TUN-9800: Migrate apt internal builds to Gitlab

* TUN-9863: Introduce Code Signing for Windows Builds

This commit adds a signing step to the build script for windows binaries.
Since we package the MSI on Linux, this commit adds another CI step that depends on package-windows and signs all of the windows packages.

To do so, we use azuresigntool which relies on a certificate stored in Azure Vault.

Closes TUN-9863

.ci/apt-internal.gitlab-ci.yml

@@ -0,0 +1,151 @@
+.register_inputs: &register_inputs
+  stage: release-internal
+  runOnBranches: "^master$"
+  COMPONENT: "common"
+
+.register_inputs_stable_bookworm: &register_inputs_stable_bookworm
+  <<: *register_inputs
+  runOnChangesTo: ['RELEASE_NOTES']
+  FLAVOR: "bookworm"
+  SERIES: "stable"
+
+.register_inputs_stable_trixie: &register_inputs_stable_trixie
+  <<: *register_inputs
+  runOnChangesTo: ['RELEASE_NOTES']
+  FLAVOR: "trixie"
+  SERIES: "stable"
+
+.register_inputs_next_bookworm: &register_inputs_next_bookworm
+  <<: *register_inputs
+  FLAVOR: "bookworm"
+  SERIES: next
+
+.register_inputs_next_trixie: &register_inputs_next_trixie
+  <<: *register_inputs
+  FLAVOR: "trixie"
+  SERIES: next
+
+################################################
+### Generate Debian Package for Internal APT ###
+################################################
+.cloudflared-apt-build: &cloudflared_apt_build
+  stage: package
+  needs:
+    - ci-image-get-image-ref
+    - linux-packaging # For consistency, we only run this job after we knew we could build the packages for external delivery
+  image: $BUILD_IMAGE
+  cache: {}
+  script:
+    - make cloudflared-deb
+  artifacts:
+    paths:
+      - cloudflared*.deb
+
+##############
+### Stable ###
+##############
+cloudflared-amd64-stable:
+  <<: *cloudflared_apt_build
+  rules:
+    - !reference [.default-rules, run-on-release]
+  variables: &amd64-stable-vars
+    GOOS: linux
+    GOARCH: amd64
+    FIPS: true
+    ORIGINAL_NAME: true
+    CGO_ENABLED: 1
+
+cloudflared-arm64-stable:
+  <<: *cloudflared_apt_build
+  rules:
+    - !reference [.default-rules, run-on-release]
+  variables: &arm64-stable-vars
+    GOOS: linux
+    GOARCH: arm64
+    FIPS: false # TUN-7595
+    ORIGINAL_NAME: true
+    CGO_ENABLED: 1
+
+############
+### Next ###
+############
+cloudflared-amd64-next:
+  <<: *cloudflared_apt_build
+  rules:
+    - !reference [.default-rules, run-on-master]
+  variables:
+    <<: *amd64-stable-vars
+    NIGHTLY: true
+
+cloudflared-arm64-next:
+  <<: *cloudflared_apt_build
+  rules:
+    - !reference [.default-rules, run-on-master]
+  variables:
+    <<: *arm64-stable-vars
+    NIGHTLY: true
+
+include:
+  - local: .ci/commons.gitlab-ci.yml
+
+  ##########################################
+  ### Publish Packages to Internal Repos ###
+  ##########################################
+  # Bookworm AMD64
+  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
+    inputs:
+      <<: *register_inputs_stable_bookworm
+      jobPrefix: cloudflared-bookworm-amd64
+      needs: &amd64-stable ["cloudflared-amd64-stable"]
+
+  # Bookworm ARM64
+  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
+    inputs:
+      <<: *register_inputs_stable_bookworm
+      jobPrefix: cloudflared-bookworm-arm64
+      needs: &arm64-stable ["cloudflared-arm64-stable"]
+
+  # Trixie AMD64
+  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
+    inputs:
+      <<: *register_inputs_stable_trixie
+      jobPrefix: cloudflared-trixie-amd64
+      needs: *amd64-stable
+
+  # Trixie ARM64
+  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
+    inputs:
+      <<: *register_inputs_stable_trixie
+      jobPrefix: cloudflared-trixie-arm64
+      needs: *arm64-stable
+
+  ##################################################
+  ### Publish Nightly Packages to Internal Repos ###
+  ##################################################
+  # Bookworm AMD64
+  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
+    inputs:
+      <<: *register_inputs_next_bookworm
+      jobPrefix: cloudflared-nightly-bookworm-amd64
+      needs: &amd64-next ['cloudflared-amd64-next']
+
+  # Bookworm ARM64
+  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
+    inputs:
+      <<: *register_inputs_next_bookworm
+      jobPrefix: cloudflared-nightly-bookworm-arm64
+      needs: &arm64-next ['cloudflared-arm64-next']
+
+  # Trixie AMD64
+  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
+    inputs:
+      <<: *register_inputs_next_trixie
+      jobPrefix: cloudflared-nightly-trixie-amd64
+      needs: *amd64-next
+
+  # Trixie ARM64
+  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
+    inputs:
+      <<: *register_inputs_next_trixie
+      jobPrefix: cloudflared-nightly-trixie-arm64
+      needs: *arm64-next

.ci/commons.gitlab-ci.yml

@@ -3,14 +3,14 @@
   # Rules to run the job only on the master branch
   run-on-master:
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-      when: always
+      when: on_success
     - when: never
   # Rules to run the job only on merge requests
   run-on-mr:
     - if: $CI_COMMIT_TAG
       when: never
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-      when: always
+      when: on_success
     - when: never
   # Rules to run the job on merge_requests and master branch
   run-always:
@@ -18,23 +18,15 @@
       when: never
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
     - if: $CI_COMMIT_BRANCH != null && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-      when: always
+      when: on_success
+    - when: never
+  # Rules to run the job only when a release happens
+  run-on-release:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      changes:
+          - 'RELEASE_NOTES'
+      when: on_success
     - when: never
-
-# This before_script is injected into every job that runs on master meaning that if there is no tag the step
-# will succeed but only write "No tag present - Skipping" to the console.
-.check-tag:
-  before_script:
-    - |
-      # Check if there is a Git tag pointing to HEAD
-      echo "Tag found: $(git tag --points-at HEAD | grep .)"
-      if git tag --points-at HEAD | grep .; then
-        echo "Tag found: $(git tag --points-at HEAD | grep .)"
-        export "VERSION=$(git tag --points-at HEAD | grep .)"
-      else
-        echo "No tag present — skipping."
-        exit 0
-      fi
 
 .component-tests:
   image: $BUILD_IMAGE

.ci/github.gitlab-ci.yml

@@ -0,0 +1,17 @@
+include:
+  - local: .ci/commons.gitlab-ci.yml
+
+######################################
+### Sync master branch with Github ###
+######################################
+push-github:
+  stage: sync
+  rules:
+    - !reference [.default-rules, run-on-master]
+  script:
+    - ./.ci/scripts/github-push.sh
+  secrets:
+    CLOUDFLARED_DEPLOY_SSH_KEY:
+      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cloudflared_github_ssh/data@kv
+      file: false
+  cache: {}

.ci/image/Dockerfile

@@ -7,7 +7,7 @@ RUN apt-get update && \
     apt-get install --no-install-recommends --allow-downgrades -y \
         build-essential \
         git \
-        go-boring=1.24.6-1 \
+        go-boring=1.24.9-1 \
         libffi-dev \
         procps \
         python3-dev \
@@ -16,7 +16,16 @@ RUN apt-get update && \
         python3-venv \
         # libmsi and libgcab are libraries the wixl binary depends on.
         libmsi-dev \
-        libgcab-dev && \
+        libgcab-dev \
+        # deb and rpm build tools
+        rubygem-fpm \
+        rpm \
+        # create deb and rpm repository files
+        reprepro \
+        createrepo-c \
+        # gcc for cross architecture compilation in arm
+        gcc-aarch64-linux-gnu \
+        libc6-dev-arm64-cross && \
     rm -rf /var/lib/apt/lists/* && \
     # Install wixl
     curl -o /usr/local/bin/wixl -L https://pkg.cloudflare.com/binaries/wixl && \

.ci/linux.gitlab-ci.yml

@@ -5,8 +5,21 @@
   runner: linux-x86-8cpu-16gb
   stage: build
   golangVersion: "boring-1.24"
+  imageVersion: "3371-f5539bd6f83d@sha256:a2a68f580070f9411d0d3155959ed63b700ef319b5fcc62db340e92227bbc628"
   CGO_ENABLED: 1
 
+.default-packaging-job: &packaging-job-defaults
+  stage: package
+  needs:
+    - ci-image-get-image-ref
+  rules:
+    - !reference [.default-rules, run-on-master]
+  image: $BUILD_IMAGE
+  cache: {}
+  artifacts:
+    paths:
+      - artifacts/*
+
 include:
   ###################
   ### Linux Build ###
@@ -60,7 +73,7 @@ include:
 #################################
 ### Run Linux Component Tests ###
 #################################
-component-tests-linux: &component-tests-linux
+linux-component-tests: &linux-component-tests
   stage: test
   extends: .component-tests
   needs:
@@ -70,7 +83,7 @@ component-tests-linux: &component-tests-linux
     - ./.ci/scripts/component-tests.sh
   variables: &component-tests-variables
     CI: 1
-    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiBjbG91ZGZsYXJlZApjcmVkZW50aWFsc19maWxlOiBjcmVkLmpzb24Kb3JpZ2luY2VydDogY2VydC5wZW0Kem9uZV9kb21haW46IGFyZ290dW5uZWx0ZXN0LmNvbQp6b25lX3RhZzogNDg3OTZmMWU3MGJiNzY2OWMyOWJiNTFiYTI4MmJmNjU=
+    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkCmNyZWRlbnRpYWxzX2ZpbGU6IGNyZWQuanNvbgpvcmlnaW5jZXJ0OiBjZXJ0LnBlbQp6b25lX2RvbWFpbjogYXJnb3R1bm5lbHRlc3QuY29tCnpvbmVfdGFnOiA0ODc5NmYxZTcwYmI3NjY5YzI5YmI1MWJhMjgyYmY2NQ==
   tags:
     - linux-x86-8cpu-16gb
   artifacts:
@@ -80,11 +93,30 @@ component-tests-linux: &component-tests-linux
 ######################################
 ### Run Linux FIPS Component Tests ###
 ######################################
-component-tests-linux-fips:
-  <<: *component-tests-linux
+linux-component-tests-fips:
+  <<: *linux-component-tests
   needs:
     - ci-image-get-image-ref
     - linux-fips-build-boring-make
   variables:
     <<: *component-tests-variables
     COMPONENT_TESTS_FIPS: 1
+
+################################
+####### Linux Packaging ########
+################################
+linux-packaging:
+  <<: *packaging-job-defaults
+  parallel:
+    matrix:
+      - ARCH: ["386", "amd64", "arm", "armhf", "arm64"]
+  script:
+    - ./.ci/scripts/linux/build-packages.sh ${ARCH}
+
+################################
+##### Linux FIPS Packaging #####
+################################
+linux-packaging-fips:
+  <<: *packaging-job-defaults
+  script:
+    - ./.ci/scripts/linux/build-packages-fips.sh

.ci/mac.gitlab-ci.yml

@@ -17,7 +17,7 @@ include:
 ######################################
 ### Build Cloudflared Mac Binaries ###
 ######################################
-build-cloudflared-macos: &build-mac
+macos-build-cloudflared: &mac-build
   <<: *mac-build-defaults
   stage: build
   artifacts:
@@ -38,8 +38,8 @@ build-cloudflared-macos: &build-mac
 ###############################################
 ### Build and Sign Cloudflared Mac Binaries ###
 ###############################################
-build-and-sign-cloudflared-macos:
-  <<: *build-mac
+macos-build-and-sign-cloudflared:
+  <<: *mac-build
   rules:
     - !reference [.default-rules, run-on-master]
   secrets:

.ci/release.gitlab-ci.yml

@@ -1,26 +1,48 @@
 include:
   - local: .ci/commons.gitlab-ci.yml
 
-###########################################
-### Push Cloudflared Binaries to Github ###
-###########################################
-release-cloudflared-to-github:
+  ######################################
+  ### Build and Push DockerHub Image ###
+  ######################################
+  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
+    inputs:
+      stage: release
+      jobPrefix: docker-hub
+      runOnMR: false
+      runOnBranches: '^master$'
+      runOnChangesTo: ['RELEASE_NOTES']
+      needs:
+        - generate-version-file
+        - release-cloudflared-to-r2
+      commentImageRefs: false
+      runner: vm-linux-x86-4cpu-8gb
+      # Based on if the CI reference is protected or not the CI component will
+      # either use _BRANCH or _PROD, therefore, to prevent the pipelines from failing
+      # we simply set both to the same value.
+      DOCKER_USER_BRANCH: &docker-hub-user svcgithubdockerhubcloudflar045
+      DOCKER_PASSWORD_BRANCH: &docker-hub-password gitlab/cloudflare/tun/cloudflared/_dev/dockerhub/svc_password/data
+      DOCKER_USER_PROD: *docker-hub-user
+      DOCKER_PASSWORD_PROD: *docker-hub-password
+      EXTRA_DIB_ARGS: --overwrite
+
+.default-release-job: &release-job-defaults
   stage: release
   image: $BUILD_IMAGE
-  extends: .check-tag
-  needs:
-    - ci-image-get-image-ref
-    - package-windows
-    - build-and-sign-cloudflared-macos
-  rules:
-    - !reference [.default-rules, run-on-master]
   cache:
     paths:
       - .cache/pip
-  variables:
+  variables: &release-job-variables
     PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
+    # KV Vars
     KV_NAMESPACE: 380e19aa04314648949b6ad841417ebe
-    KV_ACCOUNT: 5ab4e9dfbd435d24068829fda0077963
+    KV_ACCOUNT: &cf-account 5ab4e9dfbd435d24068829fda0077963
+    # R2 Vars
+    R2_BUCKET: cloudflared-pkgs
+    R2_ACCOUNT_ID: *cf-account
+    # APT and RPM Repository Vars
+    GPG_PUBLIC_KEY_URL: "https://pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
+    PKG_URL: "https://pkg.cloudflare.com/cloudflared"
+    BINARY_NAME: cloudflared
   secrets:
     KV_API_TOKEN:
       vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_kv_api_token/data@kv
@@ -28,12 +50,84 @@ release-cloudflared-to-github:
     API_KEY:
       vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
       file: false
+    R2_CLIENT_ID:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_id@kv
+      file: false
+    R2_CLIENT_SECRET:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_secret@kv
+      file: false
+    LINUX_SIGNING_PUBLIC_KEY:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/public_key@kv
+      file: false
+    LINUX_SIGNING_PRIVATE_KEY:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/private_key@kv
+      file: false
+    LINUX_SIGNING_PUBLIC_KEY_2:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/public_key@kv
+      file: false
+    LINUX_SIGNING_PRIVATE_KEY_2:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/private_key@kv
+      file: false
+
+###########################################
+### Push Cloudflared Binaries to Github ###
+###########################################
+release-cloudflared-to-github:
+  <<: *release-job-defaults
+  rules:
+    - !reference [.default-rules, run-on-release]
+  needs:
+    - ci-image-get-image-ref
+    - linux-packaging
+    - linux-packaging-fips
+    - macos-build-and-sign-cloudflared
+    - windows-package-sign
   script:
-    - python3 --version ; pip --version  # For debugging
-    - python3 -m venv venv
-    - source venv/bin/activate
-    - pip install pynacl==1.4.0 pygithub==1.55
-    - echo $VERSION
-    - echo $TAG_EXISTS
-    - echo "Running release because tag exists."
-    - make gitlab-release
+    - ./.ci/scripts/release-target.sh github-release
+
+#########################################
+### Upload Cloudflared Binaries to R2 ###
+#########################################
+release-cloudflared-to-r2:
+  <<: *release-job-defaults
+  rules:
+    - !reference [.default-rules, run-on-release]
+  needs:
+    - ci-image-get-image-ref
+    - linux-packaging # We only release non-FIPS binaries to R2
+    - release-cloudflared-to-github
+  script:
+    - ./.ci/scripts/release-target.sh r2-linux-release
+
+#################################################
+### Upload Cloudflared Nightly Binaries to R2 ###
+#################################################
+release-cloudflared-nightly-to-r2:
+  <<: *release-job-defaults
+  rules:
+    - !reference [.default-rules, run-on-master]
+  variables:
+    <<: *release-job-variables
+    R2_BUCKET: cloudflared-pkgs-next
+    GPG_PUBLIC_KEY_URL: "https://next.pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
+    PKG_URL: "https://next.pkg.cloudflare.com/cloudflared"
+  needs:
+    - ci-image-get-image-ref
+    - linux-packaging # We only release non-FIPS binaries to R2
+  script:
+    - ./.ci/scripts/release-target.sh r2-linux-release
+
+#############################
+### Generate Version File ###
+#############################
+generate-version-file:
+  <<: *release-job-defaults
+  rules:
+    - !reference [.default-rules, run-on-release]
+  needs:
+    - ci-image-get-image-ref
+  script:
+    - make generate-docker-version
+  artifacts:
+    paths:
+      - versions

