.ci/apt-internal.gitlab-ci.yml

@@ -1,151 +0,0 @@
-.register_inputs: &register_inputs
-  stage: release-internal
-  runOnBranches: "^master$"
-  COMPONENT: "common"
-
-.register_inputs_stable_bookworm: &register_inputs_stable_bookworm
-  <<: *register_inputs
-  runOnChangesTo: ['RELEASE_NOTES']
-  FLAVOR: "bookworm"
-  SERIES: "stable"
-
-.register_inputs_stable_trixie: &register_inputs_stable_trixie
-  <<: *register_inputs
-  runOnChangesTo: ['RELEASE_NOTES']
-  FLAVOR: "trixie"
-  SERIES: "stable"
-
-.register_inputs_next_bookworm: &register_inputs_next_bookworm
-  <<: *register_inputs
-  FLAVOR: "bookworm"
-  SERIES: next
-
-.register_inputs_next_trixie: &register_inputs_next_trixie
-  <<: *register_inputs
-  FLAVOR: "trixie"
-  SERIES: next
-
-################################################
-### Generate Debian Package for Internal APT ###
-################################################
-.cloudflared-apt-build: &cloudflared_apt_build
-  stage: package
-  needs:
-    - ci-image-get-image-ref
-    - linux-packaging # For consistency, we only run this job after we knew we could build the packages for external delivery
-  image: $BUILD_IMAGE
-  cache: {}
-  script:
-    - make cloudflared-deb
-  artifacts:
-    paths:
-      - cloudflared*.deb
-
-##############
-### Stable ###
-##############
-cloudflared-amd64-stable:
-  <<: *cloudflared_apt_build
-  rules:
-    - !reference [.default-rules, run-on-release]
-  variables: &amd64-stable-vars
-    GOOS: linux
-    GOARCH: amd64
-    FIPS: true
-    ORIGINAL_NAME: true
-    CGO_ENABLED: 1
-
-cloudflared-arm64-stable:
-  <<: *cloudflared_apt_build
-  rules:
-    - !reference [.default-rules, run-on-release]
-  variables: &arm64-stable-vars
-    GOOS: linux
-    GOARCH: arm64
-    FIPS: false # TUN-7595
-    ORIGINAL_NAME: true
-    CGO_ENABLED: 1
-
-############
-### Next ###
-############
-cloudflared-amd64-next:
-  <<: *cloudflared_apt_build
-  rules:
-    - !reference [.default-rules, run-on-master]
-  variables:
-    <<: *amd64-stable-vars
-    NIGHTLY: true
-
-cloudflared-arm64-next:
-  <<: *cloudflared_apt_build
-  rules:
-    - !reference [.default-rules, run-on-master]
-  variables:
-    <<: *arm64-stable-vars
-    NIGHTLY: true
-
-include:
-  - local: .ci/commons.gitlab-ci.yml
-
-  ##########################################
-  ### Publish Packages to Internal Repos ###
-  ##########################################
-  # Bookworm AMD64
-  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
-    inputs:
-      <<: *register_inputs_stable_bookworm
-      jobPrefix: cloudflared-bookworm-amd64
-      needs: &amd64-stable ["cloudflared-amd64-stable"]
-
-  # Bookworm ARM64
-  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
-    inputs:
-      <<: *register_inputs_stable_bookworm
-      jobPrefix: cloudflared-bookworm-arm64
-      needs: &arm64-stable ["cloudflared-arm64-stable"]
-
-  # Trixie AMD64
-  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
-    inputs:
-      <<: *register_inputs_stable_trixie
-      jobPrefix: cloudflared-trixie-amd64
-      needs: *amd64-stable
-
-  # Trixie ARM64
-  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
-    inputs:
-      <<: *register_inputs_stable_trixie
-      jobPrefix: cloudflared-trixie-arm64
-      needs: *arm64-stable
-
-  ##################################################
-  ### Publish Nightly Packages to Internal Repos ###
-  ##################################################
-  # Bookworm AMD64
-  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
-    inputs:
-      <<: *register_inputs_next_bookworm
-      jobPrefix: cloudflared-nightly-bookworm-amd64
-      needs: &amd64-next ['cloudflared-amd64-next']
-
-  # Bookworm ARM64
-  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
-    inputs:
-      <<: *register_inputs_next_bookworm
-      jobPrefix: cloudflared-nightly-bookworm-arm64
-      needs: &arm64-next ['cloudflared-arm64-next']
-
-  # Trixie AMD64
-  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
-    inputs:
-      <<: *register_inputs_next_trixie
-      jobPrefix: cloudflared-nightly-trixie-amd64
-      needs: *amd64-next
-
-  # Trixie ARM64
-  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
-    inputs:
-      <<: *register_inputs_next_trixie
-      jobPrefix: cloudflared-nightly-trixie-arm64
-      needs: *arm64-next

.ci/ci-image.gitlab-ci.yml

@@ -1,31 +0,0 @@
-# Builds a custom CI Image when necessary
-
-include:
-  #####################################################
-  ############## Build and Push CI Image ##############
-  #####################################################
-  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
-    inputs:
-      stage: pre-build
-      jobPrefix: ci-image
-      runOnChangesTo: [".ci/image/**"]
-      runOnMR: true
-      runOnBranches: '^master$'
-      commentImageRefs: false
-      runner: vm-linux-x86-4cpu-8gb
-      EXTRA_DIB_ARGS: "--manifest=.ci/image/.docker-images"
-
-  #####################################################
-  ## Resolve the image reference for downstream jobs ##
-  #####################################################
-  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/get-image-ref@~latest
-    inputs:
-      stage: pre-build
-      jobPrefix: ci-image
-      runOnMR: true
-      runOnBranches: '^master$'
-      IMAGE_PATH: "$REGISTRY_HOST/stash/tun/cloudflared/ci-image/master"
-      VARIABLE_NAME: BUILD_IMAGE
-      needs:
-        - job: ci-image-build-push-image
-          optional: true

.ci/commons.gitlab-ci.yml

@@ -1,45 +0,0 @@
-## A set of predefined rules to use on the different jobs
-.default-rules:
-  # Rules to run the job only on the master branch
-  run-on-master:
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-      when: on_success
-    - when: never
-  # Rules to run the job only on merge requests
-  run-on-mr:
-    - if: $CI_COMMIT_TAG
-      when: never
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-      when: on_success
-    - when: never
-  # Rules to run the job on merge_requests and master branch
-  run-always:
-    - if: $CI_COMMIT_TAG
-      when: never
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: $CI_COMMIT_BRANCH != null && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-      when: on_success
-    - when: never
-  # Rules to run the job only when a release happens
-  run-on-release:
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-      changes:
-          - 'RELEASE_NOTES'
-      when: on_success
-    - when: never
-
-.component-tests:
-  image: $BUILD_IMAGE
-  rules:
-    - !reference [.default-rules, run-always]
-  variables:
-    COMPONENT_TESTS_CONFIG: component-test-config.yaml
-    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiBjbG91ZGZsYXJlZC5leGUKY3JlZGVudGlhbHNfZmlsZTogY3JlZC5qc29uCm9yaWdpbmNlcnQ6IGNlcnQucGVtCnpvbmVfZG9tYWluOiBhcmdvdHVubmVsdGVzdC5jb20Kem9uZV90YWc6IDQ4Nzk2ZjFlNzBiYjc2NjljMjliYjUxYmEyODJiZjY1
-  secrets:
-    DNS_API_TOKEN:
-      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/component_tests_token/data@kv
-      file: false
-    COMPONENT_TESTS_ORIGINCERT:
-      vault: gitlab/cloudflare/tun/cloudflared/_dev/component_tests_cert_pem/data@kv
-      file: false
-  cache: {}

.ci/github.gitlab-ci.yml

@@ -1,17 +0,0 @@
-include:
-  - local: .ci/commons.gitlab-ci.yml
-
-######################################
-### Sync master branch with Github ###
-######################################
-push-github:
-  stage: sync
-  rules:
-    - !reference [.default-rules, run-on-master]
-  script:
-    - ./.ci/scripts/github-push.sh
-  secrets:
-    CLOUDFLARED_DEPLOY_SSH_KEY:
-      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cloudflared_github_ssh/data@kv
-      file: false
-  cache: {}

.ci/image/.docker-images

@@ -1,2 +0,0 @@
-images:
-  - name: ci-image

.ci/image/Dockerfile

@@ -1,35 +0,0 @@
-ARG CLOUDFLARE_DOCKER_REGISTRY_HOST
-
-FROM ${CLOUDFLARE_DOCKER_REGISTRY_HOST:-registry.cfdata.org}/stash/cf/debian-images/bookworm/main:2025.7.0@sha256:6350da2f7e728dae2c1420f6dafc38e23cacc0b399d3d5b2f40fe48d9c8ff1ca
-
-RUN apt-get update && \
-    apt-get upgrade -y && \
-    apt-get install --no-install-recommends --allow-downgrades -y \
-        build-essential \
-        git \
-        go-boring=1.24.9-1 \
-        libffi-dev \
-        procps \
-        python3-dev \
-        python3-pip \
-        python3-setuptools \
-        python3-venv \
-        # libmsi and libgcab are libraries the wixl binary depends on.
-        libmsi-dev \
-        libgcab-dev \
-        # deb and rpm build tools
-        rubygem-fpm \
-        rpm \
-        # create deb and rpm repository files
-        reprepro \
-        createrepo-c \
-        # gcc for cross architecture compilation in arm
-        gcc-aarch64-linux-gnu \
-        libc6-dev-arm64-cross && \
-    rm -rf /var/lib/apt/lists/* && \
-    # Install wixl
-    curl -o /usr/local/bin/wixl -L https://pkg.cloudflare.com/binaries/wixl && \
-    chmod a+x /usr/local/bin/wixl && \
-    mkdir -p opt
-
-WORKDIR /opt

.ci/linux.gitlab-ci.yml

@@ -1,122 +0,0 @@
-.golang-inputs: &golang_inputs
-  runOnMR: true
-  runOnBranches: '^master$'
-  outputDir: artifacts
-  runner: linux-x86-8cpu-16gb
-  stage: build
-  golangVersion: "boring-1.24"
-  imageVersion: "3371-f5539bd6f83d@sha256:a2a68f580070f9411d0d3155959ed63b700ef319b5fcc62db340e92227bbc628"
-  CGO_ENABLED: 1
-
-.default-packaging-job: &packaging-job-defaults
-  stage: package
-  needs:
-    - ci-image-get-image-ref
-  rules:
-    - !reference [.default-rules, run-on-master]
-  image: $BUILD_IMAGE
-  cache: {}
-  artifacts:
-    paths:
-      - artifacts/*
-
-include:
-  ###################
-  ### Linux Build ###
-  ###################
-  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
-    inputs:
-      <<: *golang_inputs
-      jobPrefix: linux-build
-      GOLANG_MAKE_TARGET: ci-build
-
-  ########################
-  ### Linux FIPS Build ###
-  ########################
-  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
-    inputs:
-      <<: *golang_inputs
-      jobPrefix: linux-fips-build
-      GOLANG_MAKE_TARGET: ci-fips-build
-
-  #################
-  ### Unit Tests ##
-  #################
-  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
-    inputs:
-      <<: *golang_inputs
-      stage: test
-      jobPrefix: test
-      GOLANG_MAKE_TARGET: ci-test
-
-  ######################
-  ### Unit Tests FIPS ##
-  ######################
-  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
-    inputs:
-      <<: *golang_inputs
-      stage: test
-      jobPrefix: test-fips
-      GOLANG_MAKE_TARGET: ci-fips-test
-
-  #################
-  ### Vuln Check ##
-  #################
-  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
-    inputs:
-      <<: *golang_inputs
-      runOnBranches: '^$'
-      stage: validate
-      jobPrefix: vulncheck
-      GOLANG_MAKE_TARGET: vulncheck
-
-#################################
-### Run Linux Component Tests ###
-#################################
-linux-component-tests: &linux-component-tests
-  stage: test
-  extends: .component-tests
-  needs:
-    - ci-image-get-image-ref
-    - linux-build-boring-make
-  script:
-    - ./.ci/scripts/component-tests.sh
-  variables: &component-tests-variables
-    CI: 1
-    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkCmNyZWRlbnRpYWxzX2ZpbGU6IGNyZWQuanNvbgpvcmlnaW5jZXJ0OiBjZXJ0LnBlbQp6b25lX2RvbWFpbjogYXJnb3R1bm5lbHRlc3QuY29tCnpvbmVfdGFnOiA0ODc5NmYxZTcwYmI3NjY5YzI5YmI1MWJhMjgyYmY2NQ==
-  tags:
-    - linux-x86-8cpu-16gb
-  artifacts:
-    reports:
-      junit: report.xml
-
-######################################
-### Run Linux FIPS Component Tests ###
-######################################
-linux-component-tests-fips:
-  <<: *linux-component-tests
-  needs:
-    - ci-image-get-image-ref
-    - linux-fips-build-boring-make
-  variables:
-    <<: *component-tests-variables
-    COMPONENT_TESTS_FIPS: 1
-
-################################
-####### Linux Packaging ########
-################################
-linux-packaging:
-  <<: *packaging-job-defaults
-  parallel:
-    matrix:
-      - ARCH: ["386", "amd64", "arm", "armhf", "arm64"]
-  script:
-    - ./.ci/scripts/linux/build-packages.sh ${ARCH}
-
-################################
-##### Linux FIPS Packaging #####
-################################
-linux-packaging-fips:
-  <<: *packaging-job-defaults
-  script:
-    - ./.ci/scripts/linux/build-packages-fips.sh

.ci/mac.gitlab-ci.yml

@@ -1,66 +0,0 @@
-include:
-  - local: .ci/commons.gitlab-ci.yml
-
-###############################
-### Defaults for Mac Builds ###
-###############################
-.mac-build-defaults: &mac-build-defaults
-  rules:
-    - !reference [.default-rules, run-on-mr]
-  tags:
-    - "macstadium-${RUNNER_ARCH}"
-  parallel:
-    matrix:
-      - RUNNER_ARCH: [arm, intel]
-  cache: {}
-
-######################################
-### Build Cloudflared Mac Binaries ###
-######################################
-macos-build-cloudflared: &mac-build
-  <<: *mac-build-defaults
-  stage: build
-  artifacts:
-    paths:
-      - artifacts/*
-  script:
-    - '[ "${RUNNER_ARCH}" = "arm" ] && export TARGET_ARCH=arm64'
-    - '[ "${RUNNER_ARCH}" = "intel" ] && export TARGET_ARCH=amd64'
-    - ARCH=$(uname -m)
-    - echo ARCH=$ARCH - TARGET_ARCH=$TARGET_ARCH
-    - ./.ci/scripts/mac/install-go.sh
-    - BUILD_SCRIPT=.ci/scripts/mac/build.sh
-    - if [[ ! -x ${BUILD_SCRIPT} ]] ; then exit ; fi
-    - set -euo pipefail
-    - echo "Executing ${BUILD_SCRIPT}"
-    - exec ${BUILD_SCRIPT}
-
-###############################################
-### Build and Sign Cloudflared Mac Binaries ###
-###############################################
-macos-build-and-sign-cloudflared:
-  <<: *mac-build
-  rules:
-    - !reference [.default-rules, run-on-master]
-  secrets:
-    APPLE_DEV_CA_CERT:
-      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/apple_dev_ca_cert_v2/data@kv
-      file: false
-    CFD_CODE_SIGN_CERT:
-      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_cert_v2/data@kv
-      file: false
-    CFD_CODE_SIGN_KEY:
-      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_key_v2/data@kv
-      file: false
-    CFD_CODE_SIGN_PASS:
-      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_pass_v2/data@kv
-      file: false
-    CFD_INSTALLER_CERT:
-      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_cert_v2/data@kv
-      file: false
-    CFD_INSTALLER_KEY:
-      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_key_v2/data@kv
-      file: false
-    CFD_INSTALLER_PASS:
-      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_pass_v2/data@kv
-      file: false

.ci/release.gitlab-ci.yml

@@ -1,133 +0,0 @@
-include:
-  - local: .ci/commons.gitlab-ci.yml
-
-  ######################################
-  ### Build and Push DockerHub Image ###
-  ######################################
-  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
-    inputs:
-      stage: release
-      jobPrefix: docker-hub
-      runOnMR: false
-      runOnBranches: '^master$'
-      runOnChangesTo: ['RELEASE_NOTES']
-      needs:
-        - generate-version-file
-        - release-cloudflared-to-r2
-      commentImageRefs: false
-      runner: vm-linux-x86-4cpu-8gb
-      # Based on if the CI reference is protected or not the CI component will
-      # either use _BRANCH or _PROD, therefore, to prevent the pipelines from failing
-      # we simply set both to the same value.
-      DOCKER_USER_BRANCH: &docker-hub-user svcgithubdockerhubcloudflar045
-      DOCKER_PASSWORD_BRANCH: &docker-hub-password gitlab/cloudflare/tun/cloudflared/_dev/dockerhub/svc_password/data
-      DOCKER_USER_PROD: *docker-hub-user
-      DOCKER_PASSWORD_PROD: *docker-hub-password
-      EXTRA_DIB_ARGS: --overwrite
-
-.default-release-job: &release-job-defaults
-  stage: release
-  image: $BUILD_IMAGE
-  cache:
-    paths:
-      - .cache/pip
-  variables: &release-job-variables
-    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
-    # KV Vars
-    KV_NAMESPACE: 380e19aa04314648949b6ad841417ebe
-    KV_ACCOUNT: &cf-account 5ab4e9dfbd435d24068829fda0077963
-    # R2 Vars
-    R2_BUCKET: cloudflared-pkgs
-    R2_ACCOUNT_ID: *cf-account
-    # APT and RPM Repository Vars
-    GPG_PUBLIC_KEY_URL: "https://pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
-    PKG_URL: "https://pkg.cloudflare.com/cloudflared"
-    BINARY_NAME: cloudflared
-  secrets:
-    KV_API_TOKEN:
-      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_kv_api_token/data@kv
-      file: false
-    API_KEY:
-      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
-      file: false
-    R2_CLIENT_ID:
-      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_id@kv
-      file: false
-    R2_CLIENT_SECRET:
-      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_secret@kv
-      file: false
-    LINUX_SIGNING_PUBLIC_KEY:
-      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/public_key@kv
-      file: false
-    LINUX_SIGNING_PRIVATE_KEY:
-      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/private_key@kv
-      file: false
-    LINUX_SIGNING_PUBLIC_KEY_2:
-      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/public_key@kv
-      file: false
-    LINUX_SIGNING_PRIVATE_KEY_2:
-      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/private_key@kv
-      file: false
-
-###########################################
-### Push Cloudflared Binaries to Github ###
-###########################################
-release-cloudflared-to-github:
-  <<: *release-job-defaults
-  rules:
-    - !reference [.default-rules, run-on-release]
-  needs:
-    - ci-image-get-image-ref
-    - linux-packaging
-    - linux-packaging-fips
-    - macos-build-and-sign-cloudflared
-    - windows-package-sign
-  script:
-    - ./.ci/scripts/release-target.sh github-release
-
-#########################################
-### Upload Cloudflared Binaries to R2 ###
-#########################################
-release-cloudflared-to-r2:
-  <<: *release-job-defaults
-  rules:
-    - !reference [.default-rules, run-on-release]
-  needs:
-    - ci-image-get-image-ref
-    - linux-packaging # We only release non-FIPS binaries to R2
-    - release-cloudflared-to-github
-  script:
-    - ./.ci/scripts/release-target.sh r2-linux-release
-
-#################################################
-### Upload Cloudflared Nightly Binaries to R2 ###
-#################################################
-release-cloudflared-nightly-to-r2:
-  <<: *release-job-defaults
-  rules:
-    - !reference [.default-rules, run-on-master]
-  variables:
-    <<: *release-job-variables
-    R2_BUCKET: cloudflared-pkgs-next
-    GPG_PUBLIC_KEY_URL: "https://next.pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
-    PKG_URL: "https://next.pkg.cloudflare.com/cloudflared"
-  needs:
-    - ci-image-get-image-ref
-    - linux-packaging # We only release non-FIPS binaries to R2
-  script:
-    - ./.ci/scripts/release-target.sh r2-linux-release
-
-#############################
-### Generate Version File ###
-#############################
-generate-version-file:
-  <<: *release-job-defaults
-  rules:
-    - !reference [.default-rules, run-on-release]
-  needs:
-    - ci-image-get-image-ref
-  script:
-    - make generate-docker-version
-  artifacts:
-    paths:
-      - versions

.ci/scripts/component-tests.sh

@@ -1,25 +0,0 @@
-#!/bin/bash
-set -e -o pipefail
-
-# Fetch cloudflared from the artifacts folder
-mv ./artifacts/cloudflared ./cloudflared
-
-python3 -m venv env
-. env/bin/activate
-
-pip install --upgrade -r component-tests/requirements.txt
-
-# Creates and routes a Named Tunnel for this build. Also constructs
-# config file from env vars.
-python3 component-tests/setup.py --type create
-
-# Define the cleanup function
-cleanup() {
-    # The Named Tunnel is deleted and its route unprovisioned here.
-    python3 component-tests/setup.py --type cleanup
-}
-
-# The trap will call the cleanup function on script exit
-trap cleanup EXIT
-
-pytest component-tests -o log_cli=true --log-cli-level=INFO --junit-xml=report.xml

.ci/scripts/github-push.sh

@@ -1,31 +0,0 @@
-#!/bin/bash
-set -e -o pipefail
-
-BRANCH="master"
-TMP_PATH="$PWD/tmp"
-PRIVATE_KEY_PATH="$TMP_PATH/github-deploy-key"
-PUBLIC_KEY_GITHUB_PATH="$TMP_PATH/github.pub"
-
-mkdir -p $TMP_PATH
-
-# Setup Private Key
-echo "$CLOUDFLARED_DEPLOY_SSH_KEY" > $PRIVATE_KEY_PATH
-chmod 400 $PRIVATE_KEY_PATH
-
-# Download GitHub Public Key for KnownHostsFile
-ssh-keyscan -t ed25519 github.com > $PUBLIC_KEY_GITHUB_PATH
-
-# Setup git ssh command with the right configurations
-export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=$PUBLIC_KEY_GITHUB_PATH -o IdentitiesOnly=yes -i $PRIVATE_KEY_PATH"
-
-# Add GitHub as a new remote
-git remote add github git@github.com:cloudflare/cloudflared.git || true
-
-# GitLab doesn't pull branch references, instead it creates a new one on each pipeline.
-# Therefore, we need to manually fetch the reference to then push it to GitHub.
-git fetch origin $BRANCH:$BRANCH
-git push -u github $BRANCH
-
-if TAG="$(git describe --tags --exact-match 2>/dev/null)"; then
-  git push -u github "$TAG"
-fi

.ci/scripts/linux/build-packages.sh

@@ -1,59 +0,0 @@
-#!/bin/bash
-
-# Check if architecture argument is provided
-if [ $# -eq 0 ]; then
-    echo "Error: Architecture argument is required"
-    echo "Usage: $0 <architecture>"
-    exit 1
-fi
-
-# Parameters
-arch=$1
-
-# Get Version
-VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
-echo $VERSION
-
-# Disable FIPS module in go-boring
-export GOEXPERIMENT=noboringcrypto
-export CGO_ENABLED=0
-
-# This controls the directory the built artifacts go into
-export ARTIFACT_DIR=artifacts/
-mkdir -p $ARTIFACT_DIR
-
-export TARGET_OS=linux
-
-unset TARGET_ARM
-export TARGET_ARCH=$arch
-
-## Support for arm platforms without hardware FPU enabled
-if [[ $arch == arm ]] ; then
-    export TARGET_ARCH=arm
-    export TARGET_ARM=5
-fi
-
-## Support for armhf builds
-if [[ $arch == armhf ]] ; then
-    export TARGET_ARCH=arm
-    export TARGET_ARM=7
-fi
-
-make cloudflared-deb
-mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
-
-# rpm packages invert the - and _ and use x86_64 instead of amd64.
-RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
-RPMARCH=$arch
-if [ $arch == "amd64" ];then
-    RPMARCH="x86_64"
-fi
-if [ $arch == "arm64" ]; then
-    RPMARCH="aarch64"
-fi
-make cloudflared-rpm
-mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
-
-# finally move the linux binary as well.
-mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
-

.ci/scripts/release-target.sh

@@ -1,18 +0,0 @@
-#!/bin/bash
-set -e -o pipefail
-
-# Check if a make target is provided as an argument
-if [ $# -eq 0 ]; then
-    echo "Error: Make target argument is required"
-    echo "Usage: $0 <make-target>"
-    exit 1
-fi
-
-MAKE_TARGET=$1
-
-python3 -m venv venv
-source venv/bin/activate
-
-# Our release scripts are written in python, so we should install their dependecies here.
-pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
-make $MAKE_TARGET

.ci/scripts/vuln-check.sh

@@ -1,52 +0,0 @@
-#!/bin/bash
-set -e
-
-# Define the file to store the list of vulnerabilities to ignore.
-IGNORE_FILE=".vulnignore"
-
-# Check if the ignored vulnerabilities file exists. If not, create an empty one.
-if [ ! -f "$IGNORE_FILE" ]; then
-    touch "$IGNORE_FILE"
-    echo "Created an empty file to store ignored vulnerabilities: $IGNORE_FILE"
-    echo "# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line." >> "$IGNORE_FILE"
-    echo "# You can also add comments on the same line after the ID." >> "$IGNORE_FILE"
-    echo "" >> "$IGNORE_FILE"
-fi
-
-# Run govulncheck and capture its output.
-VULN_OUTPUT=$(go run -mod=readonly golang.org/x/vuln/cmd/govulncheck@latest ./... || true)
-
-# Print the govuln output
-echo "====================================="
-echo "Full Output of govulncheck:"
-echo "====================================="
-echo "$VULN_OUTPUT"
-echo "====================================="
-echo "End of govulncheck Output"
-echo "====================================="
-
-# Process the ignore file to remove comments and empty lines.
-# The 'cut' command gets the vulnerability ID and removes anything after the '#'.
-# The 'grep' command filters out empty lines and lines starting with '#'.
-CLEAN_IGNORES=$(grep -v '^\s*#' "$IGNORE_FILE" | cut -d'#' -f1 | sed 's/ //g' | sort -u || true)
-
-# Filter out the ignored vulnerabilities.
-UNIGNORED_VULNS=$(echo "$VULN_OUTPUT" | grep 'Vulnerability')
-
-# If the list of ignored vulnerabilities is not empty, filter them out.
-if [ -n "$CLEAN_IGNORES" ]; then
-    UNIGNORED_VULNS=$(echo "$UNIGNORED_VULNS" | grep -vFf <(echo "$CLEAN_IGNORES") || true)
-fi
-
-# If there are any vulnerabilities that were not in our ignore list, print them and exit with an error.
-if [ -n "$UNIGNORED_VULNS" ]; then
-    echo "🚨 Found new, unignored vulnerabilities:"
-    echo "-------------------------------------"
-    echo "$UNIGNORED_VULNS"
-    echo "-------------------------------------"
-    echo "Exiting with an error. ❌"
-    exit 1
-else
-    echo "🎉 No new vulnerabilities found. All clear! ✨"
-    exit 0
-fi

.ci/scripts/windows/builds.ps1

@@ -1,29 +0,0 @@
-Set-StrictMode -Version Latest
-$ErrorActionPreference = "Stop"
-$ProgressPreference = "SilentlyContinue"
-
-$env:TARGET_OS = "windows"
-$env:LOCAL_OS = "windows"
-$TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
-
-New-Item -Path ".\artifacts" -ItemType Directory
-
-Write-Output "Building for amd64"
-$env:TARGET_ARCH = "amd64"
-$env:LOCAL_ARCH = "amd64"
-$env:CGO_ENABLED = 1
-& make cloudflared
-if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
-# Sign build
-azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
-copy .\cloudflared.exe .\artifacts\cloudflared-windows-amd64.exe
-
-Write-Output "Building for 386"
-$env:TARGET_ARCH = "386"
-$env:LOCAL_ARCH = "386"
-$env:CGO_ENABLED = 0
-& make cloudflared
-if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
-## Sign build
-azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
-copy .\cloudflared.exe .\artifacts\cloudflared-windows-386.exe

.ci/scripts/windows/component-test.ps1

@@ -1,40 +0,0 @@
-Set-StrictMode -Version Latest
-$ErrorActionPreference = "Stop"
-$ProgressPreference = "SilentlyContinue"
-
-$env:TARGET_OS = "windows"
-$env:LOCAL_OS = "windows"
-$env:TARGET_ARCH = "amd64"
-$env:LOCAL_ARCH = "amd64"
-$env:CGO_ENABLED = 1
-
-python --version
-python -m pip --version
-
-
-Write-Host "Building cloudflared"
-& make cloudflared
-if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
-
-
-Write-Host "Running unit tests"
-# Not testing with race detector because of https://github.com/golang/go/issues/61058
-# We already test it on other platforms
-go test -failfast -v -mod=vendor ./...
-if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
-
-
-# On Gitlab runners we need to add all of this addresses to the NO_PROXY list in order for the tests to run.
-$env:NO_PROXY = "pypi.org,files.pythonhosted.org,api.cloudflare.com,argotunneltest.com,argotunnel.com,trycloudflare.com,${env:NO_PROXY}"
-Write-Host "No Proxy: ${env:NO_PROXY}"
-Write-Host "Running component tests"
-try {
-    python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517
-    python component-tests/setup.py --type create
-    python -m pytest component-tests -o log_cli=true --log-cli-level=INFO --junit-xml=report.xml
-    if ($LASTEXITCODE -ne 0) {
-        throw "Failed component tests"
-    }
-} finally {
-    python component-tests/setup.py --type cleanup
-}

