client/web: switch to custom fork of gorilla/csrf

This fork removes the dependency on the html/template package, so we
should be able to enable the web client on mobile in the near future.

Updates #10261

Signed-off-by: Will Norris <will@tailscale.com>

.github/workflows/govulncheck.yml

@@ -22,17 +22,30 @@ jobs:
       - name: Scan source code for known vulnerabilities
         run: PATH=$PWD/tool/:$PATH "$(./tool/go env GOPATH)/bin/govulncheck" -test ./...
 
-      - uses: ruby/action-slack@v3.2.1
-        with:
-          payload: >
-            {
-              "attachments": [{
-                "title": "${{ job.status }}: ${{ github.workflow }}",
-                "title_link": "https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks",
-                "text": "${{ github.repository }}@${{ github.sha }}",
-                "color": "danger"
-              }]
-            }
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      - name: Post to slack
         if: failure() && github.event_name == 'schedule'
+        uses: slackapi/slack-github-action@v1.24.0
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.GOVULNCHECK_BOT_TOKEN }}
+        with:
+          channel-id: 'C05PXRM304B'
+          payload: |
+            {
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "Govulncheck failed in ${{ github.repository }}"
+                  },
+                  "accessory": {
+                    "type": "button",
+                    "text": {
+                      "type": "plain_text",
+                      "text": "View results"
+                    },
+                    "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+                  }
+                }
+              ]
+            }

.github/workflows/kubemanifests.yaml

@@ -3,6 +3,7 @@ on:
   pull_request:
    paths: 
    - './cmd/k8s-operator/'
+   - './k8s-operator/'
    - '.github/workflows/kubemanifests.yaml'
 
 # Cancel workflow run if there is a newer push to the same PR for which it is
@@ -24,7 +25,7 @@ jobs:
         ./tool/helm lint "tailscale-operator-${VERSION_SHORT}.tgz"
     - name: Verify that static manifests are up to date
       run: |
-        ./tool/go generate tailscale.com/cmd/k8s-operator
+        make kube-generate-all
         echo
         echo
-        git diff --name-only --exit-code || (echo "Static manifests for Tailscale Kubernetes operator are out of date. Please run 'go generate tailscale.com/cmd/k8s-operator' and commit the diff."; exit 1)
+        git diff --name-only --exit-code || (echo "Generated files for Tailscale Kubernetes operator are out of date. Please run 'make kube-generate-all' and commit the diff."; exit 1)

Makefile

@@ -18,7 +18,8 @@ updatedeps: ## Update depaware deps
 	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --update \
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
-		tailscale.com/cmd/derper
+		tailscale.com/cmd/derper \
+		tailscale.com/cmd/stund
 
 depaware: ## Run depaware checks
 	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
@@ -26,7 +27,8 @@ depaware: ## Run depaware checks
 	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --check \
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
-		tailscale.com/cmd/derper
+		tailscale.com/cmd/derper \
+		tailscale.com/cmd/stund
 
 buildwindows: ## Build tailscale CLI for windows/amd64
 	GOOS=windows GOARCH=amd64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
@@ -54,6 +56,21 @@ check: staticcheck vet depaware buildwindows build386 buildlinuxarm buildwasm ##
 staticcheck: ## Run staticcheck.io checks
 	./tool/go run honnef.co/go/tools/cmd/staticcheck -- $$(./tool/go list ./... | grep -v tempfork)
 
+kube-generate-all: kube-generate-deepcopy ## Refresh generated files for Tailscale Kubernetes Operator
+	./tool/go generate ./cmd/k8s-operator
+
+# Tailscale operator watches Connector custom resources in a Kubernetes cluster
+# and caches them locally. Caching is done implicitly by controller-runtime
+# library (the middleware used by Tailscale operator to create kube control
+# loops). When a Connector resource is GET/LIST-ed from within our control loop,
+# the request goes through the cache. To ensure that cache contents don't get
+# modified by control loops, controller-runtime deep copies the requested
+# object. In order for this to work, Connector must implement deep copy
+# functionality so we autogenerate it here.
+# https://github.com/kubernetes-sigs/controller-runtime/blob/v0.16.3/pkg/cache/internal/cache_reader.go#L86-L89
+kube-generate-deepcopy: ## Refresh generated deepcopy functionality for Tailscale kube API types
+	./scripts/kube-deepcopy.sh
+
 spk: ## Build synology package for ${SYNO_ARCH} architecture and ${SYNO_DSM} DSM version
 	./tool/go run ./cmd/dist build synology/dsm${SYNO_DSM}/${SYNO_ARCH}
 

VERSION.txt

@@ -1 +1 @@
-1.55.0
+1.57.0

api.md

@@ -60,6 +60,8 @@ The Tailscale API does not currently support pagination. All results are returne
   - Update tags: [`POST /api/v2/device/{deviceID}/tags`](#update-device-tags)
 - **Key**
   - Update device key: [`POST /api/v2/device/{deviceID}/key`](#update-device-key)
+- **IP Address**
+  - Set device IPv4 address: [`POST /api/v2/device/{deviceID}/ip`](#set-device-ipv4-address)
 
 **[Tailnet](#tailnet)**
 - [**Policy File**](#policy-file)
@@ -277,6 +279,15 @@ You can also [list all devices in the tailnet](#list-tailnet-devices) to get the
   // tailnet lock is not enabled.
   // Learn more about tailnet lock at https://tailscale.com/kb/1226/.
   "tailnetLockKey": "",
+
+  // postureIdentity contains extra identifiers from the device when the tailnet
+  // it is connected to has device posture identification collection enabled.
+  // If the device has not opted-in to posture identification collection, this
+  // will contain {"disabled": true}.
+  // Learn more about posture identity at https://tailscale.com/kb/1326/device-identity
+  "postureIdentity": {
+    "serialNumbers": ["CP74LFQJXM"]
+  }
 }
 ```
 
@@ -328,6 +339,7 @@ Currently, there are two supported options:
   - `enabledRoutes`
   - `advertisedRoutes`
   - `clientConnectivity` (which contains the following fields: `mappingVariesByDestIP`, `derp`, `endpoints`, `latency`, and `clientSupports`)
+  - `postureIdentity`
 
 ### Request example
 
@@ -590,7 +602,7 @@ If the tags supplied in the `POST` call do not exist in the tailnet policy file,
 }
 ```
 
-<a href="device-key-post"><a>
+<a href="device-key-post"></a>
 
 ## Update device key
 
@@ -644,6 +656,51 @@ curl "https://api.tailscale.com/api/v2/device/11055/key" \
 
 The response is 2xx on success. The response body is currently an empty JSON object.
 
+## Set device IPv4 address
+
+``` http
+POST /api/v2/device/{deviceID}/ip
+```
+
+Set the Tailscale IPv4 address of the device.
+
+### Parameters
+
+#### `deviceid` (required in URL path)
+
+The ID of the device.
+
+#### `ipv4` (optional in `POST` body)
+
+Provide a new IPv4 address for the device.
+
+When a device is added to a tailnet, its Tailscale IPv4 address is set at random either from the CGNAT range, or a subset of the CGNAT range specified by an [ip pool](https://tailscale.com/kb/1304/ip-pool).
+This endpoint can be used to replace the existing IPv4 address with a specific value.
+
+``` jsonc
+{
+  "ipv4": "100.80.0.1"
+}
+```
+
+This action will break any existing connections to this machine.
+You will need to reconnect to this machine using the new IP address.
+You may also need to flush your DNS cache.
+
+This returns a 2xx code on success, with an empty JSON object in the response body.
+
+### Request example
+
+``` sh
+curl "https://api.tailscale.com/api/v2/device/11055/ip" \
+-u "tskey-api-xxxxx:" \
+--data-binary '{"ipv4": "100.80.0.1"}'
+```
+
+### Response
+
+The response is 2xx on success. The response body is currently an empty JSON object.
+
 # Tailnet
 
 A tailnet is your private network, composed of all the devices on it and their configuration.

appc/appconnector.go

@@ -206,9 +206,8 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) {
 		if slices.Contains(addrs, addr) {
 			continue
 		}
-		// TODO(raggi): check for existing prefixes
 		if err := e.routeAdvertiser.AdvertiseRoute(netip.PrefixFrom(addr, addr.BitLen())); err != nil {
-			e.logf("failed to advertise route for %v: %v", addr, err)
+			e.logf("failed to advertise route for %s: %v: %v", domain, addr, err)
 			continue
 		}
 		e.logf("[v2] advertised route for %v: %v", domain, addr)
@@ -217,5 +216,4 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) {
 		e.domains[domain] = append(addrs, addr)
 		e.mu.Unlock()
 	}
-
 }

client/tailscale/devices.go

@@ -71,6 +71,17 @@ type Device struct {
 	AdvertisedRoutes []string `json:"advertisedRoutes"` // Empty for external devices.
 
 	ClientConnectivity *ClientConnectivity `json:"clientConnectivity"`
+
+	// PostureIdentity contains extra identifiers collected from the device when
+	// the tailnet has the device posture identification features enabled. If
+	// Tailscale have attempted to collect this from the device but it has not
+	// opted in, PostureIdentity will have Disabled=true.
+	PostureIdentity *DevicePostureIdentity `json:"postureIdentity"`
+}
+
+type DevicePostureIdentity struct {
+	Disabled      bool     `json:"disabled,omitempty"`
+	SerialNumbers []string `json:"serialNumbers,omitempty"`
 }
 
 // DeviceFieldsOpts determines which fields should be returned in the response.

client/tailscale/localclient.go

@@ -102,8 +102,7 @@ func (lc *LocalClient) defaultDialer(ctx context.Context, network, addr string)
 			return d.DialContext(ctx, "tcp", "127.0.0.1:"+strconv.Itoa(port))
 		}
 	}
-	s := safesocket.DefaultConnectionStrategy(lc.socket())
-	return safesocket.Connect(s)
+	return safesocket.Connect(lc.socket())
 }
 
 // DoLocalRequest makes an HTTP request to the local machine's Tailscale daemon.

client/web/src/components/app.tsx

@@ -5,6 +5,7 @@ import React from "react"
 import { ReactComponent as TailscaleIcon } from "src/assets/icons/tailscale-icon.svg"
 import LoginToggle from "src/components/login-toggle"
 import DeviceDetailsView from "src/components/views/device-details-view"
+import DisconnectedView from "src/components/views/disconnected-view"
 import HomeView from "src/components/views/home-view"
 import LoginView from "src/components/views/login-view"
 import SSHView from "src/components/views/ssh-view"
@@ -74,9 +75,7 @@ function WebClient({
             />
           </FeatureRoute>
           <Route path="/disconnected">
-            <Card className="mt-8">
-              <EmptyState description="You have been disconnected" />
-            </Card>
+            <DisconnectedView />
           </Route>
           <Route>
             <Card className="mt-8">

client/web/src/components/views/device-details-view.tsx

@@ -226,24 +226,22 @@ function DisconnectDialog() {
   return (
     <Dialog
       className="max-w-md"
-      title="Disconnect"
-      trigger={<Button sizeVariant="small">Disconnect…</Button>}
+      title="Log out"
+      trigger={<Button sizeVariant="small">Log out…</Button>}
     >
       <Dialog.Form
         cancelButton
-        submitButton="Disconnect"
+        submitButton="Log out"
         destructive
         onSubmit={() => {
           api({ action: "logout" })
           setLocation("/disconnected")
         }}
       >
-        You are about to disconnect this device from your tailnet. To reconnect,
-        you will be required to re-authenticate this device.
-        <p className="mt-4 text-sm text-text-muted">
-          Your connection to this web interface will end as soon as you click
-          disconnect.
-        </p>
+        Logging out of this device will disconnect it from your tailnet and
+        expire its node key. You won’t be able to use this web interface until
+        you re-authenticate the device from either the Tailscale app or the
+        Tailscale command line interface.
       </Dialog.Form>
     </Dialog>
   )

client/web/src/components/views/disconnected-view.tsx

@@ -0,0 +1,21 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+import React from "react"
+import { ReactComponent as TailscaleIcon } from "src/assets/icons/tailscale-icon.svg"
+
+/**
+ * DisconnectedView is rendered after node logout.
+ */
+export default function DisconnectedView() {
+  return (
+    <>
+      <TailscaleIcon className="mx-auto" />
+      <p className="mt-12 text-center text-text-muted">
+        You logged out of this device. To reconnect it you will have to
+        re-authenticate the device from either the Tailscale app or the
+        Tailscale command line interface.
+      </p>
+    </>
+  )
+}

client/web/web.go

@@ -15,13 +15,14 @@ import (
 	"net/http"
 	"net/netip"
 	"os"
+	"path"
 	"path/filepath"
 	"slices"
 	"strings"
 	"sync"
 	"time"
 
-	"github.com/gorilla/csrf"
+	"github.com/tailscale/csrf"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/clientupdate"
@@ -174,6 +175,14 @@ func NewServer(opts ServerOpts) (s *Server, err error) {
 		newAuthURL:  opts.NewAuthURL,
 		waitAuthURL: opts.WaitAuthURL,
 	}
+	if opts.PathPrefix != "" {
+		// Enforce that path prefix always has a single leading '/'
+		// so that it is treated as a relative URL path.
+		// We strip multiple leading '/' to prevent schema-less offsite URLs like "//example.com".
+		//
+		// See https://github.com/tailscale/corp/issues/16268.
+		s.pathPrefix = "/" + strings.TrimLeft(path.Clean(opts.PathPrefix), "/\\")
+	}
 	if s.mode == ManageServerMode {
 		if opts.NewAuthURL == nil {
 			return nil, fmt.Errorf("must provide a NewAuthURL implementation")
@@ -306,24 +315,63 @@ func (s *Server) requireTailscaleIP(w http.ResponseWriter, r *http.Request) (han
 		return true
 	}
 
-	var ipv4 string // store the first IPv4 address we see for redirect later
-	for _, ip := range st.Self.TailscaleIPs {
-		if ip.Is4() {
-			if r.Host == fmt.Sprintf("%s:%d", ip, ListenPort) {
-				return false
-			}
-			ipv4 = ip.String()
-		}
-		if ip.Is6() && r.Host == fmt.Sprintf("[%s]:%d", ip, ListenPort) {
-			return false
-		}
+	ipv4, ipv6 := s.selfNodeAddresses(r, st)
+	if r.Host == fmt.Sprintf("%s:%d", ipv4.String(), ListenPort) {
+		return false // already accessing over Tailscale IP
 	}
+	if r.Host == fmt.Sprintf("[%s]:%d", ipv6.String(), ListenPort) {
+		return false // already accessing over Tailscale IP
+	}
+
+	// Not currently accessing via Tailscale IP,
+	// redirect them.
+
+	var preferV6 bool
+	if ap, err := netip.ParseAddrPort(r.Host); err == nil {
+		// If Host was already ipv6, keep them on same protocol.
+		preferV6 = ap.Addr().Is6()
+	}
+
 	newURL := *r.URL
-	newURL.Host = fmt.Sprintf("%s:%d", ipv4, ListenPort)
+	if (preferV6 && ipv6.IsValid()) || !ipv4.IsValid() {
+		newURL.Host = fmt.Sprintf("[%s]:%d", ipv6.String(), ListenPort)
+	} else {
+		newURL.Host = fmt.Sprintf("%s:%d", ipv4.String(), ListenPort)
+	}
 	http.Redirect(w, r, newURL.String(), http.StatusMovedPermanently)
 	return true
 }
 
+// selfNodeAddresses return the Tailscale IPv4 and IPv6 addresses for the self node.
+// st is expected to be a status with peers included.
+func (s *Server) selfNodeAddresses(r *http.Request, st *ipnstate.Status) (ipv4, ipv6 netip.Addr) {
+	for _, ip := range st.Self.TailscaleIPs {
+		if ip.Is4() {
+			ipv4 = ip
+		} else if ip.Is6() {
+			ipv6 = ip
+		}
+		if ipv4.IsValid() && ipv6.IsValid() {
+			break // found both IPs
+		}
+	}
+	if whois, err := s.lc.WhoIs(r.Context(), r.RemoteAddr); err == nil {
+		// The source peer connecting to this node may know it by a different
+		// IP than the node knows itself as. Specifically, this may be the case
+		// if the peer is coming from a different tailnet (sharee node), as IPs
+		// are specific to each tailnet.
+		// Here, we check if the source peer knows the node by a different IP,
+		// and return the peer's version if so.
+		if knownIPv4 := whois.Node.SelfNodeV4MasqAddrForThisPeer; knownIPv4 != nil {
+			ipv4 = *knownIPv4
+		}
+		if knownIPv6 := whois.Node.SelfNodeV6MasqAddrForThisPeer; knownIPv6 != nil {
+			ipv6 = *knownIPv6
+		}
+	}
+	return ipv4, ipv6
+}
+
 // authorizeRequest reports whether the request from the web client
 // is authorized to be completed.
 // It reports true if the request is authorized, and false otherwise.
@@ -666,6 +714,10 @@ func (s *Server) serveGetNodeData(w http.ResponseWriter, r *http.Request) {
 		ACLAllowsAnyIncomingTraffic: s.aclsAllowAccess(filterRules),
 	}
 
+	ipv4, ipv6 := s.selfNodeAddresses(r, st)
+	data.IPv4 = ipv4.String()
+	data.IPv6 = ipv6.String()
+
 	if hostinfo.GetEnvType() == hostinfo.HomeAssistantAddOn && data.URLPrefix == "" {
 		// X-Ingress-Path is the path prefix in use for Home Assistant
 		// https://developers.home-assistant.io/docs/add-ons/presentation#ingress
@@ -678,16 +730,7 @@ func (s *Server) serveGetNodeData(w http.ResponseWriter, r *http.Request) {
 	} else {
 		data.ClientVersion = cv
 	}
-	for _, ip := range st.TailscaleIPs {
-		if ip.Is4() {
-			data.IPv4 = ip.String()
-		} else if ip.Is6() {
-			data.IPv6 = ip.String()
-		}
-		if data.IPv4 != "" && data.IPv6 != "" {
-			break
-		}
-	}
+
 	if st.CurrentTailnet != nil {
 		data.TailnetName = st.CurrentTailnet.MagicDNSSuffix
 		data.DomainName = st.CurrentTailnet.Name

client/web/web_test.go

@@ -939,6 +939,78 @@ func TestServeAPIAuthMetricLogging(t *testing.T) {
 	}
 }
 
+// TestPathPrefix tests that the provided path prefix is normalized correctly.
+// If a leading '/' is missing, one should be added.
+// If multiple leading '/' are present, they should be collapsed to one.
+// Additionally verify that this prevents open redirects when enforcing the path prefix.
+func TestPathPrefix(t *testing.T) {
+	tests := []struct {
+		name         string
+		prefix       string
+		wantPrefix   string
+		wantLocation string
+	}{
+		{
+			name:         "no-leading-slash",
+			prefix:       "javascript:alert(1)",
+			wantPrefix:   "/javascript:alert(1)",
+			wantLocation: "/javascript:alert(1)/",
+		},
+		{
+			name:   "2-slashes",
+			prefix: "//evil.example.com/goat",
+			// We must also get the trailing slash added:
+			wantPrefix:   "/evil.example.com/goat",
+			wantLocation: "/evil.example.com/goat/",
+		},
+		{
+			name:   "absolute-url",
+			prefix: "http://evil.example.com",
+			// We must also get the trailing slash added:
+			wantPrefix:   "/http:/evil.example.com",
+			wantLocation: "/http:/evil.example.com/",
+		},
+		{
+			name:   "double-dot",
+			prefix: "/../.././etc/passwd",
+			// We must also get the trailing slash added:
+			wantPrefix:   "/etc/passwd",
+			wantLocation: "/etc/passwd/",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			options := ServerOpts{
+				Mode:       LoginServerMode,
+				PathPrefix: tt.prefix,
+				CGIMode:    true,
+			}
+			s, err := NewServer(options)
+			if err != nil {
+				t.Error(err)
+			}
+
+			// verify provided prefix was normalized correctly
+			if s.pathPrefix != tt.wantPrefix {
+				t.Errorf("prefix was not normalized correctly; want=%q, got=%q", tt.wantPrefix, s.pathPrefix)
+			}
+
+			s.logf = t.Logf
+			r := httptest.NewRequest(httpm.GET, "http://localhost/", nil)
+			w := httptest.NewRecorder()
+			s.ServeHTTP(w, r)
+			res := w.Result()
+			defer res.Body.Close()
+
+			location := w.Header().Get("Location")
+			if location != tt.wantLocation {
+				t.Errorf("request got wrong location; want=%q, got=%q", tt.wantLocation, location)
+			}
+		})
+	}
+}
+
 func TestRequireTailscaleIP(t *testing.T) {
 	self := &ipnstate.PeerStatus{
 		TailscaleIPs: []netip.Addr{
@@ -1007,7 +1079,7 @@ func TestRequireTailscaleIP(t *testing.T) {
 	}
 
 	for _, tt := range tests {
-		t.Run(tt.target, func(t *testing.T) {
+		t.Run(tt.name, func(t *testing.T) {
 			s.logf = t.Logf
 			r := httptest.NewRequest(httpm.GET, tt.target, nil)
 			w := httptest.NewRecorder()

cmd/connector-gen/README.md

@@ -0,0 +1,15 @@
+# connector-gen
+
+Generate Tailscale app connector configuration details from third party data.
+
+Tailscale app connectors are used to dynamically route traffic for domain names
+via specific nodes on a tailnet. For larger upstream domains this may involve a
+large number of domains or routes, and fully dynamic discovery may be slower or
+involve more manual labor than ideal. This can be accelerated by
+pre-configuration of the associated routes, based on data provided by the
+target providers, which can be used to set precise `autoApprovers` routes, and
+also to pre-populate the subnet routes via `--advertise-routes` avoiding
+frequent routing reconfiguration that may otherwise occur while routes are
+first being discovered and advertised by the connectors.
+
+

cmd/connector-gen/advertise-routes.go

@@ -0,0 +1,22 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package main
+
+import (
+	"fmt"
+	"strings"
+
+	"go4.org/netipx"
+)
+
+func advertiseRoutes(set *netipx.IPSet) {
+	fmt.Println()
+	prefixes := set.Prefixes()
+	pfxs := make([]string, 0, len(prefixes))
+	for _, pfx := range prefixes {
+		pfxs = append(pfxs, pfx.String())
+	}
+	fmt.Printf("--advertise-routes=%s", strings.Join(pfxs, ","))
+	fmt.Println()
+}

cmd/connector-gen/aws.go

@@ -0,0 +1,68 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"net/http"
+	"net/netip"
+
+	"go4.org/netipx"
+)
+
+// See https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html
+
+type AWSMeta struct {
+	SyncToken  string `json:"syncToken"`
+	CreateDate string `json:"createDate"`
+	Prefixes   []struct {
+		IPPrefix           string `json:"ip_prefix"`
+		Region             string `json:"region"`
+		Service            string `json:"service"`
+		NetworkBorderGroup string `json:"network_border_group"`
+	} `json:"prefixes"`
+	Ipv6Prefixes []struct {
+		Ipv6Prefix         string `json:"ipv6_prefix"`
+		Region             string `json:"region"`
+		Service            string `json:"service"`
+		NetworkBorderGroup string `json:"network_border_group"`
+	} `json:"ipv6_prefixes"`
+}
+
+func aws() {
+	r, err := http.Get("https://ip-ranges.amazonaws.com/ip-ranges.json")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer r.Body.Close()
+
+	var aws AWSMeta
+	if err := json.NewDecoder(r.Body).Decode(&aws); err != nil {
+		log.Fatal(err)
+	}
+
+	var ips netipx.IPSetBuilder
+
+	for _, prefix := range aws.Prefixes {
+		ips.AddPrefix(netip.MustParsePrefix(prefix.IPPrefix))
+	}
+	for _, prefix := range aws.Ipv6Prefixes {
+		ips.AddPrefix(netip.MustParsePrefix(prefix.Ipv6Prefix))
+	}
+
+	set, err := ips.IPSet()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	fmt.Println(`"routes": [`)
+	for _, pfx := range set.Prefixes() {
+		fmt.Printf(`"%s": ["tag:connector"],%s`, pfx.String(), "\n")
+	}
+	fmt.Println(`]`)
+
+	advertiseRoutes(set)
+}

cmd/connector-gen/connector-gen.go

@@ -0,0 +1,34 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// connector-gen is a tool to generate app connector configuration and flags from service provider address data.
+package main
+
+import (
+	"fmt"
+	"os"
+)
+
+func help() {
+	fmt.Fprintf(os.Stderr, "Usage: %s [help|github|aws] [subcommand-arguments]\n", os.Args[0])
+}
+
+func main() {
+	if len(os.Args) < 2 {
+		help()
+		os.Exit(128)
+	}
+
+	switch os.Args[1] {
+	case "help", "-h", "--help":
+		help()
+		os.Exit(0)
+	case "github":
+		github()
+	case "aws":
+		aws()
+	default:
+		help()
+		os.Exit(128)
+	}
+}

cmd/connector-gen/github.go

@@ -0,0 +1,116 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"net/http"
+	"net/netip"
+	"slices"
+	"strings"
+
+	"go4.org/netipx"
+)
+
+// See https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses
+
+type GithubMeta struct {
+	VerifiablePasswordAuthentication bool `json:"verifiable_password_authentication"`
+	SSHKeyFingerprints               struct {
+		Sha256Ecdsa   string `json:"SHA256_ECDSA"`
+		Sha256Ed25519 string `json:"SHA256_ED25519"`
+		Sha256Rsa     string `json:"SHA256_RSA"`
+	} `json:"ssh_key_fingerprints"`
+	SSHKeys                  []string `json:"ssh_keys"`
+	Hooks                    []string `json:"hooks"`
+	Web                      []string `json:"web"`
+	API                      []string `json:"api"`
+	Git                      []string `json:"git"`
+	GithubEnterpriseImporter []string `json:"github_enterprise_importer"`
+	Packages                 []string `json:"packages"`
+	Pages                    []string `json:"pages"`
+	Importer                 []string `json:"importer"`
+	Actions                  []string `json:"actions"`
+	Dependabot               []string `json:"dependabot"`
+	Domains                  struct {
+		Website    []string `json:"website"`
+		Codespaces []string `json:"codespaces"`
+		Copilot    []string `json:"copilot"`
+		Packages   []string `json:"packages"`
+	} `json:"domains"`
+}
+
+func github() {
+	r, err := http.Get("https://api.github.com/meta")
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	var ghm GithubMeta
+
+	if err := json.NewDecoder(r.Body).Decode(&ghm); err != nil {
+		log.Fatal(err)
+	}
+	r.Body.Close()
+
+	var ips netipx.IPSetBuilder
+
+	var lists []string
+	lists = append(lists, ghm.Hooks...)
+	lists = append(lists, ghm.Web...)
+	lists = append(lists, ghm.API...)
+	lists = append(lists, ghm.Git...)
+	lists = append(lists, ghm.GithubEnterpriseImporter...)
+	lists = append(lists, ghm.Packages...)
+	lists = append(lists, ghm.Pages...)
+	lists = append(lists, ghm.Importer...)
+	lists = append(lists, ghm.Actions...)
+	lists = append(lists, ghm.Dependabot...)
+
+	for _, s := range lists {
+		ips.AddPrefix(netip.MustParsePrefix(s))
+	}
+
+	set, err := ips.IPSet()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	fmt.Println(`"routes": [`)
+	for _, pfx := range set.Prefixes() {
+		fmt.Printf(`"%s": ["tag:connector"],%s`, pfx.String(), "\n")
+	}
+	fmt.Println(`]`)
+
+	fmt.Println()
+
+	var domains []string
+	domains = append(domains, ghm.Domains.Website...)
+	domains = append(domains, ghm.Domains.Codespaces...)
+	domains = append(domains, ghm.Domains.Copilot...)
+	domains = append(domains, ghm.Domains.Packages...)
+	slices.Sort(domains)
+	domains = slices.Compact(domains)
+
+	var bareDomains []string
+	for _, domain := range domains {
+		trimmed := strings.TrimPrefix(domain, "*.")
+		if trimmed != domain {
+			bareDomains = append(bareDomains, trimmed)
+		}
+	}
+	domains = append(domains, bareDomains...)
+	slices.Sort(domains)
+	domains = slices.Compact(domains)
+
+	fmt.Println(`"domains": [`)
+	for _, domain := range domains {
+		fmt.Printf(`"%s",%s`, domain, "\n")
+	}
+	fmt.Println(`]`)
+
+	advertiseRoutes(set)
+}

cmd/containerboot/main.go

@@ -13,7 +13,10 @@
 //
 //   - TS_AUTHKEY: the authkey to use for login.
 //   - TS_HOSTNAME: the hostname to request for the node.
-//   - TS_ROUTES: subnet routes to advertise. To accept routes, use TS_EXTRA_ARGS to pass in --accept-routes.
+//   - TS_ROUTES: subnet routes to advertise. Explicitly setting it to an empty
+//     value will cause containerboot to stop acting as a subnet router for any
+//     previously advertised routes. To accept routes, use TS_EXTRA_ARGS to pass
+//     in --accept-routes.
 //   - TS_DEST_IP: proxy all incoming Tailscale traffic to the given
 //     destination.
 //   - TS_TAILNET_TARGET_IP: proxy all incoming non-Tailscale traffic to the given
@@ -45,6 +48,13 @@
 //     ${TS_CERT_DOMAIN}, it will be replaced with the value of the available FQDN.
 //     It cannot be used in conjunction with TS_DEST_IP. The file is watched for changes,
 //     and will be re-applied when it changes.
+//   - EXPERIMENTAL_TS_CONFIGFILE_PATH: if specified, a path to tailscaled
+//     config. If this is set, TS_HOSTNAME, TS_EXTRA_ARGS, TS_AUTHKEY,
+//     TS_ROUTES, TS_ACCEPT_DNS env vars must not be set. If this is set,
+//     containerboot only runs `tailscaled --config <path-to-this-configfile>`
+//     and not `tailscale up` or `tailscale set`.
+//     The config file contents are currently read once on container start.
+//     NB: This env var is currently experimental and the logic will likely change!
 //
 // When running on Kubernetes, containerboot defaults to storing state in the
 // "tailscale" kube secret. To store state on local disk instead, set
@@ -80,6 +90,7 @@ import (
 	"golang.org/x/sys/unix"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
+	"tailscale.com/ipn/conffile"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/ptr"
@@ -99,46 +110,36 @@ func main() {
 	tailscale.I_Acknowledge_This_API_Is_Unstable = true
 
 	cfg := &settings{
-		AuthKey:           defaultEnvs([]string{"TS_AUTHKEY", "TS_AUTH_KEY"}, ""),
-		Hostname:          defaultEnv("TS_HOSTNAME", ""),
-		Routes:            defaultEnv("TS_ROUTES", ""),
-		ServeConfigPath:   defaultEnv("TS_SERVE_CONFIG", ""),
-		ProxyTo:           defaultEnv("TS_DEST_IP", ""),
-		TailnetTargetIP:   defaultEnv("TS_TAILNET_TARGET_IP", ""),
-		TailnetTargetFQDN: defaultEnv("TS_TAILNET_TARGET_FQDN", ""),
-		DaemonExtraArgs:   defaultEnv("TS_TAILSCALED_EXTRA_ARGS", ""),
-		ExtraArgs:         defaultEnv("TS_EXTRA_ARGS", ""),
-		InKubernetes:      os.Getenv("KUBERNETES_SERVICE_HOST") != "",
-		UserspaceMode:     defaultBool("TS_USERSPACE", true),
-		StateDir:          defaultEnv("TS_STATE_DIR", ""),
-		AcceptDNS:         defaultBool("TS_ACCEPT_DNS", false),
-		KubeSecret:        defaultEnv("TS_KUBE_SECRET", "tailscale"),
-		SOCKSProxyAddr:    defaultEnv("TS_SOCKS5_SERVER", ""),
-		HTTPProxyAddr:     defaultEnv("TS_OUTBOUND_HTTP_PROXY_LISTEN", ""),
-		Socket:            defaultEnv("TS_SOCKET", "/tmp/tailscaled.sock"),
-		AuthOnce:          defaultBool("TS_AUTH_ONCE", false),
-		Root:              defaultEnv("TS_TEST_ONLY_ROOT", "/"),
+		AuthKey:                  defaultEnvs([]string{"TS_AUTHKEY", "TS_AUTH_KEY"}, ""),
+		Hostname:                 defaultEnv("TS_HOSTNAME", ""),
+		Routes:                   defaultEnvStringPointer("TS_ROUTES"),
+		ServeConfigPath:          defaultEnv("TS_SERVE_CONFIG", ""),
+		ProxyTo:                  defaultEnv("TS_DEST_IP", ""),
+		TailnetTargetIP:          defaultEnv("TS_TAILNET_TARGET_IP", ""),
+		TailnetTargetFQDN:        defaultEnv("TS_TAILNET_TARGET_FQDN", ""),
+		DaemonExtraArgs:          defaultEnv("TS_TAILSCALED_EXTRA_ARGS", ""),
+		ExtraArgs:                defaultEnv("TS_EXTRA_ARGS", ""),
+		InKubernetes:             os.Getenv("KUBERNETES_SERVICE_HOST") != "",
+		UserspaceMode:            defaultBool("TS_USERSPACE", true),
+		StateDir:                 defaultEnv("TS_STATE_DIR", ""),
+		AcceptDNS:                defaultEnvBoolPointer("TS_ACCEPT_DNS"),
+		KubeSecret:               defaultEnv("TS_KUBE_SECRET", "tailscale"),
+		SOCKSProxyAddr:           defaultEnv("TS_SOCKS5_SERVER", ""),
+		HTTPProxyAddr:            defaultEnv("TS_OUTBOUND_HTTP_PROXY_LISTEN", ""),
+		Socket:                   defaultEnv("TS_SOCKET", "/tmp/tailscaled.sock"),
+		AuthOnce:                 defaultBool("TS_AUTH_ONCE", false),
+		Root:                     defaultEnv("TS_TEST_ONLY_ROOT", "/"),
+		TailscaledConfigFilePath: defaultEnv("EXPERIMENTAL_TS_CONFIGFILE_PATH", ""),
 	}
-
-	if cfg.ProxyTo != "" && cfg.UserspaceMode {
-		log.Fatal("TS_DEST_IP is not supported with TS_USERSPACE")
-	}
-
-	if cfg.TailnetTargetIP != "" && cfg.UserspaceMode {
-		log.Fatal("TS_TAILNET_TARGET_IP is not supported with TS_USERSPACE")
-	}
-	if cfg.TailnetTargetFQDN != "" && cfg.UserspaceMode {
-		log.Fatal("TS_TAILNET_TARGET_FQDN is not supported with TS_USERSPACE")
-	}
-	if cfg.TailnetTargetFQDN != "" && cfg.TailnetTargetIP != "" {
-		log.Fatal("Both TS_TAILNET_TARGET_IP and TS_TAILNET_FQDN cannot be set")
+	if err := cfg.validate(); err != nil {
+		log.Fatalf("invalid configuration: %v", err)
 	}
 
 	if !cfg.UserspaceMode {
 		if err := ensureTunFile(cfg.Root); err != nil {
 			log.Fatalf("Unable to create tuntap device file: %v", err)
 		}
-		if cfg.ProxyTo != "" || cfg.Routes != "" || cfg.TailnetTargetIP != "" || cfg.TailnetTargetFQDN != "" {
+		if cfg.ProxyTo != "" || cfg.Routes != nil || cfg.TailnetTargetIP != "" || cfg.TailnetTargetFQDN != "" {
 			if err := ensureIPForwarding(cfg.Root, cfg.ProxyTo, cfg.TailnetTargetIP, cfg.TailnetTargetFQDN, cfg.Routes); err != nil {
 				log.Printf("Failed to enable IP forwarding: %v", err)
 				log.Printf("To run tailscale as a proxy or router container, IP forwarding must be enabled.")
@@ -168,7 +169,7 @@ func main() {
 		}
 		cfg.KubernetesCanPatch = canPatch
 
-		if cfg.AuthKey == "" {
+		if cfg.AuthKey == "" && !isOneStepConfig(cfg) {
 			key, err := findKeyInKubeSecret(bootCtx, cfg.KubeSecret)
 			if err != nil {
 				log.Fatalf("Getting authkey from kube secret: %v", err)
@@ -250,7 +251,7 @@ func main() {
 		return nil
 	}
 
-	if !cfg.AuthOnce {
+	if isTwoStepConfigAlwaysAuth(cfg) {
 		if err := authTailscale(); err != nil {
 			log.Fatalf("failed to auth tailscale: %v", err)
 		}
@@ -266,6 +267,13 @@ authLoop:
 		if n.State != nil {
 			switch *n.State {
 			case ipn.NeedsLogin:
+				if isOneStepConfig(cfg) {
+					// This could happen if this is the
+					// first time tailscaled was run for
+					// this device and the auth key was not
+					// passed via the configfile.
+					log.Fatalf("invalid state: tailscaled daemon started with a config file, but tailscale is not logged in: ensure you pass a valid auth key in the config file.")
+				}
 				if err := authTailscale(); err != nil {
 					log.Fatalf("failed to auth tailscale: %v", err)
 				}
@@ -290,7 +298,7 @@ authLoop:
 	ctx, cancel := contextWithExitSignalWatch()
 	defer cancel()
 
-	if cfg.AuthOnce {
+	if isTwoStepConfigAuthOnce(cfg) {
 		// Now that we are authenticated, we can set/reset any of the
 		// settings that we need to.
 		if err := tailscaleSet(ctx, cfg); err != nil {
@@ -306,7 +314,7 @@ authLoop:
 		}
 	}
 
-	if cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch && cfg.AuthOnce {
+	if cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch && isTwoStepConfigAuthOnce(cfg) {
 		// We were told to only auth once, so any secret-bound
 		// authkey is no longer needed. We don't strictly need to
 		// wipe it, but it's good hygiene.
@@ -631,6 +639,9 @@ func tailscaledArgs(cfg *settings) []string {
 	if cfg.HTTPProxyAddr != "" {
 		args = append(args, "--outbound-http-proxy-listen="+cfg.HTTPProxyAddr)
 	}
+	if cfg.TailscaledConfigFilePath != "" {
+		args = append(args, "--config="+cfg.TailscaledConfigFilePath)
+	}
 	if cfg.DaemonExtraArgs != "" {
 		args = append(args, strings.Fields(cfg.DaemonExtraArgs)...)
 	}
@@ -641,7 +652,7 @@ func tailscaledArgs(cfg *settings) []string {
 // if TS_AUTH_ONCE is set, only the first time containerboot starts.
 func tailscaleUp(ctx context.Context, cfg *settings) error {
 	args := []string{"--socket=" + cfg.Socket, "up"}
-	if cfg.AcceptDNS {
+	if cfg.AcceptDNS != nil && *cfg.AcceptDNS {
 		args = append(args, "--accept-dns=true")
 	} else {
 		args = append(args, "--accept-dns=false")
@@ -649,8 +660,12 @@ func tailscaleUp(ctx context.Context, cfg *settings) error {
 	if cfg.AuthKey != "" {
 		args = append(args, "--authkey="+cfg.AuthKey)
 	}
-	if cfg.Routes != "" {
-		args = append(args, "--advertise-routes="+cfg.Routes)
+	// --advertise-routes can be passed an empty string to configure a
+	// device (that might have previously advertised subnet routes) to not
+	// advertise any routes. Respect an empty string passed by a user and
+	// use it to explicitly unset the routes.
+	if cfg.Routes != nil {
+		args = append(args, "--advertise-routes="+*cfg.Routes)
 	}
 	if cfg.Hostname != "" {
 		args = append(args, "--hostname="+cfg.Hostname)
@@ -673,13 +688,17 @@ func tailscaleUp(ctx context.Context, cfg *settings) error {
 // node is in Running state and only if TS_AUTH_ONCE is set.
 func tailscaleSet(ctx context.Context, cfg *settings) error {
 	args := []string{"--socket=" + cfg.Socket, "set"}
-	if cfg.AcceptDNS {
+	if cfg.AcceptDNS != nil && *cfg.AcceptDNS {
 		args = append(args, "--accept-dns=true")
 	} else {
 		args = append(args, "--accept-dns=false")
 	}
-	if cfg.Routes != "" {
-		args = append(args, "--advertise-routes="+cfg.Routes)
+	// --advertise-routes can be passed an empty string to configure a
+	// device (that might have previously advertised subnet routes) to not
+	// advertise any routes. Respect an empty string passed by a user and
+	// use it to explicitly unset the routes.
+	if cfg.Routes != nil {
+		args = append(args, "--advertise-routes="+*cfg.Routes)
 	}
 	if cfg.Hostname != "" {
 		args = append(args, "--hostname="+cfg.Hostname)
@@ -714,7 +733,7 @@ func ensureTunFile(root string) error {
 }
 
