chore: Add support for developing on non-local K8s via reverse tunnel (#399)

Signed-off-by: Jonathan West <jonwest@redhat.com>
Signed-off-by: Jonathan West <jgwest@users.noreply.github.com>
Co-authored-by: Jann Fischer <jann@mistrust.net>

Author: jgwest

hack/dev-env/reverse-tunnel/README.md

@@ -0,0 +1,62 @@
+# Reverse-proxy via rathole
+
+This folder contains shell scripts and Kubernetes resources to establish a reverse tunnel from the K8s cluster, back to your local development environment.
+
+Primarily this enables the resource-proxy feature when developing on remote K8s clusters, as Argo CD (running on vcluster-control-plane) is now able to tunnel to principal running locally.
+
+This also allows all the E2E tests to pass in this configuration. Previously, the resource proxy E2E tests were failing when running against a remote cluster.
+
+
+**NOTE**: The current implementation requires Service LoadBalancer support from K8s (which is available from, for example, Red Hat's 'clusterbot' service).
+
+The tunnel that is enabled is:
+* Argo CD 'server' workload  (on vcluster-control-plane) -> managed-agent cluster Secret (on vcluster-control-plane) -> rathole Deployment (on vcluster) -> rathole Container (running on local machine) -> argocd-agent 'principal' OS process (local machine)
+
+
+
+### How to enable
+
+To enable the configuration:
+
+```
+# Setup environment as usual
+make setup-e2e2
+
+# Installs Rathole Deployment/Services on vcluster, update 'managed-agent' cluster Secret to point to Rathole Deployment, and start local rathole container
+./hack/dev-env/reverse-tunnel/setup.sh
+
+```
+
+To test the configuration:
+
+```
+# Start E2E tests
+make start-e2e2
+```
+
+
+
+### Configuration
+
+Running 'setup-e2e2', followed by 'reverse-tunnel/setup.sh', enables this configuration:
+
+
+'vcluster-control-plane' vcluster (on k8s cluster):
+- argocd namespace:
+    - Argo CD workloads
+        - Argo CD Server (no change)
+        - Argo CD 'agent-managed' Cluster Secret
+            - `.data.server` field points to Service, `https://rathole-container-internal:9090?agentName=agent-managed`
+            - `.data.config` field is updated to enable insecure mode, and remove `caData` from TLS config
+    - K8s Service
+        - `rathole-container-internal`: internal service that directs traffic on port 9090 to `rathole` Deployment (below)
+
+    - Rathole:
+        - Deployment `rathole`:
+            - redirects traffic from argocd (above) to local rathole container (below)
+        - Service `rathole-container-external`: Redirect LoadBalancer to `rathole` Deployment (allows local machine to connect to cluster rathole)
+
+Running Locally:
+- Principal process (no change)
+    - resource-proxy: traffic is redirect from cluster rathole Deployment to here
+- `rathole` container: Ultimately redirects traffic from remote argocd server (via cluster rathole) to local resource-proxy in principal process

hack/dev-env/reverse-tunnel/client/client.toml

@@ -0,0 +1,15 @@
+# client.toml
+[client]
+remote_addr = "EXTERNAL-HOSTNAME:2333" # The address of the server. The port must be the same with the port in `server.bind_addr`
+
+[client.services.one]
+token = "AUTHENTICATION_TOKEN" # Must be the same with the server to pass the validation
+local_addr = "127.0.0.1:9090" # The address of the service that needs to be forwarded
+
+# Client Side Configuration
+[client.transport]
+type = "noise"
+
+[client.transport.noise]
+remote_public_key = "REMOTE_PUBLIC_KEY"
+

hack/dev-env/reverse-tunnel/client/run.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+SCRIPTPATH="$(
+  cd -- "$(dirname "$0")" >/dev/null 2>&1 || exit
+  pwd -P
+)"
+
+docker run --network host  --name rathole-proxy -it --rm -v "$SCRIPTPATH/client.toml:/app/config.toml" "quay.io/jgwest-redhat/rathole:latest@sha256:53999f80b69f9a5020e19e9c9be90fc34b973d9bd822d4fd44b968f2ebe0845f" --client /app/config.toml
+# Container image is built from 'rathole-image' directory
+
+# or, without docker:
+# 
+# rathole --client $SCRIPTPATH/config.toml
+

