, but not required.
-func getDevicePrefs(secret *corev1.Secret) (prefs prefs, ok bool, err error) {
+func getNodeMetadata(ctx context.Context, secret *corev1.Secret) (id tailcfg.StableNodeID, dnsName string, ok bool, err error) {
 	// TODO(tomhjp): Should maybe use ipn to parse the following info instead.
 	currentProfile, ok := secret.Data[currentProfileKey]
 	if !ok {
-		return prefs, false, nil
+		return "", "", false, nil
 	}
 	profileBytes, ok := secret.Data[string(currentProfile)]
 	if !ok {
-		return prefs, false, nil
+		return "", "", false, nil
 	}
-	if err := json.Unmarshal(profileBytes, &prefs); err != nil {
-		return prefs, false, fmt.Errorf("failed to extract node profile info from state Secret %s: %w", secret.Name, err)
+	var profile profile
+	if err := json.Unmarshal(profileBytes, &profile); err != nil {
+		return "", "", false, fmt.Errorf("failed to extract node profile info from state Secret %s: %w", secret.Name, err)
 	}

-	ok = prefs.Config.NodeID != ""
-	return prefs, ok, nil
+	ok = profile.Config.NodeID != ""
+	return tailcfg.StableNodeID(profile.Config.NodeID), profile.Config.UserProfile.LoginName, ok, nil
 }

 func (r *RecorderReconciler) getDeviceInfo(ctx context.Context, tsrName string) (d tsapi.RecorderTailnetDevice, ok bool, err error) {
@@ -367,14 +367,14 @@ func (r *RecorderReconciler) getDeviceInfo(ctx context.Context, tsrName string)
 }

 func getDeviceInfo(ctx context.Context, tsClient tsClient, secret *corev1.Secret) (d tsapi.RecorderTailnetDevice, ok bool, err error) {
-	prefs, ok, err := getDevicePrefs(secret)
+	nodeID, dnsName, ok, err := getNodeMetadata(ctx, secret)
 	if !ok || err != nil {
 		return tsapi.RecorderTailnetDevice{}, false, err
 	}

 	// TODO(tomhjp): The profile info doesn't include addresses, which is why we
 	// need the API. Should we instead update the profile to include addresses?
-	device, err := tsClient.Device(ctx, string(prefs.Config.NodeID), nil)
+	device, err := tsClient.Device(ctx, string(nodeID), nil)
 	if err != nil {
 		return tsapi.RecorderTailnetDevice{}, false, fmt.Errorf("failed to get device info from API: %w", err)
 	}
@@ -383,25 +383,20 @@ func getDeviceInfo(ctx context.Context, tsClient tsClient, secret *corev1.Secret
 		Hostname:   device.Hostname,
 		TailnetIPs: device.Addresses,
 	}
-	if dnsName := prefs.Config.UserProfile.LoginName; dnsName != "" {
+	if dnsName != "" {
 		d.URL = fmt.Sprintf("https://%s", dnsName)
 	}

 	return d, true, nil
 }

-// [prefs] is a subset of the ipn.Prefs struct used for extracting information
-// from the state Secret of Tailscale devices.
-type prefs struct {
+type profile struct {
 	Config struct {
-		NodeID      tailcfg.StableNodeID `json:"NodeID"`
+		NodeID      string `json:"NodeID"`
 		UserProfile struct {
-			// LoginName is the MagicDNS name of the device, e.g. foo.tail-scale.ts.net.
 			LoginName string `json:"LoginName"`
 		} `json:"UserProfile"`
 	} `json:"Config"`
-
-	AdvertiseServices []string `json:"AdvertiseServices"`
 }

 func markedForDeletion(obj metav1.Object) bool {
--- a/cmd/natc/natc.go
+++ b/cmd/natc/natc.go
@@ -94,24 +94,18 @@ func main() {
 		}
 		ignoreDstTable.Insert(pfx, true)
 	}
-	var (
-		v4Prefixes    []netip.Prefix
-		numV4DNSAddrs int
-	)
+	var v4Prefixes []netip.Prefix
 	for _, s := range strings.Split(*v4PfxStr, ",") {
 		p := netip.MustParsePrefix(strings.TrimSpace(s))
 		if p.Masked() != p {
 			log.Fatalf("v4 prefix %v is not a masked prefix", p)
 		}
 		v4Prefixes = append(v4Prefixes, p)
-		numIPs := 1 << (32 - p.Bits())
-		numV4DNSAddrs += numIPs
 	}
 	if len(v4Prefixes) == 0 {
 		log.Fatalf("no v4 prefixes specified")
 	}
 	dnsAddr := v4Prefixes[0].Addr()
-	numV4DNSAddrs -= 1 // Subtract the dnsAddr allocated above.
 	ts := &tsnet.Server{
 		Hostname: *hostname,
 	}
@@ -159,13 +153,12 @@ func main() {
 	}

 	c := &connector{
-		ts:            ts,
-		lc:            lc,
-		dnsAddr:       dnsAddr,
-		v4Ranges:      v4Prefixes,
-		numV4DNSAddrs: numV4DNSAddrs,
-		v6ULA:         ula(uint16(*siteID)),
-		ignoreDsts:    ignoreDstTable,
+		ts:         ts,
+		lc:         lc,
+		dnsAddr:    dnsAddr,
+		v4Ranges:   v4Prefixes,
+		v6ULA:      ula(uint16(*siteID)),
+		ignoreDsts: ignoreDstTable,
 	}
 	c.run(ctx)
 }
@@ -184,11 +177,6 @@ type connector struct {
 	// v4Ranges is the list of IPv4 ranges to advertise and assign addresses from.
 	// These are masked prefixes.
 	v4Ranges []netip.Prefix
-
-	// numV4DNSAddrs is the total size of the IPv4 ranges in addresses, minus the
-	// dnsAddr allocation.
-	numV4DNSAddrs int
-
 	// v6ULA is the ULA prefix used by the app connector to assign IPv6 addresses.
 	v6ULA netip.Prefix

@@ -514,7 +502,6 @@ type perPeerState struct {
 	mu           sync.Mutex
 	domainToAddr map[string][]netip.Addr
 	addrToDomain *bart.Table[string]
-	numV4Allocs  int
 }

 // domainForIP returns the domain name assigned to the given IP address and
@@ -560,25 +547,17 @@ func (ps *perPeerState) isIPUsedLocked(ip netip.Addr) bool {

 // unusedIPv4Locked returns an unused IPv4 address from the available ranges.
 func (ps *perPeerState) unusedIPv4Locked() netip.Addr {
-	// All addresses have been allocated.
-	if ps.numV4Allocs >= ps.c.numV4DNSAddrs {
-		return netip.Addr{}
-	}
-
 	// TODO: skip ranges that have been exhausted
-	// TODO: implement a much more efficient algorithm for finding unused IPs,
-	// this is fairly crazy.
-	for {
-		for _, r := range ps.c.v4Ranges {
-			ip := randV4(r)
-			if !r.Contains(ip) {
-				panic("error: randV4 returned invalid address")
-			}
+	for _, r := range ps.c.v4Ranges {
+		ip := randV4(r)
+		for r.Contains(ip) {
 			if !ps.isIPUsedLocked(ip) && ip != ps.c.dnsAddr {
 				return ip
 			}
+			ip = ip.Next()
 		}
 	}
+	return netip.Addr{}
 }

 // randV4 returns a random IPv4 address within the given prefix.
@@ -604,7 +583,6 @@ func (ps *perPeerState) assignAddrsLocked(domain string) []netip.Addr {
 	if !v4.IsValid() {
 		return nil
 	}
-	ps.numV4Allocs++
 	as16 := ps.c.v6ULA.Addr().As16()
 	as4 := v4.As4()
 	copy(as16[12:], as4[:])
--- a/cmd/natc/natc_test.go
+++ b/cmd/natc/natc_test.go
@@ -1,429 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package main
-
-import (
-	"errors"
-	"fmt"
-	"net/netip"
-	"slices"
-	"testing"
-
-	"github.com/gaissmai/bart"
-	"github.com/google/go-cmp/cmp"
-	"golang.org/x/net/dns/dnsmessage"
-	"tailscale.com/tailcfg"
-)
-
-func prefixEqual(a, b netip.Prefix) bool {
-	return a.Bits() == b.Bits() && a.Addr() == b.Addr()
-}
-
-func TestULA(t *testing.T) {
-	tests := []struct {
-		name     string
-		siteID   uint16
-		expected string
-	}{
-		{"zero", 0, "fd7a:115c:a1e0:a99c:0000::/80"},
-		{"one", 1, "fd7a:115c:a1e0:a99c:0001::/80"},
-		{"max", 65535, "fd7a:115c:a1e0:a99c:ffff::/80"},
-		{"random", 12345, "fd7a:115c:a1e0:a99c:3039::/80"},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			got := ula(tc.siteID)
-			expected := netip.MustParsePrefix(tc.expected)
-			if !prefixEqual(got, expected) {
-				t.Errorf("ula(%d) = %s; want %s", tc.siteID, got, expected)
-			}
-		})
-	}
-}
-
-func TestRandV4(t *testing.T) {
-	pfx := netip.MustParsePrefix("100.64.1.0/24")
-
-	for i := 0; i < 512; i++ {
-		ip := randV4(pfx)
-		if !pfx.Contains(ip) {
-			t.Errorf("randV4(%s) = %s; not contained in prefix", pfx, ip)
-		}
-	}
-}
-
-func TestDNSResponse(t *testing.T) {
-	tests := []struct {
-		name        string
-		questions   []dnsmessage.Question
-		addrs       []netip.Addr
-		wantEmpty   bool
-		wantAnswers []struct {
-			name  string
-			qType dnsmessage.Type
-			addr  netip.Addr
-		}
-	}{
-		{
-			name:        "empty_request",
-			questions:   []dnsmessage.Question{},
-			addrs:       []netip.Addr{},
-			wantEmpty:   false,
-			wantAnswers: nil,
-		},
-		{
-			name: "a_record",
-			questions: []dnsmessage.Question{
-				{
-					Name:  dnsmessage.MustNewName("example.com."),
-					Type:  dnsmessage.TypeA,
-					Class: dnsmessage.ClassINET,
-				},
-			},
-			addrs: []netip.Addr{netip.MustParseAddr("100.64.1.5")},
-			wantAnswers: []struct {
-				name  string
-				qType dnsmessage.Type
-				addr  netip.Addr
-			}{
-				{
-					name:  "example.com.",
-					qType: dnsmessage.TypeA,
-					addr:  netip.MustParseAddr("100.64.1.5"),
-				},
-			},
-		},
-		{
-			name: "aaaa_record",
-			questions: []dnsmessage.Question{
-				{
-					Name:  dnsmessage.MustNewName("example.com."),
-					Type:  dnsmessage.TypeAAAA,
-					Class: dnsmessage.ClassINET,
-				},
-			},
-			addrs: []netip.Addr{netip.MustParseAddr("fd7a:115c:a1e0:a99c:0001:0505:0505:0505")},
-			wantAnswers: []struct {
-				name  string
-				qType dnsmessage.Type
-				addr  netip.Addr
-			}{
-				{
-					name:  "example.com.",
-					qType: dnsmessage.TypeAAAA,
-					addr:  netip.MustParseAddr("fd7a:115c:a1e0:a99c:0001:0505:0505:0505"),
-				},
-			},
-		},
-		{
-			name: "soa_record",
-			questions: []dnsmessage.Question{
-				{
-					Name:  dnsmessage.MustNewName("example.com."),
-					Type:  dnsmessage.TypeSOA,
-					Class: dnsmessage.ClassINET,
-				},
-			},
-			addrs:       []netip.Addr{},
-			wantAnswers: nil,
-		},
-		{
-			name: "ns_record",
-			questions: []dnsmessage.Question{
-				{
-					Name:  dnsmessage.MustNewName("example.com."),
-					Type:  dnsmessage.TypeNS,
-					Class: dnsmessage.ClassINET,
-				},
-			},
-			addrs:       []netip.Addr{},
-			wantAnswers: nil,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			req := &dnsmessage.Message{
-				Header: dnsmessage.Header{
-					ID: 1234,
-				},
-				Questions: tc.questions,
-			}
-
-			resp, err := dnsResponse(req, tc.addrs)
-			if err != nil {
-				t.Fatalf("dnsResponse() error = %v", err)
-			}
-
-			if tc.wantEmpty && len(resp) != 0 {
-				t.Errorf("dnsResponse() returned non-empty response when expected empty")
-			}
-
-			if !tc.wantEmpty && len(resp) == 0 {
-				t.Errorf("dnsResponse() returned empty response when expected non-empty")
-			}
-
-			if len(resp) > 0 {
-				var msg dnsmessage.Message
-				err = msg.Unpack(resp)
-				if err != nil {
-					t.Fatalf("Failed to unpack response: %v", err)
-				}
-
-				if !msg.Header.Response {
-					t.Errorf("Response header is not set")
-				}
-
-				if msg.Header.ID != req.Header.ID {
-					t.Errorf("Response ID = %d, want %d", msg.Header.ID, req.Header.ID)
-				}
-
-				if len(tc.wantAnswers) > 0 {
-					if len(msg.Answers) != len(tc.wantAnswers) {
-						t.Errorf("got %d answers, want %d", len(msg.Answers), len(tc.wantAnswers))
-					} else {
-						for i, want := range tc.wantAnswers {
-							ans := msg.Answers[i]
-
-							gotName := ans.Header.Name.String()
-							if gotName != want.name {
-								t.Errorf("answer[%d] name = %s, want %s", i, gotName, want.name)
-							}
-
-							if ans.Header.Type != want.qType {
-								t.Errorf("answer[%d] type = %v, want %v", i, ans.Header.Type, want.qType)
-							}
-
-							var gotIP netip.Addr
-							switch want.qType {
-							case dnsmessage.TypeA:
-								if ans.Body.(*dnsmessage.AResource) == nil {
-									t.Errorf("answer[%d] not an A record", i)
-									continue
-								}
-								resource := ans.Body.(*dnsmessage.AResource)
-								gotIP = netip.AddrFrom4([4]byte(resource.A))
-							case dnsmessage.TypeAAAA:
-								if ans.Body.(*dnsmessage.AAAAResource) == nil {
-									t.Errorf("answer[%d] not an AAAA record", i)
-									continue
-								}
-								resource := ans.Body.(*dnsmessage.AAAAResource)
-								gotIP = netip.AddrFrom16([16]byte(resource.AAAA))
-							}
-
-							if gotIP != want.addr {
-								t.Errorf("answer[%d] IP = %s, want %s", i, gotIP, want.addr)
-							}
-						}
-					}
-				}
-			}
-		})
-	}
-}
-
-func TestPerPeerState(t *testing.T) {
-	c := &connector{
-		v4Ranges:      []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")},
-		v6ULA:         netip.MustParsePrefix("fd7a:115c:a1e0:a99c:0001::/80"),
-		dnsAddr:       netip.MustParseAddr("100.64.1.0"),
-		numV4DNSAddrs: (1<<(32-24) - 1),
-	}
-
-	ps := &perPeerState{c: c}
-
-	addrs, err := ps.ipForDomain("example.com")
-	if err != nil {
-		t.Fatalf("ipForDomain() error = %v", err)
-	}
-
-	if len(addrs) != 2 {
-		t.Fatalf("ipForDomain() returned %d addresses, want 2", len(addrs))
-	}
-
-	v4 := addrs[0]
-	v6 := addrs[1]
-
-	if !v4.Is4() {
-		t.Errorf("First address is not IPv4: %s", v4)
-	}
-
-	if !v6.Is6() {
-		t.Errorf("Second address is not IPv6: %s", v6)
-	}
-
-	if !c.v4Ranges[0].Contains(v4) {
-		t.Errorf("IPv4 address %s not in range %s", v4, c.v4Ranges[0])
-	}
-
-	domain, ok := ps.domainForIP(v4)
-	if !ok {
-		t.Errorf("domainForIP(%s) not found", v4)
-	} else if domain != "example.com" {
-		t.Errorf("domainForIP(%s) = %s, want %s", v4, domain, "example.com")
-	}
-
-	domain, ok = ps.domainForIP(v6)
-	if !ok {
-		t.Errorf("domainForIP(%s) not found", v6)
-	} else if domain != "example.com" {
-		t.Errorf("domainForIP(%s) = %s, want %s", v6, domain, "example.com")
-	}
-
-	addrs2, err := ps.ipForDomain("example.com")
-	if err != nil {
-		t.Fatalf("ipForDomain() second call error = %v", err)
-	}
-
-	if !slices.Equal(addrs, addrs2) {
-		t.Errorf("ipForDomain() second call = %v, want %v", addrs2, addrs)
-	}
-}
-
-func TestIgnoreDestination(t *testing.T) {
-	ignoreDstTable := &bart.Table[bool]{}
-	ignoreDstTable.Insert(netip.MustParsePrefix("192.168.1.0/24"), true)
-	ignoreDstTable.Insert(netip.MustParsePrefix("10.0.0.0/8"), true)
-
-	c := &connector{
-		ignoreDsts: ignoreDstTable,
-	}
-
-	tests := []struct {
-		name     string
-		addrs    []netip.Addr
-		expected bool
-	}{
-		{
-			name:     "no_match",
-			addrs:    []netip.Addr{netip.MustParseAddr("8.8.8.8"), netip.MustParseAddr("1.1.1.1")},
-			expected: false,
-		},
-		{
-			name:     "one_match",
-			addrs:    []netip.Addr{netip.MustParseAddr("8.8.8.8"), netip.MustParseAddr("192.168.1.5")},
-			expected: true,
-		},
-		{
-			name:     "all_match",
-			addrs:    []netip.Addr{netip.MustParseAddr("10.0.0.1"), netip.MustParseAddr("192.168.1.5")},
-			expected: true,
-		},
-		{
-			name:     "empty_addrs",
-			addrs:    []netip.Addr{},
-			expected: false,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			got := c.ignoreDestination(tc.addrs)
-			if got != tc.expected {
-				t.Errorf("ignoreDestination(%v) = %v, want %v", tc.addrs, got, tc.expected)
-			}
-		})
-	}
-}
-
-func TestConnectorGenerateDNSResponse(t *testing.T) {
-	c := &connector{
-		v4Ranges:      []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")},
-		v6ULA:         netip.MustParsePrefix("fd7a:115c:a1e0:a99c:0001::/80"),
-		dnsAddr:       netip.MustParseAddr("100.64.1.0"),
-		numV4DNSAddrs: (1<<(32-24) - 1),
-	}
-
-	req := &dnsmessage.Message{
-		Header: dnsmessage.Header{ID: 1234},
-		Questions: []dnsmessage.Question{
-			{
-				Name:  dnsmessage.MustNewName("example.com."),
-				Type:  dnsmessage.TypeA,
-				Class: dnsmessage.ClassINET,
-			},
-		},
-	}
-
-	nodeID := tailcfg.NodeID(12345)
-
-	resp1, err := c.generateDNSResponse(req, nodeID)
-	if err != nil {
-		t.Fatalf("generateDNSResponse() error = %v", err)
-	}
-	if len(resp1) == 0 {
-		t.Fatalf("generateDNSResponse() returned empty response")
-	}
-
-	resp2, err := c.generateDNSResponse(req, nodeID)
-	if err != nil {
-		t.Fatalf("generateDNSResponse() second call error = %v", err)
-	}
-
-	if !cmp.Equal(resp1, resp2) {
-		t.Errorf("generateDNSResponse() responses differ between calls")
-	}
-}
-
-func TestIPPoolExhaustion(t *testing.T) {
-	smallPrefix := netip.MustParsePrefix("100.64.1.0/30") // Only 4 IPs: .0, .1, .2, .3
-	c := &connector{
-		v6ULA:         netip.MustParsePrefix("fd7a:115c:a1e0:a99c:0001::/80"),
-		v4Ranges:      []netip.Prefix{smallPrefix},
-		dnsAddr:       netip.MustParseAddr("100.64.1.0"),
-		numV4DNSAddrs: 3,
-	}
-
-	ps := &perPeerState{c: c}
-
-	assignedIPs := make(map[netip.Addr]string)
-
-	domains := []string{"a.example.com", "b.example.com", "c.example.com", "d.example.com"}
-
-	var errs []error
-
-	for i := 0; i < 5; i++ {
-		for _, domain := range domains {
-			addrs, err := ps.ipForDomain(domain)
-			if err != nil {
-				errs = append(errs, fmt.Errorf("failed to get IP for domain %q: %w", domain, err))
-				continue
-			}
-
-			for _, addr := range addrs {
-				if d, ok := assignedIPs[addr]; ok {
-					if d != domain {
-						t.Errorf("IP %s reused for domain %q, previously assigned to %q", addr, domain, d)
-					}
-				} else {
-					assignedIPs[addr] = domain
-				}
-			}
-		}
-	}
-
-	for addr, domain := range assignedIPs {
-		if addr.Is4() && !smallPrefix.Contains(addr) {
-			t.Errorf("IP %s for domain %q not in expected range %s", addr, domain, smallPrefix)
-		}
-		if addr.Is6() && !c.v6ULA.Contains(addr) {
-			t.Errorf("IP %s for domain %q not in expected range %s", addr, domain, c.v6ULA)
-		}
-		if addr == c.dnsAddr {
-			t.Errorf("IP %s for domain %q is the reserved DNS address", addr, domain)
-		}
-	}
-
-	// expect one error for each iteration with the 4th domain
-	if len(errs) != 5 {
-		t.Errorf("Expected 5 errors, got %d: %v", len(errs), errs)
-	}
-	for _, err := range errs {
-		if !errors.Is(err, ErrNoIPsAvailable) {
-			t.Errorf("generateDNSResponse() error = %v, want ErrNoIPsAvailable", err)
-		}
-	}
-}
--- a/cmd/proxy-to-grafana/proxy-to-grafana.go
+++ b/cmd/proxy-to-grafana/proxy-to-grafana.go
@@ -19,25 +19,8 @@
 //	header_property = username
 //	auto_sign_up = true
 //	whitelist = 127.0.0.1
-//	headers = Email:X-Webauth-User, Name:X-Webauth-Name, Role:X-Webauth-Role
+//	headers = Name:X-WEBAUTH-NAME
 //	enable_login_token = true
-//
-// You can use grants in Tailscale ACL to give users different roles in Grafana.
-// For example, to give group:eng the Editor role, add the following to your ACLs:
-//
-//	 "grants": [
-//			{
-//				"src": ["group:eng"],
-//				"dst": ["tag:grafana"],
-//				"app": {
-//					"tailscale.com/cap/proxy-to-grafana": [{
-//						"role": "editor",
-//					}],
-//				},
-//			},
-//	 ],
-//
-// If multiple roles are specified, the most permissive role is used.
 package main

 import (
@@ -66,57 +49,6 @@ var (
 	loginServer  = flag.String("login-server", "", "URL to alternative control server. If empty, the default Tailscale control is used.")
 )

