grpc reverse proxy

Author: janekbaraniewski

cmd/agent/container/credentials_server.go

@@ -13,11 +13,13 @@ import (
 	"github.com/loft-sh/devpod/pkg/agent/tunnel"
 	"github.com/loft-sh/devpod/pkg/agent/tunnelserver"
 	"github.com/loft-sh/devpod/pkg/credentials"
+	locald "github.com/loft-sh/devpod/pkg/daemon/local"
 	"github.com/loft-sh/devpod/pkg/dockercredentials"
 	"github.com/loft-sh/devpod/pkg/gitcredentials"
 	"github.com/loft-sh/devpod/pkg/gitsshsigning"
 	"github.com/loft-sh/devpod/pkg/netstat"
 	portpkg "github.com/loft-sh/devpod/pkg/port"
+	"github.com/loft-sh/devpod/pkg/ts"
 	"github.com/loft-sh/log"
 	"github.com/spf13/cobra"
 )
@@ -69,10 +71,23 @@ func NewCredentialsServerCmd(flags *flags.GlobalFlags) *cobra.Command {
 
 // Run runs the command logic
 func (cmd *CredentialsServerCmd) Run(ctx context.Context, port int) error {
+	var tunnelClient tunnel.TunnelClient
+	var err error
+
 	// create a grpc client
-	tunnelClient, err := tunnelserver.NewTunnelClient(os.Stdin, os.Stdout, true, ExitCodeIO)
-	if err != nil {
-		return fmt.Errorf("error creating tunnel client: %w", err)
+	// if we have client address, lets use the http client
+	if cmd.Client != "" {
+		address := ts.EnsureURL(cmd.Client, locald.LocalCredentialsServerPort)
+		tunnelClient, err = tunnelserver.NewHTTPTunnelClient(address)
+		if err != nil {
+			return fmt.Errorf("error creating tunnel client: %w", err)
+		}
+	} else {
+		// otherwise we fallback to stdio client
+		tunnelClient, err = tunnelserver.NewTunnelClient(os.Stdin, os.Stdout, true, ExitCodeIO)
+		if err != nil {
+			return fmt.Errorf("error creating tunnel client: %w", err)
+		}
 	}
 
 	// this message serves as a ping to the client

go.mod

@@ -50,6 +50,7 @@ require (
 	github.com/rhysd/go-github-selfupdate v1.2.3
 	github.com/sirupsen/logrus v1.9.3
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
+	github.com/soheilhy/cmux v0.1.5
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
 	github.com/takama/daemon v1.0.0

go.sum

@@ -767,6 +767,7 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=

pkg/agent/tunnelserver/client.go

@@ -10,6 +10,7 @@ import (
 	"github.com/loft-sh/devpod/pkg/stdio"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/resolver"
 )
 
@@ -36,23 +37,58 @@ func NewTunnelClient(reader io.Reader, writer io.WriteCloser, exitOnClose bool,
 	return c, nil
 }
 
-// NewTunnelClient creates a gRPC tunnel client that connects via the Unix domain socket,
-// using the shared dialer from the network package.
-func NewHTTPTunnelClient(_ io.Reader, _ io.WriteCloser, _ bool, _ int) (tunnel.TunnelClient, error) {
-	// After moving from deprecated grpc.Dial to grpc.NewClient we need to setup resolver first
-	// https://github.com/grpc/grpc-go/issues/1786#issuecomment-2119088770
+func NewHTTPTunnelClient(localServerAddr string) (tunnel.TunnelClient, error) {
+	// Set the default resolver scheme.
 	resolver.SetDefaultScheme("passthrough")
 
-	// Set up a connection to the server.
-	conn, err := grpc.NewClient("",
+	// Create a unary interceptor to attach the metadata.
+	unaryInterceptor := func(
+		ctx context.Context,
+		method string,
+		req, reply interface{},
+		cc *grpc.ClientConn,
+		invoker grpc.UnaryInvoker,
+		opts ...grpc.CallOption,
+	) error {
+		// Create new metadata with the required headers.
+		md := metadata.New(map[string]string{
+			"X-LOFT-TARGET": localServerAddr,
+			"X-TARGET-PORT": "9999",
+		})
+		// Add this metadata to the outgoing context.
+		ctx = metadata.NewOutgoingContext(ctx, md)
+		return invoker(ctx, method, req, reply, cc, opts...)
+	}
+
+	// Create a stream interceptor to attach the metadata.
+	streamInterceptor := func(
+		ctx context.Context,
+		desc *grpc.StreamDesc,
+		cc *grpc.ClientConn,
+		method string,
+		streamer grpc.Streamer,
+		opts ...grpc.CallOption,
+	) (grpc.ClientStream, error) {
+		md := metadata.New(map[string]string{
+			"X-LOFT-TARGET": localServerAddr,
+			"X-TARGET-PORT": "9999",
+		})
+		ctx = metadata.NewOutgoingContext(ctx, md)
+		return streamer(ctx, desc, cc, method, opts...)
+	}
+
+	// Set up a connection to the server using the shared dialer.
+	conn, err := grpc.NewClient(localServerAddr,
 		grpc.WithTransportCredentials(insecure.NewCredentials()),
 		grpc.WithContextDialer(network.GetContextDialer()),
+		grpc.WithUnaryInterceptor(unaryInterceptor),
+		grpc.WithStreamInterceptor(streamInterceptor),
 	)
 	if err != nil {
 		return nil, err
 	}
 
