telepresenceio
diff --git a/‎CHANGELOG.yml
+37 b/‎CHANGELOG.yml
+37
diff --git a/‎charts/telepresence-oss/values.schema.yaml
+4 b/‎charts/telepresence-oss/values.schema.yaml
+4
diff --git a/‎cmd/traffic/cmd/manager/mutator/watcher.go
+6-3 b/‎cmd/traffic/cmd/manager/mutator/watcher.go
+6-3
diff --git a/‎cmd/traffic/cmd/manager/service.go
+47-41 b/‎cmd/traffic/cmd/manager/service.go
+47-41
diff --git a/‎docs/release-notes.md
+35 b/‎docs/release-notes.md
+35
diff --git a/‎docs/release-notes.mdx
+35 b/‎docs/release-notes.mdx
+35
diff --git a/‎go.mod
+1-1 b/‎go.mod
+1-1
diff --git a/‎integration_test/docker_daemon_test.go
+13 b/‎integration_test/docker_daemon_test.go
+13
@@ -36,6 +36,43 @@ items:
           Similar to an `ingest`, a `wiretap` will always enforce read-only status on all volume mounts, and since that
           makes the `wiretap` completely read-only, there's no limit to how many simultaneous wiretaps that can be
           served. In fact, a `wiretap` and an `intercept` on the same port can run simultaneously.
+  - version: 2.22.3
+    date: 2025-04-08
+    notes:
+      - type: change
+        title: The Windows install script will now install Telepresence to "%ProgramFiles%\telepresence"
+        body: |-
+          Telepresence is now installed into "%ProgramFiles%\telepresence" instead of "C:\telepresence".
+          The directory and the Path entry for  `C:\telepresence` are not longer used and should be removed.
+      - type: bugfix
+        title: The Windows install script didn't handle upgrades properly
+        body: |-
+          The following changes were made:
+          
+            - The script now requires administrator privileges
+            - The Path environment is only updated when there's a need for it
+        docs: https://github.com/telepresenceio/telepresence/issues/3827
+      - type: bugfix
+        title: The Telepresence Helm chart could not be used as a dependency in another chart.
+        body: >-
+          The JSON schema validation implemented in Telepresence 2.22.0 had a defect: it rejected the `global` object.
+          This object, a Helm-managed construct, facilitates the propagation of arbitrary configurations from a parent
+          chart to its dependencies. Consequently, charts intended for dependency use must permit the presence of the
+          `global` object.
+        docs: https://github.com/telepresenceio/telepresence/issues/3833
+      - type: bugfix
+        title: Recreating namespaces was not possible when using a dynamically namespaced Traffic Manager
+        body: >-
+          A shared informer was sometimes reused when namespaces were removed and then later added again, leading
+          to errors like "handler ... was not added to shared informer because it has stopped already".
+        docs: https://github.com/telepresenceio/telepresence/issues/3831
+      - type: bugfix
+        title: Single label name DNS lookups didn't work unless at least one traffic-agent was installed
+        body: >-
+          A problem with incorrect handling of single label names in the traffic-manager's DNS resolver was fixed. The
+          problem would cause lookups like `curl echo` to fail, even though telepresence was connected to a namespace
+          containing an "echo" service, unless at least one of the workloads in the connected namespace had a
+          traffic-agent.
   - version: 2.22.2
     date: 2025-03-28
     notes:
 
@@ -251,6 +251,10 @@ properties:
         items:
           $ref: "#/$defs/subject"
 
+  global:
+    type: object
+    additionalProperties: true
+
   grpc:
     type: object
     additionalProperties: false
 
@@ -442,11 +442,11 @@ func (c *configWatcher) namespacesChangeWatcher(ctx context.Context) error {
 					dlog.Debugf(ctx, "Adding watchers for namespace %s", ns)
 					iwc, err := c.startInformers(ctx, ns)
 					if err != nil {
-						dlog.Errorf(ctx, "Failed to create watchers namespace %s: %v", ns, err)
+						dlog.Errorf(ctx, "Failed to create watchers for namespace %s: %v", ns, err)
 						return nil, true
 					}
 					if err = c.startWatchers(ctx, iwc); err != nil {
-						dlog.Errorf(ctx, "Failed to start watchers namespace %s: %v", ns, err)
+						dlog.Errorf(ctx, "Failed to start watchers for namespace %s: %v", ns, err)
 						return nil, true
 					}
 					return iwc, false
@@ -475,7 +475,10 @@ func (c *configWatcher) DeleteMapsAndRolloutAll(ctx context.Context) {
 }
 
 func (c *configWatcher) deleteMapsAndRolloutNS(ctx context.Context, ns string, iwc *informersWithCancel) {
-	defer c.informers.Delete(ns)
+	defer func() {
+		c.informers.Delete(ns)
+		informer.DropFactory(ctx, ns)
+	}()
 
 	dlog.Debugf(ctx, "Cancelling watchers for namespace %s", ns)
 	for i := 0; i < watcherMax; i++ {
 