-// aclCap is the Tailscale ACL capability used to configure proxy-to-grafana.
-const aclCap tailcfg.PeerCapability = "tailscale.com/cap/proxy-to-grafana"
-
-// aclGrant is an access control rule that assigns Grafana permissions
-// while provisioning a user.
-type aclGrant struct {
-	// Role is one of: "viewer", "editor", "admin".
-	Role string `json:"role"`
-}
-
-// grafanaRole defines possible Grafana roles.
-type grafanaRole int
-
-const (
-	// Roles are ordered by their permissions, with the least permissive role first.
-	// If a user has multiple roles, the most permissive role is used.
-	ViewerRole grafanaRole = iota
-	EditorRole
-	AdminRole
-)
-
-// String returns the string representation of a grafanaRole.
-// It is used as a header value in the HTTP request to Grafana.
-func (r grafanaRole) String() string {
-	switch r {
-	case ViewerRole:
-		return "Viewer"
-	case EditorRole:
-		return "Editor"
-	case AdminRole:
-		return "Admin"
-	default:
-		// A safe default.
-		return "Viewer"
-	}
-}
-
-// roleFromString converts a string to a grafanaRole.
-// It is used to parse the role from the ACL grant.
-func roleFromString(s string) (grafanaRole, error) {
-	switch strings.ToLower(s) {
-	case "viewer":
-		return ViewerRole, nil
-	case "editor":
-		return EditorRole, nil
-	case "admin":
-		return AdminRole, nil
-	}
-	return ViewerRole, fmt.Errorf("unknown role: %q", s)
-}
-
 func main() {
 	flag.Parse()
 	if *hostname == "" || strings.Contains(*hostname, ".") {
@@ -202,15 +134,7 @@ func modifyRequest(req *http.Request, localClient *local.Client) {
 		return
 	}

-	// Delete any existing X-Webauth-* headers to prevent possible spoofing
-	// if getting Tailnet identity fails.
-	for h := range req.Header {
-		if strings.HasPrefix(h, "X-Webauth-") {
-			req.Header.Del(h)
-		}
-	}
-
-	user, role, err := getTailscaleIdentity(req.Context(), localClient, req.RemoteAddr)
+	user, err := getTailscaleUser(req.Context(), localClient, req.RemoteAddr)
 	if err != nil {
 		log.Printf("error getting Tailscale user: %v", err)
 		return
@@ -218,33 +142,19 @@ func modifyRequest(req *http.Request, localClient *local.Client) {

 	req.Header.Set("X-Webauth-User", user.LoginName)
 	req.Header.Set("X-Webauth-Name", user.DisplayName)
-	req.Header.Set("X-Webauth-Role", role.String())
 }

-func getTailscaleIdentity(ctx context.Context, localClient *local.Client, ipPort string) (*tailcfg.UserProfile, grafanaRole, error) {
+func getTailscaleUser(ctx context.Context, localClient *local.Client, ipPort string) (*tailcfg.UserProfile, error) {
 	whois, err := localClient.WhoIs(ctx, ipPort)
 	if err != nil {
-		return nil, ViewerRole, fmt.Errorf("failed to identify remote host: %w", err)
+		return nil, fmt.Errorf("failed to identify remote host: %w", err)
 	}
 	if whois.Node.IsTagged() {
-		return nil, ViewerRole, fmt.Errorf("tagged nodes are not users")
+		return nil, fmt.Errorf("tagged nodes are not users")
 	}
 	if whois.UserProfile == nil || whois.UserProfile.LoginName == "" {
-		return nil, ViewerRole, fmt.Errorf("failed to identify remote user")
+		return nil, fmt.Errorf("failed to identify remote user")
 	}

-	role := ViewerRole
-	grants, err := tailcfg.UnmarshalCapJSON[aclGrant](whois.CapMap, aclCap)
-	if err != nil {
-		return nil, ViewerRole, fmt.Errorf("failed to unmarshal ACL grants: %w", err)
-	}
-	for _, g := range grants {
-		r, err := roleFromString(g.Role)
-		if err != nil {
-			return nil, ViewerRole, fmt.Errorf("failed to parse role: %w", err)
-		}
-		role = max(role, r)
-	}
-
-	return whois.UserProfile, role, nil
+	return whois.UserProfile, nil
 }
--- a/cmd/stund/depaware.txt
+++ b/cmd/stund/depaware.txt
@@ -49,7 +49,6 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        google.golang.org/protobuf/types/known/timestamppb           from github.com/prometheus/client_golang/prometheus+
        tailscale.com                                                from tailscale.com/version
        tailscale.com/envknob                                        from tailscale.com/tsweb+
-        tailscale.com/feature                                        from tailscale.com/tsweb
        tailscale.com/kube/kubetypes                                 from tailscale.com/envknob
        tailscale.com/metrics                                        from tailscale.com/net/stunserver+
        tailscale.com/net/netaddr                                    from tailscale.com/net/tsaddr
@@ -58,8 +57,8 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        tailscale.com/net/tsaddr                                     from tailscale.com/tsweb
        tailscale.com/syncs                                          from tailscale.com/metrics
        tailscale.com/tailcfg                                        from tailscale.com/version
-        tailscale.com/tsweb                                          from tailscale.com/cmd/stund+
-        tailscale.com/tsweb/promvarz                                 from tailscale.com/cmd/stund
+        tailscale.com/tsweb                                          from tailscale.com/cmd/stund
+        tailscale.com/tsweb/promvarz                                 from tailscale.com/tsweb
        tailscale.com/tsweb/varz                                     from tailscale.com/tsweb+
        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
        tailscale.com/types/ipproto                                  from tailscale.com/tailcfg
@@ -195,7 +194,7 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        hash/maphash                                                 from go4.org/mem
        html                                                         from net/http/pprof+
        internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from internal/runtime/maps+
+        internal/asan                                                from syscall+
        internal/bisect                                              from internal/godebug
        internal/bytealg                                             from bytes+
        internal/byteorder                                           from crypto/cipher+
@@ -205,12 +204,12 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        internal/filepathlite                                        from os+
        internal/fmtsort                                             from fmt
        internal/goarch                                              from crypto/internal/fips140deps/cpu+
-        internal/godebug                                             from crypto/internal/fips140deps/godebug+
+        internal/godebug                                             from crypto/tls+
        internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from hash/maphash+
+        internal/goexperiment                                        from runtime+
        internal/goos                                                from crypto/x509+
        internal/itoa                                                from internal/poll+
-        internal/msan                                                from internal/runtime/maps+
+        internal/msan                                                from syscall+
        internal/nettrace                                            from net+
        internal/oserror                                             from io/fs+
        internal/poll                                                from net+
--- a/cmd/stund/stund.go
+++ b/cmd/stund/stund.go
@@ -15,9 +15,6 @@ import (

 	"tailscale.com/net/stunserver"
 	"tailscale.com/tsweb"
-
-	// Support for prometheus varz in tsweb
-	_ "tailscale.com/tsweb/promvarz"
 )

 var (
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -136,17 +136,6 @@ func debugCmd() *ffcli.Command {
 				Exec:       runLocalCreds,
 				ShortHelp:  "Print how to access Tailscale LocalAPI",
 			},
-			{
-				Name:       "localapi",
-				ShortUsage: "tailscale debug localapi [<method>] <path> [<body| \"-\">]",
-				Exec:       runLocalAPI,
-				ShortHelp:  "Call a LocalAPI method directly",
-				FlagSet: (func() *flag.FlagSet {
-					fs := newFlagSet("localapi")
-					fs.BoolVar(&localAPIFlags.verbose, "v", false, "verbose; dump HTTP headers")
-					return fs
-				})(),
-			},
 			{
 				Name:       "restun",
 				ShortUsage: "tailscale debug restun",
@@ -462,81 +451,6 @@ func runLocalCreds(ctx context.Context, args []string) error {
 	return nil
 }

-func looksLikeHTTPMethod(s string) bool {
-	if len(s) > len("OPTIONS") {
-		return false
-	}
-	for _, r := range s {
-		if r < 'A' || r > 'Z' {
-			return false
-		}
-	}
-	return true
-}
-
-var localAPIFlags struct {
-	verbose bool
-}
-
-func runLocalAPI(ctx context.Context, args []string) error {
-	if len(args) == 0 {
-		return errors.New("expected at least one argument")
-	}
-	method := "GET"
-	if looksLikeHTTPMethod(args[0]) {
-		method = args[0]
-		args = args[1:]
-		if len(args) == 0 {
-			return errors.New("expected at least one argument after method")
-		}
-	}
-	path := args[0]
-	if !strings.HasPrefix(path, "/localapi/") {
-		if !strings.Contains(path, "/") {
-			path = "/localapi/v0/" + path
-		} else {
-			path = "/localapi/" + path
-		}
-	}
-
-	var body io.Reader
-	if len(args) > 1 {
-		if args[1] == "-" {
-			fmt.Fprintf(Stderr, "# reading request body from stdin...\n")
-			all, err := io.ReadAll(os.Stdin)
-			if err != nil {
-				return fmt.Errorf("reading Stdin: %q", err)
-			}
-			body = bytes.NewReader(all)
-		} else {
-			body = strings.NewReader(args[1])
-		}
-	}
-	req, err := http.NewRequest(method, "http://local-tailscaled.sock"+path, body)
-	if err != nil {
-		return err
-	}
-	fmt.Fprintf(Stderr, "# doing request %s %s\n", method, path)
-
-	res, err := localClient.DoLocalRequest(req)
-	if err != nil {
-		return err
-	}
-	is2xx := res.StatusCode >= 200 && res.StatusCode <= 299
-	if localAPIFlags.verbose {
-		res.Write(Stdout)
-	} else {
-		if !is2xx {
-			fmt.Fprintf(Stderr, "# Response status %s\n", res.Status)
-		}
-		io.Copy(Stdout, res.Body)
-	}
-	if is2xx {
-		return nil
-	}
-	return errors.New(res.Status)
-}
-
 type localClientRoundTripper struct{}

 func (localClientRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -333,7 +333,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        image/color                                                  from github.com/skip2/go-qrcode+
        image/png                                                    from github.com/skip2/go-qrcode
        internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from internal/runtime/maps+
+        internal/asan                                                from syscall+
        internal/bisect                                              from internal/godebug
        internal/bytealg                                             from bytes+
        internal/byteorder                                           from crypto/cipher+
@@ -345,10 +345,10 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        internal/goarch                                              from crypto/internal/fips140deps/cpu+
        internal/godebug                                             from archive/tar+
        internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from hash/maphash+
+        internal/goexperiment                                        from runtime+
        internal/goos                                                from crypto/x509+
        internal/itoa                                                from internal/poll+
-        internal/msan                                                from internal/runtime/maps+
+        internal/msan                                                from syscall+
        internal/nettrace                                            from net+
        internal/oserror                                             from io/fs+
        internal/poll                                                from net+
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -286,7 +286,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/ipn/store/mem                                  from tailscale.com/ipn/ipnlocal+
   L    tailscale.com/kube/kubeapi                                   from tailscale.com/ipn/store/kubestore+
   L    tailscale.com/kube/kubeclient                                from tailscale.com/ipn/store/kubestore
-        tailscale.com/kube/kubetypes                                 from tailscale.com/envknob+
+        tailscale.com/kube/kubetypes                                 from tailscale.com/envknob
        tailscale.com/licenses                                       from tailscale.com/client/web
        tailscale.com/log/filelogger                                 from tailscale.com/logpolicy
        tailscale.com/log/sockstatlog                                from tailscale.com/ipn/ipnlocal
@@ -589,7 +589,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        html                                                         from html/template+
        html/template                                                from github.com/gorilla/csrf
        internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from internal/runtime/maps+
+        internal/asan                                                from syscall+
        internal/bisect                                              from internal/godebug
        internal/bytealg                                             from bytes+
        internal/byteorder                                           from crypto/cipher+
@@ -601,10 +601,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        internal/goarch                                              from crypto/internal/fips140deps/cpu+
        internal/godebug                                             from archive/tar+
        internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from hash/maphash+
+        internal/goexperiment                                        from runtime+
        internal/goos                                                from crypto/x509+
        internal/itoa                                                from internal/poll+
-        internal/msan                                                from internal/runtime/maps+
+        internal/msan                                                from syscall+
        internal/nettrace                                            from net+
        internal/oserror                                             from io/fs+
        internal/poll                                                from net+
--- a/cmd/xdpderper/xdpderper.go
+++ b/cmd/xdpderper/xdpderper.go
@@ -18,9 +18,6 @@ import (
 	"tailscale.com/derp/xdp"
 	"tailscale.com/net/netutil"
 	"tailscale.com/tsweb"
-
-	// Support for prometheus varz in tsweb
-	_ "tailscale.com/tsweb/promvarz"
 )

 var (
--- a/control/controlhttp/client.go
+++ b/control/controlhttp/client.go
@@ -96,9 +96,6 @@ func (a *Dialer) httpsFallbackDelay() time.Duration {
 var _ = envknob.RegisterBool("TS_USE_CONTROL_DIAL_PLAN") // to record at init time whether it's in use

 func (a *Dialer) dial(ctx context.Context) (*ClientConn, error) {
-
-	a.logPort80Failure.Store(true)
-
 	// If we don't have a dial plan, just fall back to dialing the single
 	// host we know about.
 	useDialPlan := envknob.BoolDefaultTrue("TS_USE_CONTROL_DIAL_PLAN")
@@ -281,9 +278,7 @@ func (d *Dialer) forceNoise443() bool {
 		// This heuristic works around networks where port 80 is MITMed and
 		// appears to work for a bit post-Upgrade but then gets closed,
 		// such as seen in https://github.com/tailscale/tailscale/issues/13597.
-		if d.logPort80Failure.CompareAndSwap(true, false) {
-			d.logf("controlhttp: forcing port 443 dial due to recent noise dial")
-		}
+		d.logf("controlhttp: forcing port 443 dial due to recent noise dial")
 		return true
 	}

--- a/control/controlhttp/constants.go
+++ b/control/controlhttp/constants.go
@@ -6,7 +6,6 @@ package controlhttp
 import (
 	"net/http"
 	"net/url"
-	"sync/atomic"
 	"time"

 	"tailscale.com/health"
@@ -91,11 +90,6 @@ type Dialer struct {

 	proxyFunc func(*http.Request) (*url.URL, error) // or nil

-	// logPort80Failure is whether we should log about port 80 interceptions
-	// and forcing a port 443 dial. We do this only once per "dial" method
-	// which can result in many concurrent racing dialHost calls.
-	logPort80Failure atomic.Bool
-
 	// For tests only
 	drainFinished        chan struct{}
 	omitCertErrorLogging bool
--- a/envknob/envknob.go
+++ b/envknob/envknob.go
@@ -429,16 +429,10 @@ func App() string {
 // is a shared cert available.
 func IsCertShareReadOnlyMode() bool {
 	m := String("TS_CERT_SHARE_MODE")
-	return m == "ro"
+	return m == modeRO
 }

-// IsCertShareReadWriteMode returns true if this instance is the replica
-// responsible for issuing and renewing TLS certs in an HA setup with certs
-// shared between multiple replicas.
-func IsCertShareReadWriteMode() bool {
-	m := String("TS_CERT_SHARE_MODE")
-	return m == "rw"
-}
+const modeRO = "ro"

 // CrashOnUnexpected reports whether the Tailscale client should panic
 // on unexpected conditions. If TS_DEBUG_CRASH_ON_UNEXPECTED is set, that's
--- a/flake.nix
+++ b/flake.nix
@@ -130,4 +130,4 @@
  in
    flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system);
 }
-# nix-direnv cache busting line: sha256-xO1DuLWi6/lpA9ubA2ZYVJM+CkVNA5IaVGZxX9my0j0=
+# nix-direnv cache busting line: sha256-SiUkN6BQK1IQmLfkfPetzvYqRu9ENK6+6txtGxegF5Y=
--- a/go.mod.sri
+++ b/go.mod.sri
@@ -1 +1 @@
-sha256-xO1DuLWi6/lpA9ubA2ZYVJM+CkVNA5IaVGZxX9my0j0=
+sha256-SiUkN6BQK1IQmLfkfPetzvYqRu9ENK6+6txtGxegF5Y=
--- a/internal/client/tailscale/vip_service.go
+++ b/internal/client/tailscale/vip_service.go
@@ -27,8 +27,6 @@ type VIPService struct {
 	Addrs []string `json:"addrs,omitempty"`
 	// Comment is an optional text string for display in the admin panel.
 	Comment string `json:"comment,omitempty"`
-	// Annotations are optional key-value pairs that can be used to store arbitrary metadata.
-	Annotations map[string]string `json:"annotations,omitempty"`
 	// Ports are the ports of a VIPService that will be configured via Tailscale serve config.
 	// If set, any node wishing to advertise this VIPService must have this port configured via Tailscale serve.
 	Ports []string `json:"ports,omitempty"`
--- a/ipn/conf.go
+++ b/ipn/conf.go
@@ -145,15 +145,9 @@ func (c *ConfigVAlpha) ToPrefs() (MaskedPrefs, error) {
 		mp.AppConnector = *c.AppConnector
 		mp.AppConnectorSet = true
 	}
-	// Configfile should be the source of truth for whether this node
-	// advertises any services.  We need to ensure that each reload updates
-	// currently advertised services as else the transition from 'some
-	// services are advertised' to 'advertised services are empty/unset in
-	// conffile' would have no effect (especially given that an empty
-	// service slice would be omitted from the JSON config).
-	mp.AdvertiseServicesSet = true
 	if c.AdvertiseServices != nil {
 		mp.AdvertiseServices = c.AdvertiseServices
+		mp.AdvertiseServicesSet = true
 	}
 	return mp, nil
 }
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -958,9 +958,7 @@ func (b *LocalBackend) linkChange(delta *netmon.ChangeDelta) {

 	if peerAPIListenAsync && b.netMap != nil && b.state == ipn.Running {
 		want := b.netMap.GetAddresses().Len()
-		have := len(b.peerAPIListeners)
-		b.logf("[v1] linkChange: have %d peerAPIListeners, want %d", have, want)
-		if have < want {
+		if len(b.peerAPIListeners) < want {
 			b.logf("linkChange: peerAPIListeners too low; trying again")
 			b.goTracker.Go(b.initPeerAPIListener)
 		}
@@ -2382,10 +2380,12 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 	}
 	b.applyPrefsToHostinfoLocked(hostinfo, prefs)