.ci/scripts/windows/go-wrapper.ps1

@@ -1,69 +0,0 @@
-Param(
-    [string]$GoVersion,
-    [string]$ScriptToExecute
-)
-
-# The script is a wrapper that downloads a specific version
-# of go, adds it to the PATH and executes a script with that go
-# version in the path.
-
-Set-StrictMode -Version Latest
-$ErrorActionPreference = "Stop"
-$ProgressPreference = "SilentlyContinue"
-
-# Get the path to the system's temporary directory.
-$tempPath = [System.IO.Path]::GetTempPath()
-
-# Create a unique name for the new temporary folder.
-$folderName = "go_" + (Get-Random)
-
-# Join the temp path and the new folder name to create the full path.
-$fullPath = Join-Path -Path $tempPath -ChildPath $folderName
-
-# Store the current value of PATH environment variable.
-$oldPath = $env:Path
-
-# Use a try...finally block to ensure the temporrary folder and PATH are cleaned up.
-try {
-    # Create the temporary folder.
-    Write-Host "Creating temporary folder at: $fullPath"
-    $newTempFolder = New-Item -ItemType Directory -Path $fullPath -Force
-
-    # Download go
-    $url = "https://go.dev/dl/$GoVersion.windows-amd64.zip"
-    $destinationFile = Join-Path -Path $newTempFolder.FullName -ChildPath "go$GoVersion.windows-amd64.zip"
-    Write-Host "Downloading go from: $url"
-    Invoke-WebRequest -Uri $url -OutFile $destinationFile
-    Write-Host "File downloaded to: $destinationFile"
-
-    # Unzip the downloaded file.
-    Write-Host "Unzipping the file..."
-    Expand-Archive -Path $destinationFile -DestinationPath $newTempFolder.FullName -Force
-    Write-Host "File unzipped successfully."
-
-    # Define the go/bin path wich is inside the temporary folder
-    $goBinPath = Join-Path -Path $fullPath -ChildPath "go\bin"
-
-    # Add the go/bin path to the PATH environment variable.
-    $env:Path = "$goBinPath;$($env:Path)"
-    Write-Host "Added $goBinPath to the environment PATH."
-
-    go env
-    go version
-
-    & $ScriptToExecute
-} finally {
-    # Cleanup: Remove the path from the environment variable and then the temporary folder.
-    Write-Host "Starting cleanup..."
-
-    $env:Path = $oldPath
-    Write-Host "Reverted changes in the environment PATH."
-
-    # Remove the temporary folder and its contents.
-    if (Test-Path -Path $fullPath) {
-        Remove-Item -Path $fullPath -Recurse -Force
-        Write-Host "Temporary folder and its contents have been removed."
-    } else {
-        Write-Host "Temporary folder does not exist, no cleanup needed."
-    }
-}

.ci/scripts/windows/sign-msi.ps1

@@ -1,26 +0,0 @@
-# Sign Windows artifacts using azuretool
-# This script processes MSI files from the artifacts directory
-
-$ErrorActionPreference = "Stop"
-
-# Define paths
-$ARTIFACT_DIR = "artifacts"
-$TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
-
-Write-Host "Looking for Windows artifacts to sign in $ARTIFACT_DIR..."
-
-# Find all Windows MSI files
-$msiFiles = Get-ChildItem -Path $ARTIFACT_DIR -Filter "cloudflared-windows-*.msi" -ErrorAction SilentlyContinue
-
-if ($msiFiles.Count -eq 0) {
-    Write-Host "No Windows MSI files found in $ARTIFACT_DIR"
-    exit 1
-}
-
-Write-Host "Found $($msiFiles.Count) file(s) to sign:"
-foreach ($file in $msiFiles) {
-    Write-Host "Running azuretool sign for $($file.Name)"
-    azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\\$ARTIFACT_DIR\\$($file.Name)
-}
-
-Write-Host "Signing process completed"

.ci/windows.gitlab-ci.yml

@@ -1,114 +0,0 @@
-include:
-  - local: .ci/commons.gitlab-ci.yml
-
-###################################
-### Defaults for Windows Builds ###
-###################################
-.windows-build-defaults: &windows-build-defaults
-  rules:
-    - !reference [.default-rules, run-always]
-  tags:
-    - windows-x86
-  cache: {}
-
-##########################################
-### Build Cloudflared Windows Binaries ###
-##########################################
-windows-build-cloudflared:
-  <<: *windows-build-defaults
-  stage: build
-  script:
-    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${GO_VERSION}" ".\.ci\scripts\windows\builds.ps1"
-  artifacts:
-    paths:
-      - artifacts/*
-
-######################################################
-### Load Environment Variables for Component Tests ###
-######################################################
-windows-load-env-variables:
-  stage: pre-build
-  extends: .component-tests
-  script:
-    - echo "COMPONENT_TESTS_CONFIG=$COMPONENT_TESTS_CONFIG" >> windows.env
-    - echo "COMPONENT_TESTS_CONFIG_CONTENT=$COMPONENT_TESTS_CONFIG_CONTENT" >> windows.env
-    - echo "DNS_API_TOKEN=$DNS_API_TOKEN" >> windows.env
-    # We have to encode the `COMPONENT_TESTS_ORIGINCERT` secret, because it content is a file, otherwise we can't export it using gitlab
-    - echo "COMPONENT_TESTS_ORIGINCERT=$(echo "$COMPONENT_TESTS_ORIGINCERT" | base64 -w0)" >> windows.env
-    - echo "KEY_VAULT_URL=$KEY_VAULT_URL" >> windows.env
-    - echo "KEY_VAULT_CLIENT_ID=$KEY_VAULT_CLIENT_ID" >> windows.env
-    - echo "KEY_VAULT_TENANT_ID=$KEY_VAULT_TENANT_ID" >> windows.env
-    - echo "KEY_VAULT_SECRET=$KEY_VAULT_SECRET" >> windows.env
-    - echo "KEY_VAULT_CERTIFICATE=$KEY_VAULT_CERTIFICATE" >> windows.env
-  variables:
-    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkLmV4ZQpjcmVkZW50aWFsc19maWxlOiBjcmVkLmpzb24Kb3JpZ2luY2VydDogY2VydC5wZW0Kem9uZV9kb21haW46IGFyZ290dW5uZWx0ZXN0LmNvbQp6b25lX3RhZzogNDg3OTZmMWU3MGJiNzY2OWMyOWJiNTFiYTI4MmJmNjU=
-  secrets:
-    KEY_VAULT_URL:
-      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_url@kv
-      file: false
-    KEY_VAULT_CLIENT_ID:
-      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_client_id@kv
-      file: false
-    KEY_VAULT_TENANT_ID:
-      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_tenant_id@kv
-      file: false
-    KEY_VAULT_SECRET:
-      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/secret/key_vault_secret@kv
-      file: false
-    KEY_VAULT_CERTIFICATE:
-      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/certificate_v2/key_vault_certificate@kv
-      file: false
-  artifacts:
-    access: 'none'
-    reports:
-      dotenv: windows.env
-
-###################################
-### Run Windows Component Tests ###
-###################################
-windows-component-tests-cloudflared:
-  <<: *windows-build-defaults
-  stage: test
-  needs: ["windows-load-env-variables"]
-  script:
-    # We have to decode the secret we encoded on the `windows-load-env-variables` job
-    - $env:COMPONENT_TESTS_ORIGINCERT = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($env:COMPONENT_TESTS_ORIGINCERT))
-    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${GO_VERSION}" ".\.ci\scripts\windows\component-test.ps1"
-  artifacts:
-    reports:
-      junit: report.xml
-
-################################
-### Package Windows Binaries ###
-################################
-windows-package:
-  rules:
-    - !reference [.default-rules, run-on-master]
-  stage: package
-  needs:
-    - ci-image-get-image-ref
-    - windows-build-cloudflared
-  image: $BUILD_IMAGE
-  script:
-    - .ci/scripts/package-windows.sh
-  cache: {}
-  artifacts:
-    paths:
-      - artifacts/*
-
-#############################
-### Sign Windows Binaries ###
-#############################
-windows-package-sign:
-  <<: *windows-build-defaults
-  rules:
-    - !reference [.default-rules, run-on-master]
-  stage: package
-  needs:
-    - windows-package
-    - windows-load-env-variables
-  script:
-    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\sign-msi.ps1"
-  artifacts:
-    paths:
-      - artifacts/*

.gitlab-ci.yml

@@ -1,58 +0,0 @@
-variables:
-  GO_VERSION: "go1.24.9"
-  GIT_DEPTH: "0"
-
-default:
-  id_tokens:
-    VAULT_ID_TOKEN:
-      aud: https://vault.cfdata.org
-
-stages: [sync, pre-build, build, validate, test, package, release, release-internal, review]
-
-include:
-  #####################################################
-  ########## Import Commons Configurations ############
-  #####################################################
-  - local: .ci/commons.gitlab-ci.yml
-
-  #####################################################
-  ########### Sync Repository with Github #############
-  #####################################################
-  - local: .ci/github.gitlab-ci.yml
-
-  #####################################################
-  ############# Build or Fetch CI Image ###############
-  #####################################################
-  - local: .ci/ci-image.gitlab-ci.yml
-
-  #####################################################
-  ################## Linux Builds ###################
-  #####################################################
-  - local: .ci/linux.gitlab-ci.yml
-
-  #####################################################
-  ################## Windows Builds ###################
-  #####################################################
-  - local: .ci/windows.gitlab-ci.yml
-
-  #####################################################
-  ################### macOS Builds ####################
-  #####################################################
-  - local: .ci/mac.gitlab-ci.yml
-
-  #####################################################
-  ################# Release Packages ##################
-  #####################################################
-  - local: .ci/release.gitlab-ci.yml
-
-  #####################################################
-  ########## Release Packages Internally ##############
-  #####################################################
-  - local: .ci/apt-internal.gitlab-ci.yml
-
-  #####################################################
-  ############## Manual Claude Review #################
-  #####################################################
-  - component: $CI_SERVER_FQDN/cloudflare/ci/ai/review@~latest
-    inputs:
-      whenToRun: "manual"

.golangci.yaml

@@ -27,7 +27,7 @@ linters:
     - sloglint         # Ensure consistent code style when using log/slog.
     - sqlclosecheck    # Checks that sql.Rows, sql.Stmt, sqlx.NamedStmt, pgx.Query are closed.
     - staticcheck      # It's a set of rules from staticcheck. It's not the same thing as the staticcheck binary.
-    - usetesting       # Reports uses of functions with replacement inside the testing package.
+    - tenv             # Tenv is analyzer that detects using os.Setenv instead of t.Setenv since Go1.17.
     - testableexamples # Linter checks if examples are testable (have an expected output).
     - testifylint      # Checks usage of github.com/stretchr/testify.
     - tparallel        # Tparallel detects inappropriate usage of t.Parallel() method in your Go test codes.

.teamcity/install-cloudflare-go.sh

@@ -0,0 +1,8 @@
+# !/usr/bin/env bash
+
+cd /tmp
+git clone -q https://github.com/cloudflare/go
+cd go/src
+# https://github.com/cloudflare/go/tree/af19da5605ca11f85776ef7af3384a02a315a52b is version go1.22.5-devel-cf
+git checkout -q af19da5605ca11f85776ef7af3384a02a315a52b
+./make.bash

.teamcity/mac/build.sh

@@ -49,7 +49,7 @@ import_certificate() {
       echo -n -e ${CERTIFICATE_ENV_VAR} | base64 -D > ${CERTIFICATE_FILE_NAME}
       # we set || true  here and for every `security import invoke` because the  "duplicate SecKeychainItemImport" error
       # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
-      local out=$(security import ${CERTIFICATE_FILE_NAME} -T /usr/bin/pkgbuild -A 2>&1) || true
+      local out=$(security import ${CERTIFICATE_FILE_NAME} -A 2>&1) || true
       local exitcode=$?
       # delete the certificate from disk
       rm -rf ${CERTIFICATE_FILE_NAME}
@@ -68,28 +68,6 @@ import_certificate() {
     fi
 }
 
-create_cloudflared_build_keychain() {
-  # Reusing the private key password as the keychain key
-  local PRIVATE_KEY_PASS=$1
-
-  # Create keychain only if it doesn't already exist
-  if [ ! -f "$HOME/Library/Keychains/cloudflared_build_keychain.keychain-db" ]; then
-    security create-keychain -p "$PRIVATE_KEY_PASS" cloudflared_build_keychain
-  else
-    echo "Keychain already exists: cloudflared_build_keychain"
-  fi
-
-  # Append temp keychain to the user domain
-  security list-keychains -d user -s cloudflared_build_keychain $(security list-keychains -d user | sed s/\"//g)
-
-  # Remove relock timeout
-  security set-keychain-settings cloudflared_build_keychain
-
-  # Unlock keychain so it doesn't require password
-  security unlock-keychain -p "$PRIVATE_KEY_PASS" cloudflared_build_keychain
-
-}
-
 # Imports private keys to the Apple KeyChain
 import_private_keys() {
     local PRIVATE_KEY_NAME=$1
@@ -105,7 +83,7 @@ import_private_keys() {
         echo -n -e ${PRIVATE_KEY_ENV_VAR} | base64 -D > ${PRIVATE_KEY_FILE_NAME}
         # we set || true  here and for every `security import invoke` because the  "duplicate SecKeychainItemImport" error
         # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
-        local out=$(security import ${PRIVATE_KEY_FILE_NAME} -k cloudflared_build_keychain -P "$PRIVATE_KEY_PASS" -T /usr/bin/pkgbuild -A -P "${PRIVATE_KEY_PASS}" 2>&1) || true
+        local out=$(security import ${PRIVATE_KEY_FILE_NAME} -A -P "${PRIVATE_KEY_PASS}" 2>&1) || true
         local exitcode=$?
         rm -rf ${PRIVATE_KEY_FILE_NAME}
         if [ -n "$out" ]; then
@@ -122,9 +100,6 @@ import_private_keys() {
     fi
 }
 
-# Create temp keychain only for this build
-create_cloudflared_build_keychain "${CFD_CODE_SIGN_PASS}"
-
 # Add Apple Root Developer certificate to the key chain
 import_certificate "Apple Developer CA" "${APPLE_DEV_CA_CERT}" "${APPLE_CA_CERT}"
 
@@ -144,8 +119,8 @@ import_certificate "Developer ID Installer" "${CFD_INSTALLER_CERT}" "${INSTALLER
 if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
   CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
 else
-  if [[ -n "$(security find-certificate -c "Developer ID Application" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
-    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
+  if [[ -n "$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
+    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
   else
     CODE_SIGN_NAME=""
   fi
@@ -155,8 +130,8 @@ fi
 if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then
   PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
 else
-  if [[ -n "$(security find-certificate -c "Developer ID Installer" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
-    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
+  if [[ -n "$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
+    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
   else
     PKG_SIGN_NAME=""
   fi
@@ -167,16 +142,9 @@ rm -rf "${TARGET_DIRECTORY}"
 export TARGET_OS="darwin"
 GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
 
-
-# This allows apple tools to use the certificates in the keychain without requiring password input.
-# This command always needs to run after the certificates have been loaded into the keychain
-if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
-  security set-key-partition-list -S apple-tool:,apple: -s -k "${CFD_CODE_SIGN_PASS}" cloudflared_build_keychain
-fi
-
 # sign the cloudflared binary
 if [[ ! -z "$CODE_SIGN_NAME" ]]; then
-  codesign --keychain $HOME/Library/Keychains/cloudflared_build_keychain.keychain-db -s "${CODE_SIGN_NAME}" -fv --options runtime --timestamp ${BINARY_NAME}
+  codesign -s "${CODE_SIGN_NAME}" -f -v --timestamp --options runtime ${BINARY_NAME}
 
  # notarize the binary
  # TODO: TUN-5789
@@ -197,13 +165,11 @@ tar czf "$FILENAME" "${BINARY_NAME}"
 
 # build the installer package
 if [[ ! -z "$PKG_SIGN_NAME" ]]; then
-
   pkgbuild --identifier com.cloudflare.${PRODUCT} \
       --version ${VERSION} \
       --scripts ${ARCH_TARGET_DIRECTORY}/scripts \
       --root ${ARCH_TARGET_DIRECTORY}/contents \
       --install-location /usr/local/bin \
-      --keychain cloudflared_build_keychain \
       --sign "${PKG_SIGN_NAME}" \
       ${PKGNAME}
 
@@ -221,8 +187,3 @@ fi
 # cleanup build directory because this script is not ran within containers,
 # which might lead to future issues in subsequent runs.
 rm -rf "${TARGET_DIRECTORY}"
-
-# cleanup the keychain
-security default-keychain -d user -s login.keychain-db
-security list-keychains -d user -s login.keychain-db
-security delete-keychain cloudflared_build_keychain

.teamcity/mac/install-cloudflare-go.sh

@@ -2,9 +2,9 @@ rm -rf /tmp/go
 export GOCACHE=/tmp/gocache
 rm -rf $GOCACHE
 
-brew install go@1.24
+./.teamcity/install-cloudflare-go.sh
 
+export PATH="/tmp/go/bin:$PATH"
 go version
 which go
 go env
-

.teamcity/package-windows.sh

@@ -1,23 +1,19 @@
-#!/bin/bash
-python3 -m venv env
-. env/bin/activate
-pip install pynacl==1.4.0 pygithub==1.55
-
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 
 export TARGET_OS=windows
 # This controls the directory the built artifacts go into
-export BUILT_ARTIFACT_DIR=artifacts/
+export BUILT_ARTIFACT_DIR=built_artifacts/
 export FINAL_ARTIFACT_DIR=artifacts/
 mkdir -p $BUILT_ARTIFACT_DIR
 mkdir -p $FINAL_ARTIFACT_DIR
 windowsArchs=("amd64" "386")
 for arch in ${windowsArchs[@]}; do
     export TARGET_ARCH=$arch
-    # Copy .exe from artifacts directory
+    # Copy exe into final directory
     cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe ./cloudflared.exe
     make cloudflared-msi
     # Copy msi into final directory
     mv cloudflared-$VERSION-$arch.msi $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.msi
+    cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.exe 
 done

.teamcity/windows/builds.ps1

@@ -0,0 +1,28 @@
+Set-StrictMode -Version Latest
+$ErrorActionPreference = "Stop"
+$ProgressPreference = "SilentlyContinue"
+
+# Relative path to working directory
+$CloudflaredDirectory = "go\src\github.com\cloudflare\cloudflared"
+
+cd $CloudflaredDirectory
+
+Write-Output "Building for amd64"
+$env:TARGET_OS = "windows"
+$env:CGO_ENABLED = 1
+$env:TARGET_ARCH = "amd64"
+$env:Path = "$Env:Temp\go\bin;$($env:Path)"
+
+go env
+go version
+
+& make cloudflared
+if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
+copy .\cloudflared.exe .\cloudflared-windows-amd64.exe
+
+Write-Output "Building for 386"
+$env:CGO_ENABLED = 0
+$env:TARGET_ARCH = "386"
+make cloudflared
+if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
+copy .\cloudflared.exe .\cloudflared-windows-386.exe

.teamcity/windows/component-test.ps1

@@ -0,0 +1,47 @@
+Set-StrictMode -Version Latest
+$ErrorActionPreference = "Stop"
+$ProgressPreference = "SilentlyContinue"
+
+$WorkingDirectory = Get-Location
+$CloudflaredDirectory = "$WorkingDirectory\go\src\github.com\cloudflare\cloudflared"
+
+go env
+go version
+
+$env:TARGET_OS = "windows"
+$env:CGO_ENABLED = 1
+$env:TARGET_ARCH = "amd64"
+$env:Path = "$Env:Temp\go\bin;$($env:Path)"
+
+python --version
+python -m pip --version
+
+cd $CloudflaredDirectory
+
+go env
+go version
+
+Write-Output "Building cloudflared"
+
+& make cloudflared
+if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
+
+echo $LASTEXITCODE
+
+Write-Output "Running unit tests"
+
+# Not testing with race detector because of https://github.com/golang/go/issues/61058
+# We already test it on other platforms
+& go test -failfast -mod=vendor ./...
+if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
+
+Write-Output "Running component tests"
+
+python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517
+python component-tests/setup.py --type create
+python -m pytest component-tests -o log_cli=true --log-cli-level=INFO
+if ($LASTEXITCODE -ne 0) {
+    python component-tests/setup.py --type cleanup
+    throw "Failed component tests"
+}
+python component-tests/setup.py --type cleanup

.teamcity/windows/install-cloudflare-go.ps1

@@ -0,0 +1,16 @@
+Set-StrictMode -Version Latest
+$ErrorActionPreference = "Stop"
+$ProgressPreference = "SilentlyContinue"
+
+Write-Output "Downloading cloudflare go..."
+
+Set-Location "$Env:Temp"
+
+git clone -q https://github.com/cloudflare/go
+Write-Output "Building go..."
+cd go/src
+# https://github.com/cloudflare/go/tree/af19da5605ca11f85776ef7af3384a02a315a52b is version go1.22.5-devel-cf
+git checkout -q af19da5605ca11f85776ef7af3384a02a315a52b
+& ./make.bat
+
+Write-Output "Installed"

.teamcity/windows/install-go-msi.ps1

@@ -0,0 +1,20 @@
+$ErrorActionPreference = "Stop"
+$ProgressPreference = "SilentlyContinue"
+$GoMsiVersion = "go1.22.5.windows-amd64.msi"
+
+Write-Output "Downloading go installer..."
+
+Set-Location "$Env:Temp"
+
+(New-Object System.Net.WebClient).DownloadFile(
+    "https://go.dev/dl/$GoMsiVersion",
+    "$Env:Temp\$GoMsiVersion"
+)
+
+Write-Output "Installing go..."
+Install-Package "$Env:Temp\$GoMsiVersion" -Force
+
+# Go installer updates global $PATH
+go env
+
+Write-Output "Installed"

.vulnignore

@@ -1,3 +0,0 @@
-# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line.
-# You can also add comments on the same line after the ID.
-GO-2025-3942 # Ignore core-dns vulnerability since we will be removing the proxy-dns feature in the near future

CHANGES.md

@@ -1,7 +1,3 @@
-## 2025.7.1
-### Notices
-- `cloudflared` will no longer officially support Debian and Ubuntu distros that reached end-of-life: `buster`, `bullseye`, `impish`, `trusty`.
-
 ## 2025.1.1
 ### New Features
 - This release introduces the use of new Post Quantum curves and the ability to use Post Quantum curves when running tunnels with the QUIC protocol this applies to non-FIPS and FIPS builds.

Dockerfile

@@ -1,7 +1,7 @@
 # use a builder image for building cloudflare
 ARG TARGET_GOOS
 ARG TARGET_GOARCH
-FROM golang:1.24.9 AS builder
+FROM golang:1.22.10 as builder
 ENV GO111MODULE=on \
   CGO_ENABLED=0 \
   TARGET_GOOS=${TARGET_GOOS} \
@@ -16,8 +16,10 @@ WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 
+RUN .teamcity/install-cloudflare-go.sh
+
 # compile cloudflared
-RUN make cloudflared
+RUN PATH="/tmp/go/bin:$PATH" make cloudflared
 
 # use a distroless base image with glibc
 FROM gcr.io/distroless/base-debian12:nonroot
@@ -27,11 +29,8 @@ LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
 
-# run as nonroot user
-# We need to use numeric user id's because Kubernetes doesn't support strings:
-# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
-# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
-USER 65532:65532
+# run as non-privileged user
+USER nonroot
 
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]

Dockerfile.amd64

@@ -1,5 +1,5 @@
 # use a builder image for building cloudflare
-FROM golang:1.24.9 AS builder
+FROM golang:1.22.10 as builder
 ENV GO111MODULE=on \
   CGO_ENABLED=0 \
   # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
@@ -11,8 +11,10 @@ WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 
+RUN .teamcity/install-cloudflare-go.sh
+
 # compile cloudflared
-RUN GOOS=linux GOARCH=amd64 make cloudflared
+RUN GOOS=linux GOARCH=amd64 PATH="/tmp/go/bin:$PATH" make cloudflared
 
 # use a distroless base image with glibc
 FROM gcr.io/distroless/base-debian12:nonroot
@@ -22,11 +24,8 @@ LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
 
-# run as nonroot user
-# We need to use numeric user id's because Kubernetes doesn't support strings:
-# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
-# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
-USER 65532:65532
+# run as non-privileged user
+USER nonroot
 
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]

Dockerfile.arm64

@@ -1,5 +1,5 @@
 # use a builder image for building cloudflare
-FROM golang:1.24.9 AS builder
+FROM golang:1.22.10 as builder
 ENV GO111MODULE=on \
   CGO_ENABLED=0 \
   # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
@@ -11,8 +11,10 @@ WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 
+RUN .teamcity/install-cloudflare-go.sh
+
 # compile cloudflared
-RUN GOOS=linux GOARCH=arm64 make cloudflared
+RUN GOOS=linux GOARCH=arm64 PATH="/tmp/go/bin:$PATH" make cloudflared
 
 # use a distroless base image with glibc
 FROM gcr.io/distroless/base-debian12:nonroot-arm64
@@ -22,11 +24,8 @@ LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
 
-# run as nonroot user
-# We need to use numeric user id's because Kubernetes doesn't support strings:
-# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
-# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
-USER 65532:65532
+# run as non-privileged user
+USER nonroot
 
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]

Makefile

@@ -24,13 +24,7 @@ else
 	DEB_PACKAGE_NAME := $(BINARY_NAME)
 endif
 
-# Use git in windows since we don't have access to the `date` tool
-ifeq ($(TARGET_OS), windows)
-	DATE := $(shell git log -1 --format="%ad" --date=format-local:'%Y-%m-%dT%H:%M UTC' -- RELEASE_NOTES)
-else
-	DATE := $(shell date -u -r RELEASE_NOTES '+%Y-%m-%d-%H:%M UTC')
-endif
-
+DATE          := $(shell date -u '+%Y-%m-%d-%H%M UTC')
 VERSION_FLAGS := -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"
 ifdef PACKAGE_MANAGER
 	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/cmd/cloudflared/updater.BuiltForPackageManager=$(PACKAGE_MANAGER)"
@@ -62,6 +56,8 @@ PACKAGE_DIR    := $(CURDIR)/packaging
 PREFIX         := /usr
 INSTALL_BINDIR := $(PREFIX)/bin/
 INSTALL_MANDIR := $(PREFIX)/share/man/man1/
+CF_GO_PATH     := /tmp/go
+PATH           := $(CF_GO_PATH)/bin:$(PATH)
 
 LOCAL_ARCH ?= $(shell uname -m)
 ifneq ($(GOARCH),)
@@ -70,8 +66,6 @@ else ifeq ($(LOCAL_ARCH),x86_64)
     TARGET_ARCH ?= amd64
 else ifeq ($(LOCAL_ARCH),amd64)
     TARGET_ARCH ?= amd64
-else ifeq ($(LOCAL_ARCH),386)
-    TARGET_ARCH ?= 386
 else ifeq ($(LOCAL_ARCH),i686)
     TARGET_ARCH ?= amd64
 else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 5),armv8)
@@ -128,8 +122,6 @@ endif
 #for FIPS compliance, FPM defaults to MD5.
 RPM_DIGEST := --rpm-digest sha256
 
-GO_TEST_LOG_OUTPUT = /tmp/gotest.log
-
 .PHONY: all
 all: cloudflared test
 
@@ -137,10 +129,6 @@ all: cloudflared test
 clean:
 	go clean
 
-.PHONY: vulncheck
-vulncheck:
-	@./.ci/scripts/vuln-check.sh
-
 .PHONY: cloudflared
 cloudflared:
 ifeq ($(FIPS), true)
@@ -162,9 +150,11 @@ generate-docker-version:
 
 .PHONY: test
 test: vet
-	$Q go test -json -v -mod=vendor -race $(LDFLAGS) ./... 2>&1 | tee $(GO_TEST_LOG_OUTPUT)
-ifneq ($(FIPS), true)
-	@go run -mod=readonly github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest -input $(GO_TEST_LOG_OUTPUT)
+ifndef CI
+	go test -v -mod=vendor -race $(LDFLAGS) ./...
+else
+	@mkdir -p .cover
+	go test -v -mod=vendor -race $(LDFLAGS) -coverprofile=".cover/c.out" ./...
 endif
 
 .PHONY: cover
@@ -182,17 +172,26 @@ fuzz:
 	@go test -fuzz=FuzzIPDecoder -fuzztime=600s ./packet
 	@go test -fuzz=FuzzICMPDecoder -fuzztime=600s ./packet
 	@go test -fuzz=FuzzSessionWrite -fuzztime=600s ./quic/v3
-	@go test -fuzz=FuzzSessionRead -fuzztime=600s ./quic/v3
+	@go test -fuzz=FuzzSessionServe -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzRegistrationDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzPayloadDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzRegistrationResponseDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzNewIdentity -fuzztime=600s ./tracing
 	@go test -fuzz=FuzzNewAccessValidator -fuzztime=600s ./validation
 
+.PHONY: install-go
+install-go:
+	rm -rf ${CF_GO_PATH}
+	./.teamcity/install-cloudflare-go.sh
+
+.PHONY: cleanup-go
+cleanup-go:
+	rm -rf ${CF_GO_PATH}
+
 cloudflared.1: cloudflared_man_template
 	sed -e 's/\$${VERSION}/$(VERSION)/; s/\$${DATE}/$(DATE)/' cloudflared_man_template > cloudflared.1
 
-install: cloudflared cloudflared.1
+install: install-go cloudflared cloudflared.1 cleanup-go
 	mkdir -p $(DESTDIR)$(INSTALL_BINDIR) $(DESTDIR)$(INSTALL_MANDIR)
 	install -m755 cloudflared $(DESTDIR)$(INSTALL_BINDIR)/cloudflared
 	install -m644 cloudflared.1 $(DESTDIR)$(INSTALL_MANDIR)/cloudflared.1
@@ -221,6 +220,10 @@ cloudflared-deb: cloudflared cloudflared.1
 cloudflared-rpm: cloudflared cloudflared.1
 	$(call build_package,rpm)
 
+.PHONY: cloudflared-pkg
+cloudflared-pkg: cloudflared cloudflared.1
+	$(call build_package,osxpkg)
+
 .PHONY: cloudflared-msi
 cloudflared-msi:
 	wixl --define Version=$(VERSION) --define Path=$(EXECUTABLE_PATH) --output cloudflared-$(VERSION)-$(TARGET_ARCH).msi cloudflared.wxs
@@ -231,18 +234,13 @@ github-release-dryrun:
 
 .PHONY: github-release
 github-release:
-	python3 github_release.py --path $(PWD)/artifacts/ --release-version $(VERSION)
+	python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION)
 	python3 github_message.py --release-version $(VERSION)
 
 .PHONY: r2-linux-release
 r2-linux-release:
 	python3 ./release_pkgs.py
 
-.PHONY: r2-next-linux-release
-# Publishes to a separate R2 repository during GPG key rollover, using dual-key signing.
-r2-next-linux-release:
-	python3 ./release_pkgs.py --upload-repo-file
-
 .PHONY: capnp
 capnp:
 	which capnp  # https://capnproto.org/install.html
@@ -251,7 +249,7 @@ capnp:
 
 .PHONY: vet
 vet:
-	$Q go vet -mod=vendor github.com/cloudflare/cloudflared/...
+	go vet -mod=vendor github.com/cloudflare/cloudflared/...
 
