Replace jira.cfops.it with jira.cfdata.org in connection/http2_test.go

TUN-9863: Update pipelines to use cloudflared EV Certificate
TUN-9800: Migrate apt internal builds to Gitlab
2025-11-21 05:33:09 +00:00 · 2025-11-19 18:05:33 +00:00 · 2025-11-10 14:43:10 +00:00 · 2025-11-07 16:30:58 +00:00 · 2025-11-07 15:26:22 +00:00 · 2025-11-07 08:15:20 +00:00
580 changed files with 33828 additions and 17552 deletions
--- a/.ci/apt-internal.gitlab-ci.yml
+++ b/.ci/apt-internal.gitlab-ci.yml
@ -0,0 +1,151 @@
+.register_inputs: &register_inputs
+  stage: release-internal
+  runOnBranches: "^master$"
+  COMPONENT: "common"
+
+.register_inputs_stable_bookworm: &register_inputs_stable_bookworm
+  <<: *register_inputs
+  runOnChangesTo: ['RELEASE_NOTES']
+  FLAVOR: "bookworm"
+  SERIES: "stable"
+
+.register_inputs_stable_trixie: &register_inputs_stable_trixie
+  <<: *register_inputs
+  runOnChangesTo: ['RELEASE_NOTES']
+  FLAVOR: "trixie"
+  SERIES: "stable"
+
+.register_inputs_next_bookworm: &register_inputs_next_bookworm
+  <<: *register_inputs
+  FLAVOR: "bookworm"
+  SERIES: next
+
+.register_inputs_next_trixie: &register_inputs_next_trixie
+  <<: *register_inputs
+  FLAVOR: "trixie"
+  SERIES: next
+
+################################################
+### Generate Debian Package for Internal APT ###
+################################################
+.cloudflared-apt-build: &cloudflared_apt_build
+  stage: package
+  needs:
+    - ci-image-get-image-ref
+    - linux-packaging # For consistency, we only run this job after we knew we could build the packages for external delivery
+  image: $BUILD_IMAGE
+  cache: {}
+  script:
+    - make cloudflared-deb
+  artifacts:
+    paths:
+      - cloudflared*.deb
+
+##############
+### Stable ###
+##############
+cloudflared-amd64-stable:
+  <<: *cloudflared_apt_build
+  rules:
+    - !reference [.default-rules, run-on-release]
+  variables: &amd64-stable-vars
+    GOOS: linux
+    GOARCH: amd64
+    FIPS: true
+    ORIGINAL_NAME: true
+    CGO_ENABLED: 1
+
+cloudflared-arm64-stable:
+  <<: *cloudflared_apt_build
+  rules:
+    - !reference [.default-rules, run-on-release]
+  variables: &arm64-stable-vars
+    GOOS: linux
+    GOARCH: arm64
+    FIPS: false # TUN-7595
+    ORIGINAL_NAME: true
+    CGO_ENABLED: 1
+
+############
+### Next ###
+############
+cloudflared-amd64-next:
+  <<: *cloudflared_apt_build
+  rules:
+    - !reference [.default-rules, run-on-master]
+  variables:
+    <<: *amd64-stable-vars
+    NIGHTLY: true
+
+cloudflared-arm64-next:
+  <<: *cloudflared_apt_build
+  rules:
+    - !reference [.default-rules, run-on-master]
+  variables:
+    <<: *arm64-stable-vars
+    NIGHTLY: true
+
+include:
+  - local: .ci/commons.gitlab-ci.yml
+
+  ##########################################
+  ### Publish Packages to Internal Repos ###
+  ##########################################
+  # Bookworm AMD64
+  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
+    inputs:
+      <<: *register_inputs_stable_bookworm
+      jobPrefix: cloudflared-bookworm-amd64
+      needs: &amd64-stable ["cloudflared-amd64-stable"]
+
+  # Bookworm ARM64
+  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
+    inputs:
+      <<: *register_inputs_stable_bookworm
+      jobPrefix: cloudflared-bookworm-arm64
+      needs: &arm64-stable ["cloudflared-arm64-stable"]
+
+  # Trixie AMD64
+  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
+    inputs:
+      <<: *register_inputs_stable_trixie
+      jobPrefix: cloudflared-trixie-amd64
+      needs: *amd64-stable
+
+  # Trixie ARM64
+  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
+    inputs:
+      <<: *register_inputs_stable_trixie
+      jobPrefix: cloudflared-trixie-arm64
+      needs: *arm64-stable
+
+  ##################################################
+  ### Publish Nightly Packages to Internal Repos ###
+  ##################################################
+  # Bookworm AMD64
+  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
+    inputs:
+      <<: *register_inputs_next_bookworm
+      jobPrefix: cloudflared-nightly-bookworm-amd64
+      needs: &amd64-next ['cloudflared-amd64-next']
+
+  # Bookworm ARM64
+  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
+    inputs:
+      <<: *register_inputs_next_bookworm
+      jobPrefix: cloudflared-nightly-bookworm-arm64
+      needs: &arm64-next ['cloudflared-arm64-next']
+
+  # Trixie AMD64
+  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
+    inputs:
+      <<: *register_inputs_next_trixie
+      jobPrefix: cloudflared-nightly-trixie-amd64
+      needs: *amd64-next
+
+  # Trixie ARM64
+  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
+    inputs:
+      <<: *register_inputs_next_trixie
+      jobPrefix: cloudflared-nightly-trixie-arm64
+      needs: *arm64-next
--- a/.ci/ci-image.gitlab-ci.yml
+++ b/.ci/ci-image.gitlab-ci.yml
@ -0,0 +1,31 @@
+# Builds a custom CI Image when necessary
+
+include:
+  #####################################################
+  ############## Build and Push CI Image ##############
+  #####################################################
+  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
+    inputs:
+      stage: pre-build
+      jobPrefix: ci-image
+      runOnChangesTo: [".ci/image/**"]
+      runOnMR: true
+      runOnBranches: '^master$'
+      commentImageRefs: false
+      runner: vm-linux-x86-4cpu-8gb
+      EXTRA_DIB_ARGS: "--manifest=.ci/image/.docker-images"
+
+  #####################################################
+  ## Resolve the image reference for downstream jobs ##
+  #####################################################
+  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/get-image-ref@~latest
+    inputs:
+      stage: pre-build
+      jobPrefix: ci-image
+      runOnMR: true
+      runOnBranches: '^master$'
+      IMAGE_PATH: "$REGISTRY_HOST/stash/tun/cloudflared/ci-image/master"
+      VARIABLE_NAME: BUILD_IMAGE
+      needs:
+        - job: ci-image-build-push-image
+          optional: true
--- a/.ci/commons.gitlab-ci.yml
+++ b/.ci/commons.gitlab-ci.yml
@ -0,0 +1,45 @@
+## A set of predefined rules to use on the different jobs
+.default-rules:
+  # Rules to run the job only on the master branch
+  run-on-master:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      when: on_success
+    - when: never
+  # Rules to run the job only on merge requests
+  run-on-mr:
+    - if: $CI_COMMIT_TAG
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+      when: on_success
+    - when: never
+  # Rules to run the job on merge_requests and master branch
+  run-always:
+    - if: $CI_COMMIT_TAG
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH != null && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      when: on_success
+    - when: never
+  # Rules to run the job only when a release happens
+  run-on-release:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      changes:
+          - 'RELEASE_NOTES'
+      when: on_success
+    - when: never
+
+.component-tests:
+  image: $BUILD_IMAGE
+  rules:
+    - !reference [.default-rules, run-always]
+  variables:
+    COMPONENT_TESTS_CONFIG: component-test-config.yaml
+    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiBjbG91ZGZsYXJlZC5leGUKY3JlZGVudGlhbHNfZmlsZTogY3JlZC5qc29uCm9yaWdpbmNlcnQ6IGNlcnQucGVtCnpvbmVfZG9tYWluOiBhcmdvdHVubmVsdGVzdC5jb20Kem9uZV90YWc6IDQ4Nzk2ZjFlNzBiYjc2NjljMjliYjUxYmEyODJiZjY1
+  secrets:
+    DNS_API_TOKEN:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/component_tests_token/data@kv
+      file: false
+    COMPONENT_TESTS_ORIGINCERT:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/component_tests_cert_pem/data@kv
+      file: false
+  cache: {}
--- a/.ci/github.gitlab-ci.yml
+++ b/.ci/github.gitlab-ci.yml
@ -0,0 +1,17 @@
+include:
+  - local: .ci/commons.gitlab-ci.yml
+
+######################################
+### Sync master branch with Github ###
+######################################
+push-github:
+  stage: sync
+  rules:
+    - !reference [.default-rules, run-on-master]
+  script:
+    - ./.ci/scripts/github-push.sh
+  secrets:
+    CLOUDFLARED_DEPLOY_SSH_KEY:
+      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cloudflared_github_ssh/data@kv
+      file: false
+  cache: {}
--- a/.ci/image/.docker-images
+++ b/.ci/image/.docker-images
@ -0,0 +1,2 @@
+images:
+  - name: ci-image
--- a/.ci/image/Dockerfile
+++ b/.ci/image/Dockerfile
@ -0,0 +1,35 @@
+ARG CLOUDFLARE_DOCKER_REGISTRY_HOST
+
+FROM ${CLOUDFLARE_DOCKER_REGISTRY_HOST:-registry.cfdata.org}/stash/cf/debian-images/bookworm/main:2025.7.0@sha256:6350da2f7e728dae2c1420f6dafc38e23cacc0b399d3d5b2f40fe48d9c8ff1ca
+
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    apt-get install --no-install-recommends --allow-downgrades -y \
+        build-essential \
+        git \
+        go-boring=1.24.9-1 \
+        libffi-dev \
+        procps \
+        python3-dev \
+        python3-pip \
+        python3-setuptools \
+        python3-venv \
+        # libmsi and libgcab are libraries the wixl binary depends on.
+        libmsi-dev \
+        libgcab-dev \
+        # deb and rpm build tools
+        rubygem-fpm \
+        rpm \
+        # create deb and rpm repository files
+        reprepro \
+        createrepo-c \
+        # gcc for cross architecture compilation in arm
+        gcc-aarch64-linux-gnu \
+        libc6-dev-arm64-cross && \
+    rm -rf /var/lib/apt/lists/* && \
+    # Install wixl
+    curl -o /usr/local/bin/wixl -L https://pkg.cloudflare.com/binaries/wixl && \
+    chmod a+x /usr/local/bin/wixl && \
+    mkdir -p opt
+
+WORKDIR /opt
--- a/.ci/linux.gitlab-ci.yml
+++ b/.ci/linux.gitlab-ci.yml
@ -0,0 +1,122 @@
+.golang-inputs: &golang_inputs
+  runOnMR: true
+  runOnBranches: '^master$'
+  outputDir: artifacts
+  runner: linux-x86-8cpu-16gb
+  stage: build
+  golangVersion: "boring-1.24"
+  imageVersion: "3371-f5539bd6f83d@sha256:a2a68f580070f9411d0d3155959ed63b700ef319b5fcc62db340e92227bbc628"
+  CGO_ENABLED: 1
+
+.default-packaging-job: &packaging-job-defaults
+  stage: package
+  needs:
+    - ci-image-get-image-ref
+  rules:
+    - !reference [.default-rules, run-on-master]
+  image: $BUILD_IMAGE
+  cache: {}
+  artifacts:
+    paths:
+      - artifacts/*
+
+include:
+  ###################
+  ### Linux Build ###
+  ###################
+  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
+    inputs:
+      <<: *golang_inputs
+      jobPrefix: linux-build
+      GOLANG_MAKE_TARGET: ci-build
+
+  ########################
+  ### Linux FIPS Build ###
+  ########################
+  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
+    inputs:
+      <<: *golang_inputs
+      jobPrefix: linux-fips-build
+      GOLANG_MAKE_TARGET: ci-fips-build
+
+  #################
+  ### Unit Tests ##
+  #################
+  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
+    inputs:
+      <<: *golang_inputs
+      stage: test
+      jobPrefix: test
+      GOLANG_MAKE_TARGET: ci-test
+
+  ######################
+  ### Unit Tests FIPS ##
+  ######################
+  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
+    inputs:
+      <<: *golang_inputs
+      stage: test
+      jobPrefix: test-fips
+      GOLANG_MAKE_TARGET: ci-fips-test
+
+  #################
+  ### Vuln Check ##
+  #################
+  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
+    inputs:
+      <<: *golang_inputs
+      runOnBranches: '^$'
+      stage: validate
+      jobPrefix: vulncheck
+      GOLANG_MAKE_TARGET: vulncheck
+
+#################################
+### Run Linux Component Tests ###
+#################################
+linux-component-tests: &linux-component-tests
+  stage: test
+  extends: .component-tests
+  needs:
+    - ci-image-get-image-ref
+    - linux-build-boring-make
+  script:
+    - ./.ci/scripts/component-tests.sh
+  variables: &component-tests-variables
+    CI: 1
+    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkCmNyZWRlbnRpYWxzX2ZpbGU6IGNyZWQuanNvbgpvcmlnaW5jZXJ0OiBjZXJ0LnBlbQp6b25lX2RvbWFpbjogYXJnb3R1bm5lbHRlc3QuY29tCnpvbmVfdGFnOiA0ODc5NmYxZTcwYmI3NjY5YzI5YmI1MWJhMjgyYmY2NQ==
+  tags:
+    - linux-x86-8cpu-16gb
+  artifacts:
+    reports:
+      junit: report.xml
+
+######################################
+### Run Linux FIPS Component Tests ###
+######################################
+linux-component-tests-fips:
+  <<: *linux-component-tests
+  needs:
+    - ci-image-get-image-ref
+    - linux-fips-build-boring-make
+  variables:
+    <<: *component-tests-variables
+    COMPONENT_TESTS_FIPS: 1
+
+################################
+####### Linux Packaging ########
+################################
+linux-packaging:
+  <<: *packaging-job-defaults
+  parallel:
+    matrix:
+      - ARCH: ["386", "amd64", "arm", "armhf", "arm64"]
+  script:
+    - ./.ci/scripts/linux/build-packages.sh ${ARCH}
+
+################################
+##### Linux FIPS Packaging #####
+################################
+linux-packaging-fips:
+  <<: *packaging-job-defaults
+  script:
+    - ./.ci/scripts/linux/build-packages-fips.sh
--- a/.ci/mac.gitlab-ci.yml
+++ b/.ci/mac.gitlab-ci.yml
@ -0,0 +1,66 @@
+include:
+  - local: .ci/commons.gitlab-ci.yml
+
+###############################
+### Defaults for Mac Builds ###
+###############################
+.mac-build-defaults: &mac-build-defaults
+  rules:
+    - !reference [.default-rules, run-on-mr]
+  tags:
+    - "macstadium-${RUNNER_ARCH}"
+  parallel:
+    matrix:
+      - RUNNER_ARCH: [arm, intel]
+  cache: {}
+
+######################################
+### Build Cloudflared Mac Binaries ###
+######################################
+macos-build-cloudflared: &mac-build
+  <<: *mac-build-defaults
+  stage: build
+  artifacts:
+    paths:
+      - artifacts/*
+  script:
+    - '[ "${RUNNER_ARCH}" = "arm" ] && export TARGET_ARCH=arm64'
+    - '[ "${RUNNER_ARCH}" = "intel" ] && export TARGET_ARCH=amd64'
+    - ARCH=$(uname -m)
+    - echo ARCH=$ARCH - TARGET_ARCH=$TARGET_ARCH
+    - ./.ci/scripts/mac/install-go.sh
+    - BUILD_SCRIPT=.ci/scripts/mac/build.sh
+    - if [[ ! -x ${BUILD_SCRIPT} ]] ; then exit ; fi
+    - set -euo pipefail
+    - echo "Executing ${BUILD_SCRIPT}"
+    - exec ${BUILD_SCRIPT}
+
+###############################################
+### Build and Sign Cloudflared Mac Binaries ###
+###############################################
+macos-build-and-sign-cloudflared:
+  <<: *mac-build
+  rules:
+    - !reference [.default-rules, run-on-master]
+  secrets:
+    APPLE_DEV_CA_CERT:
+      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/apple_dev_ca_cert_v2/data@kv
+      file: false
+    CFD_CODE_SIGN_CERT:
+      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_cert_v2/data@kv
+      file: false
+    CFD_CODE_SIGN_KEY:
+      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_key_v2/data@kv
+      file: false
+    CFD_CODE_SIGN_PASS:
+      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_pass_v2/data@kv
+      file: false
+    CFD_INSTALLER_CERT:
+      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_cert_v2/data@kv
+      file: false
+    CFD_INSTALLER_KEY:
+      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_key_v2/data@kv
+      file: false
+    CFD_INSTALLER_PASS:
+      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_pass_v2/data@kv
+      file: false
--- a/.ci/release.gitlab-ci.yml
+++ b/.ci/release.gitlab-ci.yml
@ -0,0 +1,133 @@
+include:
+  - local: .ci/commons.gitlab-ci.yml
+
+  ######################################
+  ### Build and Push DockerHub Image ###
+  ######################################
+  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
+    inputs:
+      stage: release
+      jobPrefix: docker-hub
+      runOnMR: false
+      runOnBranches: '^master$'
+      runOnChangesTo: ['RELEASE_NOTES']
+      needs:
+        - generate-version-file
+        - release-cloudflared-to-r2
+      commentImageRefs: false
+      runner: vm-linux-x86-4cpu-8gb
+      # Based on if the CI reference is protected or not the CI component will
+      # either use _BRANCH or _PROD, therefore, to prevent the pipelines from failing
+      # we simply set both to the same value.
+      DOCKER_USER_BRANCH: &docker-hub-user svcgithubdockerhubcloudflar045
+      DOCKER_PASSWORD_BRANCH: &docker-hub-password gitlab/cloudflare/tun/cloudflared/_dev/dockerhub/svc_password/data
+      DOCKER_USER_PROD: *docker-hub-user
+      DOCKER_PASSWORD_PROD: *docker-hub-password
+      EXTRA_DIB_ARGS: --overwrite
+
+.default-release-job: &release-job-defaults
+  stage: release
+  image: $BUILD_IMAGE
+  cache:
+    paths:
+      - .cache/pip
+  variables: &release-job-variables
+    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
+    # KV Vars
+    KV_NAMESPACE: 380e19aa04314648949b6ad841417ebe
+    KV_ACCOUNT: &cf-account 5ab4e9dfbd435d24068829fda0077963
+    # R2 Vars
+    R2_BUCKET: cloudflared-pkgs
+    R2_ACCOUNT_ID: *cf-account
+    # APT and RPM Repository Vars
+    GPG_PUBLIC_KEY_URL: "https://pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
+    PKG_URL: "https://pkg.cloudflare.com/cloudflared"
+    BINARY_NAME: cloudflared
+  secrets:
+    KV_API_TOKEN:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_kv_api_token/data@kv
+      file: false
+    API_KEY:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
+      file: false
+    R2_CLIENT_ID:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_id@kv
+      file: false
+    R2_CLIENT_SECRET:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_secret@kv
+      file: false
+    LINUX_SIGNING_PUBLIC_KEY:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/public_key@kv
+      file: false
+    LINUX_SIGNING_PRIVATE_KEY:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/private_key@kv
+      file: false
+    LINUX_SIGNING_PUBLIC_KEY_2:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/public_key@kv
+      file: false
+    LINUX_SIGNING_PRIVATE_KEY_2:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/private_key@kv
+      file: false
+
+###########################################
+### Push Cloudflared Binaries to Github ###
+###########################################
+release-cloudflared-to-github:
+  <<: *release-job-defaults
+  rules:
+    - !reference [.default-rules, run-on-release]
+  needs:
+    - ci-image-get-image-ref
+    - linux-packaging
+    - linux-packaging-fips
+    - macos-build-and-sign-cloudflared
+    - windows-package-sign
+  script:
+    - ./.ci/scripts/release-target.sh github-release
+
+#########################################
+### Upload Cloudflared Binaries to R2 ###
+#########################################
+release-cloudflared-to-r2:
+  <<: *release-job-defaults
+  rules:
+    - !reference [.default-rules, run-on-release]
+  needs:
+    - ci-image-get-image-ref
+    - linux-packaging # We only release non-FIPS binaries to R2
+    - release-cloudflared-to-github
+  script:
+    - ./.ci/scripts/release-target.sh r2-linux-release
+
+#################################################
+### Upload Cloudflared Nightly Binaries to R2 ###
+#################################################
+release-cloudflared-nightly-to-r2:
+  <<: *release-job-defaults
+  rules:
+    - !reference [.default-rules, run-on-master]
+  variables:
+    <<: *release-job-variables
+    R2_BUCKET: cloudflared-pkgs-next
+    GPG_PUBLIC_KEY_URL: "https://next.pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
+    PKG_URL: "https://next.pkg.cloudflare.com/cloudflared"
+  needs:
+    - ci-image-get-image-ref
+    - linux-packaging # We only release non-FIPS binaries to R2
+  script:
+    - ./.ci/scripts/release-target.sh r2-linux-release
+
+#############################
+### Generate Version File ###
+#############################
+generate-version-file:
+  <<: *release-job-defaults
+  rules:
+    - !reference [.default-rules, run-on-release]
+  needs:
+    - ci-image-get-image-ref
+  script:
+    - make generate-docker-version
+  artifacts:
+    paths:
+      - versions
--- a/.ci/scripts/component-tests.sh
+++ b/.ci/scripts/component-tests.sh
@ -0,0 +1,25 @@
+#!/bin/bash
+set -e -o pipefail
+
+# Fetch cloudflared from the artifacts folder
+mv ./artifacts/cloudflared ./cloudflared
+
+python3 -m venv env
+. env/bin/activate
+
+pip install --upgrade -r component-tests/requirements.txt
+
+# Creates and routes a Named Tunnel for this build. Also constructs
+# config file from env vars.
+python3 component-tests/setup.py --type create
+
+# Define the cleanup function
+cleanup() {
+    # The Named Tunnel is deleted and its route unprovisioned here.
+    python3 component-tests/setup.py --type cleanup
+}
+
+# The trap will call the cleanup function on script exit
+trap cleanup EXIT
+
+pytest component-tests -o log_cli=true --log-cli-level=INFO --junit-xml=report.xml
--- a/.ci/scripts/fmt-check.sh
+++ b/.ci/scripts/fmt-check.sh
@ -1,8 +1,7 @@
 #!/bin/bash
-
 set -e -o pipefail

-OUTPUT=$(goimports -l -d -local github.com/cloudflare/cloudflared $(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc))
+OUTPUT=$(go run -mod=readonly golang.org/x/tools/cmd/goimports@v0.30.0 -l -d -local github.com/cloudflare/cloudflared $(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc))

 if [ -n "$OUTPUT" ] ; then
  PAGER=$(which colordiff || echo cat)
--- a/.ci/scripts/github-push.sh
+++ b/.ci/scripts/github-push.sh
@ -0,0 +1,31 @@
+#!/bin/bash
+set -e -o pipefail
+
+BRANCH="master"
+TMP_PATH="$PWD/tmp"
+PRIVATE_KEY_PATH="$TMP_PATH/github-deploy-key"
+PUBLIC_KEY_GITHUB_PATH="$TMP_PATH/github.pub"
+
+mkdir -p $TMP_PATH
+
+# Setup Private Key
+echo "$CLOUDFLARED_DEPLOY_SSH_KEY" > $PRIVATE_KEY_PATH
+chmod 400 $PRIVATE_KEY_PATH
+
+# Download GitHub Public Key for KnownHostsFile
+ssh-keyscan -t ed25519 github.com > $PUBLIC_KEY_GITHUB_PATH
+
+# Setup git ssh command with the right configurations
+export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=$PUBLIC_KEY_GITHUB_PATH -o IdentitiesOnly=yes -i $PRIVATE_KEY_PATH"
+
+# Add GitHub as a new remote
+git remote add github git@github.com:cloudflare/cloudflared.git || true
+
+# GitLab doesn't pull branch references, instead it creates a new one on each pipeline.
+# Therefore, we need to manually fetch the reference to then push it to GitHub.
+git fetch origin $BRANCH:$BRANCH
+git push -u github $BRANCH
+
+if TAG="$(git describe --tags --exact-match 2>/dev/null)"; then
+  git push -u github "$TAG"
+fi
--- a/.ci/scripts/linux/build-packages-fips.sh
+++ b/.ci/scripts/linux/build-packages-fips.sh
--- a/.ci/scripts/linux/build-packages.sh
+++ b/.ci/scripts/linux/build-packages.sh
@ -0,0 +1,59 @@
+#!/bin/bash
+
+# Check if architecture argument is provided
+if [ $# -eq 0 ]; then
+    echo "Error: Architecture argument is required"
+    echo "Usage: $0 <architecture>"
+    exit 1
+fi
+
+# Parameters
+arch=$1
+
+# Get Version
+VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
+echo $VERSION
+
+# Disable FIPS module in go-boring
+export GOEXPERIMENT=noboringcrypto
+export CGO_ENABLED=0
+
+# This controls the directory the built artifacts go into
+export ARTIFACT_DIR=artifacts/
+mkdir -p $ARTIFACT_DIR
+
+export TARGET_OS=linux
+
+unset TARGET_ARM
+export TARGET_ARCH=$arch
+
+## Support for arm platforms without hardware FPU enabled
+if [[ $arch == arm ]] ; then
+    export TARGET_ARCH=arm
+    export TARGET_ARM=5
+fi
+
+## Support for armhf builds
+if [[ $arch == armhf ]] ; then
+    export TARGET_ARCH=arm
+    export TARGET_ARM=7
+fi
+
+make cloudflared-deb
+mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
+
+# rpm packages invert the - and _ and use x86_64 instead of amd64.
+RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
+RPMARCH=$arch
+if [ $arch == "amd64" ];then
+    RPMARCH="x86_64"
+fi
+if [ $arch == "arm64" ]; then
+    RPMARCH="aarch64"
+fi
+make cloudflared-rpm
+mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
+
+# finally move the linux binary as well.
+mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
+
--- a/.ci/scripts/mac/build.sh
+++ b/.ci/scripts/mac/build.sh
--- a/.ci/scripts/mac/install-go.sh
+++ b/.ci/scripts/mac/install-go.sh
--- a/.ci/scripts/package-windows.sh
+++ b/.ci/scripts/package-windows.sh
@ -1,19 +1,23 @@
+#!/bin/bash
+python3 -m venv env
+. env/bin/activate
+pip install pynacl==1.4.0 pygithub==1.55
+
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION

 export TARGET_OS=windows
 # This controls the directory the built artifacts go into
-export BUILT_ARTIFACT_DIR=built_artifacts/
+export BUILT_ARTIFACT_DIR=artifacts/
 export FINAL_ARTIFACT_DIR=artifacts/
 mkdir -p $BUILT_ARTIFACT_DIR
 mkdir -p $FINAL_ARTIFACT_DIR
 windowsArchs=("amd64" "386")
 for arch in ${windowsArchs[@]}; do
    export TARGET_ARCH=$arch
-    # Copy exe into final directory
+    # Copy .exe from artifacts directory
    cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe ./cloudflared.exe
    make cloudflared-msi
    # Copy msi into final directory
    mv cloudflared-$VERSION-$arch.msi $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.msi
-    cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.exe 
 done
--- a/.ci/scripts/release-target.sh
+++ b/.ci/scripts/release-target.sh
@ -0,0 +1,18 @@
+#!/bin/bash
+set -e -o pipefail
+
+# Check if a make target is provided as an argument
+if [ $# -eq 0 ]; then
+    echo "Error: Make target argument is required"
+    echo "Usage: $0 <make-target>"
+    exit 1
+fi
+
+MAKE_TARGET=$1
+
+python3 -m venv venv
+source venv/bin/activate
+
+# Our release scripts are written in python, so we should install their dependecies here.
+pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
+make $MAKE_TARGET
--- a/.ci/scripts/vuln-check.sh
+++ b/.ci/scripts/vuln-check.sh
@ -0,0 +1,52 @@
+#!/bin/bash
+set -e
+
+# Define the file to store the list of vulnerabilities to ignore.
+IGNORE_FILE=".vulnignore"
+
+# Check if the ignored vulnerabilities file exists. If not, create an empty one.
+if [ ! -f "$IGNORE_FILE" ]; then
+    touch "$IGNORE_FILE"
+    echo "Created an empty file to store ignored vulnerabilities: $IGNORE_FILE"
+    echo "# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line." >> "$IGNORE_FILE"
+    echo "# You can also add comments on the same line after the ID." >> "$IGNORE_FILE"
+    echo "" >> "$IGNORE_FILE"
+fi
+
+# Run govulncheck and capture its output.
+VULN_OUTPUT=$(go run -mod=readonly golang.org/x/vuln/cmd/govulncheck@latest ./... || true)
+
+# Print the govuln output
+echo "====================================="
+echo "Full Output of govulncheck:"
+echo "====================================="
+echo "$VULN_OUTPUT"
+echo "====================================="
+echo "End of govulncheck Output"
+echo "====================================="
+
+# Process the ignore file to remove comments and empty lines.
+# The 'cut' command gets the vulnerability ID and removes anything after the '#'.
+# The 'grep' command filters out empty lines and lines starting with '#'.
+CLEAN_IGNORES=$(grep -v '^\s*#' "$IGNORE_FILE" | cut -d'#' -f1 | sed 's/ //g' | sort -u || true)
+
+# Filter out the ignored vulnerabilities.
+UNIGNORED_VULNS=$(echo "$VULN_OUTPUT" | grep 'Vulnerability')
+
+# If the list of ignored vulnerabilities is not empty, filter them out.
+if [ -n "$CLEAN_IGNORES" ]; then
+    UNIGNORED_VULNS=$(echo "$UNIGNORED_VULNS" | grep -vFf <(echo "$CLEAN_IGNORES") || true)
+fi
+
+# If there are any vulnerabilities that were not in our ignore list, print them and exit with an error.
+if [ -n "$UNIGNORED_VULNS" ]; then
+    echo "🚨 Found new, unignored vulnerabilities:"
+    echo "-------------------------------------"
+    echo "$UNIGNORED_VULNS"
+    echo "-------------------------------------"
+    echo "Exiting with an error. ❌"
+    exit 1
+else
+    echo "🎉 No new vulnerabilities found. All clear! ✨"
+    exit 0
+fi
--- a/.ci/scripts/windows/builds.ps1
+++ b/.ci/scripts/windows/builds.ps1
@ -0,0 +1,29 @@
+Set-StrictMode -Version Latest
+$ErrorActionPreference = "Stop"
+$ProgressPreference = "SilentlyContinue"
+
+$env:TARGET_OS = "windows"
+$env:LOCAL_OS = "windows"
+$TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
+
+New-Item -Path ".\artifacts" -ItemType Directory
+
+Write-Output "Building for amd64"
+$env:TARGET_ARCH = "amd64"
+$env:LOCAL_ARCH = "amd64"
+$env:CGO_ENABLED = 1
+& make cloudflared
+if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
+# Sign build
+azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
+copy .\cloudflared.exe .\artifacts\cloudflared-windows-amd64.exe
+
+Write-Output "Building for 386"
+$env:TARGET_ARCH = "386"
+$env:LOCAL_ARCH = "386"
+$env:CGO_ENABLED = 0
+& make cloudflared
+if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
+## Sign build
+azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
+copy .\cloudflared.exe .\artifacts\cloudflared-windows-386.exe
--- a/.ci/scripts/windows/component-test.ps1
+++ b/.ci/scripts/windows/component-test.ps1
@ -0,0 +1,40 @@
+Set-StrictMode -Version Latest
+$ErrorActionPreference = "Stop"
+$ProgressPreference = "SilentlyContinue"
+
+$env:TARGET_OS = "windows"
+$env:LOCAL_OS = "windows"
+$env:TARGET_ARCH = "amd64"
+$env:LOCAL_ARCH = "amd64"
+$env:CGO_ENABLED = 1
+
+python --version
+python -m pip --version
+
+
+Write-Host "Building cloudflared"
+& make cloudflared
+if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
+
+
+Write-Host "Running unit tests"
+# Not testing with race detector because of https://github.com/golang/go/issues/61058
+# We already test it on other platforms
+go test -failfast -v -mod=vendor ./...
+if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
+
+
+# On Gitlab runners we need to add all of this addresses to the NO_PROXY list in order for the tests to run.
+$env:NO_PROXY = "pypi.org,files.pythonhosted.org,api.cloudflare.com,argotunneltest.com,argotunnel.com,trycloudflare.com,${env:NO_PROXY}"
+Write-Host "No Proxy: ${env:NO_PROXY}"
+Write-Host "Running component tests"
+try {
+    python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517
+    python component-tests/setup.py --type create
+    python -m pytest component-tests -o log_cli=true --log-cli-level=INFO --junit-xml=report.xml
+    if ($LASTEXITCODE -ne 0) {
+        throw "Failed component tests"
+    }
+} finally {
+    python component-tests/setup.py --type cleanup
+}
--- a/.ci/scripts/windows/go-wrapper.ps1
+++ b/.ci/scripts/windows/go-wrapper.ps1
@ -0,0 +1,69 @@
+Param(
+    [string]$GoVersion,
+    [string]$ScriptToExecute
+)
+
+# The script is a wrapper that downloads a specific version
+# of go, adds it to the PATH and executes a script with that go
+# version in the path.
+
+Set-StrictMode -Version Latest
+$ErrorActionPreference = "Stop"
+$ProgressPreference = "SilentlyContinue"
+
+# Get the path to the system's temporary directory.
+$tempPath = [System.IO.Path]::GetTempPath()
+
+# Create a unique name for the new temporary folder.
+$folderName = "go_" + (Get-Random)
+
+# Join the temp path and the new folder name to create the full path.
+$fullPath = Join-Path -Path $tempPath -ChildPath $folderName
+
+# Store the current value of PATH environment variable.
+$oldPath = $env:Path
+
+# Use a try...finally block to ensure the temporrary folder and PATH are cleaned up.
+try {
+    # Create the temporary folder.
+    Write-Host "Creating temporary folder at: $fullPath"
+    $newTempFolder = New-Item -ItemType Directory -Path $fullPath -Force
+
+    # Download go
+    $url = "https://go.dev/dl/$GoVersion.windows-amd64.zip"
+    $destinationFile = Join-Path -Path $newTempFolder.FullName -ChildPath "go$GoVersion.windows-amd64.zip"
+    Write-Host "Downloading go from: $url"
+    Invoke-WebRequest -Uri $url -OutFile $destinationFile
+    Write-Host "File downloaded to: $destinationFile"
+
+    # Unzip the downloaded file.
+    Write-Host "Unzipping the file..."
+    Expand-Archive -Path $destinationFile -DestinationPath $newTempFolder.FullName -Force
+    Write-Host "File unzipped successfully."
+
+    # Define the go/bin path wich is inside the temporary folder
+    $goBinPath = Join-Path -Path $fullPath -ChildPath "go\bin"
+
+    # Add the go/bin path to the PATH environment variable.
+    $env:Path = "$goBinPath;$($env:Path)"
+    Write-Host "Added $goBinPath to the environment PATH."
+
+    go env
+    go version
+
+    & $ScriptToExecute
+} finally {
+    # Cleanup: Remove the path from the environment variable and then the temporary folder.
+    Write-Host "Starting cleanup..."
+
+    $env:Path = $oldPath
+    Write-Host "Reverted changes in the environment PATH."
+
+    # Remove the temporary folder and its contents.
+    if (Test-Path -Path $fullPath) {
+        Remove-Item -Path $fullPath -Recurse -Force
+        Write-Host "Temporary folder and its contents have been removed."
+    } else {
+        Write-Host "Temporary folder does not exist, no cleanup needed."
+    }
+}
--- a/.ci/scripts/windows/sign-msi.ps1
+++ b/.ci/scripts/windows/sign-msi.ps1
@ -0,0 +1,26 @@
+# Sign Windows artifacts using azuretool
+# This script processes MSI files from the artifacts directory
+
+$ErrorActionPreference = "Stop"
+
+# Define paths
+$ARTIFACT_DIR = "artifacts"
+$TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
+
+Write-Host "Looking for Windows artifacts to sign in $ARTIFACT_DIR..."
+
+# Find all Windows MSI files
+$msiFiles = Get-ChildItem -Path $ARTIFACT_DIR -Filter "cloudflared-windows-*.msi" -ErrorAction SilentlyContinue
+
+if ($msiFiles.Count -eq 0) {
+    Write-Host "No Windows MSI files found in $ARTIFACT_DIR"
+    exit 1
+}
+
+Write-Host "Found $($msiFiles.Count) file(s) to sign:"
+foreach ($file in $msiFiles) {
+    Write-Host "Running azuretool sign for $($file.Name)"
+    azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\\$ARTIFACT_DIR\\$($file.Name)
+}
+
+Write-Host "Signing process completed"
--- a/.ci/windows.gitlab-ci.yml
+++ b/.ci/windows.gitlab-ci.yml
@ -0,0 +1,114 @@
+include:
+  - local: .ci/commons.gitlab-ci.yml
+
+###################################
+### Defaults for Windows Builds ###
+###################################
+.windows-build-defaults: &windows-build-defaults
+  rules:
+    - !reference [.default-rules, run-always]
+  tags:
+    - windows-x86
+  cache: {}
+
+##########################################
+### Build Cloudflared Windows Binaries ###
+##########################################
+windows-build-cloudflared:
+  <<: *windows-build-defaults
+  stage: build
+  script:
+    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${GO_VERSION}" ".\.ci\scripts\windows\builds.ps1"
+  artifacts:
+    paths:
+      - artifacts/*
+
+######################################################
+### Load Environment Variables for Component Tests ###
+######################################################
+windows-load-env-variables:
+  stage: pre-build
+  extends: .component-tests
+  script:
+    - echo "COMPONENT_TESTS_CONFIG=$COMPONENT_TESTS_CONFIG" >> windows.env
+    - echo "COMPONENT_TESTS_CONFIG_CONTENT=$COMPONENT_TESTS_CONFIG_CONTENT" >> windows.env
+    - echo "DNS_API_TOKEN=$DNS_API_TOKEN" >> windows.env
+    # We have to encode the `COMPONENT_TESTS_ORIGINCERT` secret, because it content is a file, otherwise we can't export it using gitlab
+    - echo "COMPONENT_TESTS_ORIGINCERT=$(echo "$COMPONENT_TESTS_ORIGINCERT" | base64 -w0)" >> windows.env
+    - echo "KEY_VAULT_URL=$KEY_VAULT_URL" >> windows.env
+    - echo "KEY_VAULT_CLIENT_ID=$KEY_VAULT_CLIENT_ID" >> windows.env
+    - echo "KEY_VAULT_TENANT_ID=$KEY_VAULT_TENANT_ID" >> windows.env
+    - echo "KEY_VAULT_SECRET=$KEY_VAULT_SECRET" >> windows.env
+    - echo "KEY_VAULT_CERTIFICATE=$KEY_VAULT_CERTIFICATE" >> windows.env
+  variables:
+    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkLmV4ZQpjcmVkZW50aWFsc19maWxlOiBjcmVkLmpzb24Kb3JpZ2luY2VydDogY2VydC5wZW0Kem9uZV9kb21haW46IGFyZ290dW5uZWx0ZXN0LmNvbQp6b25lX3RhZzogNDg3OTZmMWU3MGJiNzY2OWMyOWJiNTFiYTI4MmJmNjU=
+  secrets:
+    KEY_VAULT_URL:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_url@kv
+      file: false
+    KEY_VAULT_CLIENT_ID:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_client_id@kv
+      file: false
+    KEY_VAULT_TENANT_ID:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_tenant_id@kv
+      file: false
+    KEY_VAULT_SECRET:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/secret/key_vault_secret@kv
+      file: false
+    KEY_VAULT_CERTIFICATE:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/certificate_v2/key_vault_certificate@kv
+      file: false
+  artifacts:
+    access: 'none'
+    reports:
+      dotenv: windows.env
+
+###################################
+### Run Windows Component Tests ###
+###################################
+windows-component-tests-cloudflared:
+  <<: *windows-build-defaults
+  stage: test
+  needs: ["windows-load-env-variables"]
+  script:
+    # We have to decode the secret we encoded on the `windows-load-env-variables` job
+    - $env:COMPONENT_TESTS_ORIGINCERT = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($env:COMPONENT_TESTS_ORIGINCERT))
+    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${GO_VERSION}" ".\.ci\scripts\windows\component-test.ps1"
+  artifacts:
+    reports:
+      junit: report.xml
+
+################################
+### Package Windows Binaries ###
+################################
+windows-package:
+  rules:
+    - !reference [.default-rules, run-on-master]
+  stage: package
+  needs:
+    - ci-image-get-image-ref
+    - windows-build-cloudflared
+  image: $BUILD_IMAGE
+  script:
+    - .ci/scripts/package-windows.sh
+  cache: {}
+  artifacts:
+    paths:
+      - artifacts/*
+
+#############################
+### Sign Windows Binaries ###
+#############################
+windows-package-sign:
+  <<: *windows-build-defaults
+  rules:
+    - !reference [.default-rules, run-on-master]
+  stage: package
+  needs:
+    - windows-package
+    - windows-load-env-variables
+  script:
+    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\sign-msi.ps1"
+  artifacts:
+    paths:
+      - artifacts/*
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -1,130 +1,58 @@
-stages: [build, release]
+variables:
+  GO_VERSION: "go1.24.9"
+  GIT_DEPTH: "0"

 default:
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.cfdata.org

-# This before_script is injected into every job that runs on master meaning that if there is no tag the step
-# will succeed but only write "No tag present - Skipping" to the console.
-.check_tag:
-  before_script:
-    - |
-      # Check if there is a Git tag pointing to HEAD
-      echo "Tag found: $(git tag --points-at HEAD | grep .)"
-      if git tag --points-at HEAD | grep .; then
-        echo "Tag found: $(git tag --points-at HEAD | grep .)"
-        export "VERSION=$(git tag --points-at HEAD | grep .)"
-      else
-        echo "No tag present — skipping."
-        exit 0
-      fi
+stages: [sync, pre-build, build, validate, test, package, release, release-internal, review]

-## A set of predefined rules to use on the different jobs
-.default_rules:
-  # Rules to run the job only on the master branch
-  run_on_master:
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-      when: always
-    - when: never
-  # Rules to run the job only on branches that are not master. This is needed because for now
-  # we need to keep a similar behavior due to the integration with teamcity, which requires us
-  # to not trigger pipelines on tags and/or merge requests.
-  run_on_branch:
-    - if: $CI_COMMIT_TAG
-      when: never
-    - if: $CI_PIPELINE_SOURCE != "merge_request_event" && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
-      when: always
-    - when: never
+include:
+  #####################################################
+  ########## Import Commons Configurations ############
+  #####################################################
+  - local: .ci/commons.gitlab-ci.yml

-# -----------------------------------------------
-# Stage 1: Build on every PR
-# -----------------------------------------------
-build_cloudflared_macos: &build
-  stage: build
-  rules:
-    - !reference [.default_rules, run_on_branch]
-  tags:
-    - "macstadium-${RUNNER_ARCH}"
-  parallel:
-    matrix:
-      - RUNNER_ARCH: [arm, intel]
-  artifacts:
-    paths:
-      - artifacts/*
-  script:
-    - '[ "${RUNNER_ARCH}" = "arm" ] && export TARGET_ARCH=arm64'
-    - '[ "${RUNNER_ARCH}" = "intel" ] && export TARGET_ARCH=amd64'
-    - ARCH=$(uname -m)
-    - echo ARCH=$ARCH - TARGET_ARCH=$TARGET_ARCH
-    - ./.teamcity/mac/install-go.sh
-    - BUILD_SCRIPT=.teamcity/mac/build.sh
-    - if [[ ! -x ${BUILD_SCRIPT} ]] ; then exit ; fi
-    - set -euo pipefail
-    - echo "Executing ${BUILD_SCRIPT}"
-    - exec ${BUILD_SCRIPT}
+  #####################################################
+  ########### Sync Repository with Github #############
+  #####################################################
+  - local: .ci/github.gitlab-ci.yml

-# -----------------------------------------------
-# Stage 1: Build and sign only on releases
-# -----------------------------------------------
-build_and_sign_cloudflared_macos:
-  <<: *build
-  rules:
-    - !reference [.default_rules, run_on_master]
-  secrets:
-    APPLE_DEV_CA_CERT:
-      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/apple_dev_ca_cert_v2/data@kv
-      file: false
-    CFD_CODE_SIGN_CERT:
-      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_cert_v2/data@kv
-      file: false
-    CFD_CODE_SIGN_KEY:
-      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_key_v2/data@kv
-      file: false
-    CFD_CODE_SIGN_PASS:
-      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_pass_v2/data@kv
-      file: false
-    CFD_INSTALLER_CERT:
-      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_cert_v2/data@kv
-      file: false
-    CFD_INSTALLER_KEY:
-      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_key_v2/data@kv
-      file: false
-    CFD_INSTALLER_PASS:
-      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_pass_v2/data@kv
-      file: false
+  #####################################################
+  ############# Build or Fetch CI Image ###############
+  #####################################################
+  - local: .ci/ci-image.gitlab-ci.yml

-# -----------------------------------------------
-# Stage 2: Release to Github after building and signing
-# -----------------------------------------------
-release_cloudflared_macos_to_github:
-  stage: release
-  image: docker-registry.cfdata.org/stash/tun/docker-images/cloudflared-ci/main:6-8616fe631b76-amd64@sha256:96f4fd05e66cec03e0864c1bcf09324c130d4728eef45ee994716da499183614
-  extends: .check_tag
-  dependencies:
-    - build_and_sign_cloudflared_macos
-  rules:
-    - !reference [.default_rules, run_on_master]
-  cache:
-    paths:
-      - .cache/pip
-  variables:
-    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
-    KV_NAMESPACE: 380e19aa04314648949b6ad841417ebe
-    KV_ACCOUNT: 5ab4e9dfbd435d24068829fda0077963
-  secrets:
-    KV_API_TOKEN:
-      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_kv_api_token/data@kv
-      file: false
-    API_KEY:
-      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
-      file: false
-  script:
-    - python3 --version ; pip --version  # For debugging
-    - python3 -m venv venv
-    - source venv/bin/activate
-    - pip install pynacl==1.4.0 pygithub==1.55
-    - echo $VERSION
-    - echo $TAG_EXISTS
-    - echo "Running release because tag exists."
-    - make macos-release
+  #####################################################
+  ################## Linux Builds ###################
+  #####################################################
+  - local: .ci/linux.gitlab-ci.yml
+
+  #####################################################
+  ################## Windows Builds ###################
+  #####################################################
+  - local: .ci/windows.gitlab-ci.yml
+
+  #####################################################
+  ################### macOS Builds ####################
+  #####################################################
+  - local: .ci/mac.gitlab-ci.yml
+
+  #####################################################
+  ################# Release Packages ##################
+  #####################################################
+  - local: .ci/release.gitlab-ci.yml
+
+  #####################################################
+  ########## Release Packages Internally ##############
+  #####################################################
+  - local: .ci/apt-internal.gitlab-ci.yml
+
+  #####################################################
+  ############## Manual Claude Review #################
+  #####################################################
+  - component: $CI_SERVER_FQDN/cloudflare/ci/ai/review@~latest
+    inputs:
+      whenToRun: "manual"
--- a/.teamcity/install-cloudflare-go.sh
+++ b/.teamcity/install-cloudflare-go.sh
@ -1,8 +0,0 @@
-# !/usr/bin/env bash
-
-cd /tmp
-git clone -q https://github.com/cloudflare/go
-cd go/src
-# https://github.com/cloudflare/go/tree/af19da5605ca11f85776ef7af3384a02a315a52b is version go1.22.5-devel-cf
-git checkout -q af19da5605ca11f85776ef7af3384a02a315a52b
-./make.bash
--- a/.teamcity/mac/install-cloudflare-go.sh
+++ b/.teamcity/mac/install-cloudflare-go.sh
@ -1,10 +0,0 @@
-rm -rf /tmp/go
-export GOCACHE=/tmp/gocache
-rm -rf $GOCACHE
-
-./.teamcity/install-cloudflare-go.sh
-
-export PATH="/tmp/go/bin:$PATH"
-go version
-which go
-go env
--- a/.teamcity/windows/builds.ps1
+++ b/.teamcity/windows/builds.ps1
@ -1,28 +0,0 @@
-Set-StrictMode -Version Latest
-$ErrorActionPreference = "Stop"
-$ProgressPreference = "SilentlyContinue"
-
-# Relative path to working directory
-$CloudflaredDirectory = "go\src\github.com\cloudflare\cloudflared"
-
-cd $CloudflaredDirectory
-
-Write-Output "Building for amd64"
-$env:TARGET_OS = "windows"
-$env:CGO_ENABLED = 1
-$env:TARGET_ARCH = "amd64"
-$env:Path = "$Env:Temp\go\bin;$($env:Path)"
-
-go env
-go version
-
-& make cloudflared
-if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
-copy .\cloudflared.exe .\cloudflared-windows-amd64.exe
-
-Write-Output "Building for 386"
-$env:CGO_ENABLED = 0
-$env:TARGET_ARCH = "386"
-make cloudflared
-if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
-copy .\cloudflared.exe .\cloudflared-windows-386.exe
--- a/.teamcity/windows/component-test.ps1
+++ b/.teamcity/windows/component-test.ps1
@ -1,47 +0,0 @@
-Set-StrictMode -Version Latest
-$ErrorActionPreference = "Stop"
-$ProgressPreference = "SilentlyContinue"
-
-$WorkingDirectory = Get-Location
-$CloudflaredDirectory = "$WorkingDirectory\go\src\github.com\cloudflare\cloudflared"
-
-go env
-go version
-
-$env:TARGET_OS = "windows"
-$env:CGO_ENABLED = 1
-$env:TARGET_ARCH = "amd64"
-$env:Path = "$Env:Temp\go\bin;$($env:Path)"
-
-python --version
-python -m pip --version
-
-cd $CloudflaredDirectory
-
-go env
-go version
-
-Write-Output "Building cloudflared"
-
-& make cloudflared
-if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
-
-echo $LASTEXITCODE
-
-Write-Output "Running unit tests"
-
-# Not testing with race detector because of https://github.com/golang/go/issues/61058
-# We already test it on other platforms
-go test -failfast -v -mod=vendor ./...
-if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
-
-Write-Output "Running component tests"
-
-python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517
-python component-tests/setup.py --type create
-python -m pytest component-tests -o log_cli=true --log-cli-level=INFO
-if ($LASTEXITCODE -ne 0) {
-    python component-tests/setup.py --type cleanup
-    throw "Failed component tests"
-}
-python component-tests/setup.py --type cleanup
--- a/.teamcity/windows/install-cloudflare-go.ps1
+++ b/.teamcity/windows/install-cloudflare-go.ps1
@ -1,16 +0,0 @@
-Set-StrictMode -Version Latest
-$ErrorActionPreference = "Stop"
-$ProgressPreference = "SilentlyContinue"
-
-Write-Output "Downloading cloudflare go..."
-
-Set-Location "$Env:Temp"
-
-git clone -q https://github.com/cloudflare/go
-Write-Output "Building go..."
-cd go/src
-# https://github.com/cloudflare/go/tree/af19da5605ca11f85776ef7af3384a02a315a52b is version go1.22.5-devel-cf
-git checkout -q af19da5605ca11f85776ef7af3384a02a315a52b
-& ./make.bat
-
-Write-Output "Installed"
--- a/.teamcity/windows/install-go-msi.ps1
+++ b/.teamcity/windows/install-go-msi.ps1
@ -1,20 +0,0 @@
-$ErrorActionPreference = "Stop"
-$ProgressPreference = "SilentlyContinue"
-$GoMsiVersion = "go1.22.5.windows-amd64.msi"
-
-Write-Output "Downloading go installer..."
-
-Set-Location "$Env:Temp"
-
-(New-Object System.Net.WebClient).DownloadFile(
-    "https://go.dev/dl/$GoMsiVersion",
-    "$Env:Temp\$GoMsiVersion"
-)
-
-Write-Output "Installing go..."
-Install-Package "$Env:Temp\$GoMsiVersion" -Force
-
-# Go installer updates global $PATH
-go env
-
-Write-Output "Installed"
--- a/.vulnignore
+++ b/.vulnignore
@ -0,0 +1,3 @@
+# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line.
+# You can also add comments on the same line after the ID.
+GO-2025-3942 # Ignore core-dns vulnerability since we will be removing the proxy-dns feature in the near future
--- a/CHANGES.md
+++ b/CHANGES.md
@ -1,3 +1,7 @@
+## 2025.7.1
+### Notices
+- `cloudflared` will no longer officially support Debian and Ubuntu distros that reached end-of-life: `buster`, `bullseye`, `impish`, `trusty`.
+
 ## 2025.1.1
 ### New Features
 - This release introduces the use of new Post Quantum curves and the ability to use Post Quantum curves when running tunnels with the QUIC protocol this applies to non-FIPS and FIPS builds.
--- a/9
+++ b/9
@ -1,7 +1,7 @@
 # use a builder image for building cloudflare
 ARG TARGET_GOOS
 ARG TARGET_GOARCH
-FROM golang:1.24.2 AS builder
+FROM golang:1.24.9 AS builder
 ENV GO111MODULE=on \
  CGO_ENABLED=0 \
  TARGET_GOOS=${TARGET_GOOS} \
@ -27,8 +27,11 @@ LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/

-# run as non-privileged user
-USER nonroot
+# run as nonroot user
+# We need to use numeric user id's because Kubernetes doesn't support strings:
+# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
+# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
+USER 65532:65532

 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
@ -1,5 +1,5 @@
 # use a builder image for building cloudflare
-FROM golang:1.24.2 AS builder
+FROM golang:1.24.9 AS builder
 ENV GO111MODULE=on \
  CGO_ENABLED=0 \
  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
@ -22,8 +22,11 @@ LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/

-# run as non-privileged user
-USER nonroot
+# run as nonroot user
+# We need to use numeric user id's because Kubernetes doesn't support strings:
+# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
+# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
+USER 65532:65532

 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
--- a/Dockerfile.arm64
+++ b/Dockerfile.arm64
@ -1,5 +1,5 @@
 # use a builder image for building cloudflare
-FROM golang:1.24.2 AS builder
+FROM golang:1.24.9 AS builder
 ENV GO111MODULE=on \
  CGO_ENABLED=0 \
  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
@ -22,8 +22,11 @@ LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/

-# run as non-privileged user
-USER nonroot
+# run as nonroot user
+# We need to use numeric user id's because Kubernetes doesn't support strings:
+# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
+# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
+USER 65532:65532

 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
--- a/82
+++ b/82
@ -24,13 +24,19 @@ else
 	DEB_PACKAGE_NAME := $(BINARY_NAME)
 endif

-DATE          := $(shell date -u -r RELEASE_NOTES '+%Y-%m-%d-%H%M UTC')
+# Use git in windows since we don't have access to the `date` tool
+ifeq ($(TARGET_OS), windows)
+	DATE := $(shell git log -1 --format="%ad" --date=format-local:'%Y-%m-%dT%H:%M UTC' -- RELEASE_NOTES)
+else
+	DATE := $(shell date -u -r RELEASE_NOTES '+%Y-%m-%d-%H:%M UTC')
+endif
+
 VERSION_FLAGS := -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"
 ifdef PACKAGE_MANAGER
 	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/cmd/cloudflared/updater.BuiltForPackageManager=$(PACKAGE_MANAGER)"
 endif

-ifdef CONTAINER_BUILD 
+ifdef CONTAINER_BUILD
 	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/metrics.Runtime=virtual"
 endif

@ -56,8 +62,6 @@ PACKAGE_DIR    := $(CURDIR)/packaging
 PREFIX         := /usr
 INSTALL_BINDIR := $(PREFIX)/bin/
 INSTALL_MANDIR := $(PREFIX)/share/man/man1/
-CF_GO_PATH     := /tmp/go
-PATH           := $(CF_GO_PATH)/bin:$(PATH)

 LOCAL_ARCH ?= $(shell uname -m)
 ifneq ($(GOARCH),)
@ -66,6 +70,8 @@ else ifeq ($(LOCAL_ARCH),x86_64)
    TARGET_ARCH ?= amd64
 else ifeq ($(LOCAL_ARCH),amd64)
    TARGET_ARCH ?= amd64
+else ifeq ($(LOCAL_ARCH),386)
+    TARGET_ARCH ?= 386
 else ifeq ($(LOCAL_ARCH),i686)
    TARGET_ARCH ?= amd64
 else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 5),armv8)
@ -113,7 +119,7 @@ ifneq ($(TARGET_ARM), )
 	ARM_COMMAND := GOARM=$(TARGET_ARM)
 endif

-ifeq ($(TARGET_ARM), 7) 
+ifeq ($(TARGET_ARM), 7)
 	PACKAGE_ARCH := armhf
 else
 	PACKAGE_ARCH := $(TARGET_ARCH)
@ -122,6 +128,8 @@ endif
 #for FIPS compliance, FPM defaults to MD5.
 RPM_DIGEST := --rpm-digest sha256

+GO_TEST_LOG_OUTPUT = /tmp/gotest.log
+
 .PHONY: all
 all: cloudflared test

@ -129,6 +137,10 @@ all: cloudflared test
 clean:
 	go clean

+.PHONY: vulncheck
+vulncheck:
+	@./.ci/scripts/vuln-check.sh
+
 .PHONY: cloudflared
 cloudflared:
 ifeq ($(FIPS), true)
@ -150,11 +162,9 @@ generate-docker-version:

 .PHONY: test
 test: vet
-ifndef CI
-	go test -v -mod=vendor -race $(LDFLAGS) ./...
-else
-	@mkdir -p .cover
-	go test -v -mod=vendor -race $(LDFLAGS) -coverprofile=".cover/c.out" ./...
+	$Q go test -json -v -mod=vendor -race $(LDFLAGS) ./... 2>&1 | tee $(GO_TEST_LOG_OUTPUT)
+ifneq ($(FIPS), true)
+	@go run -mod=readonly github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest -input $(GO_TEST_LOG_OUTPUT)
 endif

 .PHONY: cover
@ -172,26 +182,17 @@ fuzz:
 	@go test -fuzz=FuzzIPDecoder -fuzztime=600s ./packet
 	@go test -fuzz=FuzzICMPDecoder -fuzztime=600s ./packet
 	@go test -fuzz=FuzzSessionWrite -fuzztime=600s ./quic/v3
-	@go test -fuzz=FuzzSessionServe -fuzztime=600s ./quic/v3
+	@go test -fuzz=FuzzSessionRead -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzRegistrationDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzPayloadDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzRegistrationResponseDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzNewIdentity -fuzztime=600s ./tracing
 	@go test -fuzz=FuzzNewAccessValidator -fuzztime=600s ./validation

-.PHONY: install-go
-install-go:
-	rm -rf ${CF_GO_PATH}
-	./.teamcity/install-cloudflare-go.sh
-
-.PHONY: cleanup-go
-cleanup-go:
-	rm -rf ${CF_GO_PATH}
-
 cloudflared.1: cloudflared_man_template
 	sed -e 's/\$${VERSION}/$(VERSION)/; s/\$${DATE}/$(DATE)/' cloudflared_man_template > cloudflared.1

-install: install-go cloudflared cloudflared.1 cleanup-go
+install: cloudflared cloudflared.1
 	mkdir -p $(DESTDIR)$(INSTALL_BINDIR) $(DESTDIR)$(INSTALL_MANDIR)
 	install -m755 cloudflared $(DESTDIR)$(INSTALL_BINDIR)/cloudflared
 	install -m644 cloudflared.1 $(DESTDIR)$(INSTALL_MANDIR)/cloudflared.1
@ -220,10 +221,6 @@ cloudflared-deb: cloudflared cloudflared.1
 cloudflared-rpm: cloudflared cloudflared.1
 	$(call build_package,rpm)

-.PHONY: cloudflared-pkg
-cloudflared-pkg: cloudflared cloudflared.1
-	$(call build_package,osxpkg)
-
 .PHONY: cloudflared-msi
 cloudflared-msi:
 	wixl --define Version=$(VERSION) --define Path=$(EXECUTABLE_PATH) --output cloudflared-$(VERSION)-$(TARGET_ARCH).msi cloudflared.wxs
@ -234,17 +231,18 @@ github-release-dryrun:

 .PHONY: github-release
 github-release:
-	python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION)
-	python3 github_message.py --release-version $(VERSION)
-
-.PHONY: macos-release
-macos-release:
 	python3 github_release.py --path $(PWD)/artifacts/ --release-version $(VERSION)
+	python3 github_message.py --release-version $(VERSION)

 .PHONY: r2-linux-release
 r2-linux-release:
 	python3 ./release_pkgs.py

+.PHONY: r2-next-linux-release
+# Publishes to a separate R2 repository during GPG key rollover, using dual-key signing.
+r2-next-linux-release:
+	python3 ./release_pkgs.py --upload-repo-file
+
 .PHONY: capnp
 capnp:
 	which capnp  # https://capnproto.org/install.html
@ -253,7 +251,7 @@ capnp:

 .PHONY: vet
 vet:
-	go vet -mod=vendor github.com/cloudflare/cloudflared/...
+	$Q go vet -mod=vendor github.com/cloudflare/cloudflared/...