 // ensureIPForwarding enables IPv4/IPv6 forwarding for the container.
-func ensureIPForwarding(root, clusterProxyTarget, tailnetTargetiP, tailnetTargetFQDN, routes string) error {
+func ensureIPForwarding(root, clusterProxyTarget, tailnetTargetiP, tailnetTargetFQDN string, routes *string) error {
 	var (
 		v4Forwarding, v6Forwarding bool
 	)
@@ -745,8 +764,8 @@ func ensureIPForwarding(root, clusterProxyTarget, tailnetTargetiP, tailnetTarget
 	if tailnetTargetFQDN != "" {
 		v4Forwarding = true
 	}
-	if routes != "" {
-		for _, route := range strings.Split(routes, ",") {
+	if routes != nil && *routes != "" {
+		for _, route := range strings.Split(*routes, ",") {
 			cidr, err := netip.ParsePrefix(route)
 			if err != nil {
 				return fmt.Errorf("invalid subnet route: %v", err)
@@ -850,7 +869,7 @@ func installIngressForwardingRule(ctx context.Context, dstStr string, tsIPs []ne
 type settings struct {
 	AuthKey  string
 	Hostname string
-	Routes   string
+	Routes   *string
 	// ProxyTo is the destination IP to which all incoming
 	// Tailscale traffic should be proxied. If empty, no proxying
 	// is done. This is typically a locally reachable IP.
@@ -862,21 +881,46 @@ type settings struct {
 	// TailnetTargetFQDN is an MagicDNS name to which all incoming
 	// non-Tailscale traffic should be proxied. This must be a full Tailnet
 	// node FQDN.
-	TailnetTargetFQDN  string
-	ServeConfigPath    string
-	DaemonExtraArgs    string
-	ExtraArgs          string
-	InKubernetes       bool
-	UserspaceMode      bool
-	StateDir           string
-	AcceptDNS          bool
-	KubeSecret         string
-	SOCKSProxyAddr     string
-	HTTPProxyAddr      string
-	Socket             string
-	AuthOnce           bool
-	Root               string
-	KubernetesCanPatch bool
+	TailnetTargetFQDN        string
+	ServeConfigPath          string
+	DaemonExtraArgs          string
+	ExtraArgs                string
+	InKubernetes             bool
+	UserspaceMode            bool
+	StateDir                 string
+	AcceptDNS                *bool
+	KubeSecret               string
+	SOCKSProxyAddr           string
+	HTTPProxyAddr            string
+	Socket                   string
+	AuthOnce                 bool
+	Root                     string
+	KubernetesCanPatch       bool
+	TailscaledConfigFilePath string
+}
+
+func (s *settings) validate() error {
+	if s.TailscaledConfigFilePath != "" {
+		if _, err := conffile.Load(s.TailscaledConfigFilePath); err != nil {
+			return fmt.Errorf("error validating tailscaled configfile contents: %w", err)
+		}
+	}
+	if s.ProxyTo != "" && s.UserspaceMode {
+		return errors.New("TS_DEST_IP is not supported with TS_USERSPACE")
+	}
+	if s.TailnetTargetIP != "" && s.UserspaceMode {
+		return errors.New("TS_TAILNET_TARGET_IP is not supported with TS_USERSPACE")
+	}
+	if s.TailnetTargetFQDN != "" && s.UserspaceMode {
+		return errors.New("TS_TAILNET_TARGET_FQDN is not supported with TS_USERSPACE")
+	}
+	if s.TailnetTargetFQDN != "" && s.TailnetTargetIP != "" {
+		return errors.New("Both TS_TAILNET_TARGET_IP and TS_TAILNET_FQDN cannot be set")
+	}
+	if s.TailscaledConfigFilePath != "" && (s.AcceptDNS != nil || s.AuthKey != "" || s.Routes != nil || s.ExtraArgs != "" || s.Hostname != "") {
+		return errors.New("EXPERIMENTAL_TS_CONFIGFILE_PATH cannot be set in combination with TS_HOSTNAME, TS_EXTRA_ARGS, TS_AUTHKEY, TS_ROUTES, TS_ACCEPT_DNS.")
+	}
+	return nil
 }
 
 // defaultEnv returns the value of the given envvar name, or defVal if
@@ -888,6 +932,28 @@ func defaultEnv(name, defVal string) string {
 	return defVal
 }
 
+// defaultEnvStringPointer returns a pointer to the given envvar value if set, else
+// returns nil. This is useful in cases where we need to distinguish between a
+// variable being set to empty string vs unset.
+func defaultEnvStringPointer(name string) *string {
+	if v, ok := os.LookupEnv(name); ok {
+		return &v
+	}
+	return nil
+}
+
+// defaultEnvBoolPointer returns a pointer to the given envvar value if set, else
+// returns nil. This is useful in cases where we need to distinguish between a
+// variable being explicitly set to false vs unset.
+func defaultEnvBoolPointer(name string) *bool {
+	v := os.Getenv(name)
+	ret, err := strconv.ParseBool(v)
+	if err != nil {
+		return nil
+	}
+	return &ret
+}
+
 func defaultEnvs(names []string, defVal string) string {
 	for _, name := range names {
 		if v, ok := os.LookupEnv(name); ok {
@@ -929,3 +995,27 @@ func contextWithExitSignalWatch() (context.Context, func()) {
 	}
 	return ctx, f
 }
+
+// isTwoStepConfigAuthOnce returns true if the Tailscale node should be configured
+// in two steps and login should only happen once.
+// Step 1: run 'tailscaled'
+// Step 2):
+// A) if this is the first time starting this node run 'tailscale up --authkey <authkey> <config opts>'
+// B) if this is not the first time starting this node run 'tailscale set <config opts>'.
+func isTwoStepConfigAuthOnce(cfg *settings) bool {
+	return cfg.AuthOnce && cfg.TailscaledConfigFilePath == ""
+}
+
+// isTwoStepConfigAlwaysAuth returns true if the Tailscale node should be configured
+// in two steps and we should log in every time it starts.
+// Step 1: run 'tailscaled'
+// Step 2): run 'tailscale up --authkey <authkey> <config opts>'
+func isTwoStepConfigAlwaysAuth(cfg *settings) bool {
+	return !cfg.AuthOnce && cfg.TailscaledConfigFilePath == ""
+}
+
+// isOneStepConfig returns true if the Tailscale node should always be ran and
+// configured in a single step by running 'tailscaled <config opts>'
+func isOneStepConfig(cfg *settings) bool {
+	return cfg.TailscaledConfigFilePath != ""
+}

cmd/containerboot/main_test.go

@@ -52,6 +52,12 @@ func TestContainerBoot(t *testing.T) {
 	}
 	defer kube.Close()
 
+	tailscaledConf := &ipn.ConfigVAlpha{AuthKey: func(s string) *string { return &s }("foo"), Version: "alpha0"}
+	tailscaledConfBytes, err := json.Marshal(tailscaledConf)
+	if err != nil {
+		t.Fatalf("error unmarshaling tailscaled config: %v", err)
+	}
+
 	dirs := []string{
 		"var/lib",
 		"usr/bin",
@@ -59,6 +65,7 @@ func TestContainerBoot(t *testing.T) {
 		"dev/net",
 		"proc/sys/net/ipv4",
 		"proc/sys/net/ipv6/conf/all",
+		"etc",
 	}
 	for _, path := range dirs {
 		if err := os.MkdirAll(filepath.Join(d, path), 0700); err != nil {
@@ -73,6 +80,7 @@ func TestContainerBoot(t *testing.T) {
 		"dev/net/tun":                           []byte(""),
 		"proc/sys/net/ipv4/ip_forward":          []byte("0"),
 		"proc/sys/net/ipv6/conf/all/forwarding": []byte("0"),
+		"etc/tailscaled":                        tailscaledConfBytes,
 	}
 	resetFiles := func() {
 		for path, content := range files {
@@ -218,6 +226,28 @@ func TestContainerBoot(t *testing.T) {
 				},
 			},
 		},
+		{
+			Name: "empty routes",
+			Env: map[string]string{
+				"TS_AUTHKEY": "tskey-key",
+				"TS_ROUTES":  "",
+			},
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=",
+					},
+				},
+				{
+					Notify: runningNotify,
+					WantFiles: map[string]string{
+						"proc/sys/net/ipv4/ip_forward":          "0",
+						"proc/sys/net/ipv6/conf/all/forwarding": "0",
+					},
+				},
+			},
+		},
 		{
 			Name: "routes_kernel_ipv4",
 			Env: map[string]string{
@@ -288,7 +318,7 @@ func TestContainerBoot(t *testing.T) {
 			},
 		},
 		{
-			Name: "ingres proxy",
+			Name: "ingress proxy",
 			Env: map[string]string{
 				"TS_AUTHKEY":   "tskey-key",
 				"TS_DEST_IP":   "1.2.3.4",
@@ -607,6 +637,21 @@ func TestContainerBoot(t *testing.T) {
 				},
 			},
 		},
+		{
+			Name: "experimental tailscaled configfile",
+			Env: map[string]string{
+				"EXPERIMENTAL_TS_CONFIGFILE_PATH": filepath.Join(d, "etc/tailscaled"),
+			},
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking --config=/etc/tailscaled",
+					},
+				}, {
+					Notify: runningNotify,
+				},
+			},
+		},
 	}
 
 	for _, test := range tests {

cmd/derper/depaware.txt

@@ -105,7 +105,8 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/net/netutil                                    from tailscale.com/client/tailscale
         tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
         tailscale.com/net/sockstats                                  from tailscale.com/derp/derphttp
-        tailscale.com/net/stun                                       from tailscale.com/cmd/derper
+        tailscale.com/net/stun                                       from tailscale.com/net/stunserver
+        tailscale.com/net/stunserver                                 from tailscale.com/cmd/derper
    L    tailscale.com/net/tcpinfo                                    from tailscale.com/derp
         tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp
         tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
@@ -152,6 +153,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/util/set                                       from tailscale.com/health+
         tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
         tailscale.com/util/slicesx                                   from tailscale.com/cmd/derper+
+        tailscale.com/util/syspolicy                                 from tailscale.com/ipn
         tailscale.com/util/vizerror                                  from tailscale.com/tsweb+
    W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
         tailscale.com/version                                        from tailscale.com/derp+
@@ -193,7 +195,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         golang.org/x/time/rate                                       from tailscale.com/cmd/derper+
         bufio                                                        from compress/flate+
         bytes                                                        from bufio+
-        cmp                                                          from slices
+        cmp                                                          from slices+
         compress/flate                                               from compress/gzip+
         compress/gzip                                                from internal/profile+
         container/list                                               from crypto/tls+
@@ -231,7 +233,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         encoding/pem                                                 from crypto/tls+
         errors                                                       from bufio+
         expvar                                                       from tailscale.com/cmd/derper+
-        flag                                                         from tailscale.com/cmd/derper
+        flag                                                         from tailscale.com/cmd/derper+
         fmt                                                          from compress/flate+
         go/token                                                     from google.golang.org/protobuf/internal/strs
         hash                                                         from crypto+
@@ -262,6 +264,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         net/url                                                      from crypto/x509+
         os                                                           from crypto/rand+
         os/exec                                                      from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
+        os/signal                                                    from tailscale.com/cmd/derper
    W    os/user                                                      from tailscale.com/util/winutil
         path                                                         from golang.org/x/crypto/acme/autocert+
         path/filepath                                                from crypto/x509+
@@ -271,7 +274,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         runtime/debug                                                from golang.org/x/crypto/acme+
         runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
         runtime/pprof                                                from net/http/pprof
-        runtime/trace                                                from net/http/pprof
+        runtime/trace                                                from net/http/pprof+
         slices                                                       from tailscale.com/ipn/ipnstate+
         sort                                                         from compress/flate+
         strconv                                                      from compress/flate+
@@ -279,6 +282,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         sync                                                         from compress/flate+
         sync/atomic                                                  from context+
         syscall                                                      from crypto/rand+
+        testing                                                      from tailscale.com/util/syspolicy
         text/tabwriter                                               from runtime/pprof
         time                                                         from compress/gzip+
         unicode                                                      from bytes+

cmd/derper/derper.go

@@ -17,11 +17,12 @@ import (
 	"math"
 	"net"
 	"net/http"
-	"net/netip"
 	"os"
+	"os/signal"
 	"path/filepath"
 	"regexp"
 	"strings"
+	"syscall"
 	"time"
 
 	"go4.org/mem"
@@ -30,7 +31,7 @@ import (
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
 	"tailscale.com/metrics"
-	"tailscale.com/net/stun"
+	"tailscale.com/net/stunserver"
 	"tailscale.com/tsweb"
 	"tailscale.com/types/key"
 	"tailscale.com/util/cmpx"
@@ -59,25 +60,11 @@ var (
 )
 
 var (
-	stats             = new(metrics.Set)
-	stunDisposition   = &metrics.LabelMap{Label: "disposition"}
-	stunAddrFamily    = &metrics.LabelMap{Label: "family"}
 	tlsRequestVersion = &metrics.LabelMap{Label: "version"}
 	tlsActiveVersion  = &metrics.LabelMap{Label: "version"}
-
-	stunReadError  = stunDisposition.Get("read_error")
-	stunNotSTUN    = stunDisposition.Get("not_stun")
-	stunWriteError = stunDisposition.Get("write_error")
-	stunSuccess    = stunDisposition.Get("success")
-
-	stunIPv4 = stunAddrFamily.Get("ipv4")
-	stunIPv6 = stunAddrFamily.Get("ipv6")
 )
 
 func init() {
-	stats.Set("counter_requests", stunDisposition)
-	stats.Set("counter_addrfamily", stunAddrFamily)
-	expvar.Publish("stun", stats)
 	expvar.Publish("derper_tls_request_version", tlsRequestVersion)
 	expvar.Publish("gauge_derper_tls_active_version", tlsActiveVersion)
 }
@@ -135,6 +122,9 @@ func writeNewConfig() config {
 func main() {
 	flag.Parse()
 
+	ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	defer cancel()
+
 	if *dev {
 		*addr = ":3340" // above the keys DERP
 		log.Printf("Running in dev mode.")
@@ -146,6 +136,11 @@ func main() {
 		log.Fatalf("invalid server address: %v", err)
 	}
 
+	if *runSTUN {
+		ss := stunserver.New(ctx)
+		go ss.ListenAndServe(net.JoinHostPort(listenHost, fmt.Sprint(*stunPort)))
+	}
+
 	cfg := loadConfig()
 
 	serveTLS := tsweb.IsProd443(*addr) || *certMode == "manual"
@@ -221,10 +216,6 @@ func main() {
 	}))
 	debug.Handle("traffic", "Traffic check", http.HandlerFunc(s.ServeDebugTraffic))
 
-	if *runSTUN {
-		go serveSTUN(listenHost, *stunPort)
-	}
-
 	quietLogger := log.New(logFilter{}, "", 0)
 	httpsrv := &http.Server{
 		Addr:     *addr,
@@ -241,6 +232,10 @@ func main() {
 		ReadTimeout:  30 * time.Second,
 		WriteTimeout: 30 * time.Second,
 	}
+	go func() {
+		<-ctx.Done()
+		httpsrv.Shutdown(ctx)
+	}()
 
 	if serveTLS {
 		log.Printf("derper: serving on %s with TLS", *addr)
@@ -351,59 +346,6 @@ func probeHandler(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-func serveSTUN(host string, port int) {
-	pc, err := net.ListenPacket("udp", net.JoinHostPort(host, fmt.Sprint(port)))
-	if err != nil {
-		log.Fatalf("failed to open STUN listener: %v", err)
-	}
-	log.Printf("running STUN server on %v", pc.LocalAddr())
-	serverSTUNListener(context.Background(), pc.(*net.UDPConn))
-}
-
-func serverSTUNListener(ctx context.Context, pc *net.UDPConn) {
-	var buf [64 << 10]byte
-	var (
-		n   int
-		ua  *net.UDPAddr
-		err error
-	)
-	for {
-		n, ua, err = pc.ReadFromUDP(buf[:])
-		if err != nil {
-			if ctx.Err() != nil {
-				return
-			}
-			log.Printf("STUN ReadFrom: %v", err)
-			time.Sleep(time.Second)
-			stunReadError.Add(1)
-			continue
-		}
-		pkt := buf[:n]
-		if !stun.Is(pkt) {
-			stunNotSTUN.Add(1)
-			continue
-		}
-		txid, err := stun.ParseBindingRequest(pkt)
-		if err != nil {
-			stunNotSTUN.Add(1)
-			continue
-		}
-		if ua.IP.To4() != nil {
-			stunIPv4.Add(1)
-		} else {
-			stunIPv6.Add(1)
-		}
-		addr, _ := netip.AddrFromSlice(ua.IP)
-		res := stun.Response(txid, netip.AddrPortFrom(addr, uint16(ua.Port)))
-		_, err = pc.WriteTo(res, ua)
-		if err != nil {
-			stunWriteError.Add(1)
-		} else {
-			stunSuccess.Add(1)
-		}
-	}
-}
-
 var validProdHostname = regexp.MustCompile(`^derp([^.]*)\.tailscale\.com\.?$`)
 
 func prodAutocertHostPolicy(_ context.Context, host string) error {

cmd/derper/derper_test.go

@@ -5,13 +5,11 @@ package main
 
 import (
 	"context"
-	"net"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 
-	"tailscale.com/net/stun"
 	"tailscale.com/tstest/deptest"
 )
 
@@ -39,38 +37,6 @@ func TestProdAutocertHostPolicy(t *testing.T) {
 	}
 }
 
-func BenchmarkServerSTUN(b *testing.B) {
-	b.ReportAllocs()
-	pc, err := net.ListenPacket("udp", "127.0.0.1:0")
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer pc.Close()
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	go serverSTUNListener(ctx, pc.(*net.UDPConn))
-	addr := pc.LocalAddr().(*net.UDPAddr)
-
-	var resBuf [1500]byte
-	cc, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.ParseIP("127.0.0.1")})
-	if err != nil {
-		b.Fatal(err)
-	}
-
-	tx := stun.NewTxID()
-	req := stun.Request(tx)
-	for i := 0; i < b.N; i++ {
-		if _, err := cc.WriteToUDP(req, addr); err != nil {
-			b.Fatal(err)
-		}
-		_, _, err := cc.ReadFromUDP(resBuf[:])
-		if err != nil {
-			b.Fatal(err)
-		}
-	}
-
-}
-
 func TestNoContent(t *testing.T) {
 	testCases := []struct {
 		name  string

cmd/k8s-operator/connector.go

@@ -0,0 +1,260 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !plan9
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"net/netip"
+	"slices"
+	"sync"
+	"time"
+
+	"github.com/pkg/errors"
+	"go.uber.org/zap"
+	xslices "golang.org/x/exp/slices"
+	corev1 "k8s.io/api/core/v1"
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/record"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	tsoperator "tailscale.com/k8s-operator"
+	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
+	"tailscale.com/tstime"
+	"tailscale.com/util/clientmetric"
+	"tailscale.com/util/set"
+)
+
+const (
+	reasonConnectorCreationFailed = "ConnectorCreationFailed"
+
+	reasonConnectorCreated           = "ConnectorCreated"
+	reasonConnectorCleanupFailed     = "ConnectorCleanupFailed"
+	reasonConnectorCleanupInProgress = "ConnectorCleanupInProgress"
+	reasonConnectorInvalid           = "ConnectorInvalid"
+
+	messageConnectorCreationFailed = "Failed creating Connector: %v"
+	messageConnectorInvalid        = "Connector is invalid: %v"
+
+	shortRequeue = time.Second * 5
+)
+
+type ConnectorReconciler struct {
+	client.Client
+
+	recorder record.EventRecorder
+	ssr      *tailscaleSTSReconciler
+	logger   *zap.SugaredLogger
+
+	tsnamespace string
+
+	clock tstime.Clock
+
+	mu sync.Mutex // protects following
+
+	subnetRouters set.Slice[types.UID] // for subnet routers gauge
+	exitNodes     set.Slice[types.UID] // for exit nodes gauge
+}
+
+var (
+	// gaugeConnectorResources tracks the overall number of Connectors currently managed by this operator instance.
+	gaugeConnectorResources = clientmetric.NewGauge("k8s_connector_resources")
+	// gaugeConnectorSubnetRouterResources tracks the number of Connectors managed by this operator instance that are subnet routers.
+	gaugeConnectorSubnetRouterResources = clientmetric.NewGauge("k8s_connector_subnetrouter_resources")
+	// gaugeConnectorExitNodeResources tracks the number of Connectors currently managed by this operator instance that are exit nodes.
+	gaugeConnectorExitNodeResources = clientmetric.NewGauge("k8s_connector_exitnode_resources")
+)
+
+func (a *ConnectorReconciler) Reconcile(ctx context.Context, req reconcile.Request) (res reconcile.Result, err error) {
+	logger := a.logger.With("Connector", req.Name)
+	logger.Debugf("starting reconcile")
+	defer logger.Debugf("reconcile finished")
+
+	cn := new(tsapi.Connector)
+	err = a.Get(ctx, req.NamespacedName, cn)
+	if apierrors.IsNotFound(err) {
+		logger.Debugf("Connector not found, assuming it was deleted")
+		return reconcile.Result{}, nil
+	} else if err != nil {
+		return reconcile.Result{}, fmt.Errorf("failed to get tailscale.com Connector: %w", err)
+	}
+	if !cn.DeletionTimestamp.IsZero() {
+		logger.Debugf("Connector is being deleted or should not be exposed, cleaning up resources")
+		ix := xslices.Index(cn.Finalizers, FinalizerName)
+		if ix < 0 {
+			logger.Debugf("no finalizer, nothing to do")
+			return reconcile.Result{}, nil
+		}
+
+		if done, err := a.maybeCleanupConnector(ctx, logger, cn); err != nil {
+			return reconcile.Result{}, err
+		} else if !done {
+			logger.Debugf("Connector resource cleanup not yet finished, will retry...")
+			return reconcile.Result{RequeueAfter: shortRequeue}, nil
+		}
+
+		cn.Finalizers = append(cn.Finalizers[:ix], cn.Finalizers[ix+1:]...)
+		if err := a.Update(ctx, cn); err != nil {
+			return reconcile.Result{}, err
+		}
+		logger.Infof("Connector resources cleaned up")
+		return reconcile.Result{}, nil
+	}
+
+	oldCnStatus := cn.Status.DeepCopy()
+	setStatus := func(cn *tsapi.Connector, conditionType tsapi.ConnectorConditionType, status metav1.ConditionStatus, reason, message string) (reconcile.Result, error) {
+		tsoperator.SetConnectorCondition(cn, tsapi.ConnectorReady, status, reason, message, cn.Generation, a.clock, logger)
+		if !apiequality.Semantic.DeepEqual(oldCnStatus, cn.Status) {
+			// An error encountered here should get returned by the Reconcile function.
+			if updateErr := a.Client.Status().Update(ctx, cn); updateErr != nil {
+				err = errors.Wrap(err, updateErr.Error())
+			}
+		}
+		return res, err
+	}
+
+	if !slices.Contains(cn.Finalizers, FinalizerName) {
+		// This log line is printed exactly once during initial provisioning,
+		// because once the finalizer is in place this block gets skipped. So,
+		// this is a nice place to tell the operator that the high level,
+		// multi-reconcile operation is underway.
+		logger.Infof("ensuring Connector is set up")
+		cn.Finalizers = append(cn.Finalizers, FinalizerName)
+		if err := a.Update(ctx, cn); err != nil {
+			logger.Errorf("error adding finalizer: %w", err)
+			return setStatus(cn, tsapi.ConnectorReady, metav1.ConditionFalse, reasonConnectorCreationFailed, reasonConnectorCreationFailed)
+		}
+	}
+
+	if err := a.validate(cn); err != nil {
+		logger.Errorf("error validating Connector spec: %w", err)
+		message := fmt.Sprintf(messageConnectorInvalid, err)
+		a.recorder.Eventf(cn, corev1.EventTypeWarning, reasonConnectorInvalid, message)
+		return setStatus(cn, tsapi.ConnectorReady, metav1.ConditionFalse, reasonConnectorInvalid, message)
+	}
+
+	if err = a.maybeProvisionConnector(ctx, logger, cn); err != nil {
+		logger.Errorf("error creating Connector resources: %w", err)
+		message := fmt.Sprintf(messageConnectorCreationFailed, err)
+		a.recorder.Eventf(cn, corev1.EventTypeWarning, reasonConnectorCreationFailed, message)
+		return setStatus(cn, tsapi.ConnectorReady, metav1.ConditionFalse, reasonConnectorCreationFailed, message)
+	}
+
+	logger.Info("Connector resources synced")
+	cn.Status.IsExitNode = cn.Spec.ExitNode
+	if cn.Spec.SubnetRouter != nil {
+		cn.Status.SubnetRoutes = cn.Spec.SubnetRouter.AdvertiseRoutes.Stringify()
+		return setStatus(cn, tsapi.ConnectorReady, metav1.ConditionTrue, reasonConnectorCreated, reasonConnectorCreated)
+	}
+	cn.Status.SubnetRoutes = ""
+	return setStatus(cn, tsapi.ConnectorReady, metav1.ConditionTrue, reasonConnectorCreated, reasonConnectorCreated)
+}
+
+// maybeProvisionConnector ensures that any new resources required for this
+// Connector instance are deployed to the cluster.
+func (a *ConnectorReconciler) maybeProvisionConnector(ctx context.Context, logger *zap.SugaredLogger, cn *tsapi.Connector) error {
+	hostname := cn.Name + "-connector"
+	if cn.Spec.Hostname != "" {
+		hostname = string(cn.Spec.Hostname)
+	}
+	crl := childResourceLabels(cn.Name, a.tsnamespace, "connector")
+	sts := &tailscaleSTSConfig{
+		ParentResourceName:  cn.Name,
+		ParentResourceUID:   string(cn.UID),
+		Hostname:            hostname,
+		ChildResourceLabels: crl,
+		Tags:                cn.Spec.Tags.Stringify(),
+		Connector: &connector{
+			isExitNode: cn.Spec.ExitNode,
+		},
+	}
+
+	if cn.Spec.SubnetRouter != nil && len(cn.Spec.SubnetRouter.AdvertiseRoutes) > 0 {
+		sts.Connector.routes = cn.Spec.SubnetRouter.AdvertiseRoutes.Stringify()
+	}
+
+	a.mu.Lock()
+	if sts.Connector.isExitNode {
+		a.exitNodes.Add(cn.UID)
+	} else {
+		a.exitNodes.Remove(cn.UID)
+	}
+	if sts.Connector.routes != "" {
+		a.subnetRouters.Add(cn.GetUID())
+	} else {
+		a.subnetRouters.Remove(cn.GetUID())
+	}
+	a.mu.Unlock()
+	gaugeConnectorSubnetRouterResources.Set(int64(a.subnetRouters.Len()))
+	gaugeConnectorExitNodeResources.Set(int64(a.exitNodes.Len()))
+	var connectors set.Slice[types.UID]
+	connectors.AddSlice(a.exitNodes.Slice())
+	connectors.AddSlice(a.subnetRouters.Slice())
+	gaugeConnectorResources.Set(int64(connectors.Len()))
+
+	_, err := a.ssr.Provision(ctx, logger, sts)
+	return err
+}
+
+func (a *ConnectorReconciler) maybeCleanupConnector(ctx context.Context, logger *zap.SugaredLogger, cn *tsapi.Connector) (bool, error) {
+	if done, err := a.ssr.Cleanup(ctx, logger, childResourceLabels(cn.Name, a.tsnamespace, "connector")); err != nil {
+		return false, fmt.Errorf("failed to cleanup Connector resources: %w", err)
+	} else if !done {
+		logger.Debugf("Connector cleanup not done yet, waiting for next reconcile")
+		return false, nil
+	}
+
+	// Unlike most log entries in the reconcile loop, this will get printed
+	// exactly once at the very end of cleanup, because the final step of
+	// cleanup removes the tailscale finalizer, which will make all future
+	// reconciles exit early.
+	logger.Infof("cleaned up Connector resources")
+	a.mu.Lock()
+	a.subnetRouters.Remove(cn.UID)
+	a.exitNodes.Remove(cn.UID)
+	a.mu.Unlock()
+	gaugeConnectorExitNodeResources.Set(int64(a.exitNodes.Len()))
+	gaugeConnectorSubnetRouterResources.Set(int64(a.subnetRouters.Len()))
+	var connectors set.Slice[types.UID]
+	connectors.AddSlice(a.exitNodes.Slice())
+	connectors.AddSlice(a.subnetRouters.Slice())
+	gaugeConnectorResources.Set(int64(connectors.Len()))
+	return true, nil
+}
+
+func (a *ConnectorReconciler) validate(cn *tsapi.Connector) error {
+	// Connector fields are already validated at apply time with CEL validation
+	// on custom resource fields. The checks here are a backup in case the
+	// CEL validation breaks without us noticing.
+	if !(cn.Spec.SubnetRouter != nil || cn.Spec.ExitNode) {
+		return errors.New("invalid spec: a Connector must expose subnet routes or act as an exit node (or both)")
+	}
+	if cn.Spec.SubnetRouter == nil {
+		return nil
+	}
+	return validateSubnetRouter(cn.Spec.SubnetRouter)
+}
+
+func validateSubnetRouter(sb *tsapi.SubnetRouter) error {
+	if len(sb.AdvertiseRoutes) < 1 {
+		return errors.New("invalid subnet router spec: no routes defined")
+	}
+	var err error
+	for _, route := range sb.AdvertiseRoutes {
+		pfx, e := netip.ParsePrefix(string(route))
+		if e != nil {
+			err = errors.Wrap(err, fmt.Sprintf("route %s is invalid: %v", route, err))
+			continue
+		}
+		if pfx.Masked() != pfx {
+			err = errors.Wrap(err, fmt.Sprintf("route %s has non-address bits set; expected %s", pfx, pfx.Masked()))
+		}
+	}
+	return err
+}

cmd/k8s-operator/connector_test.go

@@ -0,0 +1,185 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !plan9
+
+package main
+
+import (
+	"context"
+	"testing"
+
+	"go.uber.org/zap"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
+	"tailscale.com/tstest"
+)
+
+func TestConnector(t *testing.T) {
+	// Create a Connector that defines a Tailscale node that advertises
+	// 10.40.0.0/14 route and acts as an exit node.
+	cn := &tsapi.Connector{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test",
+			UID:  types.UID("1234-UID"),
+		},
+		TypeMeta: metav1.TypeMeta{
+			Kind:       tsapi.ConnectorKind,
+			APIVersion: "tailscale.io/v1alpha1",
+		},
+		Spec: tsapi.ConnectorSpec{
+			SubnetRouter: &tsapi.SubnetRouter{
+				AdvertiseRoutes: []tsapi.Route{"10.40.0.0/14"},
+			},
+			ExitNode: true,
+		},
+	}
+	fc := fake.NewClientBuilder().
+		WithScheme(tsapi.GlobalScheme).
+		WithObjects(cn).
+		WithStatusSubresource(cn).
+		Build()
+	ft := &fakeTSClient{}
+	zl, err := zap.NewDevelopment()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cl := tstest.NewClock(tstest.ClockOpts{})
+	cr := &ConnectorReconciler{
+		Client: fc,
+		ssr: &tailscaleSTSReconciler{
+			Client:            fc,
+			tsClient:          ft,
+			defaultTags:       []string{"tag:k8s"},
+			operatorNamespace: "operator-ns",
+			proxyImage:        "tailscale/tailscale",
+		},
+		clock:  cl,
+		logger: zl.Sugar(),
+	}
+
+	expectReconciled(t, cr, "", "test")
+	fullName, shortName := findGenName(t, fc, "", "test", "connector")
+
+	opts := configOpts{
+		stsName:                    shortName,
+		secretName:                 fullName,
+		parentType:                 "connector",
+		hostname:                   "test-connector",
+		shouldUseDeclarativeConfig: true,
+		isExitNode:                 true,
+		subnetRoutes:               "10.40.0.0/14",
+		confFileHash:               "9321660203effb80983eaecc7b5ac5a8c53934926f46e895b9fe295dcfc5a904",
+	}
+	expectEqual(t, fc, expectedSecret(t, opts))
+	expectEqual(t, fc, expectedSTS(opts))
+
+	// Add another route to be advertised.
+	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
+		conn.Spec.SubnetRouter.AdvertiseRoutes = []tsapi.Route{"10.40.0.0/14", "10.44.0.0/20"}
+	})
+	opts.subnetRoutes = "10.40.0.0/14,10.44.0.0/20"
+	opts.confFileHash = "fb6c4daf67425f983985750cd8d6f2beae77e614fcb34176604571f5623d6862"
+	expectReconciled(t, cr, "", "test")
+
+	expectEqual(t, fc, expectedSTS(opts))
+
+	// Remove a route.
+	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
+		conn.Spec.SubnetRouter.AdvertiseRoutes = []tsapi.Route{"10.44.0.0/20"}
+	})
+	opts.subnetRoutes = "10.44.0.0/20"
+	opts.confFileHash = "bacba177bcfe3849065cf6fee53d658a9bb4144197ac5b861727d69ea99742bb"
+	expectReconciled(t, cr, "", "test")
+	expectEqual(t, fc, expectedSTS(opts))
+
+	// Remove the subnet router.
+	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
+		conn.Spec.SubnetRouter = nil
+	})
+	opts.subnetRoutes = ""
+	opts.confFileHash = "7c421a99128eb80e79a285a82702f19f8f720615542a15bd794858a6275d8079"
+	expectReconciled(t, cr, "", "test")
+	expectEqual(t, fc, expectedSTS(opts))
+
+	// Re-add the subnet router.
+	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
+		conn.Spec.SubnetRouter = &tsapi.SubnetRouter{
+			AdvertiseRoutes: []tsapi.Route{"10.44.0.0/20"},
+		}
+	})
+	opts.subnetRoutes = "10.44.0.0/20"
+	opts.confFileHash = "bacba177bcfe3849065cf6fee53d658a9bb4144197ac5b861727d69ea99742bb"
+	expectReconciled(t, cr, "", "test")
+	expectEqual(t, fc, expectedSTS(opts))
+
+	// Delete the Connector.
+	if err = fc.Delete(context.Background(), cn); err != nil {
+		t.Fatalf("error deleting Connector: %v", err)
+	}
+
+	expectRequeue(t, cr, "", "test")
+	expectReconciled(t, cr, "", "test")
+
+	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
+	expectMissing[corev1.Secret](t, fc, "operator-ns", fullName)
+
+	// Create a Connector that advertises a route and is not an exit node.
+	cn = &tsapi.Connector{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test",
+			UID:  types.UID("1234-UID"),
+		},
+		TypeMeta: metav1.TypeMeta{
+			Kind:       tsapi.ConnectorKind,
+			APIVersion: "tailscale.io/v1alpha1",
+		},
+		Spec: tsapi.ConnectorSpec{
+			SubnetRouter: &tsapi.SubnetRouter{
+				AdvertiseRoutes: []tsapi.Route{"10.40.0.0/14"},
+			},
+		},
+	}
+	opts.subnetRoutes = "10.44.0.0/14"
+	opts.isExitNode = false
+	mustCreate(t, fc, cn)
+	expectReconciled(t, cr, "", "test")
+	fullName, shortName = findGenName(t, fc, "", "test", "connector")
+
+	opts = configOpts{
+		stsName:                    shortName,
+		secretName:                 fullName,
+		parentType:                 "connector",
+		shouldUseDeclarativeConfig: true,
+		subnetRoutes:               "10.40.0.0/14",
+		hostname:                   "test-connector",
+		confFileHash:               "57d922331890c9b1c8c6ae664394cb254334c551d9cd9db14537b5d9da9fb17e",
+	}
+	expectEqual(t, fc, expectedSecret(t, opts))
+	expectEqual(t, fc, expectedSTS(opts))
+
+	// Add an exit node.
+	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
+		conn.Spec.ExitNode = true
+	})
+	opts.isExitNode = true
+	opts.confFileHash = "1499b591fd97a50f0330db6ec09979792c49890cf31f5da5bb6a3f50dba1e77a"
+	expectReconciled(t, cr, "", "test")
+	expectEqual(t, fc, expectedSTS(opts))
+
+	// Delete the Connector.
+	if err = fc.Delete(context.Background(), cn); err != nil {
+		t.Fatalf("error deleting Connector: %v", err)
+	}
+
+	expectRequeue(t, cr, "", "test")
+	expectReconciled(t, cr, "", "test")
+
+	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
+	expectMissing[corev1.Secret](t, fc, "operator-ns", fullName)
+}

cmd/k8s-operator/deploy/chart/templates/deployment.yaml

@@ -59,6 +59,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+            - name: ENABLE_CONNECTOR
+              value: "{{ .Values.enableConnector }}"
             - name: CLIENT_ID_FILE
               value: /oauth/client_id
             - name: CLIENT_SECRET_FILE

cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml

@@ -18,6 +18,9 @@ rules:
 - apiGroups: ["networking.k8s.io"]
   resources: ["ingresses", "ingresses/status"]
   verbs: ["*"]
+- apiGroups: ["tailscale.com"]
+  resources: ["connectors", "connectors/status"]
+  verbs: ["get", "list", "watch", "update"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

cmd/k8s-operator/deploy/chart/values.yaml

@@ -8,6 +8,12 @@ oauth: {}
   # clientId: ""
   # clientSecret: ""
 
+# enableConnector determines whether the operator should reconcile
+# connector.tailscale.com custom resources. If set to true you have to install
+# connector CRD in a separate step.
+# You can do so by running 'kubectl apply -f ./cmd/k8s-operator/deploy/crds'.
+enableConnector: "false"
+
 operatorConfig:
   image:
     repo: tailscale/k8s-operator
@@ -16,7 +22,7 @@ operatorConfig:
     tag: ""
     digest: ""
     pullPolicy: Always
-  logging: "info"
+  logging: "info" # info, debug, dev
   hostname: "tailscale-operator"
   nodeSelector:
     kubernetes.io/os: linux
@@ -47,7 +53,9 @@ proxyConfig:
   # ACL tag that operator will tag proxies with. Operator must be made owner of
   # these tags
   # https://tailscale.com/kb/1236/kubernetes-operator/?q=operator#setting-up-the-kubernetes-operator
-  defaultTags: tag:k8s
+  # Multiple tags can be passed as a comma-separated string i.e 'tag:k8s-proxies,tag:prod'.
+  # Note that if you pass multiple tags to this field via `--set` flag to helm upgrade/install commands you must escape the comma (for example, "tag:k8s-proxies\,tag:prod"). See https://github.com/helm/helm/issues/1556
+  defaultTags: "tag:k8s"
   firewallMode: auto
 