 .PHONY: fmt
 fmt:
@@ -260,7 +258,7 @@ fmt:
 
 .PHONY: fmt-check
 fmt-check:
-	@./.ci/scripts/fmt-check.sh
+	@./fmt-check.sh
 
 .PHONY: lint
 lint:
@@ -269,23 +267,3 @@ lint:
 .PHONY: mocks
 mocks:
 	go generate mocks/mockgen.go
-
-.PHONY: ci-build
-ci-build:
-	@GOOS=linux GOARCH=amd64 $(MAKE) cloudflared
-	@mkdir -p artifacts
-	@mv cloudflared artifacts/cloudflared
-
-.PHONY: ci-fips-build
-ci-fips-build:
-	@FIPS=true GOOS=linux GOARCH=amd64 $(MAKE) cloudflared
-	@mkdir -p artifacts
-	@mv cloudflared artifacts/cloudflared
-
-.PHONY: ci-test
-ci-test: fmt-check lint test
-	@go run -mod=readonly github.com/jstemmer/go-junit-report/v2@latest -in $(GO_TEST_LOG_OUTPUT) -parser gojson -out report.xml -set-exit-code
-
-.PHONY: ci-fips-test
-ci-fips-test:
-	@FIPS=true $(MAKE) ci-test

README.md

@@ -3,14 +3,14 @@
 Contains the command-line client for Cloudflare Tunnel, a tunneling daemon that proxies traffic from the Cloudflare network to your origins.
 This daemon sits between Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you
 via this daemon, without requiring you to poke holes on your firewall --- your origin can remain as closed as possible.
-Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel) of the Cloudflare Docs.
+Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps) of the Cloudflare Docs.
 All usages related with proxying to your origins are available under `cloudflared tunnel help`.
 
 You can also use `cloudflared` to access Tunnel origins (that are protected with `cloudflared tunnel`) for TCP traffic
 at Layer 4 (i.e., not HTTP/websocket), which is relevant for use cases such as SSH, RDP, etc.
 Such usages are available under `cloudflared access help`.
 
-You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/warp/)
+You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/private-networks)
 to access private origins behind Tunnels for Layer 4 traffic without requiring `cloudflared access` commands on the client side.
 
 
@@ -19,41 +19,41 @@ to access private origins behind Tunnels for Layer 4 traffic without requiring `
 Before you use Cloudflare Tunnel, you'll need to complete a few steps in the Cloudflare dashboard: you need to add a
 website to your Cloudflare account. Note that today it is possible to use Tunnel without a website (e.g. for private
 routing), but for legacy reasons this requirement is still necessary:
-1. [Add a website to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/)
-2. [Change your domain nameservers to Cloudflare](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/)
+1. [Add a website to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/201720164-Creating-a-Cloudflare-account-and-adding-a-website)
+2. [Change your domain nameservers to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/205195708)
 
 
 ## Installing `cloudflared`
 
 Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases [here](https://github.com/cloudflare/cloudflared/releases) on the `cloudflared` GitHub repository.
 
-* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
-* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#linux)
+* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
+* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#linux)
 * A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.com/r/cloudflare/cloudflared)
-* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#windows)
-* To build from source, install the required version of go, mentioned in the [Development](#development) section below. Then you can run `make cloudflared`.
+* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#windows)
+* To build from source, first you need to download the go toolchain by running `./.teamcity/install-cloudflare-go.sh` and follow the output. Then you can run `make cloudflared`
 
-User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/
+User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
 
 
 ## Creating Tunnels and routing traffic
 
 Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels to serve traffic to your origins.
 
-* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/)
+* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/create-tunnel)
 * Route traffic to that Tunnel:
-  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/)
-  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers/)
-  * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/)
+  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns)
+  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb)
+  * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/)
 
 
 ## TryCloudflare
 
-Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/trycloudflare/).
+Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/).
 
 ## Deprecated versions
 
-Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/update-cloudflared/).
+Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/#updating-cloudflared).
 
 For example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1.
 
@@ -62,7 +62,7 @@ For example, as of January 2023 Cloudflare will support cloudflared version 2023
 ### Requirements
 - [GNU Make](https://www.gnu.org/software/make/)
 - [capnp](https://capnproto.org/install.html)
-- [go >= 1.24](https://go.dev/doc/install)
+- [cloudflare go toolchain](https://github.com/cloudflare/go)
 - Optional tools:
   - [capnpc-go](https://pkg.go.dev/zombiezen.com/go/capnproto2/capnpc-go)
   - [goimports](https://pkg.go.dev/golang.org/x/tools/cmd/goimports)

RELEASE_NOTES

@@ -1,105 +1,3 @@
-2025.11.1
-- 2025-11-07 TUN-9800: Fix docker hub push step
-
-2025.11.0
-- 2025-11-06 TUN-9863: Introduce Code Signing for Windows Builds
-- 2025-11-06 TUN-9800: Prefix gitlab steps with operating system
-- 2025-11-04 chore: Update cloudflared signing key name in index.html
-- 2025-10-31 chore: add claude review
-- 2025-10-31 Chore: Update documentation links in README
-- 2025-10-31 TUN-9800: Add pipelines for linux packaging
-
-2025.10.1
-- 2025-10-30 chore: Update ci image to use goboring 1.24.9
-- 2025-10-28 TUN-9849: Add cf-proxy-* to control response headers
-- 2025-10-24 TUN-9961: Add pkg.cloudflared.com index.html to git repo
-- 2025-10-23 TUN-9954: Update from go1.24.6 to go1.24.9
-- 2025-10-23 Fix systemd service installation hanging
-- 2025-10-21 TUN-9941: Use new GPG key for RPM builds
-- 2025-10-21 TUN-9941: Fix typo causing r2-release-next deployment to fail
-- 2025-10-21 TUN-9941: Lookup correct key for RPM signature
-- 2025-10-15 TUN-9919: Make RPM postinstall scriplet idempotent
-- 2025-10-14 TUN-9916: Fix the cloudflared binary path used in the component test
-
-2025.10.0
-- 2025-10-14 chore: Fix upload of RPM repo file during double signing
-- 2025-10-13 TUN-9882: Bump datagram v3 write channel capacity
-- 2025-10-10 chore: Fix import of GPG keys when two keys are provided
-- 2025-10-10 chore: Fix parameter order when uploading RPM .repo file to R2
-- 2025-10-10 TUN-9883: Add new datagram v3 feature flag
-- 2025-10-09 chore: Force usage of go-boring 1.24
-- 2025-10-08 TUN-9882: Improve metrics for datagram v3
-- 2025-10-07 GRC-16749: Add fedramp tags to catalog
-- 2025-10-07 TUN-9882: Add buffers for UDP and ICMP datagrams in datagram v3
-- 2025-10-07 TUN-9882: Add write deadline for UDP origin writes
-- 2025-09-29 TUN-9776: Support signing Debian packages with two keys for rollover
-- 2025-09-22 TUN-9800: Add pipeline to sync between gitlab and github repos
-
-2025.9.1
-- 2025-09-22 TUN-9855: Create script to ignore vulnerabilities from govuln check
-- 2025-09-19 TUN-9852: Remove fmt.Println from cloudflared access command
-
-2025.9.0
-- 2025-09-15 TUN-9820: Add support for FedRAMP in originRequest Access config
-- 2025-09-11 TUN-9800: Migrate cloudflared-ci pipelines to Gitlab CI
-- 2025-09-04 TUN-9803: Add windows builds to gitlab-ci
-- 2025-08-27 TUN-9755: Set endpoint in tunnel credentials when generating locally managed tunnel with a Fed token
-
-2025.8.1
-- 2025-08-19 AUTH-7480 update fed callback url for login helper
-- 2025-08-19 CUSTESC-53681: Correct QUIC connection management for datagram handlers
-- 2025-08-12 AUTH-7260: Add support for login interstitial auto closure
-
-2025.8.0
-- 2025-08-07 vuln: Fix GO-2025-3770 vulnerability
-- 2025-07-23 TUN-9583: set proper url and hostname for cloudflared tail command
-- 2025-07-07 TUN-9542: Remove unsupported Debian-based releases
-
-2025.7.0
-- 2025-07-03 TUN-9540: Use numeric user id for Dockerfiles
-- 2025-07-01 TUN-9161: Remove P256Kyber768Draft00PQKex curve from nonFips curve preferences
-- 2025-07-01 TUN-9531: Bump go-boring from 1.24.2 to 1.24.4
-- 2025-07-01 TUN-9511: Add metrics for virtual DNS origin
-- 2025-06-30 TUN-9470: Add OriginDialerService to include TCP
-- 2025-06-30 TUN-9473: Add --dns-resolver-addrs flag
-- 2025-06-27 TUN-9472: Add virtual DNS service
-- 2025-06-23 TUN-9469: Centralize UDP origin proxy dialing as ingress service
-
-2025.6.1
-- 2025-06-16 TUN-9467: add vulncheck to cloudflared
-- 2025-06-16 TUN-9495: Remove references to cloudflare-go
-- 2025-06-16 TUN-9371: Add logging format as JSON
-- 2025-06-12 TUN-9467: bump coredns to solve CVE
-
-2025.6.0
-- 2025-06-06 TUN-9016: update go to 1.24
-- 2025-06-05 TUN-9171: Use `is_default_network` instead of `is_default` to create vnet's
-
-2025.5.0
-- 2025-05-14 TUN-9319: Add dynamic loading of features to connections via ConnectionOptionsSnapshot
-- 2025-05-13 TUN-9322: Add metric for unsupported RPC commands for datagram v3
-- 2025-05-07 TUN-9291: Remove dynamic reloading of features for datagram v3
-
-2025.4.2
-- 2025-04-30 chore: Do not use gitlab merge request pipelines
-- 2025-04-30 DEVTOOLS-16383: Create GitlabCI pipeline to release Mac builds
-- 2025-04-24 TUN-9255: Improve flush on write conditions in http2 tunnel type to match what is done on the edge
-- 2025-04-10 SDLC-3727 - Adding FIPS status to backstage
-
-2025.4.0
-- 2025-04-02 Fix broken links in `cmd/cloudflared/*.go` related to running tunnel as a service
-- 2025-04-02 chore: remove repetitive words
-- 2025-04-01 Fix messages to point to one.dash.cloudflare.com
-- 2025-04-01 feat: emit explicit errors for the `service` command on unsupported OSes
-- 2025-04-01 Use RELEASE_NOTES date instead of build date
-- 2025-04-01 chore: Update tunnel configuration link in the readme
-- 2025-04-01 fix: expand home directory for credentials file
-- 2025-04-01 fix: Use path and filepath operation appropriately
-- 2025-04-01 feat: Adds a new command line for tunnel run for token file
-- 2025-04-01 chore: fix linter rules
-- 2025-03-17 TUN-9101: Don't ignore errors on `cloudflared access ssh`
-- 2025-03-06 TUN-9089: Pin go import to v0.30.0, v0.31.0 requires go 1.23
-
 2025.2.1
 - 2025-02-26 TUN-9016: update base-debian to v12
 - 2025-02-25 TUN-8960: Connect to FED API GW based on the OriginCert's endpoint

build-packages.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
+echo $VERSION
+
+# Disable FIPS module in go-boring
+export GOEXPERIMENT=noboringcrypto
+export CGO_ENABLED=0
+
+# This controls the directory the built artifacts go into
+export ARTIFACT_DIR=artifacts/
+mkdir -p $ARTIFACT_DIR
+
+linuxArchs=("386" "amd64" "arm" "armhf" "arm64")
+export TARGET_OS=linux
+for arch in ${linuxArchs[@]}; do
+    unset TARGET_ARM
+    export TARGET_ARCH=$arch
+
+    ## Support for arm platforms without hardware FPU enabled
+    if [[ $arch == arm ]] ; then
+        export TARGET_ARCH=arm
+        export TARGET_ARM=5
+    fi
+    
+    ## Support for armhf builds 
+    if [[ $arch == armhf ]] ; then
+        export TARGET_ARCH=arm
+        export TARGET_ARM=7 
+    fi
+    
+    make cloudflared-deb
+    mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
+
+    # rpm packages invert the - and _ and use x86_64 instead of amd64.
+    RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
+    RPMARCH=$arch
+    if [ $arch == "amd64" ];then
+        RPMARCH="x86_64"
+    fi
+    if [ $arch == "arm64" ]; then
+        RPMARCH="aarch64"
+    fi
+    make cloudflared-rpm
+    mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
+
+    # finally move the linux binary as well.
+    mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
+done

carrier/carrier.go

@@ -31,8 +31,6 @@ type StartOptions struct {
 	Headers         http.Header
 	Host            string
 	TLSClientConfig *tls.Config
-	AutoCloseInterstitial bool
-	IsFedramp             bool
 }
 
 // Connection wraps up all the needed functions to forward over the tunnel
@@ -48,6 +46,7 @@ type StdinoutStream struct{}
 // Read will read from Stdin
 func (c *StdinoutStream) Read(p []byte) (int, error) {
 	return os.Stdin.Read(p)
+
 }
 
 // Write will write to Stdout
@@ -140,7 +139,7 @@ func BuildAccessRequest(options *StartOptions, log *zerolog.Logger) (*http.Reque
 		return nil, err
 	}
 
-	token, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, options.AutoCloseInterstitial, options.IsFedramp, log)
+	token, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, log)
 	if err != nil {
 		return nil, err
 	}

catalog-info.yaml

@@ -13,8 +13,3 @@ spec:
   type: "service"
   lifecycle: "Active"
   owner: "teams/tunnel-teams-routing"
-  cf:
-    compliance:
-      fedramp-high: "pending"
-      fedramp-moderate: "yes"
-    FIPS: "required"

cfapi/virtual_network.go

@@ -16,7 +16,7 @@ import (
 type NewVirtualNetwork struct {
 	Name      string `json:"name"`
 	Comment   string `json:"comment"`
-	IsDefault bool   `json:"is_default_network"`
+	IsDefault bool   `json:"is_default"`
 }
 
 type VirtualNetwork struct {

cfsetup.yaml

@@ -1,2 +1,257 @@
-# A valid cfsetup.yaml is required but we dont have any real config to specify
-dummy_key: true
+pinned_go: &pinned_go go-boring=1.22.10-1
+
+build_dir: &build_dir /cfsetup_build
+default-flavor: bookworm
+
+bullseye: &bullseye
+  build-linux:
+    build_dir: *build_dir
+    builddeps: &build_deps
+      - *pinned_go
+      - build-essential
+      - fakeroot
+      - rubygem-fpm
+      - rpm
+      - libffi-dev
+      - golangci-lint
+    pre-cache: &build_pre_cache
+      - export GOCACHE=/cfsetup_build/.cache/go-build
+      - go install golang.org/x/tools/cmd/goimports@latest
+    post-cache:
+      # Linting
+      - make lint
+      - make fmt-check
+      # Build binary for component test
+      - GOOS=linux GOARCH=amd64 make cloudflared
+  build-linux-fips:
+    build_dir: *build_dir
+    builddeps: *build_deps
+    pre-cache: *build_pre_cache
+    post-cache:
+      - export FIPS=true
+      # Build binary for component test
+      - GOOS=linux GOARCH=amd64 make cloudflared
+  cover:
+    build_dir: *build_dir
+    builddeps: *build_deps
+    pre-cache: *build_pre_cache
+    post-cache:
+      - make cover
+  # except FIPS and macos
+  build-linux-release:
+    build_dir: *build_dir
+    builddeps: &build_deps_release
+      - *pinned_go
+      - build-essential
+      - fakeroot
+      - rubygem-fpm
+      - rpm
+      - libffi-dev
+      - python3-dev
+      - python3-pip
+      - python3-setuptools
+      - wget
+      - python3-venv
+    post-cache:
+      - python3 -m venv env
+      - . /cfsetup_build/env/bin/activate
+      - pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
+      # build all packages (except macos and FIPS) and move them to /cfsetup/built_artifacts
+      - ./build-packages.sh
+  # handle FIPS separately so that we built with gofips compiler
+  build-linux-fips-release:
+    build_dir: *build_dir
+    builddeps: *build_deps_release
+    post-cache:
+      # same logic as above, but for FIPS packages only
+      - ./build-packages-fips.sh
+  generate-versions-file:
+    build_dir: *build_dir
+    builddeps:
+      - *pinned_go
+      - build-essential
+    post-cache:
+      - make generate-docker-version
+  build-deb:
+    build_dir: *build_dir
+    builddeps: &build_deb_deps
+      - *pinned_go
+      - build-essential
+      - fakeroot
+      - rubygem-fpm
+    post-cache:
+      - export GOOS=linux
+      - export GOARCH=amd64
+      - make cloudflared-deb
+  build-fips-internal-deb:
+    build_dir: *build_dir
+    builddeps: &build_fips_deb_deps
+      - *pinned_go
+      - build-essential
+      - fakeroot
+      - rubygem-fpm
+    post-cache:
+      - export GOOS=linux
+      - export GOARCH=amd64
+      - export FIPS=true
+      - export ORIGINAL_NAME=true
+      - make cloudflared-deb
+  build-internal-deb-nightly-amd64:
+    build_dir: *build_dir
+    builddeps: *build_fips_deb_deps
+    post-cache:
+      - export GOOS=linux
+      - export GOARCH=amd64
+      - export NIGHTLY=true
+      - export FIPS=true
+      - export ORIGINAL_NAME=true
+      - make cloudflared-deb
+  build-internal-deb-nightly-arm64:
+    build_dir: *build_dir
+    builddeps: *build_fips_deb_deps
+    post-cache:
+      - export GOOS=linux
+      - export GOARCH=arm64
+      - export NIGHTLY=true
+      # - export FIPS=true # TUN-7595
+      - export ORIGINAL_NAME=true
+      - make cloudflared-deb
+  build-deb-arm64:
+    build_dir: *build_dir
+    builddeps: *build_deb_deps
+    post-cache:
+      - export GOOS=linux
+      - export GOARCH=arm64
+      - make cloudflared-deb
+  package-windows:
+    build_dir: *build_dir
+    builddeps:
+      - *pinned_go
+      - build-essential
+      - python3-dev
+      - libffi-dev
+      - python3-setuptools
+      - python3-pip
+      - wget
+      # libmsi and libgcab are libraries the wixl binary depends on.
+      - libmsi-dev
+      - libgcab-dev
+      - python3-venv
+    pre-cache:
+      - wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
+      - chmod a+x /usr/local/bin/wixl
+    post-cache:
+      - python3 -m venv env
+      - . env/bin/activate
+      - pip install pynacl==1.4.0 pygithub==1.55
+      - .teamcity/package-windows.sh
+  test:
+    build_dir: *build_dir
+    builddeps: &build_deps_tests
+      - *pinned_go
+      - build-essential
+      - fakeroot
+      - rubygem-fpm
+      - rpm
+      - libffi-dev
+      - gotest-to-teamcity
+    pre-cache: *build_pre_cache
+    post-cache:
+      - export GOOS=linux
+      - export GOARCH=amd64
+      - export PATH="$HOME/go/bin:$PATH"
+      - make test | gotest-to-teamcity
+  test-fips:
+    build_dir: *build_dir
+    builddeps: *build_deps_tests
+    pre-cache: *build_pre_cache
+    post-cache:
+      - export GOOS=linux
+      - export GOARCH=amd64
+      - export FIPS=true
+      - export PATH="$HOME/go/bin:$PATH"
+      - make test | gotest-to-teamcity
+  component-test:
+    build_dir: *build_dir
+    builddeps: &build_deps_component_test
+      - *pinned_go
+      - python3
+      - python3-pip
+      - python3-setuptools
+      # procps installs the ps command which is needed in test_sysv_service
+      # because the init script uses ps pid to determine if the agent is
+      # running
+      - procps
+      - python3-venv
+    pre-cache-copy-paths:
+      - component-tests/requirements.txt
+    post-cache: &component_test_post_cache
+      - python3 -m venv env
+      - . env/bin/activate
+      - pip install --upgrade -r component-tests/requirements.txt
+      # Creates and routes a Named Tunnel for this build. Also constructs
+      # config file from env vars.
+      - python3 component-tests/setup.py --type create
+      - pytest component-tests -o log_cli=true --log-cli-level=INFO
+      # The Named Tunnel is deleted and its route unprovisioned here.
+      - python3 component-tests/setup.py --type cleanup
+  component-test-fips:
+    build_dir: *build_dir
+    builddeps: *build_deps_component_test
+    pre-cache-copy-paths:
+      - component-tests/requirements.txt
+    post-cache: *component_test_post_cache
+  github-release-dryrun:
+    build_dir: *build_dir
+    builddeps:
+      - *pinned_go
+      - build-essential
+      - python3-dev
+      - libffi-dev
+      - python3-setuptools
+      - python3-pip
+      - python3-venv
+    post-cache:
+      - python3 -m venv env
+      - . env/bin/activate
+      - pip install pynacl==1.4.0 pygithub==1.55
+      - make github-release-dryrun
+  github-release:
+    build_dir: *build_dir
+    builddeps:
+      - *pinned_go
+      - build-essential
+      - python3-dev
+      - libffi-dev
+      - python3-setuptools
+      - python3-pip
+      - python3-venv
+    post-cache:
+      - python3 -m venv env
+      - . env/bin/activate
+      - pip install pynacl==1.4.0 pygithub==1.55
+      - make github-release
+  r2-linux-release:
+    build_dir: *build_dir
+    builddeps:
+      - *pinned_go
+      - build-essential
+      - fakeroot
+      - rubygem-fpm
+      - rpm
+      - wget
+      - python3-dev
+      - libffi-dev
+      - python3-setuptools
+      - python3-pip
+      - reprepro
+      - createrepo-c
+      - python3-venv
+    post-cache:
+      - python3 -m venv env
+      - . env/bin/activate
+      - pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
+      - make r2-linux-release
+
+bookworm: *bullseye
+trixie: *bullseye

client/config.go

@@ -1,74 +0,0 @@
-package client
-
-import (
-	"fmt"
-	"net"
-
-	"github.com/google/uuid"
-	"github.com/rs/zerolog"
-
-	"github.com/cloudflare/cloudflared/features"
-	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
-)
-
-// Config captures the local client runtime configuration.
-type Config struct {
-	ConnectorID uuid.UUID
-	Version     string
-	Arch        string
-
-	featureSelector features.FeatureSelector
-}
-
-func NewConfig(version string, arch string, featureSelector features.FeatureSelector) (*Config, error) {
-	connectorID, err := uuid.NewRandom()
-	if err != nil {
-		return nil, fmt.Errorf("unable to generate a connector UUID: %w", err)
-	}
-	return &Config{
-		ConnectorID:     connectorID,
-		Version:         version,
-		Arch:            arch,
-		featureSelector: featureSelector,
-	}, nil
-}
-
-// ConnectionOptionsSnapshot is a snapshot of the current client information used to initialize a connection.
-//
-// The FeatureSnapshot is the features that are available for this connection. At the client level they may
-// change, but they will not change within the scope of this struct.
-type ConnectionOptionsSnapshot struct {
-	client              pogs.ClientInfo
-	originLocalIP       net.IP
-	numPreviousAttempts uint8
-	FeatureSnapshot     features.FeatureSnapshot
-}
-
-func (c *Config) ConnectionOptionsSnapshot(originIP net.IP, previousAttempts uint8) *ConnectionOptionsSnapshot {
-	snapshot := c.featureSelector.Snapshot()
-	return &ConnectionOptionsSnapshot{
-		client: pogs.ClientInfo{
-			ClientID: c.ConnectorID[:],
-			Version:  c.Version,
-			Arch:     c.Arch,
-			Features: snapshot.FeaturesList,
-		},
-		originLocalIP:       originIP,
-		numPreviousAttempts: previousAttempts,
-		FeatureSnapshot:     snapshot,
-	}
-}
-
-func (c ConnectionOptionsSnapshot) ConnectionOptions() *pogs.ConnectionOptions {
-	return &pogs.ConnectionOptions{
-		Client:              c.client,
-		OriginLocalIP:       c.originLocalIP,
-		ReplaceExisting:     false,
-		CompressionQuality:  0,
-		NumPreviousAttempts: c.numPreviousAttempts,
-	}
-}
-
-func (c ConnectionOptionsSnapshot) LogFields(event *zerolog.Event) *zerolog.Event {
-	return event.Strs("features", c.client.Features)
-}

client/config_test.go

@@ -1,50 +0,0 @@
-package client
-
-import (
-	"net"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/cloudflare/cloudflared/features"
-)
-
-func TestGenerateConnectionOptions(t *testing.T) {
-	version := "1234"
-	arch := "linux_amd64"
-	originIP := net.ParseIP("192.168.1.1")
-	var previousAttempts uint8 = 4
-
-	config, err := NewConfig(version, arch, &mockFeatureSelector{})
-	require.NoError(t, err)
-	require.Equal(t, version, config.Version)
-	require.Equal(t, arch, config.Arch)
-
-	// Validate ConnectionOptionsSnapshot fields
-	connOptions := config.ConnectionOptionsSnapshot(originIP, previousAttempts)
-	require.Equal(t, version, connOptions.client.Version)
-	require.Equal(t, arch, connOptions.client.Arch)
-	require.Equal(t, config.ConnectorID[:], connOptions.client.ClientID)
-
-	// Vaidate snapshot feature fields against the connOptions generated
-	snapshot := config.featureSelector.Snapshot()
-	require.Equal(t, features.DatagramV3, snapshot.DatagramVersion)
-	require.Equal(t, features.DatagramV3, connOptions.FeatureSnapshot.DatagramVersion)
-
-	pogsConnOptions := connOptions.ConnectionOptions()
-	require.Equal(t, connOptions.client, pogsConnOptions.Client)
-	require.Equal(t, originIP, pogsConnOptions.OriginLocalIP)
-	require.False(t, pogsConnOptions.ReplaceExisting)
-	require.Equal(t, uint8(0), pogsConnOptions.CompressionQuality)
-	require.Equal(t, previousAttempts, pogsConnOptions.NumPreviousAttempts)
-}
-
-type mockFeatureSelector struct{}
-
-func (m *mockFeatureSelector) Snapshot() features.FeatureSnapshot {
-	return features.FeatureSnapshot{
-		PostQuantum:     features.PostQuantumPrefer,
-		DatagramVersion: features.DatagramV3,
-		FeaturesList:    []string{features.FeaturePostQuantum, features.FeatureDatagramV3_2},
-	}
-}

cmd/cloudflared/access/carrier.go

@@ -47,7 +47,6 @@ func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *z
 	options := &carrier.StartOptions{
 		OriginURL: forwarder.URL,
 		Headers:   headers, //TODO: TUN-2688 support custom headers from config file
-		IsFedramp: forwarder.IsFedramp,
 	}
 