hack/dev-env/reverse-tunnel/rathole-image/artifacts/Dockerfile.new

@@ -0,0 +1,16 @@
+FROM rust:1.79-bookworm AS builder
+RUN apt update && apt install -y libssl-dev
+WORKDIR /home/rust/src
+COPY . .
+ARG FEATURES
+RUN cargo build --locked --release --features ${FEATURES:-default}
+RUN mkdir -p build-out/
+RUN cp target/release/rathole build-out/
+
+
+
+FROM gcr.io/distroless/cc-debian12
+WORKDIR /app
+COPY --from=builder /home/rust/src/build-out/rathole .
+USER 1000:1000
+ENTRYPOINT ["./rathole"]

hack/dev-env/reverse-tunnel/rathole-image/build-and-push.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Build and push a multi-arch docker container containing latest rathole release built from source.
+
+# I needed to run this first:
+# - docker buildx create --name mybuilder --driver docker-container --use
+# I'm on Linux x64 (Fedora)
+
+REPO=quay.io/jgwest-redhat
+
+set -ex
+
+SCRIPTPATH="$(
+    cd -- "$(dirname "$0")" >/dev/null 2>&1 || exit
+    pwd -P
+)"
+
+TEMP_DIR=$(mktemp -d)
+
+cd $TEMP_DIR
+git clone https://github.com/yujqiao/rathole
+
+cd rathole
+
+git checkout ebb764ae53d7ffe4fcb45f83f7563bec5c74199d  # v0.5.0
+
+cp $SCRIPTPATH/artifacts/Dockerfile.new $TEMP_DIR/rathole/Dockerfile
+
+docker buildx build -t $REPO/rathole:latest --platform linux/amd64,linux/arm64 --push .
+

hack/dev-env/reverse-tunnel/server/deployment.yaml

@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: rathole-container
+spec:
+  replicas: 1
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app: rathole-container
+  template:
+    metadata:
+      labels:
+        app: rathole-container
+    spec:
+      containers:
+        - image: 'quay.io/jgwest-redhat/rathole:latest@sha256:53999f80b69f9a5020e19e9c9be90fc34b973d9bd822d4fd44b968f2ebe0845f' # built by rathole-image directory
+          name: rathole-container
+          ports:
+            - containerPort: 2333
+              protocol: TCP
+            - containerPort: 9090
+              protocol: TCP
+          command:
+            - /app/rathole
+          args:
+            - '--server'
+            - /config/server.toml
+          volumeMounts:
+            - name: config-volume
+              mountPath: /config
+      volumes:
+        - name: config-volume
+          secret:
+            secretName: rathole-container

hack/dev-env/reverse-tunnel/server/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - deployment.yaml
+  - service.yaml
+  - service-internal.yaml
+
+secretGenerator:
+  - name: rathole-container
+    files:
+      - server.toml

hack/dev-env/reverse-tunnel/server/server.toml

@@ -0,0 +1,14 @@
+# server.toml
+[server]
+bind_addr = "0.0.0.0:2333" # `2333` specifies the port that rathole listens for clients
+
+[server.services.one]
+token = "AUTHENTICATION_TOKEN" # Token that is used to authenticate the client for the service. Change to a arbitrary value.
+bind_addr = "0.0.0.0:9090" # `9090` specifies the port that exposes `one` to the Internet
+
+# Server Side Configuration
+[server.transport]
+type = "noise"
+
+[server.transport.noise]
+local_private_key = "LOCAL_PRIVATE_KEY"

hack/dev-env/reverse-tunnel/server/service-internal.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: rathole-container-internal
+spec:
+  ports:
+  - name: "9090"
+    port: 9090
+    targetPort: 9090
+    protocol: TCP
+  selector:
+    app: rathole-container

hack/dev-env/reverse-tunnel/server/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: rathole-container-external
+spec:
+  selector:
+    app: rathole-container
+  # type: NodePort
+  type: LoadBalancer
+  ports:
+    - protocol: TCP
+      name: "2333"
+      port: 2333 # The port the service listens on inside the cluster
+      targetPort: 2333 # The port your application is listening on in the pod
+#      nodePort: 30000 # The static port exposed on each node (optional, Kubernetes assigns if omitted)