+	b.setNetMapLocked(nil)
 	persistv := prefs.Persist().AsStruct()
 	if persistv == nil {
 		persistv = new(persist.Persist)
 	}
+	b.updateFilterLocked(nil, ipn.PrefsView{})

 	if b.portpoll != nil {
 		b.portpollOnce.Do(func() {
@@ -2404,9 +2404,11 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 	}

 	var auditLogShutdown func()
+	// Audit logging is only available if the client has set up a proper persistent
+	// store for the logs in sys.
 	store, ok := b.sys.AuditLogStore.GetOK()
 	if !ok {
-		// Use memory store by default if no explicit store is provided.
+		b.logf("auditlog: [unexpected] no persistent audit log storage configured.  using memory store.")
 		store = auditlog.NewLogStore(&memstore.Store{})
 	}

@@ -3479,20 +3481,18 @@ func (b *LocalBackend) onTailnetDefaultAutoUpdate(au bool) {
 		// can still manually enable auto-updates on this node.
 		return
 	}
-	if clientupdate.CanAutoUpdate() {
-		b.logf("using tailnet default auto-update setting: %v", au)
-		prefsClone := prefs.AsStruct()
-		prefsClone.AutoUpdate.Apply = opt.NewBool(au)
-		_, err := b.editPrefsLockedOnEntry(&ipn.MaskedPrefs{
-			Prefs: *prefsClone,
-			AutoUpdateSet: ipn.AutoUpdatePrefsMask{
-				ApplySet: true,
-			},
-		}, unlock)
-		if err != nil {
-			b.logf("failed to apply tailnet-wide default for auto-updates (%v): %v", au, err)
-			return
-		}
+	b.logf("using tailnet default auto-update setting: %v", au)
+	prefsClone := prefs.AsStruct()
+	prefsClone.AutoUpdate.Apply = opt.NewBool(au)
+	_, err := b.editPrefsLockedOnEntry(&ipn.MaskedPrefs{
+		Prefs: *prefsClone,
+		AutoUpdateSet: ipn.AutoUpdatePrefsMask{
+			ApplySet: true,
+		},
+	}, unlock)
+	if err != nil {
+		b.logf("failed to apply tailnet-wide default for auto-updates (%v): %v", au, err)
+		return
 	}
 }

@@ -4968,7 +4968,7 @@ func (b *LocalBackend) authReconfig() {
 		return
 	}

-	oneCGNATRoute := shouldUseOneCGNATRoute(b.logf, b.sys.NetMon.Get(), b.sys.ControlKnobs(), version.OS())
+	oneCGNATRoute := shouldUseOneCGNATRoute(b.logf, b.sys.ControlKnobs(), version.OS())
 	rcfg := b.routerConfig(cfg, prefs, oneCGNATRoute)

 	err = b.e.Reconfig(cfg, rcfg, dcfg)
@@ -4992,7 +4992,7 @@ func (b *LocalBackend) authReconfig() {
 //
 // The versionOS is a Tailscale-style version ("iOS", "macOS") and not
 // a runtime.GOOS.
-func shouldUseOneCGNATRoute(logf logger.Logf, mon *netmon.Monitor, controlKnobs *controlknobs.Knobs, versionOS string) bool {
+func shouldUseOneCGNATRoute(logf logger.Logf, controlKnobs *controlknobs.Knobs, versionOS string) bool {
 	if controlKnobs != nil {
 		// Explicit enabling or disabling always take precedence.
 		if v, ok := controlKnobs.OneCGNAT.Load().Get(); ok {
@@ -5007,7 +5007,7 @@ func shouldUseOneCGNATRoute(logf logger.Logf, mon *netmon.Monitor, controlKnobs
 	// use fine-grained routes if another interfaces is also using the CGNAT
 	// IP range.
 	if versionOS == "macOS" {
-		hasCGNATInterface, err := mon.HasCGNATInterface()
+		hasCGNATInterface, err := netmon.HasCGNATInterface()
 		if err != nil {
 			logf("shouldUseOneCGNATRoute: Could not determine if any interfaces use CGNAT: %v", err)
 			return false
@@ -5369,7 +5369,6 @@ func (b *LocalBackend) initPeerAPIListener() {
 			ln, err = ps.listen(a.Addr(), b.prevIfState)
 			if err != nil {
 				if peerAPIListenAsync {
-					b.logf("possibly transient peerapi listen(%q) error, will try again on linkChange: %v", a.Addr(), err)
 					// Expected. But we fix it later in linkChange
 					// ("peerAPIListeners too low").
 					continue
@@ -5921,9 +5920,6 @@ func (b *LocalBackend) requestEngineStatusAndWait() {
 	b.logf("requestEngineStatusAndWait: got status update.")
 }

-// [controlclient.Auto] implements [auditlog.Transport].
-var _ auditlog.Transport = (*controlclient.Auto)(nil)
-
 // setControlClientLocked sets the control client to cc,
 // which may be nil.
 //
@@ -5931,12 +5927,12 @@ var _ auditlog.Transport = (*controlclient.Auto)(nil)
 func (b *LocalBackend) setControlClientLocked(cc controlclient.Client) {
 	b.cc = cc
 	b.ccAuto, _ = cc.(*controlclient.Auto)
-	if t, ok := b.cc.(auditlog.Transport); ok && b.auditLogger != nil {
+	if b.auditLogger != nil {
 		if err := b.auditLogger.SetProfileID(b.pm.CurrentProfile().ID()); err != nil {
 			b.logf("audit logger set profile ID failure: %v", err)
 		}

-		if err := b.auditLogger.Start(t); err != nil {
+		if err := b.auditLogger.Start(b.ccAuto); err != nil {
 			b.logf("audit logger start failure: %v", err)
 		}
 	}
@@ -7535,7 +7531,6 @@ func (b *LocalBackend) resetForProfileChangeLockedOnEntry(unlock unlockOnce) err
 		return nil
 	}
 	b.setNetMapLocked(nil) // Reset netmap.
-	b.updateFilterLocked(nil, ipn.PrefsView{})
 	// Reset the NetworkMap in the engine
 	b.e.SetNetworkMap(new(netmap.NetworkMap))
 	if prevCC := b.resetControlClientLocked(); prevCC != nil {
--- a/ipn/ipnlocal/local_test.go
+++ b/ipn/ipnlocal/local_test.go
@@ -44,7 +44,6 @@ import (
 	"tailscale.com/tsd"
 	"tailscale.com/tstest"
 	"tailscale.com/types/dnstype"
-	"tailscale.com/types/ipproto"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/logid"
@@ -61,7 +60,6 @@ import (
 	"tailscale.com/util/syspolicy/source"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/filter"
-	"tailscale.com/wgengine/filter/filtertype"
 	"tailscale.com/wgengine/wgcfg"
 )

@@ -1510,15 +1508,6 @@ func TestReconfigureAppConnector(t *testing.T) {
 func TestBackfillAppConnectorRoutes(t *testing.T) {
 	// Create backend with an empty app connector.
 	b := newTestBackend(t)
-	// newTestBackend creates a backend with a non-nil netmap,
-	// but this test requires a nil netmap.
-	// Otherwise, instead of backfilling, [LocalBackend.reconfigAppConnectorLocked]
-	// uses the domains and routes from netmap's [appctype.AppConnectorAttr].
-	// Additionally, a non-nil netmap makes reconfigAppConnectorLocked
-	// asynchronous, resulting in a flaky test.
-	// Therefore, we set the netmap to nil to simulate a fresh backend start
-	// or a profile switch where the netmap is not yet available.
-	b.setNetMapLocked(nil)
 	if err := b.Start(ipn.Options{}); err != nil {
 		t.Fatal(err)
 	}
@@ -4754,133 +4743,32 @@ func TestLoginNotifications(t *testing.T) {
 // TestConfigFileReload tests that the LocalBackend reloads its configuration
 // when the configuration file changes.
 func TestConfigFileReload(t *testing.T) {
-	type testCase struct {
-		name    string
-		initial *conffile.Config
-		updated *conffile.Config
-		checkFn func(*testing.T, *LocalBackend)
+	cfg1 := `{"Hostname": "foo", "Version": "alpha0"}`
+	f := filepath.Join(t.TempDir(), "cfg")
+	must.Do(os.WriteFile(f, []byte(cfg1), 0600))
+	sys := new(tsd.System)
+	sys.InitialConfig = must.Get(conffile.Load(f))
+	lb := newTestLocalBackendWithSys(t, sys)
+	must.Do(lb.Start(ipn.Options{}))
+
+	lb.mu.Lock()
+	hn := lb.hostinfo.Hostname
+	lb.mu.Unlock()
+	if hn != "foo" {
+		t.Fatalf("got %q; want %q", hn, "foo")
 	}

-	tests := []testCase{
-		{
-			name: "hostname_change",
-			initial: &conffile.Config{
-				Parsed: ipn.ConfigVAlpha{
-					Version:  "alpha0",
-					Hostname: ptr.To("initial-host"),
-				},
-			},
-			updated: &conffile.Config{
-				Parsed: ipn.ConfigVAlpha{
-					Version:  "alpha0",
-					Hostname: ptr.To("updated-host"),
-				},
-			},
-			checkFn: func(t *testing.T, b *LocalBackend) {
-				if got := b.Prefs().Hostname(); got != "updated-host" {
-					t.Errorf("hostname = %q; want updated-host", got)
-				}
-			},
-		},
-		{
-			name: "start_advertising_services",
-			initial: &conffile.Config{
-				Parsed: ipn.ConfigVAlpha{
-					Version: "alpha0",
-				},
-			},
-			updated: &conffile.Config{
-				Parsed: ipn.ConfigVAlpha{
-					Version:           "alpha0",
-					AdvertiseServices: []string{"svc:abc", "svc:def"},
-				},
-			},
-			checkFn: func(t *testing.T, b *LocalBackend) {
-				if got := b.Prefs().AdvertiseServices().AsSlice(); !reflect.DeepEqual(got, []string{"svc:abc", "svc:def"}) {
-					t.Errorf("AdvertiseServices = %v; want [svc:abc, svc:def]", got)
-				}
-			},
-		},
-		{
-			name: "change_advertised_services",
-			initial: &conffile.Config{
-				Parsed: ipn.ConfigVAlpha{
-					Version:           "alpha0",
-					AdvertiseServices: []string{"svc:abc", "svc:def"},
-				},
-			},
-			updated: &conffile.Config{
-				Parsed: ipn.ConfigVAlpha{
-					Version:           "alpha0",
-					AdvertiseServices: []string{"svc:abc", "svc:ghi"},
-				},
-			},
-			checkFn: func(t *testing.T, b *LocalBackend) {
-				if got := b.Prefs().AdvertiseServices().AsSlice(); !reflect.DeepEqual(got, []string{"svc:abc", "svc:ghi"}) {
-					t.Errorf("AdvertiseServices = %v; want [svc:abc, svc:ghi]", got)
-				}
-			},
-		},
-		{
-			name: "unset_advertised_services",
-			initial: &conffile.Config{
-				Parsed: ipn.ConfigVAlpha{
-					Version:           "alpha0",
-					AdvertiseServices: []string{"svc:abc"},
-				},
-			},
-			updated: &conffile.Config{
-				Parsed: ipn.ConfigVAlpha{
-					Version: "alpha0",
-				},
-			},
-			checkFn: func(t *testing.T, b *LocalBackend) {
-				if b.Prefs().AdvertiseServices().Len() != 0 {
-					t.Errorf("got %d AdvertiseServices wants none", b.Prefs().AdvertiseServices().Len())
-				}
-			},
-		},
+	cfg2 := `{"Hostname": "bar", "Version": "alpha0"}`
+	must.Do(os.WriteFile(f, []byte(cfg2), 0600))
+	if !must.Get(lb.ReloadConfig()) {
+		t.Fatal("reload failed")
 	}

-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			dir := t.TempDir()
-			path := filepath.Join(dir, "tailscale.conf")
-
-			// Write initial config
-			initialJSON, err := json.Marshal(tc.initial.Parsed)
-			if err != nil {
-				t.Fatal(err)
-			}
-			if err := os.WriteFile(path, initialJSON, 0644); err != nil {
-				t.Fatal(err)
-			}
-
-			// Create backend with initial config
-			tc.initial.Path = path
-			tc.initial.Raw = initialJSON
-			sys := &tsd.System{
-				InitialConfig: tc.initial,
-			}
-			b := newTestLocalBackendWithSys(t, sys)
-
-			// Update config file
-			updatedJSON, err := json.Marshal(tc.updated.Parsed)
-			if err != nil {
-				t.Fatal(err)
-			}
-			if err := os.WriteFile(path, updatedJSON, 0644); err != nil {
-				t.Fatal(err)
-			}
-
-			// Trigger reload
-			if ok, err := b.ReloadConfig(); !ok || err != nil {
-				t.Fatalf("ReloadConfig() = %v, %v; want true, nil", ok, err)
-			}
-
-			// Check outcome
-			tc.checkFn(t, b)
-		})
+	lb.mu.Lock()
+	hn = lb.hostinfo.Hostname
+	lb.mu.Unlock()
+	if hn != "bar" {
+		t.Fatalf("got %q; want %q", hn, "bar")
 	}
 }

@@ -5318,60 +5206,3 @@ func TestUpdateIngressLocked(t *testing.T) {
 		})
 	}
 }
-
-// TestSrcCapPacketFilter tests that LocalBackend handles packet filters with
-// SrcCaps instead of Srcs (IPs)
-func TestSrcCapPacketFilter(t *testing.T) {
-	lb := newLocalBackendWithTestControl(t, false, func(tb testing.TB, opts controlclient.Options) controlclient.Client {
-		return newClient(tb, opts)
-	})
-	if err := lb.Start(ipn.Options{}); err != nil {
-		t.Fatalf("(*LocalBackend).Start(): %v", err)
-	}
-
-	var k key.NodePublic
-	must.Do(k.UnmarshalText([]byte("nodekey:5c8f86d5fc70d924e55f02446165a5dae8f822994ad26bcf4b08fd841f9bf261")))
-
-	controlClient := lb.cc.(*mockControl)
-	controlClient.send(nil, "", false, &netmap.NetworkMap{
-		SelfNode: (&tailcfg.Node{
-			Addresses: []netip.Prefix{netip.MustParsePrefix("1.1.1.1/32")},
-		}).View(),
-		Peers: []tailcfg.NodeView{
-			(&tailcfg.Node{
-				Addresses: []netip.Prefix{netip.MustParsePrefix("2.2.2.2/32")},
-				ID:        2,
-				Key:       k,
-				CapMap:    tailcfg.NodeCapMap{"cap-X": nil}, // node 2 has cap
-			}).View(),
-			(&tailcfg.Node{
-				Addresses: []netip.Prefix{netip.MustParsePrefix("3.3.3.3/32")},
-				ID:        3,
-				Key:       k,
-				CapMap:    tailcfg.NodeCapMap{}, // node 3 does not have the cap
-			}).View(),
-		},
-		PacketFilter: []filtertype.Match{{
-			IPProto: views.SliceOf([]ipproto.Proto{ipproto.TCP}),
-			SrcCaps: []tailcfg.NodeCapability{"cap-X"}, // cap in packet filter rule
-			Dsts: []filtertype.NetPortRange{{
-				Net: netip.MustParsePrefix("1.1.1.1/32"),
-				Ports: filtertype.PortRange{
-					First: 22,
-					Last:  22,
-				},
-			}},
-		}},
-	})
-
-	f := lb.GetFilterForTest()
-	res := f.Check(netip.MustParseAddr("2.2.2.2"), netip.MustParseAddr("1.1.1.1"), 22, ipproto.TCP)
-	if res != filter.Accept {
-		t.Errorf("Check(2.2.2.2, ...) = %s, want %s", res, filter.Accept)
-	}
-
-	res = f.Check(netip.MustParseAddr("3.3.3.3"), netip.MustParseAddr("1.1.1.1"), 22, ipproto.TCP)
-	if !res.IsDrop() {
-		t.Error("IsDrop() for node without cap = false, want true")
-	}
-}
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -481,7 +481,7 @@ func (h *peerAPIHandler) handleServeInterfaces(w http.ResponseWriter, r *http.Re
 		fmt.Fprintf(w, "<h3>Could not get the default route: %s</h3>\n", html.EscapeString(err.Error()))
 	}

-	if hasCGNATInterface, err := h.ps.b.sys.NetMon.Get().HasCGNATInterface(); hasCGNATInterface {
+	if hasCGNATInterface, err := netmon.HasCGNATInterface(); hasCGNATInterface {
 		fmt.Fprintln(w, "<p>There is another interface using the CGNAT range.</p>")
 	} else if err != nil {
 		fmt.Fprintf(w, "<p>Could not check for CGNAT interfaces: %s</p>\n", html.EscapeString(err.Error()))
--- a/ipn/ipnlocal/state_test.go
+++ b/ipn/ipnlocal/state_test.go
@@ -735,10 +735,12 @@ func TestStateMachine(t *testing.T) {
 		// b.Shutdown() explicitly ourselves.
 		previousCC.assertShutdown(false)

+		// Note: unpause happens because ipn needs to get at least one netmap
+		//  on startup, otherwise UIs can't show the node list, login
+		//  name, etc when in state ipn.Stopped.
+		//  Arguably they shouldn't try. But they currently do.
 		nn := notifies.drain(2)
-		// We already have a netmap for this node,
-		// and WantRunning is false, so cc should be paused.
-		cc.assertCalls("New", "Login", "pause")
+		cc.assertCalls("New", "Login")
 		c.Assert(nn[0].Prefs, qt.IsNotNil)
 		c.Assert(nn[1].State, qt.IsNotNil)
 		c.Assert(nn[0].Prefs.WantRunning(), qt.IsFalse)
@@ -749,11 +751,7 @@ func TestStateMachine(t *testing.T) {
 	// When logged in but !WantRunning, ipn leaves us unpaused to retrieve
 	// the first netmap. Simulate that netmap being received, after which
 	// it should pause us, to avoid wasting CPU retrieving unnecessarily
-	// additional netmap updates. Since our LocalBackend instance already
-	// has a netmap, we will reset it to nil to simulate the first netmap
-	// retrieval.
-	b.setNetMapLocked(nil)
-	cc.assertCalls("unpause")
+	// additional netmap updates.
 	//
 	// TODO: really the various GUIs and prefs should be refactored to
 	//  not require the netmap structure at all when starting while
@@ -855,7 +853,7 @@ func TestStateMachine(t *testing.T) {
 	// The last test case is the most common one: restarting when both
 	// logged in and WantRunning.
 	t.Logf("\n\nStart5")
-	notifies.expect(2)
+	notifies.expect(1)
 	c.Assert(b.Start(ipn.Options{}), qt.IsNil)
 	{
 		// NOTE: cc.Shutdown() is correct here, since we didn't call
@@ -863,32 +861,30 @@ func TestStateMachine(t *testing.T) {
 		previousCC.assertShutdown(false)
 		cc.assertCalls("New", "Login")