.ci/scripts/github-push.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+set -e -o pipefail
+
+BRANCH="master"
+TMP_PATH="$PWD/tmp"
+PRIVATE_KEY_PATH="$TMP_PATH/github-deploy-key"
+PUBLIC_KEY_GITHUB_PATH="$TMP_PATH/github.pub"
+
+mkdir -p $TMP_PATH
+
+# Setup Private Key
+echo "$CLOUDFLARED_DEPLOY_SSH_KEY" > $PRIVATE_KEY_PATH
+chmod 400 $PRIVATE_KEY_PATH
+
+# Download GitHub Public Key for KnownHostsFile
+ssh-keyscan -t ed25519 github.com > $PUBLIC_KEY_GITHUB_PATH
+
+# Setup git ssh command with the right configurations
+export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=$PUBLIC_KEY_GITHUB_PATH -o IdentitiesOnly=yes -i $PRIVATE_KEY_PATH"
+
+# Add GitHub as a new remote
+git remote add github git@github.com:cloudflare/cloudflared.git || true
+
+# GitLab doesn't pull branch references, instead it creates a new one on each pipeline.
+# Therefore, we need to manually fetch the reference to then push it to GitHub.
+git fetch origin $BRANCH:$BRANCH
+git push -u github $BRANCH
+
+if TAG="$(git describe --tags --exact-match 2>/dev/null)"; then
+  git push -u github "$TAG"
+fi

.ci/scripts/linux/build-packages.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# Check if architecture argument is provided
+if [ $# -eq 0 ]; then
+    echo "Error: Architecture argument is required"
+    echo "Usage: $0 <architecture>"
+    exit 1
+fi
+
+# Parameters
+arch=$1
+
+# Get Version
+VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
+echo $VERSION
+
+# Disable FIPS module in go-boring
+export GOEXPERIMENT=noboringcrypto
+export CGO_ENABLED=0
+
+# This controls the directory the built artifacts go into
+export ARTIFACT_DIR=artifacts/
+mkdir -p $ARTIFACT_DIR
+
+export TARGET_OS=linux
+
+unset TARGET_ARM
+export TARGET_ARCH=$arch
+
+## Support for arm platforms without hardware FPU enabled
+if [[ $arch == arm ]] ; then
+    export TARGET_ARCH=arm
+    export TARGET_ARM=5
+fi
+
+## Support for armhf builds
+if [[ $arch == armhf ]] ; then
+    export TARGET_ARCH=arm
+    export TARGET_ARM=7
+fi
+
+make cloudflared-deb
+mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
+
+# rpm packages invert the - and _ and use x86_64 instead of amd64.
+RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
+RPMARCH=$arch
+if [ $arch == "amd64" ];then
+    RPMARCH="x86_64"
+fi
+if [ $arch == "arm64" ]; then
+    RPMARCH="aarch64"
+fi
+make cloudflared-rpm
+mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
+
+# finally move the linux binary as well.
+mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
+

.ci/scripts/release-target.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+set -e -o pipefail
+
+# Check if a make target is provided as an argument
+if [ $# -eq 0 ]; then
+    echo "Error: Make target argument is required"
+    echo "Usage: $0 <make-target>"
+    exit 1
+fi
+
+MAKE_TARGET=$1
+
+python3 -m venv venv
+source venv/bin/activate
+
+# Our release scripts are written in python, so we should install their dependecies here.
+pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
+make $MAKE_TARGET

.ci/scripts/windows/builds.ps1

@@ -4,6 +4,7 @@ $ProgressPreference = "SilentlyContinue"
 
 $env:TARGET_OS = "windows"
 $env:LOCAL_OS = "windows"
+$TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
 
 New-Item -Path ".\artifacts" -ItemType Directory
 
@@ -13,6 +14,8 @@ $env:LOCAL_ARCH = "amd64"
 $env:CGO_ENABLED = 1
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
+# Sign build
+azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
 copy .\cloudflared.exe .\artifacts\cloudflared-windows-amd64.exe
 
 Write-Output "Building for 386"
@@ -21,4 +24,6 @@ $env:LOCAL_ARCH = "386"
 $env:CGO_ENABLED = 0
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
+## Sign build
+azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
 copy .\cloudflared.exe .\artifacts\cloudflared-windows-386.exe

.ci/scripts/windows/sign-msi.ps1

@@ -0,0 +1,26 @@
+# Sign Windows artifacts using azuretool
+# This script processes MSI files from the artifacts directory
+
+$ErrorActionPreference = "Stop"
+
+# Define paths
+$ARTIFACT_DIR = "artifacts"
+$TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
+
+Write-Host "Looking for Windows artifacts to sign in $ARTIFACT_DIR..."
+
+# Find all Windows MSI files
+$msiFiles = Get-ChildItem -Path $ARTIFACT_DIR -Filter "cloudflared-windows-*.msi" -ErrorAction SilentlyContinue
+
+if ($msiFiles.Count -eq 0) {
+    Write-Host "No Windows MSI files found in $ARTIFACT_DIR"
+    exit 1
+}
+
+Write-Host "Found $($msiFiles.Count) file(s) to sign:"
+foreach ($file in $msiFiles) {
+    Write-Host "Running azuretool sign for $($file.Name)"
+    azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\\$ARTIFACT_DIR\\$($file.Name)
+}
+
+Write-Host "Signing process completed"

.ci/windows.gitlab-ci.yml

@@ -14,7 +14,7 @@ include:
 ##########################################
 ### Build Cloudflared Windows Binaries ###
 ##########################################
-build-cloudflared-windows:
+windows-build-cloudflared:
   <<: *windows-build-defaults
   stage: build
   script:
@@ -26,7 +26,7 @@ build-cloudflared-windows:
 ######################################################
 ### Load Environment Variables for Component Tests ###
 ######################################################
-load-windows-env-variables:
+windows-load-env-variables:
   stage: pre-build
   extends: .component-tests
   script:
@@ -35,8 +35,29 @@ load-windows-env-variables:
     - echo "DNS_API_TOKEN=$DNS_API_TOKEN" >> windows.env
     # We have to encode the `COMPONENT_TESTS_ORIGINCERT` secret, because it content is a file, otherwise we can't export it using gitlab
     - echo "COMPONENT_TESTS_ORIGINCERT=$(echo "$COMPONENT_TESTS_ORIGINCERT" | base64 -w0)" >> windows.env
+    - echo "KEY_VAULT_URL=$KEY_VAULT_URL" >> windows.env
+    - echo "KEY_VAULT_CLIENT_ID=$KEY_VAULT_CLIENT_ID" >> windows.env
+    - echo "KEY_VAULT_TENANT_ID=$KEY_VAULT_TENANT_ID" >> windows.env
+    - echo "KEY_VAULT_SECRET=$KEY_VAULT_SECRET" >> windows.env
+    - echo "KEY_VAULT_CERTIFICATE=$KEY_VAULT_CERTIFICATE" >> windows.env
   variables:
-    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiBjbG91ZGZsYXJlZC5leGUKY3JlZGVudGlhbHNfZmlsZTogY3JlZC5qc29uCm9yaWdpbmNlcnQ6IGNlcnQucGVtCnpvbmVfZG9tYWluOiBhcmdvdHVubmVsdGVzdC5jb20Kem9uZV90YWc6IDQ4Nzk2ZjFlNzBiYjc2NjljMjliYjUxYmEyODJiZjY1
+    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkLmV4ZQpjcmVkZW50aWFsc19maWxlOiBjcmVkLmpzb24Kb3JpZ2luY2VydDogY2VydC5wZW0Kem9uZV9kb21haW46IGFyZ290dW5uZWx0ZXN0LmNvbQp6b25lX3RhZzogNDg3OTZmMWU3MGJiNzY2OWMyOWJiNTFiYTI4MmJmNjU=
+  secrets:
+    KEY_VAULT_URL:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_url@kv
+      file: false
+    KEY_VAULT_CLIENT_ID:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_client_id@kv
+      file: false
+    KEY_VAULT_TENANT_ID:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_tenant_id@kv
+      file: false
+    KEY_VAULT_SECRET:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/secret/key_vault_secret@kv
+      file: false
+    KEY_VAULT_CERTIFICATE:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/certificate/key_vault_certificate@kv
+      file: false
   artifacts:
     access: 'none'
     reports:
@@ -45,12 +66,12 @@ load-windows-env-variables:
 ###################################
 ### Run Windows Component Tests ###
 ###################################
-component-tests-cloudflared-windows:
+windows-component-tests-cloudflared:
   <<: *windows-build-defaults
   stage: test
-  needs: ["load-windows-env-variables"]
+  needs: ["windows-load-env-variables"]
   script:
-    # We have to decode the secret we encoded on the `load-windows-env-variables` job
+    # We have to decode the secret we encoded on the `windows-load-env-variables` job
     - $env:COMPONENT_TESTS_ORIGINCERT = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($env:COMPONENT_TESTS_ORIGINCERT))
     - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${GO_VERSION}" ".\.ci\scripts\windows\component-test.ps1"
   artifacts:
@@ -60,13 +81,13 @@ component-tests-cloudflared-windows:
 ################################
 ### Package Windows Binaries ###
 ################################
-package-windows:
+windows-package:
   rules:
     - !reference [.default-rules, run-on-master]
   stage: package
   needs:
     - ci-image-get-image-ref
-    - build-cloudflared-windows
+    - windows-build-cloudflared
   image: $BUILD_IMAGE
   script:
     - .ci/scripts/package-windows.sh
@@ -74,3 +95,20 @@ package-windows:
   artifacts:
     paths:
       - artifacts/*
+
+#############################
+### Sign Windows Binaries ###
+#############################
+windows-package-sign:
+  <<: *windows-build-defaults
+  rules:
+    - !reference [.default-rules, run-on-master]
+  stage: package
+  needs:
+    - windows-package
+    - windows-load-env-variables
+  script:
+    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\sign-msi.ps1"
+  artifacts:
+    paths:
+      - artifacts/*

.gitlab-ci.yml

@@ -1,5 +1,5 @@
 variables:
-  GO_VERSION: "go1.24.6"
+  GO_VERSION: "go1.24.9"
   GIT_DEPTH: "0"
 
 default:
@@ -7,7 +7,7 @@ default:
     VAULT_ID_TOKEN:
       aud: https://vault.cfdata.org
 
-stages: [pre-build, build, validate, test, package, release]
+stages: [sync, pre-build, build, validate, test, package, release, release-internal, review]
 
 include:
   #####################################################
@@ -15,6 +15,11 @@ include:
   #####################################################
   - local: .ci/commons.gitlab-ci.yml
 
+  #####################################################
+  ########### Sync Repository with Github #############
+  #####################################################
+  - local: .ci/github.gitlab-ci.yml
+
   #####################################################
   ############# Build or Fetch CI Image ###############
   #####################################################
@@ -39,3 +44,15 @@ include:
   ################# Release Packages ##################
   #####################################################
   - local: .ci/release.gitlab-ci.yml
+
+  #####################################################
+  ########## Release Packages Internally ##############
+  #####################################################
+  - local: .ci/apt-internal.gitlab-ci.yml
+
+  #####################################################
+  ############## Manual Claude Review #################
+  #####################################################
+  - component: $CI_SERVER_FQDN/cloudflare/ci/ai/review@~latest
+    inputs:
+      whenToRun: "manual"

Dockerfile

@@ -1,7 +1,7 @@
 # use a builder image for building cloudflare
 ARG TARGET_GOOS
 ARG TARGET_GOARCH
-FROM golang:1.24.4 AS builder
+FROM golang:1.24.9 AS builder
 ENV GO111MODULE=on \
   CGO_ENABLED=0 \
   TARGET_GOOS=${TARGET_GOOS} \

Dockerfile.amd64

@@ -1,5 +1,5 @@
 # use a builder image for building cloudflare
-FROM golang:1.24.4 AS builder
+FROM golang:1.24.9 AS builder
 ENV GO111MODULE=on \
   CGO_ENABLED=0 \
   # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual

Dockerfile.arm64

@@ -1,5 +1,5 @@
 # use a builder image for building cloudflare
-FROM golang:1.24.4 AS builder
+FROM golang:1.24.9 AS builder
 ENV GO111MODULE=on \
   CGO_ENABLED=0 \
   # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual

Makefile

@@ -182,7 +182,7 @@ fuzz:
 	@go test -fuzz=FuzzIPDecoder -fuzztime=600s ./packet
 	@go test -fuzz=FuzzICMPDecoder -fuzztime=600s ./packet
 	@go test -fuzz=FuzzSessionWrite -fuzztime=600s ./quic/v3
-	@go test -fuzz=FuzzSessionServe -fuzztime=600s ./quic/v3
+	@go test -fuzz=FuzzSessionRead -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzRegistrationDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzPayloadDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzRegistrationResponseDatagram -fuzztime=600s ./quic/v3
@@ -221,10 +221,6 @@ cloudflared-deb: cloudflared cloudflared.1
 cloudflared-rpm: cloudflared cloudflared.1
 	$(call build_package,rpm)
 
-.PHONY: cloudflared-pkg
-cloudflared-pkg: cloudflared cloudflared.1
-	$(call build_package,osxpkg)
-
 .PHONY: cloudflared-msi
 cloudflared-msi:
 	wixl --define Version=$(VERSION) --define Path=$(EXECUTABLE_PATH) --output cloudflared-$(VERSION)-$(TARGET_ARCH).msi cloudflared.wxs
@@ -235,17 +231,18 @@ github-release-dryrun:
 
 .PHONY: github-release
 github-release:
-	python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION)
-	python3 github_message.py --release-version $(VERSION)
-
-.PHONY: gitlab-release
-gitlab-release:
 	python3 github_release.py --path $(PWD)/artifacts/ --release-version $(VERSION)
+	python3 github_message.py --release-version $(VERSION)
 
 .PHONY: r2-linux-release
 r2-linux-release:
 	python3 ./release_pkgs.py
 
+.PHONY: r2-next-linux-release
+# Publishes to a separate R2 repository during GPG key rollover, using dual-key signing.
+r2-next-linux-release:
+	python3 ./release_pkgs.py --upload-repo-file
+
 .PHONY: capnp
 capnp:
 	which capnp  # https://capnproto.org/install.html

README.md

@@ -3,14 +3,14 @@
 Contains the command-line client for Cloudflare Tunnel, a tunneling daemon that proxies traffic from the Cloudflare network to your origins.
 This daemon sits between Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you
 via this daemon, without requiring you to poke holes on your firewall --- your origin can remain as closed as possible.
-Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps) of the Cloudflare Docs.
+Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel) of the Cloudflare Docs.
 All usages related with proxying to your origins are available under `cloudflared tunnel help`.
 
 You can also use `cloudflared` to access Tunnel origins (that are protected with `cloudflared tunnel`) for TCP traffic
 at Layer 4 (i.e., not HTTP/websocket), which is relevant for use cases such as SSH, RDP, etc.
 Such usages are available under `cloudflared access help`.
 
-You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/private-networks)
+You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/warp/)
 to access private origins behind Tunnels for Layer 4 traffic without requiring `cloudflared access` commands on the client side.
 
 
@@ -19,41 +19,41 @@ to access private origins behind Tunnels for Layer 4 traffic without requiring `
 Before you use Cloudflare Tunnel, you'll need to complete a few steps in the Cloudflare dashboard: you need to add a
 website to your Cloudflare account. Note that today it is possible to use Tunnel without a website (e.g. for private
 routing), but for legacy reasons this requirement is still necessary:
-1. [Add a website to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/201720164-Creating-a-Cloudflare-account-and-adding-a-website)
-2. [Change your domain nameservers to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/205195708)
+1. [Add a website to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/)
+2. [Change your domain nameservers to Cloudflare](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/)
 
 
 ## Installing `cloudflared`
 
 Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases [here](https://github.com/cloudflare/cloudflared/releases) on the `cloudflared` GitHub repository.
 
-* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
-* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#linux)
+* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
+* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#linux)
 * A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.com/r/cloudflare/cloudflared)
-* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#windows)
+* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#windows)
 * To build from source, install the required version of go, mentioned in the [Development](#development) section below. Then you can run `make cloudflared`.
 