 # apiServerProxyConfig allows to configure whether the operator should expose

cmd/k8s-operator/deploy/crds/tailscale.com_connectors.yaml

@@ -0,0 +1,125 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  name: connectors.tailscale.com
+spec:
+  group: tailscale.com
+  names:
+    kind: Connector
+    listKind: ConnectorList
+    plural: connectors
+    shortNames:
+      - cn
+    singular: connector
+  scope: Cluster
+  versions:
+    - additionalPrinterColumns:
+        - description: CIDR ranges exposed to tailnet by a subnet router defined via this Connector instance.
+          jsonPath: .status.subnetRoutes
+          name: SubnetRoutes
+          type: string
+        - description: Whether this Connector instance defines an exit node.
+          jsonPath: .status.isExitNode
+          name: IsExitNode
+          type: string
+        - description: Status of the deployed Connector resources.
+          jsonPath: .status.conditions[?(@.type == "ConnectorReady")].reason
+          name: Status
+          type: string
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          type: object
+          required:
+            - spec
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: ConnectorSpec describes the desired Tailscale component.
+              type: object
+              properties:
+                exitNode:
+                  description: ExitNode defines whether the Connector node should act as a Tailscale exit node. Defaults to false. https://tailscale.com/kb/1103/exit-nodes
+                  type: boolean
+                hostname:
+                  description: Hostname is the tailnet hostname that should be assigned to the Connector node. If unset, hostname defaults to <connector name>-connector. Hostname can contain lower case letters, numbers and dashes, it must not start or end with a dash and must be between 2 and 63 characters long.
+                  type: string
+                  pattern: ^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$
+                subnetRouter:
+                  description: SubnetRouter defines subnet routes that the Connector node should expose to tailnet. If unset, none are exposed. https://tailscale.com/kb/1019/subnets/
+                  type: object
+                  required:
+                    - advertiseRoutes
+                  properties:
+                    advertiseRoutes:
+                      description: AdvertiseRoutes refer to CIDRs that the subnet router should make available. Route values must be strings that represent a valid IPv4 or IPv6 CIDR range. Values can be Tailscale 4via6 subnet routes. https://tailscale.com/kb/1201/4via6-subnets/
+                      type: array
+                      minItems: 1
+                      items:
+                        type: string
+                        format: cidr
+                tags:
+                  description: Tags that the Tailscale node will be tagged with. Defaults to [tag:k8s]. To autoapprove the subnet routes or exit node defined by a Connector, you can configure Tailscale ACLs to give these tags the necessary permissions. See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes. If you specify custom tags here, you must also make the operator an owner of these tags. See  https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator. Tags cannot be changed once a Connector node has been created. Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$.
+                  type: array
+                  items:
+                    type: string
+                    pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$
+              x-kubernetes-validations:
+                - rule: has(self.subnetRouter) || self.exitNode == true
+                  message: A Connector needs to be either an exit node or a subnet router, or both.
+            status:
+              description: ConnectorStatus describes the status of the Connector. This is set and managed by the Tailscale operator.
+              type: object
+              properties:
+                conditions:
+                  description: List of status conditions to indicate the status of the Connector. Known condition types are `ConnectorReady`.
+                  type: array
+                  items:
+                    description: ConnectorCondition contains condition information for a Connector.
+                    type: object
+                    required:
+                      - status
+                      - type
+                    properties:
+                      lastTransitionTime:
+                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
+                        type: string
+                        format: date-time
+                      message:
+                        description: Message is a human readable description of the details of the last transition, complementing reason.
+                        type: string
+                      observedGeneration:
+                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Connector.
+                        type: integer
+                        format: int64
+                      reason:
+                        description: Reason is a brief machine readable explanation for the condition's last transition.
+                        type: string
+                      status:
+                        description: Status of the condition, one of ('True', 'False', 'Unknown').
+                        type: string
+                      type:
+                        description: Type of the condition, known values are (`SubnetRouterReady`).
+                        type: string
+                  x-kubernetes-list-map-keys:
+                    - type
+                  x-kubernetes-list-type: map
+                isExitNode:
+                  description: IsExitNode is set to true if the Connector acts as an exit node.
+                  type: boolean
+                subnetRoutes:
+                  description: SubnetRoutes are the routes currently exposed to tailnet via this Connector instance.
+                  type: string
+      served: true
+      storage: true
+      subresources:
+        status: {}

cmd/k8s-operator/deploy/examples/connector.yaml

@@ -0,0 +1,19 @@
+# Before applying ensure that the operator owns tag:prod.
+# https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator.
+# To set up autoapproval set tag:prod as approver for 10.40.0.0/14 route and exit node.
+# Otherwise approve it manually in Machines panel once the
+# ts-prod Tailscale node has been created.
+# See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes
+apiVersion: tailscale.com/v1alpha1
+kind: Connector
+metadata:
+  name: prod
+spec:
+  tags:
+  - "tag:prod"
+  hostname: ts-prod
+  subnetRouter:
+    advertiseRoutes:
+    - "10.40.0.0/14"
+    - "192.168.0.0/14"
+  exitNode: true

cmd/k8s-operator/deploy/manifests/operator.yaml

@@ -47,6 +47,16 @@ rules:
         - ingresses/status
       verbs:
         - '*'
+    - apiGroups:
+        - tailscale.com
+      resources:
+        - connectors
+        - connectors/status
+      verbs:
+        - get
+        - list
+        - watch
+        - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -150,6 +160,8 @@ spec:
                       valueFrom:
                         fieldRef:
                             fieldPath: metadata.namespace
+                    - name: ENABLE_CONNECTOR
+                      value: "false"
                     - name: CLIENT_ID_FILE
                       value: /oauth/client_id
                     - name: CLIENT_SECRET_FILE

cmd/k8s-operator/operator.go

@@ -37,13 +37,19 @@ import (
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/kubestore"
+	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/tsnet"
+	"tailscale.com/tstime"
 	"tailscale.com/types/logger"
 	"tailscale.com/version"
 )
 
+// Generate static manifests for deploying Tailscale operator on Kubernetes from the operator's Helm chart.
 //go:generate go run tailscale.com/cmd/k8s-operator/generate
 
+// Generate Connector CustomResourceDefinition yaml from its Go types.
+//go:generate go run sigs.k8s.io/controller-tools/cmd/controller-gen crd schemapatch:manifests=./deploy/crds output:dir=./deploy/crds paths=../../k8s-operator/apis/...
+
 func main() {
 	// Required to use our client API. We're fine with the instability since the
 	// client lives in the same repo as this code.
@@ -56,6 +62,7 @@ func main() {
 		priorityClassName = defaultEnv("PROXY_PRIORITY_CLASS_NAME", "")
 		tags              = defaultEnv("PROXY_TAGS", "tag:k8s")
 		tsFirewallMode    = defaultEnv("PROXY_FIREWALL_MODE", "")
+		tsEnableConnector = defaultBool("ENABLE_CONNECTOR", false)
 	)
 
 	var opts []kzap.Opts
@@ -84,7 +91,9 @@ func main() {
 	defer s.Close()
 	restConfig := config.GetConfigOrDie()
 	maybeLaunchAPIServerProxy(zlog, restConfig, s, mode)
-	runReconcilers(zlog, s, tsNamespace, restConfig, tsClient, image, priorityClassName, tags, tsFirewallMode)
+	// TODO (irbekrm): gather the reconciler options into an opts struct
+	// rather than passing a million of them in one by one.
+	runReconcilers(zlog, s, tsNamespace, restConfig, tsClient, image, priorityClassName, tags, tsFirewallMode, tsEnableConnector)
 }
 
 // initTSNet initializes the tsnet.Server and logs in to Tailscale. It uses the
@@ -192,7 +201,7 @@ waitOnline:
 
 // runReconcilers starts the controller-runtime manager and registers the
 // ServiceReconciler. It blocks forever.
-func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string, restConfig *rest.Config, tsClient *tailscale.Client, image, priorityClassName, tags, tsFirewallMode string) {
+func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string, restConfig *rest.Config, tsClient *tailscale.Client, image, priorityClassName, tags, tsFirewallMode string, enableConnector bool) {
 	var (
 		isDefaultLoadBalancer = defaultBool("OPERATOR_DEFAULT_LOAD_BALANCER", false)
 	)
@@ -206,20 +215,25 @@ func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string
 	nsFilter := cache.ByObject{
 		Field: client.InNamespace(tsNamespace).AsSelector(),
 	}
-	mgr, err := manager.New(restConfig, manager.Options{
+	mgrOpts := manager.Options{
 		Cache: cache.Options{
 			ByObject: map[client.Object]cache.ByObject{
 				&corev1.Secret{}:      nsFilter,
 				&appsv1.StatefulSet{}: nsFilter,
 			},
 		},
-	})
+	}
+	if enableConnector {
+		mgrOpts.Scheme = tsapi.GlobalScheme
+	}
+	mgr, err := manager.New(restConfig, mgrOpts)
 	if err != nil {
 		startlog.Fatalf("could not create manager: %v", err)
 	}
 
 	svcFilter := handler.EnqueueRequestsFromMapFunc(serviceHandler)
 	svcChildFilter := handler.EnqueueRequestsFromMapFunc(managedResourceHandlerForType("svc"))
+
 	eventRecorder := mgr.GetEventRecorderFor("tailscale-operator")
 	ssr := &tailscaleSTSReconciler{
 		Client:                 mgr.GetClient(),
@@ -264,6 +278,23 @@ func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string
 		startlog.Fatalf("could not create controller: %v", err)
 	}
 
+	if enableConnector {
+		connectorFilter := handler.EnqueueRequestsFromMapFunc(managedResourceHandlerForType("subnetrouter"))
+		err = builder.ControllerManagedBy(mgr).
+			For(&tsapi.Connector{}).
+			Watches(&appsv1.StatefulSet{}, connectorFilter).
+			Watches(&corev1.Secret{}, connectorFilter).
+			Complete(&ConnectorReconciler{
+				ssr:      ssr,
+				recorder: eventRecorder,
+				Client:   mgr.GetClient(),
+				logger:   zlog.Named("connector-reconciler"),
+				clock:    tstime.DefaultClock{},
+			})
+		if err != nil {
+			startlog.Fatal("could not create connector reconciler: %v", err)
+		}
+	}
 	startlog.Infof("Startup complete, operator running, version: %s", version.Long())
 	if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
 		startlog.Fatalf("could not start manager: %v", err)

cmd/k8s-operator/operator_test.go

@@ -6,24 +6,15 @@
 package main
 
 import (
-	"context"
 	"fmt"
-	"strings"
-	"sync"
 	"testing"
-	"time"
 
-	"github.com/google/go-cmp/cmp"
 	"go.uber.org/zap"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/types/ptr"
 )
 
@@ -66,16 +57,19 @@ func TestLoadBalancerClass(t *testing.T) {
 
 	expectReconciled(t, sr, "default", "test")
 
-	fullName, shortName := findGenName(t, fc, "default", "test")
-
-	expectEqual(t, fc, expectedSecret(fullName))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o := stsOpts{
-		name:       shortName,
-		secretName: fullName,
-		hostname:   "default-test",
+	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
+	opts := configOpts{
+		stsName:         shortName,
+		secretName:      fullName,
+		namespace:       "default",
+		parentType:      "svc",
+		hostname:        "default-test",
+		clusterTargetIP: "10.20.30.40",
 	}
-	expectEqual(t, fc, expectedSTS(o))
+
+	expectEqual(t, fc, expectedSecret(t, opts))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
+	expectEqual(t, fc, expectedSTS(opts))
 
 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@@ -159,6 +153,7 @@ func TestLoadBalancerClass(t *testing.T) {
 	}
 	expectEqual(t, fc, want)
 }
+
 func TestTailnetTargetFQDNAnnotation(t *testing.T) {
 	fc := fake.NewFakeClient()
 	ft := &fakeTSClient{}
@@ -203,16 +198,18 @@ func TestTailnetTargetFQDNAnnotation(t *testing.T) {
 
 	expectReconciled(t, sr, "default", "test")
 
-	fullName, shortName := findGenName(t, fc, "default", "test")
-
-	expectEqual(t, fc, expectedSecret(fullName))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o := stsOpts{
-		name:              shortName,
+	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
+	o := configOpts{
+		stsName:           shortName,
 		secretName:        fullName,
+		namespace:         "default",
+		parentType:        "svc",
 		tailnetTargetFQDN: tailnetTargetFQDN,
 		hostname:          "default-test",
 	}
+
+	expectEqual(t, fc, expectedSecret(t, o))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
 	expectEqual(t, fc, expectedSTS(o))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -235,14 +232,8 @@ func TestTailnetTargetFQDNAnnotation(t *testing.T) {
 		},
 	}
 	expectEqual(t, fc, want)
-	expectEqual(t, fc, expectedSecret(fullName))
+	expectEqual(t, fc, expectedSecret(t, o))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o = stsOpts{
-		name:              shortName,
-		secretName:        fullName,
-		tailnetTargetFQDN: tailnetTargetFQDN,
-		hostname:          "default-test",
-	}
 	expectEqual(t, fc, expectedSTS(o))
 
 	// Change the tailscale-target-fqdn annotation which should update the
@@ -272,6 +263,7 @@ func TestTailnetTargetFQDNAnnotation(t *testing.T) {
 	expectMissing[corev1.Service](t, fc, "operator-ns", shortName)
 	expectMissing[corev1.Secret](t, fc, "operator-ns", fullName)
 }
+
 func TestTailnetTargetIPAnnotation(t *testing.T) {
 	fc := fake.NewFakeClient()
 	ft := &fakeTSClient{}
@@ -316,16 +308,18 @@ func TestTailnetTargetIPAnnotation(t *testing.T) {
 
 	expectReconciled(t, sr, "default", "test")
 
-	fullName, shortName := findGenName(t, fc, "default", "test")
-
-	expectEqual(t, fc, expectedSecret(fullName))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o := stsOpts{
-		name:            shortName,
+	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
+	o := configOpts{
+		stsName:         shortName,
 		secretName:      fullName,
+		namespace:       "default",
+		parentType:      "svc",
 		tailnetTargetIP: tailnetTargetIP,
 		hostname:        "default-test",
 	}
+
+	expectEqual(t, fc, expectedSecret(t, o))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
 	expectEqual(t, fc, expectedSTS(o))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -348,14 +342,8 @@ func TestTailnetTargetIPAnnotation(t *testing.T) {
 		},
 	}
 	expectEqual(t, fc, want)
-	expectEqual(t, fc, expectedSecret(fullName))
+	expectEqual(t, fc, expectedSecret(t, o))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o = stsOpts{
-		name:            shortName,
-		secretName:      fullName,
-		tailnetTargetIP: tailnetTargetIP,
-		hostname:        "default-test",
-	}
 	expectEqual(t, fc, expectedSTS(o))
 
 	// Change the tailscale-target-ip annotation which should update the
@@ -427,15 +415,18 @@ func TestAnnotations(t *testing.T) {
 
 	expectReconciled(t, sr, "default", "test")
 
-	fullName, shortName := findGenName(t, fc, "default", "test")
-
-	expectEqual(t, fc, expectedSecret(fullName))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o := stsOpts{
-		name:       shortName,
-		secretName: fullName,
-		hostname:   "default-test",
+	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
+	o := configOpts{
+		stsName:         shortName,
+		secretName:      fullName,
+		namespace:       "default",
+		parentType:      "svc",
+		hostname:        "default-test",
+		clusterTargetIP: "10.20.30.40",
 	}
+
+	expectEqual(t, fc, expectedSecret(t, o))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
 	expectEqual(t, fc, expectedSTS(o))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -532,15 +523,18 @@ func TestAnnotationIntoLB(t *testing.T) {
 
 	expectReconciled(t, sr, "default", "test")
 
-	fullName, shortName := findGenName(t, fc, "default", "test")
-
-	expectEqual(t, fc, expectedSecret(fullName))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o := stsOpts{
-		name:       shortName,
-		secretName: fullName,
-		hostname:   "default-test",
+	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
+	o := configOpts{
+		stsName:         shortName,
+		secretName:      fullName,
+		namespace:       "default",
+		parentType:      "svc",
+		hostname:        "default-test",
+		clusterTargetIP: "10.20.30.40",
 	}
+
+	expectEqual(t, fc, expectedSecret(t, o))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
 	expectEqual(t, fc, expectedSTS(o))
 
 	// Normally the Tailscale proxy pod would come up here and write its info
@@ -586,11 +580,6 @@ func TestAnnotationIntoLB(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")
 	// None of the proxy machinery should have changed...
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o = stsOpts{
-		name:       shortName,
-		secretName: fullName,
-		hostname:   "default-test",
-	}
 	expectEqual(t, fc, expectedSTS(o))
 	// ... but the service should have a LoadBalancer status.
 
@@ -665,15 +654,18 @@ func TestLBIntoAnnotation(t *testing.T) {
 
 	expectReconciled(t, sr, "default", "test")
 
-	fullName, shortName := findGenName(t, fc, "default", "test")
-
-	expectEqual(t, fc, expectedSecret(fullName))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o := stsOpts{
-		name:       shortName,
-		secretName: fullName,
-		hostname:   "default-test",
+	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
+	o := configOpts{
+		stsName:         shortName,
+		secretName:      fullName,
+		namespace:       "default",
+		parentType:      "svc",
+		hostname:        "default-test",
+		clusterTargetIP: "10.20.30.40",
 	}
+
+	expectEqual(t, fc, expectedSecret(t, o))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
 	expectEqual(t, fc, expectedSTS(o))
 
 	// Normally the Tailscale proxy pod would come up here and write its info
@@ -737,11 +729,6 @@ func TestLBIntoAnnotation(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")
 
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o = stsOpts{
-		name:       shortName,
-		secretName: fullName,
-		hostname:   "default-test",
-	}
 	expectEqual(t, fc, expectedSTS(o))
 
 	want = &corev1.Service{
@@ -808,15 +795,18 @@ func TestCustomHostname(t *testing.T) {
 
 	expectReconciled(t, sr, "default", "test")
 
-	fullName, shortName := findGenName(t, fc, "default", "test")
-
-	expectEqual(t, fc, expectedSecret(fullName))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o := stsOpts{
-		name:       shortName,
-		secretName: fullName,
-		hostname:   "reindeer-flotilla",
+	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
+	o := configOpts{
+		stsName:         shortName,
+		secretName:      fullName,
+		namespace:       "default",
+		parentType:      "svc",
+		hostname:        "reindeer-flotilla",
+		clusterTargetIP: "10.20.30.40",
 	}
+
+	expectEqual(t, fc, expectedSecret(t, o))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
 	expectEqual(t, fc, expectedSTS(o))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -919,12 +909,15 @@ func TestCustomPriorityClassName(t *testing.T) {
 
 	expectReconciled(t, sr, "default", "test")
 
-	fullName, shortName := findGenName(t, fc, "default", "test")
-	o := stsOpts{
-		name:              shortName,
+	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
+	o := configOpts{
+		stsName:           shortName,
 		secretName:        fullName,
+		namespace:         "default",
+		parentType:        "svc",
 		hostname:          "tailscale-critical",
 		priorityClassName: "custom-priority-class-name",
+		clusterTargetIP:   "10.20.30.40",
 	}
 
 	expectEqual(t, fc, expectedSTS(o))
@@ -969,14 +962,16 @@ func TestDefaultLoadBalancer(t *testing.T) {
 
 	expectReconciled(t, sr, "default", "test")
 
-	fullName, shortName := findGenName(t, fc, "default", "test")
+	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
 
-	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o := stsOpts{
-		name:       shortName,
-		secretName: fullName,
-		hostname:   "default-test",
+	o := configOpts{
+		stsName:         shortName,
+		secretName:      fullName,
+		namespace:       "default",
+		parentType:      "svc",
+		hostname:        "default-test",
+		clusterTargetIP: "10.20.30.40",
 	}
 	expectEqual(t, fc, expectedSTS(o))
 }
@@ -1021,335 +1016,20 @@ func TestProxyFirewallMode(t *testing.T) {
 
 	expectReconciled(t, sr, "default", "test")
 
-	fullName, shortName := findGenName(t, fc, "default", "test")
-	o := stsOpts{
-		name:         shortName,
-		secretName:   fullName,
-		hostname:     "default-test",
-		firewallMode: "nftables",
+	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
+	o := configOpts{
+		stsName:         shortName,
+		secretName:      fullName,
+		namespace:       "default",
+		parentType:      "svc",
+		hostname:        "default-test",
+		firewallMode:    "nftables",
+		clusterTargetIP: "10.20.30.40",
 	}
 	expectEqual(t, fc, expectedSTS(o))
 
 }
 
-func expectedSecret(name string) *corev1.Secret {
-	return &corev1.Secret{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Secret",
-			APIVersion: "v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      name,
-			Namespace: "operator-ns",
-			Labels: map[string]string{
-				"tailscale.com/managed":              "true",
-				"tailscale.com/parent-resource":      "test",
-				"tailscale.com/parent-resource-ns":   "default",
-				"tailscale.com/parent-resource-type": "svc",
-			},
-		},
-		StringData: map[string]string{
-			"authkey": "secret-authkey",
-		},
-	}
-}
-
-func expectedHeadlessService(name string) *corev1.Service {
-	return &corev1.Service{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Service",
-			APIVersion: "v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:         name,
-			GenerateName: "ts-test-",
-			Namespace:    "operator-ns",
-			Labels: map[string]string{
-				"tailscale.com/managed":              "true",
-				"tailscale.com/parent-resource":      "test",
-				"tailscale.com/parent-resource-ns":   "default",
-				"tailscale.com/parent-resource-type": "svc",
-			},
-		},
-		Spec: corev1.ServiceSpec{
-			Selector: map[string]string{
-				"app": "1234-UID",
-			},
-			ClusterIP: "None",
-		},
-	}
-}
-
-func expectedSTS(opts stsOpts) *appsv1.StatefulSet {
-	containerEnv := []corev1.EnvVar{
-		{Name: "TS_USERSPACE", Value: "false"},
-		{Name: "TS_AUTH_ONCE", Value: "true"},
-		{Name: "TS_KUBE_SECRET", Value: opts.secretName},
-		{Name: "TS_HOSTNAME", Value: opts.hostname},
-	}
-	annots := map[string]string{
-		"tailscale.com/operator-last-set-hostname": opts.hostname,
-	}
-	if opts.tailnetTargetIP != "" {
-		annots["tailscale.com/operator-last-set-ts-tailnet-target-ip"] = opts.tailnetTargetIP
-		containerEnv = append(containerEnv, corev1.EnvVar{
-			Name:  "TS_TAILNET_TARGET_IP",
-			Value: opts.tailnetTargetIP,
-		})
-	} else if opts.tailnetTargetFQDN != "" {
-		annots["tailscale.com/operator-last-set-ts-tailnet-target-fqdn"] = opts.tailnetTargetFQDN
-		containerEnv = append(containerEnv, corev1.EnvVar{
-			Name:  "TS_TAILNET_TARGET_FQDN",
-			Value: opts.tailnetTargetFQDN,
-		})
-
-	} else {
-		containerEnv = append(containerEnv, corev1.EnvVar{
-			Name:  "TS_DEST_IP",
-			Value: "10.20.30.40",
-		})
-
-		annots["tailscale.com/operator-last-set-cluster-ip"] = "10.20.30.40"
-
-	}
-	if opts.firewallMode != "" {
-		containerEnv = append(containerEnv, corev1.EnvVar{
-			Name:  "TS_DEBUG_FIREWALL_MODE",
-			Value: opts.firewallMode,
-		})
-	}
-	return &appsv1.StatefulSet{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "StatefulSet",
-			APIVersion: "apps/v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      opts.name,
-			Namespace: "operator-ns",
-			Labels: map[string]string{
-				"tailscale.com/managed":              "true",
-				"tailscale.com/parent-resource":      "test",
-				"tailscale.com/parent-resource-ns":   "default",
-				"tailscale.com/parent-resource-type": "svc",
-			},
-		},
-		Spec: appsv1.StatefulSetSpec{
-			Replicas: ptr.To[int32](1),
-			Selector: &metav1.LabelSelector{
-				MatchLabels: map[string]string{"app": "1234-UID"},
-			},
-			ServiceName: opts.name,
-			Template: corev1.PodTemplateSpec{
-				ObjectMeta: metav1.ObjectMeta{
-					Annotations:                annots,
-					DeletionGracePeriodSeconds: ptr.To[int64](10),
-					Labels:                     map[string]string{"app": "1234-UID"},
-				},
-				Spec: corev1.PodSpec{
-					ServiceAccountName: "proxies",
-					PriorityClassName:  opts.priorityClassName,
-					InitContainers: []corev1.Container{
-						{
-							Name:    "sysctler",
-							Image:   "tailscale/tailscale",
-							Command: []string{"/bin/sh"},
-							Args:    []string{"-c", "sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1"},
-							SecurityContext: &corev1.SecurityContext{
-								Privileged: ptr.To(true),
-							},
-						},
-					},
-					Containers: []corev1.Container{
-						{
-							Name:  "tailscale",
-							Image: "tailscale/tailscale",
-							Env:   containerEnv,
-							SecurityContext: &corev1.SecurityContext{
-								Capabilities: &corev1.Capabilities{
-									Add: []corev1.Capability{"NET_ADMIN"},
-								},
-							},
-							ImagePullPolicy: "Always",
-						},
-					},
-				},
-			},
-		},
-	}
-}
-
-func findGenName(t *testing.T, client client.Client, ns, name string) (full, noSuffix string) {
-	t.Helper()
-	labels := map[string]string{
-		LabelManaged:         "true",
-		LabelParentName:      name,
-		LabelParentNamespace: ns,
-		LabelParentType:      "svc",
-	}
-	s, err := getSingleObject[corev1.Secret](context.Background(), client, "operator-ns", labels)
-	if err != nil {
-		t.Fatalf("finding secret for %q: %v", name, err)
-	}
-	if s == nil {
-		t.Fatalf("no secret found for %q", name)
-	}
-	return s.GetName(), strings.TrimSuffix(s.GetName(), "-0")
-}
-
-func mustCreate(t *testing.T, client client.Client, obj client.Object) {
-	t.Helper()
-	if err := client.Create(context.Background(), obj); err != nil {
-		t.Fatalf("creating %q: %v", obj.GetName(), err)
-	}
-}
-
-func mustUpdate[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string, update func(O)) {
-	t.Helper()
-	obj := O(new(T))
-	if err := client.Get(context.Background(), types.NamespacedName{
-		Name:      name,
-		Namespace: ns,
-	}, obj); err != nil {
-		t.Fatalf("getting %q: %v", name, err)
-	}
-	update(obj)
-	if err := client.Update(context.Background(), obj); err != nil {
-		t.Fatalf("updating %q: %v", name, err)
-	}
-}
-
-func mustUpdateStatus[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string, update func(O)) {
-	t.Helper()
-	obj := O(new(T))
-	if err := client.Get(context.Background(), types.NamespacedName{
-		Name:      name,
-		Namespace: ns,
-	}, obj); err != nil {
-		t.Fatalf("getting %q: %v", name, err)
-	}
-	update(obj)
-	if err := client.Status().Update(context.Background(), obj); err != nil {
-		t.Fatalf("updating %q: %v", name, err)
-	}
-}
-
-func expectEqual[T any, O ptrObject[T]](t *testing.T, client client.Client, want O) {
-	t.Helper()
-	got := O(new(T))
-	if err := client.Get(context.Background(), types.NamespacedName{
-		Name:      want.GetName(),
-		Namespace: want.GetNamespace(),
-	}, got); err != nil {
-		t.Fatalf("getting %q: %v", want.GetName(), err)
-	}
-	// The resource version changes eagerly whenever the operator does even a
-	// no-op update. Asserting a specific value leads to overly brittle tests,
-	// so just remove it from both got and want.
-	got.SetResourceVersion("")
-	want.SetResourceVersion("")
-	if diff := cmp.Diff(got, want); diff != "" {
-		t.Fatalf("unexpected object (-got +want):\n%s", diff)
-	}
-}
-
-func expectMissing[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string) {
-	t.Helper()
-	obj := O(new(T))
-	if err := client.Get(context.Background(), types.NamespacedName{
-		Name:      name,
-		Namespace: ns,
-	}, obj); !apierrors.IsNotFound(err) {
-		t.Fatalf("object %s/%s unexpectedly present, wanted missing", ns, name)
-	}
-}
-
-func expectReconciled(t *testing.T, sr *ServiceReconciler, ns, name string) {
-	t.Helper()
-	req := reconcile.Request{
-		NamespacedName: types.NamespacedName{
-			Name:      name,
-			Namespace: ns,
-		},
-	}
-	res, err := sr.Reconcile(context.Background(), req)
-	if err != nil {
-		t.Fatalf("Reconcile: unexpected error: %v", err)
-	}
-	if res.Requeue {
-		t.Fatalf("unexpected immediate requeue")
-	}
-	if res.RequeueAfter != 0 {
-		t.Fatalf("unexpected timed requeue (%v)", res.RequeueAfter)
-	}
-}
-
-func expectRequeue(t *testing.T, sr *ServiceReconciler, ns, name string) {
-	t.Helper()
-	req := reconcile.Request{
-		NamespacedName: types.NamespacedName{
-			Name:      name,
-			Namespace: ns,
-		},
-	}
-	res, err := sr.Reconcile(context.Background(), req)
-	if err != nil {
-		t.Fatalf("Reconcile: unexpected error: %v", err)
-	}
-	if res.Requeue {
-		t.Fatalf("unexpected immediate requeue")
-	}
-	if res.RequeueAfter == 0 {
-		t.Fatalf("expected timed requeue, got success")
-	}
-}
-
-type stsOpts struct {
-	name              string
-	secretName        string
-	hostname          string
-	priorityClassName string
-	firewallMode      string
-	tailnetTargetIP   string
-	tailnetTargetFQDN string
-}
-
-type fakeTSClient struct {
-	sync.Mutex
-	keyRequests []tailscale.KeyCapabilities
-	deleted     []string
-}
-
-func (c *fakeTSClient) CreateKey(ctx context.Context, caps tailscale.KeyCapabilities) (string, *tailscale.Key, error) {
-	c.Lock()
-	defer c.Unlock()
-	c.keyRequests = append(c.keyRequests, caps)
-	k := &tailscale.Key{
-		ID:           "key",
-		Created:      time.Now(),
-		Capabilities: caps,
-	}
-	return "secret-authkey", k, nil
-}
-
-func (c *fakeTSClient) DeleteDevice(ctx context.Context, deviceID string) error {
-	c.Lock()
-	defer c.Unlock()
-	c.deleted = append(c.deleted, deviceID)
-	return nil
-}
-
-func (c *fakeTSClient) KeyRequests() []tailscale.KeyCapabilities {
-	c.Lock()
-	defer c.Unlock()
-	return c.keyRequests
-}
-
-func (c *fakeTSClient) Deleted() []string {
-	c.Lock()
-	defer c.Unlock()
-	return c.deleted
-}
-
 func Test_isMagicDNSName(t *testing.T) {
 	tests := []struct {
 		in   string

cmd/k8s-operator/sts.go

@@ -7,6 +7,7 @@ package main
 
 import (
 	"context"
+	"crypto/sha256"
 	_ "embed"
 	"encoding/json"
 	"errors"
@@ -26,6 +27,7 @@ import (
 	"sigs.k8s.io/yaml"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
+	"tailscale.com/net/netutil"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tsnet"
 	"tailscale.com/types/opt"
@@ -54,11 +56,17 @@ const (
 	AnnotationFunnel = "tailscale.com/funnel"
 
 	// Annotations set by the operator on pods to trigger restarts when the
-	// hostname, IP or FQDN changes.
+	// hostname, IP, FQDN or tailscaled config changes.
 	podAnnotationLastSetClusterIP         = "tailscale.com/operator-last-set-cluster-ip"
 	podAnnotationLastSetHostname          = "tailscale.com/operator-last-set-hostname"
 	podAnnotationLastSetTailnetTargetIP   = "tailscale.com/operator-last-set-ts-tailnet-target-ip"
 	podAnnotationLastSetTailnetTargetFQDN = "tailscale.com/operator-last-set-ts-tailnet-target-fqdn"
+	// podAnnotationLastSetConfigFileHash is sha256 hash of the current tailscaled configuration contents.
+	podAnnotationLastSetConfigFileHash = "tailscale.com/operator-last-set-config-file-hash"
+
+	// tailscaledConfigKey is the name of the key in proxy Secret Data that
+	// holds the tailscaled config contents.
+	tailscaledConfigKey = "tailscaled"
 )
 
 type tailscaleSTSConfig struct {
@@ -66,18 +74,26 @@ type tailscaleSTSConfig struct {
 	ParentResourceUID   string
 	ChildResourceLabels map[string]string
 
-	ServeConfig *ipn.ServeConfig
-	// Tailscale target in cluster we are setting up ingress for
-	ClusterTargetIP string
+	ServeConfig     *ipn.ServeConfig
+	ClusterTargetIP string // ingress target
 
-	// Tailscale IP of a Tailscale service we are setting up egress for
-	TailnetTargetIP string
+	TailnetTargetIP string // egress target IP
 
-	// Tailscale FQDN of a Tailscale service we are setting up egress for
-	TailnetTargetFQDN string
+	TailnetTargetFQDN string // egress target FQDN
 
 	Hostname string
 	Tags     []string // if empty, use defaultTags
+
+	// Connector specifies a configuration of a Connector instance if that's
+	// what this StatefulSet should be created for.
+	Connector *connector
+}
+
+type connector struct {
+	// routes is a list of subnet routes that this Connector should expose.
+	routes string
+	// isExitNode defines whether this Connector should act as an exit node.
+	isExitNode bool
 }
 
 type tailscaleSTSReconciler struct {
@@ -107,16 +123,17 @@ func (a *tailscaleSTSReconciler) IsHTTPSEnabledOnTailnet() bool {
 // up to date.
 func (a *tailscaleSTSReconciler) Provision(ctx context.Context, logger *zap.SugaredLogger, sts *tailscaleSTSConfig) (*corev1.Service, error) {
 	// Do full reconcile.
+	// TODO (don't create Service for the Connector)
 	hsvc, err := a.reconcileHeadlessService(ctx, logger, sts)
 	if err != nil {
 		return nil, fmt.Errorf("failed to reconcile headless service: %w", err)
 	}
 
-	secretName, err := a.createOrGetSecret(ctx, logger, sts, hsvc)
+	secretName, tsConfigHash, err := a.createOrGetSecret(ctx, logger, sts, hsvc)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create or get API key secret: %w", err)
 	}
-	_, err = a.reconcileSTS(ctx, logger, sts, hsvc, secretName)
+	_, err = a.reconcileSTS(ctx, logger, sts, hsvc, secretName, tsConfigHash)
 	if err != nil {
 		return nil, fmt.Errorf("failed to reconcile statefulset: %w", err)
 	}
@@ -230,7 +247,7 @@ func (a *tailscaleSTSReconciler) reconcileHeadlessService(ctx context.Context, l
 	return createOrUpdate(ctx, a.Client, a.operatorNamespace, hsvc, func(svc *corev1.Service) { svc.Spec = hsvc.Spec })
 }
 
-func (a *tailscaleSTSReconciler) createOrGetSecret(ctx context.Context, logger *zap.SugaredLogger, stsC *tailscaleSTSConfig, hsvc *corev1.Service) (string, error) {
+func (a *tailscaleSTSReconciler) createOrGetSecret(ctx context.Context, logger *zap.SugaredLogger, stsC *tailscaleSTSConfig, hsvc *corev1.Service) (string, string, error) {
 	secret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			// Hardcode a -0 suffix so that in future, if we support
@@ -246,22 +263,25 @@ func (a *tailscaleSTSReconciler) createOrGetSecret(ctx context.Context, logger *
 		logger.Debugf("secret %s/%s already exists", secret.GetNamespace(), secret.GetName())
 		orig = secret.DeepCopy()
 	} else if !apierrors.IsNotFound(err) {
-		return "", err
+		return "", "", err
 	}
 
+	var (
+		authKey, hash string
+	)
 	if orig == nil {
 		// Secret doesn't exist yet, create one. Initially it contains
 		// only the Tailscale authkey, but once Tailscale starts it'll
 		// also store the daemon state.
 		sts, err := getSingleObject[appsv1.StatefulSet](ctx, a.Client, a.operatorNamespace, stsC.ChildResourceLabels)
 		if err != nil {
-			return "", err
+			return "", "", err
 		}
 		if sts != nil {
 			// StatefulSet exists, so we have already created the secret.
 			// If the secret is missing, they should delete the StatefulSet.
 			logger.Errorf("Tailscale proxy secret doesn't exist, but the corresponding StatefulSet %s/%s already does. Something is wrong, please delete the StatefulSet.", sts.GetNamespace(), sts.GetName())
-			return "", nil
+			return "", "", nil
 		}
 		// Create API Key secret which is going to be used by the statefulset
 		// to authenticate with Tailscale.
@@ -270,30 +290,42 @@ func (a *tailscaleSTSReconciler) createOrGetSecret(ctx context.Context, logger *
 		if len(tags) == 0 {
 			tags = a.defaultTags
 		}
-		authKey, err := a.newAuthKey(ctx, tags)
+		authKey, err = a.newAuthKey(ctx, tags)
 		if err != nil {
-			return "", err
+			return "", "", err
 		}
-
+	}
+	if !shouldDoTailscaledDeclarativeConfig(stsC) && authKey != "" {
 		mak.Set(&secret.StringData, "authkey", authKey)
 	}
+	if shouldDoTailscaledDeclarativeConfig(stsC) {
+		confFileBytes, h, err := tailscaledConfig(stsC, authKey, orig)
+		if err != nil {
+			return "", "", fmt.Errorf("error creating tailscaled config: %w", err)
+		}
+		hash = h
+		mak.Set(&secret.StringData, tailscaledConfigKey, string(confFileBytes))
+	}
 	if stsC.ServeConfig != nil {
 		j, err := json.Marshal(stsC.ServeConfig)
 		if err != nil {
-			return "", err
+			return "", "", err
 		}
 		mak.Set(&secret.StringData, "serve-config", string(j))
 	}
+
 	if orig != nil {
+		logger.Debugf("patching existing state Secret with values %s", secret.Data[tailscaledConfigKey])
 		if err := a.Patch(ctx, secret, client.MergeFrom(orig)); err != nil {
-			return "", err
+			return "", "", err
 		}
 	} else {
+		logger.Debugf("creating new state Secret with authkey %s", secret.Data[tailscaledConfigKey])
 		if err := a.Create(ctx, secret); err != nil {
-			return "", err
+			return "", "", err
 		}
 	}
-	return secret.Name, nil
+	return secret.Name, hash, nil
 }
 
 // DeviceInfo returns the device ID and hostname for the Tailscale device
@@ -321,7 +353,6 @@ func (a *tailscaleSTSReconciler) DeviceInfo(ctx context.Context, childLabels map
 			return "", "", nil, err
 		}
 	}
-
 	return id, hostname, ips, nil
 }
 
