Merge 633297915a into 6275399327

only set username and email if valid
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-11-26 17:03:06 +00:00 · 2024-11-19 09:22:35 +00:00 · 2024-11-19 10:22:26 +01:00 · 2024-11-19 09:50:53 +01:00 · 2024-11-19 09:50:53 +01:00
19 changed files with 131 additions and 904 deletions
--- a/.github/workflows/test-integration.yaml
+++ b/.github/workflows/test-integration.yaml
@ -38,7 +38,6 @@ jobs:
          - TestNodeMoveCommand
          - TestPolicyCommand
          - TestPolicyBrokenConfigCommand
          - TestDERPVerifyEndpoint
          - TestResolveMagicDNS
          - TestValidateResolvConf
          - TestDERPServerScenario
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -23,7 +23,6 @@
 - Added conversion of 'Hostname' to 'givenName' in a node with FQDN rules applied [#2198](https://github.com/juanfont/headscale/pull/2198)
 - Fixed updating of hostname and givenName when it is updated in HostInfo [#2199](https://github.com/juanfont/headscale/pull/2199)
 - Fixed missing `stable-debug` container tag [#2232](https://github.com/juanfont/headscale/pr/2232)
 - Loosened up `server_url` and `base_domain` check. It was overly strict in some cases.
 ## 0.23.0 (2024-09-18)
--- a/Dockerfile.derper
+++ b/Dockerfile.derper
@ -1,19 +0,0 @@
 # For testing purposes only
 FROM golang:alpine AS build-env
 WORKDIR /go/src
 RUN apk add --no-cache git
 ARG VERSION_BRANCH=main
 RUN git clone https://github.com/tailscale/tailscale.git --branch=$VERSION_BRANCH --depth=1
 WORKDIR /go/src/tailscale
 ARG TARGETARCH
 RUN GOARCH=$TARGETARCH go install -v ./cmd/derper
 FROM alpine:3.18
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables curl
 COPY --from=build-env /go/bin/* /usr/local/bin/
 ENTRYPOINT [ "/usr/local/bin/derper" ]
--- a/Dockerfile.tailscale-HEAD
+++ b/Dockerfile.tailscale-HEAD
@ -28,9 +28,7 @@ ARG VERSION_GIT_HASH=""
 ENV VERSION_GIT_HASH=$VERSION_GIT_HASH
 ARG TARGETARCH
-ARG BUILD_TAGS=""
+RUN GOARCH=$TARGETARCH go install -ldflags="\
 RUN GOARCH=$TARGETARCH go install -tags="${BUILD_TAGS}" -ldflags="\
      -X tailscale.com/version.longStamp=$VERSION_LONG \
      -X tailscale.com/version.shortStamp=$VERSION_SHORT \
      -X tailscale.com/version.gitCommitStamp=$VERSION_GIT_HASH" \
--- a/hscontrol/app.go
+++ b/hscontrol/app.go
@ -457,8 +457,6 @@ func (h *Headscale) createRouter(grpcMux *grpcRuntime.ServeMux) *mux.Router {
 	router.HandleFunc("/swagger/v1/openapiv2.json", headscale.SwaggerAPIv1).
 		Methods(http.MethodGet)
 	router.HandleFunc("/verify", h.VerifyHandler).Methods(http.MethodPost)
 	if h.cfg.DERP.ServerEnabled {
 		router.HandleFunc("/derp", h.DERPServer.DERPHandler)
 		router.HandleFunc("/derp/probe", derpServer.DERPProbeHandler)
--- a/hscontrol/handlers.go
+++ b/hscontrol/handlers.go
@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"strconv"
 	"strings"
@ -57,65 +56,6 @@ func parseCabailityVersion(req *http.Request) (tailcfg.CapabilityVersion, error)
 	return tailcfg.CapabilityVersion(clientCapabilityVersion), nil
 }
 func (h *Headscale) handleVerifyRequest(
 	req *http.Request,
 ) (bool, error) {
 	body, err := io.ReadAll(req.Body)
 	if err != nil {
 		return false, fmt.Errorf("cannot read request body: %w", err)
 	}
 	var derpAdmitClientRequest tailcfg.DERPAdmitClientRequest
 	if err := json.Unmarshal(body, &derpAdmitClientRequest); err != nil {
 		return false, fmt.Errorf("cannot parse derpAdmitClientRequest: %w", err)
 	}
 	nodes, err := h.db.ListNodes()
 	if err != nil {
 		return false, fmt.Errorf("cannot list nodes: %w", err)
 	}
 	return nodes.ContainsNodeKey(derpAdmitClientRequest.NodePublic), nil
 }
 // see https://github.com/tailscale/tailscale/blob/964282d34f06ecc06ce644769c66b0b31d118340/derp/derp_server.go#L1159, Derp use verifyClientsURL to verify whether a client is allowed to connect to the DERP server.
 func (h *Headscale) VerifyHandler(
 	writer http.ResponseWriter,
 	req *http.Request,
 ) {
 	if req.Method != http.MethodPost {
 		http.Error(writer, "Wrong method", http.StatusMethodNotAllowed)
 		return
 	}
 	log.Debug().
 		Str("handler", "/verify").
 		Msg("verify client")
 	allow, err := h.handleVerifyRequest(req)
 	if err != nil {
 		log.Error().
 			Caller().
 			Err(err).
 			Msg("Failed to verify client")
 		http.Error(writer, "Internal error", http.StatusInternalServerError)
 	}
 	resp := tailcfg.DERPAdmitClientResponse{
 		Allow: allow,
 	}
 	writer.Header().Set("Content-Type", "application/json")
 	writer.WriteHeader(http.StatusOK)
 	err = json.NewEncoder(writer).Encode(resp)
 	if err != nil {
 		log.Error().
 			Caller().
 			Err(err).