@@ -841,7 +841,7 @@ func (s *service) LookupDNS(ctx context.Context, request *rpc.DNSRequest) (respo
 			default:
 				result = rrs.String()
 			}
-			dlog.Debugf(ctx, "LookupDNS: %s %s -> %s", request.Name, qtn, result)
+			dlog.Debugf(ctx, "%s %s -> %s", request.Name, qtn, result)
 		}()
 	}
 
@@ -873,58 +873,64 @@ func (s *service) LookupDNS(ctx context.Context, request *rpc.DNSRequest) (respo
 			dlog.Errorf(ctx, "AgentsLookupDNS %s %s: %v", request.Name, qtn, err)
 		} else if rCode != state.RcodeNoAgents {
 			if len(rrs) == 0 {
-				dlog.Tracef(ctx, "LookupDNS on agents: %s %s -> %s", request.Name, qtn, dns2.RcodeToString[rCode])
+				dlog.Tracef(ctx, "agents: %s %s -> %s", request.Name, qtn, dns2.RcodeToString[rCode])
 			} else {
-				dlog.Tracef(ctx, "LookupDNS on agents: %s %s -> %s", request.Name, qtn, rrs)
+				dlog.Tracef(ctx, "agents: %s %s -> %s", request.Name, qtn, rrs)
 			}
 		}
 	}
 
 	if rCode == state.RcodeNoAgents {
-		client := s.state.GetClient(sessionID)
-		name := request.Name
-		restoreName := false
-		nDots := 0
-		if client != nil {
-			for _, c := range name {
-				if c == '.' {
-					nDots++
-				}
-			}
-			if nDots == 1 && client.Namespace != tmNamespace {
-				noSearchDomain = client.Namespace + "."
-				name += noSearchDomain
-				restoreName = true
+		rrs, rCode = s.lookupFromManager(ctx, sessionID, qType, request.Name, noSearchDomain)
+	}
+	return dnsproxy.ToRPC(rrs, rCode)
+}
+
+func (s *service) lookupFromManager(ctx context.Context, sessionID tunnel.SessionID, qType uint16, qName, noSearchDomain string) (dnsproxy.RRs, int) {
+	name := qName
+	client := s.state.GetClient(sessionID)
+	tmNamespace := managerutil.GetEnv(ctx).ManagerNamespace
+	restoreName := false
+	nDots := 0
+	if client != nil {
+		for _, c := range name {
+			if c == '.' {
+				nDots++
 			}
 		}
-		dlog.Tracef(ctx, "LookupDNS on traffic-manager: %s", name)
-		rrs, rCode, err = dnsproxy.Lookup(ctx, qType, name, noSearchDomain)
-		if err != nil {
-			// Could still be x.y.<client namespace>, but let's avoid x.<cluster domain>.<client namespace> and x.<client-namespace>.<client namespace>
-			if client != nil && nDots > 1 && client.Namespace != tmNamespace && !strings.HasSuffix(name, s.dotClusterDomain) && !hasDomainSuffix(name, client.Namespace) {
-				name += client.Namespace + "."
-				restoreName = true
-				dlog.Debugf(ctx, "LookupDNS on traffic-manager: %s", name)
-				rrs, rCode, err = dnsproxy.Lookup(ctx, qType, name, noSearchDomain)
-			}
-			if err != nil {
-				dlog.Tracef(ctx, "LookupDNS on traffic-manager: %s %s -> %s %s", request.Name, qtn, dns2.RcodeToString[rCode], err)
-				return nil, err
-			}
+		if nDots == 1 && client.Namespace != tmNamespace {
+			name += client.Namespace + "."
+			restoreName = true
 		}
-		if len(rrs) == 0 {
-			dlog.Tracef(ctx, "LookupDNS on traffic-manager: %s %s -> %s", request.Name, qtn, dns2.RcodeToString[rCode])
-		} else {
-			if restoreName {
-				dlog.Tracef(ctx, "LookupDNS on traffic-manager: restore %s to %s", name, request.Name)
-				for _, rr := range rrs {
-					rr.Header().Name = request.Name
-				}
+	}
+	dlog.Tracef(ctx, "traffic-manager: %s", name)
+	qtn := dns2.TypeToString[qType]
+	rrs, rCode, err := dnsproxy.Lookup(ctx, qType, name, noSearchDomain)
+	if err == nil && rCode == dns2.RcodeNameError {
+		// Could still be x.y.<client namespace>, but let's avoid x.<cluster domain>.<client namespace> and x.<client-namespace>.<client namespace>
+		if client != nil && nDots > 1 && client.Namespace != tmNamespace && !strings.HasSuffix(name, s.dotClusterDomain) && !hasDomainSuffix(name, client.Namespace) {
+			name += client.Namespace + "."
+			restoreName = true
+			dlog.Debugf(ctx, "traffic-manager: %s", name)
+			rrs, rCode, err = dnsproxy.Lookup(ctx, qType, name, noSearchDomain)
+		}
+	}
+	if err != nil {
+		dlog.Errorf(ctx, "traffic-manager: %s %s -> %s %s", qName, qtn, dns2.RcodeToString[rCode], err)
+		return nil, dns2.RcodeServerFailure
+	}
+	if len(rrs) == 0 {
+		dlog.Tracef(ctx, "traffic-manager: %s %s -> %s", qName, qtn, dns2.RcodeToString[rCode])
+	} else {
+		if restoreName {
+			dlog.Tracef(ctx, "traffic-manager: restore %s to %s", name, qName)
+			for _, rr := range rrs {
+				rr.Header().Name = qName
 			}
-			dlog.Tracef(ctx, "LookupDNS on traffic-manager: %s %s -> %s", request.Name, qtn, rrs)
 		}
+		dlog.Tracef(ctx, "traffic-manager: %s %s -> %s", qName, qtn, rrs)
 	}
-	return dnsproxy.ToRPC(rrs, rCode)
+	return rrs, rCode
 }
 
