util/execqueue: add metrics

Expose enough metrics to get a sense of queue depth, use and if it has stalled. Updates tailscale/corp#26058 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I271ac8d03f3db587a33aca6964fe92f2833e1251
2025-01-24 13:17:19 -08:00
124 changed files with 1213 additions and 9641 deletions
--- a/.github/workflows/checklocks.yml
+++ b/.github/workflows/checklocks.yml
@@ -18,7 +18,7 @@ jobs:
    runs-on: [ ubuntu-latest ]
    steps:
      - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Build checklocks
        run: ./tool/go build -o /tmp/checklocks gvisor.dev/gvisor/tools/checklocks/cmd/checklocks
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -45,17 +45,17 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

    # Install a more recent Go that understands modern go.mod content.
    - name: Install Go
-      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+      uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
      with:
        go-version-file: go.mod

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
+      uses: github/codeql-action/init@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
@@ -66,7 +66,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
+      uses: github/codeql-action/autobuild@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -80,4 +80,4 @@ jobs:
    #   make release

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
+      uses: github/codeql-action/analyze@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
--- a/.github/workflows/docker-file-build.yml
+++ b/.github/workflows/docker-file-build.yml
@@ -10,6 +10,6 @@ jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: "Build Docker image"
      run: docker build .
--- a/.github/workflows/flakehub-publish-tagged.yml
+++ b/.github/workflows/flakehub-publish-tagged.yml
@@ -17,7 +17,7 @@ jobs:
      id-token: "write"
      contents: "read"
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}"
      - uses: "DeterminateSystems/nix-installer-action@main"
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -23,9 +23,9 @@ jobs:
    name: lint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

-      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: go.mod
          cache: false
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -14,7 +14,7 @@ jobs:

    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Install govulncheck
        run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@latest
--- a/.github/workflows/installer.yml
+++ b/.github/workflows/installer.yml
@@ -36,6 +36,7 @@ jobs:
          - "ubuntu:24.04"
          - "elementary/docker:stable"
          - "elementary/docker:unstable"
+          - "parrotsec/core:lts-amd64"
          - "parrotsec/core:latest"
          - "kalilinux/kali-rolling"
          - "kalilinux/kali-dev"
@@ -91,7 +92,10 @@ jobs:
        || contains(matrix.image, 'parrotsec')
        || contains(matrix.image, 'kalilinux')
    - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      # We cannot use v4, as it requires a newer glibc version than some of the
+      # tested images provide. See
+      # https://github.com/actions/checkout/issues/1487
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
    - name: run installer
      run: scripts/installer.sh
      # Package installation can fail in docker because systemd is not running
--- a/.github/workflows/kubemanifests.yaml
+++ b/.github/workflows/kubemanifests.yaml
@@ -17,7 +17,7 @@ jobs:
    runs-on: [ ubuntu-latest ]
    steps:
    - name: Check out code
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Build and lint Helm chart
      run: |
        eval `./tool/go run ./cmd/mkversion`
--- a/.github/workflows/ssh-integrationtest.yml
+++ b/.github/workflows/ssh-integrationtest.yml
@@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Run SSH integration tests
        run: |
          make sshintegrationtest
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -50,7 +50,7 @@ jobs:
          - shard: '4/4'
    steps:
    - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: build test wrapper
      run: ./tool/go build -o /tmp/testwrapper ./cmd/testwrapper
    - name: integration tests as root
@@ -78,7 +78,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Restore Cache
      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
      with:
@@ -150,10 +150,10 @@ jobs:
    runs-on: windows-2022
    steps:
    - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

    - name: Install Go
-      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+      uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
      with:
        go-version-file: go.mod
        cache: false
@@ -190,7 +190,7 @@ jobs:
      options: --privileged
    steps:
    - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: chown
      run: chown -R $(id -u):$(id -g) $PWD
    - name: privileged tests
@@ -202,7 +202,7 @@ jobs:
    if: github.repository == 'tailscale/tailscale'
    steps:
    - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Run VM tests
      run: ./tool/go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
      env:
@@ -214,7 +214,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: build all
      run: ./tool/go install -race ./cmd/...
    - name: build tests
@@ -258,7 +258,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Restore Cache
      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
      with:
@@ -295,7 +295,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: build some
      run: ./tool/go build ./ipn/... ./wgengine/ ./types/... ./control/controlclient
      env:
@@ -323,7 +323,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Restore Cache
      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
      with:
@@ -356,7 +356,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
      # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
      # some Android breakages early.
@@ -371,7 +371,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Restore Cache
      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
      with:
@@ -405,7 +405,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: test tailscale_go
      run: ./tool/go test -tags=tailscale_go,ts_enable_sockstats ./net/sockstats/...

@@ -477,17 +477,17 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: check depaware
      run: |
        export PATH=$(./tool/go env GOROOT)/bin:$PATH
-        find . -name 'depaware.txt' | xargs -n1 dirname | xargs ./tool/go run github.com/tailscale/depaware --check --internal
+        find . -name 'depaware.txt' | xargs -n1 dirname | xargs ./tool/go run github.com/tailscale/depaware --check

  go_generate:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: check that 'go generate' is clean
      run: |
        pkgs=$(./tool/go list ./... | grep -Ev 'dnsfallback|k8s-operator|xdp')
@@ -500,7 +500,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: check that 'go mod tidy' is clean
      run: |
        ./tool/go mod tidy
@@ -512,7 +512,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: check licenses
      run: ./scripts/check_license_headers.sh .

@@ -528,7 +528,7 @@ jobs:
            goarch: "386"
    steps:
    - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: install staticcheck
      run: GOBIN=~/.local/bin ./tool/go install honnef.co/go/tools/cmd/staticcheck
    - name: run staticcheck
--- a/.github/workflows/update-flake.yml
+++ b/.github/workflows/update-flake.yml
@@ -21,7 +21,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Run update-flakes
        run: ./update-flake.sh
--- a/.github/workflows/update-webclient-prebuilt.yml
+++ b/.github/workflows/update-webclient-prebuilt.yml
@@ -14,7 +14,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Run go get
        run: |
--- a/.github/workflows/webclient.yml
+++ b/.github/workflows/webclient.yml
@@ -24,7 +24,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Install deps
        run: ./tool/yarn --cwd client/web
      - name: Run lint
--- a/4
+++ b/4
@@ -17,7 +17,7 @@ lint: ## Run golangci-lint
 updatedeps: ## Update depaware deps
 	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
 	# it finds in its $$PATH is the right one.
-	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --update --internal \
+	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --update \
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
 		tailscale.com/cmd/derper \
@@ -27,7 +27,7 @@ updatedeps: ## Update depaware deps
 depaware: ## Run depaware checks
 	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
 	# it finds in its $$PATH is the right one.
-	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --check --internal \
+	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --check \
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
 		tailscale.com/cmd/derper \
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.80.2
+1.79.0
--- a/build_dist.sh
+++ b/build_dist.sh
@@ -37,7 +37,7 @@ while [ "$#" -gt 1 ]; do
 	--extra-small)
 		shift
 		ldflags="$ldflags -w -s"
-		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube,ts_omit_completion,ts_omit_ssh,ts_omit_wakeonlan,ts_omit_capture"
+		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube,ts_omit_completion,ts_omit_ssh,ts_omit_wakeonlan"
 		;;
 	--box)
 		shift
--- a/client/web/src/components/views/login-view.tsx
+++ b/client/web/src/components/views/login-view.tsx
@@ -1,11 +1,13 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-import React from "react"
+import React, { useState } from "react"
 import { useAPI } from "src/api"
 import TailscaleIcon from "src/assets/icons/tailscale-icon.svg?react"
 import { NodeData } from "src/types"
 import Button from "src/ui/button"
+import Collapsible from "src/ui/collapsible"
+import Input from "src/ui/input"

 /**
 * LoginView is rendered when the client is not authenticated
@@ -13,6 +15,8 @@ import Button from "src/ui/button"
 */
 export default function LoginView({ data }: { data: NodeData }) {
  const api = useAPI()
+  const [controlURL, setControlURL] = useState<string>("")
+  const [authKey, setAuthKey] = useState<string>("")

  return (
    <div className="mb-8 py-6 px-8 bg-white rounded-md shadow-2xl">
@@ -84,6 +88,8 @@ export default function LoginView({ data }: { data: NodeData }) {
                action: "up",
                data: {
                  Reauthenticate: true,
+                  ControlURL: controlURL,
+                  AuthKey: authKey,
                },
              })
            }
@@ -92,6 +98,34 @@ export default function LoginView({ data }: { data: NodeData }) {
          >
            Log In
          </Button>
+          <Collapsible trigger="Advanced options">
+            <h4 className="font-medium mb-1 mt-2">Auth Key</h4>
+            <p className="text-sm text-gray-500">
+              Connect with a pre-authenticated key.{" "}
+              <a
+                href="https://tailscale.com/kb/1085/auth-keys/"
+                className="link"
+                target="_blank"
+                rel="noreferrer"
+              >
+                Learn more &rarr;
+              </a>
+            </p>
+            <Input
+              className="mt-2"
+              value={authKey}
+              onChange={(e) => setAuthKey(e.target.value)}
+              placeholder="tskey-auth-XXX"
+            />
+            <h4 className="font-medium mt-3 mb-1">Server URL</h4>
+            <p className="text-sm text-gray-500">Base URL of control server.</p>
+            <Input
+              className="mt-2"
+              value={controlURL}
+              onChange={(e) => setControlURL(e.target.value)}
+              placeholder="https://login.tailscale.com/"
+            />
+          </Collapsible>
        </>
      )}
    </div>
--- a/client/web/web.go
+++ b/client/web/web.go
@@ -211,25 +211,15 @@ func NewServer(opts ServerOpts) (s *Server, err error) {
 	// The client is secured by limiting the interface it listens on,
 	// or by authenticating requests before they reach the web client.
 	csrfProtect := csrf.Protect(s.csrfKey(), csrf.Secure(false))
-
-	// signal to the CSRF middleware that the request is being served over
-	// plaintext HTTP to skip TLS-only header checks.
-	withSetPlaintext := func(h http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			r = csrf.PlaintextHTTPRequest(r)
-			h.ServeHTTP(w, r)
-		})
-	}
-
 	switch s.mode {
 	case LoginServerMode:
-		s.apiHandler = csrfProtect(withSetPlaintext(http.HandlerFunc(s.serveLoginAPI)))
+		s.apiHandler = csrfProtect(http.HandlerFunc(s.serveLoginAPI))
 		metric = "web_login_client_initialization"
 	case ReadOnlyServerMode:
-		s.apiHandler = csrfProtect(withSetPlaintext(http.HandlerFunc(s.serveLoginAPI)))
+		s.apiHandler = csrfProtect(http.HandlerFunc(s.serveLoginAPI))
 		metric = "web_readonly_client_initialization"
 	case ManageServerMode:
-		s.apiHandler = csrfProtect(withSetPlaintext(http.HandlerFunc(s.serveAPI)))
+		s.apiHandler = csrfProtect(http.HandlerFunc(s.serveAPI))
 		metric = "web_client_initialization"
 	}

--- a/cmd/containerboot/healthz.go
+++ b/cmd/containerboot/healthz.go
@@ -6,12 +6,9 @@
 package main

 import (
-	"fmt"
 	"log"
 	"net/http"
 	"sync"
-
-	"tailscale.com/kube/kubetypes"
 )

 // healthz is a simple health check server, if enabled it returns 200 OK if
@@ -20,7 +17,6 @@ import (
 type healthz struct {
 	sync.Mutex
 	hasAddrs bool
-	podIPv4  string
 }

 func (h *healthz) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@@ -28,10 +24,7 @@ func (h *healthz) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	defer h.Unlock()

 	if h.hasAddrs {
-		w.Header().Add(kubetypes.PodIPv4Header, h.podIPv4)
-		if _, err := w.Write([]byte("ok")); err != nil {
-			http.Error(w, fmt.Sprintf("error writing status: %v", err), http.StatusInternalServerError)
-		}
+		w.Write([]byte("ok"))
 	} else {
 		http.Error(w, "node currently has no tailscale IPs", http.StatusServiceUnavailable)
 	}
@@ -50,8 +43,8 @@ func (h *healthz) update(healthy bool) {
 // healthHandlers registers a simple health handler at /healthz.
 // A containerized tailscale instance is considered healthy if
 // it has at least one tailnet IP address.
-func healthHandlers(mux *http.ServeMux, podIPv4 string) *healthz {
-	h := &healthz{podIPv4: podIPv4}
+func healthHandlers(mux *http.ServeMux) *healthz {
+	h := &healthz{}
 	mux.Handle("GET /healthz", h)
 	return h
 }
--- a/cmd/containerboot/kube.go
+++ b/cmd/containerboot/kube.go
@@ -8,22 +8,15 @@ package main
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
-	"log"
 	"net/http"
 	"net/netip"
 	"os"
-	"strings"
-	"time"

-	"tailscale.com/ipn"
 	"tailscale.com/kube/kubeapi"
 	"tailscale.com/kube/kubeclient"
 	"tailscale.com/kube/kubetypes"
-	"tailscale.com/logtail/backoff"
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/logger"
 )

 // kubeClient is a wrapper around Tailscale's internal kube client that knows how to talk to the kube API server. We use
@@ -133,62 +126,3 @@ func (kc *kubeClient) storeCapVerUID(ctx context.Context, podUID string) error {
 	}
 	return kc.StrategicMergePatchSecret(ctx, kc.stateSecret, s, "tailscale-container")
 }
-
-// waitForConsistentState waits for tailscaled to finish writing state if it
-// looks like it's started. It is designed to reduce the likelihood that
-// tailscaled gets shut down in the window between authenticating to control
-// and finishing writing state. However, it's not bullet proof because we can't
-// atomically authenticate and write state.
-func (kc *kubeClient) waitForConsistentState(ctx context.Context) error {
-	var logged bool
-
-	bo := backoff.NewBackoff("", logger.Discard, 2*time.Second)
-	for {
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		default:
-		}
-		secret, err := kc.GetSecret(ctx, kc.stateSecret)
-		if ctx.Err() != nil || kubeclient.IsNotFoundErr(err) {
-			return nil
-		}
-		if err != nil {
-			return fmt.Errorf("getting Secret %q: %v", kc.stateSecret, err)
-		}
-
-		if hasConsistentState(secret.Data) {
-			return nil
-		}
-
-		if !logged {
-			log.Printf("Waiting for tailscaled to finish writing state to Secret %q", kc.stateSecret)
-			logged = true
-		}
-		bo.BackOff(ctx, errors.New("")) // Fake error to trigger actual sleep.
-	}
-}
-
-// hasConsistentState returns true is there is either no state or the full set
-// of expected keys are present.
-func hasConsistentState(d map[string][]byte) bool {
-	var (
-		_, hasCurrent = d[string(ipn.CurrentProfileStateKey)]
-		_, hasKnown   = d[string(ipn.KnownProfilesStateKey)]
-		_, hasMachine = d[string(ipn.MachineKeyStateKey)]
-		hasProfile    bool
-	)
-
-	for k := range d {
-		if strings.HasPrefix(k, "profile-") {
-			if hasProfile {
-				return false // We only expect one profile.
-			}
-			hasProfile = true
-		}
-	}
-
-	// Approximate check, we don't want to reimplement all of profileManager.
-	return (hasCurrent && hasKnown && hasMachine && hasProfile) ||
-		(!hasCurrent && !hasKnown && !hasMachine && !hasProfile)
-}
--- a/cmd/containerboot/kube_test.go
+++ b/cmd/containerboot/kube_test.go
@@ -9,10 +9,8 @@ import (
 	"context"
 	"errors"
 	"testing"
-	"time"

 	"github.com/google/go-cmp/cmp"
-	"tailscale.com/ipn"
 	"tailscale.com/kube/kubeapi"
 	"tailscale.com/kube/kubeclient"
 )
@@ -207,34 +205,3 @@ func TestSetupKube(t *testing.T) {
 		})
 	}
 }
-
-func TestWaitForConsistentState(t *testing.T) {
-	data := map[string][]byte{
-		// Missing _current-profile.
-		string(ipn.KnownProfilesStateKey): []byte(""),
-		string(ipn.MachineKeyStateKey):    []byte(""),
-		"profile-foo":                     []byte(""),
-	}
-	kc := &kubeClient{
-		Client: &kubeclient.FakeClient{
-			GetSecretImpl: func(context.Context, string) (*kubeapi.Secret, error) {
-				return &kubeapi.Secret{
-					Data: data,
-				}, nil
-			},
-		},
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
-	defer cancel()
-	if err := kc.waitForConsistentState(ctx); err != context.DeadlineExceeded {
-		t.Fatalf("expected DeadlineExceeded, got %v", err)
-	}
-
-	ctx, cancel = context.WithTimeout(context.Background(), time.Second)
-	defer cancel()
-	data[string(ipn.CurrentProfileStateKey)] = []byte("")
-	if err := kc.waitForConsistentState(ctx); err != nil {
-		t.Fatalf("expected nil, got %v", err)
-	}
-}
--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@@ -137,83 +137,53 @@ func newNetfilterRunner(logf logger.Logf) (linuxfw.NetfilterRunner, error) {
 }

 func main() {
-	if err := run(); err != nil && !errors.Is(err, context.Canceled) {
-		log.Fatal(err)
-	}
-}
-
-func run() error {
 	log.SetPrefix("boot: ")
 	tailscale.I_Acknowledge_This_API_Is_Unstable = true

 	cfg, err := configFromEnv()
 	if err != nil {
-		return fmt.Errorf("invalid configuration: %w", err)
+		log.Fatalf("invalid configuration: %v", err)
 	}

 	if !cfg.UserspaceMode {
 		if err := ensureTunFile(cfg.Root); err != nil {
-			return fmt.Errorf("unable to create tuntap device file: %w", err)
+			log.Fatalf("Unable to create tuntap device file: %v", err)
 		}
 		if cfg.ProxyTargetIP != "" || cfg.ProxyTargetDNSName != "" || cfg.Routes != nil || cfg.TailnetTargetIP != "" || cfg.TailnetTargetFQDN != "" {
 			if err := ensureIPForwarding(cfg.Root, cfg.ProxyTargetIP, cfg.TailnetTargetIP, cfg.TailnetTargetFQDN, cfg.Routes); err != nil {
 				log.Printf("Failed to enable IP forwarding: %v", err)
 				log.Printf("To run tailscale as a proxy or router container, IP forwarding must be enabled.")
 				if cfg.InKubernetes {
-					return fmt.Errorf("you can either set the sysctls as a privileged initContainer, or run the tailscale container with privileged=true.")
+					log.Fatalf("You can either set the sysctls as a privileged initContainer, or run the tailscale container with privileged=true.")
 				} else {
-					return fmt.Errorf("you can fix this by running the container with privileged=true, or the equivalent in your container runtime that permits access to sysctls.")
+					log.Fatalf("You can fix this by running the container with privileged=true, or the equivalent in your container runtime that permits access to sysctls.")
 				}
 			}
 		}
 	}

-	// Root context for the whole containerboot process, used to make sure
-	// shutdown signals are promptly and cleanly handled.
-	ctx, cancel := contextWithExitSignalWatch()
-	defer cancel()
-
-	// bootCtx is used for all setup stuff until we're in steady
+	// Context is used for all setup stuff until we're in steady
 	// state, so that if something is hanging we eventually time out
 	// and crashloop the container.
-	bootCtx, cancel := context.WithTimeout(ctx, 60*time.Second)
+	bootCtx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
 	defer cancel()

 	var kc *kubeClient
 	if cfg.InKubernetes {
 		kc, err = newKubeClient(cfg.Root, cfg.KubeSecret)
 		if err != nil {
-			return fmt.Errorf("error initializing kube client: %w", err)
+			log.Fatalf("error initializing kube client: %v", err)
 		}
 		if err := cfg.setupKube(bootCtx, kc); err != nil {
-			return fmt.Errorf("error setting up for running on Kubernetes: %w", err)
+			log.Fatalf("error setting up for running on Kubernetes: %v", err)
 		}
 	}

 	client, daemonProcess, err := startTailscaled(bootCtx, cfg)
 	if err != nil {
-		return fmt.Errorf("failed to bring up tailscale: %w", err)
+		log.Fatalf("failed to bring up tailscale: %v", err)
 	}
 	killTailscaled := func() {
-		if hasKubeStateStore(cfg) {
-			// Check we're not shutting tailscaled down while it's still writing
-			// state. If we authenticate and fail to write all the state, we'll
-			// never recover automatically.
-			//
-			// The default termination grace period for a Pod is 30s. We wait 25s at
-			// most so that we still reserve some of that budget for tailscaled
-			// to receive and react to a SIGTERM before the SIGKILL that k8s
-			// will send at the end of the grace period.
-			ctx, cancel := context.WithTimeout(context.Background(), 25*time.Second)
-			defer cancel()
-
-			log.Printf("Checking for consistent state")
-			err := kc.waitForConsistentState(ctx)
-			if err != nil {
-				log.Printf("Error waiting for consistent state on shutdown: %v", err)
-			}
-		}
-		log.Printf("Sending SIGTERM to tailscaled")
 		if err := daemonProcess.Signal(unix.SIGTERM); err != nil {
 			log.Fatalf("error shutting tailscaled down: %v", err)
 		}
@@ -221,18 +191,17 @@ func run() error {
 	defer killTailscaled()

 	var healthCheck *healthz
-	ep := &egressProxy{}
 	if cfg.HealthCheckAddrPort != "" {
 		mux := http.NewServeMux()

 		log.Printf("Running healthcheck endpoint at %s/healthz", cfg.HealthCheckAddrPort)
-		healthCheck = healthHandlers(mux, cfg.PodIPv4)
+		healthCheck = healthHandlers(mux)

 		close := runHTTPServer(mux, cfg.HealthCheckAddrPort)
 		defer close()
 	}

-	if cfg.localMetricsEnabled() || cfg.localHealthEnabled() || cfg.egressSvcsTerminateEPEnabled() {
+	if cfg.localMetricsEnabled() || cfg.localHealthEnabled() {
 		mux := http.NewServeMux()

 		if cfg.localMetricsEnabled() {
@@ -242,11 +211,7 @@ func run() error {

 		if cfg.localHealthEnabled() {
 			log.Printf("Running healthcheck endpoint at %s/healthz", cfg.LocalAddrPort)
-			healthCheck = healthHandlers(mux, cfg.PodIPv4)
-		}
-		if cfg.EgressProxiesCfgPath != "" {
-			log.Printf("Running preshutdown hook at %s%s", cfg.LocalAddrPort, kubetypes.EgessServicesPreshutdownEP)
-			ep.registerHandlers(mux)
+			healthCheck = healthHandlers(mux)
 		}

 		close := runHTTPServer(mux, cfg.LocalAddrPort)
@@ -261,7 +226,7 @@ func run() error {

 	w, err := client.WatchIPNBus(bootCtx, ipn.NotifyInitialNetMap|ipn.NotifyInitialPrefs|ipn.NotifyInitialState)
 	if err != nil {
-		return fmt.Errorf("failed to watch tailscaled for updates: %w", err)
+		log.Fatalf("failed to watch tailscaled for updates: %v", err)
 	}

 	// Now that we've started tailscaled, we can symlink the socket to the
@@ -297,18 +262,18 @@ func run() error {
 		didLogin = true
 		w.Close()
 		if err := tailscaleUp(bootCtx, cfg); err != nil {
-			return fmt.Errorf("failed to auth tailscale: %w", err)
+			return fmt.Errorf("failed to auth tailscale: %v", err)
 		}
 		w, err = client.WatchIPNBus(bootCtx, ipn.NotifyInitialNetMap|ipn.NotifyInitialState)
 		if err != nil {
-			return fmt.Errorf("rewatching tailscaled for updates after auth: %w", err)
+			return fmt.Errorf("rewatching tailscaled for updates after auth: %v", err)
 		}
 		return nil
 	}

 	if isTwoStepConfigAlwaysAuth(cfg) {
 		if err := authTailscale(); err != nil {
-			return fmt.Errorf("failed to auth tailscale: %w", err)
+			log.Fatalf("failed to auth tailscale: %v", err)
 		}
 	}

@@ -316,7 +281,7 @@ authLoop:
 	for {
 		n, err := w.Next()
 		if err != nil {
-			return fmt.Errorf("failed to read from tailscaled: %w", err)
+			log.Fatalf("failed to read from tailscaled: %v", err)
 		}

 		if n.State != nil {
@@ -325,10 +290,10 @@ authLoop:
 				if isOneStepConfig(cfg) {
 					// This could happen if this is the first time tailscaled was run for this
 					// device and the auth key was not passed via the configfile.
-					return fmt.Errorf("invalid state: tailscaled daemon started with a config file, but tailscale is not logged in: ensure you pass a valid auth key in the config file.")
+					log.Fatalf("invalid state: tailscaled daemon started with a config file, but tailscale is not logged in: ensure you pass a valid auth key in the config file.")
 				}
 				if err := authTailscale(); err != nil {
-					return fmt.Errorf("failed to auth tailscale: %w", err)
+					log.Fatalf("failed to auth tailscale: %v", err)
 				}
 			case ipn.NeedsMachineAuth:
 				log.Printf("machine authorization required, please visit the admin panel")
@@ -348,11 +313,14 @@ authLoop:

 	w.Close()

+	ctx, cancel := contextWithExitSignalWatch()
+	defer cancel()
+
 	if isTwoStepConfigAuthOnce(cfg) {
 		// Now that we are authenticated, we can set/reset any of the
 		// settings that we need to.
 		if err := tailscaleSet(ctx, cfg); err != nil {
-			return fmt.Errorf("failed to auth tailscale: %w", err)
+			log.Fatalf("failed to auth tailscale: %v", err)
 		}
 	}

@@ -361,11 +329,11 @@ authLoop:
 	if cfg.ServeConfigPath != "" {
 		log.Printf("serve proxy: unsetting previous config")
 		if err := client.SetServeConfig(ctx, new(ipn.ServeConfig)); err != nil {
-			return fmt.Errorf("failed to unset serve config: %w", err)
+			log.Fatalf("failed to unset serve config: %v", err)
 		}
 		if hasKubeStateStore(cfg) {
 			if err := kc.storeHTTPSEndpoint(ctx, ""); err != nil {
-				return fmt.Errorf("failed to update HTTPS endpoint in tailscale state: %w", err)
+				log.Fatalf("failed to update HTTPS endpoint in tailscale state: %v", err)
 			}
 		}
 	}
@@ -376,19 +344,19 @@ authLoop:
 		// wipe it, but it's good hygiene.
 		log.Printf("Deleting authkey from kube secret")
 		if err := kc.deleteAuthKey(ctx); err != nil {
-			return fmt.Errorf("deleting authkey from kube secret: %w", err)
+			log.Fatalf("deleting authkey from kube secret: %v", err)
 		}
 	}

 	if hasKubeStateStore(cfg) {
 		if err := kc.storeCapVerUID(ctx, cfg.PodUID); err != nil {
-			return fmt.Errorf("storing capability version and UID: %w", err)
+			log.Fatalf("storing capability version and UID: %v", err)
 		}
 	}

 	w, err = client.WatchIPNBus(ctx, ipn.NotifyInitialNetMap|ipn.NotifyInitialState)
 	if err != nil {
-		return fmt.Errorf("rewatching tailscaled for updates after auth: %w", err)
+		log.Fatalf("rewatching tailscaled for updates after auth: %v", err)
 	}

 	// If tailscaled config was read from a mounted file, watch the file for updates and reload.
@@ -418,7 +386,7 @@ authLoop:
 	if isL3Proxy(cfg) {
 		nfr, err = newNetfilterRunner(log.Printf)
 		if err != nil {
-			return fmt.Errorf("error creating new netfilter runner: %w", err)
+			log.Fatalf("error creating new netfilter runner: %v", err)
 		}
 	}

@@ -489,9 +457,9 @@ runLoop:
 			killTailscaled()
 			break runLoop
 		case err := <-errChan:
-			return fmt.Errorf("failed to read from tailscaled: %w", err)
+			log.Fatalf("failed to read from tailscaled: %v", err)
 		case err := <-cfgWatchErrChan:
-			return fmt.Errorf("failed to watch tailscaled config: %w", err)
+			log.Fatalf("failed to watch tailscaled config: %v", err)
 		case n := <-notifyChan:
 			if n.State != nil && *n.State != ipn.Running {
 				// Something's gone wrong and we've left the authenticated state.
@@ -499,7 +467,7 @@ runLoop:
 				// control flow required to make it work now is hard. So, just crash
 				// the container and rely on the container runtime to restart us,
 				// whereupon we'll go through initial auth again.
-				return fmt.Errorf("tailscaled left running state (now in state %q), exiting", *n.State)
+				log.Fatalf("tailscaled left running state (now in state %q), exiting", *n.State)
 			}
 			if n.NetMap != nil {
 				addrs = n.NetMap.SelfNode.Addresses().AsSlice()
@@ -517,7 +485,7 @@ runLoop:
 				deviceID := n.NetMap.SelfNode.StableID()
 				if hasKubeStateStore(cfg) && deephash.Update(&currentDeviceID, &deviceID) {
 					if err := kc.storeDeviceID(ctx, n.NetMap.SelfNode.StableID()); err != nil {
-						return fmt.Errorf("storing device ID in Kubernetes Secret: %w", err)
+						log.Fatalf("storing device ID in Kubernetes Secret: %v", err)
 					}
 				}
 				if cfg.TailnetTargetFQDN != "" {
@@ -554,12 +522,12 @@ runLoop:
 								rulesInstalled = true
 								log.Printf("Installing forwarding rules for destination %v", ea.String())
 								if err := installEgressForwardingRule(ctx, ea.String(), addrs, nfr); err != nil {
-									return fmt.Errorf("installing egress proxy rules for destination %s: %v", ea.String(), err)
+									log.Fatalf("installing egress proxy rules for destination %s: %v", ea.String(), err)
 								}
 							}
 						}
 						if !rulesInstalled {
-							return fmt.Errorf("no forwarding rules for egress addresses %v, host supports IPv6: %v", egressAddrs, nfr.HasIPV6NAT())
+							log.Fatalf("no forwarding rules for egress addresses %v, host supports IPv6: %v", egressAddrs, nfr.HasIPV6NAT())
 						}
 					}
 					currentEgressIPs = newCurentEgressIPs
@@ -567,7 +535,7 @@ runLoop:
 				if cfg.ProxyTargetIP != "" && len(addrs) != 0 && ipsHaveChanged {
 					log.Printf("Installing proxy rules")
 					if err := installIngressForwardingRule(ctx, cfg.ProxyTargetIP, addrs, nfr); err != nil {
-						return fmt.Errorf("installing ingress proxy rules: %w", err)
+						log.Fatalf("installing ingress proxy rules: %v", err)
 					}
 				}
 				if cfg.ProxyTargetDNSName != "" && len(addrs) != 0 && ipsHaveChanged {
@@ -583,7 +551,7 @@ runLoop:
 					if backendsHaveChanged {
 						log.Printf("installing ingress proxy rules for backends %v", newBackendAddrs)
 						if err := installIngressForwardingRuleForDNSTarget(ctx, newBackendAddrs, addrs, nfr); err != nil {
-							return fmt.Errorf("error installing ingress proxy rules: %w", err)
+							log.Fatalf("error installing ingress proxy rules: %v", err)
 						}
 					}
 					resetTimer(false)
@@ -605,7 +573,7 @@ runLoop:
 				if cfg.TailnetTargetIP != "" && ipsHaveChanged && len(addrs) != 0 {
 					log.Printf("Installing forwarding rules for destination %v", cfg.TailnetTargetIP)
 					if err := installEgressForwardingRule(ctx, cfg.TailnetTargetIP, addrs, nfr); err != nil {
-						return fmt.Errorf("installing egress proxy rules: %w", err)
+						log.Fatalf("installing egress proxy rules: %v", err)
 					}
 				}
 				// If this is a L7 cluster ingress proxy (set up
@@ -617,7 +585,7 @@ runLoop:
 				if cfg.AllowProxyingClusterTrafficViaIngress && cfg.ServeConfigPath != "" && ipsHaveChanged && len(addrs) != 0 {
 					log.Printf("installing rules to forward traffic for %s to node's tailnet IP", cfg.PodIP)
 					if err := installTSForwardingRuleForDestination(ctx, cfg.PodIP, addrs, nfr); err != nil {
-						return fmt.Errorf("installing rules to forward traffic to node's tailnet IP: %w", err)
+						log.Fatalf("installing rules to forward traffic to node's tailnet IP: %v", err)
 					}
 				}
 				currentIPs = newCurrentIPs
@@ -636,7 +604,7 @@ runLoop:
 				deviceEndpoints := []any{n.NetMap.SelfNode.Name(), n.NetMap.SelfNode.Addresses()}
 				if hasKubeStateStore(cfg) && deephash.Update(&currentDeviceEndpoints, &deviceEndpoints) {
 					if err := kc.storeDeviceEndpoints(ctx, n.NetMap.SelfNode.Name(), n.NetMap.SelfNode.Addresses().AsSlice()); err != nil {
-						return fmt.Errorf("storing device IPs and FQDN in Kubernetes Secret: %w", err)
+						log.Fatalf("storing device IPs and FQDN in Kubernetes Secret: %v", err)
 					}
 				}

@@ -671,21 +639,20 @@ runLoop:
 					// will then continuously monitor the config file and netmap updates and
 					// reconfigure the firewall rules as needed. If any of its operations fail, it
 					// will crash this node.
-					if cfg.EgressProxiesCfgPath != "" {
-						log.Printf("configuring egress proxy using configuration file at %s", cfg.EgressProxiesCfgPath)
+					if cfg.EgressSvcsCfgPath != "" {
+						log.Printf("configuring egress proxy using configuration file at %s", cfg.EgressSvcsCfgPath)
 						egressSvcsNotify = make(chan ipn.Notify)
-						opts := egressProxyRunOpts{
-							cfgPath:      cfg.EgressProxiesCfgPath,
+						ep := egressProxy{
+							cfgPath:      cfg.EgressSvcsCfgPath,
 							nfr:          nfr,
 							kc:           kc,
-							tsClient:     client,
 							stateSecret:  cfg.KubeSecret,
 							netmapChan:   egressSvcsNotify,
 							podIPv4:      cfg.PodIPv4,
 							tailnetAddrs: addrs,
 						}
 						go func() {
-							if err := ep.run(ctx, n, opts); err != nil {
+							if err := ep.run(ctx, n); err != nil {
 								egressSvcsErrorChan <- err
 							}
 						}()
@@ -727,18 +694,16 @@ runLoop:
 			if backendsHaveChanged && len(addrs) != 0 {
 				log.Printf("Backend address change detected, installing proxy rules for backends %v", newBackendAddrs)
 				if err := installIngressForwardingRuleForDNSTarget(ctx, newBackendAddrs, addrs, nfr); err != nil {
-					return fmt.Errorf("installing ingress proxy rules for DNS target %s: %v", cfg.ProxyTargetDNSName, err)
+					log.Fatalf("installing ingress proxy rules for DNS target %s: %v", cfg.ProxyTargetDNSName, err)
 				}
 			}
 			backendAddrs = newBackendAddrs
 			resetTimer(false)
 		case e := <-egressSvcsErrorChan:
-			return fmt.Errorf("egress proxy failed: %v", e)
+			log.Fatalf("egress proxy failed: %v", e)
 		}
 	}
 	wg.Wait()
-
-	return nil
 }

 // ensureTunFile checks that /dev/net/tun exists, creating it if
@@ -767,13 +732,13 @@ func resolveDNS(ctx context.Context, name string) ([]net.IP, error) {
 	ip4s, err := net.DefaultResolver.LookupIP(ctx, "ip4", name)
 	if err != nil {
 		if e, ok := err.(*net.DNSError); !(ok && e.IsNotFound) {
-			return nil, fmt.Errorf("error looking up IPv4 addresses: %w", err)
+			return nil, fmt.Errorf("error looking up IPv4 addresses: %v", err)
 		}
 	}
 	ip6s, err := net.DefaultResolver.LookupIP(ctx, "ip6", name)
 	if err != nil {
 		if e, ok := err.(*net.DNSError); !(ok && e.IsNotFound) {
-			return nil, fmt.Errorf("error looking up IPv6 addresses: %w", err)
+			return nil, fmt.Errorf("error looking up IPv6 addresses: %v", err)
 		}
 	}
 	if len(ip4s) == 0 && len(ip6s) == 0 {
@@ -786,7 +751,7 @@ func resolveDNS(ctx context.Context, name string) ([]net.IP, error) {
 // context that gets cancelled when a signal is received and a cancel function
 // that can be called to free the resources when the watch should be stopped.
 func contextWithExitSignalWatch() (context.Context, func()) {
-	closeChan := make(chan struct{})
+	closeChan := make(chan string)
 	ctx, cancel := context.WithCancel(context.Background())
 	signalChan := make(chan os.Signal, 1)
 	signal.Notify(signalChan, syscall.SIGINT, syscall.SIGTERM)
@@ -798,11 +763,8 @@ func contextWithExitSignalWatch() (context.Context, func()) {
 			return
 		}
 	}()
-	closeOnce := sync.Once{}
 	f := func() {
-		closeOnce.Do(func() {
-			close(closeChan)
-		})
+		closeChan <- "goodbye"
 	}
 	return ctx, f
 }
@@ -855,11 +817,7 @@ func runHTTPServer(mux *http.ServeMux, addr string) (close func() error) {

 	go func() {
 		if err := srv.Serve(ln); err != nil {
-			if err != http.ErrServerClosed {
-				log.Fatalf("failed running server: %v", err)
-			} else {
-				log.Printf("HTTP server at %s closed", addr)
-			}
+			log.Fatalf("failed running server: %v", err)
 		}
 	}()

--- a/cmd/containerboot/main_test.go
+++ b/cmd/containerboot/main_test.go
@@ -25,7 +25,6 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"syscall"
 	"testing"
 	"time"

@@ -33,8 +32,6 @@ import (
 	"golang.org/x/sys/unix"
 	"tailscale.com/ipn"
 	"tailscale.com/kube/egressservices"
-	"tailscale.com/kube/kubeclient"
-	"tailscale.com/kube/kubetypes"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tstest"
 	"tailscale.com/types/netmap"
@@ -51,13 +48,26 @@ func TestContainerBoot(t *testing.T) {
 	defer lapi.Close()

 	kube := kubeServer{FSRoot: d}
-	kube.Start(t)
+	if err := kube.Start(); err != nil {
+		t.Fatal(err)
+	}
 	defer kube.Close()

 	tailscaledConf := &ipn.ConfigVAlpha{AuthKey: ptr.To("foo"), Version: "alpha0"}
+	tailscaledConfBytes, err := json.Marshal(tailscaledConf)
+	if err != nil {
+		t.Fatalf("error unmarshaling tailscaled config: %v", err)
+	}
 	serveConf := ipn.ServeConfig{TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}}}
-	egressCfg := egressSvcConfig("foo", "foo.tailnetxyz.ts.net")
-	egressStatus := egressSvcStatus("foo", "foo.tailnetxyz.ts.net")
+	serveConfBytes, err := json.Marshal(serveConf)
+	if err != nil {
+		t.Fatalf("error unmarshaling serve config: %v", err)
+	}
+	egressSvcsCfg := egressservices.Configs{"foo": {TailnetTarget: egressservices.TailnetTarget{FQDN: "foo.tailnetxyx.ts.net"}}}
+	egressSvcsCfgBytes, err := json.Marshal(egressSvcsCfg)
+	if err != nil {
+		t.Fatalf("error unmarshaling egress services config: %v", err)
+	}

 	dirs := []string{
 		"var/lib",
@@ -74,17 +84,16 @@ func TestContainerBoot(t *testing.T) {
 		}
 	}
 	files := map[string][]byte{
-		"usr/bin/tailscaled":                    fakeTailscaled,
-		"usr/bin/tailscale":                     fakeTailscale,
-		"usr/bin/iptables":                      fakeTailscale,
-		"usr/bin/ip6tables":                     fakeTailscale,
-		"dev/net/tun":                           []byte(""),
-		"proc/sys/net/ipv4/ip_forward":          []byte("0"),
-		"proc/sys/net/ipv6/conf/all/forwarding": []byte("0"),
-		"etc/tailscaled/cap-95.hujson":          mustJSON(t, tailscaledConf),
-		"etc/tailscaled/serve-config.json":      mustJSON(t, serveConf),
-		filepath.Join("etc/tailscaled/", egressservices.KeyEgressServices): mustJSON(t, egressCfg),
-		filepath.Join("etc/tailscaled/", egressservices.KeyHEPPings):       []byte("4"),
+		"usr/bin/tailscaled":                         fakeTailscaled,
+		"usr/bin/tailscale":                          fakeTailscale,
+		"usr/bin/iptables":                           fakeTailscale,
+		"usr/bin/ip6tables":                          fakeTailscale,
+		"dev/net/tun":                                []byte(""),
+		"proc/sys/net/ipv4/ip_forward":               []byte("0"),
+		"proc/sys/net/ipv6/conf/all/forwarding":      []byte("0"),
+		"etc/tailscaled/cap-95.hujson":               tailscaledConfBytes,
+		"etc/tailscaled/serve-config.json":           serveConfBytes,
+		"etc/tailscaled/egress-services-config.json": egressSvcsCfgBytes,
 	}
 	resetFiles := func() {
 		for path, content := range files {
@@ -123,9 +132,6 @@ func TestContainerBoot(t *testing.T) {
 	healthURL := func(port int) string {
 		return fmt.Sprintf("http://127.0.0.1:%d/healthz", port)
 	}
-	egressSvcTerminateURL := func(port int) string {
-		return fmt.Sprintf("http://127.0.0.1:%d%s", port, kubetypes.EgessServicesPreshutdownEP)
-	}

 	capver := fmt.Sprintf("%d", tailcfg.CurrentCapabilityVersion)

@@ -137,29 +143,15 @@ func TestContainerBoot(t *testing.T) {

 		// WantCmds is the commands that containerboot should run in this phase.
 		WantCmds []string
-
 		// WantKubeSecret is the secret keys/values that should exist in the
 		// kube secret.
 		WantKubeSecret map[string]string
-
-		// Update the kube secret with these keys/values at the beginning of the
-		// phase (simulates our fake tailscaled doing it).
-		UpdateKubeSecret map[string]string
-
 		// WantFiles files that should exist in the container and their
 		// contents.
 		WantFiles map[string]string
-
-		// WantLog is a log message we expect from containerboot.
-		WantLog string
-
-		// If set for a phase, the test will expect containerboot to exit with
-		// this error code, and the test will finish on that phase without
-		// waiting for the successful startup log message.
-		WantExitCode *int
-
-		// The signal to send to containerboot at the start of the phase.
-		Signal *syscall.Signal
+		// WantFatalLog is the fatal log message we expect from containerboot.
+		// If set for a phase, the test will finish on that phase.
+		WantFatalLog string

 		EndpointStatuses map[string]int
 	}
@@ -447,8 +439,7 @@ func TestContainerBoot(t *testing.T) {
 							},
 						},
 					},
-					WantLog:      "no forwarding rules for egress addresses [::1/128], host supports IPv6: false",
-					WantExitCode: ptr.To(1),
+					WantFatalLog: "no forwarding rules for egress addresses [::1/128], host supports IPv6: false",
 				},
 			},
 		},
@@ -905,10 +896,9 @@ func TestContainerBoot(t *testing.T) {
 		{
 			Name: "egress_svcs_config_kube",
 			Env: map[string]string{
-				"KUBERNETES_SERVICE_HOST":       kube.Host,
-				"KUBERNETES_SERVICE_PORT_HTTPS": kube.Port,
-				"TS_EGRESS_PROXIES_CONFIG_PATH": filepath.Join(d, "etc/tailscaled"),
-				"TS_LOCAL_ADDR_PORT":            fmt.Sprintf("[::]:%d", localAddrPort),
+				"KUBERNETES_SERVICE_HOST":        kube.Host,
+				"KUBERNETES_SERVICE_PORT_HTTPS":  kube.Port,
+				"TS_EGRESS_SERVICES_CONFIG_PATH": filepath.Join(d, "etc/tailscaled/egress-services-config.json"),
 			},
 			KubeSecret: map[string]string{
 				"authkey": "tskey-key",
@@ -922,92 +912,28 @@ func TestContainerBoot(t *testing.T) {
 					WantKubeSecret: map[string]string{
 						"authkey": "tskey-key",
 					},
-					EndpointStatuses: map[string]int{
-						egressSvcTerminateURL(localAddrPort): 200,
-					},
 				},
 				{
 					Notify: runningNotify,
 					WantKubeSecret: map[string]string{
-						"egress-services":  mustBase64(t, egressStatus),
 						"authkey":          "tskey-key",
 						"device_fqdn":      "test-node.test.ts.net",
 						"device_id":        "myID",
 						"device_ips":       `["100.64.0.1"]`,
 						"tailscale_capver": capver,
 					},
-					EndpointStatuses: map[string]int{
-						egressSvcTerminateURL(localAddrPort): 200,
-					},
 				},
 			},
 		},
 		{
 			Name: "egress_svcs_config_no_kube",
 			Env: map[string]string{
-				"TS_EGRESS_PROXIES_CONFIG_PATH": filepath.Join(d, "etc/tailscaled"),
-				"TS_AUTHKEY":                    "tskey-key",
+				"TS_EGRESS_SERVICES_CONFIG_PATH": filepath.Join(d, "etc/tailscaled/egress-services-config.json"),
+				"TS_AUTHKEY":                     "tskey-key",
 			},
 			Phases: []phase{
 				{
-					WantLog:      "TS_EGRESS_PROXIES_CONFIG_PATH is only supported for Tailscale running on Kubernetes",
-					WantExitCode: ptr.To(1),
-				},
-			},
-		},
-		{
-			Name: "kube_shutdown_during_state_write",
-			Env: map[string]string{
-				"KUBERNETES_SERVICE_HOST":       kube.Host,
-				"KUBERNETES_SERVICE_PORT_HTTPS": kube.Port,
-				"TS_ENABLE_HEALTH_CHECK":        "true",
-			},
-			KubeSecret: map[string]string{
-				"authkey": "tskey-key",
-			},
-			Phases: []phase{
-				{
-					// Normal startup.
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=kube:tailscale --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-					},
-					WantKubeSecret: map[string]string{
-						"authkey": "tskey-key",
-					},
-				},
-				{
-					// SIGTERM before state is finished writing, should wait for
-					// consistent state before propagating SIGTERM to tailscaled.
-					Signal: ptr.To(unix.SIGTERM),
-					UpdateKubeSecret: map[string]string{
-						"_machinekey":  "foo",
-						"_profiles":    "foo",
-						"profile-baff": "foo",
-						// Missing "_current-profile" key.
-					},
-					WantKubeSecret: map[string]string{
-						"authkey":      "tskey-key",
-						"_machinekey":  "foo",
-						"_profiles":    "foo",
-						"profile-baff": "foo",
-					},
-					WantLog: "Waiting for tailscaled to finish writing state to Secret \"tailscale\"",
-				},
-				{
-					// tailscaled has finished writing state, should propagate SIGTERM.
-					UpdateKubeSecret: map[string]string{
-						"_current-profile": "foo",
-					},
-					WantKubeSecret: map[string]string{
-						"authkey":          "tskey-key",
-						"_machinekey":      "foo",
-						"_profiles":        "foo",
-						"profile-baff":     "foo",
-						"_current-profile": "foo",
-					},
-					WantLog:      "HTTP server at [::]:9002 closed",
-					WantExitCode: ptr.To(0),
+					WantFatalLog: "TS_EGRESS_SERVICES_CONFIG_PATH is only supported for Tailscale running on Kubernetes",
 				},
 			},
 		},
@@ -1055,36 +981,26 @@ func TestContainerBoot(t *testing.T) {

 			var wantCmds []string
 			for i, p := range test.Phases {
-				for k, v := range p.UpdateKubeSecret {
-					kube.SetSecret(k, v)
-				}
 				lapi.Notify(p.Notify)
-				if p.Signal != nil {
-					cmd.Process.Signal(*p.Signal)
-				}
-				if p.WantLog != "" {
+				if p.WantFatalLog != "" {
 					err := tstest.WaitFor(2*time.Second, func() error {
-						waitLogLine(t, time.Second, cbOut, p.WantLog)
+						state, err := cmd.Process.Wait()
+						if err != nil {
+							return err
+						}
+						if state.ExitCode() != 1 {
+							return fmt.Errorf("process exited with code %d but wanted %d", state.ExitCode(), 1)
+						}
+						waitLogLine(t, time.Second, cbOut, p.WantFatalLog)
 						return nil
 					})
 					if err != nil {
 						t.Fatal(err)
 					}
-				}
-
-				if p.WantExitCode != nil {
-					state, err := cmd.Process.Wait()
-					if err != nil {
-						t.Fatal(err)
-					}
-					if state.ExitCode() != *p.WantExitCode {
-						t.Fatalf("phase %d: want exit code %d, got %d", i, *p.WantExitCode, state.ExitCode())
-					}

 					// Early test return, we don't expect the successful startup log message.
 					return
 				}
-
 				wantCmds = append(wantCmds, p.WantCmds...)
 				waitArgs(t, 2*time.Second, d, argFile, strings.Join(wantCmds, "\n"))
 				err := tstest.WaitFor(2*time.Second, func() error {
@@ -1140,9 +1056,6 @@ func TestContainerBoot(t *testing.T) {
 				}
 			}
 			waitLogLine(t, 2*time.Second, cbOut, "Startup complete, waiting for shutdown signal")
-			if cmd.ProcessState != nil {
-				t.Fatalf("containerboot should be running but exited with exit code %d", cmd.ProcessState.ExitCode())
-			}
 		})
 	}
 }
@@ -1374,18 +1287,18 @@ func (k *kubeServer) Reset() {
 	k.secret = map[string]string{}
 }

-func (k *kubeServer) Start(t *testing.T) {
+func (k *kubeServer) Start() error {
 	root := filepath.Join(k.FSRoot, "var/run/secrets/kubernetes.io/serviceaccount")

 	if err := os.MkdirAll(root, 0700); err != nil {
-		t.Fatal(err)
+		return err
 	}

 	if err := os.WriteFile(filepath.Join(root, "namespace"), []byte("default"), 0600); err != nil {
-		t.Fatal(err)
+		return err
 	}
 	if err := os.WriteFile(filepath.Join(root, "token"), []byte("bearer_token"), 0600); err != nil {
-		t.Fatal(err)
+		return err
 	}

 	k.srv = httptest.NewTLSServer(k)
@@ -1394,11 +1307,13 @@ func (k *kubeServer) Start(t *testing.T) {

 	var cert bytes.Buffer
 	if err := pem.Encode(&cert, &pem.Block{Type: "CERTIFICATE", Bytes: k.srv.Certificate().Raw}); err != nil {
-		t.Fatal(err)
+		return err
 	}
 	if err := os.WriteFile(filepath.Join(root, "ca.crt"), cert.Bytes(), 0600); err != nil {
-		t.Fatal(err)
+		return err
 	}
+
+	return nil
 }

 func (k *kubeServer) Close() {
@@ -1447,7 +1362,6 @@ func (k *kubeServer) serveSecret(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, fmt.Sprintf("reading request body: %v", err), http.StatusInternalServerError)
 		return
 	}
-	defer r.Body.Close()

 	switch r.Method {
 	case "GET":
@@ -1480,32 +1394,13 @@ func (k *kubeServer) serveSecret(w http.ResponseWriter, r *http.Request) {
 				panic(fmt.Sprintf("json decode failed: %v. Body:\n\n%s", err, string(bs)))
 			}
 			for _, op := range req {
-				switch op.Op {
-				case "remove":
-					if !strings.HasPrefix(op.Path, "/data/") {
-						panic(fmt.Sprintf("unsupported json-patch path %q", op.Path))
-					}
-					delete(k.secret, strings.TrimPrefix(op.Path, "/data/"))
-				case "replace":
-					path, ok := strings.CutPrefix(op.Path, "/data/")
-					if !ok {
-						panic(fmt.Sprintf("unsupported json-patch path %q", op.Path))
-					}
-					req := make([]kubeclient.JSONPatch, 0)
-					if err := json.Unmarshal(bs, &req); err != nil {
-						panic(fmt.Sprintf("json decode failed: %v. Body:\n\n%s", err, string(bs)))
-					}
-
-					for _, patch := range req {
-						val, ok := patch.Value.(string)
-						if !ok {
-							panic(fmt.Sprintf("unsupported json patch value %v: cannot be converted to string", patch.Value))
-						}
-						k.secret[path] = val
-					}
-				default:
+				if op.Op != "remove" {
 					panic(fmt.Sprintf("unsupported json-patch op %q", op.Op))
 				}
+				if !strings.HasPrefix(op.Path, "/data/") {
+					panic(fmt.Sprintf("unsupported json-patch path %q", op.Path))
+				}
+				delete(k.secret, strings.TrimPrefix(op.Path, "/data/"))
 			}
 		case "application/strategic-merge-patch+json":
 			req := struct {
@@ -1521,44 +1416,6 @@ func (k *kubeServer) serveSecret(w http.ResponseWriter, r *http.Request) {
 			panic(fmt.Sprintf("unknown content type %q", r.Header.Get("Content-Type")))
 		}
 	default:
-		panic(fmt.Sprintf("unhandled HTTP request %s %s", r.Method, r.URL))
-	}
-}
-
-func mustBase64(t *testing.T, v any) string {
-	b := mustJSON(t, v)
-	s := base64.StdEncoding.WithPadding('=').EncodeToString(b)
-	return s
-}
-
-func mustJSON(t *testing.T, v any) []byte {
-	b, err := json.Marshal(v)
-	if err != nil {
-		t.Fatalf("error converting %v to json: %v", v, err)
-	}
-	return b
-}
-
-// egress services status given one named tailnet target specified by FQDN. As written by the proxy to its state Secret.
-func egressSvcStatus(name, fqdn string) egressservices.Status {
-	return egressservices.Status{
-		Services: map[string]*egressservices.ServiceStatus{
-			name: {
-				TailnetTarget: egressservices.TailnetTarget{
-					FQDN: fqdn,
-				},
-			},
-		},
-	}
-}
-
-// egress config given one named tailnet target specified by FQDN.
-func egressSvcConfig(name, fqdn string) egressservices.Configs {
-	return egressservices.Configs{
-		name: egressservices.Config{
-			TailnetTarget: egressservices.TailnetTarget{
-				FQDN: fqdn,
-			},
-		},
+		panic(fmt.Sprintf("unhandled HTTP method %q", r.Method))
 	}
 }
--- a/cmd/containerboot/services.go
+++ b/cmd/containerboot/services.go
@@ -11,24 +11,18 @@ import (
 	"errors"
 	"fmt"
 	"log"
-	"net/http"
 	"net/netip"
 	"os"
 	"path/filepath"
 	"reflect"
-	"strconv"
 	"strings"
 	"time"

 	"github.com/fsnotify/fsnotify"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/kube/egressservices"
 	"tailscale.com/kube/kubeclient"
-	"tailscale.com/kube/kubetypes"
-	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
-	"tailscale.com/util/httpm"
 	"tailscale.com/util/linuxfw"
 	"tailscale.com/util/mak"
 )
@@ -43,15 +37,13 @@ const tailscaleTunInterface = "tailscale0"
 // egressProxy knows how to configure firewall rules to route cluster traffic to
 // one or more tailnet services.
 type egressProxy struct {
-	cfgPath string // path to a directory with egress services config files
+	cfgPath string // path to egress service config file

 	nfr linuxfw.NetfilterRunner // never nil

 	kc          kubeclient.Client // never nil
 	stateSecret string            // name of the kube state Secret

-	tsClient *tailscale.LocalClient // never nil
-
 	netmapChan chan ipn.Notify // chan to receive netmap updates on

 	podIPv4 string // never empty string, currently only IPv4 is supported
@@ -63,29 +55,15 @@ type egressProxy struct {
 	// memory at all.
 	targetFQDNs map[string][]netip.Prefix

-	tailnetAddrs []netip.Prefix // tailnet IPs of this tailnet device
-
-	// shortSleep is the backoff sleep between healthcheck endpoint calls - can be overridden in tests.
-	shortSleep time.Duration
-	// longSleep is the time to sleep after the routing rules are updated to increase the chance that kube
-	// proxies on all nodes have updated their routing configuration. It can be configured to 0 in
-	// tests.
-	longSleep time.Duration
-	// client is a client that can send HTTP requests.
-	client httpClient
-}
-
-// httpClient is a client that can send HTTP requests and can be mocked in tests.
-type httpClient interface {
-	Do(*http.Request) (*http.Response, error)
+	// used to configure firewall rules.
+	tailnetAddrs []netip.Prefix
 }