 .PHONY: fmt
 fmt:
@ -262,7 +260,7 @@ fmt:

 .PHONY: fmt-check
 fmt-check:
-	@./fmt-check.sh
+	@./.ci/scripts/fmt-check.sh

 .PHONY: lint
 lint:
@ -271,3 +269,23 @@ lint:
 .PHONY: mocks
 mocks:
 	go generate mocks/mockgen.go
+
+.PHONY: ci-build
+ci-build:
+	@GOOS=linux GOARCH=amd64 $(MAKE) cloudflared
+	@mkdir -p artifacts
+	@mv cloudflared artifacts/cloudflared
+
+.PHONY: ci-fips-build
+ci-fips-build:
+	@FIPS=true GOOS=linux GOARCH=amd64 $(MAKE) cloudflared
+	@mkdir -p artifacts
+	@mv cloudflared artifacts/cloudflared
+
+.PHONY: ci-test
+ci-test: fmt-check lint test
+	@go run -mod=readonly github.com/jstemmer/go-junit-report/v2@latest -in $(GO_TEST_LOG_OUTPUT) -parser gojson -out report.xml -set-exit-code
+
+.PHONY: ci-fips-test
+ci-fips-test:
+	@FIPS=true $(MAKE) ci-test
--- a/README.md
+++ b/README.md
@ -3,14 +3,14 @@
 Contains the command-line client for Cloudflare Tunnel, a tunneling daemon that proxies traffic from the Cloudflare network to your origins.
 This daemon sits between Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you
 via this daemon, without requiring you to poke holes on your firewall --- your origin can remain as closed as possible.
-Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps) of the Cloudflare Docs.
+Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel) of the Cloudflare Docs.
 All usages related with proxying to your origins are available under `cloudflared tunnel help`.

 You can also use `cloudflared` to access Tunnel origins (that are protected with `cloudflared tunnel`) for TCP traffic
 at Layer 4 (i.e., not HTTP/websocket), which is relevant for use cases such as SSH, RDP, etc.
 Such usages are available under `cloudflared access help`.

-You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/private-networks)
+You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/warp/)
 to access private origins behind Tunnels for Layer 4 traffic without requiring `cloudflared access` commands on the client side.


@ -19,41 +19,41 @@ to access private origins behind Tunnels for Layer 4 traffic without requiring `
 Before you use Cloudflare Tunnel, you'll need to complete a few steps in the Cloudflare dashboard: you need to add a
 website to your Cloudflare account. Note that today it is possible to use Tunnel without a website (e.g. for private
 routing), but for legacy reasons this requirement is still necessary:
-1. [Add a website to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/201720164-Creating-a-Cloudflare-account-and-adding-a-website)
-2. [Change your domain nameservers to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/205195708)
+1. [Add a website to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/)
+2. [Change your domain nameservers to Cloudflare](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/)


 ## Installing `cloudflared`

 Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases [here](https://github.com/cloudflare/cloudflared/releases) on the `cloudflared` GitHub repository.

-* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
-* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#linux)
+* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
+* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#linux)
 * A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.com/r/cloudflare/cloudflared)
-* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#windows)
-* To build from source, first you need to download the go toolchain by running `./.teamcity/install-cloudflare-go.sh` and follow the output. Then you can run `make cloudflared`
+* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#windows)
+* To build from source, install the required version of go, mentioned in the [Development](#development) section below. Then you can run `make cloudflared`.

-User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
+User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/


 ## Creating Tunnels and routing traffic

 Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels to serve traffic to your origins.

-* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/)
+* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/)
 * Route traffic to that Tunnel:
-  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns)
-  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb)
-  * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/)
+  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/)
+  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers/)
+  * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/)


 ## TryCloudflare

-Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/).
+Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/trycloudflare/).

 ## Deprecated versions

-Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/#updating-cloudflared).
+Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/update-cloudflared/).

 For example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1.

@ -62,7 +62,7 @@ For example, as of January 2023 Cloudflare will support cloudflared version 2023
 ### Requirements
 - [GNU Make](https://www.gnu.org/software/make/)
 - [capnp](https://capnproto.org/install.html)
- [cloudflare go toolchain](https://github.com/cloudflare/go)
+- [go >= 1.24](https://go.dev/doc/install)
 - Optional tools:
  - [capnpc-go](https://pkg.go.dev/zombiezen.com/go/capnproto2/capnpc-go)
  - [goimports](https://pkg.go.dev/golang.org/x/tools/cmd/goimports)
--- a/73
+++ b/73
@ -1,3 +1,76 @@
+2025.11.1
+- 2025-11-07 TUN-9800: Fix docker hub push step
+
+2025.11.0
+- 2025-11-06 TUN-9863: Introduce Code Signing for Windows Builds
+- 2025-11-06 TUN-9800: Prefix gitlab steps with operating system
+- 2025-11-04 chore: Update cloudflared signing key name in index.html
+- 2025-10-31 chore: add claude review
+- 2025-10-31 Chore: Update documentation links in README
+- 2025-10-31 TUN-9800: Add pipelines for linux packaging
+
+2025.10.1
+- 2025-10-30 chore: Update ci image to use goboring 1.24.9
+- 2025-10-28 TUN-9849: Add cf-proxy-* to control response headers
+- 2025-10-24 TUN-9961: Add pkg.cloudflared.com index.html to git repo
+- 2025-10-23 TUN-9954: Update from go1.24.6 to go1.24.9
+- 2025-10-23 Fix systemd service installation hanging
+- 2025-10-21 TUN-9941: Use new GPG key for RPM builds
+- 2025-10-21 TUN-9941: Fix typo causing r2-release-next deployment to fail
+- 2025-10-21 TUN-9941: Lookup correct key for RPM signature
+- 2025-10-15 TUN-9919: Make RPM postinstall scriplet idempotent
+- 2025-10-14 TUN-9916: Fix the cloudflared binary path used in the component test
+
+2025.10.0
+- 2025-10-14 chore: Fix upload of RPM repo file during double signing
+- 2025-10-13 TUN-9882: Bump datagram v3 write channel capacity
+- 2025-10-10 chore: Fix import of GPG keys when two keys are provided
+- 2025-10-10 chore: Fix parameter order when uploading RPM .repo file to R2
+- 2025-10-10 TUN-9883: Add new datagram v3 feature flag
+- 2025-10-09 chore: Force usage of go-boring 1.24
+- 2025-10-08 TUN-9882: Improve metrics for datagram v3
+- 2025-10-07 GRC-16749: Add fedramp tags to catalog
+- 2025-10-07 TUN-9882: Add buffers for UDP and ICMP datagrams in datagram v3
+- 2025-10-07 TUN-9882: Add write deadline for UDP origin writes
+- 2025-09-29 TUN-9776: Support signing Debian packages with two keys for rollover
+- 2025-09-22 TUN-9800: Add pipeline to sync between gitlab and github repos
+
+2025.9.1
+- 2025-09-22 TUN-9855: Create script to ignore vulnerabilities from govuln check
+- 2025-09-19 TUN-9852: Remove fmt.Println from cloudflared access command
+
+2025.9.0
+- 2025-09-15 TUN-9820: Add support for FedRAMP in originRequest Access config
+- 2025-09-11 TUN-9800: Migrate cloudflared-ci pipelines to Gitlab CI
+- 2025-09-04 TUN-9803: Add windows builds to gitlab-ci
+- 2025-08-27 TUN-9755: Set endpoint in tunnel credentials when generating locally managed tunnel with a Fed token
+
+2025.8.1
+- 2025-08-19 AUTH-7480 update fed callback url for login helper
+- 2025-08-19 CUSTESC-53681: Correct QUIC connection management for datagram handlers
+- 2025-08-12 AUTH-7260: Add support for login interstitial auto closure
+
+2025.8.0
+- 2025-08-07 vuln: Fix GO-2025-3770 vulnerability
+- 2025-07-23 TUN-9583: set proper url and hostname for cloudflared tail command
+- 2025-07-07 TUN-9542: Remove unsupported Debian-based releases
+
+2025.7.0
+- 2025-07-03 TUN-9540: Use numeric user id for Dockerfiles
+- 2025-07-01 TUN-9161: Remove P256Kyber768Draft00PQKex curve from nonFips curve preferences
+- 2025-07-01 TUN-9531: Bump go-boring from 1.24.2 to 1.24.4
+- 2025-07-01 TUN-9511: Add metrics for virtual DNS origin
+- 2025-06-30 TUN-9470: Add OriginDialerService to include TCP
+- 2025-06-30 TUN-9473: Add --dns-resolver-addrs flag
+- 2025-06-27 TUN-9472: Add virtual DNS service
+- 2025-06-23 TUN-9469: Centralize UDP origin proxy dialing as ingress service
+
+2025.6.1
+- 2025-06-16 TUN-9467: add vulncheck to cloudflared
+- 2025-06-16 TUN-9495: Remove references to cloudflare-go
+- 2025-06-16 TUN-9371: Add logging format as JSON
+- 2025-06-12 TUN-9467: bump coredns to solve CVE
+
 2025.6.0
 - 2025-06-06 TUN-9016: update go to 1.24
 - 2025-06-05 TUN-9171: Use `is_default_network` instead of `is_default` to create vnet's
--- a/build-packages.sh
+++ b/build-packages.sh
@ -1,48 +0,0 @@
-#!/bin/bash
-VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
-echo $VERSION
-
-# Disable FIPS module in go-boring
-export GOEXPERIMENT=noboringcrypto
-export CGO_ENABLED=0
-
-# This controls the directory the built artifacts go into
-export ARTIFACT_DIR=artifacts/
-mkdir -p $ARTIFACT_DIR
-
-linuxArchs=("386" "amd64" "arm" "armhf" "arm64")
-export TARGET_OS=linux
-for arch in ${linuxArchs[@]}; do
-    unset TARGET_ARM
-    export TARGET_ARCH=$arch
-
-    ## Support for arm platforms without hardware FPU enabled
-    if [[ $arch == arm ]] ; then
-        export TARGET_ARCH=arm
-        export TARGET_ARM=5
-    fi
-    
-    ## Support for armhf builds 
-    if [[ $arch == armhf ]] ; then
-        export TARGET_ARCH=arm
-        export TARGET_ARM=7 
-    fi
-    
-    make cloudflared-deb
-    mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
-
-    # rpm packages invert the - and _ and use x86_64 instead of amd64.
-    RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
-    RPMARCH=$arch
-    if [ $arch == "amd64" ];then
-        RPMARCH="x86_64"
-    fi
-    if [ $arch == "arm64" ]; then
-        RPMARCH="aarch64"
-    fi
-    make cloudflared-rpm
-    mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
-
-    # finally move the linux binary as well.
-    mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
-done
--- a/carrier/carrier.go
+++ b/carrier/carrier.go
@ -26,11 +26,13 @@ const (
 )

 type StartOptions struct {
-	AppInfo         *token.AppInfo
-	OriginURL       string
-	Headers         http.Header
-	Host            string
-	TLSClientConfig *tls.Config
+	AppInfo               *token.AppInfo
+	OriginURL             string
+	Headers               http.Header
+	Host                  string
+	TLSClientConfig       *tls.Config
+	AutoCloseInterstitial bool
+	IsFedramp             bool
 }

 // Connection wraps up all the needed functions to forward over the tunnel
@ -46,7 +48,6 @@ type StdinoutStream struct{}
 // Read will read from Stdin
 func (c *StdinoutStream) Read(p []byte) (int, error) {
 	return os.Stdin.Read(p)
-
 }

 // Write will write to Stdout
@ -139,7 +140,7 @@ func BuildAccessRequest(options *StartOptions, log *zerolog.Logger) (*http.Reque
 		return nil, err
 	}

-	token, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, log)
+	token, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, options.AutoCloseInterstitial, options.IsFedramp, log)
 	if err != nil {
 		return nil, err
 	}
--- a/catalog-info.yaml
+++ b/catalog-info.yaml
@ -14,4 +14,7 @@ spec:
  lifecycle: "Active"
  owner: "teams/tunnel-teams-routing"
  cf:
+    compliance:
+      fedramp-high: "pending"
+      fedramp-moderate: "yes"
    FIPS: "required"
--- a/cfsetup.yaml
+++ b/cfsetup.yaml
@ -1,257 +1,2 @@
-pinned_go: &pinned_go go-boring=1.24.2-1
-
-build_dir: &build_dir /cfsetup_build
-default-flavor: bookworm
-
-bullseye: &bullseye
-  build-linux:
-    build_dir: *build_dir
-    builddeps: &build_deps
-      - *pinned_go
-      - build-essential
-      - fakeroot
-      - rubygem-fpm
-      - rpm
-      - libffi-dev
-      - golangci-lint=1.64.8-2
-    pre-cache: &build_pre_cache
-      - export GOCACHE=/cfsetup_build/.cache/go-build
-      - go install golang.org/x/tools/cmd/goimports@v0.30.0
-    post-cache:
-      # Linting
-      - make lint
-      - make fmt-check
-      # Build binary for component test
-      - GOOS=linux GOARCH=amd64 make cloudflared
-  build-linux-fips:
-    build_dir: *build_dir
-    builddeps: *build_deps
-    pre-cache: *build_pre_cache
-    post-cache:
-      - export FIPS=true
-      # Build binary for component test
-      - GOOS=linux GOARCH=amd64 make cloudflared
-  cover:
-    build_dir: *build_dir
-    builddeps: *build_deps
-    pre-cache: *build_pre_cache
-    post-cache:
-      - make cover
-  # except FIPS and macos
-  build-linux-release:
-    build_dir: *build_dir
-    builddeps: &build_deps_release
-      - *pinned_go
-      - build-essential
-      - fakeroot
-      - rubygem-fpm
-      - rpm
-      - libffi-dev
-      - python3-dev
-      - python3-pip
-      - python3-setuptools
-      - wget
-      - python3-venv
-    post-cache:
-      - python3 -m venv env
-      - . /cfsetup_build/env/bin/activate
-      - pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
-      # build all packages (except macos and FIPS) and move them to /cfsetup/built_artifacts
-      - ./build-packages.sh
-  # handle FIPS separately so that we built with gofips compiler
-  build-linux-fips-release:
-    build_dir: *build_dir
-    builddeps: *build_deps_release
-    post-cache:
-      # same logic as above, but for FIPS packages only
-      - ./build-packages-fips.sh
-  generate-versions-file:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - build-essential
-    post-cache:
-      - make generate-docker-version
-  build-deb:
-    build_dir: *build_dir
-    builddeps: &build_deb_deps
-      - *pinned_go
-      - build-essential
-      - fakeroot
-      - rubygem-fpm
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=amd64
-      - make cloudflared-deb
-  build-fips-internal-deb:
-    build_dir: *build_dir
-    builddeps: &build_fips_deb_deps
-      - *pinned_go
-      - build-essential
-      - fakeroot
-      - rubygem-fpm
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=amd64
-      - export FIPS=true
-      - export ORIGINAL_NAME=true
-      - make cloudflared-deb
-  build-internal-deb-nightly-amd64:
-    build_dir: *build_dir
-    builddeps: *build_fips_deb_deps
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=amd64
-      - export NIGHTLY=true
-      - export FIPS=true
-      - export ORIGINAL_NAME=true
-      - make cloudflared-deb
-  build-internal-deb-nightly-arm64:
-    build_dir: *build_dir
-    builddeps: *build_fips_deb_deps
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=arm64
-      - export NIGHTLY=true
-      # - export FIPS=true # TUN-7595
-      - export ORIGINAL_NAME=true
-      - make cloudflared-deb
-  build-deb-arm64:
-    build_dir: *build_dir
-    builddeps: *build_deb_deps
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=arm64
-      - make cloudflared-deb
-  package-windows:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - build-essential
-      - python3-dev
-      - libffi-dev
-      - python3-setuptools
-      - python3-pip
-      - wget
-      # libmsi and libgcab are libraries the wixl binary depends on.
-      - libmsi-dev
-      - libgcab-dev
-      - python3-venv
-    pre-cache:
-      - wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
-      - chmod a+x /usr/local/bin/wixl
-    post-cache:
-      - python3 -m venv env
-      - . env/bin/activate
-      - pip install pynacl==1.4.0 pygithub==1.55
-      - .teamcity/package-windows.sh
-  test:
-    build_dir: *build_dir
-    builddeps: &build_deps_tests
-      - *pinned_go
-      - build-essential
-      - fakeroot
-      - rubygem-fpm
-      - rpm
-      - libffi-dev
-      - gotest-to-teamcity
-    pre-cache: *build_pre_cache
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=amd64
-      - export PATH="$HOME/go/bin:$PATH"
-      - make test | gotest-to-teamcity
-  test-fips:
-    build_dir: *build_dir
-    builddeps: *build_deps_tests
-    pre-cache: *build_pre_cache
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=amd64
-      - export FIPS=true
-      - export PATH="$HOME/go/bin:$PATH"
-      - make test | gotest-to-teamcity
-  component-test:
-    build_dir: *build_dir
-    builddeps: &build_deps_component_test
-      - *pinned_go
-      - python3
-      - python3-pip
-      - python3-setuptools
-      # procps installs the ps command which is needed in test_sysv_service
-      # because the init script uses ps pid to determine if the agent is
-      # running
-      - procps
-      - python3-venv
-    pre-cache-copy-paths:
-      - component-tests/requirements.txt
-    post-cache: &component_test_post_cache
-      - python3 -m venv env
-      - . env/bin/activate
-      - pip install --upgrade -r component-tests/requirements.txt
-      # Creates and routes a Named Tunnel for this build. Also constructs
-      # config file from env vars.
-      - python3 component-tests/setup.py --type create
-      - pytest component-tests -o log_cli=true --log-cli-level=INFO
-      # The Named Tunnel is deleted and its route unprovisioned here.
-      - python3 component-tests/setup.py --type cleanup
-  component-test-fips:
-    build_dir: *build_dir
-    builddeps: *build_deps_component_test
-    pre-cache-copy-paths:
-      - component-tests/requirements.txt
-    post-cache: *component_test_post_cache
-  github-release-dryrun:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - build-essential
-      - python3-dev
-      - libffi-dev
-      - python3-setuptools
-      - python3-pip
-      - python3-venv
-    post-cache:
-      - python3 -m venv env
-      - . env/bin/activate
-      - pip install pynacl==1.4.0 pygithub==1.55
-      - make github-release-dryrun
-  github-release:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - build-essential
-      - python3-dev
-      - libffi-dev
-      - python3-setuptools
-      - python3-pip
-      - python3-venv
-    post-cache:
-      - python3 -m venv env
-      - . env/bin/activate
-      - pip install pynacl==1.4.0 pygithub==1.55
-      - make github-release
-  r2-linux-release:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - build-essential
-      - fakeroot
-      - rubygem-fpm
-      - rpm
-      - wget
-      - python3-dev
-      - libffi-dev
-      - python3-setuptools
-      - python3-pip
-      - reprepro
-      - createrepo-c
-      - python3-venv
-    post-cache:
-      - python3 -m venv env
-      - . env/bin/activate
-      - pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
-      - make r2-linux-release
-
-bookworm: *bullseye
-trixie: *bullseye
+# A valid cfsetup.yaml is required but we dont have any real config to specify
+dummy_key: true
--- a/client/config_test.go
+++ b/client/config_test.go
@ -45,6 +45,6 @@ func (m *mockFeatureSelector) Snapshot() features.FeatureSnapshot {
 	return features.FeatureSnapshot{
 		PostQuantum:     features.PostQuantumPrefer,
 		DatagramVersion: features.DatagramV3,
-		FeaturesList:    []string{features.FeaturePostQuantum, features.FeatureDatagramV3_1},
+		FeaturesList:    []string{features.FeaturePostQuantum, features.FeatureDatagramV3_2},
 	}
 }
--- a/cmd/cloudflared/access/carrier.go
+++ b/cmd/cloudflared/access/carrier.go
@ -47,6 +47,7 @@ func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *z
 	options := &carrier.StartOptions{
 		OriginURL: forwarder.URL,
 		Headers:   headers, //TODO: TUN-2688 support custom headers from config file
+		IsFedramp: forwarder.IsFedramp,
 	}

 	// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
@ -92,6 +93,7 @@ func ssh(c *cli.Context) error {
 		OriginURL: url.String(),
 		Headers:   headers,
 		Host:      url.Host,
+		IsFedramp: c.Bool(fedrampFlag),
 	}

 	if connectTo := c.String(sshConnectTo); connectTo != "" {
--- a/cmd/cloudflared/access/cmd.go
+++ b/cmd/cloudflared/access/cmd.go
@ -51,6 +51,7 @@ Host {{.Hostname}}
  ProxyCommand {{.Cloudflared}} access ssh --hostname %h
 {{end}}
 `
+	fedrampFlag = "fedramp"
 )

 const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"
@ -79,6 +80,10 @@ func Commands() []*cli.Command {
 			Aliases:  []string{"forward"},
 			Category: "Access",
 			Usage:    "access <subcommand>",
+			Flags: []cli.Flag{&cli.BoolFlag{
+				Name:  fedrampFlag,
+				Usage: "use when performing operations in fedramp account",
+			}},
 			Description: `Cloudflare Access protects internal resources by securing, authenticating and monitoring access
 			per-user and by application. With Cloudflare Access, only authenticated users with the required permissions are
 			able to reach sensitive resources. The commands provided here allow you to interact with Access protected
@ -104,6 +109,10 @@ func Commands() []*cli.Command {
 							Name:  "no-verbose",
 							Usage: "print only the jwt to stdout",
 						},
+						&cli.BoolFlag{
+							Name:  "auto-close",
+							Usage: "automatically close the auth interstitial after action",
+						},
 						&cli.StringFlag{
 							Name: appURLFlag,
 						},
@ -322,7 +331,7 @@ func curl(c *cli.Context) error {
 			log.Info().Msg("You don't have an Access token set. Please run access token <access application> to fetch one.")
 			return run("curl", cmdArgs...)
 		}
-		tok, err = token.FetchToken(appURL, appInfo, log)
+		tok, err = token.FetchToken(appURL, appInfo, c.Bool(cfdflags.AutoCloseInterstitial), c.Bool(fedrampFlag), log)
 		if err != nil {
 			log.Err(err).Msg("Failed to refresh token")
 			return err
@ -442,7 +451,7 @@ func sshGen(c *cli.Context) error {
 	if err != nil {
 		return err
 	}
-	cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, log)
+	cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, c.Bool(cfdflags.AutoCloseInterstitial), c.Bool(fedrampFlag), log)
 	if err != nil {
 		return err
 	}
@ -542,7 +551,7 @@ func verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context,
 	if c.IsSet(sshTokenSecretFlag) {
 		headers.Add(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag))
 	}
-	options := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers}
+	options := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers, AutoCloseInterstitial: c.Bool(cfdflags.AutoCloseInterstitial), IsFedramp: c.Bool(fedrampFlag)}

 	if valid, err := isTokenValid(options, log); err != nil {
 		return err
--- a/cmd/cloudflared/cliutil/logger.go
+++ b/cmd/cloudflared/cliutil/logger.go
@ -4,25 +4,32 @@ import (
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"

-	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 )

 var (
 	debugLevelWarning = "At debug level cloudflared will log request URL, method, protocol, content length, as well as, all request and response headers. " +
 		"This can expose sensitive information in your logs."
+
+	FlagLogOutput = &cli.StringFlag{
+		Name:    flags.LogFormatOutput,
+		Usage:   "Output format for the logs (default, json)",
+		Value:   flags.LogFormatOutputValueDefault,
+		EnvVars: []string{"TUNNEL_MANAGEMENT_OUTPUT", "TUNNEL_LOG_OUTPUT"},
+	}
 )

 func ConfigureLoggingFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    cfdflags.LogLevel,
+			Name:    flags.LogLevel,
 			Value:   "info",
 			Usage:   "Application logging level {debug, info, warn, error, fatal}. " + debugLevelWarning,
 			EnvVars: []string{"TUNNEL_LOGLEVEL"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    cfdflags.TransportLogLevel,
+			Name:    flags.TransportLogLevel,
 			Aliases: []string{"proto-loglevel"}, // This flag used to be called proto-loglevel
 			Value:   "info",
 			Usage:   "Transport logging level(previously called protocol logging level) {debug, info, warn, error, fatal}",
@ -30,22 +37,23 @@ func ConfigureLoggingFlags(shouldHide bool) []cli.Flag {
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    cfdflags.LogFile,
+			Name:    flags.LogFile,
 			Usage:   "Save application log to this file for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGFILE"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    cfdflags.LogDirectory,
+			Name:    flags.LogDirectory,
 			Usage:   "Save application log to this directory for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGDIRECTORY"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    cfdflags.TraceOutput,
+			Name:    flags.TraceOutput,
 			Usage:   "Name of trace output file, generated when cloudflared stops.",
 			EnvVars: []string{"TUNNEL_TRACE_OUTPUT"},
 			Hidden:  shouldHide,
 		}),
+		FlagLogOutput,
 	}
 }
--- a/cmd/cloudflared/flags/flags.go
+++ b/cmd/cloudflared/flags/flags.go
@ -138,6 +138,11 @@ const (
 	// LogDirectory is the command line flag to define the directory where application logs will be stored.
 	LogDirectory = "log-directory"

+	// LogFormatOutput allows the command line logs to be output as JSON.
+	LogFormatOutput             = "output"
+	LogFormatOutputValueDefault = "default"
+	LogFormatOutputValueJSON    = "json"
+
 	// TraceOutput is the command line flag to set the name of trace output file
 	TraceOutput = "trace-output"

@ -152,4 +157,13 @@ const (

 	// ApiURL is the command line flag used to define the base URL of the API
 	ApiURL = "api-url"
+
+	// Virtual DNS resolver service resolver addresses to use instead of dynamically fetching them from the OS.
+	VirtualDNSServiceResolverAddresses = "dns-resolver-addrs"
+
+	// Management hostname to signify incoming management requests
+	ManagementHostname = "management-hostname"
+
+	// Automatically close the login interstitial browser window after the user makes a decision.
+	AutoCloseInterstitial = "auto-close"
 )
--- a/cmd/cloudflared/linux_service.go
+++ b/cmd/cloudflared/linux_service.go
@ -60,7 +60,7 @@ After=network-online.target
 Wants=network-online.target

 [Service]
-TimeoutStartSec=0
+TimeoutStartSec=15
 Type=notify
 ExecStart={{ .Path }} --no-autoupdate{{ range .ExtraArgs }} {{ . }}{{ end }}
 Restart=on-failure
--- a/cmd/cloudflared/tail/cmd.go
+++ b/cmd/cloudflared/tail/cmd.go
@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
 	"net/http"
 	"net/url"
 	"os"
@ -50,6 +51,7 @@ func buildTailManagementTokenSubcommand() *cli.Command {

 func managementTokenCommand(c *cli.Context) error {
 	log := createLogger(c)
+
 	token, err := getManagementToken(c, log)
 	if err != nil {
 		return err
@ -98,13 +100,7 @@ func buildTailCommand(subcommands []*cli.Command) *cli.Command {
 				EnvVars: []string{"TUNNEL_MANAGEMENT_TOKEN"},
 			},
 			&cli.StringFlag{
-				Name:    "output",
-				Usage:   "Output format for the logs (default, json)",
-				Value:   "default",
-				EnvVars: []string{"TUNNEL_MANAGEMENT_OUTPUT"},
-			},
-			&cli.StringFlag{
-				Name:    "management-hostname",
+				Name:    cfdflags.ManagementHostname,
 				Usage:   "Management hostname to signify incoming management requests",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
 				Hidden:  true,
@ -128,6 +124,7 @@ func buildTailCommand(subcommands []*cli.Command) *cli.Command {
 				EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
 				Value:   credentials.FindDefaultOriginCertPath(),
 			},
+			cliutil.FlagLogOutput,
 		},
 		Subcommands: subcommands,
 	}
@ -171,10 +168,21 @@ func createLogger(c *cli.Context) *zerolog.Logger {
 	if levelErr != nil {
 		level = zerolog.InfoLevel
 	}
-	log := zerolog.New(zerolog.ConsoleWriter{
-		Out:        colorable.NewColorable(os.Stderr),
-		TimeFormat: time.RFC3339,
-	}).With().Timestamp().Logger().Level(level)
+	var writer io.Writer
+	switch c.String(cfdflags.LogFormatOutput) {
+	case cfdflags.LogFormatOutputValueJSON:
+		// zerolog by default outputs as JSON
+		writer = os.Stderr
+	case cfdflags.LogFormatOutputValueDefault:
+		// "default" and unset use the same logger output format
+		fallthrough
+	default:
+		writer = zerolog.ConsoleWriter{
+			Out:        colorable.NewColorable(os.Stderr),
+			TimeFormat: time.RFC3339,
+		}
+	}
+	log := zerolog.New(writer).With().Timestamp().Logger().Level(level)
 	return &log
 }

@ -229,7 +237,14 @@ func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
 		return "", err
 	}