-		nn := notifies.drain(2)
+		nn := notifies.drain(1)
 		cc.assertCalls()
 		c.Assert(nn[0].Prefs, qt.IsNotNil)
 		c.Assert(nn[0].Prefs.LoggedOut(), qt.IsFalse)
 		c.Assert(nn[0].Prefs.WantRunning(), qt.IsTrue)
-		// We're logged in and have a valid netmap, so we should
-		// be in the Starting state.
-		c.Assert(nn[1].State, qt.IsNotNil)
-		c.Assert(*nn[1].State, qt.Equals, ipn.Starting)
-		c.Assert(b.State(), qt.Equals, ipn.Starting)
+		c.Assert(b.State(), qt.Equals, ipn.NoState)
 	}

 	// Control server accepts our valid key from before.
 	t.Logf("\n\nLoginFinished5")
-	notifies.expect(0)
+	notifies.expect(1)
 	cc.send(nil, "", true, &netmap.NetworkMap{
 		SelfNode: (&tailcfg.Node{MachineAuthorized: true}).View(),
 	})
 	{
-		notifies.drain(0)
+		nn := notifies.drain(1)
 		cc.assertCalls()
 		// NOTE: No LoginFinished message since no interactive
 		// login was needed.
+		c.Assert(nn[0].State, qt.IsNotNil)
+		c.Assert(ipn.Starting, qt.Equals, *nn[0].State)
 		// NOTE: No prefs change this time. WantRunning stays true.
 		// We were in Starting in the first place, so that doesn't
-		// change either, so we don't expect any notifications.
+		// change either.
 		c.Assert(ipn.Starting, qt.Equals, b.State())
 	}
 	t.Logf("\n\nExpireKey")
--- a/ipn/store/kubestore/store_kube.go
+++ b/ipn/store/kubestore/store_kube.go
@@ -13,14 +13,11 @@ import (
 	"strings"
 	"time"

-	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/mem"
 	"tailscale.com/kube/kubeapi"
 	"tailscale.com/kube/kubeclient"
-	"tailscale.com/kube/kubetypes"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/dnsname"
 	"tailscale.com/util/mak"
 )

@@ -35,37 +32,21 @@ const (
 	reasonTailscaleStateLoadFailed   = "TailscaleStateLoadFailed"
 	eventTypeWarning                 = "Warning"
 	eventTypeNormal                  = "Normal"
-
-	keyTLSCert = "tls.crt"
-	keyTLSKey  = "tls.key"
 )

 // Store is an ipn.StateStore that uses a Kubernetes Secret for persistence.
 type Store struct {
-	client        kubeclient.Client
-	canPatch      bool
-	secretName    string // state Secret
-	certShareMode string // 'ro', 'rw', or empty
-	podName       string
+	client     kubeclient.Client
+	canPatch   bool
+	secretName string

-	// memory holds the latest tailscale state. Writes write state to a kube
-	// Secret and memory, Reads read from memory.
+	// memory holds the latest tailscale state. Writes write state to a kube Secret and memory, Reads read from
+	// memory.
 	memory mem.Store
 }

-// New returns a new Store that persists state to Kubernets Secret(s).
-// Tailscale state is stored in a Secret named by the secretName parameter.
-// TLS certs are stored and retrieved from state Secret or separate Secrets
-// named after TLS endpoints if running in cert share mode.
-func New(logf logger.Logf, secretName string) (*Store, error) {
-	c, err := newClient()
-	if err != nil {
-		return nil, err
-	}
-	return newWithClient(logf, c, secretName)
-}
-
-func newClient() (kubeclient.Client, error) {
+// New returns a new Store that persists to the named Secret.
+func New(_ logger.Logf, secretName string) (*Store, error) {
 	c, err := kubeclient.New("tailscale-state-store")
 	if err != nil {
 		return nil, err
@@ -74,10 +55,6 @@ func newClient() (kubeclient.Client, error) {
 		// Derive the API server address from the environment variables
 		c.SetURL(fmt.Sprintf("https://%s:%s", os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")))
 	}
-	return c, nil
-}
-
-func newWithClient(logf logger.Logf, c kubeclient.Client, secretName string) (*Store, error) {
 	canPatch, _, err := c.CheckSecretPermissions(context.Background(), secretName)
 	if err != nil {
 		return nil, err
@@ -86,30 +63,11 @@ func newWithClient(logf logger.Logf, c kubeclient.Client, secretName string) (*S
 		client:     c,
 		canPatch:   canPatch,
 		secretName: secretName,
-		podName:    os.Getenv("POD_NAME"),
 	}
-	if envknob.IsCertShareReadWriteMode() {
-		s.certShareMode = "rw"
-	} else if envknob.IsCertShareReadOnlyMode() {
-		s.certShareMode = "ro"
-	}
-
 	// Load latest state from kube Secret if it already exists.
 	if err := s.loadState(); err != nil && err != ipn.ErrStateNotExist {
 		return nil, fmt.Errorf("error loading state from kube Secret: %w", err)
 	}
-	// If we are in cert share mode, pre-load existing shared certs.
-	if s.certShareMode == "rw" || s.certShareMode == "ro" {
-		sel := s.certSecretSelector()
-		if err := s.loadCerts(context.Background(), sel); err != nil {
-			// We will attempt to again retrieve the certs from Secrets when a request for an HTTPS endpoint
-			// is received.
-			log.Printf("[unexpected] error loading TLS certs: %v", err)
-		}
-	}
-	if s.certShareMode == "ro" {
-		go s.runCertReload(context.Background(), logf)
-	}
 	return s, nil
 }

@@ -126,110 +84,27 @@ func (s *Store) ReadState(id ipn.StateKey) ([]byte, error) {

 // WriteState implements the StateStore interface.
 func (s *Store) WriteState(id ipn.StateKey, bs []byte) (err error) {
-	defer func() {
-		if err == nil {
-			s.memory.WriteState(ipn.StateKey(sanitizeKey(id)), bs)
-		}
-	}()
-	return s.updateSecret(map[string][]byte{string(id): bs}, s.secretName)
+	return s.updateStateSecret(map[string][]byte{string(id): bs})
 }

-// WriteTLSCertAndKey writes a TLS cert and key to domain.crt, domain.key fields
-// of a Tailscale Kubernetes node's state Secret.
-func (s *Store) WriteTLSCertAndKey(domain string, cert, key []byte) (err error) {
-	if s.certShareMode == "ro" {
-		log.Printf("[unexpected] TLS cert and key write in read-only mode")
-	}
-	if err := dnsname.ValidHostname(domain); err != nil {
-		return fmt.Errorf("invalid domain name %q: %w", domain, err)
-	}
-	secretName := s.secretName
-	data := map[string][]byte{
-		domain + ".crt": cert,
-		domain + ".key": key,
-	}
-	// If we run in cert share mode, cert and key for a DNS name are written
-	// to a separate Secret.
-	if s.certShareMode == "rw" {
-		secretName = domain
-		data = map[string][]byte{
-			keyTLSCert: cert,
-			keyTLSKey:  key,
-		}
-	}
-	if err := s.updateSecret(data, secretName); err != nil {
-		return fmt.Errorf("error writing TLS cert and key to Secret: %w", err)
-	}
-	// TODO(irbekrm): certs for write replicas are currently not
-	// written to memory to avoid out of sync memory state after
-	// Ingress resources have been recreated.  This means that TLS
-	// certs for write replicas are retrieved from the Secret on
-	// each HTTPS request.  This is a temporary solution till we
-	// implement a Secret watch.
-	if s.certShareMode != "rw" {
-		s.memory.WriteState(ipn.StateKey(domain+".crt"), cert)
-		s.memory.WriteState(ipn.StateKey(domain+".key"), key)
-	}
-	return nil
+// WriteTLSCertAndKey writes a TLS cert and key to domain.crt, domain.key fields of a Tailscale Kubernetes node's state
+// Secret.
+func (s *Store) WriteTLSCertAndKey(domain string, cert, key []byte) error {
+	return s.updateStateSecret(map[string][]byte{domain + ".crt": cert, domain + ".key": key})
 }

-// ReadTLSCertAndKey reads a TLS cert and key from memory or from a
-// domain-specific Secret. It first checks the in-memory store, if not found in
-// memory and running cert store in read-only mode, looks up a Secret.
-// Note that write replicas of HA Ingress always retrieve TLS certs from Secrets.
-func (s *Store) ReadTLSCertAndKey(domain string) (cert, key []byte, err error) {
-	if err := dnsname.ValidHostname(domain); err != nil {
-		return nil, nil, fmt.Errorf("invalid domain name %q: %w", domain, err)
-	}
-	certKey := domain + ".crt"
-	keyKey := domain + ".key"
-	cert, err = s.memory.ReadState(ipn.StateKey(certKey))
-	if err == nil {
-		key, err = s.memory.ReadState(ipn.StateKey(keyKey))
-		if err == nil {
-			return cert, key, nil
-		}
-	}
-	if s.certShareMode == "" {
-		return nil, nil, ipn.ErrStateNotExist
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-	secret, err := s.client.GetSecret(ctx, domain)
-	if err != nil {
-		if kubeclient.IsNotFoundErr(err) {
-			// TODO(irbekrm): we should return a more specific error
-			// that wraps ipn.ErrStateNotExist here.
-			return nil, nil, ipn.ErrStateNotExist
-		}
-		return nil, nil, fmt.Errorf("getting TLS Secret %q: %w", domain, err)
-	}
-	cert = secret.Data[keyTLSCert]
-	key = secret.Data[keyTLSKey]
-	if len(cert) == 0 || len(key) == 0 {
-		return nil, nil, ipn.ErrStateNotExist
-	}
-	// TODO(irbekrm): a read between these two separate writes would
-	// get a mismatched cert and key.  Allow writing both cert and
-	// key to the memory store in a single, lock-protected operation.
-	//
-	// TODO(irbekrm): currently certs for write replicas of HA Ingress get
-	// retrieved from the cluster Secret on each HTTPS request to avoid a
-	// situation when after Ingress recreation stale certs are read from
-	// memory.
-	// Fix this by watching Secrets to ensure that memory store gets updated
-	// when Secrets are deleted.
-	if s.certShareMode == "ro" {
-		s.memory.WriteState(ipn.StateKey(certKey), cert)
-		s.memory.WriteState(ipn.StateKey(keyKey), key)
-	}
-	return cert, key, nil
-}
-
-func (s *Store) updateSecret(data map[string][]byte, secretName string) (err error) {
+func (s *Store) updateStateSecret(data map[string][]byte) (err error) {
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer func() {
+		if err == nil {
+			for id, bs := range data {
+				// The in-memory store does not distinguish between values read from state Secret on
+				// init and values written to afterwards. Values read from the state
+				// Secret will always be sanitized, so we also need to sanitize values written to store
+				// later, so that the Read logic can just lookup keys in sanitized form.
+				s.memory.WriteState(ipn.StateKey(sanitizeKey(id)), bs)
+			}
+		}
 		if err != nil {
 			if err := s.client.Event(ctx, eventTypeWarning, reasonTailscaleStateUpdateFailed, err.Error()); err != nil {
 				log.Printf("kubestore: error creating tailscaled state update Event: %v", err)
@@ -241,17 +116,17 @@ func (s *Store) updateSecret(data map[string][]byte, secretName string) (err err
 		}
 		cancel()
 	}()
-	secret, err := s.client.GetSecret(ctx, secretName)
+	secret, err := s.client.GetSecret(ctx, s.secretName)
 	if err != nil {
 		// If the Secret does not exist, create it with the required data.
-		if kubeclient.IsNotFoundErr(err) && s.canCreateSecret(secretName) {
+		if kubeclient.IsNotFoundErr(err) {
 			return s.client.CreateSecret(ctx, &kubeapi.Secret{
 				TypeMeta: kubeapi.TypeMeta{
 					APIVersion: "v1",
 					Kind:       "Secret",
 				},
 				ObjectMeta: kubeapi.ObjectMeta{
-					Name: secretName,
+					Name: s.secretName,
 				},
 				Data: func(m map[string][]byte) map[string][]byte {
 					d := make(map[string][]byte, len(m))
@@ -262,9 +137,9 @@ func (s *Store) updateSecret(data map[string][]byte, secretName string) (err err
 				}(data),
 			})
 		}
-		return fmt.Errorf("error getting Secret %s: %w", secretName, err)
+		return err
 	}
-	if s.canPatchSecret(secretName) {
+	if s.canPatch {
 		var m []kubeclient.JSONPatch
 		// If the user has pre-created a Secret with no data, we need to ensure the top level /data field.
 		if len(secret.Data) == 0 {
@@ -291,8 +166,8 @@ func (s *Store) updateSecret(data map[string][]byte, secretName string) (err err
 				})
 			}
 		}
-		if err := s.client.JSONPatchResource(ctx, secretName, kubeclient.TypeSecrets, m); err != nil {
-			return fmt.Errorf("error patching Secret %s: %w", secretName, err)
+		if err := s.client.JSONPatchResource(ctx, s.secretName, kubeclient.TypeSecrets, m); err != nil {
+			return fmt.Errorf("error patching Secret %s: %w", s.secretName, err)
 		}
 		return nil
 	}
@@ -301,9 +176,9 @@ func (s *Store) updateSecret(data map[string][]byte, secretName string) (err err
 		mak.Set(&secret.Data, sanitizeKey(key), val)
 	}
 	if err := s.client.UpdateSecret(ctx, secret); err != nil {
-		return fmt.Errorf("error updating Secret %s: %w", s.secretName, err)
+		return err
 	}
-	return nil
+	return err
 }

 func (s *Store) loadState() (err error) {
@@ -327,96 +202,6 @@ func (s *Store) loadState() (err error) {
 	return nil
 }

-// runCertReload relists and reloads all TLS certs for endpoints shared by this
-// node from Secrets other than the state Secret to ensure that renewed certs get eventually loaded.
-// It is not critical to reload a cert immediately after
-// renewal, so a daily check is acceptable.
-// Currently (3/2025) this is only used for the shared HA Ingress certs on 'read' replicas.
-// Note that if shared certs are not found in memory on an HTTPS request, we
-// do a Secret lookup, so this mechanism does not need to ensure that newly
-// added Ingresses' certs get loaded.
-func (s *Store) runCertReload(ctx context.Context, logf logger.Logf) {
-	ticker := time.NewTicker(time.Hour * 24)
-	defer ticker.Stop()
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-ticker.C:
-			sel := s.certSecretSelector()
-			if err := s.loadCerts(ctx, sel); err != nil {
-				logf("[unexpected] error reloading TLS certs: %v", err)
-			}
-		}
-	}
-}
-
-// loadCerts lists all Secrets matching the provided selector and loads TLS
-// certs and keys from those.
-func (s *Store) loadCerts(ctx context.Context, sel map[string]string) error {
-	ss, err := s.client.ListSecrets(ctx, sel)
-	if err != nil {
-		return fmt.Errorf("error listing TLS Secrets: %w", err)
-	}
-	for _, secret := range ss.Items {
-		if !hasTLSData(&secret) {
-			continue
-		}
-		// Only load secrets that have valid domain names (ending in .ts.net)
-		if !strings.HasSuffix(secret.Name, ".ts.net") {
-			continue
-		}
-		s.memory.WriteState(ipn.StateKey(secret.Name)+".crt", secret.Data[keyTLSCert])
-		s.memory.WriteState(ipn.StateKey(secret.Name)+".key", secret.Data[keyTLSKey])
-	}
-	return nil
-}
-
-// canCreateSecret returns true if this node should be allowed to create the given
-// Secret in its namespace.
-func (s *Store) canCreateSecret(secret string) bool {
-	// Only allow creating the state Secret (and not TLS Secrets).
-	return secret == s.secretName
-}
-
-// canPatchSecret returns true if this node should be allowed to patch the given
-// Secret.
-func (s *Store) canPatchSecret(secret string) bool {
-	// For backwards compatibility reasons, setups where the proxies are not
-	// given PATCH permissions for state Secrets are allowed. For TLS
-	// Secrets, we should always have PATCH permissions.
-	if secret == s.secretName {
-		return s.canPatch
-	}
-	return true
-}
-
-// certSecretSelector returns a label selector that can be used to list all
-// Secrets that aren't Tailscale state Secrets and contain TLS certificates for
-// HTTPS endpoints that this node serves.
-// Currently (3/2025) this only applies to the Kubernetes Operator's ingress
-// ProxyGroup.
-func (s *Store) certSecretSelector() map[string]string {
-	if s.podName == "" {
-		return map[string]string{}
-	}
-	p := strings.LastIndex(s.podName, "-")
-	if p == -1 {
-		return map[string]string{}
-	}
-	pgName := s.podName[:p]
-	return map[string]string{
-		kubetypes.LabelSecretType:   "certs",
-		kubetypes.LabelManaged:      "true",
-		"tailscale.com/proxy-group": pgName,
-	}
-}
-
-// hasTLSData returns true if the provided Secret contains non-empty TLS cert and key.
-func hasTLSData(s *kubeapi.Secret) bool {
-	return len(s.Data[keyTLSCert]) != 0 && len(s.Data[keyTLSKey]) != 0
-}
-
 // sanitizeKey converts any value that can be converted to a string into a valid Kubernetes Secret key.
 // Valid characters are alphanumeric, -, _, and .
 // https://kubernetes.io/docs/concepts/configuration/secret/#restriction-names-data.
--- a/ipn/store/kubestore/store_kube_test.go
+++ b/ipn/store/kubestore/store_kube_test.go
@@ -4,37 +4,33 @@
 package kubestore

 import (
-	"bytes"
 	"context"
-	"encoding/json"
-	"fmt"
 	"strings"
 	"testing"

 	"github.com/google/go-cmp/cmp"
-	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/mem"
 	"tailscale.com/kube/kubeapi"
 	"tailscale.com/kube/kubeclient"
 )

-func TestWriteState(t *testing.T) {
+func TestUpdateStateSecret(t *testing.T) {
 	tests := []struct {
 		name       string
 		initial    map[string][]byte
-		key        ipn.StateKey
-		value      []byte
+		updates    map[string][]byte
 		wantData   map[string][]byte
 		allowPatch bool
 	}{
 		{
-			name: "basic_write",
+			name: "basic_update",
 			initial: map[string][]byte{
 				"existing": []byte("old"),
 			},
-			key:   "foo",
-			value: []byte("bar"),
+			updates: map[string][]byte{
+				"foo": []byte("bar"),
+			},
 			wantData: map[string][]byte{
 				"existing": []byte("old"),
 				"foo":      []byte("bar"),
@@ -46,17 +42,35 @@ func TestWriteState(t *testing.T) {
 			initial: map[string][]byte{
 				"foo": []byte("old"),
 			},
-			key:   "foo",
-			value: []byte("new"),
+			updates: map[string][]byte{
+				"foo": []byte("new"),
+			},
 			wantData: map[string][]byte{
 				"foo": []byte("new"),
 			},
 			allowPatch: true,
 		},
 		{
-			name:  "create_new_secret",
-			key:   "foo",
-			value: []byte("bar"),
+			name: "multiple_updates",
+			initial: map[string][]byte{
+				"keep": []byte("keep"),
+			},
+			updates: map[string][]byte{
+				"foo": []byte("bar"),
+				"baz": []byte("qux"),
+			},
+			wantData: map[string][]byte{
+				"keep": []byte("keep"),
+				"foo":  []byte("bar"),
+				"baz":  []byte("qux"),
+			},
+			allowPatch: true,
+		},
+		{
+			name: "create_new_secret",
+			updates: map[string][]byte{
+				"foo": []byte("bar"),
+			},
 			wantData: map[string][]byte{
 				"foo": []byte("bar"),
 			},
@@ -67,23 +81,29 @@ func TestWriteState(t *testing.T) {
 			initial: map[string][]byte{
 				"foo": []byte("old"),
 			},
-			key:   "foo",
-			value: []byte("new"),
+			updates: map[string][]byte{
+				"foo": []byte("new"),
+			},
 			wantData: map[string][]byte{
 				"foo": []byte("new"),
 			},
 			allowPatch: false,
 		},
 		{
-			name: "sanitize_key",
+			name: "sanitize_keys",
 			initial: map[string][]byte{
 				"clean-key": []byte("old"),
 			},
-			key:   "dirty@key",
-			value: []byte("new"),
+			updates: map[string][]byte{
+				"dirty@key": []byte("new"),
+				"also/bad":  []byte("value"),
+				"good.key":  []byte("keep"),
+			},
 			wantData: map[string][]byte{
 				"clean-key": []byte("old"),
 				"dirty_key": []byte("new"),
+				"also_bad":  []byte("value"),
+				"good.key":  []byte("keep"),
 			},
 			allowPatch: true,
 		},
@@ -132,13 +152,13 @@ func TestWriteState(t *testing.T) {
 			s := &Store{
 				client:     client,
 				canPatch:   tt.allowPatch,
-				secretName: "ts-state",
+				secretName: "test-secret",
 				memory:     mem.Store{},
 			}