 // run configures egress proxy firewall rules and ensures that the firewall rules are reconfigured when:
 // - the mounted egress config has changed
 // - the proxy's tailnet IP addresses have changed
 // - tailnet IPs have changed for any backend targets specified by tailnet FQDN
-func (ep *egressProxy) run(ctx context.Context, n ipn.Notify, opts egressProxyRunOpts) error {
-	ep.configure(opts)
+func (ep *egressProxy) run(ctx context.Context, n ipn.Notify) error {
 	var tickChan <-chan time.Time
 	var eventChan <-chan fsnotify.Event
 	// TODO (irbekrm): take a look if this can be pulled into a single func
@@ -97,7 +75,7 @@ func (ep *egressProxy) run(ctx context.Context, n ipn.Notify, opts egressProxyRu
 		tickChan = ticker.C
 	} else {
 		defer w.Close()
-		if err := w.Add(ep.cfgPath); err != nil {
+		if err := w.Add(filepath.Dir(ep.cfgPath)); err != nil {
 			return fmt.Errorf("failed to add fsnotify watch: %w", err)
 		}
 		eventChan = w.Events
@@ -107,52 +85,28 @@ func (ep *egressProxy) run(ctx context.Context, n ipn.Notify, opts egressProxyRu
 		return err
 	}
 	for {
+		var err error
 		select {
 		case <-ctx.Done():
 			return nil
 		case <-tickChan:
-			log.Printf("periodic sync, ensuring firewall config is up to date...")
+			err = ep.sync(ctx, n)
 		case <-eventChan:
 			log.Printf("config file change detected, ensuring firewall config is up to date...")
+			err = ep.sync(ctx, n)
 		case n = <-ep.netmapChan:
 			shouldResync := ep.shouldResync(n)
-			if !shouldResync {
-				continue
+			if shouldResync {
+				log.Printf("netmap change detected, ensuring firewall config is up to date...")
+				err = ep.sync(ctx, n)
 			}
-			log.Printf("netmap change detected, ensuring firewall config is up to date...")
 		}
-		if err := ep.sync(ctx, n); err != nil {
+		if err != nil {
 			return fmt.Errorf("error syncing egress service config: %w", err)
 		}
 	}
 }

-type egressProxyRunOpts struct {
-	cfgPath      string
-	nfr          linuxfw.NetfilterRunner
-	kc           kubeclient.Client
-	tsClient     *tailscale.LocalClient
-	stateSecret  string
-	netmapChan   chan ipn.Notify
-	podIPv4      string
-	tailnetAddrs []netip.Prefix
-}
-
-// applyOpts configures egress proxy using the provided options.
-func (ep *egressProxy) configure(opts egressProxyRunOpts) {
-	ep.cfgPath = opts.cfgPath
-	ep.nfr = opts.nfr
-	ep.kc = opts.kc
-	ep.tsClient = opts.tsClient
-	ep.stateSecret = opts.stateSecret
-	ep.netmapChan = opts.netmapChan
-	ep.podIPv4 = opts.podIPv4
-	ep.tailnetAddrs = opts.tailnetAddrs
-	ep.client = &http.Client{} // default HTTP client
-	ep.shortSleep = time.Second
-	ep.longSleep = time.Second * 10
-}
-
 // sync triggers an egress proxy config resync. The resync calculates the diff between config and status to determine if
 // any firewall rules need to be updated. Currently using status in state Secret as a reference for what is the current
 // firewall configuration is good enough because - the status is keyed by the Pod IP - we crash the Pod on errors such
@@ -373,8 +327,7 @@ func (ep *egressProxy) deleteUnnecessaryServices(cfgs *egressservices.Configs, s

 // getConfigs gets the mounted egress service configuration.
 func (ep *egressProxy) getConfigs() (*egressservices.Configs, error) {
-	svcsCfg := filepath.Join(ep.cfgPath, egressservices.KeyEgressServices)
-	j, err := os.ReadFile(svcsCfg)
+	j, err := os.ReadFile(ep.cfgPath)
 	if os.IsNotExist(err) {
 		return nil, nil
 	}
@@ -616,142 +569,3 @@ func servicesStatusIsEqual(st, st1 *egressservices.Status) bool {
 	st1.PodIPv4 = ""
 	return reflect.DeepEqual(*st, *st1)
 }
-
-// registerHandlers adds a new handler to the provided ServeMux that can be called as a Kubernetes prestop hook to
-// delay shutdown till it's safe to do so.
-func (ep *egressProxy) registerHandlers(mux *http.ServeMux) {
-	mux.Handle(fmt.Sprintf("GET %s", kubetypes.EgessServicesPreshutdownEP), ep)
-}
-
-// ServeHTTP serves /internal-egress-services-preshutdown endpoint, when it receives a request, it periodically polls
-// the configured health check endpoint for each egress service till it the health check endpoint no longer hits this
-// proxy Pod. It uses the Pod-IPv4 header to verify if health check response is received from this Pod.
-func (ep *egressProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	cfgs, err := ep.getConfigs()
-	if err != nil {
-		http.Error(w, fmt.Sprintf("error retrieving egress services configs: %v", err), http.StatusInternalServerError)
-		return
-	}
-	if cfgs == nil {
-		if _, err := w.Write([]byte("safe to terminate")); err != nil {
-			http.Error(w, fmt.Sprintf("error writing termination status: %v", err), http.StatusInternalServerError)
-			return
-		}
-	}
-	hp, err := ep.getHEPPings()
-	if err != nil {
-		http.Error(w, fmt.Sprintf("error determining the number of times health check endpoint should be pinged: %v", err), http.StatusInternalServerError)
-		return
-	}
-	ep.waitTillSafeToShutdown(r.Context(), cfgs, hp)
-}
-
-// waitTillSafeToShutdown looks up all egress targets configured to be proxied via this instance and, for each target
-// whose configuration includes a healthcheck endpoint, pings the endpoint till none of the responses
-// are returned by this instance or till the HTTP request times out. In practice, the endpoint will be a Kubernetes Service for whom one of the backends
-// would normally be this Pod. When this Pod is being deleted, the operator should have removed it from the Service
-// backends and eventually kube proxy routing rules should be updated to no longer route traffic for the Service to this
-// Pod.
-func (ep *egressProxy) waitTillSafeToShutdown(ctx context.Context, cfgs *egressservices.Configs, hp int) {
-	if cfgs == nil || len(*cfgs) == 0 { // avoid sleeping if no services are configured
-		return
-	}
-	log.Printf("Ensuring that cluster traffic for egress targets is no longer routed via this Pod...")
-	wg := syncs.WaitGroup{}
-
-	for s, cfg := range *cfgs {
-		hep := cfg.HealthCheckEndpoint
-		if hep == "" {
-			log.Printf("Tailnet target %q does not have a cluster healthcheck specified, unable to verify if cluster traffic for the target is still routed via this Pod", s)
-			continue
-		}
-		svc := s
-		wg.Go(func() {
-			log.Printf("Ensuring that cluster traffic is no longer routed to %q via this Pod...", svc)
-			for {
-				if ctx.Err() != nil { // kubelet's HTTP request timeout
-					log.Printf("Cluster traffic for %s did not stop being routed to this Pod.", svc)
-					return
-				}
-				found, err := lookupPodRoute(ctx, hep, ep.podIPv4, hp, ep.client)
-				if err != nil {
-					log.Printf("unable to reach endpoint %q, assuming the routing rules for this Pod have been deleted: %v", hep, err)
-					break
-				}
-				if !found {
-					log.Printf("service %q is no longer routed through this Pod", svc)
-					break
-				}
-				log.Printf("service %q is still routed through this Pod, waiting...", svc)
-				time.Sleep(ep.shortSleep)
-			}
-		})
-	}
-	wg.Wait()
-	// The check above really only checked that the routing rules are updated on this node. Sleep for a bit to
-	// ensure that the routing rules are updated on other nodes. TODO(irbekrm): this may or may not be good enough.
-	// If it's not good enough, we'd probably want to do something more complex, where the proxies check each other.
-	log.Printf("Sleeping for %s before shutdown to ensure that kube proxies on all nodes have updated routing configuration", ep.longSleep)
-	time.Sleep(ep.longSleep)
-}
-
-// lookupPodRoute calls the healthcheck endpoint repeat times and returns true if the endpoint returns with the podIP
-// header at least once.
-func lookupPodRoute(ctx context.Context, hep, podIP string, repeat int, client httpClient) (bool, error) {
-	for range repeat {
-		f, err := lookup(ctx, hep, podIP, client)
-		if err != nil {
-			return false, err
-		}
-		if f {
-			return true, nil
-		}
-	}
-	return false, nil
-}
-
-// lookup calls the healthcheck endpoint and returns true if the response contains the podIP header.
-func lookup(ctx context.Context, hep, podIP string, client httpClient) (bool, error) {
-	req, err := http.NewRequestWithContext(ctx, httpm.GET, hep, nil)
-	if err != nil {
-		return false, fmt.Errorf("error creating new HTTP request: %v", err)
-	}
-
-	// Close the TCP connection to ensure that the next request is routed to a different backend.
-	req.Close = true
-
-	resp, err := client.Do(req)
-	if err != nil {
-		log.Printf("Endpoint %q can not be reached: %v, likely because there are no (more) healthy backends", hep, err)
-		return true, nil
-	}
-	defer resp.Body.Close()
-	gotIP := resp.Header.Get(kubetypes.PodIPv4Header)
-	return strings.EqualFold(podIP, gotIP), nil
-}
-
-// getHEPPings gets the number of pings that should be sent to a health check endpoint to ensure that each configured
-// backend is hit. This assumes that a health check endpoint is a Kubernetes Service and traffic to backend Pods is
-// round robin load balanced.
-func (ep *egressProxy) getHEPPings() (int, error) {
-	hepPingsPath := filepath.Join(ep.cfgPath, egressservices.KeyHEPPings)
-	j, err := os.ReadFile(hepPingsPath)
-	if os.IsNotExist(err) {
-		return 0, nil
-	}
-	if err != nil {
-		return -1, err
-	}
-	if len(j) == 0 || string(j) == "" {
-		return 0, nil
-	}
-	hp, err := strconv.Atoi(string(j))
-	if err != nil {
-		return -1, fmt.Errorf("error parsing hep pings as int: %v", err)
-	}
-	if hp < 0 {
-		log.Printf("[unexpected] hep pings is negative: %d", hp)
-		return 0, nil
-	}
-	return hp, nil
-}
--- a/cmd/containerboot/services_test.go
+++ b/cmd/containerboot/services_test.go
@@ -6,18 +6,11 @@
 package main

 import (
-	"context"
-	"fmt"
-	"io"
-	"net/http"
 	"net/netip"
 	"reflect"
-	"strings"
-	"sync"
 	"testing"

 	"tailscale.com/kube/egressservices"
-	"tailscale.com/kube/kubetypes"
 )

 func Test_updatesForSvc(t *testing.T) {
@@ -180,145 +173,3 @@ func Test_updatesForSvc(t *testing.T) {
 		})
 	}
 }
-
-// A failure of this test will most likely look like a timeout.
-func TestWaitTillSafeToShutdown(t *testing.T) {
-	podIP := "10.0.0.1"
-	anotherIP := "10.0.0.2"
-
-	tests := []struct {
-		name string
-		// services is a map of service name to the number of calls to make to the healthcheck endpoint before
-		// returning a response that does NOT contain this Pod's IP in headers.
-		services       map[string]int
-		replicas       int
-		healthCheckSet bool
-	}{
-		{
-			name: "no_configs",
-		},
-		{
-			name: "one_service_immediately_safe_to_shutdown",
-			services: map[string]int{
-				"svc1": 0,
-			},
-			replicas:       2,
-			healthCheckSet: true,
-		},
-		{
-			name: "multiple_services_immediately_safe_to_shutdown",
-			services: map[string]int{
-				"svc1": 0,
-				"svc2": 0,
-				"svc3": 0,
-			},
-			replicas:       2,
-			healthCheckSet: true,
-		},
-		{
-			name: "multiple_services_no_healthcheck_endpoints",
-			services: map[string]int{
-				"svc1": 0,
-				"svc2": 0,
-				"svc3": 0,
-			},
-			replicas: 2,
-		},
-		{
-			name: "one_service_eventually_safe_to_shutdown",
-			services: map[string]int{
-				"svc1": 3, // After 3 calls to health check endpoint, no longer returns this Pod's IP
-			},
-			replicas:       2,
-			healthCheckSet: true,
-		},
-		{
-			name: "multiple_services_eventually_safe_to_shutdown",
-			services: map[string]int{
-				"svc1": 1, // After 1 call to health check endpoint, no longer returns this Pod's IP
-				"svc2": 3, // After 3 calls to health check endpoint, no longer returns this Pod's IP
-				"svc3": 5, // After 5 calls to the health check endpoint, no longer returns this Pod's IP
-			},
-			replicas:       2,
-			healthCheckSet: true,
-		},
-		{
-			name: "multiple_services_eventually_safe_to_shutdown_with_higher_replica_count",
-			services: map[string]int{
-				"svc1": 7,
-				"svc2": 10,
-			},
-			replicas:       5,
-			healthCheckSet: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			cfgs := &egressservices.Configs{}
-			switches := make(map[string]int)
-
-			for svc, callsToSwitch := range tt.services {
-				endpoint := fmt.Sprintf("http://%s.local", svc)
-				if tt.healthCheckSet {
-					(*cfgs)[svc] = egressservices.Config{
-						HealthCheckEndpoint: endpoint,
-					}
-				}
-				switches[endpoint] = callsToSwitch
-			}
-
-			ep := &egressProxy{
-				podIPv4: podIP,
-				client: &mockHTTPClient{
-					podIP:     podIP,
-					anotherIP: anotherIP,
-					switches:  switches,
-				},
-			}
-
-			ep.waitTillSafeToShutdown(context.Background(), cfgs, tt.replicas)
-		})
-	}
-}
-
-// mockHTTPClient is a client that receives an HTTP call for an egress service endpoint and returns a response with an
-// IP address in a 'Pod-IPv4' header. It can be configured to return one IP address for N calls, then switch to another
-// IP address to simulate a scenario where an IP is eventually no longer a backend for an endpoint.
-// TODO(irbekrm): to test this more thoroughly, we should have the client take into account the number of replicas and
-// return as if traffic was round robin load balanced across different Pods.
-type mockHTTPClient struct {
-	// podIP - initial IP address to return, that matches the current proxy's IP address.
-	podIP     string
-	anotherIP string
-	// after how many calls to an endpoint, the client should start returning 'anotherIP' instead of 'podIP.
-	switches map[string]int
-	mu       sync.Mutex // protects the following
-	// calls tracks the number of calls received.
-	calls map[string]int
-}
-
-func (m *mockHTTPClient) Do(req *http.Request) (*http.Response, error) {
-	m.mu.Lock()
-	if m.calls == nil {
-		m.calls = make(map[string]int)
-	}
-
-	endpoint := req.URL.String()
-	m.calls[endpoint]++
-	calls := m.calls[endpoint]
-	m.mu.Unlock()
-
-	resp := &http.Response{
-		StatusCode: http.StatusOK,
-		Header:     make(http.Header),
-		Body:       io.NopCloser(strings.NewReader("")),
-	}
-
-	if calls <= m.switches[endpoint] {
-		resp.Header.Set(kubetypes.PodIPv4Header, m.podIP) // Pod is still routable
-	} else {
-		resp.Header.Set(kubetypes.PodIPv4Header, m.anotherIP) // Pod is no longer routable
-	}
-	return resp, nil
-}
--- a/cmd/containerboot/settings.go
+++ b/cmd/containerboot/settings.go
@@ -64,16 +64,16 @@ type settings struct {
 	// when setting up rules to proxy cluster traffic to cluster ingress
 	// target.
 	// Deprecated: use PodIPv4, PodIPv6 instead to support dual stack clusters
-	PodIP                string
-	PodIPv4              string
-	PodIPv6              string
-	PodUID               string
-	HealthCheckAddrPort  string
-	LocalAddrPort        string
-	MetricsEnabled       bool
-	HealthCheckEnabled   bool
-	DebugAddrPort        string
-	EgressProxiesCfgPath string
+	PodIP               string
+	PodIPv4             string
+	PodIPv6             string
+	PodUID              string
+	HealthCheckAddrPort string
+	LocalAddrPort       string
+	MetricsEnabled      bool
+	HealthCheckEnabled  bool
+	DebugAddrPort       string
+	EgressSvcsCfgPath   string
 }

 func configFromEnv() (*settings, error) {
@@ -107,7 +107,7 @@ func configFromEnv() (*settings, error) {
 		MetricsEnabled:                        defaultBool("TS_ENABLE_METRICS", false),
 		HealthCheckEnabled:                    defaultBool("TS_ENABLE_HEALTH_CHECK", false),
 		DebugAddrPort:                         defaultEnv("TS_DEBUG_ADDR_PORT", ""),
-		EgressProxiesCfgPath:                  defaultEnv("TS_EGRESS_PROXIES_CONFIG_PATH", ""),
+		EgressSvcsCfgPath:                     defaultEnv("TS_EGRESS_SERVICES_CONFIG_PATH", ""),
 		PodUID:                                defaultEnv("POD_UID", ""),
 	}
 	podIPs, ok := os.LookupEnv("POD_IPS")
@@ -186,7 +186,7 @@ func (s *settings) validate() error {
 			return fmt.Errorf("error parsing TS_HEALTHCHECK_ADDR_PORT value %q: %w", s.HealthCheckAddrPort, err)
 		}
 	}
-	if s.localMetricsEnabled() || s.localHealthEnabled() || s.EgressProxiesCfgPath != "" {
+	if s.localMetricsEnabled() || s.localHealthEnabled() {
 		if _, err := netip.ParseAddrPort(s.LocalAddrPort); err != nil {
 			return fmt.Errorf("error parsing TS_LOCAL_ADDR_PORT value %q: %w", s.LocalAddrPort, err)
 		}
@@ -199,8 +199,8 @@ func (s *settings) validate() error {
 	if s.HealthCheckEnabled && s.HealthCheckAddrPort != "" {
 		return errors.New("TS_HEALTHCHECK_ADDR_PORT is deprecated and will be removed in 1.82.0, use TS_ENABLE_HEALTH_CHECK and optionally TS_LOCAL_ADDR_PORT")
 	}
-	if s.EgressProxiesCfgPath != "" && !(s.InKubernetes && s.KubeSecret != "") {
-		return errors.New("TS_EGRESS_PROXIES_CONFIG_PATH is only supported for Tailscale running on Kubernetes")
+	if s.EgressSvcsCfgPath != "" && !(s.InKubernetes && s.KubeSecret != "") {
+		return errors.New("TS_EGRESS_SERVICES_CONFIG_PATH is only supported for Tailscale running on Kubernetes")
 	}
 	return nil
 }
@@ -291,7 +291,7 @@ func isOneStepConfig(cfg *settings) bool {
 // as an L3 proxy, proxying to an endpoint provided via one of the config env
 // vars.
 func isL3Proxy(cfg *settings) bool {
-	return cfg.ProxyTargetIP != "" || cfg.ProxyTargetDNSName != "" || cfg.TailnetTargetIP != "" || cfg.TailnetTargetFQDN != "" || cfg.AllowProxyingClusterTrafficViaIngress || cfg.EgressProxiesCfgPath != ""
+	return cfg.ProxyTargetIP != "" || cfg.ProxyTargetDNSName != "" || cfg.TailnetTargetIP != "" || cfg.TailnetTargetFQDN != "" || cfg.AllowProxyingClusterTrafficViaIngress || cfg.EgressSvcsCfgPath != ""
 }

 // hasKubeStateStore returns true if the state must be stored in a Kubernetes
@@ -308,10 +308,6 @@ func (cfg *settings) localHealthEnabled() bool {
 	return cfg.LocalAddrPort != "" && cfg.HealthCheckEnabled
 }

-func (cfg *settings) egressSvcsTerminateEPEnabled() bool {
-	return cfg.LocalAddrPort != "" && cfg.EgressProxiesCfgPath != ""
-}
-
 // defaultEnv returns the value of the given envvar name, or defVal if
 // unset.
 func defaultEnv(name, defVal string) string {
--- a/cmd/containerboot/tailscaled.go
+++ b/cmd/containerboot/tailscaled.go
@@ -42,14 +42,14 @@ func startTailscaled(ctx context.Context, cfg *settings) (*tailscale.LocalClient
 	log.Printf("Waiting for tailscaled socket")
 	for {
 		if ctx.Err() != nil {
-			return nil, nil, errors.New("timed out waiting for tailscaled socket")
+			log.Fatalf("Timed out waiting for tailscaled socket")
 		}
 		_, err := os.Stat(cfg.Socket)
 		if errors.Is(err, fs.ErrNotExist) {
 			time.Sleep(100 * time.Millisecond)
 			continue
 		} else if err != nil {
-			return nil, nil, fmt.Errorf("error waiting for tailscaled socket: %w", err)
+			log.Fatalf("Waiting for tailscaled socket: %v", err)
 		}
 		break
 	}
--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -189,8 +189,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
        golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
        golang.org/x/crypto/hkdf                                     from crypto/tls+
-        golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
-        golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
@@ -203,7 +201,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        golang.org/x/net/http/httpproxy                              from net/http+
        golang.org/x/net/http2/hpack                                 from net/http
        golang.org/x/net/idna                                        from golang.org/x/crypto/acme/autocert+
-        golang.org/x/net/internal/socks                              from golang.org/x/net/proxy
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
   D    golang.org/x/net/route                                       from net+
        golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
@@ -235,18 +232,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        crypto/ed25519                                               from crypto/tls+
        crypto/elliptic                                              from crypto/ecdsa+
        crypto/hmac                                                  from crypto/tls+
-        crypto/internal/alias                                        from crypto/aes+
-        crypto/internal/bigmod                                       from crypto/ecdsa+
-        crypto/internal/boring                                       from crypto/aes+
-        crypto/internal/boring/bbig                                  from crypto/ecdsa+
-        crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/edwards25519                                 from crypto/ed25519
-        crypto/internal/edwards25519/field                           from crypto/ecdh+
-        crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/mlkem768                                     from crypto/tls
-        crypto/internal/nistec                                       from crypto/ecdh+
-        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
-        crypto/internal/randutil                                     from crypto/dsa+
        crypto/md5                                                   from crypto/tls+
        crypto/rand                                                  from crypto/ed25519+
        crypto/rc4                                                   from crypto/tls
@@ -257,7 +242,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        crypto/subtle                                                from crypto/aes+
        crypto/tls                                                   from golang.org/x/crypto/acme+
        crypto/x509                                                  from crypto/tls+
-   D    crypto/x509/internal/macos                                   from crypto/x509
        crypto/x509/pkix                                             from crypto/x509+
        embed                                                        from crypto/internal/nistec+
        encoding                                                     from encoding/json+
@@ -279,44 +263,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        hash/maphash                                                 from go4.org/mem
        html                                                         from net/http/pprof+
        html/template                                                from tailscale.com/cmd/derper
-        internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from syscall
-        internal/bisect                                              from internal/godebug
-        internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/aes+
-        internal/chacha8rand                                         from math/rand/v2+
-        internal/concurrent                                          from unique
-        internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/aes+
-        internal/filepathlite                                        from os+
-        internal/fmtsort                                             from fmt+
-        internal/goarch                                              from crypto/aes+
-        internal/godebug                                             from crypto/tls+
-        internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from runtime
-        internal/goos                                                from crypto/x509+
-        internal/itoa                                                from internal/poll+
-        internal/msan                                                from syscall
-        internal/nettrace                                            from net+
-        internal/oserror                                             from io/fs+
-        internal/poll                                                from net+
-        internal/profile                                             from net/http/pprof
-        internal/profilerecord                                       from runtime+
-        internal/race                                                from internal/poll+
-        internal/reflectlite                                         from context+
-        internal/runtime/atomic                                      from internal/runtime/exithook+
-        internal/runtime/exithook                                    from runtime
-   L    internal/runtime/syscall                                     from runtime+
-        internal/singleflight                                        from net
-        internal/stringslite                                         from embed+
-        internal/syscall/execenv                                     from os+
-  LD    internal/syscall/unix                                        from crypto/rand+
-   W    internal/syscall/windows                                     from crypto/rand+
-   W    internal/syscall/windows/registry                            from mime+
-   W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
-        internal/testlog                                             from os
-        internal/unsafeheader                                        from internal/reflectlite+
-        internal/weak                                                from unique
        io                                                           from bufio+
        io/fs                                                        from crypto/x509+
   L    io/ioutil                                                    from github.com/mitchellh/go-ps+
@@ -336,7 +282,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        net/http                                                     from expvar+
        net/http/httptrace                                           from net/http+
        net/http/internal                                            from net/http
-        net/http/internal/ascii                                      from net/http
        net/http/pprof                                               from tailscale.com/tsweb
        net/netip                                                    from go4.org/netipx+
        net/textproto                                                from golang.org/x/net/http/httpguts+
@@ -350,10 +295,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        reflect                                                      from crypto/x509+
        regexp                                                       from github.com/coreos/go-iptables/iptables+
        regexp/syntax                                                from regexp
-        runtime                                                      from crypto/internal/nistec+
        runtime/debug                                                from github.com/prometheus/client_golang/prometheus+
-        runtime/internal/math                                        from runtime
-        runtime/internal/sys                                         from runtime
        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
        runtime/pprof                                                from net/http/pprof
        runtime/trace                                                from net/http/pprof
@@ -372,4 +314,3 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        unicode/utf16                                                from crypto/x509+
        unicode/utf8                                                 from bufio+
        unique                                                       from net/netip
-        unsafe                                                       from bytes+
--- a/cmd/k8s-operator/depaware.txt
+++ b/cmd/k8s-operator/depaware.txt
@@ -197,6 +197,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
   W 💣 github.com/tailscale/go-winio/internal/socket                from github.com/tailscale/go-winio
   W    github.com/tailscale/go-winio/internal/stringbuffer          from github.com/tailscale/go-winio/internal/fs
   W    github.com/tailscale/go-winio/pkg/guid                       from github.com/tailscale/go-winio+
+        github.com/tailscale/golang-x-crypto/acme                    from tailscale.com/ipn/ipnlocal
  LD    github.com/tailscale/golang-x-crypto/internal/poly1305       from github.com/tailscale/golang-x-crypto/ssh
  LD    github.com/tailscale/golang-x-crypto/ssh                     from tailscale.com/ipn/ipnlocal
  LD    github.com/tailscale/golang-x-crypto/ssh/internal/bcrypt_pbkdf from github.com/tailscale/golang-x-crypto/ssh
@@ -801,7 +802,6 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        tailscale.com/envknob                                        from tailscale.com/client/tailscale+
        tailscale.com/envknob/featureknob                            from tailscale.com/client/web+
        tailscale.com/feature                                        from tailscale.com/feature/wakeonlan+
-        tailscale.com/feature/capture                                from tailscale.com/feature/condregister
        tailscale.com/feature/condregister                           from tailscale.com/tsnet
   L    tailscale.com/feature/tap                                    from tailscale.com/feature/condregister
        tailscale.com/feature/wakeonlan                              from tailscale.com/feature/condregister
@@ -814,7 +814,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
     💣 tailscale.com/ipn/ipnauth                                    from tailscale.com/ipn/ipnlocal+
        tailscale.com/ipn/ipnlocal                                   from tailscale.com/ipn/localapi+
        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
-        tailscale.com/ipn/localapi                                   from tailscale.com/tsnet+
+        tailscale.com/ipn/localapi                                   from tailscale.com/tsnet
        tailscale.com/ipn/policy                                     from tailscale.com/ipn/ipnlocal
        tailscale.com/ipn/store                                      from tailscale.com/ipn/ipnlocal+
   L    tailscale.com/ipn/store/awsstore                             from tailscale.com/ipn/store
@@ -887,9 +887,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        tailscale.com/syncs                                          from tailscale.com/control/controlknobs+
        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
        tailscale.com/taildrop                                       from tailscale.com/ipn/ipnlocal+
-        tailscale.com/tempfork/acme                                  from tailscale.com/ipn/ipnlocal
        tailscale.com/tempfork/heap                                  from tailscale.com/wgengine/magicsock
-        tailscale.com/tempfork/httprec                               from tailscale.com/control/controlclient
        tailscale.com/tka                                            from tailscale.com/client/tailscale+
        tailscale.com/tsconst                                        from tailscale.com/net/netmon+
        tailscale.com/tsd                                            from tailscale.com/ipn/ipnlocal+
@@ -971,6 +969,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        tailscale.com/version                                        from tailscale.com/client/web+
        tailscale.com/version/distro                                 from tailscale.com/client/web+
        tailscale.com/wgengine                                       from tailscale.com/ipn/ipnlocal+
+        tailscale.com/wgengine/capture                               from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
        tailscale.com/wgengine/filter/filtertype                     from tailscale.com/types/netmap+
     💣 tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
@@ -993,8 +992,6 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
        golang.org/x/crypto/curve25519                               from github.com/tailscale/golang-x-crypto/ssh+
        golang.org/x/crypto/hkdf                                     from crypto/tls+
-        golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
-        golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device
@@ -1012,10 +1009,6 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        golang.org/x/net/http2/hpack                                 from golang.org/x/net/http2+
        golang.org/x/net/icmp                                        from github.com/prometheus-community/pro-bing+
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
-        golang.org/x/net/internal/httpcommon                         from golang.org/x/net/http2
-        golang.org/x/net/internal/iana                               from golang.org/x/net/icmp+
-        golang.org/x/net/internal/socket                             from golang.org/x/net/icmp+
-        golang.org/x/net/internal/socks                              from golang.org/x/net/proxy
        golang.org/x/net/ipv4                                        from github.com/miekg/dns+
        golang.org/x/net/ipv6                                        from github.com/miekg/dns+
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
@@ -1057,18 +1050,6 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        crypto/ed25519                                               from crypto/tls+
        crypto/elliptic                                              from crypto/ecdsa+
        crypto/hmac                                                  from crypto/tls+
-        crypto/internal/alias                                        from crypto/aes+
-        crypto/internal/bigmod                                       from crypto/ecdsa+
-        crypto/internal/boring                                       from crypto/aes+
-        crypto/internal/boring/bbig                                  from crypto/ecdsa+
-        crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/edwards25519                                 from crypto/ed25519
-        crypto/internal/edwards25519/field                           from crypto/ecdh+
-        crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/mlkem768                                     from crypto/tls
-        crypto/internal/nistec                                       from crypto/ecdh+
-        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
-        crypto/internal/randutil                                     from crypto/dsa+
        crypto/md5                                                   from crypto/tls+
        crypto/rand                                                  from crypto/ed25519+
        crypto/rc4                                                   from crypto/tls+
@@ -1079,7 +1060,6 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        crypto/subtle                                                from crypto/aes+
        crypto/tls                                                   from github.com/aws/aws-sdk-go-v2/aws/transport/http+
        crypto/x509                                                  from crypto/tls+
-   D    crypto/x509/internal/macos                                   from crypto/x509
        crypto/x509/pkix                                             from crypto/x509+
        database/sql                                                 from github.com/prometheus/client_golang/prometheus/collectors
        database/sql/driver                                          from database/sql+
@@ -1105,7 +1085,6 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        go/build/constraint                                          from go/parser
        go/doc                                                       from k8s.io/apimachinery/pkg/runtime
        go/doc/comment                                               from go/doc
-        go/internal/typeparams                                       from go/parser
        go/parser                                                    from k8s.io/apimachinery/pkg/runtime
        go/scanner                                                   from go/ast+
        go/token                                                     from go/ast+
@@ -1116,46 +1095,6 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        hash/maphash                                                 from go4.org/mem
        html                                                         from html/template+
        html/template                                                from github.com/gorilla/csrf
-        internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from syscall
-        internal/bisect                                              from internal/godebug
-        internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/aes+
-        internal/chacha8rand                                         from math/rand/v2+
-        internal/concurrent                                          from unique
-        internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/aes+
-        internal/filepathlite                                        from os+
-        internal/fmtsort                                             from fmt+
-        internal/goarch                                              from crypto/aes+
-        internal/godebug                                             from archive/tar+
-        internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from runtime
-        internal/goos                                                from crypto/x509+
-        internal/itoa                                                from internal/poll+
-        internal/lazyregexp                                          from go/doc
-        internal/msan                                                from syscall
-        internal/nettrace                                            from net+
-        internal/oserror                                             from io/fs+
-        internal/poll                                                from net+
-        internal/profile                                             from net/http/pprof
-        internal/profilerecord                                       from runtime+
-        internal/race                                                from internal/poll+
-        internal/reflectlite                                         from context+
-        internal/runtime/atomic                                      from internal/runtime/exithook+
-        internal/runtime/exithook                                    from runtime
-   L    internal/runtime/syscall                                     from runtime+
-        internal/saferio                                             from debug/pe+
-        internal/singleflight                                        from net
-        internal/stringslite                                         from embed+
-        internal/syscall/execenv                                     from os+
-  LD    internal/syscall/unix                                        from crypto/rand+
-   W    internal/syscall/windows                                     from crypto/rand+
-   W    internal/syscall/windows/registry                            from mime+
-   W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
-        internal/testlog                                             from os
-        internal/unsafeheader                                        from internal/reflectlite+
-        internal/weak                                                from unique
        io                                                           from archive/tar+
        io/fs                                                        from archive/tar+
        io/ioutil                                                    from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
@@ -1164,7 +1103,6 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        log/internal                                                 from log+
        log/slog                                                     from github.com/go-logr/logr+
        log/slog/internal                                            from log/slog
-        log/slog/internal/buffer                                     from log/slog
        maps                                                         from sigs.k8s.io/controller-runtime/pkg/predicate+
        math                                                         from archive/tar+
        math/big                                                     from crypto/dsa+
@@ -1176,10 +1114,10 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        mime/quotedprintable                                         from mime/multipart
        net                                                          from crypto/tls+
        net/http                                                     from expvar+
+        net/http/httptest                                            from tailscale.com/control/controlclient
        net/http/httptrace                                           from github.com/prometheus-community/pro-bing+
        net/http/httputil                                            from github.com/aws/smithy-go/transport/http+
        net/http/internal                                            from net/http+
-        net/http/internal/ascii                                      from net/http+
        net/http/pprof                                               from sigs.k8s.io/controller-runtime/pkg/manager+
        net/netip                                                    from github.com/gaissmai/bart+
        net/textproto                                                from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
@@ -1193,10 +1131,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        reflect                                                      from archive/tar+
        regexp                                                       from github.com/aws/aws-sdk-go-v2/internal/endpoints+
        regexp/syntax                                                from regexp
-        runtime                                                      from archive/tar+
        runtime/debug                                                from github.com/aws/aws-sdk-go-v2/internal/sync/singleflight+
-        runtime/internal/math                                        from runtime
-        runtime/internal/sys                                         from runtime
        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
        runtime/pprof                                                from net/http/pprof+
        runtime/trace                                                from net/http/pprof
@@ -1215,4 +1150,3 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        unicode/utf16                                                from crypto/x509+
        unicode/utf8                                                 from bufio+
        unique                                                       from net/netip
-        unsafe                                                       from bytes+
--- a/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
+++ b/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
@@ -63,10 +63,7 @@ rules:
  verbs: ["create","delete","deletecollection","get","list","patch","update","watch"]
 - apiGroups: [""]
  resources: ["pods"]
-  verbs: ["get","list","watch", "update"]
- apiGroups: [""]
-  resources: ["pods/status"]
-  verbs: ["update"]
+  verbs: ["get","list","watch"]
 - apiGroups: ["apps"]
  resources: ["statefulsets", "deployments"]
  verbs: ["create","delete","deletecollection","get","list","patch","update","watch"]
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_proxygroups.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_proxygroups.yaml
@@ -103,7 +103,7 @@ spec:
                    pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$
                type:
                  description: |-
-                    Type of the ProxyGroup proxies. Currently the only supported type is egress.
+                    Type of the ProxyGroup proxies. Supported types are egress and ingress.
                    Type is immutable once a ProxyGroup is created.
                  type: string
                  enum:
--- a/cmd/k8s-operator/deploy/manifests/operator.yaml
+++ b/cmd/k8s-operator/deploy/manifests/operator.yaml
@@ -2860,7 +2860,7 @@ spec:
                                type: array
                            type:
                                description: |-
-                                    Type of the ProxyGroup proxies. Currently the only supported type is egress.
+                                    Type of the ProxyGroup proxies. Supported types are egress and ingress.
                                    Type is immutable once a ProxyGroup is created.
                                enum:
                                    - egress
@@ -4854,13 +4854,6 @@ rules:
        - get
        - list
        - watch
-        - update
-    - apiGroups:
-        - ""
-      resources:
-        - pods/status
-      verbs:
-        - update
    - apiGroups:
        - apps
      resources:
--- a/cmd/k8s-operator/egress-eps.go
+++ b/cmd/k8s-operator/egress-eps.go
@@ -20,6 +20,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	tsoperator "tailscale.com/k8s-operator"
 	"tailscale.com/kube/egressservices"
 	"tailscale.com/types/ptr"
 )
@@ -70,27 +71,25 @@ func (er *egressEpsReconciler) Reconcile(ctx context.Context, req reconcile.Requ
 	if err != nil {
 		return res, fmt.Errorf("error retrieving ExternalName Service: %w", err)
 	}
+	if !tsoperator.EgressServiceIsValidAndConfigured(svc) {
+		l.Infof("Cluster resources for ExternalName Service %s/%s are not yet configured", svc.Namespace, svc.Name)
+		return res, nil
+	}

 	// TODO(irbekrm): currently this reconcile loop runs all the checks every time it's triggered, which is
 	// wasteful. Once we have a Ready condition for ExternalName Services for ProxyGroup, use the condition to
 	// determine if a reconcile is needed.

 	oldEps := eps.DeepCopy()
+	proxyGroupName := eps.Labels[labelProxyGroup]
 	tailnetSvc := tailnetSvcName(svc)
 	l = l.With("tailnet-service-name", tailnetSvc)

 	// Retrieve the desired tailnet service configuration from the ConfigMap.
-	proxyGroupName := eps.Labels[labelProxyGroup]
 	_, cfgs, err := egressSvcsConfigs(ctx, er.Client, proxyGroupName, er.tsNamespace)
 	if err != nil {
 		return res, fmt.Errorf("error retrieving tailnet services configuration: %w", err)
 	}
-	if cfgs == nil {
-		// TODO(irbekrm): this path would be hit if egress service was once exposed on a ProxyGroup that later
-		// got deleted. Probably the EndpointSlices then need to be deleted too- need to rethink this flow.
-		l.Debugf("No egress config found, likely because ProxyGroup has not been created")
-		return res, nil
-	}
 	cfg, ok := (*cfgs)[tailnetSvc]
 	if !ok {
 		l.Infof("[unexpected] configuration for tailnet service %s not found", tailnetSvc)
--- a/cmd/k8s-operator/egress-pod-readiness.go
+++ b/cmd/k8s-operator/egress-pod-readiness.go
@@ -1,274 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !plan9
-
-package main
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/http"
-	"slices"
-	"strings"
-	"sync/atomic"
-	"time"
-
-	"go.uber.org/zap"
-	xslices "golang.org/x/exp/slices"
-	corev1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
-	"tailscale.com/kube/kubetypes"
-	"tailscale.com/logtail/backoff"
-	"tailscale.com/tstime"
-	"tailscale.com/util/httpm"
-)
-
-const tsEgressReadinessGate = "tailscale.com/egress-services"
-
-// egressPodsReconciler is responsible for setting tailscale.com/egress-services condition on egress ProxyGroup Pods.
-// The condition is used as a readiness gate for the Pod, meaning that kubelet will not mark the Pod as ready before the
-// condition is set. The ProxyGroup StatefulSet updates are rolled out in such a way that no Pod is restarted, before
-// the previous Pod is marked as ready, so ensuring that the Pod does not get marked as ready when it is not yet able to
-// route traffic for egress service prevents downtime during restarts caused by no available endpoints left because
-// every Pod has been recreated and is not yet added to endpoints.
-// https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-readiness-gate
-type egressPodsReconciler struct {
-	client.Client
-	logger      *zap.SugaredLogger
-	tsNamespace string
-	clock       tstime.Clock
-	httpClient  doer          // http client that can be set to a mock client in tests
-	maxBackoff  time.Duration // max backoff period between health check calls
-}
-
-// Reconcile reconciles an egress ProxyGroup Pods on changes to those Pods and ProxyGroup EndpointSlices. It ensures
-// that for each Pod who is ready to route traffic to all egress services for the ProxyGroup, the Pod has a
-// tailscale.com/egress-services condition to set, so that kubelet will mark the Pod as ready.
-//
-// For the Pod to be ready
-// to route traffic to the egress service, the kube proxy needs to have set up the Pod's IP as an endpoint for the
-// ClusterIP Service corresponding to the egress service.
-//
-// Note that the endpoints for the ClusterIP Service are configured by the operator itself using custom
-// EndpointSlices(egress-eps-reconciler), so the routing is not blocked on Pod's readiness.
-//
-// Each egress service has a corresponding ClusterIP Service, that exposes all user configured
-// tailnet ports, as well as a health check port for the proxy.
-//
-// The reconciler calls the health check endpoint of each Service up to N number of times, where N is the number of
-// replicas for the ProxyGroup x 3, and checks if the received response is healthy response from the Pod being reconciled.
-//
-// The health check response contains a header with the
-// Pod's IP address- this is used to determine whether the response is received from this Pod.
-//
-// If the Pod does not appear to be serving the health check endpoint (pre-v1.80 proxies), the reconciler just sets the
-// readiness condition for backwards compatibility reasons.
-func (er *egressPodsReconciler) Reconcile(ctx context.Context, req reconcile.Request) (res reconcile.Result, err error) {
-	l := er.logger.With("Pod", req.NamespacedName)
-	l.Debugf("starting reconcile")
-	defer l.Debugf("reconcile finished")
-
-	pod := new(corev1.Pod)
-	err = er.Get(ctx, req.NamespacedName, pod)
-	if apierrors.IsNotFound(err) {
-		return reconcile.Result{}, nil
-	}
-	if err != nil {
-		return reconcile.Result{}, fmt.Errorf("failed to get Pod: %w", err)
-	}
-	if !pod.DeletionTimestamp.IsZero() {
-		l.Debugf("Pod is being deleted, do nothing")
-		return res, nil
-	}
-	if pod.Labels[LabelParentType] != proxyTypeProxyGroup {
-		l.Infof("[unexpected] reconciler called for a Pod that is not a ProxyGroup Pod")
-		return res, nil
-	}
-
-	// If the Pod does not have the readiness gate set, there is no need to add the readiness condition. In practice
-	// this will happen if the user has configured custom TS_LOCAL_ADDR_PORT, thus disabling the graceful failover.
-	if !slices.ContainsFunc(pod.Spec.ReadinessGates, func(r corev1.PodReadinessGate) bool {
-		return r.ConditionType == tsEgressReadinessGate
-	}) {
-		l.Debug("Pod does not have egress readiness gate set, skipping")
-		return res, nil
-	}
-
-	proxyGroupName := pod.Labels[LabelParentName]
-	pg := new(tsapi.ProxyGroup)
-	if err := er.Get(ctx, types.NamespacedName{Name: proxyGroupName}, pg); err != nil {
-		return res, fmt.Errorf("error getting ProxyGroup %q: %w", proxyGroupName, err)
-	}
-	if pg.Spec.Type != typeEgress {
-		l.Infof("[unexpected] reconciler called for %q ProxyGroup Pod", pg.Spec.Type)
-		return res, nil
-	}
-	// Get all ClusterIP Services for all egress targets exposed to cluster via this ProxyGroup.
-	lbls := map[string]string{
-		LabelManaged:    "true",
-		labelProxyGroup: proxyGroupName,
-		labelSvcType:    typeEgress,
-	}
-	svcs := &corev1.ServiceList{}
-	if err := er.List(ctx, svcs, client.InNamespace(er.tsNamespace), client.MatchingLabels(lbls)); err != nil {
-		return res, fmt.Errorf("error listing ClusterIP Services")
-	}
-
-	idx := xslices.IndexFunc(pod.Status.Conditions, func(c corev1.PodCondition) bool {
-		return c.Type == tsEgressReadinessGate
-	})
-	if idx != -1 {
-		l.Debugf("Pod is already ready, do nothing")
-		return res, nil
-	}
-
-	var routesMissing atomic.Bool
-	errChan := make(chan error, len(svcs.Items))
-	for _, svc := range svcs.Items {
-		s := svc
-		go func() {
-			ll := l.With("service_name", s.Name)
-			d := retrieveClusterDomain(er.tsNamespace, ll)
-			healthCheckAddr := healthCheckForSvc(&s, d)
-			if healthCheckAddr == "" {
-				ll.Debugf("ClusterIP Service does not expose a health check endpoint, unable to verify if routing is set up")
-				errChan <- nil
-				return
-			}
-
-			var routesSetup bool
-			bo := backoff.NewBackoff(s.Name, ll.Infof, er.maxBackoff)
-			for range numCalls(pgReplicas(pg)) {
-				if ctx.Err() != nil {
-					errChan <- nil
-					return
-				}
-				state, err := er.lookupPodRouteViaSvc(ctx, pod, healthCheckAddr, ll)
-				if err != nil {
-					errChan <- fmt.Errorf("error validating if routing has been set up for Pod: %w", err)
-					return
-				}
-				if state == healthy || state == cannotVerify {
-					routesSetup = true
-					break
-				}
-				if state == unreachable || state == unhealthy || state == podNotReady {
-					bo.BackOff(ctx, errors.New("backoff"))
-				}
-			}
-			if !routesSetup {
-				ll.Debugf("Pod is not yet configured as Service endpoint")
-				routesMissing.Store(true)
-			}
-			errChan <- nil
-		}()
-	}
-	for range len(svcs.Items) {
-		e := <-errChan
-		err = errors.Join(err, e)
-	}
-	if err != nil {
-		return res, fmt.Errorf("error verifying conectivity: %w", err)
-	}
-	if rm := routesMissing.Load(); rm {
-		l.Info("Pod is not yet added as an endpoint for all egress targets, waiting...")
-		return reconcile.Result{RequeueAfter: shortRequeue}, nil
-	}
-	if err := er.setPodReady(ctx, pod, l); err != nil {
-		return res, fmt.Errorf("error setting Pod as ready: %w", err)
-	}
-	return res, nil
-}
-
-func (er *egressPodsReconciler) setPodReady(ctx context.Context, pod *corev1.Pod, l *zap.SugaredLogger) error {
-	if slices.ContainsFunc(pod.Status.Conditions, func(c corev1.PodCondition) bool {
-		return c.Type == tsEgressReadinessGate
-	}) {
-		return nil
-	}
-	l.Infof("Pod is ready to route traffic to all egress targets")
-	pod.Status.Conditions = append(pod.Status.Conditions, corev1.PodCondition{
-		Type:               tsEgressReadinessGate,
-		Status:             corev1.ConditionTrue,
-		LastTransitionTime: metav1.Time{Time: er.clock.Now()},
-	})
-	return er.Status().Update(ctx, pod)
-}
-
-// healthCheckState is the result of a single request to an egress Service health check endpoint with a goal to hit a
-// specific backend Pod.
-type healthCheckState int8
-
-const (
-	cannotVerify healthCheckState = iota // not verifiable for this setup (i.e earlier proxy version)
-	unreachable                          // no backends or another network error
-	notFound                             // hit another backend
-	unhealthy                            // not 200
-	podNotReady                          // Pod is not ready, i.e does not have an IP address yet
-	healthy                              // 200
-)
-
-// lookupPodRouteViaSvc attempts to reach a Pod using a health check endpoint served by a Service and returns the state of the health check.
-func (er *egressPodsReconciler) lookupPodRouteViaSvc(ctx context.Context, pod *corev1.Pod, healthCheckAddr string, l *zap.SugaredLogger) (healthCheckState, error) {
-	if !slices.ContainsFunc(pod.Spec.Containers[0].Env, func(e corev1.EnvVar) bool {
-		return e.Name == "TS_ENABLE_HEALTH_CHECK" && e.Value == "true"
-	}) {
-		l.Debugf("Pod does not have health check enabled, unable to verify if it is currently routable via Service")
-		return cannotVerify, nil
-	}
-	wantsIP, err := podIPv4(pod)
-	if err != nil {
-		return -1, fmt.Errorf("error determining Pod's IP address: %w", err)
-	}
-	if wantsIP == "" {
-		return podNotReady, nil
-	}
-
-	ctx, cancel := context.WithTimeout(ctx, time.Second*3)
-	defer cancel()
-	req, err := http.NewRequestWithContext(ctx, httpm.GET, healthCheckAddr, nil)
-	if err != nil {
-		return -1, fmt.Errorf("error creating new HTTP request: %w", err)
-	}
-	// Do not re-use the same connection for the next request so to maximize the chance of hitting all backends equally.
-	req.Close = true
-	resp, err := er.httpClient.Do(req)
-	if err != nil {
-		// This is most likely because this is the first Pod and is not yet added to Service endoints. Other
-		// error types are possible, but checking for those would likely make the system too fragile.
-		return unreachable, nil
-	}
-	defer resp.Body.Close()
-	gotIP := resp.Header.Get(kubetypes.PodIPv4Header)
-	if gotIP == "" {
-		l.Debugf("Health check does not return Pod's IP header, unable to verify if Pod is currently routable via Service")
-		return cannotVerify, nil
-	}
-	if !strings.EqualFold(wantsIP, gotIP) {
-		return notFound, nil
-	}
-	if resp.StatusCode != http.StatusOK {
-		return unhealthy, nil
-	}
-	return healthy, nil
-}
-
-// numCalls return the number of times an endpoint on a ProxyGroup Service should be called till it can be safely
-// assumed that, if none of the responses came back from a specific Pod then traffic for the Service is currently not
-// being routed to that Pod. This assumes that traffic for the Service is routed via round robin, so
-// InternalTrafficPolicy must be 'Cluster' and session affinity must be None.
-func numCalls(replicas int32) int32 {
-	return replicas * 3
-}
-
-// doer is an interface for HTTP client that can be set to a mock client in tests.
-type doer interface {
-	Do(*http.Request) (*http.Response, error)
-}
--- a/cmd/k8s-operator/egress-pod-readiness_test.go
+++ b/cmd/k8s-operator/egress-pod-readiness_test.go
@@ -1,525 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !plan9
-
-package main
-
-import (
-	"bytes"
-	"errors"
-	"fmt"
-	"io"
-	"log"
-	"net/http"
-	"sync"
-	"testing"
-	"time"
-
-	"go.uber.org/zap"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
-	"sigs.k8s.io/controller-runtime/pkg/client/fake"
-	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
-	"tailscale.com/kube/kubetypes"
-	"tailscale.com/tstest"
-	"tailscale.com/types/ptr"
-)
-
-func TestEgressPodReadiness(t *testing.T) {
-	// We need to pass a Pod object to WithStatusSubresource because of some quirks in how the fake client
-	// works. Without this code we would not be able to update Pod's status further down.
-	fc := fake.NewClientBuilder().
-		WithScheme(tsapi.GlobalScheme).
-		WithStatusSubresource(&corev1.Pod{}).
-		Build()
-	zl, _ := zap.NewDevelopment()
-	cl := tstest.NewClock(tstest.ClockOpts{})
-	rec := &egressPodsReconciler{
-		tsNamespace: "operator-ns",
-		Client:      fc,
-		logger:      zl.Sugar(),
-		clock:       cl,
-	}
-	pg := &tsapi.ProxyGroup{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "dev",
-		},
-		Spec: tsapi.ProxyGroupSpec{
-			Type:     "egress",
-			Replicas: ptr.To(int32(3)),
-		},
-	}
-	mustCreate(t, fc, pg)
-	podIP := "10.0.0.2"
-	podTemplate := &corev1.Pod{
-		ObjectMeta: metav1.ObjectMeta{
-			Namespace: "operator-ns",
-			Name:      "pod",
-			Labels: map[string]string{
-				LabelParentType: "proxygroup",
-				LabelParentName: "dev",
-			},
-		},
-		Spec: corev1.PodSpec{
-			ReadinessGates: []corev1.PodReadinessGate{{
-				ConditionType: tsEgressReadinessGate,
-			}},
-			Containers: []corev1.Container{{
-				Name: "tailscale",
-				Env: []corev1.EnvVar{{
-					Name:  "TS_ENABLE_HEALTH_CHECK",
-					Value: "true",
-				}},
-			}},
-		},
-		Status: corev1.PodStatus{
-			PodIPs: []corev1.PodIP{{IP: podIP}},
-		},
-	}
-
-	t.Run("no_egress_services", func(t *testing.T) {
-		pod := podTemplate.DeepCopy()
-		mustCreate(t, fc, pod)
-		expectReconciled(t, rec, "operator-ns", pod.Name)
-
-		// Pod should have readiness gate condition set.
-		podSetReady(pod, cl)
-		expectEqual(t, fc, pod)
-		mustDeleteAll(t, fc, pod)
-	})
-	t.Run("one_svc_already_routed_to", func(t *testing.T) {
-		pod := podTemplate.DeepCopy()
-
-		svc, hep := newSvc("svc", 9002)
-		mustCreateAll(t, fc, svc, pod)
-		resp := readyResps(podIP, 1)
-		httpCl := fakeHTTPClient{
-			t:     t,
-			state: map[string][]fakeResponse{hep: resp},
-		}
-		rec.httpClient = &httpCl
-		expectReconciled(t, rec, "operator-ns", pod.Name)
-
-		// Pod should have readiness gate condition set.
-		podSetReady(pod, cl)
-		expectEqual(t, fc, pod)
-
-		// A subsequent reconcile should not change the Pod.
-		expectReconciled(t, rec, "operator-ns", pod.Name)
-		expectEqual(t, fc, pod)
-
-		mustDeleteAll(t, fc, pod, svc)
-	})
-	t.Run("one_svc_many_backends_eventually_routed_to", func(t *testing.T) {
-		pod := podTemplate.DeepCopy()
-
-		svc, hep := newSvc("svc", 9002)
-		mustCreateAll(t, fc, svc, pod)
-		// For a 3 replica ProxyGroup the healthcheck endpoint should be called 9 times, make the 9th time only
-		// return with the right Pod IP.
-		resps := append(readyResps("10.0.0.3", 4), append(readyResps("10.0.0.4", 4), readyResps(podIP, 1)...)...)
-		httpCl := fakeHTTPClient{
-			t:     t,
-			state: map[string][]fakeResponse{hep: resps},
-		}
-		rec.httpClient = &httpCl
-		expectReconciled(t, rec, "operator-ns", pod.Name)
-
-		// Pod should have readiness gate condition set.
-		podSetReady(pod, cl)
-		expectEqual(t, fc, pod)
-		mustDeleteAll(t, fc, pod, svc)
-	})
-	t.Run("one_svc_one_backend_eventually_healthy", func(t *testing.T) {
-		pod := podTemplate.DeepCopy()
-
-		svc, hep := newSvc("svc", 9002)
-		mustCreateAll(t, fc, svc, pod)
-		// For a 3 replica ProxyGroup the healthcheck endpoint should be called 9 times, make the 9th time only
-		// return with 200 status code.
-		resps := append(unreadyResps(podIP, 8), readyResps(podIP, 1)...)
-		httpCl := fakeHTTPClient{
-			t:     t,
-			state: map[string][]fakeResponse{hep: resps},
-		}
-		rec.httpClient = &httpCl
-		expectReconciled(t, rec, "operator-ns", pod.Name)
-
-		// Pod should have readiness gate condition set.
-		podSetReady(pod, cl)
-		expectEqual(t, fc, pod)
-		mustDeleteAll(t, fc, pod, svc)
-	})
-	t.Run("one_svc_one_backend_never_routable", func(t *testing.T) {
-		pod := podTemplate.DeepCopy()
-
-		svc, hep := newSvc("svc", 9002)
-		mustCreateAll(t, fc, svc, pod)
-		// For a 3 replica ProxyGroup the healthcheck endpoint should be called 9 times and Pod should be
-		// requeued if neither of those succeed.
-		resps := readyResps("10.0.0.3", 9)
-		httpCl := fakeHTTPClient{
-			t:     t,
-			state: map[string][]fakeResponse{hep: resps},
-		}
-		rec.httpClient = &httpCl
-		expectRequeue(t, rec, "operator-ns", pod.Name)
-
-		// Pod should not have readiness gate condition set.
-		expectEqual(t, fc, pod)
-		mustDeleteAll(t, fc, pod, svc)
-	})
-	t.Run("one_svc_many_backends_already_routable", func(t *testing.T) {
-		pod := podTemplate.DeepCopy()
-
-		svc, hep := newSvc("svc", 9002)
-		svc2, hep2 := newSvc("svc-2", 9002)
-		svc3, hep3 := newSvc("svc-3", 9002)
-		mustCreateAll(t, fc, svc, svc2, svc3, pod)
-		resps := readyResps(podIP, 1)
-		httpCl := fakeHTTPClient{
-			t: t,
-			state: map[string][]fakeResponse{
-				hep:  resps,
-				hep2: resps,
-				hep3: resps,
-			},
-		}
-		rec.httpClient = &httpCl
-		expectReconciled(t, rec, "operator-ns", pod.Name)
-
-		// Pod should not have readiness gate condition set.
-		podSetReady(pod, cl)
-		expectEqual(t, fc, pod)
-		mustDeleteAll(t, fc, pod, svc, svc2, svc3)
-	})
-	t.Run("one_svc_many_backends_eventually_routable_and_healthy", func(t *testing.T) {
-		pod := podTemplate.DeepCopy()
-		svc, hep := newSvc("svc", 9002)
-		svc2, hep2 := newSvc("svc-2", 9002)
-		svc3, hep3 := newSvc("svc-3", 9002)
-		mustCreateAll(t, fc, svc, svc2, svc3, pod)
-		resps := append(readyResps("10.0.0.3", 7), readyResps(podIP, 1)...)
-		resps2 := append(readyResps("10.0.0.3", 5), readyResps(podIP, 1)...)
-		resps3 := append(unreadyResps(podIP, 4), readyResps(podIP, 1)...)
-		httpCl := fakeHTTPClient{
-			t: t,
-			state: map[string][]fakeResponse{
-				hep:  resps,
-				hep2: resps2,
-				hep3: resps3,
-			},
-		}
-		rec.httpClient = &httpCl
-		expectReconciled(t, rec, "operator-ns", pod.Name)
-
-		// Pod should have readiness gate condition set.
-		podSetReady(pod, cl)
-		expectEqual(t, fc, pod)
-		mustDeleteAll(t, fc, pod, svc, svc2, svc3)
-	})
-	t.Run("one_svc_many_backends_never_routable_and_healthy", func(t *testing.T) {
-		pod := podTemplate.DeepCopy()
-
-		svc, hep := newSvc("svc", 9002)
-		svc2, hep2 := newSvc("svc-2", 9002)
-		svc3, hep3 := newSvc("svc-3", 9002)
-		mustCreateAll(t, fc, svc, svc2, svc3, pod)
-		// For a ProxyGroup with 3 replicas, each Service's health endpoint will be tried 9 times and the Pod
-		// will be requeued if neither succeeds.
-		resps := readyResps("10.0.0.3", 9)
-		resps2 := append(readyResps("10.0.0.3", 5), readyResps("10.0.0.4", 4)...)
-		resps3 := unreadyResps(podIP, 9)
-		httpCl := fakeHTTPClient{
-			t: t,
-			state: map[string][]fakeResponse{
-				hep:  resps,
-				hep2: resps2,
-				hep3: resps3,
-			},
-		}
-		rec.httpClient = &httpCl
-		expectRequeue(t, rec, "operator-ns", pod.Name)
-
-		// Pod should not have readiness gate condition set.
-		expectEqual(t, fc, pod)
-		mustDeleteAll(t, fc, pod, svc, svc2, svc3)
-	})
-	t.Run("one_svc_many_backends_one_never_routable", func(t *testing.T) {
-		pod := podTemplate.DeepCopy()
-
-		svc, hep := newSvc("svc", 9002)
-		svc2, hep2 := newSvc("svc-2", 9002)
-		svc3, hep3 := newSvc("svc-3", 9002)
-		mustCreateAll(t, fc, svc, svc2, svc3, pod)
-		// For a ProxyGroup with 3 replicas, each Service's health endpoint will be tried 9 times and the Pod
-		// will be requeued if any one never succeeds.
-		resps := readyResps(podIP, 9)
-		resps2 := readyResps(podIP, 9)
-		resps3 := append(readyResps("10.0.0.3", 5), readyResps("10.0.0.4", 4)...)
-		httpCl := fakeHTTPClient{
-			t: t,
-			state: map[string][]fakeResponse{
-				hep:  resps,
-				hep2: resps2,
-				hep3: resps3,
-			},
-		}
-		rec.httpClient = &httpCl
-		expectRequeue(t, rec, "operator-ns", pod.Name)
-
-		// Pod should not have readiness gate condition set.
-		expectEqual(t, fc, pod)
-		mustDeleteAll(t, fc, pod, svc, svc2, svc3)
-	})
-	t.Run("one_svc_many_backends_one_never_healthy", func(t *testing.T) {
-		pod := podTemplate.DeepCopy()
-
-		svc, hep := newSvc("svc", 9002)
-		svc2, hep2 := newSvc("svc-2", 9002)
-		svc3, hep3 := newSvc("svc-3", 9002)
-		mustCreateAll(t, fc, svc, svc2, svc3, pod)
-		// For a ProxyGroup with 3 replicas, each Service's health endpoint will be tried 9 times and the Pod
-		// will be requeued if any one never succeeds.
-		resps := readyResps(podIP, 9)
-		resps2 := unreadyResps(podIP, 9)
-		resps3 := readyResps(podIP, 9)
-		httpCl := fakeHTTPClient{
-			t: t,
-			state: map[string][]fakeResponse{
-				hep:  resps,
-				hep2: resps2,
-				hep3: resps3,
-			},
-		}
-		rec.httpClient = &httpCl
-		expectRequeue(t, rec, "operator-ns", pod.Name)
-
-		// Pod should not have readiness gate condition set.
-		expectEqual(t, fc, pod)
-		mustDeleteAll(t, fc, pod, svc, svc2, svc3)
-	})
-	t.Run("one_svc_many_backends_different_ports_eventually_healthy_and_routable", func(t *testing.T) {
-		pod := podTemplate.DeepCopy()
-
-		svc, hep := newSvc("svc", 9003)
-		svc2, hep2 := newSvc("svc-2", 9004)
-		svc3, hep3 := newSvc("svc-3", 9010)
-		mustCreateAll(t, fc, svc, svc2, svc3, pod)
-		// For a ProxyGroup with 3 replicas, each Service's health endpoint will be tried up to 9 times and
-		// marked as success as soon as one try succeeds.
-		resps := append(readyResps("10.0.0.3", 7), readyResps(podIP, 1)...)
-		resps2 := append(readyResps("10.0.0.3", 5), readyResps(podIP, 1)...)
-		resps3 := append(unreadyResps(podIP, 4), readyResps(podIP, 1)...)
-		httpCl := fakeHTTPClient{
-			t: t,
-			state: map[string][]fakeResponse{
-				hep:  resps,
-				hep2: resps2,
-				hep3: resps3,
-			},
-		}
-		rec.httpClient = &httpCl
-		expectReconciled(t, rec, "operator-ns", pod.Name)
-
-		// Pod should have readiness gate condition set.
-		podSetReady(pod, cl)
-		expectEqual(t, fc, pod)
-		mustDeleteAll(t, fc, pod, svc, svc2, svc3)
-	})
-	// Proxies of 1.78 and earlier did not set the Pod IP header.
-	t.Run("pod_does_not_return_ip_header", func(t *testing.T) {
-		pod := podTemplate.DeepCopy()
-		pod.Name = "foo-bar"
-
-		svc, hep := newSvc("foo-bar", 9002)
-		mustCreateAll(t, fc, svc, pod)
-		// If a response does not contain Pod IP header, we assume that this is an earlier proxy version,
-		// readiness cannot be verified so the readiness gate is just set to true.
-		resps := unreadyResps("", 1)
-		httpCl := fakeHTTPClient{
-			t: t,
-			state: map[string][]fakeResponse{
-				hep: resps,
-			},
-		}
-		rec.httpClient = &httpCl
-		expectReconciled(t, rec, "operator-ns", pod.Name)
-
-		// Pod should have readiness gate condition set.
-		podSetReady(pod, cl)
-		expectEqual(t, fc, pod)
-		mustDeleteAll(t, fc, pod, svc)
-	})
-	t.Run("one_svc_one_backend_eventually_healthy_and_routable", func(t *testing.T) {
-		pod := podTemplate.DeepCopy()
-
-		svc, hep := newSvc("svc", 9002)
-		mustCreateAll(t, fc, svc, pod)
-		// If a response errors, it is probably because the Pod is not yet properly running, so retry.
-		resps := append(erroredResps(8), readyResps(podIP, 1)...)
-		httpCl := fakeHTTPClient{
-			t: t,
-			state: map[string][]fakeResponse{
-				hep: resps,
-			},
-		}
-		rec.httpClient = &httpCl
-		expectReconciled(t, rec, "operator-ns", pod.Name)
-
-		// Pod should have readiness gate condition set.
-		podSetReady(pod, cl)
-		expectEqual(t, fc, pod)
-		mustDeleteAll(t, fc, pod, svc)
-	})
-	t.Run("one_svc_one_backend_svc_does_not_have_health_port", func(t *testing.T) {
-		pod := podTemplate.DeepCopy()
-
-		// If a Service does not have health port set, we assume that it is not possible to determine Pod's
-		// readiness and set it to ready.
-		svc, _ := newSvc("svc", -1)
-		mustCreateAll(t, fc, svc, pod)
-		rec.httpClient = nil
-		expectReconciled(t, rec, "operator-ns", pod.Name)
-
-		// Pod should have readiness gate condition set.
-		podSetReady(pod, cl)
-		expectEqual(t, fc, pod)
-		mustDeleteAll(t, fc, pod, svc)
-	})
-	t.Run("error_setting_up_healthcheck", func(t *testing.T) {
-		pod := podTemplate.DeepCopy()
-		// This is not a realistic reason for error, but we are just testing the behaviour of a healthcheck
-		// lookup failing.
-		pod.Status.PodIPs = []corev1.PodIP{{IP: "not-an-ip"}}
-
-		svc, _ := newSvc("svc", 9002)
-		svc2, _ := newSvc("svc-2", 9002)
-		svc3, _ := newSvc("svc-3", 9002)
-		mustCreateAll(t, fc, svc, svc2, svc3, pod)
-		rec.httpClient = nil
-		expectError(t, rec, "operator-ns", pod.Name)
-
-		// Pod should not have readiness gate condition set.
-		expectEqual(t, fc, pod)
-		mustDeleteAll(t, fc, pod, svc, svc2, svc3)
-	})
-	t.Run("pod_does_not_have_an_ip_address", func(t *testing.T) {
-		pod := podTemplate.DeepCopy()
-		pod.Status.PodIPs = nil
-
-		svc, _ := newSvc("svc", 9002)
-		svc2, _ := newSvc("svc-2", 9002)
-		svc3, _ := newSvc("svc-3", 9002)
-		mustCreateAll(t, fc, svc, svc2, svc3, pod)
-		rec.httpClient = nil
-		expectRequeue(t, rec, "operator-ns", pod.Name)
-
-		// Pod should not have readiness gate condition set.
-		expectEqual(t, fc, pod)
-		mustDeleteAll(t, fc, pod, svc, svc2, svc3)
-	})
-}
-
-func readyResps(ip string, num int) (resps []fakeResponse) {
-	for range num {
-		resps = append(resps, fakeResponse{statusCode: 200, podIP: ip})
-	}
-	return resps
-}
-
-func unreadyResps(ip string, num int) (resps []fakeResponse) {
-	for range num {
-		resps = append(resps, fakeResponse{statusCode: 503, podIP: ip})
-	}
-	return resps
-}
-
-func erroredResps(num int) (resps []fakeResponse) {
-	for range num {
-		resps = append(resps, fakeResponse{err: errors.New("timeout")})
-	}
-	return resps
-}
-
-func newSvc(name string, port int32) (*corev1.Service, string) {
-	svc := &corev1.Service{
-		ObjectMeta: metav1.ObjectMeta{
-			Namespace: "operator-ns",
-			Name:      name,
-			Labels: map[string]string{
-				LabelManaged:    "true",
-				labelProxyGroup: "dev",
-				labelSvcType:    typeEgress,
-			},
-		},
-		Spec: corev1.ServiceSpec{},
-	}
-	if port != -1 {
-		svc.Spec.Ports = []corev1.ServicePort{
-			{
-				Name:       tsHealthCheckPortName,
-				Port:       port,
-				TargetPort: intstr.FromInt(9002),
-				Protocol:   "TCP",
-			},
-		}
-	}
-	return svc, fmt.Sprintf("http://%s.operator-ns.svc.cluster.local:%d/healthz", name, port)
-}
-
-func podSetReady(pod *corev1.Pod, cl *tstest.Clock) {
-	pod.Status.Conditions = append(pod.Status.Conditions, corev1.PodCondition{
-		Type:               tsEgressReadinessGate,
-		Status:             corev1.ConditionTrue,
-		LastTransitionTime: metav1.Time{Time: cl.Now().Truncate(time.Second)},
-	})
-}
-
-// fakeHTTPClient is a mock HTTP client with a preset map of request URLs to list of responses. When it receives a
-// request for a specific URL, it returns the preset response for that URL. It errors if an unexpected request is
-// received.
-type fakeHTTPClient struct {
-	t     *testing.T
-	mu    sync.Mutex // protects following
-	state map[string][]fakeResponse
-}
-
-func (f *fakeHTTPClient) Do(req *http.Request) (*http.Response, error) {
-	f.mu.Lock()
-	resps := f.state[req.URL.String()]
-	if len(resps) == 0 {
-		f.mu.Unlock()
-		log.Printf("\n\n\nURL %q\n\n\n", req.URL)
-		f.t.Fatalf("fakeHTTPClient received an unexpected request for %q", req.URL)
-	}
-	defer func() {
-		if len(resps) == 1 {
-			delete(f.state, req.URL.String())
-			f.mu.Unlock()
-			return
-		}
-		f.state[req.URL.String()] = f.state[req.URL.String()][1:]
-		f.mu.Unlock()
-	}()
-
-	resp := resps[0]
-	if resp.err != nil {
-		return nil, resp.err
-	}
-	r := http.Response{
-		StatusCode: resp.statusCode,
-		Header:     make(http.Header),
-		Body:       io.NopCloser(bytes.NewReader([]byte{})),
-	}
-	r.Header.Add(kubetypes.PodIPv4Header, resp.podIP)
-	return &r, nil
-}
-
-type fakeResponse struct {
-	err        error
-	statusCode int
-	podIP      string // for the Pod IP header
-}
--- a/cmd/k8s-operator/egress-services-readiness.go
+++ b/cmd/k8s-operator/egress-services-readiness.go
@@ -48,12 +48,11 @@ type egressSvcsReadinessReconciler struct {
 // service to determine how many replicas are currently able to route traffic.
 func (esrr *egressSvcsReadinessReconciler) Reconcile(ctx context.Context, req reconcile.Request) (res reconcile.Result, err error) {
 	l := esrr.logger.With("Service", req.NamespacedName)
-	l.Debugf("starting reconcile")
-	defer l.Debugf("reconcile finished")
+	defer l.Info("reconcile finished")

