coreweave · ChandonPierre · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026
diff --git a/VERSION.txt b/VERSION.txt
@@ -1 +1 @@
-1.94.1
+1.96.5
diff --git a/k8s-operator/api-proxy/proxy.go b/k8s-operator/api-proxy/proxy.go
@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & AUTHORS
+// Copyright (c) Tailscale Inc & contributors
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build !plan9
@@ -21,14 +21,14 @@ import (
 	"strings"
 	"time"
 
+	"github.com/pires/go-proxyproto"
 	"go.uber.org/zap"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/transport"
 	"tailscale.com/client/local"
 	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/envknob"
 	ksr "tailscale.com/k8s-operator/sessionrecording"
 	"tailscale.com/kube/kubetypes"
 	"tailscale.com/net/netx"
@@ -43,13 +43,7 @@ import (
 var (
 	// counterNumRequestsproxies counts the number of API server requests proxied via this proxy.
 	counterNumRequestsProxied = clientmetric.NewCounter("k8s_auth_proxy_requests_proxied")
-	// NOTE: adding this metric so we can keep track of users during deprecation
-	counterExperimentalEventsVarUsed = clientmetric.NewCounter("ts_experimental_kube_api_events_var_used")
-	whoIsKey                         = ctxkey.New("", (*apitype.WhoIsResponse)(nil))
-)
-
-const (
-	eventsEnabledVar = "TS_EXPERIMENTAL_KUBE_API_EVENTS"
+	whoIsKey                  = ctxkey.New("", (*apitype.WhoIsResponse)(nil))
 )
 
 // NewAPIServerProxy creates a new APIServerProxy that's ready to start once Run
@@ -103,7 +97,6 @@ func NewAPIServerProxy(zlog *zap.SugaredLogger, restConfig *rest.Config, ts *tsn
 		upstreamURL:   u,
 		ts:            ts,
 		sendEventFunc: sessionrecording.SendEvent,
-		eventsEnabled: envknob.Bool(eventsEnabledVar),
 	}
 	ap.rp = &httputil.ReverseProxy{
 		Rewrite: func(pr *httputil.ProxyRequest) {
@@ -134,11 +127,6 @@ func (ap *APIServerProxy) Run(ctx context.Context) error {
 		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),
 	}
 
-	if ap.eventsEnabled {
-		counterExperimentalEventsVarUsed.Add(1)
-		ap.log.Warnf("DEPRECATED: %q environment variable is deprecated, and will be removed in v1.96. See documentation for more detail.", eventsEnabledVar)
-	}
-
 	mode := "noauth"
 	if ap.authMode {
 		mode = "auth"
@@ -163,10 +151,18 @@ func (ap *APIServerProxy) Run(ctx context.Context) error {
 		}
 	} else {
 		var err error
-		proxyLn, err = net.Listen("tcp", "localhost:80")
+		baseLn, err := net.Listen("tcp", "localhost:80")
 		if err != nil {
 			return fmt.Errorf("could not listen on :80: %w", err)
 		}
+		proxyLn = &proxyproto.Listener{
+			Listener:          baseLn,
+			ReadHeaderTimeout: 10 * time.Second,
+			ConnPolicy: proxyproto.ConnPolicyFunc(func(opts proxyproto.ConnPolicyOptions) (proxyproto.Policy,
+				error) {
+				return proxyproto.REQUIRE, nil
+			}),
+		}
 		serve = ap.hs.Serve
 	}
 
@@ -205,10 +201,6 @@ type APIServerProxy struct {
 	upstreamURL *url.URL
 
 	sendEventFunc func(ap netip.AddrPort, event io.Reader, dial netx.DialFunc) error
-
-	// Flag used to enable sending API requests as events to tsrecorder.
-	// Deprecated: events are now set via ACLs (see https://tailscale.com/kb/1246/tailscale-ssh-session-recording#turn-on-session-recording-in-your-tailnet-policy-file)
-	eventsEnabled bool
 }
 
 // serveDefault is the default handler for Kubernetes API server requests.
@@ -237,8 +229,7 @@ func (ap *APIServerProxy) serveDefault(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// NOTE: (ChaosInTheCRD) ap.eventsEnabled deprecated, remove in v1.96
-	if c.enableEvents || ap.eventsEnabled {
+	if c.enableEvents {
 		if err = ap.recordRequestAsEvent(r, who, c.recorderAddresses, c.failOpen); err != nil {
 			msg := fmt.Sprintf("error recording Kubernetes API request: %v", err)
 			ap.log.Errorf(msg)
@@ -308,8 +299,7 @@ func (ap *APIServerProxy) sessionForProto(w http.ResponseWriter, r *http.Request
 		return
 	}
 