-User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
+User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/
 
 
 ## Creating Tunnels and routing traffic
 
 Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels to serve traffic to your origins.
 
-* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/)
+* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/)
 * Route traffic to that Tunnel:
-  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns)
-  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb)
-  * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/)
+  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/)
+  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers/)
+  * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/)
 
 
 ## TryCloudflare
 
-Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/).
+Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/trycloudflare/).
 
 ## Deprecated versions
 
-Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/#updating-cloudflared).
+Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/update-cloudflared/).
 
 For example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1.
 

RELEASE_NOTES

@@ -1,3 +1,40 @@
+2025.11.1
+- 2025-11-07 TUN-9800: Fix docker hub push step
+
+2025.11.0
+- 2025-11-06 TUN-9863: Introduce Code Signing for Windows Builds
+- 2025-11-06 TUN-9800: Prefix gitlab steps with operating system
+- 2025-11-04 chore: Update cloudflared signing key name in index.html
+- 2025-10-31 chore: add claude review
+- 2025-10-31 Chore: Update documentation links in README
+- 2025-10-31 TUN-9800: Add pipelines for linux packaging
+
+2025.10.1
+- 2025-10-30 chore: Update ci image to use goboring 1.24.9
+- 2025-10-28 TUN-9849: Add cf-proxy-* to control response headers
+- 2025-10-24 TUN-9961: Add pkg.cloudflared.com index.html to git repo
+- 2025-10-23 TUN-9954: Update from go1.24.6 to go1.24.9
+- 2025-10-23 Fix systemd service installation hanging
+- 2025-10-21 TUN-9941: Use new GPG key for RPM builds
+- 2025-10-21 TUN-9941: Fix typo causing r2-release-next deployment to fail
+- 2025-10-21 TUN-9941: Lookup correct key for RPM signature
+- 2025-10-15 TUN-9919: Make RPM postinstall scriplet idempotent
+- 2025-10-14 TUN-9916: Fix the cloudflared binary path used in the component test
+
+2025.10.0
+- 2025-10-14 chore: Fix upload of RPM repo file during double signing
+- 2025-10-13 TUN-9882: Bump datagram v3 write channel capacity
+- 2025-10-10 chore: Fix import of GPG keys when two keys are provided
+- 2025-10-10 chore: Fix parameter order when uploading RPM .repo file to R2
+- 2025-10-10 TUN-9883: Add new datagram v3 feature flag
+- 2025-10-09 chore: Force usage of go-boring 1.24
+- 2025-10-08 TUN-9882: Improve metrics for datagram v3
+- 2025-10-07 GRC-16749: Add fedramp tags to catalog
+- 2025-10-07 TUN-9882: Add buffers for UDP and ICMP datagrams in datagram v3
+- 2025-10-07 TUN-9882: Add write deadline for UDP origin writes
+- 2025-09-29 TUN-9776: Support signing Debian packages with two keys for rollover
+- 2025-09-22 TUN-9800: Add pipeline to sync between gitlab and github repos
+
 2025.9.1
 - 2025-09-22 TUN-9855: Create script to ignore vulnerabilities from govuln check
 - 2025-09-19 TUN-9852: Remove fmt.Println from cloudflared access command

build-packages.sh

@@ -1,48 +0,0 @@
-#!/bin/bash
-VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
-echo $VERSION
-
-# Disable FIPS module in go-boring
-export GOEXPERIMENT=noboringcrypto
-export CGO_ENABLED=0
-
-# This controls the directory the built artifacts go into
-export ARTIFACT_DIR=artifacts/
-mkdir -p $ARTIFACT_DIR
-
-linuxArchs=("386" "amd64" "arm" "armhf" "arm64")
-export TARGET_OS=linux
-for arch in ${linuxArchs[@]}; do
-    unset TARGET_ARM
-    export TARGET_ARCH=$arch
-
-    ## Support for arm platforms without hardware FPU enabled
-    if [[ $arch == arm ]] ; then
-        export TARGET_ARCH=arm
-        export TARGET_ARM=5
-    fi
-    
-    ## Support for armhf builds 
-    if [[ $arch == armhf ]] ; then
-        export TARGET_ARCH=arm
-        export TARGET_ARM=7 
-    fi
-    
-    make cloudflared-deb
-    mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
-
-    # rpm packages invert the - and _ and use x86_64 instead of amd64.
-    RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
-    RPMARCH=$arch
-    if [ $arch == "amd64" ];then
-        RPMARCH="x86_64"
-    fi
-    if [ $arch == "arm64" ]; then
-        RPMARCH="aarch64"
-    fi
-    make cloudflared-rpm
-    mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
-
-    # finally move the linux binary as well.
-    mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
-done

catalog-info.yaml

@@ -14,4 +14,7 @@ spec:
   lifecycle: "Active"
   owner: "teams/tunnel-teams-routing"
   cf:
+    compliance:
+      fedramp-high: "pending"
+      fedramp-moderate: "yes"
     FIPS: "required"

cfsetup.yaml

@@ -1,234 +1,2 @@
-pinned_go: &pinned_go go-boring=1.24.4-1
-
-build_dir: &build_dir /cfsetup_build
-default-flavor: bookworm
-
-bookworm: &bookworm
-  build-linux:
-    build_dir: *build_dir
-    builddeps: &build_deps
-      - *pinned_go
-      - build-essential
-      - fakeroot
-      - rubygem-fpm
-      - rpm
-      - libffi-dev
-      - golangci-lint=1.64.8-2
-    pre-cache: &build_pre_cache
-      - export GOCACHE=/cfsetup_build/.cache/go-build
-      - go install golang.org/x/tools/cmd/goimports@v0.30.0
-    post-cache:
-      # Linting
-      - make lint
-      - make fmt-check
-      # Build binary for component test
-      - GOOS=linux GOARCH=amd64 make cloudflared
-  build-linux-fips:
-    build_dir: *build_dir
-    builddeps: *build_deps
-    pre-cache: *build_pre_cache
-    post-cache:
-      - export FIPS=true
-      # Build binary for component test
-      - GOOS=linux GOARCH=amd64 make cloudflared
-  cover:
-    build_dir: *build_dir
-    builddeps: *build_deps
-    pre-cache: *build_pre_cache
-    post-cache:
-      - make cover
-  # except FIPS and macos
-  build-linux-release:
-    build_dir: *build_dir
-    builddeps: &build_deps_release
-      - *pinned_go
-      - build-essential
-      - fakeroot
-      - rubygem-fpm
-      - rpm
-      - libffi-dev
-      - python3-dev
-      - python3-pip
-      - python3-setuptools
-      - wget
-      - python3-venv
-    post-cache:
-      - python3 -m venv env
-      - . /cfsetup_build/env/bin/activate
-      - pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
-      # build all packages (except macos and FIPS) and move them to /cfsetup/built_artifacts
-      - ./build-packages.sh
-  # handle FIPS separately so that we built with gofips compiler
-  build-linux-fips-release:
-    build_dir: *build_dir
-    builddeps: *build_deps_release
-    post-cache:
-      # same logic as above, but for FIPS packages only
-      - ./build-packages-fips.sh
-  generate-versions-file:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - build-essential
-    post-cache:
-      - make generate-docker-version
-  build-deb:
-    build_dir: *build_dir
-    builddeps: &build_deb_deps
-      - *pinned_go
-      - build-essential
-      - fakeroot
-      - rubygem-fpm
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=amd64
-      - make cloudflared-deb
-  build-fips-internal-deb:
-    build_dir: *build_dir
-    builddeps: &build_fips_deb_deps
-      - *pinned_go
-      - build-essential
-      - fakeroot
-      - rubygem-fpm
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=amd64
-      - export FIPS=true
-      - export ORIGINAL_NAME=true
-      - make cloudflared-deb
-  build-internal-deb-nightly-amd64:
-    build_dir: *build_dir
-    builddeps: *build_fips_deb_deps
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=amd64
-      - export NIGHTLY=true
-      - export FIPS=true
-      - export ORIGINAL_NAME=true
-      - make cloudflared-deb
-  build-internal-deb-nightly-arm64:
-    build_dir: *build_dir
-    builddeps: *build_fips_deb_deps
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=arm64
-      - export NIGHTLY=true
-      # - export FIPS=true # TUN-7595
-      - export ORIGINAL_NAME=true
-      - make cloudflared-deb
-  build-deb-arm64:
-    build_dir: *build_dir
-    builddeps: *build_deb_deps
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=arm64
-      - make cloudflared-deb
-  test:
-    build_dir: *build_dir
-    builddeps: &build_deps_tests
-      - *pinned_go
-      - build-essential
-      - fakeroot
-      - rubygem-fpm
-      - rpm
-      - libffi-dev
-      - gotest-to-teamcity
-    pre-cache: *build_pre_cache
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=amd64
-      - export PATH="$HOME/go/bin:$PATH"
-      - make test | gotest-to-teamcity
-  test-fips:
-    build_dir: *build_dir
-    builddeps: *build_deps_tests
-    pre-cache: *build_pre_cache
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=amd64
-      - export FIPS=true
-      - export PATH="$HOME/go/bin:$PATH"
-      - make test | gotest-to-teamcity
-  component-test:
-    build_dir: *build_dir
-    builddeps: &build_deps_component_test
-      - *pinned_go
-      - python3
-      - python3-pip
-      - python3-setuptools
-      # procps installs the ps command which is needed in test_sysv_service
-      # because the init script uses ps pid to determine if the agent is
-      # running
-      - procps
-      - python3-venv
-    pre-cache-copy-paths:
-      - component-tests/requirements.txt
-    post-cache: &component_test_post_cache
-      - python3 -m venv env
-      - . env/bin/activate
-      - pip install --upgrade -r component-tests/requirements.txt
-      # Creates and routes a Named Tunnel for this build. Also constructs
-      # config file from env vars.
-      - python3 component-tests/setup.py --type create
-      - pytest component-tests -o log_cli=true --log-cli-level=INFO
-      # The Named Tunnel is deleted and its route unprovisioned here.
-      - python3 component-tests/setup.py --type cleanup
-  component-test-fips:
-    build_dir: *build_dir
-    builddeps: *build_deps_component_test
-    pre-cache-copy-paths:
-      - component-tests/requirements.txt
-    post-cache: *component_test_post_cache
-  github-release-dryrun:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - build-essential
-      - python3-dev
-      - libffi-dev
-      - python3-setuptools
-      - python3-pip
-      - python3-venv
-    post-cache:
-      - python3 -m venv env
-      - . env/bin/activate
-      - pip install pynacl==1.4.0 pygithub==1.55
-      - make github-release-dryrun
-  github-release:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - build-essential
-      - python3-dev
-      - libffi-dev
-      - python3-setuptools
-      - python3-pip
-      - python3-venv
-    post-cache:
-      - python3 -m venv env
-      - . env/bin/activate
-      - pip install pynacl==1.4.0 pygithub==1.55
-      - make github-release
-  r2-linux-release:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - build-essential
-      - fakeroot
-      - rubygem-fpm
-      - rpm
-      - wget
-      - python3-dev
-      - libffi-dev
-      - python3-setuptools
-      - python3-pip
-      - reprepro
-      - createrepo-c
-      - python3-venv
-    post-cache:
-      - python3 -m venv env
-      - . env/bin/activate
-      - pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
-      - make r2-linux-release
-
-trixie: *bookworm
+# A valid cfsetup.yaml is required but we dont have any real config to specify
+dummy_key: true

client/config_test.go

@@ -45,6 +45,6 @@ func (m *mockFeatureSelector) Snapshot() features.FeatureSnapshot {
 	return features.FeatureSnapshot{
 		PostQuantum:     features.PostQuantumPrefer,
 		DatagramVersion: features.DatagramV3,
-		FeaturesList:    []string{features.FeaturePostQuantum, features.FeatureDatagramV3_1},
+		FeaturesList:    []string{features.FeaturePostQuantum, features.FeatureDatagramV3_2},
 	}
 }

cmd/cloudflared/linux_service.go

@@ -60,7 +60,7 @@ After=network-online.target
 Wants=network-online.target
 
 [Service]
-TimeoutStartSec=0
+TimeoutStartSec=15
 Type=notify
 ExecStart={{ .Path }} --no-autoupdate{{ range .ExtraArgs }} {{ . }}{{ end }}
 Restart=on-failure

component-tests/test_management.py

@@ -107,7 +107,13 @@ class TestManagement:
             assert resp.status_code == 404, "Expected cloudflared to return 404 for /metrics"
 
 
+
+
 @retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
 def send_request(url, headers={}):
     with requests.Session() as s:
-        return s.get(url, timeout=BACKOFF_SECS, headers=headers)
+        resp = s.get(url, timeout=BACKOFF_SECS, headers=headers)
+        if resp.status_code == 530:
+            LOGGER.debug(f"Received 530 status, retrying request to {url}")
+            raise Exception(f"Received 530 status code from {url}")
+        return resp

component-tests/test_tunnel.py

@@ -33,13 +33,20 @@ class TestTunnel:
         LOGGER.debug(config)
         with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"],  cfd_args=["run"], new_process=True):
             wait_tunnel_ready(require_min_connections=1)
-            resp = send_request(config.get_url()+"/")
-            assert resp.status_code == 503, "Expected cloudflared to return 503 for all requests with no ingress defined"
-            resp = send_request(config.get_url()+"/test")
-            assert resp.status_code == 503, "Expected cloudflared to return 503 for all requests with no ingress defined"
+            expected_status_code = 503
+            resp = send_request(config.get_url()+"/", expected_status_code)
+            assert resp.status_code == expected_status_code, "Expected cloudflared to return 503 for all requests with no ingress defined"
+            resp = send_request(config.get_url()+"/test", expected_status_code)
+            assert resp.status_code == expected_status_code, "Expected cloudflared to return 503 for all requests with no ingress defined"
 
+def retry_if_result_none(result):
+    '''
+    Returns True if the result is None, indicating that the function should be retried.
+    '''
+    return result is None
 
-@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
-def send_request(url, headers={}):
+@retry(retry_on_result=retry_if_result_none, stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
+def send_request(url, expected_status_code=200):
     with requests.Session() as s:
-        return s.get(url, timeout=BACKOFF_SECS, headers=headers)
+        resp = s.get(url, timeout=BACKOFF_SECS)
+        return resp if resp.status_code == expected_status_code else None

connection/header.go

@@ -53,7 +53,8 @@ var headerEncoding = base64.RawStdEncoding
 func IsControlResponseHeader(headerName string) bool {
 	return strings.HasPrefix(headerName, ":") ||
 		strings.HasPrefix(headerName, "cf-int-") ||
-		strings.HasPrefix(headerName, "cf-cloudflared-")
+		strings.HasPrefix(headerName, "cf-cloudflared-") ||
+		strings.HasPrefix(headerName, "cf-proxy-")
 }
 
 // isWebsocketClientHeader returns true if the header name is required by the client to upgrade properly

connection/header_test.go

@@ -1,18 +1,17 @@
 package connection
 
 import (
-	"fmt"
 	"net/http"
 	"reflect"
 	"sort"
 	"testing"
 
-	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestSerializeHeaders(t *testing.T) {
 	request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 
 	mockHeaders := http.Header{
 		"Mock-Header-One":        {"Mock header one value", "three"},
@@ -39,22 +38,22 @@ func TestSerializeHeaders(t *testing.T) {
 	serializedHeaders := SerializeHeaders(request.Header)
 
 	// Sanity check: the headers serialized to something that's not an empty string
-	assert.NotEqual(t, "", serializedHeaders)
+	require.NotEqual(t, "", serializedHeaders)
 
 	// Deserialize back, and ensure we get the same set of headers
 	deserializedHeaders, err := DeserializeHeaders(serializedHeaders)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 
-	assert.Equal(t, 13, len(deserializedHeaders))
+	require.Len(t, deserializedHeaders, 13)
 	expectedHeaders := headerToReqHeader(mockHeaders)
 
 	sort.Sort(ByName(deserializedHeaders))
 	sort.Sort(ByName(expectedHeaders))
 
-	assert.True(
+	require.True(
 		t,
 		reflect.DeepEqual(expectedHeaders, deserializedHeaders),
-		fmt.Sprintf("got = %#v, want = %#v\n", deserializedHeaders, expectedHeaders),
+		"got = %#v, want = %#v\n", deserializedHeaders, expectedHeaders,
 	)
 }
 