 	svc := new(corev1.Service)
 	if err = esrr.Get(ctx, req.NamespacedName, svc); apierrors.IsNotFound(err) {
-		l.Debugf("Service not found")
+		l.Info("Service not found")
 		return res, nil
 	} else if err != nil {
 		return res, fmt.Errorf("failed to get Service: %w", err)
@@ -128,16 +127,16 @@ func (esrr *egressSvcsReadinessReconciler) Reconcile(ctx context.Context, req re
 			return res, err
 		}
 		if pod == nil {
-			l.Warnf("[unexpected] ProxyGroup is ready, but replica %d was not found", i)
+			l.Infof("[unexpected] ProxyGroup is ready, but replica %d was not found", i)
 			reason, msg = reasonClusterResourcesNotReady, reasonClusterResourcesNotReady
 			return res, nil
 		}
-		l.Debugf("looking at Pod with IPs %v", pod.Status.PodIPs)
+		l.Infof("looking at Pod with IPs %v", pod.Status.PodIPs)
 		ready := false
 		for _, ep := range eps.Endpoints {
-			l.Debugf("looking at endpoint with addresses %v", ep.Addresses)
+			l.Infof("looking at endpoint with addresses %v", ep.Addresses)
 			if endpointReadyForPod(&ep, pod, l) {
-				l.Debugf("endpoint is ready for Pod")
+				l.Infof("endpoint is ready for Pod")
 				ready = true
 				break
 			}
@@ -166,7 +165,7 @@ func (esrr *egressSvcsReadinessReconciler) Reconcile(ctx context.Context, req re
 func endpointReadyForPod(ep *discoveryv1.Endpoint, pod *corev1.Pod, l *zap.SugaredLogger) bool {
 	podIP, err := podIPv4(pod)
 	if err != nil {
-		l.Warnf("[unexpected] error retrieving Pod's IPv4 address: %v", err)
+		l.Infof("[unexpected] error retrieving Pod's IPv4 address: %v", err)
 		return false
 	}
 	// Currently we only ever set a single address on and Endpoint and nothing else is meant to modify this.
--- a/cmd/k8s-operator/egress-services.go
+++ b/cmd/k8s-operator/egress-services.go
@@ -59,8 +59,6 @@ const (
 	maxPorts = 1000

 	indexEgressProxyGroup = ".metadata.annotations.egress-proxy-group"
-
-	tsHealthCheckPortName = "tailscale-health-check"
 )

 var gaugeEgressServices = clientmetric.NewGauge(kubetypes.MetricEgressServiceCount)
@@ -231,16 +229,15 @@ func (esr *egressSvcsReconciler) provision(ctx context.Context, proxyGroupName s
 		found := false
 		for _, wantsPM := range svc.Spec.Ports {
 			if wantsPM.Port == pm.Port && strings.EqualFold(string(wantsPM.Protocol), string(pm.Protocol)) {
-				// We want to both preserve the user set port names for ease of debugging, but also
-				// ensure that we name all unnamed ports as the ClusterIP Service that we create will
-				// always have at least two ports.
+				// We don't use the port name to distinguish this port internally, but Kubernetes
+				// require that, for Service ports with more than one name each port is uniquely named.
+				// So we can always pick the port name from the ExternalName Service as at this point we
+				// know that those are valid names because Kuberentes already validated it once. Note
+				// that users could have changed an unnamed port to a named port and might have changed
+				// port names- this should still work.
 				// https://kubernetes.io/docs/concepts/services-networking/service/#multi-port-services
 				// See also https://github.com/tailscale/tailscale/issues/13406#issuecomment-2507230388
-				if wantsPM.Name != "" {
-					clusterIPSvc.Spec.Ports[i].Name = wantsPM.Name
-				} else {
-					clusterIPSvc.Spec.Ports[i].Name = "tailscale-unnamed"
-				}
+				clusterIPSvc.Spec.Ports[i].Name = wantsPM.Name
 				found = true
 				break
 			}
@@ -255,12 +252,6 @@ func (esr *egressSvcsReconciler) provision(ctx context.Context, proxyGroupName s
 	// ClusterIP Service produce new target port and add a portmapping to
 	// the ClusterIP Service.
 	for _, wantsPM := range svc.Spec.Ports {
-		// Because we add a healthcheck port of our own, we will always have at least two ports. That
-		// means that we cannot have ports with name not set.
-		// https://kubernetes.io/docs/concepts/services-networking/service/#multi-port-services
-		if wantsPM.Name == "" {
-			wantsPM.Name = "tailscale-unnamed"
-		}
 		found := false
 		for _, gotPM := range clusterIPSvc.Spec.Ports {
 			if wantsPM.Port == gotPM.Port && strings.EqualFold(string(wantsPM.Protocol), string(gotPM.Protocol)) {
@@ -287,25 +278,6 @@ func (esr *egressSvcsReconciler) provision(ctx context.Context, proxyGroupName s
 			})
 		}
 	}
-	var healthCheckPort int32 = defaultLocalAddrPort
-
-	for {
-		if !slices.ContainsFunc(svc.Spec.Ports, func(p corev1.ServicePort) bool {
-			return p.Port == healthCheckPort
-		}) {
-			break
-		}
-		healthCheckPort++
-		if healthCheckPort > 10002 {
-			return nil, false, fmt.Errorf("unable to find a free port for internal health check in range [9002, 10002]")
-		}
-	}
-	clusterIPSvc.Spec.Ports = append(clusterIPSvc.Spec.Ports, corev1.ServicePort{
-		Name:       tsHealthCheckPortName,
-		Port:       healthCheckPort,
-		TargetPort: intstr.FromInt(defaultLocalAddrPort),
-		Protocol:   "TCP",
-	})
 	if !reflect.DeepEqual(clusterIPSvc, oldClusterIPSvc) {
 		if clusterIPSvc, err = createOrUpdate(ctx, esr.Client, esr.tsNamespace, clusterIPSvc, func(svc *corev1.Service) {
 			svc.Labels = clusterIPSvc.Labels
@@ -348,7 +320,7 @@ func (esr *egressSvcsReconciler) provision(ctx context.Context, proxyGroupName s
 	}
 	tailnetSvc := tailnetSvcName(svc)
 	gotCfg := (*cfgs)[tailnetSvc]
-	wantsCfg := egressSvcCfg(svc, clusterIPSvc, esr.tsNamespace, l)
+	wantsCfg := egressSvcCfg(svc, clusterIPSvc)
 	if !reflect.DeepEqual(gotCfg, wantsCfg) {
 		l.Debugf("updating egress services ConfigMap %s", cm.Name)
 		mak.Set(cfgs, tailnetSvc, wantsCfg)
@@ -532,8 +504,10 @@ func (esr *egressSvcsReconciler) validateClusterResources(ctx context.Context, s
 		return false, nil
 	}
 	if !tsoperator.ProxyGroupIsReady(pg) {
+		l.Infof("ProxyGroup %s is not ready, waiting...", proxyGroupName)
 		tsoperator.SetServiceCondition(svc, tsapi.EgressSvcValid, metav1.ConditionUnknown, reasonProxyGroupNotReady, reasonProxyGroupNotReady, esr.clock, l)
 		tsoperator.RemoveServiceCondition(svc, tsapi.EgressSvcConfigured)
+		return false, nil
 	}

 	l.Debugf("egress service is valid")
@@ -541,24 +515,6 @@ func (esr *egressSvcsReconciler) validateClusterResources(ctx context.Context, s
 	return true, nil
 }

-func egressSvcCfg(externalNameSvc, clusterIPSvc *corev1.Service, ns string, l *zap.SugaredLogger) egressservices.Config {
-	d := retrieveClusterDomain(ns, l)
-	tt := tailnetTargetFromSvc(externalNameSvc)
-	hep := healthCheckForSvc(clusterIPSvc, d)
-	cfg := egressservices.Config{
-		TailnetTarget:       tt,
-		HealthCheckEndpoint: hep,
-	}
-	for _, svcPort := range clusterIPSvc.Spec.Ports {
-		if svcPort.Name == tsHealthCheckPortName {
-			continue // exclude healthcheck from egress svcs configs
-		}
-		pm := portMap(svcPort)
-		mak.Set(&cfg.Ports, pm, struct{}{})
-	}
-	return cfg
-}
-
 func validateEgressService(svc *corev1.Service, pg *tsapi.ProxyGroup) []string {
 	violations := validateService(svc)

@@ -628,6 +584,16 @@ func tailnetTargetFromSvc(svc *corev1.Service) egressservices.TailnetTarget {
 	}
 }

+func egressSvcCfg(externalNameSvc, clusterIPSvc *corev1.Service) egressservices.Config {
+	tt := tailnetTargetFromSvc(externalNameSvc)
+	cfg := egressservices.Config{TailnetTarget: tt}
+	for _, svcPort := range clusterIPSvc.Spec.Ports {
+		pm := portMap(svcPort)
+		mak.Set(&cfg.Ports, pm, struct{}{})
+	}
+	return cfg
+}
+
 func portMap(p corev1.ServicePort) egressservices.PortMap {
 	// TODO (irbekrm): out of bounds check?
 	return egressservices.PortMap{Protocol: string(p.Protocol), MatchPort: uint16(p.TargetPort.IntVal), TargetPort: uint16(p.Port)}
@@ -652,11 +618,7 @@ func egressSvcsConfigs(ctx context.Context, cl client.Client, proxyGroupName, ts
 			Namespace: tsNamespace,
 		},
 	}
-	err = cl.Get(ctx, client.ObjectKeyFromObject(cm), cm)
-	if apierrors.IsNotFound(err) { // ProxyGroup resources have not been created (yet)
-		return nil, nil, nil
-	}
-	if err != nil {
+	if err := cl.Get(ctx, client.ObjectKeyFromObject(cm), cm); err != nil {
 		return nil, nil, fmt.Errorf("error retrieving egress services ConfigMap %s: %v", name, err)
 	}
 	cfgs = &egressservices.Configs{}
@@ -778,17 +740,3 @@ func (esr *egressSvcsReconciler) updateSvcSpec(ctx context.Context, svc *corev1.
 	svc.Status = *st
 	return err
 }
-
-// healthCheckForSvc return the URL of the containerboot's health check endpoint served by this Service or empty string.
-func healthCheckForSvc(svc *corev1.Service, clusterDomain string) string {
-	// This version of the operator always sets health check port on the egress Services. However, it is possible
-	// that this reconcile loops runs during a proxy upgrade from a version that did not set the health check port
-	// and parses a Service that does not have the port set yet.
-	i := slices.IndexFunc(svc.Spec.Ports, func(port corev1.ServicePort) bool {
-		return port.Name == tsHealthCheckPortName
-	})
-	if i == -1 {
-		return ""
-	}
-	return fmt.Sprintf("http://%s.%s.svc.%s:%d/healthz", svc.Name, svc.Namespace, clusterDomain, svc.Spec.Ports[i].Port)
-}
--- a/cmd/k8s-operator/egress-services_test.go
+++ b/cmd/k8s-operator/egress-services_test.go
@@ -18,7 +18,6 @@ import (
 	discoveryv1 "k8s.io/api/discovery/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
@@ -79,16 +78,42 @@ func TestTailscaleEgressServices(t *testing.T) {
 			Selector:     nil,
 			Ports: []corev1.ServicePort{
 				{
+					Name:     "http",
 					Protocol: "TCP",
 					Port:     80,
 				},
+				{
+					Name:     "https",
+					Protocol: "TCP",
+					Port:     443,
+				},
 			},
 		},
 	}

-	t.Run("service_one_unnamed_port", func(t *testing.T) {
+	t.Run("proxy_group_not_ready", func(t *testing.T) {
 		mustCreate(t, fc, svc)
 		expectReconciled(t, esr, "default", "test")
+		// Service should have EgressSvcValid condition set to Unknown.
+		svc.Status.Conditions = []metav1.Condition{condition(tsapi.EgressSvcValid, metav1.ConditionUnknown, reasonProxyGroupNotReady, reasonProxyGroupNotReady, clock)}
+		expectEqual(t, fc, svc)
+	})
+
+	t.Run("proxy_group_ready", func(t *testing.T) {
+		mustUpdateStatus(t, fc, "", "foo", func(pg *tsapi.ProxyGroup) {
+			pg.Status.Conditions = []metav1.Condition{
+				condition(tsapi.ProxyGroupReady, metav1.ConditionTrue, "", "", clock),
+			}
+		})
+		expectReconciled(t, esr, "default", "test")
+		validateReadyService(t, fc, esr, svc, clock, zl, cm)
+	})
+	t.Run("service_retain_one_unnamed_port", func(t *testing.T) {
+		svc.Spec.Ports = []corev1.ServicePort{{Protocol: "TCP", Port: 80}}
+		mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
+			s.Spec.Ports = svc.Spec.Ports
+		})
+		expectReconciled(t, esr, "default", "test")
 		validateReadyService(t, fc, esr, svc, clock, zl, cm)
 	})
 	t.Run("service_add_two_named_ports", func(t *testing.T) {
@@ -139,7 +164,7 @@ func validateReadyService(t *testing.T, fc client.WithWatch, esr *egressSvcsReco
 	// Verify that an EndpointSlice has been created.
 	expectEqual(t, fc, endpointSlice(name, svc, clusterSvc))
 	// Verify that ConfigMap contains configuration for the new egress service.
-	mustHaveConfigForSvc(t, fc, svc, clusterSvc, cm, zl)
+	mustHaveConfigForSvc(t, fc, svc, clusterSvc, cm)
 	r := svcConfiguredReason(svc, true, zl.Sugar())
 	// Verify that the user-created ExternalName Service has Configured set to true and ExternalName pointing to the
 	// CluterIP Service.
@@ -178,23 +203,6 @@ func findGenNameForEgressSvcResources(t *testing.T, client client.Client, svc *c

 func clusterIPSvc(name string, extNSvc *corev1.Service) *corev1.Service {
 	labels := egressSvcChildResourceLabels(extNSvc)
-	ports := make([]corev1.ServicePort, len(extNSvc.Spec.Ports))
-	for i, port := range extNSvc.Spec.Ports {
-		ports[i] = corev1.ServicePort{ // Copy the port to avoid modifying the original.
-			Name:     port.Name,
-			Port:     port.Port,
-			Protocol: port.Protocol,
-		}
-		if port.Name == "" {
-			ports[i].Name = "tailscale-unnamed"
-		}
-	}
-	ports = append(ports, corev1.ServicePort{
-		Name:       "tailscale-health-check",
-		Port:       9002,
-		TargetPort: intstr.FromInt(9002),
-		Protocol:   "TCP",
-	})
 	return &corev1.Service{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:         name,
@@ -204,7 +212,7 @@ func clusterIPSvc(name string, extNSvc *corev1.Service) *corev1.Service {
 		},
 		Spec: corev1.ServiceSpec{
 			Type:  corev1.ServiceTypeClusterIP,
-			Ports: ports,
+			Ports: extNSvc.Spec.Ports,
 		},
 	}
 }
@@ -249,9 +257,9 @@ func portsForEndpointSlice(svc *corev1.Service) []discoveryv1.EndpointPort {
 	return ports
 }

-func mustHaveConfigForSvc(t *testing.T, cl client.Client, extNSvc, clusterIPSvc *corev1.Service, cm *corev1.ConfigMap, l *zap.Logger) {
+func mustHaveConfigForSvc(t *testing.T, cl client.Client, extNSvc, clusterIPSvc *corev1.Service, cm *corev1.ConfigMap) {
 	t.Helper()
-	wantsCfg := egressSvcCfg(extNSvc, clusterIPSvc, clusterIPSvc.Namespace, l.Sugar())
+	wantsCfg := egressSvcCfg(extNSvc, clusterIPSvc)
 	if err := cl.Get(context.Background(), client.ObjectKeyFromObject(cm), cm); err != nil {
 		t.Fatalf("Error retrieving ConfigMap: %v", err)
 	}
--- a/cmd/k8s-operator/operator.go
+++ b/cmd/k8s-operator/operator.go
@@ -9,7 +9,6 @@ package main

 import (
 	"context"
-	"net/http"
 	"os"
 	"regexp"
 	"strconv"
@@ -331,6 +330,28 @@ func runReconcilers(opts reconcilerOpts) {
 	if err != nil {
 		startlog.Fatalf("could not create ingress reconciler: %v", err)
 	}
+	lc, err := opts.tsServer.LocalClient()
+	if err != nil {
+		startlog.Fatalf("could not get local client: %v", err)
+	}
+	err = builder.
+		ControllerManagedBy(mgr).
+		For(&networkingv1.Ingress{}).
+		Named("ingress-pg-reconciler").
+		Watches(&corev1.Service{}, handler.EnqueueRequestsFromMapFunc(serviceHandlerForIngressPG(mgr.GetClient(), startlog))).
+		Complete(&IngressPGReconciler{
+			recorder:    eventRecorder,
+			tsClient:    opts.tsClient,
+			tsnetServer: opts.tsServer,
+			defaultTags: strings.Split(opts.proxyTags, ","),
+			Client:      mgr.GetClient(),
+			logger:      opts.log.Named("ingress-pg-reconciler"),
+			lc:          lc,
+			tsNamespace: opts.tailscaleNamespace,
+		})
+	if err != nil {
+		startlog.Fatalf("could not create ingress-pg-reconciler: %v", err)
+	}

 	connectorFilter := handler.EnqueueRequestsFromMapFunc(managedResourceHandlerForType("connector"))
 	// If a ProxyClassChanges, enqueue all Connectors that have
@@ -432,24 +453,6 @@ func runReconcilers(opts reconcilerOpts) {
 		startlog.Fatalf("could not create egress EndpointSlices reconciler: %v", err)
 	}

-	podsForEps := handler.EnqueueRequestsFromMapFunc(podsFromEgressEps(mgr.GetClient(), opts.log, opts.tailscaleNamespace))
-	podsER := handler.EnqueueRequestsFromMapFunc(egressPodsHandler)
-	err = builder.
-		ControllerManagedBy(mgr).
-		Named("egress-pods-readiness-reconciler").
-		Watches(&discoveryv1.EndpointSlice{}, podsForEps).
-		Watches(&corev1.Pod{}, podsER).
-		Complete(&egressPodsReconciler{
-			Client:      mgr.GetClient(),
-			tsNamespace: opts.tailscaleNamespace,
-			clock:       tstime.DefaultClock{},
-			logger:      opts.log.Named("egress-pods-readiness-reconciler"),
-			httpClient:  http.DefaultClient,
-		})
-	if err != nil {
-		startlog.Fatalf("could not create egress Pods readiness reconciler: %v", err)
-	}
-
 	// ProxyClass reconciler gets triggered on ServiceMonitor CRD changes to ensure that any ProxyClasses, that
 	// define that a ServiceMonitor should be created, were set to invalid because the CRD did not exist get
 	// reconciled if the CRD is applied at a later point.
@@ -774,7 +777,7 @@ func proxyClassHandlerForConnector(cl client.Client, logger *zap.SugaredLogger)
 	}
 }

-// proxyClassHandlerForProxyGroup returns a handler that, for a given ProxyClass,
+// proxyClassHandlerForConnector returns a handler that, for a given ProxyClass,
 // returns a list of reconcile requests for all Connectors that have
 // .spec.proxyClass set.
 func proxyClassHandlerForProxyGroup(cl client.Client, logger *zap.SugaredLogger) handler.MapFunc {
@@ -903,20 +906,6 @@ func egressEpsHandler(_ context.Context, o client.Object) []reconcile.Request {
 	}
 }

-func egressPodsHandler(_ context.Context, o client.Object) []reconcile.Request {
-	if typ := o.GetLabels()[LabelParentType]; typ != proxyTypeProxyGroup {
-		return nil
-	}
-	return []reconcile.Request{
-		{
-			NamespacedName: types.NamespacedName{
-				Namespace: o.GetNamespace(),
-				Name:      o.GetName(),
-			},
-		},
-	}
-}
-
 // egressEpsFromEgressPods returns a Pod event handler that checks if Pod is a replica for a ProxyGroup and if it is,
 // returns reconciler requests for all egress EndpointSlices for that ProxyGroup.
 func egressEpsFromPGPods(cl client.Client, ns string) handler.MapFunc {
@@ -1009,7 +998,7 @@ func reconcileRequestsForPG(pg string, cl client.Client, ns string) []reconcile.
 // egressSvcsFromEgressProxyGroup is an event handler for egress ProxyGroups. It returns reconcile requests for all
 // user-created ExternalName Services that should be exposed on this ProxyGroup.
 func egressSvcsFromEgressProxyGroup(cl client.Client, logger *zap.SugaredLogger) handler.MapFunc {
-	return func(ctx context.Context, o client.Object) []reconcile.Request {
+	return func(_ context.Context, o client.Object) []reconcile.Request {
 		pg, ok := o.(*tsapi.ProxyGroup)
 		if !ok {
 			logger.Infof("[unexpected] ProxyGroup handler triggered for an object that is not a ProxyGroup")
@@ -1019,7 +1008,7 @@ func egressSvcsFromEgressProxyGroup(cl client.Client, logger *zap.SugaredLogger)
 			return nil
 		}
 		svcList := &corev1.ServiceList{}
-		if err := cl.List(ctx, svcList, client.MatchingFields{indexEgressProxyGroup: pg.Name}); err != nil {
+		if err := cl.List(context.Background(), svcList, client.MatchingFields{indexEgressProxyGroup: pg.Name}); err != nil {
 			logger.Infof("error listing Services: %v, skipping a reconcile for event on ProxyGroup %s", err, pg.Name)
 			return nil
 		}
@@ -1039,7 +1028,7 @@ func egressSvcsFromEgressProxyGroup(cl client.Client, logger *zap.SugaredLogger)
 // epsFromExternalNameService is an event handler for ExternalName Services that define a Tailscale egress service that
 // should be exposed on a ProxyGroup. It returns reconcile requests for EndpointSlices created for this Service.
 func epsFromExternalNameService(cl client.Client, logger *zap.SugaredLogger, ns string) handler.MapFunc {
-	return func(ctx context.Context, o client.Object) []reconcile.Request {
+	return func(_ context.Context, o client.Object) []reconcile.Request {
 		svc, ok := o.(*corev1.Service)
 		if !ok {
 			logger.Infof("[unexpected] Service handler triggered for an object that is not a Service")
@@ -1049,7 +1038,7 @@ func epsFromExternalNameService(cl client.Client, logger *zap.SugaredLogger, ns
 			return nil
 		}
 		epsList := &discoveryv1.EndpointSliceList{}
-		if err := cl.List(ctx, epsList, client.InNamespace(ns),
+		if err := cl.List(context.Background(), epsList, client.InNamespace(ns),
 			client.MatchingLabels(egressSvcChildResourceLabels(svc))); err != nil {
 			logger.Infof("error listing EndpointSlices: %v, skipping a reconcile for event on Service %s", err, svc.Name)
 			return nil
@@ -1067,43 +1056,6 @@ func epsFromExternalNameService(cl client.Client, logger *zap.SugaredLogger, ns
 	}
 }

-func podsFromEgressEps(cl client.Client, logger *zap.SugaredLogger, ns string) handler.MapFunc {
-	return func(ctx context.Context, o client.Object) []reconcile.Request {
-		eps, ok := o.(*discoveryv1.EndpointSlice)
-		if !ok {
-			logger.Infof("[unexpected] EndpointSlice handler triggered for an object that is not a EndpointSlice")
-			return nil
-		}
-		if eps.Labels[labelProxyGroup] == "" {
-			return nil
-		}
-		if eps.Labels[labelSvcType] != "egress" {
-			return nil
-		}
-		podLabels := map[string]string{
-			LabelManaged:    "true",
-			LabelParentType: "proxygroup",
-			LabelParentName: eps.Labels[labelProxyGroup],
-		}
-		podList := &corev1.PodList{}
-		if err := cl.List(ctx, podList, client.InNamespace(ns),
-			client.MatchingLabels(podLabels)); err != nil {
-			logger.Infof("error listing EndpointSlices: %v, skipping a reconcile for event on EndpointSlice %s", err, eps.Name)
-			return nil
-		}
-		reqs := make([]reconcile.Request, 0)
-		for _, pod := range podList.Items {
-			reqs = append(reqs, reconcile.Request{
-				NamespacedName: types.NamespacedName{
-					Namespace: pod.Namespace,
-					Name:      pod.Name,
-				},
-			})
-		}
-		return reqs
-	}
-}
-
 // proxyClassesWithServiceMonitor returns an event handler that, given that the event is for the Prometheus
 // ServiceMonitor CRD, returns all ProxyClasses that define that a ServiceMonitor should be created.
 func proxyClassesWithServiceMonitor(cl client.Client, logger *zap.SugaredLogger) handler.MapFunc {
@@ -1156,6 +1108,42 @@ func indexEgressServices(o client.Object) []string {
 	return []string{o.GetAnnotations()[AnnotationProxyGroup]}
 }

+// serviceHandlerForIngressPG returns a handler for Service events that ensures that if the Service
+// associated with an event is a backend Service for a tailscale Ingress with ProxyGroup annotation,
+// the associated Ingress gets reconciled.
+func serviceHandlerForIngressPG(cl client.Client, logger *zap.SugaredLogger) handler.MapFunc {
+	return func(ctx context.Context, o client.Object) []reconcile.Request {
+		ingList := networkingv1.IngressList{}
+		if err := cl.List(ctx, &ingList, client.InNamespace(o.GetNamespace())); err != nil {
+			logger.Debugf("error listing Ingresses: %v", err)
+			return nil
+		}
+		reqs := make([]reconcile.Request, 0)
+		for _, ing := range ingList.Items {
+			if ing.Spec.IngressClassName == nil || *ing.Spec.IngressClassName != tailscaleIngressClassName {
+				continue
+			}
+			if !hasProxyGroupAnnotation(&ing) {
+				continue
+			}
+			if ing.Spec.DefaultBackend != nil && ing.Spec.DefaultBackend.Service != nil && ing.Spec.DefaultBackend.Service.Name == o.GetName() {
+				reqs = append(reqs, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(&ing)})
+			}
+			for _, rule := range ing.Spec.Rules {
+				if rule.HTTP == nil {
+					continue
+				}
+				for _, path := range rule.HTTP.Paths {
+					if path.Backend.Service != nil && path.Backend.Service.Name == o.GetName() {
+						reqs = append(reqs, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(&ing)})
+					}
+				}
+			}
+		}
+		return reqs
+	}
+}
+
 func hasProxyGroupAnnotation(obj client.Object) bool {
 	ing := obj.(*networkingv1.Ingress)
 	return ing.Annotations[AnnotationProxyGroup] != ""
--- a/cmd/k8s-operator/operator_test.go
+++ b/cmd/k8s-operator/operator_test.go
@@ -1339,6 +1339,71 @@ func TestProxyFirewallMode(t *testing.T) {
 	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation, removeResourceReqs)
 }

+func TestTailscaledConfigfileHash(t *testing.T) {
+	fc := fake.NewFakeClient()
+	ft := &fakeTSClient{}
+	zl, err := zap.NewDevelopment()
+	if err != nil {
+		t.Fatal(err)
+	}
+	clock := tstest.NewClock(tstest.ClockOpts{})
+	sr := &ServiceReconciler{
+		Client: fc,
+		ssr: &tailscaleSTSReconciler{
+			Client:            fc,
+			tsClient:          ft,
+			defaultTags:       []string{"tag:k8s"},
+			operatorNamespace: "operator-ns",
+			proxyImage:        "tailscale/tailscale",
+		},
+		logger:                zl.Sugar(),
+		clock:                 clock,
+		isDefaultLoadBalancer: true,
+	}
+
+	// Create a service that we should manage, and check that the initial round
+	// of objects looks right.
+	mustCreate(t, fc, &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "10.20.30.40",
+			Type:      corev1.ServiceTypeLoadBalancer,
+		},
+	})
+
+	expectReconciled(t, sr, "default", "test")
+	expectReconciled(t, sr, "default", "test")
+
+	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
+	o := configOpts{
+		stsName:         shortName,
+		secretName:      fullName,
+		namespace:       "default",
+		parentType:      "svc",
+		hostname:        "default-test",
+		clusterTargetIP: "10.20.30.40",
+		confFileHash:    "848bff4b5ba83ac999e6984c8464e597156daba961ae045e7dbaef606d54ab5e",
+		app:             kubetypes.AppIngressProxy,
+	}
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeResourceReqs)
+
+	// 2. Hostname gets changed, configfile is updated and a new hash value
+	// is produced.
+	mustUpdate(t, fc, "default", "test", func(svc *corev1.Service) {
+		mak.Set(&svc.Annotations, AnnotationHostname, "another-test")
+	})
+	o.hostname = "another-test"
+	o.confFileHash = "d4cc13f09f55f4f6775689004f9a466723325b84d2b590692796bfe22aeaa389"
+	expectReconciled(t, sr, "default", "test")
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeResourceReqs)
+}
 func Test_isMagicDNSName(t *testing.T) {
 	tests := []struct {
 		in   string
--- a/cmd/k8s-operator/proxygroup.go
+++ b/cmd/k8s-operator/proxygroup.go
@@ -32,7 +32,6 @@ import (
 	"tailscale.com/ipn"
 	tsoperator "tailscale.com/k8s-operator"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
-	"tailscale.com/kube/egressservices"
 	"tailscale.com/kube/kubetypes"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tstime"
@@ -167,7 +166,6 @@ func (r *ProxyGroupReconciler) Reconcile(ctx context.Context, req reconcile.Requ
 			r.recorder.Eventf(pg, corev1.EventTypeWarning, reasonProxyGroupCreationFailed, err.Error())
 			return setStatusReady(pg, metav1.ConditionFalse, reasonProxyGroupCreationFailed, err.Error())
 		}
-		validateProxyClassForPG(logger, pg, proxyClass)
 		if !tsoperator.ProxyClassIsReady(proxyClass) {
 			message := fmt.Sprintf("the ProxyGroup's ProxyClass %s is not yet in a ready state, waiting...", proxyClassName)
 			logger.Info(message)
@@ -206,31 +204,6 @@ func (r *ProxyGroupReconciler) Reconcile(ctx context.Context, req reconcile.Requ
 	return setStatusReady(pg, metav1.ConditionTrue, reasonProxyGroupReady, reasonProxyGroupReady)
 }

-// validateProxyClassForPG applies custom validation logic for ProxyClass applied to ProxyGroup.
-func validateProxyClassForPG(logger *zap.SugaredLogger, pg *tsapi.ProxyGroup, pc *tsapi.ProxyClass) {
-	if pg.Spec.Type == tsapi.ProxyGroupTypeIngress {
-		return
-	}
-	// Our custom logic for ensuring minimum downtime ProxyGroup update rollouts relies on the local health check
-	// beig accessible on the replica Pod IP:9002. This address can also be modified by users, via
-	// TS_LOCAL_ADDR_PORT env var.
-	//
-	// Currently TS_LOCAL_ADDR_PORT controls Pod's health check and metrics address. _Probably_ there is no need for
-	// users to set this to a custom value. Users who want to consume metrics, should integrate with the metrics
-	// Service and/or ServiceMonitor, rather than Pods directly. The health check is likely not useful to integrate
-	// directly with for operator proxies (and we should aim for unified lifecycle logic in the operator, users
-	// shouldn't need to set their own).
-	//
-	// TODO(irbekrm): maybe disallow configuring this env var in future (in Tailscale 1.84 or later).
-	if hasLocalAddrPortSet(pc) {
-		msg := fmt.Sprintf("ProxyClass %s applied to an egress ProxyGroup has TS_LOCAL_ADDR_PORT env var set to a custom value."+
-			"This will disable the ProxyGroup graceful failover mechanism, so you might experience downtime when ProxyGroup pods are restarted."+
-			"In future we will remove the ability to set custom TS_LOCAL_ADDR_PORT for egress ProxyGroups."+
-			"Please raise an issue if you expect that this will cause issues for your workflow.", pc.Name)
-		logger.Warn(msg)
-	}
-}
-
 func (r *ProxyGroupReconciler) maybeProvision(ctx context.Context, pg *tsapi.ProxyGroup, proxyClass *tsapi.ProxyClass) error {
 	logger := r.logger(pg.Name)
 	r.mu.Lock()
@@ -280,11 +253,10 @@ func (r *ProxyGroupReconciler) maybeProvision(ctx context.Context, pg *tsapi.Pro
 		return fmt.Errorf("error provisioning RoleBinding: %w", err)
 	}
 	if pg.Spec.Type == tsapi.ProxyGroupTypeEgress {
-		cm, hp := pgEgressCM(pg, r.tsNamespace)
+		cm := pgEgressCM(pg, r.tsNamespace)
 		if _, err := createOrUpdate(ctx, r.Client, r.tsNamespace, cm, func(existing *corev1.ConfigMap) {
 			existing.ObjectMeta.Labels = cm.ObjectMeta.Labels
 			existing.ObjectMeta.OwnerReferences = cm.ObjectMeta.OwnerReferences
-			mak.Set(&existing.BinaryData, egressservices.KeyHEPPings, hp)
 		}); err != nil {
 			return fmt.Errorf("error provisioning egress ConfigMap %q: %w", cm.Name, err)
 		}
@@ -298,7 +270,7 @@ func (r *ProxyGroupReconciler) maybeProvision(ctx context.Context, pg *tsapi.Pro
 			return fmt.Errorf("error provisioning ingress ConfigMap %q: %w", cm.Name, err)
 		}
 	}
-	ss, err := pgStatefulSet(pg, r.tsNamespace, r.proxyImage, r.tsFirewallMode, proxyClass)
+	ss, err := pgStatefulSet(pg, r.tsNamespace, r.proxyImage, r.tsFirewallMode)
 	if err != nil {
 		return fmt.Errorf("error generating StatefulSet spec: %w", err)
 	}
--- a/cmd/k8s-operator/proxygroup_specs.go
+++ b/cmd/k8s-operator/proxygroup_specs.go
@@ -7,14 +7,11 @@ package main

 import (
 	"fmt"
-	"slices"
-	"strconv"

 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"sigs.k8s.io/yaml"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/kube/egressservices"
@@ -22,12 +19,9 @@ import (
 	"tailscale.com/types/ptr"
 )

-// deletionGracePeriodSeconds is set to 6 minutes to ensure that the pre-stop hook of these proxies have enough chance to terminate gracefully.
-const deletionGracePeriodSeconds int64 = 360
-
 // Returns the base StatefulSet definition for a ProxyGroup. A ProxyClass may be
 // applied over the top after.
-func pgStatefulSet(pg *tsapi.ProxyGroup, namespace, image, tsFirewallMode string, proxyClass *tsapi.ProxyClass) (*appsv1.StatefulSet, error) {
+func pgStatefulSet(pg *tsapi.ProxyGroup, namespace, image, tsFirewallMode string) (*appsv1.StatefulSet, error) {
 	ss := new(appsv1.StatefulSet)
 	if err := yaml.Unmarshal(proxyYaml, &ss); err != nil {
 		return nil, fmt.Errorf("failed to unmarshal proxy spec: %w", err)
@@ -151,25 +145,15 @@ func pgStatefulSet(pg *tsapi.ProxyGroup, namespace, image, tsFirewallMode string
 		}

 		if pg.Spec.Type == tsapi.ProxyGroupTypeEgress {
-			envs = append(envs,
-				// TODO(irbekrm): in 1.80 we deprecated TS_EGRESS_SERVICES_CONFIG_PATH in favour of
-				// TS_EGRESS_PROXIES_CONFIG_PATH. Remove it in 1.84.
-				corev1.EnvVar{
-					Name:  "TS_EGRESS_SERVICES_CONFIG_PATH",
-					Value: fmt.Sprintf("/etc/proxies/%s", egressservices.KeyEgressServices),
-				},
-				corev1.EnvVar{
-					Name:  "TS_EGRESS_PROXIES_CONFIG_PATH",
-					Value: "/etc/proxies",
-				},
+			envs = append(envs, corev1.EnvVar{
+				Name:  "TS_EGRESS_SERVICES_CONFIG_PATH",
+				Value: fmt.Sprintf("/etc/proxies/%s", egressservices.KeyEgressServices),
+			},
 				corev1.EnvVar{
 					Name:  "TS_INTERNAL_APP",
 					Value: kubetypes.AppProxyGroupEgress,
 				},
-				corev1.EnvVar{
-					Name:  "TS_ENABLE_HEALTH_CHECK",
-					Value: "true",
-				})
+			)
 		} else { // ingress
 			envs = append(envs, corev1.EnvVar{
 				Name:  "TS_INTERNAL_APP",
@@ -183,25 +167,6 @@ func pgStatefulSet(pg *tsapi.ProxyGroup, namespace, image, tsFirewallMode string
 		return append(c.Env, envs...)
 	}()

-	// The pre-stop hook is used to ensure that a replica does not get terminated while cluster traffic for egress
-	// services is still being routed to it.
-	//
-	// This mechanism currently (2025-01-26) rely on the local health check being accessible on the Pod's
-	// IP, so they are not supported for ProxyGroups where users have configured TS_LOCAL_ADDR_PORT to a custom
-	// value.
-	if pg.Spec.Type == tsapi.ProxyGroupTypeEgress && !hasLocalAddrPortSet(proxyClass) {
-		c.Lifecycle = &corev1.Lifecycle{
-			PreStop: &corev1.LifecycleHandler{
-				HTTPGet: &corev1.HTTPGetAction{
-					Path: kubetypes.EgessServicesPreshutdownEP,
-					Port: intstr.FromInt(defaultLocalAddrPort),
-				},
-			},
-		}
-		// Set the deletion grace period to 6 minutes to ensure that the pre-stop hook has enough time to terminate
-		// gracefully.
-		ss.Spec.Template.DeletionGracePeriodSeconds = ptr.To(deletionGracePeriodSeconds)
-	}
 	return ss, nil
 }

@@ -293,9 +258,7 @@ func pgStateSecrets(pg *tsapi.ProxyGroup, namespace string) (secrets []*corev1.S
 	return secrets
 }

-func pgEgressCM(pg *tsapi.ProxyGroup, namespace string) (*corev1.ConfigMap, []byte) {
-	hp := hepPings(pg)
-	hpBs := []byte(strconv.Itoa(hp))
+func pgEgressCM(pg *tsapi.ProxyGroup, namespace string) *corev1.ConfigMap {
 	return &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:            pgEgressCMName(pg.Name),
@@ -303,10 +266,8 @@ func pgEgressCM(pg *tsapi.ProxyGroup, namespace string) (*corev1.ConfigMap, []by
 			Labels:          pgLabels(pg.Name, nil),
 			OwnerReferences: pgOwnerReference(pg),
 		},
-		BinaryData: map[string][]byte{egressservices.KeyHEPPings: hpBs},
-	}, hpBs
+	}
 }
-
 func pgIngressCM(pg *tsapi.ProxyGroup, namespace string) *corev1.ConfigMap {
 	return &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
@@ -352,23 +313,3 @@ func pgReplicas(pg *tsapi.ProxyGroup) int32 {
 func pgEgressCMName(pg string) string {
 	return fmt.Sprintf("%s-egress-config", pg)
 }
-
-// hasLocalAddrPortSet returns true if the proxyclass has the TS_LOCAL_ADDR_PORT env var set. For egress ProxyGroups,
-// currently (2025-01-26) this means that the ProxyGroup does not support graceful failover.
-func hasLocalAddrPortSet(proxyClass *tsapi.ProxyClass) bool {
-	if proxyClass == nil || proxyClass.Spec.StatefulSet == nil || proxyClass.Spec.StatefulSet.Pod == nil || proxyClass.Spec.StatefulSet.Pod.TailscaleContainer == nil {
-		return false
-	}
-	return slices.ContainsFunc(proxyClass.Spec.StatefulSet.Pod.TailscaleContainer.Env, func(env tsapi.Env) bool {
-		return env.Name == envVarTSLocalAddrPort
-	})
-}
-
-// hepPings returns the number of times a health check endpoint exposed by a Service fronting ProxyGroup replicas should
-// be pinged to ensure that all currently configured backend replicas are hit.
-func hepPings(pg *tsapi.ProxyGroup) int {
-	rc := pgReplicas(pg)
-	// Assuming a Service implemented using round robin load balancing, number-of-replica-times should be enough, but in
-	// practice, we cannot assume that the requests will be load balanced perfectly.
-	return int(rc) * 3
-}
--- a/cmd/k8s-operator/proxygroup_test.go
+++ b/cmd/k8s-operator/proxygroup_test.go
@@ -19,13 +19,13 @@ import (
 	rbacv1 "k8s.io/api/rbac/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"tailscale.com/client/tailscale"
 	tsoperator "tailscale.com/k8s-operator"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
+	"tailscale.com/kube/egressservices"
 	"tailscale.com/kube/kubetypes"
 	"tailscale.com/tstest"
 	"tailscale.com/types/ptr"
@@ -97,7 +97,7 @@ func TestProxyGroup(t *testing.T) {

 		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionFalse, reasonProxyGroupCreating, "the ProxyGroup's ProxyClass default-pc is not yet in a ready state, waiting...", 0, cl, zl.Sugar())
 		expectEqual(t, fc, pg)
-		expectProxyGroupResources(t, fc, pg, false, "", pc)
+		expectProxyGroupResources(t, fc, pg, false, "")
 	})

 	t.Run("observe_ProxyGroupCreating_status_reason", func(t *testing.T) {
@@ -118,11 +118,11 @@ func TestProxyGroup(t *testing.T) {

 		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionFalse, reasonProxyGroupCreating, "0/2 ProxyGroup pods running", 0, cl, zl.Sugar())
 		expectEqual(t, fc, pg)
-		expectProxyGroupResources(t, fc, pg, true, "", pc)
+		expectProxyGroupResources(t, fc, pg, true, "")
 		if expected := 1; reconciler.egressProxyGroups.Len() != expected {
 			t.Fatalf("expected %d egress ProxyGroups, got %d", expected, reconciler.egressProxyGroups.Len())
 		}
-		expectProxyGroupResources(t, fc, pg, true, "", pc)
+		expectProxyGroupResources(t, fc, pg, true, "")
 		keyReq := tailscale.KeyCapabilities{
 			Devices: tailscale.KeyDeviceCapabilities{
 				Create: tailscale.KeyDeviceCreateCapabilities{
@@ -154,7 +154,7 @@ func TestProxyGroup(t *testing.T) {
 		}
 		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionTrue, reasonProxyGroupReady, reasonProxyGroupReady, 0, cl, zl.Sugar())
 		expectEqual(t, fc, pg)
-		expectProxyGroupResources(t, fc, pg, true, initialCfgHash, pc)
+		expectProxyGroupResources(t, fc, pg, true, initialCfgHash)
 	})

 	t.Run("scale_up_to_3", func(t *testing.T) {
@@ -165,7 +165,7 @@ func TestProxyGroup(t *testing.T) {
 		expectReconciled(t, reconciler, "", pg.Name)
 		tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupReady, metav1.ConditionFalse, reasonProxyGroupCreating, "2/3 ProxyGroup pods running", 0, cl, zl.Sugar())
 		expectEqual(t, fc, pg)
-		expectProxyGroupResources(t, fc, pg, true, initialCfgHash, pc)
+		expectProxyGroupResources(t, fc, pg, true, initialCfgHash)

 		addNodeIDToStateSecrets(t, fc, pg)
 		expectReconciled(t, reconciler, "", pg.Name)
@@ -175,7 +175,7 @@ func TestProxyGroup(t *testing.T) {
 			TailnetIPs: []string{"1.2.3.4", "::1"},
 		})
 		expectEqual(t, fc, pg)
-		expectProxyGroupResources(t, fc, pg, true, initialCfgHash, pc)
+		expectProxyGroupResources(t, fc, pg, true, initialCfgHash)
 	})

 	t.Run("scale_down_to_1", func(t *testing.T) {
@@ -188,7 +188,7 @@ func TestProxyGroup(t *testing.T) {

 		pg.Status.Devices = pg.Status.Devices[:1] // truncate to only the first device.
 		expectEqual(t, fc, pg)
-		expectProxyGroupResources(t, fc, pg, true, initialCfgHash, pc)
+		expectProxyGroupResources(t, fc, pg, true, initialCfgHash)
 	})

 	t.Run("trigger_config_change_and_observe_new_config_hash", func(t *testing.T) {
@@ -202,7 +202,7 @@ func TestProxyGroup(t *testing.T) {
 		expectReconciled(t, reconciler, "", pg.Name)

 		expectEqual(t, fc, pg)
-		expectProxyGroupResources(t, fc, pg, true, "518a86e9fae64f270f8e0ec2a2ea6ca06c10f725035d3d6caca132cd61e42a74", pc)
+		expectProxyGroupResources(t, fc, pg, true, "518a86e9fae64f270f8e0ec2a2ea6ca06c10f725035d3d6caca132cd61e42a74")
 	})

 	t.Run("enable_metrics", func(t *testing.T) {
@@ -246,29 +246,12 @@ func TestProxyGroup(t *testing.T) {
 		// The fake client does not clean up objects whose owner has been
 		// deleted, so we can't test for the owned resources getting deleted.
 	})
-
 }

 func TestProxyGroupTypes(t *testing.T) {
-	pc := &tsapi.ProxyClass{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:       "test",
-			Generation: 1,
-		},
-		Spec: tsapi.ProxyClassSpec{},
-	}
 	fc := fake.NewClientBuilder().
 		WithScheme(tsapi.GlobalScheme).
-		WithObjects(pc).
-		WithStatusSubresource(pc).
 		Build()
-	mustUpdateStatus(t, fc, "", pc.Name, func(p *tsapi.ProxyClass) {
-		p.Status.Conditions = []metav1.Condition{{
-			Type:               string(tsapi.ProxyClassReady),
-			Status:             metav1.ConditionTrue,
-			ObservedGeneration: 1,
-		}}
-	})

 	zl, _ := zap.NewDevelopment()
 	reconciler := &ProxyGroupReconciler{
@@ -291,7 +274,9 @@ func TestProxyGroupTypes(t *testing.T) {
 				Replicas: ptr.To[int32](0),
 			},
 		}
-		mustCreate(t, fc, pg)
+		if err := fc.Create(context.Background(), pg); err != nil {
+			t.Fatal(err)
+		}

 		expectReconciled(t, reconciler, "", pg.Name)
 		verifyProxyGroupCounts(t, reconciler, 0, 1)
@@ -301,8 +286,7 @@ func TestProxyGroupTypes(t *testing.T) {
 			t.Fatalf("failed to get StatefulSet: %v", err)
 		}
 		verifyEnvVar(t, sts, "TS_INTERNAL_APP", kubetypes.AppProxyGroupEgress)
-		verifyEnvVar(t, sts, "TS_EGRESS_PROXIES_CONFIG_PATH", "/etc/proxies")
-		verifyEnvVar(t, sts, "TS_ENABLE_HEALTH_CHECK", "true")
+		verifyEnvVar(t, sts, "TS_EGRESS_SERVICES_CONFIG_PATH", fmt.Sprintf("/etc/proxies/%s", egressservices.KeyEgressServices))