-			err := s.WriteState(tt.key, tt.value)
+			err := s.updateStateSecret(tt.updates)
 			if err != nil {
-				t.Errorf("WriteState() error = %v", err)
+				t.Errorf("updateStateSecret() error = %v", err)
 				return
 			}

@@ -148,579 +168,16 @@ func TestWriteState(t *testing.T) {
 			}

 			// Verify memory store was updated
-			got, err := s.memory.ReadState(ipn.StateKey(sanitizeKey(string(tt.key))))
-			if err != nil {
-				t.Errorf("reading from memory store: %v", err)
-			}
-			if !cmp.Equal(got, tt.value) {
-				t.Errorf("memory store key %q = %v, want %v", tt.key, got, tt.value)
-			}
-		})
-	}
-}
-
-func TestWriteTLSCertAndKey(t *testing.T) {
-	const (
-		testDomain = "my-app.tailnetxyz.ts.net"
-		testCert   = "fake-cert"
-		testKey    = "fake-key"
-	)
-
-	tests := []struct {
-		name            string
-		initial         map[string][]byte // pre-existing cert and key
-		certShareMode   string
-		allowPatch      bool   // whether client can patch the Secret
-		wantSecretName  string // name of the Secret where cert and key should be written
-		wantSecretData  map[string][]byte
-		wantMemoryStore map[ipn.StateKey][]byte
-	}{
-		{
-			name: "basic_write",
-			initial: map[string][]byte{
-				"existing": []byte("old"),
-			},
-			allowPatch:     true,
-			wantSecretName: "ts-state",
-			wantSecretData: map[string][]byte{
-				"existing":                     []byte("old"),
-				"my-app.tailnetxyz.ts.net.crt": []byte(testCert),
-				"my-app.tailnetxyz.ts.net.key": []byte(testKey),
-			},
-			wantMemoryStore: map[ipn.StateKey][]byte{
-				"my-app.tailnetxyz.ts.net.crt": []byte(testCert),
-				"my-app.tailnetxyz.ts.net.key": []byte(testKey),
-			},
-		},
-		{
-			name:           "cert_share_mode_write",
-			certShareMode:  "rw",
-			allowPatch:     true,
-			wantSecretName: "my-app.tailnetxyz.ts.net",
-			wantSecretData: map[string][]byte{
-				"tls.crt": []byte(testCert),
-				"tls.key": []byte(testKey),
-			},
-		},
-		{
-			name: "cert_share_mode_write_update_existing",
-			initial: map[string][]byte{
-				"tls.crt": []byte("old-cert"),
-				"tls.key": []byte("old-key"),
-			},
-			certShareMode:  "rw",
-			allowPatch:     true,
-			wantSecretName: "my-app.tailnetxyz.ts.net",
-			wantSecretData: map[string][]byte{
-				"tls.crt": []byte(testCert),
-				"tls.key": []byte(testKey),
-			},
-		},
-		{
-			name: "update_existing",
-			initial: map[string][]byte{
-				"my-app.tailnetxyz.ts.net.crt": []byte("old-cert"),
-				"my-app.tailnetxyz.ts.net.key": []byte("old-key"),
-			},
-			certShareMode:  "",
-			allowPatch:     true,
-			wantSecretName: "ts-state",
-			wantSecretData: map[string][]byte{
-				"my-app.tailnetxyz.ts.net.crt": []byte(testCert),
-				"my-app.tailnetxyz.ts.net.key": []byte(testKey),
-			},
-			wantMemoryStore: map[ipn.StateKey][]byte{
-				"my-app.tailnetxyz.ts.net.crt": []byte(testCert),
-				"my-app.tailnetxyz.ts.net.key": []byte(testKey),
-			},
-		},
-		{
-			name:           "patch_denied",
-			certShareMode:  "",
-			allowPatch:     false,
-			wantSecretName: "ts-state",
-			wantSecretData: map[string][]byte{
-				"my-app.tailnetxyz.ts.net.crt": []byte(testCert),
-				"my-app.tailnetxyz.ts.net.key": []byte(testKey),
-			},
-			wantMemoryStore: map[ipn.StateKey][]byte{
-				"my-app.tailnetxyz.ts.net.crt": []byte(testCert),
-				"my-app.tailnetxyz.ts.net.key": []byte(testKey),
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-
-			// Set POD_NAME for testing selectors
-			envknob.Setenv("POD_NAME", "ingress-proxies-1")
-			defer envknob.Setenv("POD_NAME", "")
-
-			secret := tt.initial // track current state
-			client := &kubeclient.FakeClient{
-				GetSecretImpl: func(ctx context.Context, name string) (*kubeapi.Secret, error) {
-					if secret == nil {
-						return nil, &kubeapi.Status{Code: 404}
-					}
-					return &kubeapi.Secret{Data: secret}, nil
-				},
-				CheckSecretPermissionsImpl: func(ctx context.Context, name string) (bool, bool, error) {
-					return tt.allowPatch, true, nil
-				},
-				CreateSecretImpl: func(ctx context.Context, s *kubeapi.Secret) error {
-					if s.Name != tt.wantSecretName {
-						t.Errorf("CreateSecret called with wrong name, got %q, want %q", s.Name, tt.wantSecretName)
-					}
-					secret = s.Data
-					return nil
-				},
-				UpdateSecretImpl: func(ctx context.Context, s *kubeapi.Secret) error {
-					if s.Name != tt.wantSecretName {
-						t.Errorf("UpdateSecret called with wrong name, got %q, want %q", s.Name, tt.wantSecretName)
-					}
-					secret = s.Data
-					return nil
-				},
-				JSONPatchResourceImpl: func(ctx context.Context, name, resourceType string, patches []kubeclient.JSONPatch) error {
-					if !tt.allowPatch {
-						return &kubeapi.Status{Reason: "Forbidden"}
-					}
-					if name != tt.wantSecretName {
-						t.Errorf("JSONPatchResource called with wrong name, got %q, want %q", name, tt.wantSecretName)
-					}
-					if secret == nil {
-						secret = make(map[string][]byte)
-					}
-					for _, p := range patches {
-						if p.Op == "add" && p.Path == "/data" {
-							secret = p.Value.(map[string][]byte)
-						} else if p.Op == "add" && strings.HasPrefix(p.Path, "/data/") {
-							key := strings.TrimPrefix(p.Path, "/data/")
-							secret[key] = p.Value.([]byte)
-						}
-					}
-					return nil
-				},
-			}
-
-			s := &Store{
-				client:        client,
-				canPatch:      tt.allowPatch,
-				secretName:    tt.wantSecretName,
-				certShareMode: tt.certShareMode,
-				memory:        mem.Store{},
-			}
-
-			err := s.WriteTLSCertAndKey(testDomain, []byte(testCert), []byte(testKey))
-			if err != nil {
-				t.Errorf("WriteTLSCertAndKey() error = '%v'", err)
-				return
-			}
-
-			// Verify secret data
-			if diff := cmp.Diff(secret, tt.wantSecretData); diff != "" {
-				t.Errorf("secret data mismatch (-got +want):\n%s", diff)
-			}
-
-			// Verify memory store was updated
-			for key, want := range tt.wantMemoryStore {
-				got, err := s.memory.ReadState(key)
+			for k, v := range tt.updates {
+				got, err := s.memory.ReadState(ipn.StateKey(sanitizeKey(k)))
 				if err != nil {
 					t.Errorf("reading from memory store: %v", err)
 					continue
 				}
-				if !cmp.Equal(got, want) {
-					t.Errorf("memory store key %q = %v, want %v", key, got, want)
+				if !cmp.Equal(got, v) {
+					t.Errorf("memory store key %q = %v, want %v", k, got, v)
 				}
 			}
 		})
 	}
 }
-
-func TestReadTLSCertAndKey(t *testing.T) {
-	const (
-		testDomain = "my-app.tailnetxyz.ts.net"
-		testCert   = "fake-cert"
-		testKey    = "fake-key"
-	)
-
-	tests := []struct {
-		name          string
-		memoryStore   map[ipn.StateKey][]byte // pre-existing memory store state
-		certShareMode string
-		domain        string
-		secretData    map[string][]byte // data to return from mock GetSecret
-		secretGetErr  error             // error to return from mock GetSecret
-		wantCert      []byte
-		wantKey       []byte
-		wantErr       error
-		// what should end up in memory store after the store is created
-		wantMemoryStore map[ipn.StateKey][]byte
-	}{
-		{
-			name: "found_in_memory",
-			memoryStore: map[ipn.StateKey][]byte{
-				"my-app.tailnetxyz.ts.net.crt": []byte(testCert),
-				"my-app.tailnetxyz.ts.net.key": []byte(testKey),
-			},
-			domain:   testDomain,
-			wantCert: []byte(testCert),
-			wantKey:  []byte(testKey),
-			wantMemoryStore: map[ipn.StateKey][]byte{
-				"my-app.tailnetxyz.ts.net.crt": []byte(testCert),
-				"my-app.tailnetxyz.ts.net.key": []byte(testKey),
-			},
-		},
-		{
-			name:    "not_found_in_memory",
-			domain:  testDomain,
-			wantErr: ipn.ErrStateNotExist,
-		},
-		{
-			name:          "cert_share_ro_mode_found_in_secret",
-			certShareMode: "ro",
-			domain:        testDomain,
-			secretData: map[string][]byte{
-				"tls.crt": []byte(testCert),
-				"tls.key": []byte(testKey),
-			},
-			wantCert: []byte(testCert),
-			wantKey:  []byte(testKey),
-			wantMemoryStore: map[ipn.StateKey][]byte{
-				"my-app.tailnetxyz.ts.net.crt": []byte(testCert),
-				"my-app.tailnetxyz.ts.net.key": []byte(testKey),
-			},
-		},
-		{
-			name:          "cert_share_rw_mode_found_in_secret",
-			certShareMode: "rw",
-			domain:        testDomain,
-			secretData: map[string][]byte{
-				"tls.crt": []byte(testCert),
-				"tls.key": []byte(testKey),
-			},
-			wantCert: []byte(testCert),
-			wantKey:  []byte(testKey),
-		},
-		{
-			name:          "cert_share_ro_mode_found_in_memory",
-			certShareMode: "ro",
-			memoryStore: map[ipn.StateKey][]byte{
-				"my-app.tailnetxyz.ts.net.crt": []byte(testCert),
-				"my-app.tailnetxyz.ts.net.key": []byte(testKey),
-			},
-			domain:   testDomain,
-			wantCert: []byte(testCert),
-			wantKey:  []byte(testKey),
-			wantMemoryStore: map[ipn.StateKey][]byte{
-				"my-app.tailnetxyz.ts.net.crt": []byte(testCert),
-				"my-app.tailnetxyz.ts.net.key": []byte(testKey),
-			},
-		},
-		{
-			name:          "cert_share_ro_mode_not_found",
-			certShareMode: "ro",
-			domain:        testDomain,
-			secretGetErr:  &kubeapi.Status{Code: 404},
-			wantErr:       ipn.ErrStateNotExist,
-		},
-		{
-			name:          "cert_share_ro_mode_empty_cert_in_secret",
-			certShareMode: "ro",
-			domain:        testDomain,
-			secretData: map[string][]byte{
-				"tls.crt": {},
-				"tls.key": []byte(testKey),
-			},
-			wantErr: ipn.ErrStateNotExist,
-		},
-		{
-			name:          "cert_share_ro_mode_kube_api_error",
-			certShareMode: "ro",
-			domain:        testDomain,
-			secretGetErr:  fmt.Errorf("api error"),
-			wantErr:       fmt.Errorf("getting TLS Secret %q: api error", sanitizeKey(testDomain)),
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-
-			client := &kubeclient.FakeClient{
-				GetSecretImpl: func(ctx context.Context, name string) (*kubeapi.Secret, error) {
-					if tt.secretGetErr != nil {
-						return nil, tt.secretGetErr
-					}
-					return &kubeapi.Secret{Data: tt.secretData}, nil
-				},
-			}
-
-			s := &Store{
-				client:        client,
-				secretName:    "ts-state",
-				certShareMode: tt.certShareMode,
-				memory:        mem.Store{},
-			}
-
-			// Initialize memory store
-			for k, v := range tt.memoryStore {
-				s.memory.WriteState(k, v)
-			}
-
-			gotCert, gotKey, err := s.ReadTLSCertAndKey(tt.domain)
-			if tt.wantErr != nil {
-				if err == nil {
-					t.Errorf("ReadTLSCertAndKey() error = nil, want error containing %v", tt.wantErr)
-					return
-				}
-				if !strings.Contains(err.Error(), tt.wantErr.Error()) {
-					t.Errorf("ReadTLSCertAndKey() error = %v, want error containing %v", err, tt.wantErr)
-				}
-				return
-			}
-			if err != nil {
-				t.Errorf("ReadTLSCertAndKey() unexpected error: %v", err)
-				return
-			}
-
-			if !bytes.Equal(gotCert, tt.wantCert) {
-				t.Errorf("ReadTLSCertAndKey() gotCert = %v, want %v", gotCert, tt.wantCert)
-			}
-			if !bytes.Equal(gotKey, tt.wantKey) {
-				t.Errorf("ReadTLSCertAndKey() gotKey = %v, want %v", gotKey, tt.wantKey)
-			}
-
-			// Verify memory store contents after operation
-			if tt.wantMemoryStore != nil {
-				for key, want := range tt.wantMemoryStore {
-					got, err := s.memory.ReadState(key)
-					if err != nil {
-						t.Errorf("reading from memory store: %v", err)
-						continue
-					}
-					if !bytes.Equal(got, want) {
-						t.Errorf("memory store key %q = %v, want %v", key, got, want)
-					}
-				}
-			}
-		})
-	}
-}
-
-func TestNewWithClient(t *testing.T) {
-	const (
-		secretName = "ts-state"
-		testCert   = "fake-cert"
-		testKey    = "fake-key"
-	)
-
-	certSecretsLabels := map[string]string{
-		"tailscale.com/secret-type": "certs",
-		"tailscale.com/managed":     "true",
-		"tailscale.com/proxy-group": "ingress-proxies",
-	}
-
-	// Helper function to create Secret objects for testing
-	makeSecret := func(name string, labels map[string]string, certSuffix string) kubeapi.Secret {
-		return kubeapi.Secret{
-			ObjectMeta: kubeapi.ObjectMeta{
-				Name:   name,
-				Labels: labels,
-			},
-			Data: map[string][]byte{
-				"tls.crt": []byte(testCert + certSuffix),
-				"tls.key": []byte(testKey + certSuffix),
-			},
-		}
-	}
-
-	tests := []struct {
-		name                    string
-		stateSecretContents     map[string][]byte // data in state Secret
-		TLSSecrets              []kubeapi.Secret  // list of TLS cert Secrets
-		certMode                string
-		secretGetErr            error // error to return from GetSecret
-		secretsListErr          error // error to return from ListSecrets
-		wantMemoryStoreContents map[ipn.StateKey][]byte
-		wantErr                 error
-	}{
-		{
-			name:                    "empty_state_secret",
-			stateSecretContents:     map[string][]byte{},
-			wantMemoryStoreContents: map[ipn.StateKey][]byte{},
-		},
-		{
-			name:                    "state_secret_not_found",
-			secretGetErr:            &kubeapi.Status{Code: 404},
-			wantMemoryStoreContents: map[ipn.StateKey][]byte{},
-		},
-		{
-			name:         "state_secret_get_error",
-			secretGetErr: fmt.Errorf("some error"),
-			wantErr:      fmt.Errorf("error loading state from kube Secret: some error"),
-		},
-		{
-			name: "load_existing_state",
-			stateSecretContents: map[string][]byte{
-				"foo": []byte("bar"),
-				"baz": []byte("qux"),
-			},
-			wantMemoryStoreContents: map[ipn.StateKey][]byte{
-				"foo": []byte("bar"),
-				"baz": []byte("qux"),
-			},
-		},
-		{
-			name:     "load_select_certs_in_read_only_mode",
-			certMode: "ro",
-			stateSecretContents: map[string][]byte{
-				"foo": []byte("bar"),
-			},
-			TLSSecrets: []kubeapi.Secret{
-				makeSecret("app1.tailnetxyz.ts.net", certSecretsLabels, "1"),
-				makeSecret("app2.tailnetxyz.ts.net", certSecretsLabels, "2"),
-				makeSecret("some-other-secret", nil, "3"),
-				makeSecret("app3.other-proxies.ts.net", map[string]string{
-					"tailscale.com/secret-type": "certs",
-					"tailscale.com/managed":     "true",
-					"tailscale.com/proxy-group": "some-other-proxygroup",
-				}, "4"),
-			},
-			wantMemoryStoreContents: map[ipn.StateKey][]byte{
-				"foo":                        []byte("bar"),
-				"app1.tailnetxyz.ts.net.crt": []byte(testCert + "1"),
-				"app1.tailnetxyz.ts.net.key": []byte(testKey + "1"),
-				"app2.tailnetxyz.ts.net.crt": []byte(testCert + "2"),
-				"app2.tailnetxyz.ts.net.key": []byte(testKey + "2"),
-			},
-		},
-		{
-			name:     "load_select_certs_in_read_write_mode",
-			certMode: "rw",
-			stateSecretContents: map[string][]byte{
-				"foo": []byte("bar"),
-			},
-			TLSSecrets: []kubeapi.Secret{
-				makeSecret("app1.tailnetxyz.ts.net", certSecretsLabels, "1"),
-				makeSecret("app2.tailnetxyz.ts.net", certSecretsLabels, "2"),
-				makeSecret("some-other-secret", nil, "3"),
-				makeSecret("app3.other-proxies.ts.net", map[string]string{
-					"tailscale.com/secret-type": "certs",
-					"tailscale.com/managed":     "true",
-					"tailscale.com/proxy-group": "some-other-proxygroup",
-				}, "4"),
-			},
-			wantMemoryStoreContents: map[ipn.StateKey][]byte{
-				"foo":                        []byte("bar"),
-				"app1.tailnetxyz.ts.net.crt": []byte(testCert + "1"),
-				"app1.tailnetxyz.ts.net.key": []byte(testKey + "1"),
-				"app2.tailnetxyz.ts.net.crt": []byte(testCert + "2"),
-				"app2.tailnetxyz.ts.net.key": []byte(testKey + "2"),
-			},
-		},
-		{
-			name:     "list_cert_secrets_fails",
-			certMode: "ro",
-			stateSecretContents: map[string][]byte{
-				"foo": []byte("bar"),
-			},
-			secretsListErr: fmt.Errorf("list error"),
-			// The error is logged but not returned, and state is still loaded
-			wantMemoryStoreContents: map[ipn.StateKey][]byte{
-				"foo": []byte("bar"),
-			},
-		},
-		{
-			name:     "cert_secrets_not_loaded_when_not_in_share_mode",
-			certMode: "",
-			stateSecretContents: map[string][]byte{
-				"foo": []byte("bar"),
-			},
-			TLSSecrets: []kubeapi.Secret{
-				makeSecret("app1.tailnetxyz.ts.net", certSecretsLabels, "1"),
-			},
-			wantMemoryStoreContents: map[ipn.StateKey][]byte{
-				"foo": []byte("bar"),
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			envknob.Setenv("TS_CERT_SHARE_MODE", tt.certMode)
-
-			t.Setenv("POD_NAME", "ingress-proxies-1")
-
-			client := &kubeclient.FakeClient{
-				GetSecretImpl: func(ctx context.Context, name string) (*kubeapi.Secret, error) {
-					if tt.secretGetErr != nil {
-						return nil, tt.secretGetErr
-					}
-					if name == secretName {
-						return &kubeapi.Secret{Data: tt.stateSecretContents}, nil
-					}
-					return nil, &kubeapi.Status{Code: 404}
-				},
-				CheckSecretPermissionsImpl: func(ctx context.Context, name string) (bool, bool, error) {
-					return true, true, nil
-				},
-				ListSecretsImpl: func(ctx context.Context, selector map[string]string) (*kubeapi.SecretList, error) {
-					if tt.secretsListErr != nil {
-						return nil, tt.secretsListErr
-					}
-					var matchingSecrets []kubeapi.Secret
-					for _, secret := range tt.TLSSecrets {
-						matches := true
-						for k, v := range selector {
-							if secret.Labels[k] != v {
-								matches = false
-								break
-							}
-						}
-						if matches {
-							matchingSecrets = append(matchingSecrets, secret)
-						}
-					}
-					return &kubeapi.SecretList{Items: matchingSecrets}, nil
-				},
-			}
-
-			s, err := newWithClient(t.Logf, client, secretName)
-			if tt.wantErr != nil {
-				if err == nil {
-					t.Errorf("NewWithClient() error = nil, want error containing %v", tt.wantErr)
-					return
-				}
-				if !strings.Contains(err.Error(), tt.wantErr.Error()) {
-					t.Errorf("NewWithClient() error = %v, want error containing %v", err, tt.wantErr)
-				}
-				return
-			}
-
-			if err != nil {
-				t.Errorf("NewWithClient() unexpected error: %v", err)
-				return
-			}
-
-			// Verify memory store contents
-			gotJSON, err := s.memory.ExportToJSON()
-			if err != nil {
-				t.Errorf("ExportToJSON failed: %v", err)
-				return
-			}
-			var got map[ipn.StateKey][]byte
-			if err := json.Unmarshal(gotJSON, &got); err != nil {
-				t.Errorf("failed to unmarshal memory store JSON: %v", err)
-				return
-			}
-			want := tt.wantMemoryStoreContents
-			if want == nil {
-				want = map[ipn.StateKey][]byte{}
-			}
-			if diff := cmp.Diff(got, want); diff != "" {
-				t.Errorf("memory store contents mismatch (-got +want):\n%s", diff)
-			}
-		})
-	}
-}
--- a/k8s-operator/api.md
+++ b/k8s-operator/api.md
@@ -517,7 +517,6 @@ _Appears in:_
 | `statefulSet` _[StatefulSet](#statefulset)_ | Configuration parameters for the proxy's StatefulSet. Tailscale<br />Kubernetes operator deploys a StatefulSet for each of the user<br />configured proxies (Tailscale Ingress, Tailscale Service, Connector). |  |  |
 | `metrics` _[Metrics](#metrics)_ | Configuration for proxy metrics. Metrics are currently not supported<br />for egress proxies and for Ingress proxies that have been configured<br />with tailscale.com/experimental-forward-cluster-traffic-via-ingress<br />annotation. Note that the metrics are currently considered unstable<br />and will likely change in breaking ways in the future - we only<br />recommend that you use those for debugging purposes. |  |  |
 | `tailscale` _[TailscaleConfig](#tailscaleconfig)_ | TailscaleConfig contains options to configure the tailscale-specific<br />parameters of proxies. |  |  |
-| `useLetsEncryptStagingEnvironment` _boolean_ | Set UseLetsEncryptStagingEnvironment to true to issue TLS<br />certificates for any HTTPS endpoints exposed to the tailnet from<br />LetsEncrypt's staging environment.<br />https://letsencrypt.org/docs/staging-environment/<br />This setting only affects Tailscale Ingress resources.<br />By default Ingress TLS certificates are issued from LetsEncrypt's<br />production environment.<br />Changing this setting true -> false, will result in any<br />existing certs being re-issued from the production environment.<br />Changing this setting false (default) -> true, when certs have already<br />been provisioned from production environment will NOT result in certs<br />being re-issued from the staging environment before they need to be<br />renewed. |  |  |