@@ -82,12 +81,12 @@ func headerToReqHeader(headers http.Header) (reqHeaders []HTTPHeader) {
 
 func TestSerializeNoHeaders(t *testing.T) {
 	request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 
 	serializedHeaders := SerializeHeaders(request.Header)
 	deserializedHeaders, err := DeserializeHeaders(serializedHeaders)
-	assert.NoError(t, err)
-	assert.Equal(t, 0, len(deserializedHeaders))
+	require.NoError(t, err)
+	require.Empty(t, deserializedHeaders)
 }
 
 func TestDeserializeMalformed(t *testing.T) {
@@ -102,21 +101,22 @@ func TestDeserializeMalformed(t *testing.T) {
 
 	for _, malformedValue := range malformedData {
 		_, err = DeserializeHeaders(malformedValue)
-		assert.Error(t, err)
+		require.Error(t, err)
 	}
 }
 
 func TestIsControlResponseHeader(t *testing.T) {
 	controlResponseHeaders := []string{
-		// Anything that begins with cf-int- or cf-cloudflared-
+		// Anything that begins with cf-int-, cf-cloudflared- or cf-proxy-
 		"cf-int-sample-header",
 		"cf-cloudflared-sample-header",
+		"cf-proxy-sample-header",
 		// Any http2 pseudoheader
 		":sample-pseudo-header",
 	}
 
 	for _, header := range controlResponseHeaders {
-		assert.True(t, IsControlResponseHeader(header))
+		require.True(t, IsControlResponseHeader(header))
 	}
 }
 
@@ -130,6 +130,6 @@ func TestIsNotControlResponseHeader(t *testing.T) {
 	}
 
 	for _, header := range notControlResponseHeaders {
-		assert.False(t, IsControlResponseHeader(header))
+		require.False(t, IsControlResponseHeader(header))
 	}
 }

features/features.go

@@ -10,9 +10,10 @@ const (
 	FeaturePostQuantum       = "postquantum"
 	FeatureQUICSupportEOF    = "support_quic_eof"
 	FeatureManagementLogs    = "management_logs"
-	FeatureDatagramV3_1      = "support_datagram_v3_1"
+	FeatureDatagramV3_2      = "support_datagram_v3_2"
 
-	DeprecatedFeatureDatagramV3 = "support_datagram_v3" // Deprecated: TUN-9291
+	DeprecatedFeatureDatagramV3   = "support_datagram_v3"   // Deprecated: TUN-9291
+	DeprecatedFeatureDatagramV3_1 = "support_datagram_v3_1" // Deprecated: TUN-9883
 )
 
 var defaultFeatures = []string{
@@ -26,6 +27,7 @@ var defaultFeatures = []string{
 // List of features that are no longer in-use.
 var deprecatedFeatures = []string{
 	DeprecatedFeatureDatagramV3,
+	DeprecatedFeatureDatagramV3_1,
 }
 
 // Features set by user provided flags
@@ -58,7 +60,7 @@ const (
 	// DatagramV2 is the currently supported datagram protocol for UDP and ICMP packets
 	DatagramV2 DatagramVersion = FeatureDatagramV2
 	// DatagramV3 is a new datagram protocol for UDP and ICMP packets. It is not backwards compatible with datagram v2.
-	DatagramV3 DatagramVersion = FeatureDatagramV3_1
+	DatagramV3 DatagramVersion = FeatureDatagramV3_2
 )
 
 // Remove any duplicate features from the list and remove deprecated features

features/selector.go

@@ -23,9 +23,10 @@ const (
 // If the TXT record is missing a key, the field will unmarshal to the default Go value
 
 type featuresRecord struct {
-	DatagramV3Percentage uint32 `json:"dv3_1"`
+	DatagramV3Percentage uint32 `json:"dv3_2"`
 
 	// DatagramV3Percentage int32 `json:"dv3"` // Removed in TUN-9291
+	// DatagramV3Percentage uint32 `json:"dv3_1"` // Removed in TUN-9883
 	// PostQuantumPercentage int32 `json:"pq"` // Removed in TUN-7970
 }
 
@@ -105,7 +106,7 @@ func (fs *featureSelector) postQuantumMode() PostQuantumMode {
 
 func (fs *featureSelector) datagramVersion() DatagramVersion {
 	// If user provides the feature via the cli, we take it as priority over remote feature evaluation
-	if slices.Contains(fs.cliFeatures, FeatureDatagramV3_1) {
+	if slices.Contains(fs.cliFeatures, FeatureDatagramV3_2) {
 		return DatagramV3
 	}
 	// If the user specifies DatagramV2, we also take that over remote

features/selector_test.go

@@ -22,15 +22,15 @@ func TestUnmarshalFeaturesRecord(t *testing.T) {
 		expectedPercentage uint32
 	}{
 		{
-			record:             []byte(`{"dv3_1":0}`),
+			record:             []byte(`{"dv3_2":0}`),
 			expectedPercentage: 0,
 		},
 		{
-			record:             []byte(`{"dv3_1":39}`),
+			record:             []byte(`{"dv3_2":39}`),
 			expectedPercentage: 39,
 		},
 		{
-			record:             []byte(`{"dv3_1":100}`),
+			record:             []byte(`{"dv3_2":100}`),
 			expectedPercentage: 100,
 		},
 		{
@@ -40,7 +40,7 @@ func TestUnmarshalFeaturesRecord(t *testing.T) {
 			record: []byte(`{"kyber":768}`), // Unmarshal to default struct if key is not present
 		},
 		{
-			record: []byte(`{"pq": 101,"dv3":100}`), // Expired keys don't unmarshal to anything
+			record: []byte(`{"pq": 101,"dv3":100,"dv3_1":100}`), // Expired keys don't unmarshal to anything
 		},
 	}
 
@@ -111,10 +111,10 @@ func TestFeaturePrecedenceEvaluationDatagramVersion(t *testing.T) {
 		},
 		{
 			name:             "user_specified_v3",
-			cli:              []string{FeatureDatagramV3_1},
+			cli:              []string{FeatureDatagramV3_2},
 			remote:           featuresRecord{},
-			expectedFeatures: dedupAndRemoveFeatures(append(defaultFeatures, FeatureDatagramV3_1)),
-			expectedVersion:  FeatureDatagramV3_1,
+			expectedFeatures: dedupAndRemoveFeatures(append(defaultFeatures, FeatureDatagramV3_2)),
+			expectedVersion:  FeatureDatagramV3_2,
 		},
 	}
 
@@ -150,6 +150,12 @@ func TestDeprecatedFeaturesRemoved(t *testing.T) {
 			remote:           featuresRecord{},
 			expectedFeatures: defaultFeatures,
 		},
+		{
+			name:             "support_datagram_v3_1",
+			cli:              []string{DeprecatedFeatureDatagramV3_1},
+			remote:           featuresRecord{},
+			expectedFeatures: defaultFeatures,
+		},
 	}
 
 	for _, test := range tests {

ingress/origin_dialer.go

@@ -11,6 +11,8 @@ import (
 	"github.com/rs/zerolog"
 )
 
+const writeDeadlineUDP = 200 * time.Millisecond
+
 // OriginTCPDialer provides a TCP dial operation to a requested address.
 type OriginTCPDialer interface {
 	DialTCP(ctx context.Context, addr netip.AddrPort) (net.Conn, error)
@@ -141,6 +143,21 @@ func (d *Dialer) DialUDP(dest netip.AddrPort) (net.Conn, error) {
 	if err != nil {
 		return nil, fmt.Errorf("unable to dial udp to origin %s: %w", dest, err)
 	}
-
-	return conn, nil
+	return &writeDeadlineConn{
+		Conn: conn,
+	}, nil
+}
+
+// writeDeadlineConn is a wrapper around a net.Conn that sets a write deadline of 200ms.
+// This is to prevent the socket from blocking on the write operation if it were to occur. However,
+// we typically never expect this to occur except under high load or kernel issues.
+type writeDeadlineConn struct {
+	net.Conn
+}
+
+func (w *writeDeadlineConn) Write(b []byte) (int, error) {
+	if err := w.SetWriteDeadline(time.Now().Add(writeDeadlineUDP)); err != nil {
+		return 0, err
+	}
+	return w.Conn.Write(b)
 }

postinst.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
 set -eu
-ln -s /usr/bin/cloudflared /usr/local/bin/cloudflared
+ln -sf /usr/bin/cloudflared /usr/local/bin/cloudflared
 mkdir -p /usr/local/etc/cloudflared/
 touch /usr/local/etc/cloudflared/.installedFromPackageManager || true

quic/v3/datagram_test.go

@@ -1,6 +1,7 @@
 package v3_test
 
 import (
+	"crypto/rand"
 	"encoding/binary"
 	"errors"
 	"net/netip"
@@ -14,12 +15,18 @@ import (
 
 func makePayload(size int) []byte {
 	payload := make([]byte, size)
-	for i := range len(payload) {
-		payload[i] = 0xfc
-	}
+	_, _ = rand.Read(payload)
 	return payload
 }
 
+func makePayloads(size int, count int) [][]byte {
+	payloads := make([][]byte, count)
+	for i := range payloads {
+		payloads[i] = makePayload(size)
+	}
+	return payloads
+}
+
 func TestSessionRegistration_MarshalUnmarshal(t *testing.T) {
 	payload := makePayload(1280)
 	tests := []*v3.UDPSessionRegistrationDatagram{

quic/v3/metrics.go

@@ -9,28 +9,59 @@ import (
 )
 
 const (
-	namespace = "cloudflared"
-	subsystem = "udp"
+	namespace      = "cloudflared"
+	subsystem_udp  = "udp"
+	subsystem_icmp = "icmp"
 
 	commandMetricLabel = "command"
+	reasonMetricLabel  = "reason"
 )
 
+type DroppedReason int
+
+const (
+	DroppedWriteFailed DroppedReason = iota
+	DroppedWriteDeadlineExceeded
+	DroppedWriteFull
+	DroppedWriteFlowUnknown
+	DroppedReadFailed
+	// Origin payloads that are too large to proxy.
+	DroppedReadTooLarge
+)
+
+var droppedReason = map[DroppedReason]string{
+	DroppedWriteFailed:           "write_failed",
+	DroppedWriteDeadlineExceeded: "write_deadline_exceeded",
+	DroppedWriteFull:             "write_full",
+	DroppedWriteFlowUnknown:      "write_flow_unknown",
+	DroppedReadFailed:            "read_failed",
+	DroppedReadTooLarge:          "read_too_large",
+}
+
+func (dr DroppedReason) String() string {
+	return droppedReason[dr]
+}
+
 type Metrics interface {
 	IncrementFlows(connIndex uint8)
 	DecrementFlows(connIndex uint8)
-	PayloadTooLarge(connIndex uint8)
+	FailedFlow(connIndex uint8)
 	RetryFlowResponse(connIndex uint8)
 	MigrateFlow(connIndex uint8)
 	UnsupportedRemoteCommand(connIndex uint8, command string)
+	DroppedUDPDatagram(connIndex uint8, reason DroppedReason)
+	DroppedICMPPackets(connIndex uint8, reason DroppedReason)
 }
 
 type metrics struct {
 	activeUDPFlows            *prometheus.GaugeVec
 	totalUDPFlows             *prometheus.CounterVec
-	payloadTooLarge           *prometheus.CounterVec
 	retryFlowResponses        *prometheus.CounterVec
 	migratedFlows             *prometheus.CounterVec
 	unsupportedRemoteCommands *prometheus.CounterVec
+	droppedUDPDatagrams       *prometheus.CounterVec
+	droppedICMPPackets        *prometheus.CounterVec
+	failedFlows               *prometheus.CounterVec
 }
 
 func (m *metrics) IncrementFlows(connIndex uint8) {
@@ -42,8 +73,8 @@ func (m *metrics) DecrementFlows(connIndex uint8) {
 	m.activeUDPFlows.WithLabelValues(fmt.Sprintf("%d", connIndex)).Dec()
 }
 
-func (m *metrics) PayloadTooLarge(connIndex uint8) {
-	m.payloadTooLarge.WithLabelValues(fmt.Sprintf("%d", connIndex)).Inc()
+func (m *metrics) FailedFlow(connIndex uint8) {
+	m.failedFlows.WithLabelValues(fmt.Sprintf("%d", connIndex)).Inc()
 }
 
 func (m *metrics) RetryFlowResponse(connIndex uint8) {
@@ -58,52 +89,74 @@ func (m *metrics) UnsupportedRemoteCommand(connIndex uint8, command string) {
 	m.unsupportedRemoteCommands.WithLabelValues(fmt.Sprintf("%d", connIndex), command).Inc()
 }
 
+func (m *metrics) DroppedUDPDatagram(connIndex uint8, reason DroppedReason) {
+	m.droppedUDPDatagrams.WithLabelValues(fmt.Sprintf("%d", connIndex), reason.String()).Inc()
+}
+
+func (m *metrics) DroppedICMPPackets(connIndex uint8, reason DroppedReason) {
+	m.droppedICMPPackets.WithLabelValues(fmt.Sprintf("%d", connIndex), reason.String()).Inc()
+}
+
 func NewMetrics(registerer prometheus.Registerer) Metrics {
 	m := &metrics{
 		activeUDPFlows: prometheus.NewGaugeVec(prometheus.GaugeOpts{
 			Namespace: namespace,
-			Subsystem: subsystem,
+			Subsystem: subsystem_udp,
 			Name:      "active_flows",
 			Help:      "Concurrent count of UDP flows that are being proxied to any origin",
 		}, []string{quic.ConnectionIndexMetricLabel}),
 		totalUDPFlows: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
 			Namespace: namespace,
-			Subsystem: subsystem,
+			Subsystem: subsystem_udp,
 			Name:      "total_flows",
 			Help:      "Total count of UDP flows that have been proxied to any origin",
 		}, []string{quic.ConnectionIndexMetricLabel}),
-		payloadTooLarge: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
+		failedFlows: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
 			Namespace: namespace,
-			Subsystem: subsystem,
-			Name:      "payload_too_large",
-			Help:      "Total count of UDP flows that have had origin payloads that are too large to proxy",
+			Subsystem: subsystem_udp,
+			Name:      "failed_flows",
+			Help:      "Total count of flows that errored and closed",
 		}, []string{quic.ConnectionIndexMetricLabel}),
 		retryFlowResponses: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
 			Namespace: namespace,
-			Subsystem: subsystem,
+			Subsystem: subsystem_udp,
 			Name:      "retry_flow_responses",
 			Help:      "Total count of UDP flows that have had to send their registration response more than once",
 		}, []string{quic.ConnectionIndexMetricLabel}),
 		migratedFlows: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
 			Namespace: namespace,
-			Subsystem: subsystem,
+			Subsystem: subsystem_udp,
 			Name:      "migrated_flows",
 			Help:      "Total count of UDP flows have been migrated across local connections",
 		}, []string{quic.ConnectionIndexMetricLabel}),
-		unsupportedRemoteCommands: prometheus.NewCounterVec(prometheus.CounterOpts{
+		unsupportedRemoteCommands: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
 			Namespace: namespace,
-			Subsystem: subsystem,
+			Subsystem: subsystem_udp,
 			Name:      "unsupported_remote_command_total",
-			Help:      "Total count of unsupported remote RPC commands for the ",
+			Help:      "Total count of unsupported remote RPC commands called",
 		}, []string{quic.ConnectionIndexMetricLabel, commandMetricLabel}),
+		droppedUDPDatagrams: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
+			Namespace: namespace,
+			Subsystem: subsystem_udp,
+			Name:      "dropped_datagrams",
+			Help:      "Total count of UDP dropped datagrams",
+		}, []string{quic.ConnectionIndexMetricLabel, reasonMetricLabel}),
+		droppedICMPPackets: prometheus.NewCounterVec(prometheus.CounterOpts{ //nolint:promlinter
+			Namespace: namespace,
+			Subsystem: subsystem_icmp,
+			Name:      "dropped_packets",
+			Help:      "Total count of ICMP dropped datagrams",
+		}, []string{quic.ConnectionIndexMetricLabel, reasonMetricLabel}),
 	}
 	registerer.MustRegister(
 		m.activeUDPFlows,
 		m.totalUDPFlows,
-		m.payloadTooLarge,
+		m.failedFlows,
 		m.retryFlowResponses,
 		m.migratedFlows,
 		m.unsupportedRemoteCommands,
+		m.droppedUDPDatagrams,
+		m.droppedICMPPackets,
 	)
 	return m
 }

quic/v3/metrics_test.go

@@ -1,10 +1,15 @@
 package v3_test
 
+import v3 "github.com/cloudflare/cloudflared/quic/v3"
+
 type noopMetrics struct{}
 
