
ipn: rename CapTailnetLockAlpha -> CapTailnetLock

Updates tailscale/corp#8568
Signed-off-by: Tom DNetto <[email protected]>
Tom DNetto 2 years ago
parent
commit
2bbedd2001
4 changed files with 16 additions and 45 deletions
  1. 1 1
      ipn/ipnlocal/local.go
  2. 4 15
      ipn/ipnlocal/network-lock.go
  3. 7 23
      ipn/ipnlocal/network-lock_test.go
  4. 4 6
      tailcfg/tailcfg.go

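--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -1013,7 +1013,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 
 	// Perform all reconfiguration based on the netmap here.
 	if st.NetMap != nil {
-		b.capTailnetLock = hasCapability(st.NetMap, tailcfg.CapabilityTailnetLockAlpha)
+		b.capTailnetLock = hasCapability(st.NetMap, tailcfg.CapabilityTailnetLock)
 
 		b.mu.Unlock() // respect locking rules for tkaSyncIfNeeded
 		if err := b.tkaSyncIfNeeded(st.NetMap, prefs.View()); err != nil {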

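--- a/ipn/ipnlocal/network-lock.go
+++ b/ipn/ipnlocal/network-lock.go
@@ -20,7 +20,6 @@ import (
 	"path/filepath"
 	"time"
 
-	"tailscale.com/envknob"
 	"tailscale.com/health"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
@@ -53,20 +52,12 @@ type tkaState struct {
 	filtered  []ipnstate.TKAFilteredPeer
 }
 
-// permitTKAInitLocked returns true if tailnet lock initialization may
-// occur.
-// b.mu must be held.
-func (b *LocalBackend) permitTKAInitLocked() bool {
-	return envknob.UseWIPCode() || b.capTailnetLock
-}
-
 // tkaFilterNetmapLocked checks the signatures on each node key, dropping
 // nodes from the netmap whose signature does not verify.
 //
 // b.mu must be held.
 func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
-	// TODO(tom): Remove this guard for 1.35 and later.
-	if b.tka == nil && !b.permitTKAInitLocked() {
+	if b.tka == nil && !b.capTailnetLock {
 		health.SetTKAHealth(nil)
 		return
 	}
@@ -153,8 +144,7 @@ func (b *LocalBackend) tkaSyncIfNeeded(nm *netmap.NetworkMap, prefs ipn.PrefsVie
 	b.mu.Lock() // take mu to protect access to synchronized fields.
 	defer b.mu.Unlock()
 
-	// TODO(tom): Remove this guard for 1.35 and later.
-	if b.tka == nil && !b.permitTKAInitLocked() {
+	if b.tka == nil && !b.capTailnetLock {
 		return nil
 	}
 
@@ -483,10 +473,9 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key, disablementValues [][]byt
 	var nlPriv key.NLPrivate
 	b.mu.Lock()
 
-	// TODO(tom): Remove this guard for 1.35 and later.
-	if !b.permitTKAInitLocked() {
+	if !b.capTailnetLock {
 		b.mu.Unlock()
-		return errors.New("this feature is not yet complete, a later release may support this functionality")
+		return errors.New("not permitted to enable tailnet lock")
 	}
 
 	if p := b.pm.CurrentPrefs(); p.Valid() && p.Persist().Valid() && !p.Persist().PrivateNodeKey().IsZero() {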
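Review bot: The gate at the top of tkaFilterNetmapLocked and tkaSyncIfNeeded now rests entirely on b.capTailnetLock, a value setClientStatus refreshes from every netmap, and nothing in the hunk says why the capability only matters while b.tka is nil. That asymmetry is the security-relevant part of the check: once TKA has been initialized, a later netmap that no longer carries the capability must not switch signature filtering off, and it is the `b.tka == nil &&` half of the condition that appears to guarantee this. A comment above each check would stop the next maintainer from "simplifying" it to a bare capability test: `// The capability only gates initialization; once b.tka is set, filtering must keep running even if control stops granting the cap.` Both functions' bodies continue outside the hunk, so whether anything else re-reads the capability after initialization cannot be confirmed from here.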

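--- a/ipn/ipnlocal/network-lock_test.go
+++ b/ipn/ipnlocal/network-lock_test.go
@@ -17,7 +17,6 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"tailscale.com/control/controlclient"
-	"tailscale.com/envknob"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/mem"
@@ -66,8 +65,6 @@ func fakeNoiseServer(t *testing.T, handler http.HandlerFunc) (*httptest.Server,
 }
 
 func TestTKAEnablementFlow(t *testing.T) {
-	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
-	defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
 	nodePriv := key.NewNode()
 
 	// Make a fake TKA authority, getting a usable genesis AUM which
@@ -150,12 +147,13 @@ func TestTKAEnablementFlow(t *testing.T) {
 		},
 	}).View()))
 	b := LocalBackend{
-		varRoot: temp,
-		cc:      cc,
-		ccAuto:  cc,
-		logf:    t.Logf,
-		pm:      pm,
-		store:   pm.Store(),
+		capTailnetLock: true,
+		varRoot:        temp,
+		cc:             cc,
+		ccAuto:         cc,
+		logf:           t.Logf,
+		pm:             pm,
+		store:          pm.Store(),
 	}
 
 	err = b.tkaSyncIfNeeded(&netmap.NetworkMap{
@@ -174,8 +172,6 @@ func TestTKAEnablementFlow(t *testing.T) {
 }
 
 func TestTKADisablementFlow(t *testing.T) {
-	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
-	defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
 	nodePriv := key.NewNode()
 
 	// Make a fake TKA authority, to seed local state.
@@ -297,9 +293,6 @@ func TestTKADisablementFlow(t *testing.T) {
 }
 
 func TestTKASync(t *testing.T) {
-	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
-	defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
-
 	someKeyPriv := key.NewNLPrivate()
 	someKey := tka.Key{Kind: tka.Key25519, Public: someKeyPriv.Public().Verifier(), Votes: 1}
 
@@ -538,9 +531,6 @@ func TestTKASync(t *testing.T) {
 }
 
 func TestTKAFilterNetmap(t *testing.T) {
-	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
-	defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
-
 	nlPriv := key.NewNLPrivate()
 	nlKey := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
 	storage := &tka.Mem{}
@@ -597,8 +587,6 @@ func TestTKAFilterNetmap(t *testing.T) {
 }
 
 func TestTKADisable(t *testing.T) {
-	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
-	defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
 	nodePriv := key.NewNode()
 
 	// Make a fake TKA authority, to seed local state.
@@ -692,8 +680,6 @@ func TestTKADisable(t *testing.T) {
 }
 
 func TestTKASign(t *testing.T) {
-	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
-	defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
 	nodePriv := key.NewNode()
 	toSign := key.NewNode()
 	nlPriv := key.NewNLPrivate()
@@ -780,8 +766,6 @@ func TestTKASign(t *testing.T) {
 }
 
 func TestTKAForceDisable(t *testing.T) {
-	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
-	defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
 	nodePriv := key.NewNode()
 
 	// Make a fake TKA authority, to seed local state.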
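Review bot: With the TAILSCALE_USE_WIP_CODE bypass removed, the only coverage of the new gate in this file is the positive path: the LocalBackend literal in TestTKAEnablementFlow sets `capTailnetLock: true`, and no test constructs a backend with the capability absent and asserts that NetworkLockInit returns the `not permitted to enable tailnet lock` error. That check is now the sole thing preventing a node from initializing tailnet lock when control has not granted CapabilityTailnetLock, so a short negative test (a LocalBackend with capTailnetLock left false, a call to NetworkLockInit, and a t.Fatal if err is nil) would pin the refusal and catch a future regression that drops the guard. NetworkLockInit's full signature is outside this section, so the exact arguments to pass cannot be read from here; the other test bodies shown are also only partially visible.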

+ 4 - 6
tailcfg/tailcfg.go

@@ -100,7 +100,8 @@ type CapabilityVersion int
 //   - 61: 2023-04-18: Client understand SSHAction.SSHRecorderFailureAction
 //   - 61: 2023-04-18: Client understand SSHAction.SSHRecorderFailureAction
 //   - 62: 2023-05-05: Client can notify control over noise for SSHEventNotificationRequest recording failure events
 //   - 62: 2023-05-05: Client can notify control over noise for SSHEventNotificationRequest recording failure events
 //   - 63: 2023-06-08: Client understands SSHAction.AllowRemotePortForwarding.
 //   - 63: 2023-06-08: Client understands SSHAction.AllowRemotePortForwarding.
-const CurrentCapabilityVersion CapabilityVersion = 63
+//   - 64: 2023-07-11: Client understands s/CapabilityTailnetLockAlpha/CapabilityTailnetLock
+const CurrentCapabilityVersion CapabilityVersion = 64
 
 
 type StableID string
 type StableID string
 
 
@@ -1850,11 +1851,8 @@ const (
 	// of connections to the default network interface on Darwin nodes.
 	// of connections to the default network interface on Darwin nodes.
 	CapabilityDebugDisableBindConnToInterface = "https://tailscale.com/cap/debug-disable-bind-conn-to-interface"
 	CapabilityDebugDisableBindConnToInterface = "https://tailscale.com/cap/debug-disable-bind-conn-to-interface"
 
 
-	// CapabilityTailnetLockAlpha indicates the node is in the tailnet lock alpha,
-	// and initialization of tailnet lock may proceed.
-	//
-	// TODO(tom): Remove this for 1.35 and later.
-	CapabilityTailnetLockAlpha = "https://tailscale.com/cap/tailnet-lock-alpha"
+	// CapabilityTailnetLock indicates the node may initialize tailnet lock.
+	CapabilityTailnetLock = "https://tailscale.com/cap/tailnet-lock"
 
 
 	// Inter-node capabilities as specified in the MapResponse.PacketFilter[].CapGrants.
 	// Inter-node capabilities as specified in the MapResponse.PacketFilter[].CapGrants.