 func (s *service) AgentLookupDNSResponse(ctx context.Context, response *rpc.DNSAgentResponse) (*empty.Empty, error) {
 
@@ -9,6 +9,41 @@ The new `telepresence wiretap` command introduces a read-only form of an `interc
 Similar to an `ingest`, a `wiretap` will always enforce read-only status on all volume mounts, and since that makes the `wiretap` completely read-only, there's no limit to how many simultaneous wiretaps that can be served. In fact, a `wiretap` and an `intercept` on the same port can run simultaneously.
 </div>
 
+## Version 2.22.3 <span style="font-size: 16px;">(April  8)</span>
+## <div style="display:flex;"><img src="images/change.png" alt="change" style="width:30px;height:fit-content;"/><div style="display:flex;margin-left:7px;">The Windows install script will now install Telepresence to "%ProgramFiles%\telepresence"</div></div>
+<div style="margin-left: 15px">
+
+Telepresence is now installed into "%ProgramFiles%\telepresence" instead of "C:\telepresence".
+The directory and the Path entry for  `C:\telepresence` are not longer used and should be removed.
+</div>
+
+## <div style="display:flex;"><img src="images/bugfix.png" alt="bugfix" style="width:30px;height:fit-content;"/><div style="display:flex;margin-left:7px;">[The Windows install script didn't handle upgrades properly](https://github.com/telepresenceio/telepresence/issues/3827)</div></div>
+<div style="margin-left: 15px">
+
+The following changes were made:
+
+  - The script now requires administrator privileges
+  - The Path environment is only updated when there's a need for it
+</div>
+
+## <div style="display:flex;"><img src="images/bugfix.png" alt="bugfix" style="width:30px;height:fit-content;"/><div style="display:flex;margin-left:7px;">[The Telepresence Helm chart could not be used as a dependency in another chart.](https://github.com/telepresenceio/telepresence/issues/3833)</div></div>
+<div style="margin-left: 15px">
+
+The JSON schema validation implemented in Telepresence 2.22.0 had a defect: it rejected the `global` object. This object, a Helm-managed construct, facilitates the propagation of arbitrary configurations from a parent chart to its dependencies. Consequently, charts intended for dependency use must permit the presence of the `global` object.
+</div>
+
+## <div style="display:flex;"><img src="images/bugfix.png" alt="bugfix" style="width:30px;height:fit-content;"/><div style="display:flex;margin-left:7px;">[Recreating namespaces was not possible when using a dynamically namespaced Traffic Manager](https://github.com/telepresenceio/telepresence/issues/3831)</div></div>
+<div style="margin-left: 15px">
+
+A shared informer was sometimes reused when namespaces were removed and then later added again, leading to errors like "handler ... was not added to shared informer because it has stopped already".
+</div>
+
+## <div style="display:flex;"><img src="images/bugfix.png" alt="bugfix" style="width:30px;height:fit-content;"/><div style="display:flex;margin-left:7px;">Single label name DNS lookups didn't work unless at least one traffic-agent was installed</div></div>
+<div style="margin-left: 15px">
+
+A problem with incorrect handling of single label names in the traffic-manager's DNS resolver was fixed. The problem would cause lookups like `curl echo` to fail, even though telepresence was connected to a namespace containing an "echo" service, unless at least one of the workloads in the connected namespace had a traffic-agent.
+</div>
+
 ## Version 2.22.2 <span style="font-size: 16px;">(March 28)</span>
 ## <div style="display:flex;"><img src="images/bugfix.png" alt="bugfix" style="width:30px;height:fit-content;"/><div style="display:flex;margin-left:7px;">[Panic when using telepresence replace in a IPv6-only cluster](https://github.com/telepresenceio/telepresence/issues/3828)</div></div>
 <div style="margin-left: 15px">
 