-func (noopMetrics) IncrementFlows(connIndex uint8)                           {}
-func (noopMetrics) DecrementFlows(connIndex uint8)                           {}
-func (noopMetrics) PayloadTooLarge(connIndex uint8)                          {}
-func (noopMetrics) RetryFlowResponse(connIndex uint8)                        {}
-func (noopMetrics) MigrateFlow(connIndex uint8)                              {}
-func (noopMetrics) UnsupportedRemoteCommand(connIndex uint8, command string) {}
+func (noopMetrics) IncrementFlows(connIndex uint8)                              {}
+func (noopMetrics) DecrementFlows(connIndex uint8)                              {}
+func (noopMetrics) FailedFlow(connIndex uint8)                                  {}
+func (noopMetrics) PayloadTooLarge(connIndex uint8)                             {}
+func (noopMetrics) RetryFlowResponse(connIndex uint8)                           {}
+func (noopMetrics) MigrateFlow(connIndex uint8)                                 {}
+func (noopMetrics) UnsupportedRemoteCommand(connIndex uint8, command string)    {}
+func (noopMetrics) DroppedUDPDatagram(connIndex uint8, reason v3.DroppedReason) {}
+func (noopMetrics) DroppedICMPPackets(connIndex uint8, reason v3.DroppedReason) {}

quic/v3/muxer.go

@@ -17,6 +17,9 @@ const (
 	// Allocating a 16 channel buffer here allows for the writer to be slightly faster than the reader.
 	// This has worked previously well for datagramv2, so we will start with this as well
 	demuxChanCapacity = 16
+	// This provides a small buffer for the PacketRouter to poll ICMP packets from the QUIC connection
+	// before writing them to the origin.
+	icmpDatagramChanCapacity = 128
 
 	logSrcKey      = "src"
 	logDstKey      = "dst"
@@ -59,14 +62,15 @@ type QuicConnection interface {
 }
 
 type datagramConn struct {
-	conn           QuicConnection
-	index          uint8
-	sessionManager SessionManager
-	icmpRouter     ingress.ICMPRouter
-	metrics        Metrics
-	logger         *zerolog.Logger
-	datagrams      chan []byte
-	readErrors     chan error
+	conn             QuicConnection
+	index            uint8
+	sessionManager   SessionManager
+	icmpRouter       ingress.ICMPRouter
+	metrics          Metrics
+	logger           *zerolog.Logger
+	datagrams        chan []byte
+	icmpDatagramChan chan *ICMPDatagram
+	readErrors       chan error
 
 	icmpEncoderPool sync.Pool // a pool of *packet.Encoder
 	icmpDecoderPool sync.Pool
@@ -75,14 +79,15 @@ type datagramConn struct {
 func NewDatagramConn(conn QuicConnection, sessionManager SessionManager, icmpRouter ingress.ICMPRouter, index uint8, metrics Metrics, logger *zerolog.Logger) DatagramConn {
 	log := logger.With().Uint8("datagramVersion", 3).Logger()
 	return &datagramConn{
-		conn:           conn,
-		index:          index,
-		sessionManager: sessionManager,
-		icmpRouter:     icmpRouter,
-		metrics:        metrics,
-		logger:         &log,
-		datagrams:      make(chan []byte, demuxChanCapacity),
-		readErrors:     make(chan error, 2),
+		conn:             conn,
+		index:            index,
+		sessionManager:   sessionManager,
+		icmpRouter:       icmpRouter,
+		metrics:          metrics,
+		logger:           &log,
+		datagrams:        make(chan []byte, demuxChanCapacity),
+		icmpDatagramChan: make(chan *ICMPDatagram, icmpDatagramChanCapacity),
+		readErrors:       make(chan error, 2),
 		icmpEncoderPool: sync.Pool{
 			New: func() any {
 				return packet.NewEncoder()
@@ -168,6 +173,9 @@ func (c *datagramConn) Serve(ctx context.Context) error {
 	readCtx, cancel := context.WithCancel(connCtx)
 	defer cancel()
 	go c.pollDatagrams(readCtx)
+	// Processing ICMP datagrams also monitors the reader context since the ICMP datagrams from the reader are the input
+	// for the routine.
+	go c.processICMPDatagrams(readCtx)
 	for {
 		// We make sure to monitor the context of cloudflared and the underlying connection to return if any errors occur.
 		var datagram []byte
@@ -181,58 +189,59 @@ func (c *datagramConn) Serve(ctx context.Context) error {
 		// Monitor for any hard errors from reading the connection
 		case err := <-c.readErrors:
 			return err
-		// Otherwise, wait and dequeue datagrams as they come in
+		// Wait and dequeue datagrams as they come in
 		case d := <-c.datagrams:
 			datagram = d
 		}
 
 		// Each incoming datagram will be processed in a new go routine to handle the demuxing and action associated.
-		go func() {
-			typ, err := ParseDatagramType(datagram)
+		typ, err := ParseDatagramType(datagram)
+		if err != nil {
+			c.logger.Err(err).Msgf("unable to parse datagram type: %d", typ)
+			continue
+		}
+		switch typ {
+		case UDPSessionRegistrationType:
+			reg := &UDPSessionRegistrationDatagram{}
+			err := reg.UnmarshalBinary(datagram)
 			if err != nil {
-				c.logger.Err(err).Msgf("unable to parse datagram type: %d", typ)
-				return
+				c.logger.Err(err).Msgf("unable to unmarshal session registration datagram")
+				continue
 			}
-			switch typ {
-			case UDPSessionRegistrationType:
-				reg := &UDPSessionRegistrationDatagram{}
-				err := reg.UnmarshalBinary(datagram)
-				if err != nil {
-					c.logger.Err(err).Msgf("unable to unmarshal session registration datagram")
-					return
-				}
-				logger := c.logger.With().Str(logFlowID, reg.RequestID.String()).Logger()
-				// We bind the new session to the quic connection context instead of cloudflared context to allow for the
-				// quic connection to close and close only the sessions bound to it. Closing of cloudflared will also
-				// initiate the close of the quic connection, so we don't have to worry about the application context
-				// in the scope of a session.
-				c.handleSessionRegistrationDatagram(connCtx, reg, &logger)
-			case UDPSessionPayloadType:
-				payload := &UDPSessionPayloadDatagram{}
-				err := payload.UnmarshalBinary(datagram)
-				if err != nil {
-					c.logger.Err(err).Msgf("unable to unmarshal session payload datagram")
-					return
-				}
-				logger := c.logger.With().Str(logFlowID, payload.RequestID.String()).Logger()
-				c.handleSessionPayloadDatagram(payload, &logger)
-			case ICMPType:
-				packet := &ICMPDatagram{}
-				err := packet.UnmarshalBinary(datagram)
-				if err != nil {
-					c.logger.Err(err).Msgf("unable to unmarshal icmp datagram")
-					return
-				}
-				c.handleICMPPacket(packet)
-			case UDPSessionRegistrationResponseType:
-				// cloudflared should never expect to receive UDP session responses as it will not initiate new
-				// sessions towards the edge.
-				c.logger.Error().Msgf("unexpected datagram type received: %d", UDPSessionRegistrationResponseType)
-				return
-			default:
-				c.logger.Error().Msgf("unknown datagram type received: %d", typ)
+			logger := c.logger.With().Str(logFlowID, reg.RequestID.String()).Logger()
+			// We bind the new session to the quic connection context instead of cloudflared context to allow for the
+			// quic connection to close and close only the sessions bound to it. Closing of cloudflared will also
+			// initiate the close of the quic connection, so we don't have to worry about the application context
+			// in the scope of a session.
+			//
+			// Additionally, we spin out the registration into a separate go routine to handle the Serve'ing of the
+			// session in a separate routine from the demuxer.
+			go c.handleSessionRegistrationDatagram(connCtx, reg, &logger)
+		case UDPSessionPayloadType:
+			payload := &UDPSessionPayloadDatagram{}
+			err := payload.UnmarshalBinary(datagram)
+			if err != nil {
+				c.logger.Err(err).Msgf("unable to unmarshal session payload datagram")
+				continue
 			}
-		}()
+			logger := c.logger.With().Str(logFlowID, payload.RequestID.String()).Logger()
+			c.handleSessionPayloadDatagram(payload, &logger)
+		case ICMPType:
+			packet := &ICMPDatagram{}
+			err := packet.UnmarshalBinary(datagram)
+			if err != nil {
+				c.logger.Err(err).Msgf("unable to unmarshal icmp datagram")
+				continue
+			}
+			c.handleICMPPacket(packet)
+		case UDPSessionRegistrationResponseType:
+			// cloudflared should never expect to receive UDP session responses as it will not initiate new
+			// sessions towards the edge.
+			c.logger.Error().Msgf("unexpected datagram type received: %d", UDPSessionRegistrationResponseType)
+			continue
+		default:
+			c.logger.Error().Msgf("unknown datagram type received: %d", typ)
+		}
 	}
 }
 
@@ -243,24 +252,21 @@ func (c *datagramConn) handleSessionRegistrationDatagram(ctx context.Context, da
 		Str(logDstKey, datagram.Dest.String()).
 		Logger()
 	session, err := c.sessionManager.RegisterSession(datagram, c)
-	switch err {
-	case nil:
-		// Continue as normal
-	case ErrSessionAlreadyRegistered:
-		// Session is already registered and likely the response got lost
-		c.handleSessionAlreadyRegistered(datagram.RequestID, &log)
-		return
-	case ErrSessionBoundToOtherConn:
-		// Session is already registered but to a different connection
-		c.handleSessionMigration(datagram.RequestID, &log)
-		return
-	case ErrSessionRegistrationRateLimited:
-		// There are too many concurrent sessions so we return an error to force a retry later
-		c.handleSessionRegistrationRateLimited(datagram, &log)
-		return
-	default:
-		log.Err(err).Msg("flow registration failure")
-		c.handleSessionRegistrationFailure(datagram.RequestID, &log)
+	if err != nil {
+		switch err {
+		case ErrSessionAlreadyRegistered:
+			// Session is already registered and likely the response got lost
+			c.handleSessionAlreadyRegistered(datagram.RequestID, &log)
+		case ErrSessionBoundToOtherConn:
+			// Session is already registered but to a different connection
+			c.handleSessionMigration(datagram.RequestID, &log)
+		case ErrSessionRegistrationRateLimited:
+			// There are too many concurrent sessions so we return an error to force a retry later
+			c.handleSessionRegistrationRateLimited(datagram, &log)
+		default:
+			log.Err(err).Msg("flow registration failure")
+			c.handleSessionRegistrationFailure(datagram.RequestID, &log)
+		}
 		return
 	}
 	log = log.With().Str(logSrcKey, session.LocalAddr().String()).Logger()
@@ -362,30 +368,54 @@ func (c *datagramConn) handleSessionRegistrationRateLimited(datagram *UDPSession
 func (c *datagramConn) handleSessionPayloadDatagram(datagram *UDPSessionPayloadDatagram, logger *zerolog.Logger) {
 	s, err := c.sessionManager.GetSession(datagram.RequestID)
 	if err != nil {
+		c.metrics.DroppedUDPDatagram(c.index, DroppedWriteFlowUnknown)
 		logger.Err(err).Msgf("unable to find flow")
 		return
 	}
-	// We ignore the bytes written to the socket because any partial write must return an error.
-	_, err = s.Write(datagram.Payload)
-	if err != nil {
-		logger.Err(err).Msgf("unable to write payload for the flow")
-		return
-	}
+	s.Write(datagram.Payload)
 }
 
-// Handles incoming ICMP datagrams.
+// Handles incoming ICMP datagrams into a serialized channel to be handled by a single consumer.
 func (c *datagramConn) handleICMPPacket(datagram *ICMPDatagram) {
 	if c.icmpRouter == nil {
 		// ICMPRouter is disabled so we drop the current packet and ignore all incoming ICMP packets
 		return
 	}
+	select {
+	case c.icmpDatagramChan <- datagram:
+	default:
+		// If the ICMP datagram channel is full, drop any additional incoming.
+		c.metrics.DroppedICMPPackets(c.index, DroppedWriteFull)
+		c.logger.Warn().Msg("failed to write icmp packet to origin: dropped")
+	}
+}
 
+// Consumes from the ICMP datagram channel to write out the ICMP requests to an origin.
+func (c *datagramConn) processICMPDatagrams(ctx context.Context) {
+	if c.icmpRouter == nil {
+		// ICMPRouter is disabled so we ignore all incoming ICMP packets
+		return
+	}
+
+	for {
+		select {
+		// If the provided context is closed we want to exit the write loop
+		case <-ctx.Done():
+			return
+		case datagram := <-c.icmpDatagramChan:
+			c.writeICMPPacket(datagram)
+		}
+	}
+}
+
+func (c *datagramConn) writeICMPPacket(datagram *ICMPDatagram) {
 	// Decode the provided ICMPDatagram as an ICMP packet
 	rawPacket := packet.RawPacket{Data: datagram.Payload}
 	cachedDecoder := c.icmpDecoderPool.Get()
 	defer c.icmpDecoderPool.Put(cachedDecoder)
 	decoder, ok := cachedDecoder.(*packet.ICMPDecoder)
 	if !ok {
+		c.metrics.DroppedICMPPackets(c.index, DroppedWriteFailed)
 		c.logger.Error().Msg("Could not get ICMPDecoder from the pool. Dropping packet")
 		return
 	}
@@ -393,6 +423,7 @@ func (c *datagramConn) handleICMPPacket(datagram *ICMPDatagram) {
 	icmp, err := decoder.Decode(rawPacket)
 
 	if err != nil {
+		c.metrics.DroppedICMPPackets(c.index, DroppedWriteFailed)
 		c.logger.Err(err).Msgf("unable to marshal icmp packet")
 		return
 	}
@@ -400,6 +431,7 @@ func (c *datagramConn) handleICMPPacket(datagram *ICMPDatagram) {
 	// If the ICMP packet's TTL is expired, we won't send it to the origin and immediately return a TTL Exceeded Message
 	if icmp.TTL <= 1 {
 		if err := c.SendICMPTTLExceed(icmp, rawPacket); err != nil {
+			c.metrics.DroppedICMPPackets(c.index, DroppedWriteFailed)
 			c.logger.Err(err).Msg("failed to return ICMP TTL exceed error")
 		}
 		return
@@ -411,6 +443,7 @@ func (c *datagramConn) handleICMPPacket(datagram *ICMPDatagram) {
 	// connection context which will have no tracing information available.
 	err = c.icmpRouter.Request(c.conn.Context(), icmp, newPacketResponder(c, c.index))
 	if err != nil {
+		c.metrics.DroppedICMPPackets(c.index, DroppedWriteFailed)
 		c.logger.Err(err).
 			Str(logSrcKey, icmp.Src.String()).
 			Str(logDstKey, icmp.Dst.String()).

quic/v3/muxer_test.go

@@ -13,6 +13,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/fortytw2/leaktest"
 	"github.com/google/gopacket/layers"
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/assert"
@@ -92,7 +93,7 @@ func TestDatagramConn_New(t *testing.T) {
 		DefaultDialer:   testDefaultDialer,
 		TCPWriteTimeout: 0,
 	}, &log)
-	conn := v3.NewDatagramConn(newMockQuicConn(), v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
+	conn := v3.NewDatagramConn(newMockQuicConn(t.Context()), v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
 	if conn == nil {
 		t.Fatal("expected valid connection")
 	}
@@ -104,7 +105,9 @@ func TestDatagramConn_SendUDPSessionDatagram(t *testing.T) {
 		DefaultDialer:   testDefaultDialer,
 		TCPWriteTimeout: 0,
 	}, &log)
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
+	defer connCancel(context.Canceled)
+	quic := newMockQuicConn(connCtx)
 	conn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
 
 	payload := []byte{0xef, 0xef}
@@ -123,7 +126,9 @@ func TestDatagramConn_SendUDPSessionResponse(t *testing.T) {
 		DefaultDialer:   testDefaultDialer,
 		TCPWriteTimeout: 0,
 	}, &log)
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
+	defer connCancel(context.Canceled)
+	quic := newMockQuicConn(connCtx)
 	conn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
 
 	err := conn.SendUDPSessionResponse(testRequestID, v3.ResponseDestinationUnreachable)
@@ -149,7 +154,9 @@ func TestDatagramConnServe_ApplicationClosed(t *testing.T) {
 		DefaultDialer:   testDefaultDialer,
 		TCPWriteTimeout: 0,
 	}, &log)
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
+	defer connCancel(context.Canceled)
+	quic := newMockQuicConn(connCtx)
 	conn := v3.NewDatagramConn(quic, v3.NewSessionManager(&noopMetrics{}, &log, originDialerService, cfdflow.NewLimiter(0)), &noopICMPRouter{}, 0, &noopMetrics{}, &log)
 
 	ctx, cancel := context.WithTimeout(t.Context(), 1*time.Second)
@@ -166,7 +173,9 @@ func TestDatagramConnServe_ConnectionClosed(t *testing.T) {
 		DefaultDialer:   testDefaultDialer,
 		TCPWriteTimeout: 0,
 	}, &log)
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
+	defer connCancel(context.Canceled)
+	quic := newMockQuicConn(connCtx)
 	ctx, cancel := context.WithTimeout(t.Context(), 1*time.Second)
 	defer cancel()
 	quic.ctx = ctx
@@ -195,15 +204,17 @@ func TestDatagramConnServe_ReceiveDatagramError(t *testing.T) {
 
 func TestDatagramConnServe_SessionRegistrationRateLimit(t *testing.T) {
 	log := zerolog.Nop()
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
+	defer connCancel(context.Canceled)
+	quic := newMockQuicConn(connCtx)
 	sessionManager := &mockSessionManager{
 		expectedRegErr: v3.ErrSessionRegistrationRateLimited,
 	}
 	conn := v3.NewDatagramConn(quic, sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
 
