Merge remote-tracking branch 'upstream/main'

Author: Mmx233

Makefile

@@ -64,7 +64,7 @@ buildmultiarchimage: ## Build (and optionally push) multiarch docker image
 check: staticcheck vet depaware buildwindows build386 buildlinuxarm buildwasm ## Perform basic checks and compilation tests
 
 staticcheck: ## Run staticcheck.io checks
-	./tool/go run honnef.co/go/tools/cmd/staticcheck -- $$(./tool/go list ./... | grep -v tempfork)
+	./tool/go run honnef.co/go/tools/cmd/staticcheck -- $$(./tool/go run ./tool/listpkgs --ignore-3p  ./...)
 
 kube-generate-all: kube-generate-deepcopy ## Refresh generated files for Tailscale Kubernetes Operator
 	./tool/go generate ./cmd/k8s-operator

chirp/chirp_test.go

@@ -1,5 +1,6 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
+
 package chirp
 
 import (

client/local/local.go

@@ -1,12 +1,11 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build go1.22
-
 // Package local contains a Go client for the Tailscale LocalAPI.
 package local
 
 import (
+	"bufio"
 	"bytes"
 	"cmp"
 	"context"
@@ -16,6 +15,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"iter"
 	"net"
 	"net/http"
 	"net/http/httptrace"
@@ -42,6 +42,7 @@ import (
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/key"
 	"tailscale.com/types/tkatype"
+	"tailscale.com/util/eventbus"
 	"tailscale.com/util/syspolicy/setting"
 )
 
@@ -414,6 +415,44 @@ func (lc *Client) TailDaemonLogs(ctx context.Context) (io.Reader, error) {
 	return res.Body, nil
 }
 
+// StreamBusEvents returns an iterator of Tailscale bus events as they arrive.
+// Each pair is a valid event and a nil error, or a zero event a non-nil error.
+// In case of error, the iterator ends after the pair reporting the error.
+// Iteration stops if ctx ends.
+func (lc *Client) StreamBusEvents(ctx context.Context) iter.Seq2[eventbus.DebugEvent, error] {
+	return func(yield func(eventbus.DebugEvent, error) bool) {
+		req, err := http.NewRequestWithContext(ctx, "GET",
+			"http://"+apitype.LocalAPIHost+"/localapi/v0/debug-bus-events", nil)
+		if err != nil {
+			yield(eventbus.DebugEvent{}, err)
+			return
+		}
+		res, err := lc.doLocalRequestNiceError(req)
+		if err != nil {
+			yield(eventbus.DebugEvent{}, err)
+			return
+		}
+		if res.StatusCode != http.StatusOK {
+			yield(eventbus.DebugEvent{}, errors.New(res.Status))
+			return
+		}
+		defer res.Body.Close()
+		dec := json.NewDecoder(bufio.NewReader(res.Body))
+		for {
+			var evt eventbus.DebugEvent
+			if err := dec.Decode(&evt); err == io.EOF {
+				return
+			} else if err != nil {
+				yield(eventbus.DebugEvent{}, err)
+				return
+			}
+			if !yield(evt, nil) {
+				return
+			}
+		}
+	}
+}
+
 // Pprof returns a pprof profile of the Tailscale daemon.
 func (lc *Client) Pprof(ctx context.Context, pprofType string, sec int) ([]byte, error) {
 	var secArg string

cmd/cloner/cloner_test.go

@@ -1,5 +1,6 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
+
 package main
 
 import (

cmd/derper/depaware.txt

@@ -157,7 +157,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
      💣 tailscale.com/util/deephash                                  from tailscale.com/util/syspolicy/setting
    L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
         tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
-        tailscale.com/util/eventbus                                  from tailscale.com/net/netmon
+        tailscale.com/util/eventbus                                  from tailscale.com/net/netmon+
      💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
         tailscale.com/util/httpm                                     from tailscale.com/client/tailscale
         tailscale.com/util/lineiter                                  from tailscale.com/hostinfo+

cmd/derper/derper.go

@@ -68,7 +68,7 @@ var (
 	runDERP     = flag.Bool("derp", true, "whether to run a DERP server. The only reason to set this false is if you're decommissioning a server but want to keep its bootstrap DNS functionality still running.")
 	flagHome    = flag.String("home", "", "what to serve at the root path. It may be left empty (the default, for a default homepage), \"blank\" for a blank page, or a URL to redirect to")
 