 			Msg("Failed to write response")
 	}
 }
 // KeyHandler provides the Headscale pub key
 // Listens in /key.
 func (h *Headscale) KeyHandler(
--- a/hscontrol/types/config.go
+++ b/hscontrol/types/config.go
@ -28,9 +28,8 @@ const (
 	maxDuration           time.Duration = 1<<63 - 1
 )
-var (
+var errOidcMutuallyExclusive = errors.New(
-	errOidcMutuallyExclusive = errors.New("oidc_client_secret and oidc_client_secret_path are mutually exclusive")
+	"oidc_client_secret and oidc_client_secret_path are mutually exclusive",
 	errServerURLSuffix       = errors.New("server_url cannot be part of base_domain in a way that could make the DERP and headscale server unreachable")
 )
 type IPAllocationStrategy string
@ -828,10 +827,11 @@ func LoadServerConfig() (*Config, error) {
 	// - DERP run on their own domains
 	// - Control plane runs on login.tailscale.com/controlplane.tailscale.com
 	// - MagicDNS (BaseDomain) for users is on a *.ts.net domain per tailnet (e.g. tail-scale.ts.net)
-	if dnsConfig.BaseDomain != "" {
+	if dnsConfig.BaseDomain != "" &&
-		if err := isSafeServerURL(serverURL, dnsConfig.BaseDomain); err != nil {
+		strings.Contains(serverURL, dnsConfig.BaseDomain) {
-			return nil, err
+		return nil, errors.New(
-		}
+			"server_url cannot contain the base_domain, this will cause the headscale server and embedded DERP to become unreachable from the Tailscale node.",
 		)
 	}
 	return &Config{
@ -924,37 +924,6 @@ func LoadServerConfig() (*Config, error) {
 	}, nil
 }
 // BaseDomain cannot be a suffix of the server URL.
 // This is because Tailscale takes over the domain in BaseDomain,
 // causing the headscale server and DERP to be unreachable.
 // For Tailscale upstream, the following is true:
 // - DERP run on their own domains.
 // - Control plane runs on login.tailscale.com/controlplane.tailscale.com.
 // - MagicDNS (BaseDomain) for users is on a *.ts.net domain per tailnet (e.g. tail-scale.ts.net).
 func isSafeServerURL(serverURL, baseDomain string) error {
 	server, err := url.Parse(serverURL)
 	if err != nil {
 		return err
 	}
 	serverDomainParts := strings.Split(server.Host, ".")
 	baseDomainParts := strings.Split(baseDomain, ".")
 	if len(serverDomainParts) <= len(baseDomainParts) {
 		return nil
 	}
 	s := len(serverDomainParts)
 	b := len(baseDomainParts)
 	for i := range len(baseDomainParts) {
 		if serverDomainParts[s-i-1] != baseDomainParts[b-i-1] {
 			return nil
 		}
 	}
 	return errServerURLSuffix
 }
 type deprecator struct {
 	warns  set.Set[string]
 	fatals set.Set[string]
--- a/hscontrol/types/config_test.go
+++ b/hscontrol/types/config_test.go
@ -1,7 +1,6 @@
 package types
 import (
 	"fmt"
 	"os"
 	"path/filepath"
 	"testing"
@ -140,7 +139,7 @@ func TestReadConfig(t *testing.T) {
 				return LoadServerConfig()
 			},
 			want:    nil,
-			wantErr: errServerURLSuffix.Error(),
+			wantErr: "server_url cannot contain the base_domain, this will cause the headscale server and embedded DERP to become unreachable from the Tailscale node.",
 		},
 		{
 			name:       "base-domain-not-in-server-url",
@ -334,64 +333,3 @@ tls_letsencrypt_challenge_type: TLS-ALPN-01
 	err = LoadConfig(tmpDir, false)
 	assert.NoError(t, err)
 }
 // OK
 // server_url: headscale.com, base: clients.headscale.com
 // server_url: headscale.com, base: headscale.net
 //
 // NOT OK
 // server_url: server.headscale.com, base: headscale.com.
 func TestSafeServerURL(t *testing.T) {
 	tests := []struct {
 		serverURL, baseDomain,
 		wantErr string
 	}{
 		{
 			serverURL:  "https://example.com",
 			baseDomain: "example.org",
 		},
 		{
 			serverURL:  "https://headscale.com",
 			baseDomain: "headscale.com",
 		},
 		{
 			serverURL:  "https://headscale.com",
 			baseDomain: "clients.headscale.com",
 		},
 		{
 			serverURL:  "https://headscale.com",
 			baseDomain: "clients.subdomain.headscale.com",
 		},
 		{
 			serverURL:  "https://headscale.kristoffer.com",
 			baseDomain: "mybase",
 		},
 		{
 			serverURL:  "https://server.headscale.com",
 			baseDomain: "headscale.com",
 			wantErr:    errServerURLSuffix.Error(),
 		},
 		{
 			serverURL:  "https://server.subdomain.headscale.com",
 			baseDomain: "headscale.com",
 			wantErr:    errServerURLSuffix.Error(),
 		},
 		{
 			serverURL: "http://foo\x00",
 			wantErr:   `parse "http://foo\x00": net/url: invalid control character in URL`,
 		},
 	}
 	for _, tt := range tests {
 		testName := fmt.Sprintf("server=%s domain=%s", tt.serverURL, tt.baseDomain)
 		t.Run(testName, func(t *testing.T) {
 			err := isSafeServerURL(tt.serverURL, tt.baseDomain)
 			if tt.wantErr != "" {
 				assert.EqualError(t, err, tt.wantErr)
 				return
 			}
 			assert.NoError(t, err)
 		})
 	}
 }
--- a/hscontrol/types/node.go
+++ b/hscontrol/types/node.go
@ -223,16 +223,6 @@ func (nodes Nodes) FilterByIP(ip netip.Addr) Nodes {
 	return found
 }
 func (nodes Nodes) ContainsNodeKey(nodeKey key.NodePublic) bool {
 	for _, node := range nodes {
 		if node.NodeKey == nodeKey {
 			return true
 		}
 	}
 	return false
 }
 func (node *Node) Proto() *v1.Node {
 	nodeProto := &v1.Node{
 		Id:         uint64(node.ID),
--- a/hscontrol/types/testdata/base-domain-in-server-url.yaml
+++ b/hscontrol/types/testdata/base-domain-in-server-url.yaml
@ -8,7 +8,7 @@ prefixes:
 database:
  type: sqlite3
-server_url: "https://server.derp.no"
+server_url: "https://derp.no"
 dns:
  magic_dns: true
--- a/integration/README.md
+++ b/integration/README.md
@ -11,10 +11,10 @@ Tests are located in files ending with `_test.go` and the framework are located
 ## Running integration tests locally
-The easiest way to run tests locally is to use [act](https://github.com/nektos/act), a local GitHub Actions runner:
+The easiest way to run tests locally is to use `[act](INSERT LINK)`, a local GitHub Actions runner:
 ```
-act pull_request -W .github/workflows/test-integration.yaml
+act pull_request -W .github/workflows/test-integration-v2-TestPingAllByIP.yaml
 ```
 Alternatively, the `docker run` command in each GitHub workflow file can be used.
