Update dependencies

2025-04-09 01:00:12 +01:00
parent f0641ffd6e
commit 5a9cfc022c
882 changed files with 68930 additions and 24201 deletions
--- a/vendor/tailscale.com/envknob/envknob.go
+++ b/vendor/tailscale.com/envknob/envknob.go
@@ -411,12 +411,35 @@ func TKASkipSignatureCheck() bool { return Bool("TS_UNSAFE_SKIP_NKS_VERIFICATION
 // Kubernetes Operator components.
 func App() string {
 	a := os.Getenv("TS_INTERNAL_APP")
-	if a == kubetypes.AppConnector || a == kubetypes.AppEgressProxy || a == kubetypes.AppIngressProxy || a == kubetypes.AppIngressResource {
+	if a == kubetypes.AppConnector || a == kubetypes.AppEgressProxy || a == kubetypes.AppIngressProxy || a == kubetypes.AppIngressResource || a == kubetypes.AppProxyGroupEgress || a == kubetypes.AppProxyGroupIngress {
 		return a
 	}
 	return ""
 }

+// IsCertShareReadOnlyMode returns true if this replica should never attempt to
+// issue or renew TLS credentials for any of the HTTPS endpoints that it is
+// serving. It should only return certs found in its cert store.  Currently,
+// this is used by the Kubernetes Operator's HA Ingress via VIPServices, where
+// multiple Ingress proxy instances serve the same HTTPS endpoint with a shared
+// TLS credentials. The TLS credentials should only be issued by one of the
+// replicas.
+// For HTTPS Ingress the operator and containerboot ensure
+// that read-only replicas will not be serving the HTTPS endpoints before there
+// is a shared cert available.
+func IsCertShareReadOnlyMode() bool {
+	m := String("TS_CERT_SHARE_MODE")
+	return m == "ro"
+}
+
+// IsCertShareReadWriteMode returns true if this instance is the replica
+// responsible for issuing and renewing TLS certs in an HA setup with certs
+// shared between multiple replicas.
+func IsCertShareReadWriteMode() bool {
+	m := String("TS_CERT_SHARE_MODE")
+	return m == "rw"
+}
+
 // CrashOnUnexpected reports whether the Tailscale client should panic
 // on unexpected conditions. If TS_DEBUG_CRASH_ON_UNEXPECTED is set, that's
 // used. Otherwise the default value is true for unstable builds.
--- a/vendor/tailscale.com/envknob/featureknob/featureknob.go
+++ b/vendor/tailscale.com/envknob/featureknob/featureknob.go
@@ -0,0 +1,67 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package featureknob provides a facility to control whether features
+// can run based on either an envknob or running OS / distro.
+package featureknob
+
+import (
+	"errors"
+	"runtime"
+
+	"tailscale.com/envknob"
+	"tailscale.com/hostinfo"
+	"tailscale.com/version"
+	"tailscale.com/version/distro"
+)
+
+// CanRunTailscaleSSH reports whether serving a Tailscale SSH server is
+// supported for the current os/distro.
+func CanRunTailscaleSSH() error {
+	switch runtime.GOOS {
+	case "linux":
+		if distro.Get() == distro.Synology && !envknob.UseWIPCode() {
+			return errors.New("The Tailscale SSH server does not run on Synology.")
+		}
+		if distro.Get() == distro.QNAP && !envknob.UseWIPCode() {
+			return errors.New("The Tailscale SSH server does not run on QNAP.")
+		}
+
+		// Setting SSH on Home Assistant causes trouble on startup
+		// (since the flag is not being passed to `tailscale up`).
+		// Although Tailscale SSH does work here,
+		// it's not terribly useful since it's running in a separate container.
+		if hostinfo.GetEnvType() == hostinfo.HomeAssistantAddOn {
+			return errors.New("The Tailscale SSH server does not run on HomeAssistant.")
+		}
+		// otherwise okay
+	case "darwin":
+		// okay only in tailscaled mode for now.
+		if version.IsSandboxedMacOS() {
+			return errors.New("The Tailscale SSH server does not run in sandboxed Tailscale GUI builds.")
+		}
+	case "freebsd", "openbsd":
+	default:
+		return errors.New("The Tailscale SSH server is not supported on " + runtime.GOOS)
+	}
+	if !envknob.CanSSHD() {
+		return errors.New("The Tailscale SSH server has been administratively disabled.")
+	}
+	return nil
+}
+
+// CanUseExitNode reports whether using an exit node is supported for the
+// current os/distro.
+func CanUseExitNode() error {
+	switch dist := distro.Get(); dist {
+	case distro.Synology, // see https://github.com/tailscale/tailscale/issues/1995
+		distro.QNAP:
+		return errors.New("Tailscale exit nodes cannot be used on " + string(dist))
+	}
+
+	if hostinfo.GetEnvType() == hostinfo.HomeAssistantAddOn {
+		return errors.New("Tailscale exit nodes cannot be used on HomeAssistant.")
+	}
+
+	return nil
+}
--- a/vendor/tailscale.com/envknob/features.go
+++ b/vendor/tailscale.com/envknob/features.go
@@ -1,39 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package envknob
-
-import (
-	"errors"
-	"runtime"
-
-	"tailscale.com/version"
-	"tailscale.com/version/distro"
-)
-
-// CanRunTailscaleSSH reports whether serving a Tailscale SSH server is
-// supported for the current os/distro.
-func CanRunTailscaleSSH() error {
-	switch runtime.GOOS {
-	case "linux":
-		if distro.Get() == distro.Synology && !UseWIPCode() {
-			return errors.New("The Tailscale SSH server does not run on Synology.")
-		}
-		if distro.Get() == distro.QNAP && !UseWIPCode() {
-			return errors.New("The Tailscale SSH server does not run on QNAP.")
-		}
-		// otherwise okay
-	case "darwin":
-		// okay only in tailscaled mode for now.
-		if version.IsSandboxedMacOS() {
-			return errors.New("The Tailscale SSH server does not run in sandboxed Tailscale GUI builds.")
-		}
-	case "freebsd", "openbsd":
-	default:
-		return errors.New("The Tailscale SSH server is not supported on " + runtime.GOOS)
-	}
-	if !CanSSHD() {
-		return errors.New("The Tailscale SSH server has been administratively disabled.")
-	}
-	return nil
-}