golang http proxy

Author: aleoli

.github/workflows/integration.yml

@@ -99,9 +99,6 @@ jobs:
         id: set-architectures
         run: |
           ARCHITECTURES=${{ needs.configure.outputs.architectures }}
-          if [ "${{ matrix.component }}" == "proxy" ]; then
-            ARCHITECTURES=$(echo ${ARCHITECTURES} | sed 's/,linux\/arm\/v7//')
-          fi
           echo "ARCHITECTURES=${ARCHITECTURES}" >> $GITHUB_ENV
       - name: Set up QEMU
         uses: docker/[email protected]

build/proxy/Dockerfile

@@ -0,0 +1,16 @@
+// Copyright 2019-2024 The Liqo Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package proxy contains the logic for the Liqo proxy.
+package main

cmd/proxy/doc.go

@@ -0,0 +1,42 @@
+// Copyright 2019-2024 The Liqo Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"context"
+	"flag"
+	"os"
+
+	"k8s.io/klog/v2"
+
+	"github.com/liqotech/liqo/pkg/proxy"
+)
+
+func main() {
+	ctx := context.Background()
+
+	port := flag.Int("port", 8080, "port to listen on")
+	allowedHosts := flag.String("allowed-hosts", "", "comma separated list of allowed hosts")
+	forceHost := flag.String("force-host", "", "force the server Host to this value")
+
+	flag.Parse()
+
+	p := proxy.New(*allowedHosts, *port, *forceHost)
+
+	if err := p.Start(ctx); err != nil {
+		klog.Error(err)
+		os.Exit(1)
+	}
+}

cmd/proxy/main.go

@@ -36,23 +36,17 @@ spec:
           ports:
           - containerPort: {{ .Values.proxy.config.listeningPort }}
           resources: {{- toYaml .Values.proxy.pod.resources | nindent 12 }}
-          volumeMounts:
-          - mountPath: /etc/envoy/envoy.yaml
-            name: config-volume
-            subPath: config
-          {{- if or .Values.common.extraArgs .Values.proxy.pod.extraArgs }}
           args:
+          - --port={{ .Values.proxy.config.listeningPort }}
+          - --force-host=kubernetes.default.svc:443
+          {{- if or .Values.common.extraArgs .Values.proxy.pod.extraArgs }}
           {{- if .Values.common.extraArgs }}
           {{- toYaml .Values.common.extraArgs | nindent 10 }}
           {{- end }}
           {{- if .Values.proxy.pod.extraArgs }}
           {{- toYaml .Values.proxy.pod.extraArgs | nindent 10 }}
           {{- end }}
           {{- end }}
-      volumes:
-      - name: config-volume
-        configMap:
-          name: {{ include "liqo.prefixedName" $proxyConfig }}
       {{- if ((.Values.common).nodeSelector) }}
       nodeSelector:
       {{- toYaml .Values.common.nodeSelector | nindent 8 }}

deployments/liqo/templates/liqo-proxy-configmap.yaml

@@ -8,7 +8,7 @@ This feature is **internally** used by the [in-band peering](UsagePeeringInBand)
 If you just need to peer two clusters without publicly exposing the Kubernetes API server, you can use the [in-band peering](UsagePeeringInBand).
 ```
 
-The Kubernetes API Server Proxy is an Envoy HTTP server that accepts [HTTP Connect](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/CONNECT) requests and forwards them to the Kubernetes API Server of the local cluster.
+The Kubernetes API Server Proxy is an HTTP server that accepts [HTTP Connect](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/CONNECT) requests and forwards them to the Kubernetes API Server of the local cluster.
 It just proxy the requests to the API server and it has no permission on the local cluster.
 This means that, as usual, all the requesters must authenticate with the Kubernetes API Server to access the resources.
 

deployments/liqo/templates/liqo-proxy-deployment.yaml

@@ -0,0 +1,112 @@
+// Copyright 2019-2024 The Liqo Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package proxy
+
+import (
+	"bufio"
+	"io"
+	"net"
+	"net/http"
+	"time"
+
+	"k8s.io/klog/v2"
+)
+
+func (p *Proxy) handleConnect(c net.Conn) {
+	br := bufio.NewReader(c)
+	req, err := http.ReadRequest(br)
+	if err != nil {
+		klog.Errorf("error reading request: %v", err)
+		return
+	}
+
+	if req.Method != http.MethodConnect {
+		response := &http.Response{
+			StatusCode: http.StatusMethodNotAllowed,
+			ProtoMajor: 1,
+			ProtoMinor: 1,
+		}
+		if err := response.Write(c); err != nil {
+			klog.Errorf("error writing response: %v", err)
+		}
+		if err := c.Close(); err != nil {
+			klog.Errorf("error closing connection: %v", err)
+		}
+		return
+	}
+
+	if p.ForceHost == "" && !p.isAllowed(req.URL.Host) {
+		klog.Infof("host %s is not allowed", req.URL.Host)
+
+		response := &http.Response{
+			StatusCode: http.StatusForbidden,
+			ProtoMajor: 1,
+			ProtoMinor: 1,
+		}
+		if err := response.Write(c); err != nil {
+			klog.Errorf("error writing response: %v", err)
+		}
+		return
+	}
+
+	klog.Infof("handling CONNECT to %s", req.URL.Host)
+
+	response := &http.Response{
+		StatusCode: 200,
+		ProtoMajor: 1,
+		ProtoMinor: 1,
+	}
+	if err := response.Write(c); err != nil {
+		klog.Errorf("error writing response: %v", err)
+		if err := c.Close(); err != nil {
+			klog.Errorf("error closing connection: %v", err)
+		}
+		return
+	}
+
+	destConn, err := net.DialTimeout("tcp", p.getHost(req), 30*time.Second)
+	if err != nil {
+		klog.Errorf("error dialing destination: %v", err)
+
+		response := &http.Response{
+			StatusCode: http.StatusRequestTimeout,
+			ProtoMajor: 1,
+			ProtoMinor: 1,
+		}
+		if err := response.Write(c); err != nil {
+			klog.Errorf("error writing response: %v", err)
+		}
+		return
+	}
+
+	go transfer(destConn, c)
+	go transfer(c, destConn)
+}
+
+func (p *Proxy) getHost(req *http.Request) string {
+	if p.ForceHost != "" {
+		return p.ForceHost
+	}
+	return req.URL.Host
+}
+
+func transfer(destination io.WriteCloser, source io.ReadCloser) {
+	defer destination.Close()
+	defer source.Close()
+	_, err := io.Copy(destination, source)
+	if err != nil {
+		klog.Errorf("error copying data: %v", err)
+	}
+}

docs/advanced/k8s-api-server-proxy.md

@@ -0,0 +1,16 @@
+// Copyright 2019-2024 The Liqo Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package proxy contains the logic for the Liqo proxy.
+package proxy