--- a/integration/derp_verify_endpoint_test.go
+++ b/integration/derp_verify_endpoint_test.go
@ -1,96 +0,0 @@
 package integration
 import (
 	"encoding/json"
 	"fmt"
 	"net"
 	"strconv"
 	"strings"
 	"testing"
 	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/juanfont/headscale/integration/dsic"
 	"github.com/juanfont/headscale/integration/hsic"
 	"github.com/juanfont/headscale/integration/integrationutil"
 	"github.com/juanfont/headscale/integration/tsic"
 	"tailscale.com/tailcfg"
 )
 func TestDERPVerifyEndpoint(t *testing.T) {
 	IntegrationSkip(t)
 	// Generate random hostname for the headscale instance
 	hash, err := util.GenerateRandomStringDNSSafe(6)
 	assertNoErr(t, err)
 	testName := "derpverify"
 	hostname := fmt.Sprintf("hs-%s-%s", testName, hash)
 	headscalePort := 8080
 	// Create cert for headscale
 	certHeadscale, keyHeadscale, err := integrationutil.CreateCertificate(hostname)
 	assertNoErr(t, err)
 	scenario, err := NewScenario(dockertestMaxWait())
 	assertNoErr(t, err)
 	defer scenario.ShutdownAssertNoPanics(t)
 	spec := map[string]int{
 		"user1": len(MustTestVersions),
 	}
 	derper, err := scenario.CreateDERPServer("head",
 		dsic.WithCACert(certHeadscale),
 		dsic.WithVerifyClientURL(fmt.Sprintf("https://%s/verify", net.JoinHostPort(hostname, strconv.Itoa(headscalePort)))),
 	)
 	assertNoErr(t, err)
 	derpMap := tailcfg.DERPMap{
 		Regions: map[int]*tailcfg.DERPRegion{
 			900: {
 				RegionID:   900,
 				RegionCode: "test-derpverify",
 				RegionName: "TestDerpVerify",
 				Nodes: []*tailcfg.DERPNode{
 					{
 						Name:     "TestDerpVerify",
 						RegionID: 900,
 						HostName: derper.GetHostname(),
 						STUNPort: derper.GetSTUNPort(),
 						STUNOnly: false,
 						DERPPort: derper.GetDERPPort(),
 					},
 				},
 			},
 		},
 	}
 	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{tsic.WithCACert(derper.GetCert())},
 		hsic.WithHostname(hostname),
 		hsic.WithPort(headscalePort),
 		hsic.WithCustomTLS(certHeadscale, keyHeadscale),
 		hsic.WithHostnameAsServerURL(),
 		hsic.WithDERPConfig(derpMap))
 	assertNoErrHeadscaleEnv(t, err)
 	allClients, err := scenario.ListTailscaleClients()
 	assertNoErrListClients(t, err)
 	for _, client := range allClients {
 		report, err := client.DebugDERPRegion("test-derpverify")
 		assertNoErr(t, err)
 		successful := false
 		for _, line := range report.Info {
 			if strings.Contains(line, "Successfully established a DERP connection with node") {
 				successful = true
 				break
 			}
 		}
 		if !successful {
 			stJSON, err := json.Marshal(report)
 			assertNoErr(t, err)
 			t.Errorf("Client %s could not establish a DERP connection: %s", client.Hostname(), string(stJSON))
 		}
 	}
 }
--- a/integration/dsic/dsic.go
+++ b/integration/dsic/dsic.go
@ -1,321 +0,0 @@
 package dsic
 import (
 	"crypto/tls"
 	"errors"
 	"fmt"
 	"log"
 	"net"
 	"net/http"
 	"strconv"
 	"strings"
 	"time"
 	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/juanfont/headscale/integration/dockertestutil"
 	"github.com/juanfont/headscale/integration/integrationutil"
 	"github.com/ory/dockertest/v3"
 	"github.com/ory/dockertest/v3/docker"
 )
 const (
 	dsicHashLength       = 6
 	dockerContextPath    = "../."
 	caCertRoot           = "/usr/local/share/ca-certificates"
 	DERPerCertRoot       = "/usr/local/share/derper-certs"
 	dockerExecuteTimeout = 60 * time.Second
 )
 var errDERPerStatusCodeNotOk = errors.New("DERPer status code not OK")
 // DERPServerInContainer represents DERP Server in Container (DSIC).
 type DERPServerInContainer struct {
 	version  string
 	hostname string
 	pool      *dockertest.Pool
 	container *dockertest.Resource
 	network   *dockertest.Network
 	stunPort            int
 	derpPort            int
 	caCerts             [][]byte
 	tlsCert             []byte
 	tlsKey              []byte
 	withExtraHosts      []string
 	withVerifyClientURL string
 	workdir             string
 }
 // Option represent optional settings that can be given to a
 // DERPer instance.
 type Option = func(c *DERPServerInContainer)
 // WithCACert adds it to the trusted surtificate of the Tailscale container.
 func WithCACert(cert []byte) Option {
 	return func(dsic *DERPServerInContainer) {
 		dsic.caCerts = append(dsic.caCerts, cert)
 	}
 }
 // WithOrCreateNetwork sets the Docker container network to use with
 // the DERPer instance, if the parameter is nil, a new network,
 // isolating the DERPer, will be created. If a network is
 // passed, the DERPer instance will join the given network.
 func WithOrCreateNetwork(network *dockertest.Network) Option {
 	return func(tsic *DERPServerInContainer) {
 		if network != nil {
 			tsic.network = network
 			return
 		}
 		network, err := dockertestutil.GetFirstOrCreateNetwork(
 			tsic.pool,
 			tsic.hostname+"-network",
 		)
 		if err != nil {
 			log.Fatalf("failed to create network: %s", err)
 		}
 		tsic.network = network
 	}
 }
 // WithDockerWorkdir allows the docker working directory to be set.
 func WithDockerWorkdir(dir string) Option {
 	return func(tsic *DERPServerInContainer) {
 		tsic.workdir = dir
 	}
 }
 // WithVerifyClientURL sets the URL to verify the client.
 func WithVerifyClientURL(url string) Option {
 	return func(tsic *DERPServerInContainer) {
 		tsic.withVerifyClientURL = url
 	}
 }
 // WithExtraHosts adds extra hosts to the container.
 func WithExtraHosts(hosts []string) Option {
 	return func(tsic *DERPServerInContainer) {
 		tsic.withExtraHosts = hosts
 	}
 }
 // New returns a new TailscaleInContainer instance.