 	// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
@@ -93,7 +92,6 @@ func ssh(c *cli.Context) error {
 		OriginURL: url.String(),
 		Headers:   headers,
 		Host:      url.Host,
-		IsFedramp: c.Bool(fedrampFlag),
 	}
 
 	if connectTo := c.String(sshConnectTo); connectTo != "" {
@@ -106,7 +104,7 @@ func ssh(c *cli.Context) error {
 		case 3:
 			options.OriginURL = fmt.Sprintf("https://%s:%s", parts[2], parts[1])
 			options.TLSClientConfig = &tls.Config{
-				InsecureSkipVerify: true, // #nosec G402
+				InsecureSkipVerify: true,
 				ServerName:         parts[0],
 			}
 			log.Warn().Msgf("Using insecure SSL connection because SNI overridden to %s", parts[0])
@@ -143,5 +141,6 @@ func ssh(c *cli.Context) error {
 		logger := log.With().Str("host", url.Host).Logger()
 		s = stream.NewDebugStream(s, &logger, maxMessages)
 	}
-	return carrier.StartClient(wsConn, s, options)
+	carrier.StartClient(wsConn, s, options)
+	return nil
 }

cmd/cloudflared/access/cmd.go

@@ -51,7 +51,6 @@ Host {{.Hostname}}
   ProxyCommand {{.Cloudflared}} access ssh --hostname %h
 {{end}}
 `
-	fedrampFlag = "fedramp"
 )
 
 const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"
@@ -80,10 +79,6 @@ func Commands() []*cli.Command {
 			Aliases:  []string{"forward"},
 			Category: "Access",
 			Usage:    "access <subcommand>",
-			Flags: []cli.Flag{&cli.BoolFlag{
-				Name:  fedrampFlag,
-				Usage: "use when performing operations in fedramp account",
-			}},
 			Description: `Cloudflare Access protects internal resources by securing, authenticating and monitoring access
 			per-user and by application. With Cloudflare Access, only authenticated users with the required permissions are
 			able to reach sensitive resources. The commands provided here allow you to interact with Access protected
@@ -109,10 +104,6 @@ func Commands() []*cli.Command {
 							Name:  "no-verbose",
 							Usage: "print only the jwt to stdout",
 						},
-						&cli.BoolFlag{
-							Name:  "auto-close",
-							Usage: "automatically close the auth interstitial after action",
-						},
 						&cli.StringFlag{
 							Name: appURLFlag,
 						},
@@ -331,7 +322,7 @@ func curl(c *cli.Context) error {
 			log.Info().Msg("You don't have an Access token set. Please run access token <access application> to fetch one.")
 			return run("curl", cmdArgs...)
 		}
-		tok, err = token.FetchToken(appURL, appInfo, c.Bool(cfdflags.AutoCloseInterstitial), c.Bool(fedrampFlag), log)
+		tok, err = token.FetchToken(appURL, appInfo, log)
 		if err != nil {
 			log.Err(err).Msg("Failed to refresh token")
 			return err
@@ -451,7 +442,7 @@ func sshGen(c *cli.Context) error {
 	if err != nil {
 		return err
 	}
-	cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, c.Bool(cfdflags.AutoCloseInterstitial), c.Bool(fedrampFlag), log)
+	cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, log)
 	if err != nil {
 		return err
 	}
@@ -551,7 +542,7 @@ func verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context,
 	if c.IsSet(sshTokenSecretFlag) {
 		headers.Add(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag))
 	}
-	options := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers, AutoCloseInterstitial: c.Bool(cfdflags.AutoCloseInterstitial), IsFedramp: c.Bool(fedrampFlag)}
+	options := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers}
 
 	if valid, err := isTokenValid(options, log); err != nil {
 		return err

cmd/cloudflared/cliutil/logger.go

@@ -4,32 +4,25 @@ import (
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
+	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 )
 
 var (
 	debugLevelWarning = "At debug level cloudflared will log request URL, method, protocol, content length, as well as, all request and response headers. " +
 		"This can expose sensitive information in your logs."
-
-	FlagLogOutput = &cli.StringFlag{
-		Name:    flags.LogFormatOutput,
-		Usage:   "Output format for the logs (default, json)",
-		Value:   flags.LogFormatOutputValueDefault,
-		EnvVars: []string{"TUNNEL_MANAGEMENT_OUTPUT", "TUNNEL_LOG_OUTPUT"},
-	}
 )
 
 func ConfigureLoggingFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    flags.LogLevel,
+			Name:    cfdflags.LogLevel,
 			Value:   "info",
 			Usage:   "Application logging level {debug, info, warn, error, fatal}. " + debugLevelWarning,
 			EnvVars: []string{"TUNNEL_LOGLEVEL"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    flags.TransportLogLevel,
+			Name:    cfdflags.TransportLogLevel,
 			Aliases: []string{"proto-loglevel"}, // This flag used to be called proto-loglevel
 			Value:   "info",
 			Usage:   "Transport logging level(previously called protocol logging level) {debug, info, warn, error, fatal}",
@@ -37,23 +30,22 @@ func ConfigureLoggingFlags(shouldHide bool) []cli.Flag {
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    flags.LogFile,
+			Name:    cfdflags.LogFile,
 			Usage:   "Save application log to this file for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGFILE"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    flags.LogDirectory,
+			Name:    cfdflags.LogDirectory,
 			Usage:   "Save application log to this directory for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGDIRECTORY"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    flags.TraceOutput,
+			Name:    cfdflags.TraceOutput,
 			Usage:   "Name of trace output file, generated when cloudflared stops.",
 			EnvVars: []string{"TUNNEL_TRACE_OUTPUT"},
 			Hidden:  shouldHide,
 		}),
-		FlagLogOutput,
 	}
 }

cmd/cloudflared/flags/flags.go

@@ -138,11 +138,6 @@ const (
 	// LogDirectory is the command line flag to define the directory where application logs will be stored.
 	LogDirectory = "log-directory"
 
-	// LogFormatOutput allows the command line logs to be output as JSON.
-	LogFormatOutput             = "output"
-	LogFormatOutputValueDefault = "default"
-	LogFormatOutputValueJSON    = "json"
-
 	// TraceOutput is the command line flag to set the name of trace output file
 	TraceOutput = "trace-output"
 
@@ -157,13 +152,4 @@ const (
 
 	// ApiURL is the command line flag used to define the base URL of the API
 	ApiURL = "api-url"
-
-	// Virtual DNS resolver service resolver addresses to use instead of dynamically fetching them from the OS.
-	VirtualDNSServiceResolverAddresses = "dns-resolver-addrs"
-
-	// Management hostname to signify incoming management requests
-	ManagementHostname = "management-hostname"
-
-	// Automatically close the login interstitial browser window after the user makes a decision.
-	AutoCloseInterstitial = "auto-close"
 )

cmd/cloudflared/generic_service.go

@@ -3,38 +3,11 @@
 package main
 
 import (
-	"fmt"
 	"os"
 
 	cli "github.com/urfave/cli/v2"
-
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 )
 
 func runApp(app *cli.App, graceShutdownC chan struct{}) {
-	app.Commands = append(app.Commands, &cli.Command{
-		Name:  "service",
-		Usage: "Manages the cloudflared system service (not supported on this operating system)",
-		Subcommands: []*cli.Command{
-			{
-				Name:   "install",
-				Usage:  "Install cloudflared as a system service (not supported on this operating system)",
-				Action: cliutil.ConfiguredAction(installGenericService),
-			},
-			{
-				Name:   "uninstall",
-				Usage:  "Uninstall the cloudflared service (not supported on this operating system)",
-				Action: cliutil.ConfiguredAction(uninstallGenericService),
-			},
-		},
-	})
 	app.Run(os.Args)
 }
-
-func installGenericService(c *cli.Context) error {
-	return fmt.Errorf("service installation is not supported on this operating system")
-}
-
-func uninstallGenericService(c *cli.Context) error {
-	return fmt.Errorf("service uninstallation is not supported on this operating system")
-}

cmd/cloudflared/linux_service.go

@@ -4,7 +4,6 @@ package main
 
 import (
 	"fmt"
-	"io"
 	"os"
 
 	"github.com/rs/zerolog"
@@ -16,7 +15,7 @@ import (
 	"github.com/cloudflare/cloudflared/logger"
 )
 
-func runApp(app *cli.App, _ chan struct{}) {
+func runApp(app *cli.App, graceShutdownC chan struct{}) {
 	app.Commands = append(app.Commands, &cli.Command{
 		Name:  "service",
 		Usage: "Manages the cloudflared system service",
@@ -36,7 +35,7 @@ func runApp(app *cli.App, _ chan struct{}) {
 			},
 		},
 	})
-	_ = app.Run(os.Args)
+	app.Run(os.Args)
 }
 
 // The directory and files that are used by the service.
@@ -60,7 +59,7 @@ After=network-online.target
 Wants=network-online.target
 
 [Service]
-TimeoutStartSec=15
+TimeoutStartSec=0
 Type=notify
 ExecStart={{ .Path }} --no-autoupdate{{ range .ExtraArgs }} {{ . }}{{ end }}
 Restart=on-failure
@@ -98,7 +97,6 @@ WantedBy=timers.target
 var sysvTemplate = ServiceTemplate{
 	Path:     "/etc/init.d/cloudflared",
 	FileMode: 0755,
-	// nolint: dupword
 	Content: `#!/bin/sh
 # For RedHat and cousins:
 # chkconfig: 2345 99 01
@@ -186,11 +184,13 @@ exit 0
 `,
 }
 
-var noUpdateServiceFlag = &cli.BoolFlag{
+var (
+	noUpdateServiceFlag = &cli.BoolFlag{
 		Name:  "no-update-service",
 		Usage: "Disable auto-update of the cloudflared linux service, which restarts the server to upgrade for new versions.",
 		Value: false,
-}
+	}
+)
 
 func isSystemd() bool {
 	if _, err := os.Stat("/run/systemd/system"); err == nil {
@@ -430,38 +430,3 @@ func uninstallSysv(log *zerolog.Logger) error {
 	}
 	return nil
 }
-
-func ensureConfigDirExists(configDir string) error {
-	ok, err := config.FileExists(configDir)
-	if !ok && err == nil {
-		err = os.Mkdir(configDir, 0755)
-	}
-	return err
-}
-
-func copyFile(src, dest string) error {
-	srcFile, err := os.Open(src)
-	if err != nil {
-		return err
-	}
-	defer srcFile.Close()
-
-	destFile, err := os.Create(dest)
-	if err != nil {
-		return err
-	}
-	ok := false
-	defer func() {
-		destFile.Close()
-		if !ok {
-			_ = os.Remove(dest)
-		}
-	}()
-
-	if _, err := io.Copy(destFile, srcFile); err != nil {
-		return err
-	}
-
-	ok = true
-	return nil
-}

cmd/cloudflared/macos_service.go

@@ -120,7 +120,7 @@ func installLaunchd(c *cli.Context) error {
 		log.Info().Msg("Installing cloudflared client as an user launch agent. " +
 			"Note that cloudflared client will only run when the user is logged in. " +
 			"If you want to run cloudflared client at boot, install with root permission. " +
-			"For more information, visit https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/macos/")
+			"For more information, visit https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/run-as-service")
 	}
 	etPath, err := os.Executable()
 	if err != nil {

cmd/cloudflared/service_template.go

@@ -1,16 +1,18 @@
 package main
 
 import (
+	"bufio"
 	"bytes"
-	"errors"
 	"fmt"
 	"io"
 	"os"
 	"os/exec"
-	"path/filepath"
+	"path"
 	"text/template"
 
 	homedir "github.com/mitchellh/go-homedir"
+
+	"github.com/cloudflare/cloudflared/config"
 )
 
 type ServiceTemplate struct {
@@ -42,7 +44,7 @@ func (st *ServiceTemplate) Generate(args *ServiceTemplateArgs) error {
 		return err
 	}
 	if _, err = os.Stat(resolvedPath); err == nil {
-		return errors.New(serviceAlreadyExistsWarn(resolvedPath))
+		return fmt.Errorf(serviceAlreadyExistsWarn(resolvedPath))
 	}
 
 	var buffer bytes.Buffer
@@ -55,7 +57,7 @@ func (st *ServiceTemplate) Generate(args *ServiceTemplateArgs) error {
 		fileMode = st.FileMode
 	}
 
-	plistFolder := filepath.Dir(resolvedPath)
+	plistFolder := path.Dir(resolvedPath)
 	err = os.MkdirAll(plistFolder, 0o755)
 	if err != nil {
 		return fmt.Errorf("error creating %s: %v", plistFolder, err)
@@ -107,3 +109,114 @@ func runCommand(command string, args ...string) error {
 	}
 	return nil
 }
+
+func ensureConfigDirExists(configDir string) error {
+	ok, err := config.FileExists(configDir)
+	if !ok && err == nil {
+		err = os.Mkdir(configDir, 0755)
+	}
+	return err
+}
+
+// openFile opens the file at path. If create is set and the file exists, returns nil, true, nil
+func openFile(path string, create bool) (file *os.File, exists bool, err error) {
+	expandedPath, err := homedir.Expand(path)
+	if err != nil {
+		return nil, false, err
+	}
+	if create {
+		fileInfo, err := os.Stat(expandedPath)
+		if err == nil && fileInfo.Size() > 0 {
+			return nil, true, nil
+		}
+		file, err = os.OpenFile(expandedPath, os.O_RDWR|os.O_CREATE, 0600)
+	} else {
+		file, err = os.Open(expandedPath)
+	}
+	return file, false, err
+}
+
+func copyCredential(srcCredentialPath, destCredentialPath string) error {
+	destFile, exists, err := openFile(destCredentialPath, true)
+	if err != nil {
+		return err
+	} else if exists {
+		// credentials already exist, do nothing
+		return nil
+	}
+	defer destFile.Close()
+
+	srcFile, _, err := openFile(srcCredentialPath, false)
+	if err != nil {
+		return err
+	}
+	defer srcFile.Close()
+
+	// Copy certificate
+	_, err = io.Copy(destFile, srcFile)
+	if err != nil {
+		return fmt.Errorf("unable to copy %s to %s: %v", srcCredentialPath, destCredentialPath, err)
+	}
+
+	return nil
+}
+
+func copyFile(src, dest string) error {
+	srcFile, err := os.Open(src)
+	if err != nil {
+		return err
+	}
+	defer srcFile.Close()
+
+	destFile, err := os.Create(dest)
+	if err != nil {
+		return err
+	}
+	ok := false
+	defer func() {
+		destFile.Close()
+		if !ok {
+			_ = os.Remove(dest)
+		}
+	}()
+
+	if _, err := io.Copy(destFile, srcFile); err != nil {
+		return err
+	}
+
+	ok = true
+	return nil
+}
+
+func copyConfig(srcConfigPath, destConfigPath string) error {
+	// Copy or create config
+	destFile, exists, err := openFile(destConfigPath, true)
+	if err != nil {
+		return fmt.Errorf("cannot open %s with error: %s", destConfigPath, err)
+	} else if exists {
+		// config already exists, do nothing
+		return nil
+	}
+	defer destFile.Close()
+
+	srcFile, _, err := openFile(srcConfigPath, false)
+	if err != nil {
+		fmt.Println("Your service needs a config file that at least specifies the hostname option.")
+		fmt.Println("Type in a hostname now, or leave it blank and create the config file later.")
+		fmt.Print("Hostname: ")
+		reader := bufio.NewReader(os.Stdin)
+		input, _ := reader.ReadString('\n')
+		if input == "" {
+			return err
+		}
+		fmt.Fprintf(destFile, "hostname: %s\n", input)
+	} else {
+		defer srcFile.Close()
+		_, err = io.Copy(destFile, srcFile)
+		if err != nil {
+			return fmt.Errorf("unable to copy %s to %s: %v", srcConfigPath, destConfigPath, err)
+		}
+	}
+
+	return nil
+}

cmd/cloudflared/tail/cmd.go

@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io"
 	"net/http"
 	"net/url"
 	"os"
@@ -51,7 +50,6 @@ func buildTailManagementTokenSubcommand() *cli.Command {
 
 func managementTokenCommand(c *cli.Context) error {
 	log := createLogger(c)
-
 	token, err := getManagementToken(c, log)
 	if err != nil {
 		return err
@@ -100,7 +98,13 @@ func buildTailCommand(subcommands []*cli.Command) *cli.Command {
 				EnvVars: []string{"TUNNEL_MANAGEMENT_TOKEN"},
 			},
 			&cli.StringFlag{
-				Name:    cfdflags.ManagementHostname,
+				Name:    "output",
+				Usage:   "Output format for the logs (default, json)",
+				Value:   "default",
+				EnvVars: []string{"TUNNEL_MANAGEMENT_OUTPUT"},
+			},
+			&cli.StringFlag{
+				Name:    "management-hostname",
 				Usage:   "Management hostname to signify incoming management requests",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
 				Hidden:  true,
@@ -124,7 +128,6 @@ func buildTailCommand(subcommands []*cli.Command) *cli.Command {
 				EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
 				Value:   credentials.FindDefaultOriginCertPath(),
 			},
-			cliutil.FlagLogOutput,
 		},
 		Subcommands: subcommands,
 	}
@@ -168,21 +171,10 @@ func createLogger(c *cli.Context) *zerolog.Logger {
 	if levelErr != nil {
 		level = zerolog.InfoLevel
 	}
-	var writer io.Writer
-	switch c.String(cfdflags.LogFormatOutput) {
-	case cfdflags.LogFormatOutputValueJSON:
-		// zerolog by default outputs as JSON
-		writer = os.Stderr
-	case cfdflags.LogFormatOutputValueDefault:
-		// "default" and unset use the same logger output format
-		fallthrough
-	default:
-		writer = zerolog.ConsoleWriter{
+	log := zerolog.New(zerolog.ConsoleWriter{
 		Out:        colorable.NewColorable(os.Stderr),
 		TimeFormat: time.RFC3339,
-		}
-	}
-	log := zerolog.New(writer).With().Timestamp().Logger().Level(level)
+	}).With().Timestamp().Logger().Level(level)
 	return &log
 }
 
@@ -237,14 +229,7 @@ func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
 		return "", err
 	}
 
-	var apiURL string
-	if userCreds.IsFEDEndpoint() {
-		apiURL = credentials.FedRampBaseApiURL
-	} else {
-		apiURL = c.String(cfdflags.ApiURL)
-	}
-
-	client, err := userCreds.Client(apiURL, buildInfo.UserAgent(), log)
+	client, err := userCreds.Client(c.String(cfdflags.ApiURL), buildInfo.UserAgent(), log)
 	if err != nil {
 		return "", err
 	}
@@ -269,7 +254,7 @@ func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
 // buildURL will build the management url to contain the required query parameters to authenticate the request.
 func buildURL(c *cli.Context, log *zerolog.Logger) (url.URL, error) {
 	var err error
-
+	managementHostname := c.String("management-hostname")
 	token := c.String("token")
 	if token == "" {
 		token, err = getManagementToken(c, log)
@@ -277,19 +262,6 @@ func buildURL(c *cli.Context, log *zerolog.Logger) (url.URL, error) {
 			return url.URL{}, fmt.Errorf("unable to acquire management token for requested tunnel id: %w", err)
 		}
 	}
-
-	claims, err := management.ParseToken(token)
-	if err != nil {
-		return url.URL{}, fmt.Errorf("failed to determine if token is FED: %w", err)
-	}
-
-	var managementHostname string
-	if claims.IsFed() {
-		managementHostname = credentials.FedRampHostname
-	} else {
-		managementHostname = c.String(cfdflags.ManagementHostname)
-	}
-
 	query := url.Values{}
 	query.Add("access_token", token)
 	connector := c.String("connector-id")

cmd/cloudflared/tunnel/cmd.go

@@ -15,6 +15,7 @@ import (
 	"github.com/coreos/go-systemd/v22/daemon"
 	"github.com/facebookgo/grace/gracenet"
 	"github.com/getsentry/sentry-go"
+	"github.com/google/uuid"
 	"github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
@@ -97,7 +98,7 @@ var (
 		"no-tls-verify",
 		"no-chunked-encoding",
 		"http2-origin",
-		cfdflags.ManagementHostname,
+		"management-hostname",
 		"service-op-ip",
 		"local-ssh-port",
 		"ssh-idle-timeout",
@@ -207,7 +208,7 @@ then protect with Cloudflare Access).
   B) Locally reachable TCP/UDP-based private services to Cloudflare connected private users in the same account, e.g.,
 those enrolled to a Zero Trust WARP Client.
 
-You can manage your Tunnels via one.dash.cloudflare.com. This approach will only require you to run a single command
+You can manage your Tunnels via dash.teams.cloudflare.com. This approach will only require you to run a single command
 later in each machine where you wish to run a Tunnel.
 
 Alternatively, you can manage your Tunnels via the command line. Begin by obtaining a certificate to be able to do so:
@@ -445,7 +446,14 @@ func StartServer(
 		log.Err(err).Msg("Couldn't start tunnel")
 		return err
 	}
-	connectorID := tunnelConfig.ClientConfig.ConnectorID
+	var clientID uuid.UUID
+	if tunnelConfig.NamedTunnel != nil {
+		clientID, err = uuid.FromBytes(tunnelConfig.NamedTunnel.Client.ClientID)
+		if err != nil {
+			// set to nil for classic tunnels
+			clientID = uuid.Nil
+		}
+	}
 
 	// Disable ICMP packet routing for quick tunnels
 	if quickTunnelURL != "" {
@@ -459,26 +467,11 @@ func StartServer(
 		}
 	}
 
-	userCreds, err := credentials.Read(c.String(cfdflags.OriginCert), log)
-	var isFEDEndpoint bool
-	if err != nil {
-		isFEDEndpoint = false
-	} else {
-		isFEDEndpoint = userCreds.IsFEDEndpoint()
-	}
-
-	var managementHostname string
-	if isFEDEndpoint {
-		managementHostname = credentials.FedRampHostname
-	} else {
-		managementHostname = c.String(cfdflags.ManagementHostname)
-	}
-
 	mgmt := management.New(
-		managementHostname,
+		c.String("management-hostname"),
 		c.Bool("management-diagnostics"),
 		serviceIP,
-		connectorID,
+		clientID,
 		c.String(cfdflags.ConnectorLabel),
 		logger.ManagementLogger.Log,
 		logger.ManagementLogger,
@@ -510,14 +503,14 @@ func StartServer(
 			sources = append(sources, ipv6.String())
 		}
 
-		readinessServer := metrics.NewReadyServer(connectorID, tracker)
+		readinessServer := metrics.NewReadyServer(clientID, tracker)
 		cliFlags := nonSecretCliFlags(log, c, nonSecretFlagsList)
 		diagnosticHandler := diagnostic.NewDiagnosticHandler(
 			log,
 			0,
 			diagnostic.NewSystemCollectorImpl(buildInfo.CloudflaredVersion),
 			tunnelConfig.NamedTunnel.Credentials.TunnelID,
-			connectorID,
+			clientID,
 			tracker,
 			cliFlags,
 			sources,
@@ -1057,7 +1050,7 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {
 			Value:   false,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    cfdflags.ManagementHostname,
+			Name:    "management-hostname",
 			Usage:   "Management hostname to signify incoming management requests",
 			EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
 			Hidden:  true,

cmd/cloudflared/tunnel/config_test.go

@@ -0,0 +1,15 @@
+package tunnel
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/cloudflare/cloudflared/features"
+)
+
+func TestDedup(t *testing.T) {
+	expected := []string{"a", "b"}
+	actual := features.Dedup([]string{"a", "b", "a"})
+	require.ElementsMatch(t, expected, actual)
+}

cmd/cloudflared/tunnel/configuration.go

@@ -10,14 +10,13 @@ import (
 	"strings"
 	"time"
 
+	"github.com/google/uuid"
 	"github.com/pkg/errors"
-	"github.com/prometheus/client_golang/prometheus"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"golang.org/x/term"
 
-	"github.com/cloudflare/cloudflared/client"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/config"
@@ -26,7 +25,6 @@ import (
 	"github.com/cloudflare/cloudflared/edgediscovery/allregions"
 	"github.com/cloudflare/cloudflared/features"
 	"github.com/cloudflare/cloudflared/ingress"
-	"github.com/cloudflare/cloudflared/ingress/origins"
 	"github.com/cloudflare/cloudflared/orchestration"
 	"github.com/cloudflare/cloudflared/supervisor"
 	"github.com/cloudflare/cloudflared/tlsconfig"
@@ -36,6 +34,7 @@ import (
 const (
 	secretValue       = "*****"
 	icmpFunnelTimeout = time.Second * 10
+	fedRampRegion     = "fed" // const string denoting the region used to connect to FEDRamp servers
 )
 
 var (
@@ -126,29 +125,27 @@ func prepareTunnelConfig(
 	observer *connection.Observer,
 	namedTunnel *connection.TunnelProperties,
 ) (*supervisor.TunnelConfig, *orchestration.Config, error) {
-	transportProtocol := c.String(flags.Protocol)
-	isPostQuantumEnforced := c.Bool(flags.PostQuantum)
-	featureSelector, err := features.NewFeatureSelector(ctx, namedTunnel.Credentials.AccountTag, c.StringSlice(flags.Features), isPostQuantumEnforced, log)
+	clientID, err := uuid.NewRandom()
 	if err != nil {
-		return nil, nil, errors.Wrap(err, "Failed to create feature selector")
+		return nil, nil, errors.Wrap(err, "can't generate connector UUID")
 	}
-
-	clientConfig, err := client.NewConfig(info.Version(), info.OSArch(), featureSelector)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	log.Info().Msgf("Generated Connector ID: %s", clientConfig.ConnectorID)
-
+	log.Info().Msgf("Generated Connector ID: %s", clientID)
 	tags, err := NewTagSliceFromCLI(c.StringSlice(flags.Tag))
 	if err != nil {
 		log.Err(err).Msg("Tag parse failure")
 		return nil, nil, errors.Wrap(err, "Tag parse failure")
 	}
-	tags = append(tags, pogs.Tag{Name: "ID", Value: clientConfig.ConnectorID.String()})
+	tags = append(tags, pogs.Tag{Name: "ID", Value: clientID.String()})
 
-	clientFeatures := featureSelector.Snapshot()
-	pqMode := clientFeatures.PostQuantum
+	transportProtocol := c.String(flags.Protocol)
+	isPostQuantumEnforced := c.Bool(flags.PostQuantum)
+
+	featureSelector, err := features.NewFeatureSelector(ctx, namedTunnel.Credentials.AccountTag, c.StringSlice("features"), c.Bool("post-quantum"), log)
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "Failed to create feature selector")
+	}
+	clientFeatures := featureSelector.ClientFeatures()
+	pqMode := featureSelector.PostQuantumMode()
 	if pqMode == features.PostQuantumStrict {
 		// Error if the user tries to force a non-quic transport protocol
 		if transportProtocol != connection.AutoSelectFlag && transportProtocol != connection.QUIC.String() {
@@ -157,6 +154,12 @@ func prepareTunnelConfig(
 		transportProtocol = connection.QUIC.String()
 	}
 
+	namedTunnel.Client = pogs.ClientInfo{
+		ClientID: clientID[:],
+		Features: clientFeatures,
+		Version:  info.Version(),
+		Arch:     info.OSArch(),
+	}
 	cfg := config.GetConfiguration()
 	ingressRules, err := ingress.ParseIngressFromConfigAndCLI(cfg, c, log)
 	if err != nil {
@@ -220,30 +223,11 @@ func prepareTunnelConfig(
 		resolvedRegion = endpoint
 	}
 
-	warpRoutingConfig := ingress.NewWarpRoutingConfig(&cfg.WarpRouting)
-
-	// Setup origin dialer service and virtual services
-	originDialerService := ingress.NewOriginDialer(ingress.OriginConfig{
-		DefaultDialer:   ingress.NewDialer(warpRoutingConfig),
-		TCPWriteTimeout: c.Duration(flags.WriteStreamTimeout),
-	}, log)
-
-	// Setup DNS Resolver Service
-	originMetrics := origins.NewMetrics(prometheus.DefaultRegisterer)
-	dnsResolverAddrs := c.StringSlice(flags.VirtualDNSServiceResolverAddresses)
-	dnsService := origins.NewDNSResolverService(origins.NewDNSDialer(), log, originMetrics)
-	if len(dnsResolverAddrs) > 0 {
-		addrs, err := parseResolverAddrPorts(dnsResolverAddrs)
-		if err != nil {
-			return nil, nil, fmt.Errorf("invalid %s provided: %w", flags.VirtualDNSServiceResolverAddresses, err)
-		}
-		dnsService = origins.NewStaticDNSResolverService(addrs, origins.NewDNSDialer(), log, originMetrics)
-	}
-	originDialerService.AddReservedService(dnsService, []netip.AddrPort{origins.VirtualDNSServiceAddr})
-
 	tunnelConfig := &supervisor.TunnelConfig{
-		ClientConfig:    clientConfig,
 		GracePeriod:     gracePeriod,
+		ReplaceExisting: c.Bool(flags.Force),
+		OSArch:          info.OSArch(),
+		ClientID:        clientID.String(),
 		EdgeAddrs:       c.StringSlice(flags.Edge),
 		Region:          resolvedRegion,
 		EdgeIPVersion:   edgeIPVersion,
@@ -262,14 +246,13 @@ func prepareTunnelConfig(
 		NamedTunnel:                         namedTunnel,
 		ProtocolSelector:                    protocolSelector,
 		EdgeTLSConfigs:                      edgeTLSConfigs,
+		FeatureSelector:                     featureSelector,
 		MaxEdgeAddrRetries:                  uint8(c.Int(flags.MaxEdgeAddrRetries)), // nolint: gosec
 		RPCTimeout:                          c.Duration(flags.RpcTimeout),
 		WriteStreamTimeout:                  c.Duration(flags.WriteStreamTimeout),
 		DisableQUICPathMTUDiscovery:         c.Bool(flags.QuicDisablePathMTUDiscovery),
 		QUICConnectionLevelFlowControlLimit: c.Uint64(flags.QuicConnLevelFlowControlLimit),
 		QUICStreamLevelFlowControlLimit:     c.Uint64(flags.QuicStreamLevelFlowControlLimit),
-		OriginDNSService:                    dnsService,
-		OriginDialerService:                 originDialerService,
 	}
 	icmpRouter, err := newICMPRouter(c, log)
 	if err != nil {
@@ -279,9 +262,9 @@ func prepareTunnelConfig(
 	}
 	orchestratorConfig := &orchestration.Config{
 		Ingress:            &ingressRules,
-		WarpRouting:         warpRoutingConfig,
-		OriginDialerService: originDialerService,
+		WarpRouting:        ingress.NewWarpRoutingConfig(&cfg.WarpRouting),
 		ConfigurationFlags: parseConfigFlags(c),
+		WriteTimeout:       tunnelConfig.WriteStreamTimeout,
 	}
 	return tunnelConfig, orchestratorConfig, nil
 }
@@ -518,19 +501,3 @@ func findLocalAddr(dst net.IP, port int) (netip.Addr, error) {
 	localAddr := localAddrPort.Addr()
 	return localAddr, nil
 }
-
-func parseResolverAddrPorts(input []string) ([]netip.AddrPort, error) {
-	// We don't allow more than 10 resolvers to be provided statically for the resolver service.
-	if len(input) > 10 {
-		return nil, errors.New("too many addresses provided, max: 10")
-	}
-	addrs := make([]netip.AddrPort, 0, len(input))
-	for _, val := range input {
-		addr, err := netip.ParseAddrPort(val)
-		if err != nil {
-			return nil, err
-		}
-		addrs = append(addrs, addr)
-	}
-	return addrs, nil
-}

cmd/cloudflared/tunnel/login.go

@@ -12,7 +12,6 @@ import (
 	"github.com/urfave/cli/v2"
 
