integration: add tailscale-rs client test harness#3196
Merged
kradalby merged 3 commits intojuanfont:mainfrom Apr 29, 2026
Merged
integration: add tailscale-rs client test harness#3196kradalby merged 3 commits intojuanfont:mainfrom
kradalby merged 3 commits intojuanfont:mainfrom
Conversation
kradalby
requested review from
juanfont,
nblock and
ohdearaugustin
as code owners
kradalby
force-pushed
the
kradalby/tailscale-rs
branch
2 times, most recently
from
1ce3e83 to
f6e44a3
Compare
Add TailscaleRustInContainer (tsric), a Rust-client counterpart to integration/tsic. It runs the axum example from tailscale-rs in a Docker container and exposes the same lifecycle hooks as tsic (Shutdown, SaveLog, Execute, WriteFile) so integration tests can treat it as any other Tailscale node. Dockerfile.tailscale-rs clones tailscale-rs at build time, so no local source checkout is required. The repo URL and ref are Docker build arguments (TAILSCALE_RS_REPO, TAILSCALE_RS_REF) exposed as tsric.WithRepo / tsric.WithRef options. The HEADSCALE_INTEGRATION_ TAILSCALE_RS_IMAGE environment variable provides an escape hatch for using a pre-built image instead of building from source. The Dockerfile patches the cloned root Cargo.toml to expose ts_control's insecure-keyfetch feature through the tailscale crate so the axum example can fetch the control key over plain HTTP. The integration harness serves the control plane without TLS, which is the only mode tailscale-rs can register against until it grows a way to inject a custom CA bundle.
Add an integration test that runs the tailscale-rs axum example
against headscale end-to-end. The test provisions one headscale
instance, one Go tailscale probe client (tsic), and one
tailscale-rs node (tsric) on the same tailnet, then verifies:
- the tailscale-rs node registers and is assigned both an IPv4
and an IPv6 address
- the Go probe sees the tailscale-rs node as a peer in its status
- GET /index.html and GET /assets/index.css from the axum server
return the expected content over the tailnet
- three sequential POST /count calls return distinct, incrementing
counter values, proving netstack state is maintained across
multiple TCP connections
This is the first integration test that exercises a non-Go
Tailscale client against headscale, giving end-to-end coverage of
the control protocol for alternate implementations.
Pick up the new tailscale-rs integration test in the CI job matrix.
kradalby
force-pushed
the
kradalby/tailscale-rs
branch
from
f6e44a3 to
17661da
Compare
juanfont
approved these changes
Apr 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds integration tests for the new tailscale-rs library with Headscale to make sure it works from the beginning.
integration/tsric—TailscaleRustInContainer, Rust counterpartto
tsic.Dockerfile.tailscale-rs— clones tailscale-rs at build time andcompiles the
axumexample. Repo/ref are build-args; default isupstream
main.TestTailscaleRustAxum— registration, peer visibility, HTTP(
GET /index.html,GET /assets/index.css,POST /count).Headscale's integration harness runs the control plane over plain
HTTP, so the Dockerfile patches the cloned root
Cargo.tomltore-expose
ts_control/insecure-keyfetchthrough thetailscalecrateand builds the axum example with that feature enabled.