forked from tailscale/tailscale
feat(ci): bump to upstream 1.76.0 #13
Merged
Signed-off-by: kari-ts <kari@tailscale.com>
In prep for reducing mutex contention on Server.mu. Updates tailscale#3560 Change-Id: Ie95e7c6dc9f4b64b6f79b3b2338f8cd86c688d98 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Add a node attr for enabling SSH environment variable handling logic. Updates tailscale/corp#22775 Signed-off-by: Mario Minardi <mario@tailscale.com>
…ll (tailscale#13395) netcheck.Client.GetReport() applies its own deadlines. This 2s deadline was causing GetReport() to never fall back to HTTPS/ICMP measurements as it was shorter than netcheck.stunProbeTimeout, leaving no time for fallbacks. Updates tailscale#13394 Updates tailscale#6187 Signed-off-by: Jordan Whited <jordan@tailscale.com>
Now that we have our API docs hosted at https://tailscale.com/api we can remove the previous (and now outdated) markdown based docs. The top level api.md has been left with the only content being the redirect to the new docs. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>
Updates tailscale#13140 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ica85b2ac8ac7eab4ec5413b212f004aecc453279
This un-breaks vim-go (which doesn't understand "go 1.23") and allows the natlab tests to work in a Nix shell (by adding the "qemu-img" and "mkfs.ext4" binaries to the shell). These binaries are available even on macOS, as I'm testing on my M1 Max. Updates tailscale#13038 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I99f8521b5de93ea47dc33b099d5b243ffc1303da
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
In prep for upcoming flow tracking & mutex contention optimization changes, this change refactors (subjectively simplifying) how the DERP Server accounts for which peers have written to which other peers, to be able to send PeerGoneReasonDisconnected messages to writes to uncache their DRPO (DERP Return Path Optimization) routes. Notably, this removes the Server.sentTo field which was guarded by Server.mu and checked on all packet sends. Instead, the accounting is moved to each sclient's sendLoop goroutine and now only needs to acquire Server.mu for newly seen senders, the first time a peer sends a packet to that sclient. This change reduces the number of reasons to acquire Server.mu per-packet from two to one. Removing the last one is the subject of an upcoming change. Updates tailscale#3560 Updates tailscale#150 Change-Id: Id226216d6629d61254b6bfd532887534ac38586c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
…nds (tailscale#13487) Updates tailscale#13484 Updates tailscale/corp#17879 Signed-off-by: Jordan Whited <jordan@tailscale.com>
Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>
Fixes tailscale#13495 Signed-off-by: Fran Bull <fran@tailscale.com>
… netcheck (tailscale#13491) Updates tailscale/corp#17879 Signed-off-by: Jordan Whited <jordan@tailscale.com>
) Updates tailscale#13497 Change-Id: I398e9fa58ad0b9dc799ea280c9c7a32150150ee4 Signed-off-by: M. J. Fromberger <fromberger@tailscale.com>
…#13507) Updates tailscale#13452 Bump the Go toolchain to the latest to pick up changes required to not crash on Android 9/10. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
mdnsResponder at least as of macOS Sequoia does not find NXDOMAIN responses to these dns-sd PTR queries acceptable unless they include the question section in the response.

This was found debugging tailscale#13511, once we turned on additional diagnostic reporting from mdnsResponder we witnessed:

```
Received unacceptable 12-byte response from 100.100.100.100 over UDP via utun6/27 -- id: 0x7F41 (32577), flags: 0x8183 (R/Query, RD, RA, NXDomain), counts: 0/0/0/0,
```

If the response includes a question section, the responses are acceptable, e.g.:

```
Received acceptable 59-byte response from 8.8.8.8 over UDP via en0/17 -- id: 0x2E55 (11861), flags: 0x8183 (R/Query, RD, RA, NXDomain), counts: 1/0/0/0,
```

This may be contributing to an issue under diagnosis in tailscale#13511 wherein some combination of conditions results in mdnsResponder no longer answering DNS queries correctly to applications on the system for extended periods of time (multiple minutes), while dig against quad-100 provides correct responses for those same domains. If additional debug logging is enabled in mdnsResponder we see it reporting:

```
Penalizing server 100.100.100.100 for 60 seconds
```

It is also possible that the reason that macOS & iOS never "stopped spamming" these queries is that they have never been replied to with acceptable responses. It is not clear if this special case handling of dns-sd PTR queries was ever beneficial, and given this evidence may have always been harmful. If we subsequently observe that the queries settle down now that they have acceptable responses, we should remove these special cases - making upstream queries very occasionally isn't a lot of battery, so we should be better off having to maintain less special cases and avoid bugs of this class.

Updates tailscale#2442 Updates tailscale#3025 Updates tailscale#3363 Updates tailscale#3594 Updates tailscale#13511 Signed-off-by: James Tucker <james@tailscale.com>
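The difference between the 12-byte response (counts 0/0/0/0) and an acceptable one (counts 1/0/0/0) in the commit message above comes down to echoing the question section. The following is an added example, not code from this commit or from Tailscale; the function names and the sample query name are assumptions made for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// sampleQuery builds a constructed dns-sd style PTR query (the name is made up).
func sampleQuery() []byte {
	q := []byte{0x7F, 0x41, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0} // ID, RD flag, QDCOUNT=1
	for _, label := range []string{"lb", "_dns-sd", "_udp", "example", "test"} {
		q = append(q, byte(len(label)))
		q = append(q, label...)
	}
	return append(q, 0, 0, 12, 0, 1) // root label, QTYPE=PTR, QCLASS=IN
}

// questionEnd returns the offset just past the first question in msg
// (the 12-byte header is followed by QNAME labels, QTYPE and QCLASS).
func questionEnd(msg []byte) (int, error) {
	off := 12
	for off < len(msg) && msg[off] != 0 {
		if msg[off] > 63 {
			return 0, errors.New("compressed or invalid label in question")
		}
		off += 1 + int(msg[off])
	}
	if off+5 > len(msg) { // root label + QTYPE + QCLASS must still fit
		return 0, errors.New("truncated question")
	}
	return off + 5, nil
}

// nxdomainResponse answers query with NXDOMAIN while echoing its question section.
func nxdomainResponse(query []byte) ([]byte, error) {
	if len(query) < 12 || binary.BigEndian.Uint16(query[4:6]) != 1 {
		return nil, errors.New("need a full header and exactly one question")
	}
	end, err := questionEnd(query)
	if err != nil {
		return nil, err
	}
	resp := append([]byte(nil), query[:end]...) // ID and question copied verbatim
	rd := binary.BigEndian.Uint16(query[2:4]) & 0x0100
	binary.BigEndian.PutUint16(resp[2:4], 0x8000|rd|0x0080|3) // QR, RD, RA, NXDomain
	copy(resp[4:12], []byte{0, 1, 0, 0, 0, 0, 0, 0})          // counts 1/0/0/0
	return resp, nil
}

func main() {
	resp, err := nxdomainResponse(sampleQuery())
	fmt.Printf("%d-byte response, err=%v\n", len(resp), err)
}
```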
containerboot's main.go had grown to well over 1000 lines with lots of disparate bits of functionality. This commit is pure copy-paste to group related functionality outside of the main function into its own set of files. Everything is still in the main package to keep the diff incremental and reviewable. Updates #cleanup Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
Update go.toolchain.rev for tailscale/go#104 and add a test that, when using the tailscale_go build tag, we use the right Go toolchain. We'll crank up the strictness in later commits. Updates tailscale#13527 Change-Id: Ifb09a844858be2beb144a420e4e9dbdc5c03ae3a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
And convert all relevant usages. Updates tailscale#12912 Signed-off-by: Joe Tsai <joetsai@digital-static.net>
Add an `AcceptEnv` field to `SSHRule`. This will contain the collection of environment variable names / patterns that are specified in the `acceptEnv` block for the SSH rule within the policy file. This will be used in the tailscale client to filter out unacceptable environment variables. Updates: tailscale/corp#22775 Signed-off-by: Mario Minardi <mario@tailscale.com>
…scale#13551) Pin actions/checkout usage to latest 3.x or 4.x as appropriate. These were previously pointing to `@4` or `@3` which pull in the latest versions at these tags as they are released, with the potential to break our workflows if a breaking change or malicious version for either of these streams are released. Changing this to a pinned version also means that dependabot will keep this in the pinned version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>
Pin actions/checkout usage to latest 5.x. These were previously pointing to `@4` which pulls in the latest v4 as they are released, with the potential to break our workflows if a breaking change or malicious version on the `@4` stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinned version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. The breaking change between v4 and v5 is that v5 requires Node 20 which should be a non-issue where it is used. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>
Pin codeql actions usage to latest 3.x. These were previously pointing to `@2` which pulls in the latest v2 as they are released, with the potential to break our workflows if a breaking change or malicious version on the `@2` stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinned version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. The breaking change between v2 and v3 is that v3 requires Node 20 which is a non-issue as we are running this on ubuntu latest. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>
…scale#13554) Use slackapi/slack-github-action across the board and pin to latest 1.x. Previously we were referencing the 1.27.0 tag directly which is vulnerable to someone replacing that version tag with malicious code. Replace usage of ruby/action-slack with slackapi/slack-github-action as the latter is the officially supported action from slack. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>
Update and pin actions/cache usage to latest 4.x. These were previously pointing to `@3` which pulls in the latest v3 as they are released, with the potential to break our workflows if a breaking change or malicious version on the `@3` stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinned version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. The breaking change between v3 and v4 is that v4 requires Node 20 which should be a non-issue where this is run. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>
…ale#13556) Update and pin actions/upload-artifact usage to latest 4.x. These were previously pointing to @3 which pulls in the latest v3 as they are released, with the potential to break our workflows if a breaking change or malicious version on the @3 stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinned version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>
Pin re-actors/alls-green usage to latest 1.x. This was previously pointing to `@release/v2` which pulls in the latest changes from this branch as they are released, with the potential to break our workflows if a breaking change or malicious version on this stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinned version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>
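The pinning commits above replace floating tag and branch references with commit SHAs. One way to check a workflow file for references that are still mutable is sketched below; this is an added example, not code from these commits or from the Tailscale repository, and the sample workflow, its placeholder SHA and the function name are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed workflow; the 40-hex SHA is a placeholder, not a real commit.
const sampleWorkflow = `
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v4.x
      - uses: re-actors/alls-green@release/v2
      - uses: ./.github/actions/local
      - name: notify
        uses: "slackapi/slack-github-action@v1.27.0"
`

var (
	// Captures the reference after "uses:", with or without a list dash or quotes.
	usesRe = regexp.MustCompile(`(?m)^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)`)
	// A full-length commit SHA is the only reference form treated as pinned.
	shaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// unpinnedActions returns every "uses:" reference that is not pinned to a
// full commit SHA. Local actions (./path) live in the repo and are skipped.
func unpinnedActions(workflow string) []string {
	var out []string
	for _, m := range usesRe.FindAllStringSubmatch(workflow, -1) {
		ref := m[1]
		if strings.HasPrefix(ref, "./") {
			continue
		}
		at := strings.LastIndex(ref, "@")
		if at < 0 || !shaRe.MatchString(ref[at+1:]) {
			out = append(out, ref) // version tag, major tag or branch: all mutable
		}
	}
	return out
}

func main() {
	for _, ref := range unpinnedActions(sampleWorkflow) {
		fmt.Println("not pinned to a commit SHA:", ref)
	}
}
```

Exact version tags such as `v1.27.0` are reported alongside `@v4` and branch names because a tag can be moved to a different commit, which is the risk the slack-github-action commit describes.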
…9529) Bumps [tibdex/github-app-token](https://github.com/tibdex/github-app-token) from 1.8.0 to 2.1.0. - [Release notes](https://github.com/tibdex/github-app-token/releases) - [Commits](tibdex/github-app-token@b625283...3beb63f) --- updated-dependencies: - dependency-name: tibdex/github-app-token dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Mario Minardi <mario@tailscale.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Updates tailscale#13326 Adds a CLI subcommand to perform DNS queries using the internal DNS forwarder and observe its internals (namely, which upstream resolvers are being used). Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
Add separate builds for DSM7.2 for synology so that we can encode separate versioning information in the INFO file to distinguish between the two. Fixes tailscale/corp#22908 Signed-off-by: Mario Minardi <mario@tailscale.com>
Rearrange conditionals to reduce indentation and make it a bit easier to read the logic. Also makes some error message updates for better consistency with the recent decision around capitalising resource names and the upcoming addition of config secrets. Updates #cleanup Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
…yGroup (tailscale#13720) The default ProxyClass can be set via helm chart or env var, and applies to all proxies that do not otherwise have an explicit ProxyClass set. This ensures proxies created by the new ProxyGroup CRD are consistent with the behaviour of existing proxies Nearby but unrelated changes: * Fix up double error logs (controller runtime logs returned errors) * Fix a couple of variable names Updates tailscale#13406 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
Updates tailscale#13728 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I1e8319d6b2da013ae48f15113b30c9333e69cc0b
…k for dual stack clusters (tailscale#13721) Currently egress Services for ProxyGroup only work for Pods and Services with IPv4 addresses. Ensure that it works on dual stack clusters by reading proxy Pod's IP from the .status.podIPs list that always contains both IPv4 and IPv6 address (if the Pod has them) rather than .status.podIP that could contain IPv6 only for a dual stack cluster. Updates tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Updates tailscale#13731 Change-Id: Ibee85426827ebb9e43a1c42a9c07c847daa50117 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
…le#13722) Instead of converting our PortMap struct to a string during marshalling for use as a key, convert the whole collection of PortMaps to a list of PortMap objects, which improves the readability of the JSON config while still keeping the data structure we need in the code. Updates tailscale#13406 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
…finition (tailscale#13714) As discussed in tailscale#13684, base the ProxyGroup's proxy definitions on the same scaffolding as the existing proxies, as defined in proxy.yaml Updates tailscale#13406 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
Updates tailscale#12912 Updates tailscale#12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>
Fixes tailscale#13313 Fixes tailscale#12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>
Ensure that .status.podIPs is used to select Pod's IP in all reconcilers. Updates tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
…und. (tailscale#13736) We don't need to error out and continuously reconcile if ProxyClass has not (yet) been created, once it gets created the ProxyGroup reconciler will get triggered. Updates tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Their callers using Range are all kinda clunky feeling. Iterators should make them more readable. Updates tailscale#12912 Change-Id: I93461eba8e735276fda4a8558a4ae4bfd6c04922 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
…ss Services for ProxyGroup (tailscale#13746) cmd/k8s-operator,k8s-operator/apis: set a readiness condition on egress Services Set a readiness condition on ExternalName Services that define a tailnet target to route cluster traffic to via a ProxyGroup's proxies. The condition is set to true if at least one proxy is currently set up to route. Updates tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Add Keys, Values, and All to iterate over all keys, values, and entries, respectively. Updates tailscale#11038 Signed-off-by: Joe Tsai <joetsai@digital-static.net>
This new function allows constructing vizerrors that combine a message appropriate for display to users with a wrapped underlying error. Updates tailscale/corp#23781 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Updates tailscale#11038 Change-Id: I2819fed896cc4035aba5e4e141b52c12637373b1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
One primary purpose of WithLock is to mutate the underlying map. However, this can lead to a panic if it happens to be nil. Thus, always allocate a map before passing it to f. Updates tailscale/corp#11038 Signed-off-by: Joe Tsai <joetsai@digital-static.net>
However, this affects the scope of a defer. Updates tailscale#11038 Signed-off-by: Joe Tsai <joetsai@digital-static.net>
We probably shouldn't link it in anywhere, but let's fix iOS for now. Updates tailscale#13762 Updates tailscale/corp#20099 Change-Id: Idac116e9340434334c256acba3866f02bd19827c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
There's never a tailscaled on iOS. And we can't run child processes to look for it anyway. Updates tailscale/corp#20099 Change-Id: Ieb3776f4bb440c4f1c442fdd169bacbe17f23ddb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
We were using google/uuid in two places and that brought in database/sql/driver. We didn't need it in either place. Updates tailscale#13760 Updates tailscale/corp#20099 Change-Id: Ieed32f1bebe35d35f47ec5a2a429268f24f11f1f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
…scale#13770) No need to prefix this with 'Tailscale' for tailscale.com custom resource types. Updates tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Updates tailscale/corp#20099 Change-Id: Ie3b782379b19d5f7890a8d3a378096b4f3e8a612 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Updates tailscale#13773 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I95e03eb6aef1639bd4a2efd3a415e2c10cdebc5a
Fixes tailscale#13772 Change-Id: I3ae03a5ee48c801f2e5ea12d1e54681df25d4604 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
anthr76
approved these changes
Oct 10, 2024
https://tailscale.com/changelog#2024-10-10