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
-	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/logger"
@@ -22,8 +21,9 @@ import (
 const (
 	baseLoginURL = "https://dash.cloudflare.com/argotunnel"
 	callbackURL  = "https://login.cloudflareaccess.org/"
-	fedBaseLoginURL      = "https://dash.fed.cloudflare.com/argotunnel"
-	fedCallbackStoreURL  = "https://login.fed.cloudflareaccess.org/"
+	// For now these are the same but will change in the future once we know which URLs to use (TUN-8872)
+	fedBaseLoginURL      = "https://dash.cloudflare.com/argotunnel"
+	fedCallbackStoreURL  = "https://login.cloudflareaccess.org/"
 	fedRAMPParamName     = "fedramp"
 	loginURLParamName    = "loginURL"
 	callbackURLParamName = "callbackURL"
@@ -97,8 +97,6 @@ func login(c *cli.Context) error {
 		callbackStoreURL,
 		false,
 		false,
-		c.Bool(cfdflags.AutoCloseInterstitial),
-		isFEDRamp,
 		log,
 	)
 	if err != nil {

cmd/cloudflared/tunnel/subcommand_context.go

@@ -9,7 +9,6 @@ import (
 	"strings"
 
 	"github.com/google/uuid"
-	"github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
@@ -55,13 +54,8 @@ func newSubcommandContext(c *cli.Context) (*subcommandContext, error) {
 // Returns something that can find the given tunnel's credentials file.
 func (sc *subcommandContext) credentialFinder(tunnelID uuid.UUID) CredFinder {
 	if path := sc.c.String(CredFileFlag); path != "" {
-		// Expand path if CredFileFlag contains `~`
-		absPath, err := homedir.Expand(path)
-		if err != nil {
 		return newStaticPath(path, sc.fs)
 	}
-		return newStaticPath(absPath, sc.fs)
-	}
 	return newSearchByID(tunnelID, sc.c, sc.log, sc.fs)
 }
 
@@ -112,7 +106,7 @@ func (sc *subcommandContext) readTunnelCredentials(credFinder CredFinder) (conne
 
 	var credentials connection.Credentials
 	if err = json.Unmarshal(body, &credentials); err != nil {
-		if filepath.Ext(filePath) == ".pem" {
+		if strings.HasSuffix(filePath, ".pem") {
 			return connection.Credentials{}, fmt.Errorf("The tunnel credentials file should be .json but you gave a .pem. " +
 				"The tunnel credentials file was originally created by `cloudflared tunnel create`. " +
 				"You may have accidentally used the filepath to cert.pem, which is generated by `cloudflared tunnel " +
@@ -155,12 +149,10 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
 	if err != nil {
 		return nil, err
 	}
-
 	tunnelCredentials := connection.Credentials{
 		AccountTag:   credential.AccountID(),
 		TunnelSecret: tunnelSecret,
 		TunnelID:     tunnel.ID,
-		Endpoint:     credential.Endpoint(),
 	}
 	usedCertPath := false
 	if credentialsFilePath == "" {

cmd/cloudflared/tunnel/subcommands.go

@@ -41,7 +41,6 @@ const (
 	CredFileFlag            = "credentials-file"
 	CredContentsFlag        = "credentials-contents"
 	TunnelTokenFlag         = "token"
-	TunnelTokenFileFlag     = "token-file"
 	overwriteDNSFlagName    = "overwrite-dns"
 	noDiagLogsFlagName      = "no-diag-logs"
 	noDiagMetricsFlagName   = "no-diag-metrics"
@@ -127,14 +126,9 @@ var (
 	})
 	tunnelTokenFlag = altsrc.NewStringFlag(&cli.StringFlag{
 		Name:    TunnelTokenFlag,
-		Usage:   "The Tunnel token. When provided along with credentials, this will take precedence. Also takes precedence over token-file",
+		Usage:   "The Tunnel token. When provided along with credentials, this will take precedence.",
 		EnvVars: []string{"TUNNEL_TOKEN"},
 	})
-	tunnelTokenFileFlag = altsrc.NewStringFlag(&cli.StringFlag{
-		Name:    TunnelTokenFileFlag,
-		Usage:   "Filepath at which to read the tunnel token. When provided along with credentials, this will take precedence.",
-		EnvVars: []string{"TUNNEL_TOKEN_FILE"},
-	})
 	forceDeleteFlag = &cli.BoolFlag{
 		Name:    flags.Force,
 		Aliases: []string{"f"},
@@ -241,11 +235,6 @@ var (
 		Usage:   "Overrides the remote configuration for max active private network flows (TCP/UDP) that this cloudflared instance supports",
 		EnvVars: []string{"TUNNEL_MAX_ACTIVE_FLOWS"},
 	}
-	dnsResolverAddrsFlag = &cli.StringSliceFlag{
-		Name:    flags.VirtualDNSServiceResolverAddresses,
-		Usage:   "Overrides the dynamic DNS resolver resolution to use these address:port's instead.",
-		EnvVars: []string{"TUNNEL_DNS_RESOLVER_ADDRS"},
-	}
 )
 
 func buildCreateCommand() *cli.Command {
@@ -719,11 +708,9 @@ func buildRunCommand() *cli.Command {
 		selectProtocolFlag,
 		featuresFlag,
 		tunnelTokenFlag,
-		tunnelTokenFileFlag,
 		icmpv4SrcFlag,
 		icmpv6SrcFlag,
 		maxActiveFlowsFlag,
-		dnsResolverAddrsFlag,
 	}
 	flags = append(flags, configureProxyFlags(false)...)
 	return &cli.Command{
@@ -761,22 +748,12 @@ func runCommand(c *cli.Context) error {
 			"your origin will not be reachable. You should remove the `hostname` property to avoid this warning.")
 	}
 
-	tokenStr := c.String(TunnelTokenFlag)
-	// Check if tokenStr is blank before checking for tokenFile
-	if tokenStr == "" {
-		if tokenFile := c.String(TunnelTokenFileFlag); tokenFile != "" {
-			data, err := os.ReadFile(tokenFile)
-			if err != nil {
-				return cliutil.UsageError("Failed to read token file: %s", err.Error())
-			}
-			tokenStr = strings.TrimSpace(string(data))
-		}
-	}
 	// Check if token is provided and if not use default tunnelID flag method
-	if tokenStr != "" {
+	if tokenStr := c.String(TunnelTokenFlag); tokenStr != "" {
 		if token, err := ParseToken(tokenStr); err == nil {
 			return sc.runWithCredentials(token.Credentials())
 		}
+
 		return cliutil.UsageError("Provided Tunnel token is not valid.")
 	} else {
 		tunnelRef := c.Args().First()

cmd/cloudflared/tunnel/teamnet_subcommands.go

@@ -22,7 +22,7 @@ var (
 		Usage:   "The ID or name of the virtual network to which the route is associated to.",
 	}
 
-	errAddRoute = errors.New("You must supply exactly one argument, the ID or CIDR of the route you want to delete")
+	routeAddError = errors.New("You must supply exactly one argument, the ID or CIDR of the route you want to delete")
 )
 
 func buildRouteIPSubcommand() *cli.Command {
@@ -32,7 +32,7 @@ func buildRouteIPSubcommand() *cli.Command {
 		UsageText: "cloudflared tunnel [--config FILEPATH] route COMMAND [arguments...]",
 		Description: `cloudflared can provision routes for any IP space in your corporate network. Users enrolled in
 your Cloudflare for Teams organization can reach those IPs through the Cloudflare WARP
-client. You can then configure L7/L4 filtering on https://one.dash.cloudflare.com to
+client. You can then configure L7/L4 filtering on https://dash.teams.cloudflare.com to
 determine who can reach certain routes.
 By default IP routes all exist within a single virtual network. If you use the same IP
 space(s) in different physical private networks, all meant to be reachable via IP routes,
@@ -187,7 +187,7 @@ func deleteRouteCommand(c *cli.Context) error {
 	}
 
 	if c.NArg() != 1 {
-		return errAddRoute
+		return routeAddError
 	}
 
 	var routeId uuid.UUID
@@ -195,7 +195,7 @@ func deleteRouteCommand(c *cli.Context) error {
 	if err != nil {
 		_, network, err := net.ParseCIDR(c.Args().First())
 		if err != nil || network == nil {
-			return errAddRoute
+			return routeAddError
 		}
 
 		var vnetId *uuid.UUID

cmd/cloudflared/updater/update.go

@@ -22,7 +22,7 @@ import (
 
 const (
 	DefaultCheckUpdateFreq        = time.Hour * 24
-	noUpdateInShellMessage        = "cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configure-tunnels/local-management/as-a-service/"
+	noUpdateInShellMessage        = "cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/as-a-service/"
 	noUpdateOnWindowsMessage      = "cloudflared will not automatically update on Windows systems."
 	noUpdateManagedPackageMessage = "cloudflared will not automatically update if installed by a package manager."
 	isManagedInstallFile          = ".installedFromPackageManager"

cmd/cloudflared/updater/workers_update.go

@@ -10,9 +10,9 @@ import (
 	"net/url"
 	"os"
 	"os/exec"
-	"path"
 	"path/filepath"
 	"runtime"
+	"strings"
 	"text/template"
 	"time"
 
@@ -134,7 +134,7 @@ func (v *WorkersVersion) Apply() error {
 
 	if err := os.Rename(newFilePath, v.targetPath); err != nil {
 		//attempt rollback
-		_ = os.Rename(oldFilePath, v.targetPath)
+		os.Rename(oldFilePath, v.targetPath)
 		return err
 	}
 	os.Remove(oldFilePath)
@@ -181,7 +181,7 @@ func download(url, filepath string, isCompressed bool) error {
 		tr := tar.NewReader(gr)
 
 		// advance the reader pass the header, which will be the single binary file
-		_, _ = tr.Next()
+		tr.Next()
 
 		r = tr
 	}
@@ -198,7 +198,7 @@ func download(url, filepath string, isCompressed bool) error {
 
 // isCompressedFile is a really simple file extension check to see if this is a macos tar and gzipped
 func isCompressedFile(urlstring string) bool {
-	if path.Ext(urlstring) == ".tgz" {
+	if strings.HasSuffix(urlstring, ".tgz") {
 		return true
 	}
 
@@ -206,7 +206,7 @@ func isCompressedFile(urlstring string) bool {
 	if err != nil {
 		return false
 	}
-	return path.Ext(u.Path) == ".tgz"
+	return strings.HasSuffix(u.Path, ".tgz")
 }
 
 // writeBatchFile writes a batch file out to disk
@@ -249,6 +249,7 @@ func runWindowsBatch(batchFile string) error {
 		if exitError, ok := err.(*exec.ExitError); ok {
 			return fmt.Errorf("Error during update : %s;", string(exitError.Stderr))
 		}
+
 	}
 	return err
 }

cmd/cloudflared/windows_service.go

@@ -26,7 +26,7 @@ import (
 const (
 	windowsServiceName        = "Cloudflared"
 	windowsServiceDescription = "Cloudflared agent"
-	windowsServiceUrl         = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configure-tunnels/local-management/as-a-service/windows/"
+	windowsServiceUrl         = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/as-a-service/windows/"
 
 	recoverActionDelay      = time.Second * 20
 	failureCountResetPeriod = time.Hour * 24
@@ -190,7 +190,7 @@ func installWindowsService(c *cli.Context) error {
 	log := zeroLogger.With().Str(LogFieldWindowsServiceName, windowsServiceName).Logger()
 	if err == nil {
 		s.Close()
-		return errors.New(serviceAlreadyExistsWarn(windowsServiceName))
+		return fmt.Errorf(serviceAlreadyExistsWarn(windowsServiceName))
 	}
 	extraArgs, err := getServiceExtraArgsFromCliArgs(c, &log)
 	if err != nil {
@@ -238,7 +238,7 @@ func uninstallWindowsService(c *cli.Context) error {
 	defer m.Disconnect()
 	s, err := m.OpenService(windowsServiceName)
 	if err != nil {
-		return fmt.Errorf("agent service %s is not installed, so it could not be uninstalled", windowsServiceName)
+		return fmt.Errorf("Agent service %s is not installed, so it could not be uninstalled", windowsServiceName)
 	}
 	defer s.Close()
 

component-tests/test_management.py

@@ -107,13 +107,7 @@ class TestManagement:
             assert resp.status_code == 404, "Expected cloudflared to return 404 for /metrics"
 
 
-
-
 @retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
 def send_request(url, headers={}):
     with requests.Session() as s:
-        resp = s.get(url, timeout=BACKOFF_SECS, headers=headers)
-        if resp.status_code == 530:
-            LOGGER.debug(f"Received 530 status, retrying request to {url}")
-            raise Exception(f"Received 530 status code from {url}")
-        return resp
+        return s.get(url, timeout=BACKOFF_SECS, headers=headers)

component-tests/test_service.py

@@ -9,7 +9,7 @@ import pytest
 
 import test_logging
 from conftest import CfdModes
-from util import select_platform, skip_on_ci, start_cloudflared, wait_tunnel_ready, write_config
+from util import select_platform, start_cloudflared, wait_tunnel_ready, write_config
 
 
 def default_config_dir():
@@ -82,7 +82,6 @@ class TestServiceMode:
         os.remove(default_config_file())
         self.launchctl_cmd("list", success=False)
 
-    @skip_on_ci("we can't run sudo command on CI")
     @select_platform("Linux")
     @pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
                         reason=f"There is already a config file in default path")
@@ -99,7 +98,6 @@ class TestServiceMode:
 
         self.sysv_service_scenario(config, tmp_path, assert_log_file)
 
-    @skip_on_ci("we can't run sudo command on CI")
     @select_platform("Linux")
     @pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
                         reason=f"There is already a config file in default path")
@@ -118,7 +116,6 @@ class TestServiceMode:
 
         self.sysv_service_scenario(config, tmp_path, assert_rotating_log)
 
-    @skip_on_ci("we can't run sudo command on CI")
     @select_platform("Linux")
     @pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
                         reason=f"There is already a config file in default path")

component-tests/test_token.py

@@ -1,7 +1,7 @@
 import base64
 import json
 
-from setup import get_config_from_file
+from setup import get_config_from_file, persist_origin_cert
 from util import start_cloudflared
 
 

component-tests/test_tunnel.py

@@ -33,20 +33,13 @@ class TestTunnel:
         LOGGER.debug(config)
         with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"],  cfd_args=["run"], new_process=True):
             wait_tunnel_ready(require_min_connections=1)
-            expected_status_code = 503
-            resp = send_request(config.get_url()+"/", expected_status_code)
-            assert resp.status_code == expected_status_code, "Expected cloudflared to return 503 for all requests with no ingress defined"
-            resp = send_request(config.get_url()+"/test", expected_status_code)
-            assert resp.status_code == expected_status_code, "Expected cloudflared to return 503 for all requests with no ingress defined"
+            resp = send_request(config.get_url()+"/")
+            assert resp.status_code == 503, "Expected cloudflared to return 503 for all requests with no ingress defined"
+            resp = send_request(config.get_url()+"/test")
+            assert resp.status_code == 503, "Expected cloudflared to return 503 for all requests with no ingress defined"
 
-def retry_if_result_none(result):
-    '''
-    Returns True if the result is None, indicating that the function should be retried.
-    '''
-    return result is None
 
-@retry(retry_on_result=retry_if_result_none, stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
-def send_request(url, expected_status_code=200):
+@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
+def send_request(url, headers={}):
     with requests.Session() as s:
-        resp = s.get(url, timeout=BACKOFF_SECS)
-        return resp if resp.status_code == expected_status_code else None
+        return s.get(url, timeout=BACKOFF_SECS, headers=headers)

component-tests/util.py

@@ -10,6 +10,7 @@ import pytest
 
 import requests
 import yaml
+import json
 from retrying import retry
 
 from constants import METRICS_PORT, MAX_RETRIES, BACKOFF_SECS
@@ -34,12 +35,6 @@ def fips_enabled():
 nofips = pytest.mark.skipif(
         fips_enabled(), reason=f"Only runs without FIPS (COMPONENT_TESTS_FIPS=0)")
 
-def skip_on_ci(reason):
-    env_ci = os.getenv("CI")
-    running_in_ci = env_ci is not None and env_ci != "0"
-    return pytest.mark.skipif(
-        running_in_ci, reason=f"This test can't run on CI due to: {reason}")
-
 def write_config(directory, config):
     config_path = directory / "config.yml"
     with open(config_path, 'w') as outfile:
@@ -116,7 +111,6 @@ def inner_wait_tunnel_ready(tunnel_url=None, require_min_connections=1):
     metrics_url = f'http://localhost:{METRICS_PORT}/ready'
 
     with requests.Session() as s:
-        LOGGER.debug("Waiting for tunnel to be ready...")
         resp = send_request(s, metrics_url, True)
 
         ready_connections = resp.json()["readyConnections"]

config/configuration.go

@@ -242,8 +242,6 @@ type AccessConfig struct {
 
 	// AudTag is the AudTag to verify access JWT against.
 	AudTag []string `yaml:"audTag" json:"audTag"`
-
-	Environment string `yaml:"environment" json:"environment,omitempty"`
 }
 
 type IngressIPRule struct {

config/model.go

@@ -1,7 +1,7 @@
 package config
 
 import (
-	"crypto/sha256"
+	"crypto/md5"
 	"fmt"
 	"io"
 	"strings"
@@ -16,7 +16,6 @@ type Forwarder struct {
 	TokenClientID string `json:"service_token_id" yaml:"serviceTokenID"`
 	TokenSecret   string `json:"secret_token_id" yaml:"serviceTokenSecret"`
 	Destination   string `json:"destination"`
-	IsFedramp     bool   `json:"is_fedramp" yaml:"isFedramp"`
 }
 
 // Tunnel represents a tunnel that should be started
@@ -47,24 +46,24 @@ type Root struct {
 
 // Hash returns the computed values to see if the forwarder values change
 func (f *Forwarder) Hash() string {
-	h := sha256.New()
-	_, _ = io.WriteString(h, f.URL)
-	_, _ = io.WriteString(h, f.Listener)
-	_, _ = io.WriteString(h, f.TokenClientID)
-	_, _ = io.WriteString(h, f.TokenSecret)
-	_, _ = io.WriteString(h, f.Destination)
+	h := md5.New()
+	io.WriteString(h, f.URL)
+	io.WriteString(h, f.Listener)
+	io.WriteString(h, f.TokenClientID)
+	io.WriteString(h, f.TokenSecret)
+	io.WriteString(h, f.Destination)
 	return fmt.Sprintf("%x", h.Sum(nil))
 }
 
 // Hash returns the computed values to see if the forwarder values change
 func (r *DNSResolver) Hash() string {
-	h := sha256.New()
-	_, _ = io.WriteString(h, r.Address)
-	_, _ = io.WriteString(h, strings.Join(r.Bootstraps, ","))
-	_, _ = io.WriteString(h, strings.Join(r.Upstreams, ","))
-	_, _ = io.WriteString(h, fmt.Sprintf("%d", r.Port))
-	_, _ = io.WriteString(h, fmt.Sprintf("%d", r.MaxUpstreamConnections))
-	_, _ = io.WriteString(h, fmt.Sprintf("%v", r.Enabled))
+	h := md5.New()
+	io.WriteString(h, r.Address)
+	io.WriteString(h, strings.Join(r.Bootstraps, ","))
+	io.WriteString(h, strings.Join(r.Upstreams, ","))
+	io.WriteString(h, fmt.Sprintf("%d", r.Port))
+	io.WriteString(h, fmt.Sprintf("%d", r.MaxUpstreamConnections))
+	io.WriteString(h, fmt.Sprintf("%v", r.Enabled))
 	return fmt.Sprintf("%x", h.Sum(nil))
 }
 

connection/connection.go

@@ -27,19 +27,13 @@ const (
 	MaxConcurrentStreams   = math.MaxUint32
 
 	contentTypeHeader = "content-type"
-	contentLengthHeader    = "content-length"
-	transferEncodingHeader = "transfer-encoding"
-
 	sseContentType    = "text/event-stream"
 	grpcContentType   = "application/grpc"
-	sseJsonContentType = "application/x-ndjson"
-
-	chunkTransferEncoding = "chunked"
 )
 
 var (
 	switchingProtocolText = fmt.Sprintf("%d %s", http.StatusSwitchingProtocols, http.StatusText(http.StatusSwitchingProtocols))
-	flushableContentTypes = []string{sseContentType, grpcContentType, sseJsonContentType}
+	flushableContentTypes = []string{sseContentType, grpcContentType}
 )
 
 // TunnelConnection represents the connection to the edge.
@@ -57,6 +51,7 @@ type Orchestrator interface {
 
 type TunnelProperties struct {
 	Credentials    Credentials
+	Client         pogs.ClientInfo
 	QuickTunnelUrl string
 }
 
@@ -279,22 +274,6 @@ type ConnectedFuse interface {
 // Helper method to let the caller know what content-types should require a flush on every
 // write to a ResponseWriter.
 func shouldFlush(headers http.Header) bool {
-	// When doing Server Side Events (SSE), some frameworks don't respect the `Content-Type` header.
-	// Therefore, we need to rely on other ways to know whether we should flush on write or not. A good
-	// approach is to assume that responses without `Content-Length` or with `Transfer-Encoding: chunked`
-	// are streams, and therefore, should be flushed right away to the eyeball.
-	// References:
-	// - https://datatracker.ietf.org/doc/html/rfc7230#section-4.1
-	// - https://datatracker.ietf.org/doc/html/rfc9112#section-6.1
-	if contentLength := headers.Get(contentLengthHeader); contentLength == "" {
-		return true
-	}
-	if transferEncoding := headers.Get(transferEncodingHeader); transferEncoding != "" {
-		transferEncoding = strings.ToLower(transferEncoding)
-		if strings.Contains(transferEncoding, chunkTransferEncoding) {
-			return true
-		}
-	}
 	if contentType := headers.Get(contentTypeHeader); contentType != "" {
 		contentType = strings.ToLower(contentType)
 		for _, c := range flushableContentTypes {
@@ -303,6 +282,7 @@ func shouldFlush(headers http.Header) bool {
 			}
 		}
 	}
+
 	return false
 }
 

connection/connection_test.go

@@ -7,12 +7,10 @@ import (
 	"io"
 	"math/big"
 	"net/http"
-	"testing"
 	"time"
 
 	pkgerrors "github.com/pkg/errors"
 	"github.com/rs/zerolog"
-	"github.com/stretchr/testify/require"
 
 	cfdflow "github.com/cloudflare/cloudflared/flow"
 
@@ -211,48 +209,3 @@ func (mcf mockConnectedFuse) Connected() {}
 func (mcf mockConnectedFuse) IsConnected() bool {
 	return true
 }
-
-func TestShouldFlushHeaders(t *testing.T) {
-	tests := []struct {
-		headers     map[string]string
-		shouldFlush bool
-	}{
-		{
-			headers:     map[string]string{contentTypeHeader: "application/json", contentLengthHeader: "1"},
-			shouldFlush: false,
-		},
-		{
-			headers:     map[string]string{contentTypeHeader: "text/html", contentLengthHeader: "1"},
-			shouldFlush: false,
-		},
-		{
-			headers:     map[string]string{contentTypeHeader: "text/event-stream", contentLengthHeader: "1"},
-			shouldFlush: true,
-		},
-		{
-			headers:     map[string]string{contentTypeHeader: "application/grpc", contentLengthHeader: "1"},
-			shouldFlush: true,
-		},
-		{
-			headers:     map[string]string{contentTypeHeader: "application/x-ndjson", contentLengthHeader: "1"},
-			shouldFlush: true,
-		},
-		{
-			headers:     map[string]string{contentTypeHeader: "application/json"},
-			shouldFlush: true,
-		},
-		{
-			headers:     map[string]string{contentTypeHeader: "application/json", contentLengthHeader: "-1", transferEncodingHeader: "chunked"},
-			shouldFlush: true,
-		},
-	}
-
-	for _, test := range tests {
-		headers := http.Header{}
-		for k, v := range test.headers {
-			headers.Add(k, v)
-		}
-
-		require.Equal(t, test.shouldFlush, shouldFlush(headers))
-	}
-}

connection/control.go

@@ -10,7 +10,7 @@ import (
 
 	"github.com/cloudflare/cloudflared/management"
 	"github.com/cloudflare/cloudflared/tunnelrpc"
-	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 
 // registerClient derives a named tunnel rpc client that can then be used to register and unregister connections.
@@ -36,7 +36,7 @@ type controlStream struct {
 // ControlStreamHandler registers connections with origintunneld and initiates graceful shutdown.
 type ControlStreamHandler interface {
 	// ServeControlStream handles the control plane of the transport in the current goroutine calling this
-	ServeControlStream(ctx context.Context, rw io.ReadWriteCloser, connOptions *pogs.ConnectionOptions, tunnelConfigGetter TunnelConfigJSONGetter) error
+	ServeControlStream(ctx context.Context, rw io.ReadWriteCloser, connOptions *tunnelpogs.ConnectionOptions, tunnelConfigGetter TunnelConfigJSONGetter) error
 	// IsStopped tells whether the method above has finished
 	IsStopped() bool
 }
@@ -78,11 +78,11 @@ func NewControlStream(
 func (c *controlStream) ServeControlStream(
 	ctx context.Context,
 	rw io.ReadWriteCloser,
-	connOptions *pogs.ConnectionOptions,
+	connOptions *tunnelpogs.ConnectionOptions,
 	tunnelConfigGetter TunnelConfigJSONGetter,
 ) error {
 	registrationClient := c.registerClientFunc(ctx, rw, c.registerTimeout)
-	c.observer.logConnecting(c.connIndex, c.edgeAddress, c.protocol)
+
 	registrationDetails, err := registrationClient.RegisterConnection(
 		ctx,
 		c.tunnelProperties.Credentials.Auth(),

connection/errors.go

@@ -1,6 +1,7 @@
 package connection
 
 import (
+	"github.com/cloudflare/cloudflared/edgediscovery"
 	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 
@@ -52,26 +53,26 @@ func serverRegistrationErrorFromRPC(err error) ServerRegisterTunnelError {
 	}
 }
 
-type ControlStreamError struct{}
+type muxerShutdownError struct{}
 
-var _ error = &ControlStreamError{}
-
-func (e *ControlStreamError) Error() string {
-	return "control stream encountered a failure while serving"
+func (e muxerShutdownError) Error() string {
+	return "muxer shutdown"
 }
 
-type StreamListenerError struct{}
+var errMuxerStopped = muxerShutdownError{}
 
-var _ error = &StreamListenerError{}
+func isHandshakeErrRecoverable(err error, connIndex uint8, observer *Observer) bool {
+	log := observer.log.With().
+		Uint8(LogFieldConnIndex, connIndex).
+		Err(err).
+		Logger()
 
-func (e *StreamListenerError) Error() string {
-	return "accept stream listener encountered a failure while serving"
-}
-
-type DatagramManagerError struct{}
-
-var _ error = &DatagramManagerError{}
-
-func (e *DatagramManagerError) Error() string {
-	return "datagram manager encountered a failure while serving"
+	switch err.(type) {
+	case edgediscovery.DialError:
+		log.Error().Msg("Connection unable to dial edge")
+	default:
+		log.Error().Msg("Connection failed")
+		return false
+	}
+	return true
 }

connection/header.go

@@ -53,8 +53,7 @@ var headerEncoding = base64.RawStdEncoding
 func IsControlResponseHeader(headerName string) bool {
 	return strings.HasPrefix(headerName, ":") ||
 		strings.HasPrefix(headerName, "cf-int-") ||
-		strings.HasPrefix(headerName, "cf-cloudflared-") ||
-		strings.HasPrefix(headerName, "cf-proxy-")
+		strings.HasPrefix(headerName, "cf-cloudflared-")
 }
 
 // isWebsocketClientHeader returns true if the header name is required by the client to upgrade properly

connection/header_test.go

@@ -1,17 +1,18 @@
 package connection
 
 import (
+	"fmt"
 	"net/http"
 	"reflect"
 	"sort"
 	"testing"
 
-	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestSerializeHeaders(t *testing.T) {
 	request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
-	require.NoError(t, err)
+	assert.NoError(t, err)
 
 	mockHeaders := http.Header{
 		"Mock-Header-One":        {"Mock header one value", "three"},
@@ -38,22 +39,22 @@ func TestSerializeHeaders(t *testing.T) {
 	serializedHeaders := SerializeHeaders(request.Header)
 
 	// Sanity check: the headers serialized to something that's not an empty string
-	require.NotEqual(t, "", serializedHeaders)
+	assert.NotEqual(t, "", serializedHeaders)
 