-	client, err := userCreds.Client(c.String(cfdflags.ApiURL), buildInfo.UserAgent(), log)
+	var apiURL string
+	if userCreds.IsFEDEndpoint() {
+		apiURL = credentials.FedRampBaseApiURL
+	} else {
+		apiURL = c.String(cfdflags.ApiURL)
+	}
+
+	client, err := userCreds.Client(apiURL, buildInfo.UserAgent(), log)
 	if err != nil {
 		return "", err
 	}
@ -254,7 +269,7 @@ func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
 // buildURL will build the management url to contain the required query parameters to authenticate the request.
 func buildURL(c *cli.Context, log *zerolog.Logger) (url.URL, error) {
 	var err error
-	managementHostname := c.String("management-hostname")
+
 	token := c.String("token")
 	if token == "" {
 		token, err = getManagementToken(c, log)
@ -262,6 +277,19 @@ func buildURL(c *cli.Context, log *zerolog.Logger) (url.URL, error) {
 			return url.URL{}, fmt.Errorf("unable to acquire management token for requested tunnel id: %w", err)
 		}
 	}
+
+	claims, err := management.ParseToken(token)
+	if err != nil {
+		return url.URL{}, fmt.Errorf("failed to determine if token is FED: %w", err)
+	}
+
+	var managementHostname string
+	if claims.IsFed() {
+		managementHostname = credentials.FedRampHostname
+	} else {
+		managementHostname = c.String(cfdflags.ManagementHostname)
+	}
+
 	query := url.Values{}
 	query.Add("access_token", token)
 	connector := c.String("connector-id")
--- a/cmd/cloudflared/tunnel/cmd.go
+++ b/cmd/cloudflared/tunnel/cmd.go
@ -97,7 +97,7 @@ var (
 		"no-tls-verify",
 		"no-chunked-encoding",
 		"http2-origin",
-		"management-hostname",
+		cfdflags.ManagementHostname,
 		"service-op-ip",
 		"local-ssh-port",
 		"ssh-idle-timeout",
@ -459,8 +459,23 @@ func StartServer(
 		}
 	}

+	userCreds, err := credentials.Read(c.String(cfdflags.OriginCert), log)
+	var isFEDEndpoint bool
+	if err != nil {
+		isFEDEndpoint = false
+	} else {
+		isFEDEndpoint = userCreds.IsFEDEndpoint()
+	}
+
+	var managementHostname string
+	if isFEDEndpoint {
+		managementHostname = credentials.FedRampHostname
+	} else {
+		managementHostname = c.String(cfdflags.ManagementHostname)
+	}
+
 	mgmt := management.New(
-		c.String("management-hostname"),
+		managementHostname,
 		c.Bool("management-diagnostics"),
 		serviceIP,
 		connectorID,
@ -1042,7 +1057,7 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {
 			Value:   false,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "management-hostname",
+			Name:    cfdflags.ManagementHostname,
 			Usage:   "Management hostname to signify incoming management requests",
 			EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
 			Hidden:  true,
--- a/cmd/cloudflared/tunnel/configuration.go
+++ b/cmd/cloudflared/tunnel/configuration.go
@ -11,6 +11,7 @@ import (
 	"time"

 	"github.com/pkg/errors"
+	"github.com/prometheus/client_golang/prometheus"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
@ -25,6 +26,7 @@ import (
 	"github.com/cloudflare/cloudflared/edgediscovery/allregions"
 	"github.com/cloudflare/cloudflared/features"
 	"github.com/cloudflare/cloudflared/ingress"
+	"github.com/cloudflare/cloudflared/ingress/origins"
 	"github.com/cloudflare/cloudflared/orchestration"
 	"github.com/cloudflare/cloudflared/supervisor"
 	"github.com/cloudflare/cloudflared/tlsconfig"
@ -34,7 +36,6 @@ import (
 const (
 	secretValue       = "*****"
 	icmpFunnelTimeout = time.Second * 10
-	fedRampRegion     = "fed" // const string denoting the region used to connect to FEDRamp servers
 )

 var (
@ -219,6 +220,27 @@ func prepareTunnelConfig(
 		resolvedRegion = endpoint
 	}

+	warpRoutingConfig := ingress.NewWarpRoutingConfig(&cfg.WarpRouting)
+
+	// Setup origin dialer service and virtual services
+	originDialerService := ingress.NewOriginDialer(ingress.OriginConfig{
+		DefaultDialer:   ingress.NewDialer(warpRoutingConfig),
+		TCPWriteTimeout: c.Duration(flags.WriteStreamTimeout),
+	}, log)
+
+	// Setup DNS Resolver Service
+	originMetrics := origins.NewMetrics(prometheus.DefaultRegisterer)
+	dnsResolverAddrs := c.StringSlice(flags.VirtualDNSServiceResolverAddresses)
+	dnsService := origins.NewDNSResolverService(origins.NewDNSDialer(), log, originMetrics)
+	if len(dnsResolverAddrs) > 0 {
+		addrs, err := parseResolverAddrPorts(dnsResolverAddrs)
+		if err != nil {
+			return nil, nil, fmt.Errorf("invalid %s provided: %w", flags.VirtualDNSServiceResolverAddresses, err)
+		}
+		dnsService = origins.NewStaticDNSResolverService(addrs, origins.NewDNSDialer(), log, originMetrics)
+	}
+	originDialerService.AddReservedService(dnsService, []netip.AddrPort{origins.VirtualDNSServiceAddr})
+
 	tunnelConfig := &supervisor.TunnelConfig{
 		ClientConfig:    clientConfig,
 		GracePeriod:     gracePeriod,
@ -246,6 +268,8 @@ func prepareTunnelConfig(
 		DisableQUICPathMTUDiscovery:         c.Bool(flags.QuicDisablePathMTUDiscovery),
 		QUICConnectionLevelFlowControlLimit: c.Uint64(flags.QuicConnLevelFlowControlLimit),
 		QUICStreamLevelFlowControlLimit:     c.Uint64(flags.QuicStreamLevelFlowControlLimit),
+		OriginDNSService:                    dnsService,
+		OriginDialerService:                 originDialerService,
 	}
 	icmpRouter, err := newICMPRouter(c, log)
 	if err != nil {
@ -254,10 +278,10 @@ func prepareTunnelConfig(
 		tunnelConfig.ICMPRouterServer = icmpRouter
 	}
 	orchestratorConfig := &orchestration.Config{
-		Ingress:            &ingressRules,
-		WarpRouting:        ingress.NewWarpRoutingConfig(&cfg.WarpRouting),
-		ConfigurationFlags: parseConfigFlags(c),
-		WriteTimeout:       tunnelConfig.WriteStreamTimeout,
+		Ingress:             &ingressRules,
+		WarpRouting:         warpRoutingConfig,
+		OriginDialerService: originDialerService,
+		ConfigurationFlags:  parseConfigFlags(c),
 	}
 	return tunnelConfig, orchestratorConfig, nil
 }
@ -494,3 +518,19 @@ func findLocalAddr(dst net.IP, port int) (netip.Addr, error) {
 	localAddr := localAddrPort.Addr()
 	return localAddr, nil
 }
+
+func parseResolverAddrPorts(input []string) ([]netip.AddrPort, error) {
+	// We don't allow more than 10 resolvers to be provided statically for the resolver service.
+	if len(input) > 10 {
+		return nil, errors.New("too many addresses provided, max: 10")
+	}
+	addrs := make([]netip.AddrPort, 0, len(input))
+	for _, val := range input {
+		addr, err := netip.ParseAddrPort(val)
+		if err != nil {
+			return nil, err
+		}
+		addrs = append(addrs, addr)
+	}
+	return addrs, nil
+}
--- a/cmd/cloudflared/tunnel/login.go
+++ b/cmd/cloudflared/tunnel/login.go
@ -12,6 +12,7 @@ import (
 	"github.com/urfave/cli/v2"

 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
+	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/logger"
@ -19,11 +20,10 @@ import (
 )

 const (
-	baseLoginURL = "https://dash.cloudflare.com/argotunnel"
-	callbackURL  = "https://login.cloudflareaccess.org/"
-	// For now these are the same but will change in the future once we know which URLs to use (TUN-8872)
-	fedBaseLoginURL      = "https://dash.cloudflare.com/argotunnel"
-	fedCallbackStoreURL  = "https://login.cloudflareaccess.org/"
+	baseLoginURL         = "https://dash.cloudflare.com/argotunnel"
+	callbackURL          = "https://login.cloudflareaccess.org/"
+	fedBaseLoginURL      = "https://dash.fed.cloudflare.com/argotunnel"
+	fedCallbackStoreURL  = "https://login.fed.cloudflareaccess.org/"
 	fedRAMPParamName     = "fedramp"
 	loginURLParamName    = "loginURL"
 	callbackURLParamName = "callbackURL"
@ -97,6 +97,8 @@ func login(c *cli.Context) error {
 		callbackStoreURL,
 		false,
 		false,
+		c.Bool(cfdflags.AutoCloseInterstitial),
+		isFEDRamp,
 		log,
 	)
 	if err != nil {
--- a/cmd/cloudflared/tunnel/subcommand_context.go
+++ b/cmd/cloudflared/tunnel/subcommand_context.go
@ -155,10 +155,12 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
 	if err != nil {
 		return nil, err
 	}
+
 	tunnelCredentials := connection.Credentials{
 		AccountTag:   credential.AccountID(),
 		TunnelSecret: tunnelSecret,
 		TunnelID:     tunnel.ID,
+		Endpoint:     credential.Endpoint(),
 	}
 	usedCertPath := false
 	if credentialsFilePath == "" {
--- a/cmd/cloudflared/tunnel/subcommands.go
+++ b/cmd/cloudflared/tunnel/subcommands.go
@ -241,6 +241,11 @@ var (
 		Usage:   "Overrides the remote configuration for max active private network flows (TCP/UDP) that this cloudflared instance supports",
 		EnvVars: []string{"TUNNEL_MAX_ACTIVE_FLOWS"},
 	}
+	dnsResolverAddrsFlag = &cli.StringSliceFlag{
+		Name:    flags.VirtualDNSServiceResolverAddresses,
+		Usage:   "Overrides the dynamic DNS resolver resolution to use these address:port's instead.",
+		EnvVars: []string{"TUNNEL_DNS_RESOLVER_ADDRS"},
+	}
 )

 func buildCreateCommand() *cli.Command {
@ -718,6 +723,7 @@ func buildRunCommand() *cli.Command {
 		icmpv4SrcFlag,
 		icmpv6SrcFlag,
 		maxActiveFlowsFlag,
+		dnsResolverAddrsFlag,
 	}
 	flags = append(flags, configureProxyFlags(false)...)
 	return &cli.Command{
--- a/component-tests/test_management.py
+++ b/component-tests/test_management.py
@ -107,7 +107,13 @@ class TestManagement:
            assert resp.status_code == 404, "Expected cloudflared to return 404 for /metrics"


+
+
@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
 def send_request(url, headers={}):
    with requests.Session() as s:
-        return s.get(url, timeout=BACKOFF_SECS, headers=headers)
+        resp = s.get(url, timeout=BACKOFF_SECS, headers=headers)
+        if resp.status_code == 530:
+            LOGGER.debug(f"Received 530 status, retrying request to {url}")
+            raise Exception(f"Received 530 status code from {url}")
+        return resp
--- a/component-tests/test_service.py
+++ b/component-tests/test_service.py
@ -9,7 +9,7 @@ import pytest

 import test_logging
 from conftest import CfdModes
-from util import select_platform, start_cloudflared, wait_tunnel_ready, write_config
+from util import select_platform, skip_on_ci, start_cloudflared, wait_tunnel_ready, write_config


 def default_config_dir():
@ -82,6 +82,7 @@ class TestServiceMode:
        os.remove(default_config_file())
        self.launchctl_cmd("list", success=False)

+    @skip_on_ci("we can't run sudo command on CI")
    @select_platform("Linux")
    @pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
                        reason=f"There is already a config file in default path")
@ -98,6 +99,7 @@ class TestServiceMode:

        self.sysv_service_scenario(config, tmp_path, assert_log_file)

+    @skip_on_ci("we can't run sudo command on CI")
    @select_platform("Linux")
    @pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
                        reason=f"There is already a config file in default path")
@ -116,6 +118,7 @@ class TestServiceMode:

        self.sysv_service_scenario(config, tmp_path, assert_rotating_log)

+    @skip_on_ci("we can't run sudo command on CI")
    @select_platform("Linux")
    @pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
                        reason=f"There is already a config file in default path")
--- a/component-tests/test_token.py
+++ b/component-tests/test_token.py
@ -1,7 +1,7 @@
 import base64
 import json

-from setup import get_config_from_file, persist_origin_cert
+from setup import get_config_from_file
 from util import start_cloudflared


--- a/component-tests/test_tunnel.py
+++ b/component-tests/test_tunnel.py
@ -33,13 +33,20 @@ class TestTunnel:
        LOGGER.debug(config)
        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"],  cfd_args=["run"], new_process=True):
            wait_tunnel_ready(require_min_connections=1)
-            resp = send_request(config.get_url()+"/")
-            assert resp.status_code == 503, "Expected cloudflared to return 503 for all requests with no ingress defined"
-            resp = send_request(config.get_url()+"/test")
-            assert resp.status_code == 503, "Expected cloudflared to return 503 for all requests with no ingress defined"
+            expected_status_code = 503
+            resp = send_request(config.get_url()+"/", expected_status_code)
+            assert resp.status_code == expected_status_code, "Expected cloudflared to return 503 for all requests with no ingress defined"
+            resp = send_request(config.get_url()+"/test", expected_status_code)
+            assert resp.status_code == expected_status_code, "Expected cloudflared to return 503 for all requests with no ingress defined"

+def retry_if_result_none(result):
+    '''
+    Returns True if the result is None, indicating that the function should be retried.
+    '''
+    return result is None

-@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
-def send_request(url, headers={}):
+@retry(retry_on_result=retry_if_result_none, stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
+def send_request(url, expected_status_code=200):
    with requests.Session() as s:
-        return s.get(url, timeout=BACKOFF_SECS, headers=headers)
+        resp = s.get(url, timeout=BACKOFF_SECS)
+        return resp if resp.status_code == expected_status_code else None
--- a/component-tests/util.py
+++ b/component-tests/util.py
@ -10,7 +10,6 @@ import pytest

 import requests
 import yaml
-import json
 from retrying import retry

 from constants import METRICS_PORT, MAX_RETRIES, BACKOFF_SECS
@ -35,6 +34,12 @@ def fips_enabled():
 nofips = pytest.mark.skipif(
        fips_enabled(), reason=f"Only runs without FIPS (COMPONENT_TESTS_FIPS=0)")

+def skip_on_ci(reason):
+    env_ci = os.getenv("CI")
+    running_in_ci = env_ci is not None and env_ci != "0"
+    return pytest.mark.skipif(
+        running_in_ci, reason=f"This test can't run on CI due to: {reason}")
+
 def write_config(directory, config):
    config_path = directory / "config.yml"
    with open(config_path, 'w') as outfile:
@ -111,6 +116,7 @@ def inner_wait_tunnel_ready(tunnel_url=None, require_min_connections=1):
    metrics_url = f'http://localhost:{METRICS_PORT}/ready'

    with requests.Session() as s:
+        LOGGER.debug("Waiting for tunnel to be ready...")
        resp = send_request(s, metrics_url, True)

        ready_connections = resp.json()["readyConnections"]
--- a/config/configuration.go
+++ b/config/configuration.go
@ -242,6 +242,8 @@ type AccessConfig struct {

 	// AudTag is the AudTag to verify access JWT against.
 	AudTag []string `yaml:"audTag" json:"audTag"`
+
+	Environment string `yaml:"environment" json:"environment,omitempty"`
 }

 type IngressIPRule struct {
--- a/config/model.go
+++ b/config/model.go
@ -1,7 +1,7 @@
 package config

 import (
-	"crypto/md5"
+	"crypto/sha256"
 	"fmt"
 	"io"
 	"strings"
@ -16,6 +16,7 @@ type Forwarder struct {
 	TokenClientID string `json:"service_token_id" yaml:"serviceTokenID"`
 	TokenSecret   string `json:"secret_token_id" yaml:"serviceTokenSecret"`
 	Destination   string `json:"destination"`
+	IsFedramp     bool   `json:"is_fedramp" yaml:"isFedramp"`
 }

 // Tunnel represents a tunnel that should be started
@ -46,24 +47,24 @@ type Root struct {

 // Hash returns the computed values to see if the forwarder values change
 func (f *Forwarder) Hash() string {
-	h := md5.New()
-	io.WriteString(h, f.URL)
-	io.WriteString(h, f.Listener)
-	io.WriteString(h, f.TokenClientID)
-	io.WriteString(h, f.TokenSecret)
-	io.WriteString(h, f.Destination)
+	h := sha256.New()
+	_, _ = io.WriteString(h, f.URL)
+	_, _ = io.WriteString(h, f.Listener)
+	_, _ = io.WriteString(h, f.TokenClientID)
+	_, _ = io.WriteString(h, f.TokenSecret)
+	_, _ = io.WriteString(h, f.Destination)
 	return fmt.Sprintf("%x", h.Sum(nil))
 }

 // Hash returns the computed values to see if the forwarder values change
 func (r *DNSResolver) Hash() string {
-	h := md5.New()
-	io.WriteString(h, r.Address)
-	io.WriteString(h, strings.Join(r.Bootstraps, ","))
-	io.WriteString(h, strings.Join(r.Upstreams, ","))
-	io.WriteString(h, fmt.Sprintf("%d", r.Port))
-	io.WriteString(h, fmt.Sprintf("%d", r.MaxUpstreamConnections))
-	io.WriteString(h, fmt.Sprintf("%v", r.Enabled))
+	h := sha256.New()
+	_, _ = io.WriteString(h, r.Address)
+	_, _ = io.WriteString(h, strings.Join(r.Bootstraps, ","))
+	_, _ = io.WriteString(h, strings.Join(r.Upstreams, ","))
+	_, _ = io.WriteString(h, fmt.Sprintf("%d", r.Port))
+	_, _ = io.WriteString(h, fmt.Sprintf("%d", r.MaxUpstreamConnections))
+	_, _ = io.WriteString(h, fmt.Sprintf("%v", r.Enabled))
 	return fmt.Sprintf("%x", h.Sum(nil))
 }

--- a/connection/control.go
+++ b/connection/control.go
@ -82,7 +82,7 @@ func (c *controlStream) ServeControlStream(
 	tunnelConfigGetter TunnelConfigJSONGetter,
 ) error {
 	registrationClient := c.registerClientFunc(ctx, rw, c.registerTimeout)
-
+	c.observer.logConnecting(c.connIndex, c.edgeAddress, c.protocol)
 	registrationDetails, err := registrationClient.RegisterConnection(
 		ctx,
 		c.tunnelProperties.Credentials.Auth(),
--- a/connection/errors.go
+++ b/connection/errors.go
@ -1,7 +1,6 @@
 package connection

 import (
-	"github.com/cloudflare/cloudflared/edgediscovery"
 	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )

@ -53,26 +52,26 @@ func serverRegistrationErrorFromRPC(err error) ServerRegisterTunnelError {
 	}
 }

-type muxerShutdownError struct{}
+type ControlStreamError struct{}

-func (e muxerShutdownError) Error() string {
-	return "muxer shutdown"
+var _ error = &ControlStreamError{}
+
+func (e *ControlStreamError) Error() string {
+	return "control stream encountered a failure while serving"
 }

-var errMuxerStopped = muxerShutdownError{}
+type StreamListenerError struct{}

-func isHandshakeErrRecoverable(err error, connIndex uint8, observer *Observer) bool {
-	log := observer.log.With().
-		Uint8(LogFieldConnIndex, connIndex).
-		Err(err).
-		Logger()
+var _ error = &StreamListenerError{}

-	switch err.(type) {
-	case edgediscovery.DialError:
-		log.Error().Msg("Connection unable to dial edge")
-	default:
-		log.Error().Msg("Connection failed")
-		return false
-	}
-	return true
+func (e *StreamListenerError) Error() string {
+	return "accept stream listener encountered a failure while serving"
+}
+
+type DatagramManagerError struct{}
+
+var _ error = &DatagramManagerError{}
+
+func (e *DatagramManagerError) Error() string {
+	return "datagram manager encountered a failure while serving"
 }
--- a/connection/header.go
+++ b/connection/header.go
@ -53,7 +53,8 @@ var headerEncoding = base64.RawStdEncoding
 func IsControlResponseHeader(headerName string) bool {
 	return strings.HasPrefix(headerName, ":") ||
 		strings.HasPrefix(headerName, "cf-int-") ||
-		strings.HasPrefix(headerName, "cf-cloudflared-")
+		strings.HasPrefix(headerName, "cf-cloudflared-") ||
+		strings.HasPrefix(headerName, "cf-proxy-")
 }

 // isWebsocketClientHeader returns true if the header name is required by the client to upgrade properly
--- a/connection/header_test.go
+++ b/connection/header_test.go
@ -1,18 +1,17 @@
 package connection

 import (
-	"fmt"
 	"net/http"
 	"reflect"
 	"sort"
 	"testing"

-	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestSerializeHeaders(t *testing.T) {
 	request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
-	assert.NoError(t, err)
+	require.NoError(t, err)

 	mockHeaders := http.Header{
 		"Mock-Header-One":        {"Mock header one value", "three"},
@ -39,22 +38,22 @@ func TestSerializeHeaders(t *testing.T) {
 	serializedHeaders := SerializeHeaders(request.Header)

 	// Sanity check: the headers serialized to something that's not an empty string
-	assert.NotEqual(t, "", serializedHeaders)
+	require.NotEqual(t, "", serializedHeaders)

 	// Deserialize back, and ensure we get the same set of headers
 	deserializedHeaders, err := DeserializeHeaders(serializedHeaders)
-	assert.NoError(t, err)
+	require.NoError(t, err)

-	assert.Equal(t, 13, len(deserializedHeaders))
+	require.Len(t, deserializedHeaders, 13)
 	expectedHeaders := headerToReqHeader(mockHeaders)

 	sort.Sort(ByName(deserializedHeaders))
 	sort.Sort(ByName(expectedHeaders))

-	assert.True(
+	require.True(
 		t,
 		reflect.DeepEqual(expectedHeaders, deserializedHeaders),
-		fmt.Sprintf("got = %#v, want = %#v\n", deserializedHeaders, expectedHeaders),
+		"got = %#v, want = %#v\n", deserializedHeaders, expectedHeaders,
 	)
 }

@ -82,12 +81,12 @@ func headerToReqHeader(headers http.Header) (reqHeaders []HTTPHeader) {

 func TestSerializeNoHeaders(t *testing.T) {
 	request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
-	assert.NoError(t, err)
+	require.NoError(t, err)

 	serializedHeaders := SerializeHeaders(request.Header)
 	deserializedHeaders, err := DeserializeHeaders(serializedHeaders)
-	assert.NoError(t, err)
-	assert.Equal(t, 0, len(deserializedHeaders))
+	require.NoError(t, err)
+	require.Empty(t, deserializedHeaders)
 }

 func TestDeserializeMalformed(t *testing.T) {
@ -102,21 +101,22 @@ func TestDeserializeMalformed(t *testing.T) {

 	for _, malformedValue := range malformedData {
 		_, err = DeserializeHeaders(malformedValue)
-		assert.Error(t, err)
+		require.Error(t, err)
 	}
 }

 func TestIsControlResponseHeader(t *testing.T) {
 	controlResponseHeaders := []string{
-		// Anything that begins with cf-int- or cf-cloudflared-
+		// Anything that begins with cf-int-, cf-cloudflared- or cf-proxy-
 		"cf-int-sample-header",
 		"cf-cloudflared-sample-header",
+		"cf-proxy-sample-header",
 		// Any http2 pseudoheader
 		":sample-pseudo-header",
 	}

 	for _, header := range controlResponseHeaders {
-		assert.True(t, IsControlResponseHeader(header))
+		require.True(t, IsControlResponseHeader(header))
 	}
 }

@ -130,6 +130,6 @@ func TestIsNotControlResponseHeader(t *testing.T) {
 	}

 	for _, header := range notControlResponseHeaders {
-		assert.False(t, IsControlResponseHeader(header))
+		require.False(t, IsControlResponseHeader(header))
 	}
 }
--- a/connection/http2_test.go
+++ b/connection/http2_test.go
@ -295,7 +295,7 @@ func TestServeWS(t *testing.T) {
 	require.False(t, respWriter.panicked)
 }

-// TestNoWriteAfterServeHTTPReturns is a regression test of https://jira.cfops.it/browse/TUN-5184
+// TestNoWriteAfterServeHTTPReturns is a regression test of https://jira.cfdata.org/browse/TUN-5184
 // to make sure we don't write to the ResponseWriter after the ServeHTTP method returns
 func TestNoWriteAfterServeHTTPReturns(t *testing.T) {
 	cfdHTTP2Conn, edgeTCPConn := newTestHTTP2Connection()
--- a/connection/observer.go
+++ b/connection/observer.go
@ -46,6 +46,15 @@ func (o *Observer) RegisterSink(sink EventSink) {
 	o.addSinkChan <- sink
 }

+func (o *Observer) logConnecting(connIndex uint8, address net.IP, protocol Protocol) {
+	o.log.Debug().
+		Int(management.EventTypeKey, int(management.Cloudflared)).
+		Uint8(LogFieldConnIndex, connIndex).
+		IPAddr(LogFieldIPAddress, address).
+		Str(LogFieldProtocol, protocol.String()).
+		Msg("Registering tunnel connection")
+}
+
 func (o *Observer) logConnected(connectionID uuid.UUID, connIndex uint8, location string, address net.IP, protocol Protocol) {
 	o.log.Info().
 		Int(management.EventTypeKey, int(management.Cloudflared)).
--- a/connection/quic_connection.go
+++ b/connection/quic_connection.go
@ -3,6 +3,7 @@ package connection
 import (
 	"bufio"
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"net"
@ -12,7 +13,6 @@ import (
 	"sync/atomic"
 	"time"

-	"github.com/pkg/errors"
 	"github.com/quic-go/quic-go"
 	"github.com/rs/zerolog"
 	"golang.org/x/sync/errgroup"
@ -65,7 +65,7 @@ func NewTunnelConnection(
 	streamWriteTimeout time.Duration,
 	gracePeriod time.Duration,
 	logger *zerolog.Logger,
-) (TunnelConnection, error) {
+) TunnelConnection {
 	return &quicConnection{
 		conn:                 conn,
 		logger:               logger,
@ -77,10 +77,11 @@ func NewTunnelConnection(
 		rpcTimeout:           rpcTimeout,
 		streamWriteTimeout:   streamWriteTimeout,
 		gracePeriod:          gracePeriod,
-	}, nil
+	}
 }

 // Serve starts a QUIC connection that begins accepting streams.
+// Returning a nil error means cloudflared will exit for good and will not attempt to reconnect.
 func (q *quicConnection) Serve(ctx context.Context) error {
 	// The edge assumes the first stream is used for the control plane
 	controlStream, err := q.conn.OpenStream()
@ -88,16 +89,16 @@ func (q *quicConnection) Serve(ctx context.Context) error {
 		return fmt.Errorf("failed to open a registration control stream: %w", err)
 	}

-	// If either goroutine returns nil error, we rely on this cancellation to make sure the other goroutine exits
-	// as fast as possible as well. Nil error means we want to exit for good (caller code won't retry serving this
-	// connection).
 	// If either goroutine returns a non nil error, then the error group cancels the context, thus also canceling the
-	// other goroutine as fast as possible.
-	ctx, cancel := context.WithCancel(ctx)
+	// other goroutines. We enforce returning a not-nil error for each function started in the errgroup by logging
+	// the error returned and returning a custom error type instead.
 	errGroup, ctx := errgroup.WithContext(ctx)

-	// In the future, if cloudflared can autonomously push traffic to the edge, we have to make sure the control
-	// stream is already fully registered before the other goroutines can proceed.
+	// Close the quic connection if any of the following routines return from the errgroup (regardless of their error)
+	// because they are no longer processing requests for the connection.
+	defer q.Close()
+
+	// Start the control stream routine
 	errGroup.Go(func() error {
 		// err is equal to nil if we exit due to unregistration. If that happens we want to wait the full
 		// amount of the grace period, allowing requests to finish before we cancel the context, which will
@ -114,16 +115,26 @@ func (q *quicConnection) Serve(ctx context.Context) error {
 				}
 			}
 		}
-		cancel()
-		return err
+		if err != nil {
+			q.logger.Error().Err(err).Msg("failed to serve the control stream")
+		}
+		return &ControlStreamError{}
 	})
+	// Start the accept stream loop routine
 	errGroup.Go(func() error {
-		defer cancel()
-		return q.acceptStream(ctx)
+		err := q.acceptStream(ctx)
+		if err != nil {
+			q.logger.Error().Err(err).Msg("failed to accept incoming stream requests")
+		}
+		return &StreamListenerError{}
 	})
+	// Start the datagram handler routine
 	errGroup.Go(func() error {
-		defer cancel()
-		return q.datagramHandler.Serve(ctx)
+		err := q.datagramHandler.Serve(ctx)
+		if err != nil {
+			q.logger.Error().Err(err).Msg("failed to run the datagram handler")
+		}
+		return &DatagramManagerError{}
 	})

 	return errGroup.Wait()
@ -140,7 +151,6 @@ func (q *quicConnection) Close() {
 }

 func (q *quicConnection) acceptStream(ctx context.Context) error {
-	defer q.Close()
 	for {
 		quicStream, err := q.conn.AcceptStream(ctx)
 		if err != nil {
@ -230,7 +240,7 @@ func (q *quicConnection) dispatchRequest(ctx context.Context, stream *rpcquic.Re
 			ConnIndex: q.connIndex,
 		}), rwa.connectResponseSent
 	default:
-		return errors.Errorf("unsupported error type: %s", request.Type), false
+		return fmt.Errorf("unsupported error type: %s", request.Type), false
 	}
 }

--- a/connection/quic_connection_test.go
+++ b/connection/quic_connection_test.go
@ -30,6 +30,7 @@ import (
 	"golang.org/x/net/nettest"

 	"github.com/cloudflare/cloudflared/client"
+	"github.com/cloudflare/cloudflared/config"
 	cfdflow "github.com/cloudflare/cloudflared/flow"