@@ -349,7 +380,7 @@ var proxyYaml []byte
 //go:embed deploy/manifests/userspace-proxy.yaml
 var userspaceProxyYaml []byte
 
-func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.SugaredLogger, sts *tailscaleSTSConfig, headlessSvc *corev1.Service, authKeySecret string) (*appsv1.StatefulSet, error) {
+func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.SugaredLogger, sts *tailscaleSTSConfig, headlessSvc *corev1.Service, proxySecret, tsConfigHash string) (*appsv1.StatefulSet, error) {
 	var ss appsv1.StatefulSet
 	if sts.ServeConfig != nil {
 		if err := yaml.Unmarshal(userspaceProxyYaml, &ss); err != nil {
@@ -369,30 +400,90 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 	}
 	container := &ss.Spec.Template.Spec.Containers[0]
 	container.Image = a.proxyImage
+	ss.ObjectMeta = metav1.ObjectMeta{
+		Name:      headlessSvc.Name,
+		Namespace: a.operatorNamespace,
+		Labels:    sts.ChildResourceLabels,
+	}
+	ss.Spec.ServiceName = headlessSvc.Name
+	ss.Spec.Selector = &metav1.LabelSelector{
+		MatchLabels: map[string]string{
+			"app": sts.ParentResourceUID,
+		},
+	}
+	mak.Set(&ss.Spec.Template.Labels, "app", sts.ParentResourceUID)
+
+	// Generic containerboot configuration options.
 	container.Env = append(container.Env,
 		corev1.EnvVar{
 			Name:  "TS_KUBE_SECRET",
-			Value: authKeySecret,
+			Value: proxySecret,
 		},
-		corev1.EnvVar{
+	)
+	if !shouldDoTailscaledDeclarativeConfig(sts) {
+		container.Env = append(container.Env, corev1.EnvVar{
 			Name:  "TS_HOSTNAME",
 			Value: sts.Hostname,
 		})
+		// containerboot currently doesn't have a way to re-read the hostname/ip as
+		// it is passed via an environment variable. So we need to restart the
+		// container when the value changes. We do this by adding an annotation to
+		// the pod template that contains the last value we set.
+		mak.Set(&ss.Spec.Template.Annotations, podAnnotationLastSetHostname, sts.Hostname)
+	}
+	// Configure containeboot to run tailscaled with a configfile read from the state Secret.
+	if shouldDoTailscaledDeclarativeConfig(sts) {
+		mak.Set(&ss.Spec.Template.Annotations, podAnnotationLastSetConfigFileHash, tsConfigHash)
+		ss.Spec.Template.Spec.Volumes = append(ss.Spec.Template.Spec.Volumes, corev1.Volume{
+			Name: "tailscaledconfig",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: proxySecret,
+					Items: []corev1.KeyToPath{{
+						Key:  tailscaledConfigKey,
+						Path: tailscaledConfigKey,
+					}},
+				},
+			},
+		})
+		container.VolumeMounts = append(container.VolumeMounts, corev1.VolumeMount{
+			Name:      "tailscaledconfig",
+			ReadOnly:  true,
+			MountPath: "/etc/tsconfig",
+		})
+		container.Env = append(container.Env, corev1.EnvVar{
+			Name:  "EXPERIMENTAL_TS_CONFIGFILE_PATH",
+			Value: "/etc/tsconfig/tailscaled",
+		})
+	}
+
+	if a.tsFirewallMode != "" {
+		container.Env = append(container.Env, corev1.EnvVar{
+			Name:  "TS_DEBUG_FIREWALL_MODE",
+			Value: a.tsFirewallMode,
+		})
+	}
+	ss.Spec.Template.Spec.PriorityClassName = a.proxyPriorityClassName
+
+	// Ingress/egress proxy configuration options.
 	if sts.ClusterTargetIP != "" {
 		container.Env = append(container.Env, corev1.EnvVar{
 			Name:  "TS_DEST_IP",
 			Value: sts.ClusterTargetIP,
 		})
+		mak.Set(&ss.Spec.Template.Annotations, podAnnotationLastSetClusterIP, sts.ClusterTargetIP)
 	} else if sts.TailnetTargetIP != "" {
 		container.Env = append(container.Env, corev1.EnvVar{
 			Name:  "TS_TAILNET_TARGET_IP",
 			Value: sts.TailnetTargetIP,
 		})
+		mak.Set(&ss.Spec.Template.Annotations, podAnnotationLastSetTailnetTargetIP, sts.TailnetTargetIP)
 	} else if sts.TailnetTargetFQDN != "" {
 		container.Env = append(container.Env, corev1.EnvVar{
 			Name:  "TS_TAILNET_TARGET_FQDN",
 			Value: sts.TailnetTargetFQDN,
 		})
+		mak.Set(&ss.Spec.Template.Annotations, podAnnotationLastSetTailnetTargetFQDN, sts.TailnetTargetFQDN)
 	} else if sts.ServeConfig != nil {
 		container.Env = append(container.Env, corev1.EnvVar{
 			Name:  "TS_SERVE_CONFIG",
@@ -407,7 +498,7 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 			Name: "serve-config",
 			VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
-					SecretName: authKeySecret,
+					SecretName: proxySecret,
 					Items: []corev1.KeyToPath{{
 						Key:  "serve-config",
 						Path: "serve-config",
@@ -416,49 +507,47 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 			},
 		})
 	}
-	if a.tsFirewallMode != "" {
-		container.Env = append(container.Env, corev1.EnvVar{
-			Name:  "TS_DEBUG_FIREWALL_MODE",
-			Value: a.tsFirewallMode,
-		},
-		)
-	}
-	ss.ObjectMeta = metav1.ObjectMeta{
-		Name:      headlessSvc.Name,
-		Namespace: a.operatorNamespace,
-		Labels:    sts.ChildResourceLabels,
-	}
-	ss.Spec.ServiceName = headlessSvc.Name
-	ss.Spec.Selector = &metav1.LabelSelector{
-		MatchLabels: map[string]string{
-			"app": sts.ParentResourceUID,
-		},
-	}
-
-	// containerboot currently doesn't have a way to re-read the hostname/ip as
-	// it is passed via an environment variable. So we need to restart the
-	// container when the value changes. We do this by adding an annotation to
-	// the pod template that contains the last value we set.
-	ss.Spec.Template.Annotations = map[string]string{
-		podAnnotationLastSetHostname: sts.Hostname,
-	}
-	if sts.ClusterTargetIP != "" {
-		ss.Spec.Template.Annotations[podAnnotationLastSetClusterIP] = sts.ClusterTargetIP
-	}
-	if sts.TailnetTargetIP != "" {
-		ss.Spec.Template.Annotations[podAnnotationLastSetTailnetTargetIP] = sts.TailnetTargetIP
-	}
-	if sts.TailnetTargetFQDN != "" {
-		ss.Spec.Template.Annotations[podAnnotationLastSetTailnetTargetFQDN] = sts.TailnetTargetFQDN
-	}
-	ss.Spec.Template.Labels = map[string]string{
-		"app": sts.ParentResourceUID,
-	}
-	ss.Spec.Template.Spec.PriorityClassName = a.proxyPriorityClassName
 	logger.Debugf("reconciling statefulset %s/%s", ss.GetNamespace(), ss.GetName())
 	return createOrUpdate(ctx, a.Client, a.operatorNamespace, &ss, func(s *appsv1.StatefulSet) { s.Spec = ss.Spec })
 }
 
+// tailscaledConfig takes a proxy config, a newly generated auth key if
+// generated and a Secret with the previous proxy state and auth key and
+// produces returns tailscaled configuration and a hash of that configuration.
+func tailscaledConfig(stsC *tailscaleSTSConfig, newAuthkey string, oldSecret *corev1.Secret) ([]byte, string, error) {
+	conf := ipn.ConfigVAlpha{
+		Version:   "alpha0",
+		AcceptDNS: "false",
+		Locked:    "false",
+		Hostname:  &stsC.Hostname,
+	}
+	if stsC.Connector != nil {
+		routes, err := netutil.CalcAdvertiseRoutes(stsC.Connector.routes, stsC.Connector.isExitNode)
+		if err != nil {
+			return nil, "", fmt.Errorf("error calculating routes: %w", err)
+		}
+		conf.AdvertiseRoutes = routes
+	}
+	if newAuthkey != "" {
+		conf.AuthKey = &newAuthkey
+	} else if oldSecret != nil && len(oldSecret.Data[tailscaledConfigKey]) > 0 { // write to StringData, read from Data as StringData is write-only
+		origConf := &ipn.ConfigVAlpha{}
+		if err := json.Unmarshal([]byte(oldSecret.Data[tailscaledConfigKey]), origConf); err != nil {
+			return nil, "", fmt.Errorf("error unmarshaling previous tailscaled config: %w", err)
+		}
+		conf.AuthKey = origConf.AuthKey
+	}
+	confFileBytes, err := json.Marshal(conf)
+	if err != nil {
+		return nil, "", fmt.Errorf("error marshaling tailscaled config : %w", err)
+	}
+	hash, err := hashBytes(confFileBytes)
+	if err != nil {
+		return nil, "", fmt.Errorf("error calculating config hash: %w", err)
+	}
+	return confFileBytes, hash, nil
+}
+
 // ptrObject is a type constraint for pointer types that implement
 // client.Object.
 type ptrObject[T any] interface {
@@ -466,6 +555,24 @@ type ptrObject[T any] interface {
 	*T
 }
 
+// hashBytes produces a hash for the provided bytes that is the same across
+// different invocations of this code. We do not use the
+// tailscale.com/deephash.Hash here because that produces a different hash for
+// the same value in different tailscale builds. The hash we are producing here
+// is used to determine if the container running the Connector Tailscale node
+// needs to be restarted. The container does not need restarting when the only
+// thing that changed is operator version (the hash is also exposed to users via
+// an annotation and might be confusing if it changes without the config having
+// changed).
+func hashBytes(b []byte) (string, error) {
+	h := sha256.New()
+	_, err := h.Write(b)
+	if err != nil {
+		return "", fmt.Errorf("error calculating hash: %w", err)
+	}
+	return fmt.Sprintf("%x", h.Sum(nil)), nil
+}
+
 // createOrUpdate adds obj to the k8s cluster, unless the object already exists,
 // in which case update is called to make changes to it. If update is nil, the
 // existing object is returned unmodified.
@@ -569,3 +676,10 @@ func nameForService(svc *corev1.Service) (string, error) {
 func isValidFirewallMode(m string) bool {
 	return m == "auto" || m == "nftables" || m == "iptables"
 }
+
+// shouldDoTailscaledDeclarativeConfig determines whether the proxy instance
+// should be configured to run tailscaled only with a all config opts passed to
+// tailscaled.
+func shouldDoTailscaledDeclarativeConfig(stsC *tailscaleSTSConfig) bool {
+	return stsC.Connector != nil
+}

cmd/k8s-operator/testutils_test.go

@@ -0,0 +1,411 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !plan9
+
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"net/netip"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"tailscale.com/client/tailscale"
+	"tailscale.com/ipn"
+	"tailscale.com/types/ptr"
+	"tailscale.com/util/mak"
+)
+
+// confgOpts contains configuration options for creating cluster resources for
+// Tailscale proxies.
+type configOpts struct {
+	stsName                    string
+	secretName                 string
+	hostname                   string
+	namespace                  string
+	parentType                 string
+	priorityClassName          string
+	firewallMode               string
+	tailnetTargetIP            string
+	tailnetTargetFQDN          string
+	clusterTargetIP            string
+	subnetRoutes               string
+	isExitNode                 bool
+	shouldUseDeclarativeConfig bool // tailscaled in proxy should be configured using config file
+	confFileHash               string
+}
+
+func expectedSTS(opts configOpts) *appsv1.StatefulSet {
+	tsContainer := corev1.Container{
+		Name:  "tailscale",
+		Image: "tailscale/tailscale",
+		Env: []corev1.EnvVar{
+			{Name: "TS_USERSPACE", Value: "false"},
+			{Name: "TS_AUTH_ONCE", Value: "true"},
+			{Name: "TS_KUBE_SECRET", Value: opts.secretName},
+		},
+		SecurityContext: &corev1.SecurityContext{
+			Capabilities: &corev1.Capabilities{
+				Add: []corev1.Capability{"NET_ADMIN"},
+			},
+		},
+		ImagePullPolicy: "Always",
+	}
+	annots := make(map[string]string)
+	var volumes []corev1.Volume
+	if opts.shouldUseDeclarativeConfig {
+		volumes = []corev1.Volume{
+			{
+				Name: "tailscaledconfig",
+				VolumeSource: corev1.VolumeSource{
+					Secret: &corev1.SecretVolumeSource{
+						SecretName: opts.secretName,
+						Items: []corev1.KeyToPath{
+							{
+								Key:  "tailscaled",
+								Path: "tailscaled",
+							},
+						},
+					},
+				},
+			},
+		}
+		tsContainer.VolumeMounts = []corev1.VolumeMount{{
+			Name:      "tailscaledconfig",
+			ReadOnly:  true,
+			MountPath: "/etc/tsconfig",
+		}}
+		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{
+			Name:  "EXPERIMENTAL_TS_CONFIGFILE_PATH",
+			Value: "/etc/tsconfig/tailscaled",
+		})
+		annots["tailscale.com/operator-last-set-config-file-hash"] = opts.confFileHash
+	} else {
+		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{Name: "TS_HOSTNAME", Value: opts.hostname})
+		annots["tailscale.com/operator-last-set-hostname"] = opts.hostname
+	}
+	if opts.firewallMode != "" {
+		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{
+			Name:  "TS_DEBUG_FIREWALL_MODE",
+			Value: opts.firewallMode,
+		})
+	}
+	if opts.tailnetTargetIP != "" {
+		annots["tailscale.com/operator-last-set-ts-tailnet-target-ip"] = opts.tailnetTargetIP
+		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{
+			Name:  "TS_TAILNET_TARGET_IP",
+			Value: opts.tailnetTargetIP,
+		})
+	} else if opts.tailnetTargetFQDN != "" {
+		annots["tailscale.com/operator-last-set-ts-tailnet-target-fqdn"] = opts.tailnetTargetFQDN
+		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{
+			Name:  "TS_TAILNET_TARGET_FQDN",
+			Value: opts.tailnetTargetFQDN,
+		})
+
+	} else if opts.clusterTargetIP != "" {
+		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{
+			Name:  "TS_DEST_IP",
+			Value: opts.clusterTargetIP,
+		})
+		annots["tailscale.com/operator-last-set-cluster-ip"] = opts.clusterTargetIP
+	}
+	return &appsv1.StatefulSet{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "StatefulSet",
+			APIVersion: "apps/v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      opts.stsName,
+			Namespace: "operator-ns",
+			Labels: map[string]string{
+				"tailscale.com/managed":              "true",
+				"tailscale.com/parent-resource":      "test",
+				"tailscale.com/parent-resource-ns":   opts.namespace,
+				"tailscale.com/parent-resource-type": opts.parentType,
+			},
+		},
+		Spec: appsv1.StatefulSetSpec{
+			Replicas: ptr.To[int32](1),
+			Selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"app": "1234-UID"},
+			},
+			ServiceName: opts.stsName,
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations:                annots,
+					DeletionGracePeriodSeconds: ptr.To[int64](10),
+					Labels:                     map[string]string{"app": "1234-UID"},
+				},
+				Spec: corev1.PodSpec{
+					ServiceAccountName: "proxies",
+					PriorityClassName:  opts.priorityClassName,
+					InitContainers: []corev1.Container{
+						{
+							Name:    "sysctler",
+							Image:   "tailscale/tailscale",
+							Command: []string{"/bin/sh"},
+							Args:    []string{"-c", "sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1"},
+							SecurityContext: &corev1.SecurityContext{
+								Privileged: ptr.To(true),
+							},
+						},
+					},
+					Containers: []corev1.Container{tsContainer},
+					Volumes:    volumes,
+				},
+			},
+		},
+	}
+}
+
+func expectedHeadlessService(name string) *corev1.Service {
+	return &corev1.Service{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Service",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:         name,
+			GenerateName: "ts-test-",
+			Namespace:    "operator-ns",
+			Labels: map[string]string{
+				"tailscale.com/managed":              "true",
+				"tailscale.com/parent-resource":      "test",
+				"tailscale.com/parent-resource-ns":   "default",
+				"tailscale.com/parent-resource-type": "svc",
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			Selector: map[string]string{
+				"app": "1234-UID",
+			},
+			ClusterIP: "None",
+		},
+	}
+}
+
+func expectedSecret(t *testing.T, opts configOpts) *corev1.Secret {
+	t.Helper()
+	labels := map[string]string{
+		"tailscale.com/managed":              "true",
+		"tailscale.com/parent-resource":      "test",
+		"tailscale.com/parent-resource-type": opts.parentType,
+	}
+	s := &corev1.Secret{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Secret",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      opts.secretName,
+			Namespace: "operator-ns",
+		},
+	}
+	if !opts.shouldUseDeclarativeConfig {
+		mak.Set(&s.StringData, "authkey", "secret-authkey")
+		labels["tailscale.com/parent-resource-ns"] = opts.namespace
+	} else {
+		conf := &ipn.ConfigVAlpha{
+			Version:   "alpha0",
+			AcceptDNS: "false",
+			Hostname:  &opts.hostname,
+			Locked:    "false",
+			AuthKey:   ptr.To("secret-authkey"),
+		}
+		var routes []netip.Prefix
+		if opts.subnetRoutes != "" || opts.isExitNode {
+			r := opts.subnetRoutes
+			if opts.isExitNode {
+				r = "0.0.0.0/0,::/0," + r
+			}
+			for _, rr := range strings.Split(r, ",") {
+				prefix, err := netip.ParsePrefix(rr)
+				if err != nil {
+					t.Fatal(err)
+				}
+				routes = append(routes, prefix)
+			}
+		}
+		conf.AdvertiseRoutes = routes
+		b, err := json.Marshal(conf)
+		if err != nil {
+			t.Fatalf("error marshalling tailscaled config")
+		}
+		mak.Set(&s.StringData, "tailscaled", string(b))
+		labels["tailscale.com/parent-resource-ns"] = "" // Connector is cluster scoped
+	}
+	s.Labels = labels
+	return s
+}
+
+func findGenName(t *testing.T, client client.Client, ns, name, typ string) (full, noSuffix string) {
+	t.Helper()
+	labels := map[string]string{
+		LabelManaged:         "true",
+		LabelParentName:      name,
+		LabelParentNamespace: ns,
+		LabelParentType:      typ,
+	}
+	s, err := getSingleObject[corev1.Secret](context.Background(), client, "operator-ns", labels)
+	if err != nil {
+		t.Fatalf("finding secret for %q: %v", name, err)
+	}
+	if s == nil {
+		t.Fatalf("no secret found for %q %s %+#v", name, ns, labels)
+	}
+	return s.GetName(), strings.TrimSuffix(s.GetName(), "-0")
+}
+
+func mustCreate(t *testing.T, client client.Client, obj client.Object) {
+	t.Helper()
+	if err := client.Create(context.Background(), obj); err != nil {
+		t.Fatalf("creating %q: %v", obj.GetName(), err)
+	}
+}
+
+func mustUpdate[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string, update func(O)) {
+	t.Helper()
+	obj := O(new(T))
+	if err := client.Get(context.Background(), types.NamespacedName{
+		Name:      name,
+		Namespace: ns,
+	}, obj); err != nil {
+		t.Fatalf("getting %q: %v", name, err)
+	}
+	update(obj)
+	if err := client.Update(context.Background(), obj); err != nil {
+		t.Fatalf("updating %q: %v", name, err)
+	}
+}
+
+func mustUpdateStatus[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string, update func(O)) {
+	t.Helper()
+	obj := O(new(T))
+	if err := client.Get(context.Background(), types.NamespacedName{
+		Name:      name,
+		Namespace: ns,
+	}, obj); err != nil {
+		t.Fatalf("getting %q: %v", name, err)
+	}
+	update(obj)
+	if err := client.Status().Update(context.Background(), obj); err != nil {
+		t.Fatalf("updating %q: %v", name, err)
+	}
+}
+
+func expectEqual[T any, O ptrObject[T]](t *testing.T, client client.Client, want O) {
+	t.Helper()
+	got := O(new(T))
+	if err := client.Get(context.Background(), types.NamespacedName{
+		Name:      want.GetName(),
+		Namespace: want.GetNamespace(),
+	}, got); err != nil {
+		t.Fatalf("getting %q: %v", want.GetName(), err)
+	}
+	// The resource version changes eagerly whenever the operator does even a
+	// no-op update. Asserting a specific value leads to overly brittle tests,
+	// so just remove it from both got and want.
+	got.SetResourceVersion("")
+	want.SetResourceVersion("")
+	if diff := cmp.Diff(got, want); diff != "" {
+		t.Fatalf("unexpected object (-got +want):\n%s", diff)
+	}
+}
+
+func expectMissing[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string) {
+	t.Helper()
+	obj := O(new(T))
+	if err := client.Get(context.Background(), types.NamespacedName{
+		Name:      name,
+		Namespace: ns,
+	}, obj); !apierrors.IsNotFound(err) {
+		t.Fatalf("object %s/%s unexpectedly present, wanted missing", ns, name)
+	}
+}
+
+func expectReconciled(t *testing.T, sr reconcile.Reconciler, ns, name string) {
+	t.Helper()
+	req := reconcile.Request{
+		NamespacedName: types.NamespacedName{
+			Namespace: ns,
+			Name:      name,
+		},
+	}
+	res, err := sr.Reconcile(context.Background(), req)
+	if err != nil {
+		t.Fatalf("Reconcile: unexpected error: %v", err)
+	}
+	if res.Requeue {
+		t.Fatalf("unexpected immediate requeue")
+	}
+	if res.RequeueAfter != 0 {
+		t.Fatalf("unexpected timed requeue (%v)", res.RequeueAfter)
+	}
+}
+
+func expectRequeue(t *testing.T, sr reconcile.Reconciler, ns, name string) {
+	t.Helper()
+	req := reconcile.Request{
+		NamespacedName: types.NamespacedName{
+			Name:      name,
+			Namespace: ns,
+		},
+	}
+	res, err := sr.Reconcile(context.Background(), req)
+	if err != nil {
+		t.Fatalf("Reconcile: unexpected error: %v", err)
+	}
+	if res.RequeueAfter == 0 {
+		t.Fatalf("expected timed requeue, got success")
+	}
+}
+
+type fakeTSClient struct {
+	sync.Mutex
+	keyRequests []tailscale.KeyCapabilities
+	deleted     []string
+}
+
+func (c *fakeTSClient) CreateKey(ctx context.Context, caps tailscale.KeyCapabilities) (string, *tailscale.Key, error) {
+	c.Lock()
+	defer c.Unlock()
+	c.keyRequests = append(c.keyRequests, caps)
+	k := &tailscale.Key{
+		ID:           "key",
+		Created:      time.Now(),
+		Capabilities: caps,
+	}
+	return "secret-authkey", k, nil
+}
+
+func (c *fakeTSClient) DeleteDevice(ctx context.Context, deviceID string) error {
+	c.Lock()
+	defer c.Unlock()
+	c.deleted = append(c.deleted, deviceID)
+	return nil
+}
+
+func (c *fakeTSClient) KeyRequests() []tailscale.KeyCapabilities {
+	c.Lock()
+	defer c.Unlock()
+	return c.keyRequests
+}
+
+func (c *fakeTSClient) Deleted() []string {
+	c.Lock()
+	defer c.Unlock()
+	return c.deleted
+}

cmd/netlogfmt/main.go

@@ -25,6 +25,7 @@
 package main
 
 import (
+	"cmp"
 	"encoding/base64"
 	"encoding/json"
 	"flag"
@@ -45,7 +46,6 @@ import (
 	"github.com/go-json-experiment/json/jsontext"
 	"tailscale.com/types/logid"
 	"tailscale.com/types/netlogtype"
-	"tailscale.com/util/cmpx"
 	"tailscale.com/util/must"
 )
 
@@ -155,7 +155,7 @@ func printMessage(msg message) {
 		slices.SortFunc(traffic, func(x, y netlogtype.ConnectionCounts) int {
 			nx := x.TxPackets + x.TxBytes + x.RxPackets + x.RxBytes
 			ny := y.TxPackets + y.TxBytes + y.RxPackets + y.RxBytes
-			return cmpx.Compare(ny, nx)
+			return cmp.Compare(ny, nx)
 		})
 		var sum netlogtype.Counts
 		for _, cc := range traffic {

cmd/stund/depaware.txt

@@ -0,0 +1,190 @@
+tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depaware)
+
+        github.com/beorn7/perks/quantile                             from github.com/prometheus/client_golang/prometheus
+     💣 github.com/cespare/xxhash/v2                                 from github.com/prometheus/client_golang/prometheus
+        github.com/golang/protobuf/proto                             from github.com/matttproud/golang_protobuf_extensions/pbutil
+        github.com/google/uuid                                       from tailscale.com/tsweb
+        github.com/matttproud/golang_protobuf_extensions/pbutil      from github.com/prometheus/common/expfmt
+     💣 github.com/prometheus/client_golang/prometheus               from tailscale.com/tsweb/promvarz
+        github.com/prometheus/client_golang/prometheus/internal      from github.com/prometheus/client_golang/prometheus
+        github.com/prometheus/client_model/go                        from github.com/prometheus/client_golang/prometheus+
+        github.com/prometheus/common/expfmt                          from github.com/prometheus/client_golang/prometheus+
+        github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg from github.com/prometheus/common/expfmt
+        github.com/prometheus/common/model                           from github.com/prometheus/client_golang/prometheus+
+  LD    github.com/prometheus/procfs                                 from github.com/prometheus/client_golang/prometheus
+  LD    github.com/prometheus/procfs/internal/fs                     from github.com/prometheus/procfs
+  LD    github.com/prometheus/procfs/internal/util                   from github.com/prometheus/procfs
+     💣 go4.org/mem                                                  from tailscale.com/metrics+
+        go4.org/netipx                                               from tailscale.com/net/tsaddr
+        google.golang.org/protobuf/encoding/prototext                from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/encoding/protowire                from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/internal/descfmt                  from google.golang.org/protobuf/internal/filedesc
+        google.golang.org/protobuf/internal/descopts                 from google.golang.org/protobuf/internal/filedesc+
+        google.golang.org/protobuf/internal/detrand                  from google.golang.org/protobuf/internal/descfmt+
+        google.golang.org/protobuf/internal/encoding/defval          from google.golang.org/protobuf/internal/encoding/tag+
+        google.golang.org/protobuf/internal/encoding/messageset      from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/encoding/tag             from google.golang.org/protobuf/internal/impl
+        google.golang.org/protobuf/internal/encoding/text            from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/errors                   from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/filedesc                 from google.golang.org/protobuf/internal/encoding/tag+
+        google.golang.org/protobuf/internal/filetype                 from google.golang.org/protobuf/runtime/protoimpl
+        google.golang.org/protobuf/internal/flags                    from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/genid                    from google.golang.org/protobuf/encoding/prototext+
+     💣 google.golang.org/protobuf/internal/impl                     from google.golang.org/protobuf/internal/filetype+
+        google.golang.org/protobuf/internal/order                    from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/pragma                   from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/set                      from google.golang.org/protobuf/encoding/prototext
+     💣 google.golang.org/protobuf/internal/strs                     from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/version                  from google.golang.org/protobuf/runtime/protoimpl
+        google.golang.org/protobuf/proto                             from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/reflect/protodesc                 from github.com/golang/protobuf/proto
+     💣 google.golang.org/protobuf/reflect/protoreflect              from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/reflect/protoregistry             from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/runtime/protoiface                from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/runtime/protoimpl                 from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/types/descriptorpb                from google.golang.org/protobuf/reflect/protodesc
+        google.golang.org/protobuf/types/known/timestamppb           from github.com/prometheus/client_golang/prometheus+
+        tailscale.com                                                from tailscale.com/version
+        tailscale.com/envknob                                        from tailscale.com/tsweb+
+        tailscale.com/metrics                                        from tailscale.com/net/stunserver+
+        tailscale.com/net/netaddr                                    from tailscale.com/net/tsaddr
+        tailscale.com/net/stun                                       from tailscale.com/net/stunserver
+        tailscale.com/net/stunserver                                 from tailscale.com/cmd/stund
+        tailscale.com/net/tsaddr                                     from tailscale.com/tsweb
+        tailscale.com/tailcfg                                        from tailscale.com/version
+        tailscale.com/tsweb                                          from tailscale.com/cmd/stund
+        tailscale.com/tsweb/promvarz                                 from tailscale.com/tsweb
+        tailscale.com/tsweb/varz                                     from tailscale.com/tsweb+
+        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
+        tailscale.com/types/ipproto                                  from tailscale.com/tailcfg
+        tailscale.com/types/key                                      from tailscale.com/tailcfg
+        tailscale.com/types/lazy                                     from tailscale.com/version+
+        tailscale.com/types/logger                                   from tailscale.com/tsweb
+        tailscale.com/types/opt                                      from tailscale.com/envknob+
+        tailscale.com/types/ptr                                      from tailscale.com/tailcfg
+        tailscale.com/types/structs                                  from tailscale.com/tailcfg+
+        tailscale.com/types/tkatype                                  from tailscale.com/tailcfg+
+        tailscale.com/types/views                                    from tailscale.com/net/tsaddr+
+        tailscale.com/util/cmpx                                      from tailscale.com/tailcfg+
+   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
+        tailscale.com/util/dnsname                                   from tailscale.com/tailcfg
+        tailscale.com/util/lineread                                  from tailscale.com/version/distro
+        tailscale.com/util/nocasemaps                                from tailscale.com/types/ipproto
+        tailscale.com/util/slicesx                                   from tailscale.com/tailcfg
+        tailscale.com/util/vizerror                                  from tailscale.com/tailcfg+
+        tailscale.com/version                                        from tailscale.com/envknob+
+        tailscale.com/version/distro                                 from tailscale.com/envknob
+        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
+        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
+        golang.org/x/crypto/chacha20poly1305                         from crypto/tls
+        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
+        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
+        golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/hkdf                                     from crypto/tls
+        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
+        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
+        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+        golang.org/x/net/dns/dnsmessage                              from net
+        golang.org/x/net/http/httpguts                               from net/http
+        golang.org/x/net/http/httpproxy                              from net/http
+        golang.org/x/net/http2/hpack                                 from net/http
+        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
+   D    golang.org/x/net/route                                       from net
+        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
+  LD    golang.org/x/sys/unix                                        from github.com/prometheus/procfs+
+   W    golang.org/x/sys/windows                                     from github.com/prometheus/client_golang/prometheus
+        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
+        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
+        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
+        golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
+        bufio                                                        from compress/flate+
+        bytes                                                        from bufio+
+        cmp                                                          from slices
+        compress/flate                                               from compress/gzip
+        compress/gzip                                                from github.com/golang/protobuf/proto+
+        container/list                                               from crypto/tls+
+        context                                                      from crypto/tls+
+        crypto                                                       from crypto/ecdh+
+        crypto/aes                                                   from crypto/ecdsa+
+        crypto/cipher                                                from crypto/aes+
+        crypto/des                                                   from crypto/tls+
+        crypto/dsa                                                   from crypto/x509
+        crypto/ecdh                                                  from crypto/ecdsa+
+        crypto/ecdsa                                                 from crypto/tls+
+        crypto/ed25519                                               from crypto/tls+
+        crypto/elliptic                                              from crypto/ecdsa+
+        crypto/hmac                                                  from crypto/tls+
+        crypto/md5                                                   from crypto/tls+
+        crypto/rand                                                  from crypto/ed25519+
+        crypto/rc4                                                   from crypto/tls
+        crypto/rsa                                                   from crypto/tls+
+        crypto/sha1                                                  from crypto/tls+
+        crypto/sha256                                                from crypto/tls+
+        crypto/sha512                                                from crypto/ecdsa+
+        crypto/subtle                                                from crypto/aes+
+        crypto/tls                                                   from net/http+
+        crypto/x509                                                  from crypto/tls
+        crypto/x509/pkix                                             from crypto/x509
+        database/sql/driver                                          from github.com/google/uuid
+        embed                                                        from crypto/internal/nistec+
+        encoding                                                     from encoding/json+
+        encoding/asn1                                                from crypto/x509+
+        encoding/base64                                              from encoding/json+
+        encoding/binary                                              from compress/gzip+
+        encoding/hex                                                 from crypto/x509+
+        encoding/json                                                from expvar+
+        encoding/pem                                                 from crypto/tls+
+        errors                                                       from bufio+
+        expvar                                                       from github.com/prometheus/client_golang/prometheus+
+        flag                                                         from tailscale.com/cmd/stund
+        fmt                                                          from compress/flate+
+        go/token                                                     from google.golang.org/protobuf/internal/strs
+        hash                                                         from crypto+
+        hash/crc32                                                   from compress/gzip+
+        hash/fnv                                                     from google.golang.org/protobuf/internal/detrand
+        hash/maphash                                                 from go4.org/mem
+        html                                                         from net/http/pprof+
+        io                                                           from bufio+
+        io/fs                                                        from crypto/x509+
+        io/ioutil                                                    from github.com/golang/protobuf/proto+
+        log                                                          from expvar+
+        log/internal                                                 from log
+        maps                                                         from tailscale.com/tailcfg+
+        math                                                         from compress/flate+
+        math/big                                                     from crypto/dsa+
+        math/bits                                                    from compress/flate+
+        math/rand                                                    from math/big+
+        mime                                                         from github.com/prometheus/common/expfmt+
+        mime/multipart                                               from net/http
+        mime/quotedprintable                                         from mime/multipart
+        net                                                          from crypto/tls+
+        net/http                                                     from expvar+
+        net/http/httptrace                                           from net/http
+        net/http/internal                                            from net/http
+        net/http/pprof                                               from tailscale.com/tsweb+
+        net/netip                                                    from go4.org/netipx+
+        net/textproto                                                from golang.org/x/net/http/httpguts+
+        net/url                                                      from crypto/x509+
+        os                                                           from crypto/rand+
+        os/signal                                                    from tailscale.com/cmd/stund
+        path                                                         from github.com/prometheus/client_golang/prometheus/internal+
+        path/filepath                                                from crypto/x509+
+        reflect                                                      from crypto/x509+
+        regexp                                                       from github.com/prometheus/client_golang/prometheus/internal+
+        regexp/syntax                                                from regexp
+        runtime/debug                                                from github.com/prometheus/client_golang/prometheus+
+        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
+        runtime/pprof                                                from net/http/pprof
+        runtime/trace                                                from net/http/pprof
+        slices                                                       from tailscale.com/metrics+
+        sort                                                         from compress/flate+
+        strconv                                                      from compress/flate+
+        strings                                                      from bufio+
+        sync                                                         from compress/flate+
+        sync/atomic                                                  from context+
+        syscall                                                      from crypto/rand+
+        text/tabwriter                                               from runtime/pprof
+        time                                                         from compress/gzip+
+        unicode                                                      from bytes+
+        unicode/utf16                                                from crypto/x509+
+        unicode/utf8                                                 from bufio+

cmd/stund/stund.go

@@ -0,0 +1,48 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// The stund binary is a standalone STUN server.
+package main
+
+import (
+	"context"
+	"flag"
+	"io"
+	"log"
+	"net/http"
+	"os/signal"
+	"syscall"
+
+	"tailscale.com/net/stunserver"
+	"tailscale.com/tsweb"
+)
+
+var (
+	stunAddr = flag.String("stun", ":3478", "UDP address on which to start the STUN server")
+	httpAddr = flag.String("http", ":3479", "address on which to start the debug http server")
+)
+
+func main() {
+	flag.Parse()
+
+	ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	defer cancel()
+
+	log.Printf("HTTP server listening on %s", *httpAddr)
+	go http.ListenAndServe(*httpAddr, mux())
+
+	s := stunserver.New(ctx)
+	if err := s.ListenAndServe(*stunAddr); err != nil {
+		log.Fatal(err)
+	}
+}
+
+func mux() *http.ServeMux {
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		io.WriteString(w, "<h1>stund</h1><a href=/debug>/debug</a>")
+	})
+	debug := tsweb.Debugger(mux)
+	debug.KV("stun_addr", *stunAddr)
+	return mux
+}

cmd/tailscale/cli/cli_test.go

@@ -558,7 +558,6 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				AllowSingleHosts: true,
 				AutoUpdate: ipn.AutoUpdatePrefs{
 					Check: true,
-					Apply: false,
 				},
 			},
 		},
@@ -575,7 +574,6 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				NetfilterMode:    preftype.NetfilterOn,
 				AutoUpdate: ipn.AutoUpdatePrefs{
 					Check: true,
-					Apply: false,
 				},
 			},
 		},
@@ -594,7 +592,6 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				NetfilterMode: preftype.NetfilterOn,
 				AutoUpdate: ipn.AutoUpdatePrefs{
 					Check: true,
-					Apply: false,
 				},
 			},
 		},
@@ -684,7 +681,6 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				NoSNAT:        true,
 				AutoUpdate: ipn.AutoUpdatePrefs{
 					Check: true,
-					Apply: false,
 				},
 			},
 		},
@@ -701,7 +697,6 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				NoSNAT:        true,
 				AutoUpdate: ipn.AutoUpdatePrefs{
 					Check: true,
-					Apply: false,
 				},
 			},
 		},
@@ -720,7 +715,24 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				},
 				AutoUpdate: ipn.AutoUpdatePrefs{
 					Check: true,
-					Apply: false,
+				},
+			},
+		},
+		{
+			name: "via_route_good_16_bit",
+			goos: "linux",
+			args: upArgsT{
+				advertiseRoutes: "fd7a:115c:a1e0:b1a::aabb:10.0.0.0/112",
+				netfilterMode:   "off",
+			},
+			want: &ipn.Prefs{
+				WantRunning: true,
+				NoSNAT:      true,
+				AdvertiseRoutes: []netip.Prefix{
+					netip.MustParsePrefix("fd7a:115c:a1e0:b1a::aabb:10.0.0.0/112"),
+				},
+				AutoUpdate: ipn.AutoUpdatePrefs{
+					Check: true,
 				},
 			},
 		},
@@ -740,7 +752,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				advertiseRoutes: "fd7a:115c:a1e0:b1a:1234:5678::/112",
 				netfilterMode:   "off",
 			},
-			wantErr: "route fd7a:115c:a1e0:b1a:1234:5678::/112 contains invalid site ID 12345678; must be 0xff or less",
+			wantErr: "route fd7a:115c:a1e0:b1a:1234:5678::/112 contains invalid site ID 12345678; must be 0xffff or less",
 		},
 	}
 	for _, tt := range tests {

cmd/tailscale/cli/debug.go

@@ -258,7 +258,7 @@ var debugCmd = &ffcli.Command{
 		{
 			Name:      "portmap",
 			Exec:      debugPortmap,
-			ShortHelp: "run portmap debugging debugging",
+			ShortHelp: "run portmap debugging",
 			FlagSet: (func() *flag.FlagSet {
 				fs := newFlagSet("portmap")
 				fs.DurationVar(&debugPortmapArgs.duration, "duration", 5*time.Second, "timeout for port mapping")
@@ -274,6 +274,16 @@ var debugCmd = &ffcli.Command{
 			Exec:      runPeerEndpointChanges,
 			ShortHelp: "prints debug information about a peer's endpoint changes",
 		},
+		{
+			Name:      "dial-types",
+			Exec:      runDebugDialTypes,
+			ShortHelp: "prints debug information about connecting to a given host or IP",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("dial-types")
+				fs.StringVar(&debugDialTypesArgs.network, "network", "tcp", `network type to dial ("tcp", "udp", etc.)`)
+				return fs
+			})(),
+		},
 	},
 }
 