 #### ProxyClassStatus
@@ -600,7 +599,7 @@ _Appears in:_

 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `type` _[ProxyGroupType](#proxygrouptype)_ | Type of the ProxyGroup proxies. Currently the only supported type is egress.<br />Type is immutable once a ProxyGroup is created. |  | Enum: [egress ingress] <br />Type: string <br /> |
+| `type` _[ProxyGroupType](#proxygrouptype)_ | Type of the ProxyGroup proxies. Supported types are egress and ingress.<br />Type is immutable once a ProxyGroup is created. |  | Enum: [egress ingress] <br />Type: string <br /> |
 | `tags` _[Tags](#tags)_ | Tags that the Tailscale devices will be tagged with. Defaults to [tag:k8s].<br />If you specify custom tags here, make sure you also make the operator<br />an owner of these tags.<br />See  https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator.<br />Tags cannot be changed once a ProxyGroup device has been created.<br />Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$. |  | Pattern: `^tag:[a-zA-Z][a-zA-Z0-9-]*$` <br />Type: string <br /> |
 | `replicas` _integer_ | Replicas specifies how many replicas to create the StatefulSet with.<br />Defaults to 2. |  | Minimum: 0 <br /> |
 | `hostnamePrefix` _[HostnamePrefix](#hostnameprefix)_ | HostnamePrefix is the hostname prefix to use for tailnet devices created<br />by the ProxyGroup. Each device will have the integer number from its<br />StatefulSet pod appended to this prefix to form the full hostname.<br />HostnamePrefix can contain lower case letters, numbers and dashes, it<br />must not start with a dash and must be between 1 and 62 characters long. |  | Pattern: `^[a-z0-9][a-z0-9-]{0,61}$` <br />Type: string <br /> |
--- a/k8s-operator/apis/v1alpha1/types_proxyclass.go
+++ b/k8s-operator/apis/v1alpha1/types_proxyclass.go
@@ -66,21 +66,6 @@ type ProxyClassSpec struct {
 	// parameters of proxies.
 	// +optional
 	TailscaleConfig *TailscaleConfig `json:"tailscale,omitempty"`
-	// Set UseLetsEncryptStagingEnvironment to true to issue TLS
-	// certificates for any HTTPS endpoints exposed to the tailnet from
-	// LetsEncrypt's staging environment.
-	// https://letsencrypt.org/docs/staging-environment/
-	// This setting only affects Tailscale Ingress resources.
-	// By default Ingress TLS certificates are issued from LetsEncrypt's
-	// production environment.
-	// Changing this setting true -> false, will result in any
-	// existing certs being re-issued from the production environment.
-	// Changing this setting false (default) -> true, when certs have already
-	// been provisioned from production environment will NOT result in certs
-	// being re-issued from the staging environment before they need to be
-	// renewed.
-	// +optional
-	UseLetsEncryptStagingEnvironment bool `json:"useLetsEncryptStagingEnvironment,omitempty"`
 }

 type TailscaleConfig struct {
--- a/k8s-operator/apis/v1alpha1/types_proxygroup.go
+++ b/k8s-operator/apis/v1alpha1/types_proxygroup.go
@@ -48,7 +48,7 @@ type ProxyGroupList struct {
 }

 type ProxyGroupSpec struct {
-	// Type of the ProxyGroup proxies. Currently the only supported type is egress.
+	// Type of the ProxyGroup proxies. Supported types are egress and ingress.
 	// Type is immutable once a ProxyGroup is created.
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="ProxyGroup type is immutable"
 	Type ProxyGroupType `json:"type"`
--- a/kube/kubeapi/api.go
+++ b/kube/kubeapi/api.go
@@ -153,14 +153,6 @@ type Secret struct {
 	Data map[string][]byte `json:"data,omitempty"`
 }

-// SecretList is a list of Secret objects.
-type SecretList struct {
-	TypeMeta   `json:",inline"`
-	ObjectMeta `json:"metadata"`
-
-	Items []Secret `json:"items,omitempty"`
-}
-
 // Event contains a subset of fields from corev1.Event.
 // https://github.com/kubernetes/api/blob/6cc44b8953ae704d6d9ec2adf32e7ae19199ea9f/core/v1/types.go#L7034
 // It is copied here to avoid having to import kube libraries.
--- a/kube/kubeclient/client.go
+++ b/kube/kubeclient/client.go
@@ -60,7 +60,6 @@ func readFile(n string) ([]byte, error) {
 // It expects to be run inside a cluster.
 type Client interface {
 	GetSecret(context.Context, string) (*kubeapi.Secret, error)
-	ListSecrets(context.Context, map[string]string) (*kubeapi.SecretList, error)
 	UpdateSecret(context.Context, *kubeapi.Secret) error
 	CreateSecret(context.Context, *kubeapi.Secret) error
 	// Event attempts to ensure an event with the specified options associated with the Pod in which we are
@@ -249,35 +248,21 @@ func (c *client) newRequest(ctx context.Context, method, url string, in any) (*h
 // GetSecret fetches the secret from the Kubernetes API.
 func (c *client) GetSecret(ctx context.Context, name string) (*kubeapi.Secret, error) {
 	s := &kubeapi.Secret{Data: make(map[string][]byte)}
-	if err := c.kubeAPIRequest(ctx, "GET", c.resourceURL(name, TypeSecrets, ""), nil, s); err != nil {
+	if err := c.kubeAPIRequest(ctx, "GET", c.resourceURL(name, TypeSecrets), nil, s); err != nil {
 		return nil, err
 	}
 	return s, nil
 }

-// ListSecrets fetches the secret from the Kubernetes API.
-func (c *client) ListSecrets(ctx context.Context, selector map[string]string) (*kubeapi.SecretList, error) {
-	sl := new(kubeapi.SecretList)
-	s := make([]string, 0, len(selector))
-	for key, val := range selector {
-		s = append(s, key+"="+url.QueryEscape(val))
-	}
-	ss := strings.Join(s, ",")
-	if err := c.kubeAPIRequest(ctx, "GET", c.resourceURL("", TypeSecrets, ss), nil, sl); err != nil {
-		return nil, err
-	}
-	return sl, nil
-}
-
 // CreateSecret creates a secret in the Kubernetes API.
 func (c *client) CreateSecret(ctx context.Context, s *kubeapi.Secret) error {
 	s.Namespace = c.ns
-	return c.kubeAPIRequest(ctx, "POST", c.resourceURL("", TypeSecrets, ""), s, nil)
+	return c.kubeAPIRequest(ctx, "POST", c.resourceURL("", TypeSecrets), s, nil)
 }

 // UpdateSecret updates a secret in the Kubernetes API.
 func (c *client) UpdateSecret(ctx context.Context, s *kubeapi.Secret) error {
-	return c.kubeAPIRequest(ctx, "PUT", c.resourceURL(s.Name, TypeSecrets, ""), s, nil)
+	return c.kubeAPIRequest(ctx, "PUT", c.resourceURL(s.Name, TypeSecrets), s, nil)
 }

 // JSONPatch is a JSON patch operation.
@@ -298,14 +283,14 @@ func (c *client) JSONPatchResource(ctx context.Context, name, typ string, patche
 			return fmt.Errorf("unsupported JSON patch operation: %q", p.Op)
 		}
 	}
-	return c.kubeAPIRequest(ctx, "PATCH", c.resourceURL(name, typ, ""), patches, nil, setHeader("Content-Type", "application/json-patch+json"))
+	return c.kubeAPIRequest(ctx, "PATCH", c.resourceURL(name, typ), patches, nil, setHeader("Content-Type", "application/json-patch+json"))
 }

 // StrategicMergePatchSecret updates a secret in the Kubernetes API using a
 // strategic merge patch.
 // If a fieldManager is provided, it will be used to track the patch.
 func (c *client) StrategicMergePatchSecret(ctx context.Context, name string, s *kubeapi.Secret, fieldManager string) error {
-	surl := c.resourceURL(name, TypeSecrets, "")
+	surl := c.resourceURL(name, TypeSecrets)
 	if fieldManager != "" {
 		uv := url.Values{
 			"fieldManager": {fieldManager},
@@ -357,7 +342,7 @@ func (c *client) Event(ctx context.Context, typ, reason, msg string) error {
 			LastTimestamp:  now,
 			Count:          1,
 		}
-		return c.kubeAPIRequest(ctx, "POST", c.resourceURL("", typeEvents, ""), &ev, nil)
+		return c.kubeAPIRequest(ctx, "POST", c.resourceURL("", typeEvents), &ev, nil)
 	}
 	// If the Event already exists, we patch its count and last timestamp. This ensures that when users run 'kubectl
 	// describe pod...', they see the event just once (but with a message of how many times it has appeared over
@@ -487,13 +472,9 @@ func (c *client) checkPermission(ctx context.Context, verb, typ, name string) (b
 // resourceURL returns a URL that can be used to interact with the given resource type and, if name is not empty string,
 // the named resource of that type.
 // Note that this only works for core/v1 resource types.
-func (c *client) resourceURL(name, typ, sel string) string {
+func (c *client) resourceURL(name, typ string) string {
 	if name == "" {
-		url := fmt.Sprintf("%s/api/v1/namespaces/%s/%s", c.url, c.ns, typ)
-		if sel != "" {
-			url += "?labelSelector=" + sel
-		}
-		return url
+		return fmt.Sprintf("%s/api/v1/namespaces/%s/%s", c.url, c.ns, typ)
 	}
 	return fmt.Sprintf("%s/api/v1/namespaces/%s/%s/%s", c.url, c.ns, typ, name)
 }
@@ -506,7 +487,7 @@ func (c *client) nameForEvent(reason string) string {
 // getEvent fetches the event from the Kubernetes API.
 func (c *client) getEvent(ctx context.Context, name string) (*kubeapi.Event, error) {
 	e := &kubeapi.Event{}
-	if err := c.kubeAPIRequest(ctx, "GET", c.resourceURL(name, typeEvents, ""), nil, e); err != nil {
+	if err := c.kubeAPIRequest(ctx, "GET", c.resourceURL(name, typeEvents), nil, e); err != nil {
 		return nil, err
 	}
 	return e, nil
--- a/kube/kubeclient/fake_client.go
+++ b/kube/kubeclient/fake_client.go
@@ -18,7 +18,6 @@ type FakeClient struct {
 	CreateSecretImpl           func(context.Context, *kubeapi.Secret) error
 	UpdateSecretImpl           func(context.Context, *kubeapi.Secret) error
 	JSONPatchResourceImpl      func(context.Context, string, string, []JSONPatch) error
-	ListSecretsImpl            func(context.Context, map[string]string) (*kubeapi.SecretList, error)
 }

 func (fc *FakeClient) CheckSecretPermissions(ctx context.Context, name string) (bool, bool, error) {
@@ -46,9 +45,3 @@ func (fc *FakeClient) UpdateSecret(ctx context.Context, secret *kubeapi.Secret)
 func (fc *FakeClient) CreateSecret(ctx context.Context, secret *kubeapi.Secret) error {
 	return fc.CreateSecretImpl(ctx, secret)
 }
-func (fc *FakeClient) ListSecrets(ctx context.Context, selector map[string]string) (*kubeapi.SecretList, error) {
-	if fc.ListSecretsImpl != nil {
-		return fc.ListSecretsImpl(ctx, selector)
-	}
-	return nil, nil
-}
--- a/kube/kubetypes/types.go
+++ b/kube/kubetypes/types.go
@@ -48,7 +48,4 @@ const (
 	PodIPv4Header string = "Pod-IPv4"

 	EgessServicesPreshutdownEP = "/internal-egress-services-preshutdown"
-
-	LabelManaged    = "tailscale.com/managed"
-	LabelSecretType = "tailscale.com/secret-type" // "config", "state" "certs"
 )
--- a/licenses/android.md
+++ b/licenses/android.md
@@ -29,7 +29,7 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/djherbis/times](https://pkg.go.dev/github.com/djherbis/times) ([MIT](https://github.com/djherbis/times/blob/v1.6.0/LICENSE))
 - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.7.0/LICENSE))
 - [github.com/gaissmai/bart](https://pkg.go.dev/github.com/gaissmai/bart) ([MIT](https://github.com/gaissmai/bart/blob/v0.18.0/LICENSE))
- - [github.com/go-json-experiment/json](https://pkg.go.dev/github.com/go-json-experiment/json) ([BSD-3-Clause](https://github.com/go-json-experiment/json/blob/d3c622f1b874/LICENSE))
+ - [github.com/go-json-experiment/json](https://pkg.go.dev/github.com/go-json-experiment/json) ([BSD-3-Clause](https://github.com/go-json-experiment/json/blob/6a9a0fde9288/LICENSE))
 - [github.com/godbus/dbus/v5](https://pkg.go.dev/github.com/godbus/dbus/v5) ([BSD-2-Clause](https://github.com/godbus/dbus/blob/76236955d466/LICENSE))
 - [github.com/golang/groupcache/lru](https://pkg.go.dev/github.com/golang/groupcache/lru) ([Apache-2.0](https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE))
 - [github.com/google/btree](https://pkg.go.dev/github.com/google/btree) ([Apache-2.0](https://github.com/google/btree/blob/v1.1.2/LICENSE))
@@ -64,11 +64,11 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
 - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/ae6ca9944745/LICENSE))
 - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/fdeea329fbba/LICENSE))
 - [go4.org/unsafe/assume-no-moving-gc](https://pkg.go.dev/go4.org/unsafe/assume-no-moving-gc) ([BSD-3-Clause](https://github.com/go4org/unsafe-assume-no-moving-gc/blob/e7c30c78aeb2/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.35.0:LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.33.0:LICENSE))
 - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/939b2ce7:LICENSE))
 - [golang.org/x/mobile](https://pkg.go.dev/golang.org/x/mobile) ([BSD-3-Clause](https://cs.opensource.google/go/x/mobile/+/81131f64:LICENSE))
 - [golang.org/x/mod/semver](https://pkg.go.dev/golang.org/x/mod/semver) ([BSD-3-Clause](https://cs.opensource.google/go/x/mod/+/v0.23.0:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.36.0:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.35.0:LICENSE))
 - [golang.org/x/sync](https://pkg.go.dev/golang.org/x/sync) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.11.0:LICENSE))
 - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.30.0:LICENSE))
 - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.29.0:LICENSE))
--- a/licenses/apple.md
+++ b/licenses/apple.md
@@ -70,7 +70,7 @@ See also the dependencies in the [Tailscale CLI][].
 - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/fdeea329fbba/LICENSE))
 - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.35.0:LICENSE))
 - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/939b2ce7:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.36.0:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.35.0:LICENSE))
 - [golang.org/x/sync](https://pkg.go.dev/golang.org/x/sync) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.11.0:LICENSE))
 - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.30.0:LICENSE))
 - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.29.0:LICENSE))
--- a/licenses/tailscale.md
+++ b/licenses/tailscale.md
@@ -92,7 +92,7 @@ Some packages may only be included on certain architectures or operating systems
 - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/fdeea329fbba/LICENSE))
 - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.35.0:LICENSE))
 - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/939b2ce7:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.36.0:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.35.0:LICENSE))
 - [golang.org/x/oauth2](https://pkg.go.dev/golang.org/x/oauth2) ([BSD-3-Clause](https://cs.opensource.google/go/x/oauth2/+/v0.26.0:LICENSE))
 - [golang.org/x/sync](https://pkg.go.dev/golang.org/x/sync) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.11.0:LICENSE))
 - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.30.0:LICENSE))
--- a/licenses/windows.md
+++ b/licenses/windows.md
@@ -62,7 +62,7 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/tailscale/go-winio](https://pkg.go.dev/github.com/tailscale/go-winio) ([MIT](https://github.com/tailscale/go-winio/blob/c4f33415bf55/LICENSE))
 - [github.com/tailscale/hujson](https://pkg.go.dev/github.com/tailscale/hujson) ([BSD-3-Clause](https://github.com/tailscale/hujson/blob/20486734a56a/LICENSE))
 - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/4d49adab4de7/LICENSE))
- - [github.com/tailscale/walk](https://pkg.go.dev/github.com/tailscale/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/b2c15a420186/LICENSE))
+ - [github.com/tailscale/walk](https://pkg.go.dev/github.com/tailscale/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/04068c1cab63/LICENSE))
 - [github.com/tailscale/win](https://pkg.go.dev/github.com/tailscale/win) ([BSD-3-Clause](https://github.com/tailscale/win/blob/5992cb43ca35/LICENSE))
 - [github.com/tailscale/xnet/webdav](https://pkg.go.dev/github.com/tailscale/xnet/webdav) ([BSD-3-Clause](https://github.com/tailscale/xnet/blob/8497ac4dab2e/LICENSE))
 - [github.com/tc-hib/winres](https://pkg.go.dev/github.com/tc-hib/winres) ([0BSD](https://github.com/tc-hib/winres/blob/v0.2.1/LICENSE))
@@ -74,7 +74,7 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
 - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/939b2ce7:LICENSE))
 - [golang.org/x/image/bmp](https://pkg.go.dev/golang.org/x/image/bmp) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/v0.24.0:LICENSE))
 - [golang.org/x/mod](https://pkg.go.dev/golang.org/x/mod) ([BSD-3-Clause](https://cs.opensource.google/go/x/mod/+/v0.23.0:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.36.0:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.35.0:LICENSE))
 - [golang.org/x/sync](https://pkg.go.dev/golang.org/x/sync) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.11.0:LICENSE))
 - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.30.0:LICENSE))
 - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.29.0:LICENSE))
--- a/net/dns/manager.go
+++ b/net/dns/manager.go
@@ -35,9 +35,6 @@ import (

 var (
 	errFullQueue = errors.New("request queue full")
-	// ErrNoDNSConfig is returned by RecompileDNSConfig when the Manager
-	// has no existing DNS configuration.
-	ErrNoDNSConfig = errors.New("no DNS configuration")
 )

