feat(container): update image ghcr.io/tailscale/tailscale to v1.78.3

[renovate]

This PR contains the following updates:

Package	Update	Change
ghcr.io/tailscale/tailscale (source)	minor	v1.58.2 -> v1.78.3

---

Release Notes

tailscale/tailscale (ghcr.io/tailscale/tailscale)

v1.78.3

Compare Source

v1.78.1

Compare Source

Please refer to the changelog available at https://tailscale.com/changelog.

v1.76.6

Compare Source

Please refer to the changelog available at https://tailscale.com/changelog.

v1.76.1

Compare Source

Please refer to the changelog available at https://tailscale.com/changelog.

v1.74.1

Compare Source

Please refer to the changelog available at https://tailscale.com/changelog.

v1.72.1

Compare Source

Please refer to the changelog available at https://tailscale.com/changelog#2024-08-22.

v1.72.0

Compare Source

Please refer to the changelog available at https://tailscale.com/changelog#2024-08-19.

v1.70.0

Compare Source

All platforms

• New: Restrict recommended and automatically selected exit nodes using the new AllowedSuggestedExitNodes system policy. Applies only to platforms that support system policies.
• Changed: Improved NAT traversal for some uncommon scenarios.
• Changed: Optimized sending firewall rules to clients more efficiently.
• Fixed: Exit node suggestion CLI command now prints the hostname (which you can use with the tailscale set command).
• Fixed: Taildrive share paths configured through the CLI resolve relative to where you run the tailscale command.

Linux

• Fixed: Switching from unstable to stable tracks using the tailscale update command now works correctly.

Windows

• New: Use the value auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.
• New: The new AllowedSuggestedExitNodes system policy restricts which exit nodes Tailscale recommends or automatically selects.
• Fixed: DNS leak issue.
• Fixed: Switching from unstable to stable tracks using the tailscale update command now works correctly.
• Fixed: Taildrive server no longer starts unnecessarily when no drives are configured.

macOS

Note: As previously announced, Tailscale v1.70 is the last version to support macOS 10.15 Catalina. macOS 10.15 is no longer supported by Apple and no longer receives security updates. Users still running macOS 10.15 should update to a newer version of macOS to continue receiving security updates and new features.

• New: Toggle Tailscale DNS from Siri or the Shortcuts app.
• New: Receive health notifications in the client menu on macOS to inform you about lack of internet connectivity, firewalls blocking Tailscale, misconfiguration issues, and other issues. Health issues that affect connectivity also change the Tailscale icon in the system menubar to show an exclamation mark.
• New: On MacBooks with a notch in the display, a notification window will now appear if the Tailscale icon is hidden behind the notch due to too many menubar items.
• New: The Tailscale client now warns you when the built-in macOS content filter (Screen Time) prevents Tailscale from connecting.
• New: Use the value auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.
• Changed: The exit node picker no longer presents exit node suggestions if the organization enforces always using the suggested exit node using the ExitNodeID system policy.
• Fixed: Disconnect shortcut no longer connects to the VPN tunnel if executed when Tailscale is disconnected.
• Fixed: Taildrive server no longer starts unnecessarily when no drives are configured.
• Fixed: Increased the reliability of the Install Updates Automatically setting.

iOS

• New: Toggle Tailscale DNS from Siri or the Shortcuts app.
• New: Use the value auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.
• Fixed: wireguard-go memory pool deadlock issue is resolved.
• Fixed: Disconnect shortcut no longer connects to the VPN tunnel if executed when Tailscale is disconnected.
• Fixed: User interface no longer flickers when selecting an exit node.

tvOS

• New: Use the value auto:any to automatically select an exit node for the existing ExitNodeID system policy. Available for Enterprise plan users only.
• Fixed: wireguard-go memory pool deadlock issue is resolved.
• Fixed: User interface no longer flickers when selecting an exit node.

Android

• New: Access ping information and connection status by long-pressing on a device in the devices list and selecting Ping.
• New: Use split tunneling to force or exclude app traffic through your tailnet.
• Fixed: wireguard-go memory pool deadlock issue is resolved.

v1.68.1

Compare Source

All Platforms

• Fixed: 4via6 subnet router advertisement works as expected.

Linux

• Fixed: Tailscale SSH access to Security-Enhanced Linux (SELinux) machines works as expected.

v1.66.4

Compare Source

All platforms

• Fixed: Restored UDP connectivity through Mullvad exit nodes.

Linux

• Changed: Stateful filtering is now off by default. Stateful filtering was introduced in 1.66.0 as a mitigation for a vulnerability described in TS-2024-005, and inadvertently broke DNS resolution from containers running on the host. Most vulnerable setups are protected by other mitigations already, except when autogroup:danger-all is used in ACLs.

v1.66.3

Compare Source

All platforms

• Fixed: Login URLs did not always appear in the console when running tailscale up.

Android

• Changed: Reintroduced the Quick Settings title that v1.66.0 temporarily removed.
• Changed: Improved the VPN service connection logic, especially when rebooting the device with Always-On VPN enabled.
• Changed: The persistent VPN status notification now informs the user with a muted icon when the VPN is disconnected. VPN status notifications can be disabled in the system notification settings.
• Fixed: The "Enable" button in the exit node selector banner now renders with the correct background color.