@@ -683,8 +693,8 @@ func runVia(ctx context.Context, args []string) error {
 		if err != nil {
 			return fmt.Errorf("invalid site-id %q; must be decimal or hex with 0x prefix", args[0])
 		}
-		if siteID > 0xff {
-			return fmt.Errorf("site-id values over 255 are currently reserved")
+		if siteID > 0xffff {
+			return fmt.Errorf("site-id values over 65535 are currently reserved")
 		}
 		ipp, err := netip.ParsePrefix(args[1])
 		if err != nil {
@@ -1015,3 +1025,61 @@ func debugControlKnobs(ctx context.Context, args []string) error {
 	e.Encode(v)
 	return nil
 }
+
+var debugDialTypesArgs struct {
+	network string
+}
+
+func runDebugDialTypes(ctx context.Context, args []string) error {
+	st, err := localClient.Status(ctx)
+	if err != nil {
+		return fixTailscaledConnectError(err)
+	}
+	description, ok := isRunningOrStarting(st)
+	if !ok {
+		printf("%s\n", description)
+		os.Exit(1)
+	}
+
+	if len(args) != 2 || args[0] == "" || args[1] == "" {
+		return errors.New("usage: dial-types <hostname-or-IP> <port>")
+	}
+
+	port, err := strconv.ParseUint(args[1], 10, 16)
+	if err != nil {
+		return fmt.Errorf("invalid port %q: %w", args[1], err)
+	}
+
+	hostOrIP := args[0]
+	ip, _, err := tailscaleIPFromArg(ctx, hostOrIP)
+	if err != nil {
+		return err
+	}
+	if ip != hostOrIP {
+		log.Printf("lookup %q => %q", hostOrIP, ip)
+	}
+
+	qparams := make(url.Values)
+	qparams.Set("ip", ip)
+	qparams.Set("port", strconv.FormatUint(port, 10))
+	qparams.Set("network", debugDialTypesArgs.network)
+
+	req, err := http.NewRequestWithContext(ctx, "POST", "http://local-tailscaled.sock/localapi/v0/debug-dial-types?"+qparams.Encode(), nil)
+	if err != nil {
+		return err
+	}
+
+	resp, err := localClient.DoLocalRequest(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("%s", body)
+	return nil
+}

cmd/tailscale/cli/exitnode.go

@@ -4,6 +4,7 @@
 package cli
 
 import (
+	"cmp"
 	"context"
 	"errors"
 	"flag"
@@ -17,7 +18,6 @@ import (
 	xmaps "golang.org/x/exp/maps"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
-	"tailscale.com/util/cmpx"
 )
 
 var exitNodeCmd = &ffcli.Command{
@@ -228,7 +228,7 @@ func filterFormatAndSortExitNodes(peers []*ipnstate.PeerStatus, filterBy string)
 // by location.Priority, in order of highest priority.
 func sortPeersByPriority(peers []*ipnstate.PeerStatus) {
 	slices.SortStableFunc(peers, func(a, b *ipnstate.PeerStatus) int {
-		return cmpx.Compare(b.Location.Priority, a.Location.Priority)
+		return cmp.Compare(b.Location.Priority, a.Location.Priority)
 	})
 }
 

cmd/tailscale/cli/netcheck.go

@@ -85,7 +85,7 @@ func runNetcheck(ctx context.Context, args []string) error {
 	}
 	for {
 		t0 := time.Now()
-		report, err := c.GetReport(ctx, dm)
+		report, err := c.GetReport(ctx, dm, nil)
 		d := time.Since(t0)
 		if netcheckArgs.verbose {
 			c.Logf("GetReport took %v; err=%v", d.Round(time.Millisecond), err)

cmd/tailscale/cli/serve_v2.go

@@ -93,14 +93,6 @@ var infoMap = map[serveMode]commandInfo{
 	},
 }
 
-func buildShortUsage(subcmd string) string {
-	return strings.Join([]string{
-		subcmd + " [flags] <target> [off]",
-		subcmd + " status [--json]",
-		subcmd + " reset",
-	}, "\n  ")
-}
-
 // errHelpFunc is standard error text that prompts users to
 // run `$subcmd --help` for information on how to use serve.
 var errHelpFunc = func(m serveMode) error {

cmd/tailscale/cli/serve_v2_test.go

@@ -27,7 +27,6 @@ func TestServeDevConfigMutations(t *testing.T) {
 		command []string                       // serve args; nil means no command to run (only reset)
 		want    *ipn.ServeConfig               // non-nil means we want a save of this value
 		wantErr func(error) (badErrMsg string) // nil means no error is wanted
-		before  func(t *testing.T)
 	}
 
 	// group is a group of steps that share the same
@@ -1224,14 +1223,6 @@ func TestMessageForPort(t *testing.T) {
 	}
 }
 
-func unindent(s string) string {
-	lines := strings.Split(s, "\n")
-	for i, line := range lines {
-		lines[i] = strings.TrimSpace(line)
-	}
-	return strings.Join(lines, "\n")
-}
-
 func TestIsLegacyInvocation(t *testing.T) {
 	tests := []struct {
 		subcmd      serveMode

cmd/tailscale/cli/set.go

@@ -12,11 +12,13 @@ import (
 	"os/exec"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/web"
 	"tailscale.com/clientupdate"
 	"tailscale.com/ipn"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/safesocket"
+	"tailscale.com/types/opt"
 	"tailscale.com/types/views"
 	"tailscale.com/version"
 )
@@ -116,7 +118,7 @@ func runSet(ctx context.Context, args []string) (retErr error) {
 			ForceDaemon:            setArgs.forceDaemon,
 			AutoUpdate: ipn.AutoUpdatePrefs{
 				Check: setArgs.updateCheck,
-				Apply: setArgs.updateApply,
+				Apply: opt.NewBool(setArgs.updateApply),
 			},
 			AppConnector: ipn.AppConnectorPrefs{
 				Advertise: setArgs.advertiseConnector,
@@ -172,7 +174,7 @@ func runSet(ctx context.Context, args []string) (retErr error) {
 		// does not use clientupdate.
 		if version.IsMacSysExt() {
 			apply := "0"
-			if maskedPrefs.AutoUpdate.Apply {
+			if maskedPrefs.AutoUpdate.Apply.EqualBool(true) {
 				apply = "1"
 			}
 			out, err := exec.Command("defaults", "write", "io.tailscale.ipn.macsys", "SUAutomaticallyUpdate", apply).CombinedOutput()
@@ -192,7 +194,15 @@ func runSet(ctx context.Context, args []string) (retErr error) {
 	}
 
 	_, err = localClient.EditPrefs(ctx, maskedPrefs)
-	return err
+	if err != nil {
+		return err
+	}
+
+	if setArgs.runWebClient && len(st.TailscaleIPs) > 0 {
+		printf("\nWeb interface now running at %s:%d", st.TailscaleIPs[0], web.ListenPort)
+	}
+
+	return nil
 }
 
 // calcAdvertiseRoutesForSet returns the new value for Prefs.AdvertiseRoutes based on the

cmd/tailscale/cli/up.go

@@ -1044,18 +1044,6 @@ func exitNodeIP(p *ipn.Prefs, st *ipnstate.Status) (ip netip.Addr) {
 	return
 }
 
-func anyPeerAdvertisingRoutes(st *ipnstate.Status) bool {
-	for _, ps := range st.Peer {
-		if ps.PrimaryRoutes == nil {
-			continue
-		}
-		if ps.PrimaryRoutes.Len() > 0 {
-			return true
-		}
-	}
-	return false
-}
-
 func init() {
 	// Required to use our client API. We're fine with the instability since the
 	// client lives in the same repo as this code.

cmd/tailscale/cli/whois.go

@@ -18,7 +18,7 @@ import (
 
 var whoisCmd = &ffcli.Command{
 	Name:       "whois",
-	ShortUsage: "whois [--json] [ip|ip:port]",
+	ShortUsage: "whois [--json] ip[:port]",
 	ShortHelp:  "Show the machine and user associated with a Tailscale IP (v4 or v6)",
 	LongHelp: strings.TrimSpace(`
 	'tailscale whois' shows the machine and user associated with a Tailscale IP (v4 or v6).

cmd/tailscale/depaware.txt

@@ -19,8 +19,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
    L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
    L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
         github.com/google/uuid                                       from tailscale.com/util/quarantine+
-        github.com/gorilla/csrf                                      from tailscale.com/client/web
-        github.com/gorilla/securecookie                              from github.com/gorilla/csrf
+        github.com/gorilla/securecookie                              from github.com/tailscale/csrf
         github.com/hdevalence/ed25519consensus                       from tailscale.com/tka+
    L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
    L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
@@ -38,10 +37,10 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         github.com/peterbourgon/ff/v3                                from github.com/peterbourgon/ff/v3/ffcli
         github.com/peterbourgon/ff/v3/ffcli                          from tailscale.com/cmd/tailscale/cli
         github.com/peterbourgon/ff/v3/internal                       from github.com/peterbourgon/ff/v3
-        github.com/pkg/errors                                        from github.com/gorilla/csrf
         github.com/skip2/go-qrcode                                   from tailscale.com/cmd/tailscale/cli
         github.com/skip2/go-qrcode/bitset                            from github.com/skip2/go-qrcode+
         github.com/skip2/go-qrcode/reedsolomon                       from github.com/skip2/go-qrcode
+        github.com/tailscale/csrf                                    from tailscale.com/client/web
    W 💣 github.com/tailscale/go-winio                                from tailscale.com/safesocket
    W 💣 github.com/tailscale/go-winio/internal/fs                    from github.com/tailscale/go-winio
    W 💣 github.com/tailscale/go-winio/internal/socket                from github.com/tailscale/go-winio
@@ -157,6 +156,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/util/set                                       from tailscale.com/health+
         tailscale.com/util/singleflight                              from tailscale.com/net/dnscache+
         tailscale.com/util/slicesx                                   from tailscale.com/net/dnscache+
+        tailscale.com/util/syspolicy                                 from tailscale.com/ipn
         tailscale.com/util/testenv                                   from tailscale.com/cmd/tailscale/cli
         tailscale.com/util/truncate                                  from tailscale.com/cmd/tailscale/cli
         tailscale.com/util/vizerror                                  from tailscale.com/types/ipproto+
@@ -210,7 +210,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         archive/tar                                                  from tailscale.com/clientupdate
         bufio                                                        from compress/flate+
         bytes                                                        from bufio+
-        cmp                                                          from slices
+        cmp                                                          from slices+
         compress/flate                                               from compress/gzip+
         compress/gzip                                                from net/http+
         compress/zlib                                                from image/png+
@@ -259,8 +259,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         hash/adler32                                                 from compress/zlib
         hash/crc32                                                   from compress/gzip+
         hash/maphash                                                 from go4.org/mem
-        html                                                         from tailscale.com/ipn/ipnstate+
-        html/template                                                from github.com/gorilla/csrf
+        html                                                         from tailscale.com/ipn/ipnstate
         image                                                        from github.com/skip2/go-qrcode+
         image/color                                                  from github.com/skip2/go-qrcode+
         image/png                                                    from github.com/skip2/go-qrcode
@@ -290,12 +289,13 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         os/exec                                                      from github.com/toqueteos/webbrowser+
         os/signal                                                    from tailscale.com/cmd/tailscale/cli
         os/user                                                      from tailscale.com/util/groupmember+
-        path                                                         from html/template+
+        path                                                         from archive/tar+
         path/filepath                                                from crypto/x509+
         reflect                                                      from crypto/x509+
         regexp                                                       from github.com/tailscale/goupnp/httpu+
         regexp/syntax                                                from regexp
         runtime/debug                                                from tailscale.com/util/singleflight+
+        runtime/trace                                                from testing
         slices                                                       from tailscale.com/cmd/tailscale/cli+
         sort                                                         from compress/flate+
         strconv                                                      from compress/flate+
@@ -303,9 +303,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         sync                                                         from compress/flate+
         sync/atomic                                                  from context+
         syscall                                                      from crypto/rand+
+        testing                                                      from tailscale.com/util/syspolicy
         text/tabwriter                                               from github.com/peterbourgon/ff/v3/ffcli+
-        text/template                                                from html/template
-        text/template/parse                                          from html/template+
         time                                                         from compress/gzip+
         unicode                                                      from bytes+
         unicode/utf16                                                from encoding/asn1+

cmd/tailscaled/depaware.txt

@@ -95,8 +95,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
    L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
         github.com/google/uuid                                       from tailscale.com/clientupdate
-        github.com/gorilla/csrf                                      from tailscale.com/client/web
-        github.com/gorilla/securecookie                              from github.com/gorilla/csrf
+        github.com/gorilla/securecookie                              from github.com/tailscale/csrf
         github.com/hdevalence/ed25519consensus                       from tailscale.com/tka+
    L 💣 github.com/illarion/gonotify                                 from tailscale.com/net/dns
    L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
@@ -130,11 +129,11 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/pierrec/lz4/v4/internal/lz4errors                 from github.com/pierrec/lz4/v4+
    L    github.com/pierrec/lz4/v4/internal/lz4stream                 from github.com/pierrec/lz4/v4
    L    github.com/pierrec/lz4/v4/internal/xxh32                     from github.com/pierrec/lz4/v4/internal/lz4stream
-        github.com/pkg/errors                                        from github.com/gorilla/csrf
   LD    github.com/pkg/sftp                                          from tailscale.com/ssh/tailssh
   LD    github.com/pkg/sftp/internal/encoding/ssh/filexfer           from github.com/pkg/sftp
    L 💣 github.com/safchain/ethtool                                  from tailscale.com/net/netkernelconf
    W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
+        github.com/tailscale/csrf                                    from tailscale.com/client/web
    W 💣 github.com/tailscale/go-winio                                from tailscale.com/safesocket
    W 💣 github.com/tailscale/go-winio/internal/fs                    from github.com/tailscale/go-winio
    W 💣 github.com/tailscale/go-winio/internal/socket                from github.com/tailscale/go-winio
@@ -283,7 +282,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/net/netknob                                    from tailscale.com/net/netns+
         tailscale.com/net/netmon                                     from tailscale.com/cmd/tailscaled+
         tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
-     💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnauth+
+   W 💣 tailscale.com/net/netstat                                    from tailscale.com/portlist
         tailscale.com/net/netutil                                    from tailscale.com/ipn/ipnlocal+
         tailscale.com/net/packet                                     from tailscale.com/net/tstun+
         tailscale.com/net/packet/checksum                            from tailscale.com/net/tstun
@@ -442,7 +441,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         archive/tar                                                  from tailscale.com/clientupdate
         bufio                                                        from compress/flate+
         bytes                                                        from bufio+
-        cmp                                                          from slices
+        cmp                                                          from slices+
         compress/flate                                               from compress/gzip+
         compress/gzip                                                from golang.org/x/net/http2+
    W    compress/zlib                                                from debug/pe
@@ -494,7 +493,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         hash/fnv                                                     from tailscale.com/wgengine/magicsock+
         hash/maphash                                                 from go4.org/mem
         html                                                         from tailscale.com/ipn/ipnlocal+
-        html/template                                                from github.com/gorilla/csrf
         io                                                           from bufio+
         io/fs                                                        from crypto/x509+
         io/ioutil                                                    from github.com/godbus/dbus/v5+
@@ -540,8 +538,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         syscall                                                      from crypto/rand+
         testing                                                      from tailscale.com/util/syspolicy
         text/tabwriter                                               from runtime/pprof
-        text/template                                                from html/template
-        text/template/parse                                          from html/template+
         time                                                         from compress/gzip+
         unicode                                                      from bytes+
         unicode/utf16                                                from crypto/x509+

cmd/tailscaled/taildrop.go

@@ -27,7 +27,6 @@ func configureTaildrop(logf logger.Logf, lb *ipnlocal.LocalBackend) {
 		} else {
 			logf("%s Taildrop: using %v", dg, path)
 			lb.SetDirectFileRoot(path)
-			lb.SetDirectFileDoFinalRename(true)
 		}
 	}
 

cmd/tailscaled/tailscaled.go

@@ -324,7 +324,7 @@ func ipnServerOpts() (o serverOptions) {
 var logPol *logpolicy.Policy
 var debugMux *http.ServeMux
 
-func run() error {
+func run() (err error) {
 	var logf logger.Logf = log.Printf
 
 	sys := new(tsd.System)
@@ -332,7 +332,6 @@ func run() error {
 	// Parse config, if specified, to fail early if it's invalid.
 	var conf *conffile.Config
 	if args.confFile != "" {
-		var err error
 		conf, err = conffile.Load(args.confFile)
 		if err != nil {
 			return fmt.Errorf("error reading config file: %w", err)
@@ -340,13 +339,17 @@ func run() error {
 		sys.InitialConfig = conf
 	}
 
-	netMon, err := netmon.New(func(format string, args ...any) {
-		logf(format, args...)
-	})
-	if err != nil {
-		return fmt.Errorf("netmon.New: %w", err)
+	var netMon *netmon.Monitor
+	isWinSvc := isWindowsService()
+	if !isWinSvc {
+		netMon, err = netmon.New(func(format string, args ...any) {
+			logf(format, args...)
+		})
+		if err != nil {
+			return fmt.Errorf("netmon.New: %w", err)
+		}
+		sys.Set(netMon)
 	}
-	sys.Set(netMon)
 
 	pol := logpolicy.New(logtail.CollectionNode, netMon, nil /* use log.Printf */)
 	pol.SetVerbosityLevel(args.verbose)
@@ -362,7 +365,7 @@ func run() error {
 		log.Printf("Error reading environment config: %v", err)
 	}
 
-	if isWindowsService() {
+	if isWinSvc {
 		// Run the IPN server from the Windows service manager.
 		log.Printf("Running service...")
 		if err := runWindowsService(pol); err != nil {
@@ -508,7 +511,13 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 			return ok
 		}
 		dialer.NetstackDialTCP = func(ctx context.Context, dst netip.AddrPort) (net.Conn, error) {
-			return ns.DialContextTCP(ctx, dst)
+			// Note: don't just return ns.DialContextTCP or we'll
+			// return an interface containing a nil pointer.
+			tcpConn, err := ns.DialContextTCP(ctx, dst)
+			if err != nil {
+				return nil, err
+			}
+			return tcpConn, nil
 		}
 	}
 	if socksListener != nil || httpProxyListener != nil {

cmd/testwrapper/args.go

@@ -12,22 +12,6 @@ import (
 	"testing"
 )
 
-// defaultTestArgs contains the default values for all flags in the testing
-// package. It is used to reset the flag values in testwrapper tests to allow
-// parsing the flags again.
-var defaultTestArgs map[string]string
-
-// initDefaultTestArgs initializes defaultTestArgs.
-func initDefaultTestArgs() {
-	if defaultTestArgs != nil {
-		return
-	}
-	defaultTestArgs = make(map[string]string)
-	flag.CommandLine.VisitAll(func(f *flag.Flag) {
-		defaultTestArgs[f.Name] = f.DefValue
-	})
-}
-
 // registerTestFlags registers all flags from the testing package with the
 // provided flag set. It does so by calling testing.Init() and then iterating
 // over all flags registered on flag.CommandLine.

cmd/tsconnect/build.go

@@ -83,26 +83,6 @@ func fixEsbuildMetadataPaths(metadataStr string) ([]byte, error) {
 	return json.Marshal(metadata)
 }
 
-func cleanDist() error {
-	log.Printf("Cleaning %s...\n", *distDir)
-	files, err := os.ReadDir(*distDir)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return os.MkdirAll(*distDir, 0755)
-		}
-		return err
-	}
-
-	for _, file := range files {
-		if file.Name() != "placeholder" {
-			if err := os.Remove(filepath.Join(*distDir, file.Name())); err != nil {
-				return err
-			}
-		}
-	}
-	return nil
-}
-
 func precompressDist(fastCompression bool) error {
 	log.Printf("Pre-compressing files in %s/...\n", *distDir)
 	return precompress.PrecompressDir(*distDir, precompress.Options{

control/controlbase/conn_test.go

@@ -7,7 +7,6 @@ import (
 	"bufio"
 	"bytes"
 	"context"
-	"crypto/rand"
 	"encoding/binary"
 	"fmt"
 	"io"
@@ -302,32 +301,6 @@ func TestConnMemoryOverhead(t *testing.T) {
 	}
 }
 
-// mkConns creates synthetic Noise Conns wrapping the given net.Conns.
-// This function is for testing just the Conn transport logic without
-// having to muck about with Noise handshakes.
-func mkConns(s1, s2 net.Conn) (*Conn, *Conn) {
-	var k1, k2 [chp.KeySize]byte
-	if _, err := rand.Read(k1[:]); err != nil {
-		panic(err)
-	}
-	if _, err := rand.Read(k2[:]); err != nil {
-		panic(err)
-	}
-
-	ret1 := &Conn{
-		conn: s1,
-		tx:   txState{cipher: newCHP(k1)},
-		rx:   rxState{cipher: newCHP(k2)},
-	}
-	ret2 := &Conn{
-		conn: s2,
-		tx:   txState{cipher: newCHP(k2)},
-		rx:   rxState{cipher: newCHP(k1)},
-	}
-
-	return ret1, ret2
-}
-
 type readSink struct {
 	r io.Reader
 

control/controlbase/noiseexplorer_test.go

@@ -32,7 +32,6 @@ import (
 	"encoding/binary"
 	"hash"
 	"io"
-	"math"
 
 	"golang.org/x/crypto/blake2s"
 	"golang.org/x/crypto/chacha20poly1305"
@@ -105,10 +104,6 @@ var minNonce = uint32(0)
  * UTILITY FUNCTIONS                                                *
  * ---------------------------------------------------------------- */
 
-func getPublicKey(kp *keypair) [32]byte {
-	return kp.public_key
-}
-
 func isEmptyKey(k [32]byte) bool {
 	return subtle.ConstantTimeCompare(k[:], emptyKey[:]) == 1
 }
@@ -162,12 +157,6 @@ func generateKeypair() keypair {
 	return generateKeypair()
 }
 
-func generatePublicKey(private_key [32]byte) [32]byte {
-	var public_key [32]byte
-	curve25519.ScalarBaseMult(&public_key, &private_key)
-	return public_key
-}
-
 func encrypt(k [32]byte, n uint32, ad []byte, plaintext []byte) []byte {
 	var nonce [12]byte
 	var ciphertext []byte
@@ -246,12 +235,6 @@ func decryptWithAd(cs *cipherstate, ad []byte, ciphertext []byte) (*cipherstate,
 	return cs, plaintext, valid
 }
 
-func reKey(cs *cipherstate) *cipherstate {
-	e := encrypt(cs.k, math.MaxUint32, []byte{}, emptyKey[:])
-	copy(cs.k[:], e)
-	return cs
-}
-
 /* SymmetricState */
 
 func initializeSymmetric(protocolName []byte) symmetricstate {
@@ -273,19 +256,6 @@ func mixHash(ss *symmetricstate, data []byte) *symmetricstate {
 	return ss
 }
 
-func mixKeyAndHash(ss *symmetricstate, ikm [32]byte) *symmetricstate {
-	var tempH [32]byte
-	var tempK [32]byte
-	ss.ck, tempH, tempK = getHkdf(ss.ck, ikm[:])
-	ss = mixHash(ss, tempH[:])
-	ss.cs = initializeKey(tempK)
-	return ss
-}
-
-func getHandshakeHash(ss *symmetricstate) [32]byte {
-	return ss.h
-}
-
 func encryptAndHash(ss *symmetricstate, plaintext []byte) (*symmetricstate, []byte) {
 	var ciphertext []byte
 	if hasKey(&ss.cs) {
@@ -471,5 +441,3 @@ func RecvMessage(session *noisesession, message *messagebuffer) (*noisesession,
 	session.mc = session.mc + 1
 	return session, plaintext, valid
 }
-
-func main() {}

control/controlclient/auto.go

@@ -252,14 +252,6 @@ func (c *Auto) updateControl() {
 	}
 }
 
-// cancelAuthCtx cancels the existing auth goroutine's context
-// & creates a new one, causing it to restart.
-func (c *Auto) cancelAuthCtx() {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	c.cancelAuthCtxLocked()
-}
-
 // cancelAuthCtxLocked is like cancelAuthCtx, but assumes the caller holds c.mu.
 func (c *Auto) cancelAuthCtxLocked() {
 	if c.authCancel != nil {
@@ -271,14 +263,6 @@ func (c *Auto) cancelAuthCtxLocked() {
 	}
 }
 
-// cancelMapCtx cancels the context for the existing mapPoll and liteUpdates
-// goroutines and creates a new one, causing them to restart.
-func (c *Auto) cancelMapCtx() {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	c.cancelMapCtxLocked()
-}
-
 // cancelMapCtxLocked is like cancelMapCtx, but assumes the caller holds c.mu.
 func (c *Auto) cancelMapCtxLocked() {
 	if c.mapCancel != nil {

control/controlclient/direct.go

@@ -61,23 +61,24 @@ import (
 
 // Direct is the client that connects to a tailcontrol server for a node.
 type Direct struct {
-	httpc                 *http.Client // HTTP client used to talk to tailcontrol
-	dialer                *tsdial.Dialer
-	dnsCache              *dnscache.Resolver
-	controlKnobs          *controlknobs.Knobs // always non-nil
-	serverURL             string              // URL of the tailcontrol server
-	clock                 tstime.Clock
-	logf                  logger.Logf
-	netMon                *netmon.Monitor // or nil
-	discoPubKey           key.DiscoPublic
-	getMachinePrivKey     func() (key.MachinePrivate, error)
-	debugFlags            []string
-	skipIPForwardingCheck bool
-	pinger                Pinger
-	popBrowser            func(url string)             // or nil
-	c2nHandler            http.Handler                 // or nil
-	onClientVersion       func(*tailcfg.ClientVersion) // or nil
-	onControlTime         func(time.Time)              // or nil
+	httpc                      *http.Client // HTTP client used to talk to tailcontrol
+	dialer                     *tsdial.Dialer
+	dnsCache                   *dnscache.Resolver
+	controlKnobs               *controlknobs.Knobs // always non-nil
+	serverURL                  string              // URL of the tailcontrol server
+	clock                      tstime.Clock
+	logf                       logger.Logf
+	netMon                     *netmon.Monitor // or nil
+	discoPubKey                key.DiscoPublic
+	getMachinePrivKey          func() (key.MachinePrivate, error)
+	debugFlags                 []string
+	skipIPForwardingCheck      bool
+	pinger                     Pinger
+	popBrowser                 func(url string)             // or nil
+	c2nHandler                 http.Handler                 // or nil
+	onClientVersion            func(*tailcfg.ClientVersion) // or nil
+	onControlTime              func(time.Time)              // or nil
+	onTailnetDefaultAutoUpdate func(bool)                   // or nil
 
 	dialPlan ControlDialPlanner // can be nil
 
@@ -110,24 +111,25 @@ type Observer interface {
 }
 
 type Options struct {
-	Persist              persist.Persist                    // initial persistent data
-	GetMachinePrivateKey func() (key.MachinePrivate, error) // returns the machine key to use
-	ServerURL            string                             // URL of the tailcontrol server
-	AuthKey              string                             // optional node auth key for auto registration
-	Clock                tstime.Clock
-	Hostinfo             *tailcfg.Hostinfo // non-nil passes ownership, nil means to use default using os.Hostname, etc
-	DiscoPublicKey       key.DiscoPublic
-	Logf                 logger.Logf
-	HTTPTestClient       *http.Client                 // optional HTTP client to use (for tests only)
-	NoiseTestClient      *http.Client                 // optional HTTP client to use for noise RPCs (tests only)
-	DebugFlags           []string                     // debug settings to send to control
-	NetMon               *netmon.Monitor              // optional network monitor
-	PopBrowserURL        func(url string)             // optional func to open browser
-	OnClientVersion      func(*tailcfg.ClientVersion) // optional func to inform GUI of client version status
-	OnControlTime        func(time.Time)              // optional func to notify callers of new time from control
-	Dialer               *tsdial.Dialer               // non-nil
-	C2NHandler           http.Handler                 // or nil
-	ControlKnobs         *controlknobs.Knobs          // or nil to ignore
+	Persist                    persist.Persist                    // initial persistent data
+	GetMachinePrivateKey       func() (key.MachinePrivate, error) // returns the machine key to use
+	ServerURL                  string                             // URL of the tailcontrol server
+	AuthKey                    string                             // optional node auth key for auto registration
+	Clock                      tstime.Clock
+	Hostinfo                   *tailcfg.Hostinfo // non-nil passes ownership, nil means to use default using os.Hostname, etc
+	DiscoPublicKey             key.DiscoPublic
+	Logf                       logger.Logf
+	HTTPTestClient             *http.Client                 // optional HTTP client to use (for tests only)
+	NoiseTestClient            *http.Client                 // optional HTTP client to use for noise RPCs (tests only)
+	DebugFlags                 []string                     // debug settings to send to control
+	NetMon                     *netmon.Monitor              // optional network monitor
+	PopBrowserURL              func(url string)             // optional func to open browser
+	OnClientVersion            func(*tailcfg.ClientVersion) // optional func to inform GUI of client version status
+	OnControlTime              func(time.Time)              // optional func to notify callers of new time from control
+	OnTailnetDefaultAutoUpdate func(bool)                   // optional func to inform GUI of default auto-update setting for the tailnet
+	Dialer                     *tsdial.Dialer               // non-nil
+	C2NHandler                 http.Handler                 // or nil
+	ControlKnobs               *controlknobs.Knobs          // or nil to ignore
 
 	// Observer is called when there's a change in status to report
 	// from the control client.
@@ -263,26 +265,27 @@ func NewDirect(opts Options) (*Direct, error) {
 	}
 
 	c := &Direct{
-		httpc:                 httpc,
-		controlKnobs:          opts.ControlKnobs,
-		getMachinePrivKey:     opts.GetMachinePrivateKey,
-		serverURL:             opts.ServerURL,
-		clock:                 opts.Clock,
-		logf:                  opts.Logf,
-		persist:               opts.Persist.View(),
-		authKey:               opts.AuthKey,
-		discoPubKey:           opts.DiscoPublicKey,
-		debugFlags:            opts.DebugFlags,
-		netMon:                opts.NetMon,
-		skipIPForwardingCheck: opts.SkipIPForwardingCheck,
-		pinger:                opts.Pinger,
-		popBrowser:            opts.PopBrowserURL,
-		onClientVersion:       opts.OnClientVersion,
-		onControlTime:         opts.OnControlTime,
-		c2nHandler:            opts.C2NHandler,
-		dialer:                opts.Dialer,
-		dnsCache:              dnsCache,
-		dialPlan:              opts.DialPlan,
+		httpc:                      httpc,
+		controlKnobs:               opts.ControlKnobs,
+		getMachinePrivKey:          opts.GetMachinePrivateKey,
+		serverURL:                  opts.ServerURL,
+		clock:                      opts.Clock,
+		logf:                       opts.Logf,
+		persist:                    opts.Persist.View(),
+		authKey:                    opts.AuthKey,
+		discoPubKey:                opts.DiscoPublicKey,
+		debugFlags:                 opts.DebugFlags,
+		netMon:                     opts.NetMon,
+		skipIPForwardingCheck:      opts.SkipIPForwardingCheck,
+		pinger:                     opts.Pinger,
+		popBrowser:                 opts.PopBrowserURL,
+		onClientVersion:            opts.OnClientVersion,
+		onTailnetDefaultAutoUpdate: opts.OnTailnetDefaultAutoUpdate,
+		onControlTime:              opts.OnControlTime,
+		c2nHandler:                 opts.C2NHandler,
+		dialer:                     opts.Dialer,
+		dnsCache:                   dnsCache,
+		dialPlan:                   opts.DialPlan,
 	}
 	if opts.Hostinfo == nil {
 		c.SetHostinfo(hostinfo.New())
@@ -1041,7 +1044,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap
 
 		var resp tailcfg.MapResponse
 		if err := c.decodeMsg(msg, &resp, machinePrivKey); err != nil {
-			vlogf("netmap: decode error: %v")
+			vlogf("netmap: decode error: %v", err)
 			return err
 		}
 		watchdogTimer.Stop()
@@ -1091,6 +1094,11 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap
 			metricMapResponseKeepAlives.Add(1)
 			continue
 		}
+		if au, ok := resp.DefaultAutoUpdate.Get(); ok {
+			if c.onTailnetDefaultAutoUpdate != nil {
+				c.onTailnetDefaultAutoUpdate(au)
+			}
+		}
 
 		metricMapResponseMap.Add(1)
 		if gotNonKeepAliveMessage {

control/controlclient/map.go

@@ -8,7 +8,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"net"
-	"net/netip"
 	"reflect"
 	"slices"
 	"sort"
@@ -86,9 +85,9 @@ type mapSession struct {
 	lastDomainAuditLogID   string
 	lastHealth             []string
 	lastPopBrowserURL      string
-	stickyDebug            tailcfg.Debug // accumulated opt.Bool values
 	lastTKAInfo            *tailcfg.TKAInfo
 	lastNetmapSummary      string // from NetworkMap.VeryConcise
+	lastMaxExpiry          time.Duration
 }
 
 // newMapSession returns a mostly unconfigured new mapSession.
@@ -321,6 +320,9 @@ func (ms *mapSession) updateStateFromResponse(resp *tailcfg.MapResponse) {
 	if resp.TKAInfo != nil {
 		ms.lastTKAInfo = resp.TKAInfo
 	}
+	if resp.MaxKeyDuration > 0 {
+		ms.lastMaxExpiry = resp.MaxKeyDuration
+	}
 }
 
 var (
@@ -765,6 +767,7 @@ func (ms *mapSession) netmap() *netmap.NetworkMap {
 		DERPMap:           ms.lastDERPMap,
 		ControlHealth:     ms.lastHealth,
 		TKAEnabled:        ms.lastTKAInfo != nil && !ms.lastTKAInfo.Disabled,
+		MaxKeyDuration:    ms.lastMaxExpiry,
 	}
 
 	if ms.lastTKAInfo != nil && ms.lastTKAInfo.Head != "" {
@@ -790,43 +793,3 @@ func (ms *mapSession) netmap() *netmap.NetworkMap {
 	}
 	return nm
 }
-
-func nodesSorted(v []*tailcfg.Node) bool {
-	for i, n := range v {
-		if i > 0 && n.ID <= v[i-1].ID {
-			return false
-		}
-	}
-	return true
-}
-
-func sortNodes(v []*tailcfg.Node) {
-	sort.Slice(v, func(i, j int) bool { return v[i].ID < v[j].ID })
-}
-
-func cloneNodes(v1 []*tailcfg.Node) []*tailcfg.Node {
-	if v1 == nil {
-		return nil
-	}
-	v2 := make([]*tailcfg.Node, len(v1))
-	for i, n := range v1 {
-		v2[i] = n.Clone()
-	}
-	return v2
-}
-
-var debugSelfIPv6Only = envknob.RegisterBool("TS_DEBUG_SELF_V6_ONLY")
-
-func filterSelfAddresses(in []netip.Prefix) (ret []netip.Prefix) {
-	switch {
-	default:
-		return in
-	case debugSelfIPv6Only():
-		for _, a := range in {
-			if a.Addr().Is6() {
-				ret = append(ret, a)
-			}
-		}
-		return ret
-	}
-}

control/controlknobs/controlknobs.go

@@ -64,6 +64,11 @@ type Knobs struct {
 	// LinuxForceNfTables is whether the node should use nftables for Linux
 	// netfiltering, unless overridden by the user.
 	LinuxForceNfTables atomic.Bool
+
+	// SeamlessKeyRenewal is whether to enable the alpha functionality of
+	// renewing node keys without breaking connections.
+	// http://go/seamless-key-renewal
+	SeamlessKeyRenewal atomic.Bool
 }
 
 // UpdateFromNodeAttributes updates k (if non-nil) based on the provided self
@@ -89,6 +94,7 @@ func (k *Knobs) UpdateFromNodeAttributes(selfNodeAttrs []tailcfg.NodeCapability,
 		silentDisco                   = has(tailcfg.NodeAttrSilentDisco)
 		forceIPTables                 = has(tailcfg.NodeAttrLinuxMustUseIPTables)
 		forceNfTables                 = has(tailcfg.NodeAttrLinuxMustUseNfTables)
+		seamlessKeyRenewal            = has(tailcfg.NodeAttrSeamlessKeyRenewal)
 	)
 
 	if has(tailcfg.NodeAttrOneCGNATEnable) {
@@ -109,6 +115,7 @@ func (k *Knobs) UpdateFromNodeAttributes(selfNodeAttrs []tailcfg.NodeCapability,
 	k.SilentDisco.Store(silentDisco)
 	k.LinuxForceIPTables.Store(forceIPTables)
 	k.LinuxForceNfTables.Store(forceNfTables)
+	k.SeamlessKeyRenewal.Store(seamlessKeyRenewal)
 }
 
 // AsDebugJSON returns k as something that can be marshalled with json.Marshal
@@ -130,5 +137,6 @@ func (k *Knobs) AsDebugJSON() map[string]any {
 		"SilentDisco":                   k.SilentDisco.Load(),
 		"LinuxForceIPTables":            k.LinuxForceIPTables.Load(),
 		"LinuxForceNfTables":            k.LinuxForceNfTables.Load(),
+		"SeamlessKeyRenewal":            k.SeamlessKeyRenewal.Load(),
 	}
 }

derp/derp_server.go

@@ -753,12 +753,6 @@ func (s *Server) debugLogf(format string, v ...any) {
 	}
 }
 
-// for testing
-var (
-	timeSleep = time.Sleep
-	timeNow   = time.Now
-)
-
 // run serves the client until there's an error.
 // If the client hangs up or the server is closed, run returns nil, otherwise run returns an error.
 func (c *sclient) run(ctx context.Context) error {

disco/disco.go

@@ -11,7 +11,7 @@
 //	senderDiscoPub [32]byte // nacl public key
 //	nonce          [24]byte
 //
-// The recipient then decrypts the bytes following (the nacl secretbox)
+// The recipient then decrypts the bytes following (the nacl box)
 // and then the inner payload structure is:
 //
 //	messageType     byte  (the MessageType constants below)
@@ -35,7 +35,7 @@ const Magic = "TS💬" // 6 bytes: 0x54 53 f0 9f 92 ac
 
 const keyLen = 32
 
-// NonceLen is the length of the nonces used by nacl secretboxes.
+// NonceLen is the length of the nonces used by nacl box.
 const NonceLen = 24
 
 type MessageType byte
@@ -70,7 +70,7 @@ func Source(p []byte) (src []byte, ok bool) {
 }
 