 		// Verify that egress configuration has been set up.
 		cm := &corev1.ConfigMap{}
@@ -339,57 +323,6 @@ func TestProxyGroupTypes(t *testing.T) {
 		if diff := cmp.Diff(expectedVolumeMounts, sts.Spec.Template.Spec.Containers[0].VolumeMounts); diff != "" {
 			t.Errorf("unexpected volume mounts (-want +got):\n%s", diff)
 		}
-
-		expectedLifecycle := corev1.Lifecycle{
-			PreStop: &corev1.LifecycleHandler{
-				HTTPGet: &corev1.HTTPGetAction{
-					Path: kubetypes.EgessServicesPreshutdownEP,
-					Port: intstr.FromInt(defaultLocalAddrPort),
-				},
-			},
-		}
-		if diff := cmp.Diff(expectedLifecycle, *sts.Spec.Template.Spec.Containers[0].Lifecycle); diff != "" {
-			t.Errorf("unexpected lifecycle (-want +got):\n%s", diff)
-		}
-		if *sts.Spec.Template.DeletionGracePeriodSeconds != deletionGracePeriodSeconds {
-			t.Errorf("unexpected deletion grace period seconds %d, want %d", *sts.Spec.Template.DeletionGracePeriodSeconds, deletionGracePeriodSeconds)
-		}
-	})
-	t.Run("egress_type_no_lifecycle_hook_when_local_addr_port_set", func(t *testing.T) {
-		pg := &tsapi.ProxyGroup{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: "test-egress-no-lifecycle",
-				UID:  "test-egress-no-lifecycle-uid",
-			},
-			Spec: tsapi.ProxyGroupSpec{
-				Type:       tsapi.ProxyGroupTypeEgress,
-				Replicas:   ptr.To[int32](0),
-				ProxyClass: "test",
-			},
-		}
-		mustCreate(t, fc, pg)
-		mustUpdate(t, fc, "", pc.Name, func(p *tsapi.ProxyClass) {
-			p.Spec.StatefulSet = &tsapi.StatefulSet{
-				Pod: &tsapi.Pod{
-					TailscaleContainer: &tsapi.Container{
-						Env: []tsapi.Env{{
-							Name:  "TS_LOCAL_ADDR_PORT",
-							Value: "127.0.0.1:8080",
-						}},
-					},
-				},
-			}
-		})
-		expectReconciled(t, reconciler, "", pg.Name)
-
-		sts := &appsv1.StatefulSet{}
-		if err := fc.Get(context.Background(), client.ObjectKey{Namespace: tsNamespace, Name: pg.Name}, sts); err != nil {
-			t.Fatalf("failed to get StatefulSet: %v", err)
-		}
-
-		if sts.Spec.Template.Spec.Containers[0].Lifecycle != nil {
-			t.Error("lifecycle hook was set when TS_LOCAL_ADDR_PORT was configured via ProxyClass")
-		}
 	})

 	t.Run("ingress_type", func(t *testing.T) {
@@ -408,7 +341,7 @@ func TestProxyGroupTypes(t *testing.T) {
 		}

 		expectReconciled(t, reconciler, "", pg.Name)
-		verifyProxyGroupCounts(t, reconciler, 1, 2)
+		verifyProxyGroupCounts(t, reconciler, 1, 1)

 		sts := &appsv1.StatefulSet{}
 		if err := fc.Get(context.Background(), client.ObjectKey{Namespace: tsNamespace, Name: pg.Name}, sts); err != nil {
@@ -469,13 +402,13 @@ func verifyEnvVar(t *testing.T, sts *appsv1.StatefulSet, name, expectedValue str
 	t.Errorf("%s environment variable not found", name)
 }

-func expectProxyGroupResources(t *testing.T, fc client.WithWatch, pg *tsapi.ProxyGroup, shouldExist bool, cfgHash string, proxyClass *tsapi.ProxyClass) {
+func expectProxyGroupResources(t *testing.T, fc client.WithWatch, pg *tsapi.ProxyGroup, shouldExist bool, cfgHash string) {
 	t.Helper()

 	role := pgRole(pg, tsNamespace)
 	roleBinding := pgRoleBinding(pg, tsNamespace)
 	serviceAccount := pgServiceAccount(pg, tsNamespace)
-	statefulSet, err := pgStatefulSet(pg, tsNamespace, testProxyImage, "auto", proxyClass)
+	statefulSet, err := pgStatefulSet(pg, tsNamespace, testProxyImage, "auto")
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/cmd/k8s-operator/sts.go
+++ b/cmd/k8s-operator/sts.go
@@ -101,9 +101,6 @@ const (
 	proxyTypeIngressResource = "ingress_resource"
 	proxyTypeConnector       = "connector"
 	proxyTypeProxyGroup      = "proxygroup"
-
-	envVarTSLocalAddrPort = "TS_LOCAL_ADDR_PORT"
-	defaultLocalAddrPort  = 9002 // metrics and health check port
 )

 var (
@@ -697,7 +694,7 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 		// being created, there is no need for a restart.
 		// TODO(irbekrm): remove this in 1.84.
 		hash := tsConfigHash
-		if dev == nil || dev.capver >= 110 {
+		if dev != nil && dev.capver >= 110 {
 			hash = s.Spec.Template.GetAnnotations()[podAnnotationLastSetConfigFileHash]
 		}
 		s.Spec = ss.Spec
--- a/cmd/k8s-operator/testutils_test.go
+++ b/cmd/k8s-operator/testutils_test.go
@@ -583,21 +583,6 @@ func mustCreate(t *testing.T, client client.Client, obj client.Object) {
 		t.Fatalf("creating %q: %v", obj.GetName(), err)
 	}
 }
-func mustCreateAll(t *testing.T, client client.Client, objs ...client.Object) {
-	t.Helper()
-	for _, obj := range objs {
-		mustCreate(t, client, obj)
-	}
-}
-
-func mustDeleteAll(t *testing.T, client client.Client, objs ...client.Object) {
-	t.Helper()
-	for _, obj := range objs {
-		if err := client.Delete(context.Background(), obj); err != nil {
-			t.Fatalf("deleting %q: %v", obj.GetName(), err)
-		}
-	}
-}

 func mustUpdate[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string, update func(O)) {
 	t.Helper()
@@ -721,19 +706,6 @@ func expectRequeue(t *testing.T, sr reconcile.Reconciler, ns, name string) {
 		t.Fatalf("expected timed requeue, got success")
 	}
 }
-func expectError(t *testing.T, sr reconcile.Reconciler, ns, name string) {
-	t.Helper()
-	req := reconcile.Request{
-		NamespacedName: types.NamespacedName{
-			Name:      name,
-			Namespace: ns,
-		},
-	}
-	_, err := sr.Reconcile(context.Background(), req)
-	if err == nil {
-		t.Error("Reconcile: expected error but did not get one")
-	}
-}

 // expectEvents accepts a test recorder and a list of events, tests that expected
 // events are sent down the recorder's channel. Waits for 5s for each event.
--- a/cmd/natc/natc.go
+++ b/cmd/natc/natc.go
@@ -10,7 +10,6 @@ import (
 	"context"
 	"encoding/binary"
 	"errors"
-	"expvar"
 	"flag"
 	"fmt"
 	"log"
@@ -27,8 +26,6 @@ import (
 	"github.com/inetaf/tcpproxy"
 	"github.com/peterbourgon/ff/v3"
 	"golang.org/x/net/dns/dnsmessage"
-	"gvisor.dev/gvisor/pkg/tcpip"
-	"gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/envknob"
 	"tailscale.com/hostinfo"
@@ -40,7 +37,6 @@ import (
 	"tailscale.com/tsweb"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/mak"
-	"tailscale.com/wgengine/netstack"
 )

 func main() {
@@ -116,7 +112,6 @@ func main() {
 		ts.Port = uint16(*wgPort)
 	}
 	defer ts.Close()
-
 	if *verboseTSNet {
 		ts.Logf = log.Printf
 	}
@@ -134,36 +129,6 @@ func main() {
 			log.Fatalf("debug serve: %v", http.Serve(dln, mux))
 		}()
 	}
-
-	if err := ts.Start(); err != nil {
-		log.Fatalf("ts.Start: %v", err)
-	}
-	// TODO(raggi): this is not a public interface or guarantee.
-	ns := ts.Sys().Netstack.Get().(*netstack.Impl)
-	tcpRXBufOpt := tcpip.TCPReceiveBufferSizeRangeOption{
-		Min:     tcp.MinBufferSize,
-		Default: tcp.DefaultReceiveBufferSize,
-		Max:     tcp.MaxBufferSize,
-	}
-	if err := ns.SetTransportProtocolOption(tcp.ProtocolNumber, &tcpRXBufOpt); err != nil {
-		log.Fatalf("could not set TCP RX buf size: %v", err)
-	}
-	tcpTXBufOpt := tcpip.TCPSendBufferSizeRangeOption{
-		Min:     tcp.MinBufferSize,
-		Default: tcp.DefaultSendBufferSize,
-		Max:     tcp.MaxBufferSize,
-	}
-	if err := ns.SetTransportProtocolOption(tcp.ProtocolNumber, &tcpTXBufOpt); err != nil {
-		log.Fatalf("could not set TCP TX buf size: %v", err)
-	}
-	mslOpt := tcpip.TCPTimeWaitTimeoutOption(5 * time.Second)
-	if err := ns.SetTransportProtocolOption(tcp.ProtocolNumber, &mslOpt); err != nil {
-		log.Fatalf("could not set TCP MSL: %v", err)
-	}
-	if *debugPort != 0 {
-		expvar.Publish("netstack", ns.ExpVar())
-	}
-
 	lc, err := ts.LocalClient()
 	if err != nil {
 		log.Fatalf("LocalClient() failed: %v", err)
--- a/cmd/stund/depaware.txt
+++ b/cmd/stund/depaware.txt
@@ -89,8 +89,6 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
        golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
        golang.org/x/crypto/hkdf                                     from crypto/tls+
-        golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
-        golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
@@ -125,18 +123,6 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        crypto/ed25519                                               from crypto/tls+
        crypto/elliptic                                              from crypto/ecdsa+
        crypto/hmac                                                  from crypto/tls+
-        crypto/internal/alias                                        from crypto/aes+
-        crypto/internal/bigmod                                       from crypto/ecdsa+
-        crypto/internal/boring                                       from crypto/aes+
-        crypto/internal/boring/bbig                                  from crypto/ecdsa+
-        crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/edwards25519                                 from crypto/ed25519
-        crypto/internal/edwards25519/field                           from crypto/ecdh+
-        crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/mlkem768                                     from crypto/tls
-        crypto/internal/nistec                                       from crypto/ecdh+
-        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
-        crypto/internal/randutil                                     from crypto/dsa+
        crypto/md5                                                   from crypto/tls+
        crypto/rand                                                  from crypto/ed25519+
        crypto/rc4                                                   from crypto/tls
@@ -147,7 +133,6 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        crypto/subtle                                                from crypto/aes+
        crypto/tls                                                   from net/http+
        crypto/x509                                                  from crypto/tls
-   D    crypto/x509/internal/macos                                   from crypto/x509
        crypto/x509/pkix                                             from crypto/x509
        embed                                                        from crypto/internal/nistec+
        encoding                                                     from encoding/json+
@@ -168,44 +153,6 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        hash/fnv                                                     from google.golang.org/protobuf/internal/detrand
        hash/maphash                                                 from go4.org/mem
        html                                                         from net/http/pprof+
-        internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from syscall
-        internal/bisect                                              from internal/godebug
-        internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/aes+
-        internal/chacha8rand                                         from math/rand/v2+
-        internal/concurrent                                          from unique
-        internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/aes+
-        internal/filepathlite                                        from os+
-        internal/fmtsort                                             from fmt
-        internal/goarch                                              from crypto/aes+
-        internal/godebug                                             from crypto/tls+
-        internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from runtime
-        internal/goos                                                from crypto/x509+
-        internal/itoa                                                from internal/poll+
-        internal/msan                                                from syscall
-        internal/nettrace                                            from net+
-        internal/oserror                                             from io/fs+
-        internal/poll                                                from net+
-        internal/profile                                             from net/http/pprof
-        internal/profilerecord                                       from runtime+
-        internal/race                                                from internal/poll+
-        internal/reflectlite                                         from context+
-        internal/runtime/atomic                                      from internal/runtime/exithook+
-        internal/runtime/exithook                                    from runtime
-   L    internal/runtime/syscall                                     from runtime+
-        internal/singleflight                                        from net
-        internal/stringslite                                         from embed+
-        internal/syscall/execenv                                     from os
-  LD    internal/syscall/unix                                        from crypto/rand+
-   W    internal/syscall/windows                                     from crypto/rand+
-   W    internal/syscall/windows/registry                            from mime+
-   W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
-        internal/testlog                                             from os
-        internal/unsafeheader                                        from internal/reflectlite+
-        internal/weak                                                from unique
        io                                                           from bufio+
        io/fs                                                        from crypto/x509+
        iter                                                         from maps+
@@ -224,7 +171,6 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        net/http                                                     from expvar+
        net/http/httptrace                                           from net/http
        net/http/internal                                            from net/http
-        net/http/internal/ascii                                      from net/http
        net/http/pprof                                               from tailscale.com/tsweb
        net/netip                                                    from go4.org/netipx+
        net/textproto                                                from golang.org/x/net/http/httpguts+
@@ -236,10 +182,7 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        reflect                                                      from crypto/x509+
        regexp                                                       from github.com/prometheus/client_golang/prometheus/internal+
        regexp/syntax                                                from regexp
-        runtime                                                      from crypto/internal/nistec+
        runtime/debug                                                from github.com/prometheus/client_golang/prometheus+
-        runtime/internal/math                                        from runtime
-        runtime/internal/sys                                         from runtime
        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
        runtime/pprof                                                from net/http/pprof
        runtime/trace                                                from net/http/pprof
@@ -256,4 +199,3 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        unicode/utf16                                                from crypto/x509+
        unicode/utf8                                                 from bufio+
        unique                                                       from net/netip
-        unsafe                                                       from bytes+
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -212,7 +212,7 @@ change in the future.
 			exitNodeCmd(),
 			updateCmd,
 			whoisCmd,
-			debugCmd(),
+			debugCmd,
 			driveCmd,
 			idTokenCmd,
 			advertiseCmd(),
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -25,12 +25,10 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
 	"tailscale.com/tstest"
-	"tailscale.com/tstest/deptest"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/opt"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/preftype"
-	"tailscale.com/util/set"
 	"tailscale.com/version/distro"
 )

@@ -1570,31 +1568,3 @@ func TestDocs(t *testing.T) {
 	}
 	walk(t, root)
 }
-
-func TestDeps(t *testing.T) {
-	deptest.DepChecker{
-		GOOS:   "linux",
-		GOARCH: "arm64",
-		WantDeps: set.Of(
-			"tailscale.com/feature/capture/dissector", // want the Lua by default
-		),
-		BadDeps: map[string]string{
-			"tailscale.com/feature/capture": "don't link capture code",
-			"tailscale.com/net/packet":      "why we passing packets in the CLI?",
-			"tailscale.com/net/flowtrack":   "why we tracking flows in the CLI?",
-		},
-	}.Check(t)
-}
-
-func TestDepsNoCapture(t *testing.T) {
-	deptest.DepChecker{
-		GOOS:   "linux",
-		GOARCH: "arm64",
-		Tags:   "ts_omit_capture",
-		BadDeps: map[string]string{
-			"tailscale.com/feature/capture":           "don't link capture code",
-			"tailscale.com/feature/capture/dissector": "don't like the Lua",
-		},
-	}.Check(t)
-
-}
--- a/cmd/tailscale/cli/debug-capture.go
+++ b/cmd/tailscale/cli/debug-capture.go
@@ -1,80 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !ios && !ts_omit_capture
-
-package cli
-
-import (
-	"context"
-	"flag"
-	"fmt"
-	"io"
-	"os"
-	"os/exec"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/feature/capture/dissector"
-)
-
-func init() {
-	debugCaptureCmd = mkDebugCaptureCmd
-}
-
-func mkDebugCaptureCmd() *ffcli.Command {
-	return &ffcli.Command{
-		Name:       "capture",
-		ShortUsage: "tailscale debug capture",
-		Exec:       runCapture,
-		ShortHelp:  "Stream pcaps for debugging",
-		FlagSet: (func() *flag.FlagSet {
-			fs := newFlagSet("capture")
-			fs.StringVar(&captureArgs.outFile, "o", "", "path to stream the pcap (or - for stdout), leave empty to start wireshark")
-			return fs
-		})(),
-	}
-}
-
-var captureArgs struct {
-	outFile string
-}
-
-func runCapture(ctx context.Context, args []string) error {
-	stream, err := localClient.StreamDebugCapture(ctx)
-	if err != nil {
-		return err
-	}
-	defer stream.Close()
-
-	switch captureArgs.outFile {
-	case "-":
-		fmt.Fprintln(Stderr, "Press Ctrl-C to stop the capture.")
-		_, err = io.Copy(os.Stdout, stream)
-		return err
-	case "":
-		lua, err := os.CreateTemp("", "ts-dissector")
-		if err != nil {
-			return err
-		}
-		defer os.Remove(lua.Name())
-		io.WriteString(lua, dissector.Lua)
-		if err := lua.Close(); err != nil {
-			return err
-		}
-
-		wireshark := exec.CommandContext(ctx, "wireshark", "-X", "lua_script:"+lua.Name(), "-k", "-i", "-")
-		wireshark.Stdin = stream
-		wireshark.Stdout = os.Stdout
-		wireshark.Stderr = os.Stderr
-		return wireshark.Run()
-	}
-
-	f, err := os.OpenFile(captureArgs.outFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-	fmt.Fprintln(Stderr, "Press Ctrl-C to stop the capture.")
-	_, err = io.Copy(f, stream)
-	return err
-}
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -20,6 +20,7 @@ import (
 	"net/netip"
 	"net/url"
 	"os"
+	"os/exec"
 	"runtime"
 	"runtime/debug"
 	"strconv"
@@ -44,302 +45,307 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/must"
+	"tailscale.com/wgengine/capture"
 )

-var (
-	debugCaptureCmd func() *ffcli.Command // or nil
-)
-
-func debugCmd() *ffcli.Command {
-	return &ffcli.Command{
-		Name:       "debug",
-		Exec:       runDebug,
-		ShortUsage: "tailscale debug <debug-flags | subcommand>",
-		ShortHelp:  "Debug commands",
-		LongHelp:   hidden + `"tailscale debug" contains misc debug facilities; it is not a stable interface.`,
-		FlagSet: (func() *flag.FlagSet {
-			fs := newFlagSet("debug")
-			fs.StringVar(&debugArgs.file, "file", "", "get, delete:NAME, or NAME")
-			fs.StringVar(&debugArgs.cpuFile, "cpu-profile", "", "if non-empty, grab a CPU profile for --profile-seconds seconds and write it to this file; - for stdout")
-			fs.StringVar(&debugArgs.memFile, "mem-profile", "", "if non-empty, grab a memory profile and write it to this file; - for stdout")
-			fs.IntVar(&debugArgs.cpuSec, "profile-seconds", 15, "number of seconds to run a CPU profile for, when --cpu-profile is non-empty")
-			return fs
-		})(),
-		Subcommands: nonNilCmds([]*ffcli.Command{
-			{
-				Name:       "derp-map",
-				ShortUsage: "tailscale debug derp-map",
-				Exec:       runDERPMap,
-				ShortHelp:  "Print DERP map",
-			},
-			{
-				Name:       "component-logs",
-				ShortUsage: "tailscale debug component-logs [" + strings.Join(ipn.DebuggableComponents, "|") + "]",
-				Exec:       runDebugComponentLogs,
-				ShortHelp:  "Enable/disable debug logs for a component",
-				FlagSet: (func() *flag.FlagSet {
-					fs := newFlagSet("component-logs")
-					fs.DurationVar(&debugComponentLogsArgs.forDur, "for", time.Hour, "how long to enable debug logs for; zero or negative means to disable")
-					return fs
-				})(),
-			},
-			{
-				Name:       "daemon-goroutines",
-				ShortUsage: "tailscale debug daemon-goroutines",
-				Exec:       runDaemonGoroutines,
-				ShortHelp:  "Print tailscaled's goroutines",
-			},
-			{
-				Name:       "daemon-logs",
-				ShortUsage: "tailscale debug daemon-logs",
-				Exec:       runDaemonLogs,
-				ShortHelp:  "Watch tailscaled's server logs",
-				FlagSet: (func() *flag.FlagSet {
-					fs := newFlagSet("daemon-logs")
-					fs.IntVar(&daemonLogsArgs.verbose, "verbose", 0, "verbosity level")
-					fs.BoolVar(&daemonLogsArgs.time, "time", false, "include client time")
-					return fs
-				})(),
-			},
-			{
-				Name:       "metrics",
-				ShortUsage: "tailscale debug metrics",
-				Exec:       runDaemonMetrics,
-				ShortHelp:  "Print tailscaled's metrics",
-				FlagSet: (func() *flag.FlagSet {
-					fs := newFlagSet("metrics")
-					fs.BoolVar(&metricsArgs.watch, "watch", false, "print JSON dump of delta values")
-					return fs
-				})(),
-			},
-			{
-				Name:       "env",
-				ShortUsage: "tailscale debug env",
-				Exec:       runEnv,
-				ShortHelp:  "Print cmd/tailscale environment",
-			},
-			{
-				Name:       "stat",
-				ShortUsage: "tailscale debug stat <files...>",
-				Exec:       runStat,
-				ShortHelp:  "Stat a file",
-			},
-			{
-				Name:       "hostinfo",
-				ShortUsage: "tailscale debug hostinfo",
-				Exec:       runHostinfo,
-				ShortHelp:  "Print hostinfo",
-			},
-			{
-				Name:       "local-creds",
-				ShortUsage: "tailscale debug local-creds",
-				Exec:       runLocalCreds,
-				ShortHelp:  "Print how to access Tailscale LocalAPI",
-			},
-			{
-				Name:       "restun",
-				ShortUsage: "tailscale debug restun",
-				Exec:       localAPIAction("restun"),
-				ShortHelp:  "Force a magicsock restun",
-			},
-			{
-				Name:       "rebind",
-				ShortUsage: "tailscale debug rebind",
-				Exec:       localAPIAction("rebind"),
-				ShortHelp:  "Force a magicsock rebind",
-			},
-			{
-				Name:       "derp-set-on-demand",
-				ShortUsage: "tailscale debug derp-set-on-demand",
-				Exec:       localAPIAction("derp-set-homeless"),
-				ShortHelp:  "Enable DERP on-demand mode (breaks reachability)",
-			},
-			{
-				Name:       "derp-unset-on-demand",
-				ShortUsage: "tailscale debug derp-unset-on-demand",
-				Exec:       localAPIAction("derp-unset-homeless"),
-				ShortHelp:  "Disable DERP on-demand mode",
-			},
-			{
-				Name:       "break-tcp-conns",
-				ShortUsage: "tailscale debug break-tcp-conns",
-				Exec:       localAPIAction("break-tcp-conns"),
-				ShortHelp:  "Break any open TCP connections from the daemon",
-			},
-			{
-				Name:       "break-derp-conns",
-				ShortUsage: "tailscale debug break-derp-conns",
-				Exec:       localAPIAction("break-derp-conns"),
-				ShortHelp:  "Break any open DERP connections from the daemon",
-			},
-			{
-				Name:       "pick-new-derp",
-				ShortUsage: "tailscale debug pick-new-derp",
-				Exec:       localAPIAction("pick-new-derp"),
-				ShortHelp:  "Switch to some other random DERP home region for a short time",
-			},
-			{
-				Name:       "force-prefer-derp",
-				ShortUsage: "tailscale debug force-prefer-derp",
-				Exec:       forcePreferDERP,
-				ShortHelp:  "Prefer the given region ID if reachable (until restart, or 0 to clear)",
-			},
-			{
-				Name:       "force-netmap-update",
-				ShortUsage: "tailscale debug force-netmap-update",
-				Exec:       localAPIAction("force-netmap-update"),
-				ShortHelp:  "Force a full no-op netmap update (for load testing)",
-			},
-			{
-				// TODO(bradfitz,maisem): eventually promote this out of debug
-				Name:       "reload-config",
-				ShortUsage: "tailscale debug reload-config",
-				Exec:       reloadConfig,
-				ShortHelp:  "Reload config",
-			},
-			{
-				Name:       "control-knobs",
-				ShortUsage: "tailscale debug control-knobs",
-				Exec:       debugControlKnobs,
-				ShortHelp:  "See current control knobs",
-			},
-			{
-				Name:       "prefs",
-				ShortUsage: "tailscale debug prefs",
-				Exec:       runPrefs,
-				ShortHelp:  "Print prefs",
-				FlagSet: (func() *flag.FlagSet {
-					fs := newFlagSet("prefs")
-					fs.BoolVar(&prefsArgs.pretty, "pretty", false, "If true, pretty-print output")
-					return fs
-				})(),
-			},
-			{
-				Name:       "watch-ipn",
-				ShortUsage: "tailscale debug watch-ipn",
-				Exec:       runWatchIPN,
-				ShortHelp:  "Subscribe to IPN message bus",
-				FlagSet: (func() *flag.FlagSet {
-					fs := newFlagSet("watch-ipn")
-					fs.BoolVar(&watchIPNArgs.netmap, "netmap", true, "include netmap in messages")
-					fs.BoolVar(&watchIPNArgs.initial, "initial", false, "include initial status")
-					fs.BoolVar(&watchIPNArgs.rateLimit, "rate-limit", true, "rate limit messags")
-					fs.BoolVar(&watchIPNArgs.showPrivateKey, "show-private-key", false, "include node private key in printed netmap")
-					fs.IntVar(&watchIPNArgs.count, "count", 0, "exit after printing this many statuses, or 0 to keep going forever")
-					return fs
-				})(),
-			},
-			{
-				Name:       "netmap",
-				ShortUsage: "tailscale debug netmap",
-				Exec:       runNetmap,
-				ShortHelp:  "Print the current network map",
-				FlagSet: (func() *flag.FlagSet {
-					fs := newFlagSet("netmap")
-					fs.BoolVar(&netmapArgs.showPrivateKey, "show-private-key", false, "include node private key in printed netmap")
-					return fs
-				})(),
-			},
-			{
-				Name: "via",
-				ShortUsage: "tailscale debug via <site-id> <v4-cidr>\n" +
-					"tailscale debug via <v6-route>",
-				Exec:      runVia,
-				ShortHelp: "Convert between site-specific IPv4 CIDRs and IPv6 'via' routes",
-			},
-			{
-				Name:       "ts2021",
-				ShortUsage: "tailscale debug ts2021",
-				Exec:       runTS2021,
-				ShortHelp:  "Debug ts2021 protocol connectivity",
-				FlagSet: (func() *flag.FlagSet {
-					fs := newFlagSet("ts2021")
-					fs.StringVar(&ts2021Args.host, "host", "controlplane.tailscale.com", "hostname of control plane")
-					fs.IntVar(&ts2021Args.version, "version", int(tailcfg.CurrentCapabilityVersion), "protocol version")
-					fs.BoolVar(&ts2021Args.verbose, "verbose", false, "be extra verbose")
-					return fs
-				})(),
-			},
-			{
-				Name:       "set-expire",
-				ShortUsage: "tailscale debug set-expire --in=1m",
-				Exec:       runSetExpire,
-				ShortHelp:  "Manipulate node key expiry for testing",
-				FlagSet: (func() *flag.FlagSet {
-					fs := newFlagSet("set-expire")
-					fs.DurationVar(&setExpireArgs.in, "in", 0, "if non-zero, set node key to expire this duration from now")
-					return fs
-				})(),
-			},
-			{
-				Name:       "dev-store-set",
-				ShortUsage: "tailscale debug dev-store-set",
-				Exec:       runDevStoreSet,
-				ShortHelp:  "Set a key/value pair during development",
-				FlagSet: (func() *flag.FlagSet {
-					fs := newFlagSet("store-set")
-					fs.BoolVar(&devStoreSetArgs.danger, "danger", false, "accept danger")
-					return fs
-				})(),
-			},
-			{
-				Name:       "derp",
-				ShortUsage: "tailscale debug derp",
-				Exec:       runDebugDERP,
-				ShortHelp:  "Test a DERP configuration",
-			},
-			ccall(debugCaptureCmd),
-			{
-				Name:       "portmap",
-				ShortUsage: "tailscale debug portmap",
-				Exec:       debugPortmap,
-				ShortHelp:  "Run portmap debugging",
-				FlagSet: (func() *flag.FlagSet {
-					fs := newFlagSet("portmap")
-					fs.DurationVar(&debugPortmapArgs.duration, "duration", 5*time.Second, "timeout for port mapping")
-					fs.StringVar(&debugPortmapArgs.ty, "type", "", `portmap debug type (one of "", "pmp", "pcp", or "upnp")`)
-					fs.StringVar(&debugPortmapArgs.gatewayAddr, "gateway-addr", "", `override gateway IP (must also pass --self-addr)`)
-					fs.StringVar(&debugPortmapArgs.selfAddr, "self-addr", "", `override self IP (must also pass --gateway-addr)`)
-					fs.BoolVar(&debugPortmapArgs.logHTTP, "log-http", false, `print all HTTP requests and responses to the log`)
-					return fs
-				})(),
-			},
-			{
-				Name:       "peer-endpoint-changes",
-				ShortUsage: "tailscale debug peer-endpoint-changes <hostname-or-IP>",
-				Exec:       runPeerEndpointChanges,
-				ShortHelp:  "Print debug information about a peer's endpoint changes",
-			},
-			{
-				Name:       "dial-types",
-				ShortUsage: "tailscale debug dial-types <hostname-or-IP> <port>",
-				Exec:       runDebugDialTypes,
-				ShortHelp:  "Print debug information about connecting to a given host or IP",
-				FlagSet: (func() *flag.FlagSet {
-					fs := newFlagSet("dial-types")
-					fs.StringVar(&debugDialTypesArgs.network, "network", "tcp", `network type to dial ("tcp", "udp", etc.)`)
-					return fs
-				})(),
-			},
-			{
-				Name:       "resolve",
-				ShortUsage: "tailscale debug resolve <hostname>",
-				Exec:       runDebugResolve,
-				ShortHelp:  "Does a DNS lookup",
-				FlagSet: (func() *flag.FlagSet {
-					fs := newFlagSet("resolve")
-					fs.StringVar(&resolveArgs.net, "net", "ip", "network type to resolve (ip, ip4, ip6)")
-					return fs
-				})(),
-			},
-			{
-				Name:       "go-buildinfo",
-				ShortUsage: "tailscale debug go-buildinfo",
-				ShortHelp:  "Print Go's runtime/debug.BuildInfo",
-				Exec:       runGoBuildInfo,
-			},
-		}...),
-	}
+var debugCmd = &ffcli.Command{
+	Name:       "debug",
+	Exec:       runDebug,
+	ShortUsage: "tailscale debug <debug-flags | subcommand>",
+	ShortHelp:  "Debug commands",
+	LongHelp:   hidden + `"tailscale debug" contains misc debug facilities; it is not a stable interface.`,
+	FlagSet: (func() *flag.FlagSet {
+		fs := newFlagSet("debug")
+		fs.StringVar(&debugArgs.file, "file", "", "get, delete:NAME, or NAME")
+		fs.StringVar(&debugArgs.cpuFile, "cpu-profile", "", "if non-empty, grab a CPU profile for --profile-seconds seconds and write it to this file; - for stdout")
+		fs.StringVar(&debugArgs.memFile, "mem-profile", "", "if non-empty, grab a memory profile and write it to this file; - for stdout")
+		fs.IntVar(&debugArgs.cpuSec, "profile-seconds", 15, "number of seconds to run a CPU profile for, when --cpu-profile is non-empty")
+		return fs
+	})(),
+	Subcommands: []*ffcli.Command{
+		{
+			Name:       "derp-map",
+			ShortUsage: "tailscale debug derp-map",
+			Exec:       runDERPMap,
+			ShortHelp:  "Print DERP map",
+		},
+		{
+			Name:       "component-logs",
+			ShortUsage: "tailscale debug component-logs [" + strings.Join(ipn.DebuggableComponents, "|") + "]",
+			Exec:       runDebugComponentLogs,
+			ShortHelp:  "Enable/disable debug logs for a component",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("component-logs")
+				fs.DurationVar(&debugComponentLogsArgs.forDur, "for", time.Hour, "how long to enable debug logs for; zero or negative means to disable")
+				return fs
+			})(),
+		},
+		{
+			Name:       "daemon-goroutines",
+			ShortUsage: "tailscale debug daemon-goroutines",
+			Exec:       runDaemonGoroutines,
+			ShortHelp:  "Print tailscaled's goroutines",
+		},
+		{
+			Name:       "daemon-logs",
+			ShortUsage: "tailscale debug daemon-logs",
+			Exec:       runDaemonLogs,
+			ShortHelp:  "Watch tailscaled's server logs",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("daemon-logs")
+				fs.IntVar(&daemonLogsArgs.verbose, "verbose", 0, "verbosity level")
+				fs.BoolVar(&daemonLogsArgs.time, "time", false, "include client time")
+				return fs
+			})(),
+		},
+		{
+			Name:       "metrics",
+			ShortUsage: "tailscale debug metrics",
+			Exec:       runDaemonMetrics,
+			ShortHelp:  "Print tailscaled's metrics",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("metrics")
+				fs.BoolVar(&metricsArgs.watch, "watch", false, "print JSON dump of delta values")
+				return fs
+			})(),
+		},
+		{
+			Name:       "env",
+			ShortUsage: "tailscale debug env",
+			Exec:       runEnv,
+			ShortHelp:  "Print cmd/tailscale environment",
+		},
+		{
+			Name:       "stat",
+			ShortUsage: "tailscale debug stat <files...>",
+			Exec:       runStat,
+			ShortHelp:  "Stat a file",
+		},
+		{
+			Name:       "hostinfo",
+			ShortUsage: "tailscale debug hostinfo",
+			Exec:       runHostinfo,
+			ShortHelp:  "Print hostinfo",
+		},
+		{
+			Name:       "local-creds",
+			ShortUsage: "tailscale debug local-creds",
+			Exec:       runLocalCreds,
+			ShortHelp:  "Print how to access Tailscale LocalAPI",
+		},
+		{
+			Name:       "restun",
+			ShortUsage: "tailscale debug restun",
+			Exec:       localAPIAction("restun"),
+			ShortHelp:  "Force a magicsock restun",
+		},
+		{
+			Name:       "rebind",
+			ShortUsage: "tailscale debug rebind",
+			Exec:       localAPIAction("rebind"),
+			ShortHelp:  "Force a magicsock rebind",
+		},
+		{
+			Name:       "derp-set-on-demand",
+			ShortUsage: "tailscale debug derp-set-on-demand",
+			Exec:       localAPIAction("derp-set-homeless"),
+			ShortHelp:  "Enable DERP on-demand mode (breaks reachability)",
+		},
+		{
+			Name:       "derp-unset-on-demand",
+			ShortUsage: "tailscale debug derp-unset-on-demand",
+			Exec:       localAPIAction("derp-unset-homeless"),
+			ShortHelp:  "Disable DERP on-demand mode",
+		},
+		{
+			Name:       "break-tcp-conns",
+			ShortUsage: "tailscale debug break-tcp-conns",
+			Exec:       localAPIAction("break-tcp-conns"),
+			ShortHelp:  "Break any open TCP connections from the daemon",
+		},
+		{
+			Name:       "break-derp-conns",
+			ShortUsage: "tailscale debug break-derp-conns",
+			Exec:       localAPIAction("break-derp-conns"),
+			ShortHelp:  "Break any open DERP connections from the daemon",
+		},
+		{
+			Name:       "pick-new-derp",
+			ShortUsage: "tailscale debug pick-new-derp",
+			Exec:       localAPIAction("pick-new-derp"),
+			ShortHelp:  "Switch to some other random DERP home region for a short time",
+		},
+		{
+			Name:       "force-prefer-derp",
+			ShortUsage: "tailscale debug force-prefer-derp",
+			Exec:       forcePreferDERP,
+			ShortHelp:  "Prefer the given region ID if reachable (until restart, or 0 to clear)",
+		},
+		{
+			Name:       "force-netmap-update",
+			ShortUsage: "tailscale debug force-netmap-update",
+			Exec:       localAPIAction("force-netmap-update"),
+			ShortHelp:  "Force a full no-op netmap update (for load testing)",
+		},
+		{
+			// TODO(bradfitz,maisem): eventually promote this out of debug
+			Name:       "reload-config",
+			ShortUsage: "tailscale debug reload-config",
+			Exec:       reloadConfig,
+			ShortHelp:  "Reload config",
+		},
+		{
+			Name:       "control-knobs",
+			ShortUsage: "tailscale debug control-knobs",
+			Exec:       debugControlKnobs,
+			ShortHelp:  "See current control knobs",
+		},
+		{
+			Name:       "prefs",
+			ShortUsage: "tailscale debug prefs",
+			Exec:       runPrefs,
+			ShortHelp:  "Print prefs",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("prefs")
+				fs.BoolVar(&prefsArgs.pretty, "pretty", false, "If true, pretty-print output")
+				return fs
+			})(),
+		},
+		{
+			Name:       "watch-ipn",
+			ShortUsage: "tailscale debug watch-ipn",
+			Exec:       runWatchIPN,
+			ShortHelp:  "Subscribe to IPN message bus",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("watch-ipn")
+				fs.BoolVar(&watchIPNArgs.netmap, "netmap", true, "include netmap in messages")
+				fs.BoolVar(&watchIPNArgs.initial, "initial", false, "include initial status")
+				fs.BoolVar(&watchIPNArgs.rateLimit, "rate-limit", true, "rate limit messags")
+				fs.BoolVar(&watchIPNArgs.showPrivateKey, "show-private-key", false, "include node private key in printed netmap")
+				fs.IntVar(&watchIPNArgs.count, "count", 0, "exit after printing this many statuses, or 0 to keep going forever")
+				return fs
+			})(),
+		},
+		{
+			Name:       "netmap",
+			ShortUsage: "tailscale debug netmap",
+			Exec:       runNetmap,
+			ShortHelp:  "Print the current network map",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("netmap")
+				fs.BoolVar(&netmapArgs.showPrivateKey, "show-private-key", false, "include node private key in printed netmap")
+				return fs
+			})(),
+		},
+		{
+			Name: "via",
+			ShortUsage: "tailscale debug via <site-id> <v4-cidr>\n" +
+				"tailscale debug via <v6-route>",
+			Exec:      runVia,
+			ShortHelp: "Convert between site-specific IPv4 CIDRs and IPv6 'via' routes",
+		},
+		{
+			Name:       "ts2021",
+			ShortUsage: "tailscale debug ts2021",
+			Exec:       runTS2021,
+			ShortHelp:  "Debug ts2021 protocol connectivity",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("ts2021")
+				fs.StringVar(&ts2021Args.host, "host", "controlplane.tailscale.com", "hostname of control plane")
+				fs.IntVar(&ts2021Args.version, "version", int(tailcfg.CurrentCapabilityVersion), "protocol version")
+				fs.BoolVar(&ts2021Args.verbose, "verbose", false, "be extra verbose")
+				return fs
+			})(),
+		},
+		{
+			Name:       "set-expire",
+			ShortUsage: "tailscale debug set-expire --in=1m",
+			Exec:       runSetExpire,
+			ShortHelp:  "Manipulate node key expiry for testing",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("set-expire")
+				fs.DurationVar(&setExpireArgs.in, "in", 0, "if non-zero, set node key to expire this duration from now")
+				return fs
+			})(),
+		},
+		{
+			Name:       "dev-store-set",
+			ShortUsage: "tailscale debug dev-store-set",
+			Exec:       runDevStoreSet,
+			ShortHelp:  "Set a key/value pair during development",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("store-set")
+				fs.BoolVar(&devStoreSetArgs.danger, "danger", false, "accept danger")
+				return fs
+			})(),
+		},
+		{
+			Name:       "derp",
+			ShortUsage: "tailscale debug derp",
+			Exec:       runDebugDERP,
+			ShortHelp:  "Test a DERP configuration",
+		},
+		{
+			Name:       "capture",
+			ShortUsage: "tailscale debug capture",
+			Exec:       runCapture,
+			ShortHelp:  "Stream pcaps for debugging",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("capture")
+				fs.StringVar(&captureArgs.outFile, "o", "", "path to stream the pcap (or - for stdout), leave empty to start wireshark")
+				return fs
+			})(),
+		},
+		{
+			Name:       "portmap",
+			ShortUsage: "tailscale debug portmap",
+			Exec:       debugPortmap,
+			ShortHelp:  "Run portmap debugging",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("portmap")
+				fs.DurationVar(&debugPortmapArgs.duration, "duration", 5*time.Second, "timeout for port mapping")
+				fs.StringVar(&debugPortmapArgs.ty, "type", "", `portmap debug type (one of "", "pmp", "pcp", or "upnp")`)
+				fs.StringVar(&debugPortmapArgs.gatewayAddr, "gateway-addr", "", `override gateway IP (must also pass --self-addr)`)
+				fs.StringVar(&debugPortmapArgs.selfAddr, "self-addr", "", `override self IP (must also pass --gateway-addr)`)
+				fs.BoolVar(&debugPortmapArgs.logHTTP, "log-http", false, `print all HTTP requests and responses to the log`)
+				return fs
+			})(),
+		},
+		{
+			Name:       "peer-endpoint-changes",
+			ShortUsage: "tailscale debug peer-endpoint-changes <hostname-or-IP>",
+			Exec:       runPeerEndpointChanges,
+			ShortHelp:  "Print debug information about a peer's endpoint changes",
+		},
+		{
+			Name:       "dial-types",
+			ShortUsage: "tailscale debug dial-types <hostname-or-IP> <port>",
+			Exec:       runDebugDialTypes,
+			ShortHelp:  "Print debug information about connecting to a given host or IP",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("dial-types")
+				fs.StringVar(&debugDialTypesArgs.network, "network", "tcp", `network type to dial ("tcp", "udp", etc.)`)
+				return fs
+			})(),
+		},
+		{
+			Name:       "resolve",
+			ShortUsage: "tailscale debug resolve <hostname>",
+			Exec:       runDebugResolve,
+			ShortHelp:  "Does a DNS lookup",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("resolve")
+				fs.StringVar(&resolveArgs.net, "net", "ip", "network type to resolve (ip, ip4, ip6)")
+				return fs
+			})(),
+		},
+		{
+			Name:       "go-buildinfo",
+			ShortUsage: "tailscale debug go-buildinfo",
+			ShortHelp:  "Print Go's runtime/debug.BuildInfo",
+			Exec:       runGoBuildInfo,
+		},
+	},
 }

 func runGoBuildInfo(ctx context.Context, args []string) error {
@@ -1030,6 +1036,50 @@ func runSetExpire(ctx context.Context, args []string) error {
 	return localClient.DebugSetExpireIn(ctx, setExpireArgs.in)
 }

+var captureArgs struct {
+	outFile string
+}
+
+func runCapture(ctx context.Context, args []string) error {
+	stream, err := localClient.StreamDebugCapture(ctx)
+	if err != nil {
+		return err
+	}
+	defer stream.Close()
+
+	switch captureArgs.outFile {
+	case "-":
+		fmt.Fprintln(Stderr, "Press Ctrl-C to stop the capture.")
+		_, err = io.Copy(os.Stdout, stream)
+		return err
+	case "":
+		lua, err := os.CreateTemp("", "ts-dissector")
+		if err != nil {
+			return err
+		}
+		defer os.Remove(lua.Name())
+		lua.Write([]byte(capture.DissectorLua))
+		if err := lua.Close(); err != nil {
+			return err
+		}
+
+		wireshark := exec.CommandContext(ctx, "wireshark", "-X", "lua_script:"+lua.Name(), "-k", "-i", "-")
+		wireshark.Stdin = stream
+		wireshark.Stdout = os.Stdout
+		wireshark.Stderr = os.Stderr
+		return wireshark.Run()
+	}
+
+	f, err := os.OpenFile(captureArgs.outFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	fmt.Fprintln(Stderr, "Press Ctrl-C to stop the capture.")
+	_, err = io.Copy(f, stream)
+	return err
+}
+
 var debugPortmapArgs struct {
 	duration    time.Duration
 	gatewayAddr string
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -139,7 +139,7 @@ func newUpFlagSet(goos string, upArgs *upArgsT, cmd string) *flag.FlagSet {
 		// Some flags are only for "up", not "login".
 		upf.BoolVar(&upArgs.json, "json", false, "output in JSON format (WARNING: format subject to change)")
 		upf.BoolVar(&upArgs.reset, "reset", false, "reset unspecified settings to their default values")
-		upf.BoolVar(&upArgs.forceReauth, "force-reauth", false, "force reauthentication (WARNING: this will bring down the Tailscale connection and thus should not be done remotely over SSH or RDP)")
+		upf.BoolVar(&upArgs.forceReauth, "force-reauth", false, "force reauthentication")
 		registerAcceptRiskFlag(upf, &upArgs.acceptedRisks)
 	}

--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -88,7 +88,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/drive                                          from tailscale.com/client/tailscale+
        tailscale.com/envknob                                        from tailscale.com/client/tailscale+
        tailscale.com/envknob/featureknob                            from tailscale.com/client/web
-        tailscale.com/feature/capture/dissector                      from tailscale.com/cmd/tailscale/cli
        tailscale.com/health                                         from tailscale.com/net/tlsdial+
        tailscale.com/health/healthmsg                               from tailscale.com/cmd/tailscale/cli
        tailscale.com/hostinfo                                       from tailscale.com/client/web+
@@ -103,6 +102,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/net/dns/recursive                              from tailscale.com/net/dnsfallback
        tailscale.com/net/dnscache                                   from tailscale.com/control/controlhttp+
        tailscale.com/net/dnsfallback                                from tailscale.com/control/controlhttp+
+        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet
        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
        tailscale.com/net/netcheck                                   from tailscale.com/cmd/tailscale/cli
        tailscale.com/net/neterror                                   from tailscale.com/net/netcheck+
@@ -110,6 +110,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
     💣 tailscale.com/net/netmon                                     from tailscale.com/cmd/tailscale/cli+
     💣 tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale+
+        tailscale.com/net/packet                                     from tailscale.com/wgengine/capture
        tailscale.com/net/ping                                       from tailscale.com/net/netcheck
        tailscale.com/net/portmapper                                 from tailscale.com/cmd/tailscale/cli+
        tailscale.com/net/sockstats                                  from tailscale.com/control/controlhttp+
@@ -132,7 +133,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/tsweb/varz                                     from tailscale.com/util/usermetric
        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg+
        tailscale.com/types/empty                                    from tailscale.com/ipn
-        tailscale.com/types/ipproto                                  from tailscale.com/ipn+
+        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
        tailscale.com/types/key                                      from tailscale.com/client/tailscale+
        tailscale.com/types/lazy                                     from tailscale.com/util/testenv+
        tailscale.com/types/logger                                   from tailscale.com/client/web+
@@ -184,6 +185,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
   W 💣 tailscale.com/util/winutil/winenv                            from tailscale.com/hostinfo+
        tailscale.com/version                                        from tailscale.com/client/web+
        tailscale.com/version/distro                                 from tailscale.com/client/web+
+        tailscale.com/wgengine/capture                               from tailscale.com/cmd/tailscale/cli
        tailscale.com/wgengine/filter/filtertype                     from tailscale.com/types/netmap
        golang.org/x/crypto/argon2                                   from tailscale.com/tka
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/argon2+
@@ -194,8 +196,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
        golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
        golang.org/x/crypto/hkdf                                     from crypto/tls+
-        golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
-        golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/pbkdf2                                   from software.sslmate.com/src/go-pkcs12
@@ -211,10 +211,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/net/http2/hpack                                 from net/http+
        golang.org/x/net/icmp                                        from tailscale.com/net/ping
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
-        golang.org/x/net/internal/httpcommon                         from golang.org/x/net/http2
-        golang.org/x/net/internal/iana                               from golang.org/x/net/icmp+
-        golang.org/x/net/internal/socket                             from golang.org/x/net/icmp+
-        golang.org/x/net/internal/socks                              from golang.org/x/net/proxy
        golang.org/x/net/ipv4                                        from github.com/miekg/dns+
        golang.org/x/net/ipv6                                        from github.com/miekg/dns+
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
@@ -253,18 +249,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        crypto/ed25519                                               from crypto/tls+
        crypto/elliptic                                              from crypto/ecdsa+
        crypto/hmac                                                  from crypto/tls+
-        crypto/internal/alias                                        from crypto/aes+
-        crypto/internal/bigmod                                       from crypto/ecdsa+
-        crypto/internal/boring                                       from crypto/aes+
-        crypto/internal/boring/bbig                                  from crypto/ecdsa+
-        crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/edwards25519                                 from crypto/ed25519
-        crypto/internal/edwards25519/field                           from crypto/ecdh+
-        crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/mlkem768                                     from crypto/tls
-        crypto/internal/nistec                                       from crypto/ecdh+
-        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
-        crypto/internal/randutil                                     from crypto/dsa+
        crypto/md5                                                   from crypto/tls+
        crypto/rand                                                  from crypto/ed25519+
        crypto/rc4                                                   from crypto/tls
@@ -275,7 +259,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        crypto/subtle                                                from crypto/aes+
        crypto/tls                                                   from github.com/miekg/dns+
        crypto/x509                                                  from crypto/tls+
-   D    crypto/x509/internal/macos                                   from crypto/x509
        crypto/x509/pkix                                             from crypto/x509+
  DW    database/sql/driver                                          from github.com/google/uuid
   W    debug/dwarf                                                  from debug/pe
@@ -304,44 +287,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        image                                                        from github.com/skip2/go-qrcode+
        image/color                                                  from github.com/skip2/go-qrcode+
        image/png                                                    from github.com/skip2/go-qrcode
-        internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from syscall
-        internal/bisect                                              from internal/godebug
-        internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/aes+
-        internal/chacha8rand                                         from math/rand/v2+
-        internal/concurrent                                          from unique
-        internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/aes+
-        internal/filepathlite                                        from os+
-        internal/fmtsort                                             from fmt+
-        internal/goarch                                              from crypto/aes+
-        internal/godebug                                             from archive/tar+
-        internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from runtime
-        internal/goos                                                from crypto/x509+
-        internal/itoa                                                from internal/poll+
-        internal/msan                                                from syscall
-        internal/nettrace                                            from net+
-        internal/oserror                                             from io/fs+
-        internal/poll                                                from net+
-        internal/profilerecord                                       from runtime
-        internal/race                                                from internal/poll+
-        internal/reflectlite                                         from context+
-        internal/runtime/atomic                                      from internal/runtime/exithook+
-        internal/runtime/exithook                                    from runtime
-   L    internal/runtime/syscall                                     from runtime+
-        internal/saferio                                             from debug/pe+
-        internal/singleflight                                        from net
-        internal/stringslite                                         from embed+
-        internal/syscall/execenv                                     from os+
-  LD    internal/syscall/unix                                        from crypto/rand+
-   W    internal/syscall/windows                                     from crypto/rand+
-   W    internal/syscall/windows/registry                            from mime+
-   W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
-        internal/testlog                                             from os
-        internal/unsafeheader                                        from internal/reflectlite+
-        internal/weak                                                from unique
        io                                                           from archive/tar+
        io/fs                                                        from archive/tar+
        io/ioutil                                                    from github.com/mitchellh/go-ps+
@@ -363,7 +308,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        net/http/httptrace                                           from golang.org/x/net/http2+
        net/http/httputil                                            from tailscale.com/client/web+
        net/http/internal                                            from net/http+
-        net/http/internal/ascii                                      from net/http+
        net/netip                                                    from go4.org/netipx+
        net/textproto                                                from golang.org/x/net/http/httpguts+
        net/url                                                      from crypto/x509+
@@ -376,10 +320,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        reflect                                                      from archive/tar+
        regexp                                                       from github.com/coreos/go-iptables/iptables+
        regexp/syntax                                                from regexp
-        runtime                                                      from archive/tar+
        runtime/debug                                                from tailscale.com+
-        runtime/internal/math                                        from runtime
-        runtime/internal/sys                                         from runtime
        slices                                                       from tailscale.com/client/web+
        sort                                                         from compress/flate+
        strconv                                                      from archive/tar+
@@ -395,4 +336,3 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        unicode/utf16                                                from crypto/x509+
        unicode/utf8                                                 from bufio+
        unique                                                       from net/netip
-        unsafe                                                       from bytes+
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -152,6 +152,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   W 💣 github.com/tailscale/go-winio/internal/socket                from github.com/tailscale/go-winio
   W    github.com/tailscale/go-winio/internal/stringbuffer          from github.com/tailscale/go-winio/internal/fs
   W    github.com/tailscale/go-winio/pkg/guid                       from github.com/tailscale/go-winio+
+        github.com/tailscale/golang-x-crypto/acme                    from tailscale.com/ipn/ipnlocal
  LD    github.com/tailscale/golang-x-crypto/internal/poly1305       from github.com/tailscale/golang-x-crypto/ssh
  LD    github.com/tailscale/golang-x-crypto/ssh                     from tailscale.com/ipn/ipnlocal+
  LD    github.com/tailscale/golang-x-crypto/ssh/internal/bcrypt_pbkdf from github.com/tailscale/golang-x-crypto/ssh
@@ -259,7 +260,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/envknob                                        from tailscale.com/client/tailscale+
        tailscale.com/envknob/featureknob                            from tailscale.com/client/web+
        tailscale.com/feature                                        from tailscale.com/feature/wakeonlan+
-        tailscale.com/feature/capture                                from tailscale.com/feature/condregister
        tailscale.com/feature/condregister                           from tailscale.com/cmd/tailscaled
   L    tailscale.com/feature/tap                                    from tailscale.com/feature/condregister
        tailscale.com/feature/wakeonlan                              from tailscale.com/feature/condregister
@@ -273,7 +273,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/ipn/ipnlocal                                   from tailscale.com/cmd/tailscaled+
        tailscale.com/ipn/ipnserver                                  from tailscale.com/cmd/tailscaled
        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
-        tailscale.com/ipn/localapi                                   from tailscale.com/ipn/ipnserver+
+        tailscale.com/ipn/localapi                                   from tailscale.com/ipn/ipnserver
        tailscale.com/ipn/policy                                     from tailscale.com/ipn/ipnlocal
        tailscale.com/ipn/store                                      from tailscale.com/cmd/tailscaled+
   L    tailscale.com/ipn/store/awsstore                             from tailscale.com/ipn/store
@@ -338,10 +338,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/syncs                                          from tailscale.com/cmd/tailscaled+
        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
        tailscale.com/taildrop                                       from tailscale.com/ipn/ipnlocal+
-        tailscale.com/tempfork/acme                                  from tailscale.com/ipn/ipnlocal
  LD    tailscale.com/tempfork/gliderlabs/ssh                        from tailscale.com/ssh/tailssh
        tailscale.com/tempfork/heap                                  from tailscale.com/wgengine/magicsock
-        tailscale.com/tempfork/httprec                               from tailscale.com/control/controlclient
        tailscale.com/tka                                            from tailscale.com/client/tailscale+
        tailscale.com/tsconst                                        from tailscale.com/net/netmon+
        tailscale.com/tsd                                            from tailscale.com/cmd/tailscaled+
@@ -424,6 +422,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/version/distro                                 from tailscale.com/client/web+
   W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
        tailscale.com/wgengine                                       from tailscale.com/cmd/tailscaled+
+        tailscale.com/wgengine/capture                               from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
        tailscale.com/wgengine/filter/filtertype                     from tailscale.com/types/netmap+
     💣 tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
@@ -446,15 +445,12 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
        golang.org/x/crypto/curve25519                               from github.com/tailscale/golang-x-crypto/ssh+
        golang.org/x/crypto/hkdf                                     from crypto/tls+
-        golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
-        golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
        golang.org/x/crypto/sha3                                     from crypto/internal/mlkem768+
  LD    golang.org/x/crypto/ssh                                      from github.com/pkg/sftp+
-  LD    golang.org/x/crypto/ssh/internal/bcrypt_pbkdf                from golang.org/x/crypto/ssh
        golang.org/x/exp/constraints                                 from github.com/dblohm7/wingoes/pe+
        golang.org/x/exp/maps                                        from tailscale.com/ipn/store/mem+
        golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
@@ -466,10 +462,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/net/http2/hpack                                 from golang.org/x/net/http2+
        golang.org/x/net/icmp                                        from tailscale.com/net/ping+
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
-        golang.org/x/net/internal/httpcommon                         from golang.org/x/net/http2
-        golang.org/x/net/internal/iana                               from golang.org/x/net/icmp+
-        golang.org/x/net/internal/socket                             from golang.org/x/net/icmp+
-        golang.org/x/net/internal/socks                              from golang.org/x/net/proxy
        golang.org/x/net/ipv4                                        from github.com/miekg/dns+
        golang.org/x/net/ipv6                                        from github.com/miekg/dns+
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
@@ -509,18 +501,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        crypto/ed25519                                               from crypto/tls+
        crypto/elliptic                                              from crypto/ecdsa+
        crypto/hmac                                                  from crypto/tls+
-        crypto/internal/alias                                        from crypto/aes+
-        crypto/internal/bigmod                                       from crypto/ecdsa+
-        crypto/internal/boring                                       from crypto/aes+
-        crypto/internal/boring/bbig                                  from crypto/ecdsa+
-        crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/edwards25519                                 from crypto/ed25519
-        crypto/internal/edwards25519/field                           from crypto/ecdh+
-        crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/mlkem768                                     from crypto/tls
-        crypto/internal/nistec                                       from crypto/ecdh+
-        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
-        crypto/internal/randutil                                     from crypto/dsa+
        crypto/md5                                                   from crypto/tls+
        crypto/rand                                                  from crypto/ed25519+
        crypto/rc4                                                   from crypto/tls+
@@ -531,7 +511,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        crypto/subtle                                                from crypto/aes+
        crypto/tls                                                   from github.com/aws/aws-sdk-go-v2/aws/transport/http+
        crypto/x509                                                  from crypto/tls+
-   D    crypto/x509/internal/macos                                   from crypto/x509
        crypto/x509/pkix                                             from crypto/x509+
  DW    database/sql/driver                                          from github.com/google/uuid
   W    debug/dwarf                                                  from debug/pe
@@ -549,7 +528,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        encoding/xml                                                 from github.com/aws/aws-sdk-go-v2/aws/protocol/xml+
        errors                                                       from archive/tar+
        expvar                                                       from tailscale.com/derp+
-        flag                                                         from tailscale.com/cmd/tailscaled+
+        flag                                                         from net/http/httptest+
        fmt                                                          from archive/tar+
        hash                                                         from compress/zlib+
        hash/adler32                                                 from compress/zlib+
@@ -557,45 +536,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        hash/maphash                                                 from go4.org/mem
        html                                                         from html/template+
        html/template                                                from github.com/gorilla/csrf
-        internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from syscall
-        internal/bisect                                              from internal/godebug
-        internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/aes+
-        internal/chacha8rand                                         from math/rand/v2+
-        internal/concurrent                                          from unique
-        internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/aes+
-        internal/filepathlite                                        from os+
-        internal/fmtsort                                             from fmt+
-        internal/goarch                                              from crypto/aes+
-        internal/godebug                                             from archive/tar+
-        internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from runtime
-        internal/goos                                                from crypto/x509+
-        internal/itoa                                                from internal/poll+
-        internal/msan                                                from syscall
-        internal/nettrace                                            from net+
-        internal/oserror                                             from io/fs+
-        internal/poll                                                from net+
-        internal/profile                                             from net/http/pprof
-        internal/profilerecord                                       from runtime+
-        internal/race                                                from internal/poll+
-        internal/reflectlite                                         from context+
-        internal/runtime/atomic                                      from internal/runtime/exithook+
-        internal/runtime/exithook                                    from runtime
-   L    internal/runtime/syscall                                     from runtime+
-        internal/saferio                                             from debug/pe+
-        internal/singleflight                                        from net
-        internal/stringslite                                         from embed+
-        internal/syscall/execenv                                     from os+
-  LD    internal/syscall/unix                                        from crypto/rand+
-   W    internal/syscall/windows                                     from crypto/rand+
-   W    internal/syscall/windows/registry                            from mime+
-   W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
-        internal/testlog                                             from os
-        internal/unsafeheader                                        from internal/reflectlite+
-        internal/weak                                                from unique
        io                                                           from archive/tar+
        io/fs                                                        from archive/tar+
        io/ioutil                                                    from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
@@ -614,10 +554,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        mime/quotedprintable                                         from mime/multipart
        net                                                          from crypto/tls+
        net/http                                                     from expvar+
+        net/http/httptest                                            from tailscale.com/control/controlclient
        net/http/httptrace                                           from github.com/prometheus-community/pro-bing+
        net/http/httputil                                            from github.com/aws/smithy-go/transport/http+
        net/http/internal                                            from net/http+
-        net/http/internal/ascii                                      from net/http+
        net/http/pprof                                               from tailscale.com/cmd/tailscaled+
        net/netip                                                    from github.com/tailscale/wireguard-go/conn+
        net/textproto                                                from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
@@ -631,10 +571,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        reflect                                                      from archive/tar+
        regexp                                                       from github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn+
        regexp/syntax                                                from regexp
-        runtime                                                      from archive/tar+
        runtime/debug                                                from github.com/aws/aws-sdk-go-v2/internal/sync/singleflight+
-        runtime/internal/math                                        from runtime
-        runtime/internal/sys                                         from runtime
        runtime/pprof                                                from net/http/pprof+
        runtime/trace                                                from net/http/pprof
        slices                                                       from tailscale.com/appc+
@@ -652,4 +589,3 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        unicode/utf16                                                from crypto/x509+
        unicode/utf8                                                 from bufio+
        unique                                                       from net/netip
-        unsafe                                                       from bytes+
--- a/cmd/tailscaled/tailscaled_test.go
+++ b/cmd/tailscaled/tailscaled_test.go
@@ -22,8 +22,6 @@ func TestDeps(t *testing.T) {
 		BadDeps: map[string]string{
 			"testing":                        "do not use testing package in production code",
 			"gvisor.dev/gvisor/pkg/hostarch": "will crash on non-4K page sizes; see https://github.com/tailscale/tailscale/issues/8658",
-			"net/http/httptest":              "do not use httptest in production code",
-			"net/http/internal/testcert":     "do not use httptest in production code",
 		},
 	}.Check(t)