 	"github.com/cloudflare/cloudflared/datagramsession"
@ -823,6 +824,15 @@ func testTunnelConnection(t *testing.T, serverAddr netip.AddrPort, index uint8)
 	sessionManager := datagramsession.NewManager(&log, datagramMuxer.SendToSession, sessionDemuxChan)
 	var connIndex uint8 = 0
 	packetRouter := ingress.NewPacketRouter(nil, datagramMuxer, connIndex, &log)
+	testDefaultDialer := ingress.NewDialer(ingress.WarpRoutingConfig{
+		ConnectTimeout: config.CustomDuration{Duration: 1 * time.Second},
+		TCPKeepAlive:   config.CustomDuration{Duration: 15 * time.Second},
+		MaxActiveFlows: 0,
+	})
+	originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
+		DefaultDialer:   testDefaultDialer,
+		TCPWriteTimeout: 1 * time.Second,
+	}, &log)

 	datagramConn := &datagramV2Connection{
 		conn,
@ -830,13 +840,14 @@ func testTunnelConnection(t *testing.T, serverAddr netip.AddrPort, index uint8)
 		sessionManager,
 		cfdflow.NewLimiter(0),
 		datagramMuxer,
+		originDialer,
 		packetRouter,
 		15 * time.Second,
 		0 * time.Second,
 		&log,
 	}

-	tunnelConn, err := NewTunnelConnection(
+	tunnelConn := NewTunnelConnection(
 		ctx,
 		conn,
 		index,
@ -849,7 +860,6 @@ func testTunnelConnection(t *testing.T, serverAddr netip.AddrPort, index uint8)
 		0*time.Second,
 		&log,
 	)
-	require.NoError(t, err)
 	return tunnelConn, datagramConn
 }

--- a/connection/quic_datagram_v2.go
+++ b/connection/quic_datagram_v2.go
@ -4,9 +4,11 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"net/netip"
 	"time"

 	"github.com/google/uuid"
+	"github.com/pkg/errors"
 	pkgerrors "github.com/pkg/errors"
 	"github.com/quic-go/quic-go"
 	"github.com/rs/zerolog"
@ -32,6 +34,10 @@ const (
 	demuxChanCapacity = 16
 )

+var (
+	errInvalidDestinationIP = errors.New("unable to parse destination IP")
+)
+
 // DatagramSessionHandler is a service that can serve datagrams for a connection and handle sessions from incoming
 // connection streams.
 type DatagramSessionHandler interface {
@ -51,7 +57,10 @@ type datagramV2Connection struct {

 	// datagramMuxer mux/demux datagrams from quic connection
 	datagramMuxer *cfdquic.DatagramMuxerV2
-	packetRouter  *ingress.PacketRouter
+	// originDialer is the origin dialer for UDP requests
+	originDialer ingress.OriginUDPDialer
+	// packetRouter acts as the origin router for ICMP requests
+	packetRouter *ingress.PacketRouter

 	rpcTimeout         time.Duration
 	streamWriteTimeout time.Duration
@ -61,6 +70,7 @@ type datagramV2Connection struct {

 func NewDatagramV2Connection(ctx context.Context,
 	conn quic.Connection,
+	originDialer ingress.OriginUDPDialer,
 	icmpRouter ingress.ICMPRouter,
 	index uint8,
 	rpcTimeout time.Duration,
@ -79,6 +89,7 @@ func NewDatagramV2Connection(ctx context.Context,
 		sessionManager:     sessionManager,
 		flowLimiter:        flowLimiter,
 		datagramMuxer:      datagramMuxer,
+		originDialer:       originDialer,
 		packetRouter:       packetRouter,
 		rpcTimeout:         rpcTimeout,
 		streamWriteTimeout: streamWriteTimeout,
@ -87,24 +98,17 @@ func NewDatagramV2Connection(ctx context.Context,
 }

 func (d *datagramV2Connection) Serve(ctx context.Context) error {
-	// If either goroutine returns nil error, we rely on this cancellation to make sure the other goroutine exits
-	// as fast as possible as well. Nil error means we want to exit for good (caller code won't retry serving this
-	// connection).
-	// If either goroutine returns a non nil error, then the error group cancels the context, thus also canceling the
-	// other goroutine as fast as possible.
-	ctx, cancel := context.WithCancel(ctx)
+	// If either goroutine from the errgroup returns at all (error or nil), we rely on its cancellation to make sure
+	// the other goroutines as well.
 	errGroup, ctx := errgroup.WithContext(ctx)

 	errGroup.Go(func() error {
-		defer cancel()
 		return d.sessionManager.Serve(ctx)
 	})
 	errGroup.Go(func() error {
-		defer cancel()
 		return d.datagramMuxer.ServeReceive(ctx)
 	})
 	errGroup.Go(func() error {
-		defer cancel()
 		return d.packetRouter.Serve(ctx)
 	})

@ -128,12 +132,29 @@ func (q *datagramV2Connection) RegisterUdpSession(ctx context.Context, sessionID
 		tracing.EndWithErrorStatus(registerSpan, err)
 		return nil, err
 	}
+	// We need to force the net.IP to IPv4 (if it's an IPv4 address) otherwise the net.IP conversion from capnp
+	// will be a IPv4-mapped-IPv6 address.
+	// In the case that the address is IPv6 we leave it untouched and parse it as normal.
+	ip := dstIP.To4()
+	if ip == nil {
+		ip = dstIP
+	}
+	// Parse the dstIP and dstPort into a netip.AddrPort
+	// This should never fail because the IP was already parsed as a valid net.IP
+	destAddr, ok := netip.AddrFromSlice(ip)
+	if !ok {
+		log.Err(errInvalidDestinationIP).Msgf("Failed to parse destination proxy IP: %s", ip)
+		tracing.EndWithErrorStatus(registerSpan, errInvalidDestinationIP)
+		q.flowLimiter.Release()
+		return nil, errInvalidDestinationIP
+	}
+	dstAddrPort := netip.AddrPortFrom(destAddr, dstPort)

 	// Each session is a series of datagram from an eyeball to a dstIP:dstPort.
 	// (src port, dst IP, dst port) uniquely identifies a session, so it needs a dedicated connected socket.
-	originProxy, err := ingress.DialUDP(dstIP, dstPort)
+	originProxy, err := q.originDialer.DialUDP(dstAddrPort)
 	if err != nil {
-		log.Err(err).Msgf("Failed to create udp proxy to %s:%d", dstIP, dstPort)
+		log.Err(err).Msgf("Failed to create udp proxy to %s", dstAddrPort)
 		tracing.EndWithErrorStatus(registerSpan, err)
 		q.flowLimiter.Release()
 		return nil, err
--- a/connection/quic_datagram_v2_test.go
+++ b/connection/quic_datagram_v2_test.go
@ -84,6 +84,7 @@ func TestRateLimitOnNewDatagramV2UDPSession(t *testing.T) {
 		t.Context(),
 		conn,
 		nil,
+		nil,
 		0,
 		0*time.Second,
 		0*time.Second,
--- a/credentials/credentials.go
+++ b/credentials/credentials.go
@ -10,6 +10,8 @@ import (
 const (
 	logFieldOriginCertPath = "originCertPath"
 	FedEndpoint            = "fed"
+	FedRampBaseApiURL      = "https://api.fed.cloudflare.com/client/v4"
+	FedRampHostname        = "management.fed.argotunnel.com"
 )

 type User struct {
@ -21,6 +23,10 @@ func (c User) AccountID() string {
 	return c.cert.AccountID
 }

+func (c User) Endpoint() string {
+	return c.cert.Endpoint
+}
+
 func (c User) ZoneID() string {
 	return c.cert.ZoneID
 }
--- a/features/features.go
+++ b/features/features.go
@ -10,9 +10,10 @@ const (
 	FeaturePostQuantum       = "postquantum"
 	FeatureQUICSupportEOF    = "support_quic_eof"
 	FeatureManagementLogs    = "management_logs"
-	FeatureDatagramV3_1      = "support_datagram_v3_1"
+	FeatureDatagramV3_2      = "support_datagram_v3_2"

-	DeprecatedFeatureDatagramV3 = "support_datagram_v3" // Deprecated: TUN-9291
+	DeprecatedFeatureDatagramV3   = "support_datagram_v3"   // Deprecated: TUN-9291
+	DeprecatedFeatureDatagramV3_1 = "support_datagram_v3_1" // Deprecated: TUN-9883
 )

 var defaultFeatures = []string{
@ -26,6 +27,7 @@ var defaultFeatures = []string{
 // List of features that are no longer in-use.
 var deprecatedFeatures = []string{
 	DeprecatedFeatureDatagramV3,
+	DeprecatedFeatureDatagramV3_1,
 }

 // Features set by user provided flags
@ -58,7 +60,7 @@ const (
 	// DatagramV2 is the currently supported datagram protocol for UDP and ICMP packets
 	DatagramV2 DatagramVersion = FeatureDatagramV2
 	// DatagramV3 is a new datagram protocol for UDP and ICMP packets. It is not backwards compatible with datagram v2.
-	DatagramV3 DatagramVersion = FeatureDatagramV3_1
+	DatagramV3 DatagramVersion = FeatureDatagramV3_2
 )

 // Remove any duplicate features from the list and remove deprecated features
--- a/features/selector.go
+++ b/features/selector.go
@ -23,9 +23,10 @@ const (
 // If the TXT record is missing a key, the field will unmarshal to the default Go value

 type featuresRecord struct {
-	DatagramV3Percentage uint32 `json:"dv3_1"`
+	DatagramV3Percentage uint32 `json:"dv3_2"`

 	// DatagramV3Percentage int32 `json:"dv3"` // Removed in TUN-9291
+	// DatagramV3Percentage uint32 `json:"dv3_1"` // Removed in TUN-9883
 	// PostQuantumPercentage int32 `json:"pq"` // Removed in TUN-7970
 }

@ -105,7 +106,7 @@ func (fs *featureSelector) postQuantumMode() PostQuantumMode {

 func (fs *featureSelector) datagramVersion() DatagramVersion {
 	// If user provides the feature via the cli, we take it as priority over remote feature evaluation
-	if slices.Contains(fs.cliFeatures, FeatureDatagramV3_1) {
+	if slices.Contains(fs.cliFeatures, FeatureDatagramV3_2) {
 		return DatagramV3
 	}
 	// If the user specifies DatagramV2, we also take that over remote
--- a/features/selector_test.go
+++ b/features/selector_test.go
@ -22,15 +22,15 @@ func TestUnmarshalFeaturesRecord(t *testing.T) {
 		expectedPercentage uint32
 	}{
 		{
-			record:             []byte(`{"dv3_1":0}`),
+			record:             []byte(`{"dv3_2":0}`),
 			expectedPercentage: 0,
 		},
 		{
-			record:             []byte(`{"dv3_1":39}`),
+			record:             []byte(`{"dv3_2":39}`),
 			expectedPercentage: 39,
 		},
 		{
-			record:             []byte(`{"dv3_1":100}`),
+			record:             []byte(`{"dv3_2":100}`),
 			expectedPercentage: 100,
 		},
 		{
@ -40,7 +40,7 @@ func TestUnmarshalFeaturesRecord(t *testing.T) {
 			record: []byte(`{"kyber":768}`), // Unmarshal to default struct if key is not present
 		},
 		{
-			record: []byte(`{"pq": 101,"dv3":100}`), // Expired keys don't unmarshal to anything
+			record: []byte(`{"pq": 101,"dv3":100,"dv3_1":100}`), // Expired keys don't unmarshal to anything
 		},
 	}

@ -111,10 +111,10 @@ func TestFeaturePrecedenceEvaluationDatagramVersion(t *testing.T) {
 		},
 		{
 			name:             "user_specified_v3",
-			cli:              []string{FeatureDatagramV3_1},
+			cli:              []string{FeatureDatagramV3_2},
 			remote:           featuresRecord{},
-			expectedFeatures: dedupAndRemoveFeatures(append(defaultFeatures, FeatureDatagramV3_1)),
-			expectedVersion:  FeatureDatagramV3_1,
+			expectedFeatures: dedupAndRemoveFeatures(append(defaultFeatures, FeatureDatagramV3_2)),
+			expectedVersion:  FeatureDatagramV3_2,
 		},
 	}

@ -150,6 +150,12 @@ func TestDeprecatedFeaturesRemoved(t *testing.T) {
 			remote:           featuresRecord{},
 			expectedFeatures: defaultFeatures,
 		},
+		{
+			name:             "support_datagram_v3_1",
+			cli:              []string{DeprecatedFeatureDatagramV3_1},
+			remote:           featuresRecord{},
+			expectedFeatures: defaultFeatures,
+		},
 	}

 	for _, test := range tests {
--- a/go.mod
+++ b/go.mod
@ -3,45 +3,45 @@ module github.com/cloudflare/cloudflared
 go 1.24

 require (
-	github.com/coredns/coredns v1.11.3
+	github.com/coredns/coredns v1.12.2
 	github.com/coreos/go-oidc/v3 v3.10.0
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/facebookgo/grace v0.0.0-20180706040059-75cf19382434
 	github.com/fortytw2/leaktest v1.3.0
 	github.com/fsnotify/fsnotify v1.4.9
 	github.com/getsentry/sentry-go v0.16.0
-	github.com/go-chi/chi/v5 v5.0.8
+	github.com/go-chi/chi/v5 v5.2.2
 	github.com/go-chi/cors v1.2.1
 	github.com/go-jose/go-jose/v4 v4.1.0
 	github.com/gobwas/ws v1.2.1
 	github.com/google/gopacket v1.1.19
 	github.com/google/uuid v1.6.0
-	github.com/gorilla/websocket v1.4.2
+	github.com/gorilla/websocket v1.5.0
 	github.com/json-iterator/go v1.1.12
 	github.com/mattn/go-colorable v0.1.13
-	github.com/miekg/dns v1.1.58
+	github.com/miekg/dns v1.1.66
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/pkg/errors v0.9.1
-	github.com/prometheus/client_golang v1.19.1
-	github.com/prometheus/client_model v0.6.0
-	github.com/quic-go/quic-go v0.51.0
+	github.com/prometheus/client_golang v1.22.0
+	github.com/prometheus/client_model v0.6.2
+	github.com/quic-go/quic-go v0.52.0
 	github.com/rs/zerolog v1.20.0
 	github.com/stretchr/testify v1.10.0
 	github.com/urfave/cli/v2 v2.3.0
 	go.opentelemetry.io/contrib/propagators v0.22.0
-	go.opentelemetry.io/otel v1.26.0
+	go.opentelemetry.io/otel v1.35.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0
-	go.opentelemetry.io/otel/sdk v1.26.0
-	go.opentelemetry.io/otel/trace v1.26.0
+	go.opentelemetry.io/otel/sdk v1.35.0
+	go.opentelemetry.io/otel/trace v1.35.0
 	go.opentelemetry.io/proto/otlp v1.2.0
 	go.uber.org/automaxprocs v1.6.0
 	go.uber.org/mock v0.5.1
-	golang.org/x/crypto v0.37.0
-	golang.org/x/net v0.39.0
-	golang.org/x/sync v0.13.0
-	golang.org/x/sys v0.32.0
-	golang.org/x/term v0.31.0
-	google.golang.org/protobuf v1.36.5
+	golang.org/x/crypto v0.38.0
+	golang.org/x/net v0.40.0
+	golang.org/x/sync v0.14.0
+	golang.org/x/sys v0.33.0
+	golang.org/x/term v0.32.0
+	google.golang.org/protobuf v1.36.6
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 	gopkg.in/yaml.v3 v3.0.1
 	nhooyr.io/websocket v1.8.7
@ -52,8 +52,9 @@ require (
 	github.com/BurntSushi/toml v1.2.0 // indirect
 	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/coredns/caddy v1.1.1 // indirect
+	github.com/bytedance/sonic v1.12.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/coredns/caddy v1.1.2-0.20241029205200-8de985351a98 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/facebookgo/ensure v0.0.0-20160127193407-b4ab57deab51 // indirect
@ -61,35 +62,42 @@ require (
 	github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 // indirect
 	github.com/facebookgo/subset v0.0.0-20150612182917-8dac2c3c4870 // indirect
 	github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/gin-gonic/gin v1.9.1 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-playground/validator/v10 v10.15.1 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gobwas/httphead v0.1.0 // indirect
 	github.com/gobwas/pool v0.2.1 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/pprof v0.0.0-20250418163039-24c5476c6587 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
 	github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 // indirect
-	github.com/klauspost/compress v1.15.11 // indirect
-	github.com/kylelemons/godebug v1.1.0 // indirect
-	github.com/mattn/go-isatty v0.0.16 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/onsi/ginkgo/v2 v2.23.4 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/common v0.53.0 // indirect
-	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.9 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus/common v0.64.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	go.opentelemetry.io/otel/metric v1.26.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/otel/metric v1.35.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.35.0 // indirect
+	golang.org/x/arch v0.4.0 // indirect
 	golang.org/x/mod v0.24.0 // indirect
-	golang.org/x/oauth2 v0.29.0 // indirect
-	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
 	golang.org/x/tools v0.32.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
-	google.golang.org/grpc v1.63.2 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250512202823-5a2f75b736a9 // indirect
+	google.golang.org/grpc v1.72.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )

--- a/go.sum
+++ b/go.sum
@ -5,14 +5,22 @@ github.com/apparentlymart/go-cidr v1.1.0 h1:2mAhrMoF+nhXqxTzSZMUzDHkLjmIHC+Zzn4t
 github.com/apparentlymart/go-cidr v1.1.0/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
-github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/bytedance/sonic v1.12.0 h1:YGPgxF9xzaCNvd/ZKdQ28yRovhfMFZQjuk6fKBzZ3ls=
+github.com/bytedance/sonic v1.12.0/go.mod h1:B8Gt/XvtZ3Fqj+iSKMypzymZxw/FVwgIGKzMzT9r/rk=
+github.com/bytedance/sonic/loader v0.2.0 h1:zNprn+lsIP06C/IqCHs3gPQIvnvpKbbxyXQP1iU4kWM=
+github.com/bytedance/sonic/loader v0.2.0/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chungthuang/quic-go v0.45.1-0.20250428085412-43229ad201fd h1:VdYI5zFQ2h1/qzoC6rhyPx479bkF8i177Qpg4Q2n1vk=
 github.com/chungthuang/quic-go v0.45.1-0.20250428085412-43229ad201fd/go.mod h1:MFlGGpcpJqRAfmYi6NC2cptDPSxRWTOGNuP4wqrWmzQ=
-github.com/coredns/caddy v1.1.1 h1:2eYKZT7i6yxIfGP3qLJoJ7HAsDJqYB+X68g4NYjSrE0=
-github.com/coredns/caddy v1.1.1/go.mod h1:A6ntJQlAWuQfFlsd9hvigKbo2WS0VUs2l1e2F+BawD4=
-github.com/coredns/coredns v1.11.3 h1:8RjnpZc42db5th84/QJKH2i137ecJdzZK1HJwhetSPk=
-github.com/coredns/coredns v1.11.3/go.mod h1:lqFkDsHjEUdY7LJ75Nib3lwqJGip6ewWOqNIf8OavIQ=
+github.com/cloudwego/base64x v0.1.4 h1:jwCgWpFanWmN8xoIUHa2rtzmkd5J2plF/dnLS6Xd/0Y=
+github.com/cloudwego/base64x v0.1.4/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
+github.com/cloudwego/iasm v0.2.0 h1:1KNIy1I1H9hNNFEEH3DVnI4UujN+1zjpuk6gwHLTssg=
+github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
+github.com/coredns/caddy v1.1.2-0.20241029205200-8de985351a98 h1:c+Epklw9xk6BZ1OFBPWLA2PcL8QalKvl3if8CP9x8uw=
+github.com/coredns/caddy v1.1.2-0.20241029205200-8de985351a98/go.mod h1:A6ntJQlAWuQfFlsd9hvigKbo2WS0VUs2l1e2F+BawD4=
+github.com/coredns/coredns v1.12.2 h1:G4oDfi340zlVsriZ8nYiUemiQIew7nqOO+QPvPxIA4Y=
+github.com/coredns/coredns v1.12.2/go.mod h1:GFz31oVOfCyMArFoypfu1SoaFoNkbdh6lDxtF1B6vfU=
 github.com/coreos/go-oidc/v3 v3.10.0 h1:tDnXHnLyiTVyT/2zLDGj09pFPkhND8Gl8lnTRhoEaJU=
 github.com/coreos/go-oidc/v3 v3.10.0/go.mod h1:5j11xcw0D3+SGxn6Z/WFADsgcWVMyNAlSQupk0KK3ac=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
@ -41,15 +49,17 @@ github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8
 github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/gabriel-vasile/mimetype v1.4.2 h1:w5qFW6JKBz9Y393Y4q372O9A7cUSequkh1Q7OhCmWKU=
+github.com/gabriel-vasile/mimetype v1.4.2/go.mod h1:zApsH/mKG4w07erKIaJPFiX0Tsq9BFQgN3qGY5GnNgA=
 github.com/getsentry/sentry-go v0.16.0 h1:owk+S+5XcgJLlGR/3+3s6N4d+uKwqYvh/eS0AIMjPWo=
 github.com/getsentry/sentry-go v0.16.0/go.mod h1:ZXCloQLj0pG7mja5NK6NPf2V4A88YJ4pNlc2mOHwh6Y=
 github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
 github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
 github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M=
-github.com/gin-gonic/gin v1.8.1 h1:4+fr/el88TOO3ewCmQr8cx/CtZ/umlIRIs5M4NTNjf8=
-github.com/gin-gonic/gin v1.8.1/go.mod h1:ji8BvRH1azfM+SYow9zQ6SZMvR8qOMZHmsCuWR9tTTk=
-github.com/go-chi/chi/v5 v5.0.8 h1:lD+NLqFcAi1ovnVZpsnObHGW4xb4J8lNmoYVfECH1Y0=
-github.com/go-chi/chi/v5 v5.0.8/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/gin-gonic/gin v1.9.1 h1:4idEAncQnU5cB7BeOkPtxjfCSye0AAm1R0RVIqJ+Jmg=
+github.com/gin-gonic/gin v1.9.1/go.mod h1:hPrL7YrpYKXt5YId3A/Tnip5kqbEAP+KLuI3SUcPTeU=
+github.com/go-chi/chi/v5 v5.2.2 h1:CMwsvRVTbXVytCk1Wd72Zy1LAsAh9GxMmSNWLHCG618=
+github.com/go-chi/chi/v5 v5.2.2/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
 github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
@ -57,20 +67,20 @@ github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3Bop
 github.com/go-jose/go-jose/v4 v4.1.0 h1:cYSYxd3pw5zd2FSXk2vGdn9igQU2PS8MuxrCOCl0FdY=
 github.com/go-jose/go-jose/v4 v4.1.0/go.mod h1:GG/vqmYm3Von2nYiB2vGTXzdoNKE5tix5tuc6iAd+sw=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
-github.com/go-playground/locales v0.14.0 h1:u50s323jtVGugKlcYeyzC0etD1HifMjqmJqb8WugfUU=
-github.com/go-playground/locales v0.14.0/go.mod h1:sawfccIbzZTqEDETgFXqTho0QybSa7l++s0DH+LDiLs=
+github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
+github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA=
-github.com/go-playground/universal-translator v0.18.0 h1:82dyy6p4OuJq4/CByFNOn/jYrnRPArHwAcmLoJZxyho=
-github.com/go-playground/universal-translator v0.18.0/go.mod h1:UvRDBj+xPUEGrFYl+lu/H90nyDXpg0fqeB/AQUGNTVA=
+github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
+github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
 github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI=
-github.com/go-playground/validator/v10 v10.11.1 h1:prmOlTVv+YjZjmRmNSF3VmspqJIxJWXmqUsHwfTRRkQ=
-github.com/go-playground/validator/v10 v10.11.1/go.mod h1:i+3WkQ1FvaUjjxh1kSvIA4dMGDBiPU55YFDl0WbKdWU=
+github.com/go-playground/validator/v10 v10.15.1 h1:BSe8uhN+xQ4r5guV/ywQI4gO59C2raYcGffYWZEjZzM=
+github.com/go-playground/validator/v10 v10.15.1/go.mod h1:9iXMNT7sEkjXb0I+enO7QXmzG6QCsPWY4zveKFVRSyU=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee/go.mod h1:L0fX3K22YWvt/FAX9NnzrNzcI4wNYi9Yku4O0LKYflo=
@ -82,8 +92,8 @@ github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6Wezm
 github.com/gobwas/ws v1.0.2/go.mod h1:szmBTxLgaFppYjEmNtny/v3w89xOydFnnZMcgRRu/EM=
 github.com/gobwas/ws v1.2.1 h1:F2aeBZrm2NDsc7vbovKrWSogd4wvfAxg0FQ89/iqOTk=
 github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY=
-github.com/goccy/go-json v0.9.11 h1:/pAaQDLHEoCq/5FFmSKBswWmK6H0e8g4159Kc/X/nqk=
-github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
+github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
@ -103,10 +113,10 @@ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
-github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 h1:/c3QmbOGMGTOumP2iT/rCwB7b0QDGLKzqOmktBjT+Is=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1/go.mod h1:5SN9VR2LTsRFsrEC6FHgRbTWrTHu6tqPeKxEQv15giM=
+github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
+github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=
 github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 h1:MJG/KsmcqMwFAkh8mTnAwhyKoB+sTAnY4CACC110tbU=
 github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645/go.mod h1:6iZfnjpejD4L/4DwD7NryNaJyCQdzwWwH2MWhCA90Kw=
 github.com/ipostelnik/cli/v2 v2.3.1-0.20210324024421-b6ea8234fe3d h1:PRDnysJ9dF1vUMmEzBu6aHQeUluSQy4eWH3RsSSy/vI=
@ -115,8 +125,10 @@ github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/u
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
-github.com/klauspost/compress v1.15.11 h1:Lcadnb3RKGin4FYM/orgq0qde+nc15E5Cbqg4B9Sx9c=
-github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/klauspost/cpuid/v2 v2.2.5 h1:0E5MSMDEoAulmXNFquVs//DdoomxaoTY1kUhbc/qbZg=
+github.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@ -124,17 +136,18 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
-github.com/leodido/go-urn v1.2.1 h1:BqpAaACuzVSgi/VLzGZIobT2z4v53pjosyNd9Yv6n/w=
-github.com/leodido/go-urn v1.2.1/go.mod h1:zt4jvISO2HfUBqxjfIshjdMTYS56ZS/qv49ictyFfxY=
+github.com/leodido/go-urn v1.2.4 h1:XlAE/cm/ms7TE/VMVoduSpNBoyc2dOxHs5MZSwAN63Q=
+github.com/leodido/go-urn v1.2.4/go.mod h1:7ZrI8mTSeBSHl/UaRyKQW1qZeMgak41ANeCNaVckg+4=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
-github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
-github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4=
-github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY=
+github.com/miekg/dns v1.1.66 h1:FeZXOS3VCVsKnEAd+wBkjMC3D2K+ww66Cq3VnCINuJE=
+github.com/miekg/dns v1.1.66/go.mod h1:jGFzBsSNbJw6z1HYut1RKBKHA9PBdxeHrZG8J+gC2WE=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@ -143,35 +156,38 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJ
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
 github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
 github.com/onsi/gomega v1.36.3 h1:hID7cr8t3Wp26+cYnfcjR6HpJ00fdogN6dqZ1t6IylU=
 github.com/onsi/gomega v1.36.3/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
-github.com/pelletier/go-toml/v2 v2.0.5 h1:ipoSadvV8oGUjnUbMub59IDPPwfxF694nG/jwbMiyQg=
-github.com/pelletier/go-toml/v2 v2.0.5/go.mod h1:OMHamSCAODeSsVrwwvcJOaoN0LIUIaFVNZzmWyNfXas=
-github.com/philhofer/fwd v1.1.2 h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw=
-github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2tUTP0=
+github.com/pelletier/go-toml/v2 v2.0.9 h1:uH2qQXheeefCCkuBBSLi7jCiSmj3VRh2+Goq2N7Xxu0=
+github.com/pelletier/go-toml/v2 v2.0.9/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc=
+github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c h1:dAMKvw0MlJT1GshSTtih8C2gDs04w8dReiOGXrGLNoY=
+github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
 github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4=
 github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
 github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
-github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
-github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
-github.com/prometheus/client_model v0.6.0 h1:k1v3CzpSRUTrKMppY35TLwPvxHqBu0bYgxZzqGIgaos=
-github.com/prometheus/client_model v0.6.0/go.mod h1:NTQHnmxFpouOD0DpvP4XujX3CdOAGQPoaGhyTchlyt8=
-github.com/prometheus/common v0.53.0 h1:U2pL9w9nmJwJDa4qqLQ3ZaePJ6ZTwt7cMD3AG3+aLCE=
-github.com/prometheus/common v0.53.0/go.mod h1:BrxBKv3FWBIGXw89Mg1AeBq7FSyRzXWI3l3e7W3RN5U=
-github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
-github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
+github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.64.0 h1:pdZeA+g617P7oGv1CzdTzyeShxAGrTBsolKNOLQPGO4=
+github.com/prometheus/common v0.64.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=
+github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
+github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
 github.com/rs/zerolog v1.20.0 h1:38k9hgtUBdxFwE34yS8rTHmHBa4eN16E4DJlv177LNs=
 github.com/rs/zerolog v1.20.0/go.mod h1:IzD0RJ65iWH0w97OQQebJEvTZYvsCUm9WVLWBQrJRjo=
@ -180,70 +196,86 @@ github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tinylib/msgp v1.1.8 h1:FCXC1xanKO4I8plpHGH2P7koL/RzZs12l/+r7vakfm0=
-github.com/tinylib/msgp v1.1.8/go.mod h1:qkpG+2ldGg4xRFmx+jfTvZPxfGFhi64BcnL9vkCm/Tw=
+github.com/tinylib/msgp v1.2.5 h1:WeQg1whrXRFiZusidTQqzETkRpGjFjcIhW6uqWH09po=
+github.com/tinylib/msgp v1.2.5/go.mod h1:ykjzy2wzgrlvpDCRc4LA8UXy6D8bzMSuAF3WD57Gok0=
+github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
+github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go v1.1.7 h1:/68gy2h+1mWMrwZFeD1kQialdSzAb432dtpeJ42ovdo=
 github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
 github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY=
-github.com/ugorji/go/codec v1.2.7 h1:YPXUKf7fYbp/y8xloBqZOw2qaVggbfwMlI8WM3wZUJ0=
-github.com/ugorji/go/codec v1.2.7/go.mod h1:WGN1fab3R1fzQlVQTkfxVtIBhWDRqOviHU95kRgeqEY=
+github.com/ugorji/go/codec v1.2.11 h1:BMaWp1Bb6fHwEtbplGBGJ498wD+LKlNSl25MjdZY4dU=
+github.com/ugorji/go/codec v1.2.11/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/propagators v0.22.0 h1:KGdv58M2//veiYLIhb31mofaI2LgkIPXXAZVeYVyfd8=
 go.opentelemetry.io/contrib/propagators v0.22.0/go.mod h1:xGOuXr6lLIF9BXipA4pm6UuOSI0M98U6tsI3khbOiwU=
 go.opentelemetry.io/otel v1.0.0-RC2/go.mod h1:w1thVQ7qbAy8MHb0IFj8a5Q2QU0l2ksf8u/CN8m3NOM=
-go.opentelemetry.io/otel v1.26.0 h1:LQwgL5s/1W7YiiRwxf03QGnWLb2HW4pLiAhaA5cZXBs=
-go.opentelemetry.io/otel v1.26.0/go.mod h1:UmLkJHUAidDval2EICqBMbnAd0/m2vmpf/dAM+fvFs4=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0 h1:1u/AyyOqAWzy+SkPxDpahCNZParHV8Vid1RnI2clyDE=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0/go.mod h1:z46paqbJ9l7c9fIPCXTqTGwhQZ5XoTIsfeFYWboizjs=
-go.opentelemetry.io/otel/metric v1.26.0 h1:7S39CLuY5Jgg9CrnA9HHiEjGMF/X2VHvoXGgSllRz30=
-go.opentelemetry.io/otel/metric v1.26.0/go.mod h1:SY+rHOI4cEawI9a7N1A4nIg/nTQXe1ccCNWYOJUrpX4=
-go.opentelemetry.io/otel/sdk v1.26.0 h1:Y7bumHf5tAiDlRYFmGqetNcLaVUZmh4iYfmGxtmz7F8=
-go.opentelemetry.io/otel/sdk v1.26.0/go.mod h1:0p8MXpqLeJ0pzcszQQN4F0S5FVjBLgypeGSngLsmirs=
+go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
+go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
+go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
+go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
+go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
+go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
 go.opentelemetry.io/otel/trace v1.0.0-RC2/go.mod h1:JPQ+z6nNw9mqEGT8o3eoPTdnNI+Aj5JcxEsVGREIAy4=
-go.opentelemetry.io/otel/trace v1.26.0 h1:1ieeAUb4y0TE26jUFrCIXKpTuVK7uJGN9/Z/2LP5sQA=
-go.opentelemetry.io/otel/trace v1.26.0/go.mod h1:4iDxvGDQuUkHve82hJJ8UqrwswHYsZuWCBllGV2U2y0=
+go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
+go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
 go.opentelemetry.io/proto/otlp v1.2.0 h1:pVeZGk7nXDC9O2hncA6nHldxEjm6LByfA2aN8IOkz94=
 go.opentelemetry.io/proto/otlp v1.2.0/go.mod h1:gGpR8txAl5M03pDhMC79G6SdqNV26naRm/KDsgaHD8A=
 go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
 go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/mock v0.5.1 h1:ASgazW/qBmR+A32MYFDB6E2POoTgOwT509VP0CT/fjs=
 go.uber.org/mock v0.5.1/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
+golang.org/x/arch v0.4.0 h1:A8WCeEWhLwPBKNbFi5Wv5UTCBx5zzubnXDlMOFAzFMc=
+golang.org/x/arch v0.4.0/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
-golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
+golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
 golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
-golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
-golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98=
-golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
-golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
-golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
-golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
+golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
-golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190828213141-aed303cbaa74/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@ -253,14 +285,14 @@ golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2 h1:rIo7ocm2roD9DcFIX67Ym8icoGCKSARAiPljFhh5suQ=
-google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2/go.mod h1:O1cOfN1Cy6QEYr7VxtjOyP5AdAuR0aJ/MYZaaof623Y=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 h1:NnYq6UN9ReLM9/Y01KWNOWyI5xQ9kbIms5GGJVwS/Yc=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
-google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM=
-google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2 h1:vPV0tzlsK6EzEDHNNH5sa7Hs9bd7iXR7B1tSiPepkV0=
+google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2/go.mod h1:pKLAc5OolXC3ViWGI62vvC0n10CpwAtRcTNCFwTKBEw=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250512202823-5a2f75b736a9 h1:IkAfh6J/yllPtpYFU0zZN1hUPYdT0ogkBT/9hMxHjvg=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250512202823-5a2f75b736a9/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
--- a/ingress/ingress.go
+++ b/ingress/ingress.go
@ -317,7 +317,7 @@ func validateIngress(ingress []config.UnvalidatedIngressRule, defaults OriginReq
 				return Ingress{}, err
 			}
 			if access.Required {
-				verifier := middleware.NewJWTValidator(access.TeamName, "", access.AudTag)
+				verifier := middleware.NewJWTValidator(access.TeamName, access.Environment, access.AudTag)
 				handlers = append(handlers, verifier)
 			}
 		}
--- a/ingress/middleware/jwtvalidator.go
+++ b/ingress/middleware/jwtvalidator.go
@ -6,6 +6,8 @@ import (
 	"net/http"