 // Parse parses the encrypted part of the message from inside the
-// nacl secretbox.
+// nacl box.
 func Parse(p []byte) (Message, error) {
 	if len(p) < 2 {
 		return nil, errShort

docs/webhooks/example.go

@@ -1,9 +1,9 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-// Package webhooks provides example consumer code for Tailscale
+// Command webhooks provides example consumer code for Tailscale
 // webhooks.
-package webhooks
+package main
 
 import (
 	"crypto/hmac"

docs/windows/policy/en-US/tailscale.adml

@@ -0,0 +1,222 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policyDefinitionResources revision="1.0" schemaVersion="1.0"
+                           xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">
+    <displayName>Tailscale</displayName>
+    <description>A set of policies that enforces particular settings in the Tailscale Windows client.</description>
+    <resources>
+        <stringTable>
+            <string id="TAILSCALE_PRODUCT">Tailscale</string>
+            <string id="SINCE_V1_22">Tailscale version 1.22.0 and later</string>
+            <string id="SINCE_V1_26">Tailscale version 1.26.0 and later</string>
+            <string id="SINCE_V1_50">Tailscale version 1.50.0 and later</string>
+            <string id="SINCE_V1_52">Tailscale version 1.52.0 and later</string>
+            <string id="SINCE_V1_56">Tailscale version 1.56.0 and later</string>
+            <string id="PARTIAL_FULL_SINCE_V1_56">Tailscale version 1.56.0 and later (full support), some earlier versions (partial support)</string>
+            <string id="SINCE_V1_58">Tailscale version 1.58.0 and later</string>
+            <string id="Tailscale_Category">Tailscale</string>
+            <string id="UI_Category">UI customization</string>
+            <string id="Settings_Category">Settings</string>
+            <string id="LoginURL">Require using a specific Tailscale coordination server</string>
+            <string id="LoginURL_Help"><![CDATA[This policy can be used to require the use of a particular Tailscale coordination server.
+See https://tailscale.com/kb/1315/mdm-keys#set-a-custom-control-server-url for more details.
+
+If you configure this policy, set it to the URL of your coordination server, beginning with https:// and ending with no trailing slash. If blank or "https://controlplane.tailscale.com", the default coordination server will be required.
+
+If you disable this policy, the Tailscale SaaS coordination server will be used by default, but a non-standard Tailscale coordination server can be configured using the CLI.]]></string>
+            <string id="LogTarget">Require using a specific Tailscale log server</string>
+            <string id="LogTarget_Help"><![CDATA[This policy can be used to require the use of a non-standard log server.
+Please note that using a non-standard log server will limit Tailscale Support's ability to diagnose problems.
+
+If you configure this policy, set it to the URL of your log server, beginning with https:// and ending with no trailing slash. If blank or "https://log.tailscale.io", the default log server will be used.
+
+If you disable this policy, the Tailscale standard log server will be used by default, but a non-standard Tailscale log server can be configured using the TS_LOG_TARGET environment variable.]]></string>
+            <string id="Tailnet">Specify which Tailnet should be used for Login</string>
+            <string id="Tailnet_Help"><![CDATA[This policy can be used to suggest or require a specific tailnet when opening the login page.
+See https://tailscale.com/kb/1315/mdm-keys#set-a-suggested-or-required-tailnet for more details.
+
+To suggest a tailnet at login time, set this to the name of the tailnet, as shown in the top-left of the admin panel, such as "example.com". That tailnet's SSO button will be shown prominently, along with the option to select a different tailnet.
+
+To require logging in to a particular tailnet, add the "required:" prefix, such as "required:example.com". The result is similar to the suggested tailnet but there will be no option to choose a different tailnet.
+
+If you configure this policy, set it to the name of the tailnet, possibly with the "required:" prefix, as described above.
+
+If you disable this policy, the standard login page will be used.]]></string>
+            <string id="ExitNodeID">Require using a specific Exit Node</string>
+            <string id="ExitNodeID_Help"><![CDATA[This policy can be used to require always using the specified Exit Node whenever the Tailscale client is connected.
+See https://tailscale.com/kb/1315/mdm-keys#force-an-exit-node-to-always-be-used and https://tailscale.com/kb/1103/exit-nodes for more details.
+
+If you enable this policy, set it to the ID of an exit node. The ID is visible on the Machines page of the admin console, or can be queried using the Tailscale API. If the specified exit node is unavailable, this device will have no Internet access unless Tailscale is disconnected.
+
+If you disable this policy or supply an empty exit node ID, then usage of exit nodes will be disallowed.
+
+If you do not configure this policy, no exit node will be used by default but an exit node (if one is available and permitted by ACLs) can be chosen by the user if desired.]]></string>
+            <string id="AllowIncomingConnections">Allow incoming connections</string>
+            <string id="AllowIncomingConnections_Help"><![CDATA[This policy can be used to require that the Allow Incoming Connections setting is configured a certain way.
+See https://tailscale.com/kb/1315/mdm-keys#set-whether-to-allow-incoming-connections and https://tailscale.com/kb/1072/client-preferences#allow-incoming-connections for more details.
+
+If you enable this policy, then Allow Incoming Connections is always enabled and the menu option is hidden.
+
+If you disable this policy, then Allow Incoming Connections is always disabled and the menu option is hidden.
+
+If you do not configure this policy, then Allow Incoming Connections depends on what is selected in the Preferences submenu.]]></string>
+            <string id="UnattendedMode">Run Tailscale in Unattended Mode</string>
+            <string id="UnattendedMode_Help"><![CDATA[This policy can be used to require that the Run Unattended setting is configured a certain way.
+See https://tailscale.com/kb/1315/mdm-keys#set-unattended-mode and https://tailscale.com/kb/1088/run-unattended for more details.
+
+If you enable this policy, then Run Unattended is always enabled and the menu option is hidden.
+
+If you disable this policy, then Run Unattended is always disabled and the menu option is hidden.
+
+If you do not configure this policy, then Run Unattended depends on what is selected in the Preferences submenu.]]></string>
+            <string id="ExitNodeAllowLANAccess">Allow Local Network Access when an Exit Node is in use</string>
+            <string id="ExitNodeAllowLANAccess_Help"><![CDATA[This policy can be used to require that the Allow Local Network Access setting is configured a certain way.
+See https://tailscale.com/kb/1315/mdm-keys#toggle-local-network-access-when-an-exit-node-is-in-use and https://tailscale.com/kb/1103/exit-nodes#step-4-use-the-exit-node for more details.
+
+If you enable this policy, then Allow Local Network Access is always enabled and the menu option is hidden.
+
+If you disable this policy, then Allow Local Network Access is always disabled and the menu option is hidden.
+
+If you do not configure this policy, then Allow Local Network Access depends on what is selected in the Exit Node submenu.]]></string>
+            <string id="UseTailscaleDNSSettings">Use Tailscale DNS Settings</string>
+            <string id="UseTailscaleDNSSettings_Help"><![CDATA[This policy can be used to require that Use Tailscale DNS is configured a certain way.
+See https://tailscale.com/kb/1315/mdm-keys#set-whether-the-device-uses-tailscale-dns-settings for more details.
+
+If you enable this policy, then Use Tailscale DNS is always enabled and the menu option is hidden.
+
+If you disable this policy, then Use Tailscale DNS is always disabled and the menu option is hidden.
+
+If you do not configure this policy, then Use Tailscale DNS depends on what is selected in the Preferences submenu.]]></string>
+            <string id="UseTailscaleSubnets">Use Tailscale Subnets</string>
+            <string id="UseTailscaleSubnets_Help"><![CDATA[This policy can be used to require that Use Tailscale Subnets is configured a certain way.
+See https://tailscale.com/kb/1315/mdm-keys#set-whether-the-device-accepts-tailscale-subnets or https://tailscale.com/kb/1019/subnets for more details.
+
+If you enable this policy, then Use Tailscale Subnets is always enabled and the menu option is hidden.
+
+If you disable this policy, then Use Tailscale Subnets is always disabled and the menu option is hidden.
+
+If you do not configure this policy, then Use Tailscale Subnets depends on what is selected in the Preferences submenu.]]></string>
+            <string id="InstallUpdates">Automatically install updates</string>
+            <string id="InstallUpdates_Help"><![CDATA[This policy can be used to require that Automatically Install Updates is configured a certain way.
+See https://tailscale.com/kb/1067/update#auto-updates for more details.
+
+If you enable this policy, then Automatically Install Updates is always enabled and the menu option is hidden.
+
+If you disable this policy, then Automatically Install Updates is always disabled and the menu option is hidden.
+
+If you do not configure this policy, then Automatically Install Updates depends on what is selected in the Preferences submenu.]]></string>
+            <string id="AdvertiseExitNode">Run Tailscale as an Exit Node</string>
+            <string id="AdvertiseExitNode_Help"><![CDATA[This policy can be used to require that Run Exit Node is configured a certain way.
+See https://tailscale.com/kb/1103/exit-nodes for more details.
+
+If you enable this policy, then Run Exit Node is always enabled and the menu option is hidden.
+
+If you disable this policy, then Run Exit Node is always disabled and the menu option is hidden.
+
+If you do not configure this policy, then Run Exit Node depends on what is selected in the Exit Node submenu.]]></string>
+            <string id="AdminPanel">Show the "Admin Panel" menu item</string>
+            <string id="AdminPanel_Help"><![CDATA[This policy can be used to show or hide the Admin Console item in the Tailscale Menu.
+
+If you enable or don't configure this policy, the Admin Console item will be shown in the Tailscale menu when available.
+
+If you disable this policy, the Admin Console item will always be hidden from the Tailscale menu.]]></string>
+            <string id="NetworkDevices">Show the "Network Devices" submenu</string>
+            <string id="NetworkDevices_Help"><![CDATA[This policy can be used to show or hide the Network Devices submenu in the Tailscale Menu.
+
+If you enable or don't configure this policy, the Network Devices submenu will be shown in the Tailscale menu.
+
+If you disable this policy, the Network Devices submenu will be hidden from the Tailscale menu. This does not affect other devices' visibility in the CLI.]]></string>
+            <string id="TestMenu">Show the "Debug" submenu</string>
+            <string id="TestMenu_Help"><![CDATA[This policy can be used to show or hide the Debug submenu of the Tailscale menu.
+See https://tailscale.com/kb/1315/mdm-keys#hide-the-debug-menu for more details.
+
+If you enable or don't configure this policy, the Debug submenu will be shown in the Tailscale menu when opened while holding Ctrl.
+
+If you disable this policy, the Debug submenu will be hidden from the Tailscale menu.]]></string>
+            <string id="UpdateMenu">Show the "Update Available" menu item</string>
+            <string id="UpdateMenu_Help"><![CDATA[This policy can be used to show or hide the Update Available item in the Tailscale Menu.
+See https://tailscale.com/kb/1315/mdm-keys#hide-the-update-menu for more details.
+
+If you enable or don't configure this policy, the Update Available item will be shown in the Tailscale menu when there is an update.
+
+If you disable this policy, the Update Available item will be hidden from the Tailscale menu.]]></string>
+            <string id="RunExitNode">Show the "Run Exit Node" menu item</string>
+            <string id="RunExitNode_Help"><![CDATA[This policy can be used to show or hide the Run Exit Node item in the Exit Node submenu.
+See https://tailscale.com/kb/1315/mdm-keys#hide-the-run-as-exit-node-menu-item for more details.
+This does not affect using the CLI to enable or disable advertising an exit node. If you wish to enable or disable this feature, see the Run Exit Node policy in the Settings category.
+
+If you enable or don't configure this policy, the Run Exit Node item will be shown in the Exit Node submenu.
+
+If you disable this policy, the Run Exit Node item will be hidden from the Exit Node submenu.]]></string>
+            <string id="PreferencesMenu">Show the "Preferences" submenu</string>
+            <string id="PreferencesMenu_Help"><![CDATA[This policy can be used to show or hide the Preferences submenu of the Tailscale menu.
+See https://tailscale.com/kb/1315/mdm-keys#hide-the-preferences-menu for more details.
+This does not affect using the CLI to modify that menu's preferences. If you wish to control those, look at the policies in the Settings category.
+
+If you enable or don't configure this policy, the Preferences submenu will be shown in the Tailscale menu.
+
+If you disable this policy, the Preferences submenu will be hidden from the Tailscale menu.]]></string>
+            <string id="ExitNodesPicker">Show the "Exit Node" submenu</string>
+            <string id="ExitNodesPicker_Help"><![CDATA[This policy can be used to show or hide the Exit Node submenu of the Tailscale menu.
+See https://tailscale.com/kb/1315/mdm-keys#hide-the-exit-node-picker for more details.
+This does not affect using the CLI to select or stop using an exit node. If you wish to control exit node usage, look at the "Require using a specific Exit Node" policy in the Settings category.
+
+If you enable or don't configure this policy, the Exit Node submenu will be shown in the Tailscale menu.
+
+If you disable this policy, the Exit Node submenu will be hidden from the Tailscale menu.]]></string>
+            <string id="KeyExpirationNoticeTime">Specify a custom key expiration notification time</string>
+            <string id="KeyExpirationNoticeTime_Help"><![CDATA[This policy can be used to configure how soon the notification appears before key expiry.
+See https://tailscale.com/kb/1315/mdm-keys#set-the-key-expiration-notice-period for more details.
+
+Time intervals must be specified as a Go Duration: for example, 24h, 5h25m30s. Time units larger than hours are unsupported.
+
+If you enable this policy and supply a valid time interval, the key expiry notification will begin to display when the current key has less than that amount of time remaining.
+
+If you disable or don't configure this policy, the default time period will be used (as of Tailscale 1.56, this is 24 hours).]]></string>
+            <string id="LogSCMInteractions">Log extra details about service events</string>
+            <string id="LogSCMInteractions_Help"><![CDATA[This policy can be used to enable additional logging related to Service Control Manager for debugging purposes.
+This should only be enabled if recommended by Tailscale Support.
+
+If you enable this policy, additional logging will be enabled for SCM events.
+
+If you disable or don't configure this policy, the normal amount of logging occurs.]]></string>
+            <string id="FlushDNSOnSessionUnlock">Flush the DNS cache on session unlock</string>
+            <string id="FlushDNSOnSessionUnlock_Help"><![CDATA[This policy can be used to enable additional DNS cache flushing for debugging purposes.
+This should only be enabled if recommended by Tailscale Support.
+
+If you enable this policy, the DNS cache will be flushed on session unlock in addition to when the DNS cache would normally be flushed.
+
+If you disable or don't configure this policy, the DNS cache is managed normally.]]></string>
+            <string id="PostureChecking">Collect data for posture checking</string>
+            <string id="PostureChecking_Help"><![CDATA[This policy can be used to require that the Posture Checking setting is configured a certain way.
+See https://tailscale.com/kb/1315/mdm-keys#enable-gathering-device-posture-data and https://tailscale.com/kb/1326/device-identity for more details.
+
+If you enable this policy, then data collection is always enabled.
+
+If you disable this policy, then data collection is always disabled.
+
+If you do not configure this policy, then data collection depends on if it has been enabled from the CLI (as of Tailscale 1.56), it may be present in the GUI in later versions.]]></string>
+        </stringTable>
+        <presentationTable>
+            <presentation id="LoginURL">
+                <textBox refId="LoginURLPrompt">
+                    <label>Coordination server</label>
+                </textBox>
+            </presentation>
+            <presentation id="LogTarget">
+                <textBox refId="LogTargetPrompt">
+                    <label>Log server</label>
+                </textBox>
+            </presentation>
+            <presentation id="Tailnet">
+                <textBox refId="TailnetPrompt">
+                    <label>Tailnet</label>
+                </textBox>
+            </presentation>
+            <presentation id="ExitNodeID">
+                <textBox refId="ExitNodeIDPrompt">
+                    <label>Exit Node</label>
+                </textBox>
+            </presentation>
+        </presentationTable>
+    </resources>
+</policyDefinitionResources>

docs/windows/policy/tailscale.admx

@@ -0,0 +1,256 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<policyDefinitions revision="1.0" schemaVersion="1.0"
+                   xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">
+  <policyNamespaces>
+    <target prefix="tailscale" namespace="Tailscale.Policies" />
+  </policyNamespaces>
+  <resources minRequiredRevision="1.0" />
+
+  <supportedOn>
+    <products>
+      <product name="TAILSCALE_PRODUCT" displayName="$(string.TAILSCALE_PRODUCT)">
+        <majorVersion name="TAILSCALE_V1" displayName="$(string.TAILSCALE_PRODUCT)" versionIndex="1" />
+      </product>
+    </products>
+
+    <definitions>
+      <definition name="SINCE_V1_22"
+                  displayName="$(string.SINCE_V1_22)">
+        <and><reference ref="TAILSCALE_PRODUCT"/></and>
+      </definition>
+      <definition name="SINCE_V1_26"
+                  displayName="$(string.SINCE_V1_26)">
+        <and><reference ref="TAILSCALE_PRODUCT"/></and>
+      </definition>
+      <definition name="SINCE_V1_50"
+                  displayName="$(string.SINCE_V1_50)">
+        <and><reference ref="TAILSCALE_PRODUCT"/></and>
+      </definition>
+      <definition name="SINCE_V1_52"
+                  displayName="$(string.SINCE_V1_52)">
+        <and><reference ref="TAILSCALE_PRODUCT"/></and>
+      </definition>
+      <definition name="PARTIAL_FULL_SINCE_V1_56"
+                  displayName="$(string.PARTIAL_FULL_SINCE_V1_56)">
+        <and><reference ref="TAILSCALE_PRODUCT"/></and>
+      </definition>
+      <definition name="SINCE_V1_56"
+                  displayName="$(string.SINCE_V1_56)">
+        <and><reference ref="TAILSCALE_PRODUCT"/></and>
+      </definition>
+      <definition name="SINCE_V1_58"
+                  displayName="$(string.SINCE_V1_58)">
+        <and><reference ref="TAILSCALE_PRODUCT"/></and>
+      </definition>
+    </definitions>
+  </supportedOn>
+  <categories>
+    <category name="Top_Category" displayName="$(string.Tailscale_Category)" />
+    <category name="UI_Category" displayName="$(string.UI_Category)">
+      <parentCategory ref="Top_Category" />
+    </category>
+    <category name="Settings_Category" displayName="$(string.Settings_Category)">
+      <parentCategory ref="Top_Category" />
+    </category>
+  </categories>
+  <policies>
+    <policy name="LoginURL" class="Machine" displayName="$(string.LoginURL)" explainText="$(string.LoginURL_Help)" presentation="$(presentation.LoginURL)" key="Software\Policies\Tailscale">
+      <parentCategory ref="Top_Category" />
+      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
+      <elements>
+        <text id="LoginURLPrompt" valueName="LoginURL" required="true" />
+      </elements>
+    </policy>
+    <policy name="LogTarget" class="Machine" displayName="$(string.LogTarget)" explainText="$(string.LogTarget_Help)" presentation="$(presentation.LogTarget)" key="Software\Policies\Tailscale">
+      <parentCategory ref="Top_Category" />
+      <supportedOn ref="SINCE_V1_58" />
+      <elements>
+        <text id="LogTargetPrompt" valueName="LogTarget" required="true" />
+      </elements>
+    </policy>
+    <policy name="Tailnet" class="Machine" displayName="$(string.Tailnet)" explainText="$(string.Tailnet_Help)" presentation="$(presentation.Tailnet)" key="Software\Policies\Tailscale">
+      <parentCategory ref="Top_Category" />
+      <supportedOn ref="SINCE_V1_52" />
+      <elements>
+        <text id="TailnetPrompt" valueName="Tailnet" required="true" />
+      </elements>
+    </policy>
+    <policy name="ExitNodeID" class="Machine" displayName="$(string.ExitNodeID)" explainText="$(string.ExitNodeID_Help)" presentation="$(presentation.ExitNodeID)" key="Software\Policies\Tailscale">
+      <parentCategory ref="Settings_Category" />
+      <supportedOn ref="SINCE_V1_56" />
+      <elements>
+        <text id="ExitNodeIDPrompt" valueName="ExitNodeID" required="true" />
+      </elements>
+    </policy>
+    <policy name="AllowIncomingConnections" class="Machine" displayName="$(string.AllowIncomingConnections)" explainText="$(string.AllowIncomingConnections_Help)" key="Software\Policies\Tailscale" valueName="AllowIncomingConnections">
+      <parentCategory ref="Settings_Category" />
+      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
+      <enabledValue>
+        <string>always</string>
+      </enabledValue>
+      <disabledValue>
+        <string>never</string>
+      </disabledValue>
+    </policy>
+    <policy name="UnattendedMode" class="Machine" displayName="$(string.UnattendedMode)" explainText="$(string.UnattendedMode_Help)" key="Software\Policies\Tailscale" valueName="UnattendedMode">
+      <parentCategory ref="Settings_Category" />
+      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
+      <enabledValue>
+        <string>always</string>
+      </enabledValue>
+      <disabledValue>
+        <string>never</string>
+      </disabledValue>
+    </policy>
+    <policy name="ExitNodeAllowLANAccess" class="Machine" displayName="$(string.ExitNodeAllowLANAccess)" explainText="$(string.ExitNodeAllowLANAccess_Help)" key="Software\Policies\Tailscale" valueName="ExitNodeAllowLANAccess">
+      <parentCategory ref="Settings_Category" />
+      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
+      <enabledValue>
+        <string>always</string>
+      </enabledValue>
+      <disabledValue>
+        <string>never</string>
+      </disabledValue>
+    </policy>
+    <policy name="UseTailscaleDNSSettings" class="Machine" displayName="$(string.UseTailscaleDNSSettings)" explainText="$(string.UseTailscaleDNSSettings_Help)" key="Software\Policies\Tailscale" valueName="UseTailscaleDNSSettings">
+      <parentCategory ref="Settings_Category" />
+      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
+      <enabledValue>
+        <string>always</string>
+      </enabledValue>
+      <disabledValue>
+        <string>never</string>
+      </disabledValue>
+    </policy>
+    <policy name="UseTailscaleSubnets" class="Machine" displayName="$(string.UseTailscaleSubnets)" explainText="$(string.UseTailscaleSubnets_Help)" key="Software\Policies\Tailscale" valueName="UseTailscaleSubnets">
+      <parentCategory ref="Settings_Category" />
+      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
+      <enabledValue>
+        <string>always</string>
+      </enabledValue>
+      <disabledValue>
+        <string>never</string>
+      </disabledValue>
+    </policy>
+    <policy name="InstallUpdates" class="Machine" displayName="$(string.InstallUpdates)" explainText="$(string.InstallUpdates_Help)" key="Software\Policies\Tailscale" valueName="InstallUpdates">
+      <parentCategory ref="Settings_Category" />
+      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
+      <enabledValue>
+        <string>always</string>
+      </enabledValue>
+      <disabledValue>
+        <string>never</string>
+      </disabledValue>
+    </policy>
+    <policy name="AdvertiseExitNode" class="Machine" displayName="$(string.AdvertiseExitNode)" explainText="$(string.AdvertiseExitNode_Help)" key="Software\Policies\Tailscale" valueName="AdvertiseExitNode">
+      <parentCategory ref="Settings_Category" />
+      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
+      <enabledValue>
+        <string>always</string>
+      </enabledValue>
+      <disabledValue>
+        <string>never</string>
+      </disabledValue>
+    </policy>
+    <policy name="PostureChecking" class="Machine" displayName="$(string.PostureChecking)" explainText="$(string.PostureChecking_Help)" key="Software\Policies\Tailscale" valueName="PostureChecking">
+      <parentCategory ref="Settings_Category" />
+      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
+      <enabledValue>
+        <string>always</string>
+      </enabledValue>
+      <disabledValue>
+        <string>never</string>
+      </disabledValue>
+    </policy>
+    <policy name="LogSCMInteractions" class="Machine" displayName="$(string.LogSCMInteractions)" explainText="$(string.LogSCMInteractions_Help)" key="Software\Policies\Tailscale" valueName="LogSCMInteractions">
+      <parentCategory ref="Top_Category" />
+      <supportedOn ref="SINCE_V1_26" />
+      <enabledValue>
+        <decimal value="1" />
+      </enabledValue>
+      <disabledValue>
+        <decimal value="0" />
+      </disabledValue>
+    </policy>
+    <policy name="FlushDNSOnSessionUnlock" class="Machine" displayName="$(string.FlushDNSOnSessionUnlock)" explainText="$(string.FlushDNSOnSessionUnlock_Help)" key="Software\Policies\Tailscale" valueName="FlushDNSOnSessionUnlock">
+      <parentCategory ref="Top_Category" />
+      <supportedOn ref="SINCE_V1_22" />
+      <enabledValue>
+        <decimal value="1" />
+      </enabledValue>
+      <disabledValue>
+        <decimal value="0" />
+      </disabledValue>
+    </policy>
+    <policy name="AdminPanel" class="Machine" displayName="$(string.AdminPanel)" explainText="$(string.AdminPanel_Help)" key="Software\Policies\Tailscale" valueName="AdminPanel">
+      <parentCategory ref="UI_Category" />
+      <supportedOn ref="SINCE_V1_22" />
+      <enabledValue>
+        <string>show</string>
+      </enabledValue>
+      <disabledValue>
+        <string>hide</string>
+      </disabledValue>
+    </policy>
+    <policy name="NetworkDevices" class="Machine" displayName="$(string.NetworkDevices)" explainText="$(string.NetworkDevices_Help)" key="Software\Policies\Tailscale" valueName="NetworkDevices">
+      <parentCategory ref="UI_Category" />
+      <supportedOn ref="SINCE_V1_22" />
+      <enabledValue>
+        <string>show</string>
+      </enabledValue>
+      <disabledValue>
+        <string>hide</string>
+      </disabledValue>
+    </policy>
+    <policy name="TestMenu" class="Machine" displayName="$(string.TestMenu)" explainText="$(string.TestMenu_Help)" key="Software\Policies\Tailscale" valueName="TestMenu">
+      <parentCategory ref="UI_Category" />
+      <supportedOn ref="SINCE_V1_22" />
+      <enabledValue>
+        <string>show</string>
+      </enabledValue>
+      <disabledValue>
+        <string>hide</string>
+      </disabledValue>
+    </policy>
+    <policy name="UpdateMenu" class="Machine" displayName="$(string.UpdateMenu)" explainText="$(string.UpdateMenu_Help)" key="Software\Policies\Tailscale" valueName="UpdateMenu">
+      <parentCategory ref="UI_Category" />
+      <supportedOn ref="SINCE_V1_22" />
+      <enabledValue>
+        <string>show</string>
+      </enabledValue>
+      <disabledValue>
+        <string>hide</string>
+      </disabledValue>
+    </policy>
+    <policy name="RunExitNode" class="Machine" displayName="$(string.RunExitNode)" explainText="$(string.RunExitNode_Help)" key="Software\Policies\Tailscale" valueName="RunExitNode">
+      <parentCategory ref="UI_Category" />
+      <supportedOn ref="SINCE_V1_22" />
+      <enabledValue>
+        <string>show</string>
+      </enabledValue>
+      <disabledValue>
+        <string>hide</string>
+      </disabledValue>
+    </policy>
+    <policy name="PreferencesMenu" class="Machine" displayName="$(string.PreferencesMenu)" explainText="$(string.PreferencesMenu_Help)" key="Software\Policies\Tailscale" valueName="PreferencesMenu">
+      <parentCategory ref="UI_Category" />
+      <supportedOn ref="SINCE_V1_22" />
+      <enabledValue>
+        <string>show</string>
+      </enabledValue>
+      <disabledValue>
+        <string>hide</string>
+      </disabledValue>
+    </policy>
+    <policy name="ExitNodesPicker" class="Machine" displayName="$(string.ExitNodesPicker)" explainText="$(string.ExitNodesPicker_Help)" key="Software\Policies\Tailscale" valueName="ExitNodesPicker">
+      <parentCategory ref="UI_Category" />
+      <supportedOn ref="SINCE_V1_22" />
+      <enabledValue>
+        <string>show</string>
+      </enabledValue>
+      <disabledValue>
+        <string>hide</string>
+      </disabledValue>
+    </policy>
+  </policies>
+</policyDefinitions>

doctor/permissions/permissions.go

@@ -26,6 +26,7 @@ func (Check) Run(_ context.Context, logf logger.Logf) error {
 	return permissionsImpl(logf)
 }
 
+//lint:ignore U1000 used in non-windows implementations.
 func formatUserID[T constraints.Integer](id T) string {
 	idStr := fmt.Sprint(id)
 	if uu, err := user.LookupId(idStr); err != nil {
@@ -35,6 +36,7 @@ func formatUserID[T constraints.Integer](id T) string {
 	}
 }
 
+//lint:ignore U1000 used in non-windows implementations.
 func formatGroupID[T constraints.Integer](id T) string {
 	idStr := fmt.Sprint(id)
 	if g, err := user.LookupGroupId(idStr); err != nil {
@@ -44,6 +46,7 @@ func formatGroupID[T constraints.Integer](id T) string {
 	}
 }
 
+//lint:ignore U1000 used in non-windows implementations.
 func formatGroups[T constraints.Integer](groups []T) string {
 	var buf strings.Builder
 	for i, group := range groups {

flake.nix

@@ -120,4 +120,4 @@
   in
     flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system);
 }
-# nix-direnv cache busting line: sha256-bG/ydsJf2UncOcDo8/BXdvQJO3Mk0tl8JGje1b6kto4=
+# nix-direnv cache busting line: sha256-uMVRdgO/HTs0CKqWPUFEL/rFvzio1vblTUaz5Cgi+5Q=

go.mod

@@ -33,7 +33,7 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
 	github.com/golangci/golangci-lint v1.52.2
 	github.com/google/go-cmp v0.5.9
-	github.com/google/go-containerregistry v0.16.1
+	github.com/google/go-containerregistry v0.17.0
 	github.com/google/nftables v0.1.1-0.20230115205135-9aa6fdf5a28c
 	github.com/google/uuid v1.3.1
 	github.com/goreleaser/nfpm/v2 v2.33.1
@@ -44,7 +44,7 @@ require (
 	github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86
 	github.com/jsimonetti/rtnetlink v1.3.5
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/klauspost/compress v1.17.0
+	github.com/klauspost/compress v1.17.4
 	github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a
 	github.com/mattn/go-colorable v0.1.13
 	github.com/mattn/go-isatty v0.0.19
@@ -61,12 +61,13 @@ require (
 	github.com/safchain/ethtool v0.3.0
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e
+	github.com/tailscale/csrf v0.0.0-20240109230941-966d36861f16
 	github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502
 	github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
 	github.com/tailscale/golang-x-crypto v0.0.0-20230713185742-f0b76a10a08e
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05
 	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a
-	github.com/tailscale/mkctr v0.0.0-20220601142259-c0b937af2e89
+	github.com/tailscale/mkctr v0.0.0-20240102155253-bf50773ba734
 	github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85
 	github.com/tailscale/web-client-prebuilt v0.0.0-20231213172531-a4fa669015b2
 	github.com/tailscale/wireguard-go v0.0.0-20231121184858-cc193a0b3272
@@ -103,6 +104,7 @@ require (
 	k8s.io/client-go v0.28.2
 	nhooyr.io/websocket v1.8.7
 	sigs.k8s.io/controller-runtime v0.16.2
+	sigs.k8s.io/controller-tools v0.13.0
 	sigs.k8s.io/yaml v1.3.0
 	software.sslmate.com/src/go-pkcs12 v0.2.1
 )
@@ -111,8 +113,9 @@ require (
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/dave/astrid v0.0.0-20170323122508-8c2895878b14 // indirect
 	github.com/dave/brenda v1.1.0 // indirect
+	github.com/gobuffalo/flect v1.0.2 // indirect
 	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
-	github.com/gorilla/securecookie v1.1.1 // indirect
+	github.com/gorilla/securecookie v1.1.2 // indirect
 )
 
 require (
@@ -166,13 +169,13 @@ require (
 	github.com/charithe/durationcheck v0.0.10 // indirect
 	github.com/chavacava/garif v0.0.0-20230227094218-b8c73b2037b8 // indirect
 	github.com/cloudflare/circl v1.3.3 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
 	github.com/curioswitch/go-reassign v0.2.0 // indirect
 	github.com/daixiang0/gci v0.10.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/denis-tingaikin/go-header v0.4.3 // indirect
-	github.com/docker/cli v24.0.6+incompatible // indirect
-	github.com/docker/distribution v2.8.2+incompatible // indirect
+	github.com/docker/cli v24.0.7+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker v24.0.7+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
@@ -222,7 +225,6 @@ require (
 	github.com/gordonklaus/ineffassign v0.0.0-20230107090616-13ace0543b28 // indirect
 	github.com/goreleaser/chglog v0.5.0 // indirect
 	github.com/goreleaser/fileglob v1.3.0 // indirect
-	github.com/gorilla/csrf v1.7.1
 	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
 	github.com/gostaticanalysis/comment v1.4.2 // indirect
 	github.com/gostaticanalysis/forcetypeassert v0.1.0 // indirect
@@ -325,7 +327,7 @@ require (
 	github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
 	github.com/stbenjam/no-sprintf-host-port v0.1.1 // indirect
 	github.com/stretchr/objx v0.5.0 // indirect
-	github.com/stretchr/testify v1.8.4 // indirect
+	github.com/stretchr/testify v1.8.4
 	github.com/subosito/gotenv v1.4.2 // indirect
 	github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c // indirect
 	github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55

go.mod.sri

@@ -1 +1 @@
-sha256-bG/ydsJf2UncOcDo8/BXdvQJO3Mk0tl8JGje1b6kto4=
+sha256-uMVRdgO/HTs0CKqWPUFEL/rFvzio1vblTUaz5Cgi+5Q=

go.sum

@@ -208,8 +208,8 @@ github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUK
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k=
-github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o=
+github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G/ZW/0kEe2oEKCdS/ZxIyoCU=
+github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk=
 github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8=
 github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU=
@@ -243,10 +243,10 @@ github.com/denis-tingaikin/go-header v0.4.3 h1:tEaZKAlqql6SKCY++utLmkPLd6K8IBM20
 github.com/denis-tingaikin/go-header v0.4.3/go.mod h1:0wOCWuN71D5qIgE2nz9KrKmuYBAC2Mra5RassOIQ2/c=
 github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e h1:vUmf0yezR0y7jJ5pceLHthLaYf4bA5T14B6q39S4q2Q=
 github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e/go.mod h1:YTIHhz/QFSYnu/EhlF2SpU2Uk+32abacUYA5ZPljz1A=
-github.com/docker/cli v24.0.6+incompatible h1:fF+XCQCgJjjQNIMjzaSmiKJSCcfcXb3TWTcc7GAneOY=
-github.com/docker/cli v24.0.6+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
-github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/cli v24.0.7+incompatible h1:wa/nIwYFW7BVTGa7SWPVyyXU9lgORqUb1xfI36MSkFg=
+github.com/docker/cli v24.0.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
+github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig1seQen0cKYlM=
 github.com/docker/docker v24.0.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8=
@@ -363,6 +363,8 @@ github.com/go-toolsmith/typep v1.1.0 h1:fIRYDyF+JywLfqzyhdiHzRop/GQDxxNhLGQ6gFUN
 github.com/go-toolsmith/typep v1.1.0/go.mod h1:fVIw+7zjdsMxDA3ITWnH1yOiw1rnTQKCsF/sk2H/qig=
 github.com/go-xmlfmt/xmlfmt v1.1.2 h1:Nea7b4icn8s57fTx1M5AI4qQT5HEM3rVUO8MuE6g80U=
 github.com/go-xmlfmt/xmlfmt v1.1.2/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM=
+github.com/gobuffalo/flect v1.0.2 h1:eqjPGSo2WmjgY2XlpGwo2NXgL3RucAKo4k4qQMNA5sA=
+github.com/gobuffalo/flect v1.0.2/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee h1:s+21KNqlpePfkah2I+gwHF8xmJWRjooY+5248k6m4A0=
@@ -450,8 +452,8 @@ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-containerregistry v0.16.1 h1:rUEt426sR6nyrL3gt+18ibRcvYpKYdpsa5ZW7MA08dQ=
-github.com/google/go-containerregistry v0.16.1/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ=
+github.com/google/go-containerregistry v0.17.0 h1:5p+zYs/R4VGHkhyvgWurWrpJ2hW4Vv9fQI+GzdcwXLk=
+github.com/google/go-containerregistry v0.17.0/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -494,10 +496,8 @@ github.com/goreleaser/fileglob v1.3.0 h1:/X6J7U8lbDpQtBvGcwwPS6OpzkNVlVEsFUVRx9+
 github.com/goreleaser/fileglob v1.3.0/go.mod h1:Jx6BoXv3mbYkEzwm9THo7xbr5egkAraxkGorbJb4RxU=
 github.com/goreleaser/nfpm/v2 v2.33.1 h1:EkdAzZyVhAI9JC1vjmjjbmnNzyH1J6Cu4JCsA7YcQuc=
 github.com/goreleaser/nfpm/v2 v2.33.1/go.mod h1:8wwWWvJWmn84xo/Sqiv0aMvEGTHlHZTXTEuVSgQpkIM=
-github.com/gorilla/csrf v1.7.1 h1:Ir3o2c1/Uzj6FBxMlAUB6SivgVMy1ONXwYgXn+/aHPE=
-github.com/gorilla/csrf v1.7.1/go.mod h1:+a/4tCmqhG6/w4oafeAZ9pEa3/NZOWYVbD9fV0FwIQA=
-github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
-github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
+github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
@@ -594,8 +594,8 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o
 github.com/kkHAIKE/contextcheck v1.1.4 h1:B6zAaLhOEEcjvUgIYEqystmnFk1Oemn8bvJhbt0GMb8=
 github.com/kkHAIKE/contextcheck v1.1.4/go.mod h1:1+i/gWqokIa+dm31mqGLZhZJ7Uh44DJGZVmr6QRBNJg=
 github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
-github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJwgrqM=
-github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
+github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
 github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU=
 github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -706,8 +706,12 @@ github.com/nishanths/predeclared v0.2.2 h1:V2EPdZPliZymNAn79T8RkNApBjMmVKh5XRpLm
 github.com/nishanths/predeclared v0.2.2/go.mod h1:RROzoN6TnGQupbC+lqggsOlcgysk3LMK/HI84Mp280c=
 github.com/nunnatsa/ginkgolinter v0.11.2 h1:xzQpAsEyZe5F1RMy2Z5kn8UFCGiWfKqJOUd2ZzBXA4M=
 github.com/nunnatsa/ginkgolinter v0.11.2/go.mod h1:dJIGXYXbkBswqa/pIzG0QlVTTDSBMxDoCFwhsl4Uras=
+github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
+github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
+github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
+github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
 github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU=
 github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM=
 github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
@@ -876,6 +880,8 @@ github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c h1:+aPplB
 github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c/go.mod h1:SbErYREK7xXdsRiigaQiQkI9McGRzYMvlKYaP3Nimdk=
 github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e h1:PtWT87weP5LWHEY//SWsYkSO3RWRZo4OSWagh3YD2vQ=
 github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e/go.mod h1:XrBNfAFN+pwoWuksbFS9Ccxnopa15zJGgXRFN90l3K4=
+github.com/tailscale/csrf v0.0.0-20240109230941-966d36861f16 h1:ALxSJ4KoXENNx1f3L+LD/QuY/FpWadzAMtWIa1Po+jk=
+github.com/tailscale/csrf v0.0.0-20240109230941-966d36861f16/go.mod h1:DkNNZmUscMpGHYJVVqyAqMVY6goWltxvnDSMKuDsxlU=
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502 h1:34icjjmqJ2HPjrSuJYEkdZ+0ItmGQAQ75cRHIiftIyE=
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 h1:Gzfnfk2TWrk8Jj4P4c1a3CtQyMaTVCznlkLZI++hok4=
@@ -888,8 +894,8 @@ github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 h1:4chzWmimtJPx
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05/go.mod h1:PdCqy9JzfWMJf1H5UJW2ip33/d4YkoKN0r67yKH1mG8=
 github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a h1:SJy1Pu0eH1C29XwJucQo73FrleVK6t4kYz4NVhp34Yw=
 github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a/go.mod h1:DFSS3NAGHthKo1gTlmEcSBiZrRJXi28rLNd/1udP1c8=
-github.com/tailscale/mkctr v0.0.0-20220601142259-c0b937af2e89 h1:7xU7AFQE83h0wz/dIMvD0t77g0FxFfZIQjghDQxyG2U=
-github.com/tailscale/mkctr v0.0.0-20220601142259-c0b937af2e89/go.mod h1:OGMqrTzDqmJkGumUTtOv44Rp3/4xS+QFbE8Rn0AGlaU=
+github.com/tailscale/mkctr v0.0.0-20240102155253-bf50773ba734 h1:93cvKHbvsPK3MKfFTvR00d0b0R0bzRKBW9yrj813fhI=
+github.com/tailscale/mkctr v0.0.0-20240102155253-bf50773ba734/go.mod h1:6v53VHLmLKUaqWMpSGDeRWhltLSCEteMItYoiKLpdJk=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85 h1:zrsUcqrG2uQSPhaUPjUQwozcRdDdSxxqhNgNZ3drZFk=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
 github.com/tailscale/web-client-prebuilt v0.0.0-20231213172531-a4fa669015b2 h1:lR1voET3dwe3CxacGAiva4k08TXtQ6Dlmult4JILlj4=
@@ -1417,6 +1423,8 @@ gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
 gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
@@ -1485,6 +1493,8 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/controller-runtime v0.16.2 h1:mwXAVuEk3EQf478PQwQ48zGOXvW27UJc8NHktQVuIPU=
 sigs.k8s.io/controller-runtime v0.16.2/go.mod h1:vpMu3LpI5sYWtujJOa2uPK61nB5rbwlN7BAB8aSLvGU=
+sigs.k8s.io/controller-tools v0.13.0 h1:NfrvuZ4bxyolhDBt/rCZhDnx3M2hzlhgo5n3Iv2RykI=
+sigs.k8s.io/controller-tools v0.13.0/go.mod h1:5vw3En2NazbejQGCeWKRrE7q4P+CW8/klfVqP8QZkgA=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk=

header.txt

@@ -0,0 +1,2 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

health/health.go

@@ -360,6 +360,8 @@ func SetDERPRegionHealth(region int, problem string) {
 	selfCheckLocked()
 }
 