--- a/control/controlclient/auto.go
+++ b/control/controlclient/auto.go
@@ -21,7 +21,6 @@ import (
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/structs"
-	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/execqueue"
 )

@@ -132,8 +131,6 @@ type Auto struct {
 	// the server.
 	lastUpdateGen updateGen

-	lastStatus atomic.Pointer[Status]
-
 	paused         bool        // whether we should stop making HTTP requests
 	unpauseWaiters []chan bool // chans that gets sent true (once) on wake, or false on Shutdown
 	loggedIn       bool        // true if currently logged in
@@ -599,90 +596,21 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 		// not logged in.
 		nm = nil
 	}
-	newSt := &Status{
+	new := Status{
 		URL:     url,
 		Persist: p,
 		NetMap:  nm,
 		Err:     err,
 		state:   state,
 	}
-	c.lastStatus.Store(newSt)

 	// Launch a new goroutine to avoid blocking the caller while the observer
 	// does its thing, which may result in a call back into the client.
-	metricQueued.Add(1)
 	c.observerQueue.Add(func() {
-		if canSkipStatus(newSt, c.lastStatus.Load()) {
-			metricSkippable.Add(1)
-			if !c.direct.controlKnobs.DisableSkipStatusQueue.Load() {
-				metricSkipped.Add(1)
-				return
-			}
-		}
-		c.observer.SetControlClientStatus(c, *newSt)
-
-		// Best effort stop retaining the memory now that we've sent it to the
-		// observer (LocalBackend). We CAS here because the caller goroutine is
-		// doing a Store which we want to win a race. This is only a memory
-		// optimization and is not for correctness.
-		//
-		// If the CAS fails, that means somebody else's Store replaced our
-		// pointer (so mission accomplished: our netmap is no longer retained in
-		// any case) and that Store caller will be responsible for removing
-		// their own netmap (or losing their race too, down the chain).
-		// Eventually the last caller will win this CAS and zero lastStatus.
-		c.lastStatus.CompareAndSwap(newSt, nil)
+		c.observer.SetControlClientStatus(c, new)
 	})
 }

-var (
-	metricQueued    = clientmetric.NewCounter("controlclient_auto_status_queued")
-	metricSkippable = clientmetric.NewCounter("controlclient_auto_status_queue_skippable")
-	metricSkipped   = clientmetric.NewCounter("controlclient_auto_status_queue_skipped")
-)
-
-// canSkipStatus reports whether we can skip sending s1, knowing
-// that s2 is enqueued sometime in the future after s1.
-//
-// s1 must be non-nil. s2 may be nil.
-func canSkipStatus(s1, s2 *Status) bool {
-	if s2 == nil {
-		// Nothing in the future.
-		return false
-	}
-	if s1 == s2 {
-		// If the last item in the queue is the same as s1,
-		// we can't skip it.
-		return false
-	}
-	if s1.Err != nil || s1.URL != "" {
-		// If s1 has an error or a URL, we shouldn't skip it, lest the error go
-		// away in s2 or in-between. We want to make sure all the subsystems see
-		// it. Plus there aren't many of these, so not worth skipping.
-		return false
-	}
-	if !s1.Persist.Equals(s2.Persist) || s1.state != s2.state {
-		// If s1 has a different Persist or state than s2,
-		// don't skip it. We only care about skipping the typical
-		// entries where the only difference is the NetMap.
-		return false
-	}
-	// If nothing above precludes it, and both s1 and s2 have NetMaps, then
-	// we can skip it, because s2's NetMap is a newer version and we can
-	// jump straight from whatever state we had before to s2's state,
-	// without passing through s1's state first. A NetMap is regrettably a
-	// full snapshot of the state, not an incremental delta. We're slowly
-	// moving towards passing around only deltas around internally at all
-	// layers, but this is explicitly the case where we didn't have a delta
-	// path for the message we received over the wire and had to resort
-	// to the legacy full NetMap path. And then we can get behind processing
-	// these full NetMap snapshots in LocalBackend/wgengine/magicsock/netstack
-	// and this path (when it returns true) lets us skip over useless work
-	// and not get behind in the queue. This matters in particular for tailnets
-	// that are both very large + very churny.
-	return s1.NetMap != nil && s2.NetMap != nil
-}
-
 func (c *Auto) Login(flags LoginFlags) {
 	c.logf("client.Login(%v)", flags)

--- a/control/controlclient/controlclient_test.go
+++ b/control/controlclient/controlclient_test.go
@@ -4,13 +4,8 @@
 package controlclient

 import (
-	"io"
 	"reflect"
-	"slices"
 	"testing"
-
-	"tailscale.com/types/netmap"
-	"tailscale.com/types/persist"
 )

 func fieldsOf(t reflect.Type) (fields []string) {
@@ -67,83 +62,3 @@ func TestStatusEqual(t *testing.T) {
 		}
 	}
 }
-
-// tests [canSkipStatus].
-func TestCanSkipStatus(t *testing.T) {
-	st := new(Status)
-	nm1 := &netmap.NetworkMap{}
-	nm2 := &netmap.NetworkMap{}
-
-	tests := []struct {
-		name   string
-		s1, s2 *Status
-		want   bool
-	}{
-		{
-			name: "nil-s2",
-			s1:   st,
-			s2:   nil,
-			want: false,
-		},
-		{
-			name: "equal",
-			s1:   st,
-			s2:   st,
-			want: false,
-		},
-		{
-			name: "s1-error",
-			s1:   &Status{Err: io.EOF, NetMap: nm1},
-			s2:   &Status{NetMap: nm2},
-			want: false,
-		},
-		{
-			name: "s1-url",
-			s1:   &Status{URL: "foo", NetMap: nm1},
-			s2:   &Status{NetMap: nm2},
-			want: false,
-		},
-		{
-			name: "s1-persist-diff",
-			s1:   &Status{Persist: new(persist.Persist).View(), NetMap: nm1},
-			s2:   &Status{NetMap: nm2},
-			want: false,
-		},
-		{
-			name: "s1-state-diff",
-			s1:   &Status{state: 123, NetMap: nm1},
-			s2:   &Status{NetMap: nm2},
-			want: false,
-		},
-		{
-			name: "s1-no-netmap1",
-			s1:   &Status{NetMap: nil},
-			s2:   &Status{NetMap: nm2},
-			want: false,
-		},
-		{
-			name: "s1-no-netmap2",
-			s1:   &Status{NetMap: nm1},
-			s2:   &Status{NetMap: nil},
-			want: false,
-		},
-		{
-			name: "skip",
-			s1:   &Status{NetMap: nm1},
-			s2:   &Status{NetMap: nm2},
-			want: true,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := canSkipStatus(tt.s1, tt.s2); got != tt.want {
-				t.Errorf("canSkipStatus = %v, want %v", got, tt.want)
-			}
-		})
-	}
-
-	want := []string{"Err", "URL", "NetMap", "Persist", "state"}
-	if f := fieldsOf(reflect.TypeFor[Status]()); !slices.Equal(f, want) {
-		t.Errorf("Status fields = %q; this code was only written to handle fields %q", f, want)
-	}
-}
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -15,6 +15,7 @@ import (
 	"log"
 	"net"
 	"net/http"
+	"net/http/httptest"
 	"net/netip"
 	"net/url"
 	"os"
@@ -41,7 +42,6 @@ import (
 	"tailscale.com/net/tsdial"
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/tailcfg"
-	"tailscale.com/tempfork/httprec"
 	"tailscale.com/tka"
 	"tailscale.com/tstime"
 	"tailscale.com/types/key"
@@ -1384,7 +1384,7 @@ func answerC2NPing(logf logger.Logf, c2nHandler http.Handler, c *http.Client, pr
 	handlerCtx, cancel := context.WithTimeout(context.Background(), handlerTimeout)
 	defer cancel()
 	hreq = hreq.WithContext(handlerCtx)
-	rec := httprec.NewRecorder()
+	rec := httptest.NewRecorder()
 	c2nHandler.ServeHTTP(rec, hreq)
 	cancel()

--- a/control/controlclient/map.go
+++ b/control/controlclient/map.go
@@ -195,6 +195,10 @@ func (ms *mapSession) HandleNonKeepAliveMapResponse(ctx context.Context, resp *t

 	ms.updateStateFromResponse(resp)

+	// Occasionally clean up old userprofile if it grows too much
+	// from e.g. ephemeral tagged nodes.
+	ms.cleanLastUserProfile()
+
 	if ms.tryHandleIncrementally(resp) {
 		ms.occasionallyPrintSummary(ms.lastNetmapSummary)
 		return nil
@@ -292,20 +296,10 @@ func (ms *mapSession) updateStateFromResponse(resp *tailcfg.MapResponse) {
 	for _, up := range resp.UserProfiles {
 		ms.lastUserProfile[up.ID] = up
 	}
-	// TODO(bradfitz): clean up old user profiles? maybe not worth it.

 	if dm := resp.DERPMap; dm != nil {
 		ms.vlogf("netmap: new map contains DERP map")

-		// Guard against the control server accidentally sending
-		// a nil region definition, which at least Headscale was
-		// observed to send.
-		for rid, r := range dm.Regions {
-			if r == nil {
-				delete(dm.Regions, rid)
-			}
-		}
-
 		// Zero-valued fields in a DERPMap mean that we're not changing
 		// anything and are using the previous value(s).
 		if ldm := ms.lastDERPMap; ldm != nil {
@@ -541,6 +535,32 @@ func (ms *mapSession) addUserProfile(nm *netmap.NetworkMap, userID tailcfg.UserI
 	}
 }

+// cleanLastUserProfile deletes any entries from lastUserProfile
+// that are not referenced by any peer or the self node.
+//
+// This is expensive enough that we don't do this on every message
+// from the server, but only when it's grown enough to matter.
+func (ms *mapSession) cleanLastUserProfile() {
+	if len(ms.lastUserProfile) < len(ms.peers)*2 {
+		// Hasn't grown enough to be worth cleaning.
+		return
+	}
+
+	keep := set.Set[tailcfg.UserID]{}
+	if node := ms.lastNode; node.Valid() {
+		keep.Add(node.User())
+	}
+	for _, n := range ms.peers {
+		keep.Add(n.User())
+		keep.Add(n.Sharer())
+	}
+	for userID := range ms.lastUserProfile {
+		if !keep.Contains(userID) {
+			delete(ms.lastUserProfile, userID)
+		}
+	}
+}
+
 var debugPatchifyPeer = envknob.RegisterBool("TS_DEBUG_PATCHIFY_PEER")

 // patchifyPeersChanged mutates resp to promote PeersChanged entries to PeersChangedPatch
--- a/control/controlknobs/controlknobs.go
+++ b/control/controlknobs/controlknobs.go
@@ -6,8 +6,6 @@
 package controlknobs

 import (
-	"fmt"
-	"reflect"
 	"sync/atomic"

 	"tailscale.com/syncs"
@@ -105,11 +103,6 @@ type Knobs struct {
 	// DisableCaptivePortalDetection is whether the node should not perform captive portal detection
 	// automatically when the network state changes.
 	DisableCaptivePortalDetection atomic.Bool
-
-	// DisableSkipStatusQueue is whether the node should disable skipping
-	// of queued netmap.NetworkMap between the controlclient and LocalBackend.
-	// See tailscale/tailscale#14768.
-	DisableSkipStatusQueue atomic.Bool
 }

 // UpdateFromNodeAttributes updates k (if non-nil) based on the provided self
@@ -139,7 +132,6 @@ func (k *Knobs) UpdateFromNodeAttributes(capMap tailcfg.NodeCapMap) {
 		disableLocalDNSOverrideViaNRPT       = has(tailcfg.NodeAttrDisableLocalDNSOverrideViaNRPT)
 		disableCryptorouting                 = has(tailcfg.NodeAttrDisableMagicSockCryptoRouting)
 		disableCaptivePortalDetection        = has(tailcfg.NodeAttrDisableCaptivePortalDetection)
-		disableSkipStatusQueue               = has(tailcfg.NodeAttrDisableSkipStatusQueue)
 	)

 	if has(tailcfg.NodeAttrOneCGNATEnable) {
@@ -167,7 +159,6 @@ func (k *Knobs) UpdateFromNodeAttributes(capMap tailcfg.NodeCapMap) {
 	k.DisableLocalDNSOverrideViaNRPT.Store(disableLocalDNSOverrideViaNRPT)
 	k.DisableCryptorouting.Store(disableCryptorouting)
 	k.DisableCaptivePortalDetection.Store(disableCaptivePortalDetection)
-	k.DisableSkipStatusQueue.Store(disableSkipStatusQueue)
 }

 // AsDebugJSON returns k as something that can be marshalled with json.Marshal
@@ -176,19 +167,25 @@ func (k *Knobs) AsDebugJSON() map[string]any {
 	if k == nil {
 		return nil
 	}
-	ret := map[string]any{}
-	rt := reflect.TypeFor[Knobs]()
-	rv := reflect.ValueOf(k).Elem() // of *k
-	for i := 0; i < rt.NumField(); i++ {
-		name := rt.Field(i).Name
-		switch v := rv.Field(i).Addr().Interface().(type) {
-		case *atomic.Bool:
-			ret[name] = v.Load()
-		case *syncs.AtomicValue[opt.Bool]:
-			ret[name] = v.Load()
-		default:
-			panic(fmt.Sprintf("unknown field type %T for %v", v, name))
-		}
+	return map[string]any{
+		"DisableUPnP":                          k.DisableUPnP.Load(),
+		"KeepFullWGConfig":                     k.KeepFullWGConfig.Load(),
+		"RandomizeClientPort":                  k.RandomizeClientPort.Load(),
+		"OneCGNAT":                             k.OneCGNAT.Load(),
+		"ForceBackgroundSTUN":                  k.ForceBackgroundSTUN.Load(),
+		"DisableDeltaUpdates":                  k.DisableDeltaUpdates.Load(),
+		"PeerMTUEnable":                        k.PeerMTUEnable.Load(),
+		"DisableDNSForwarderTCPRetries":        k.DisableDNSForwarderTCPRetries.Load(),
+		"SilentDisco":                          k.SilentDisco.Load(),
+		"LinuxForceIPTables":                   k.LinuxForceIPTables.Load(),
+		"LinuxForceNfTables":                   k.LinuxForceNfTables.Load(),
+		"SeamlessKeyRenewal":                   k.SeamlessKeyRenewal.Load(),
+		"ProbeUDPLifetime":                     k.ProbeUDPLifetime.Load(),
+		"AppCStoreRoutes":                      k.AppCStoreRoutes.Load(),
+		"UserDialUseRoutes":                    k.UserDialUseRoutes.Load(),
+		"DisableSplitDNSWhenNoCustomResolvers": k.DisableSplitDNSWhenNoCustomResolvers.Load(),
+		"DisableLocalDNSOverrideViaNRPT":       k.DisableLocalDNSOverrideViaNRPT.Load(),
+		"DisableCryptorouting":                 k.DisableCryptorouting.Load(),
+		"DisableCaptivePortalDetection":        k.DisableCaptivePortalDetection.Load(),
 	}
-	return ret
 }
--- a/control/controlknobs/controlknobs_test.go
+++ b/control/controlknobs/controlknobs_test.go
@@ -6,8 +6,6 @@ package controlknobs
 import (
 	"reflect"
 	"testing"
-
-	"tailscale.com/types/logger"
 )

 func TestAsDebugJSON(t *testing.T) {
@@ -20,5 +18,4 @@ func TestAsDebugJSON(t *testing.T) {
 	if want := reflect.TypeFor[Knobs]().NumField(); len(got) != want {
 		t.Errorf("AsDebugJSON map has %d fields; want %v", len(got), want)
 	}
-	t.Logf("Got: %v", logger.AsJSON(got))
 }
--- a/envknob/featureknob/featureknob.go
+++ b/envknob/featureknob/featureknob.go
@@ -55,7 +55,8 @@ func CanRunTailscaleSSH() error {
 func CanUseExitNode() error {
 	switch dist := distro.Get(); dist {
 	case distro.Synology, // see https://github.com/tailscale/tailscale/issues/1995
-		distro.QNAP:
+		distro.QNAP,
+		distro.Unraid:
 		return errors.New("Tailscale exit nodes cannot be used on " + string(dist))
 	}

--- a/feature/capture/dissector/dissector.go
+++ b/feature/capture/dissector/dissector.go
@@ -1,12 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package dissector contains the Lua dissector for Tailscale packets.
-package dissector
-
-import (
-	_ "embed"
-)
-
-//go:embed ts-dissector.lua
-var Lua string
--- a/feature/condregister/maybe_capture.go
+++ b/feature/condregister/maybe_capture.go
@@ -1,8 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !ios && !ts_omit_capture
-
-package condregister
-
-import _ "tailscale.com/feature/capture"
--- a/go.mod
+++ b/go.mod
@@ -74,7 +74,7 @@ require (
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/studio-b12/gowebdav v0.9.0
 	github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e
-	github.com/tailscale/depaware v0.0.0-20250112153213-b748de04d81b
+	github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502
 	github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
 	github.com/tailscale/golang-x-crypto v0.0.0-20240604161659-3fde5e568aa4
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05
@@ -82,7 +82,7 @@ require (
 	github.com/tailscale/mkctr v0.0.0-20250110151924-54977352e4a6
 	github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7
 	github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc
-	github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976
+	github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1
 	github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6
 	github.com/tailscale/wireguard-go v0.0.0-20250107165329-0b8b35511f19
 	github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e
@@ -94,14 +94,14 @@ require (
 	go.uber.org/zap v1.27.0
 	go4.org/mem v0.0.0-20240501181205-ae6ca9944745
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.33.0
+	golang.org/x/crypto v0.32.0
 	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8
 	golang.org/x/mod v0.22.0
-	golang.org/x/net v0.35.0
+	golang.org/x/net v0.34.0
 	golang.org/x/oauth2 v0.25.0
-	golang.org/x/sync v0.11.0
-	golang.org/x/sys v0.30.0
-	golang.org/x/term v0.29.0
+	golang.org/x/sync v0.10.0
+	golang.org/x/sys v0.29.1-0.20250107080300-1c14dcadc3ab
+	golang.org/x/term v0.28.0
 	golang.org/x/time v0.9.0
 	golang.org/x/tools v0.29.0
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
@@ -265,7 +265,7 @@ require (
 	github.com/gordonklaus/ineffassign v0.1.0 // indirect
 	github.com/goreleaser/chglog v0.5.0 // indirect
 	github.com/goreleaser/fileglob v1.3.0 // indirect
-	github.com/gorilla/csrf v1.7.3-0.20250123201450-9dd6af1f6d30
+	github.com/gorilla/csrf v1.7.2
 	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
 	github.com/gostaticanalysis/comment v1.4.2 // indirect
 	github.com/gostaticanalysis/forcetypeassert v0.1.0 // indirect
@@ -385,7 +385,7 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect
 	golang.org/x/image v0.23.0 // indirect
-	golang.org/x/text v0.22.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
--- a/go.sum
+++ b/go.sum
@@ -529,8 +529,8 @@ github.com/goreleaser/fileglob v1.3.0 h1:/X6J7U8lbDpQtBvGcwwPS6OpzkNVlVEsFUVRx9+
 github.com/goreleaser/fileglob v1.3.0/go.mod h1:Jx6BoXv3mbYkEzwm9THo7xbr5egkAraxkGorbJb4RxU=
 github.com/goreleaser/nfpm/v2 v2.33.1 h1:EkdAzZyVhAI9JC1vjmjjbmnNzyH1J6Cu4JCsA7YcQuc=
 github.com/goreleaser/nfpm/v2 v2.33.1/go.mod h1:8wwWWvJWmn84xo/Sqiv0aMvEGTHlHZTXTEuVSgQpkIM=
-github.com/gorilla/csrf v1.7.3-0.20250123201450-9dd6af1f6d30 h1:fiJdrgVBkjZ5B1HJ2WQwNOaXB+QyYcNXTA3t1XYLz0M=
-github.com/gorilla/csrf v1.7.3-0.20250123201450-9dd6af1f6d30/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
+github.com/gorilla/csrf v1.7.2 h1:oTUjx0vyf2T+wkrx09Trsev1TE+/EbDAeHtSTbtC2eI=
+github.com/gorilla/csrf v1.7.2/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/gostaticanalysis/analysisutil v0.7.1 h1:ZMCjoue3DtDWQ5WyU16YbjbQEQ3VuzwxALrpYd+HeKk=
@@ -915,8 +915,8 @@ github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c h1:+aPplB
 github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c/go.mod h1:SbErYREK7xXdsRiigaQiQkI9McGRzYMvlKYaP3Nimdk=
 github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e h1:PtWT87weP5LWHEY//SWsYkSO3RWRZo4OSWagh3YD2vQ=
 github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e/go.mod h1:XrBNfAFN+pwoWuksbFS9Ccxnopa15zJGgXRFN90l3K4=
-github.com/tailscale/depaware v0.0.0-20250112153213-b748de04d81b h1:ewWb4cA+YO9/3X+v5UhdV+eKFsNBOPcGRh39Glshx/4=
-github.com/tailscale/depaware v0.0.0-20250112153213-b748de04d81b/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
+github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502 h1:34icjjmqJ2HPjrSuJYEkdZ+0ItmGQAQ75cRHIiftIyE=
+github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 h1:Gzfnfk2TWrk8Jj4P4c1a3CtQyMaTVCznlkLZI++hok4=
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55/go.mod h1:4k4QO+dQ3R5FofL+SanAUZe+/QfeK0+OIuwDIRu2vSg=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41 h1:/V2rCMMWcsjYaYO2MeovLw+ClP63OtXgCF2Y1eb8+Ns=
@@ -933,8 +933,8 @@ github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 h1:uFsXVBE9Qr4
 github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
 github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc h1:24heQPtnFR+yfntqhI3oAu9i27nEojcQ4NuBQOo5ZFA=
 github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc/go.mod h1:f93CXfllFsO9ZQVq+Zocb1Gp4G5Fz0b0rXHLOzt/Djc=
-github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 h1:UBPHPtv8+nEAy2PD8RyAhOYvau1ek0HDJqLS/Pysi14=
-github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
+github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1 h1:tdUdyPqJ0C97SJfjB9tW6EylTtreyee9C44de+UBG0g=
+github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
 github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6 h1:l10Gi6w9jxvinoiq15g8OToDdASBni4CyJOdHY1Hr8M=
 github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6/go.mod h1:ZXRML051h7o4OcI0d3AaILDIad/Xw0IkXaHM17dic1Y=
 github.com/tailscale/wireguard-go v0.0.0-20250107165329-0b8b35511f19 h1:BcEJP2ewTIK2ZCsqgl6YGpuO6+oKqqag5HHb7ehljKw=
@@ -1058,8 +1058,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
-golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
+golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1148,8 +1148,8 @@ golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
-golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
+golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
+golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1171,8 +1171,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
-golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1231,16 +1231,16 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.29.1-0.20250107080300-1c14dcadc3ab h1:BMkEEWYOjkvOX7+YKOGbp6jCyQ5pR2j0Ah47p1Vdsx4=
+golang.org/x/sys v0.29.1-0.20250107080300-1c14dcadc3ab/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
-golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
+golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
+golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1251,8 +1251,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
-golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
--- a/go.toolchain.rev
+++ b/go.toolchain.rev
@@ -1 +1 @@
-64f7854906c3121fe3ada3d05f1936d3420d6ffa
+161c3b79ed91039e65eb148f2547dea6b91e2247
--- a/health/health.go
+++ b/health/health.go
@@ -22,7 +22,6 @@ import (
 	"tailscale.com/envknob"
 	"tailscale.com/metrics"
 	"tailscale.com/tailcfg"
-	"tailscale.com/tstime"
 	"tailscale.com/types/opt"
 	"tailscale.com/util/cibuild"
 	"tailscale.com/util/mak"
@@ -74,8 +73,6 @@ type Tracker struct {
 	// mu should not be held during init.
 	initOnce sync.Once

-	testClock tstime.Clock // nil means use time.Now / tstime.StdClock{}
-
 	// mu guards everything that follows.
 	mu sync.Mutex

@@ -83,13 +80,13 @@ type Tracker struct {
 	warnableVal map[*Warnable]*warningState
 	// pendingVisibleTimers contains timers for Warnables that are unhealthy, but are
 	// not visible to the user yet, because they haven't been unhealthy for TimeToVisible
-	pendingVisibleTimers map[*Warnable]tstime.TimerController
+	pendingVisibleTimers map[*Warnable]*time.Timer

 	// sysErr maps subsystems to their current error (or nil if the subsystem is healthy)
 	// Deprecated: using Warnables should be preferred
 	sysErr   map[Subsystem]error
 	watchers set.HandleSet[func(*Warnable, *UnhealthyState)] // opt func to run if error state changes
-	timer    tstime.TimerController
+	timer    *time.Timer

 	latestVersion   *tailcfg.ClientVersion // or nil
 	checkForUpdates bool
@@ -118,20 +115,6 @@ type Tracker struct {
 	metricHealthMessage     *metrics.MultiLabelMap[metricHealthMessageLabel]
 }

-func (t *Tracker) now() time.Time {
-	if t.testClock != nil {
-		return t.testClock.Now()
-	}
-	return time.Now()
-}
-
-func (t *Tracker) clock() tstime.Clock {
-	if t.testClock != nil {
-		return t.testClock
-	}
-	return tstime.StdClock{}
-}
-
 // Subsystem is the name of a subsystem whose health can be monitored.
 //
 // Deprecated: Registering a Warnable using Register() and updating its health state
@@ -231,11 +214,9 @@ type Warnable struct {
 	// TODO(angott): turn this into a SeverityFunc, which allows the Warnable to change its severity based on
 	// the Args of the unhappy state, just like we do in the Text function.
 	Severity Severity
-	// DependsOn is a set of Warnables that this Warnable depends on and need to be healthy
-	// before this Warnable is relevant. The GUI can use this information to ignore
+	// DependsOn is a set of Warnables that this Warnable depends, on and need to be healthy
+	// before this Warnable can also be healthy again. The GUI can use this information to ignore
 	// this Warnable if one of its dependencies is unhealthy.
-	// That is, if any of these Warnables are unhealthy, then this Warnable is not relevant
-	// and should be considered healthy to bother the user about.
 	DependsOn []*Warnable

 	// MapDebugFlag is a MapRequest.DebugFlag that is sent to control when this Warnable is unhealthy
@@ -328,11 +309,11 @@ func (ws *warningState) Equal(other *warningState) bool {

 // IsVisible returns whether the Warnable should be visible to the user, based on the TimeToVisible
 // field of the Warnable and the BrokenSince time when the Warnable became unhealthy.
-func (w *Warnable) IsVisible(ws *warningState, clockNow func() time.Time) bool {
+func (w *Warnable) IsVisible(ws *warningState) bool {
 	if ws == nil || w.TimeToVisible == 0 {
 		return true
 	}
-	return clockNow().Sub(ws.BrokenSince) >= w.TimeToVisible
+	return time.Since(ws.BrokenSince) >= w.TimeToVisible
 }

 // SetMetricsRegistry sets up the metrics for the Tracker. It takes
@@ -382,7 +363,7 @@ func (t *Tracker) setUnhealthyLocked(w *Warnable, args Args) {

 	// If we already have a warningState for this Warnable with an earlier BrokenSince time, keep that
 	// BrokenSince time.
-	brokenSince := t.now()
+	brokenSince := time.Now()
 	if existingWS := t.warnableVal[w]; existingWS != nil {
 		brokenSince = existingWS.BrokenSince
 	}
@@ -401,15 +382,15 @@ func (t *Tracker) setUnhealthyLocked(w *Warnable, args Args) {
 			// If the Warnable has been unhealthy for more than its TimeToVisible, the callback should be
 			// executed immediately. Otherwise, the callback should be enqueued to run once the Warnable
 			// becomes visible.
-			if w.IsVisible(ws, t.now) {
+			if w.IsVisible(ws) {
 				go cb(w, w.unhealthyState(ws))
 				continue
 			}

 			// The time remaining until the Warnable will be visible to the user is the TimeToVisible
 			// minus the time that has already passed since the Warnable became unhealthy.
-			visibleIn := w.TimeToVisible - t.now().Sub(brokenSince)
-			var tc tstime.TimerController = t.clock().AfterFunc(visibleIn, func() {
+			visibleIn := w.TimeToVisible - time.Since(brokenSince)
+			mak.Set(&t.pendingVisibleTimers, w, time.AfterFunc(visibleIn, func() {
 				t.mu.Lock()
 				defer t.mu.Unlock()
 				// Check if the Warnable is still unhealthy, as it could have become healthy between the time
@@ -418,8 +399,7 @@ func (t *Tracker) setUnhealthyLocked(w *Warnable, args Args) {
 					go cb(w, w.unhealthyState(ws))
 					delete(t.pendingVisibleTimers, w)
 				}
-			})
-			mak.Set(&t.pendingVisibleTimers, w, tc)
+			}))
 		}
 	}
 }
@@ -494,7 +474,7 @@ func (t *Tracker) RegisterWatcher(cb func(w *Warnable, r *UnhealthyState)) (unre
 	}
 	handle := t.watchers.Add(cb)
 	if t.timer == nil {
-		t.timer = t.clock().AfterFunc(time.Minute, t.timerSelfCheck)
+		t.timer = time.AfterFunc(time.Minute, t.timerSelfCheck)
 	}
 	return func() {
 		t.mu.Lock()
@@ -658,10 +638,10 @@ func (t *Tracker) GotStreamedMapResponse() {
 	}
 	t.mu.Lock()
 	defer t.mu.Unlock()
-	t.lastStreamedMapResponse = t.now()
+	t.lastStreamedMapResponse = time.Now()
 	if !t.inMapPoll {
 		t.inMapPoll = true
-		t.inMapPollSince = t.now()
+		t.inMapPollSince = time.Now()
 	}
 	t.selfCheckLocked()
 }
@@ -678,7 +658,7 @@ func (t *Tracker) SetOutOfPollNetMap() {
 		return
 	}
 	t.inMapPoll = false
-	t.lastMapPollEndedAt = t.now()
+	t.lastMapPollEndedAt = time.Now()
 	t.selfCheckLocked()
 }

@@ -720,7 +700,7 @@ func (t *Tracker) NoteMapRequestHeard(mr *tailcfg.MapRequest) {
 	// against SetMagicSockDERPHome and
 	// SetDERPRegionConnectedState

-	t.lastMapRequestHeard = t.now()
+	t.lastMapRequestHeard = time.Now()
 	t.selfCheckLocked()
 }

@@ -758,7 +738,7 @@ func (t *Tracker) NoteDERPRegionReceivedFrame(region int) {
 	}
 	t.mu.Lock()
 	defer t.mu.Unlock()
-	mak.Set(&t.derpRegionLastFrame, region, t.now())
+	mak.Set(&t.derpRegionLastFrame, region, time.Now())
 	t.selfCheckLocked()
 }

@@ -817,9 +797,9 @@ func (t *Tracker) SetIPNState(state string, wantRunning bool) {
 		// The first time we see wantRunning=true and it used to be false, it means the user requested
 		// the backend to start. We store this timestamp and use it to silence some warnings that are
 		// expected during startup.
-		t.ipnWantRunningLastTrue = t.now()
+		t.ipnWantRunningLastTrue = time.Now()
 		t.setUnhealthyLocked(warmingUpWarnable, nil)
-		t.clock().AfterFunc(warmingUpWarnableDuration, func() {
+		time.AfterFunc(warmingUpWarnableDuration, func() {
 			t.mu.Lock()
 			t.updateWarmingUpWarnableLocked()
 			t.mu.Unlock()
@@ -956,13 +936,10 @@ func (t *Tracker) Strings() []string {
 func (t *Tracker) stringsLocked() []string {
 	result := []string{}
 	for w, ws := range t.warnableVal {
-		if !w.IsVisible(ws, t.now) {
+		if !w.IsVisible(ws) {
 			// Do not append invisible warnings.
 			continue
 		}
-		if t.isEffectivelyHealthyLocked(w) {
-			continue
-		}
 		if ws.Args == nil {
 			result = append(result, w.Text(Args{}))
 		} else {
@@ -1028,7 +1005,7 @@ func (t *Tracker) updateBuiltinWarnablesLocked() {
 		t.setHealthyLocked(localLogWarnable)
 	}

-	now := t.now()
+	now := time.Now()

 	// How long we assume we'll have heard a DERP frame or a MapResponse
 	// KeepAlive by.
@@ -1038,10 +1015,8 @@ func (t *Tracker) updateBuiltinWarnablesLocked() {
 	recentlyOn := now.Sub(t.ipnWantRunningLastTrue) < 5*time.Second

 	homeDERP := t.derpHomeRegion
-	if recentlyOn || !t.inMapPoll {
+	if recentlyOn {
 		// If user just turned Tailscale on, don't warn for a bit.
-		// Also, if we're not in a map poll, that means we don't yet
-		// have a DERPMap or aren't in a state where we even want
 		t.setHealthyLocked(noDERPHomeWarnable)
 		t.setHealthyLocked(noDERPConnectionWarnable)
 		t.setHealthyLocked(derpTimeoutWarnable)
@@ -1190,7 +1165,7 @@ func (t *Tracker) updateBuiltinWarnablesLocked() {
 // updateWarmingUpWarnableLocked ensures the warmingUpWarnable is healthy if wantRunning has been set to true
 // for more than warmingUpWarnableDuration.
 func (t *Tracker) updateWarmingUpWarnableLocked() {
-	if !t.ipnWantRunningLastTrue.IsZero() && t.now().After(t.ipnWantRunningLastTrue.Add(warmingUpWarnableDuration)) {
+	if !t.ipnWantRunningLastTrue.IsZero() && time.Now().After(t.ipnWantRunningLastTrue.Add(warmingUpWarnableDuration)) {
 		t.setHealthyLocked(warmingUpWarnable)
 	}
 }
@@ -1302,7 +1277,7 @@ func (t *Tracker) LastNoiseDialWasRecent() bool {
 	t.mu.Lock()
 	defer t.mu.Unlock()

-	now := t.now()
+	now := time.Now()
 	dur := now.Sub(t.lastNoiseDial)
 	t.lastNoiseDial = now
 	return dur < 2*time.Minute
--- a/health/health_test.go
+++ b/health/health_test.go
@@ -12,7 +12,6 @@ import (
 	"time"

 	"tailscale.com/tailcfg"
-	"tailscale.com/tstest"
 	"tailscale.com/types/opt"
 	"tailscale.com/util/usermetric"
 	"tailscale.com/version"
@@ -258,15 +257,9 @@ func TestCheckDependsOnAppearsInUnhealthyState(t *testing.T) {
 	}
 	ht.SetUnhealthy(w2, Args{ArgError: "w2 is also unhealthy now"})
 	us2, ok := ht.CurrentState().Warnings[w2.Code]
-	if ok {
-		t.Fatalf("Saw w2 being unhealthy but it shouldn't be, as it depends on unhealthy w1")
-	}
-	ht.SetHealthy(w1)
-	us2, ok = ht.CurrentState().Warnings[w2.Code]
 	if !ok {
-		t.Fatalf("w2 wasn't unhealthy; want it to be unhealthy now that w1 is back healthy")
+		t.Fatalf("Expected an UnhealthyState for w2, got nothing")
 	}
-
 	wantDependsOn = slices.Concat([]WarnableCode{w1.Code}, wantDependsOn)
 	if !reflect.DeepEqual(us2.DependsOn, wantDependsOn) {
 		t.Fatalf("Expected DependsOn = %v in the unhealthy state, got: %v", wantDependsOn, us2.DependsOn)
@@ -407,47 +400,3 @@ func TestHealthMetric(t *testing.T) {
 		})
 	}
 }
-
-// TestNoDERPHomeWarnable checks that we don't
-// complain about no DERP home if we're not in a
-// map poll.
-func TestNoDERPHomeWarnable(t *testing.T) {
-	t.Skip("TODO: fix https://github.com/tailscale/tailscale/issues/14798 to make this test not deadlock")
-	clock := tstest.NewClock(tstest.ClockOpts{
-		Start:          time.Unix(123, 0),
-		FollowRealTime: false,
-	})
-	ht := &Tracker{
-		testClock: clock,
-	}
-	ht.SetIPNState("NeedsLogin", true)
-
-	// Advance 30 seconds to get past the "recentlyLoggedIn" check.
-	clock.Advance(30 * time.Second)
-	ht.updateBuiltinWarnablesLocked()
-
-	// Advance to get past the the TimeToVisible delay.
-	clock.Advance(noDERPHomeWarnable.TimeToVisible * 2)
-
-	ht.updateBuiltinWarnablesLocked()
-	if ws, ok := ht.CurrentState().Warnings[noDERPHomeWarnable.Code]; ok {
-		t.Fatalf("got unexpected noDERPHomeWarnable warnable: %v", ws)
-	}
-}
-
-// TestNoDERPHomeWarnableManual is like TestNoDERPHomeWarnable
-// but doesn't use tstest.Clock so avoids the deadlock
-// I hit: https://github.com/tailscale/tailscale/issues/14798
-func TestNoDERPHomeWarnableManual(t *testing.T) {
-	ht := &Tracker{}
-	ht.SetIPNState("NeedsLogin", true)
-
-	// Avoid wantRunning:
-	ht.ipnWantRunningLastTrue = ht.ipnWantRunningLastTrue.Add(-10 * time.Second)
-	ht.updateBuiltinWarnablesLocked()
-
-	ws, ok := ht.warnableVal[noDERPHomeWarnable]
-	if ok {
-		t.Fatalf("got unexpected noDERPHomeWarnable warnable: %v", ws)
-	}
-}
--- a/health/state.go
+++ b/health/state.go
@@ -86,15 +86,10 @@ func (t *Tracker) CurrentState() *State {
 	wm := map[WarnableCode]UnhealthyState{}

 	for w, ws := range t.warnableVal {
-		if !w.IsVisible(ws, t.now) {
+		if !w.IsVisible(ws) {
 			// Skip invisible Warnables.
 			continue
 		}
-		if t.isEffectivelyHealthyLocked(w) {
-			// Skip Warnables that are unhealthy if they have dependencies
-			// that are unhealthy.
-			continue
-		}
 		wm[w.Code] = *w.unhealthyState(ws)
 	}

@@ -102,23 +97,3 @@ func (t *Tracker) CurrentState() *State {
 		Warnings: wm,
 	}
 }
-
-// isEffectivelyHealthyLocked reports whether w is effectively healthy.
-// That means it's either actually healthy or it has a dependency that
-// that's unhealthy, so we should treat w as healthy to not spam users
-// with multiple warnings when only the root cause is relevant.
-func (t *Tracker) isEffectivelyHealthyLocked(w *Warnable) bool {
-	if _, ok := t.warnableVal[w]; !ok {
-		// Warnable not found in the tracker. So healthy.
-		return true
-	}
-	for _, d := range w.DependsOn {
-		if !t.isEffectivelyHealthyLocked(d) {
-			// If one of our deps is unhealthy, we're healthy.
-			return true
-		}
-	}
-	// If we have no unhealthy deps and had warnableVal set,
-	// we're unhealthy.
-	return false
-}
--- a/ipn/ipnlocal/cert.go
+++ b/ipn/ipnlocal/cert.go
@@ -32,6 +32,7 @@ import (
 	"sync"
 	"time"

+	"github.com/tailscale/golang-x-crypto/acme"
 	"tailscale.com/atomicfile"
 	"tailscale.com/envknob"
 	"tailscale.com/hostinfo"
@@ -40,7 +41,6 @@ import (
 	"tailscale.com/ipn/store"
 	"tailscale.com/ipn/store/mem"
 	"tailscale.com/net/bakedroots"
-	"tailscale.com/tempfork/acme"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/testenv"
 	"tailscale.com/version"
@@ -659,9 +659,8 @@ func acmeClient(cs certStore) (*acme.Client, error) {
 	// LetsEncrypt), we should make sure that they support ARI extension (see
 	// shouldStartDomainRenewalARI).
 	return &acme.Client{
-		Key:          key,
-		UserAgent:    "tailscaled/" + version.Long(),
-		DirectoryURL: envknob.String("TS_DEBUG_ACME_DIRECTORY_URL"),
+		Key:       key,
+		UserAgent: "tailscaled/" + version.Long(),
 	}, nil
 }

--- a/ipn/ipnlocal/cert_test.go
+++ b/ipn/ipnlocal/cert_test.go
@@ -199,19 +199,3 @@ func TestShouldStartDomainRenewal(t *testing.T) {
 		})
 	}
 }
-
-func TestDebugACMEDirectoryURL(t *testing.T) {
-	for _, tc := range []string{"", "https://acme-staging-v02.api.letsencrypt.org/directory"} {
-		const setting = "TS_DEBUG_ACME_DIRECTORY_URL"
-		t.Run(tc, func(t *testing.T) {
-			t.Setenv(setting, tc)
-			ac, err := acmeClient(certStateStore{StateStore: new(mem.Store)})
-			if err != nil {
-				t.Fatalf("acmeClient creation err: %v", err)
-			}
-			if ac.DirectoryURL != tc {
-				t.Fatalf("acmeClient.DirectoryURL = %q, want %q", ac.DirectoryURL, tc)
-			}
-		})
-	}
-}
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -73,7 +73,6 @@ import (
 	"tailscale.com/net/netmon"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/netutil"
-	"tailscale.com/net/packet"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/net/tsdial"
 	"tailscale.com/paths"
@@ -116,6 +115,7 @@ import (
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
 	"tailscale.com/wgengine"
+	"tailscale.com/wgengine/capture"
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/magicsock"
 	"tailscale.com/wgengine/router"
@@ -209,7 +209,7 @@ type LocalBackend struct {
 	// Tailscale on port 5252.
 	exposeRemoteWebClientAtomicBool atomic.Bool
 	shutdownCalled                  bool // if Shutdown has been called
-	debugSink                       packet.CaptureSink
+	debugSink                       *capture.Sink
 	sockstatLogger                  *sockstatlog.Logger

 	// getTCPHandlerForFunnelFlow returns a handler for an incoming TCP flow for
@@ -948,40 +948,6 @@ func (b *LocalBackend) onHealthChange(w *health.Warnable, us *health.UnhealthySt
 	}
 }

-// GetOrSetCaptureSink returns the current packet capture sink, creating it
-// with the provided newSink function if it does not already exist.
-func (b *LocalBackend) GetOrSetCaptureSink(newSink func() packet.CaptureSink) packet.CaptureSink {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
-	if b.debugSink != nil {
-		return b.debugSink
-	}
-	s := newSink()
-	b.debugSink = s
-	b.e.InstallCaptureHook(s.CaptureCallback())
-	return s
-}
-
-func (b *LocalBackend) ClearCaptureSink() {
-	// Shut down & uninstall the sink if there are no longer
-	// any outputs on it.
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
-	select {
-	case <-b.ctx.Done():
-		return
-	default:
-	}
-	if b.debugSink != nil && b.debugSink.NumOutputs() == 0 {
-		s := b.debugSink
-		b.e.InstallCaptureHook(nil)
-		b.debugSink = nil
-		s.Close()
-	}
-}
-
 // Shutdown halts the backend and all its sub-components. The backend
 // can no longer be used after Shutdown returns.
 func (b *LocalBackend) Shutdown() {
@@ -1082,6 +1048,7 @@ func stripKeysFromPrefs(p ipn.PrefsView) ipn.PrefsView {
 	}

 	p2 := p.AsStruct()
+	p2.Persist.LegacyFrontendPrivateMachineKey = key.MachinePrivate{}
 	p2.Persist.PrivateNodeKey = key.NodePrivate{}
 	p2.Persist.OldPrivateNodeKey = key.NodePrivate{}
 	p2.Persist.NetworkLockKey = key.NLPrivate{}
@@ -3342,6 +3309,11 @@ func (b *LocalBackend) initMachineKeyLocked() (err error) {
 		return nil
 	}

+	var legacyMachineKey key.MachinePrivate
+	if p := b.pm.CurrentPrefs().Persist(); p.Valid() {
+		legacyMachineKey = p.LegacyFrontendPrivateMachineKey()
+	}
+
 	keyText, err := b.store.ReadState(ipn.MachineKeyStateKey)
 	if err == nil {
 		if err := b.machinePrivKey.UnmarshalText(keyText); err != nil {
@@ -3350,6 +3322,9 @@ func (b *LocalBackend) initMachineKeyLocked() (err error) {
 		if b.machinePrivKey.IsZero() {
 			return fmt.Errorf("invalid zero key stored in %v key of %v", ipn.MachineKeyStateKey, b.store)
 		}
+		if !legacyMachineKey.IsZero() && !legacyMachineKey.Equal(b.machinePrivKey) {
+			b.logf("frontend-provided legacy machine key ignored; used value from server state")
+		}
 		return nil
 	}
 	if err != ipn.ErrStateNotExist {
@@ -3359,8 +3334,12 @@ func (b *LocalBackend) initMachineKeyLocked() (err error) {
 	// If we didn't find one already on disk and the prefs already
 	// have a legacy machine key, use that. Otherwise generate a
 	// new one.
-	b.logf("generating new machine key")
-	b.machinePrivKey = key.NewMachine()
+	if !legacyMachineKey.IsZero() {
+		b.machinePrivKey = legacyMachineKey
+	} else {
+		b.logf("generating new machine key")
+		b.machinePrivKey = key.NewMachine()
+	}

 	keyText, _ = b.machinePrivKey.MarshalText()
 	if err := ipn.WriteState(b.store, ipn.MachineKeyStateKey, keyText); err != nil {
@@ -7175,6 +7154,48 @@ func (b *LocalBackend) ResetAuth() error {
 	return b.resetForProfileChangeLockedOnEntry(unlock)
 }

+// StreamDebugCapture writes a pcap stream of packets traversing
+// tailscaled to the provided response writer.
+func (b *LocalBackend) StreamDebugCapture(ctx context.Context, w io.Writer) error {
+	var s *capture.Sink
+
+	b.mu.Lock()
+	if b.debugSink == nil {
+		s = capture.New()
+		b.debugSink = s
+		b.e.InstallCaptureHook(s.LogPacket)
+	} else {
+		s = b.debugSink
+	}
+	b.mu.Unlock()
+
+	unregister := s.RegisterOutput(w)
+
+	select {
+	case <-ctx.Done():
+	case <-s.WaitCh():
+	}
+	unregister()
+
+	// Shut down & uninstall the sink if there are no longer
+	// any outputs on it.
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	select {
+	case <-b.ctx.Done():
+		return nil
+	default:
+	}
+	if b.debugSink != nil && b.debugSink.NumOutputs() == 0 {
+		s := b.debugSink
+		b.e.InstallCaptureHook(nil)
+		b.debugSink = nil
+		return s.Close()
+	}
+	return nil
+}
+
 func (b *LocalBackend) GetPeerEndpointChanges(ctx context.Context, ip netip.Addr) ([]magicsock.EndpointChange, error) {
 	pip, ok := b.e.PeerForIP(ip)
 	if !ok {
--- a/ipn/ipnlocal/state_test.go
+++ b/ipn/ipnlocal/state_test.go
@@ -949,6 +949,8 @@ func TestEditPrefsHasNoKeys(t *testing.T) {
 		Persist: &persist.Persist{
 			PrivateNodeKey:    key.NewNode(),
 			OldPrivateNodeKey: key.NewNode(),
+
+			LegacyFrontendPrivateMachineKey: key.NewMachine(),
 		},
 	}).View(), ipn.NetworkProfile{})
 	if p := b.pm.CurrentPrefs().Persist(); !p.Valid() || p.PrivateNodeKey().IsZero() {
@@ -975,6 +977,10 @@ func TestEditPrefsHasNoKeys(t *testing.T) {
 		t.Errorf("OldPrivateNodeKey = %v; want zero", p.Persist().OldPrivateNodeKey())
 	}

+	if !p.Persist().LegacyFrontendPrivateMachineKey().IsZero() {
+		t.Errorf("LegacyFrontendPrivateMachineKey = %v; want zero", p.Persist().LegacyFrontendPrivateMachineKey())
+	}
+
 	if !p.Persist().NetworkLockKey().IsZero() {
 		t.Errorf("NetworkLockKey= %v; want zero", p.Persist().NetworkLockKey())
 	}
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -68,12 +68,12 @@ import (
 	"tailscale.com/wgengine/magicsock"
 )

-type LocalAPIHandler func(*Handler, http.ResponseWriter, *http.Request)
+type localAPIHandler func(*Handler, http.ResponseWriter, *http.Request)

 // handler is the set of LocalAPI handlers, keyed by the part of the
 // Request.URL.Path after "/localapi/v0/". If the key ends with a trailing slash
 // then it's a prefix match.
-var handler = map[string]LocalAPIHandler{
+var handler = map[string]localAPIHandler{
 	// The prefix match handlers end with a slash:
 	"cert/":     (*Handler).serveCert,
 	"file-put/": (*Handler).serveFilePut,
@@ -90,6 +90,7 @@ var handler = map[string]LocalAPIHandler{
 	"check-udp-gro-forwarding":    (*Handler).serveCheckUDPGROForwarding,
 	"component-debug-logging":     (*Handler).serveComponentDebugLogging,
 	"debug":                       (*Handler).serveDebug,
+	"debug-capture":               (*Handler).serveDebugCapture,
 	"debug-derp-region":           (*Handler).serveDebugDERPRegion,
 	"debug-dial-types":            (*Handler).serveDebugDialTypes,
 	"debug-log":                   (*Handler).serveDebugLog,
@@ -151,14 +152,6 @@ var handler = map[string]LocalAPIHandler{
 	"whois":                       (*Handler).serveWhoIs,
 }

-// Register registers a new LocalAPI handler for the given name.
-func Register(name string, fn LocalAPIHandler) {
-	if _, ok := handler[name]; ok {
-		panic("duplicate LocalAPI handler registration: " + name)
-	}
-	handler[name] = fn
-}
-
 var (
 	// The clientmetrics package is stateful, but we want to expose a simple
 	// imperative API to local clients, so we need to keep track of
@@ -203,10 +196,6 @@ type Handler struct {
 	clock        tstime.Clock
 }