Kubernetes operator

• Breaking change: Starting with v1.66, the Kubernetes operator must always run the same or later version as the proxies it manages.
• New: Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services. This allows exposing cloud services, such as RDS instances, to tailnet by their DNS names.
• New: Expose tailnet services that use Tailscale HTTPS to cluster workloads. Refer to #​11019.
• New: Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names. Refer to #​11019.
• New: Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD.
  Refer to ProxyClass API.
• New: Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD. Note that the tailscaled metrics are unstable and will likely change in the future. Refer to ProxyClass API.
• New: Configure labels for the Kubernetes operator Pods with Helm chart values. Refer to Helm chart values.
• New: Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass. Refer to ProxyClass API.
• Fixed: Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems that don't have IPv6 module loaded. Refer to #​11867.

Containers

• Fixed: Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is pre-created for the tailscaled state. Refer to #​11326.
• Fixed: Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right permissions to perform actions against the tailscaled state Secret. Refer to #​11326.

v1.64.2

Compare Source

Windows

• Changed: Installers are now built using WiX toolchain version 3.14.1.

Synology

• Fixed: DiskStation Manager UI no longer freezes for a few minutes at startup when attempting to clean unused routes. This update is applicable to the version provided on pkgs.tailscale.com[^1].

[^1]: We initially noted this as being released in 1.64.1, but that package was not uploaded incorrectly, so 1.64.2 has the actual fix.

v1.64.1

Compare Source

Synology

• Fixed: No longer freezes for a few minutes at startup when attempting to clean unused routes

v1.64.0

Compare Source

All platforms

• Changed: tailscale serve headers are now RFC 2047 Q-encoded

macOS

• New: Access a new Internet Access Policy for Little Snitch users
• New: Receive alerts when an error occurs while changing client preferences
• New: Use Tailscale for macOS as a Tailscale SSH client (Standalone variant only)
• New: tailscale ssh and tailscale nc are now supported in the Standalone variant of the client.
• Changed: The .pkg installer no longer requires a system restart after installing the client (Standalone variant only)
• Fixed: Reduced number of alerts if the network extension terminates unexpectedly
• Fixed: Unexpected terminations for some macOS 10.15 Catalina users

iOS

• Fixed: Improved reliability of the ping chart presentation

Synology

• New: Update certificates using the configure synology-cert CLI command
• Fixed: IPv6 addresses are available again

Kubernetes operator

• New: tailscale configure kubeconfig now respects KUBECONFIG environment variable.
• Fixed: tailscale configure kubeconfig now works with partially empty kubeconfig.
• Fixed: MSS clamping for Kubernetes operator proxies using nftables.

Containers

• Fixed: Containers on hosts with partial support for ip6tables no longer crash.

v1.62.1

Compare Source

Linux

New: Send load balancing hint HTTP request header

Windows

Fixed: Do not allow msiexec to reboot the operating system

macOS

Issue that could cause the Tailscale system extension to not be installed upon app launch, when deploying Tailscale using MDM and using a configuration profile to pre-approve the VPN tunnel (applies to standalone variant only)

Synology

Fixed: IPv6 routing

Kubernetes operator

Fixed: Kubernetes operator proxies should not accept subnet routes

v1.62.0: 1.62.0

All platforms

• New: Web interface now uses ACL grants to manage access on tagged devices
• Changed: Tailscale SSH connections now disable unnecessary hostname canonicalization
• Changed: tailscale bugreport command for generating diagnostic logs now contain ethtool information
• Changed: Mullvad's family-friendly server is added to the list of well known DNS over HTTPS (DoH) servers
• Changed: DNS over HTTP requests now contain a timeout
• Changed: TCP forwarding attempts in userspace mode now have a per-client limit
• Changed: Endpoints with link-local IPv6 addresses is preferred over private addresses
• Changed: WireGuard logs are less verbose
• Changed: Go is updated to version 1.22.1
• Fixed: DERP server region no longer changes if connectivity to the new DERP region is degraded

Linux

• Changed: Auto-update version detection on Alpine Linux is improved
• Changed: IPv6 support detection in a container environment is improved
• Fixed: DNS configuration on Amazon Linux 2023 no longer causes an infinite loop

Windows

• Changed: ManagedByOrganizationName, ManagedByCaption, and ManagedByURL system policy keys are now supported
• Fixed: Tailscale Tunnel WinTun adapter handling is improved
• Fixed: MSI upgrades no longer ignore policy properties set during initial install

macOS

• New: A .pkg installer package is now available for the standalone release of the Tailscale client
• Changed: Taildrop notifications now include actions to reveal the received file in the Finder, or delete it
• Changed: Tailnet lock settings UI displays more information about the status, including key and public key trust status
• Changed: The onboarding flow now guides the user in enabling the Tailscale system extension
• Changed: Launch Tailscale at login settings item can now be toggled when the Tailscale client is disconnected
• Changed: DNS behavior is improved when handling transitions between network interfaces

iOS

• Changed: Battery usage is improved
• Changed: Taildrop notifications now include actions to reveal the received file in the Files app, or delete it
• Changed: Tailnet lock settings UI displays more information about the status, including key and public key trust status
• Changed: Unnecessary log messages are removed when triggered by changes to device power state and routing
• Changed: DNS behavior is improved when handling interface transitions between Wi-Fi and Cellular