-	meshPSKFile     = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
+	meshPSKFile     = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It must be 64 lowercase hexadecimal characters; whitespace is trimmed.")
 	meshWith        = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list. If an entry contains a slash, the second part names a hostname to be used when dialing the target.")
 	secretsURL      = flag.String("secrets-url", "", "SETEC server URL for secrets retrieval of mesh key")
 	secretPrefix    = flag.String("secrets-path-prefix", "prod/derp", "setec path prefix for \""+setecMeshKeyName+"\" secret for DERP mesh key")

cmd/derper/mesh.go

@@ -72,6 +72,7 @@ func startMeshWithHost(s *derp.Server, hostTuple string) error {
 
 	add := func(m derp.PeerPresentMessage) { s.AddPacketForwarder(m.Key, c) }
 	remove := func(m derp.PeerGoneMessage) { s.RemovePacketForwarder(m.Peer, c) }
-	go c.RunWatchConnectionLoop(context.Background(), s.PublicKey(), logf, add, remove)
+	notifyError := func(err error) {}
+	go c.RunWatchConnectionLoop(context.Background(), s.PublicKey(), logf, add, remove, notifyError)
 	return nil
 }

cmd/derpprobe/derpprobe.go

@@ -5,23 +5,36 @@
 package main
 
 import (
+	"context"
 	"flag"
 	"fmt"
 	"log"
 	"net/http"
 	"os"
+	"path"
+	"path/filepath"
 	"sort"
 	"time"
 
+	"github.com/tailscale/setec/client/setec"
 	"tailscale.com/prober"
 	"tailscale.com/tsweb"
+	"tailscale.com/types/key"
 	"tailscale.com/version"
 
 	// Support for prometheus varz in tsweb
 	_ "tailscale.com/tsweb/promvarz"
 )
 
+const meshKeyEnvVar = "TAILSCALE_DERPER_MESH_KEY"
+const setecMeshKeyName = "meshkey"
+
+func defaultSetecCacheDir() string {
+	return filepath.Join(os.Getenv("HOME"), ".cache", "derper-secrets")
+}
+
 var (
+	dev                = flag.Bool("dev", false, "run in localhost development mode")
 	derpMapURL         = flag.String("derp-map", "https://login.tailscale.com/derpmap/default", "URL to DERP map (https:// or file://) or 'local' to use the local tailscaled's DERP map")
 	versionFlag        = flag.Bool("version", false, "print version and exit")
 	listen             = flag.String("listen", ":8030", "HTTP listen address")
@@ -37,6 +50,10 @@ var (
 	qdPacketsPerSecond = flag.Int("qd-packets-per-second", 0, "if greater than 0, queuing delay will be measured continuously using 260 byte packets (approximate size of a CallMeMaybe packet) sent at this rate per second")
 	qdPacketTimeout    = flag.Duration("qd-packet-timeout", 5*time.Second, "queuing delay packets arriving after this period of time from being sent are treated like dropped packets and don't count toward queuing delay timings")
 	regionCodeOrID     = flag.String("region-code", "", "probe only this region (e.g. 'lax' or '17'); if left blank, all regions will be probed")
+	meshPSKFile        = flag.String("mesh-psk-file", "", "if non-empty, path to file containing the mesh pre-shared key file. It must be 64 lowercase hexadecimal characters; whitespace is trimmed.")
+	secretsURL         = flag.String("secrets-url", "", "SETEC server URL for secrets retrieval of mesh key")
+	secretPrefix       = flag.String("secrets-path-prefix", "prod/derp", fmt.Sprintf("setec path prefix for \"%s\" secret for DERP mesh key", setecMeshKeyName))
+	secretsCacheDir    = flag.String("secrets-cache-dir", defaultSetecCacheDir(), "directory to cache setec secrets in (required if --secrets-url is set)")
 )
 
 func main() {
@@ -47,11 +64,16 @@ func main() {
 	}
 
 	p := prober.New().WithSpread(*spread).WithOnce(*probeOnce).WithMetricNamespace("derpprobe")
+	meshKey, err := getMeshKey()
+	if err != nil {
+		log.Fatalf("failed to get mesh key: %v", err)
+	}
 	opts := []prober.DERPOpt{
 		prober.WithMeshProbing(*meshInterval),
 		prober.WithSTUNProbing(*stunInterval),
 		prober.WithTLSProbing(*tlsInterval),
 		prober.WithQueuingDelayProbing(*qdPacketsPerSecond, *qdPacketTimeout),
+		prober.WithMeshKey(meshKey),
 	}
 	if *bwInterval > 0 {
 		opts = append(opts, prober.WithBandwidthProbing(*bwInterval, *bwSize, *bwTUNIPv4Address))
@@ -99,6 +121,53 @@ func main() {
 	log.Fatal(http.ListenAndServe(*listen, mux))
 }
 