 	// Deserialize back, and ensure we get the same set of headers
 	deserializedHeaders, err := DeserializeHeaders(serializedHeaders)
-	require.NoError(t, err)
+	assert.NoError(t, err)
 
-	require.Len(t, deserializedHeaders, 13)
+	assert.Equal(t, 13, len(deserializedHeaders))
 	expectedHeaders := headerToReqHeader(mockHeaders)
 
 	sort.Sort(ByName(deserializedHeaders))
 	sort.Sort(ByName(expectedHeaders))
 
-	require.True(
+	assert.True(
 		t,
 		reflect.DeepEqual(expectedHeaders, deserializedHeaders),
-		"got = %#v, want = %#v\n", deserializedHeaders, expectedHeaders,
+		fmt.Sprintf("got = %#v, want = %#v\n", deserializedHeaders, expectedHeaders),
 	)
 }
 
@@ -81,12 +82,12 @@ func headerToReqHeader(headers http.Header) (reqHeaders []HTTPHeader) {
 
 func TestSerializeNoHeaders(t *testing.T) {
 	request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
-	require.NoError(t, err)
+	assert.NoError(t, err)
 
 	serializedHeaders := SerializeHeaders(request.Header)
 	deserializedHeaders, err := DeserializeHeaders(serializedHeaders)
-	require.NoError(t, err)
-	require.Empty(t, deserializedHeaders)
+	assert.NoError(t, err)
+	assert.Equal(t, 0, len(deserializedHeaders))
 }
 
 func TestDeserializeMalformed(t *testing.T) {
@@ -101,22 +102,21 @@ func TestDeserializeMalformed(t *testing.T) {
 
 	for _, malformedValue := range malformedData {
 		_, err = DeserializeHeaders(malformedValue)
-		require.Error(t, err)
+		assert.Error(t, err)
 	}
 }
 
 func TestIsControlResponseHeader(t *testing.T) {
 	controlResponseHeaders := []string{
-		// Anything that begins with cf-int-, cf-cloudflared- or cf-proxy-
+		// Anything that begins with cf-int- or cf-cloudflared-
 		"cf-int-sample-header",
 		"cf-cloudflared-sample-header",
-		"cf-proxy-sample-header",
 		// Any http2 pseudoheader
 		":sample-pseudo-header",
 	}
 
 	for _, header := range controlResponseHeaders {
-		require.True(t, IsControlResponseHeader(header))
+		assert.True(t, IsControlResponseHeader(header))
 	}
 }
 
@@ -130,6 +130,6 @@ func TestIsNotControlResponseHeader(t *testing.T) {
 	}
 
 	for _, header := range notControlResponseHeaders {
-		require.False(t, IsControlResponseHeader(header))
+		assert.False(t, IsControlResponseHeader(header))
 	}
 }

connection/http2.go

@@ -16,10 +16,10 @@ import (
 	"github.com/rs/zerolog"
 	"golang.org/x/net/http2"
 
-	"github.com/cloudflare/cloudflared/client"
 	cfdflow "github.com/cloudflare/cloudflared/flow"
 
 	"github.com/cloudflare/cloudflared/tracing"
+	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 
 // note: these constants are exported so we can reuse them in the edge-side code
@@ -39,7 +39,7 @@ type HTTP2Connection struct {
 	conn         net.Conn
 	server       *http2.Server
 	orchestrator Orchestrator
-	connOptions  *client.ConnectionOptionsSnapshot
+	connOptions  *tunnelpogs.ConnectionOptions
 	observer     *Observer
 	connIndex    uint8
 
@@ -54,7 +54,7 @@ type HTTP2Connection struct {
 func NewHTTP2Connection(
 	conn net.Conn,
 	orchestrator Orchestrator,
-	connOptions *client.ConnectionOptionsSnapshot,
+	connOptions *tunnelpogs.ConnectionOptions,
 	observer *Observer,
 	connIndex uint8,
 	controlStreamHandler ControlStreamHandler,
@@ -118,7 +118,7 @@ func (c *HTTP2Connection) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	var requestErr error
 	switch connType {
 	case TypeControlStream:
-		requestErr = c.controlStreamHandler.ServeControlStream(r.Context(), respWriter, c.connOptions.ConnectionOptions(), c.orchestrator)
+		requestErr = c.controlStreamHandler.ServeControlStream(r.Context(), respWriter, c.connOptions, c.orchestrator)
 		if requestErr != nil {
 			c.controlStreamErr = requestErr
 		}

connection/http2_test.go

@@ -20,18 +20,19 @@ import (
 	"github.com/stretchr/testify/require"
 	"golang.org/x/net/http2"
 
-	"github.com/cloudflare/cloudflared/client"
 	"github.com/cloudflare/cloudflared/tracing"
 
 	"github.com/cloudflare/cloudflared/tunnelrpc"
 	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 
-var testTransport = http2.Transport{}
+var (
+	testTransport = http2.Transport{}
+)
 
 func newTestHTTP2Connection() (*HTTP2Connection, net.Conn) {
 	edgeConn, cfdConn := net.Pipe()
-	connIndex := uint8(0)
+	var connIndex = uint8(0)
 	log := zerolog.Nop()
 	obs := NewObserver(&log, &log)
 	controlStream := NewControlStream(
@@ -50,7 +51,7 @@ func newTestHTTP2Connection() (*HTTP2Connection, net.Conn) {
 		cfdConn,
 		// OriginProxy is set in testConfigManager
 		testOrchestrator,
-		&client.ConnectionOptionsSnapshot{},
+		&pogs.ConnectionOptions{},
 		obs,
 		connIndex,
 		controlStream,
@@ -61,7 +62,7 @@ func newTestHTTP2Connection() (*HTTP2Connection, net.Conn) {
 func TestHTTP2ConfigurationSet(t *testing.T) {
 	http2Conn, edgeConn := newTestHTTP2Connection()
 
-	ctx, cancel := context.WithCancel(t.Context())
+	ctx, cancel := context.WithCancel(context.Background())
 	var wg sync.WaitGroup
 	wg.Add(1)
 	go func() {
@@ -129,7 +130,7 @@ func TestServeHTTP(t *testing.T) {
 
 	http2Conn, edgeConn := newTestHTTP2Connection()
 
-	ctx, cancel := context.WithCancel(t.Context())
+	ctx, cancel := context.WithCancel(context.Background())
 	var wg sync.WaitGroup
 	wg.Add(1)
 	go func() {
@@ -260,7 +261,7 @@ func (w *wsRespWriter) close() {
 func TestServeWS(t *testing.T) {
 	http2Conn, _ := newTestHTTP2Connection()
 
-	ctx, cancel := context.WithCancel(t.Context())
+	ctx, cancel := context.WithCancel(context.Background())
 
 	respWriter := newWSRespWriter()
 	readPipe, writePipe := io.Pipe()
@@ -295,12 +296,12 @@ func TestServeWS(t *testing.T) {
 	require.False(t, respWriter.panicked)
 }
 
-// TestNoWriteAfterServeHTTPReturns is a regression test of https://jira.cfdata.org/browse/TUN-5184
+// TestNoWriteAfterServeHTTPReturns is a regression test of https://jira.cfops.it/browse/TUN-5184
 // to make sure we don't write to the ResponseWriter after the ServeHTTP method returns
 func TestNoWriteAfterServeHTTPReturns(t *testing.T) {
 	cfdHTTP2Conn, edgeTCPConn := newTestHTTP2Connection()
 
-	ctx, cancel := context.WithCancel(t.Context())
+	ctx, cancel := context.WithCancel(context.Background())
 	var wg sync.WaitGroup
 
 	serverDone := make(chan struct{})
@@ -378,7 +379,7 @@ func TestServeControlStream(t *testing.T) {
 	)
 	http2Conn.controlStreamHandler = controlStream
 
-	ctx, cancel := context.WithCancel(t.Context())
+	ctx, cancel := context.WithCancel(context.Background())
 	var wg sync.WaitGroup
 	wg.Add(1)
 	go func() {
@@ -432,7 +433,7 @@ func TestFailRegistration(t *testing.T) {
 	)
 	http2Conn.controlStreamHandler = controlStream
 
-	ctx, cancel := context.WithCancel(t.Context())
+	ctx, cancel := context.WithCancel(context.Background())
 	var wg sync.WaitGroup
 	wg.Add(1)
 	go func() {
@@ -483,7 +484,7 @@ func TestGracefulShutdownHTTP2(t *testing.T) {
 
 	http2Conn.controlStreamHandler = controlStream
 
-	ctx, cancel := context.WithCancel(t.Context())
+	ctx, cancel := context.WithCancel(context.Background())
 	var wg sync.WaitGroup
 	wg.Add(1)
 	go func() {
@@ -533,7 +534,7 @@ func TestGracefulShutdownHTTP2(t *testing.T) {
 }
 
 func TestServeTCP_RateLimited(t *testing.T) {
-	ctx, cancel := context.WithCancel(t.Context())
+	ctx, cancel := context.WithCancel(context.Background())
 	http2Conn, edgeConn := newTestHTTP2Connection()
 
 	var wg sync.WaitGroup
@@ -565,7 +566,7 @@ func TestServeTCP_RateLimited(t *testing.T) {
 func benchmarkServeHTTP(b *testing.B, test testRequest) {
 	http2Conn, edgeConn := newTestHTTP2Connection()
 
-	ctx, cancel := context.WithCancel(b.Context())
+	ctx, cancel := context.WithCancel(context.Background())
 	var wg sync.WaitGroup
 	wg.Add(1)
 	go func() {

connection/observer.go

@@ -46,15 +46,6 @@ func (o *Observer) RegisterSink(sink EventSink) {
 	o.addSinkChan <- sink
 }
 
-func (o *Observer) logConnecting(connIndex uint8, address net.IP, protocol Protocol) {
-	o.log.Debug().
-		Int(management.EventTypeKey, int(management.Cloudflared)).
-		Uint8(LogFieldConnIndex, connIndex).
-		IPAddr(LogFieldIPAddress, address).
-		Str(LogFieldProtocol, protocol.String()).
-		Msg("Registering tunnel connection")
-}
-
 func (o *Observer) logConnected(connectionID uuid.UUID, connIndex uint8, location string, address net.IP, protocol Protocol) {
 	o.log.Info().
 		Int(management.EventTypeKey, int(management.Cloudflared)).

connection/quic_connection.go

@@ -3,7 +3,6 @@ package connection
 import (
 	"bufio"
 	"context"
-	"errors"
 	"fmt"
 	"io"
 	"net"
@@ -13,16 +12,17 @@ import (
 	"sync/atomic"
 	"time"
 
+	"github.com/pkg/errors"
 	"github.com/quic-go/quic-go"
 	"github.com/rs/zerolog"
 	"golang.org/x/sync/errgroup"
 
-	"github.com/cloudflare/cloudflared/client"
 	cfdflow "github.com/cloudflare/cloudflared/flow"
 
 	cfdquic "github.com/cloudflare/cloudflared/quic"
 	"github.com/cloudflare/cloudflared/tracing"
 	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 	rpcquic "github.com/cloudflare/cloudflared/tunnelrpc/quic"
 )
 
@@ -44,7 +44,7 @@ type quicConnection struct {
 	orchestrator         Orchestrator
 	datagramHandler      DatagramSessionHandler
 	controlStreamHandler ControlStreamHandler
-	connOptions          *client.ConnectionOptionsSnapshot
+	connOptions          *tunnelpogs.ConnectionOptions
 	connIndex            uint8
 
 	rpcTimeout         time.Duration
@@ -60,12 +60,12 @@ func NewTunnelConnection(
 	orchestrator Orchestrator,
 	datagramSessionHandler DatagramSessionHandler,
 	controlStreamHandler ControlStreamHandler,
-	connOptions *client.ConnectionOptionsSnapshot,
+	connOptions *pogs.ConnectionOptions,
 	rpcTimeout time.Duration,
 	streamWriteTimeout time.Duration,
 	gracePeriod time.Duration,
 	logger *zerolog.Logger,
-) TunnelConnection {
+) (TunnelConnection, error) {
 	return &quicConnection{
 		conn:                 conn,
 		logger:               logger,
@@ -77,11 +77,10 @@ func NewTunnelConnection(
 		rpcTimeout:           rpcTimeout,
 		streamWriteTimeout:   streamWriteTimeout,
 		gracePeriod:          gracePeriod,
-	}
+	}, nil
 }
 
 // Serve starts a QUIC connection that begins accepting streams.
-// Returning a nil error means cloudflared will exit for good and will not attempt to reconnect.
 func (q *quicConnection) Serve(ctx context.Context) error {
 	// The edge assumes the first stream is used for the control plane
 	controlStream, err := q.conn.OpenStream()
@@ -89,16 +88,16 @@ func (q *quicConnection) Serve(ctx context.Context) error {
 		return fmt.Errorf("failed to open a registration control stream: %w", err)
 	}
 
+	// If either goroutine returns nil error, we rely on this cancellation to make sure the other goroutine exits
+	// as fast as possible as well. Nil error means we want to exit for good (caller code won't retry serving this
+	// connection).
 	// If either goroutine returns a non nil error, then the error group cancels the context, thus also canceling the
-	// other goroutines. We enforce returning a not-nil error for each function started in the errgroup by logging
-	// the error returned and returning a custom error type instead.
+	// other goroutine as fast as possible.
+	ctx, cancel := context.WithCancel(ctx)
 	errGroup, ctx := errgroup.WithContext(ctx)
 
-	// Close the quic connection if any of the following routines return from the errgroup (regardless of their error)
-	// because they are no longer processing requests for the connection.
-	defer q.Close()
-
-	// Start the control stream routine
+	// In the future, if cloudflared can autonomously push traffic to the edge, we have to make sure the control
+	// stream is already fully registered before the other goroutines can proceed.
 	errGroup.Go(func() error {
 		// err is equal to nil if we exit due to unregistration. If that happens we want to wait the full
 		// amount of the grace period, allowing requests to finish before we cancel the context, which will
@@ -115,26 +114,16 @@ func (q *quicConnection) Serve(ctx context.Context) error {
 				}
 			}
 		}
-		if err != nil {
-			q.logger.Error().Err(err).Msg("failed to serve the control stream")
-		}
-		return &ControlStreamError{}
+		cancel()
+		return err
 	})
-	// Start the accept stream loop routine
 	errGroup.Go(func() error {
-		err := q.acceptStream(ctx)
-		if err != nil {
-			q.logger.Error().Err(err).Msg("failed to accept incoming stream requests")
-		}
-		return &StreamListenerError{}
+		defer cancel()
+		return q.acceptStream(ctx)
 	})
-	// Start the datagram handler routine
 	errGroup.Go(func() error {
-		err := q.datagramHandler.Serve(ctx)
-		if err != nil {
-			q.logger.Error().Err(err).Msg("failed to run the datagram handler")
-		}
-		return &DatagramManagerError{}
+		defer cancel()
+		return q.datagramHandler.Serve(ctx)
 	})
 
 	return errGroup.Wait()
@@ -142,7 +131,7 @@ func (q *quicConnection) Serve(ctx context.Context) error {
 
 // serveControlStream will serve the RPC; blocking until the control plane is done.
 func (q *quicConnection) serveControlStream(ctx context.Context, controlStream quic.Stream) error {
-	return q.controlStreamHandler.ServeControlStream(ctx, controlStream, q.connOptions.ConnectionOptions(), q.orchestrator)
+	return q.controlStreamHandler.ServeControlStream(ctx, controlStream, q.connOptions, q.orchestrator)
 }
 
 // Close the connection with no errors specified.
@@ -151,6 +140,7 @@ func (q *quicConnection) Close() {
 }
 
 func (q *quicConnection) acceptStream(ctx context.Context) error {
+	defer q.Close()
 	for {
 		quicStream, err := q.conn.AcceptStream(ctx)
 		if err != nil {
@@ -240,12 +230,12 @@ func (q *quicConnection) dispatchRequest(ctx context.Context, stream *rpcquic.Re
 			ConnIndex: q.connIndex,
 		}), rwa.connectResponseSent
 	default:
-		return fmt.Errorf("unsupported error type: %s", request.Type), false
+		return errors.Errorf("unsupported error type: %s", request.Type), false
 	}
 }
 
 // UpdateConfiguration is the RPC method invoked by edge when there is a new configuration
-func (q *quicConnection) UpdateConfiguration(ctx context.Context, version int32, config []byte) *pogs.UpdateConfigurationResponse {
+func (q *quicConnection) UpdateConfiguration(ctx context.Context, version int32, config []byte) *tunnelpogs.UpdateConfigurationResponse {
 	return q.orchestrator.UpdateConfig(version, config)
 }
 

connection/quic_connection_test.go

@@ -29,8 +29,6 @@ import (
 	"github.com/stretchr/testify/require"
 	"golang.org/x/net/nettest"
 
-	"github.com/cloudflare/cloudflared/client"
-	"github.com/cloudflare/cloudflared/config"
 	cfdflow "github.com/cloudflare/cloudflared/flow"
 
 	"github.com/cloudflare/cloudflared/datagramsession"
@@ -61,7 +59,7 @@ func TestQUICServer(t *testing.T) {
 	err := wsutil.WriteClientBinary(wsBuf, []byte("Hello"))
 	require.NoError(t, err)
 
-	tests := []struct {
+	var tests = []struct {
 		desc             string
 		dest             string
 		connectionType   pogs.ConnectionType
@@ -151,7 +149,7 @@ func TestQUICServer(t *testing.T) {
 	for i, test := range tests {
 		test := test // capture range variable
 		t.Run(test.desc, func(t *testing.T) {
-			ctx, cancel := context.WithCancel(t.Context())
+			ctx, cancel := context.WithCancel(context.Background())
 			// Start a UDP Listener for QUIC.
 			udpAddr, err := net.ResolveUDPAddr("udp", "127.0.0.1:0")
 			require.NoError(t, err)
@@ -195,7 +193,6 @@ func (fakeControlStream) ServeControlStream(ctx context.Context, rw io.ReadWrite
 	<-ctx.Done()
 	return nil
 }
-
 func (fakeControlStream) IsStopped() bool {
 	return true
 }
@@ -213,7 +210,7 @@ func quicServer(
 	session, err := listener.Accept(ctx)
 	require.NoError(t, err)
 
-	quicStream, err := session.OpenStreamSync(t.Context())
+	quicStream, err := session.OpenStreamSync(context.Background())
 	require.NoError(t, err)
 	stream := cfdquic.NewSafeStreamCloser(quicStream, defaultQUICTimeout, &log)
 
@@ -280,7 +277,7 @@ func (moc *mockOriginProxyWithRequest) ProxyHTTP(w ResponseWriter, tr *tracing.T
 }
 
 func TestBuildHTTPRequest(t *testing.T) {
-	tests := []struct {
+	var tests = []struct {
 		name           string
 		connectRequest *pogs.ConnectRequest
 		body           io.ReadCloser
@@ -501,7 +498,7 @@ func TestBuildHTTPRequest(t *testing.T) {
 	for _, test := range tests {
 		test := test // capture range variable
 		t.Run(test.name, func(t *testing.T) {
-			req, err := buildHTTPRequest(t.Context(), test.connectRequest, test.body, 0, &log)
+			req, err := buildHTTPRequest(context.Background(), test.connectRequest, test.body, 0, &log)
 			require.NoError(t, err)
 			test.req = test.req.WithContext(req.Context())
 			require.Equal(t, test.req, req.Request)
@@ -527,7 +524,7 @@ func TestServeUDPSession(t *testing.T) {
 	require.NoError(t, err)
 	defer udpListener.Close()
 
-	ctx, cancel := context.WithCancel(t.Context())
+	ctx, cancel := context.WithCancel(context.Background())
 
 	// Establish QUIC connection with edge
 	edgeQUICSessionChan := make(chan quic.Connection)
@@ -608,7 +605,7 @@ func TestCreateUDPConnReuseSourcePort(t *testing.T) {
 // TestTCPProxy_FlowRateLimited tests if the pogs.ConnectResponse returns the expected error and metadata, when a
 // new flow is rate limited.
 func TestTCPProxy_FlowRateLimited(t *testing.T) {
-	ctx, cancel := context.WithCancel(t.Context())
+	ctx, cancel := context.WithCancel(context.Background())
 
 	// Start a UDP Listener for QUIC.
 	udpAddr, err := net.ResolveUDPAddr("udp", "127.0.0.1:0")
@@ -629,7 +626,7 @@ func TestTCPProxy_FlowRateLimited(t *testing.T) {
 		session, err := quicListener.Accept(ctx)
 		assert.NoError(t, err)
 
-		quicStream, err := session.OpenStreamSync(t.Context())
+		quicStream, err := session.OpenStreamSync(context.Background())
 		assert.NoError(t, err)
 		stream := cfdquic.NewSafeStreamCloser(quicStream, defaultQUICTimeout, &log)
 
@@ -690,7 +687,9 @@ func testCreateUDPConnReuseSourcePortForEdgeIP(t *testing.T, edgeIP netip.AddrPo
 }
 
 func serveSession(ctx context.Context, datagramConn *datagramV2Connection, edgeQUICSession quic.Connection, closeType closeReason, expectedReason string, t *testing.T) {
-	payload := []byte(t.Name())
+	var (
+		payload = []byte(t.Name())
+	)
 	sessionID := uuid.New()
 	cfdConn, originConn := net.Pipe()
 	// Registers and run a new session
@@ -803,7 +802,7 @@ func testTunnelConnection(t *testing.T, serverAddr netip.AddrPort, index uint8)
 	}
 	// Start a mock httpProxy
 	log := zerolog.New(io.Discard)
-	ctx, cancel := context.WithCancel(t.Context())
+	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
 	// Dial the QUIC connection to the edge
@@ -824,15 +823,6 @@ func testTunnelConnection(t *testing.T, serverAddr netip.AddrPort, index uint8)
 	sessionManager := datagramsession.NewManager(&log, datagramMuxer.SendToSession, sessionDemuxChan)
 	var connIndex uint8 = 0
 	packetRouter := ingress.NewPacketRouter(nil, datagramMuxer, connIndex, &log)
-	testDefaultDialer := ingress.NewDialer(ingress.WarpRoutingConfig{
-		ConnectTimeout: config.CustomDuration{Duration: 1 * time.Second},
-		TCPKeepAlive:   config.CustomDuration{Duration: 15 * time.Second},
-		MaxActiveFlows: 0,
-	})
-	originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
-		DefaultDialer:   testDefaultDialer,
-		TCPWriteTimeout: 1 * time.Second,
-	}, &log)
 
 	datagramConn := &datagramV2Connection{
 		conn,
@@ -840,26 +830,26 @@ func testTunnelConnection(t *testing.T, serverAddr netip.AddrPort, index uint8)
 		sessionManager,
 		cfdflow.NewLimiter(0),
 		datagramMuxer,
-		originDialer,
 		packetRouter,
 		15 * time.Second,
 		0 * time.Second,
 		&log,
 	}
 
-	tunnelConn := NewTunnelConnection(
+	tunnelConn, err := NewTunnelConnection(
 		ctx,
 		conn,
 		index,
 		&mockOrchestrator{originProxy: &mockOriginProxyWithRequest{}},
 		datagramConn,
 		fakeControlStream{},
-		&client.ConnectionOptionsSnapshot{},
+		&pogs.ConnectionOptions{},
 		15*time.Second,
 		0*time.Second,
 		0*time.Second,
 		&log,
 	)
+	require.NoError(t, err)
 	return tunnelConn, datagramConn
 }
 

connection/quic_datagram_v2.go

@@ -4,11 +4,9 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"net/netip"
 	"time"
 
 	"github.com/google/uuid"
-	"github.com/pkg/errors"
 	pkgerrors "github.com/pkg/errors"
 	"github.com/quic-go/quic-go"
 	"github.com/rs/zerolog"
@@ -34,10 +32,6 @@ const (
 	demuxChanCapacity = 16
 )
 
-var (
-	errInvalidDestinationIP = errors.New("unable to parse destination IP")
-)
-
 // DatagramSessionHandler is a service that can serve datagrams for a connection and handle sessions from incoming
 // connection streams.
 type DatagramSessionHandler interface {
@@ -57,9 +51,6 @@ type datagramV2Connection struct {
 
 	// datagramMuxer mux/demux datagrams from quic connection
 	datagramMuxer *cfdquic.DatagramMuxerV2
-	// originDialer is the origin dialer for UDP requests
-	originDialer ingress.OriginUDPDialer
-	// packetRouter acts as the origin router for ICMP requests
 	packetRouter  *ingress.PacketRouter
 
 	rpcTimeout         time.Duration
@@ -70,7 +61,6 @@ type datagramV2Connection struct {
 
 func NewDatagramV2Connection(ctx context.Context,
 	conn quic.Connection,
-	originDialer ingress.OriginUDPDialer,
 	icmpRouter ingress.ICMPRouter,
 	index uint8,
 	rpcTimeout time.Duration,
@@ -89,7 +79,6 @@ func NewDatagramV2Connection(ctx context.Context,
 		sessionManager:     sessionManager,
 		flowLimiter:        flowLimiter,
 		datagramMuxer:      datagramMuxer,
-		originDialer:       originDialer,
 		packetRouter:       packetRouter,
 		rpcTimeout:         rpcTimeout,
 		streamWriteTimeout: streamWriteTimeout,
@@ -98,17 +87,24 @@ func NewDatagramV2Connection(ctx context.Context,
 }
 
 func (d *datagramV2Connection) Serve(ctx context.Context) error {
-	// If either goroutine from the errgroup returns at all (error or nil), we rely on its cancellation to make sure
-	// the other goroutines as well.
+	// If either goroutine returns nil error, we rely on this cancellation to make sure the other goroutine exits
+	// as fast as possible as well. Nil error means we want to exit for good (caller code won't retry serving this
+	// connection).
+	// If either goroutine returns a non nil error, then the error group cancels the context, thus also canceling the
+	// other goroutine as fast as possible.
+	ctx, cancel := context.WithCancel(ctx)
 	errGroup, ctx := errgroup.WithContext(ctx)
 
 	errGroup.Go(func() error {
+		defer cancel()
 		return d.sessionManager.Serve(ctx)
 	})
 	errGroup.Go(func() error {
+		defer cancel()
 		return d.datagramMuxer.ServeReceive(ctx)
 	})
 	errGroup.Go(func() error {
+		defer cancel()
 		return d.packetRouter.Serve(ctx)
 	})
 
@@ -132,29 +128,12 @@ func (q *datagramV2Connection) RegisterUdpSession(ctx context.Context, sessionID
 		tracing.EndWithErrorStatus(registerSpan, err)
 		return nil, err
 	}
-	// We need to force the net.IP to IPv4 (if it's an IPv4 address) otherwise the net.IP conversion from capnp
-	// will be a IPv4-mapped-IPv6 address.
-	// In the case that the address is IPv6 we leave it untouched and parse it as normal.
-	ip := dstIP.To4()
-	if ip == nil {
-		ip = dstIP
-	}
-	// Parse the dstIP and dstPort into a netip.AddrPort
-	// This should never fail because the IP was already parsed as a valid net.IP
-	destAddr, ok := netip.AddrFromSlice(ip)
-	if !ok {
-		log.Err(errInvalidDestinationIP).Msgf("Failed to parse destination proxy IP: %s", ip)
-		tracing.EndWithErrorStatus(registerSpan, errInvalidDestinationIP)
-		q.flowLimiter.Release()
-		return nil, errInvalidDestinationIP
-	}
-	dstAddrPort := netip.AddrPortFrom(destAddr, dstPort)
 
 	// Each session is a series of datagram from an eyeball to a dstIP:dstPort.
 	// (src port, dst IP, dst port) uniquely identifies a session, so it needs a dedicated connected socket.
-	originProxy, err := q.originDialer.DialUDP(dstAddrPort)
+	originProxy, err := ingress.DialUDP(dstIP, dstPort)
 	if err != nil {
-		log.Err(err).Msgf("Failed to create udp proxy to %s", dstAddrPort)
+		log.Err(err).Msgf("Failed to create udp proxy to %s:%d", dstIP, dstPort)
 		tracing.EndWithErrorStatus(registerSpan, err)
 		q.flowLimiter.Release()
 		return nil, err

connection/quic_datagram_v2_test.go

@@ -16,7 +16,8 @@ import (
 	"github.com/cloudflare/cloudflared/mocks"
 )
 
-type mockQuicConnection struct{}
+type mockQuicConnection struct {
+}
 
 func (m *mockQuicConnection) AcceptStream(_ context.Context) (quic.Stream, error) {
 	return nil, nil
@@ -70,10 +71,6 @@ func (m *mockQuicConnection) ReceiveDatagram(_ context.Context) ([]byte, error)
 	return nil, nil
 }
 
-func (m *mockQuicConnection) AddPath(*quic.Transport) (*quic.Path, error) {
-	return nil, nil
-}
-
 func TestRateLimitOnNewDatagramV2UDPSession(t *testing.T) {
 	log := zerolog.Nop()
 	conn := &mockQuicConnection{}
@@ -81,10 +78,9 @@ func TestRateLimitOnNewDatagramV2UDPSession(t *testing.T) {
 	flowLimiterMock := mocks.NewMockLimiter(ctrl)
 
 	datagramConn := NewDatagramV2Connection(
-		t.Context(),
+		context.Background(),
 		conn,
 		nil,
-		nil,
 		0,
 		0*time.Second,
 		0*time.Second,
@@ -95,6 +91,6 @@ func TestRateLimitOnNewDatagramV2UDPSession(t *testing.T) {
 	flowLimiterMock.EXPECT().Acquire("udp").Return(cfdflow.ErrTooManyActiveFlows)
 	flowLimiterMock.EXPECT().Release().Times(0)
 