 func New(
 	pool *dockertest.Pool,
 	version string,
 	network *dockertest.Network,
 	opts ...Option,
 ) (*DERPServerInContainer, error) {
 	hash, err := util.GenerateRandomStringDNSSafe(dsicHashLength)
 	if err != nil {
 		return nil, err
 	}
 	hostname := fmt.Sprintf("derp-%s-%s", strings.ReplaceAll(version, ".", "-"), hash)
 	tlsCert, tlsKey, err := integrationutil.CreateCertificate(hostname)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create certificates for headscale test: %w", err)
 	}
 	dsic := &DERPServerInContainer{
 		version:  version,
 		hostname: hostname,
 		pool:     pool,
 		network:  network,
 		tlsCert:  tlsCert,
 		tlsKey:   tlsKey,
 		stunPort: 3478, //nolint
 		derpPort: 443,  //nolint
 	}
 	for _, opt := range opts {
 		opt(dsic)
 	}
 	var cmdArgs strings.Builder
 	fmt.Fprintf(&cmdArgs, "--hostname=%s", hostname)
 	fmt.Fprintf(&cmdArgs, " --certmode=manual")
 	fmt.Fprintf(&cmdArgs, " --certdir=%s", DERPerCertRoot)
 	fmt.Fprintf(&cmdArgs, " --a=:%d", dsic.derpPort)
 	fmt.Fprintf(&cmdArgs, " --stun=true")
 	fmt.Fprintf(&cmdArgs, " --stun-port=%d", dsic.stunPort)
 	if dsic.withVerifyClientURL != "" {
 		fmt.Fprintf(&cmdArgs, " --verify-client-url=%s", dsic.withVerifyClientURL)
 	}
 	runOptions := &dockertest.RunOptions{
 		Name:       hostname,
 		Networks:   []*dockertest.Network{dsic.network},
 		ExtraHosts: dsic.withExtraHosts,
 		// we currently need to give us some time to inject the certificate further down.
 		Entrypoint: []string{"/bin/sh", "-c", "/bin/sleep 3 ; update-ca-certificates ; derper " + cmdArgs.String()},
 		ExposedPorts: []string{
 			"80/tcp",
 			fmt.Sprintf("%d/tcp", dsic.derpPort),
 			fmt.Sprintf("%d/udp", dsic.stunPort),
 		},
 	}
 	if dsic.workdir != "" {
 		runOptions.WorkingDir = dsic.workdir
 	}
 	// dockertest isnt very good at handling containers that has already
 	// been created, this is an attempt to make sure this container isnt
 	// present.
 	err = pool.RemoveContainerByName(hostname)
 	if err != nil {
 		return nil, err
 	}
 	var container *dockertest.Resource
 	buildOptions := &dockertest.BuildOptions{
 		Dockerfile: "Dockerfile.derper",
 		ContextDir: dockerContextPath,
 		BuildArgs:  []docker.BuildArg{},
 	}
 	switch version {
 	case "head":
 		buildOptions.BuildArgs = append(buildOptions.BuildArgs, docker.BuildArg{
 			Name:  "VERSION_BRANCH",
 			Value: "main",
 		})
 	default:
 		buildOptions.BuildArgs = append(buildOptions.BuildArgs, docker.BuildArg{
 			Name:  "VERSION_BRANCH",
 			Value: "v" + version,
 		})
 	}
 	container, err = pool.BuildAndRunWithBuildOptions(
 		buildOptions,
 		runOptions,
 		dockertestutil.DockerRestartPolicy,
 		dockertestutil.DockerAllowLocalIPv6,
 		dockertestutil.DockerAllowNetworkAdministration,
 	)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"%s could not start tailscale DERPer container (version: %s): %w",
 			hostname,
 			version,
 			err,
 		)
 	}
 	log.Printf("Created %s container\n", hostname)
 	dsic.container = container
 	for i, cert := range dsic.caCerts {
 		err = dsic.WriteFile(fmt.Sprintf("%s/user-%d.crt", caCertRoot, i), cert)
 		if err != nil {
 			return nil, fmt.Errorf("failed to write TLS certificate to container: %w", err)
 		}
 	}
 	if len(dsic.tlsCert) != 0 {
 		err = dsic.WriteFile(fmt.Sprintf("%s/%s.crt", DERPerCertRoot, dsic.hostname), dsic.tlsCert)
 		if err != nil {
 			return nil, fmt.Errorf("failed to write TLS certificate to container: %w", err)
 		}
 	}
 	if len(dsic.tlsKey) != 0 {
 		err = dsic.WriteFile(fmt.Sprintf("%s/%s.key", DERPerCertRoot, dsic.hostname), dsic.tlsKey)
 		if err != nil {
 			return nil, fmt.Errorf("failed to write TLS key to container: %w", err)
 		}
 	}
 	return dsic, nil
 }
 // Shutdown stops and cleans up the DERPer container.
 func (t *DERPServerInContainer) Shutdown() error {
 	err := t.SaveLog("/tmp/control")
 	if err != nil {
 		log.Printf(
 			"Failed to save log from %s: %s",
 			t.hostname,
 			fmt.Errorf("failed to save log: %w", err),
 		)
 	}
 	return t.pool.Purge(t.container)
 }
 // GetCert returns the TLS certificate of the DERPer instance.
 func (t *DERPServerInContainer) GetCert() []byte {
 	return t.tlsCert
 }
 // Hostname returns the hostname of the DERPer instance.
 func (t *DERPServerInContainer) Hostname() string {
 	return t.hostname
 }
 // Version returns the running DERPer version of the instance.
 func (t *DERPServerInContainer) Version() string {
 	return t.version
 }
 // ID returns the Docker container ID of the DERPServerInContainer
 // instance.
 func (t *DERPServerInContainer) ID() string {
 	return t.container.Container.ID
 }
 func (t *DERPServerInContainer) GetHostname() string {
 	return t.hostname
 }
 // GetSTUNPort returns the STUN port of the DERPer instance.
 func (t *DERPServerInContainer) GetSTUNPort() int {
 	return t.stunPort
 }
 // GetDERPPort returns the DERP port of the DERPer instance.
 func (t *DERPServerInContainer) GetDERPPort() int {
 	return t.derpPort
 }
 // WaitForRunning blocks until the DERPer instance is ready to be used.