+// NoteDERPRegionReceivedFrame is called to note that a frame was received from
+// the given DERP region at the current time.
 func NoteDERPRegionReceivedFrame(region int) {
 	mu.Lock()
 	defer mu.Unlock()
@@ -367,6 +369,15 @@ func NoteDERPRegionReceivedFrame(region int) {
 	selfCheckLocked()
 }
 
+// GetDERPRegionReceivedTime returns the last time that a frame was received
+// from the given DERP region, or the zero time if no communication with that
+// region has occurred.
+func GetDERPRegionReceivedTime(region int) time.Time {
+	mu.Lock()
+	defer mu.Unlock()
+	return derpRegionLastFrame[region]
+}
+
 // state is an ipn.State.String() value: "Running", "Stopped", "NeedsLogin", etc.
 func SetIPNState(state string, wantRunning bool) {
 	mu.Lock()

ipn/backend.go

@@ -175,6 +175,7 @@ type PartialFile struct {
 	// in-progress '*.partial' file's path when the peerapi isn't
 	// being used; see LocalBackend.SetDirectFileRoot.
 	PartialPath string `json:",omitempty"`
+	FinalPath   string `json:",omitempty"`
 
 	// Done is set in "direct" mode when the partial file has been
 	// closed and is ready for the caller to rename away the

ipn/ipnauth/ipnauth.go

@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"io"
 	"net"
-	"net/netip"
 	"os"
 	"os/user"
 	"runtime"
@@ -18,7 +17,6 @@ import (
 	"inet.af/peercred"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
-	"tailscale.com/net/netstat"
 	"tailscale.com/safesocket"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/clientmetric"
@@ -207,12 +205,3 @@ func isLocalAdmin(uid string) (bool, error) {
 	}
 	return groupmember.IsMemberOfGroup(adminGroup, u.Username)
 }
-
-func peerPid(entries []netstat.Entry, la, ra netip.AddrPort) int {
-	for _, e := range entries {
-		if e.Local == ra && e.Remote == la {
-			return e.Pid
-		}
-	}
-	return 0
-}

ipn/ipnauth/ipnauth_windows.go

@@ -20,7 +20,7 @@ import (
 // based on the user who owns the other end of the connection.
 // If c is not backed by a named pipe, an error is returned.
 func GetConnIdentity(logf logger.Logf, c net.Conn) (ci *ConnIdentity, err error) {
-	ci = &ConnIdentity{conn: c}
+	ci = &ConnIdentity{conn: c, notWindows: false}
 	wcc, ok := c.(*safesocket.WindowsClientConn)
 	if !ok {
 		return nil, fmt.Errorf("not a WindowsClientConn: %T", c)

ipn/ipnlocal/c2n.go

@@ -378,7 +378,7 @@ func (b *LocalBackend) newC2NUpdateResponse() tailcfg.C2NUpdateResponse {
 	// invoke it here. For this purpose, it is ok to pass it a zero Arguments.
 	prefs := b.Prefs().AutoUpdate()
 	return tailcfg.C2NUpdateResponse{
-		Enabled:   envknob.AllowsRemoteUpdate() || prefs.Apply,
+		Enabled:   envknob.AllowsRemoteUpdate() || prefs.Apply.EqualBool(true),
 		Supported: clientupdate.CanAutoUpdate(),
 	}
 }

ipn/ipnlocal/local.go

@@ -4,6 +4,7 @@
 package ipnlocal
 
 import (
+	"cmp"
 	"context"
 	"encoding/base64"
 	"encoding/json"
@@ -76,6 +77,7 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/logid"
 	"tailscale.com/types/netmap"
+	"tailscale.com/types/opt"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/preftype"
 	"tailscale.com/types/ptr"
@@ -263,9 +265,8 @@ type LocalBackend struct {
 	// It's also used on several NAS platforms (Synology, TrueNAS, etc)
 	// but in that case DoFinalRename is also set true, which moves the
 	// *.partial file to its final name on completion.
-	directFileRoot          string
-	directFileDoFinalRename bool // false on macOS, true on several NAS platforms
-	componentLogUntil       map[string]componentLogState
+	directFileRoot    string
+	componentLogUntil map[string]componentLogState
 	// c2nUpdateStatus is the status of c2n-triggered client update.
 	c2nUpdateStatus     updateStatus
 	currentUser         ipnauth.WindowsToken
@@ -538,17 +539,6 @@ func (b *LocalBackend) SetDirectFileRoot(dir string) {
 	b.directFileRoot = dir
 }
 
-// SetDirectFileDoFinalRename sets whether the peerapi file server should rename
-// a received "name.partial" file to "name" when the download is complete.
-//
-// This only applies when SetDirectFileRoot is non-empty.
-// The default is false.
-func (b *LocalBackend) SetDirectFileDoFinalRename(v bool) {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	b.directFileDoFinalRename = v
-}
-
 // ReloadConfig reloads the backend's config from disk.
 //
 // It returns (false, nil) if not running in declarative mode, (true, nil) on
@@ -772,7 +762,7 @@ func (b *LocalBackend) UpdateStatus(sb *ipnstate.StatusBuilder) {
 				}
 				if !prefs.ExitNodeID().IsZero() {
 					if exitPeer, ok := b.netMap.PeerWithStableID(prefs.ExitNodeID()); ok {
-						var online = false
+						online := false
 						if v := exitPeer.Online(); v != nil {
 							online = *v
 						}
@@ -853,7 +843,7 @@ func (b *LocalBackend) populatePeerStatusLocked(sb *ipnstate.StatusBuilder) {
 		if p.LastSeen() != nil {
 			lastSeen = *p.LastSeen()
 		}
-		var tailscaleIPs = make([]netip.Addr, 0, p.Addresses().Len())
+		tailscaleIPs := make([]netip.Addr, 0, p.Addresses().Len())
 		for i := range p.Addresses().LenIter() {
 			addr := p.Addresses().At(i)
 			if addr.IsSingleIP() && tsaddr.IsTailscaleIP(addr.Addr()) {
@@ -1072,9 +1062,11 @@ func (b *LocalBackend) SetControlClientStatus(c controlclient.Client, st control
 		b.blockEngineUpdates(false)
 	}
 
-	if st.LoginFinished() && wasBlocked {
-		// Auth completed, unblock the engine
-		b.blockEngineUpdates(false)
+	if st.LoginFinished() && (wasBlocked || b.seamlessRenewalEnabled()) {
+		if wasBlocked {
+			// Auth completed, unblock the engine
+			b.blockEngineUpdates(false)
+		}
 		b.authReconfig()
 		b.send(ipn.Notify{LoginFinished: &empty.Message{}})
 	}
@@ -1106,7 +1098,7 @@ func (b *LocalBackend) SetControlClientStatus(c controlclient.Client, st control
 		b.authURL = st.URL
 		b.authURLSticky = st.URL
 	}
-	if wasBlocked && st.LoginFinished() {
+	if (wasBlocked || b.seamlessRenewalEnabled()) && st.LoginFinished() {
 		// Interactive login finished successfully (URL visited).
 		// After an interactive login, the user always wants
 		// WantRunning.
@@ -1271,8 +1263,8 @@ var preferencePolicies = []preferencePolicyInfo{
 	},
 	{
 		key: syspolicy.ApplyUpdates,
-		get: func(p ipn.PrefsView) bool { return p.AutoUpdate().Apply },
-		set: func(p *ipn.Prefs, v bool) { p.AutoUpdate.Apply = v },
+		get: func(p ipn.PrefsView) bool { v, _ := p.AutoUpdate().Apply.Get(); return v },
+		set: func(p *ipn.Prefs, v bool) { p.AutoUpdate.Apply.Set(v) },
 	},
 	{
 		key: syspolicy.EnableRunExitNode,
@@ -1331,7 +1323,7 @@ func (b *LocalBackend) UpdateNetmapDelta(muts []netmap.NodeMutation) (handled bo
 			nm.Peers = append(nm.Peers, p)
 		}
 		slices.SortFunc(nm.Peers, func(a, b tailcfg.NodeView) int {
-			return cmpx.Compare(a.ID(), b.ID())
+			return cmp.Compare(a.ID(), b.ID())
 		})
 		notify = &ipn.Notify{NetMap: nm}
 	} else if testenv.InTest() {
@@ -1548,7 +1540,7 @@ func (b *LocalBackend) PeersForTest() []tailcfg.NodeView {
 	defer b.mu.Unlock()
 	ret := xmaps.Values(b.peers)
 	slices.SortFunc(ret, func(a, b tailcfg.NodeView) int {
-		return cmpx.Compare(a.ID(), b.ID())
+		return cmp.Compare(a.ID(), b.ID())
 	})
 	return ret
 }
@@ -1767,25 +1759,26 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 	// new controlclient. SetPrefs() allows you to overwrite ServerURL,
 	// but it won't take effect until the next Start().
 	cc, err := b.getNewControlClientFunc()(controlclient.Options{
-		GetMachinePrivateKey: b.createGetMachinePrivateKeyFunc(),
-		Logf:                 logger.WithPrefix(b.logf, "control: "),
-		Persist:              *persistv,
-		ServerURL:            serverURL,
-		AuthKey:              opts.AuthKey,
-		Hostinfo:             hostinfo,
-		HTTPTestClient:       httpTestClient,
-		DiscoPublicKey:       discoPublic,
-		DebugFlags:           debugFlags,
-		NetMon:               b.sys.NetMon.Get(),
-		Pinger:               b,
-		PopBrowserURL:        b.tellClientToBrowseToURL,
-		OnClientVersion:      b.onClientVersion,
-		OnControlTime:        b.em.onControlTime,
-		Dialer:               b.Dialer(),
-		Observer:             b,
-		C2NHandler:           http.HandlerFunc(b.handleC2N),
-		DialPlan:             &b.dialPlan, // pointer because it can't be copied
-		ControlKnobs:         b.sys.ControlKnobs(),
+		GetMachinePrivateKey:       b.createGetMachinePrivateKeyFunc(),
+		Logf:                       logger.WithPrefix(b.logf, "control: "),
+		Persist:                    *persistv,
+		ServerURL:                  serverURL,
+		AuthKey:                    opts.AuthKey,
+		Hostinfo:                   hostinfo,
+		HTTPTestClient:             httpTestClient,
+		DiscoPublicKey:             discoPublic,
+		DebugFlags:                 debugFlags,
+		NetMon:                     b.sys.NetMon.Get(),
+		Pinger:                     b,
+		PopBrowserURL:              b.tellClientToBrowseToURL,
+		OnClientVersion:            b.onClientVersion,
+		OnTailnetDefaultAutoUpdate: b.onTailnetDefaultAutoUpdate,
+		OnControlTime:              b.em.onControlTime,
+		Dialer:                     b.Dialer(),
+		Observer:                   b,
+		C2NHandler:                 http.HandlerFunc(b.handleC2N),
+		DialPlan:                   &b.dialPlan, // pointer because it can't be copied
+		ControlKnobs:               b.sys.ControlKnobs(),
 
 		// Don't warn about broken Linux IP forwarding when
 		// netstack is being used.
@@ -2453,8 +2446,10 @@ func (b *LocalBackend) popBrowserAuthNow() {
 
 	b.logf("popBrowserAuthNow: url=%v", url != "")
 
-	b.blockEngineUpdates(true)
-	b.stopEngineAndWait()
+	if !b.seamlessRenewalEnabled() {
+		b.blockEngineUpdates(true)
+		b.stopEngineAndWait()
+	}
 	b.tellClientToBrowseToURL(url)
 	if b.State() == ipn.Running {
 		b.enterState(ipn.Starting)
@@ -2500,6 +2495,32 @@ func (b *LocalBackend) onClientVersion(v *tailcfg.ClientVersion) {
 	b.send(ipn.Notify{ClientVersion: v})
 }
 
+func (b *LocalBackend) onTailnetDefaultAutoUpdate(au bool) {
+	prefs := b.pm.CurrentPrefs()
+	if !prefs.Valid() {
+		b.logf("[unexpected]: received tailnet default auto-update callback but current prefs are nil")
+		return
+	}
+	if _, ok := prefs.AutoUpdate().Apply.Get(); ok {
+		// Apply was already set from a previous default or manually by the
+		// user. Tailnet default should not affect us, even if it changes.
+		return
+	}
+	b.logf("using tailnet default auto-update setting: %v", au)
+	prefsClone := prefs.AsStruct()
+	prefsClone.AutoUpdate.Apply = opt.NewBool(au)
+	_, err := b.EditPrefs(&ipn.MaskedPrefs{
+		Prefs: *prefsClone,
+		AutoUpdateSet: ipn.AutoUpdatePrefsMask{
+			ApplySet: true,
+		},
+	})
+	if err != nil {
+		b.logf("failed to apply tailnet-wide default for auto-updates (%v): %v", au, err)
+		return
+	}
+}
+
 // For testing lazy machine key generation.
 var panicOnMachineKeyGeneration = envknob.RegisterBool("TS_DEBUG_PANIC_MACHINE_KEY")
 
@@ -3422,7 +3443,7 @@ func (b *LocalBackend) reconfigAppConnectorLocked(nm *netmap.NetworkMap, prefs i
 		}
 	}
 	slices.Sort(domains)
-	slices.Compact(domains)
+	domains = slices.Compact(domains)
 	b.appConnector.UpdateDomains(domains)
 }
 
@@ -3844,13 +3865,12 @@ func (b *LocalBackend) initPeerAPIListener() {
 	ps := &peerAPIServer{
 		b: b,
 		taildrop: taildrop.ManagerOptions{
-			Logf:             b.logf,
-			Clock:            tstime.DefaultClock{Clock: b.clock},
-			State:            b.store,
-			Dir:              fileRoot,
-			DirectFileMode:   b.directFileRoot != "",
-			AvoidFinalRename: !b.directFileDoFinalRename,
-			SendFileNotify:   b.sendFileNotify,
+			Logf:           b.logf,
+			Clock:          tstime.DefaultClock{Clock: b.clock},
+			State:          b.store,
+			Dir:            fileRoot,
+			DirectFileMode: b.directFileRoot != "",
+			SendFileNotify: b.sendFileNotify,
 		}.New(),
 	}
 	if dm, ok := b.sys.DNSManager.GetOK(); ok {
@@ -3982,10 +4002,13 @@ func (b *LocalBackend) routerConfig(cfg *wgcfg.Config, prefs ipn.PrefsView, oneC
 		singleRouteThreshold = 1
 	}
 
-	netfilterKind := b.capForcedNetfilter
+	b.mu.Lock()
+	netfilterKind := b.capForcedNetfilter // protected by b.mu
+	b.mu.Unlock()
+
 	if prefs.NetfilterKind() != "" {
-		if b.capForcedNetfilter != "" {
-			b.logf("nodeattr netfilter preference %s overridden by c2n pref %s", b.capForcedNetfilter, prefs.NetfilterKind())
+		if netfilterKind != "" {
+			b.logf("nodeattr netfilter preference %s overridden by c2n pref %s", netfilterKind, prefs.NetfilterKind())
 		}
 		netfilterKind = prefs.NetfilterKind()
 	}
@@ -4079,7 +4102,7 @@ func (b *LocalBackend) applyPrefsToHostinfoLocked(hi *tailcfg.Hostinfo, prefs ip
 	hi.RoutableIPs = prefs.AdvertiseRoutes().AsSlice()
 	hi.RequestTags = prefs.AdvertiseTags().AsSlice()
 	hi.ShieldsUp = prefs.ShieldsUp()
-	hi.AllowsUpdate = envknob.AllowsRemoteUpdate() || prefs.AutoUpdate().Apply
+	hi.AllowsUpdate = envknob.AllowsRemoteUpdate() || prefs.AutoUpdate().Apply.EqualBool(true)
 
 	var sshHostKeys []string
 	if prefs.RunSSH() && envknob.CanSSHD() {
@@ -4144,6 +4167,9 @@ func (b *LocalBackend) enterStateLockedOnEntry(newState ipn.State) {
 	switch newState {
 	case ipn.NeedsLogin:
 		systemd.Status("Needs login: %s", authURL)
+		if b.seamlessRenewalEnabled() {
+			break
+		}
 		b.blockEngineUpdates(true)
 		fallthrough
 	case ipn.Stopped:
@@ -4171,7 +4197,6 @@ func (b *LocalBackend) enterStateLockedOnEntry(newState ipn.State) {
 	default:
 		b.logf("[unexpected] unknown newState %#v", newState)
 	}
-
 }
 
 // hasNodeKey reports whether a non-zero node key is present in the current
@@ -4876,7 +4901,7 @@ func (b *LocalBackend) FileTargets() ([]*apitype.FileTarget, error) {
 		})
 	}
 	slices.SortFunc(ret, func(a, b *apitype.FileTarget) int {
-		return cmpx.Compare(a.Node.Name, b.Node.Name)
+		return cmp.Compare(a.Node.Name, b.Node.Name)
 	})
 	return ret, nil
 }
@@ -5296,15 +5321,6 @@ func (b *LocalBackend) DoNoiseRequest(req *http.Request) (*http.Response, error)
 	return cc.DoNoiseRequest(req)
 }
 
-// tailscaleSSHEnabled reports whether Tailscale SSH is currently enabled based
-// on prefs. It returns false if there are no prefs set.
-func (b *LocalBackend) tailscaleSSHEnabled() bool {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	p := b.pm.CurrentPrefs()
-	return p.Valid() && p.RunSSH()
-}
-
 func (b *LocalBackend) sshServerOrInit() (_ SSHServer, err error) {
 	b.mu.Lock()
 	defer b.mu.Unlock()
@@ -5752,12 +5768,21 @@ func (b *LocalBackend) ObserveDNSResponse(res []byte) {
 	appConnector.ObserveDNSResponse(res)
 }
 
+// ErrDisallowedAutoRoute is returned by AdvertiseRoute when a route that is not allowed is requested.
+var ErrDisallowedAutoRoute = errors.New("route is not allowed")
+
 // AdvertiseRoute implements the appc.RouteAdvertiser interface. It sets a new
 // route advertisement if one is not already present in the existing routes.
+// If the route is disallowed, ErrDisallowedAutoRoute is returned.
 func (b *LocalBackend) AdvertiseRoute(ipp netip.Prefix) error {
+	if !allowedAutoRoute(ipp) {
+		return ErrDisallowedAutoRoute
+	}
 	currentRoutes := b.Prefs().AdvertiseRoutes()
-	// TODO(raggi): check if the new route is a subset of an existing route.
-	if currentRoutes.ContainsFunc(func(r netip.Prefix) bool { return r == ipp }) {
+	if currentRoutes.ContainsFunc(func(r netip.Prefix) bool {
+		// TODO(raggi): add support for subset checks and avoid subset route creations.
+		return ipp.IsSingleIP() && r.Contains(ipp.Addr()) || r == ipp
+	}) {
 		return nil
 	}
 	routes := append(currentRoutes.AsSlice(), ipp)
@@ -5770,6 +5795,44 @@ func (b *LocalBackend) AdvertiseRoute(ipp netip.Prefix) error {
 	return err
 }
 
+// seamlessRenewalEnabled reports whether seamless key renewals are enabled
+// (i.e. we saw our self node with the SeamlessKeyRenewal attr in a netmap).
+// This enables beta functionality of renewing node keys without breaking
+// connections.
+func (b *LocalBackend) seamlessRenewalEnabled() bool {
+	return b.ControlKnobs().SeamlessKeyRenewal.Load()
+}
+
+var (
+	disallowedAddrs = []netip.Addr{
+		netip.MustParseAddr("::1"),
+		netip.MustParseAddr("::"),
+		netip.MustParseAddr("0.0.0.0"),
+	}
+	disallowedRanges = []netip.Prefix{
+		netip.MustParsePrefix("127.0.0.0/8"),
+		netip.MustParsePrefix("224.0.0.0/4"),
+		netip.MustParsePrefix("ff00::/8"),
+	}
+)
+
+// allowedAutoRoute determines if the route being added via AdvertiseRoute (the app connector featuge) should be allowed.
+func allowedAutoRoute(ipp netip.Prefix) bool {
+	// Note: blocking the addrs for globals, not solely the prefixes.
+	for _, addr := range disallowedAddrs {
+		if ipp.Addr() == addr {
+			return false
+		}
+	}
+	for _, pfx := range disallowedRanges {
+		if pfx.Overlaps(ipp) {
+			return false
+		}
+	}
+	// TODO(raggi): exclude tailscale service IPs and so on as well.
+	return true
+}
+
 // mayDeref dereferences p if non-nil, otherwise it returns the zero value.
 func mayDeref[T any](p *T) (v T) {
 	if p == nil {

ipn/ipnlocal/local_test.go

@@ -31,6 +31,7 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/logid"
 	"tailscale.com/types/netmap"
+	"tailscale.com/types/opt"
 	"tailscale.com/types/ptr"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/mak"
@@ -264,7 +265,6 @@ func TestPeerRoutes(t *testing.T) {
 			}
 		})
 	}
-
 }
 
 func TestPeerAPIBase(t *testing.T) {
@@ -699,7 +699,6 @@ func TestPacketFilterPermitsUnlockedNodes(t *testing.T) {
 			}
 		})
 	}
-
 }
 
 func TestStatusWithoutPeers(t *testing.T) {
@@ -1172,6 +1171,26 @@ func TestRouteAdvertiser(t *testing.T) {
 	}
 }
 
+func TestRouterAdvertiserIgnoresContainedRoutes(t *testing.T) {
+	b := newTestBackend(t)
+	testPrefix := netip.MustParsePrefix("192.0.0.0/24")
+	ra := appc.RouteAdvertiser(b)
+	must.Do(ra.AdvertiseRoute(testPrefix))
+
+	routes := b.Prefs().AdvertiseRoutes()
+	if routes.Len() != 1 || routes.At(0) != testPrefix {
+		t.Fatalf("got routes %v, want %v", routes, []netip.Prefix{testPrefix})
+	}
+
+	must.Do(ra.AdvertiseRoute(netip.MustParsePrefix("192.0.0.8/32")))
+
+	// the above /32 is not added as it is contained within the /24
+	routes = b.Prefs().AdvertiseRoutes()
+	if routes.Len() != 1 || routes.At(0) != testPrefix {
+		t.Fatalf("got routes %v, want %v", routes, []netip.Prefix{testPrefix})
+	}
+}
+
 func TestObserveDNSResponse(t *testing.T) {
 	b := newTestBackend(t)
 
@@ -1780,13 +1799,13 @@ func TestApplySysPolicy(t *testing.T) {
 			prefs: ipn.Prefs{
 				AutoUpdate: ipn.AutoUpdatePrefs{
 					Check: true,
-					Apply: false,
+					Apply: opt.NewBool(false),
 				},
 			},
 			wantPrefs: ipn.Prefs{
 				AutoUpdate: ipn.AutoUpdatePrefs{
 					Check: true,
-					Apply: true,
+					Apply: opt.NewBool(true),
 				},
 			},
 			wantAnyChange: true,
@@ -1799,13 +1818,13 @@ func TestApplySysPolicy(t *testing.T) {
 			prefs: ipn.Prefs{
 				AutoUpdate: ipn.AutoUpdatePrefs{
 					Check: true,
-					Apply: true,
+					Apply: opt.NewBool(true),
 				},
 			},
 			wantPrefs: ipn.Prefs{
 				AutoUpdate: ipn.AutoUpdatePrefs{
 					Check: true,
-					Apply: false,
+					Apply: opt.NewBool(false),
 				},
 			},
 			wantAnyChange: true,
@@ -1818,13 +1837,13 @@ func TestApplySysPolicy(t *testing.T) {
 			prefs: ipn.Prefs{
 				AutoUpdate: ipn.AutoUpdatePrefs{
 					Check: false,
-					Apply: true,
+					Apply: opt.NewBool(true),
 				},
 			},
 			wantPrefs: ipn.Prefs{
 				AutoUpdate: ipn.AutoUpdatePrefs{
 					Check: true,
-					Apply: true,
+					Apply: opt.NewBool(true),
 				},
 			},
 			wantAnyChange: true,
@@ -1837,13 +1856,13 @@ func TestApplySysPolicy(t *testing.T) {
 			prefs: ipn.Prefs{
 				AutoUpdate: ipn.AutoUpdatePrefs{
 					Check: true,
-					Apply: true,
+					Apply: opt.NewBool(true),
 				},
 			},
 			wantPrefs: ipn.Prefs{
 				AutoUpdate: ipn.AutoUpdatePrefs{
 					Check: false,
-					Apply: true,
+					Apply: opt.NewBool(true),
 				},
 			},
 			wantAnyChange: true,
@@ -1885,7 +1904,6 @@ func TestApplySysPolicy(t *testing.T) {
 			})
 
 			t.Run("set prefs", func(t *testing.T) {
-
 				b := newTestBackend(t)
 				b.SetPrefs(tt.prefs.Clone())
 				if !b.Prefs().Equals(tt.wantPrefs.View()) {
@@ -2055,3 +2073,56 @@ func TestPreferencePolicyInfo(t *testing.T) {
 		})
 	}
 }
+
+func TestOnTailnetDefaultAutoUpdate(t *testing.T) {
+	tests := []struct {
+		desc           string
+		before, after  opt.Bool
+		tailnetDefault bool
+	}{
+		{
+			before:         opt.Bool(""),
+			tailnetDefault: true,
+			after:          opt.NewBool(true),
+		},
+		{
+			before:         opt.Bool(""),
+			tailnetDefault: false,
+			after:          opt.NewBool(false),
+		},
+		{
+			before:         opt.Bool("unset"),
+			tailnetDefault: true,
+			after:          opt.NewBool(true),
+		},
+		{
+			before:         opt.Bool("unset"),
+			tailnetDefault: false,
+			after:          opt.NewBool(false),
+		},
+		{
+			before:         opt.NewBool(false),
+			tailnetDefault: true,
+			after:          opt.NewBool(false),
+		},
+		{
+			before:         opt.NewBool(true),
+			tailnetDefault: false,
+			after:          opt.NewBool(true),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(fmt.Sprintf("before=%s after=%s", tt.before, tt.after), func(t *testing.T) {
+			b := newTestBackend(t)
+			p := ipn.NewPrefs()
+			p.AutoUpdate.Apply = tt.before
+			if err := b.pm.setPrefsLocked(p.View()); err != nil {
+				t.Fatal(err)
+			}
+			b.onTailnetDefaultAutoUpdate(tt.tailnetDefault)
+			if want, got := tt.after, b.pm.CurrentPrefs().AutoUpdate().Apply; got != want {
+				t.Errorf("got: %q, want %q", got, want)
+			}
+		})
+	}
+}

ipn/ipnlocal/peerapi.go

@@ -62,10 +62,6 @@ type peerAPIServer struct {
 	taildrop *taildrop.Manager
 }
 
-var (
-	errNilPeerAPIServer = errors.New("peerapi unavailable; not listening")
-)
-
 func (s *peerAPIServer) listen(ip netip.Addr, ifState *interfaces.State) (ln net.Listener, err error) {
 	// Android for whatever reason often has problems creating the peerapi listener.
 	// But since we started intercepting it with netstack, it's not even important that

ipn/ipnlocal/peerapi_test.go

@@ -114,7 +114,6 @@ func hexAll(v string) string {
 }
 
 func TestHandlePeerAPI(t *testing.T) {
-	const nodeFQDN = "self-node.tail-scale.ts.net."
 	tests := []struct {
 		name       string
 		isSelf     bool // the peer sending the request is owned by us

ipn/ipnlocal/profiles.go

@@ -4,6 +4,7 @@
 package ipnlocal
 
 import (
+	"cmp"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -17,7 +18,6 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/clientmetric"
-	"tailscale.com/util/cmpx"
 )
 
 var errAlreadyMigrated = errors.New("profile migration already completed")
@@ -113,7 +113,7 @@ func (pm *profileManager) allProfiles() (out []*ipn.LoginProfile) {
 		}
 	}
 	slices.SortFunc(out, func(a, b *ipn.LoginProfile) int {
-		return cmpx.Compare(a.Name, b.Name)
+		return cmp.Compare(a.Name, b.Name)
 	})
 	return out
 }

ipn/ipnlocal/ssh.go

@@ -217,3 +217,12 @@ func (b *LocalBackend) getSSHHostKeyPublicStrings() (ret []string) {
 	}
 	return ret
 }
+
+// tailscaleSSHEnabled reports whether Tailscale SSH is currently enabled based
+// on prefs. It returns false if there are no prefs set.
+func (b *LocalBackend) tailscaleSSHEnabled() bool {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	p := b.pm.CurrentPrefs()
+	return p.Valid() && p.RunSSH()
+}

ipn/localapi/localapi.go

@@ -80,6 +80,7 @@ var handler = map[string]localAPIHandler{
 	"component-debug-logging":     (*Handler).serveComponentDebugLogging,
 	"debug":                       (*Handler).serveDebug,
 	"debug-derp-region":           (*Handler).serveDebugDERPRegion,
+	"debug-dial-types":            (*Handler).serveDebugDialTypes,
 	"debug-packet-filter-matches": (*Handler).serveDebugPacketFilterMatches,
 	"debug-packet-filter-rules":   (*Handler).serveDebugPacketFilterRules,
 	"debug-portmap":               (*Handler).serveDebugPortmap,
@@ -840,6 +841,76 @@ func (h *Handler) serveComponentDebugLogging(w http.ResponseWriter, r *http.Requ
 	json.NewEncoder(w).Encode(res)
 }
 
+func (h *Handler) serveDebugDialTypes(w http.ResponseWriter, r *http.Request) {
+	if !h.PermitWrite {
+		http.Error(w, "debug-dial-types access denied", http.StatusForbidden)
+		return
+	}
+	if r.Method != httpm.POST {
+		http.Error(w, "only POST allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	ip := r.FormValue("ip")
+	port := r.FormValue("port")
+	network := r.FormValue("network")
+
+	addr := ip + ":" + port
+	if _, err := netip.ParseAddrPort(addr); err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		fmt.Fprintf(w, "invalid address %q: %v", addr, err)
+		return
+	}
+
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+
+	var bareDialer net.Dialer
+
+	dialer := h.b.Dialer()
+
+	var peerDialer net.Dialer
+	peerDialer.Control = dialer.PeerDialControlFunc()
+
+	// Kick off a dial with each available dialer in parallel.
+	dialers := []struct {
+		name string
+		dial func(context.Context, string, string) (net.Conn, error)
+	}{
+		{"SystemDial", dialer.SystemDial},
+		{"UserDial", dialer.UserDial},
+		{"PeerDial", peerDialer.DialContext},
+		{"BareDial", bareDialer.DialContext},
+	}
+	type result struct {
+		name string
+		conn net.Conn
+		err  error
+	}
+	results := make(chan result, len(dialers))
+
+	var wg sync.WaitGroup
+	for _, dialer := range dialers {
+		dialer := dialer // loop capture
+
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			conn, err := dialer.dial(ctx, network, addr)
+			results <- result{dialer.name, conn, err}
+		}()
+	}
+
+	wg.Wait()
+	for i := 0; i < len(dialers); i++ {
+		res := <-results
+		fmt.Fprintf(w, "[%s] connected=%v err=%v\n", res.name, res.conn != nil, res.err)
+		if res.conn != nil {
+			res.conn.Close()
+		}
+	}
+}
+
 // servePprofFunc is the implementation of Handler.servePprof, after auth,
 // for platforms where we want to link it in.
 var servePprofFunc func(http.ResponseWriter, *http.Request)

ipn/prefs.go

@@ -21,10 +21,12 @@ import (
 	"tailscale.com/net/netaddr"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
+	"tailscale.com/types/opt"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/preftype"
 	"tailscale.com/types/views"
 	"tailscale.com/util/dnsname"
+	"tailscale.com/util/syspolicy"
 )
 
 // DefaultControlURL is the URL base of the control plane
@@ -237,7 +239,17 @@ type AutoUpdatePrefs struct {
 	// Apply specifies whether background auto-updates are enabled. When
 	// enabled, tailscaled will apply available updates in the background.
 	// Check must also be set when Apply is set.
-	Apply bool
+	Apply opt.Bool
+}
+
+func (au1 AutoUpdatePrefs) Equals(au2 AutoUpdatePrefs) bool {
+	// This could almost be as easy as `au1.Apply == au2.Apply`, except that
+	// opt.Bool("") and opt.Bool("unset") should be treated as equal.
+	apply1, ok1 := au1.Apply.Get()
+	apply2, ok2 := au2.Apply.Get()
+	return au1.Check == au2.Check &&
+		apply1 == apply2 &&
+		ok1 == ok2
 }
 