-	_, err := datagramConn.RegisterUdpSession(t.Context(), uuid.New(), net.IPv4(0, 0, 0, 0), 1000, 1*time.Second, "")
+	_, err := datagramConn.RegisterUdpSession(context.Background(), uuid.New(), net.IPv4(0, 0, 0, 0), 1000, 1*time.Second, "")
 	require.ErrorIs(t, err, cfdflow.ErrTooManyActiveFlows)
 }

connection/quic_datagram_v3.go

@@ -2,11 +2,11 @@ package connection
 
 import (
 	"context"
+	"fmt"
 	"net"
 	"time"
 
 	"github.com/google/uuid"
-	"github.com/pkg/errors"
 	"github.com/quic-go/quic-go"
 	"github.com/rs/zerolog"
 
@@ -16,17 +16,10 @@ import (
 	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 
-var (
-	ErrUnsupportedRPCUDPRegistration   = errors.New("datagram v3 does not support RegisterUdpSession RPC")
-	ErrUnsupportedRPCUDPUnregistration = errors.New("datagram v3 does not support UnregisterUdpSession RPC")
-)
-
 type datagramV3Connection struct {
 	conn quic.Connection
-	index uint8
 	// datagramMuxer mux/demux datagrams from quic connection
 	datagramMuxer cfdquic.DatagramConn
-	metrics       cfdquic.Metrics
 	logger        *zerolog.Logger
 }
 
@@ -47,9 +40,7 @@ func NewDatagramV3Connection(ctx context.Context,
 
 	return &datagramV3Connection{
 		conn,
-		index,
 		datagramMuxer,
-		metrics,
 		logger,
 	}
 }
@@ -59,11 +50,9 @@ func (d *datagramV3Connection) Serve(ctx context.Context) error {
 }
 
 func (d *datagramV3Connection) RegisterUdpSession(ctx context.Context, sessionID uuid.UUID, dstIP net.IP, dstPort uint16, closeAfterIdleHint time.Duration, traceContext string) (*pogs.RegisterUdpSessionResponse, error) {
-	d.metrics.UnsupportedRemoteCommand(d.index, "register_udp_session")
-	return nil, ErrUnsupportedRPCUDPRegistration
+	return nil, fmt.Errorf("datagram v3 does not support RegisterUdpSession RPC")
 }
 
 func (d *datagramV3Connection) UnregisterUdpSession(ctx context.Context, sessionID uuid.UUID, message string) error {
-	d.metrics.UnsupportedRemoteCommand(d.index, "unregister_udp_session")
-	return ErrUnsupportedRPCUDPUnregistration
+	return fmt.Errorf("datagram v3 does not support UnregisterUdpSession RPC")
 }

credentials/credentials.go

@@ -10,8 +10,6 @@ import (
 const (
 	logFieldOriginCertPath = "originCertPath"
 	FedEndpoint            = "fed"
-	FedRampBaseApiURL      = "https://api.fed.cloudflare.com/client/v4"
-	FedRampHostname        = "management.fed.argotunnel.com"
 )
 
 type User struct {
@@ -23,10 +21,6 @@ func (c User) AccountID() string {
 	return c.cert.AccountID
 }
 
-func (c User) Endpoint() string {
-	return c.cert.Endpoint
-}
-
 func (c User) ZoneID() string {
 	return c.cert.ZoneID
 }

credentials/credentials_test.go

@@ -3,7 +3,7 @@ package credentials
 import (
 	"io/fs"
 	"os"
-	"path/filepath"
+	"path"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -13,8 +13,8 @@ func TestCredentialsRead(t *testing.T) {
 	file, err := os.ReadFile("test-cloudflare-tunnel-cert-json.pem")
 	require.NoError(t, err)
 	dir := t.TempDir()
-	certPath := filepath.Join(dir, originCertFile)
-	_ = os.WriteFile(certPath, file, fs.ModePerm)
+	certPath := path.Join(dir, originCertFile)
+	os.WriteFile(certPath, file, fs.ModePerm)
 	user, err := Read(certPath, &nopLog)
 	require.NoError(t, err)
 	require.Equal(t, certPath, user.CertPath())

credentials/origin_cert_test.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"io/fs"
 	"os"
-	"path/filepath"
+	"path"
 	"testing"
 
 	"github.com/rs/zerolog"
@@ -63,7 +63,7 @@ func TestFindOriginCert_Valid(t *testing.T) {
 	file, err := os.ReadFile("test-cloudflare-tunnel-cert-json.pem")
 	require.NoError(t, err)
 	dir := t.TempDir()
-	certPath := filepath.Join(dir, originCertFile)
+	certPath := path.Join(dir, originCertFile)
 	_ = os.WriteFile(certPath, file, fs.ModePerm)
 	path, err := FindOriginCert(certPath, &nopLog)
 	require.NoError(t, err)
@@ -72,7 +72,7 @@ func TestFindOriginCert_Valid(t *testing.T) {
 
 func TestFindOriginCert_Missing(t *testing.T) {
 	dir := t.TempDir()
-	certPath := filepath.Join(dir, originCertFile)
+	certPath := path.Join(dir, originCertFile)
 	_, err := FindOriginCert(certPath, &nopLog)
 	require.Error(t, err)
 }

datagramsession/session.go

@@ -84,7 +84,7 @@ func (s *Session) waitForCloseCondition(ctx context.Context, closeAfterIdle time
 	// Closing dstConn cancels read so dstToTransport routine in Serve() can return
 	defer s.dstConn.Close()
 	if closeAfterIdle == 0 {
-		// provide default is caller doesn't specify one
+		// provide deafult is caller doesn't specify one
 		closeAfterIdle = defaultCloseIdleAfter
 	}
 

datagramsession/session_test.go

@@ -12,7 +12,6 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/rs/zerolog"
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/sync/errgroup"
 
@@ -35,10 +34,12 @@ func TestCloseIdle(t *testing.T) {
 }
 
 func testSessionReturns(t *testing.T, closeBy closeMethod, closeAfterIdle time.Duration) {
-	localCloseReason := &errClosedSession{
+	var (
+		localCloseReason = &errClosedSession{
 			message:  "connection closed by origin",
 			byRemote: false,
 		}
+	)
 	sessionID := uuid.New()
 	cfdConn, originConn := net.Pipe()
 	payload := testPayload(sessionID)
@@ -47,28 +48,28 @@ func testSessionReturns(t *testing.T, closeBy closeMethod, closeAfterIdle time.D
 	mg := NewManager(&log, nil, nil)
 	session := mg.newSession(sessionID, cfdConn)
 
-	ctx, cancel := context.WithCancel(t.Context())
+	ctx, cancel := context.WithCancel(context.Background())
 	sessionDone := make(chan struct{})
 	go func() {
 		closedByRemote, err := session.Serve(ctx, closeAfterIdle)
 		switch closeBy {
 		case closeByContext:
-			assert.Equal(t, context.Canceled, err)
-			assert.False(t, closedByRemote)
+			require.Equal(t, context.Canceled, err)
+			require.False(t, closedByRemote)
 		case closeByCallingClose:
-			assert.Equal(t, localCloseReason, err)
-			assert.Equal(t, localCloseReason.byRemote, closedByRemote)
+			require.Equal(t, localCloseReason, err)
+			require.Equal(t, localCloseReason.byRemote, closedByRemote)
 		case closeByTimeout:
-			assert.Equal(t, SessionIdleErr(closeAfterIdle), err)
-			assert.False(t, closedByRemote)
+			require.Equal(t, SessionIdleErr(closeAfterIdle), err)
+			require.False(t, closedByRemote)
 		}
 		close(sessionDone)
 	}()
 
 	go func() {
 		n, err := session.transportToDst(payload)
-		assert.NoError(t, err)
-		assert.Equal(t, len(payload), n)
+		require.NoError(t, err)
+		require.Equal(t, len(payload), n)
 	}()
 
 	readBuffer := make([]byte, len(payload)+1)
@@ -83,8 +84,6 @@ func testSessionReturns(t *testing.T, closeBy closeMethod, closeAfterIdle time.D
 		cancel()
 	case closeByCallingClose:
 		session.close(localCloseReason)
-	default:
-		// ignore
 	}
 
 	<-sessionDone
@@ -126,10 +125,10 @@ func testActiveSessionNotClosed(t *testing.T, readFromDst bool, writeToDst bool)
 
 	startTime := time.Now()
 	activeUntil := startTime.Add(activeTime)
-	ctx, cancel := context.WithCancel(t.Context())
+	ctx, cancel := context.WithCancel(context.Background())
 	errGroup, ctx := errgroup.WithContext(ctx)
 	errGroup.Go(func() error {
-		_, _ = session.Serve(ctx, closeAfterIdle)
+		session.Serve(ctx, closeAfterIdle)
 		if time.Now().Before(startTime.Add(activeTime)) {
 			return fmt.Errorf("session closed while it's still active")
 		}
@@ -209,7 +208,7 @@ func TestZeroBytePayload(t *testing.T) {
 	mg := NewManager(&nopLogger, sender.muxSession, nil)
 	session := mg.newSession(sessionID, cfdConn)
 
-	ctx, cancel := context.WithCancel(t.Context())
+	ctx, cancel := context.WithCancel(context.Background())
 	errGroup, ctx := errgroup.WithContext(ctx)
 	errGroup.Go(func() error {
 		// Read from underlying conn and send to transport

dev.Dockerfile

@@ -0,0 +1,10 @@
+FROM golang:1.22.10 as builder
+ENV GO111MODULE=on \
+  CGO_ENABLED=0
+WORKDIR /go/src/github.com/cloudflare/cloudflared/
+RUN apt-get update
+COPY . .
+RUN .teamcity/install-cloudflare-go.sh
+# compile cloudflared
+RUN PATH="/tmp/go/bin:$PATH" make cloudflared
+RUN cp /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/

features/features.go

@@ -1,7 +1,5 @@
 package features
 
-import "slices"
-
 const (
 	FeatureSerializedHeaders = "serialized_headers"
 	FeatureQuickReconnects   = "quick_reconnects"
@@ -10,10 +8,7 @@ const (
 	FeaturePostQuantum       = "postquantum"
 	FeatureQUICSupportEOF    = "support_quic_eof"
 	FeatureManagementLogs    = "management_logs"
-	FeatureDatagramV3_2      = "support_datagram_v3_2"
-
-	DeprecatedFeatureDatagramV3   = "support_datagram_v3"   // Deprecated: TUN-9291
-	DeprecatedFeatureDatagramV3_1 = "support_datagram_v3_1" // Deprecated: TUN-9883
+	FeatureDatagramV3        = "support_datagram_v3"
 )
 
 var defaultFeatures = []string{
@@ -24,26 +19,11 @@ var defaultFeatures = []string{
 	FeatureManagementLogs,
 }
 
-// List of features that are no longer in-use.
-var deprecatedFeatures = []string{
-	DeprecatedFeatureDatagramV3,
-	DeprecatedFeatureDatagramV3_1,
-}
-
 // Features set by user provided flags
 type staticFeatures struct {
 	PostQuantumMode *PostQuantumMode
 }
 
-type FeatureSnapshot struct {
-	PostQuantum     PostQuantumMode
-	DatagramVersion DatagramVersion
-
-	// We provide the list of features since we need it to send in the ConnectionOptions during connection
-	// registrations.
-	FeaturesList []string
-}
-
 type PostQuantumMode uint8
 
 const (
@@ -60,19 +40,15 @@ const (
 	// DatagramV2 is the currently supported datagram protocol for UDP and ICMP packets
 	DatagramV2 DatagramVersion = FeatureDatagramV2
 	// DatagramV3 is a new datagram protocol for UDP and ICMP packets. It is not backwards compatible with datagram v2.
-	DatagramV3 DatagramVersion = FeatureDatagramV3_2
+	DatagramV3 DatagramVersion = FeatureDatagramV3
 )
 
-// Remove any duplicate features from the list and remove deprecated features
-func dedupAndRemoveFeatures(features []string) []string {
+// Remove any duplicates from the slice
+func Dedup(slice []string) []string {
 	// Convert the slice into a set
-	set := map[string]bool{}
-	for _, feature := range features {
-		// Remove deprecated features from the provided list
-		if slices.Contains(deprecatedFeatures, feature) {
-			continue
-		}
-		set[feature] = true
+	set := make(map[string]bool, 0)
+	for _, str := range slice {
+		set[str] = true
 	}
 
 	// Convert the set back into a slice

features/selector.go

@@ -15,32 +15,28 @@ import (
 
 const (
 	featureSelectorHostname = "cfd-features.argotunnel.com"
+	defaultRefreshFreq      = time.Hour * 6
 	lookupTimeout           = time.Second * 10
-	defaultLookupFreq       = time.Hour
 )
 
 // If the TXT record adds other fields, the umarshal logic will ignore those keys
 // If the TXT record is missing a key, the field will unmarshal to the default Go value
 
 type featuresRecord struct {
-	DatagramV3Percentage uint32 `json:"dv3_2"`
+	// support_datagram_v3
+	DatagramV3Percentage int32 `json:"dv3"`
 
-	// DatagramV3Percentage int32 `json:"dv3"` // Removed in TUN-9291
-	// DatagramV3Percentage uint32 `json:"dv3_1"` // Removed in TUN-9883
 	// PostQuantumPercentage int32 `json:"pq"` // Removed in TUN-7970
 }
 
-func NewFeatureSelector(ctx context.Context, accountTag string, cliFeatures []string, pq bool, logger *zerolog.Logger) (FeatureSelector, error) {
-	return newFeatureSelector(ctx, accountTag, logger, newDNSResolver(), cliFeatures, pq, defaultLookupFreq)
+func NewFeatureSelector(ctx context.Context, accountTag string, cliFeatures []string, pq bool, logger *zerolog.Logger) (*FeatureSelector, error) {
+	return newFeatureSelector(ctx, accountTag, logger, newDNSResolver(), cliFeatures, pq, defaultRefreshFreq)
 }
 
-type FeatureSelector interface {
-	Snapshot() FeatureSnapshot
-}
-
-// FeatureSelector determines if this account will try new features; loaded once during startup.
-type featureSelector struct {
-	accountHash uint32
+// FeatureSelector determines if this account will try new features. It periodically queries a DNS TXT record
+// to see which features are turned on.
+type FeatureSelector struct {
+	accountHash int32
 	logger      *zerolog.Logger
 	resolver    resolver
 
@@ -49,10 +45,10 @@ type featureSelector struct {
 
 	// lock protects concurrent access to dynamic features
 	lock     sync.RWMutex
-	remoteFeatures featuresRecord
+	features featuresRecord
 }
 
-func newFeatureSelector(ctx context.Context, accountTag string, logger *zerolog.Logger, resolver resolver, cliFeatures []string, pq bool, refreshFreq time.Duration) (*featureSelector, error) {
+func newFeatureSelector(ctx context.Context, accountTag string, logger *zerolog.Logger, resolver resolver, cliFeatures []string, pq bool, refreshFreq time.Duration) (*FeatureSelector, error) {
 	// Combine default features and user-provided features
 	var pqMode *PostQuantumMode
 	if pq {
@@ -63,40 +59,28 @@ func newFeatureSelector(ctx context.Context, accountTag string, logger *zerolog.
 	staticFeatures := staticFeatures{
 		PostQuantumMode: pqMode,
 	}
-	selector := &featureSelector{
+	selector := &FeatureSelector{
 		accountHash:    switchThreshold(accountTag),
 		logger:         logger,
 		resolver:       resolver,
 		staticFeatures: staticFeatures,
-		cliFeatures:    dedupAndRemoveFeatures(cliFeatures),
+		cliFeatures:    Dedup(cliFeatures),
 	}
 
-	// Load the remote features
 	if err := selector.refresh(ctx); err != nil {
 		logger.Err(err).Msg("Failed to fetch features, default to disable")
 	}
 
-	// Spin off reloading routine
 	go selector.refreshLoop(ctx, refreshFreq)
 
 	return selector, nil
 }
 
-func (fs *featureSelector) Snapshot() FeatureSnapshot {
-	fs.lock.RLock()
-	defer fs.lock.RUnlock()
-	return FeatureSnapshot{
-		PostQuantum:     fs.postQuantumMode(),
-		DatagramVersion: fs.datagramVersion(),
-		FeaturesList:    fs.clientFeatures(),
-	}
-}
-
-func (fs *featureSelector) accountEnabled(percentage uint32) bool {
+func (fs *FeatureSelector) accountEnabled(percentage int32) bool {
 	return percentage > fs.accountHash
 }
 
-func (fs *featureSelector) postQuantumMode() PostQuantumMode {
+func (fs *FeatureSelector) PostQuantumMode() PostQuantumMode {
 	if fs.staticFeatures.PostQuantumMode != nil {
 		return *fs.staticFeatures.PostQuantumMode
 	}
@@ -104,9 +88,12 @@ func (fs *featureSelector) postQuantumMode() PostQuantumMode {
 	return PostQuantumPrefer
 }
 
-func (fs *featureSelector) datagramVersion() DatagramVersion {
+func (fs *FeatureSelector) DatagramVersion() DatagramVersion {
+	fs.lock.RLock()
+	defer fs.lock.RUnlock()
+
 	// If user provides the feature via the cli, we take it as priority over remote feature evaluation
-	if slices.Contains(fs.cliFeatures, FeatureDatagramV3_2) {
+	if slices.Contains(fs.cliFeatures, FeatureDatagramV3) {
 		return DatagramV3
 	}
 	// If the user specifies DatagramV2, we also take that over remote
@@ -114,20 +101,36 @@ func (fs *featureSelector) datagramVersion() DatagramVersion {
 		return DatagramV2
 	}
 
-	if fs.accountEnabled(fs.remoteFeatures.DatagramV3Percentage) {
+	if fs.accountEnabled(fs.features.DatagramV3Percentage) {
 		return DatagramV3
 	}
-
 	return DatagramV2
 }
 
-// clientFeatures will return the list of currently available features that cloudflared should provide to the edge.
-func (fs *featureSelector) clientFeatures() []string {
+// ClientFeatures will return the list of currently available features that cloudflared should provide to the edge.
+//
+// This list is dynamic and can change in-between returns.
+func (fs *FeatureSelector) ClientFeatures() []string {
 	// Evaluate any remote features along with static feature list to construct the list of features
-	return dedupAndRemoveFeatures(slices.Concat(defaultFeatures, fs.cliFeatures, []string{string(fs.datagramVersion())}))
+	return Dedup(slices.Concat(defaultFeatures, fs.cliFeatures, []string{string(fs.DatagramVersion())}))
 }
 
-func (fs *featureSelector) refresh(ctx context.Context) error {
+func (fs *FeatureSelector) refreshLoop(ctx context.Context, refreshFreq time.Duration) {
+	ticker := time.NewTicker(refreshFreq)
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			err := fs.refresh(ctx)
+			if err != nil {
+				fs.logger.Err(err).Msg("Failed to refresh feature selector")
+			}
+		}
+	}
+}
+
+func (fs *FeatureSelector) refresh(ctx context.Context) error {
 	record, err := fs.resolver.lookupRecord(ctx)
 	if err != nil {
 		return err
@@ -141,26 +144,11 @@ func (fs *featureSelector) refresh(ctx context.Context) error {
 	fs.lock.Lock()
 	defer fs.lock.Unlock()
 
-	fs.remoteFeatures = features
+	fs.features = features
 
 	return nil
 }
 
-func (fs *featureSelector) refreshLoop(ctx context.Context, refreshFreq time.Duration) {
-	ticker := time.NewTicker(refreshFreq)
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-ticker.C:
-			err := fs.refresh(ctx)
-			if err != nil {
-				fs.logger.Err(err).Msg("Failed to refresh feature selector")
-			}
-		}
-	}
-}
-
 // resolver represents an object that can look up featuresRecord
 type resolver interface {
 	lookupRecord(ctx context.Context) ([]byte, error)
@@ -192,8 +180,8 @@ func (dr *dnsResolver) lookupRecord(ctx context.Context) ([]byte, error) {
 	return []byte(records[0]), nil
 }
 
-func switchThreshold(accountTag string) uint32 {
+func switchThreshold(accountTag string) int32 {
 	h := fnv.New32a()
 	_, _ = h.Write([]byte(accountTag))
-	return h.Sum32() % 100
+	return int32(h.Sum32() % 100)
 }

features/selector_test.go

@@ -11,26 +11,21 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-const (
-	testAccountTag  = "123456"
-	testAccountHash = 74 // switchThreshold of `accountTag`
-)
-
 func TestUnmarshalFeaturesRecord(t *testing.T) {
 	tests := []struct {
 		record             []byte
-		expectedPercentage uint32
+		expectedPercentage int32
 	}{
 		{
-			record:             []byte(`{"dv3_2":0}`),
+			record:             []byte(`{"dv3":0}`),
 			expectedPercentage: 0,
 		},
 		{
-			record:             []byte(`{"dv3_2":39}`),
+			record:             []byte(`{"dv3":39}`),
 			expectedPercentage: 39,
 		},
 		{
-			record:             []byte(`{"dv3_2":100}`),
+			record:             []byte(`{"dv3":100}`),
 			expectedPercentage: 100,
 		},
 		{
@@ -39,9 +34,6 @@ func TestUnmarshalFeaturesRecord(t *testing.T) {
 		{
 			record: []byte(`{"kyber":768}`), // Unmarshal to default struct if key is not present
 		},
-		{
-			record: []byte(`{"pq": 101,"dv3":100,"dv3_1":100}`), // Expired keys don't unmarshal to anything
-		},
 	}
 
 	for _, test := range tests {
@@ -69,7 +61,7 @@ func TestFeaturePrecedenceEvaluationPostQuantum(t *testing.T) {
 		{
 			name:             "user_specified",
 			cli:              true,
-			expectedFeatures: dedupAndRemoveFeatures(append(defaultFeatures, FeaturePostQuantum)),
+			expectedFeatures: Dedup(append(defaultFeatures, FeaturePostQuantum)),
 			expectedVersion:  PostQuantumStrict,
 		},
 	}
@@ -77,11 +69,10 @@ func TestFeaturePrecedenceEvaluationPostQuantum(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			resolver := &staticResolver{record: featuresRecord{}}
-			selector, err := newFeatureSelector(t.Context(), test.name, &logger, resolver, []string{}, test.cli, time.Second)
+			selector, err := newFeatureSelector(context.Background(), test.name, &logger, resolver, []string{}, test.cli, time.Second)
 			require.NoError(t, err)
-			snapshot := selector.Snapshot()
-			require.ElementsMatch(t, test.expectedFeatures, snapshot.FeaturesList)
-			require.Equal(t, test.expectedVersion, snapshot.PostQuantum)
+			require.ElementsMatch(t, test.expectedFeatures, selector.ClientFeatures())
+			require.Equal(t, test.expectedVersion, selector.PostQuantumMode())
 		})
 	}
 }
@@ -111,126 +102,97 @@ func TestFeaturePrecedenceEvaluationDatagramVersion(t *testing.T) {
 		},
 		{
 			name:             "user_specified_v3",
-			cli:              []string{FeatureDatagramV3_2},
+			cli:              []string{FeatureDatagramV3},
 			remote:           featuresRecord{},
-			expectedFeatures: dedupAndRemoveFeatures(append(defaultFeatures, FeatureDatagramV3_2)),
-			expectedVersion:  FeatureDatagramV3_2,
+			expectedFeatures: Dedup(append(defaultFeatures, FeatureDatagramV3)),
+			expectedVersion:  FeatureDatagramV3,
 		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			resolver := &staticResolver{record: test.remote}
-			selector, err := newFeatureSelector(t.Context(), test.name, &logger, resolver, test.cli, false, time.Second)
-			require.NoError(t, err)
-			snapshot := selector.Snapshot()
-			require.ElementsMatch(t, test.expectedFeatures, snapshot.FeaturesList)
-			require.Equal(t, test.expectedVersion, snapshot.DatagramVersion)
-		})
-	}
-}
-
-func TestDeprecatedFeaturesRemoved(t *testing.T) {
-	logger := zerolog.Nop()
-	tests := []struct {
-		name             string
-		cli              []string
-		remote           featuresRecord
-		expectedFeatures []string
-	}{
 		{
-			name:             "no_removals",
+			name: "remote_specified_v3",
 			cli:  []string{},
-			remote:           featuresRecord{},
-			expectedFeatures: defaultFeatures,
+			remote: featuresRecord{
+				DatagramV3Percentage: 100,
+			},
+			expectedFeatures: Dedup(append(defaultFeatures, FeatureDatagramV3)),
+			expectedVersion:  FeatureDatagramV3,
 		},
 		{
-			name:             "support_datagram_v3",
-			cli:              []string{DeprecatedFeatureDatagramV3},
-			remote:           featuresRecord{},
-			expectedFeatures: defaultFeatures,
+			name: "remote_and_user_specified_v3",
+			cli:  []string{FeatureDatagramV3},
+			remote: featuresRecord{
+				DatagramV3Percentage: 100,
+			},
+			expectedFeatures: Dedup(append(defaultFeatures, FeatureDatagramV3)),
+			expectedVersion:  FeatureDatagramV3,
 		},
 		{
-			name:             "support_datagram_v3_1",
-			cli:              []string{DeprecatedFeatureDatagramV3_1},
-			remote:           featuresRecord{},
+			name: "remote_v3_and_user_specified_v2",
+			cli:  []string{FeatureDatagramV2},
+			remote: featuresRecord{
+				DatagramV3Percentage: 100,
+			},
 			expectedFeatures: defaultFeatures,
+			expectedVersion:  DatagramV2,
 		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			resolver := &staticResolver{record: test.remote}
-			selector, err := newFeatureSelector(t.Context(), test.name, &logger, resolver, test.cli, false, time.Second)
+			selector, err := newFeatureSelector(context.Background(), test.name, &logger, resolver, test.cli, false, time.Second)
 			require.NoError(t, err)
-			snapshot := selector.Snapshot()
-			require.ElementsMatch(t, test.expectedFeatures, snapshot.FeaturesList)
+			require.ElementsMatch(t, test.expectedFeatures, selector.ClientFeatures())
+			require.Equal(t, test.expectedVersion, selector.DatagramVersion())
 		})
 	}
 }
 
 func TestRefreshFeaturesRecord(t *testing.T) {
-	percentages := []uint32{0, 10, testAccountHash - 1, testAccountHash, testAccountHash + 1, 100, 101, 1000}
-	selector := newTestSelector(t, percentages, false, time.Minute)
+	// The hash of the accountTag is 82
+	accountTag := t.Name()
+	threshold := switchThreshold(accountTag)
+
+	percentages := []int32{0, 10, 81, 82, 83, 100, 101, 1000}
+	refreshFreq := time.Millisecond * 10
+	selector := newTestSelector(t, percentages, false, refreshFreq)
 
 	// Starting out should default to DatagramV2
-	snapshot := selector.Snapshot()
-	require.Equal(t, DatagramV2, snapshot.DatagramVersion)
+	require.Equal(t, DatagramV2, selector.DatagramVersion())
 
 	for _, percentage := range percentages {
-		snapshot = selector.Snapshot()
-		if percentage > testAccountHash {
-			require.Equal(t, DatagramV3, snapshot.DatagramVersion)
+		if percentage > threshold {
+			require.Equal(t, DatagramV3, selector.DatagramVersion())
 		} else {
-			require.Equal(t, DatagramV2, snapshot.DatagramVersion)
+			require.Equal(t, DatagramV2, selector.DatagramVersion())
 		}
 
-		// Manually progress the next refresh
-		_ = selector.refresh(t.Context())
+		time.Sleep(refreshFreq + time.Millisecond)
 	}
 
-	// Make sure a resolver error doesn't override the last fetched features
-	snapshot = selector.Snapshot()
-	require.Equal(t, DatagramV3, snapshot.DatagramVersion)
-}
-
-func TestSnapshotIsolation(t *testing.T) {
-	percentages := []uint32{testAccountHash, testAccountHash + 1}
-	selector := newTestSelector(t, percentages, false, time.Minute)
-
-	// Starting out should default to DatagramV2
-	snapshot := selector.Snapshot()
-	require.Equal(t, DatagramV2, snapshot.DatagramVersion)
-
-	// Manually progress the next refresh
-	_ = selector.refresh(t.Context())
-
-	snapshot2 := selector.Snapshot()
-	require.Equal(t, DatagramV3, snapshot2.DatagramVersion)
-	require.NotEqual(t, snapshot.DatagramVersion, snapshot2.DatagramVersion)
+	// Make sure error doesn't override the last fetched features
+	require.Equal(t, DatagramV3, selector.DatagramVersion())
 }
 
 func TestStaticFeatures(t *testing.T) {
-	percentages := []uint32{0}
+	percentages := []int32{0}
 	// PostQuantum Enabled from user flag
-	selector := newTestSelector(t, percentages, true, time.Second)
-	snapshot := selector.Snapshot()
-	require.Equal(t, PostQuantumStrict, snapshot.PostQuantum)
+	selector := newTestSelector(t, percentages, true, time.Millisecond*10)
+	require.Equal(t, PostQuantumStrict, selector.PostQuantumMode())
 
 	// PostQuantum Disabled (or not set)
-	selector = newTestSelector(t, percentages, false, time.Second)
-	snapshot = selector.Snapshot()
-	require.Equal(t, PostQuantumPrefer, snapshot.PostQuantum)
+	selector = newTestSelector(t, percentages, false, time.Millisecond*10)
+	require.Equal(t, PostQuantumPrefer, selector.PostQuantumMode())
 }
 