 	// Setup the muxer
-	ctx, cancel := context.WithCancel(t.Context())
-	defer cancel()
+	ctx, cancel := context.WithCancelCause(t.Context())
+	defer cancel(context.Canceled)
 	done := make(chan error, 1)
 	go func() {
 		done <- conn.Serve(ctx)
@@ -223,9 +234,12 @@ func TestDatagramConnServe_SessionRegistrationRateLimit(t *testing.T) {
 
 	require.EqualValues(t, testRequestID, resp.RequestID)
 	require.EqualValues(t, v3.ResponseTooManyActiveFlows, resp.ResponseType)
+
+	assertContextClosed(t, ctx, done, cancel)
 }
 
 func TestDatagramConnServe_ErrorDatagramTypes(t *testing.T) {
+	defer leaktest.Check(t)()
 	for _, test := range []struct {
 		name     string
 		input    []byte
@@ -250,7 +264,9 @@ func TestDatagramConnServe_ErrorDatagramTypes(t *testing.T) {
 		t.Run(test.name, func(t *testing.T) {
 			logOutput := new(LockedBuffer)
 			log := zerolog.New(logOutput)
-			quic := newMockQuicConn()
+			connCtx, connCancel := context.WithCancelCause(t.Context())
+			defer connCancel(context.Canceled)
+			quic := newMockQuicConn(connCtx)
 			quic.send <- test.input
 			conn := v3.NewDatagramConn(quic, &mockSessionManager{}, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
 
@@ -289,8 +305,11 @@ func (b *LockedBuffer) String() string {
 }
 
 func TestDatagramConnServe_RegisterSession_SessionManagerError(t *testing.T) {
+	defer leaktest.Check(t)()
 	log := zerolog.Nop()
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
+	defer connCancel(context.Canceled)
+	quic := newMockQuicConn(connCtx)
 	expectedErr := errors.New("unable to register session")
 	sessionManager := mockSessionManager{expectedRegErr: expectedErr}
 	conn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
@@ -324,8 +343,11 @@ func TestDatagramConnServe_RegisterSession_SessionManagerError(t *testing.T) {
 }
 
 func TestDatagramConnServe(t *testing.T) {
+	defer leaktest.Check(t)()
 	log := zerolog.Nop()
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
+	defer connCancel(context.Canceled)
+	quic := newMockQuicConn(connCtx)
 	session := newMockSession()
 	sessionManager := mockSessionManager{session: &session}
 	conn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
@@ -372,8 +394,11 @@ func TestDatagramConnServe(t *testing.T) {
 // instances causes inteference resulting in multiple different raw packets being decoded
 // as the same decoded packet.
 func TestDatagramConnServeDecodeMultipleICMPInParallel(t *testing.T) {
+	defer leaktest.Check(t)()
 	log := zerolog.Nop()
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
+	defer connCancel(context.Canceled)
+	quic := newMockQuicConn(connCtx)
 	session := newMockSession()
 	sessionManager := mockSessionManager{session: &session}
 	router := newMockICMPRouter()
@@ -413,10 +438,14 @@ func TestDatagramConnServeDecodeMultipleICMPInParallel(t *testing.T) {
 	wg := sync.WaitGroup{}
 	var receivedPackets []*packet.ICMP
 	go func() {
-		for ctx.Err() == nil {
-			icmpPacket := <-router.recv
-			receivedPackets = append(receivedPackets, icmpPacket)
-			wg.Done()
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case icmpPacket := <-router.recv:
+				receivedPackets = append(receivedPackets, icmpPacket)
+				wg.Done()
+			}
 		}
 	}()
 
@@ -452,8 +481,11 @@ func TestDatagramConnServeDecodeMultipleICMPInParallel(t *testing.T) {
 }
 
 func TestDatagramConnServe_RegisterTwice(t *testing.T) {
+	defer leaktest.Check(t)()
 	log := zerolog.Nop()
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
+	defer connCancel(context.Canceled)
+	quic := newMockQuicConn(connCtx)
 	session := newMockSession()
 	sessionManager := mockSessionManager{session: &session}
 	conn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
@@ -514,12 +546,17 @@ func TestDatagramConnServe_RegisterTwice(t *testing.T) {
 }
 
 func TestDatagramConnServe_MigrateConnection(t *testing.T) {
+	defer leaktest.Check(t)()
 	log := zerolog.Nop()
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
+	defer connCancel(context.Canceled)
+	quic := newMockQuicConn(connCtx)
 	session := newMockSession()
 	sessionManager := mockSessionManager{session: &session}
 	conn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
-	quic2 := newMockQuicConn()
+	conn2Ctx, conn2Cancel := context.WithCancelCause(t.Context())
+	defer conn2Cancel(context.Canceled)
+	quic2 := newMockQuicConn(conn2Ctx)
 	conn2 := v3.NewDatagramConn(quic2, &sessionManager, &noopICMPRouter{}, 1, &noopMetrics{}, &log)
 
 	// Setup the muxer
@@ -597,8 +634,11 @@ func TestDatagramConnServe_MigrateConnection(t *testing.T) {
 }
 
 func TestDatagramConnServe_Payload_GetSessionError(t *testing.T) {
+	defer leaktest.Check(t)()
 	log := zerolog.Nop()
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
+	defer connCancel(context.Canceled)
+	quic := newMockQuicConn(connCtx)
 	// mockSessionManager will return the ErrSessionNotFound for any session attempting to be queried by the muxer
 	sessionManager := mockSessionManager{session: nil, expectedGetErr: v3.ErrSessionNotFound}
 	conn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
@@ -624,9 +664,12 @@ func TestDatagramConnServe_Payload_GetSessionError(t *testing.T) {
 	assertContextClosed(t, ctx, done, cancel)
 }
 
-func TestDatagramConnServe_Payload(t *testing.T) {
+func TestDatagramConnServe_Payloads(t *testing.T) {
+	defer leaktest.Check(t)()
 	log := zerolog.Nop()
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
+	defer connCancel(context.Canceled)
+	quic := newMockQuicConn(connCtx)
 	session := newMockSession()
 	sessionManager := mockSessionManager{session: &session}
 	conn := v3.NewDatagramConn(quic, &sessionManager, &noopICMPRouter{}, 0, &noopMetrics{}, &log)
@@ -639,15 +682,26 @@ func TestDatagramConnServe_Payload(t *testing.T) {
 		done <- conn.Serve(ctx)
 	}()
 
-	// Send new session registration
-	expectedPayload := []byte{0xef, 0xef}
-	datagram := newSessionPayloadDatagram(testRequestID, expectedPayload)
-	quic.send <- datagram
+	// Send session payloads
+	expectedPayloads := makePayloads(256, 16)
+	go func() {
+		for _, payload := range expectedPayloads {
+			datagram := newSessionPayloadDatagram(testRequestID, payload)
+			quic.send <- datagram
+		}
+	}()
 
-	// Session should receive the payload
-	payload := <-session.recv
-	if !slices.Equal(expectedPayload, payload) {
-		t.Fatalf("expected session receieve the payload sent via the muxer")
+	// Session should receive the payloads (in-order)
+	for i, payload := range expectedPayloads {
+		select {
+		case recv := <-session.recv:
+			if !slices.Equal(recv, payload) {
+				t.Fatalf("expected session receieve the payload[%d] sent via the muxer: (%x) (%x)", i, recv[:16], payload[:16])
+			}
+		case err := <-ctx.Done():
+			// we expect the payload to return before the context to cancel on the session
+			t.Fatal(err)
+		}
 	}
 
 	// Cancel the muxer Serve context and make sure it closes with the expected error
@@ -655,8 +709,11 @@ func TestDatagramConnServe_Payload(t *testing.T) {
 }
 
 func TestDatagramConnServe_ICMPDatagram_TTLDecremented(t *testing.T) {
+	defer leaktest.Check(t)()
 	log := zerolog.Nop()
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
+	defer connCancel(context.Canceled)
+	quic := newMockQuicConn(connCtx)
 	router := newMockICMPRouter()
 	conn := v3.NewDatagramConn(quic, &mockSessionManager{}, router, 0, &noopMetrics{}, &log)
 
@@ -701,8 +758,11 @@ func TestDatagramConnServe_ICMPDatagram_TTLDecremented(t *testing.T) {
 }
 
 func TestDatagramConnServe_ICMPDatagram_TTLExceeded(t *testing.T) {
+	defer leaktest.Check(t)()
 	log := zerolog.Nop()
-	quic := newMockQuicConn()
+	connCtx, connCancel := context.WithCancelCause(t.Context())
+	defer connCancel(context.Canceled)
+	quic := newMockQuicConn(connCtx)
 	router := newMockICMPRouter()
 	conn := v3.NewDatagramConn(quic, &mockSessionManager{}, router, 0, &noopMetrics{}, &log)
 
@@ -821,9 +881,9 @@ type mockQuicConn struct {
 	recv chan []byte
 }
 
-func newMockQuicConn() *mockQuicConn {
+func newMockQuicConn(ctx context.Context) *mockQuicConn {
 	return &mockQuicConn{
-		ctx:  context.Background(),
+		ctx:  ctx,
 		send: make(chan []byte, 1),
 		recv: make(chan []byte, 1),
 	}
@@ -841,7 +901,12 @@ func (m *mockQuicConn) SendDatagram(payload []byte) error {
 }
 
 func (m *mockQuicConn) ReceiveDatagram(_ context.Context) ([]byte, error) {
-	return <-m.send, nil
+	select {
+	case <-m.ctx.Done():
+		return nil, m.ctx.Err()
+	case b := <-m.send:
+		return b, nil
+	}
 }
 
 type mockQuicConnReadError struct {
@@ -905,11 +970,10 @@ func (m *mockSession) Serve(ctx context.Context) error {
 	return v3.SessionCloseErr
 }
 
-func (m *mockSession) Write(payload []byte) (n int, err error) {
+func (m *mockSession) Write(payload []byte) {
 	b := make([]byte, len(payload))
 	copy(b, payload)
 	m.recv <- b
-	return len(b), nil
 }
 
 func (m *mockSession) Close() error {

quic/v3/session.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"os"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -22,6 +23,11 @@ const (
 	// this value (maxDatagramPayloadLen).
 	maxOriginUDPPacketSize = 1500
 
+	// The maximum amount of datagrams a session will queue up before it begins dropping datagrams.
+	// This channel buffer is small because we assume that the dedicated writer to the origin is typically
+	// fast enought to keep the channel empty.
+	writeChanCapacity = 512
+
 	logFlowID        = "flowID"
 	logPacketSizeKey = "packetSize"
 )
@@ -49,7 +55,7 @@ func newSessionIdleErr(timeout time.Duration) error {
 }
 
 type Session interface {
-	io.WriteCloser
+	io.Closer
 	ID() RequestID
 	ConnectionID() uint8
 	RemoteAddr() net.Addr
@@ -58,6 +64,7 @@ type Session interface {
 	Migrate(eyeball DatagramConn, ctx context.Context, logger *zerolog.Logger)
 	// Serve starts the event loop for processing UDP packets
 	Serve(ctx context.Context) error
+	Write(payload []byte)
 }
 
 type session struct {
@@ -67,12 +74,18 @@ type session struct {
 	originAddr     net.Addr
 	localAddr      net.Addr
 	eyeball        atomic.Pointer[DatagramConn]
+	writeChan      chan []byte
 	// activeAtChan is used to communicate the last read/write time
 	activeAtChan chan time.Time
-	closeChan    chan error
-	contextChan  chan context.Context
-	metrics      Metrics
-	log          *zerolog.Logger
+	errChan      chan error
+	// The close channel signal only exists for the write loop because the read loop is always waiting on a read
+	// from the UDP socket to the origin. To close the read loop we close the socket.
+	// Additionally, we can't close the writeChan to indicate that writes are complete because the producer (edge)
+	// side may still be trying to write to this session.
+	closeWrite  chan struct{}
+	contextChan chan context.Context
+	metrics     Metrics
+	log         *zerolog.Logger
 
 	// A special close function that we wrap with sync.Once to make sure it is only called once
 	closeFn func() error
@@ -89,10 +102,12 @@ func NewSession(
 	log *zerolog.Logger,
 ) Session {
 	logger := log.With().Str(logFlowID, id.String()).Logger()
-	// closeChan has two slots to allow for both writers (the closeFn and the Serve routine) to both be able to
-	// write to the channel without blocking since there is only ever one value read from the closeChan by the
+	writeChan := make(chan []byte, writeChanCapacity)
+	// errChan has three slots to allow for all writers (the closeFn, the read loop and the write loop) to
+	// write to the channel without blocking since there is only ever one value read from the errChan by the
 	// waitForCloseCondition.
-	closeChan := make(chan error, 2)
+	errChan := make(chan error, 3)
+	closeWrite := make(chan struct{})
 	session := &session{
 		id:             id,
 		closeAfterIdle: closeAfterIdle,
@@ -100,10 +115,12 @@ func NewSession(
 		originAddr:     originAddr,
 		localAddr:      localAddr,
 		eyeball:        atomic.Pointer[DatagramConn]{},
+		writeChan:      writeChan,
 		// activeAtChan has low capacity. It can be full when there are many concurrent read/write. markActive() will
 		// drop instead of blocking because last active time only needs to be an approximation
 		activeAtChan: make(chan time.Time, 1),
-		closeChan:    closeChan,
+		errChan:      errChan,
+		closeWrite:   closeWrite,
 		// contextChan is an unbounded channel to help enforce one active migration of a session at a time.
 		contextChan: make(chan context.Context),
 		metrics:     metrics,
@@ -111,9 +128,12 @@ func NewSession(
 		closeFn: sync.OnceValue(func() error {
 			// We don't want to block on sending to the close channel if it is already full
 			select {
-			case closeChan <- SessionCloseErr:
+			case errChan <- SessionCloseErr:
 			default:
 			}
+			// Indicate to the write loop that the session is now closed
+			close(closeWrite)
+			// Close the socket directly to unblock the read loop and cause it to also end
 			return origin.Close()
 		}),
 	}
@@ -154,66 +174,115 @@ func (s *session) Migrate(eyeball DatagramConn, ctx context.Context, logger *zer
 }
 
 func (s *session) Serve(ctx context.Context) error {
-	go func() {
-		// QUIC implementation copies data to another buffer before returning https://github.com/quic-go/quic-go/blob/v0.24.0/session.go#L1967-L1975
-		// This makes it safe to share readBuffer between iterations
-		readBuffer := [maxOriginUDPPacketSize + DatagramPayloadHeaderLen]byte{}
-		// To perform a zero copy write when passing the datagram to the connection, we prepare the buffer with
-		// the required datagram header information. We can reuse this buffer for this session since the header is the
-		// same for the each read.
-		_ = MarshalPayloadHeaderTo(s.id, readBuffer[:DatagramPayloadHeaderLen])
-		for {
-			// Read from the origin UDP socket
-			n, err := s.origin.Read(readBuffer[DatagramPayloadHeaderLen:])
-			if err != nil {
-				if errors.Is(err, io.EOF) ||
-					errors.Is(err, io.ErrUnexpectedEOF) {
-					s.log.Debug().Msgf("flow (origin) connection closed: %v", err)
-				}
-				s.closeChan <- err
-				return
-			}
-			if n < 0 {
-				s.log.Warn().Int(logPacketSizeKey, n).Msg("flow (origin) packet read was negative and was dropped")
-				continue
-			}
-			if n > maxDatagramPayloadLen {
-				connectionIndex := s.ConnectionID()
-				s.metrics.PayloadTooLarge(connectionIndex)
-				s.log.Error().Int(logPacketSizeKey, n).Msg("flow (origin) packet read was too large and was dropped")
-				continue
-			}
-			// We need to synchronize on the eyeball in-case that the connection was migrated. This should be rarely a point
-			// of lock contention, as a migration can only happen during startup of a session before traffic flow.
-			eyeball := *(s.eyeball.Load())
-			// Sending a packet to the session does block on the [quic.Connection], however, this is okay because it
-			// will cause back-pressure to the kernel buffer if the writes are not fast enough to the edge.
-			err = eyeball.SendUDPSessionDatagram(readBuffer[:DatagramPayloadHeaderLen+n])
-			if err != nil {
-				s.closeChan <- err
-				return
-			}
-			// Mark the session as active since we proxied a valid packet from the origin.
-			s.markActive()
-		}
-	}()
+	go s.writeLoop()
+	go s.readLoop()
 	return s.waitForCloseCondition(ctx, s.closeAfterIdle)
 }
 