 func (t *DERPServerInContainer) WaitForRunning() error {
 	url := "https://" + net.JoinHostPort(t.GetHostname(), strconv.Itoa(t.GetDERPPort())) + "/"
 	log.Printf("waiting for DERPer to be ready at %s", url)
 	insecureTransport := http.DefaultTransport.(*http.Transport).Clone()      //nolint
 	insecureTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} //nolint
 	client := &http.Client{Transport: insecureTransport}
 	return t.pool.Retry(func() error {
 		resp, err := client.Get(url) //nolint
 		if err != nil {
 			return fmt.Errorf("headscale is not ready: %w", err)
 		}
 		if resp.StatusCode != http.StatusOK {
 			return errDERPerStatusCodeNotOk
 		}
 		return nil
 	})
 }
 // ConnectToNetwork connects the DERPer instance to a network.
 func (t *DERPServerInContainer) ConnectToNetwork(network *dockertest.Network) error {
 	return t.container.ConnectToNetwork(network)
 }
 // WriteFile save file inside the container.
 func (t *DERPServerInContainer) WriteFile(path string, data []byte) error {
 	return integrationutil.WriteFileToContainer(t.pool, t.container, path, data)
 }
 // SaveLog saves the current stdout log of the container to a path
 // on the host system.
 func (t *DERPServerInContainer) SaveLog(path string) error {
 	_, _, err := dockertestutil.SaveLog(t.pool, t.container, path)
 	return err
 }
--- a/integration/embedded_derp_test.go
+++ b/integration/embedded_derp_test.go
@ -55,7 +55,7 @@ func TestDERPServerWebsocketScenario(t *testing.T) {
 	spec := map[string]ClientsSpec{
 		"user1": {
 			Plain:         0,
-			WebsocketDERP: 2,
+			WebsocketDERP: len(MustTestVersions),
 		},
 	}
@ -239,13 +239,10 @@ func (s *EmbeddedDERPServerScenario) CreateHeadscaleEnv(
 		if clientCount.WebsocketDERP > 0 {
 			// Containers that use DERP-over-WebSocket
 			// Note that these clients *must* be built
 			// from source, which is currently
 			// only done for HEAD.
 			err = s.CreateTailscaleIsolatedNodesInUser(
 				hash,
 				userName,
-				tsic.VersionHead,
+				"all",
 				clientCount.WebsocketDERP,
 				tsic.WithWebsocketDERP(true),
 			)
@ -310,7 +307,7 @@ func (s *EmbeddedDERPServerScenario) CreateTailscaleIsolatedNodesInUser(
 			cert := hsServer.GetCert()
 			opts = append(opts,
-				tsic.WithCACert(cert),
+				tsic.WithHeadscaleTLS(cert),
 			)
 			user.createWaitGroup.Go(func() error {
--- a/integration/hsic/hsic.go
+++ b/integration/hsic/hsic.go
@ -1,12 +1,19 @@
 package hsic
 import (
 	"bytes"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/json"
 	"encoding/pem"
 	"errors"
 	"fmt"
 	"io"
 	"log"
 	"math/big"
 	"net"
 	"net/http"
 	"net/url"
@ -25,14 +32,11 @@ import (
 	"github.com/juanfont/headscale/integration/integrationutil"
 	"github.com/ory/dockertest/v3"
 	"github.com/ory/dockertest/v3/docker"
 	"gopkg.in/yaml.v3"
 	"tailscale.com/tailcfg"
 )
 const (
 	hsicHashLength       = 6
 	dockerContextPath    = "../."
 	caCertRoot           = "/usr/local/share/ca-certificates"
 	aclPolicyPath        = "/etc/headscale/acl.hujson"
 	tlsCertPath          = "/etc/headscale/tls.cert"
 	tlsKeyPath           = "/etc/headscale/tls.key"
@ -60,7 +64,6 @@ type HeadscaleInContainer struct {
 	// optional config
 	port             int
 	extraPorts       []string
 	caCerts          [][]byte
 	hostPortBindings map[string][]string
 	aclPolicy        *policy.ACLPolicy
 	env              map[string]string
@ -85,29 +88,18 @@ func WithACLPolicy(acl *policy.ACLPolicy) Option {
 	}
 }
 // WithCACert adds it to the trusted surtificate of the container.
 func WithCACert(cert []byte) Option {
 	return func(hsic *HeadscaleInContainer) {
 		hsic.caCerts = append(hsic.caCerts, cert)
 	}
 }
 // WithTLS creates certificates and enables HTTPS.
 func WithTLS() Option {
 	return func(hsic *HeadscaleInContainer) {
-		cert, key, err := integrationutil.CreateCertificate(hsic.hostname)
+		cert, key, err := createCertificate(hsic.hostname)
 		if err != nil {
 			log.Fatalf("failed to create certificates for headscale test: %s", err)
 		}
-		hsic.tlsCert = cert
+		// TODO(kradalby): Move somewhere appropriate
-		hsic.tlsKey = key
+		hsic.env["HEADSCALE_TLS_CERT_PATH"] = tlsCertPath
-	}
+		hsic.env["HEADSCALE_TLS_KEY_PATH"] = tlsKeyPath
 }
 // WithCustomTLS uses the given certificates for the Headscale instance.
 func WithCustomTLS(cert, key []byte) Option {
 	return func(hsic *HeadscaleInContainer) {
 		hsic.tlsCert = cert
 		hsic.tlsKey = key
 	}
@ -154,13 +146,6 @@ func WithTestName(testName string) Option {
 	}
 }
 // WithHostname sets the hostname of the Headscale instance.
 func WithHostname(hostname string) Option {
 	return func(hsic *HeadscaleInContainer) {
 		hsic.hostname = hostname
 	}
 }
 // WithHostnameAsServerURL sets the Headscale ServerURL based on
 // the Hostname.
 func WithHostnameAsServerURL() Option {
@ -218,34 +203,6 @@ func WithEmbeddedDERPServerOnly() Option {
 	}
 }
 // WithDERPConfig configures Headscale use a custom
 // DERP server only.
 func WithDERPConfig(derpMap tailcfg.DERPMap) Option {
 	return func(hsic *HeadscaleInContainer) {
 		contents, err := yaml.Marshal(derpMap)
 		if err != nil {
 			log.Fatalf("failed to marshal DERP map: %s", err)
 			return
 		}
 		hsic.env["HEADSCALE_DERP_PATHS"] = "/etc/headscale/derp.yml"
 		hsic.filesInContainer = append(hsic.filesInContainer,
 			fileInContainer{
 				path:     "/etc/headscale/derp.yml",
 				contents: contents,
 			})
 		// Disable global DERP server and embedded DERP server
 		hsic.env["HEADSCALE_DERP_URLS"] = ""
 		hsic.env["HEADSCALE_DERP_SERVER_ENABLED"] = "false"
 		// Envknob for enabling DERP debug logs
 		hsic.env["DERP_DEBUG_LOGS"] = "true"
 		hsic.env["DERP_PROBER_DEBUG_LOGS"] = "true"
 	}
 }
 // WithTuning allows changing the tuning settings easily.