 // maxActiveQueries returns the maximal number of DNS requests that can
@@ -94,18 +91,21 @@ func NewManager(logf logger.Logf, oscfg OSConfigurator, health *health.Tracker,
 	}

 	// Rate limit our attempts to correct our DNS configuration.
-	// This is done on incoming queries, we don't want to spam it.
 	limiter := rate.NewLimiter(1.0/5.0, 1)

 	// This will recompile the DNS config, which in turn will requery the system
 	// DNS settings. The recovery func should triggered only when we are missing
 	// upstream nameservers and require them to forward a query.
 	m.resolver.SetMissingUpstreamRecovery(func() {
+		m.mu.Lock()
+		defer m.mu.Unlock()
+		if m.config == nil {
+			return
+		}
+
 		if limiter.Allow() {
-			m.logf("resolution failed due to missing upstream nameservers.  Recompiling DNS configuration.")
-			if err := m.RecompileDNSConfig(); err != nil {
-				m.logf("config recompilation failed: %v", err)
-			}
+			m.logf("DNS resolution failed due to missing upstream nameservers.  Recompiling DNS configuration.")
+			m.setLocked(*m.config)
 		}
 	})

@@ -117,26 +117,6 @@ func NewManager(logf logger.Logf, oscfg OSConfigurator, health *health.Tracker,
 // Resolver returns the Manager's DNS Resolver.
 func (m *Manager) Resolver() *resolver.Resolver { return m.resolver }

-// RecompileDNSConfig sets the DNS config to the current value, which has
-// the side effect of re-querying the OS's interface nameservers.  This should be used
-// on platforms where the interface nameservers can change.  Darwin, for example,
-// where the nameservers aren't always available when we process a major interface
-// change event, or platforms where the nameservers may change while tunnel is up.
-//
-// This should be called if it is determined that [OSConfigurator.GetBaseConfig] may
-// give a better or different result than when [Manager.Set] was last called.  The
-// logic for making that determination is up to the caller.
-//
-// It returns [ErrNoDNSConfig] if the [Manager] has no existing DNS configuration.
-func (m *Manager) RecompileDNSConfig() error {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	if m.config == nil {
-		return ErrNoDNSConfig
-	}
-	return m.setLocked(*m.config)
-}
-
 func (m *Manager) Set(cfg Config) error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
--- a/net/netmon/interfaces_test.go
+++ b/net/netmon/interfaces_test.go
@@ -13,7 +13,7 @@ import (
 )

 func TestGetState(t *testing.T) {
-	st, err := getState("")
+	st, err := GetState()
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/net/netmon/netmon.go
+++ b/net/netmon/netmon.go
@@ -161,7 +161,7 @@ func (m *Monitor) InterfaceState() *State {
 }

 func (m *Monitor) interfaceStateUncached() (*State, error) {
-	return getState(m.tsIfName)
+	return GetState()
 }

 // SetTailscaleInterfaceName sets the name of the Tailscale interface. For
--- a/net/netmon/state.go
+++ b/net/netmon/state.go
@@ -461,22 +461,21 @@ func isTailscaleInterface(name string, ips []netip.Prefix) bool {
 // getPAC, if non-nil, returns the current PAC file URL.
 var getPAC func() string

-// getState returns the state of all the current machine's network interfaces.
+// GetState returns the state of all the current machine's network interfaces.
 //
 // It does not set the returned State.IsExpensive. The caller can populate that.
 //
-// optTSInterfaceName is the name of the Tailscale interface, if known.
-func getState(optTSInterfaceName string) (*State, error) {
+// Deprecated: use netmon.Monitor.InterfaceState instead.
+func GetState() (*State, error) {
 	s := &State{
 		InterfaceIPs: make(map[string][]netip.Prefix),
 		Interface:    make(map[string]Interface),
 	}
 	if err := ForeachInterface(func(ni Interface, pfxs []netip.Prefix) {
-		isTSInterfaceName := optTSInterfaceName != "" && ni.Name == optTSInterfaceName
 		ifUp := ni.IsUp()
 		s.Interface[ni.Name] = ni
 		s.InterfaceIPs[ni.Name] = append(s.InterfaceIPs[ni.Name], pfxs...)
-		if !ifUp || isTSInterfaceName || isTailscaleInterface(ni.Name, pfxs) {
+		if !ifUp || isTailscaleInterface(ni.Name, pfxs) {
 			return
 		}
 		for _, pfx := range pfxs {
@@ -756,12 +755,11 @@ func DefaultRoute() (DefaultRouteDetails, error) {

 // HasCGNATInterface reports whether there are any non-Tailscale interfaces that
 // use a CGNAT IP range.
-func (m *Monitor) HasCGNATInterface() (bool, error) {
+func HasCGNATInterface() (bool, error) {
 	hasCGNATInterface := false
 	cgnatRange := tsaddr.CGNATRange()
 	err := ForeachInterface(func(i Interface, pfxs []netip.Prefix) {
-		isTSInterfaceName := m.tsIfName != "" && i.Name == m.tsIfName
-		if hasCGNATInterface || !i.IsUp() || isTSInterfaceName || isTailscaleInterface(i.Name, pfxs) {
+		if hasCGNATInterface || !i.IsUp() || isTailscaleInterface(i.Name, pfxs) {
 			return
 		}
 		for _, pfx := range pfxs {
--- a/net/packet/geneve.go
+++ b/net/packet/geneve.go
@@ -1,104 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package packet
-
-import (
-	"encoding/binary"
-	"errors"
-	"io"
-)
-
-const (
-	// GeneveFixedHeaderLength is the length of the fixed size portion of the
-	// Geneve header, in bytes.
-	GeneveFixedHeaderLength = 8
-)
-
-const (
-	// GeneveProtocolDisco is the IEEE 802 Ethertype number used to represent
-	// the Tailscale Disco protocol in a Geneve header.
-	GeneveProtocolDisco uint16 = 0x7A11
-	// GeneveProtocolWireGuard is the IEEE 802 Ethertype number used to represent the
-	// WireGuard protocol in a Geneve header.
-	GeneveProtocolWireGuard uint16 = 0x7A12
-)
-
-// GeneveHeader represents the fixed size Geneve header from RFC8926.
-// TLVs/options are not implemented/supported.
-//
-//	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-//	|Ver|  Opt Len  |O|C|    Rsvd.  |          Protocol Type        |
-//	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-//	|        Virtual Network Identifier (VNI)       |    Reserved   |
-//	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-type GeneveHeader struct {
-	// Ver (2 bits): The current version number is 0. Packets received by a
-	// tunnel endpoint with an unknown version MUST be dropped. Transit devices
-	// interpreting Geneve packets with an unknown version number MUST treat
-	// them as UDP packets with an unknown payload.
-	Version uint8
-
-	// Protocol Type (16 bits): The type of protocol data unit appearing after
-	// the Geneve header. This follows the Ethertype [ETYPES] convention, with
-	// Ethernet itself being represented by the value 0x6558.
-	Protocol uint16
-
-	// Virtual Network Identifier (VNI) (24 bits): An identifier for a unique
-	// element of a virtual network. In many situations, this may represent an
-	// L2 segment; however, the control plane defines the forwarding semantics
-	// of decapsulated packets. The VNI MAY be used as part of ECMP forwarding
-	// decisions or MAY be used as a mechanism to distinguish between
-	// overlapping address spaces contained in the encapsulated packet when load
-	// balancing across CPUs.
-	VNI uint32
-
-	// O (1 bit): Control packet. This packet contains a control message.
-	// Control messages are sent between tunnel endpoints. Tunnel endpoints MUST
-	// NOT forward the payload, and transit devices MUST NOT attempt to
-	// interpret it. Since control messages are less frequent, it is RECOMMENDED
-	// that tunnel endpoints direct these packets to a high-priority control
-	// queue (for example, to direct the packet to a general purpose CPU from a
-	// forwarding Application-Specific Integrated Circuit (ASIC) or to separate
-	// out control traffic on a NIC). Transit devices MUST NOT alter forwarding
-	// behavior on the basis of this bit, such as ECMP link selection.
-	Control bool
-}
-
-// Encode encodes GeneveHeader into b. If len(b) < GeneveFixedHeaderLength an
-// io.ErrShortBuffer error is returned.
-func (h *GeneveHeader) Encode(b []byte) error {
-	if len(b) < GeneveFixedHeaderLength {
-		return io.ErrShortBuffer
-	}
-	if h.Version > 3 {
-		return errors.New("version must be <= 3")
-	}
-	b[0] = 0
-	b[1] = 0
-	b[0] |= h.Version << 6
-	if h.Control {
-		b[1] |= 0x80
-	}
-	binary.BigEndian.PutUint16(b[2:], h.Protocol)
-	if h.VNI > 1<<24-1 {
-		return errors.New("VNI must be <= 2^24-1")
-	}
-	binary.BigEndian.PutUint32(b[4:], h.VNI<<8)
-	return nil
-}
-
-// Decode decodes GeneveHeader from b. If len(b) < GeneveFixedHeaderLength an
-// io.ErrShortBuffer error is returned.
-func (h *GeneveHeader) Decode(b []byte) error {
-	if len(b) < GeneveFixedHeaderLength {
-		return io.ErrShortBuffer
-	}
-	h.Version = b[0] >> 6
-	if b[1]&0x80 != 0 {
-		h.Control = true
-	}
-	h.Protocol = binary.BigEndian.Uint16(b[2:])
-	h.VNI = binary.BigEndian.Uint32(b[4:]) >> 8
-	return nil
-}
--- a/net/packet/geneve_test.go
+++ b/net/packet/geneve_test.go
@@ -1,32 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package packet
-
-import (
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-)
-
-func TestGeneveHeader(t *testing.T) {
-	in := GeneveHeader{
-		Version:  3,
-		Protocol: GeneveProtocolDisco,
-		VNI:      1<<24 - 1,
-		Control:  true,
-	}
-	b := make([]byte, GeneveFixedHeaderLength)
-	err := in.Encode(b)
-	if err != nil {
-		t.Fatal(err)
-	}
-	out := GeneveHeader{}
-	err = out.Decode(b)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if diff := cmp.Diff(out, in); diff != "" {
-		t.Fatalf("wrong results (-got +want)\n%s", diff)
-	}
-}
--- a/pkgdoc_test.go
+++ b/pkgdoc_test.go
@@ -26,9 +26,6 @@ func TestPackageDocs(t *testing.T) {
 		if err != nil {
 			return err
 		}
-		if fi.Mode().IsDir() && path == ".git" {
-			return filepath.SkipDir // No documentation lives in .git
-		}
 		if fi.Mode().IsRegular() && strings.HasSuffix(path, ".go") {
 			if strings.HasSuffix(path, "_test.go") {
 				return nil
--- a/prober/derp.go
+++ b/prober/derp.go
@@ -596,23 +596,11 @@ func (d *derpProber) updateMap(ctx context.Context) error {
 }

 func (d *derpProber) ProbeUDP(ipaddr string, port int) ProbeClass {
-	initLabels := make(Labels)
-	ip := net.ParseIP(ipaddr)
-
-	if ip.To4() != nil {
-		initLabels["address_family"] = "ipv4"
-	} else if ip.To16() != nil { // Will return an IPv4 as 16 byte, so ensure the check for IPv4 precedes this
-		initLabels["address_family"] = "ipv6"
-	} else {
-		initLabels["address_family"] = "unknown"
-	}
-
 	return ProbeClass{
 		Probe: func(ctx context.Context) error {
 			return derpProbeUDP(ctx, ipaddr, port)
 		},
-		Class:  "derp_udp",
-		Labels: initLabels,
+		Class: "derp_udp",
 	}
 }

--- a/prober/prober.go
+++ b/prober/prober.go
@@ -404,14 +404,10 @@ func (p *Probe) recordEndLocked(err error) {
 		p.mSeconds.WithLabelValues("ok").Add(latency.Seconds())
 		p.latencyHist.Value = latency
 		p.latencyHist = p.latencyHist.Next()
-		p.mAttempts.WithLabelValues("fail").Add(0)
-		p.mSeconds.WithLabelValues("fail").Add(0)
 	} else {
 		p.latency = 0
 		p.mAttempts.WithLabelValues("fail").Inc()
 		p.mSeconds.WithLabelValues("fail").Add(latency.Seconds())
-		p.mAttempts.WithLabelValues("ok").Add(0)
-		p.mSeconds.WithLabelValues("ok").Add(0)
 	}
 	p.successHist.Value = p.succeeded
 	p.successHist = p.successHist.Next()
--- a/safesocket/safesocket.go
+++ b/safesocket/safesocket.go
@@ -61,11 +61,7 @@ func ConnectContext(ctx context.Context, path string) (net.Conn, error) {
 			if ctx.Err() != nil {
 				return nil, ctx.Err()
 			}
-			select {
-			case <-ctx.Done():
-				return nil, ctx.Err()
-			case <-time.After(250 * time.Millisecond):
-			}
+			time.Sleep(250 * time.Millisecond)
 			continue
 		}
 		return c, err
--- a/shell.nix
+++ b/shell.nix
@@ -16,4 +16,4 @@
 ) {
  src =  ./.;
 }).shellNix
-# nix-direnv cache busting line: sha256-xO1DuLWi6/lpA9ubA2ZYVJM+CkVNA5IaVGZxX9my0j0=
+# nix-direnv cache busting line: sha256-SiUkN6BQK1IQmLfkfPetzvYqRu9ENK6+6txtGxegF5Y=
--- a/tsnet/tsnet.go
+++ b/tsnet/tsnet.go
@@ -505,11 +505,6 @@ func (s *Server) start() (reterr error) {
 			// directory and hostname when they're not supplied. But we can fall
 			// back to "tsnet" as well.
 			exe = "tsnet"
-		case "ios":
-			// When compiled as a framework (via TailscaleKit in libtailscale),
-			// os.Executable() returns an error, so fall back to "tsnet" there
-			// too.
-			exe = "tsnet"
 		default:
 			return err
 		}
--- a/tsnet/tsnet_test.go
+++ b/tsnet/tsnet_test.go
@@ -120,7 +120,6 @@ func startControl(t *testing.T) (controlURL string, control *testcontrol.Server)
 			Proxied: true,
 		},
 		MagicDNSDomain: "tail-scale.ts.net",
-		Logf:           t.Logf,
 	}
 	control.HTTPTestServer = httptest.NewUnstartedServer(control)
 	control.HTTPTestServer.Start()
@@ -222,7 +221,7 @@ func startServer(t *testing.T, ctx context.Context, controlURL, hostname string)
 		getCertForTesting: testCertRoot.getCert,
 	}
 	if *verboseNodes {
-		s.Logf = t.Logf
+		s.Logf = log.Printf
 	}
 	t.Cleanup(func() { s.Close() })

--- a/tstest/integration/integration_test.go
+++ b/tstest/integration/integration_test.go
@@ -1942,8 +1942,6 @@ func (n *testNode) AwaitIP6() netip.Addr {

 // AwaitRunning waits for n to reach the IPN state "Running".
 func (n *testNode) AwaitRunning() {
-	t := n.env.t
-	t.Helper()
 	n.AwaitBackendState("Running")
 }

@@ -2017,7 +2015,7 @@ func (n *testNode) Status() (*ipnstate.Status, error) {
 	}
 	st := new(ipnstate.Status)
 	if err := json.Unmarshal(out, st); err != nil {
-		return nil, fmt.Errorf("decoding tailscale status JSON: %w\njson:\n%s", err, out)
+		return nil, fmt.Errorf("decoding tailscale status JSON: %w", err)
 	}
 	return st, nil
 }
--- a/tstest/integration/testcontrol/testcontrol.go
+++ b/tstest/integration/testcontrol/testcontrol.go
@@ -839,17 +839,15 @@ func (s *Server) serveMap(w http.ResponseWriter, r *http.Request, mkey key.Machi

 	w.WriteHeader(200)
 	for {
-		// Only send raw map responses to the streaming poll, to avoid a
-		// non-streaming map request beating the streaming poll in a race and
-		// potentially dropping the map response.
-		if streaming {
-			if resBytes, ok := s.takeRawMapMessage(req.NodeKey); ok {
-				if err := s.sendMapMsg(w, compress, resBytes); err != nil {
-					s.logf("sendMapMsg of raw message: %v", err)
-					return
-				}
+		if resBytes, ok := s.takeRawMapMessage(req.NodeKey); ok {
+			if err := s.sendMapMsg(w, compress, resBytes); err != nil {
+				s.logf("sendMapMsg of raw message: %v", err)
+				return
+			}
+			if streaming {
 				continue
 			}
+			return
 		}