 	"github.com/coreos/go-oidc/v3/oidc"
+
+	"github.com/cloudflare/cloudflared/credentials"
 )

 const (
@ -13,7 +15,8 @@ const (
 )

 var (
-	cloudflareAccessCertsURL = "https://%s.cloudflareaccess.com"
+	cloudflareAccessCertsURL    = "https://%s.cloudflareaccess.com"
+	cloudflareAccessFedCertsURL = "https://%s.fed.cloudflareaccess.com"
 )

 // JWTValidator is an implementation of Verifier that validates access based JWT tokens.
@ -22,10 +25,14 @@ type JWTValidator struct {
 	audTags []string
 }

-func NewJWTValidator(teamName string, certsURL string, audTags []string) *JWTValidator {
-	if certsURL == "" {
+func NewJWTValidator(teamName string, environment string, audTags []string) *JWTValidator {
+	var certsURL string
+	if environment == credentials.FedEndpoint {
+		certsURL = fmt.Sprintf(cloudflareAccessFedCertsURL, teamName)
+	} else {
 		certsURL = fmt.Sprintf(cloudflareAccessCertsURL, teamName)
 	}
+
 	certsEndpoint := fmt.Sprintf("%s/cdn-cgi/access/certs", certsURL)

 	config := &oidc.Config{
--- a/ingress/origin_connection.go
+++ b/ingress/origin_connection.go
@ -19,7 +19,7 @@ import (
 type OriginConnection interface {
 	// Stream should generally be implemented as a bidirectional io.Copy.
 	Stream(ctx context.Context, tunnelConn io.ReadWriter, log *zerolog.Logger)
-	Close()
+	Close() error
 }

 type streamHandlerFunc func(originConn io.ReadWriter, remoteConn net.Conn, log *zerolog.Logger)
@ -48,16 +48,7 @@ func (tc *tcpConnection) Write(b []byte) (int, error) {
 		}
 	}

-	nBytes, err := tc.Conn.Write(b)
-	if err != nil {
-		tc.logger.Err(err).Msg("Error writing to the TCP connection")
-	}
-
-	return nBytes, err
-}
-
-func (tc *tcpConnection) Close() {
-	tc.Conn.Close()
+	return tc.Conn.Write(b)
 }

 // tcpOverWSConnection is an OriginConnection that streams to TCP over WS.
@ -75,8 +66,8 @@ func (wc *tcpOverWSConnection) Stream(ctx context.Context, tunnelConn io.ReadWri
 	wsConn.Close()
 }

-func (wc *tcpOverWSConnection) Close() {
-	wc.conn.Close()
+func (wc *tcpOverWSConnection) Close() error {
+	return wc.conn.Close()
 }

 // socksProxyOverWSConnection is an OriginConnection that streams SOCKS connections over WS.
@ -95,5 +86,6 @@ func (sp *socksProxyOverWSConnection) Stream(ctx context.Context, tunnelConn io.
 	wsConn.Close()
 }

-func (sp *socksProxyOverWSConnection) Close() {
+func (sp *socksProxyOverWSConnection) Close() error {
+	return nil
 }
--- a/ingress/origin_dialer.go
+++ b/ingress/origin_dialer.go
@ -0,0 +1,163 @@
+package ingress
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/netip"
+	"sync"
+	"time"
+
+	"github.com/rs/zerolog"
+)
+
+const writeDeadlineUDP = 200 * time.Millisecond
+
+// OriginTCPDialer provides a TCP dial operation to a requested address.
+type OriginTCPDialer interface {
+	DialTCP(ctx context.Context, addr netip.AddrPort) (net.Conn, error)
+}
+
+// OriginUDPDialer provides a UDP dial operation to a requested address.
+type OriginUDPDialer interface {
+	DialUDP(addr netip.AddrPort) (net.Conn, error)
+}
+
+// OriginDialer provides both TCP and UDP dial operations to an address.
+type OriginDialer interface {
+	OriginTCPDialer
+	OriginUDPDialer
+}
+
+type OriginConfig struct {
+	// The default Dialer used if no reserved services are found for an origin request.
+	DefaultDialer OriginDialer
+	// Timeout on write operations for TCP connections to the origin.
+	TCPWriteTimeout time.Duration
+}
+
+// OriginDialerService provides a proxy TCP and UDP dialer to origin services while allowing reserved
+// services to be provided. These reserved services are assigned to specific [netip.AddrPort]s
+// and provide their own [OriginDialer]'s to handle origin dialing per protocol.
+type OriginDialerService struct {
+	// Reserved TCP services for reserved AddrPort values
+	reservedTCPServices map[netip.AddrPort]OriginTCPDialer
+	// Reserved UDP services for reserved AddrPort values
+	reservedUDPServices map[netip.AddrPort]OriginUDPDialer
+	// The default Dialer used if no reserved services are found for an origin request
+	defaultDialer  OriginDialer
+	defaultDialerM sync.RWMutex
+	// Write timeout for TCP connections
+	writeTimeout time.Duration
+
+	logger *zerolog.Logger
+}
+
+func NewOriginDialer(config OriginConfig, logger *zerolog.Logger) *OriginDialerService {
+	return &OriginDialerService{
+		reservedTCPServices: map[netip.AddrPort]OriginTCPDialer{},
+		reservedUDPServices: map[netip.AddrPort]OriginUDPDialer{},
+		defaultDialer:       config.DefaultDialer,
+		writeTimeout:        config.TCPWriteTimeout,
+		logger:              logger,
+	}
+}
+
+// AddReservedService adds a reserved virtual service to dial to.
+// Not locked and expected to be initialized before calling first dial and not afterwards.
+func (d *OriginDialerService) AddReservedService(service OriginDialer, addrs []netip.AddrPort) {
+	for _, addr := range addrs {
+		d.reservedTCPServices[addr] = service
+		d.reservedUDPServices[addr] = service
+	}
+}
+
+// UpdateDefaultDialer updates the default dialer.
+func (d *OriginDialerService) UpdateDefaultDialer(dialer *Dialer) {
+	d.defaultDialerM.Lock()
+	defer d.defaultDialerM.Unlock()
+	d.defaultDialer = dialer
+}
+
+// DialTCP will perform a dial TCP to the requested addr.
+func (d *OriginDialerService) DialTCP(ctx context.Context, addr netip.AddrPort) (net.Conn, error) {
+	conn, err := d.dialTCP(ctx, addr)
+	if err != nil {
+		return nil, err
+	}
+	// Assign the write timeout for the TCP operations
+	return &tcpConnection{
+		Conn:         conn,
+		writeTimeout: d.writeTimeout,
+		logger:       d.logger,
+	}, nil
+}
+
+func (d *OriginDialerService) dialTCP(ctx context.Context, addr netip.AddrPort) (net.Conn, error) {
+	// Check to see if any reserved services are available for this addr and call their dialer instead.
+	if dialer, ok := d.reservedTCPServices[addr]; ok {
+		return dialer.DialTCP(ctx, addr)
+	}
+	d.defaultDialerM.RLock()
+	dialer := d.defaultDialer
+	d.defaultDialerM.RUnlock()
+	return dialer.DialTCP(ctx, addr)
+}
+
+// DialUDP will perform a dial UDP to the requested addr.
+func (d *OriginDialerService) DialUDP(addr netip.AddrPort) (net.Conn, error) {
+	// Check to see if any reserved services are available for this addr and call their dialer instead.
+	if dialer, ok := d.reservedUDPServices[addr]; ok {
+		return dialer.DialUDP(addr)
+	}
+	d.defaultDialerM.RLock()
+	dialer := d.defaultDialer
+	d.defaultDialerM.RUnlock()
+	return dialer.DialUDP(addr)
+}
+
+type Dialer struct {
+	Dialer net.Dialer
+}
+
+func NewDialer(config WarpRoutingConfig) *Dialer {
+	return &Dialer{
+		Dialer: net.Dialer{
+			Timeout:   config.ConnectTimeout.Duration,
+			KeepAlive: config.TCPKeepAlive.Duration,
+		},
+	}
+}
+
+func (d *Dialer) DialTCP(ctx context.Context, dest netip.AddrPort) (net.Conn, error) {
+	conn, err := d.Dialer.DialContext(ctx, "tcp", dest.String())
+	if err != nil {
+		return nil, fmt.Errorf("unable to dial tcp to origin %s: %w", dest, err)
+	}
+
+	return conn, nil
+}
+
+func (d *Dialer) DialUDP(dest netip.AddrPort) (net.Conn, error) {
+	conn, err := d.Dialer.Dial("udp", dest.String())
+	if err != nil {
+		return nil, fmt.Errorf("unable to dial udp to origin %s: %w", dest, err)
+	}
+	return &writeDeadlineConn{
+		Conn: conn,
+	}, nil
+}
+
+// writeDeadlineConn is a wrapper around a net.Conn that sets a write deadline of 200ms.
+// This is to prevent the socket from blocking on the write operation if it were to occur. However,
+// we typically never expect this to occur except under high load or kernel issues.
+type writeDeadlineConn struct {
+	net.Conn
+}
+
+func (w *writeDeadlineConn) Write(b []byte) (int, error) {
+	if err := w.SetWriteDeadline(time.Now().Add(writeDeadlineUDP)); err != nil {
+		return 0, err
+	}
+	return w.Conn.Write(b)
+}
--- a/ingress/origin_udp_proxy.go
+++ b/ingress/origin_udp_proxy.go
@ -1,46 +0,0 @@
-package ingress
-
-import (
-	"fmt"
-	"io"
-	"net"
-	"net/netip"
-)
-
-type UDPProxy interface {
-	io.ReadWriteCloser
-	LocalAddr() net.Addr
-}
-
-type udpProxy struct {
-	*net.UDPConn
-}
-
-func DialUDP(dstIP net.IP, dstPort uint16) (UDPProxy, error) {
-	dstAddr := &net.UDPAddr{
-		IP:   dstIP,
-		Port: int(dstPort),
-	}
-
-	// We use nil as local addr to force runtime to find the best suitable local address IP given the destination
-	// address as context.
-	udpConn, err := net.DialUDP("udp", nil, dstAddr)
-	if err != nil {
-		return nil, fmt.Errorf("unable to create UDP proxy to origin (%v:%v): %w", dstIP, dstPort, err)
-	}
-
-	return &udpProxy{udpConn}, nil
-}
-
-func DialUDPAddrPort(dest netip.AddrPort) (*net.UDPConn, error) {
-	addr := net.UDPAddrFromAddrPort(dest)
-
-	// We use nil as local addr to force runtime to find the best suitable local address IP given the destination
-	// address as context.
-	udpConn, err := net.DialUDP("udp", nil, addr)
-	if err != nil {
-		return nil, fmt.Errorf("unable to dial udp to origin %s: %w", dest, err)
-	}
-
-	return udpConn, nil
-}
--- a/ingress/origins/dns.go
+++ b/ingress/origins/dns.go
@ -0,0 +1,219 @@
+package origins
+
+import (
+	"context"
+	"crypto/rand"
+	"math/big"
+	"net"
+	"net/netip"
+	"slices"
+	"sync"
+	"time"
+
+	"github.com/rs/zerolog"
+
+	"github.com/cloudflare/cloudflared/ingress"
+)
+
+const (
+	// We need a DNS record:
+	// 1. That will be around for as long as cloudflared is
+	// 2. That Cloudflare controls: to allow us to make changes if needed
+	// 3. That is an external record to a typical customer's network: enforcing that the DNS request go to the
+	//    local DNS resolver over any local /etc/host configurations setup.
+	// 4. That cloudflared would normally query: ensuring that users with a positive security model for DNS queries
+	//    don't need to adjust anything.
+	//
+	// This hostname is one that used during the edge discovery process and as such satisfies the above constraints.
+	defaultLookupHost          = "region1.v2.argotunnel.com"
+	defaultResolverPort uint16 = 53
+
+	// We want the refresh time to be short to accommodate DNS resolver changes locally, but not too frequent as to
+	// shuffle the resolver if multiple are configured.
+	refreshFreq    = 5 * time.Minute
+	refreshTimeout = 5 * time.Second
+)
+
+var (
+	// Virtual DNS service address
+	VirtualDNSServiceAddr = netip.AddrPortFrom(netip.MustParseAddr("2606:4700:0cf1:2000:0000:0000:0000:0001"), 53)
+
+	defaultResolverAddr = netip.AddrPortFrom(netip.MustParseAddr("127.0.0.1"), defaultResolverPort)
+)
+
+type netDial func(network string, address string) (net.Conn, error)
+
+// DNSResolverService will make DNS requests to the local DNS resolver via the Dial method.
+type DNSResolverService struct {
+	addresses  []netip.AddrPort
+	addressesM sync.RWMutex
+	static     bool
+	dialer     ingress.OriginDialer
+	resolver   peekResolver
+	logger     *zerolog.Logger
+	metrics    Metrics
+}
+
+func NewDNSResolverService(dialer ingress.OriginDialer, logger *zerolog.Logger, metrics Metrics) *DNSResolverService {
+	return &DNSResolverService{
+		addresses: []netip.AddrPort{defaultResolverAddr},
+		dialer:    dialer,
+		resolver:  &resolver{dialFunc: net.Dial},
+		logger:    logger,
+		metrics:   metrics,
+	}
+}
+
+func NewStaticDNSResolverService(resolverAddrs []netip.AddrPort, dialer ingress.OriginDialer, logger *zerolog.Logger, metrics Metrics) *DNSResolverService {
+	s := NewDNSResolverService(dialer, logger, metrics)
+	s.addresses = resolverAddrs
+	s.static = true
+	return s
+}
+
+func (s *DNSResolverService) DialTCP(ctx context.Context, _ netip.AddrPort) (net.Conn, error) {
+	s.metrics.IncrementDNSTCPRequests()
+	dest := s.getAddress()
+	// The dialer ignores the provided address because the request will instead go to the local DNS resolver.
+	return s.dialer.DialTCP(ctx, dest)
+}
+
+func (s *DNSResolverService) DialUDP(_ netip.AddrPort) (net.Conn, error) {
+	s.metrics.IncrementDNSUDPRequests()
+	dest := s.getAddress()
+	// The dialer ignores the provided address because the request will instead go to the local DNS resolver.
+	return s.dialer.DialUDP(dest)
+}
+
+// StartRefreshLoop is a routine that is expected to run in the background to update the DNS local resolver if
+// adjusted while the cloudflared process is running.
+// Does not run when the resolver was provided with external resolver addresses via CLI.
+func (s *DNSResolverService) StartRefreshLoop(ctx context.Context) {
+	if s.static {
+		s.logger.Debug().Msgf("Canceled DNS local resolver refresh loop because static resolver addresses were provided: %s", s.addresses)
+		return
+	}
+	// Call update first to load an address before handling traffic
+	err := s.update(ctx)
+	if err != nil {
+		s.logger.Err(err).Msg("Failed to initialize DNS local resolver")
+	}
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-time.Tick(refreshFreq):
+			err := s.update(ctx)
+			if err != nil {
+				s.logger.Err(err).Msg("Failed to refresh DNS local resolver")
+			}
+		}
+	}
+}
+
+func (s *DNSResolverService) update(ctx context.Context) error {
+	ctx, cancel := context.WithTimeout(ctx, refreshTimeout)
+	defer cancel()
+	// Make a standard DNS request to a well-known DNS record that will last a long time
+	_, err := s.resolver.lookupNetIP(ctx, defaultLookupHost)
+	if err != nil {
+		return err
+	}
+
+	// Validate the address before updating internal reference
+	_, address := s.resolver.addr()
+	peekAddrPort, err := netip.ParseAddrPort(address)
+	if err == nil {
+		s.setAddress(peekAddrPort)
+		return nil
+	}
+	// It's possible that the address didn't have an attached port, attempt to parse just the address and use
+	// the default port 53
+	peekAddr, err := netip.ParseAddr(address)
+	if err != nil {
+		return err
+	}
+	s.setAddress(netip.AddrPortFrom(peekAddr, defaultResolverPort))
+	return nil
+}
+
+// returns the address from the peekResolver or from the static addresses if provided.
+// If multiple addresses are provided in the static addresses pick one randomly.
+func (s *DNSResolverService) getAddress() netip.AddrPort {
+	s.addressesM.RLock()
+	defer s.addressesM.RUnlock()
+	l := len(s.addresses)
+	if l <= 0 {
+		return defaultResolverAddr
+	}
+	if l == 1 {
+		return s.addresses[0]
+	}
+	// Only initialize the random selection if there is more than one element in the list.
+	var i int64 = 0
+	r, err := rand.Int(rand.Reader, big.NewInt(int64(l)))
+	// We ignore errors from crypto rand and use index 0; this should be extremely unlikely and the
+	// list index doesn't need to be cryptographically secure, but linters insist.
+	if err == nil {
+		i = r.Int64()
+	}
+	return s.addresses[i]
+}
+
+// lock and update the address used for the local DNS resolver
+func (s *DNSResolverService) setAddress(addr netip.AddrPort) {
+	s.addressesM.Lock()
+	defer s.addressesM.Unlock()
+	if !slices.Contains(s.addresses, addr) {
+		s.logger.Debug().Msgf("Updating DNS local resolver: %s", addr)
+	}
+	// We only store one address when reading the peekResolver, so we just replace the whole list.
+	s.addresses = []netip.AddrPort{addr}
+}
+
+type peekResolver interface {
+	addr() (network string, address string)
+	lookupNetIP(ctx context.Context, host string) ([]netip.Addr, error)
+}
+
+// resolver is a shim that inspects the go runtime's DNS resolution process to capture the DNS resolver
+// address used to complete a DNS request.
+type resolver struct {
+	network  string
+	address  string
+	dialFunc netDial
+}
+
+func (r *resolver) addr() (network string, address string) {
+	return r.network, r.address
+}
+
+func (r *resolver) lookupNetIP(ctx context.Context, host string) ([]netip.Addr, error) {
+	resolver := &net.Resolver{
+		PreferGo: true,
+		// Use the peekDial to inspect the results of the DNS resolver used during the LookupIPAddr call.
+		Dial: r.peekDial,
+	}
+	return resolver.LookupNetIP(ctx, "ip", host)
+}
+
+func (r *resolver) peekDial(ctx context.Context, network, address string) (net.Conn, error) {
+	r.network = network
+	r.address = address
+	return r.dialFunc(network, address)
+}
+
+// NewDNSDialer creates a custom dialer for the DNS resolver service to utilize.
+func NewDNSDialer() *ingress.Dialer {
+	return &ingress.Dialer{
+		Dialer: net.Dialer{
+			// We want short timeouts for the DNS requests
+			Timeout: 5 * time.Second,
+			// We do not want keep alive since the edge will not reuse TCP connections per request
+			KeepAlive: -1,
+			KeepAliveConfig: net.KeepAliveConfig{
+				Enable: false,
+			},
+		},
+	}
+}
--- a/ingress/origins/dns_test.go
+++ b/ingress/origins/dns_test.go
@ -0,0 +1,195 @@
+package origins
+
+import (
+	"context"
+	"errors"
+	"net"
+	"net/netip"
+	"slices"
+	"testing"
+	"time"
+
+	"github.com/rs/zerolog"
+)
+
+func TestDNSResolver_DefaultResolver(t *testing.T) {
+	log := zerolog.Nop()
+	service := NewDNSResolverService(NewDNSDialer(), &log, &noopMetrics{})
+	mockResolver := &mockPeekResolver{
+		address: "127.0.0.2:53",
+	}
+	service.resolver = mockResolver
+	validateAddrs(t, []netip.AddrPort{defaultResolverAddr}, service.addresses)
+}
+
+func TestStaticDNSResolver_DefaultResolver(t *testing.T) {
+	log := zerolog.Nop()
+	addresses := []netip.AddrPort{netip.MustParseAddrPort("1.1.1.1:53"), netip.MustParseAddrPort("1.0.0.1:53")}
+	service := NewStaticDNSResolverService(addresses, NewDNSDialer(), &log, &noopMetrics{})
+	mockResolver := &mockPeekResolver{
+		address: "127.0.0.2:53",
+	}
+	service.resolver = mockResolver
+	validateAddrs(t, addresses, service.addresses)
+}
+
+func TestDNSResolver_UpdateResolverAddress(t *testing.T) {
+	log := zerolog.Nop()
+	service := NewDNSResolverService(NewDNSDialer(), &log, &noopMetrics{})
+
+	mockResolver := &mockPeekResolver{}
+	service.resolver = mockResolver
+
+	tests := []struct {
+		addr     string
+		expected netip.AddrPort
+	}{
+		{"127.0.0.2:53", netip.MustParseAddrPort("127.0.0.2:53")},
+		// missing port should be added (even though this is unlikely to happen)
+		{"127.0.0.3", netip.MustParseAddrPort("127.0.0.3:53")},
+	}
+
+	for _, test := range tests {
+		mockResolver.address = test.addr
+		// Update the resolver address
+		err := service.update(t.Context())
+		if err != nil {
+			t.Error(err)
+		}
+		// Validate expected
+		validateAddrs(t, []netip.AddrPort{test.expected}, service.addresses)
+	}
+}
+
+func TestStaticDNSResolver_RefreshLoopExits(t *testing.T) {
+	log := zerolog.Nop()
+	addresses := []netip.AddrPort{netip.MustParseAddrPort("1.1.1.1:53"), netip.MustParseAddrPort("1.0.0.1:53")}
+	service := NewStaticDNSResolverService(addresses, NewDNSDialer(), &log, &noopMetrics{})
+
+	mockResolver := &mockPeekResolver{
+		address: "127.0.0.2:53",
+	}
+	service.resolver = mockResolver
+
+	ctx, cancel := context.WithCancel(t.Context())
+	defer cancel()
+
+	go service.StartRefreshLoop(ctx)
+
+	// Wait for the refresh loop to end _and_ not update the addresses
+	time.Sleep(10 * time.Millisecond)
+
+	// Validate expected
+	validateAddrs(t, addresses, service.addresses)
+}
+
+func TestDNSResolver_UpdateResolverAddressInvalid(t *testing.T) {
+	log := zerolog.Nop()
+	service := NewDNSResolverService(NewDNSDialer(), &log, &noopMetrics{})
+	mockResolver := &mockPeekResolver{}
+	service.resolver = mockResolver
+
+	invalidAddresses := []string{
+		"999.999.999.999",
+		"localhost",
+		"255.255.255",
+	}
+
+	for _, addr := range invalidAddresses {
+		mockResolver.address = addr
+		// Update the resolver address should not update for these invalid addresses
+		err := service.update(t.Context())
+		if err == nil {
+			t.Error("service update should throw an error")
+		}
+		// Validate expected
+		validateAddrs(t, []netip.AddrPort{defaultResolverAddr}, service.addresses)
+	}
+}
+
+func TestDNSResolver_UpdateResolverErrorIgnored(t *testing.T) {
+	log := zerolog.Nop()
+	service := NewDNSResolverService(NewDNSDialer(), &log, &noopMetrics{})
+	resolverErr := errors.New("test resolver error")
+	mockResolver := &mockPeekResolver{err: resolverErr}
+	service.resolver = mockResolver
+
+	// Update the resolver address should not update when the resolver cannot complete the lookup
+	err := service.update(t.Context())
+	if err != resolverErr {
+		t.Error("service update should throw an error")
+	}
+	// Validate expected
+	validateAddrs(t, []netip.AddrPort{defaultResolverAddr}, service.addresses)
+}
+
+func TestDNSResolver_DialUDPUsesResolvedAddress(t *testing.T) {
+	log := zerolog.Nop()
+	mockDialer := &mockDialer{expected: defaultResolverAddr}
+	service := NewDNSResolverService(mockDialer, &log, &noopMetrics{})
+	mockResolver := &mockPeekResolver{}
+	service.resolver = mockResolver
+
+	// Attempt a dial to 127.0.0.2:53 which should be ignored and instead resolve to 127.0.0.1:53
+	_, err := service.DialUDP(netip.MustParseAddrPort("127.0.0.2:53"))
+	if err != nil {
+		t.Error(err)
+	}
+}
+
+func TestDNSResolver_DialTCPUsesResolvedAddress(t *testing.T) {
+	log := zerolog.Nop()
+	mockDialer := &mockDialer{expected: defaultResolverAddr}
+	service := NewDNSResolverService(mockDialer, &log, &noopMetrics{})
+	mockResolver := &mockPeekResolver{}
+	service.resolver = mockResolver
+
+	// Attempt a dial to 127.0.0.2:53 which should be ignored and instead resolve to 127.0.0.1:53
+	_, err := service.DialTCP(t.Context(), netip.MustParseAddrPort("127.0.0.2:53"))
+	if err != nil {
+		t.Error(err)
+	}
+}
+
+type mockPeekResolver struct {
+	err     error
+	address string
+}
+
+func (r *mockPeekResolver) addr() (network, address string) {
+	return "udp", r.address
+}
+
+func (r *mockPeekResolver) lookupNetIP(ctx context.Context, host string) ([]netip.Addr, error) {
+	// We can return an empty result as it doesn't matter as long as the lookup doesn't fail
+	return []netip.Addr{}, r.err
+}
+
+type mockDialer struct {
+	expected netip.AddrPort
+}
+
+func (d *mockDialer) DialTCP(ctx context.Context, addr netip.AddrPort) (net.Conn, error) {
+	if d.expected != addr {
+		return nil, errors.New("unexpected address dialed")
+	}
+	return nil, nil
+}
+
+func (d *mockDialer) DialUDP(addr netip.AddrPort) (net.Conn, error) {
+	if d.expected != addr {
+		return nil, errors.New("unexpected address dialed")
+	}
+	return nil, nil
+}
+
+func validateAddrs(t *testing.T, expected []netip.AddrPort, actual []netip.AddrPort) {
+	if len(actual) != len(expected) {
+		t.Errorf("addresses should only contain one element: %s", actual)
+	}
+	for _, e := range expected {
+		if !slices.Contains(actual, e) {
+			t.Errorf("missing address: %s in %s", e, actual)
+		}
+	}
+}
--- a/ingress/origins/metrics.go
+++ b/ingress/origins/metrics.go
@ -0,0 +1,40 @@
+package origins
+
+import (
+	"github.com/prometheus/client_golang/prometheus"
+)
+
+const (
+	namespace = "cloudflared"
+	subsystem = "virtual_origins"
+)
+
+type Metrics interface {
+	IncrementDNSUDPRequests()
+	IncrementDNSTCPRequests()
+}
+
+type metrics struct {
+	dnsResolverRequests *prometheus.CounterVec
+}
+
+func (m *metrics) IncrementDNSUDPRequests() {
+	m.dnsResolverRequests.WithLabelValues("udp").Inc()
+}
+
+func (m *metrics) IncrementDNSTCPRequests() {
+	m.dnsResolverRequests.WithLabelValues("tcp").Inc()
+}
+
+func NewMetrics(registerer prometheus.Registerer) Metrics {
+	m := &metrics{
+		dnsResolverRequests: prometheus.NewCounterVec(prometheus.CounterOpts{
+			Namespace: namespace,
+			Subsystem: subsystem,
+			Name:      "dns_requests_total",
+			Help:      "Total count of DNS requests that have been proxied to the virtual DNS resolver origin",
+		}, []string{"protocol"}),
+	}
+	registerer.MustRegister(m.dnsResolverRequests)
+	return m
+}
--- a/ingress/origins/metrics_test.go
+++ b/ingress/origins/metrics_test.go
@ -0,0 +1,6 @@
+package origins
+
+type noopMetrics struct{}
+
+func (noopMetrics) IncrementDNSUDPRequests() {}
+func (noopMetrics) IncrementDNSTCPRequests() {}
--- a/logger/configuration.go
+++ b/logger/configuration.go
@ -17,6 +17,7 @@ type Config struct {

 type ConsoleConfig struct {
 	noColor bool
+	asJSON  bool
 }

 type FileConfig struct {
@ -48,6 +49,7 @@ func createDefaultConfig() Config {
 	return Config{
 		ConsoleConfig: &ConsoleConfig{
 			noColor: false,
+			asJSON:  false,
 		},
 		FileConfig: &FileConfig{
 			Dirname:  "",
@ -67,11 +69,12 @@ func createDefaultConfig() Config {
 func CreateConfig(
 	minLevel string,
 	disableTerminal bool,
+	formatJSON bool,
 	rollingLogPath, nonRollingLogFilePath string,
 ) *Config {
 	var console *ConsoleConfig
 	if !disableTerminal {
-		console = createConsoleConfig()
+		console = createConsoleConfig(formatJSON)
 	}

 	var file *FileConfig
@ -95,9 +98,10 @@ func CreateConfig(
 	}
 }

-func createConsoleConfig() *ConsoleConfig {
+func createConsoleConfig(formatJSON bool) *ConsoleConfig {
 	return &ConsoleConfig{
 		noColor: false,
+		asJSON:  formatJSON,
 	}
 }