 func WithTuning(batchTimeout time.Duration, mapSessionChanSize int) Option {
 	return func(hsic *HeadscaleInContainer) {
@ -343,10 +300,6 @@ func New(
 		"HEADSCALE_DEBUG_HIGH_CARDINALITY_METRICS=1",
 		"HEADSCALE_DEBUG_DUMP_CONFIG=1",
 	}
 	if hsic.hasTLS() {
 		hsic.env["HEADSCALE_TLS_CERT_PATH"] = tlsCertPath
 		hsic.env["HEADSCALE_TLS_KEY_PATH"] = tlsKeyPath
 	}
 	for key, value := range hsic.env {
 		env = append(env, fmt.Sprintf("%s=%s", key, value))
 	}
@ -360,7 +313,7 @@ func New(
 		// Cmd:          []string{"headscale", "serve"},
 		// TODO(kradalby): Get rid of this hack, we currently need to give us some
 		// to inject the headscale configuration further down.
-		Entrypoint: []string{"/bin/bash", "-c", "/bin/sleep 3 ; update-ca-certificates ; headscale serve ; /bin/sleep 30"},
+		Entrypoint: []string{"/bin/bash", "-c", "/bin/sleep 3 ; headscale serve ; /bin/sleep 30"},
 		Env:        env,
 	}
@ -398,14 +351,6 @@ func New(
 	hsic.container = container
 	// Write the CA certificates to the container
 	for i, cert := range hsic.caCerts {
 		err = hsic.WriteFile(fmt.Sprintf("%s/user-%d.crt", caCertRoot, i), cert)
 		if err != nil {
 			return nil, fmt.Errorf("failed to write TLS certificate to container: %w", err)
 		}
 	}
 	err = hsic.WriteFile("/etc/headscale/config.yaml", []byte(MinimumConfigYAML()))
 	if err != nil {
 		return nil, fmt.Errorf("failed to write headscale config to container: %w", err)
@ -804,3 +749,86 @@ func (t *HeadscaleInContainer) SendInterrupt() error {
 	return nil
 }
 // nolint
 func createCertificate(hostname string) ([]byte, []byte, error) {
 	// From:
 	// https://shaneutt.com/blog/golang-ca-and-signed-cert-go/
 	ca := &x509.Certificate{
 		SerialNumber: big.NewInt(2019),
 		Subject: pkix.Name{
 			Organization: []string{"Headscale testing INC"},
 			Country:      []string{"NL"},
 			Locality:     []string{"Leiden"},
 		},
 		NotBefore: time.Now(),
 		NotAfter:  time.Now().Add(60 * time.Hour),
 		IsCA:      true,
 		ExtKeyUsage: []x509.ExtKeyUsage{
 			x509.ExtKeyUsageClientAuth,
 			x509.ExtKeyUsageServerAuth,
 		},
 		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		BasicConstraintsValid: true,
 	}
 	caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
 	if err != nil {
 		return nil, nil, err
 	}
 	cert := &x509.Certificate{
 		SerialNumber: big.NewInt(1658),
 		Subject: pkix.Name{
 			CommonName:   hostname,
 			Organization: []string{"Headscale testing INC"},
 			Country:      []string{"NL"},
 			Locality:     []string{"Leiden"},
 		},
 		NotBefore:    time.Now(),
 		NotAfter:     time.Now().Add(60 * time.Minute),
 		SubjectKeyId: []byte{1, 2, 3, 4, 6},
 		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
 		KeyUsage:     x509.KeyUsageDigitalSignature,
 		DNSNames:     []string{hostname},
 	}
 	certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
 	if err != nil {
 		return nil, nil, err
 	}
 	certBytes, err := x509.CreateCertificate(
 		rand.Reader,
 		cert,
 		ca,
 		&certPrivKey.PublicKey,
 		caPrivKey,
 	)
 	if err != nil {
 		return nil, nil, err
 	}
 	certPEM := new(bytes.Buffer)
 	err = pem.Encode(certPEM, &pem.Block{
 		Type:  "CERTIFICATE",
 		Bytes: certBytes,
 	})
 	if err != nil {
 		return nil, nil, err
 	}
 	certPrivKeyPEM := new(bytes.Buffer)
 	err = pem.Encode(certPrivKeyPEM, &pem.Block{
 		Type:  "RSA PRIVATE KEY",
 		Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
 	})
 	if err != nil {
 		return nil, nil, err
 	}
 	return certPEM.Bytes(), certPrivKeyPEM.Bytes(), nil
 }
--- a/integration/integrationutil/util.go
+++ b/integration/integrationutil/util.go
@ -3,16 +3,9 @@ package integrationutil
 import (
 	"archive/tar"
 	"bytes"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"fmt"
 	"io"
 	"math/big"
 	"path/filepath"
 	"time"
 	"github.com/juanfont/headscale/integration/dockertestutil"
 	"github.com/ory/dockertest/v3"
@ -100,86 +93,3 @@ func FetchPathFromContainer(
 	return buf.Bytes(), nil
 }
 // nolint
 func CreateCertificate(hostname string) ([]byte, []byte, error) {
 	// From:
 	// https://shaneutt.com/blog/golang-ca-and-signed-cert-go/
 	ca := &x509.Certificate{
 		SerialNumber: big.NewInt(2019),
 		Subject: pkix.Name{
 			Organization: []string{"Headscale testing INC"},
 			Country:      []string{"NL"},
 			Locality:     []string{"Leiden"},
 		},
 		NotBefore: time.Now(),
 		NotAfter:  time.Now().Add(60 * time.Hour),
 		IsCA:      true,
 		ExtKeyUsage: []x509.ExtKeyUsage{
 			x509.ExtKeyUsageClientAuth,
 			x509.ExtKeyUsageServerAuth,
 		},
 		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		BasicConstraintsValid: true,
 	}
 	caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
 	if err != nil {
 		return nil, nil, err
 	}
 	cert := &x509.Certificate{
 		SerialNumber: big.NewInt(1658),
 		Subject: pkix.Name{
 			CommonName:   hostname,
 			Organization: []string{"Headscale testing INC"},
 			Country:      []string{"NL"},
 			Locality:     []string{"Leiden"},
 		},
 		NotBefore:    time.Now(),
 		NotAfter:     time.Now().Add(60 * time.Minute),
 		SubjectKeyId: []byte{1, 2, 3, 4, 6},
 		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
 		KeyUsage:     x509.KeyUsageDigitalSignature,
 		DNSNames:     []string{hostname},
 	}
 	certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
 	if err != nil {
 		return nil, nil, err
 	}
 	certBytes, err := x509.CreateCertificate(
 		rand.Reader,
 		cert,
 		ca,
 		&certPrivKey.PublicKey,
 		caPrivKey,
 	)
 	if err != nil {
 		return nil, nil, err
 	}
 	certPEM := new(bytes.Buffer)
 	err = pem.Encode(certPEM, &pem.Block{
 		Type:  "CERTIFICATE",
 		Bytes: certBytes,
 	})
 	if err != nil {
 		return nil, nil, err
 	}
 	certPrivKeyPEM := new(bytes.Buffer)
 	err = pem.Encode(certPrivKeyPEM, &pem.Block{
 		Type:  "RSA PRIVATE KEY",
 		Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
 	})
 	if err != nil {
 		return nil, nil, err
 	}
 	return certPEM.Bytes(), certPrivKeyPEM.Bytes(), nil
 }
--- a/integration/scenario.go
+++ b/integration/scenario.go
@ -14,7 +14,6 @@ import (
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/juanfont/headscale/integration/dockertestutil"
 	"github.com/juanfont/headscale/integration/dsic"
 	"github.com/juanfont/headscale/integration/hsic"
 	"github.com/juanfont/headscale/integration/tsic"
 	"github.com/ory/dockertest/v3"
@ -141,7 +140,6 @@ type Scenario struct {
 	// TODO(kradalby): support multiple headcales for later, currently only
 	// use one.