-func (s *session) Write(payload []byte) (n int, err error) {
-	n, err = s.origin.Write(payload)
-	if err != nil {
-		s.log.Err(err).Msg("failed to write payload to flow (remote)")
-		return n, err
+// Read datagrams from the origin and write them to the connection.
+func (s *session) readLoop() {
+	// QUIC implementation copies data to another buffer before returning https://github.com/quic-go/quic-go/blob/v0.24.0/session.go#L1967-L1975
+	// This makes it safe to share readBuffer between iterations
+	readBuffer := [maxOriginUDPPacketSize + DatagramPayloadHeaderLen]byte{}
+	// To perform a zero copy write when passing the datagram to the connection, we prepare the buffer with
+	// the required datagram header information. We can reuse this buffer for this session since the header is the
+	// same for the each read.
+	_ = MarshalPayloadHeaderTo(s.id, readBuffer[:DatagramPayloadHeaderLen])
+	for {
+		// Read from the origin UDP socket
+		n, err := s.origin.Read(readBuffer[DatagramPayloadHeaderLen:])
+		if err != nil {
+			if isConnectionClosed(err) {
+				s.log.Debug().Msgf("flow (read) connection closed: %v", err)
+			}
+			s.closeSession(err)
+			return
+		}
+		if n < 0 {
+			s.metrics.DroppedUDPDatagram(s.ConnectionID(), DroppedReadFailed)
+			s.log.Warn().Int(logPacketSizeKey, n).Msg("flow (origin) packet read was negative and was dropped")
+			continue
+		}
+		if n > maxDatagramPayloadLen {
+			s.metrics.DroppedUDPDatagram(s.ConnectionID(), DroppedReadTooLarge)
+			s.log.Error().Int(logPacketSizeKey, n).Msg("flow (origin) packet read was too large and was dropped")
+			continue
+		}
+		// We need to synchronize on the eyeball in-case that the connection was migrated. This should be rarely a point
+		// of lock contention, as a migration can only happen during startup of a session before traffic flow.
+		eyeball := *(s.eyeball.Load())
+		// Sending a packet to the session does block on the [quic.Connection], however, this is okay because it
+		// will cause back-pressure to the kernel buffer if the writes are not fast enough to the edge.
+		err = eyeball.SendUDPSessionDatagram(readBuffer[:DatagramPayloadHeaderLen+n])
+		if err != nil {
+			s.closeSession(err)
+			return
+		}
+		// Mark the session as active since we proxied a valid packet from the origin.
+		s.markActive()
 	}
-	// Write must return a non-nil error if it returns n < len(p). https://pkg.go.dev/io#Writer
-	if n < len(payload) {
-		s.log.Err(io.ErrShortWrite).Msg("failed to write the full payload to flow (remote)")
-		return n, io.ErrShortWrite
+}
+
+func (s *session) Write(payload []byte) {
+	select {
+	case s.writeChan <- payload:
+	default:
+		s.metrics.DroppedUDPDatagram(s.ConnectionID(), DroppedWriteFull)
+		s.log.Error().Msg("failed to write flow payload to origin: dropped")
+	}
+}
+
+// Read datagrams from the write channel to the origin.
+func (s *session) writeLoop() {
+	for {
+		select {
+		case <-s.closeWrite:
+			// When the closeWrite channel is closed, we will no longer write to the origin and end this
+			// goroutine since the session is now closed.
+			return
+		case payload := <-s.writeChan:
+			n, err := s.origin.Write(payload)
+			if err != nil {
+				// Check if this is a write deadline exceeded to the connection
+				if errors.Is(err, os.ErrDeadlineExceeded) {
+					s.metrics.DroppedUDPDatagram(s.ConnectionID(), DroppedWriteDeadlineExceeded)
+					s.log.Warn().Err(err).Msg("flow (write) deadline exceeded: dropping packet")
+					continue
+				}
+				if isConnectionClosed(err) {
+					s.log.Debug().Msgf("flow (write) connection closed: %v", err)
+				}
+				s.log.Err(err).Msg("failed to write flow payload to origin")
+				s.closeSession(err)
+				// If we fail to write to the origin socket, we need to end the writer and close the session
+				return
+			}
+			// Write must return a non-nil error if it returns n < len(p). https://pkg.go.dev/io#Writer
+			if n < len(payload) {
+				s.metrics.DroppedUDPDatagram(s.ConnectionID(), DroppedWriteFailed)
+				s.log.Err(io.ErrShortWrite).Msg("failed to write the full flow payload to origin")
+				continue
+			}
+			// Mark the session as active since we successfully proxied a packet to the origin.
+			s.markActive()
+		}
+	}
+}
+
+func isConnectionClosed(err error) bool {
+	return errors.Is(err, net.ErrClosed) || errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF)
+}
+
+// Send an error to the error channel to report that an error has either happened on the tunnel or origin side of the
+// proxied connection.
+func (s *session) closeSession(err error) {
+	select {
+	case s.errChan <- err:
+	default:
+		// In the case that the errChan is already full, we will skip over it and return as to not block
+		// the caller because we should start cleaning up the session.
+		s.log.Warn().Msg("error channel was full")
 	}
-	// Mark the session as active since we proxied a packet to the origin.
-	s.markActive()
-	return n, err
 }
 
 // ResetIdleTimer will restart the current idle timer.
@@ -240,7 +309,8 @@ func (s *session) Close() error {
 
 func (s *session) waitForCloseCondition(ctx context.Context, closeAfterIdle time.Duration) error {
 	connCtx := ctx
-	// Closing the session at the end cancels read so Serve() can return
+	// Closing the session at the end cancels read so Serve() can return, additionally, it closes the
+	// closeWrite channel which indicates to the write loop to return.
 	defer s.Close()
 	if closeAfterIdle == 0 {
 		// Provided that the default caller doesn't specify one
@@ -260,7 +330,10 @@ func (s *session) waitForCloseCondition(ctx context.Context, closeAfterIdle time
 			// still be active on the existing connection.
 			connCtx = newContext
 			continue
-		case reason := <-s.closeChan:
+		case reason := <-s.errChan:
+			// Any error returned here is from the read or write loops indicating that it can no longer process datagrams
+			// and as such the session needs to close.
+			s.metrics.FailedFlow(s.ConnectionID())
 			return reason
 		case <-checkIdleTimer.C:
 			// The check idle timer will only return after an idle period since the last active

quic/v3/session_fuzz_test.go

@@ -4,20 +4,24 @@ import (
 	"testing"
 )
 
-// FuzzSessionWrite verifies that we don't run into any panics when writing variable sized payloads to the origin.
+// FuzzSessionWrite verifies that we don't run into any panics when writing a single variable sized payload to the origin.
 func FuzzSessionWrite(f *testing.F) {
-	f.Fuzz(func(t *testing.T, b []byte) {
-		testSessionWrite(t, b)
-	})
-}
-
-// FuzzSessionServe verifies that we don't run into any panics when reading variable sized payloads from the origin.
-func FuzzSessionServe(f *testing.F) {
 	f.Fuzz(func(t *testing.T, b []byte) {
 		// The origin transport read is bound to 1280 bytes
 		if len(b) > 1280 {
 			b = b[:1280]
 		}
-		testSessionServe_Origin(t, b)
+		testSessionWrite(t, [][]byte{b})
+	})
+}
+
+// FuzzSessionRead verifies that we don't run into any panics when reading a single variable sized payload from the origin.
+func FuzzSessionRead(f *testing.F) {
+	f.Fuzz(func(t *testing.T, b []byte) {
+		// The origin transport read is bound to 1280 bytes
+		if len(b) > 1280 {
+			b = b[:1280]
+		}
+		testSessionRead(t, [][]byte{b})
 	})
 }

quic/v3/session_test.go

@@ -31,60 +31,61 @@ func TestSessionNew(t *testing.T) {
 	}
 }
 
-func testSessionWrite(t *testing.T, payload []byte) {
+func testSessionWrite(t *testing.T, payloads [][]byte) {
 	log := zerolog.Nop()
 	origin, server := net.Pipe()
 	defer origin.Close()
 	defer server.Close()
-	// Start origin server read
-	serverRead := make(chan []byte, 1)
+	// Start origin server reads
+	serverRead := make(chan []byte, len(payloads))
 	go func() {
-		read := make([]byte, 1500)
-		_, _ = server.Read(read[:])
-		serverRead <- read
+		for range len(payloads) {
+			buf := make([]byte, 1500)
+			_, _ = server.Read(buf[:])
+			serverRead <- buf
+		}
+		close(serverRead)
 	}()
-	// Create session and write to origin
+
+	// Create a session
 	session := v3.NewSession(testRequestID, 5*time.Second, origin, testOriginAddr, testLocalAddr, &noopEyeball{}, &noopMetrics{}, &log)
-	n, err := session.Write(payload)
 	defer session.Close()
-	if err != nil {
-		t.Fatal(err)
-	}
-	if n != len(payload) {
-		t.Fatal("unable to write the whole payload")
+	// Start the Serve to begin the writeLoop
+	ctx, cancel := context.WithCancelCause(t.Context())
+	defer cancel(context.Canceled)
+	done := make(chan error)
+	go func() {
+		done <- session.Serve(ctx)
+	}()
+	// Write the payloads to the session
+	for _, payload := range payloads {
+		session.Write(payload)
 	}
 
-	read := <-serverRead
-	if !slices.Equal(payload, read[:len(payload)]) {
-		t.Fatal("payload provided from origin and read value are not the same")
+	// Read from the origin to ensure the payloads were received (in-order)
+	for i, payload := range payloads {
+		read := <-serverRead
+		if !slices.Equal(payload, read[:len(payload)]) {
+			t.Fatalf("payload[%d] provided from origin and read value are not the same (%x) and (%x)", i, payload[:16], read[:16])
+		}
+	}
+	_, more := <-serverRead
+	if more {
+		t.Fatalf("expected the session to have all of the origin payloads received: %d", len(serverRead))
+	}
+
+	assertContextClosed(t, ctx, done, cancel)
+}
+
+func TestSessionWrite(t *testing.T) {
+	defer leaktest.Check(t)()
+	for i := range 1280 {
+		payloads := makePayloads(i, 16)
+		testSessionWrite(t, payloads)
 	}
 }
 
-func TestSessionWrite_Max(t *testing.T) {
-	defer leaktest.Check(t)()
-	payload := makePayload(1280)
-	testSessionWrite(t, payload)
-}
-
-func TestSessionWrite_Min(t *testing.T) {
-	defer leaktest.Check(t)()
-	payload := makePayload(0)
-	testSessionWrite(t, payload)
-}
-
-func TestSessionServe_OriginMax(t *testing.T) {
-	defer leaktest.Check(t)()
-	payload := makePayload(1280)
-	testSessionServe_Origin(t, payload)
-}
-
-func TestSessionServe_OriginMin(t *testing.T) {
-	defer leaktest.Check(t)()
-	payload := makePayload(0)
-	testSessionServe_Origin(t, payload)
-}
-
-func testSessionServe_Origin(t *testing.T, payload []byte) {
+func testSessionRead(t *testing.T, payloads [][]byte) {
 	log := zerolog.Nop()
 	origin, server := net.Pipe()
 	defer origin.Close()
@@ -100,37 +101,42 @@ func testSessionServe_Origin(t *testing.T, payload []byte) {
 		done <- session.Serve(ctx)
 	}()
 
-	// Write from the origin server
-	_, err := server.Write(payload)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	select {
-	case data := <-eyeball.recvData:
-		// check received data matches provided from origin
-		expectedData := makePayload(1500)
-		_ = v3.MarshalPayloadHeaderTo(testRequestID, expectedData[:])
-		copy(expectedData[17:], payload)
-		if !slices.Equal(expectedData[:v3.DatagramPayloadHeaderLen+len(payload)], data) {
-			t.Fatal("expected datagram did not equal expected")
+	// Write from the origin server to the eyeball
+	go func() {
+		for _, payload := range payloads {
+			_, _ = server.Write(payload)
+		}
+	}()
+
+	// Read from the eyeball to ensure the payloads were received (in-order)
+	for i, payload := range payloads {
+		select {
+		case data := <-eyeball.recvData:
+			// check received data matches provided from origin
+			expectedData := makePayload(1500)
+			_ = v3.MarshalPayloadHeaderTo(testRequestID, expectedData[:])
+			copy(expectedData[17:], payload)
+			if !slices.Equal(expectedData[:v3.DatagramPayloadHeaderLen+len(payload)], data) {
+				t.Fatalf("expected datagram[%d] did not equal expected", i)
+			}
+		case err := <-ctx.Done():
+			// we expect the payload to return before the context to cancel on the session
+			t.Fatal(err)
 		}
-		cancel(errExpectedContextCanceled)
-	case err := <-ctx.Done():
-		// we expect the payload to return before the context to cancel on the session
-		t.Fatal(err)
 	}
 
-	err = <-done
-	if !errors.Is(err, context.Canceled) {
-		t.Fatal(err)
-	}
-	if !errors.Is(context.Cause(ctx), errExpectedContextCanceled) {
-		t.Fatal(err)
+	assertContextClosed(t, ctx, done, cancel)
+}
+
+func TestSessionRead(t *testing.T) {
+	defer leaktest.Check(t)()
+	for i := range 1280 {
+		payloads := makePayloads(i, 16)
+		testSessionRead(t, payloads)
 	}
 }
 
-func TestSessionServe_OriginTooLarge(t *testing.T) {
+func TestSessionRead_OriginTooLarge(t *testing.T) {
 	defer leaktest.Check(t)()
 	log := zerolog.Nop()
 	eyeball := newMockEyeball()
@@ -317,6 +323,8 @@ func TestSessionServe_IdleTimeout(t *testing.T) {
 	closeAfterIdle := 2 * time.Second
 	session := v3.NewSession(testRequestID, closeAfterIdle, origin, testOriginAddr, testLocalAddr, &noopEyeball{}, &noopMetrics{}, &log)
 	err := session.Serve(t.Context())
+
+	// Session should idle timeout if no reads or writes occur
 	if !errors.Is(err, v3.SessionIdleErr{}) {
 		t.Fatal(err)
 	}