-	// NOTE: (ChaosInTheCRD) ap.eventsEnabled deprecated, remove in v1.96
-	if c.enableEvents || ap.eventsEnabled {
+	if c.enableEvents {
 		if err = ap.recordRequestAsEvent(r, who, c.recorderAddresses, c.failOpen); err != nil {
 			msg := fmt.Sprintf("error recording Kubernetes API request: %v", err)
 			ap.log.Errorf(msg)

diff --git a/net/netmon/interfaces.go b/net/netmon/interfaces.go
@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & AUTHORS
+// Copyright (c) Tailscale Inc & contributors
 // SPDX-License-Identifier: BSD-3-Clause
 
 package netmon

diff --git a/tsnet/example/tsnet-services/tsnet-services.go b/tsnet/example/tsnet-services/tsnet-services.go
@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & AUTHORS
+// Copyright (c) Tailscale Inc & contributors
 // SPDX-License-Identifier: BSD-3-Clause
 
 // The tsnet-services example demonstrates how to use tsnet with Services.

diff --git a/tsnet/example_tsnet_listen_service_multiple_ports_test.go b/tsnet/example_tsnet_listen_service_multiple_ports_test.go
@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & AUTHORS
+// Copyright (c) Tailscale Inc & contributors
 // SPDX-License-Identifier: BSD-3-Clause
 
 package tsnet_test
@@ -19,21 +19,19 @@ import (
 // Service on multiple ports. In this example, we run an HTTPS server on 443 and
 // an HTTP server handling pprof requests to the same runtime on 6060.
 func ExampleServer_ListenService_multiplePorts() {
-	s := &tsnet.Server{
-		Hostname: "tsnet-services-demo",
+	srv := &tsnet.Server{
+		Hostname: "shu",
 	}
-	defer s.Close()
 
-	ln, err := s.ListenService("svc:my-service", tsnet.ServiceModeHTTP{
+	ln, err := srv.ListenService("svc:my-service", tsnet.ServiceModeHTTP{
 		HTTPS: true,
 		Port:  443,
 	})
 	if err != nil {
 		log.Fatal(err)
 	}
-	defer ln.Close()
 
-	pprofLn, err := s.ListenService("svc:my-service", tsnet.ServiceModeTCP{
+	pprofLn, err := srv.ListenService("svc:my-service", tsnet.ServiceModeTCP{
 		Port: 6060,
 	})
 	if err != nil {

diff --git a/tsnet/example_tsnet_test.go b/tsnet/example_tsnet_test.go
@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & AUTHORS
+// Copyright (c) Tailscale Inc & contributors
 // SPDX-License-Identifier: BSD-3-Clause
 
 package tsnet_test
@@ -205,19 +205,17 @@ func ExampleServer_ListenFunnel_funnelOnly() {
 
 // ExampleServer_ListenService demonstrates how to advertise an HTTPS Service.
 func ExampleServer_ListenService() {
-	s := &tsnet.Server{
-		Hostname: "tsnet-services-demo",
+	srv := &tsnet.Server{
+		Hostname: "atum",
 	}
-	defer s.Close()
 
-	ln, err := s.ListenService("svc:my-service", tsnet.ServiceModeHTTP{
+	ln, err := srv.ListenService("svc:my-service", tsnet.ServiceModeHTTP{
 		HTTPS: true,
 		Port:  443,
 	})
 	if err != nil {
 		log.Fatal(err)
 	}
-	defer ln.Close()
 
 	log.Printf("Listening on https://%v\n", ln.FQDN)
 	log.Fatal(http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -238,19 +236,17 @@ func ExampleServer_ListenService_reverseProxy() {
 		Host:   targetAddress,
 	})
 
-	s := &tsnet.Server{
-		Hostname: "tsnet-services-demo",
+	srv := &tsnet.Server{
+		Hostname: "tefnut",
 	}
-	defer s.Close()
 
-	ln, err := s.ListenService("svc:my-service", tsnet.ServiceModeHTTP{
+	ln, err := srv.ListenService("svc:my-service", tsnet.ServiceModeHTTP{
 		HTTPS: true,
 		Port:  443,
 	})
 	if err != nil {
 		log.Fatal(err)
 	}
-	defer ln.Close()
 
 	log.Printf("Listening on https://%v\n", ln.FQDN)
 	log.Fatal(http.Serve(ln, reverseProxy))