 	controlServers *xsync.MapOf[string, ControlServer]
 	derpServers    []*dsic.DERPServerInContainer
 	users map[string]*User
@ -226,13 +224,6 @@ func (s *Scenario) ShutdownAssertNoPanics(t *testing.T) {
 		}
 	}
 	for _, derp := range s.derpServers {
 		err := derp.Shutdown()
 		if err != nil {
 			log.Printf("failed to tear down derp server: %s", err)
 		}
 	}
 	if err := s.pool.RemoveNetwork(s.network); err != nil {
 		log.Printf("failed to remove network: %s", err)
 	}
@ -361,7 +352,7 @@ func (s *Scenario) CreateTailscaleNodesInUser(
 			hostname := headscale.GetHostname()
 			opts = append(opts,
-				tsic.WithCACert(cert),
+				tsic.WithHeadscaleTLS(cert),
 				tsic.WithHeadscaleName(hostname),
 			)
@ -660,20 +651,3 @@ func (s *Scenario) WaitForTailscaleLogout() error {
 	return nil
 }
 // CreateDERPServer creates a new DERP server in a container.
 func (s *Scenario) CreateDERPServer(version string, opts ...dsic.Option) (*dsic.DERPServerInContainer, error) {
 	derp, err := dsic.New(s.pool, version, s.network, opts...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create DERP server: %w", err)
 	}
 	err = derp.WaitForRunning()
 	if err != nil {
 		return nil, fmt.Errorf("failed to reach DERP server: %w", err)
 	}
 	s.derpServers = append(s.derpServers, derp)
 	return derp, nil
 }
--- a/integration/tailscale.go
+++ b/integration/tailscale.go
@ -30,7 +30,6 @@ type TailscaleClient interface {
 	FQDN() (string, error)
 	Status(...bool) (*ipnstate.Status, error)
 	Netmap() (*netmap.NetworkMap, error)
 	DebugDERPRegion(region string) (*ipnstate.DebugDERPRegionReport, error)
 	Netcheck() (*netcheck.Report, error)
 	WaitForNeedsLogin() error
 	WaitForRunning() error
--- a/integration/tsic/tsic.go
+++ b/integration/tsic/tsic.go
@ -12,7 +12,6 @@ import (
 	"net/netip"
 	"net/url"
 	"os"
 	"reflect"
 	"strconv"
 	"strings"
 	"time"
@ -33,7 +32,7 @@ const (
 	defaultPingTimeout   = 300 * time.Millisecond
 	defaultPingCount     = 10
 	dockerContextPath    = "../."
-	caCertRoot           = "/usr/local/share/ca-certificates"
+	headscaleCertPath    = "/usr/local/share/ca-certificates/headscale.crt"
 	dockerExecuteTimeout = 60 * time.Second
 )
@ -45,11 +44,6 @@ var (
 	errTailscaleCannotUpWithoutAuthkey = errors.New("cannot up without authkey")
 	errTailscaleNotConnected           = errors.New("tailscale not connected")
 	errTailscaledNotReadyForLogin      = errors.New("tailscaled not ready for login")
 	errInvalidClientConfig             = errors.New("verifiably invalid client config requested")
 )
 const (
 	VersionHead = "head"
 )
 func errTailscaleStatus(hostname string, err error) error {
@ -71,7 +65,7 @@ type TailscaleInContainer struct {
 	fqdn string
 	// optional config
-	caCerts           [][]byte
+	headscaleCert     []byte
 	headscaleHostname string
 	withWebsocketDERP bool
 	withSSH           bool
@ -80,23 +74,17 @@ type TailscaleInContainer struct {
 	withExtraHosts    []string
 	workdir           string
 	netfilter         string
 	// build options, solely for HEAD
 	buildConfig TailscaleInContainerBuildConfig
 }
 type TailscaleInContainerBuildConfig struct {
 	tags []string
 }
 // Option represent optional settings that can be given to a
 // Tailscale instance.
 type Option = func(c *TailscaleInContainer)
-// WithCACert adds it to the trusted surtificate of the Tailscale container.
+// WithHeadscaleTLS takes the certificate of the Headscale instance
-func WithCACert(cert []byte) Option {
+// and adds it to the trusted surtificate of the Tailscale container.
 func WithHeadscaleTLS(cert []byte) Option {
 	return func(tsic *TailscaleInContainer) {
-		tsic.caCerts = append(tsic.caCerts, cert)
+		tsic.headscaleCert = cert
 	}
 }
@ -125,7 +113,7 @@ func WithOrCreateNetwork(network *dockertest.Network) Option {
 }
 // WithHeadscaleName set the name of the headscale instance,
-// mostly useful in combination with TLS and WithCACert.