 // AppConnectorPrefs are the app connector settings for the node agent.
@@ -403,12 +415,20 @@ func (m *MaskedPrefs) Pretty() string {
 				continue
 			}
 			mpf := mpv.Field(i - 1)
-			prettyFn := mf.MethodByName("Pretty")
-			if !prettyFn.IsValid() {
-				panic(fmt.Sprintf("MaskedPrefs field %q is missing the Pretty method", name))
+			// This would be much simpler with reflect.MethodByName("Pretty"),
+			// but using MethodByName disables some linker optimizations and
+			// makes our binaries much larger. See
+			// https://github.com/tailscale/tailscale/issues/10627#issuecomment-1861211945
+			//
+			// Instead, have this explicit switch by field name to do type
+			// assertions.
+			switch name {
+			case "AutoUpdateSet":
+				p := mf.Interface().(AutoUpdatePrefsMask).Pretty(mpf.Interface().(AutoUpdatePrefs))
+				fmt.Fprintf(&sb, "%s={%s}", strings.TrimSuffix(name, "Set"), p)
+			default:
+				panic(fmt.Sprintf("unexpected MaskedPrefs field %q", name))
 			}
-			res := prettyFn.Call([]reflect.Value{mpf})
-			fmt.Fprintf(&sb, "%s={%s}", strings.TrimSuffix(name, "Set"), res[0].String())
 		}
 	}
 	sb.WriteString("}")
@@ -533,14 +553,14 @@ func (p *Prefs) Equals(p2 *Prefs) bool {
 		compareStrings(p.AdvertiseTags, p2.AdvertiseTags) &&
 		p.Persist.Equals(p2.Persist) &&
 		p.ProfileName == p2.ProfileName &&
-		p.AutoUpdate == p2.AutoUpdate &&
+		p.AutoUpdate.Equals(p2.AutoUpdate) &&
 		p.AppConnector == p2.AppConnector &&
 		p.PostureChecking == p2.PostureChecking &&
 		p.NetfilterKind == p2.NetfilterKind
 }
 
 func (au AutoUpdatePrefs) Pretty() string {
-	if au.Apply {
+	if au.Apply.EqualBool(true) {
 		return "update=on "
 	}
 	if au.Check {
@@ -600,7 +620,7 @@ func NewPrefs() *Prefs {
 		NetfilterMode:    preftype.NetfilterOn,
 		AutoUpdate: AutoUpdatePrefs{
 			Check: true,
-			Apply: false,
+			Apply: opt.Bool("unset"),
 		},
 	}
 }
@@ -618,11 +638,16 @@ func (p PrefsView) ControlURLOrDefault() string {
 // If not configured, or if the configured value is a legacy name equivalent to
 // the default, then DefaultControlURL is returned instead.
 func (p *Prefs) ControlURLOrDefault() string {
-	if p.ControlURL != "" {
-		if p.ControlURL != DefaultControlURL && IsLoginServerSynonym(p.ControlURL) {
+	controlURL, err := syspolicy.GetString(syspolicy.ControlURL, p.ControlURL)
+	if err != nil {
+		controlURL = p.ControlURL
+	}
+
+	if controlURL != "" {
+		if controlURL != DefaultControlURL && IsLoginServerSynonym(controlURL) {
 			return DefaultControlURL
 		}
-		return p.ControlURL
+		return controlURL
 	}
 	return DefaultControlURL
 }

ipn/prefs_test.go

@@ -20,6 +20,7 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/tstest"
 	"tailscale.com/types/key"
+	"tailscale.com/types/opt"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/preftype"
 )
@@ -294,18 +295,18 @@ func TestPrefsEqual(t *testing.T) {
 			false,
 		},
 		{
-			&Prefs{AutoUpdate: AutoUpdatePrefs{Check: true, Apply: false}},
-			&Prefs{AutoUpdate: AutoUpdatePrefs{Check: false, Apply: false}},
+			&Prefs{AutoUpdate: AutoUpdatePrefs{Check: true, Apply: opt.NewBool(false)}},
+			&Prefs{AutoUpdate: AutoUpdatePrefs{Check: false, Apply: opt.NewBool(false)}},
 			false,
 		},
 		{
-			&Prefs{AutoUpdate: AutoUpdatePrefs{Check: true, Apply: true}},
-			&Prefs{AutoUpdate: AutoUpdatePrefs{Check: true, Apply: false}},
+			&Prefs{AutoUpdate: AutoUpdatePrefs{Check: true, Apply: opt.NewBool(true)}},
+			&Prefs{AutoUpdate: AutoUpdatePrefs{Check: true, Apply: opt.NewBool(false)}},
 			false,
 		},
 		{
-			&Prefs{AutoUpdate: AutoUpdatePrefs{Check: true, Apply: false}},
-			&Prefs{AutoUpdate: AutoUpdatePrefs{Check: true, Apply: false}},
+			&Prefs{AutoUpdate: AutoUpdatePrefs{Check: true, Apply: opt.NewBool(false)}},
+			&Prefs{AutoUpdate: AutoUpdatePrefs{Check: true, Apply: opt.NewBool(false)}},
 			true,
 		},
 		{
@@ -522,7 +523,7 @@ func TestPrefsPretty(t *testing.T) {
 			Prefs{
 				AutoUpdate: AutoUpdatePrefs{
 					Check: true,
-					Apply: false,
+					Apply: opt.NewBool(false),
 				},
 			},
 			"linux",
@@ -532,7 +533,7 @@ func TestPrefsPretty(t *testing.T) {
 			Prefs{
 				AutoUpdate: AutoUpdatePrefs{
 					Check: true,
-					Apply: true,
+					Apply: opt.NewBool(true),
 				},
 			},
 			"linux",
@@ -764,7 +765,7 @@ func TestMaskedPrefsPretty(t *testing.T) {
 		{
 			m: &MaskedPrefs{
 				Prefs: Prefs{
-					AutoUpdate: AutoUpdatePrefs{Check: true, Apply: false},
+					AutoUpdate: AutoUpdatePrefs{Check: true, Apply: opt.NewBool(false)},
 				},
 				AutoUpdateSet: AutoUpdatePrefsMask{CheckSet: true, ApplySet: false},
 			},
@@ -773,7 +774,7 @@ func TestMaskedPrefsPretty(t *testing.T) {
 		{
 			m: &MaskedPrefs{
 				Prefs: Prefs{
-					AutoUpdate: AutoUpdatePrefs{Check: true, Apply: true},
+					AutoUpdate: AutoUpdatePrefs{Check: true, Apply: opt.NewBool(true)},
 				},
 				AutoUpdateSet: AutoUpdatePrefsMask{CheckSet: true, ApplySet: true},
 			},
@@ -782,7 +783,7 @@ func TestMaskedPrefsPretty(t *testing.T) {
 		{
 			m: &MaskedPrefs{
 				Prefs: Prefs{
-					AutoUpdate: AutoUpdatePrefs{Check: true, Apply: false},
+					AutoUpdate: AutoUpdatePrefs{Check: true, Apply: opt.NewBool(false)},
 				},
 				AutoUpdateSet: AutoUpdatePrefsMask{CheckSet: false, ApplySet: true},
 			},
@@ -791,7 +792,7 @@ func TestMaskedPrefsPretty(t *testing.T) {
 		{
 			m: &MaskedPrefs{
 				Prefs: Prefs{
-					AutoUpdate: AutoUpdatePrefs{Check: true, Apply: true},
+					AutoUpdate: AutoUpdatePrefs{Check: true, Apply: opt.NewBool(true)},
 				},
 				AutoUpdateSet: AutoUpdatePrefsMask{CheckSet: false, ApplySet: false},
 			},

k8s-operator/apis/doc.go

@@ -0,0 +1,8 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !plan9
+
+package apis
+
+const GroupName = "tailscale.com"

k8s-operator/apis/v1alpha1/doc.go

@@ -0,0 +1,8 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !plan9
+
+// +kubebuilder:object:generate=true
+// +groupName=tailscale.com
+package v1alpha1

k8s-operator/apis/v1alpha1/register.go

@@ -0,0 +1,56 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !plan9
+
+package v1alpha1
+
+import (
+	"fmt"
+
+	"tailscale.com/k8s-operator/apis"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/kubernetes/scheme"
+)
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: apis.GroupName, Version: "v1alpha1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+
+	GlobalScheme *runtime.Scheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes)
+
+	GlobalScheme = runtime.NewScheme()
+	if err := scheme.AddToScheme(GlobalScheme); err != nil {
+		panic(fmt.Sprintf("failed to add k8s.io scheme: %s", err))
+	}
+	if err := AddToScheme(GlobalScheme); err != nil {
+		panic(fmt.Sprintf("failed to add tailscale.com scheme: %s", err))
+	}
+}
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion, &Connector{}, &ConnectorList{})
+
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}

k8s-operator/apis/v1alpha1/types_connector.go

@@ -0,0 +1,184 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !plan9
+
+package v1alpha1
+
+import (
+	"fmt"
+	"strings"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Code comments on these types should be treated as user facing documentation-
+// they will appear on the Connector CRD i.e if someone runs kubectl explain connector.
+
+var ConnectorKind = "Connector"
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster,shortName=cn
+// +kubebuilder:printcolumn:name="SubnetRoutes",type="string",JSONPath=`.status.subnetRoutes`,description="CIDR ranges exposed to tailnet by a subnet router defined via this Connector instance."
+// +kubebuilder:printcolumn:name="IsExitNode",type="string",JSONPath=`.status.isExitNode`,description="Whether this Connector instance defines an exit node."
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=`.status.conditions[?(@.type == "ConnectorReady")].reason`,description="Status of the deployed Connector resources."
+
+type Connector struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// ConnectorSpec describes the desired Tailscale component.
+	Spec ConnectorSpec `json:"spec"`
+
+	// ConnectorStatus describes the status of the Connector. This is set
+	// and managed by the Tailscale operator.
+	// +optional
+	Status ConnectorStatus `json:"status"`
+}
+
+// +kubebuilder:object:root=true
+
+type ConnectorList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+
+	Items []Connector `json:"items"`
+}
+
+// ConnectorSpec describes a Tailscale node to be deployed in the cluster.
+// +kubebuilder:validation:XValidation:rule="has(self.subnetRouter) || self.exitNode == true",message="A Connector needs to be either an exit node or a subnet router, or both."
+type ConnectorSpec struct {
+	// Tags that the Tailscale node will be tagged with.
+	// Defaults to [tag:k8s].
+	// To autoapprove the subnet routes or exit node defined by a Connector,
+	// you can configure Tailscale ACLs to give these tags the necessary
+	// permissions.
+	// See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes.
+	// If you specify custom tags here, you must also make the operator an owner of these tags.
+	// See  https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator.
+	// Tags cannot be changed once a Connector node has been created.
+	// Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$.
+	// +optional
+	Tags Tags `json:"tags,omitempty"`
+	// Hostname is the tailnet hostname that should be assigned to the
+	// Connector node. If unset, hostname defaults to <connector
+	// name>-connector. Hostname can contain lower case letters, numbers and
+	// dashes, it must not start or end with a dash and must be between 2
+	// and 63 characters long.
+	// +optional
+	Hostname Hostname `json:"hostname,omitempty"`
+	// SubnetRouter defines subnet routes that the Connector node should
+	// expose to tailnet. If unset, none are exposed.
+	// https://tailscale.com/kb/1019/subnets/
+	// +optional
+	SubnetRouter *SubnetRouter `json:"subnetRouter"`
+	// ExitNode defines whether the Connector node should act as a
+	// Tailscale exit node. Defaults to false.
+	// https://tailscale.com/kb/1103/exit-nodes
+	// +optional
+	ExitNode bool `json:"exitNode"`
+}
+
+// SubnetRouter defines subnet routes that should be exposed to tailnet via a
+// Connector node.
+type SubnetRouter struct {
+	// AdvertiseRoutes refer to CIDRs that the subnet router should make
+	// available. Route values must be strings that represent a valid IPv4
+	// or IPv6 CIDR range. Values can be Tailscale 4via6 subnet routes.
+	// https://tailscale.com/kb/1201/4via6-subnets/
+	AdvertiseRoutes Routes `json:"advertiseRoutes"`
+}
+
+type Tags []Tag
+
+func (tags Tags) Stringify() []string {
+	stringTags := make([]string, len(tags))
+	for i, t := range tags {
+		stringTags[i] = string(t)
+	}
+	return stringTags
+}
+
+// +kubebuilder:validation:MinItems=1
+type Routes []Route
+
+func (routes Routes) Stringify() string {
+	if len(routes) < 1 {
+		return ""
+	}
+	var sb strings.Builder
+	sb.WriteString(string(routes[0]))
+	for _, r := range routes[1:] {
+		sb.WriteString(fmt.Sprintf(",%s", r))
+	}
+	return sb.String()
+}
+
+// +kubebuilder:validation:Type=string
+// +kubebuilder:validation:Format=cidr
+type Route string
+
+// +kubebuilder:validation:Type=string
+// +kubebuilder:validation:Pattern=`^tag:[a-zA-Z][a-zA-Z0-9-]*$`
+type Tag string
+
+// +kubebuilder:validation:Type=string
+// +kubebuilder:validation:Pattern=`^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$`
+type Hostname string
+
+// ConnectorStatus defines the observed state of the Connector.
+type ConnectorStatus struct {
+	// List of status conditions to indicate the status of the Connector.
+	// Known condition types are `ConnectorReady`.
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	Conditions []ConnectorCondition `json:"conditions"`
+	// SubnetRoutes are the routes currently exposed to tailnet via this
+	// Connector instance.
+	// +optional
+	SubnetRoutes string `json:"subnetRoutes"`
+	// IsExitNode is set to true if the Connector acts as an exit node.
+	// +optional
+	IsExitNode bool `json:"isExitNode"`
+}
+
+// ConnectorCondition contains condition information for a Connector.
+type ConnectorCondition struct {
+	// Type of the condition, known values are (`SubnetRouterReady`).
+	Type ConnectorConditionType `json:"type"`
+
+	// Status of the condition, one of ('True', 'False', 'Unknown').
+	Status metav1.ConditionStatus `json:"status"`
+
+	// LastTransitionTime is the timestamp corresponding to the last status
+	// change of this condition.
+	// +optional
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+
+	// Reason is a brief machine readable explanation for the condition's last
+	// transition.
+	// +optional
+	Reason string `json:"reason,omitempty"`
+
+	// Message is a human readable description of the details of the last
+	// transition, complementing reason.
+	// +optional
+	Message string `json:"message,omitempty"`
+
+	// If set, this represents the .metadata.generation that the condition was
+	// set based upon.
+	// For instance, if .metadata.generation is currently 12, but the
+	// .status.condition[x].observedGeneration is 9, the condition is out of date
+	// with respect to the current state of the Connector.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+}
+
+// ConnectorConditionType represents a Connector condition type.
+type ConnectorConditionType string
+
+const (
+	ConnectorReady ConnectorConditionType = `ConnectorReady`
+)

k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,195 @@
+//go:build !ignore_autogenerated && !plan9
+
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Connector) DeepCopyInto(out *Connector) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Connector.
+func (in *Connector) DeepCopy() *Connector {
+	if in == nil {
+		return nil
+	}
+	out := new(Connector)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Connector) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConnectorCondition) DeepCopyInto(out *ConnectorCondition) {
+	*out = *in
+	if in.LastTransitionTime != nil {
+		in, out := &in.LastTransitionTime, &out.LastTransitionTime
+		*out = (*in).DeepCopy()
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectorCondition.
+func (in *ConnectorCondition) DeepCopy() *ConnectorCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(ConnectorCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConnectorList) DeepCopyInto(out *ConnectorList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Connector, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectorList.
+func (in *ConnectorList) DeepCopy() *ConnectorList {
+	if in == nil {
+		return nil
+	}
+	out := new(ConnectorList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ConnectorList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConnectorSpec) DeepCopyInto(out *ConnectorSpec) {
+	*out = *in
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(Tags, len(*in))
+		copy(*out, *in)
+	}
+	if in.SubnetRouter != nil {
+		in, out := &in.SubnetRouter, &out.SubnetRouter
+		*out = new(SubnetRouter)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectorSpec.
+func (in *ConnectorSpec) DeepCopy() *ConnectorSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ConnectorSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConnectorStatus) DeepCopyInto(out *ConnectorStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]ConnectorCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectorStatus.
+func (in *ConnectorStatus) DeepCopy() *ConnectorStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ConnectorStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in Routes) DeepCopyInto(out *Routes) {
+	{
+		in := &in
+		*out = make(Routes, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Routes.
+func (in Routes) DeepCopy() Routes {
+	if in == nil {
+		return nil
+	}
+	out := new(Routes)
+	in.DeepCopyInto(out)
+	return *out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SubnetRouter) DeepCopyInto(out *SubnetRouter) {
+	*out = *in
+	if in.AdvertiseRoutes != nil {
+		in, out := &in.AdvertiseRoutes, &out.AdvertiseRoutes
+		*out = make(Routes, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubnetRouter.
+func (in *SubnetRouter) DeepCopy() *SubnetRouter {
+	if in == nil {
+		return nil
+	}
+	out := new(SubnetRouter)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in Tags) DeepCopyInto(out *Tags) {
+	{
+		in := &in
+		*out = make(Tags, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Tags.
+func (in Tags) DeepCopy() Tags {
+	if in == nil {
+		return nil
+	}
+	out := new(Tags)
+	in.DeepCopyInto(out)
+	return *out
+}

k8s-operator/conditions.go

@@ -0,0 +1,60 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !plan9
+
+package kube
+
+import (
+	"slices"
+
+	"go.uber.org/zap"
+	xslices "golang.org/x/exp/slices"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
+	"tailscale.com/tstime"
+)
+
+// SetConnectorCondition ensures that Connector status has a condition with the
+// given attributes. LastTransitionTime gets set every time condition's status
+// changes
+func SetConnectorCondition(cn *tsapi.Connector, conditionType tsapi.ConnectorConditionType, status metav1.ConditionStatus, reason, message string, gen int64, clock tstime.Clock, logger *zap.SugaredLogger) {
+	newCondition := tsapi.ConnectorCondition{
+		Type:               conditionType,
+		Status:             status,
+		Reason:             reason,
+		Message:            message,
+		ObservedGeneration: gen,
+	}
+
+	nowTime := metav1.NewTime(clock.Now())
+	newCondition.LastTransitionTime = &nowTime
+
+	idx := xslices.IndexFunc(cn.Status.Conditions, func(cond tsapi.ConnectorCondition) bool {
+		return cond.Type == conditionType
+	})
+
+	if idx == -1 {
+		cn.Status.Conditions = append(cn.Status.Conditions, newCondition)
+		return
+	}
+
+	// Update the existing condition
+	cond := cn.Status.Conditions[idx]
+	// If this update doesn't contain a state transition, we don't update
+	// the conditions LastTransitionTime to Now()
+	if cond.Status == status {
+		newCondition.LastTransitionTime = cond.LastTransitionTime
+	} else {
+		logger.Info("Status change for Connector condition %s from %s to %s", conditionType, cond.Status, status)
+	}
+
+	cn.Status.Conditions[idx] = newCondition
+}
+
+// RemoveConnectorCondition will remove condition of the given type
+func RemoveConnectorCondition(conn *tsapi.Connector, conditionType tsapi.ConnectorConditionType) {
+	conn.Status.Conditions = slices.DeleteFunc(conn.Status.Conditions, func(cond tsapi.ConnectorCondition) bool {
+		return cond.Type == conditionType
+	})
+}

k8s-operator/conditions_test.go

@@ -0,0 +1,102 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !plan9
+
+package kube
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"go.uber.org/zap"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
+	"tailscale.com/tstest"
+)
+
+func TestSetConnectorCondition(t *testing.T) {
+	cn := tsapi.Connector{}
+	clock := tstest.NewClock(tstest.ClockOpts{})
+	fakeNow := metav1.NewTime(clock.Now())
+	fakePast := metav1.NewTime(clock.Now().Add(-5 * time.Minute))
+	zl, err := zap.NewDevelopment()
+	assert.Nil(t, err)
+
+	// Set up a new condition
+	SetConnectorCondition(&cn, tsapi.ConnectorReady, metav1.ConditionTrue, "someReason", "someMsg", 1, clock, zl.Sugar())
+	assert.Equal(t, cn, tsapi.Connector{
+		Status: tsapi.ConnectorStatus{
+			Conditions: []tsapi.ConnectorCondition{
+				{
+					Type:               tsapi.ConnectorReady,
+					Status:             metav1.ConditionTrue,
+					Reason:             "someReason",
+					Message:            "someMsg",
+					ObservedGeneration: 1,
+					LastTransitionTime: &fakeNow,
+				},
+			},
+		},
+	})
+
+	// Modify status of an existing condition
+	cn.Status = tsapi.ConnectorStatus{
+		Conditions: []tsapi.ConnectorCondition{
+			{
+				Type:               tsapi.ConnectorReady,
+				Status:             metav1.ConditionFalse,
+				Reason:             "someReason",
+				Message:            "someMsg",
+				ObservedGeneration: 1,
+				LastTransitionTime: &fakePast,
+			},
+		},
+	}
+	SetConnectorCondition(&cn, tsapi.ConnectorReady, metav1.ConditionTrue, "anotherReason", "anotherMsg", 2, clock, zl.Sugar())
+	assert.Equal(t, cn, tsapi.Connector{
+		Status: tsapi.ConnectorStatus{
+			Conditions: []tsapi.ConnectorCondition{
+				{
+					Type:               tsapi.ConnectorReady,
+					Status:             metav1.ConditionTrue,
+					Reason:             "anotherReason",
+					Message:            "anotherMsg",
+					ObservedGeneration: 2,
+					LastTransitionTime: &fakeNow,
+				},
+			},
+		},
+	})
+
+	// Don't modify last transition time if status hasn't changed
+	cn.Status = tsapi.ConnectorStatus{
+		Conditions: []tsapi.ConnectorCondition{
+			{
+				Type:               tsapi.ConnectorReady,
+				Status:             metav1.ConditionTrue,
+				Reason:             "someReason",
+				Message:            "someMsg",
+				ObservedGeneration: 1,
+				LastTransitionTime: &fakePast,
+			},
+		},
+	}
+	SetConnectorCondition(&cn, tsapi.ConnectorReady, metav1.ConditionTrue, "anotherReason", "anotherMsg", 2, clock, zl.Sugar())
+	assert.Equal(t, cn, tsapi.Connector{
+		Status: tsapi.ConnectorStatus{
+			Conditions: []tsapi.ConnectorCondition{
+				{
+					Type:               tsapi.ConnectorReady,
+					Status:             metav1.ConditionTrue,
+					Reason:             "anotherReason",
+					Message:            "anotherMsg",
+					ObservedGeneration: 2,
+					LastTransitionTime: &fakePast,
+				},
+			},
+		},
+	})
+
+}

licenses/apple.md

@@ -41,9 +41,9 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
  - [github.com/jmespath/go-jmespath](https://pkg.go.dev/github.com/jmespath/go-jmespath) ([Apache-2.0](https://github.com/jmespath/go-jmespath/blob/v0.4.0/LICENSE))
  - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/5c7d0dd6ab86/license))
  - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/v1.3.5/LICENSE.md))
- - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.0/LICENSE))
- - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.0/internal/snapref/LICENSE))
- - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.0/zstd/internal/xxhash/LICENSE.txt))
+ - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.4/LICENSE))
+ - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.4/internal/snapref/LICENSE))
+ - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.4/zstd/internal/xxhash/LICENSE.txt))
  - [github.com/kortschak/wol](https://pkg.go.dev/github.com/kortschak/wol) ([BSD-3-Clause](https://github.com/kortschak/wol/blob/da482cc4850a/LICENSE))
  - [github.com/mdlayher/genetlink](https://pkg.go.dev/github.com/mdlayher/genetlink) ([MIT](https://github.com/mdlayher/genetlink/blob/v1.3.2/LICENSE.md))
  - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.7.2/LICENSE.md))

licenses/tailscale.md

@@ -53,9 +53,9 @@ Some packages may only be included on certain architectures or operating systems
  - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/5c7d0dd6ab86/license))
  - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/v1.3.5/LICENSE.md))
  - [github.com/kballard/go-shellquote](https://pkg.go.dev/github.com/kballard/go-shellquote) ([MIT](https://github.com/kballard/go-shellquote/blob/95032a82bc51/LICENSE))
- - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.0/LICENSE))
- - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.0/internal/snapref/LICENSE))
- - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.0/zstd/internal/xxhash/LICENSE.txt))
+ - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.4/LICENSE))
+ - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.4/internal/snapref/LICENSE))
+ - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.4/zstd/internal/xxhash/LICENSE.txt))
  - [github.com/kortschak/wol](https://pkg.go.dev/github.com/kortschak/wol) ([BSD-3-Clause](https://github.com/kortschak/wol/blob/da482cc4850a/LICENSE))
  - [github.com/kr/fs](https://pkg.go.dev/github.com/kr/fs) ([BSD-3-Clause](https://github.com/kr/fs/blob/v0.1.0/LICENSE))
  - [github.com/mattn/go-colorable](https://pkg.go.dev/github.com/mattn/go-colorable) ([MIT](https://github.com/mattn/go-colorable/blob/v0.1.13/LICENSE))
@@ -77,7 +77,7 @@ Some packages may only be included on certain architectures or operating systems
  - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/f0b76a10a08e/LICENSE))
  - [github.com/tailscale/hujson](https://pkg.go.dev/github.com/tailscale/hujson) ([BSD-3-Clause](https://github.com/tailscale/hujson/blob/20486734a56a/LICENSE))
  - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
- - [github.com/tailscale/web-client-prebuilt](https://pkg.go.dev/github.com/tailscale/web-client-prebuilt) ([BSD-3-Clause](https://github.com/tailscale/web-client-prebuilt/blob/3a45625fe806/LICENSE))
+ - [github.com/tailscale/web-client-prebuilt](https://pkg.go.dev/github.com/tailscale/web-client-prebuilt) ([BSD-3-Clause](https://github.com/tailscale/web-client-prebuilt/blob/a4fa669015b2/LICENSE))
  - [github.com/tailscale/wireguard-go](https://pkg.go.dev/github.com/tailscale/wireguard-go) ([MIT](https://github.com/tailscale/wireguard-go/blob/cc193a0b3272/LICENSE))
  - [github.com/tcnksm/go-httpstat](https://pkg.go.dev/github.com/tcnksm/go-httpstat) ([MIT](https://github.com/tcnksm/go-httpstat/blob/v0.2.0/LICENSE))
  - [github.com/toqueteos/webbrowser](https://pkg.go.dev/github.com/toqueteos/webbrowser) ([MIT](https://github.com/toqueteos/webbrowser/blob/v1.2.0/LICENSE.md))

licenses/windows.md

@@ -13,8 +13,23 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
  - [github.com/alexbrainman/sspi](https://pkg.go.dev/github.com/alexbrainman/sspi) ([BSD-3-Clause](https://github.com/alexbrainman/sspi/blob/1a75b4708caa/LICENSE))
  - [github.com/apenwarr/fixconsole](https://pkg.go.dev/github.com/apenwarr/fixconsole) ([Apache-2.0](https://github.com/apenwarr/fixconsole/blob/5a9f6489cc29/LICENSE))
  - [github.com/apenwarr/w32](https://pkg.go.dev/github.com/apenwarr/w32) ([BSD-3-Clause](https://github.com/apenwarr/w32/blob/aa00fece76ab/LICENSE))
+ - [github.com/aws/aws-sdk-go-v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/v1.21.0/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/config](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/config) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/config/v1.18.42/config/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/credentials](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/credentials) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/credentials/v1.13.40/credentials/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/feature/ec2/imds](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/feature/ec2/imds) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/feature/ec2/imds/v1.13.11/feature/ec2/imds/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/configsources](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/configsources) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/configsources/v1.1.41/internal/configsources/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/endpoints/v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/endpoints/v2.4.35/internal/endpoints/v2/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/ini](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/ini) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/ini/v1.3.43/internal/ini/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/aws-sdk-go-v2/blob/v1.21.0/internal/sync/singleflight/LICENSE))
+ - [github.com/aws/aws-sdk-go-v2/service/internal/presigned-url](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/internal/presigned-url/v1.9.35/service/internal/presigned-url/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/ssm](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssm) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssm/v1.38.0/service/ssm/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/sso](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sso) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sso/v1.14.1/service/sso/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/ssooidc](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssooidc) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssooidc/v1.17.1/service/ssooidc/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/sts](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sts/v1.22.0/service/sts/LICENSE.txt))
+ - [github.com/aws/smithy-go](https://pkg.go.dev/github.com/aws/smithy-go) ([Apache-2.0](https://github.com/aws/smithy-go/blob/v1.14.2/LICENSE))
+ - [github.com/aws/smithy-go/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/smithy-go/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/smithy-go/blob/v1.14.2/internal/sync/singleflight/LICENSE))
  - [github.com/coreos/go-iptables/iptables](https://pkg.go.dev/github.com/coreos/go-iptables/iptables) ([Apache-2.0](https://github.com/coreos/go-iptables/blob/v0.7.0/LICENSE))
- - [github.com/dblohm7/wingoes](https://pkg.go.dev/github.com/dblohm7/wingoes) ([BSD-3-Clause](https://github.com/dblohm7/wingoes/blob/e994401fc077/LICENSE))
+ - [github.com/dblohm7/wingoes](https://pkg.go.dev/github.com/dblohm7/wingoes) ([BSD-3-Clause](https://github.com/dblohm7/wingoes/blob/65927751e9eb/LICENSE))
  - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.5.0/LICENSE))
  - [github.com/golang/groupcache/lru](https://pkg.go.dev/github.com/golang/groupcache/lru) ([Apache-2.0](https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE))
  - [github.com/google/btree](https://pkg.go.dev/github.com/google/btree) ([Apache-2.0](https://github.com/google/btree/blob/v1.1.2/LICENSE))
@@ -22,11 +37,12 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
  - [github.com/google/uuid](https://pkg.go.dev/github.com/google/uuid) ([BSD-3-Clause](https://github.com/google/uuid/blob/v1.3.1/LICENSE))
  - [github.com/gregjones/httpcache](https://pkg.go.dev/github.com/gregjones/httpcache) ([MIT](https://github.com/gregjones/httpcache/blob/901d90724c79/LICENSE.txt))
  - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/v0.1.0/LICENSE))
+ - [github.com/jmespath/go-jmespath](https://pkg.go.dev/github.com/jmespath/go-jmespath) ([Apache-2.0](https://github.com/jmespath/go-jmespath/blob/v0.4.0/LICENSE))
  - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/5c7d0dd6ab86/license))
  - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/v1.3.5/LICENSE.md))
- - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.0/LICENSE))
- - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.0/internal/snapref/LICENSE))
- - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.0/zstd/internal/xxhash/LICENSE.txt))
+ - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.4/LICENSE))
+ - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.4/internal/snapref/LICENSE))
+ - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.4/zstd/internal/xxhash/LICENSE.txt))
  - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.7.2/LICENSE.md))
  - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.5.0/LICENSE.md))
  - [github.com/miekg/dns](https://pkg.go.dev/github.com/miekg/dns) ([BSD-3-Clause](https://github.com/miekg/dns/blob/v1.1.56/LICENSE))
@@ -36,8 +52,8 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
  - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
  - [github.com/tailscale/go-winio](https://pkg.go.dev/github.com/tailscale/go-winio) ([MIT](https://github.com/tailscale/go-winio/blob/c4f33415bf55/LICENSE))
  - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
- - [github.com/tailscale/walk](https://pkg.go.dev/github.com/tailscale/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/dff4ed649e49/LICENSE))
- - [github.com/tailscale/win](https://pkg.go.dev/github.com/tailscale/win) ([BSD-3-Clause](https://github.com/tailscale/win/blob/84569fd814a9/LICENSE))
+ - [github.com/tailscale/walk](https://pkg.go.dev/github.com/tailscale/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/95b7e17614b9/LICENSE))
+ - [github.com/tailscale/win](https://pkg.go.dev/github.com/tailscale/win) ([BSD-3-Clause](https://github.com/tailscale/win/blob/d2e5cdeed6dc/LICENSE))
  - [github.com/tc-hib/winres](https://pkg.go.dev/github.com/tc-hib/winres) ([0BSD](https://github.com/tc-hib/winres/blob/v0.2.1/LICENSE))
  - [github.com/vishvananda/netlink/nl](https://pkg.go.dev/github.com/vishvananda/netlink/nl) ([Apache-2.0](https://github.com/vishvananda/netlink/blob/v1.2.1-beta.2/LICENSE))
  - [github.com/vishvananda/netns](https://pkg.go.dev/github.com/vishvananda/netns) ([Apache-2.0](https://github.com/vishvananda/netns/blob/v0.0.4/LICENSE))

logpolicy/logpolicy.go

@@ -48,8 +48,8 @@ import (
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/must"
 	"tailscale.com/util/racebuild"
+	"tailscale.com/util/syspolicy"
 	"tailscale.com/util/testenv"
-	"tailscale.com/util/winutil"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
 )
@@ -61,14 +61,8 @@ var getLogTargetOnce struct {
 
 func getLogTarget() string {
 	getLogTargetOnce.Do(func() {
-		if val, ok := os.LookupEnv("TS_LOG_TARGET"); ok {
-			getLogTargetOnce.v = val
-		} else {
-			if runtime.GOOS == "windows" {
-				logTarget, _ := winutil.GetRegString("LogTarget")
-				getLogTargetOnce.v = logTarget
-			}
-		}
+		envTarget, _ := os.LookupEnv("TS_LOG_TARGET")
+		getLogTargetOnce.v, _ = syspolicy.GetString(syspolicy.LogTarget, envTarget)
 	})
 
 	return getLogTargetOnce.v
@@ -714,7 +708,7 @@ func dialContext(ctx context.Context, netw, addr string, netMon *netmon.Monitor,
 	}
 
 	if version.IsWindowsGUI() && strings.HasPrefix(netw, "tcp") {
-		if c, err := safesocket.Connect(safesocket.DefaultConnectionStrategy("")); err == nil {
+		if c, err := safesocket.Connect(""); err == nil {
 			fmt.Fprintf(c, "CONNECT %s HTTP/1.0\r\n\r\n", addr)
 			br := bufio.NewReader(c)
 			res, err := http.ReadResponse(br, nil)

logtail/logtail.go

@@ -15,7 +15,9 @@ import (
 	"log"
 	mrand "math/rand"
 	"net/http"
+	"net/netip"
 	"os"
+	"regexp"
 	"strconv"
 	"sync"
 	"sync/atomic"
@@ -24,6 +26,7 @@ import (
 	"tailscale.com/envknob"
 	"tailscale.com/net/netmon"
 	"tailscale.com/net/sockstats"
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/tstime"
 	tslogger "tailscale.com/types/logger"
 	"tailscale.com/types/logid"
@@ -725,6 +728,8 @@ func (l *Logger) Logf(format string, args ...any) {
 	fmt.Fprintf(l, format, args...)
 }
 
+var obscureIPs = envknob.RegisterBool("TS_OBSCURE_LOGGED_IPS")
+
 // Write logs an encoded JSON blob.
 //
 // If the []byte passed to Write is not an encoded JSON blob,
@@ -749,6 +754,10 @@ func (l *Logger) Write(buf []byte) (int, error) {
 		}
 	}
 
+	if obscureIPs() {
+		buf = redactIPs(buf)
+	}
+
 	l.writeLock.Lock()
 	defer l.writeLock.Unlock()
 
@@ -757,6 +766,40 @@ func (l *Logger) Write(buf []byte) (int, error) {
 	return inLen, err
 }
 
+var (
+	regexMatchesIPv6 = regexp.MustCompile(`([0-9a-fA-F]{1,4}):([0-9a-fA-F]{1,4}):([0-9a-fA-F:]{1,4})*`)
+	regexMatchesIPv4 = regexp.MustCompile(`(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}`)
+)
+
+// redactIPs is a helper function used in Write() to redact IPs (other than tailscale IPs).
+// This function takes a log line as a byte slice and
+// uses regex matching to parse and find IP addresses. Based on if the IP address is IPv4 or
+// IPv6, it parses and replaces the end of the addresses with an "x". This function returns the
+// log line with the IPs redacted.
+func redactIPs(buf []byte) []byte {
+	out := regexMatchesIPv6.ReplaceAllFunc(buf, func(b []byte) []byte {
+		ip, err := netip.ParseAddr(string(b))
+		if err != nil || tsaddr.IsTailscaleIP(ip) {
+			return b // don't change this one
+		}
+
+		prefix := bytes.Split(b, []byte(":"))
+		return bytes.Join(append(prefix[:2], []byte("x")), []byte(":"))
+	})
+
+	out = regexMatchesIPv4.ReplaceAllFunc(out, func(b []byte) []byte {
+		ip, err := netip.ParseAddr(string(b))
+		if err != nil || tsaddr.IsTailscaleIP(ip) {
+			return b // don't change this one
+		}
+
+		prefix := bytes.Split(b, []byte("."))
+		return bytes.Join(append(prefix[:2], []byte("x.x")), []byte("."))
+	})
+
+	return []byte(out)
+}
+
 var (
 	openBracketV = []byte("[v")
 	v1           = []byte("[v1] ")

logtail/logtail_test.go

@@ -14,6 +14,7 @@ import (
 	"testing"
 	"time"
 
+	"tailscale.com/envknob"
 	"tailscale.com/tstest"
 	"tailscale.com/tstime"
 )
@@ -406,3 +407,82 @@ func TestLoggerWriteResult(t *testing.T) {
 		t.Errorf("mismatch.\n got: %#q\nwant: %#q", back, want)
 	}
 }
+func TestRedact(t *testing.T) {
+	envknob.Setenv("TS_OBSCURE_LOGGED_IPS", "true")
+	tests := []struct {
+		in   string
+		want string
+	}{
+		// tests for ipv4 addresses
+		{
+			"120.100.30.47",
+			"120.100.x.x",
+		},
+		{
+			"192.167.0.1/65",
+			"192.167.x.x/65",
+		},
+		{
+			"node [5Btdd] d:e89a3384f526d251 now using 10.0.0.222:41641 mtu=1360 tx=d81a8a35a0ce",
+			"node [5Btdd] d:e89a3384f526d251 now using 10.0.x.x:41641 mtu=1360 tx=d81a8a35a0ce",
+		},
+		//tests for ipv6 addresses
+		{
+			"2001:0db8:85a3:0000:0000:8a2e:0370:7334",
+			"2001:0db8:x",
+		},
+		{
+			"2345:0425:2CA1:0000:0000:0567:5673:23b5",
+			"2345:0425:x",
+		},
+		{
+			"2601:645:8200:edf0::c9de/64",
+			"2601:645:x/64",
+		},
+		{
+			"node [5Btdd] d:e89a3384f526d251 now using 2051:0000:140F::875B:131C mtu=1360 tx=d81a8a35a0ce",
+			"node [5Btdd] d:e89a3384f526d251 now using 2051:0000:x mtu=1360 tx=d81a8a35a0ce",
+		},
+		{
+			"2601:645:8200:edf0::c9de/64 2601:645:8200:edf0:1ce9:b17d:71f5:f6a3/64",
+			"2601:645:x/64 2601:645:x/64",
+		},
+		//tests for tailscale ip addresses
+		{
+			"100.64.5.6",
+			"100.64.5.6",
+		},
+		{
+			"fd7a:115c:a1e0::/96",
+			"fd7a:115c:a1e0::/96",
+		},
+		//tests for ipv6 and ipv4 together
+		{
+			"192.167.0.1 2001:0db8:85a3:0000:0000:8a2e:0370:7334",
+			"192.167.x.x 2001:0db8:x",
+		},
+		{
+			"node [5Btdd] d:e89a3384f526d251 now using 10.0.0.222:41641 mtu=1360 tx=d81a8a35a0ce 2345:0425:2CA1::0567:5673:23b5",
+			"node [5Btdd] d:e89a3384f526d251 now using 10.0.x.x:41641 mtu=1360 tx=d81a8a35a0ce 2345:0425:x",
+		},
+		{
+			"100.64.5.6 2091:0db8:85a3:0000:0000:8a2e:0370:7334",
+			"100.64.5.6 2091:0db8:x",
+		},
+		{
+			"192.167.0.1 120.100.30.47 2041:0000:140F::875B:131B",
+			"192.167.x.x 120.100.x.x 2041:0000:x",
+		},
+		{
+			"fd7a:115c:a1e0::/96 192.167.0.1 2001:0db8:85a3:0000:0000:8a2e:0370:7334",
+			"fd7a:115c:a1e0::/96 192.167.x.x 2001:0db8:x",
+		},
+	}
+
+	for _, tt := range tests {
+		gotBuf := redactIPs([]byte(tt.in))
+		if string(gotBuf) != tt.want {
+			t.Errorf("for %q,\n got: %#q\nwant: %#q\n", tt.in, gotBuf, tt.want)
+		}
+	}
+}

net/art/stride_table.go

@@ -240,15 +240,6 @@ func (t *strideTable[T]) tableDebugString() string {
 	return ret.String()
 }
 
-// treeDebugString returns the contents of t, formatted as a sparse tree. Each
-// line is one entry, indented such that it is contained by all its parents, and
-// non-overlapping with any of its siblings.
-func (t *strideTable[T]) treeDebugString() string {
-	var ret bytes.Buffer
-	t.treeDebugStringRec(&ret, 1, 0) // index of 0/0, and 0 indent
-	return ret.String()
-}
-
 func (t *strideTable[T]) treeDebugStringRec(w io.Writer, idx, indent int) {
 	addr, len := inversePrefixIndex(idx)
 	if t.hasPrefixRootedAt(idx) {

net/art/stride_table_test.go

@@ -348,12 +348,6 @@ func (t *slowTable[T]) String() string {
 	return ret.String()
 }
 
-func (t *slowTable[T]) insert(addr uint8, prefixLen int, val T) {
-	t.delete(addr, prefixLen) // no-op if prefix doesn't exist
-
-	t.prefixes = append(t.prefixes, slowEntry[T]{addr, prefixLen, val})
-}
-
 func (t *slowTable[T]) delete(addr uint8, prefixLen int) {
 	pfx := make([]slowEntry[T], 0, len(t.prefixes))
 	for _, e := range t.prefixes {

net/art/table_test.go

@@ -968,8 +968,6 @@ func BenchmarkTableDelete(b *testing.B) {
 	})
 }
 
-var addrSink netip.Addr
-
 func BenchmarkTableGet(b *testing.B) {
 	forFamilyAndCount(b, func(b *testing.B, routes []slowPrefixEntry[int]) {
 		genAddr := randomAddr4
@@ -1106,18 +1104,6 @@ type slowPrefixEntry[T any] struct {
 	val T
 }
 
-func (t *slowPrefixTable[T]) delete(pfx netip.Prefix) {
-	pfx = pfx.Masked()
-	ret := make([]slowPrefixEntry[T], 0, len(t.prefixes))
-	for _, ent := range t.prefixes {
-		if ent.pfx == pfx {
-			continue
-		}
-		ret = append(ret, ent)
-	}
-	t.prefixes = ret
-}
-
 func (t *slowPrefixTable[T]) insert(pfx netip.Prefix, val T) {
 	pfx = pfx.Masked()
 	for i, ent := range t.prefixes {
@@ -1230,26 +1216,3 @@ func roundFloat64(f float64) float64 {
 	}
 	return ret
 }
-
-func minimize(pfxs []slowPrefixEntry[int], f func(skip map[netip.Prefix]bool) error) (map[netip.Prefix]bool, error) {
-	if f(nil) == nil {
-		return nil, nil
-	}
-
-	remove := map[netip.Prefix]bool{}
-	for lastLen := -1; len(remove) != lastLen; lastLen = len(remove) {
-		fmt.Println("len is ", len(remove))
-		for i, pfx := range pfxs {
-			if remove[pfx.pfx] {
-				continue
-			}
-			remove[pfx.pfx] = true
-			fmt.Printf("%d %d: trying without %s\n", i, len(remove), pfx.pfx)
-			if f(remove) == nil {
-				delete(remove, pfx.pfx)
-			}
-		}
-	}
-
-	return remove, f(remove)
-}