tailcfg: rename and retype ServiceHost capability (#14380)

* tailcfg: rename and retype ServiceHost capability, add value type

Updates tailscale/corp#22743.

In #14046, this was accidentally made a PeerCapability when it
should have been NodeCapability. Also, renaming it to use the
nomenclature that we decided on after #14046 went up, and adding
the type of the value that will be passed down in the RawMessage
for this capability.

This shouldn't break anything, since no one was using this string or
variable yet.

Signed-off-by: Naman Sood <mail@nsood.in>
Naman Sood 2024-12-20 15:57:46 -05:00 committed by GitHub
parent 256da8dfb5
commit 887472312d
GPG Key ID: B5690EEEBB952194

@ -1453,11 +1453,6 @@ type CapGrant struct {
// user groups as Kubernetes user groups. This capability is read by
// peers that are Tailscale Kubernetes operator instances.
PeerCapabilityKubernetes PeerCapability = "tailscale.com/cap/kubernetes"
// PeerCapabilityServicesDestination grants a peer the ability to serve as
// a destination for a set of given VIP services, which is provided as the
// value of this key in NodeCapMap.
PeerCapabilityServicesDestination PeerCapability = "tailscale.com/cap/services-destination"
)
// NodeCapMap is a map of capabilities to their optional values. It is valid for
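Review bot: Dropping PeerCapabilityServicesDestination with no alias is safe only if the string "tailscale.com/cap/services-destination" was never emitted by a control server or matched anywhere in the tree; the commit message says nothing used it yet, but a grep for both the identifier and the literal is worth confirming before merge. The removed comment itself documents the mismatch being fixed here: it says the value lives "in NodeCapMap" while the constant was typed PeerCapability, which is the wrong namespace for a per-node grant.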
@ -2401,6 +2396,15 @@ type Oauth2Token struct {
// NodeAttrSSHEnvironmentVariables enables logic for handling environment variables sent
// via SendEnv in the SSH server and applying them to the SSH session.
NodeAttrSSHEnvironmentVariables NodeCapability = "ssh-env-vars"
// NodeAttrServiceHost indicates the VIP Services for which the client is
// approved to act as a service host, and which IP addresses are assigned
// to those VIP Services. Any VIP Services that the client is not
// advertising can be ignored.
// Each value of this key in [NodeCapMap] is of type [ServiceIPMappings].
// If multiple values of this key exist, they should be merged in sequence
// (replace conflicting keys).
NodeAttrServiceHost NodeCapability = "service-host"
)
// SetDNSRequest is a request to add a DNS record.
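Review bot: The merge rule in the NodeAttrServiceHost comment, "merged in sequence (replace conflicting keys)", is ambiguous about granularity and precedence: it could mean a later value's address list replaces the whole list for the same service name, or that individual addresses are replaced. Since the doc comment is the only place this contract is stated, suggest making it explicit, for example "later values replace earlier entries for the same service name; address lists are not unioned", so client and control implementations cannot diverge. The unprefixed value "service-host" is consistent with the neighbouring NodeAttr constants such as "ssh-env-vars".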
@ -2883,3 +2887,21 @@ type EarlyNoise struct {
// For some request types, the header may have multiple values. (e.g. OldNodeKey
// vs NodeKey)
const LBHeader = "Ts-Lb"
// ServiceIPMappings maps service names (strings that conform to
// [CheckServiceName]) to lists of IP addresses. This is used as the value of
// the [NodeAttrServiceHost] capability, to inform service hosts what IP
// addresses they need to listen on for each service that they are advertising.
//
// This is of the form:
//
// {
// "svc:samba": ["100.65.32.1", "fd7a:115c:a1e0::1234"],
// "svc:web": ["100.102.42.3", "fd7a:115c:a1e0::abcd"],
// }
//
// where the IP addresses are the IPs of the VIP services. These IPs are also
// provided in AllowedIPs, but this lets the client know which services
// correspond to those IPs. Any services that don't correspond to a service
// this client is hosting can be ignored.
type ServiceIPMappings map[string][]netip.Addr
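Review bot: The comment states that keys conform to [CheckServiceName], but map[string][]netip.Addr enforces nothing at decode time, so a consumer that unmarshals the RawMessage must validate each key with CheckServiceName itself; suggest saying so in the comment (the address side is covered, since netip.Addr rejects malformed text during unmarshalling). The example object in the comment also carries a trailing comma after the "svc:web" entry, which is not valid JSON; drop it so the example can be pasted as-is. Please confirm net/netip is already imported in this file.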