+// mostly useful in combination with TLS and WithHeadscaleTLS.
 func WithHeadscaleName(hsName string) Option {
 	return func(tsic *TailscaleInContainer) {
 		tsic.headscaleHostname = hsName
@ -187,22 +175,6 @@ func WithNetfilter(state string) Option {
 	}
 }
 // WithBuildTag adds an additional value to the `-tags=` parameter
 // of the Go compiler, allowing callers to customize the Tailscale client build.
 // This option is only meaningful when invoked on **HEAD** versions of the client.
 // Attempts to use it with any other version is a bug in the calling code.
 func WithBuildTag(tag string) Option {
 	return func(tsic *TailscaleInContainer) {
 		if tsic.version != VersionHead {
 			panic(errInvalidClientConfig)
 		}
 		tsic.buildConfig.tags = append(
 			tsic.buildConfig.tags, tag,
 		)
 	}
 }
 // New returns a new TailscaleInContainer instance.
 func New(
 	pool *dockertest.Pool,
@ -247,20 +219,18 @@ func New(
 	}
 	if tsic.withWebsocketDERP {
 		if version != VersionHead {
 			return tsic, errInvalidClientConfig
 		}
 		WithBuildTag("ts_debug_websockets")(tsic)
 		tailscaleOptions.Env = append(
 			tailscaleOptions.Env,
 			fmt.Sprintf("TS_DEBUG_DERP_WS_CLIENT=%t", tsic.withWebsocketDERP),
 		)
 	}
-	tailscaleOptions.ExtraHosts = append(tailscaleOptions.ExtraHosts,
+	if tsic.headscaleHostname != "" {
-		"host.docker.internal:host-gateway")
+		tailscaleOptions.ExtraHosts = []string{
 			"host.docker.internal:host-gateway",
 			fmt.Sprintf("%s:host-gateway", tsic.headscaleHostname),
 		}
 	}
 	if tsic.workdir != "" {
 		tailscaleOptions.WorkingDir = tsic.workdir
@ -275,36 +245,14 @@ func New(
 	}
 	var container *dockertest.Resource
 	if version != VersionHead {
 		// build options are not meaningful with pre-existing images,
 		// let's not lead anyone astray by pretending otherwise.
 		defaultBuildConfig := TailscaleInContainerBuildConfig{}
 		hasBuildConfig := !reflect.DeepEqual(defaultBuildConfig, tsic.buildConfig)
 		if hasBuildConfig {
 			return tsic, errInvalidClientConfig
 		}
 	}
 	switch version {
-	case VersionHead:
+	case "head":
 		buildOptions := &dockertest.BuildOptions{
 			Dockerfile: "Dockerfile.tailscale-HEAD",
 			ContextDir: dockerContextPath,
 			BuildArgs:  []docker.BuildArg{},
 		}
 		buildTags := strings.Join(tsic.buildConfig.tags, ",")
 		if len(buildTags) > 0 {
 			buildOptions.BuildArgs = append(
 				buildOptions.BuildArgs,
 				docker.BuildArg{
 					Name:  "BUILD_TAGS",
 					Value: buildTags,
 				},
 			)
 		}
 		container, err = pool.BuildAndRunWithBuildOptions(
 			buildOptions,
 			tailscaleOptions,
@ -346,8 +294,8 @@ func New(
 	tsic.container = container
-	for i, cert := range tsic.caCerts {
+	if tsic.hasTLS() {
-		err = tsic.WriteFile(fmt.Sprintf("%s/user-%d.crt", caCertRoot, i), cert)
+		err = tsic.WriteFile(headscaleCertPath, tsic.headscaleCert)
 		if err != nil {
 			return nil, fmt.Errorf("failed to write TLS certificate to container: %w", err)
 		}
@ -356,6 +304,10 @@ func New(
 	return tsic, nil
 }
 func (t *TailscaleInContainer) hasTLS() bool {
 	return len(t.headscaleCert) != 0
 }
 // Shutdown stops and cleans up the Tailscale container.
 func (t *TailscaleInContainer) Shutdown() error {
 	err := t.SaveLog("/tmp/control")
@ -730,34 +682,6 @@ func (t *TailscaleInContainer) watchIPN(ctx context.Context) (*ipn.Notify, error
 	}
 }
 func (t *TailscaleInContainer) DebugDERPRegion(region string) (*ipnstate.DebugDERPRegionReport, error) {
 	if !util.TailscaleVersionNewerOrEqual("1.34", t.version) {
 		panic("tsic.DebugDERPRegion() called with unsupported version: " + t.version)
 	}
 	command := []string{
 		"tailscale",
 		"debug",
 		"derp",
 		region,
 	}
 	result, stderr, err := t.Execute(command)
 	if err != nil {
 		fmt.Printf("stderr: %s\n", stderr) // nolint
 		return nil, fmt.Errorf("failed to execute tailscale debug derp command: %w", err)
 	}
 	var report ipnstate.DebugDERPRegionReport
 	err = json.Unmarshal([]byte(result), &report)
 	if err != nil {
 		return nil, fmt.Errorf("failed to unmarshal tailscale derp region report: %w", err)
 	}
 	return &report, err
 }
 // Netcheck returns the current Netcheck Report (netcheck.Report) of the Tailscale instance.
 func (t *TailscaleInContainer) Netcheck() (*netcheck.Report, error) {
 	command := []string{
Author	SHA1	Message	Date
Kristoffer Dalby	21e8f87845	Merge `633297915a` into `6275399327`	2024-11-19 09:22:35 +00:00
Kristoffer Dalby	633297915a	only set username and email if valid Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-11-19 10:22:26 +01:00
Kristoffer Dalby	4ba319a0d3	ensure provider id is found out of order Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-11-19 09:50:53 +01:00
Kristoffer Dalby	b2ab5ac1ad	resolve user identifier to stable ID currently, the policy approach node to user matching with a quite naive approach looking at the username provided in the policy and matched it with the username on the nodes. This worked ok as long as usernames were unique and did not change. As usernames are no longer guarenteed to be unique in an OIDC environment we cant rely on this. This changes the mechanism that matches the user string (now user token) with nodes: - first find all potential users by looking up: - database ID - provider ID (OIDC) - username/email If more than one user is matching, then the query is rejected, and zero matching nodes are returned. When a single user is found, the node is matched against the User database ID, which are also present on the actual node. This means that from this commit, users can use the following to identify users in the policy: - provider identity (iss + sub) - username - email - database id There are more changes coming to this, so it is not recommended to start using any of these new abilities, with the exception of email, which will not change since it includes an @. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-11-19 09:50:53 +01:00