--- a/logger/console.go
+++ b/logger/console.go
@ -0,0 +1,37 @@
+package logger
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+
+	jsoniter "github.com/json-iterator/go"
+)
+
+var json = jsoniter.ConfigCompatibleWithStandardLibrary
+
+// consoleWriter allows us the simplicity to prevent duplicate json keys in the logger events reported.
+//
+// By default zerolog constructs the json event in parts by appending each additional key after the first. It
+// doesn't have any internal state or struct of the json message representation so duplicate keys can be
+// inserted without notice and no pruning will occur before writing the log event out to the io.Writer.
+//
+// To help prevent these duplicate keys, we will decode the json log event and then immediately re-encode it
+// again as writing it to the output io.Writer. Since we encode it to a map[string]any, duplicate keys
+// are pruned. We pay the cost of decoding and encoding the log event for each time, but helps prevent
+// us from needing to worry about adding duplicate keys in the log event from different areas of code.
+type consoleWriter struct {
+	out io.Writer
+}
+
+func (c *consoleWriter) Write(p []byte) (n int, err error) {
+	var evt map[string]any
+	d := json.NewDecoder(bytes.NewReader(p))
+	d.UseNumber()
+	err = d.Decode(&evt)
+	if err != nil {
+		return n, fmt.Errorf("cannot decode event: %s", err)
+	}
+	e := json.NewEncoder(c.out)
+	return len(p), e.Encode(evt)
+}
--- a/logger/console_test.go
+++ b/logger/console_test.go
@ -0,0 +1,33 @@
+package logger
+
+import (
+	"bytes"
+	"strings"
+	"testing"
+
+	"github.com/rs/zerolog"
+)
+
+func TestConsoleLoggerDuplicateKeys(t *testing.T) {
+	r := bytes.NewBuffer(make([]byte, 500))
+	logger := zerolog.New(&consoleWriter{out: r}).With().Timestamp().Logger()
+	logger.Debug().Str("test", "1234").Int("number", 45).Str("test", "5678").Msg("log message")
+
+	event, err := r.ReadString('\n')
+	if err != nil {
+		t.Error(err)
+	}
+
+	if !strings.Contains(event, "\"test\":\"5678\"") {
+		t.Errorf("log event missing key 'test': %s", event)
+	}
+	if !strings.Contains(event, "\"number\":45") {
+		t.Errorf("log event missing key 'number': %s", event)
+	}
+	if !strings.Contains(event, "\"time\":") {
+		t.Errorf("log event missing key 'time': %s", event)
+	}
+	if !strings.Contains(event, "\"level\":\"debug\"") {
+		t.Errorf("log event missing key 'level': %s", event)
+	}
+}
--- a/logger/create.go
+++ b/logger/create.go
@ -149,10 +149,21 @@ func createFromContext(
 	logLevel := c.String(logLevelFlagName)
 	logFile := c.String(cfdflags.LogFile)
 	logDirectory := c.String(logDirectoryFlagName)
+	var logFormatJSON bool
+	switch c.String(cfdflags.LogFormatOutput) {
+	case cfdflags.LogFormatOutputValueJSON:
+		logFormatJSON = true
+	case cfdflags.LogFormatOutputValueDefault:
+		// "default" and unset use the same logger output format
+		fallthrough
+	default:
+		logFormatJSON = false
+	}

 	loggerConfig := CreateConfig(
 		logLevel,
 		disableTerminal,
+		logFormatJSON,
 		logDirectory,
 		logFile,
 	)
@ -177,6 +188,9 @@ func Create(loggerConfig *Config) *zerolog.Logger {
 }

 func createConsoleLogger(config ConsoleConfig) io.Writer {
+	if config.asJSON {
+		return &consoleWriter{out: os.Stderr}
+	}
 	consoleOut := os.Stderr
 	return zerolog.ConsoleWriter{
 		Out:        colorable.NewColorable(consoleOut),
--- a/management/middleware.go
+++ b/management/middleware.go
@ -12,14 +12,7 @@ const (
 	accessClaimsCtxKey ctxKey = iota
 )

-const (
-	connectorIDQuery = "connector_id"
-	accessTokenQuery = "access_token"
-)
-
-var (
-	errMissingAccessToken = managementError{Code: 1001, Message: "missing access_token query parameter"}
-)
+var errMissingAccessToken = managementError{Code: 1001, Message: "missing access_token query parameter"}

 // HTTP middleware setting the parsed access_token claims in the request context
 func ValidateAccessTokenQueryMiddleware(next http.Handler) http.Handler {
@ -30,7 +23,7 @@ func ValidateAccessTokenQueryMiddleware(next http.Handler) http.Handler {
 			writeHTTPErrorResponse(w, errMissingAccessToken)
 			return
 		}
-		token, err := parseToken(accessToken)
+		token, err := ParseToken(accessToken)
 		if err != nil {
 			writeHTTPErrorResponse(w, errMissingAccessToken)
 			return
--- a/management/token.go
+++ b/management/token.go
@ -7,9 +7,12 @@ import (
 	"github.com/go-jose/go-jose/v4/jwt"
 )

+const tunnelstoreFEDIssuer = "fed-tunnelstore"
+
 type managementTokenClaims struct {
 	Tunnel tunnel `json:"tun"`
 	Actor  actor  `json:"actor"`
+	jwt.Claims
 }

 // VerifyTunnel compares the tun claim isn't empty
@ -37,7 +40,7 @@ func (t *actor) verify() bool {
 	return t.ID != ""
 }

-func parseToken(token string) (*managementTokenClaims, error) {
+func ParseToken(token string) (*managementTokenClaims, error) {
 	jwt, err := jwt.ParseSigned(token, []jose.SignatureAlgorithm{jose.ES256})
 	if err != nil {
 		return nil, fmt.Errorf("malformed jwt: %v", err)
@ -54,3 +57,7 @@ func parseToken(token string) (*managementTokenClaims, error) {
 	}
 	return &claims, nil
 }
+
+func (m *managementTokenClaims) IsFed() bool {
+	return m.Issuer == tunnelstoreFEDIssuer
+}
--- a/management/token_test.go
+++ b/management/token_test.go
@ -12,7 +12,7 @@ import (
 )

 const (
-	validToken = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjEifQ.eyJ0dW4iOnsiaWQiOiI3YjA5ODE0OS01MWZlLTRlZTUtYTY4Ny0zZTM3NDQ2NmVmYzciLCJhY2NvdW50X3RhZyI6ImNkMzkxZTljMDYyNmE4Zjc2Y2IxZjY3MGY2NTkxYjA1In0sImFjdG9yIjp7ImlkIjoiZGNhcnJAY2xvdWRmbGFyZS5jb20iLCJzdXBwb3J0IjpmYWxzZX0sInJlcyI6WyJsb2dzIl0sImV4cCI6MTY3NzExNzY5NiwiaWF0IjoxNjc3MTE0MDk2LCJpc3MiOiJ0dW5uZWxzdG9yZSJ9.mKenOdOy3Xi4O-grldFnAAemdlE9WajEpTDC_FwezXQTstWiRTLwU65P5jt4vNsIiZA4OJRq7bH-QYID9wf9NA"
+	validToken = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjEifQ.eyJ0dW4iOnsiaWQiOiI3YjA5ODE0OS01MWZlLTRlZTUtYTY4Ny0zZTM3NDQ2NmVmYzciLCJhY2NvdW50X3RhZyI6ImNkMzkxZTljMDYyNmE4Zjc2Y2IxZjY3MGY2NTkxYjA1In0sImFjdG9yIjp7ImlkIjoiZGNhcnJAY2xvdWRmbGFyZS5jb20iLCJzdXBwb3J0IjpmYWxzZX0sInJlcyI6WyJsb2dzIl0sImV4cCI6MTY3NzExNzY5NiwiaWF0IjoxNjc3MTE0MDk2LCJpc3MiOiJ0dW5uZWxzdG9yZSJ9.mKenOdOy3Xi4O-grldFnAAemdlE9WajEpTDC_FwezXQTstWiRTLwU65P5jt4vNsIiZA4OJRq7bH-QYID9wf9NA" // nolint: gosec

 	accountTag = "cd391e9c0626a8f76cb1f670f6591b05"
 	tunnelID   = "7b098149-51fe-4ee5-a687-3e374466efc7"
@ -105,12 +105,12 @@ func TestParseToken(t *testing.T) {
 	} {
 		t.Run(test.name, func(t *testing.T) {
 			jwt := signToken(t, test.claims, key)
-			claims, err := parseToken(jwt)
+			claims, err := ParseToken(jwt)
 			if test.err != nil {
 				require.EqualError(t, err, test.err.Error())
 				return
 			}
-			require.Nil(t, err)
+			require.NoError(t, err)
 			require.Equal(t, test.claims, *claims)
 		})
 	}
--- a/orchestration/config.go
+++ b/orchestration/config.go
@ -2,7 +2,6 @@ package orchestration

 import (
 	"encoding/json"
-	"time"

 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/ingress"
@ -20,9 +19,9 @@ type newLocalConfig struct {

 // Config is the original config as read and parsed by cloudflared.
 type Config struct {
-	Ingress      *ingress.Ingress
-	WarpRouting  ingress.WarpRoutingConfig
-	WriteTimeout time.Duration
+	Ingress             *ingress.Ingress
+	WarpRouting         ingress.WarpRoutingConfig
+	OriginDialerService *ingress.OriginDialerService

 	// Extra settings used to configure this instance but that are not eligible for remotely management
 	// ie. (--protocol, --loglevel, ...)
--- a/orchestration/orchestrator.go
+++ b/orchestration/orchestrator.go
@ -38,7 +38,9 @@ type Orchestrator struct {
 	tags   []pogs.Tag
 	// flowLimiter tracks active sessions across the tunnel and limits new sessions if they are above the limit.
 	flowLimiter cfdflow.Limiter
-	log         *zerolog.Logger
+	// Origin dialer service to manage egress socket dialing.
+	originDialerService *ingress.OriginDialerService
+	log                 *zerolog.Logger

 	// orchestrator must not handle any more updates after shutdownC is closed
 	shutdownC <-chan struct{}
@ -50,18 +52,20 @@ func NewOrchestrator(ctx context.Context,
 	config *Config,
 	tags []pogs.Tag,
 	internalRules []ingress.Rule,
-	log *zerolog.Logger) (*Orchestrator, error) {
+	log *zerolog.Logger,
+) (*Orchestrator, error) {
 	o := &Orchestrator{
 		// Lowest possible version, any remote configuration will have version higher than this
 		// Starting at -1 allows a configuration migration (local to remote) to override the current configuration as it
 		// will start at version 0.
-		currentVersion: -1,
-		internalRules:  internalRules,
-		config:         config,
-		tags:           tags,
-		flowLimiter:    cfdflow.NewLimiter(config.WarpRouting.MaxActiveFlows),
-		log:            log,
-		shutdownC:      ctx.Done(),
+		currentVersion:      -1,
+		internalRules:       internalRules,
+		config:              config,
+		tags:                tags,
+		flowLimiter:         cfdflow.NewLimiter(config.WarpRouting.MaxActiveFlows),
+		originDialerService: config.OriginDialerService,
+		log:                 log,
+		shutdownC:           ctx.Done(),
 	}
 	if err := o.updateIngress(*config.Ingress, config.WarpRouting); err != nil {
 		return nil, err
@ -175,7 +179,15 @@ func (o *Orchestrator) updateIngress(ingressRules ingress.Ingress, warpRouting i
 	// Update the flow limit since the configuration might have changed
 	o.flowLimiter.SetLimit(warpRouting.MaxActiveFlows)

-	proxy := proxy.NewOriginProxy(ingressRules, warpRouting, o.tags, o.flowLimiter, o.config.WriteTimeout, o.log)
+	// Update the origin dialer service with the new dialer settings
+	// We need to update the dialer here instead of creating a new instance of OriginDialerService because it has
+	// its own references and go routines. Specifically, the UDP dialer is a reference to this same service all the
+	// way into the datagram manager. Reconstructing the datagram manager is not something we currently provide during
+	// runtime in response to a configuration push except when starting a tunnel connection.
+	o.originDialerService.UpdateDefaultDialer(ingress.NewDialer(warpRouting))
+
+	// Create and replace the origin proxy with a new instance
+	proxy := proxy.NewOriginProxy(ingressRules, o.originDialerService, o.tags, o.flowLimiter, o.log)
 	o.proxy.Store(proxy)
 	o.config.Ingress = &ingressRules
 	o.config.WarpRouting = warpRouting
--- a/orchestration/orchestrator_test.go
+++ b/orchestration/orchestrator_test.go
@ -41,6 +41,11 @@ var (
 			Value: "test",
 		},
 	}
+	testDefaultDialer = ingress.NewDialer(ingress.WarpRoutingConfig{
+		ConnectTimeout: config.CustomDuration{Duration: 1 * time.Second},
+		TCPKeepAlive:   config.CustomDuration{Duration: 15 * time.Second},
+		MaxActiveFlows: 0,
+	})
 )

 // TestUpdateConfiguration tests that
@ -50,8 +55,13 @@ var (
 // - configurations can be deserialized
 // - receiving an old version is noop
 func TestUpdateConfiguration(t *testing.T) {
+	originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
+		DefaultDialer:   testDefaultDialer,
+		TCPWriteTimeout: 1 * time.Second,
+	}, &testLogger)
 	initConfig := &Config{
-		Ingress: &ingress.Ingress{},
+		Ingress:             &ingress.Ingress{},
+		OriginDialerService: originDialer,
 	}
 	orchestrator, err := NewOrchestrator(t.Context(), initConfig, testTags, []ingress.Rule{ingress.NewManagementRule(management.New("management.argotunnel.com", false, "1.1.1.1:80", uuid.Nil, "", &testLogger, nil))}, &testLogger)
 	require.NoError(t, err)
@ -179,8 +189,13 @@ func TestUpdateConfiguration(t *testing.T) {
 // Validates that a new version 0 will be applied if the configuration is loaded locally.
 // This will happen when a locally managed tunnel is migrated to remote configuration and receives its first configuration.
 func TestUpdateConfiguration_FromMigration(t *testing.T) {
+	originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
+		DefaultDialer:   testDefaultDialer,
+		TCPWriteTimeout: 1 * time.Second,
+	}, &testLogger)
 	initConfig := &Config{
-		Ingress: &ingress.Ingress{},
+		Ingress:             &ingress.Ingress{},
+		OriginDialerService: originDialer,
 	}
 	orchestrator, err := NewOrchestrator(t.Context(), initConfig, testTags, []ingress.Rule{}, &testLogger)
 	require.NoError(t, err)
@ -205,8 +220,13 @@ func TestUpdateConfiguration_FromMigration(t *testing.T) {

 // Validates that the default ingress rule will be set if there is no rule provided from the remote.
 func TestUpdateConfiguration_WithoutIngressRule(t *testing.T) {
+	originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
+		DefaultDialer:   testDefaultDialer,
+		TCPWriteTimeout: 1 * time.Second,
+	}, &testLogger)
 	initConfig := &Config{
-		Ingress: &ingress.Ingress{},
+		Ingress:             &ingress.Ingress{},
+		OriginDialerService: originDialer,
 	}
 	orchestrator, err := NewOrchestrator(t.Context(), initConfig, testTags, []ingress.Rule{}, &testLogger)
 	require.NoError(t, err)
@ -244,6 +264,11 @@ func TestConcurrentUpdateAndRead(t *testing.T) {
 	require.NoError(t, err)
 	defer tcpOrigin.Close()

+	originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
+		DefaultDialer:   testDefaultDialer,
+		TCPWriteTimeout: 1 * time.Second,
+	}, &testLogger)
+
 	var (
 		configJSONV1 = []byte(fmt.Sprintf(`
 {
@ -296,7 +321,8 @@ func TestConcurrentUpdateAndRead(t *testing.T) {
 		appliedV2 = make(chan struct{})

 		initConfig = &Config{
-			Ingress: &ingress.Ingress{},
+			Ingress:             &ingress.Ingress{},
+			OriginDialerService: originDialer,
 		}
 	)

@ -313,7 +339,7 @@ func TestConcurrentUpdateAndRead(t *testing.T) {
 	go func() {
 		serveTCPOrigin(t, tcpOrigin, &wg)
 	}()
-	for i := 0; i < concurrentRequests; i++ {
+	for i := range concurrentRequests {
 		originProxy, err := orchestrator.GetOriginProxy()
 		require.NoError(t, err)
 		wg.Add(1)
@ -323,48 +349,37 @@ func TestConcurrentUpdateAndRead(t *testing.T) {
 			assert.NoError(t, err, "proxyHTTP %d failed %v", i, err)
 			defer resp.Body.Close()

-			var warpRoutingDisabled bool
 			// The response can be from initOrigin, http_status:204 or http_status:418
 			switch resp.StatusCode {
-			// v1 proxy, warp enabled
+			// v1 proxy
 			case 200:
 				body, err := io.ReadAll(resp.Body)
 				assert.NoError(t, err)
 				assert.Equal(t, t.Name(), string(body))
-				warpRoutingDisabled = false
-			// v2 proxy, warp disabled
+			// v2 proxy
 			case 204:
 				assert.Greater(t, i, concurrentRequests/4)
-				warpRoutingDisabled = true
-			// v3 proxy, warp enabled
+			// v3 proxy
 			case 418:
 				assert.Greater(t, i, concurrentRequests/2)
-				warpRoutingDisabled = false
 			}

 			// Once we have originProxy, it won't be changed by configuration updates.
 			// We can infer the version by the ProxyHTTP response code
 			pr, pw := io.Pipe()
-
 			w := newRespReadWriteFlusher()

 			// Write TCP message and make sure it's echo back. This has to be done in a go routune since ProxyTCP doesn't
 			// return until the stream is closed.
-			if !warpRoutingDisabled {
-				wg.Add(1)
-				go func() {
-					defer wg.Done()
-					defer pw.Close()
-					tcpEyeball(t, pw, tcpBody, w)
-				}()
-			}
+			wg.Add(1)
+			go func() {
+				defer wg.Done()
+				defer pw.Close()
+				tcpEyeball(t, pw, tcpBody, w)
+			}()

 			err = proxyTCP(ctx, originProxy, tcpOrigin.Addr().String(), w, pr)
-			if warpRoutingDisabled {
-				assert.Error(t, err, "expect proxyTCP %d to return error", i)
-			} else {
-				assert.NoError(t, err, "proxyTCP %d failed %v", i, err)
-			}
+			assert.NoError(t, err, "proxyTCP %d failed %v", i, err)
 		}(i, originProxy)

 		if i == concurrentRequests/4 {
@ -406,39 +421,47 @@ func TestOverrideWarpRoutingConfigWithLocalValues(t *testing.T) {
 		require.EqualValues(t, expectedValue, warpRouting["maxActiveFlows"])
 	}

-	remoteValue := uint64(100)
-	remoteIngress := ingress.Ingress{}
+	originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
+		DefaultDialer:   testDefaultDialer,
+		TCPWriteTimeout: 1 * time.Second,
+	}, &testLogger)
+
+	// All the possible values set for MaxActiveFlows from the various points that can provide it:
+	// 1. Initialized value
+	// 2. Local CLI flag config
+	// 3. Remote configuration value
+	initValue := uint64(0)
+	localValue := uint64(100)
+	remoteValue := uint64(500)
+
+	initConfig := &Config{
+		Ingress: &ingress.Ingress{},
+		WarpRouting: ingress.WarpRoutingConfig{
+			MaxActiveFlows: initValue,
+		},
+		OriginDialerService: originDialer,
+		ConfigurationFlags: map[string]string{
+			flags.MaxActiveFlows: fmt.Sprintf("%d", localValue),
+		},
+	}
+
+	// We expect the local configuration flag to be the starting value
+	orchestrator, err := NewOrchestrator(ctx, initConfig, testTags, []ingress.Rule{}, &testLogger)
+	require.NoError(t, err)
+
+	assertMaxActiveFlows(orchestrator, localValue)
+
+	// Assigning the MaxActiveFlows in the remote config should be ignored over the local config
 	remoteWarpConfig := ingress.WarpRoutingConfig{
 		MaxActiveFlows: remoteValue,
 	}
-	remoteConfig := &Config{
-		Ingress:            &remoteIngress,
-		WarpRouting:        remoteWarpConfig,
-		ConfigurationFlags: map[string]string{},
-	}
-	orchestrator, err := NewOrchestrator(ctx, remoteConfig, testTags, []ingress.Rule{}, &testLogger)
-	require.NoError(t, err)

-	assertMaxActiveFlows(orchestrator, remoteValue)
-
-	// Add a local override for the maxActiveFlows
-	localValue := uint64(500)
-	remoteConfig.ConfigurationFlags[flags.MaxActiveFlows] = fmt.Sprintf("%d", localValue)
 	// Force a configuration refresh
-	err = orchestrator.updateIngress(remoteIngress, remoteWarpConfig)
+	err = orchestrator.updateIngress(ingress.Ingress{}, remoteWarpConfig)
 	require.NoError(t, err)

 	// Check the value being used is the local one
 	assertMaxActiveFlows(orchestrator, localValue)
-
-	// Remove local override for the maxActiveFlows
-	delete(remoteConfig.ConfigurationFlags, flags.MaxActiveFlows)
-	// Force a configuration refresh
-	err = orchestrator.updateIngress(remoteIngress, remoteWarpConfig)
-	require.NoError(t, err)
-
-	// Check the value being used is now the remote again
-	assertMaxActiveFlows(orchestrator, remoteValue)
 }

 func proxyHTTP(originProxy connection.OriginProxy, hostname string) (*http.Response, error) {
@ -546,6 +569,10 @@ func updateWithValidation(t *testing.T, orchestrator *Orchestrator, version int3

 // TestClosePreviousProxies makes sure proxies started in the previous configuration version are shutdown
 func TestClosePreviousProxies(t *testing.T) {
+	originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
+		DefaultDialer:   testDefaultDialer,
+		TCPWriteTimeout: 1 * time.Second,
+	}, &testLogger)
 	var (
 		hostname             = "hello.tunnel1.org"
 		configWithHelloWorld = []byte(fmt.Sprintf(`
@ -576,7 +603,8 @@ func TestClosePreviousProxies(t *testing.T) {
 }
 `)
 		initConfig = &Config{
-			Ingress: &ingress.Ingress{},
+			Ingress:             &ingress.Ingress{},
+			OriginDialerService: originDialer,
 		}
 	)

@ -638,8 +666,13 @@ func TestPersistentConnection(t *testing.T) {
 		hostname = "http://ws.tunnel.org"
 	)
 	msg := t.Name()
+	originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
+		DefaultDialer:   testDefaultDialer,
+		TCPWriteTimeout: 1 * time.Second,
+	}, &testLogger)
 	initConfig := &Config{
-		Ingress: &ingress.Ingress{},
+		Ingress:             &ingress.Ingress{},
+		OriginDialerService: originDialer,
 	}
 	orchestrator, err := NewOrchestrator(t.Context(), initConfig, testTags, []ingress.Rule{}, &testLogger)
 	require.NoError(t, err)
@ -752,8 +785,9 @@ func TestSerializeLocalConfig(t *testing.T) {
 		ConfigurationFlags: map[string]string{"a": "b"},
 	}

-	result, _ := json.Marshal(c)
-	fmt.Println(string(result))
+	result, err := json.Marshal(c)
+	require.NoError(t, err)
+	require.JSONEq(t, `{"__configuration_flags":{"a":"b"},"ingress":[],"warp-routing":{"connectTimeout":0,"tcpKeepAlive":0}}`, string(result))
 }

 func wsEcho(w http.ResponseWriter, r *http.Request) {
--- a/postinst.sh
+++ b/postinst.sh
@ -1,5 +1,5 @@
 #!/bin/bash
 set -eu
-ln -s /usr/bin/cloudflared /usr/local/bin/cloudflared
+ln -sf /usr/bin/cloudflared /usr/local/bin/cloudflared
 mkdir -p /usr/local/etc/cloudflared/
 touch /usr/local/etc/cloudflared/.installedFromPackageManager || true
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@ -5,11 +5,11 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/netip"
 	"strconv"
 	"time"

 	"github.com/pkg/errors"
-	pkgerrors "github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/trace"
@ -35,7 +35,7 @@ const (
 // Proxy represents a means to Proxy between cloudflared and the origin services.
 type Proxy struct {
 	ingressRules ingress.Ingress
-	warpRouting  *ingress.WarpRoutingService
+	originDialer ingress.OriginTCPDialer
 	tags         []pogs.Tag
 	flowLimiter  cfdflow.Limiter
 	log          *zerolog.Logger
@ -44,21 +44,19 @@ type Proxy struct {
 // NewOriginProxy returns a new instance of the Proxy struct.
 func NewOriginProxy(
 	ingressRules ingress.Ingress,
-	warpRouting ingress.WarpRoutingConfig,
+	originDialer ingress.OriginDialer,
 	tags []pogs.Tag,
 	flowLimiter cfdflow.Limiter,
-	writeTimeout time.Duration,
 	log *zerolog.Logger,
 ) *Proxy {
 	proxy := &Proxy{
 		ingressRules: ingressRules,
+		originDialer: originDialer,
 		tags:         tags,
 		flowLimiter:  flowLimiter,
 		log:          log,
 	}

-	proxy.warpRouting = ingress.NewWarpRoutingService(warpRouting, writeTimeout)
-
 	return proxy
 }

@ -146,24 +144,18 @@ func (p *Proxy) ProxyHTTP(
 // ProxyTCP proxies to a TCP connection between the origin service and cloudflared.
 func (p *Proxy) ProxyTCP(
 	ctx context.Context,
-	rwa connection.ReadWriteAcker,
+	conn connection.ReadWriteAcker,
 	req *connection.TCPRequest,
 ) error {
 	incrementTCPRequests()
 	defer decrementTCPConcurrentRequests()