-func (h *Handler) LocalBackend() *ipnlocal.LocalBackend {
-	return h.b
-}
-
 func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if h.b == nil {
 		http.Error(w, "server has no local backend", http.StatusInternalServerError)
@@ -271,7 +260,7 @@ func (h *Handler) validHost(hostname string) bool {

 // handlerForPath returns the LocalAPI handler for the provided Request.URI.Path.
 // (the path doesn't include any query parameters)
-func handlerForPath(urlPath string) (h LocalAPIHandler, ok bool) {
+func handlerForPath(urlPath string) (h localAPIHandler, ok bool) {
 	if urlPath == "/" {
 		return (*Handler).serveLocalAPIRoot, true
 	}
@@ -2700,6 +2689,21 @@ func defBool(a string, def bool) bool {
 	return v
 }

+func (h *Handler) serveDebugCapture(w http.ResponseWriter, r *http.Request) {
+	if !h.PermitWrite {
+		http.Error(w, "debug access denied", http.StatusForbidden)
+		return
+	}
+	if r.Method != "POST" {
+		http.Error(w, "POST required", http.StatusMethodNotAllowed)
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
+	w.(http.Flusher).Flush()
+	h.b.StreamDebugCapture(r.Context(), w)
+}
+
 func (h *Handler) serveDebugLog(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitRead {
 		http.Error(w, "debug-log access denied", http.StatusForbidden)
--- a/ipn/prefs_test.go
+++ b/ipn/prefs_test.go
@@ -467,6 +467,13 @@ func TestPrefsPretty(t *testing.T) {
 			"darwin",
 			`Prefs{ra=false dns=false want=true tags=tag:foo,tag:bar url="http://localhost:1234" update=off Persist=nil}`,
 		},
+		{
+			Prefs{
+				Persist: &persist.Persist{},
+			},
+			"linux",
+			`Prefs{ra=false dns=false want=false routes=[] nf=off update=off Persist{lm=, o=, n= u=""}}`,
+		},
 		{
 			Prefs{
 				Persist: &persist.Persist{
@@ -474,7 +481,7 @@ func TestPrefsPretty(t *testing.T) {
 				},
 			},
 			"linux",
-			`Prefs{ra=false dns=false want=false routes=[] nf=off update=off Persist{o=, n=[B1VKl] u=""}}`,
+			`Prefs{ra=false dns=false want=false routes=[] nf=off update=off Persist{lm=, o=, n=[B1VKl] u=""}}`,
 		},
 		{
 			Prefs{
--- a/k8s-operator/api.md
+++ b/k8s-operator/api.md
@@ -599,7 +599,7 @@ _Appears in:_

 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `type` _[ProxyGroupType](#proxygrouptype)_ | Type of the ProxyGroup proxies. Currently the only supported type is egress.<br />Type is immutable once a ProxyGroup is created. |  | Enum: [egress ingress] <br />Type: string <br /> |
+| `type` _[ProxyGroupType](#proxygrouptype)_ | Type of the ProxyGroup proxies. Supported types are egress and ingress.<br />Type is immutable once a ProxyGroup is created. |  | Enum: [egress ingress] <br />Type: string <br /> |
 | `tags` _[Tags](#tags)_ | Tags that the Tailscale devices will be tagged with. Defaults to [tag:k8s].<br />If you specify custom tags here, make sure you also make the operator<br />an owner of these tags.<br />See  https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator.<br />Tags cannot be changed once a ProxyGroup device has been created.<br />Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$. |  | Pattern: `^tag:[a-zA-Z][a-zA-Z0-9-]*$` <br />Type: string <br /> |
 | `replicas` _integer_ | Replicas specifies how many replicas to create the StatefulSet with.<br />Defaults to 2. |  | Minimum: 0 <br /> |
 | `hostnamePrefix` _[HostnamePrefix](#hostnameprefix)_ | HostnamePrefix is the hostname prefix to use for tailnet devices created<br />by the ProxyGroup. Each device will have the integer number from its<br />StatefulSet pod appended to this prefix to form the full hostname.<br />HostnamePrefix can contain lower case letters, numbers and dashes, it<br />must not start with a dash and must be between 1 and 62 characters long. |  | Pattern: `^[a-z0-9][a-z0-9-]{0,61}$` <br />Type: string <br /> |
--- a/k8s-operator/apis/v1alpha1/types_proxygroup.go
+++ b/k8s-operator/apis/v1alpha1/types_proxygroup.go
@@ -48,7 +48,7 @@ type ProxyGroupList struct {
 }

 type ProxyGroupSpec struct {
-	// Type of the ProxyGroup proxies. Currently the only supported type is egress.
+	// Type of the ProxyGroup proxies. Supported types are egress and ingress.
 	// Type is immutable once a ProxyGroup is created.
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="ProxyGroup type is immutable"
 	Type ProxyGroupType `json:"type"`
--- a/k8s-operator/conditions.go
+++ b/k8s-operator/conditions.go
@@ -75,6 +75,16 @@ func RemoveServiceCondition(svc *corev1.Service, conditionType tsapi.ConditionTy
 	})
 }

+func EgressServiceIsValidAndConfigured(svc *corev1.Service) bool {
+	for _, typ := range []tsapi.ConditionType{tsapi.EgressSvcValid, tsapi.EgressSvcConfigured} {
+		cond := GetServiceCondition(svc, typ)
+		if cond == nil || cond.Status != metav1.ConditionTrue {
+			return false
+		}
+	}
+	return true
+}
+
 // SetRecorderCondition ensures that Recorder status has a condition with the
 // given attributes. LastTransitionTime gets set every time condition's status
 // changes.
--- a/kube/egressservices/egressservices.go
+++ b/kube/egressservices/egressservices.go
@@ -13,15 +13,9 @@ import (
 	"net/netip"
 )

-const (
-	// KeyEgressServices is name of the proxy state Secret field that contains the
-	// currently applied egress proxy config.
-	KeyEgressServices = "egress-services"
-
-	// KeyHEPPings is the number of times an egress service health check endpoint needs to be pinged to ensure that
-	// each currently configured backend is hit. In practice, it depends on the number of ProxyGroup replicas.
-	KeyHEPPings = "hep-pings"
-)
+// KeyEgressServices is name of the proxy state Secret field that contains the
+// currently applied egress proxy config.
+const KeyEgressServices = "egress-services"

 // Configs contains the desired configuration for egress services keyed by
 // service name.
@@ -30,7 +24,6 @@ type Configs map[string]Config
 // Config is an egress service configuration.
 // TODO(irbekrm): version this?
 type Config struct {
-	HealthCheckEndpoint string `json:"healthCheckEndpoint"`
 	// TailnetTarget is the target to which cluster traffic for this service
 	// should be proxied.
 	TailnetTarget TailnetTarget `json:"tailnetTarget"`
--- a/kube/egressservices/egressservices_test.go
+++ b/kube/egressservices/egressservices_test.go
@@ -55,7 +55,7 @@ func Test_jsonMarshalConfig(t *testing.T) {
 			protocol:   "tcp",
 			matchPort:  4003,
 			targetPort: 80,
-			wantsBs:    []byte(`{"healthCheckEndpoint":"","tailnetTarget":{"ip":"","fqdn":""},"ports":[{"protocol":"tcp","matchPort":4003,"targetPort":80}]}`),
+			wantsBs:    []byte(`{"tailnetTarget":{"ip":"","fqdn":""},"ports":[{"protocol":"tcp","matchPort":4003,"targetPort":80}]}`),
 		},
 	}
 	for _, tt := range tests {
--- a/kube/kubetypes/types.go
+++ b/kube/kubetypes/types.go
@@ -43,9 +43,4 @@ const (
 	// that cluster workloads behind the Ingress can now be accessed via the given DNS name over HTTPS.
 	KeyHTTPSEndpoint string = "https_endpoint"
 	ValueNoHTTPS     string = "no-https"
-
-	// Pod's IPv4 address header key as returned by containerboot health check endpoint.
-	PodIPv4Header string = "Pod-IPv4"
-
-	EgessServicesPreshutdownEP = "/internal-egress-services-preshutdown"
 )
--- a/net/netmon/netmon_darwin.go
+++ b/net/netmon/netmon_darwin.go
@@ -56,19 +56,7 @@ func (m *darwinRouteMon) Receive() (message, error) {
 		if err != nil {
 			return nil, err
 		}
-		msgs, err := func() (msgs []route.Message, err error) {
-			defer func() {
-				// #14201: permanent panic protection, as we have been burned by
-				// ParseRIB panics too many times.
-				msg := recover()
-				if msg != nil {
-					msgs = nil
-					m.logf("[unexpected] netmon: panic in route.ParseRIB from % 02x", m.buf[:n])
-					err = fmt.Errorf("panic in route.ParseRIB: %s", msg)
-				}
-			}()
-			return route.ParseRIB(route.RIBTypeRoute, m.buf[:n])
-		}()
+		msgs, err := route.ParseRIB(route.RIBTypeRoute, m.buf[:n])
 		if err != nil {
 			if debugRouteMessages {
 				m.logf("read %d bytes (% 02x), failed to parse RIB: %v", n, m.buf[:n], err)
--- a/net/packet/capture.go
+++ b/net/packet/capture.go
@@ -1,75 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package packet
-
-import (
-	"io"
-	"net/netip"
-	"time"
-)
-
-// Callback describes a function which is called to
-// record packets when debugging packet-capture.
-// Such callbacks must not take ownership of the
-// provided data slice: it may only copy out of it
-// within the lifetime of the function.
-type CaptureCallback func(CapturePath, time.Time, []byte, CaptureMeta)
-
-// CaptureSink is the minimal interface from [tailscale.com/feature/capture]'s
-// Sink type that is needed by the core (magicsock/LocalBackend/wgengine/etc).
-// This lets the relativel heavy feature/capture package be optionally linked.
-type CaptureSink interface {
-	// Close closes
-	Close() error
-
-	// NumOutputs returns the number of outputs registered with the sink.
-	NumOutputs() int
-
-	// CaptureCallback returns a callback which can be used to
-	// write packets to the sink.
-	CaptureCallback() CaptureCallback
-
-	// WaitCh returns a channel which blocks until
-	// the sink is closed.
-	WaitCh() <-chan struct{}
-
-	// RegisterOutput connects an output to this sink, which
-	// will be written to with a pcap stream as packets are logged.
-	// A function is returned which unregisters the output when
-	// called.
-	//
-	// If w implements io.Closer, it will be closed upon error
-	// or when the sink is closed. If w implements http.Flusher,
-	// it will be flushed periodically.
-	RegisterOutput(w io.Writer) (unregister func())
-}
-
-// CaptureMeta contains metadata that is used when debugging.
-type CaptureMeta struct {
-	DidSNAT     bool           // SNAT was performed & the address was updated.
-	OriginalSrc netip.AddrPort // The source address before SNAT was performed.
-	DidDNAT     bool           // DNAT was performed & the address was updated.
-	OriginalDst netip.AddrPort // The destination address before DNAT was performed.
-}
-
-// CapturePath describes where in the data path the packet was captured.
-type CapturePath uint8
-
-// CapturePath values
-const (
-	// FromLocal indicates the packet was logged as it traversed the FromLocal path:
-	// i.e.: A packet from the local system into the TUN.
-	FromLocal CapturePath = 0
-	// FromPeer indicates the packet was logged upon reception from a remote peer.
-	FromPeer CapturePath = 1
-	// SynthesizedToLocal indicates the packet was generated from within tailscaled,
-	// and is being routed to the local machine's network stack.
-	SynthesizedToLocal CapturePath = 2
-	// SynthesizedToPeer indicates the packet was generated from within tailscaled,
-	// and is being routed to a remote Wireguard peer.
-	SynthesizedToPeer CapturePath = 3
-
-	// PathDisco indicates the packet is information about a disco frame.
-	PathDisco CapturePath = 254
-)
--- a/net/packet/packet.go
+++ b/net/packet/packet.go
@@ -34,6 +34,14 @@ const (
 	TCPECNBits TCPFlag = TCPECNEcho | TCPCWR
 )

+// CaptureMeta contains metadata that is used when debugging.
+type CaptureMeta struct {
+	DidSNAT     bool           // SNAT was performed & the address was updated.
+	OriginalSrc netip.AddrPort // The source address before SNAT was performed.
+	DidDNAT     bool           // DNAT was performed & the address was updated.
+	OriginalDst netip.AddrPort // The destination address before DNAT was performed.
+}
+
 // Parsed is a minimal decoding of a packet suitable for use in filters.
 type Parsed struct {
 	// b is the byte buffer that this decodes.
--- a/net/tstun/wrap.go
+++ b/net/tstun/wrap.go
@@ -36,6 +36,7 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/usermetric"
+	"tailscale.com/wgengine/capture"
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/netstack/gro"
 	"tailscale.com/wgengine/wgcfg"
@@ -207,7 +208,7 @@ type Wrapper struct {
 	// stats maintains per-connection counters.
 	stats atomic.Pointer[connstats.Statistics]

-	captureHook syncs.AtomicValue[packet.CaptureCallback]
+	captureHook syncs.AtomicValue[capture.Callback]

 	metrics *metrics
 }
@@ -954,7 +955,7 @@ func (t *Wrapper) Read(buffs [][]byte, sizes []int, offset int) (int, error) {
 			}
 		}
 		if captHook != nil {
-			captHook(packet.FromLocal, t.now(), p.Buffer(), p.CaptureMeta)
+			captHook(capture.FromLocal, t.now(), p.Buffer(), p.CaptureMeta)
 		}
 		if !t.disableFilter {
 			var response filter.Response
@@ -1100,9 +1101,9 @@ func (t *Wrapper) injectedRead(res tunInjectedRead, outBuffs [][]byte, sizes []i
 	return n, err
 }

-func (t *Wrapper) filterPacketInboundFromWireGuard(p *packet.Parsed, captHook packet.CaptureCallback, pc *peerConfigTable, gro *gro.GRO) (filter.Response, *gro.GRO) {
+func (t *Wrapper) filterPacketInboundFromWireGuard(p *packet.Parsed, captHook capture.Callback, pc *peerConfigTable, gro *gro.GRO) (filter.Response, *gro.GRO) {
 	if captHook != nil {
-		captHook(packet.FromPeer, t.now(), p.Buffer(), p.CaptureMeta)
+		captHook(capture.FromPeer, t.now(), p.Buffer(), p.CaptureMeta)
 	}

 	if p.IPProto == ipproto.TSMP {
@@ -1316,7 +1317,7 @@ func (t *Wrapper) InjectInboundPacketBuffer(pkt *stack.PacketBuffer, buffs [][]b
 	p.Decode(buf)
 	captHook := t.captureHook.Load()
 	if captHook != nil {
-		captHook(packet.SynthesizedToLocal, t.now(), p.Buffer(), p.CaptureMeta)
+		captHook(capture.SynthesizedToLocal, t.now(), p.Buffer(), p.CaptureMeta)
 	}

 	invertGSOChecksum(buf, pkt.GSOOptions)
@@ -1448,7 +1449,7 @@ func (t *Wrapper) InjectOutboundPacketBuffer(pkt *stack.PacketBuffer) error {
 	}
 	if capt := t.captureHook.Load(); capt != nil {
 		b := pkt.ToBuffer()
-		capt(packet.SynthesizedToPeer, t.now(), b.Flatten(), packet.CaptureMeta{})
+		capt(capture.SynthesizedToPeer, t.now(), b.Flatten(), packet.CaptureMeta{})
 	}

 	t.injectOutbound(tunInjectedRead{packet: pkt})
@@ -1490,6 +1491,6 @@ var (
 	metricPacketOutDropSelfDisco = clientmetric.NewCounter("tstun_out_to_wg_drop_self_disco")
 )

-func (t *Wrapper) InstallCaptureHook(cb packet.CaptureCallback) {
+func (t *Wrapper) InstallCaptureHook(cb capture.Callback) {
 	t.captureHook.Store(cb)
 }
--- a/net/tstun/wrap_test.go
+++ b/net/tstun/wrap_test.go
@@ -40,6 +40,7 @@ import (
 	"tailscale.com/types/views"
 	"tailscale.com/util/must"
 	"tailscale.com/util/usermetric"
+	"tailscale.com/wgengine/capture"
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/wgcfg"
 )
@@ -870,14 +871,14 @@ func TestPeerCfg_NAT(t *testing.T) {
 // with the correct parameters when various packet operations are performed.
 func TestCaptureHook(t *testing.T) {
 	type captureRecord struct {
-		path packet.CapturePath
+		path capture.Path
 		now  time.Time
 		pkt  []byte
 		meta packet.CaptureMeta
 	}

 	var captured []captureRecord
-	hook := func(path packet.CapturePath, now time.Time, pkt []byte, meta packet.CaptureMeta) {
+	hook := func(path capture.Path, now time.Time, pkt []byte, meta packet.CaptureMeta) {
 		captured = append(captured, captureRecord{
 			path: path,
 			now:  now,
@@ -934,19 +935,19 @@ func TestCaptureHook(t *testing.T) {
 	// Assert that the right packets are captured.
 	want := []captureRecord{
 		{
-			path: packet.FromPeer,
+			path: capture.FromPeer,
 			pkt:  []byte("Write1"),
 		},
 		{
-			path: packet.FromPeer,
+			path: capture.FromPeer,
 			pkt:  []byte("Write2"),
 		},
 		{
-			path: packet.SynthesizedToLocal,
+			path: capture.SynthesizedToLocal,
 			pkt:  []byte("InjectInboundPacketBuffer"),
 		},
 		{
-			path: packet.SynthesizedToPeer,
+			path: capture.SynthesizedToPeer,
 			pkt:  []byte("InjectOutboundPacketBuffer"),
 		},
 	}
--- a/prober/prober.go
+++ b/prober/prober.go
@@ -7,7 +7,6 @@
 package prober

 import (
-	"cmp"
 	"container/ring"
 	"context"
 	"encoding/json"
@@ -21,7 +20,6 @@ import (
 	"time"

 	"github.com/prometheus/client_golang/prometheus"
-	"tailscale.com/syncs"
 	"tailscale.com/tsweb"
 )

@@ -46,14 +44,6 @@ type ProbeClass struct {
 	// exposed by this probe class.
 	Labels Labels

-	// Timeout is the maximum time the probe function is allowed to run before
-	// its context is cancelled. Defaults to 80% of the scheduling interval.
-	Timeout time.Duration
-
-	// Concurrency is the maximum number of concurrent probe executions
-	// allowed for this probe class. Defaults to 1.
-	Concurrency int
-
 	// Metrics allows a probe class to export custom Metrics. Can be nil.
 	Metrics func(prometheus.Labels) []prometheus.Metric
 }
@@ -141,12 +131,9 @@ func newProbe(p *Prober, name string, interval time.Duration, l prometheus.Label
 		cancel:  cancel,
 		stopped: make(chan struct{}),

-		runSema: syncs.NewSemaphore(cmp.Or(pc.Concurrency, 1)),
-
 		name:         name,
 		probeClass:   pc,
 		interval:     interval,
-		timeout:      cmp.Or(pc.Timeout, time.Duration(float64(interval)*0.8)),
 		initialDelay: initialDelay(name, interval),
 		successHist:  ring.New(recentHistSize),
 		latencyHist:  ring.New(recentHistSize),
@@ -239,12 +226,11 @@ type Probe struct {
 	ctx     context.Context
 	cancel  context.CancelFunc // run to initiate shutdown
 	stopped chan struct{}      // closed when shutdown is complete
-	runSema syncs.Semaphore    // restricts concurrency per probe
+	runMu   sync.Mutex         // ensures only one probe runs at a time

 	name         string
 	probeClass   ProbeClass
 	interval     time.Duration
-	timeout      time.Duration
 	initialDelay time.Duration
 	tick         ticker

@@ -296,15 +282,17 @@ func (p *Probe) loop() {
 		t := p.prober.newTicker(p.initialDelay)
 		select {
 		case <-t.Chan():
+			p.run()
 		case <-p.ctx.Done():
 			t.Stop()
 			return
 		}
 		t.Stop()
+	} else {
+		p.run()
 	}

 	if p.prober.once {
-		p.run()
 		return
 	}

@@ -327,12 +315,9 @@ func (p *Probe) loop() {
 	p.tick = p.prober.newTicker(p.interval)
 	defer p.tick.Stop()
 	for {
-		// Run the probe in a new goroutine every tick. Default concurrency & timeout
-		// settings will ensure that only one probe is running at a time.
-		go p.run()
-
 		select {
 		case <-p.tick.Chan():
+			p.run()
 		case <-p.ctx.Done():
 			return
 		}
@@ -346,13 +331,8 @@ func (p *Probe) loop() {
 // that the probe either succeeds or fails before the next cycle is scheduled to
 // start.
 func (p *Probe) run() (pi ProbeInfo, err error) {
-	// Probes are scheduled each p.interval, so we don't wait longer than that.
-	semaCtx, cancel := context.WithTimeout(p.ctx, p.interval)
-	defer cancel()
-	if !p.runSema.AcquireContext(semaCtx) {
-		return pi, fmt.Errorf("probe %s: context cancelled", p.name)
-	}
-	defer p.runSema.Release()
+	p.runMu.Lock()
+	defer p.runMu.Unlock()

 	p.recordStart()
 	defer func() {
@@ -364,21 +344,19 @@ func (p *Probe) run() (pi ProbeInfo, err error) {
 		if r := recover(); r != nil {
 			log.Printf("probe %s panicked: %v", p.name, r)
 			err = fmt.Errorf("panic: %v", r)
-			p.recordEndLocked(err)
+			p.recordEnd(err)
 		}
 	}()
 	ctx := p.ctx
 	if !p.IsContinuous() {
+		timeout := time.Duration(float64(p.interval) * 0.8)
 		var cancel func()
-		ctx, cancel = context.WithTimeout(ctx, p.timeout)
+		ctx, cancel = context.WithTimeout(ctx, timeout)
 		defer cancel()
 	}

 	err = p.probeClass.Probe(ctx)
-
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	p.recordEndLocked(err)
+	p.recordEnd(err)
 	if err != nil {
 		log.Printf("probe %s: %v", p.name, err)
 	}
@@ -392,8 +370,10 @@ func (p *Probe) recordStart() {
 	p.mu.Unlock()
 }

-func (p *Probe) recordEndLocked(err error) {
+func (p *Probe) recordEnd(err error) {
 	end := p.prober.now()
+	p.mu.Lock()
+	defer p.mu.Unlock()
 	p.end = end
 	p.succeeded = err == nil
 	p.lastErr = err
--- a/prober/prober_test.go
+++ b/prober/prober_test.go
@@ -149,74 +149,6 @@ func TestProberTimingSpread(t *testing.T) {
 	notCalled()
 }

-func TestProberTimeout(t *testing.T) {
-	clk := newFakeTime()
-	p := newForTest(clk.Now, clk.NewTicker)
-
-	var done sync.WaitGroup
-	done.Add(1)
-	pfunc := FuncProbe(func(ctx context.Context) error {
-		defer done.Done()
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		}
-	})
-	pfunc.Timeout = time.Microsecond
-	probe := p.Run("foo", 30*time.Second, nil, pfunc)
-	waitActiveProbes(t, p, clk, 1)
-	done.Wait()
-	probe.mu.Lock()
-	info := probe.probeInfoLocked()
-	probe.mu.Unlock()
-	wantInfo := ProbeInfo{
-		Name:            "foo",
-		Interval:        30 * time.Second,
-		Labels:          map[string]string{"class": "", "name": "foo"},
-		Status:          ProbeStatusFailed,
-		Error:           "context deadline exceeded",
-		RecentResults:   []bool{false},
-		RecentLatencies: nil,
-	}
-	if diff := cmp.Diff(wantInfo, info, cmpopts.IgnoreFields(ProbeInfo{}, "Start", "End", "Latency")); diff != "" {
-		t.Fatalf("unexpected ProbeInfo (-want +got):\n%s", diff)
-	}
-	if got := info.Latency; got > time.Second {
-		t.Errorf("info.Latency = %v, want at most 1s", got)
-	}
-}
-
-func TestProberConcurrency(t *testing.T) {
-	clk := newFakeTime()
-	p := newForTest(clk.Now, clk.NewTicker)
-
-	var ran atomic.Int64
-	stopProbe := make(chan struct{})
-	pfunc := FuncProbe(func(ctx context.Context) error {
-		ran.Add(1)
-		<-stopProbe
-		return nil
-	})
-	pfunc.Timeout = time.Hour
-	pfunc.Concurrency = 3
-	p.Run("foo", time.Second, nil, pfunc)
-	waitActiveProbes(t, p, clk, 1)
-
-	for range 50 {
-		clk.Advance(time.Second)
-	}
-
-	if err := tstest.WaitFor(convergenceTimeout, func() error {
-		if got, want := ran.Load(), int64(3); got != want {
-			return fmt.Errorf("expected %d probes to run concurrently, got %d", want, got)
-		}
-		return nil
-	}); err != nil {
-		t.Fatal(err)
-	}
-	close(stopProbe)
-}
-
 func TestProberRun(t *testing.T) {
 	clk := newFakeTime()
 	p := newForTest(clk.Now, clk.NewTicker)
@@ -518,11 +450,9 @@ func TestProbeInfoRecent(t *testing.T) {
 			for _, r := range tt.results {
 				probe.recordStart()
 				clk.Advance(r.latency)
-				probe.recordEndLocked(r.err)
+				probe.recordEnd(r.err)
 			}
-			probe.mu.Lock()
 			info := probe.probeInfoLocked()
-			probe.mu.Unlock()
 			if diff := cmp.Diff(tt.wantProbeInfo, info, cmpopts.IgnoreFields(ProbeInfo{}, "Start", "End", "Interval")); diff != "" {
 				t.Fatalf("unexpected ProbeInfo (-want +got):\n%s", diff)
 			}
--- a/safeweb/http.go
+++ b/safeweb/http.go
@@ -318,12 +318,6 @@ func checkHandlerType(apiPattern, browserPattern string) handlerType {
 }

 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	// if we are not in a secure context, signal to the CSRF middleware that
-	// TLS-only header checks should be skipped
-	if !s.Config.SecureContext {
-		r = csrf.PlaintextHTTPRequest(r)
-	}
-
 	_, bp := s.BrowserMux.Handler(r)
 	_, ap := s.APIMux.Handler(r)
 	switch {
--- a/ssh/tailssh/tailssh.go
+++ b/ssh/tailssh/tailssh.go
@@ -199,8 +199,7 @@ func (srv *server) OnPolicyChange() {
 //   - ServerConfigCallback
 //
 // Do the user auth
-//   - NoClientAuthHandler or publicKeyHandler
-//   - fakePasswordHandler if forcing password auth with the `+password` username suffix
+//   - NoClientAuthHandler
 //
 // Once auth is done, the conn can be multiplexed with multiple sessions and
 // channels concurrently. At which point any of the following can be called
@@ -338,21 +337,6 @@ func (c *conn) fakePasswordHandler(ctx ssh.Context, password string) bool {
 	return c.anyPasswordIsOkay
 }

-// publicKeyHandler is our implementation of the PublicKeyHandler hook that
-// checks whether the user's public key is correct. It exists for clients that
-// don't support "none" auth and instead insist on supplying a public key.
-// This ignores the supplied public key and authenticates with Tailscale auth
-// in the same way as NoClientAuthCallback.
-func (c *conn) publicKeyHandler(ctx ssh.Context, pubKey ssh.PublicKey) error {
-	if err := c.doPolicyAuth(ctx); err != nil {
-		return err
-	}
-	if err := c.isAuthorized(ctx); err != nil {
-		return err
-	}
-	return nil
-}
-
 // doPolicyAuth verifies that conn can proceed.
 // It returns nil if the matching policy action is Accept or
 // HoldAndDelegate. Otherwise, it returns errDenied.
@@ -429,14 +413,6 @@ func (srv *server) newConn() (*conn, error) {
 		NoClientAuthHandler: c.NoClientAuthCallback,
 		PasswordHandler:     c.fakePasswordHandler,

-		// The below handler exists for clients that don't support "none" auth
-		// and insist on supplying a public key. It ignores the supplied key
-		// and instead uses the same Tailscale auth as NoClientAuthCallback.
-		//
-		// As of 2025-02-10, tailssh_integration_test does not exercise this functionality.
-		// See tailscale/tailscale#14969.
-		PublicKeyHandler: c.publicKeyHandler,
-
 		Handler:                       c.handleSessionPostSSHAuth,
 		LocalPortForwardingCallback:   c.mayForwardLocalPortTo,
 		ReversePortForwardingCallback: c.mayReversePortForwardTo,
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -2470,11 +2470,6 @@ const (
 	// automatically when the network state changes.
 	NodeAttrDisableCaptivePortalDetection NodeCapability = "disable-captive-portal-detection"