-func newTestSelector(t *testing.T, percentages []uint32, pq bool, refreshFreq time.Duration) *featureSelector {
+func newTestSelector(t *testing.T, percentages []int32, pq bool, refreshFreq time.Duration) *FeatureSelector {
+	accountTag := t.Name()
 	logger := zerolog.Nop()
 
 	resolver := &mockResolver{
 		percentages: percentages,
 	}
 
-	selector, err := newFeatureSelector(t.Context(), testAccountTag, &logger, resolver, []string{}, pq, refreshFreq)
+	selector, err := newFeatureSelector(context.Background(), accountTag, &logger, resolver, []string{}, pq, refreshFreq)
 	require.NoError(t, err)
 
 	return selector
@@ -238,7 +200,7 @@ func newTestSelector(t *testing.T, percentages []uint32, pq bool, refreshFreq ti
 
 type mockResolver struct {
 	nextIndex   int
-	percentages []uint32
+	percentages []int32
 }
 
 func (mr *mockResolver) lookupRecord(ctx context.Context) ([]byte, error) {

fmt-check.sh

@@ -1,7 +1,8 @@
 #!/bin/bash
+
 set -e -o pipefail
 
-OUTPUT=$(go run -mod=readonly golang.org/x/tools/cmd/goimports@v0.30.0 -l -d -local github.com/cloudflare/cloudflared $(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc))
+OUTPUT=$(goimports -l -d -local github.com/cloudflare/cloudflared $(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc))
 
 if [ -n "$OUTPUT" ] ; then
   PAGER=$(which colordiff || echo cat)

github_release.py

@@ -61,7 +61,7 @@ def assert_tag_exists(repo, version):
         raise Exception("Tag {} not found".format(version))
 
 
-def get_or_create_release(repo, version, dry_run=False, is_draft=False):
+def get_or_create_release(repo, version, dry_run=False):
     """
     Get a Github Release matching the version tag or create a new one.
     If a conflict occurs on creation, attempt to fetch the Release on last time
@@ -81,11 +81,8 @@ def get_or_create_release(repo, version, dry_run=False, is_draft=False):
         return
 
     try:
-        if is_draft:
-            logging.info("Drafting release %s", version)
-        else:
         logging.info("Creating release %s", version)
-        return repo.create_git_release(version, version, "", is_draft)
+        return repo.create_git_release(version, version, "")
     except GithubException as e:
         errors = e.data.get("errors", [])
         if e.status == 422 and any(
@@ -132,10 +129,6 @@ def parse_args():
         "--dry-run", action="store_true", help="Do not create release or upload asset"
     )
 
-    parser.add_argument(
-        "--draft", action="store_true", help="Create a draft release"
-    )
-
     args = parser.parse_args()
     is_valid = True
     if not args.release_version:
@@ -299,7 +292,7 @@ def main():
                 for filename in onlyfiles:
                     binary_path = os.path.join(args.path, filename)
                     assert_asset_version(binary_path, args.release_version)
-                release = get_or_create_release(repo, args.release_version, args.dry_run, args.draft)
+                release = get_or_create_release(repo, args.release_version, args.dry_run)
                 for filename in onlyfiles:
                     binary_path = os.path.join(args.path, filename)
                     upload_asset(release, binary_path, filename, args.release_version, args.kv_account_id, args.namespace_id,

go.mod

@@ -1,47 +1,47 @@
 module github.com/cloudflare/cloudflared
 
-go 1.24
+go 1.22
 
 require (
-	github.com/coredns/coredns v1.12.2
+	github.com/coredns/coredns v1.11.3
 	github.com/coreos/go-oidc/v3 v3.10.0
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/facebookgo/grace v0.0.0-20180706040059-75cf19382434
 	github.com/fortytw2/leaktest v1.3.0
 	github.com/fsnotify/fsnotify v1.4.9
 	github.com/getsentry/sentry-go v0.16.0
-	github.com/go-chi/chi/v5 v5.2.2
+	github.com/go-chi/chi/v5 v5.0.8
 	github.com/go-chi/cors v1.2.1
-	github.com/go-jose/go-jose/v4 v4.1.0
+	github.com/go-jose/go-jose/v4 v4.0.1
 	github.com/gobwas/ws v1.2.1
 	github.com/google/gopacket v1.1.19
 	github.com/google/uuid v1.6.0
-	github.com/gorilla/websocket v1.5.0
+	github.com/gorilla/websocket v1.4.2
 	github.com/json-iterator/go v1.1.12
 	github.com/mattn/go-colorable v0.1.13
-	github.com/miekg/dns v1.1.66
+	github.com/miekg/dns v1.1.58
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/pkg/errors v0.9.1
-	github.com/prometheus/client_golang v1.22.0
-	github.com/prometheus/client_model v0.6.2
-	github.com/quic-go/quic-go v0.52.0
+	github.com/prometheus/client_golang v1.19.1
+	github.com/prometheus/client_model v0.6.0
+	github.com/quic-go/quic-go v0.45.0
 	github.com/rs/zerolog v1.20.0
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.9.0
 	github.com/urfave/cli/v2 v2.3.0
 	go.opentelemetry.io/contrib/propagators v0.22.0
-	go.opentelemetry.io/otel v1.35.0
+	go.opentelemetry.io/otel v1.26.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0
-	go.opentelemetry.io/otel/sdk v1.35.0
-	go.opentelemetry.io/otel/trace v1.35.0
+	go.opentelemetry.io/otel/sdk v1.26.0
+	go.opentelemetry.io/otel/trace v1.26.0
 	go.opentelemetry.io/proto/otlp v1.2.0
-	go.uber.org/automaxprocs v1.6.0
-	go.uber.org/mock v0.5.1
-	golang.org/x/crypto v0.38.0
-	golang.org/x/net v0.40.0
-	golang.org/x/sync v0.14.0
-	golang.org/x/sys v0.33.0
-	golang.org/x/term v0.32.0
-	google.golang.org/protobuf v1.36.6
+	go.uber.org/automaxprocs v1.4.0
+	go.uber.org/mock v0.5.0
+	golang.org/x/crypto v0.31.0
+	golang.org/x/net v0.26.0
+	golang.org/x/sync v0.10.0
+	golang.org/x/sys v0.28.0
+	golang.org/x/term v0.27.0
+	google.golang.org/protobuf v1.34.1
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 	gopkg.in/yaml.v3 v3.0.1
 	nhooyr.io/websocket v1.8.7
@@ -52,9 +52,8 @@ require (
 	github.com/BurntSushi/toml v1.2.0 // indirect
 	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bytedance/sonic v1.12.0 // indirect
-	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/coredns/caddy v1.1.2-0.20241029205200-8de985351a98 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/coredns/caddy v1.1.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/facebookgo/ensure v0.0.0-20160127193407-b4ab57deab51 // indirect
@@ -62,42 +61,38 @@ require (
 	github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 // indirect
 	github.com/facebookgo/subset v0.0.0-20150612182917-8dac2c3c4870 // indirect
 	github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 // indirect
-	github.com/gin-gonic/gin v1.9.1 // indirect
-	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-playground/validator/v10 v10.15.1 // indirect
-	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/gobwas/httphead v0.1.0 // indirect
 	github.com/gobwas/pool v0.2.1 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
-	github.com/google/pprof v0.0.0-20250418163039-24c5476c6587 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
+	github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect
 	github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/klauspost/compress v1.15.11 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/mattn/go-isatty v0.0.16 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/onsi/ginkgo/v2 v2.23.4 // indirect
+	github.com/onsi/ginkgo/v2 v2.13.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.9 // indirect
-	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/common v0.64.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/prometheus/common v0.53.0 // indirect
+	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.35.0 // indirect
-	golang.org/x/arch v0.4.0 // indirect
-	golang.org/x/mod v0.24.0 // indirect
-	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/text v0.25.0 // indirect
-	golang.org/x/tools v0.32.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250512202823-5a2f75b736a9 // indirect
-	google.golang.org/grpc v1.72.2 // indirect
+	go.opentelemetry.io/otel/metric v1.26.0 // indirect
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
+	golang.org/x/mod v0.18.0 // indirect
+	golang.org/x/oauth2 v0.18.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
+	golang.org/x/tools v0.22.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
+	google.golang.org/grpc v1.63.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
 
@@ -109,4 +104,4 @@ replace github.com/prometheus/golang_client => github.com/prometheus/golang_clie
 replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
 
 // This fork is based on quic-go v0.45
-replace github.com/quic-go/quic-go => github.com/chungthuang/quic-go v0.45.1-0.20250428085412-43229ad201fd
+replace github.com/quic-go/quic-go => github.com/chungthuang/quic-go v0.45.1-0.20250128102735-2687bd175910

go.sum

@@ -5,22 +5,14 @@ github.com/apparentlymart/go-cidr v1.1.0 h1:2mAhrMoF+nhXqxTzSZMUzDHkLjmIHC+Zzn4t
 github.com/apparentlymart/go-cidr v1.1.0/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bytedance/sonic v1.12.0 h1:YGPgxF9xzaCNvd/ZKdQ28yRovhfMFZQjuk6fKBzZ3ls=
-github.com/bytedance/sonic v1.12.0/go.mod h1:B8Gt/XvtZ3Fqj+iSKMypzymZxw/FVwgIGKzMzT9r/rk=
-github.com/bytedance/sonic/loader v0.2.0 h1:zNprn+lsIP06C/IqCHs3gPQIvnvpKbbxyXQP1iU4kWM=
-github.com/bytedance/sonic/loader v0.2.0/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
-github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
-github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/chungthuang/quic-go v0.45.1-0.20250428085412-43229ad201fd h1:VdYI5zFQ2h1/qzoC6rhyPx479bkF8i177Qpg4Q2n1vk=
-github.com/chungthuang/quic-go v0.45.1-0.20250428085412-43229ad201fd/go.mod h1:MFlGGpcpJqRAfmYi6NC2cptDPSxRWTOGNuP4wqrWmzQ=
-github.com/cloudwego/base64x v0.1.4 h1:jwCgWpFanWmN8xoIUHa2rtzmkd5J2plF/dnLS6Xd/0Y=
-github.com/cloudwego/base64x v0.1.4/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
-github.com/cloudwego/iasm v0.2.0 h1:1KNIy1I1H9hNNFEEH3DVnI4UujN+1zjpuk6gwHLTssg=
-github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
-github.com/coredns/caddy v1.1.2-0.20241029205200-8de985351a98 h1:c+Epklw9xk6BZ1OFBPWLA2PcL8QalKvl3if8CP9x8uw=
-github.com/coredns/caddy v1.1.2-0.20241029205200-8de985351a98/go.mod h1:A6ntJQlAWuQfFlsd9hvigKbo2WS0VUs2l1e2F+BawD4=
-github.com/coredns/coredns v1.12.2 h1:G4oDfi340zlVsriZ8nYiUemiQIew7nqOO+QPvPxIA4Y=
-github.com/coredns/coredns v1.12.2/go.mod h1:GFz31oVOfCyMArFoypfu1SoaFoNkbdh6lDxtF1B6vfU=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/chungthuang/quic-go v0.45.1-0.20250128102735-2687bd175910 h1:/hTvBpxBDj/3NIzTodi1oEOyNBpirvgDSPKSV7VqAZU=
+github.com/chungthuang/quic-go v0.45.1-0.20250128102735-2687bd175910/go.mod h1:1dLehS7TIR64+vxGR70GDcatWTOtMX2PUtnKsjbTurI=
+github.com/coredns/caddy v1.1.1 h1:2eYKZT7i6yxIfGP3qLJoJ7HAsDJqYB+X68g4NYjSrE0=
+github.com/coredns/caddy v1.1.1/go.mod h1:A6ntJQlAWuQfFlsd9hvigKbo2WS0VUs2l1e2F+BawD4=
+github.com/coredns/coredns v1.11.3 h1:8RjnpZc42db5th84/QJKH2i137ecJdzZK1HJwhetSPk=
+github.com/coredns/coredns v1.11.3/go.mod h1:lqFkDsHjEUdY7LJ75Nib3lwqJGip6ewWOqNIf8OavIQ=
 github.com/coreos/go-oidc/v3 v3.10.0 h1:tDnXHnLyiTVyT/2zLDGj09pFPkhND8Gl8lnTRhoEaJU=
 github.com/coreos/go-oidc/v3 v3.10.0/go.mod h1:5j11xcw0D3+SGxn6Z/WFADsgcWVMyNAlSQupk0KK3ac=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
@@ -29,6 +21,7 @@ github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSV
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.0 h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM=
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -49,40 +42,38 @@ github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8
 github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/gabriel-vasile/mimetype v1.4.2 h1:w5qFW6JKBz9Y393Y4q372O9A7cUSequkh1Q7OhCmWKU=
-github.com/gabriel-vasile/mimetype v1.4.2/go.mod h1:zApsH/mKG4w07erKIaJPFiX0Tsq9BFQgN3qGY5GnNgA=
 github.com/getsentry/sentry-go v0.16.0 h1:owk+S+5XcgJLlGR/3+3s6N4d+uKwqYvh/eS0AIMjPWo=
 github.com/getsentry/sentry-go v0.16.0/go.mod h1:ZXCloQLj0pG7mja5NK6NPf2V4A88YJ4pNlc2mOHwh6Y=
 github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
 github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
 github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M=
-github.com/gin-gonic/gin v1.9.1 h1:4idEAncQnU5cB7BeOkPtxjfCSye0AAm1R0RVIqJ+Jmg=
-github.com/gin-gonic/gin v1.9.1/go.mod h1:hPrL7YrpYKXt5YId3A/Tnip5kqbEAP+KLuI3SUcPTeU=
-github.com/go-chi/chi/v5 v5.2.2 h1:CMwsvRVTbXVytCk1Wd72Zy1LAsAh9GxMmSNWLHCG618=
-github.com/go-chi/chi/v5 v5.2.2/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
+github.com/gin-gonic/gin v1.8.1 h1:4+fr/el88TOO3ewCmQr8cx/CtZ/umlIRIs5M4NTNjf8=
+github.com/gin-gonic/gin v1.8.1/go.mod h1:ji8BvRH1azfM+SYow9zQ6SZMvR8qOMZHmsCuWR9tTTk=
+github.com/go-chi/chi/v5 v5.0.8 h1:lD+NLqFcAi1ovnVZpsnObHGW4xb4J8lNmoYVfECH1Y0=
+github.com/go-chi/chi/v5 v5.0.8/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
 github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
-github.com/go-jose/go-jose/v4 v4.1.0 h1:cYSYxd3pw5zd2FSXk2vGdn9igQU2PS8MuxrCOCl0FdY=
-github.com/go-jose/go-jose/v4 v4.1.0/go.mod h1:GG/vqmYm3Von2nYiB2vGTXzdoNKE5tix5tuc6iAd+sw=
+github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=
+github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
-github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
+github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
-github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
-github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
+github.com/go-playground/locales v0.14.0 h1:u50s323jtVGugKlcYeyzC0etD1HifMjqmJqb8WugfUU=
+github.com/go-playground/locales v0.14.0/go.mod h1:sawfccIbzZTqEDETgFXqTho0QybSa7l++s0DH+LDiLs=
 github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA=
-github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
-github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
+github.com/go-playground/universal-translator v0.18.0 h1:82dyy6p4OuJq4/CByFNOn/jYrnRPArHwAcmLoJZxyho=
+github.com/go-playground/universal-translator v0.18.0/go.mod h1:UvRDBj+xPUEGrFYl+lu/H90nyDXpg0fqeB/AQUGNTVA=
 github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI=
-github.com/go-playground/validator/v10 v10.15.1 h1:BSe8uhN+xQ4r5guV/ywQI4gO59C2raYcGffYWZEjZzM=
-github.com/go-playground/validator/v10 v10.15.1/go.mod h1:9iXMNT7sEkjXb0I+enO7QXmzG6QCsPWY4zveKFVRSyU=
-github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
-github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
+github.com/go-playground/validator/v10 v10.11.1 h1:prmOlTVv+YjZjmRmNSF3VmspqJIxJWXmqUsHwfTRRkQ=
+github.com/go-playground/validator/v10 v10.11.1/go.mod h1:i+3WkQ1FvaUjjxh1kSvIA4dMGDBiPU55YFDl0WbKdWU=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee/go.mod h1:L0fX3K22YWvt/FAX9NnzrNzcI4wNYi9Yku4O0LKYflo=
 github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU=
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
@@ -92,31 +83,34 @@ github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6Wezm
 github.com/gobwas/ws v1.0.2/go.mod h1:szmBTxLgaFppYjEmNtny/v3w89xOydFnnZMcgRRu/EM=
 github.com/gobwas/ws v1.2.1 h1:F2aeBZrm2NDsc7vbovKrWSogd4wvfAxg0FQ89/iqOTk=
 github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY=
-github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
-github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/goccy/go-json v0.9.11 h1:/pAaQDLHEoCq/5FFmSKBswWmK6H0e8g4159Kc/X/nqk=
+github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
-github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
-github.com/google/pprof v0.0.0-20250418163039-24c5476c6587 h1:b/8HpQhvKLSNzH5oTXN2WkNcMl6YB5K3FRbb+i+Ml34=
-github.com/google/pprof v0.0.0-20250418163039-24c5476c6587/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
+github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b h1:h9U78+dx9a4BKdQkBBos92HalKpaGKHrp+3Uo6yTodo=
+github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
-github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=
+github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
+github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 h1:/c3QmbOGMGTOumP2iT/rCwB7b0QDGLKzqOmktBjT+Is=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1/go.mod h1:5SN9VR2LTsRFsrEC6FHgRbTWrTHu6tqPeKxEQv15giM=
 github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 h1:MJG/KsmcqMwFAkh8mTnAwhyKoB+sTAnY4CACC110tbU=
 github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645/go.mod h1:6iZfnjpejD4L/4DwD7NryNaJyCQdzwWwH2MWhCA90Kw=
 github.com/ipostelnik/cli/v2 v2.3.1-0.20210324024421-b6ea8234fe3d h1:PRDnysJ9dF1vUMmEzBu6aHQeUluSQy4eWH3RsSSy/vI=
@@ -125,29 +119,29 @@ github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/u
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
-github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
-github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
-github.com/klauspost/cpuid/v2 v2.2.5 h1:0E5MSMDEoAulmXNFquVs//DdoomxaoTY1kUhbc/qbZg=
-github.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
+github.com/klauspost/compress v1.15.11 h1:Lcadnb3RKGin4FYM/orgq0qde+nc15E5Cbqg4B9Sx9c=
+github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
-github.com/leodido/go-urn v1.2.4 h1:XlAE/cm/ms7TE/VMVoduSpNBoyc2dOxHs5MZSwAN63Q=
-github.com/leodido/go-urn v1.2.4/go.mod h1:7ZrI8mTSeBSHl/UaRyKQW1qZeMgak41ANeCNaVckg+4=
+github.com/leodido/go-urn v1.2.1 h1:BqpAaACuzVSgi/VLzGZIobT2z4v53pjosyNd9Yv6n/w=
+github.com/leodido/go-urn v1.2.1/go.mod h1:zt4jvISO2HfUBqxjfIshjdMTYS56ZS/qv49ictyFfxY=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
+github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
-github.com/miekg/dns v1.1.66 h1:FeZXOS3VCVsKnEAd+wBkjMC3D2K+ww66Cq3VnCINuJE=
-github.com/miekg/dns v1.1.66/go.mod h1:jGFzBsSNbJw6z1HYut1RKBKHA9PBdxeHrZG8J+gC2WE=
+github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4=
+github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -156,38 +150,33 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJ
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
-github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
-github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
-github.com/onsi/gomega v1.36.3 h1:hID7cr8t3Wp26+cYnfcjR6HpJ00fdogN6dqZ1t6IylU=
-github.com/onsi/gomega v1.36.3/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
+github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4=
+github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
+github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
+github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
-github.com/pelletier/go-toml/v2 v2.0.9 h1:uH2qQXheeefCCkuBBSLi7jCiSmj3VRh2+Goq2N7Xxu0=
-github.com/pelletier/go-toml/v2 v2.0.9/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc=
-github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c h1:dAMKvw0MlJT1GshSTtih8C2gDs04w8dReiOGXrGLNoY=
-github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
+github.com/pelletier/go-toml/v2 v2.0.5 h1:ipoSadvV8oGUjnUbMub59IDPPwfxF694nG/jwbMiyQg=
+github.com/pelletier/go-toml/v2 v2.0.5/go.mod h1:OMHamSCAODeSsVrwwvcJOaoN0LIUIaFVNZzmWyNfXas=
+github.com/philhofer/fwd v1.1.2 h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw=
+github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2tUTP0=
 github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4=
 github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
-github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
-github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
-github.com/prometheus/common v0.64.0 h1:pdZeA+g617P7oGv1CzdTzyeShxAGrTBsolKNOLQPGO4=
-github.com/prometheus/common v0.64.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
+github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
+github.com/prometheus/client_model v0.6.0 h1:k1v3CzpSRUTrKMppY35TLwPvxHqBu0bYgxZzqGIgaos=
+github.com/prometheus/client_model v0.6.0/go.mod h1:NTQHnmxFpouOD0DpvP4XujX3CdOAGQPoaGhyTchlyt8=
+github.com/prometheus/common v0.53.0 h1:U2pL9w9nmJwJDa4qqLQ3ZaePJ6ZTwt7cMD3AG3+aLCE=
+github.com/prometheus/common v0.53.0/go.mod h1:BrxBKv3FWBIGXw89Mg1AeBq7FSyRzXWI3l3e7W3RN5U=
+github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
+github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
 github.com/rs/zerolog v1.20.0 h1:38k9hgtUBdxFwE34yS8rTHmHBa4eN16E4DJlv177LNs=
 github.com/rs/zerolog v1.20.0/go.mod h1:IzD0RJ65iWH0w97OQQebJEvTZYvsCUm9WVLWBQrJRjo=
@@ -196,104 +185,115 @@ github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tinylib/msgp v1.2.5 h1:WeQg1whrXRFiZusidTQqzETkRpGjFjcIhW6uqWH09po=
-github.com/tinylib/msgp v1.2.5/go.mod h1:ykjzy2wzgrlvpDCRc4LA8UXy6D8bzMSuAF3WD57Gok0=
-github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
-github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/tinylib/msgp v1.1.8 h1:FCXC1xanKO4I8plpHGH2P7koL/RzZs12l/+r7vakfm0=
+github.com/tinylib/msgp v1.1.8/go.mod h1:qkpG+2ldGg4xRFmx+jfTvZPxfGFhi64BcnL9vkCm/Tw=
 github.com/ugorji/go v1.1.7 h1:/68gy2h+1mWMrwZFeD1kQialdSzAb432dtpeJ42ovdo=
 github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
 github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY=
-github.com/ugorji/go/codec v1.2.11 h1:BMaWp1Bb6fHwEtbplGBGJ498wD+LKlNSl25MjdZY4dU=
-github.com/ugorji/go/codec v1.2.11/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+github.com/ugorji/go/codec v1.2.7 h1:YPXUKf7fYbp/y8xloBqZOw2qaVggbfwMlI8WM3wZUJ0=
+github.com/ugorji/go/codec v1.2.7/go.mod h1:WGN1fab3R1fzQlVQTkfxVtIBhWDRqOviHU95kRgeqEY=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.opentelemetry.io/contrib/propagators v0.22.0 h1:KGdv58M2//veiYLIhb31mofaI2LgkIPXXAZVeYVyfd8=
 go.opentelemetry.io/contrib/propagators v0.22.0/go.mod h1:xGOuXr6lLIF9BXipA4pm6UuOSI0M98U6tsI3khbOiwU=
 go.opentelemetry.io/otel v1.0.0-RC2/go.mod h1:w1thVQ7qbAy8MHb0IFj8a5Q2QU0l2ksf8u/CN8m3NOM=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel v1.26.0 h1:LQwgL5s/1W7YiiRwxf03QGnWLb2HW4pLiAhaA5cZXBs=
+go.opentelemetry.io/otel v1.26.0/go.mod h1:UmLkJHUAidDval2EICqBMbnAd0/m2vmpf/dAM+fvFs4=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0 h1:1u/AyyOqAWzy+SkPxDpahCNZParHV8Vid1RnI2clyDE=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0/go.mod h1:z46paqbJ9l7c9fIPCXTqTGwhQZ5XoTIsfeFYWboizjs=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
-go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
-go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
-go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
+go.opentelemetry.io/otel/metric v1.26.0 h1:7S39CLuY5Jgg9CrnA9HHiEjGMF/X2VHvoXGgSllRz30=
+go.opentelemetry.io/otel/metric v1.26.0/go.mod h1:SY+rHOI4cEawI9a7N1A4nIg/nTQXe1ccCNWYOJUrpX4=
+go.opentelemetry.io/otel/sdk v1.26.0 h1:Y7bumHf5tAiDlRYFmGqetNcLaVUZmh4iYfmGxtmz7F8=
+go.opentelemetry.io/otel/sdk v1.26.0/go.mod h1:0p8MXpqLeJ0pzcszQQN4F0S5FVjBLgypeGSngLsmirs=
 go.opentelemetry.io/otel/trace v1.0.0-RC2/go.mod h1:JPQ+z6nNw9mqEGT8o3eoPTdnNI+Aj5JcxEsVGREIAy4=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/trace v1.26.0 h1:1ieeAUb4y0TE26jUFrCIXKpTuVK7uJGN9/Z/2LP5sQA=
+go.opentelemetry.io/otel/trace v1.26.0/go.mod h1:4iDxvGDQuUkHve82hJJ8UqrwswHYsZuWCBllGV2U2y0=
 go.opentelemetry.io/proto/otlp v1.2.0 h1:pVeZGk7nXDC9O2hncA6nHldxEjm6LByfA2aN8IOkz94=
 go.opentelemetry.io/proto/otlp v1.2.0/go.mod h1:gGpR8txAl5M03pDhMC79G6SdqNV26naRm/KDsgaHD8A=
-go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
-go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
-go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
-go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.uber.org/mock v0.5.1 h1:ASgazW/qBmR+A32MYFDB6E2POoTgOwT509VP0CT/fjs=
-go.uber.org/mock v0.5.1/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
-golang.org/x/arch v0.4.0 h1:A8WCeEWhLwPBKNbFi5Wv5UTCBx5zzubnXDlMOFAzFMc=
-golang.org/x/arch v0.4.0/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
+go.uber.org/automaxprocs v1.4.0 h1:CpDZl6aOlLhReez+8S3eEotD7Jx0Os++lemPlMULQP0=
+go.uber.org/automaxprocs v1.4.0/go.mod h1:/mTEdr7LvHhs0v7mjdxDreTz1OG5zdZGqgOnhWiR/+Q=
+go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
+go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
-golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
+golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
-golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
-golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
-golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
+golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI=
+golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
-golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
-golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
-golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
+golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190828213141-aed303cbaa74/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
-golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
+golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2 h1:vPV0tzlsK6EzEDHNNH5sa7Hs9bd7iXR7B1tSiPepkV0=
-google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2/go.mod h1:pKLAc5OolXC3ViWGI62vvC0n10CpwAtRcTNCFwTKBEw=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250512202823-5a2f75b736a9 h1:IkAfh6J/yllPtpYFU0zZN1hUPYdT0ogkBT/9hMxHjvg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250512202823-5a2f75b736a9/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
-google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
+google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
+google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2 h1:rIo7ocm2roD9DcFIX67Ym8icoGCKSARAiPljFhh5suQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2/go.mod h1:O1cOfN1Cy6QEYr7VxtjOyP5AdAuR0aJ/MYZaaof623Y=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 h1:NnYq6UN9ReLM9/Y01KWNOWyI5xQ9kbIms5GGJVwS/Yc=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
+google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM=
+google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
+google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8=

ingress/icmp_windows_test.go

@@ -1,4 +1,4 @@
-//go:build windows && cgo
+//go:build windows
 
 package ingress
 

ingress/ingress.go

@@ -113,7 +113,7 @@ func ParseIngressFromConfigAndCLI(conf *config.Configuration, c *cli.Context, lo
 		// If no token is provided, the probability of NOT being a remotely managed tunnel is higher.
 		// So, we should warn the user that no ingress rules were found, because remote configuration will most likely not exist.
 		if !c.IsSet("token") {
-			log.Warn().Msg(ErrNoIngressRulesCLI.Error())
+			log.Warn().Msgf(ErrNoIngressRulesCLI.Error())
 		}
 		return newDefaultOrigin(c, log), nil
 	}
@@ -317,7 +317,7 @@ func validateIngress(ingress []config.UnvalidatedIngressRule, defaults OriginReq
 				return Ingress{}, err
 			}
 			if access.Required {
-				verifier := middleware.NewJWTValidator(access.TeamName, access.Environment, access.AudTag)
+				verifier := middleware.NewJWTValidator(access.TeamName, "", access.AudTag)
 				handlers = append(handlers, verifier)
 			}
 		}
@@ -378,17 +378,17 @@ func validateHostname(r config.UnvalidatedIngressRule, ruleIndex, totalRules int
 	}
 	// ONLY the last rule should catch all hostnames.
 	if !isLastRule && isCatchAllRule {
-		return ruleShouldNotBeCatchAllError{index: ruleIndex, hostname: r.Hostname}
+		return errRuleShouldNotBeCatchAll{index: ruleIndex, hostname: r.Hostname}
 	}
 	return nil
 }
 
-type ruleShouldNotBeCatchAllError struct {
+type errRuleShouldNotBeCatchAll struct {
 	index    int
 	hostname string
 }
 
-func (e ruleShouldNotBeCatchAllError) Error() string {
+func (e errRuleShouldNotBeCatchAll) Error() string {
 	return fmt.Sprintf("Rule #%d is matching the hostname '%s', but "+
 		"this will match every hostname, meaning the rules which follow it "+
 		"will never be triggered.", e.index+1, e.hostname)