@@ -15,6 +15,41 @@ The new `telepresence wiretap` command introduces a read-only form of an `interc
 Similar to an `ingest`, a `wiretap` will always enforce read-only status on all volume mounts, and since that makes the `wiretap` completely read-only, there's no limit to how many simultaneous wiretaps that can be served. In fact, a `wiretap` and an `intercept` on the same port can run simultaneously.
   </Body>
 </Note>
+## Version 2.22.3 <span style={{fontSize:'16px'}}>(April  8)</span>
+<Note>
+	<Title type="change">The Windows install script will now install Telepresence to "%ProgramFiles%\telepresence"</Title>
+	<Body>
+Telepresence is now installed into "%ProgramFiles%\telepresence" instead of "C:\telepresence".
+The directory and the Path entry for  `C:\telepresence` are not longer used and should be removed.
+  </Body>
+</Note>
+<Note>
+	<Title type="bugfix" docs="https://github.com/telepresenceio/telepresence/issues/3827">The Windows install script didn't handle upgrades properly</Title>
+	<Body>
+The following changes were made:
+
+  - The script now requires administrator privileges
+  - The Path environment is only updated when there's a need for it
+  </Body>
+</Note>
+<Note>
+	<Title type="bugfix" docs="https://github.com/telepresenceio/telepresence/issues/3833">The Telepresence Helm chart could not be used as a dependency in another chart.</Title>
+	<Body>
+The JSON schema validation implemented in Telepresence 2.22.0 had a defect: it rejected the `global` object. This object, a Helm-managed construct, facilitates the propagation of arbitrary configurations from a parent chart to its dependencies. Consequently, charts intended for dependency use must permit the presence of the `global` object.
+  </Body>
+</Note>
+<Note>
+	<Title type="bugfix" docs="https://github.com/telepresenceio/telepresence/issues/3831">Recreating namespaces was not possible when using a dynamically namespaced Traffic Manager</Title>
+	<Body>
+A shared informer was sometimes reused when namespaces were removed and then later added again, leading to errors like "handler ... was not added to shared informer because it has stopped already".
+  </Body>
+</Note>
+<Note>
+	<Title type="bugfix">Single label name DNS lookups didn't work unless at least one traffic-agent was installed</Title>
+	<Body>
+A problem with incorrect handling of single label names in the traffic-manager's DNS resolver was fixed. The problem would cause lookups like `curl echo` to fail, even though telepresence was connected to a namespace containing an "echo" service, unless at least one of the workloads in the connected namespace had a traffic-agent.
+  </Body>
+</Note>
 ## Version 2.22.2 <span style={{fontSize:'16px'}}>(March 28)</span>
 <Note>
 	<Title type="bugfix" docs="https://github.com/telepresenceio/telepresence/issues/3828">Panic when using telepresence replace in a IPv6-only cluster</Title>
 
@@ -39,7 +39,7 @@ require (
 	github.com/stretchr/testify v1.10.0
 	github.com/telepresenceio/go-fuseftp v0.6.6
 	github.com/telepresenceio/go-fuseftp/rpc v0.6.6
-	github.com/telepresenceio/telepresence/rpc/v2 v2.22.2
+	github.com/telepresenceio/telepresence/rpc/v2 v2.22.3
 	github.com/vishvananda/netlink v1.3.0
 	golang.org/x/net v0.37.0
 	golang.org/x/sys v0.31.0
 
@@ -118,6 +118,19 @@ func (s *dockerDaemonSuite) Test_DockerDaemon_daemonHostNotConflict() {
 	s.TelepresenceConnect(ctx)
 }
 
+func (s *dockerDaemonSuite) Test_DockerDaemon_singleNameLookup() {
+	ctx := s.Context()
+	const svc = "echo-easy"
+	s.ApplyApp(ctx, svc, "deploy/"+svc)
+	defer s.DeleteSvcAndWorkload(ctx, "deploy", svc)
+	out := s.TelepresenceConnect(ctx, "--docker", "--", itest.GetExecutable(ctx), "curl", "--silent", "--max-time", "1", svc)
+	s.Contains(out, "Request served by "+svc)
+	so, err := itest.TelepresenceStatus(ctx)
+	s.NoError(err)
+	s.Nil(so.ContainerizedDaemon)
+	s.False(so.UserDaemon.Running)
+}
+
 func (s *dockerDaemonSuite) Test_DockerDaemon_cacheFiles() {
 	ctx := s.Context()
 	rq := s.Require()