-	// NodeAttrDisableSkipStatusQueue is set when the node should disable skipping
-	// of queued netmap.NetworkMap between the controlclient and LocalBackend.
-	// See tailscale/tailscale#14768.
-	NodeAttrDisableSkipStatusQueue NodeCapability = "disable-skip-status-queue"
-
 	// NodeAttrSSHEnvironmentVariables enables logic for handling environment variables sent
 	// via SendEnv in the SSH server and applying them to the SSH session.
 	NodeAttrSSHEnvironmentVariables NodeCapability = "ssh-env-vars"
--- a/tempfork/acme/README.md
+++ b/tempfork/acme/README.md
@@ -1,14 +0,0 @@
-# tempfork/acme
-
-This is a vendored copy of Tailscale's https://github.com/tailscale/golang-x-crypto,
-which is a fork of golang.org/x/crypto/acme.
-
-See https://github.com/tailscale/tailscale/issues/10238 for unforking
-status.
-
-The https://github.com/tailscale/golang-x-crypto location exists to
-let us do rebases from upstream easily, and then we update tempfork/acme
-in the same commit we go get github.com/tailscale/golang-x-crypto@main.
-See the comment on the TestSyncedToUpstream test for details. That
-test should catch that forgotten step.
-
--- a/tempfork/acme/acme.go
+++ b/tempfork/acme/acme.go
@@ -1,861 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package acme provides an implementation of the
-// Automatic Certificate Management Environment (ACME) spec,
-// most famously used by Let's Encrypt.
-//
-// The initial implementation of this package was based on an early version
-// of the spec. The current implementation supports only the modern
-// RFC 8555 but some of the old API surface remains for compatibility.
-// While code using the old API will still compile, it will return an error.
-// Note the deprecation comments to update your code.
-//
-// See https://tools.ietf.org/html/rfc8555 for the spec.
-//
-// Most common scenarios will want to use autocert subdirectory instead,
-// which provides automatic access to certificates from Let's Encrypt
-// and any other ACME-based CA.
-package acme
-
-import (
-	"context"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/sha256"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/asn1"
-	"encoding/base64"
-	"encoding/hex"
-	"encoding/json"
-	"encoding/pem"
-	"errors"
-	"fmt"
-	"math/big"
-	"net/http"
-	"strings"
-	"sync"
-	"time"
-)
-
-const (
-	// LetsEncryptURL is the Directory endpoint of Let's Encrypt CA.
-	LetsEncryptURL = "https://acme-v02.api.letsencrypt.org/directory"
-
-	// ALPNProto is the ALPN protocol name used by a CA server when validating
-	// tls-alpn-01 challenges.
-	//
-	// Package users must ensure their servers can negotiate the ACME ALPN in
-	// order for tls-alpn-01 challenge verifications to succeed.
-	// See the crypto/tls package's Config.NextProtos field.
-	ALPNProto = "acme-tls/1"
-)
-
-// idPeACMEIdentifier is the OID for the ACME extension for the TLS-ALPN challenge.
-// https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-5.1
-var idPeACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}
-
-const (
-	maxChainLen = 5       // max depth and breadth of a certificate chain
-	maxCertSize = 1 << 20 // max size of a certificate, in DER bytes
-	// Used for decoding certs from application/pem-certificate-chain response,
-	// the default when in RFC mode.
-	maxCertChainSize = maxCertSize * maxChainLen
-
-	// Max number of collected nonces kept in memory.
-	// Expect usual peak of 1 or 2.
-	maxNonces = 100
-)
-
-// Client is an ACME client.
-//
-// The only required field is Key. An example of creating a client with a new key
-// is as follows:
-//
-//	key, err := rsa.GenerateKey(rand.Reader, 2048)
-//	if err != nil {
-//		log.Fatal(err)
-//	}
-//	client := &Client{Key: key}
-type Client struct {
-	// Key is the account key used to register with a CA and sign requests.
-	// Key.Public() must return a *rsa.PublicKey or *ecdsa.PublicKey.
-	//
-	// The following algorithms are supported:
-	// RS256, ES256, ES384 and ES512.
-	// See RFC 7518 for more details about the algorithms.
-	Key crypto.Signer
-
-	// HTTPClient optionally specifies an HTTP client to use
-	// instead of http.DefaultClient.
-	HTTPClient *http.Client
-
-	// DirectoryURL points to the CA directory endpoint.
-	// If empty, LetsEncryptURL is used.
-	// Mutating this value after a successful call of Client's Discover method
-	// will have no effect.
-	DirectoryURL string
-
-	// RetryBackoff computes the duration after which the nth retry of a failed request
-	// should occur. The value of n for the first call on failure is 1.
-	// The values of r and resp are the request and response of the last failed attempt.
-	// If the returned value is negative or zero, no more retries are done and an error
-	// is returned to the caller of the original method.
-	//
-	// Requests which result in a 4xx client error are not retried,
-	// except for 400 Bad Request due to "bad nonce" errors and 429 Too Many Requests.
-	//
-	// If RetryBackoff is nil, a truncated exponential backoff algorithm
-	// with the ceiling of 10 seconds is used, where each subsequent retry n
-	// is done after either ("Retry-After" + jitter) or (2^n seconds + jitter),
-	// preferring the former if "Retry-After" header is found in the resp.
-	// The jitter is a random value up to 1 second.
-	RetryBackoff func(n int, r *http.Request, resp *http.Response) time.Duration
-
-	// UserAgent is prepended to the User-Agent header sent to the ACME server,
-	// which by default is this package's name and version.
-	//
-	// Reusable libraries and tools in particular should set this value to be
-	// identifiable by the server, in case they are causing issues.
-	UserAgent string
-
-	cacheMu sync.Mutex
-	dir     *Directory // cached result of Client's Discover method
-	// KID is the key identifier provided by the CA. If not provided it will be
-	// retrieved from the CA by making a call to the registration endpoint.
-	KID KeyID
-
-	noncesMu sync.Mutex
-	nonces   map[string]struct{} // nonces collected from previous responses
-}
-
-// accountKID returns a key ID associated with c.Key, the account identity
-// provided by the CA during RFC based registration.
-// It assumes c.Discover has already been called.
-//
-// accountKID requires at most one network roundtrip.
-// It caches only successful result.
-//
-// When in pre-RFC mode or when c.getRegRFC responds with an error, accountKID
-// returns noKeyID.
-func (c *Client) accountKID(ctx context.Context) KeyID {
-	c.cacheMu.Lock()
-	defer c.cacheMu.Unlock()
-	if c.KID != noKeyID {
-		return c.KID
-	}
-	a, err := c.getRegRFC(ctx)
-	if err != nil {
-		return noKeyID
-	}
-	c.KID = KeyID(a.URI)
-	return c.KID
-}
-
-var errPreRFC = errors.New("acme: server does not support the RFC 8555 version of ACME")
-
-// Discover performs ACME server discovery using c.DirectoryURL.
-//
-// It caches successful result. So, subsequent calls will not result in
-// a network round-trip. This also means mutating c.DirectoryURL after successful call
-// of this method will have no effect.
-func (c *Client) Discover(ctx context.Context) (Directory, error) {
-	c.cacheMu.Lock()
-	defer c.cacheMu.Unlock()
-	if c.dir != nil {
-		return *c.dir, nil
-	}
-
-	res, err := c.get(ctx, c.directoryURL(), wantStatus(http.StatusOK))
-	if err != nil {
-		return Directory{}, err
-	}
-	defer res.Body.Close()
-	c.addNonce(res.Header)
-
-	var v struct {
-		Reg         string `json:"newAccount"`
-		Authz       string `json:"newAuthz"`
-		Order       string `json:"newOrder"`
-		Revoke      string `json:"revokeCert"`
-		Nonce       string `json:"newNonce"`
-		KeyChange   string `json:"keyChange"`
-		RenewalInfo string `json:"renewalInfo"`
-		Meta        struct {
-			Terms        string   `json:"termsOfService"`
-			Website      string   `json:"website"`
-			CAA          []string `json:"caaIdentities"`
-			ExternalAcct bool     `json:"externalAccountRequired"`
-		}
-	}
-	if err := json.NewDecoder(res.Body).Decode(&v); err != nil {
-		return Directory{}, err
-	}
-	if v.Order == "" {
-		return Directory{}, errPreRFC
-	}
-	c.dir = &Directory{
-		RegURL:                  v.Reg,
-		AuthzURL:                v.Authz,
-		OrderURL:                v.Order,
-		RevokeURL:               v.Revoke,
-		NonceURL:                v.Nonce,
-		KeyChangeURL:            v.KeyChange,
-		RenewalInfoURL:          v.RenewalInfo,
-		Terms:                   v.Meta.Terms,
-		Website:                 v.Meta.Website,
-		CAA:                     v.Meta.CAA,
-		ExternalAccountRequired: v.Meta.ExternalAcct,
-	}
-	return *c.dir, nil
-}
-
-func (c *Client) directoryURL() string {
-	if c.DirectoryURL != "" {
-		return c.DirectoryURL
-	}
-	return LetsEncryptURL
-}
-
-// CreateCert was part of the old version of ACME. It is incompatible with RFC 8555.
-//
-// Deprecated: this was for the pre-RFC 8555 version of ACME. Callers should use CreateOrderCert.
-func (c *Client) CreateCert(ctx context.Context, csr []byte, exp time.Duration, bundle bool) (der [][]byte, certURL string, err error) {
-	return nil, "", errPreRFC
-}
-
-// FetchCert retrieves already issued certificate from the given url, in DER format.
-// It retries the request until the certificate is successfully retrieved,
-// context is cancelled by the caller or an error response is received.
-//
-// If the bundle argument is true, the returned value also contains the CA (issuer)
-// certificate chain.
-//
-// FetchCert returns an error if the CA's response or chain was unreasonably large.
-// Callers are encouraged to parse the returned value to ensure the certificate is valid
-// and has expected features.
-func (c *Client) FetchCert(ctx context.Context, url string, bundle bool) ([][]byte, error) {
-	if _, err := c.Discover(ctx); err != nil {
-		return nil, err
-	}
-	return c.fetchCertRFC(ctx, url, bundle)
-}
-
-// RevokeCert revokes a previously issued certificate cert, provided in DER format.
-//
-// The key argument, used to sign the request, must be authorized
-// to revoke the certificate. It's up to the CA to decide which keys are authorized.
-// For instance, the key pair of the certificate may be authorized.
-// If the key is nil, c.Key is used instead.
-func (c *Client) RevokeCert(ctx context.Context, key crypto.Signer, cert []byte, reason CRLReasonCode) error {
-	if _, err := c.Discover(ctx); err != nil {
-		return err
-	}
-	return c.revokeCertRFC(ctx, key, cert, reason)
-}
-
-// FetchRenewalInfo retrieves the RenewalInfo from Directory.RenewalInfoURL.
-func (c *Client) FetchRenewalInfo(ctx context.Context, leaf []byte) (*RenewalInfo, error) {
-	if _, err := c.Discover(ctx); err != nil {
-		return nil, err
-	}
-
-	parsedLeaf, err := x509.ParseCertificate(leaf)
-	if err != nil {
-		return nil, fmt.Errorf("parsing leaf certificate: %w", err)
-	}
-
-	renewalURL, err := c.getRenewalURL(parsedLeaf)
-	if err != nil {
-		return nil, fmt.Errorf("generating renewal info URL: %w", err)
-	}
-
-	res, err := c.get(ctx, renewalURL, wantStatus(http.StatusOK))
-	if err != nil {
-		return nil, fmt.Errorf("fetching renewal info: %w", err)
-	}
-	defer res.Body.Close()
-
-	var info RenewalInfo
-	if err := json.NewDecoder(res.Body).Decode(&info); err != nil {
-		return nil, fmt.Errorf("parsing renewal info response: %w", err)
-	}
-	return &info, nil
-}
-
-func (c *Client) getRenewalURL(cert *x509.Certificate) (string, error) {
-	// See https://www.ietf.org/archive/id/draft-ietf-acme-ari-04.html#name-the-renewalinfo-resource
-	// for how the request URL is built.
-	url := c.dir.RenewalInfoURL
-	if !strings.HasSuffix(url, "/") {
-		url += "/"
-	}
-	aki := base64.RawURLEncoding.EncodeToString(cert.AuthorityKeyId)
-	serial := base64.RawURLEncoding.EncodeToString(cert.SerialNumber.Bytes())
-	return fmt.Sprintf("%s%s.%s", url, aki, serial), nil
-}
-
-// AcceptTOS always returns true to indicate the acceptance of a CA's Terms of Service
-// during account registration. See Register method of Client for more details.
-func AcceptTOS(tosURL string) bool { return true }
-
-// Register creates a new account with the CA using c.Key.
-// It returns the registered account. The account acct is not modified.
-//
-// The registration may require the caller to agree to the CA's Terms of Service (TOS).
-// If so, and the account has not indicated the acceptance of the terms (see Account for details),
-// Register calls prompt with a TOS URL provided by the CA. Prompt should report
-// whether the caller agrees to the terms. To always accept the terms, the caller can use AcceptTOS.
-//
-// When interfacing with an RFC-compliant CA, non-RFC 8555 fields of acct are ignored
-// and prompt is called if Directory's Terms field is non-zero.
-// Also see Error's Instance field for when a CA requires already registered accounts to agree
-// to an updated Terms of Service.
-func (c *Client) Register(ctx context.Context, acct *Account, prompt func(tosURL string) bool) (*Account, error) {
-	if c.Key == nil {
-		return nil, errors.New("acme: client.Key must be set to Register")
-	}
-	if _, err := c.Discover(ctx); err != nil {
-		return nil, err
-	}
-	return c.registerRFC(ctx, acct, prompt)
-}
-
-// GetReg retrieves an existing account associated with c.Key.
-//
-// The url argument is a legacy artifact of the pre-RFC 8555 API
-// and is ignored.
-func (c *Client) GetReg(ctx context.Context, url string) (*Account, error) {
-	if _, err := c.Discover(ctx); err != nil {
-		return nil, err
-	}
-	return c.getRegRFC(ctx)
-}
-
-// UpdateReg updates an existing registration.
-// It returns an updated account copy. The provided account is not modified.
-//
-// The account's URI is ignored and the account URL associated with
-// c.Key is used instead.
-func (c *Client) UpdateReg(ctx context.Context, acct *Account) (*Account, error) {
-	if _, err := c.Discover(ctx); err != nil {
-		return nil, err
-	}
-	return c.updateRegRFC(ctx, acct)
-}
-
-// AccountKeyRollover attempts to transition a client's account key to a new key.
-// On success client's Key is updated which is not concurrency safe.
-// On failure an error will be returned.
-// The new key is already registered with the ACME provider if the following is true:
-//   - error is of type acme.Error
-//   - StatusCode should be 409 (Conflict)
-//   - Location header will have the KID of the associated account
-//
-// More about account key rollover can be found at
-// https://tools.ietf.org/html/rfc8555#section-7.3.5.
-func (c *Client) AccountKeyRollover(ctx context.Context, newKey crypto.Signer) error {
-	return c.accountKeyRollover(ctx, newKey)
-}
-
-// Authorize performs the initial step in the pre-authorization flow,
-// as opposed to order-based flow.
-// The caller will then need to choose from and perform a set of returned
-// challenges using c.Accept in order to successfully complete authorization.
-//
-// Once complete, the caller can use AuthorizeOrder which the CA
-// should provision with the already satisfied authorization.
-// For pre-RFC CAs, the caller can proceed directly to requesting a certificate
-// using CreateCert method.
-//
-// If an authorization has been previously granted, the CA may return
-// a valid authorization which has its Status field set to StatusValid.
-//
-// More about pre-authorization can be found at
-// https://tools.ietf.org/html/rfc8555#section-7.4.1.
-func (c *Client) Authorize(ctx context.Context, domain string) (*Authorization, error) {
-	return c.authorize(ctx, "dns", domain)
-}
-
-// AuthorizeIP is the same as Authorize but requests IP address authorization.
-// Clients which successfully obtain such authorization may request to issue
-// a certificate for IP addresses.
-//
-// See the ACME spec extension for more details about IP address identifiers:
-// https://tools.ietf.org/html/draft-ietf-acme-ip.
-func (c *Client) AuthorizeIP(ctx context.Context, ipaddr string) (*Authorization, error) {
-	return c.authorize(ctx, "ip", ipaddr)
-}
-
-func (c *Client) authorize(ctx context.Context, typ, val string) (*Authorization, error) {
-	if _, err := c.Discover(ctx); err != nil {
-		return nil, err
-	}
-
-	type authzID struct {
-		Type  string `json:"type"`
-		Value string `json:"value"`
-	}
-	req := struct {
-		Resource   string  `json:"resource"`
-		Identifier authzID `json:"identifier"`
-	}{
-		Resource:   "new-authz",
-		Identifier: authzID{Type: typ, Value: val},
-	}
-	res, err := c.post(ctx, nil, c.dir.AuthzURL, req, wantStatus(http.StatusCreated))
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-
-	var v wireAuthz
-	if err := json.NewDecoder(res.Body).Decode(&v); err != nil {
-		return nil, fmt.Errorf("acme: invalid response: %v", err)
-	}
-	if v.Status != StatusPending && v.Status != StatusValid {
-		return nil, fmt.Errorf("acme: unexpected status: %s", v.Status)
-	}
-	return v.authorization(res.Header.Get("Location")), nil
-}
-
-// GetAuthorization retrieves an authorization identified by the given URL.
-//
-// If a caller needs to poll an authorization until its status is final,
-// see the WaitAuthorization method.
-func (c *Client) GetAuthorization(ctx context.Context, url string) (*Authorization, error) {
-	if _, err := c.Discover(ctx); err != nil {
-		return nil, err
-	}
-
-	res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK))
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-	var v wireAuthz
-	if err := json.NewDecoder(res.Body).Decode(&v); err != nil {
-		return nil, fmt.Errorf("acme: invalid response: %v", err)
-	}
-	return v.authorization(url), nil
-}
-
-// RevokeAuthorization relinquishes an existing authorization identified
-// by the given URL.
-// The url argument is an Authorization.URI value.
-//
-// If successful, the caller will be required to obtain a new authorization
-// using the Authorize or AuthorizeOrder methods before being able to request
-// a new certificate for the domain associated with the authorization.
-//
-// It does not revoke existing certificates.
-func (c *Client) RevokeAuthorization(ctx context.Context, url string) error {
-	if _, err := c.Discover(ctx); err != nil {
-		return err
-	}
-
-	req := struct {
-		Resource string `json:"resource"`
-		Status   string `json:"status"`
-		Delete   bool   `json:"delete"`
-	}{
-		Resource: "authz",
-		Status:   "deactivated",
-		Delete:   true,
-	}
-	res, err := c.post(ctx, nil, url, req, wantStatus(http.StatusOK))
-	if err != nil {
-		return err
-	}
-	defer res.Body.Close()
-	return nil
-}
-
-// WaitAuthorization polls an authorization at the given URL
-// until it is in one of the final states, StatusValid or StatusInvalid,
-// the ACME CA responded with a 4xx error code, or the context is done.
-//
-// It returns a non-nil Authorization only if its Status is StatusValid.
-// In all other cases WaitAuthorization returns an error.
-// If the Status is StatusInvalid, the returned error is of type *AuthorizationError.
-func (c *Client) WaitAuthorization(ctx context.Context, url string) (*Authorization, error) {
-	if _, err := c.Discover(ctx); err != nil {
-		return nil, err
-	}
-	for {
-		res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK, http.StatusAccepted))
-		if err != nil {
-			return nil, err
-		}
-
-		var raw wireAuthz
-		err = json.NewDecoder(res.Body).Decode(&raw)
-		res.Body.Close()
-		switch {
-		case err != nil:
-			// Skip and retry.
-		case raw.Status == StatusValid:
-			return raw.authorization(url), nil
-		case raw.Status == StatusInvalid:
-			return nil, raw.error(url)
-		}
-
-		// Exponential backoff is implemented in c.get above.
-		// This is just to prevent continuously hitting the CA
-		// while waiting for a final authorization status.
-		d := retryAfter(res.Header.Get("Retry-After"))
-		if d == 0 {
-			// Given that the fastest challenges TLS-SNI and HTTP-01
-			// require a CA to make at least 1 network round trip
-			// and most likely persist a challenge state,
-			// this default delay seems reasonable.
-			d = time.Second
-		}
-		t := time.NewTimer(d)
-		select {
-		case <-ctx.Done():
-			t.Stop()
-			return nil, ctx.Err()
-		case <-t.C:
-			// Retry.
-		}
-	}
-}
-
-// GetChallenge retrieves the current status of an challenge.
-//
-// A client typically polls a challenge status using this method.
-func (c *Client) GetChallenge(ctx context.Context, url string) (*Challenge, error) {
-	if _, err := c.Discover(ctx); err != nil {
-		return nil, err
-	}
-
-	res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK, http.StatusAccepted))
-	if err != nil {
-		return nil, err
-	}
-
-	defer res.Body.Close()
-	v := wireChallenge{URI: url}
-	if err := json.NewDecoder(res.Body).Decode(&v); err != nil {
-		return nil, fmt.Errorf("acme: invalid response: %v", err)
-	}
-	return v.challenge(), nil
-}
-
-// Accept informs the server that the client accepts one of its challenges
-// previously obtained with c.Authorize.
-//
-// The server will then perform the validation asynchronously.
-func (c *Client) Accept(ctx context.Context, chal *Challenge) (*Challenge, error) {
-	if _, err := c.Discover(ctx); err != nil {
-		return nil, err
-	}
-
-	res, err := c.post(ctx, nil, chal.URI, json.RawMessage("{}"), wantStatus(
-		http.StatusOK,       // according to the spec
-		http.StatusAccepted, // Let's Encrypt: see https://goo.gl/WsJ7VT (acme-divergences.md)
-	))
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-
-	var v wireChallenge
-	if err := json.NewDecoder(res.Body).Decode(&v); err != nil {
-		return nil, fmt.Errorf("acme: invalid response: %v", err)
-	}
-	return v.challenge(), nil
-}
-
-// DNS01ChallengeRecord returns a DNS record value for a dns-01 challenge response.
-// A TXT record containing the returned value must be provisioned under
-// "_acme-challenge" name of the domain being validated.
-//
-// The token argument is a Challenge.Token value.
-func (c *Client) DNS01ChallengeRecord(token string) (string, error) {
-	ka, err := keyAuth(c.Key.Public(), token)
-	if err != nil {
-		return "", err
-	}
-	b := sha256.Sum256([]byte(ka))
-	return base64.RawURLEncoding.EncodeToString(b[:]), nil
-}
-
-// HTTP01ChallengeResponse returns the response for an http-01 challenge.
-// Servers should respond with the value to HTTP requests at the URL path
-// provided by HTTP01ChallengePath to validate the challenge and prove control
-// over a domain name.
-//
-// The token argument is a Challenge.Token value.
-func (c *Client) HTTP01ChallengeResponse(token string) (string, error) {
-	return keyAuth(c.Key.Public(), token)
-}
-
-// HTTP01ChallengePath returns the URL path at which the response for an http-01 challenge
-// should be provided by the servers.
-// The response value can be obtained with HTTP01ChallengeResponse.
-//
-// The token argument is a Challenge.Token value.
-func (c *Client) HTTP01ChallengePath(token string) string {
-	return "/.well-known/acme-challenge/" + token
-}
-
-// TLSSNI01ChallengeCert creates a certificate for TLS-SNI-01 challenge response.
-//
-// Deprecated: This challenge type is unused in both draft-02 and RFC versions of the ACME spec.
-func (c *Client) TLSSNI01ChallengeCert(token string, opt ...CertOption) (cert tls.Certificate, name string, err error) {
-	ka, err := keyAuth(c.Key.Public(), token)
-	if err != nil {
-		return tls.Certificate{}, "", err
-	}
-	b := sha256.Sum256([]byte(ka))
-	h := hex.EncodeToString(b[:])
-	name = fmt.Sprintf("%s.%s.acme.invalid", h[:32], h[32:])
-	cert, err = tlsChallengeCert([]string{name}, opt)
-	if err != nil {
-		return tls.Certificate{}, "", err
-	}
-	return cert, name, nil
-}
-
-// TLSSNI02ChallengeCert creates a certificate for TLS-SNI-02 challenge response.
-//
-// Deprecated: This challenge type is unused in both draft-02 and RFC versions of the ACME spec.
-func (c *Client) TLSSNI02ChallengeCert(token string, opt ...CertOption) (cert tls.Certificate, name string, err error) {
-	b := sha256.Sum256([]byte(token))
-	h := hex.EncodeToString(b[:])
-	sanA := fmt.Sprintf("%s.%s.token.acme.invalid", h[:32], h[32:])
-
-	ka, err := keyAuth(c.Key.Public(), token)
-	if err != nil {
-		return tls.Certificate{}, "", err
-	}
-	b = sha256.Sum256([]byte(ka))
-	h = hex.EncodeToString(b[:])
-	sanB := fmt.Sprintf("%s.%s.ka.acme.invalid", h[:32], h[32:])
-
-	cert, err = tlsChallengeCert([]string{sanA, sanB}, opt)
-	if err != nil {
-		return tls.Certificate{}, "", err
-	}
-	return cert, sanA, nil
-}
-
-// TLSALPN01ChallengeCert creates a certificate for TLS-ALPN-01 challenge response.
-// Servers can present the certificate to validate the challenge and prove control
-// over a domain name. For more details on TLS-ALPN-01 see
-// https://tools.ietf.org/html/draft-shoemaker-acme-tls-alpn-00#section-3
-//
-// The token argument is a Challenge.Token value.
-// If a WithKey option is provided, its private part signs the returned cert,
-// and the public part is used to specify the signee.
-// If no WithKey option is provided, a new ECDSA key is generated using P-256 curve.
-//
-// The returned certificate is valid for the next 24 hours and must be presented only when
-// the server name in the TLS ClientHello matches the domain, and the special acme-tls/1 ALPN protocol
-// has been specified.
-func (c *Client) TLSALPN01ChallengeCert(token, domain string, opt ...CertOption) (cert tls.Certificate, err error) {
-	ka, err := keyAuth(c.Key.Public(), token)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-	shasum := sha256.Sum256([]byte(ka))
-	extValue, err := asn1.Marshal(shasum[:])
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-	acmeExtension := pkix.Extension{
-		Id:       idPeACMEIdentifier,
-		Critical: true,
-		Value:    extValue,
-	}
-
-	tmpl := defaultTLSChallengeCertTemplate()
-
-	var newOpt []CertOption
-	for _, o := range opt {
-		switch o := o.(type) {
-		case *certOptTemplate:
-			t := *(*x509.Certificate)(o) // shallow copy is ok
-			tmpl = &t
-		default:
-			newOpt = append(newOpt, o)
-		}
-	}
-	tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, acmeExtension)
-	newOpt = append(newOpt, WithTemplate(tmpl))
-	return tlsChallengeCert([]string{domain}, newOpt)
-}
-
-// popNonce returns a nonce value previously stored with c.addNonce
-// or fetches a fresh one from c.dir.NonceURL.
-// If NonceURL is empty, it first tries c.directoryURL() and, failing that,
-// the provided url.
-func (c *Client) popNonce(ctx context.Context, url string) (string, error) {
-	c.noncesMu.Lock()
-	defer c.noncesMu.Unlock()
-	if len(c.nonces) == 0 {
-		if c.dir != nil && c.dir.NonceURL != "" {
-			return c.fetchNonce(ctx, c.dir.NonceURL)
-		}
-		dirURL := c.directoryURL()
-		v, err := c.fetchNonce(ctx, dirURL)
-		if err != nil && url != dirURL {
-			v, err = c.fetchNonce(ctx, url)
-		}
-		return v, err
-	}
-	var nonce string
-	for nonce = range c.nonces {
-		delete(c.nonces, nonce)
-		break
-	}
-	return nonce, nil
-}
-
-// clearNonces clears any stored nonces
-func (c *Client) clearNonces() {
-	c.noncesMu.Lock()
-	defer c.noncesMu.Unlock()
-	c.nonces = make(map[string]struct{})
-}
-
-// addNonce stores a nonce value found in h (if any) for future use.
-func (c *Client) addNonce(h http.Header) {
-	v := nonceFromHeader(h)
-	if v == "" {
-		return
-	}
-	c.noncesMu.Lock()
-	defer c.noncesMu.Unlock()
-	if len(c.nonces) >= maxNonces {
-		return
-	}
-	if c.nonces == nil {
-		c.nonces = make(map[string]struct{})
-	}
-	c.nonces[v] = struct{}{}
-}
-
-func (c *Client) fetchNonce(ctx context.Context, url string) (string, error) {
-	r, err := http.NewRequest("HEAD", url, nil)
-	if err != nil {
-		return "", err
-	}
-	resp, err := c.doNoRetry(ctx, r)
-	if err != nil {
-		return "", err
-	}
-	defer resp.Body.Close()
-	nonce := nonceFromHeader(resp.Header)
-	if nonce == "" {
-		if resp.StatusCode > 299 {
-			return "", responseError(resp)
-		}
-		return "", errors.New("acme: nonce not found")
-	}
-	return nonce, nil
-}
-
-func nonceFromHeader(h http.Header) string {
-	return h.Get("Replay-Nonce")
-}
-
-// linkHeader returns URI-Reference values of all Link headers
-// with relation-type rel.
-// See https://tools.ietf.org/html/rfc5988#section-5 for details.
-func linkHeader(h http.Header, rel string) []string {
-	var links []string
-	for _, v := range h["Link"] {
-		parts := strings.Split(v, ";")
-		for _, p := range parts {
-			p = strings.TrimSpace(p)
-			if !strings.HasPrefix(p, "rel=") {
-				continue
-			}
-			if v := strings.Trim(p[4:], `"`); v == rel {
-				links = append(links, strings.Trim(parts[0], "<>"))
-			}
-		}
-	}
-	return links
-}
-
-// keyAuth generates a key authorization string for a given token.
-func keyAuth(pub crypto.PublicKey, token string) (string, error) {
-	th, err := JWKThumbprint(pub)
-	if err != nil {
-		return "", err
-	}
-	return fmt.Sprintf("%s.%s", token, th), nil
-}
-
-// defaultTLSChallengeCertTemplate is a template used to create challenge certs for TLS challenges.
-func defaultTLSChallengeCertTemplate() *x509.Certificate {
-	return &x509.Certificate{
-		SerialNumber:          big.NewInt(1),
-		NotBefore:             time.Now(),
-		NotAfter:              time.Now().Add(24 * time.Hour),
-		BasicConstraintsValid: true,
-		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-	}
-}
-
-// tlsChallengeCert creates a temporary certificate for TLS-SNI challenges
-// with the given SANs and auto-generated public/private key pair.
-// The Subject Common Name is set to the first SAN to aid debugging.
-// To create a cert with a custom key pair, specify WithKey option.
-func tlsChallengeCert(san []string, opt []CertOption) (tls.Certificate, error) {
-	var key crypto.Signer
-	tmpl := defaultTLSChallengeCertTemplate()
-	for _, o := range opt {
-		switch o := o.(type) {
-		case *certOptKey:
-			if key != nil {
-				return tls.Certificate{}, errors.New("acme: duplicate key option")
-			}
-			key = o.key
-		case *certOptTemplate:
-			t := *(*x509.Certificate)(o) // shallow copy is ok
-			tmpl = &t
-		default:
-			// package's fault, if we let this happen:
-			panic(fmt.Sprintf("unsupported option type %T", o))
-		}
-	}
-	if key == nil {
-		var err error
-		if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
-			return tls.Certificate{}, err
-		}
-	}
-	tmpl.DNSNames = san
-	if len(san) > 0 {
-		tmpl.Subject.CommonName = san[0]
-	}
-
-	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-	return tls.Certificate{
-		Certificate: [][]byte{der},
-		PrivateKey:  key,
-	}, nil
-}
-
-// encodePEM returns b encoded as PEM with block of type typ.
-func encodePEM(typ string, b []byte) []byte {
-	pb := &pem.Block{Type: typ, Bytes: b}
-	return pem.EncodeToMemory(pb)
-}
-
-// timeNow is time.Now, except in tests which can mess with it.
-var timeNow = time.Now
--- a/tempfork/acme/acme_test.go
+++ b/tempfork/acme/acme_test.go
@@ -1,973 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package acme
-
-import (
-	"bytes"
-	"context"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/base64"
-	"encoding/hex"
-	"encoding/json"
-	"encoding/pem"
-	"fmt"
-	"io"
-	"math/big"
-	"net/http"
-	"net/http/httptest"
-	"net/url"
-	"reflect"
-	"sort"
-	"strings"
-	"testing"
-	"time"
-)
-
-// newTestClient creates a client with a non-nil Directory so that it skips
-// the discovery which is otherwise done on the first call of almost every
-// exported method.
-func newTestClient() *Client {
-	return &Client{
-		Key: testKeyEC,
-		dir: &Directory{}, // skip discovery
-	}
-}
-
-// newTestClientWithMockDirectory creates a client with a non-nil Directory
-// that contains mock field values.
-func newTestClientWithMockDirectory() *Client {
-	return &Client{
-		Key: testKeyEC,
-		dir: &Directory{
-			RenewalInfoURL: "https://example.com/acme/renewal-info/",
-		},
-	}
-}
-
-// Decodes a JWS-encoded request and unmarshals the decoded JSON into a provided
-// interface.
-func decodeJWSRequest(t *testing.T, v interface{}, r io.Reader) {
-	// Decode request
-	var req struct{ Payload string }
-	if err := json.NewDecoder(r).Decode(&req); err != nil {
-		t.Fatal(err)
-	}
-	payload, err := base64.RawURLEncoding.DecodeString(req.Payload)
-	if err != nil {
-		t.Fatal(err)
-	}
-	err = json.Unmarshal(payload, v)
-	if err != nil {
-		t.Fatal(err)
-	}
-}
-
-type jwsHead struct {
-	Alg   string
-	Nonce string
-	URL   string            `json:"url"`
-	KID   string            `json:"kid"`
-	JWK   map[string]string `json:"jwk"`
-}
-
-func decodeJWSHead(r io.Reader) (*jwsHead, error) {
-	var req struct{ Protected string }
-	if err := json.NewDecoder(r).Decode(&req); err != nil {
-		return nil, err
-	}
-	b, err := base64.RawURLEncoding.DecodeString(req.Protected)
-	if err != nil {
-		return nil, err
-	}
-	var head jwsHead
-	if err := json.Unmarshal(b, &head); err != nil {
-		return nil, err
-	}
-	return &head, nil
-}
-
-func TestRegisterWithoutKey(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method == "HEAD" {
-			w.Header().Set("Replay-Nonce", "test-nonce")
-			return
-		}
-		w.WriteHeader(http.StatusCreated)
-		fmt.Fprint(w, `{}`)
-	}))
-	defer ts.Close()
-	// First verify that using a complete client results in success.
-	c := Client{
-		Key:          testKeyEC,
-		DirectoryURL: ts.URL,
-		dir:          &Directory{RegURL: ts.URL},
-	}
-	if _, err := c.Register(context.Background(), &Account{}, AcceptTOS); err != nil {
-		t.Fatalf("c.Register() = %v; want success with a complete test client", err)
-	}
-	c.Key = nil
-	if _, err := c.Register(context.Background(), &Account{}, AcceptTOS); err == nil {
-		t.Error("c.Register() from client without key succeeded, wanted error")
-	}
-}
-
-func TestAuthorize(t *testing.T) {
-	tt := []struct{ typ, value string }{
-		{"dns", "example.com"},
-		{"ip", "1.2.3.4"},
-	}
-	for _, test := range tt {
-		t.Run(test.typ, func(t *testing.T) {
-			ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				if r.Method == "HEAD" {
-					w.Header().Set("Replay-Nonce", "test-nonce")
-					return
-				}
-				if r.Method != "POST" {
-					t.Errorf("r.Method = %q; want POST", r.Method)
-				}
-
-				var j struct {
-					Resource   string
-					Identifier struct {
-						Type  string
-						Value string
-					}
-				}
-				decodeJWSRequest(t, &j, r.Body)
-
-				// Test request
-				if j.Resource != "new-authz" {
-					t.Errorf("j.Resource = %q; want new-authz", j.Resource)
-				}
-				if j.Identifier.Type != test.typ {
-					t.Errorf("j.Identifier.Type = %q; want %q", j.Identifier.Type, test.typ)
-				}
-				if j.Identifier.Value != test.value {
-					t.Errorf("j.Identifier.Value = %q; want %q", j.Identifier.Value, test.value)
-				}
-
-				w.Header().Set("Location", "https://ca.tld/acme/auth/1")
-				w.WriteHeader(http.StatusCreated)
-				fmt.Fprintf(w, `{
-					"identifier": {"type":%q,"value":%q},
-					"status":"pending",
-					"challenges":[
-						{
-							"type":"http-01",
-							"status":"pending",
-							"uri":"https://ca.tld/acme/challenge/publickey/id1",
-							"token":"token1"
-						},
-						{
-							"type":"tls-sni-01",
-							"status":"pending",
-							"uri":"https://ca.tld/acme/challenge/publickey/id2",
-							"token":"token2"
-						}
-					],
-					"combinations":[[0],[1]]
-				}`, test.typ, test.value)
-			}))
-			defer ts.Close()
-
-			var (
-				auth *Authorization
-				err  error
-			)
-			cl := Client{
-				Key:          testKeyEC,
-				DirectoryURL: ts.URL,
-				dir:          &Directory{AuthzURL: ts.URL},
-			}
-			switch test.typ {
-			case "dns":
-				auth, err = cl.Authorize(context.Background(), test.value)
-			case "ip":
-				auth, err = cl.AuthorizeIP(context.Background(), test.value)
-			default:
-				t.Fatalf("unknown identifier type: %q", test.typ)
-			}
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			if auth.URI != "https://ca.tld/acme/auth/1" {
-				t.Errorf("URI = %q; want https://ca.tld/acme/auth/1", auth.URI)
-			}
-			if auth.Status != "pending" {
-				t.Errorf("Status = %q; want pending", auth.Status)
-			}
-			if auth.Identifier.Type != test.typ {
-				t.Errorf("Identifier.Type = %q; want %q", auth.Identifier.Type, test.typ)
-			}
-			if auth.Identifier.Value != test.value {
-				t.Errorf("Identifier.Value = %q; want %q", auth.Identifier.Value, test.value)
-			}
-
-			if n := len(auth.Challenges); n != 2 {
-				t.Fatalf("len(auth.Challenges) = %d; want 2", n)
-			}
-
-			c := auth.Challenges[0]
-			if c.Type != "http-01" {
-				t.Errorf("c.Type = %q; want http-01", c.Type)
-			}
-			if c.URI != "https://ca.tld/acme/challenge/publickey/id1" {
-				t.Errorf("c.URI = %q; want https://ca.tld/acme/challenge/publickey/id1", c.URI)
-			}
-			if c.Token != "token1" {
-				t.Errorf("c.Token = %q; want token1", c.Token)
-			}
-
-			c = auth.Challenges[1]
-			if c.Type != "tls-sni-01" {
-				t.Errorf("c.Type = %q; want tls-sni-01", c.Type)
-			}
-			if c.URI != "https://ca.tld/acme/challenge/publickey/id2" {
-				t.Errorf("c.URI = %q; want https://ca.tld/acme/challenge/publickey/id2", c.URI)
-			}
-			if c.Token != "token2" {
-				t.Errorf("c.Token = %q; want token2", c.Token)
-			}
-
-			combs := [][]int{{0}, {1}}
-			if !reflect.DeepEqual(auth.Combinations, combs) {
-				t.Errorf("auth.Combinations: %+v\nwant: %+v\n", auth.Combinations, combs)
-			}
-
-		})
-	}
-}
-
-func TestAuthorizeValid(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method == "HEAD" {
-			w.Header().Set("Replay-Nonce", "nonce")
-			return
-		}
-		w.WriteHeader(http.StatusCreated)
-		w.Write([]byte(`{"status":"valid"}`))
-	}))
-	defer ts.Close()
-	client := Client{
-		Key:          testKey,
-		DirectoryURL: ts.URL,
-		dir:          &Directory{AuthzURL: ts.URL},
-	}
-	_, err := client.Authorize(context.Background(), "example.com")
-	if err != nil {
-		t.Errorf("err = %v", err)
-	}
-}
-
-func TestWaitAuthorization(t *testing.T) {
-	t.Run("wait loop", func(t *testing.T) {
-		var count int
-		authz, err := runWaitAuthorization(context.Background(), t, func(w http.ResponseWriter, r *http.Request) {
-			count++
-			w.Header().Set("Retry-After", "0")
-			if count > 1 {
-				fmt.Fprintf(w, `{"status":"valid"}`)
-				return
-			}
-			fmt.Fprintf(w, `{"status":"pending"}`)
-		})
-		if err != nil {
-			t.Fatalf("non-nil error: %v", err)
-		}
-		if authz == nil {
-			t.Fatal("authz is nil")
-		}
-	})
-	t.Run("invalid status", func(t *testing.T) {
-		_, err := runWaitAuthorization(context.Background(), t, func(w http.ResponseWriter, r *http.Request) {
-			fmt.Fprintf(w, `{"status":"invalid"}`)
-		})
-		if _, ok := err.(*AuthorizationError); !ok {
-			t.Errorf("err is %v (%T); want non-nil *AuthorizationError", err, err)
-		}
-	})
-	t.Run("invalid status with error returns the authorization error", func(t *testing.T) {
-		_, err := runWaitAuthorization(context.Background(), t, func(w http.ResponseWriter, r *http.Request) {
-			fmt.Fprintf(w, `{
-				"type": "dns-01",
-				"status": "invalid",
-				"error": {
-				  "type": "urn:ietf:params:acme:error:caa",
-				  "detail": "CAA record for <domain> prevents issuance",
-				  "status": 403
-				},
-				"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/xxx/xxx",
-				"token": "xxx",
-				"validationRecord": [
-				  {
-					"hostname": "<domain>"
-				  }
-				]
-			  }`)
-		})
-
-		want := &AuthorizationError{
-			Errors: []error{
-				(&wireError{
-					Status: 403,
-					Type:   "urn:ietf:params:acme:error:caa",
-					Detail: "CAA record for <domain> prevents issuance",
-				}).error(nil),
-			},
-		}
-
-		_, ok := err.(*AuthorizationError)
-		if !ok {
-			t.Errorf("err is %T; want non-nil *AuthorizationError", err)
-		}
-
-		if err.Error() != want.Error() {
-			t.Errorf("err is %v; want %v", err, want)
-		}
-	})
-	t.Run("non-retriable error", func(t *testing.T) {
-		const code = http.StatusBadRequest
-		_, err := runWaitAuthorization(context.Background(), t, func(w http.ResponseWriter, r *http.Request) {
-			w.WriteHeader(code)
-		})
-		res, ok := err.(*Error)
-		if !ok {
-			t.Fatalf("err is %v (%T); want a non-nil *Error", err, err)
-		}
-		if res.StatusCode != code {
-			t.Errorf("res.StatusCode = %d; want %d", res.StatusCode, code)
-		}
-	})
-	for _, code := range []int{http.StatusTooManyRequests, http.StatusInternalServerError} {
-		t.Run(fmt.Sprintf("retriable %d error", code), func(t *testing.T) {
-			var count int
-			authz, err := runWaitAuthorization(context.Background(), t, func(w http.ResponseWriter, r *http.Request) {
-				count++
-				w.Header().Set("Retry-After", "0")
-				if count > 1 {
-					fmt.Fprintf(w, `{"status":"valid"}`)
-					return
-				}
-				w.WriteHeader(code)
-			})
-			if err != nil {
-				t.Fatalf("non-nil error: %v", err)
-			}
-			if authz == nil {
-				t.Fatal("authz is nil")
-			}
-		})
-	}
-	t.Run("context cancel", func(t *testing.T) {
-		ctx, cancel := context.WithCancel(context.Background())
-		defer cancel()
-		_, err := runWaitAuthorization(ctx, t, func(w http.ResponseWriter, r *http.Request) {
-			w.Header().Set("Retry-After", "60")
-			fmt.Fprintf(w, `{"status":"pending"}`)
-			time.AfterFunc(1*time.Millisecond, cancel)
-		})
-		if err == nil {
-			t.Error("err is nil")
-		}
-	})
-}
-
-func runWaitAuthorization(ctx context.Context, t *testing.T, h http.HandlerFunc) (*Authorization, error) {
-	t.Helper()
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Replay-Nonce", fmt.Sprintf("bad-test-nonce-%v", time.Now().UnixNano()))
-		h(w, r)
-	}))
-	defer ts.Close()
-
-	client := &Client{
-		Key:          testKey,
-		DirectoryURL: ts.URL,
-		dir:          &Directory{},
-		KID:          "some-key-id", // set to avoid lookup attempt
-	}
-	return client.WaitAuthorization(ctx, ts.URL)
-}
-
-func TestRevokeAuthorization(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method == "HEAD" {
-			w.Header().Set("Replay-Nonce", "nonce")
-			return
-		}
-		switch r.URL.Path {
-		case "/1":
-			var req struct {
-				Resource string
-				Status   string
-				Delete   bool
-			}
-			decodeJWSRequest(t, &req, r.Body)
-			if req.Resource != "authz" {
-				t.Errorf("req.Resource = %q; want authz", req.Resource)
-			}
-			if req.Status != "deactivated" {
-				t.Errorf("req.Status = %q; want deactivated", req.Status)
-			}
-			if !req.Delete {
-				t.Errorf("req.Delete is false")
-			}
-		case "/2":
-			w.WriteHeader(http.StatusBadRequest)
-		}
-	}))
-	defer ts.Close()
-	client := &Client{
-		Key:          testKey,
-		DirectoryURL: ts.URL,       // don't dial outside of localhost
-		dir:          &Directory{}, // don't do discovery
-	}
-	ctx := context.Background()
-	if err := client.RevokeAuthorization(ctx, ts.URL+"/1"); err != nil {
-		t.Errorf("err = %v", err)
-	}
-	if client.RevokeAuthorization(ctx, ts.URL+"/2") == nil {
-		t.Error("nil error")
-	}
-}
-
-func TestFetchCertCancel(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		<-r.Context().Done()
-		w.Header().Set("Retry-After", "0")
-		w.WriteHeader(http.StatusBadRequest)
-	}))
-	defer ts.Close()
-	ctx, cancel := context.WithCancel(context.Background())
-	done := make(chan struct{})
-	var err error
-	go func() {
-		cl := newTestClient()
-		_, err = cl.FetchCert(ctx, ts.URL, false)
-		close(done)
-	}()
-	cancel()
-	<-done
-	if err != context.Canceled {
-		t.Errorf("err = %v; want %v", err, context.Canceled)
-	}
-}
-
-func TestFetchCertDepth(t *testing.T) {
-	var count byte
-	var ts *httptest.Server
-	ts = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		count++
-		if count > maxChainLen+1 {
-			t.Errorf("count = %d; want at most %d", count, maxChainLen+1)
-			w.WriteHeader(http.StatusInternalServerError)
-		}
-		w.Header().Set("Link", fmt.Sprintf("<%s>;rel=up", ts.URL))
-		w.Write([]byte{count})
-	}))
-	defer ts.Close()
-	cl := newTestClient()
-	_, err := cl.FetchCert(context.Background(), ts.URL, true)
-	if err == nil {
-		t.Errorf("err is nil")
-	}
-}
-
-func TestFetchCertBreadth(t *testing.T) {
-	var ts *httptest.Server
-	ts = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		for i := 0; i < maxChainLen+1; i++ {
-			w.Header().Add("Link", fmt.Sprintf("<%s>;rel=up", ts.URL))
-		}
-		w.Write([]byte{1})
-	}))
-	defer ts.Close()
-	cl := newTestClient()
-	_, err := cl.FetchCert(context.Background(), ts.URL, true)
-	if err == nil {
-		t.Errorf("err is nil")
-	}
-}
-
-func TestFetchCertSize(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		b := bytes.Repeat([]byte{1}, maxCertSize+1)
-		w.Write(b)
-	}))
-	defer ts.Close()
-	cl := newTestClient()
-	_, err := cl.FetchCert(context.Background(), ts.URL, false)
-	if err == nil {
-		t.Errorf("err is nil")
-	}
-}
-
-const (
-	leafPEM = `-----BEGIN CERTIFICATE-----
-MIIEizCCAvOgAwIBAgIRAITApw7R8HSs7GU7cj8dEyUwDQYJKoZIhvcNAQELBQAw
-gYUxHjAcBgNVBAoTFW1rY2VydCBkZXZlbG9wbWVudCBDQTEtMCsGA1UECwwkY3Bh
-bG1lckBwdW1wa2luLmxvY2FsIChDaHJpcyBQYWxtZXIpMTQwMgYDVQQDDCtta2Nl
-cnQgY3BhbG1lckBwdW1wa2luLmxvY2FsIChDaHJpcyBQYWxtZXIpMB4XDTIzMDcx
-MjE4MjIxNloXDTI1MTAxMjE4MjIxNlowWDEnMCUGA1UEChMebWtjZXJ0IGRldmVs
-b3BtZW50IGNlcnRpZmljYXRlMS0wKwYDVQQLDCRjcGFsbWVyQHB1bXBraW4ubG9j
-YWwgKENocmlzIFBhbG1lcikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQDNDO8P4MI9jaqVcPtF8C4GgHnTP5EK3U9fgyGApKGxTpicMQkA6z4GXwUP/Fvq
-7RuCU9Wg7By5VetKIHF7FxkxWkUMrssr7mV8v6mRCh/a5GqDs14aj5ucjLQAJV74
-tLAdrCiijQ1fkPWc82fob+LkfKWGCWw7Cxf6ZtEyC8jz/DnfQXUvOiZS729ndGF7
-FobKRfIoirD+GI2NTYIp3LAUFSPR6HXTe7HAg8J81VoUKli8z504+FebfMmHePm/
-zIfiI0njAj4czOlZD56/oLsV0WRUizFjafHHUFz1HVdfFw8Qf9IOOTydYOe8M5i0
-lVbVO5G+HP+JDn3cr9MT41B9AgMBAAGjgaEwgZ4wDgYDVR0PAQH/BAQDAgWgMBMG
-A1UdJQQMMAoGCCsGAQUFBwMBMB8GA1UdIwQYMBaAFPpL4Q0O7Z7voTkjn2rrFCsf
-s8TbMFYGA1UdEQRPME2CC2V4YW1wbGUuY29tgg0qLmV4YW1wbGUuY29tggxleGFt
-cGxlLnRlc3SCCWxvY2FsaG9zdIcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATANBgkq
-hkiG9w0BAQsFAAOCAYEAMlOb7lrHuSxwcnAu7mL1ysTGqKn1d2TyDJAN5W8YFY+4
-XLpofNkK2UzZ0t9LQRnuFUcjmfqmfplh5lpC7pKmtL4G5Qcdc+BczQWcopbxd728
-sht9BKRkH+Bo1I+1WayKKNXW+5bsMv4CH641zxaMBlzjEnPvwKkNaGLMH3x5lIeX
-GGgkKNXwVtINmyV+lTNVtu2IlHprxJGCjRfEuX7mEv6uRnqz3Wif+vgyh3MBgM/1
-dUOsTBNH4a6Jl/9VPSOfRdQOStqIlwTa/J1bhTvivsYt1+eWjLnsQJLgZQqwKvYH
-BJ30gAk1oNnuSkx9dHbx4mO+4mB9oIYUALXUYakb8JHTOnuMSj9qelVj5vjVxl9q
-KRitptU+kLYRA4HSgUXrhDIm4Q6D/w8/ascPqQ3HxPIDFLe+gTofEjqnnsnQB29L
-gWpI8l5/MtXAOMdW69eEovnADc2pgaiif0T+v9nNKBc5xfDZHnrnqIqVzQEwL5Qv
-niQI8IsWD5LcQ1Eg7kCq
-----END CERTIFICATE-----`
-)
-
-func TestGetRenewalURL(t *testing.T) {
-	leaf, _ := pem.Decode([]byte(leafPEM))
-
-	parsedLeaf, err := x509.ParseCertificate(leaf.Bytes)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	client := newTestClientWithMockDirectory()
-	urlString, err := client.getRenewalURL(parsedLeaf)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	parsedURL, err := url.Parse(urlString)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if scheme := parsedURL.Scheme; scheme == "" {
-		t.Fatalf("malformed URL scheme: %q from %q", scheme, urlString)
-	}
-	if host := parsedURL.Host; host == "" {
-		t.Fatalf("malformed URL host: %q from %q", host, urlString)
-	}
-	if parsedURL.RawQuery != "" {
-		t.Fatalf("malformed URL: should not have a query")
-	}
-	path := parsedURL.EscapedPath()
-	slash := strings.LastIndex(path, "/")
-	if slash == -1 {
-		t.Fatalf("malformed URL path: %q from %q", path, urlString)
-	}
-	certID := path[slash+1:]
-	if certID == "" {
-		t.Fatalf("missing certificate identifier in URL path: %q from %q", path, urlString)
-	}
-	certIDParts := strings.Split(certID, ".")
-	if len(certIDParts) != 2 {
-		t.Fatalf("certificate identifier should consist of 2 base64-encoded values separated by a dot: %q from %q", certID, urlString)
-	}
-	if _, err := base64.RawURLEncoding.DecodeString(certIDParts[0]); err != nil {
-		t.Fatalf("malformed AKI part in certificate identifier: %q from %q: %v", certIDParts[0], urlString, err)
-	}
-	if _, err := base64.RawURLEncoding.DecodeString(certIDParts[1]); err != nil {
-		t.Fatalf("malformed Serial part in certificate identifier: %q from %q: %v", certIDParts[1], urlString, err)
-	}
-
-}
-
-func TestUnmarshalRenewalInfo(t *testing.T) {
-	renewalInfoJSON := `{
-     "suggestedWindow": {
-       "start": "2021-01-03T00:00:00Z",
-       "end": "2021-01-07T00:00:00Z"
-     },
-     "explanationURL": "https://example.com/docs/example-mass-reissuance-event"
-   }`
-	expectedStart := time.Date(2021, time.January, 3, 0, 0, 0, 0, time.UTC)
-	expectedEnd := time.Date(2021, time.January, 7, 0, 0, 0, 0, time.UTC)
-
-	var info RenewalInfo
-	if err := json.Unmarshal([]byte(renewalInfoJSON), &info); err != nil {
-		t.Fatal(err)
-	}
-	if _, err := url.Parse(info.ExplanationURL); err != nil {
-		t.Fatal(err)
-	}
-	if !info.SuggestedWindow.Start.Equal(expectedStart) {
-		t.Fatalf("%v != %v", expectedStart, info.SuggestedWindow.Start)
-	}
-	if !info.SuggestedWindow.End.Equal(expectedEnd) {
-		t.Fatalf("%v != %v", expectedEnd, info.SuggestedWindow.End)
-	}
-}
-
-func TestNonce_add(t *testing.T) {
-	var c Client
-	c.addNonce(http.Header{"Replay-Nonce": {"nonce"}})
-	c.addNonce(http.Header{"Replay-Nonce": {}})
-	c.addNonce(http.Header{"Replay-Nonce": {"nonce"}})
-
-	nonces := map[string]struct{}{"nonce": {}}
-	if !reflect.DeepEqual(c.nonces, nonces) {
-		t.Errorf("c.nonces = %q; want %q", c.nonces, nonces)
-	}
-}
-
-func TestNonce_addMax(t *testing.T) {
-	c := &Client{nonces: make(map[string]struct{})}
-	for i := 0; i < maxNonces; i++ {
-		c.nonces[fmt.Sprintf("%d", i)] = struct{}{}
-	}
-	c.addNonce(http.Header{"Replay-Nonce": {"nonce"}})
-	if n := len(c.nonces); n != maxNonces {
-		t.Errorf("len(c.nonces) = %d; want %d", n, maxNonces)
-	}
-}
-
-func TestNonce_fetch(t *testing.T) {
-	tests := []struct {
-		code  int
-		nonce string
-	}{
-		{http.StatusOK, "nonce1"},
-		{http.StatusBadRequest, "nonce2"},
-		{http.StatusOK, ""},
-	}
-	var i int
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method != "HEAD" {
-			t.Errorf("%d: r.Method = %q; want HEAD", i, r.Method)
-		}
-		w.Header().Set("Replay-Nonce", tests[i].nonce)
-		w.WriteHeader(tests[i].code)
-	}))
-	defer ts.Close()
-	for ; i < len(tests); i++ {
-		test := tests[i]
-		c := newTestClient()
-		n, err := c.fetchNonce(context.Background(), ts.URL)
-		if n != test.nonce {
-			t.Errorf("%d: n=%q; want %q", i, n, test.nonce)
-		}
-		switch {
-		case err == nil && test.nonce == "":
-			t.Errorf("%d: n=%q, err=%v; want non-nil error", i, n, err)
-		case err != nil && test.nonce != "":
-			t.Errorf("%d: n=%q, err=%v; want %q", i, n, err, test.nonce)
-		}
-	}
-}
-
-func TestNonce_fetchError(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusTooManyRequests)
-	}))
-	defer ts.Close()
-	c := newTestClient()
-	_, err := c.fetchNonce(context.Background(), ts.URL)
-	e, ok := err.(*Error)
-	if !ok {
-		t.Fatalf("err is %T; want *Error", err)
-	}
-	if e.StatusCode != http.StatusTooManyRequests {
-		t.Errorf("e.StatusCode = %d; want %d", e.StatusCode, http.StatusTooManyRequests)
-	}
-}
-
-func TestNonce_popWhenEmpty(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method != "HEAD" {
-			t.Errorf("r.Method = %q; want HEAD", r.Method)
-		}
-		switch r.URL.Path {
-		case "/dir-with-nonce":
-			w.Header().Set("Replay-Nonce", "dirnonce")
-		case "/new-nonce":
-			w.Header().Set("Replay-Nonce", "newnonce")
-		case "/dir-no-nonce", "/empty":
-			// No nonce in the header.
-		default:
-			t.Errorf("Unknown URL: %s", r.URL)
-		}
-	}))
-	defer ts.Close()
-	ctx := context.Background()
-
-	tt := []struct {
-		dirURL, popURL, nonce string
-		wantOK                bool
-	}{
-		{ts.URL + "/dir-with-nonce", ts.URL + "/new-nonce", "dirnonce", true},
-		{ts.URL + "/dir-no-nonce", ts.URL + "/new-nonce", "newnonce", true},
-		{ts.URL + "/dir-no-nonce", ts.URL + "/empty", "", false},
-	}
-	for _, test := range tt {
-		t.Run(fmt.Sprintf("nonce:%s wantOK:%v", test.nonce, test.wantOK), func(t *testing.T) {
-			c := Client{DirectoryURL: test.dirURL}
-			v, err := c.popNonce(ctx, test.popURL)
-			if !test.wantOK {
-				if err == nil {
-					t.Fatalf("c.popNonce(%q) returned nil error", test.popURL)
-				}
-				return
-			}
-			if err != nil {
-				t.Fatalf("c.popNonce(%q): %v", test.popURL, err)
-			}
-			if v != test.nonce {
-				t.Errorf("c.popNonce(%q) = %q; want %q", test.popURL, v, test.nonce)
-			}
-		})
-	}
-}
-
-func TestLinkHeader(t *testing.T) {
-	h := http.Header{"Link": {
-		`<https://example.com/acme/new-authz>;rel="next"`,
-		`<https://example.com/acme/recover-reg>; rel=recover`,
-		`<https://example.com/acme/terms>; foo=bar; rel="terms-of-service"`,
-		`<dup>;rel="next"`,
-	}}
-	tests := []struct {
-		rel string
-		out []string
-	}{
-		{"next", []string{"https://example.com/acme/new-authz", "dup"}},
-		{"recover", []string{"https://example.com/acme/recover-reg"}},
-		{"terms-of-service", []string{"https://example.com/acme/terms"}},
-		{"empty", nil},
-	}
-	for i, test := range tests {
-		if v := linkHeader(h, test.rel); !reflect.DeepEqual(v, test.out) {
-			t.Errorf("%d: linkHeader(%q): %v; want %v", i, test.rel, v, test.out)
-		}
-	}
-}
-
-func TestTLSSNI01ChallengeCert(t *testing.T) {
-	const (
-		token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
-		// echo -n <token.testKeyECThumbprint> | shasum -a 256
-		san = "dbbd5eefe7b4d06eb9d1d9f5acb4c7cd.a27d320e4b30332f0b6cb441734ad7b0.acme.invalid"
-	)
-
-	tlscert, name, err := newTestClient().TLSSNI01ChallengeCert(token)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if n := len(tlscert.Certificate); n != 1 {
-		t.Fatalf("len(tlscert.Certificate) = %d; want 1", n)
-	}
-	cert, err := x509.ParseCertificate(tlscert.Certificate[0])
-	if err != nil {
-		t.Fatal(err)
-	}
-	if len(cert.DNSNames) != 1 || cert.DNSNames[0] != san {
-		t.Fatalf("cert.DNSNames = %v; want %q", cert.DNSNames, san)
-	}
-	if cert.DNSNames[0] != name {
-		t.Errorf("cert.DNSNames[0] != name: %q vs %q", cert.DNSNames[0], name)
-	}
-	if cn := cert.Subject.CommonName; cn != san {
-		t.Errorf("cert.Subject.CommonName = %q; want %q", cn, san)
-	}
-}
-
-func TestTLSSNI02ChallengeCert(t *testing.T) {
-	const (
-		token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
-		// echo -n evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA | shasum -a 256
-		sanA = "7ea0aaa69214e71e02cebb18bb867736.09b730209baabf60e43d4999979ff139.token.acme.invalid"
-		// echo -n <token.testKeyECThumbprint> | shasum -a 256
-		sanB = "dbbd5eefe7b4d06eb9d1d9f5acb4c7cd.a27d320e4b30332f0b6cb441734ad7b0.ka.acme.invalid"
-	)
-
-	tlscert, name, err := newTestClient().TLSSNI02ChallengeCert(token)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if n := len(tlscert.Certificate); n != 1 {
-		t.Fatalf("len(tlscert.Certificate) = %d; want 1", n)
-	}
-	cert, err := x509.ParseCertificate(tlscert.Certificate[0])
-	if err != nil {
-		t.Fatal(err)
-	}
-	names := []string{sanA, sanB}
-	if !reflect.DeepEqual(cert.DNSNames, names) {
-		t.Fatalf("cert.DNSNames = %v;\nwant %v", cert.DNSNames, names)
-	}
-	sort.Strings(cert.DNSNames)
-	i := sort.SearchStrings(cert.DNSNames, name)
-	if i >= len(cert.DNSNames) || cert.DNSNames[i] != name {
-		t.Errorf("%v doesn't have %q", cert.DNSNames, name)
-	}
-	if cn := cert.Subject.CommonName; cn != sanA {
-		t.Errorf("CommonName = %q; want %q", cn, sanA)
-	}
-}
-
-func TestTLSALPN01ChallengeCert(t *testing.T) {
-	const (
-		token   = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
-		keyAuth = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA." + testKeyECThumbprint
-		// echo -n <token.testKeyECThumbprint> | shasum -a 256
-		h      = "0420dbbd5eefe7b4d06eb9d1d9f5acb4c7cda27d320e4b30332f0b6cb441734ad7b0"
-		domain = "example.com"
-	)
-
-	extValue, err := hex.DecodeString(h)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	tlscert, err := newTestClient().TLSALPN01ChallengeCert(token, domain)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if n := len(tlscert.Certificate); n != 1 {
-		t.Fatalf("len(tlscert.Certificate) = %d; want 1", n)
-	}
-	cert, err := x509.ParseCertificate(tlscert.Certificate[0])
-	if err != nil {
-		t.Fatal(err)
-	}
-	names := []string{domain}
-	if !reflect.DeepEqual(cert.DNSNames, names) {
-		t.Fatalf("cert.DNSNames = %v;\nwant %v", cert.DNSNames, names)
-	}
-	if cn := cert.Subject.CommonName; cn != domain {
-		t.Errorf("CommonName = %q; want %q", cn, domain)
-	}
-	acmeExts := []pkix.Extension{}
-	for _, ext := range cert.Extensions {
-		if idPeACMEIdentifier.Equal(ext.Id) {
-			acmeExts = append(acmeExts, ext)
-		}
-	}
-	if len(acmeExts) != 1 {
-		t.Errorf("acmeExts = %v; want exactly one", acmeExts)
-	}
-	if !acmeExts[0].Critical {
-		t.Errorf("acmeExt.Critical = %v; want true", acmeExts[0].Critical)
-	}
-	if bytes.Compare(acmeExts[0].Value, extValue) != 0 {
-		t.Errorf("acmeExt.Value = %v; want %v", acmeExts[0].Value, extValue)
-	}
-
-}
-
-func TestTLSChallengeCertOpt(t *testing.T) {
-	key, err := rsa.GenerateKey(rand.Reader, 512)
-	if err != nil {
-		t.Fatal(err)
-	}
-	tmpl := &x509.Certificate{
-		SerialNumber: big.NewInt(2),
-		Subject:      pkix.Name{Organization: []string{"Test"}},
-		DNSNames:     []string{"should-be-overwritten"},
-	}
-	opts := []CertOption{WithKey(key), WithTemplate(tmpl)}
-
-	client := newTestClient()
-	cert1, _, err := client.TLSSNI01ChallengeCert("token", opts...)
-	if err != nil {
-		t.Fatal(err)
-	}
-	cert2, _, err := client.TLSSNI02ChallengeCert("token", opts...)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	for i, tlscert := range []tls.Certificate{cert1, cert2} {
-		// verify generated cert private key
-		tlskey, ok := tlscert.PrivateKey.(*rsa.PrivateKey)
-		if !ok {
-			t.Errorf("%d: tlscert.PrivateKey is %T; want *rsa.PrivateKey", i, tlscert.PrivateKey)
-			continue
-		}
-		if tlskey.D.Cmp(key.D) != 0 {
-			t.Errorf("%d: tlskey.D = %v; want %v", i, tlskey.D, key.D)
-		}
-		// verify generated cert public key
-		x509Cert, err := x509.ParseCertificate(tlscert.Certificate[0])
-		if err != nil {
-			t.Errorf("%d: %v", i, err)
-			continue
-		}
-		tlspub, ok := x509Cert.PublicKey.(*rsa.PublicKey)
-		if !ok {
-			t.Errorf("%d: x509Cert.PublicKey is %T; want *rsa.PublicKey", i, x509Cert.PublicKey)
-			continue
-		}
-		if tlspub.N.Cmp(key.N) != 0 {
-			t.Errorf("%d: tlspub.N = %v; want %v", i, tlspub.N, key.N)
-		}
-		// verify template option
-		sn := big.NewInt(2)
-		if x509Cert.SerialNumber.Cmp(sn) != 0 {
-			t.Errorf("%d: SerialNumber = %v; want %v", i, x509Cert.SerialNumber, sn)
-		}
-		org := []string{"Test"}
-		if !reflect.DeepEqual(x509Cert.Subject.Organization, org) {
-			t.Errorf("%d: Subject.Organization = %+v; want %+v", i, x509Cert.Subject.Organization, org)
-		}
-		for _, v := range x509Cert.DNSNames {
-			if !strings.HasSuffix(v, ".acme.invalid") {
-				t.Errorf("%d: invalid DNSNames element: %q", i, v)
-			}
-		}
-	}
-}
-
-func TestHTTP01Challenge(t *testing.T) {
-	const (
-		token = "xxx"
-		// thumbprint is precomputed for testKeyEC in jws_test.go
-		value   = token + "." + testKeyECThumbprint
-		urlpath = "/.well-known/acme-challenge/" + token
-	)
-	client := newTestClient()
-	val, err := client.HTTP01ChallengeResponse(token)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if val != value {
-		t.Errorf("val = %q; want %q", val, value)
-	}
-	if path := client.HTTP01ChallengePath(token); path != urlpath {
-		t.Errorf("path = %q; want %q", path, urlpath)
-	}
-}
-
-func TestDNS01ChallengeRecord(t *testing.T) {
-	// echo -n xxx.<testKeyECThumbprint> | \
-	//      openssl dgst -binary -sha256 | \
-	//      base64 | tr -d '=' | tr '/+' '_-'
-	const value = "8DERMexQ5VcdJ_prpPiA0mVdp7imgbCgjsG4SqqNMIo"
-
-	val, err := newTestClient().DNS01ChallengeRecord("xxx")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if val != value {
-		t.Errorf("val = %q; want %q", val, value)
-	}
-}
--- a/tempfork/acme/http.go
+++ b/tempfork/acme/http.go
@@ -1,325 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package acme
-
-import (
-	"bytes"
-	"context"