Android

• Changed: Settings persist from previous sign-ins
• Changed: Always-on VPN handling is improved
• Changed: Custom control server is applied on first start

Kubernetes operator

• Changed: Ingress resource handling is improved when deployed before its backing Service resource
• Fixed: Destination NAT (DNAT) rule management by egress proxies in nftables mode when IP address of tailscale.com/tailnet-fqdn changes

v1.60.1: 1.60.1

Compare Source

All Platforms

Fixed: Exposing port 8080 to other devices on your tailnet works as expected

v1.60.0: 1.60.0

Compare Source

All Platforms

• build Tailscale with Go 1.22
• authentication: present users with a valid login page when attempting to login even after leaving device unattended for several days
• networking: mute noisy peer mtu discovery errors
• networking: expose gVisor metrics in debug mode
• port mapper: support legacy "urn:dslforum-org" port mapping services
• port mapper: fix crash when no support mapping services found
• ssh: log warning when unable to find SSH host keys
• serve: improve error message when running as non-root
• cloud servers: Detect when Tailscale is running on Digital Ocean and automatically use Digital Ocean's DNS resolvers (ask Andrew)
• app connectors: enable app connectors to install routes for domains that resolve to CNAME records
• app connectors: support pre-configured routes from control server
• web client: add new read-only mode
• tailscale status command: fix output formatting Tailnet includes location-based exit nodes

Windows

• Fixed: tailscaled could be slow or cause increased CPU usage with large routing tables

Synology

• fix stalling SMB transfers of large files

macOS

• Added: New UI to add/remove/switch between user accounts, including using custom control servers
• Added: New UI to change client preferences
• Added: New UI to manage updates for the Standalone variant of the client, including switching in-app between stable and unstable builds.
• Added: VPN On-Demand is now supported on macOS, to automatically connect/disconnect Tailscale when specific conditions are triggered
• Added: ‘Reset VPN Configuration’ menu item in the Debug Menu is now available to reset the system VPN configuration if needed
• Improved: An alert window is presented when the Tailscale network extension fails to start, providing suggested troubleshooting steps
• Improved: Tailscale appears in the macOS Dock when an app window is presented
• Improved: The devices list now shows all devices known to the control server, not only the ones seen in the last 4 days.
• Improved: The onboarding flow automatically advances once the user is connected
• Fixed: The authentication flow is now more reliable when Tailscale has been running for an extended period of time, and the session has expired server-side
• Fixed: Resolved a potential crash and excessive logging upon client launch
• Fixed: “Start on Login” is set correctly on macOS Ventura and earlier versions

iOS / tvOS

• Fixed: The authentication flow is now more reliable when Tailscale has been running for an extended period of time, and the session has expired server-side
• Fixed: Resolved a potential crash and excessive logging upon client launch
• Fixed: Stale devices are no longer presented in the devices list

Android

• Improved: Sort Mullvad exit nodes to make it easier to find best node for each location
• Fixed: Quick settings tile now works
• Fixed: Mullvad tunnels are no longer shown as regular nodes in UI

Kubernetes operator

• New: a new ProxyClass custom resource that allows to provide custom configuration for cluster resources that the operator creates
• New: ACL tags for the operator can now be configured via Helm chart values
• Fixed: routing to Ingress backends that require an exact path without a slash (/) suffix

---

Configuration

📅 Schedule: Branch creation - "on saturday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

--- HelmRelease: networking/tailscale-gateway Deployment: networking/tailscale-gateway

+++ HelmRelease: networking/tailscale-gateway Deployment: networking/tailscale-gateway

@@ -28,13 +28,13 @@

         runAsGroup: 1000
         runAsUser: 1000
       dnsPolicy: ClusterFirst
       enableServiceLinks: true
       containers:
       - name: tailscale-gateway
-        image: ghcr.io/tailscale/tailscale:v1.58.2
+        image: ghcr.io/tailscale/tailscale:v1.64.2
         imagePullPolicy: null
         env:
         - name: PORT
           value: ${SECRET_PUBLIC_PORT}
         - name: SA_NAME
           value: tailscale

[github-actions]

--- kubernetes/apps/networking/tailscale/app Kustomization: flux-system/cluster-apps-tailscale HelmRelease: networking/tailscale-gateway

+++ kubernetes/apps/networking/tailscale/app Kustomization: flux-system/cluster-apps-tailscale HelmRelease: networking/tailscale-gateway

@@ -36,13 +36,13 @@

       TZ: ${TIMEZONE}
     envFrom:
     - secretRef:
         name: tailscale-auth
     image:
       repository: ghcr.io/tailscale/tailscale
-      tag: v1.58.2
+      tag: v1.64.2
     ingress:
       main:
         enabled: false
     podSecurityContext:
       runAsGroup: 1000
       runAsUser: 1000