-	if p.warpRouting == nil {
-		err := errors.New(`cloudflared received a request from WARP client, but your configuration has disabled ingress from WARP clients. To enable this, set "warp-routing:\n\t enabled: true" in your config.yaml`)
-		p.log.Error().Msg(err.Error())
-		return err
-	}
-
 	logger := newTCPLogger(p.log, req)

 	// Try to start a new flow
 	if err := p.flowLimiter.Acquire(management.TCP.String()); err != nil {
 		logger.Warn().Msg("Too many concurrent flows being handled, rejecting tcp proxy")
-		return pkgerrors.Wrap(err, "failed to start tcp flow due to rate limiting")
+		return errors.Wrap(err, "failed to start tcp flow due to rate limiting")
 	}
 	defer p.flowLimiter.Release()

@ -173,7 +165,14 @@ func (p *Proxy) ProxyTCP(
 	tracedCtx := tracing.NewTracedContext(serveCtx, req.CfTraceID, &logger)
 	logger.Debug().Msg("tcp proxy stream started")

-	if err := p.proxyStream(tracedCtx, rwa, req.Dest, p.warpRouting.Proxy, &logger); err != nil {
+	// Parse the destination into a netip.AddrPort
+	dest, err := netip.ParseAddrPort(req.Dest)
+	if err != nil {
+		logRequestError(&logger, err)
+		return err
+	}
+
+	if err := p.proxyTCPStream(tracedCtx, conn, dest, p.originDialer, &logger); err != nil {
 		logRequestError(&logger, err)
 		return err
 	}
@ -279,14 +278,14 @@ func (p *Proxy) proxyStream(
 	tr *tracing.TracedContext,
 	rwa connection.ReadWriteAcker,
 	dest string,
-	connectionProxy ingress.StreamBasedOriginProxy,
+	originDialer ingress.StreamBasedOriginProxy,
 	logger *zerolog.Logger,
 ) error {
 	ctx := tr.Context
 	_, connectSpan := tr.Tracer().Start(ctx, "stream-connect")

 	start := time.Now()
-	originConn, err := connectionProxy.EstablishConnection(ctx, dest, logger)
+	originConn, err := originDialer.EstablishConnection(ctx, dest, logger)
 	if err != nil {
 		connectStreamErrors.Inc()
 		tracing.EndWithErrorStatus(connectSpan, err)
@ -310,6 +309,45 @@ func (p *Proxy) proxyStream(
 	return nil
 }

+// proxyTCPStream proxies private network type TCP connections as a stream towards an available origin.
+//
+// This is different than proxyStream because it's not leveraged ingress rule services and uses the
+// originDialer from OriginDialerService.
+func (p *Proxy) proxyTCPStream(
+	tr *tracing.TracedContext,
+	tunnelConn connection.ReadWriteAcker,
+	dest netip.AddrPort,
+	originDialer ingress.OriginTCPDialer,
+	logger *zerolog.Logger,
+) error {
+	ctx := tr.Context
+	_, connectSpan := tr.Tracer().Start(ctx, "stream-connect")
+
+	start := time.Now()
+	originConn, err := originDialer.DialTCP(ctx, dest)
+	if err != nil {
+		connectStreamErrors.Inc()
+		tracing.EndWithErrorStatus(connectSpan, err)
+		return err
+	}
+	connectSpan.End()
+	defer originConn.Close()
+	logger.Debug().Msg("origin connection established")
+
+	encodedSpans := tr.GetSpans()
+
+	if err := tunnelConn.AckConnection(encodedSpans); err != nil {
+		connectStreamErrors.Inc()
+		return err
+	}
+
+	connectLatency.Observe(float64(time.Since(start).Milliseconds()))
+	logger.Debug().Msg("proxy stream acknowledged")
+
+	stream.Pipe(tunnelConn, originConn, logger)
+	return nil
+}
+
 func (p *Proxy) proxyLocalRequest(proxy ingress.HTTPLocalProxy, w connection.ResponseWriter, req *http.Request, isWebsocket bool) {
 	if isWebsocket {
 		// These headers are added since they are stripped off during an eyeball request to origintunneld, but they
--- a/proxy/proxy_test.go
+++ b/proxy/proxy_test.go
@ -33,17 +33,17 @@ import (
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/hello"
 	"github.com/cloudflare/cloudflared/ingress"
-	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/tracing"
 	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )

 var (
-	testTags        = []pogs.Tag{{Name: "Name", Value: "value"}}
-	noWarpRouting   = ingress.WarpRoutingConfig{}
-	testWarpRouting = ingress.WarpRoutingConfig{
-		ConnectTimeout: config.CustomDuration{Duration: time.Second},
-	}
+	testTags          = []pogs.Tag{{Name: "Name", Value: "value"}}
+	testDefaultDialer = ingress.NewDialer(ingress.WarpRoutingConfig{
+		ConnectTimeout: config.CustomDuration{Duration: 1 * time.Second},
+		TCPKeepAlive:   config.CustomDuration{Duration: 15 * time.Second},
+		MaxActiveFlows: 0,
+	})
 )

 type mockHTTPRespWriter struct {
@ -162,7 +162,12 @@ func TestProxySingleOrigin(t *testing.T) {

 	require.NoError(t, ingressRule.StartOrigins(&log, ctx.Done()))

-	proxy := NewOriginProxy(ingressRule, noWarpRouting, testTags, cfdflow.NewLimiter(0), time.Duration(0), &log)
+	originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
+		DefaultDialer:   testDefaultDialer,
+		TCPWriteTimeout: 1 * time.Second,
+	}, &log)
+
+	proxy := NewOriginProxy(ingressRule, originDialer, testTags, cfdflow.NewLimiter(0), &log)
 	t.Run("testProxyHTTP", testProxyHTTP(proxy))
 	t.Run("testProxyWebsocket", testProxyWebsocket(proxy))
 	t.Run("testProxySSE", testProxySSE(proxy))
@ -357,7 +362,7 @@ type MultipleIngressTest struct {
 }

 func runIngressTestScenarios(t *testing.T, unvalidatedIngress []config.UnvalidatedIngressRule, tests []MultipleIngressTest) {
-	ingress, err := ingress.ParseIngress(&config.Configuration{
+	ingressRule, err := ingress.ParseIngress(&config.Configuration{
 		TunnelID: t.Name(),
 		Ingress:  unvalidatedIngress,
 	})
@ -366,9 +371,14 @@ func runIngressTestScenarios(t *testing.T, unvalidatedIngress []config.Unvalidat
 	log := zerolog.Nop()

 	ctx, cancel := context.WithCancel(t.Context())
-	require.NoError(t, ingress.StartOrigins(&log, ctx.Done()))
+	require.NoError(t, ingressRule.StartOrigins(&log, ctx.Done()))

-	proxy := NewOriginProxy(ingress, noWarpRouting, testTags, cfdflow.NewLimiter(0), time.Duration(0), &log)
+	originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
+		DefaultDialer:   testDefaultDialer,
+		TCPWriteTimeout: 1 * time.Second,
+	}, &log)
+
+	proxy := NewOriginProxy(ingressRule, originDialer, testTags, cfdflow.NewLimiter(0), &log)

 	for _, test := range tests {
 		responseWriter := newMockHTTPRespWriter()
@ -416,7 +426,12 @@ func TestProxyError(t *testing.T) {

 	log := zerolog.Nop()

-	proxy := NewOriginProxy(ing, noWarpRouting, testTags, cfdflow.NewLimiter(0), time.Duration(0), &log)
+	originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
+		DefaultDialer:   testDefaultDialer,
+		TCPWriteTimeout: 1 * time.Second,
+	}, &log)
+
+	proxy := NewOriginProxy(ing, originDialer, testTags, cfdflow.NewLimiter(0), &log)

 	responseWriter := newMockHTTPRespWriter()
 	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1", nil)
@ -467,7 +482,7 @@ func (r *replayer) Bytes() []byte {
 // WS - TCP: When a tcp based ingress is configured on the origin and the
 // eyeball sends tcp packets wrapped in websockets. (E.g: cloudflared access).
 func TestConnections(t *testing.T) {
-	logger := logger.Create(nil)
+	log := zerolog.Nop()
 	replayer := &replayer{rw: bytes.NewBuffer([]byte{})}
 	type args struct {
 		ingressServiceScheme  string
@ -475,9 +490,6 @@ func TestConnections(t *testing.T) {
 		eyeballResponseWriter connection.ResponseWriter
 		eyeballRequestBody    io.ReadCloser

-		// Can be set to nil to show warp routing is not enabled.
-		warpRoutingService *ingress.WarpRoutingService
-
 		// eyeball connection type.
 		connectionType connection.Type

@ -488,6 +500,11 @@ func TestConnections(t *testing.T) {
 		flowLimiterResponse error
 	}

+	originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
+		DefaultDialer:   testDefaultDialer,
+		TCPWriteTimeout: 0,
+	}, &log)
+
 	type want struct {
 		message []byte
 		headers http.Header
@ -530,7 +547,6 @@ func TestConnections(t *testing.T) {
 				originService:         runEchoTCPService,
 				eyeballResponseWriter: newTCPRespWriter(replayer),
 				eyeballRequestBody:    newTCPRequestBody([]byte("test2")),
-				warpRoutingService:    ingress.NewWarpRoutingService(testWarpRouting, time.Duration(0)),
 				connectionType:        connection.TypeTCP,
 				requestHeaders: map[string][]string{
 					"Cf-Cloudflared-Proxy-Src": {"non-blank-value"},
@ -548,7 +564,6 @@ func TestConnections(t *testing.T) {
 				originService:        runEchoWSService,
 				// eyeballResponseWriter gets set after roundtrip dial.
 				eyeballRequestBody: newPipedWSRequestBody([]byte("test3")),
-				warpRoutingService: ingress.NewWarpRoutingService(testWarpRouting, time.Duration(0)),
 				requestHeaders: map[string][]string{
 					"Cf-Cloudflared-Proxy-Src": {"non-blank-value"},
 				},
@ -601,23 +616,6 @@ func TestConnections(t *testing.T) {
 				headers: map[string][]string{},
 			},
 		},
-		{
-			name: "tcp-tcp proxy without warpRoutingService enabled",
-			args: args{
-				ingressServiceScheme:  "tcp://",
-				originService:         runEchoTCPService,
-				eyeballResponseWriter: newTCPRespWriter(replayer),
-				eyeballRequestBody:    newTCPRequestBody([]byte("test2")),
-				connectionType:        connection.TypeTCP,
-				requestHeaders: map[string][]string{
-					"Cf-Cloudflared-Proxy-Src": {"non-blank-value"},
-				},
-			},
-			want: want{
-				message: []byte{},
-				err:     true,
-			},
-		},
 		{
 			name: "ws-ws proxy when origin is different",
 			args: args{
@ -670,7 +668,6 @@ func TestConnections(t *testing.T) {
 				originService:         runEchoTCPService,
 				eyeballResponseWriter: newTCPRespWriter(replayer),
 				eyeballRequestBody:    newTCPRequestBody([]byte("rate-limited")),
-				warpRoutingService:    ingress.NewWarpRoutingService(testWarpRouting, time.Duration(0)),
 				connectionType:        connection.TypeTCP,
 				requestHeaders: map[string][]string{
 					"Cf-Cloudflared-Proxy-Src": {"non-blank-value"},
@ -693,7 +690,7 @@ func TestConnections(t *testing.T) {
 			test.args.originService(t, ln)

 			ingressRule := createSingleIngressConfig(t, test.args.ingressServiceScheme+ln.Addr().String())
-			_ = ingressRule.StartOrigins(logger, ctx.Done())
+			_ = ingressRule.StartOrigins(&log, ctx.Done())

 			// Mock flow limiter
 			ctrl := gomock.NewController(t)
@ -702,8 +699,7 @@ func TestConnections(t *testing.T) {
 			flowLimiter.EXPECT().Acquire("tcp").AnyTimes().Return(test.args.flowLimiterResponse)
 			flowLimiter.EXPECT().Release().AnyTimes()

-			proxy := NewOriginProxy(ingressRule, testWarpRouting, testTags, flowLimiter, time.Duration(0), logger)
-			proxy.warpRouting = test.args.warpRoutingService
+			proxy := NewOriginProxy(ingressRule, originDialer, testTags, flowLimiter, &log)

 			dest := ln.Addr().String()
 			req, err := http.NewRequest(
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
GitLab Maintenance Bot	0d2a7a0385	Replace jira.cfops.it with jira.cfdata.org in connection/http2_test.go	2025-11-21 05:33:09 +00:00
João "Pisco" Fernandes	789a9b110d	TUN-9863: Update pipelines to use cloudflared EV Certificate	2025-11-19 18:05:33 +00:00
João "Pisco" Fernandes	31f45fb505	TUN-9800: Migrate apt internal builds to Gitlab	2025-11-10 14:43:10 +00:00
João "Pisco" Fernandes	17533b124c	Release 2025.11.1	2025-11-07 16:30:58 +00:00
João "Pisco" Fernandes	9ce16c5aac	TUN-9800: Fix docker hub push step	2025-11-07 15:26:22 +00:00
GoncaloGarcia	29e8d936f2	Release 2025.11.0	2025-11-07 08:15:20 +00:00
João "Pisco" Fernandes	4cfebb8319	TUN-9800: Prefix gitlab steps with operating system	2025-11-06 16:00:05 +00:00
Gonçalo Garcia	eedbcf46d4	TUN-9863: Introduce Code Signing for Windows Builds * TUN-9863: Introduce Code Signing for Windows Builds This commit adds a signing step to the build script for windows binaries. Since we package the MSI on Linux, this commit adds another CI step that depends on package-windows and signs all of the windows packages. To do so, we use azuresigntool which relies on a certificate stored in Azure Vault. Closes TUN-9863	2025-11-06 11:41:21 +00:00
João "Pisco" Fernandes	a8fdbb83d0	TUN-9800: Add pipelines for linux packaging	2025-11-05 10:45:04 +00:00
Gonçalo Garcia	70658b863b	chore: Update cloudflared signing key name in index.html * chore: Update cloudflared signing key name in index.html We want to preserve the old key name so that we don't have to update the dev docs. We will have the same key under this name and the v2 name to account for everyone who has already updated.	2025-11-04 16:59:30 +00:00
Chung-Ting	334300bae7	Chore: Update documentation links in README	2025-10-31 19:45:17 +00:00
Luis Neto	e9f0628555	chore: add claude review * chore: add claude review	2025-10-31 14:03:45 +00:00
João "Pisco" Fernandes	0caf31c543	Release 2025.10.1	2025-10-30 16:38:01 +00:00
GoncaloGarcia	4faa03dfed	TUN-9961: Add pkg.cloudflared.com index.html to git repo This makes it easier to track changes and allows us to update it in a gitlab pipeline if we choose to in the future	2025-10-30 16:37:33 +00:00
João "Pisco" Fernandes	58519d1268	chore: Update ci image to use goboring 1.24.9	2025-10-30 16:37:04 +00:00
chungthuang	1367b967b3	TUN-9849: Add cf-proxy-* to control response headers These headers will not be returned to the eyeball	2025-10-28 09:17:05 -05:00
Christopher Meng	114683f49e	Fix systemd service installation hanging * Fix systemd service installation hanging --- This kills the hanging when there is a network issue (port blocking or no Internet) and the installation cannot be completed with no error sent to the output. Before (killed manually since it hangs forever): ![499987567-de9003f9-4aaa-4667-9495-1d4b01069bed](/uploads/01063e6c2cf81fdd91ac8fbcd7f04a1b/499987567-de9003f9-4aaa-4667-9495-1d4b01069bed.png){width=817 height=69} After: ![499986549-f031035f-1633-46c0-a896-d9fd37054e83](/uploads/00c273f37d415617104b44736921b3d7/499986549-f031035f-1633-46c0-a896-d9fd37054e83.png){width=825 height=78} ---	2025-10-23 14:38:09 +00:00
João "Pisco" Fernandes	2b456b9a79	TUN-9954: Update from go1.24.6 to go1.24.9	2025-10-23 10:54:18 +01:00
Gonçalo Garcia	3a71c1bcd8	TUN-9941: Lookup correct key for RPM signature * TUN-9941: Lookup correct key for RPM signature Closes TUN-9941	2025-10-21 15:51:57 +00:00
Gonçalo Garcia	95642486c6	TUN-9941: Fix typo causing r2-release-next deployment to fail * TUN-9941: Fix typo causing r2-release-next deployment to fail Closes TUN-9941	2025-10-21 13:11:33 +00:00
Gonçalo Garcia	691550a6f2	TUN-9941: Use new GPG key for RPM builds * TUN-9941: Use new GPG key for RPM builds Closes TUN-9941	2025-10-21 09:57:22 +00:00
chungthuang	12c2a8e144	TUN-9916: Fix the cloudflared binary path used in the component test	2025-10-15 14:34:54 +00:00
Gonçalo Garcia	d943602d21	TUN-9919: Make RPM postinstall scriplet idempotent * TUN-9919: Make RPM postinstall scriplet idempotent Before this commit the postinstall scriptlet isn't idempotent, meaning the users see this error in their upgrade logs: `ln: failed to create symbolic link '/usr/local/bin/cloudflared': File exists warning: %post(cloudflared-2025.10.0-1.x86_64) scriptlet failed, exit status 1` This doesn't break the upgrade (which is why we haven't touched this in 5 years), but adding the -f (force) flag to the symlink command prevents this issue from happening Closes TUN-9919	2025-10-15 14:33:43 +00:00
Devin Carr	e10e072599	Release 2025.10.0	2025-10-14 09:16:36 -07:00
Gonçalo Garcia	686347cf91	chore: Fix upload of RPM repo file during double signing * chore: Fix upload of RPM repo file during double signing This commit fixes a variable that was supposed to hold the path of the repo file, but instead was being overwritten with the repo file handle	2025-10-14 09:12:54 +00:00
Devin Carr	f45b3a1baf	TUN-9882: Bump datagram v3 write channel capacity Bumping from 16 to 512 gives each flow a bit more buffer if the local OS is having trouble writing to the origin. Closes TUN-9882	2025-10-13 17:18:22 -07:00
Devin Carr	1ac6c45dad	TUN-9883: Add new datagram v3 feature flag After the previous rollout was reverted, the original `support_datagram_v3_1` is deprecated and replaced with `support_datagram_v3_2`. Closes TUN-9883	2025-10-10 13:55:31 -07:00
Gonçalo Garcia	d78e64c8cc	chore: Fix parameter order when uploading RPM .repo file to R2 * chore: Fix parameter order when uploading RPM .repo file to R2	2025-10-10 15:44:28 +00:00
Gonçalo Garcia	7987d01a6e	chore: Fix import of GPG keys when two keys are provided * chore: Fix import of GPG keys when two keys are provided We were only retrieving the first output of gpg.list keys because previously we were only running import_gpg_keys once. Now that we run it twice we need to ensure that the key we select from the list matches the one we've imported.	2025-10-10 07:58:55 +00:00
Gonçalo Garcia	e1dacbcea8	chore: Force usage of go-boring 1.24 * chore: Force usage of go-boring 1.24	2025-10-09 13:18:29 +00:00
Devin Carr	1cc15c6ffa	TUN-9882: Improve metrics for datagram v3 Adds new metrics for: - Dropped UDP datagrams for reads and write paths - Dropped ICMP packets for write paths - Failures that preemptively close UDP flows Closes TUN-9882	2025-10-08 12:17:23 -07:00
Devin Carr	51c5ef726c	TUN-9882: Add write deadline for UDP origin writes Add a deadline for origin writes as a preventative measure in the case that the kernel blocks any writes for too long. In the case that the socket exceeds the write deadline, the datagram will be dropped. Closes TUN-9882	2025-10-07 19:54:42 -07:00
Devin Carr	1fb466941a	TUN-9882: Add buffers for UDP and ICMP datagrams in datagram v3 Instead of creating a go routine to process each incoming datagram from the tunnel, a single consumer (the demuxer) will process each of the datagrams in serial. Registration datagrams will still be spun out into separate go routines since they are responsible for managing the lifetime of the session once started via the `Serve` method. UDP payload datagrams will be handled in separate channels to allow for parallel writing inside of the scope of a session via a new write loop. This channel will have a small buffer to help unblock the demuxer from dequeueing other datagrams. ICMP datagrams will be funneled into a single channel across all possible origins with a single consumer to write to their respective destinations. Each of these changes is to prevent datagram reordering from occurring when dequeuing from the tunnel connection. By establishing a single demuxer that serializes the writes per session, each session will be able to write sequentially, but in parallel to their respective origins. Closes TUN-9882	2025-10-07 16:14:01 -07:00
João Oliveirinha	fff1fc7390	GRC-16749: Add fedramp tags to catalog * GRC-16749: Add fedramp tags to catalog	2025-10-07 11:27:41 +00:00
Gonçalo Garcia	9551f2a381	TUN-9776: Support signing Debian packages with two keys for rollover * TUN-9776: Support signing Debian packages with two keys for rollover Debian Trixie doesn't support the SHA-1 algo for GPG keys. This commit leverages the ability of providing two keys in the reprepro configuration in order to have two signatures in InRelease and Release.gpg files. This allows users that have the old key to continue fetching the binaries with the old key while allowing us to provide a new key that can be used in Trixie. Unfortunately current versions of RPM (since 2002) don't support double signing, so we can't apply the same logic for RPM Closes TUN-9776	2025-09-29 14:48:12 +00:00
João "Pisco" Fernandes	71448c1f7f	TUN-9800: Add pipeline to sync between gitlab and github repos	2025-09-22 16:34:33 +01:00
João "Pisco" Fernandes	80b1634515	Release 2025.9.1	2025-09-22 13:02:11 +01:00
João "Pisco" Fernandes	4ac0c1f2d7	TUN-9852: Remove fmt.Println from cloudflared access command	2025-09-22 12:01:48 +01:00
João "Pisco" Fernandes	4dafc15f22	TUN-9855: Create script to ignore vulnerabilities from govuln check	2025-09-22 12:01:38 +01:00
João "Pisco" Fernandes	92ef55650f	Release 2025.9.0	2025-09-17 17:29:52 +01:00
Gonçalo Garcia	9e94122d2b	TUN-9820: Add support for FedRAMP in originRequest Access config * TUN-9820: Add support for FedRAMP in originRequest Access config Closes TUN-9820	2025-09-15 11:11:23 +00:00
João "Pisco" Fernandes	173396be90	TUN-9800: Migrate cloudflared-ci pipelines to Gitlab CI ## Summary This commit migrates the cloduflared ci pipelines, that built, tested and component tested the linux binaries to gitlab ci. The only thing that is remaining to move from teamcity to gitlab are now the release pipelines that run on master. Relates to TUN-9800	2025-09-11 11:33:24 +01:00
João "Pisco" Fernandes	d9e13ab2ab	TUN-9803: Add windows builds to gitlab-ci	2025-09-10 11:23:41 +01:00
Gonçalo Garcia	9e6d58aaea	TUN-9755: Set endpoint in tunnel credentials when generating locally managed tunnel with a Fed token * TUN-9755: Set endpoint in tunnel credentials when generating locally managed tunnel with a Fed token Closes TUN-9755	2025-08-27 15:57:58 +00:00
João "Pisco" Fernandes	f9c2bd51ae	Release 2025.8.1	2025-08-21 10:53:31 +01:00
Devin Carr	41dffd7f3c	CUSTESC-53681: Correct QUIC connection management for datagram handlers Corrects the pattern of using errgroup's and context cancellation to simplify the logic for canceling extra routines for the QUIC connection. This is because the extra context cancellation is redundant with the fact that the errgroup also cancels it's own provided context when a routine returns (error or not). For the datagram handler specifically, since it can respond faster to a context cancellation from the QUIC connection, we wrap the error before surfacing it outside of the QUIC connection scope to the supervisor. Additionally, the supervisor will look for this error type to check if it should retry the QUIC connection. These two operations are required because the supervisor does not look for a context canceled error when deciding to retry a connection. If a context canceled from the datagram handler were to be returned up to the supervisor on the initial connection, the cloudflared application would exit. We want to ensure that cloudflared maintains connection attempts even if any of the services on-top of a QUIC connection fail (datagram handler in this case). Additional logging is also introduced along these paths to help with understanding the error conditions from the specific handlers on-top of a QUIC connection. Related CUSTESC-53681 Closes TUN-9610	2025-08-19 16:10:00 -07:00
Kyle Hiller	8825ceecb5	AUTH-7480 update fed callback url for login helper * AUTH-7480 update fed callback url for login helper	2025-08-19 18:54:31 +00:00
Kevin Marshall	50104548cf	AUTH-7260: Add support for login interstitial auto closure Adds a switch `--auto-close` which automatically closes Access login interstitial windows/tabs immediately after the user chooses Approve or Deny.	2025-08-12 20:41:12 +00:00
GoncaloGarcia	08efe4c103	Release 2025.8.0	2025-08-08 15:07:54 +01:00
João "Pisco" Fernandes	6c3df26b3c	vuln: Fix GO-2025-3770 vulnerability	2025-08-07 16:40:53 +01:00
Luis Neto	1cedefa1c2	TUN-9583: set proper url and hostname for cloudflared tail command This commit adds support for FedRAMP environments. Cloudflared will now dynamically configure the management hostname and API URL, switching to FedRAMP-specific values like `management.fed.argotunnel.com` and `https://api.fed.cloudflare.com/client/v4` when a FedRAMP endpoint is detected. Key to this is an enhanced `ParseToken` function, which now includes an `IsFed()` method to determine if a management token's issuer is `fed-tunnelstore`. This allows cloudflared to correctly identify and operate within a FedRAMP context, ensuring proper connectivity. Closes TUN-9583	2025-07-23 20:09:50 +01:00
João "Pisco" Fernandes	ddf4e6d854	TUN-9542: Remove unsupported Debian-based releases ## Summary This commit removes configurations and references for Debian-based releases that are no longer supported in the build and packaging processes. For Ubuntu versions for most of them only PRO users still have support, so we might decide remove some of them as well. Information available in: - Debian Releases: https://wiki.debian.org/LTS (we no longer support bullseye at Cloudflare) - Ubuntu Releases: https://ubuntu.com/about/release-cycle Closes TUN-9542	2025-07-07 11:56:02 +01:00
João "Pisco" Fernandes	8e7955ae89	Release 2025.7.0	2025-07-03 17:14:44 +01:00
João "Pisco" Fernandes	ae197908be	TUN-9540: Use numeric user id for Dockerfiles ## Summary This commit changes the USER instruction in our Dockerfiles from using the string "nonroot" to its numeric ID "65532". This change is necessary because Kubernetes does not support string-based user IDs in security contexts, requiring numeric IDs instead. The nonroot user maps to 65532 in distroless images.	2025-07-03 11:31:04 +01:00
Devin Carr	6ec699509d	TUN-9511: Add metrics for virtual DNS origin Closes TUN-9511	2025-07-01 13:26:34 -07:00
João "Pisco" Fernandes	242fccefa4	TUN-9531: Bump go-boring from 1.24.2 to 1.24.4	2025-07-01 12:25:34 +01:00
Luis Neto	d0a6318334	TUN-9161: Remove P256Kyber768Draft00PQKex curve from nonFips curve preferences Remove P256Kyber768Draft00PQKex curve from nonFips curve preferences and add tests to verify that the advertised curves are the same as the curve preferences we set. Closes TUN-9161	2025-07-01 12:24:59 +01:00
Devin Carr	398da8860f	TUN-9473: Add --dns-resolver-addrs flag To help support users with environments that don't work well with the DNS local resolver's automatic resolution process for local resolver addresses, we introduce a flag to provide them statically to the runtime. When providing the resolver addresses, cloudflared will no longer lookup the DNS resolver addresses and use the user input directly. When provided with a list of DNS resolvers larger than one, the resolver service will randomly select one at random for each incoming request. Closes TUN-9473	2025-06-30 15:20:32 -07:00
Devin Carr	70ed7ffc5f	TUN-9470: Add OriginDialerService to include TCP Adds an OriginDialerService that takes over the roles of both DialUDP and DialTCP towards the origin. This provides the possibility to leverage dialer "middleware" to inject virtual origins, such as the DNS resolver service. DNS Resolver service also gains access to the DialTCP operation to service TCP DNS requests. Minor refactoring includes changes to remove the needs previously provided by the warp-routing configuration. This configuration cannot be disabled by cloudflared so many of the references have been adjusted or removed. Closes TUN-9470	2025-06-30 13:24:16 -07:00
Devin Carr	9ca8b41cf7	TUN-9472: Add virtual DNS service Adds a new reserved service to route UDP requests towards the local DNS resolver. Closes TUN-9472	2025-06-27 13:09:29 -07:00
Devin Carr	b4a98b13fe	TUN-9469: Centralize UDP origin proxy dialing as ingress service Introduces a new `UDPOriginProxy` interface and `UDPOriginService` to standardize how UDP connections are dialed to origins. Allows for future overrides of the ingress service for specific dial destinations. Simplifies dependency injection for UDP dialing throughout both datagram v2 and v3 by using the same ingress service. Previous invocations called into a DialUDP function in the ingress package that was a light wrapper over `net.DialUDP`. Now a reference is passed into both datagram controllers that allows more control over the DialUDP method. Closes TUN-9469	2025-06-23 18:01:15 +00:00
João "Pisco" Fernandes	64fdc52855	Release 2025.6.1	2025-06-17 10:42:18 +01:00
Devin Carr	a65da54933	TUN-9371: Add logging format as JSON Closes TUN-9371	2025-06-16 21:25:13 +00:00
João "Pisco" Fernandes	43a3ba347b	TUN-9495: Remove references to cloudflare-go ## Summary When bumping cloudflared to use go1.24, we no longer need cloudflare-go, since most of the PQ and FIPS compliant curves are already available in go 1.24. Therefore, we can remove everything related with installing our go toolchain.	2025-06-16 14:51:22 +00:00
João Oliveirinha	47085ee0c9	TUN-9467: add vulncheck to cloudflared * TUN-9467: add vulncheck to cloudflared	2025-06-16 14:50:28 +00:00
João Oliveirinha	a408612f26	TUN-9467: bump coredns to solve CVE * TUN-9467: bump coredns to solve CVE	2025-06-12 10:46:10 +00:00