release/index.html

@@ -0,0 +1,212 @@
+<!-- TODO(TUN-9963): Create pipeline to push this file to repo automatically -->
+
+<html>
+<body>
+<h1>Cloudflare packages</h1>
+<ul>
+    <li><a href="#cloudflared-packages">Cloudflared packages</a></li>
+    <li><a href="#gokeyless-packages">Gokeyless Packages</a></li>
+</ul>
+
+<br>
+<h2><a name="cloudflared-packages">Cloudflared</a></h2>
+
+<ul>
+    <li><a href="#debian-any">Any Debian Based Distribution (Recommended)</a></li>
+    <li><a href="#debian-bookworm">Debian Bookworm</a></li>
+    <li><a href="#ubuntu-focal">Ubuntu 20.04 (Focal Fossa)</a></li>
+    <li><a href="#ubuntu-jammy">Ubuntu 22.04 (Jammy Jellyfish)</a></li>
+    <li><a href="#ubuntu-noble">Ubuntu 24.04 (Noble Numbat)</a></li>
+    <li><a href="#Amazon-Linux">Amazon Linux</a></li>
+    <li><a href="#RHEL-generic">RHEL Generic</a></li>
+    <li><a href="#centos-7">Centos 7</a></li>
+    <li><a href="#centos-8">Centos 8</a></li>
+    <li><a href="#centos-stream">Centos Stream</a></li>
+</ul>
+
+<h3 style="color: #d9534f;">Warning: Public Key Rollover (30 October 2025)</h3>
+<p style="background-color: #fff3cd; border-left: 4px solid #ffc107; padding: 10px; margin: 10px 0;">
+    <strong>We have rolled our public key for package signing.</strong> If you are using RPM-based distributions (RHEL,
+    CentOS, Amazon Linux, etc.) or Debian Trixie and have the old key installed, RPM/Deb packages will no longer work with the old key.
+    Please update your repository configuration using the instructions below to ensure you can continue receiving
+    package updates. The previous keys will still work for other distributions for the time being, but it is now DEPRECATED and will be removed on 30 April 2026
+</p>
+
+<h3><a name="debian-any">Any Debian Based Distribution (Recommended)</a></h3>
+<pre>
+# Add cloudflare gpg key
+sudo mkdir -p --mode=0755 /usr/share/keyrings
+curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
+
+# Add this repo to your apt repositories
+# Stable
+echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared any main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
+# Nightly
+echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared any main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
+
+# install cloudflared
+sudo apt-get update && sudo apt-get install cloudflared
+</pre>
+
+<h3><a name="debian-bookworm">Debian Bookworm</a></h3>
+<pre>
+# Add cloudflare gpg key
+sudo mkdir -p --mode=0755 /usr/share/keyrings
+curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
+
+# Add this repo to your apt repositories
+# Stable
+echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared bookworm main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
+# Nightly
+echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared bookworm main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
+
+# install cloudflared
+sudo apt-get update && sudo apt-get install cloudflared
+</pre>
+
+<h3><a name="ubuntu-focal">Ubuntu 20.04 (Focal Fossa)</a></h3>
+<pre>
+# Add cloudflare gpg key
+sudo mkdir -p --mode=0755 /usr/share/keyrings
+curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
+
+# Add this repo to your apt repositories
+# Stable
+echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared focal main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
+# Nightly
+echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared focal main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
+
+# install cloudflared
+sudo apt-get update && sudo apt-get install cloudflared
+</pre>
+
+<h3><a name="ubuntu-jammy">Ubuntu 22.04 (Jammy Jellyfish)</a></h3>
+<pre>
+# Add cloudflare gpg key
+sudo mkdir -p --mode=0755 /usr/share/keyrings
+curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
+
+# Add this repo to your apt repositories
+# Stable
+echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared jammy main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
+# Nightly
+echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared jammy main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
+
+# install cloudflared
+sudo apt-get update && sudo apt-get install cloudflared
+</pre>
+
+<h3><a name="ubuntu-noble">Ubuntu 24.04 (Noble Numbat)</a></h3>
+<pre>
+# Add cloudflare gpg key
+sudo mkdir -p --mode=0755 /usr/share/keyrings
+curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
+
+# Add this repo to your apt repositories
+# Stable
+echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared noble main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
+# Nightly
+echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared noble main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
+
+# install cloudflared
+sudo apt-get update && sudo apt-get install cloudflared
+</pre>
+
+<h3><a name="Amazon-Linux">Amazon Linux</a></h3>
+<pre>
+# Add cloudflared.repo to /etc/yum.repos.d/
+# Stable
+curl -fsSl https://pkg.cloudflare.com/cloudflared.repo | sudo tee /etc/yum.repos.d/cloudflared.repo
+# Nightly
+curl -fsSl https://next.pkg.cloudflare.com/cloudflared.repo | sudo tee /etc/yum.repos.d/cloudflared.repo
+
+#update repo
+sudo yum update
+
+# install cloudflared
+sudo yum install cloudflared
+</pre>
+
+
+<h3><a name="RHEL-generic">RHEL Generic</a></h3>
+<pre>
+# Add cloudflared.repo to /etc/yum.repos.d/
+# Stable
+curl -fsSl https://pkg.cloudflare.com/cloudflared.repo | sudo tee /etc/yum.repos.d/cloudflared.repo
+# Nightly
+curl -fsSl https://next.pkg.cloudflare.com/cloudflared.repo | sudo tee /etc/yum.repos.d/cloudflared.repo
+
+#update repo
+sudo yum update
+
+# install cloudflared
+sudo yum install cloudflared
+</pre>
+
+
+<h3><a name="centos-7">Centos 7</a></h3>
+<pre>
+# This requires yum config-manager
+sudo yum install yum-utils
+
+# Add cloudflared.repo to config-manager
+# Stable
+sudo yum-config-manager --add-repo https://pkg.cloudflare.com/cloudflared.repo
+# Nightly
+sudo yum-config-manager --add-repo https://next.pkg.cloudflare.com/cloudflared.repo
+
+# install cloudflared
+yum install cloudflared
+</pre>
+
+<h3><a name="centos-8">Centos 8</a></h3>
+<pre>
+# This requires dnf config-manager
+# Add cloudflared.repo to config-manager
+# Stable
+sudo dnf config-manager --add-repo https://pkg.cloudflare.com/cloudflared.repo
+# Nightly
+sudo dnf config-manager --add-repo https://next.pkg.cloudflare.com/cloudflared.repo
+
+# install cloudflared
+sudo dnf install cloudflared
+</pre>
+
+<h3><a name="centos-stream">Centos Stream</a></h3>
+<pre>
+# This requires dnf config-manager
+# Add cloudflared.repo to config-manager
+# Stable
+sudo dnf config-manager --add-repo https://pkg.cloudflare.com/cloudflared.repo
+# Nightly
+sudo dnf config-manager --add-repo https://next.pkg.cloudflare.com/cloudflared.repo
+
+# install cloudflared
+sudo dnf install cloudflared
+</pre>
+
+
+<h2><a name="gokeyless-packages"></a>Gokeyless</a></h2>
+<h3><a name="go-keyless-debian">Debian</a></h3>
+<pre>
+sudo mkdir -p --mode=0755 /usr/share/keyrings
+curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
+
+# Add this repo to your apt repositories
+echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/gokeyless buster main' | sudo tee /etc/apt/sources.list.d/cloudflare.list
+
+# install gokeyless
+sudo apt-get update && sudo apt-get install gokeyless
+</pre>
+
+<h3><a name="go-keyless-centos">Centos 8</a></h3>
+<pre>
+# This requires dnf config-manager
+# Add gokeyless.repo to config-manager
+sudo dnf config-manager --add-repo https://pkg.cloudflare.com/gokeyless.repo
+
+# install gokeyless
+sudo dnf install gokeyless
+</pre>
+</body>
+</html>

release_pkgs.py

@@ -50,7 +50,7 @@ class PkgUploader:
             config=config,
         )
 
-        print(f"uploading asset: {filename} to {upload_file_path} in bucket{self.bucket_name}...")
+        print(f"uploading asset: {filename} to {upload_file_path} in bucket {self.bucket_name}...")
         try:
             r2.upload_file(filename, self.bucket_name, upload_file_path)
         except ClientError as e:
@@ -133,16 +133,19 @@ class PkgCreator:
     """
 
     def create_repo_file(self, file_path, binary_name, baseurl, gpgkey_url):
-        with open(os.path.join(file_path, binary_name + '.repo'), "w+") as repo_file:
-            repo_file.write(f"[{binary_name}-stable]")
-            repo_file.write(f"{binary_name}-stable")
-            repo_file.write(f"baseurl={baseurl}/rpm")
-            repo_file.write("enabled=1")
-            repo_file.write("type=rpm")
-            repo_file.write("gpgcheck=1")
-            repo_file.write(f"gpgkey={gpgkey_url}")
+        repo_file_path = os.path.join(file_path, binary_name + '.repo')
+        with open(repo_file_path, "w+") as repo_file:
+            repo_file.write(f"[{binary_name}-stable]\n")
+            repo_file.write(f"name={binary_name}-stable\n")
+            repo_file.write(f"baseurl={baseurl}/rpm\n")
+            repo_file.write("enabled=1\n")
+            repo_file.write("type=rpm\n")
+            repo_file.write("gpgcheck=1\n")
+            repo_file.write(f"gpgkey={gpgkey_url}\n")
+        return repo_file_path
 
-    def _sign_rpms(self, file_path):
+
+    def _sign_rpms(self, file_path, gpg_key_name):
         p = Popen(["rpm", "--define", f"_gpg_name {gpg_key_name}", "--addsign", file_path], stdout=PIPE, stderr=PIPE)
         out, err = p.communicate()
         if p.returncode != 0:
@@ -150,7 +153,7 @@ class PkgCreator:
             raise
 
     def _sign_repomd(self):
-        p = Popen(["gpg", "--batch", "--detach-sign", "--armor", "./rpm/repodata/repomd.xml"], stdout=PIPE, stderr=PIPE)
+        p = Popen(["gpg", "--batch", "--yes", "--detach-sign", "--armor", "./rpm/repodata/repomd.xml"], stdout=PIPE, stderr=PIPE)
         out, err = p.communicate()
         if p.returncode != 0:
             print(f"sign repomd result => {out}, {err}")
@@ -176,7 +179,7 @@ class PkgCreator:
                         old_path = os.path.join(root, file)
                         new_path = os.path.join(new_dir, file)
                         shutil.copyfile(old_path, new_path)
-                        self._sign_rpms(new_path)
+                        self._sign_rpms(new_path, gpg_key_name)
 
     """
         imports gpg keys into the system so reprepro and createrepo can use it to sign packages.
@@ -186,11 +189,34 @@ class PkgCreator:
     def import_gpg_keys(self, private_key, public_key):
         gpg = gnupg.GPG()
         private_key = base64.b64decode(private_key)
-        gpg.import_keys(private_key)
+        import_result = gpg.import_keys(private_key)
+        if not import_result.fingerprints:
+            raise Exception("Failed to import private key")
+
         public_key = base64.b64decode(public_key)
         gpg.import_keys(public_key)
+
+        imported_fingerprint = import_result.fingerprints[0]
         data = gpg.list_keys(secret=True)
-        return (data[0]["fingerprint"], data[0]["uids"][0])
+
+        # Find the specific key we just imported by comparing fingerprints
+        for key in data:
+            if key["fingerprint"] == imported_fingerprint:
+                return (key["fingerprint"], key["uids"][0])
+
+        raise Exception(f"Could not find imported key with fingerprint {imported_fingerprint}")
+
+    def import_multiple_gpg_keys(self, primary_private_key, primary_public_key, secondary_private_key=None, secondary_public_key=None):
+        """
+        Import one or two GPG keypairs. Returns a list of (fingerprint, uid) with the primary first.
+        """
+        results = []
+        if primary_private_key and primary_public_key:
+            results.append(self.import_gpg_keys(primary_private_key, primary_public_key))
+        if secondary_private_key and secondary_public_key:
+            # Ensure secondary is imported and appended
+            results.append(self.import_gpg_keys(secondary_private_key, secondary_public_key))
+        return results
 
     """
         basically rpm --import <key_file>
@@ -234,7 +260,7 @@ def upload_from_directories(pkg_uploader, directory, release, binary):
 
 
 """ 
-    1. looks into a built_artifacts folder for cloudflared debs
+    1. looks into a artifacts folder for cloudflared debs
     2. creates Packages.gz, InRelease (signed) files
     3. uploads them to Cloudflare R2 
 
@@ -247,11 +273,13 @@ def upload_from_directories(pkg_uploader, directory, release, binary):
 """
 
 
-def create_deb_packaging(pkg_creator, pkg_uploader, releases, gpg_key_id, binary_name, archs, package_component,
+def create_deb_packaging(pkg_creator, pkg_uploader, releases, primary_gpg_key_id, secondary_gpg_key_id, binary_name, archs, package_component,
                          release_version):
     # set configuration for package creation.
     print(f"initialising configuration for {binary_name} , {archs}")
     Path("./conf").mkdir(parents=True, exist_ok=True)
+    # If in rollover mode (secondary provided), tell reprepro to sign with both keys.
+    sign_with_ids = primary_gpg_key_id if not secondary_gpg_key_id else f"{primary_gpg_key_id} {secondary_gpg_key_id}"
     pkg_creator.create_distribution_conf(
         "./conf/distributions",
         binary_name,
@@ -260,13 +288,13 @@ def create_deb_packaging(pkg_creator, pkg_uploader, releases, gpg_key_id, binary
         archs,
         package_component,
         f"apt repository for {binary_name}",
-        gpg_key_id)
+        sign_with_ids)
 
     # create deb pkgs
     for release in releases:
         for arch in archs:
             print(f"creating deb pkgs for {release} and {arch}...")
-            pkg_creator.create_deb_pkgs(release, f"./built_artifacts/cloudflared-linux-{arch}.deb")
+            pkg_creator.create_deb_pkgs(release, f"./artifacts/cloudflared-linux-{arch}.deb")
 
     print("uploading latest to r2...")
     upload_from_directories(pkg_uploader, "dists", None, binary_name)
@@ -287,15 +315,19 @@ def create_rpm_packaging(
         gpg_key_name,
         base_url,
         gpg_key_url,
+        upload_repo_file=False,
 ):
     print(f"creating rpm pkgs...")
     pkg_creator.create_rpm_pkgs(artifacts_path, gpg_key_name)
-    pkg_creator.create_repo_file(artifacts_path, binary_name, base_url, gpg_key_url)
+    repo_file = pkg_creator.create_repo_file(artifacts_path, binary_name, base_url, gpg_key_url)
+
+    print("Uploading repo file")
+    pkg_uploader.upload_pkg_to_r2(repo_file, binary_name + ".repo")
 
     print("uploading latest to r2...")
     upload_from_directories(pkg_uploader, "rpm", None, binary_name)
 
-    if release_version:
+    if upload_repo_file:
         print(f"uploading versioned release {release_version} to r2...")
         upload_from_directories(pkg_uploader, "rpm", release_version, binary_name)
 
@@ -336,6 +368,14 @@ def parse_args():
             signing packages"
     )
 
+    # Optional secondary keypair for key rollover
+    parser.add_argument(
+        "--gpg-private-key-2", default=os.environ.get("LINUX_SIGNING_PRIVATE_KEY_2"), help="Secondary GPG private key for rollover"
+    )
+    parser.add_argument(
+        "--gpg-public-key-2", default=os.environ.get("LINUX_SIGNING_PUBLIC_KEY_2"), help="Secondary GPG public key for rollover"
+    )
+
     parser.add_argument(
         "--gpg-public-key-url", default=os.environ.get("GPG_PUBLIC_KEY_URL"), help="GPG public key url that\
             downloaders can use to verify signing"
@@ -355,6 +395,10 @@ def parse_args():
             it is the caller's responsiblity to ensure that these debs are already present in a directory. This script\
             will not build binaries or create their debs."
     )
+
+    parser.add_argument(
+        "--upload-repo-file", action='store_true', help="Upload RPM repo file to R2"
+    )
     args = parser.parse_args()
 
     return args
@@ -368,21 +412,51 @@ if __name__ == "__main__":
         exit(1)
 
     pkg_creator = PkgCreator()
-    (gpg_key_id, gpg_key_name) = pkg_creator.import_gpg_keys(args.gpg_private_key, args.gpg_public_key)
-    pkg_creator.import_rpm_key(args.gpg_public_key)
+    # Import one or two keypairs; primary first
+    key_results = pkg_creator.import_multiple_gpg_keys(
+        args.gpg_private_key,
+        args.gpg_public_key,
+        args.gpg_private_key_2,
+        args.gpg_public_key_2,
+    )
+    if not key_results or len(key_results) == 0:
+        raise SystemExit("No GPG keys were provided for signing")
+    primary_gpg_key_id, primary_gpg_key_name = key_results[0]
+    secondary_gpg_key_id = None
+    secondary_gpg_key_name = None
+    if len(key_results) > 1:
+        secondary_gpg_key_id, secondary_gpg_key_name = key_results[1]
+
+    if args.gpg_private_key_2:
+        print(f"signing RPM with secondary gpg_key: {secondary_gpg_key_id}")
+        pkg_creator.import_rpm_key(args.gpg_public_key_2)
+    else:
+        print(f"signing RPM with primary gpg_key: {primary_gpg_key_name}")
+        pkg_creator.import_rpm_key(args.gpg_public_key)
+
 
     pkg_uploader = PkgUploader(args.account, args.bucket, args.id, args.secret)
-    print(f"signing with gpg_key: {gpg_key_id}")
-    create_deb_packaging(pkg_creator, pkg_uploader, args.deb_based_releases, gpg_key_id, args.binary, args.archs,
-                         "main", args.release_tag)
+    print(f"signing deb with primary gpg_key: {primary_gpg_key_id} and secondary gpg_key: {secondary_gpg_key_id}")
+    create_deb_packaging(
+        pkg_creator,
+        pkg_uploader,
+        args.deb_based_releases,
+        primary_gpg_key_id,
+        secondary_gpg_key_id,
+        args.binary,
+        args.archs,
+        "main",
+        args.release_tag,
+    )
 
     create_rpm_packaging(
         pkg_creator,
         pkg_uploader,
-        "./built_artifacts",
+        "./artifacts",
         args.release_tag,
         args.binary,
-        gpg_key_name,
-        args.gpg_public_key_url,
+        secondary_gpg_key_name,
         args.pkg_upload_url,
+        args.gpg_public_key_url,
+        args.upload_repo_file,
     )