 		if s.canGenerateAutomaticMapResponseFor(req.NodeKey) {
--- a/tstest/mts/mts.go
+++ b/tstest/mts/mts.go
@@ -1,599 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux || darwin
-
-// The mts ("Multiple Tailscale") command runs multiple tailscaled instances for
-// development, managing their directories and sockets, and lets you easily direct
-// tailscale CLI commands to them.
-package main
-
-import (
-	"bufio"
-	"context"
-	"encoding/json"
-	"flag"
-	"fmt"
-	"io"
-	"log"
-	"maps"
-	"net"
-	"net/http"
-	"net/url"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"regexp"
-	"slices"
-	"strings"
-	"sync"
-	"syscall"
-	"time"
-
-	"tailscale.com/client/local"
-	"tailscale.com/types/bools"
-	"tailscale.com/types/lazy"
-	"tailscale.com/util/mak"
-)
-
-func usage(args ...any) {
-	var format string
-	if len(args) > 0 {
-		format, args = args[0].(string), args[1:]
-	}
-	if format != "" {
-		format = strings.TrimSpace(format) + "\n\n"
-		fmt.Fprintf(os.Stderr, format, args...)
-	}
-	io.WriteString(os.Stderr, strings.TrimSpace(`
-usage:
-
-   mts server <subcommand>      # manage tailscaled instances
-   mts server run               # run the mts server (parent process of all tailscaled)
-   mts server list              # list all tailscaled and their state
-   mts server list <name>       # show details of named instance
-   mts server add <name>        # add+start new named tailscaled
-   mts server start <name>      # start a previously added tailscaled
-   mts server stop <name>       # stop & remove a named tailscaled
-   mts server rm <name>         # stop & remove a named tailscaled
-   mts server logs [-f] <name>  # get/follow tailscaled logs
-
-  mts <inst-name> [tailscale CLI args] # run Tailscale CLI against a named instance
-    e.g.
-      mts gmail1 up
-      mts github2 status --json
-	`)+"\n")
-	os.Exit(1)
-}
-
-func main() {
-	// Don't use flag.Parse here; we mostly just delegate through
-	// to the Tailscale CLI.
-
-	if len(os.Args) < 2 {
-		usage()
-	}
-	firstArg, args := os.Args[1], os.Args[2:]
-	if firstArg == "server" || firstArg == "s" {
-		if err := runMTSServer(args); err != nil {
-			log.Fatal(err)
-		}
-	} else {
-		var c Client
-		inst := firstArg
-		c.RunCommand(inst, args)
-	}
-}
-
-func runMTSServer(args []string) error {
-	if len(args) == 0 {
-		usage()
-	}
-	cmd, args := args[0], args[1:]
-	if cmd == "run" {
-		var s Server
-		return s.Run()
-	}
-
-	// Commands other than "run" all use the HTTP client to
-	// hit the mts server over its unix socket.
-	var c Client
-
-	switch cmd {
-	default:
-		usage("unknown mts server subcommand %q", cmd)
-	case "list", "ls":
-		list, err := c.List()
-		if err != nil {
-			return err
-		}
-		if len(args) == 0 {
-			names := slices.Sorted(maps.Keys(list.Instances))
-			for _, name := range names {
-				running := list.Instances[name].Running
-				fmt.Printf("%10s %s\n", bools.IfElse(running, "RUNNING", "stopped"), name)
-			}
-		} else {
-			for _, name := range args {
-				inst, ok := list.Instances[name]
-				if !ok {
-					return fmt.Errorf("no instance named %q", name)
-				}
-				je := json.NewEncoder(os.Stdout)
-				je.SetIndent("", "  ")
-				if err := je.Encode(inst); err != nil {
-					return err
-				}
-			}
-		}
-
-	case "rm":
-		if len(args) == 0 {
-			return fmt.Errorf("missing instance name(s) to remove")
-		}
-		log.SetFlags(0)
-		for _, name := range args {
-			ok, err := c.Remove(name)
-			if err != nil {
-				return err
-			}
-			if ok {
-				log.Printf("%s deleted.", name)
-			} else {
-				log.Printf("%s didn't exist.", name)
-			}
-		}
-	case "stop":
-		if len(args) == 0 {
-			return fmt.Errorf("missing instance name(s) to stop")
-		}
-		log.SetFlags(0)
-		for _, name := range args {
-			ok, err := c.Stop(name)
-			if err != nil {
-				return err
-			}
-			if ok {
-				log.Printf("%s stopped.", name)
-			} else {
-				log.Printf("%s didn't exist.", name)
-			}
-		}
-	case "start", "restart":
-		list, err := c.List()
-		if err != nil {
-			return err
-		}
-		shouldStop := cmd == "restart"
-		for _, arg := range args {
-			is, ok := list.Instances[arg]
-			if !ok {
-				return fmt.Errorf("no instance named %q", arg)
-			}
-			if is.Running {
-				if shouldStop {
-					if _, err := c.Stop(arg); err != nil {
-						return fmt.Errorf("stopping %q: %w", arg, err)
-					}
-				} else {
-					log.SetFlags(0)
-					log.Printf("%s already running.", arg)
-					continue
-				}
-			}
-			// Creating an existing one starts it up.
-			if err := c.Create(arg); err != nil {
-				return fmt.Errorf("starting %q: %w", arg, err)
-			}
-		}
-	case "add":
-		if len(args) == 0 {
-			return fmt.Errorf("missing instance name(s) to add")
-		}
-		for _, name := range args {
-			if err := c.Create(name); err != nil {
-				return fmt.Errorf("creating %q: %w", name, err)
-			}
-		}
-	case "logs":
-		fs := flag.NewFlagSet("logs", flag.ExitOnError)
-		fs.Usage = func() { usage() }
-		follow := fs.Bool("f", false, "follow logs")
-		fs.Parse(args)
-		log.Printf("Parsed; following=%v, args=%q", *follow, fs.Args())
-		if fs.NArg() != 1 {
-			usage()
-		}
-		cmd := bools.IfElse(*follow, "tail", "cat")
-		args := []string{cmd}
-		if *follow {
-			args = append(args, "-f")
-		}
-		path, err := exec.LookPath(cmd)
-		if err != nil {
-			return fmt.Errorf("looking up %q: %w", cmd, err)
-		}
-		args = append(args, instLogsFile(fs.Arg(0)))
-		log.Fatal(syscall.Exec(path, args, os.Environ()))
-	}
-	return nil
-}
-
-type Client struct {
-}
-
-func (c *Client) client() *http.Client {
-	return &http.Client{
-		Transport: &http.Transport{
-			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				return net.Dial("unix", mtsSock())
-			},
-		},
-	}
-}
-
-func getJSON[T any](res *http.Response, err error) (T, error) {
-	var ret T
-	if err != nil {
-		return ret, err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != http.StatusOK {
-		body, _ := io.ReadAll(res.Body)
-		return ret, fmt.Errorf("unexpected status: %v: %s", res.Status, body)
-	}
-	if err := json.NewDecoder(res.Body).Decode(&ret); err != nil {
-		return ret, err
-	}
-	return ret, nil
-}
-
-func (c *Client) List() (listResponse, error) {
-	return getJSON[listResponse](c.client().Get("http://mts/list"))
-}
-
-func (c *Client) Remove(name string) (found bool, err error) {
-	return getJSON[bool](c.client().PostForm("http://mts/rm", url.Values{
-		"name": []string{name},
-	}))
-}
-
-func (c *Client) Stop(name string) (found bool, err error) {
-	return getJSON[bool](c.client().PostForm("http://mts/stop", url.Values{
-		"name": []string{name},
-	}))
-}
-
-func (c *Client) Create(name string) error {
-	req, err := http.NewRequest("POST", "http://mts/create/"+name, nil)
-	if err != nil {
-		return err
-	}
-	resp, err := c.client().Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		body, _ := io.ReadAll(resp.Body)
-		return fmt.Errorf("unexpected status: %v: %s", resp.Status, body)
-	}
-	return nil
-}
-
-func (c *Client) RunCommand(name string, args []string) {
-	sock := instSock(name)
-	lc := &local.Client{
-		Socket:        sock,
-		UseSocketOnly: true,
-	}
-	probeCtx, cancel := context.WithTimeout(context.Background(), 250*time.Millisecond)
-	defer cancel()
-	if _, err := lc.StatusWithoutPeers(probeCtx); err != nil {
-		log.Fatalf("instance %q not running? start with 'mts server start %q'; got error: %v", name, name, err)
-	}
-	args = append([]string{"run", "tailscale.com/cmd/tailscale", "--socket=" + sock}, args...)
-	cmd := exec.Command("go", args...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	cmd.Stdin = os.Stdin
-	err := cmd.Run()
-	if err == nil {
-		os.Exit(0)
-	}
-	if exitErr, ok := err.(*exec.ExitError); ok {
-		os.Exit(exitErr.ExitCode())
-	}
-	panic(err)
-}
-
-type Server struct {
-	lazyTailscaled lazy.GValue[string]
-
-	mu   sync.Mutex
-	cmds map[string]*exec.Cmd // running tailscaled instances
-}
-
-func (s *Server) tailscaled() string {
-	v, err := s.lazyTailscaled.GetErr(func() (string, error) {
-		out, err := exec.Command("go", "list", "-f", "{{.Target}}", "tailscale.com/cmd/tailscaled").CombinedOutput()
-		if err != nil {
-			return "", err
-		}
-		return strings.TrimSpace(string(out)), nil
-	})
-	if err != nil {
-		panic(err)
-	}
-	return v
-}
-
-func (s *Server) Run() error {
-	if err := os.MkdirAll(mtsRoot(), 0700); err != nil {
-		return err
-	}
-	sock := mtsSock()
-	os.Remove(sock)
-	log.Printf("Multi-Tailscaled Server running; listening on %q ...", sock)
-	ln, err := net.Listen("unix", sock)
-	if err != nil {
-		return err
-	}
-	return http.Serve(ln, s)
-}
-
-var validNameRx = regexp.MustCompile(`^[a-zA-Z0-9_-]+$`)
-
-func validInstanceName(name string) bool {
-	return validNameRx.MatchString(name)
-}
-
-func (s *Server) InstanceRunning(name string) bool {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	_, ok := s.cmds[name]
-	return ok
-}
-
-func (s *Server) Stop(name string) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if cmd, ok := s.cmds[name]; ok {
-		if err := cmd.Process.Kill(); err != nil {
-			log.Printf("error killing %q: %v", name, err)
-		}
-		delete(s.cmds, name)
-	}
-}
-
-func (s *Server) RunInstance(name string) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	if _, ok := s.cmds[name]; ok {
-		return fmt.Errorf("instance %q already running", name)
-	}
-
-	if !validInstanceName(name) {
-		return fmt.Errorf("invalid instance name %q", name)
-	}
-	dir := filepath.Join(mtsRoot(), name)
-	if err := os.MkdirAll(dir, 0700); err != nil {
-		return err
-	}
-
-	env := os.Environ()
-	env = append(env, "TS_DEBUG_LOG_RATE=all")
-	if ef, err := os.Open(instEnvFile(name)); err == nil {
-		defer ef.Close()
-		sc := bufio.NewScanner(ef)
-		for sc.Scan() {
-			t := strings.TrimSpace(sc.Text())
-			if strings.HasPrefix(t, "#") || !strings.Contains(t, "=") {
-				continue
-			}
-			env = append(env, t)
-		}
-	} else if os.IsNotExist(err) {
-		// Write an example one.
-		os.WriteFile(instEnvFile(name), fmt.Appendf(nil, "# Example mts env.txt file; uncomment/add stuff you want for %q\n\n#TS_DEBUG_MAP=1\n#TS_DEBUG_REGISTER=1\n#TS_NO_LOGS_NO_SUPPORT=1\n", name), 0600)
-	}
-
-	extraArgs := []string{"--verbose=1"}
-	if af, err := os.Open(instArgsFile(name)); err == nil {
-		extraArgs = nil // clear default args
-		defer af.Close()
-		sc := bufio.NewScanner(af)
-		for sc.Scan() {
-			t := strings.TrimSpace(sc.Text())
-			if strings.HasPrefix(t, "#") || t == "" {
-				continue
-			}
-			extraArgs = append(extraArgs, t)
-		}
-	} else if os.IsNotExist(err) {
-		// Write an example one.
-		os.WriteFile(instArgsFile(name), fmt.Appendf(nil, "# Example mts args.txt file for instance %q.\n# One line per extra arg to tailscaled; no magic string quoting\n\n--verbose=1\n#--socks5-server=127.0.0.1:5000\n", name), 0600)
-	}
-
-	log.Printf("Running Tailscale daemon %q in %q", name, dir)
-
-	args := []string{
-		"--tun=userspace-networking",
-		"--statedir=" + filepath.Join(dir),
-		"--socket=" + filepath.Join(dir, "tailscaled.sock"),
-	}
-	args = append(args, extraArgs...)
-
-	cmd := exec.Command(s.tailscaled(), args...)
-	cmd.Dir = dir
-	cmd.Env = env
-
-	out, err := cmd.StdoutPipe()
-	if err != nil {
-		return err
-	}
-	cmd.Stderr = cmd.Stdout
-
-	logs := instLogsFile(name)
-	logFile, err := os.OpenFile(logs, os.O_CREATE|os.O_WRONLY|os.O_APPEND|os.O_TRUNC, 0644)
-	if err != nil {
-		return fmt.Errorf("opening logs file: %w", err)
-	}
-
-	go func() {
-		bs := bufio.NewScanner(out)
-		for bs.Scan() {
-			// TODO(bradfitz): record in memory too, serve via HTTP
-			line := strings.TrimSpace(bs.Text())
-			fmt.Fprintf(logFile, "%s\n", line)
-			fmt.Printf("tailscaled[%s]: %s\n", name, line)
-		}
-	}()
-
-	if err := cmd.Start(); err != nil {
-		return err
-	}
-	go func() {
-		err := cmd.Wait()
-		logFile.Close()
-		log.Printf("Tailscale daemon %q exited: %v", name, err)
-		s.mu.Lock()
-		defer s.mu.Unlock()
-		delete(s.cmds, name)
-	}()
-
-	mak.Set(&s.cmds, name, cmd)
-	return nil
-}
-
-type listResponse struct {
-	// Instances maps instance name to its details.
-	Instances map[string]listResponseInstance `json:"instances"`
-}
-
-type listResponseInstance struct {
-	Name    string `json:"name"`
-	Dir     string `json:"dir"`
-	Sock    string `json:"sock"`
-	Running bool   `json:"running"`
-	Env     string `json:"env"`
-	Args    string `json:"args"`
-	Logs    string `json:"logs"`
-}
-
-func writeJSON(w http.ResponseWriter, v any) {
-	w.Header().Set("Content-Type", "application/json")
-	e := json.NewEncoder(w)
-	e.SetIndent("", "  ")
-	e.Encode(v)
-}
-
-func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	if r.URL.Path == "/list" {
-		var res listResponse
-		for _, name := range s.InstanceNames() {
-			mak.Set(&res.Instances, name, listResponseInstance{
-				Name:    name,
-				Dir:     instDir(name),
-				Sock:    instSock(name),
-				Running: s.InstanceRunning(name),
-				Env:     instEnvFile(name),
-				Args:    instArgsFile(name),
-				Logs:    instLogsFile(name),
-			})
-		}
-		writeJSON(w, res)
-		return
-	}
-	if r.URL.Path == "/rm" || r.URL.Path == "/stop" {
-		shouldRemove := r.URL.Path == "/rm"
-		if r.Method != "POST" {
-			http.Error(w, "POST required", http.StatusMethodNotAllowed)
-			return
-		}
-		target := r.FormValue("name")
-		var ok bool
-		for _, name := range s.InstanceNames() {
-			if name != target {
-				continue
-			}
-			ok = true
-			s.Stop(name)
-			if shouldRemove {
-				if err := os.RemoveAll(instDir(name)); err != nil {
-					http.Error(w, err.Error(), http.StatusInternalServerError)
-					return
-				}
-			}
-			break
-		}
-		writeJSON(w, ok)
-		return
-	}
-	if inst, ok := strings.CutPrefix(r.URL.Path, "/create/"); ok {
-		if !s.InstanceRunning(inst) {
-			if err := s.RunInstance(inst); err != nil {
-				http.Error(w, err.Error(), http.StatusInternalServerError)
-				return
-			}
-		}
-		fmt.Fprintf(w, "OK\n")
-		return
-	}
-	if r.URL.Path == "/" {
-		fmt.Fprintf(w, "This is mts, the multi-tailscaled server.\n")
-		return
-	}
-	http.NotFound(w, r)
-}
-
-func (s *Server) InstanceNames() []string {
-	var ret []string
-	des, err := os.ReadDir(mtsRoot())
-	if err != nil {
-		if os.IsNotExist(err) {
-			return nil
-		}
-		panic(err)
-	}
-	for _, de := range des {
-		if !de.IsDir() {
-			continue
-		}
-		ret = append(ret, de.Name())
-	}
-	return ret
-}
-
-func mtsRoot() string {
-	dir, err := os.UserConfigDir()
-	if err != nil {
-		panic(err)
-	}
-	return filepath.Join(dir, "multi-tailscale-dev")
-}
-
-func instDir(name string) string {
-	return filepath.Join(mtsRoot(), name)
-}
-
-func instSock(name string) string {
-	return filepath.Join(instDir(name), "tailscaled.sock")
-}
-
-func instEnvFile(name string) string {
-	return filepath.Join(mtsRoot(), name, "env.txt")
-}
-
-func instArgsFile(name string) string {
-	return filepath.Join(mtsRoot(), name, "args.txt")
-}
-
-func instLogsFile(name string) string {
-	return filepath.Join(mtsRoot(), name, "logs.txt")
-}
-
-func mtsSock() string {
-	return filepath.Join(mtsRoot(), "mts.sock")
-}
--- a/tsweb/debug.go
+++ b/tsweb/debug.go
@@ -14,7 +14,7 @@ import (
 	"os"
 	"runtime"

-	"tailscale.com/feature"
+	"tailscale.com/tsweb/promvarz"
 	"tailscale.com/tsweb/varz"
 	"tailscale.com/version"
 )
@@ -37,11 +37,6 @@ type DebugHandler struct {
 	title    string                           // title displayed on index page
 }

-// PrometheusHandler is an optional hook to enable native Prometheus
-// support in the debug handler. It is disabled by default. Import the
-// tailscale.com/tsweb/promvarz package to enable this feature.
-var PrometheusHandler feature.Hook[func(*DebugHandler)]
-
 // Debugger returns the DebugHandler registered on mux at /debug/,
 // creating it if necessary.
 func Debugger(mux *http.ServeMux) *DebugHandler {
@@ -58,11 +53,7 @@ func Debugger(mux *http.ServeMux) *DebugHandler {
 	ret.KVFunc("Uptime", func() any { return varz.Uptime() })
 	ret.KV("Version", version.Long())
 	ret.Handle("vars", "Metrics (Go)", expvar.Handler())
-	if PrometheusHandler.IsSet() {
-		PrometheusHandler.Get()(ret)
-	} else {
-		ret.Handle("varz", "Metrics (Prometheus)", http.HandlerFunc(varz.Handler))
-	}
+	ret.Handle("varz", "Metrics (Prometheus)", http.HandlerFunc(promvarz.Handler))

 	// pprof.Index serves everything that runtime/pprof.Lookup finds:
 	// goroutine, threadcreate, heap, allocs, block, mutex
--- a/tsweb/promvarz/promvarz.go
+++ b/tsweb/promvarz/promvarz.go
@@ -11,21 +11,12 @@ import (

 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/common/expfmt"
-	"tailscale.com/tsweb"
 	"tailscale.com/tsweb/varz"
 )

-func init() {
-	tsweb.PrometheusHandler.Set(registerVarz)
-}
-
-func registerVarz(debug *tsweb.DebugHandler) {
-	debug.Handle("varz", "Metrics (Prometheus)", http.HandlerFunc(handler))
-}
-
-// handler returns Prometheus metrics exported by our expvar converter
+// Handler returns Prometheus metrics exported by our expvar converter
 // and the official Prometheus client.
-func handler(w http.ResponseWriter, r *http.Request) {
+func Handler(w http.ResponseWriter, r *http.Request) {
 	if err := gatherNativePrometheusMetrics(w); err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
 		w.Write([]byte(err.Error()))
--- a/tsweb/promvarz/promvarz_test.go
+++ b/tsweb/promvarz/promvarz_test.go
@@ -23,7 +23,7 @@ func TestHandler(t *testing.T) {
 	testVar1.Set(42)
 	testVar2.Set(4242)

-	svr := httptest.NewServer(http.HandlerFunc(handler))
+	svr := httptest.NewServer(http.HandlerFunc(Handler))
 	defer svr.Close()

 	want := `
--- a/util/eventbus/debughttp.go
+++ b/util/eventbus/debughttp.go
@@ -1,8 +1,6 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-//go:build !ios
-
 package eventbus

 import (
--- a/util/eventbus/debughttp_ios.go
+++ b/util/eventbus/debughttp_ios.go
@@ -1,18 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build ios
-
-package eventbus
-
-import "tailscale.com/tsweb"
-
-func registerHTTPDebugger(d *Debugger, td *tsweb.DebugHandler) {
-	// The event bus debugging UI uses html/template, which uses
-	// reflection for method lookups. This forces the compiler to
-	// retain a lot more code and information to make dynamic method
-	// dispatch work, which is unacceptable bloat for the iOS build.
-	//
-	// TODO: https://github.com/tailscale/tailscale/issues/15297 to
-	// bring the debug UI back to iOS somehow.
-}
@@ -1 +1 @@
 .19
 .18
@@ -1 +1 @@
 .83.0
 .81.0