ipn/ipnlocal,tsd: add NoiseRoundTripper to tsd.Sys

Adds a new NoiseRoundTripper field to tsd.Sys
to expose an http.RoundTripper to make requests
over the control plane Noise connection.

This will be used in PAM use cases soon.

Updates tailscale/corp#41800

Signed-off-by: Adriano Sela Aviles <adriano@tailscale.com>

ipn/ipnlocal/local.go

@@ -536,6 +536,8 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, lo
 		needsCaptiveDetection: make(chan bool),
 	}
 
+	sys.NoiseRoundTripper.Set(noiseRoundTripper{b})
+
 	nb := newNodeBackend(ctx, b.logf, b.sys.Bus.Get())
 	b.currentNodeAtomic.Store(nb)
 	nb.ready()
@@ -7274,6 +7276,15 @@ func (b *LocalBackend) DoNoiseRequest(req *http.Request) (*http.Response, error)
 	return cc.DoNoiseRequest(req)
 }
 
+// noiseRoundTripper adapts LocalBackend.DoNoiseRequest to http.RoundTripper.
+type noiseRoundTripper struct {
+	lb *LocalBackend
+}
+
+func (n noiseRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	return n.lb.DoNoiseRequest(req)
+}
+
 // ActiveSSHConns returns the number of active SSH connections,
 // or 0 if SSH is not linked into the binary or available on the platform.
 func (b *LocalBackend) ActiveSSHConns() int {

tsd/tsd.go

@@ -20,6 +20,7 @@ package tsd
 import (
 	"crypto/x509"
 	"fmt"
+	"net/http"
 	"reflect"
 
 	"tailscale.com/control/controlknobs"
@@ -64,6 +65,10 @@ type System struct {
 	PolicyClient   SubSystem[policyclient.Client]
 	HealthTracker  SubSystem[*health.Tracker]
 
+	// NoiseRoundTripper, if set, provides an http.RoundTripper that
+	// sends requests over the control plane Noise connection.
+	NoiseRoundTripper SubSystem[http.RoundTripper]
+
 	// ExtraRootCAs, if non-nil, specifies additional trusted root CAs
 	// beyond the system roots. On Android, this includes user-installed
 	// CA certificates that Go's crypto/x509 does not see.