-	"crypto"
-	"crypto/rand"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"math/big"
-	"net/http"
-	"strconv"
-	"strings"
-	"time"
-)
-
-// retryTimer encapsulates common logic for retrying unsuccessful requests.
-// It is not safe for concurrent use.
-type retryTimer struct {
-	// backoffFn provides backoff delay sequence for retries.
-	// See Client.RetryBackoff doc comment.
-	backoffFn func(n int, r *http.Request, res *http.Response) time.Duration
-	// n is the current retry attempt.
-	n int
-}
-
-func (t *retryTimer) inc() {
-	t.n++
-}
-
-// backoff pauses the current goroutine as described in Client.RetryBackoff.
-func (t *retryTimer) backoff(ctx context.Context, r *http.Request, res *http.Response) error {
-	d := t.backoffFn(t.n, r, res)
-	if d <= 0 {
-		return fmt.Errorf("acme: no more retries for %s; tried %d time(s)", r.URL, t.n)
-	}
-	wakeup := time.NewTimer(d)
-	defer wakeup.Stop()
-	select {
-	case <-ctx.Done():
-		return ctx.Err()
-	case <-wakeup.C:
-		return nil
-	}
-}
-
-func (c *Client) retryTimer() *retryTimer {
-	f := c.RetryBackoff
-	if f == nil {
-		f = defaultBackoff
-	}
-	return &retryTimer{backoffFn: f}
-}
-
-// defaultBackoff provides default Client.RetryBackoff implementation
-// using a truncated exponential backoff algorithm,
-// as described in Client.RetryBackoff.
-//
-// The n argument is always bounded between 1 and 30.
-// The returned value is always greater than 0.
-func defaultBackoff(n int, r *http.Request, res *http.Response) time.Duration {
-	const max = 10 * time.Second
-	var jitter time.Duration
-	if x, err := rand.Int(rand.Reader, big.NewInt(1000)); err == nil {
-		// Set the minimum to 1ms to avoid a case where
-		// an invalid Retry-After value is parsed into 0 below,
-		// resulting in the 0 returned value which would unintentionally
-		// stop the retries.
-		jitter = (1 + time.Duration(x.Int64())) * time.Millisecond
-	}
-	if v, ok := res.Header["Retry-After"]; ok {
-		return retryAfter(v[0]) + jitter
-	}
-
-	if n < 1 {
-		n = 1
-	}
-	if n > 30 {
-		n = 30
-	}
-	d := time.Duration(1<<uint(n-1))*time.Second + jitter
-	if d > max {
-		return max
-	}
-	return d
-}
-
-// retryAfter parses a Retry-After HTTP header value,
-// trying to convert v into an int (seconds) or use http.ParseTime otherwise.
-// It returns zero value if v cannot be parsed.
-func retryAfter(v string) time.Duration {
-	if i, err := strconv.Atoi(v); err == nil {
-		return time.Duration(i) * time.Second
-	}
-	t, err := http.ParseTime(v)
-	if err != nil {
-		return 0
-	}
-	return t.Sub(timeNow())
-}
-
-// resOkay is a function that reports whether the provided response is okay.
-// It is expected to keep the response body unread.
-type resOkay func(*http.Response) bool
-
-// wantStatus returns a function which reports whether the code
-// matches the status code of a response.
-func wantStatus(codes ...int) resOkay {
-	return func(res *http.Response) bool {
-		for _, code := range codes {
-			if code == res.StatusCode {
-				return true
-			}
-		}
-		return false
-	}
-}
-
-// get issues an unsigned GET request to the specified URL.
-// It returns a non-error value only when ok reports true.
-//
-// get retries unsuccessful attempts according to c.RetryBackoff
-// until the context is done or a non-retriable error is received.
-func (c *Client) get(ctx context.Context, url string, ok resOkay) (*http.Response, error) {
-	retry := c.retryTimer()
-	for {
-		req, err := http.NewRequest("GET", url, nil)
-		if err != nil {
-			return nil, err
-		}
-		res, err := c.doNoRetry(ctx, req)
-		switch {
-		case err != nil:
-			return nil, err
-		case ok(res):
-			return res, nil
-		case isRetriable(res.StatusCode):
-			retry.inc()
-			resErr := responseError(res)
-			res.Body.Close()
-			// Ignore the error value from retry.backoff
-			// and return the one from last retry, as received from the CA.
-			if retry.backoff(ctx, req, res) != nil {
-				return nil, resErr
-			}
-		default:
-			defer res.Body.Close()
-			return nil, responseError(res)
-		}
-	}
-}
-
-// postAsGet is POST-as-GET, a replacement for GET in RFC 8555
-// as described in https://tools.ietf.org/html/rfc8555#section-6.3.
-// It makes a POST request in KID form with zero JWS payload.
-// See nopayload doc comments in jws.go.
-func (c *Client) postAsGet(ctx context.Context, url string, ok resOkay) (*http.Response, error) {
-	return c.post(ctx, nil, url, noPayload, ok)
-}
-
-// post issues a signed POST request in JWS format using the provided key
-// to the specified URL. If key is nil, c.Key is used instead.
-// It returns a non-error value only when ok reports true.
-//
-// post retries unsuccessful attempts according to c.RetryBackoff
-// until the context is done or a non-retriable error is received.
-// It uses postNoRetry to make individual requests.
-func (c *Client) post(ctx context.Context, key crypto.Signer, url string, body interface{}, ok resOkay) (*http.Response, error) {
-	retry := c.retryTimer()
-	for {
-		res, req, err := c.postNoRetry(ctx, key, url, body)
-		if err != nil {
-			return nil, err
-		}
-		if ok(res) {
-			return res, nil
-		}
-		resErr := responseError(res)
-		res.Body.Close()
-		switch {
-		// Check for bad nonce before isRetriable because it may have been returned
-		// with an unretriable response code such as 400 Bad Request.
-		case isBadNonce(resErr):
-			// Consider any previously stored nonce values to be invalid.
-			c.clearNonces()
-		case !isRetriable(res.StatusCode):
-			return nil, resErr
-		}
-		retry.inc()
-		// Ignore the error value from retry.backoff
-		// and return the one from last retry, as received from the CA.
-		if err := retry.backoff(ctx, req, res); err != nil {
-			return nil, resErr
-		}
-	}
-}
-
-// postNoRetry signs the body with the given key and POSTs it to the provided url.
-// It is used by c.post to retry unsuccessful attempts.
-// The body argument must be JSON-serializable.
-//
-// If key argument is nil, c.Key is used to sign the request.
-// If key argument is nil and c.accountKID returns a non-zero keyID,
-// the request is sent in KID form. Otherwise, JWK form is used.
-//
-// In practice, when interfacing with RFC-compliant CAs most requests are sent in KID form
-// and JWK is used only when KID is unavailable: new account endpoint and certificate
-// revocation requests authenticated by a cert key.
-// See jwsEncodeJSON for other details.
-func (c *Client) postNoRetry(ctx context.Context, key crypto.Signer, url string, body interface{}) (*http.Response, *http.Request, error) {
-	kid := noKeyID
-	if key == nil {
-		if c.Key == nil {
-			return nil, nil, errors.New("acme: Client.Key must be populated to make POST requests")
-		}
-		key = c.Key
-		kid = c.accountKID(ctx)
-	}
-	nonce, err := c.popNonce(ctx, url)
-	if err != nil {
-		return nil, nil, err
-	}
-	b, err := jwsEncodeJSON(body, key, kid, nonce, url)
-	if err != nil {
-		return nil, nil, err
-	}
-	req, err := http.NewRequest("POST", url, bytes.NewReader(b))
-	if err != nil {
-		return nil, nil, err
-	}
-	req.Header.Set("Content-Type", "application/jose+json")
-	res, err := c.doNoRetry(ctx, req)
-	if err != nil {
-		return nil, nil, err
-	}
-	c.addNonce(res.Header)
-	return res, req, nil
-}
-
-// doNoRetry issues a request req, replacing its context (if any) with ctx.
-func (c *Client) doNoRetry(ctx context.Context, req *http.Request) (*http.Response, error) {
-	req.Header.Set("User-Agent", c.userAgent())
-	res, err := c.httpClient().Do(req.WithContext(ctx))
-	if err != nil {
-		select {
-		case <-ctx.Done():
-			// Prefer the unadorned context error.
-			// (The acme package had tests assuming this, previously from ctxhttp's
-			// behavior, predating net/http supporting contexts natively)
-			// TODO(bradfitz): reconsider this in the future. But for now this
-			// requires no test updates.
-			return nil, ctx.Err()
-		default:
-			return nil, err
-		}
-	}
-	return res, nil
-}
-
-func (c *Client) httpClient() *http.Client {
-	if c.HTTPClient != nil {
-		return c.HTTPClient
-	}
-	return http.DefaultClient
-}
-
-// packageVersion is the version of the module that contains this package, for
-// sending as part of the User-Agent header. It's set in version_go112.go.
-var packageVersion string
-
-// userAgent returns the User-Agent header value. It includes the package name,
-// the module version (if available), and the c.UserAgent value (if set).
-func (c *Client) userAgent() string {
-	ua := "golang.org/x/crypto/acme"
-	if packageVersion != "" {
-		ua += "@" + packageVersion
-	}
-	if c.UserAgent != "" {
-		ua = c.UserAgent + " " + ua
-	}
-	return ua
-}
-
-// isBadNonce reports whether err is an ACME "badnonce" error.
-func isBadNonce(err error) bool {
-	// According to the spec badNonce is urn:ietf:params:acme:error:badNonce.
-	// However, ACME servers in the wild return their versions of the error.
-	// See https://tools.ietf.org/html/draft-ietf-acme-acme-02#section-5.4
-	// and https://github.com/letsencrypt/boulder/blob/0e07eacb/docs/acme-divergences.md#section-66.
-	ae, ok := err.(*Error)
-	return ok && strings.HasSuffix(strings.ToLower(ae.ProblemType), ":badnonce")
-}
-
-// isRetriable reports whether a request can be retried
-// based on the response status code.
-//
-// Note that a "bad nonce" error is returned with a non-retriable 400 Bad Request code.
-// Callers should parse the response and check with isBadNonce.
-func isRetriable(code int) bool {
-	return code <= 399 || code >= 500 || code == http.StatusTooManyRequests
-}
-
-// responseError creates an error of Error type from resp.
-func responseError(resp *http.Response) error {
-	// don't care if ReadAll returns an error:
-	// json.Unmarshal will fail in that case anyway
-	b, _ := io.ReadAll(resp.Body)
-	e := &wireError{Status: resp.StatusCode}
-	if err := json.Unmarshal(b, e); err != nil {
-		// this is not a regular error response:
-		// populate detail with anything we received,
-		// e.Status will already contain HTTP response code value
-		e.Detail = string(b)
-		if e.Detail == "" {
-			e.Detail = resp.Status
-		}
-	}
-	return e.error(resp.Header)
-}
--- a/tempfork/acme/http_test.go
+++ b/tempfork/acme/http_test.go
@@ -1,255 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package acme
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"net/http"
-	"net/http/httptest"
-	"reflect"
-	"strings"
-	"testing"
-	"time"
-)
-
-func TestDefaultBackoff(t *testing.T) {
-	tt := []struct {
-		nretry     int
-		retryAfter string        // Retry-After header
-		out        time.Duration // expected min; max = min + jitter
-	}{
-		{-1, "", time.Second},       // verify the lower bound is 1
-		{0, "", time.Second},        // verify the lower bound is 1
-		{100, "", 10 * time.Second}, // verify the ceiling
-		{1, "3600", time.Hour},      // verify the header value is used
-		{1, "", 1 * time.Second},
-		{2, "", 2 * time.Second},
-		{3, "", 4 * time.Second},
-		{4, "", 8 * time.Second},
-	}
-	for i, test := range tt {
-		r := httptest.NewRequest("GET", "/", nil)
-		resp := &http.Response{Header: http.Header{}}
-		if test.retryAfter != "" {
-			resp.Header.Set("Retry-After", test.retryAfter)
-		}
-		d := defaultBackoff(test.nretry, r, resp)
-		max := test.out + time.Second // + max jitter
-		if d < test.out || max < d {
-			t.Errorf("%d: defaultBackoff(%v) = %v; want between %v and %v", i, test.nretry, d, test.out, max)
-		}
-	}
-}
-
-func TestErrorResponse(t *testing.T) {
-	s := `{
-		"status": 400,
-		"type": "urn:acme:error:xxx",
-		"detail": "text"
-	}`
-	res := &http.Response{
-		StatusCode: 400,
-		Status:     "400 Bad Request",
-		Body:       io.NopCloser(strings.NewReader(s)),
-		Header:     http.Header{"X-Foo": {"bar"}},
-	}
-	err := responseError(res)
-	v, ok := err.(*Error)
-	if !ok {
-		t.Fatalf("err = %+v (%T); want *Error type", err, err)
-	}
-	if v.StatusCode != 400 {
-		t.Errorf("v.StatusCode = %v; want 400", v.StatusCode)
-	}
-	if v.ProblemType != "urn:acme:error:xxx" {
-		t.Errorf("v.ProblemType = %q; want urn:acme:error:xxx", v.ProblemType)
-	}
-	if v.Detail != "text" {
-		t.Errorf("v.Detail = %q; want text", v.Detail)
-	}
-	if !reflect.DeepEqual(v.Header, res.Header) {
-		t.Errorf("v.Header = %+v; want %+v", v.Header, res.Header)
-	}
-}
-
-func TestPostWithRetries(t *testing.T) {
-	var count int
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		count++
-		w.Header().Set("Replay-Nonce", fmt.Sprintf("nonce%d", count))
-		if r.Method == "HEAD" {
-			// We expect the client to do 2 head requests to fetch
-			// nonces, one to start and another after getting badNonce
-			return
-		}
-
-		head, err := decodeJWSHead(r.Body)
-		switch {
-		case err != nil:
-			t.Errorf("decodeJWSHead: %v", err)
-		case head.Nonce == "":
-			t.Error("head.Nonce is empty")
-		case head.Nonce == "nonce1":
-			// Return a badNonce error to force the call to retry.
-			w.Header().Set("Retry-After", "0")
-			w.WriteHeader(http.StatusBadRequest)
-			w.Write([]byte(`{"type":"urn:ietf:params:acme:error:badNonce"}`))
-			return
-		}
-		// Make client.Authorize happy; we're not testing its result.
-		w.WriteHeader(http.StatusCreated)
-		w.Write([]byte(`{"status":"valid"}`))
-	}))
-	defer ts.Close()
-
-	client := &Client{
-		Key:          testKey,
-		DirectoryURL: ts.URL,
-		dir:          &Directory{AuthzURL: ts.URL},
-	}
-	// This call will fail with badNonce, causing a retry
-	if _, err := client.Authorize(context.Background(), "example.com"); err != nil {
-		t.Errorf("client.Authorize 1: %v", err)
-	}
-	if count != 3 {
-		t.Errorf("total requests count: %d; want 3", count)
-	}
-}
-
-func TestRetryErrorType(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Replay-Nonce", "nonce")
-		w.WriteHeader(http.StatusTooManyRequests)
-		w.Write([]byte(`{"type":"rateLimited"}`))
-	}))
-	defer ts.Close()
-
-	client := &Client{
-		Key: testKey,
-		RetryBackoff: func(n int, r *http.Request, res *http.Response) time.Duration {
-			// Do no retries.
-			return 0
-		},
-		dir: &Directory{AuthzURL: ts.URL},
-	}
-
-	t.Run("post", func(t *testing.T) {
-		testRetryErrorType(t, func() error {
-			_, err := client.Authorize(context.Background(), "example.com")
-			return err
-		})
-	})
-	t.Run("get", func(t *testing.T) {
-		testRetryErrorType(t, func() error {
-			_, err := client.GetAuthorization(context.Background(), ts.URL)
-			return err
-		})
-	})
-}
-
-func testRetryErrorType(t *testing.T, callClient func() error) {
-	t.Helper()
-	err := callClient()
-	if err == nil {
-		t.Fatal("client.Authorize returned nil error")
-	}
-	acmeErr, ok := err.(*Error)
-	if !ok {
-		t.Fatalf("err is %v (%T); want *Error", err, err)
-	}
-	if acmeErr.StatusCode != http.StatusTooManyRequests {
-		t.Errorf("acmeErr.StatusCode = %d; want %d", acmeErr.StatusCode, http.StatusTooManyRequests)
-	}
-	if acmeErr.ProblemType != "rateLimited" {
-		t.Errorf("acmeErr.ProblemType = %q; want 'rateLimited'", acmeErr.ProblemType)
-	}
-}
-
-func TestRetryBackoffArgs(t *testing.T) {
-	const resCode = http.StatusInternalServerError
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Replay-Nonce", "test-nonce")
-		w.WriteHeader(resCode)
-	}))
-	defer ts.Close()
-
-	// Canceled in backoff.
-	ctx, cancel := context.WithCancel(context.Background())
-
-	var nretry int
-	backoff := func(n int, r *http.Request, res *http.Response) time.Duration {
-		nretry++
-		if n != nretry {
-			t.Errorf("n = %d; want %d", n, nretry)
-		}
-		if nretry == 3 {
-			cancel()
-		}
-
-		if r == nil {
-			t.Error("r is nil")
-		}
-		if res.StatusCode != resCode {
-			t.Errorf("res.StatusCode = %d; want %d", res.StatusCode, resCode)
-		}
-		return time.Millisecond
-	}
-
-	client := &Client{
-		Key:          testKey,
-		RetryBackoff: backoff,
-		dir:          &Directory{AuthzURL: ts.URL},
-	}
-	if _, err := client.Authorize(ctx, "example.com"); err == nil {
-		t.Error("err is nil")
-	}
-	if nretry != 3 {
-		t.Errorf("nretry = %d; want 3", nretry)
-	}
-}
-
-func TestUserAgent(t *testing.T) {
-	for _, custom := range []string{"", "CUSTOM_UA"} {
-		ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			t.Log(r.UserAgent())
-			if s := "golang.org/x/crypto/acme"; !strings.Contains(r.UserAgent(), s) {
-				t.Errorf("expected User-Agent to contain %q, got %q", s, r.UserAgent())
-			}
-			if !strings.Contains(r.UserAgent(), custom) {
-				t.Errorf("expected User-Agent to contain %q, got %q", custom, r.UserAgent())
-			}
-
-			w.WriteHeader(http.StatusOK)
-			w.Write([]byte(`{"newOrder": "sure"}`))
-		}))
-		defer ts.Close()
-
-		client := &Client{
-			Key:          testKey,
-			DirectoryURL: ts.URL,
-			UserAgent:    custom,
-		}
-		if _, err := client.Discover(context.Background()); err != nil {
-			t.Errorf("client.Discover: %v", err)
-		}
-	}
-}
-
-func TestAccountKidLoop(t *testing.T) {
-	// if Client.postNoRetry is called with a nil key argument
-	// then Client.Key must be set, otherwise we fall into an
-	// infinite loop (which also causes a deadlock).
-	client := &Client{dir: &Directory{OrderURL: ":)"}}
-	_, _, err := client.postNoRetry(context.Background(), nil, "", nil)
-	if err == nil {
-		t.Fatal("Client.postNoRetry didn't fail with a nil key")
-	}
-	expected := "acme: Client.Key must be populated to make POST requests"
-	if err.Error() != expected {
-		t.Fatalf("Unexpected error returned: wanted %q, got %q", expected, err.Error())
-	}
-}
--- a/tempfork/acme/jws.go
+++ b/tempfork/acme/jws.go
@@ -1,257 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package acme
-
-import (
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/hmac"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/sha256"
-	_ "crypto/sha512" // need for EC keys
-	"encoding/asn1"
-	"encoding/base64"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"math/big"
-)
-
-// KeyID is the account key identity provided by a CA during registration.
-type KeyID string
-
-// noKeyID indicates that jwsEncodeJSON should compute and use JWK instead of a KID.
-// See jwsEncodeJSON for details.
-const noKeyID = KeyID("")
-
-// noPayload indicates jwsEncodeJSON will encode zero-length octet string
-// in a JWS request. This is called POST-as-GET in RFC 8555 and is used to make
-// authenticated GET requests via POSTing with an empty payload.
-// See https://tools.ietf.org/html/rfc8555#section-6.3 for more details.
-const noPayload = ""
-
-// noNonce indicates that the nonce should be omitted from the protected header.
-// See jwsEncodeJSON for details.
-const noNonce = ""
-
-// jsonWebSignature can be easily serialized into a JWS following
-// https://tools.ietf.org/html/rfc7515#section-3.2.
-type jsonWebSignature struct {
-	Protected string `json:"protected"`
-	Payload   string `json:"payload"`
-	Sig       string `json:"signature"`
-}
-
-// jwsEncodeJSON signs claimset using provided key and a nonce.
-// The result is serialized in JSON format containing either kid or jwk
-// fields based on the provided KeyID value.
-//
-// The claimset is marshalled using json.Marshal unless it is a string.
-// In which case it is inserted directly into the message.
-//
-// If kid is non-empty, its quoted value is inserted in the protected header
-// as "kid" field value. Otherwise, JWK is computed using jwkEncode and inserted
-// as "jwk" field value. The "jwk" and "kid" fields are mutually exclusive.
-//
-// If nonce is non-empty, its quoted value is inserted in the protected header.
-//
-// See https://tools.ietf.org/html/rfc7515#section-7.
-func jwsEncodeJSON(claimset interface{}, key crypto.Signer, kid KeyID, nonce, url string) ([]byte, error) {
-	if key == nil {
-		return nil, errors.New("nil key")
-	}
-	alg, sha := jwsHasher(key.Public())
-	if alg == "" || !sha.Available() {
-		return nil, ErrUnsupportedKey
-	}
-	headers := struct {
-		Alg   string          `json:"alg"`
-		KID   string          `json:"kid,omitempty"`
-		JWK   json.RawMessage `json:"jwk,omitempty"`
-		Nonce string          `json:"nonce,omitempty"`
-		URL   string          `json:"url"`
-	}{
-		Alg:   alg,
-		Nonce: nonce,
-		URL:   url,
-	}
-	switch kid {
-	case noKeyID:
-		jwk, err := jwkEncode(key.Public())
-		if err != nil {
-			return nil, err
-		}
-		headers.JWK = json.RawMessage(jwk)
-	default:
-		headers.KID = string(kid)
-	}
-	phJSON, err := json.Marshal(headers)
-	if err != nil {
-		return nil, err
-	}
-	phead := base64.RawURLEncoding.EncodeToString([]byte(phJSON))
-	var payload string
-	if val, ok := claimset.(string); ok {
-		payload = val
-	} else {
-		cs, err := json.Marshal(claimset)
-		if err != nil {
-			return nil, err
-		}
-		payload = base64.RawURLEncoding.EncodeToString(cs)
-	}
-	hash := sha.New()
-	hash.Write([]byte(phead + "." + payload))
-	sig, err := jwsSign(key, sha, hash.Sum(nil))
-	if err != nil {
-		return nil, err
-	}
-	enc := jsonWebSignature{
-		Protected: phead,
-		Payload:   payload,
-		Sig:       base64.RawURLEncoding.EncodeToString(sig),
-	}
-	return json.Marshal(&enc)
-}
-
-// jwsWithMAC creates and signs a JWS using the given key and the HS256
-// algorithm. kid and url are included in the protected header. rawPayload
-// should not be base64-URL-encoded.
-func jwsWithMAC(key []byte, kid, url string, rawPayload []byte) (*jsonWebSignature, error) {
-	if len(key) == 0 {
-		return nil, errors.New("acme: cannot sign JWS with an empty MAC key")
-	}
-	header := struct {
-		Algorithm string `json:"alg"`
-		KID       string `json:"kid"`
-		URL       string `json:"url,omitempty"`
-	}{
-		// Only HMAC-SHA256 is supported.
-		Algorithm: "HS256",
-		KID:       kid,
-		URL:       url,
-	}
-	rawProtected, err := json.Marshal(header)
-	if err != nil {
-		return nil, err
-	}
-	protected := base64.RawURLEncoding.EncodeToString(rawProtected)
-	payload := base64.RawURLEncoding.EncodeToString(rawPayload)
-
-	h := hmac.New(sha256.New, key)
-	if _, err := h.Write([]byte(protected + "." + payload)); err != nil {
-		return nil, err
-	}
-	mac := h.Sum(nil)
-
-	return &jsonWebSignature{
-		Protected: protected,
-		Payload:   payload,
-		Sig:       base64.RawURLEncoding.EncodeToString(mac),
-	}, nil
-}
-
-// jwkEncode encodes public part of an RSA or ECDSA key into a JWK.
-// The result is also suitable for creating a JWK thumbprint.
-// https://tools.ietf.org/html/rfc7517
-func jwkEncode(pub crypto.PublicKey) (string, error) {
-	switch pub := pub.(type) {
-	case *rsa.PublicKey:
-		// https://tools.ietf.org/html/rfc7518#section-6.3.1
-		n := pub.N
-		e := big.NewInt(int64(pub.E))
-		// Field order is important.
-		// See https://tools.ietf.org/html/rfc7638#section-3.3 for details.
-		return fmt.Sprintf(`{"e":"%s","kty":"RSA","n":"%s"}`,
-			base64.RawURLEncoding.EncodeToString(e.Bytes()),
-			base64.RawURLEncoding.EncodeToString(n.Bytes()),
-		), nil
-	case *ecdsa.PublicKey:
-		// https://tools.ietf.org/html/rfc7518#section-6.2.1
-		p := pub.Curve.Params()
-		n := p.BitSize / 8
-		if p.BitSize%8 != 0 {
-			n++
-		}
-		x := pub.X.Bytes()
-		if n > len(x) {
-			x = append(make([]byte, n-len(x)), x...)
-		}
-		y := pub.Y.Bytes()
-		if n > len(y) {
-			y = append(make([]byte, n-len(y)), y...)
-		}
-		// Field order is important.
-		// See https://tools.ietf.org/html/rfc7638#section-3.3 for details.
-		return fmt.Sprintf(`{"crv":"%s","kty":"EC","x":"%s","y":"%s"}`,
-			p.Name,
-			base64.RawURLEncoding.EncodeToString(x),
-			base64.RawURLEncoding.EncodeToString(y),
-		), nil
-	}
-	return "", ErrUnsupportedKey
-}
-
-// jwsSign signs the digest using the given key.
-// The hash is unused for ECDSA keys.
-func jwsSign(key crypto.Signer, hash crypto.Hash, digest []byte) ([]byte, error) {
-	switch pub := key.Public().(type) {
-	case *rsa.PublicKey:
-		return key.Sign(rand.Reader, digest, hash)
-	case *ecdsa.PublicKey:
-		sigASN1, err := key.Sign(rand.Reader, digest, hash)
-		if err != nil {
-			return nil, err
-		}
-
-		var rs struct{ R, S *big.Int }
-		if _, err := asn1.Unmarshal(sigASN1, &rs); err != nil {
-			return nil, err
-		}
-
-		rb, sb := rs.R.Bytes(), rs.S.Bytes()
-		size := pub.Params().BitSize / 8
-		if size%8 > 0 {
-			size++
-		}
-		sig := make([]byte, size*2)
-		copy(sig[size-len(rb):], rb)
-		copy(sig[size*2-len(sb):], sb)
-		return sig, nil
-	}
-	return nil, ErrUnsupportedKey
-}
-
-// jwsHasher indicates suitable JWS algorithm name and a hash function
-// to use for signing a digest with the provided key.
-// It returns ("", 0) if the key is not supported.
-func jwsHasher(pub crypto.PublicKey) (string, crypto.Hash) {
-	switch pub := pub.(type) {
-	case *rsa.PublicKey:
-		return "RS256", crypto.SHA256
-	case *ecdsa.PublicKey:
-		switch pub.Params().Name {
-		case "P-256":
-			return "ES256", crypto.SHA256
-		case "P-384":
-			return "ES384", crypto.SHA384
-		case "P-521":
-			return "ES512", crypto.SHA512
-		}
-	}
-	return "", 0
-}
-
-// JWKThumbprint creates a JWK thumbprint out of pub
-// as specified in https://tools.ietf.org/html/rfc7638.
-func JWKThumbprint(pub crypto.PublicKey) (string, error) {
-	jwk, err := jwkEncode(pub)
-	if err != nil {
-		return "", err
-	}
-	b := sha256.Sum256([]byte(jwk))
-	return base64.RawURLEncoding.EncodeToString(b[:]), nil
-}
--- a/tempfork/acme/jws_test.go
+++ b/tempfork/acme/jws_test.go
@@ -1,550 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package acme
-
-import (
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rsa"
-	"crypto/sha256"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/json"
-	"encoding/pem"
-	"fmt"
-	"io"
-	"math/big"
-	"testing"
-)
-
-// The following shell command alias is used in the comments
-// throughout this file:
-// alias b64raw="base64 -w0 | tr -d '=' | tr '/+' '_-'"
-
-const (
-	// Modulus in raw base64:
-	// 4xgZ3eRPkwoRvy7qeRUbmMDe0V-xH9eWLdu0iheeLlrmD2mqWXfP9IeSKApbn34
-	// g8TuAS9g5zhq8ELQ3kmjr-KV86GAMgI6VAcGlq3QrzpTCf_30Ab7-zawrfRaFON
-	// a1HwEzPY1KHnGVkxJc85gNkwYI9SY2RHXtvln3zs5wITNrdosqEXeaIkVYBEhbh
-	// Nu54pp3kxo6TuWLi9e6pXeWetEwmlBwtWZlPoib2j3TxLBksKZfoyFyek380mHg
-	// JAumQ_I2fjj98_97mk3ihOY4AgVdCDj1z_GCoZkG5Rq7nbCGyosyKWyDX00Zs-n
-	// NqVhoLeIvXC4nnWdJMZ6rogxyQQ
-	testKeyPEM = `
-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA4xgZ3eRPkwoRvy7qeRUbmMDe0V+xH9eWLdu0iheeLlrmD2mq
-WXfP9IeSKApbn34g8TuAS9g5zhq8ELQ3kmjr+KV86GAMgI6VAcGlq3QrzpTCf/30
-Ab7+zawrfRaFONa1HwEzPY1KHnGVkxJc85gNkwYI9SY2RHXtvln3zs5wITNrdosq
-EXeaIkVYBEhbhNu54pp3kxo6TuWLi9e6pXeWetEwmlBwtWZlPoib2j3TxLBksKZf
-oyFyek380mHgJAumQ/I2fjj98/97mk3ihOY4AgVdCDj1z/GCoZkG5Rq7nbCGyosy
-KWyDX00Zs+nNqVhoLeIvXC4nnWdJMZ6rogxyQQIDAQABAoIBACIEZTOI1Kao9nmV
-9IeIsuaR1Y61b9neOF/MLmIVIZu+AAJFCMB4Iw11FV6sFodwpEyeZhx2WkpWVN+H
-r19eGiLX3zsL0DOdqBJoSIHDWCCMxgnYJ6nvS0nRxX3qVrBp8R2g12Ub+gNPbmFm
-ecf/eeERIVxfifd9VsyRu34eDEvcmKFuLYbElFcPh62xE3x12UZvV/sN7gXbawpP
-G+w255vbE5MoaKdnnO83cTFlcHvhn24M/78qP7Te5OAeelr1R89kYxQLpuGe4fbS
-zc6E3ym5Td6urDetGGrSY1Eu10/8sMusX+KNWkm+RsBRbkyKq72ks/qKpOxOa+c6
-9gm+Y8ECgYEA/iNUyg1ubRdH11p82l8KHtFC1DPE0V1gSZsX29TpM5jS4qv46K+s
-8Ym1zmrORM8x+cynfPx1VQZQ34EYeCMIX212ryJ+zDATl4NE0I4muMvSiH9vx6Xc
-7FmhNnaYzPsBL5Tm9nmtQuP09YEn8poiOJFiDs/4olnD5ogA5O4THGkCgYEA5MIL
-qWYBUuqbEWLRtMruUtpASclrBqNNsJEsMGbeqBJmoMxdHeSZckbLOrqm7GlMyNRJ
-Ne/5uWRGSzaMYuGmwsPpERzqEvYFnSrpjW5YtXZ+JtxFXNVfm9Z1gLLgvGpOUCIU
-RbpoDckDe1vgUuk3y5+DjZihs+rqIJ45XzXTzBkCgYBWuf3segruJZy5rEKhTv+o
-JqeUvRn0jNYYKFpLBeyTVBrbie6GkbUGNIWbrK05pC+c3K9nosvzuRUOQQL1tJbd
-4gA3oiD9U4bMFNr+BRTHyZ7OQBcIXdz3t1qhuHVKtnngIAN1p25uPlbRFUNpshnt
-jgeVoHlsBhApcs5DUc+pyQKBgDzeHPg/+g4z+nrPznjKnktRY1W+0El93kgi+J0Q
-YiJacxBKEGTJ1MKBb8X6sDurcRDm22wMpGfd9I5Cv2v4GsUsF7HD/cx5xdih+G73
-c4clNj/k0Ff5Nm1izPUno4C+0IOl7br39IPmfpSuR6wH/h6iHQDqIeybjxyKvT1G
-N0rRAoGBAKGD+4ZI/E1MoJ5CXB8cDDMHagbE3cq/DtmYzE2v1DFpQYu5I4PCm5c7
-EQeIP6dZtv8IMgtGIb91QX9pXvP0aznzQKwYIA8nZgoENCPfiMTPiEDT9e/0lObO
-9XWsXpbSTsRPj0sv1rB+UzBJ0PgjK4q2zOF0sNo7b1+6nlM3BWPx
-----END RSA PRIVATE KEY-----
-`
-
-	// This thumbprint is for the testKey defined above.
-	testKeyThumbprint = "6nicxzh6WETQlrvdchkz-U3e3DOQZ4heJKU63rfqMqQ"
-
-	// openssl ecparam -name secp256k1 -genkey -noout
-	testKeyECPEM = `
-----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIK07hGLr0RwyUdYJ8wbIiBS55CjnkMD23DWr+ccnypWLoAoGCCqGSM49
-AwEHoUQDQgAE5lhEug5xK4xBDZ2nAbaxLtaLiv85bxJ7ePd1dkO23HThqIrvawF5
-QAaS/RNouybCiRhRjI3EaxLkQwgrCw0gqQ==
-----END EC PRIVATE KEY-----
-`
-	// openssl ecparam -name secp384r1 -genkey -noout
-	testKeyEC384PEM = `
-----BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDAQ4lNtXRORWr1bgKR1CGysr9AJ9SyEk4jiVnlUWWUChmSNL+i9SLSD
-Oe/naPqXJ6CgBwYFK4EEACKhZANiAAQzKtj+Ms0vHoTX5dzv3/L5YMXOWuI5UKRj
-JigpahYCqXD2BA1j0E/2xt5vlPf+gm0PL+UHSQsCokGnIGuaHCsJAp3ry0gHQEke
-WYXapUUFdvaK1R2/2hn5O+eiQM8YzCg=
-----END EC PRIVATE KEY-----
-`
-	// openssl ecparam -name secp521r1 -genkey -noout
-	testKeyEC512PEM = `
-----BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIBSNZKFcWzXzB/aJClAb305ibalKgtDA7+70eEkdPt28/3LZMM935Z
-KqYHh/COcxuu3Kt8azRAUz3gyr4zZKhlKUSgBwYFK4EEACOhgYkDgYYABAHUNKbx
-7JwC7H6pa2sV0tERWhHhB3JmW+OP6SUgMWryvIKajlx73eS24dy4QPGrWO9/ABsD
-FqcRSkNVTXnIv6+0mAF25knqIBIg5Q8M9BnOu9GGAchcwt3O7RDHmqewnJJDrbjd
-GGnm6rb+NnWR9DIopM0nKNkToWoF/hzopxu4Ae/GsQ==
-----END EC PRIVATE KEY-----
-`
-	// 1. openssl ec -in key.pem -noout -text
-	// 2. remove first byte, 04 (the header); the rest is X and Y
-	// 3. convert each with: echo <val> | xxd -r -p | b64raw
-	testKeyECPubX    = "5lhEug5xK4xBDZ2nAbaxLtaLiv85bxJ7ePd1dkO23HQ"
-	testKeyECPubY    = "4aiK72sBeUAGkv0TaLsmwokYUYyNxGsS5EMIKwsNIKk"
-	testKeyEC384PubX = "MyrY_jLNLx6E1-Xc79_y-WDFzlriOVCkYyYoKWoWAqlw9gQNY9BP9sbeb5T3_oJt"
-	testKeyEC384PubY = "Dy_lB0kLAqJBpyBrmhwrCQKd68tIB0BJHlmF2qVFBXb2itUdv9oZ-TvnokDPGMwo"
-	testKeyEC512PubX = "AdQ0pvHsnALsfqlraxXS0RFaEeEHcmZb44_pJSAxavK8gpqOXHvd5Lbh3LhA8atY738AGwMWpxFKQ1VNeci_r7SY"
-	testKeyEC512PubY = "AXbmSeogEiDlDwz0Gc670YYByFzC3c7tEMeap7CckkOtuN0Yaebqtv42dZH0MiikzSco2ROhagX-HOinG7gB78ax"
-
-	// echo -n '{"crv":"P-256","kty":"EC","x":"<testKeyECPubX>","y":"<testKeyECPubY>"}' | \
-	// openssl dgst -binary -sha256 | b64raw
-	testKeyECThumbprint = "zedj-Bd1Zshp8KLePv2MB-lJ_Hagp7wAwdkA0NUTniU"
-)
-
-var (
-	testKey      *rsa.PrivateKey
-	testKeyEC    *ecdsa.PrivateKey
-	testKeyEC384 *ecdsa.PrivateKey
-	testKeyEC512 *ecdsa.PrivateKey
-)
-
-func init() {
-	testKey = parseRSA(testKeyPEM, "testKeyPEM")
-	testKeyEC = parseEC(testKeyECPEM, "testKeyECPEM")
-	testKeyEC384 = parseEC(testKeyEC384PEM, "testKeyEC384PEM")
-	testKeyEC512 = parseEC(testKeyEC512PEM, "testKeyEC512PEM")
-}
-
-func decodePEM(s, name string) []byte {
-	d, _ := pem.Decode([]byte(s))
-	if d == nil {
-		panic("no block found in " + name)
-	}
-	return d.Bytes
-}
-
-func parseRSA(s, name string) *rsa.PrivateKey {
-	b := decodePEM(s, name)
-	k, err := x509.ParsePKCS1PrivateKey(b)
-	if err != nil {
-		panic(fmt.Sprintf("%s: %v", name, err))
-	}
-	return k
-}
-
-func parseEC(s, name string) *ecdsa.PrivateKey {
-	b := decodePEM(s, name)
-	k, err := x509.ParseECPrivateKey(b)
-	if err != nil {
-		panic(fmt.Sprintf("%s: %v", name, err))
-	}
-	return k
-}
-
-func TestJWSEncodeJSON(t *testing.T) {
-	claims := struct{ Msg string }{"Hello JWS"}
-	// JWS signed with testKey and "nonce" as the nonce value
-	// JSON-serialized JWS fields are split for easier testing
-	const (
-		// {"alg":"RS256","jwk":{"e":"AQAB","kty":"RSA","n":"..."},"nonce":"nonce","url":"url"}
-		protected = "eyJhbGciOiJSUzI1NiIsImp3ayI6eyJlIjoiQVFBQiIsImt0eSI6" +
-			"IlJTQSIsIm4iOiI0eGdaM2VSUGt3b1J2eTdxZVJVYm1NRGUwVi14" +
-			"SDllV0xkdTBpaGVlTGxybUQybXFXWGZQOUllU0tBcGJuMzRnOFR1" +
-			"QVM5ZzV6aHE4RUxRM2ttanItS1Y4NkdBTWdJNlZBY0dscTNRcnpw" +
-			"VENmXzMwQWI3LXphd3JmUmFGT05hMUh3RXpQWTFLSG5HVmt4SmM4" +
-			"NWdOa3dZSTlTWTJSSFh0dmxuM3pzNXdJVE5yZG9zcUVYZWFJa1ZZ" +
-			"QkVoYmhOdTU0cHAza3hvNlR1V0xpOWU2cFhlV2V0RXdtbEJ3dFda" +
-			"bFBvaWIyajNUeExCa3NLWmZveUZ5ZWszODBtSGdKQXVtUV9JMmZq" +
-			"ajk4Xzk3bWszaWhPWTRBZ1ZkQ0RqMXpfR0NvWmtHNVJxN25iQ0d5" +
-			"b3N5S1d5RFgwMFpzLW5OcVZob0xlSXZYQzRubldkSk1aNnJvZ3h5" +
-			"UVEifSwibm9uY2UiOiJub25jZSIsInVybCI6InVybCJ9"
-		// {"Msg":"Hello JWS"}
-		payload = "eyJNc2ciOiJIZWxsbyBKV1MifQ"
-		// printf '<protected>.<payload>' | openssl dgst -binary -sha256 -sign testKey | b64raw
-		signature = "YFyl_xz1E7TR-3E1bIuASTr424EgCvBHjt25WUFC2VaDjXYV0Rj_" +
-			"Hd3dJ_2IRqBrXDZZ2n4ZeA_4mm3QFwmwyeDwe2sWElhb82lCZ8iX" +
-			"uFnjeOmSOjx-nWwPa5ibCXzLq13zZ-OBV1Z4oN_TuailQeRoSfA3" +
-			"nO8gG52mv1x2OMQ5MAFtt8jcngBLzts4AyhI6mBJ2w7Yaj3ZCriq" +
-			"DWA3GLFvvHdW1Ba9Z01wtGT2CuZI7DUk_6Qj1b3BkBGcoKur5C9i" +
-			"bUJtCkABwBMvBQNyD3MmXsrRFRTgvVlyU_yMaucYm7nmzEr_2PaQ" +
-			"50rFt_9qOfJ4sfbLtG1Wwae57BQx1g"
-	)
-
-	b, err := jwsEncodeJSON(claims, testKey, noKeyID, "nonce", "url")
-	if err != nil {
-		t.Fatal(err)
-	}
-	var jws struct{ Protected, Payload, Signature string }
-	if err := json.Unmarshal(b, &jws); err != nil {
-		t.Fatal(err)
-	}
-	if jws.Protected != protected {
-		t.Errorf("protected:\n%s\nwant:\n%s", jws.Protected, protected)
-	}
-	if jws.Payload != payload {
-		t.Errorf("payload:\n%s\nwant:\n%s", jws.Payload, payload)
-	}
-	if jws.Signature != signature {
-		t.Errorf("signature:\n%s\nwant:\n%s", jws.Signature, signature)
-	}
-}
-
-func TestJWSEncodeNoNonce(t *testing.T) {
-	kid := KeyID("https://example.org/account/1")
-	claims := "RawString"
-	const (
-		// {"alg":"ES256","kid":"https://example.org/account/1","nonce":"nonce","url":"url"}
-		protected = "eyJhbGciOiJFUzI1NiIsImtpZCI6Imh0dHBzOi8vZXhhbXBsZS5vcmcvYWNjb3VudC8xIiwidXJsIjoidXJsIn0"
-		// "Raw String"
-		payload = "RawString"
-	)
-
-	b, err := jwsEncodeJSON(claims, testKeyEC, kid, "", "url")
-	if err != nil {
-		t.Fatal(err)
-	}
-	var jws struct{ Protected, Payload, Signature string }
-	if err := json.Unmarshal(b, &jws); err != nil {
-		t.Fatal(err)
-	}
-	if jws.Protected != protected {
-		t.Errorf("protected:\n%s\nwant:\n%s", jws.Protected, protected)
-	}
-	if jws.Payload != payload {
-		t.Errorf("payload:\n%s\nwant:\n%s", jws.Payload, payload)
-	}
-
-	sig, err := base64.RawURLEncoding.DecodeString(jws.Signature)
-	if err != nil {
-		t.Fatalf("jws.Signature: %v", err)
-	}
-	r, s := big.NewInt(0), big.NewInt(0)
-	r.SetBytes(sig[:len(sig)/2])
-	s.SetBytes(sig[len(sig)/2:])
-	h := sha256.Sum256([]byte(protected + "." + payload))
-	if !ecdsa.Verify(testKeyEC.Public().(*ecdsa.PublicKey), h[:], r, s) {
-		t.Error("invalid signature")
-	}
-}
-
-func TestJWSEncodeKID(t *testing.T) {
-	kid := KeyID("https://example.org/account/1")
-	claims := struct{ Msg string }{"Hello JWS"}
-	// JWS signed with testKeyEC
-	const (
-		// {"alg":"ES256","kid":"https://example.org/account/1","nonce":"nonce","url":"url"}
-		protected = "eyJhbGciOiJFUzI1NiIsImtpZCI6Imh0dHBzOi8vZXhhbXBsZS5" +
-			"vcmcvYWNjb3VudC8xIiwibm9uY2UiOiJub25jZSIsInVybCI6InVybCJ9"
-		// {"Msg":"Hello JWS"}
-		payload = "eyJNc2ciOiJIZWxsbyBKV1MifQ"
-	)
-
-	b, err := jwsEncodeJSON(claims, testKeyEC, kid, "nonce", "url")
-	if err != nil {
-		t.Fatal(err)
-	}
-	var jws struct{ Protected, Payload, Signature string }
-	if err := json.Unmarshal(b, &jws); err != nil {
-		t.Fatal(err)
-	}
-	if jws.Protected != protected {
-		t.Errorf("protected:\n%s\nwant:\n%s", jws.Protected, protected)
-	}
-	if jws.Payload != payload {
-		t.Errorf("payload:\n%s\nwant:\n%s", jws.Payload, payload)
-	}
-
-	sig, err := base64.RawURLEncoding.DecodeString(jws.Signature)
-	if err != nil {
-		t.Fatalf("jws.Signature: %v", err)
-	}
-	r, s := big.NewInt(0), big.NewInt(0)
-	r.SetBytes(sig[:len(sig)/2])
-	s.SetBytes(sig[len(sig)/2:])
-	h := sha256.Sum256([]byte(protected + "." + payload))
-	if !ecdsa.Verify(testKeyEC.Public().(*ecdsa.PublicKey), h[:], r, s) {
-		t.Error("invalid signature")
-	}
-}
-
-func TestJWSEncodeJSONEC(t *testing.T) {
-	tt := []struct {
-		key      *ecdsa.PrivateKey
-		x, y     string
-		alg, crv string
-	}{
-		{testKeyEC, testKeyECPubX, testKeyECPubY, "ES256", "P-256"},
-		{testKeyEC384, testKeyEC384PubX, testKeyEC384PubY, "ES384", "P-384"},
-		{testKeyEC512, testKeyEC512PubX, testKeyEC512PubY, "ES512", "P-521"},
-	}
-	for i, test := range tt {
-		claims := struct{ Msg string }{"Hello JWS"}
-		b, err := jwsEncodeJSON(claims, test.key, noKeyID, "nonce", "url")
-		if err != nil {
-			t.Errorf("%d: %v", i, err)
-			continue
-		}
-		var jws struct{ Protected, Payload, Signature string }
-		if err := json.Unmarshal(b, &jws); err != nil {
-			t.Errorf("%d: %v", i, err)
-			continue
-		}
-
-		b, err = base64.RawURLEncoding.DecodeString(jws.Protected)
-		if err != nil {
-			t.Errorf("%d: jws.Protected: %v", i, err)
-		}
-		var head struct {
-			Alg   string
-			Nonce string
-			URL   string `json:"url"`
-			KID   string `json:"kid"`
-			JWK   struct {
-				Crv string
-				Kty string
-				X   string
-				Y   string
-			} `json:"jwk"`
-		}
-		if err := json.Unmarshal(b, &head); err != nil {
-			t.Errorf("%d: jws.Protected: %v", i, err)
-		}
-		if head.Alg != test.alg {
-			t.Errorf("%d: head.Alg = %q; want %q", i, head.Alg, test.alg)
-		}
-		if head.Nonce != "nonce" {
-			t.Errorf("%d: head.Nonce = %q; want nonce", i, head.Nonce)
-		}
-		if head.URL != "url" {
-			t.Errorf("%d: head.URL = %q; want 'url'", i, head.URL)
-		}
-		if head.KID != "" {
-			// We used noKeyID in jwsEncodeJSON: expect no kid value.
-			t.Errorf("%d: head.KID = %q; want empty", i, head.KID)
-		}
-		if head.JWK.Crv != test.crv {
-			t.Errorf("%d: head.JWK.Crv = %q; want %q", i, head.JWK.Crv, test.crv)
-		}
-		if head.JWK.Kty != "EC" {
-			t.Errorf("%d: head.JWK.Kty = %q; want EC", i, head.JWK.Kty)
-		}
-		if head.JWK.X != test.x {
-			t.Errorf("%d: head.JWK.X = %q; want %q", i, head.JWK.X, test.x)
-		}
-		if head.JWK.Y != test.y {
-			t.Errorf("%d: head.JWK.Y = %q; want %q", i, head.JWK.Y, test.y)
-		}
-	}
-}
-
-type customTestSigner struct {
-	sig []byte
-	pub crypto.PublicKey
-}
-
-func (s *customTestSigner) Public() crypto.PublicKey { return s.pub }
-func (s *customTestSigner) Sign(io.Reader, []byte, crypto.SignerOpts) ([]byte, error) {
-	return s.sig, nil
-}
-
-func TestJWSEncodeJSONCustom(t *testing.T) {
-	claims := struct{ Msg string }{"hello"}
-	const (
-		// printf '{"Msg":"hello"}' | b64raw
-		payload = "eyJNc2ciOiJoZWxsbyJ9"
-		// printf 'testsig' | b64raw
-		testsig = "dGVzdHNpZw"
-
-		// the example P256 curve point from https://tools.ietf.org/html/rfc7515#appendix-A.3.1
-		// encoded as ASN.1…
-		es256stdsig = "MEUCIA7RIVN5Y2xIPC9/FVgH1AKjsigDOvl8fheBmsMWnqZlAiEA" +
-			"xQoH04w8cOXY8S2vCEpUgKZlkMXyk1Cajz9/ioOjVNU"
-		// …and RFC7518 (https://tools.ietf.org/html/rfc7518#section-3.4)
-		es256jwsig = "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw" +
-			"5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q"
-
-		// printf '{"alg":"ES256","jwk":{"crv":"P-256","kty":"EC","x":<testKeyECPubY>,"y":<testKeyECPubY>},"nonce":"nonce","url":"url"}' | b64raw
-		es256phead = "eyJhbGciOiJFUzI1NiIsImp3ayI6eyJjcnYiOiJQLTI1NiIsImt0" +
-			"eSI6IkVDIiwieCI6IjVsaEV1ZzV4SzR4QkRaMm5BYmF4THRhTGl2" +
-			"ODVieEo3ZVBkMWRrTzIzSFEiLCJ5IjoiNGFpSzcyc0JlVUFHa3Yw" +
-			"VGFMc213b2tZVVl5TnhHc1M1RU1JS3dzTklLayJ9LCJub25jZSI6" +
-			"Im5vbmNlIiwidXJsIjoidXJsIn0"
-
-		// {"alg":"RS256","jwk":{"e":"AQAB","kty":"RSA","n":"..."},"nonce":"nonce","url":"url"}
-		rs256phead = "eyJhbGciOiJSUzI1NiIsImp3ayI6eyJlIjoiQVFBQiIsImt0eSI6" +
-			"IlJTQSIsIm4iOiI0eGdaM2VSUGt3b1J2eTdxZVJVYm1NRGUwVi14" +
-			"SDllV0xkdTBpaGVlTGxybUQybXFXWGZQOUllU0tBcGJuMzRnOFR1" +
-			"QVM5ZzV6aHE4RUxRM2ttanItS1Y4NkdBTWdJNlZBY0dscTNRcnpw" +
-			"VENmXzMwQWI3LXphd3JmUmFGT05hMUh3RXpQWTFLSG5HVmt4SmM4" +
-			"NWdOa3dZSTlTWTJSSFh0dmxuM3pzNXdJVE5yZG9zcUVYZWFJa1ZZ" +
-			"QkVoYmhOdTU0cHAza3hvNlR1V0xpOWU2cFhlV2V0RXdtbEJ3dFda" +
-			"bFBvaWIyajNUeExCa3NLWmZveUZ5ZWszODBtSGdKQXVtUV9JMmZq" +
-			"ajk4Xzk3bWszaWhPWTRBZ1ZkQ0RqMXpfR0NvWmtHNVJxN25iQ0d5" +
-			"b3N5S1d5RFgwMFpzLW5OcVZob0xlSXZYQzRubldkSk1aNnJvZ3h5" +
-			"UVEifSwibm9uY2UiOiJub25jZSIsInVybCI6InVybCJ9"
-	)
-
-	tt := []struct {
-		alg, phead    string
-		pub           crypto.PublicKey
-		stdsig, jwsig string
-	}{
-		{"ES256", es256phead, testKeyEC.Public(), es256stdsig, es256jwsig},
-		{"RS256", rs256phead, testKey.Public(), testsig, testsig},
-	}
-	for _, tc := range tt {
-		tc := tc
-		t.Run(tc.alg, func(t *testing.T) {
-			stdsig, err := base64.RawStdEncoding.DecodeString(tc.stdsig)
-			if err != nil {
-				t.Errorf("couldn't decode test vector: %v", err)
-			}
-			signer := &customTestSigner{
-				sig: stdsig,
-				pub: tc.pub,
-			}
-
-			b, err := jwsEncodeJSON(claims, signer, noKeyID, "nonce", "url")
-			if err != nil {
-				t.Fatal(err)
-			}
-			var j jsonWebSignature
-			if err := json.Unmarshal(b, &j); err != nil {
-				t.Fatal(err)
-			}
-			if j.Protected != tc.phead {
-				t.Errorf("j.Protected = %q\nwant %q", j.Protected, tc.phead)
-			}
-			if j.Payload != payload {
-				t.Errorf("j.Payload = %q\nwant %q", j.Payload, payload)
-			}
-			if j.Sig != tc.jwsig {
-				t.Errorf("j.Sig = %q\nwant %q", j.Sig, tc.jwsig)
-			}
-		})
-	}
-}
-
-func TestJWSWithMAC(t *testing.T) {
-	// Example from RFC 7520 Section 4.4.3.
-	// https://tools.ietf.org/html/rfc7520#section-4.4.3
-	b64Key := "hJtXIZ2uSN5kbQfbtTNWbpdmhkV8FJG-Onbc6mxCcYg"
-	rawPayload := []byte("It\xe2\x80\x99s a dangerous business, Frodo, going out your " +
-		"door. You step onto the road, and if you don't keep your feet, " +
-		"there\xe2\x80\x99s no knowing where you might be swept off " +
-		"to.")
-	protected := "eyJhbGciOiJIUzI1NiIsImtpZCI6IjAxOGMwYWU1LTRkOWItNDcxYi1iZmQ2LW" +
-		"VlZjMxNGJjNzAzNyJ9"
-	payload := "SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywg" +
-		"Z29pbmcgb3V0IHlvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9h" +
-		"ZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXi" +
-		"gJlzIG5vIGtub3dpbmcgd2hlcmUgeW91IG1pZ2h0IGJlIHN3ZXB0IG9m" +
-		"ZiB0by4"
-	sig := "s0h6KThzkfBBBkLspW1h84VsJZFTsPPqMDA7g1Md7p0"
-
-	key, err := base64.RawURLEncoding.DecodeString(b64Key)
-	if err != nil {
-		t.Fatalf("unable to decode key: %q", b64Key)
-	}
-	got, err := jwsWithMAC(key, "018c0ae5-4d9b-471b-bfd6-eef314bc7037", "", rawPayload)
-	if err != nil {
-		t.Fatalf("jwsWithMAC() = %q", err)
-	}
-	if got.Protected != protected {
-		t.Errorf("got.Protected = %q\nwant %q", got.Protected, protected)
-	}
-	if got.Payload != payload {
-		t.Errorf("got.Payload = %q\nwant %q", got.Payload, payload)
-	}
-	if got.Sig != sig {
-		t.Errorf("got.Signature = %q\nwant %q", got.Sig, sig)
-	}
-}
-
-func TestJWSWithMACError(t *testing.T) {
-	p := "{}"
-	if _, err := jwsWithMAC(nil, "", "", []byte(p)); err == nil {
-		t.Errorf("jwsWithMAC(nil, ...) = success; want err")
-	}
-}
-
-func TestJWKThumbprintRSA(t *testing.T) {
-	// Key example from RFC 7638
-	const base64N = "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAt" +
-		"VT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn6" +
-		"4tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FD" +
-		"W2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n9" +
-		"1CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINH" +
-		"aQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"
-	const base64E = "AQAB"
-	const expected = "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs"
-
-	b, err := base64.RawURLEncoding.DecodeString(base64N)
-	if err != nil {
-		t.Fatalf("Error parsing example key N: %v", err)
-	}
-	n := new(big.Int).SetBytes(b)
-
-	b, err = base64.RawURLEncoding.DecodeString(base64E)
-	if err != nil {
-		t.Fatalf("Error parsing example key E: %v", err)
-	}
-	e := new(big.Int).SetBytes(b)
-
-	pub := &rsa.PublicKey{N: n, E: int(e.Uint64())}
-	th, err := JWKThumbprint(pub)
-	if err != nil {
-		t.Error(err)
-	}
-	if th != expected {
-		t.Errorf("thumbprint = %q; want %q", th, expected)
-	}
-}
-
-func TestJWKThumbprintEC(t *testing.T) {
-	// Key example from RFC 7520
-	// expected was computed with
-	// printf '{"crv":"P-521","kty":"EC","x":"<base64X>","y":"<base64Y>"}' | \
-	// openssl dgst -binary -sha256 | b64raw
-	const (
-		base64X = "AHKZLLOsCOzz5cY97ewNUajB957y-C-U88c3v13nmGZx6sYl_oJXu9A5RkT" +
-			"KqjqvjyekWF-7ytDyRXYgCF5cj0Kt"
-		base64Y = "AdymlHvOiLxXkEhayXQnNCvDX4h9htZaCJN34kfmC6pV5OhQHiraVySsUda" +
-			"QkAgDPrwQrJmbnX9cwlGfP-HqHZR1"
-		expected = "dHri3SADZkrush5HU_50AoRhcKFryN-PI6jPBtPL55M"
-	)
-
-	b, err := base64.RawURLEncoding.DecodeString(base64X)
-	if err != nil {
-		t.Fatalf("Error parsing example key X: %v", err)
-	}
-	x := new(big.Int).SetBytes(b)
-
-	b, err = base64.RawURLEncoding.DecodeString(base64Y)
-	if err != nil {
-		t.Fatalf("Error parsing example key Y: %v", err)
-	}
-	y := new(big.Int).SetBytes(b)
-
-	pub := &ecdsa.PublicKey{Curve: elliptic.P521(), X: x, Y: y}
-	th, err := JWKThumbprint(pub)
-	if err != nil {
-		t.Error(err)
-	}
-	if th != expected {
-		t.Errorf("thumbprint = %q; want %q", th, expected)
-	}
-}
-
-func TestJWKThumbprintErrUnsupportedKey(t *testing.T) {
-	_, err := JWKThumbprint(struct{}{})
-	if err != ErrUnsupportedKey {
-		t.Errorf("err = %q; want %q", err, ErrUnsupportedKey)
-	}
-}
--- a/tempfork/acme/rfc8555.go
+++ b/tempfork/acme/rfc8555.go
@@ -1,476 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package acme
-
-import (
-	"context"
-	"crypto"
-	"encoding/base64"
-	"encoding/json"
-	"encoding/pem"
-	"errors"
-	"fmt"
-	"io"
-	"net/http"
-	"time"
-)
-
-// DeactivateReg permanently disables an existing account associated with c.Key.
-// A deactivated account can no longer request certificate issuance or access
-// resources related to the account, such as orders or authorizations.
-//
-// It only works with CAs implementing RFC 8555.
-func (c *Client) DeactivateReg(ctx context.Context) error {
-	if _, err := c.Discover(ctx); err != nil { // required by c.accountKID
-		return err
-	}
-	url := string(c.accountKID(ctx))
-	if url == "" {
-		return ErrNoAccount
-	}
-	req := json.RawMessage(`{"status": "deactivated"}`)
-	res, err := c.post(ctx, nil, url, req, wantStatus(http.StatusOK))
-	if err != nil {
-		return err
-	}
-	res.Body.Close()
-	return nil
-}
-
-// registerRFC is equivalent to c.Register but for CAs implementing RFC 8555.
-// It expects c.Discover to have already been called.
-func (c *Client) registerRFC(ctx context.Context, acct *Account, prompt func(tosURL string) bool) (*Account, error) {
-	c.cacheMu.Lock() // guard c.kid access
-	defer c.cacheMu.Unlock()
-
-	req := struct {
-		TermsAgreed            bool              `json:"termsOfServiceAgreed,omitempty"`
-		Contact                []string          `json:"contact,omitempty"`
-		ExternalAccountBinding *jsonWebSignature `json:"externalAccountBinding,omitempty"`
-	}{
-		Contact: acct.Contact,
-	}
-	if c.dir.Terms != "" {
-		req.TermsAgreed = prompt(c.dir.Terms)
-	}
-
-	// set 'externalAccountBinding' field if requested
-	if acct.ExternalAccountBinding != nil {
-		eabJWS, err := c.encodeExternalAccountBinding(acct.ExternalAccountBinding)
-		if err != nil {
-			return nil, fmt.Errorf("acme: failed to encode external account binding: %v", err)
-		}
-		req.ExternalAccountBinding = eabJWS
-	}
-
-	res, err := c.post(ctx, c.Key, c.dir.RegURL, req, wantStatus(
-		http.StatusOK,      // account with this key already registered
-		http.StatusCreated, // new account created
-	))
-	if err != nil {
-		return nil, err
-	}
-
-	defer res.Body.Close()
-	a, err := responseAccount(res)
-	if err != nil {
-		return nil, err
-	}
-	// Cache Account URL even if we return an error to the caller.
-	// It is by all means a valid and usable "kid" value for future requests.
-	c.KID = KeyID(a.URI)
-	if res.StatusCode == http.StatusOK {
-		return nil, ErrAccountAlreadyExists
-	}
-	return a, nil
-}
-
-// encodeExternalAccountBinding will encode an external account binding stanza
-// as described in https://tools.ietf.org/html/rfc8555#section-7.3.4.
-func (c *Client) encodeExternalAccountBinding(eab *ExternalAccountBinding) (*jsonWebSignature, error) {
-	jwk, err := jwkEncode(c.Key.Public())
-	if err != nil {
-		return nil, err
-	}
-	return jwsWithMAC(eab.Key, eab.KID, c.dir.RegURL, []byte(jwk))
-}
-
-// updateRegRFC is equivalent to c.UpdateReg but for CAs implementing RFC 8555.
-// It expects c.Discover to have already been called.
-func (c *Client) updateRegRFC(ctx context.Context, a *Account) (*Account, error) {
-	url := string(c.accountKID(ctx))
-	if url == "" {
-		return nil, ErrNoAccount
-	}
-	req := struct {
-		Contact []string `json:"contact,omitempty"`
-	}{
-		Contact: a.Contact,
-	}
-	res, err := c.post(ctx, nil, url, req, wantStatus(http.StatusOK))
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-	return responseAccount(res)
-}
-
-// getRegRFC is equivalent to c.GetReg but for CAs implementing RFC 8555.
-// It expects c.Discover to have already been called.
-func (c *Client) getRegRFC(ctx context.Context) (*Account, error) {
-	req := json.RawMessage(`{"onlyReturnExisting": true}`)
-	res, err := c.post(ctx, c.Key, c.dir.RegURL, req, wantStatus(http.StatusOK))
-	if e, ok := err.(*Error); ok && e.ProblemType == "urn:ietf:params:acme:error:accountDoesNotExist" {
-		return nil, ErrNoAccount
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	defer res.Body.Close()
-	return responseAccount(res)
-}
-
-func responseAccount(res *http.Response) (*Account, error) {
-	var v struct {
-		Status  string
-		Contact []string
-		Orders  string
-	}
-	if err := json.NewDecoder(res.Body).Decode(&v); err != nil {
-		return nil, fmt.Errorf("acme: invalid account response: %v", err)
-	}
-	return &Account{
-		URI:       res.Header.Get("Location"),
-		Status:    v.Status,
-		Contact:   v.Contact,
-		OrdersURL: v.Orders,
-	}, nil
-}
-
-// accountKeyRollover attempts to perform account key rollover.
-// On success it will change client.Key to the new key.
-func (c *Client) accountKeyRollover(ctx context.Context, newKey crypto.Signer) error {
-	dir, err := c.Discover(ctx) // Also required by c.accountKID
-	if err != nil {
-		return err
-	}
-	kid := c.accountKID(ctx)
-	if kid == noKeyID {
-		return ErrNoAccount
-	}
-	oldKey, err := jwkEncode(c.Key.Public())
-	if err != nil {
-		return err
-	}
-	payload := struct {
-		Account string          `json:"account"`
-		OldKey  json.RawMessage `json:"oldKey"`
-	}{
-		Account: string(kid),
-		OldKey:  json.RawMessage(oldKey),
-	}
-	inner, err := jwsEncodeJSON(payload, newKey, noKeyID, noNonce, dir.KeyChangeURL)
-	if err != nil {
-		return err
-	}
-
-	res, err := c.post(ctx, nil, dir.KeyChangeURL, base64.RawURLEncoding.EncodeToString(inner), wantStatus(http.StatusOK))
-	if err != nil {
-		return err
-	}
-	defer res.Body.Close()
-	c.Key = newKey
-	return nil
-}
-
-// AuthorizeOrder initiates the order-based application for certificate issuance,
-// as opposed to pre-authorization in Authorize.
-// It is only supported by CAs implementing RFC 8555.
-//
-// The caller then needs to fetch each authorization with GetAuthorization,
-// identify those with StatusPending status and fulfill a challenge using Accept.
-// Once all authorizations are satisfied, the caller will typically want to poll
-// order status using WaitOrder until it's in StatusReady state.
-// To finalize the order and obtain a certificate, the caller submits a CSR with CreateOrderCert.
-func (c *Client) AuthorizeOrder(ctx context.Context, id []AuthzID, opt ...OrderOption) (*Order, error) {
-	dir, err := c.Discover(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	req := struct {
-		Identifiers []wireAuthzID `json:"identifiers"`
-		NotBefore   string        `json:"notBefore,omitempty"`
-		NotAfter    string        `json:"notAfter,omitempty"`
-	}{}
-	for _, v := range id {
-		req.Identifiers = append(req.Identifiers, wireAuthzID{
-			Type:  v.Type,
-			Value: v.Value,
-		})
-	}
-	for _, o := range opt {
-		switch o := o.(type) {
-		case orderNotBeforeOpt:
-			req.NotBefore = time.Time(o).Format(time.RFC3339)
-		case orderNotAfterOpt:
-			req.NotAfter = time.Time(o).Format(time.RFC3339)
-		default:
-			// Package's fault if we let this happen.
-			panic(fmt.Sprintf("unsupported order option type %T", o))
-		}
-	}
-
-	res, err := c.post(ctx, nil, dir.OrderURL, req, wantStatus(http.StatusCreated))
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-	return responseOrder(res)
-}
-
-// GetOrder retrives an order identified by the given URL.
-// For orders created with AuthorizeOrder, the url value is Order.URI.
-//
-// If a caller needs to poll an order until its status is final,
-// see the WaitOrder method.
-func (c *Client) GetOrder(ctx context.Context, url string) (*Order, error) {
-	if _, err := c.Discover(ctx); err != nil {
-		return nil, err
-	}
-
-	res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK))
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-	return responseOrder(res)
-}
-
-// WaitOrder polls an order from the given URL until it is in one of the final states,
-// StatusReady, StatusValid or StatusInvalid, the CA responded with a non-retryable error
-// or the context is done.
-//
-// It returns a non-nil Order only if its Status is StatusReady or StatusValid.
-// In all other cases WaitOrder returns an error.
-// If the Status is StatusInvalid, the returned error is of type *OrderError.
-func (c *Client) WaitOrder(ctx context.Context, url string) (*Order, error) {
-	if _, err := c.Discover(ctx); err != nil {
-		return nil, err
-	}
-	for {
-		res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK))
-		if err != nil {
-			return nil, err
-		}
-		o, err := responseOrder(res)
-		res.Body.Close()
-		switch {
-		case err != nil:
-			// Skip and retry.
-		case o.Status == StatusInvalid:
-			return nil, &OrderError{OrderURL: o.URI, Status: o.Status}
-		case o.Status == StatusReady || o.Status == StatusValid:
-			return o, nil
-		}
-
-		d := retryAfter(res.Header.Get("Retry-After"))
-		if d == 0 {
-			// Default retry-after.
-			// Same reasoning as in WaitAuthorization.
-			d = time.Second
-		}
-		t := time.NewTimer(d)
-		select {
-		case <-ctx.Done():
-			t.Stop()
-			return nil, ctx.Err()
-		case <-t.C:
-			// Retry.
-		}
-	}
-}
-
-func responseOrder(res *http.Response) (*Order, error) {
-	var v struct {
-		Status         string
-		Expires        time.Time
-		Identifiers    []wireAuthzID
-		NotBefore      time.Time
-		NotAfter       time.Time
-		Error          *wireError
-		Authorizations []string
-		Finalize       string
-		Certificate    string
-	}
-	if err := json.NewDecoder(res.Body).Decode(&v); err != nil {
-		return nil, fmt.Errorf("acme: error reading order: %v", err)
-	}
-	o := &Order{
-		URI:         res.Header.Get("Location"),
-		Status:      v.Status,
-		Expires:     v.Expires,
-		NotBefore:   v.NotBefore,
-		NotAfter:    v.NotAfter,
-		AuthzURLs:   v.Authorizations,
-		FinalizeURL: v.Finalize,
-		CertURL:     v.Certificate,
-	}
-	for _, id := range v.Identifiers {
-		o.Identifiers = append(o.Identifiers, AuthzID{Type: id.Type, Value: id.Value})
-	}
-	if v.Error != nil {
-		o.Error = v.Error.error(nil /* headers */)
-	}
-	return o, nil
-}
-
-// CreateOrderCert submits the CSR (Certificate Signing Request) to a CA at the specified URL.
-// The URL is the FinalizeURL field of an Order created with AuthorizeOrder.
-//
-// If the bundle argument is true, the returned value also contain the CA (issuer)
-// certificate chain. Otherwise, only a leaf certificate is returned.
-// The returned URL can be used to re-fetch the certificate using FetchCert.
-//
-// This method is only supported by CAs implementing RFC 8555. See CreateCert for pre-RFC CAs.
-//
-// CreateOrderCert returns an error if the CA's response is unreasonably large.
-// Callers are encouraged to parse the returned value to ensure the certificate is valid and has the expected features.
-func (c *Client) CreateOrderCert(ctx context.Context, url string, csr []byte, bundle bool) (der [][]byte, certURL string, err error) {
-	if _, err := c.Discover(ctx); err != nil { // required by c.accountKID
-		return nil, "", err
-	}
-
-	// RFC describes this as "finalize order" request.
-	req := struct {
-		CSR string `json:"csr"`
-	}{
-		CSR: base64.RawURLEncoding.EncodeToString(csr),
-	}
-	res, err := c.post(ctx, nil, url, req, wantStatus(http.StatusOK))
-	if err != nil {
-		return nil, "", err
-	}
-	defer res.Body.Close()
-	o, err := responseOrder(res)
-	if err != nil {
-		return nil, "", err
-	}
-
-	// Wait for CA to issue the cert if they haven't.
-	if o.Status != StatusValid {
-		o, err = c.WaitOrder(ctx, o.URI)
-	}
-	if err != nil {
-		return nil, "", err
-	}
-	// The only acceptable status post finalize and WaitOrder is "valid".
-	if o.Status != StatusValid {
-		return nil, "", &OrderError{OrderURL: o.URI, Status: o.Status}
-	}
-	crt, err := c.fetchCertRFC(ctx, o.CertURL, bundle)
-	return crt, o.CertURL, err
-}
-
-// fetchCertRFC downloads issued certificate from the given URL.
-// It expects the CA to respond with PEM-encoded certificate chain.
-//
-// The URL argument is the CertURL field of Order.
-func (c *Client) fetchCertRFC(ctx context.Context, url string, bundle bool) ([][]byte, error) {
-	res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK))
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-
-	// Get all the bytes up to a sane maximum.
-	// Account very roughly for base64 overhead.
-	const max = maxCertChainSize + maxCertChainSize/33
-	b, err := io.ReadAll(io.LimitReader(res.Body, max+1))
-	if err != nil {
-		return nil, fmt.Errorf("acme: fetch cert response stream: %v", err)
-	}
-	if len(b) > max {
-		return nil, errors.New("acme: certificate chain is too big")
-	}
-
-	// Decode PEM chain.
-	var chain [][]byte
-	for {
-		var p *pem.Block
-		p, b = pem.Decode(b)
-		if p == nil {
-			break
-		}
-		if p.Type != "CERTIFICATE" {
-			return nil, fmt.Errorf("acme: invalid PEM cert type %q", p.Type)
-		}
-
-		chain = append(chain, p.Bytes)
-		if !bundle {
-			return chain, nil
-		}
-		if len(chain) > maxChainLen {
-			return nil, errors.New("acme: certificate chain is too long")
-		}
-	}
-	if len(chain) == 0 {
-		return nil, errors.New("acme: certificate chain is empty")
-	}
-	return chain, nil
-}
-
-// sends a cert revocation request in either JWK form when key is non-nil or KID form otherwise.
-func (c *Client) revokeCertRFC(ctx context.Context, key crypto.Signer, cert []byte, reason CRLReasonCode) error {
-	req := &struct {
-		Cert   string `json:"certificate"`
-		Reason int    `json:"reason"`
-	}{
-		Cert:   base64.RawURLEncoding.EncodeToString(cert),
-		Reason: int(reason),
-	}
-	res, err := c.post(ctx, key, c.dir.RevokeURL, req, wantStatus(http.StatusOK))
-	if err != nil {
-		if isAlreadyRevoked(err) {
-			// Assume it is not an error to revoke an already revoked cert.
-			return nil
-		}
-		return err
-	}
-	defer res.Body.Close()
-	return nil
-}
-
-func isAlreadyRevoked(err error) bool {
-	e, ok := err.(*Error)
-	return ok && e.ProblemType == "urn:ietf:params:acme:error:alreadyRevoked"
-}
-
-// ListCertAlternates retrieves any alternate certificate chain URLs for the
-// given certificate chain URL. These alternate URLs can be passed to FetchCert
-// in order to retrieve the alternate certificate chains.
-//
-// If there are no alternate issuer certificate chains, a nil slice will be
-// returned.
-func (c *Client) ListCertAlternates(ctx context.Context, url string) ([]string, error) {
-	if _, err := c.Discover(ctx); err != nil { // required by c.accountKID
-		return nil, err
-	}
-
-	res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK))
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-
-	// We don't need the body but we need to discard it so we don't end up
-	// preventing keep-alive
-	if _, err := io.Copy(io.Discard, res.Body); err != nil {
-		return nil, fmt.Errorf("acme: cert alternates response stream: %v", err)
-	}
-	alts := linkHeader(res.Header, "alternate")
-	return alts, nil
-}
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .80.2
 .79.0