+func getMeshKey() (key.DERPMesh, error) {
+	var meshKey string
+
+	if *dev {
+		meshKey = os.Getenv(meshKeyEnvVar)
+		if meshKey == "" {
+			log.Printf("No mesh key specified for dev via %s\n", meshKeyEnvVar)
+		} else {
+			log.Printf("Set mesh key from %s\n", meshKeyEnvVar)
+		}
+	} else if *secretsURL != "" {
+		meshKeySecret := path.Join(*secretPrefix, setecMeshKeyName)
+		fc, err := setec.NewFileCache(*secretsCacheDir)
+		if err != nil {
+			log.Fatalf("NewFileCache: %v", err)
+		}
+		log.Printf("Setting up setec store from %q", *secretsURL)
+		st, err := setec.NewStore(context.Background(),
+			setec.StoreConfig{
+				Client: setec.Client{Server: *secretsURL},
+				Secrets: []string{
+					meshKeySecret,
+				},
+				Cache: fc,
+			})
+		if err != nil {
+			log.Fatalf("NewStore: %v", err)
+		}
+		meshKey = st.Secret(meshKeySecret).GetString()
+		log.Println("Got mesh key from setec store")
+		st.Close()
+	} else if *meshPSKFile != "" {
+		b, err := setec.StaticFile(*meshPSKFile)
+		if err != nil {
+			log.Fatalf("StaticFile failed to get key: %v", err)
+		}
+		log.Println("Got mesh key from static file")
+		meshKey = b.GetString()
+	}
+	if meshKey == "" {
+		log.Printf("No mesh key found, mesh key is empty")
+		return key.DERPMesh{}, nil
+	}
+
+	return key.ParseDERPMesh(meshKey)
+}
+
 type overallStatus struct {
 	good, bad []string
 }

cmd/gitops-pusher/gitops-pusher_test.go

@@ -1,5 +1,6 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
+
 package main
 
 import (

cmd/k8s-operator/ingress-for-pg.go

@@ -252,7 +252,7 @@ func (r *HAIngressReconciler) maybeProvision(ctx context.Context, hostname strin
 		return false, fmt.Errorf("error determining DNS name base: %w", err)
 	}
 	dnsName := hostname + "." + tcd
-	if err := r.ensureCertResources(ctx, pgName, dnsName, ing); err != nil {
+	if err := r.ensureCertResources(ctx, pg, dnsName, ing); err != nil {
 		return false, fmt.Errorf("error ensuring cert resources: %w", err)
 	}
 
@@ -931,18 +931,31 @@ func ownersAreSetAndEqual(a, b *tailscale.VIPService) bool {
 // (domain) is a valid Kubernetes resource name.
 // https://github.com/tailscale/tailscale/blob/8b1e7f646ee4730ad06c9b70c13e7861b964949b/util/dnsname/dnsname.go#L99
 // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names
-func (r *HAIngressReconciler) ensureCertResources(ctx context.Context, pgName, domain string, ing *networkingv1.Ingress) error {
-	secret := certSecret(pgName, r.tsNamespace, domain, ing)
-	if _, err := createOrUpdate(ctx, r.Client, r.tsNamespace, secret, nil); err != nil {
+func (r *HAIngressReconciler) ensureCertResources(ctx context.Context, pg *tsapi.ProxyGroup, domain string, ing *networkingv1.Ingress) error {
+	secret := certSecret(pg.Name, r.tsNamespace, domain, ing)
+	if _, err := createOrUpdate(ctx, r.Client, r.tsNamespace, secret, func(s *corev1.Secret) {
+		// Labels might have changed if the Ingress has been updated to use a
+		// different ProxyGroup.
+		s.Labels = secret.Labels
+	}); err != nil {
 		return fmt.Errorf("failed to create or update Secret %s: %w", secret.Name, err)
 	}
-	role := certSecretRole(pgName, r.tsNamespace, domain)
-	if _, err := createOrUpdate(ctx, r.Client, r.tsNamespace, role, nil); err != nil {
+	role := certSecretRole(pg.Name, r.tsNamespace, domain)
+	if _, err := createOrUpdate(ctx, r.Client, r.tsNamespace, role, func(r *rbacv1.Role) {
+		// Labels might have changed if the Ingress has been updated to use a
+		// different ProxyGroup.
+		r.Labels = role.Labels
+	}); err != nil {
 		return fmt.Errorf("failed to create or update Role %s: %w", role.Name, err)
 	}
-	rb := certSecretRoleBinding(pgName, r.tsNamespace, domain)
-	if _, err := createOrUpdate(ctx, r.Client, r.tsNamespace, rb, nil); err != nil {
-		return fmt.Errorf("failed to create or update RoleBinding %s: %w", rb.Name, err)
+	rolebinding := certSecretRoleBinding(pg.Name, r.tsNamespace, domain)
+	if _, err := createOrUpdate(ctx, r.Client, r.tsNamespace, rolebinding, func(rb *rbacv1.RoleBinding) {
+		// Labels and subjects might have changed if the Ingress has been updated to use a
+		// different ProxyGroup.
+		rb.Labels = rolebinding.Labels
+		rb.Subjects = rolebinding.Subjects
+	}); err != nil {
+		return fmt.Errorf("failed to create or update RoleBinding %s: %w", rolebinding.Name, err)
 	}
 	return nil
 }