+	// Create and return the TunnelClient using the generated proto.
 	c := tunnel.NewTunnelClient(conn)
-
 	return c, nil
 }

pkg/agent/tunnelserver/tunnelserver.go

@@ -6,6 +6,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net"
 	"os"
 	"path/filepath"
@@ -23,13 +24,27 @@ import (
 	"github.com/loft-sh/devpod/pkg/netstat"
 	"github.com/loft-sh/devpod/pkg/platform"
 	provider2 "github.com/loft-sh/devpod/pkg/provider"
+	"github.com/loft-sh/devpod/pkg/stdio"
 	"github.com/loft-sh/log"
 	"github.com/moby/patternmatcher/ignorefile"
 	perrors "github.com/pkg/errors"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/reflection"
 )
 
+// GetListener returns correct listener for services server - either stdio or tcp
+func GetListener(client string, reader io.Reader, writer io.WriteCloser, exitOnClose bool) (net.Listener, error) {
+	if client == "" {
+		return stdio.NewStdioListener(reader, writer, exitOnClose), nil
+	}
+	listener, err := net.Listen("tcp", ":4795") // FIXME
+	if err != nil {
+		return nil, err
+	}
+	defer listener.Close()
+	return listener, nil
+}
+
 func RunServicesServer(ctx context.Context, lis net.Listener, allowGitCredentials, allowDockerCredentials bool, forwarder netstat.Forwarder, workspace *provider2.Workspace, log log.Logger, options ...Option) error {
 	opts := append(options, []Option{
 		WithForwarder(forwarder),

pkg/daemon/local/credentials_proxy.go

@@ -3,25 +3,25 @@ package local
 import (
 	"context"
 	"fmt"
+	"io"
 	"net"
 	"net/http"
-	"net/http/httputil"
-	"net/url"
 	"time"
 
 	"github.com/loft-sh/log"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
 	"tailscale.com/tsnet"
 )
 
 const (
 	// Listen on this port via tsnet.
 	LocalCredentialsServerPort = 9999 // FIXME - use random prot
 	// Target server: local gRPC server running on port 5555.
-	TargetServer = "http://localhost:5555" // FIXME - get port from request
+	TargetServer = "http://localhost:4795" // FIXME - get port from request
 )
 
-// LocalCredentialsServerProxy acts as a reverse proxy that blindly forwards
-// all incoming traffic to the local gRPC server on port 5555.
 type LocalCredentialsServerProxy struct {
 	log      log.Logger
 	tsServer *tsnet.Server
@@ -30,16 +30,13 @@ type LocalCredentialsServerProxy struct {
 	srv *http.Server
 }
 
-// NewLocalCredentialsServerProxy initializes a new LocalCredentialsServerProxy.
 func NewLocalCredentialsServerProxy(tsServer *tsnet.Server, log log.Logger) (*LocalCredentialsServerProxy, error) {
 	return &LocalCredentialsServerProxy{
 		log:      log,
 		tsServer: tsServer,
 	}, nil
 }
 
-// Listen creates the tsnet listener and HTTP server,
-// and registers a catch-all handler that acts as the reverse proxy.
 func (s *LocalCredentialsServerProxy) Listen(ctx context.Context) error {
 	s.log.Info("Starting reverse proxy for local gRPC server")
 
@@ -51,67 +48,132 @@ func (s *LocalCredentialsServerProxy) Listen(ctx context.Context) error {
 	}
 	s.ln = ln
 
-	mux := http.NewServeMux()
-	mux.HandleFunc("/", s.handleReverseProxy)
+	serverOpts := []grpc.ServerOption{
+		grpc.UnaryInterceptor(s.unaryProxyInterceptor),
+		grpc.StreamInterceptor(s.streamProxyInterceptor),
+	}
 
-	// Create the HTTP server.
-	s.srv = &http.Server{
-		Handler: mux,
+	grpcServer := grpc.NewServer(serverOpts...)
+	s.log.Infof("gRPC reverse proxy listening on %s", fmt.Sprintf(":%d", LocalCredentialsServerPort))
+	if err := grpcServer.Serve(ln); err != nil {
+		s.log.Fatalf("failed to serve: %v", err)
 	}
+	return nil
+}
 
-	go func() {
-		<-ctx.Done()
-		s.log.Info("Context canceled, shutting down reverse proxy")
-		shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-		defer cancel()
-		if err := s.srv.Shutdown(shutdownCtx); err != nil {
-			s.log.Errorf("Error shutting down reverse proxy: %v", err)
-		}
-	}()
+func (s *LocalCredentialsServerProxy) unaryProxyInterceptor(
+	ctx context.Context,
+	req interface{},
+	info *grpc.UnaryServerInfo,
+	handler grpc.UnaryHandler,
+) (interface{}, error) {
+	s.log.Infof("Start unary proxy interceptor - %v \n", info)
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return nil, status.Errorf(400, "missing metadata")
+	}
 
-	s.log.Infof("Reverse proxy listening on tsnet port %d", LocalCredentialsServerPort)
-	err = s.srv.Serve(ln)
-	if err != nil && err != http.ErrServerClosed {
-		s.log.Errorf("Reverse proxy error: %v", err)
-		return err
+	// Retrieve target headers.
+	targetHosts := md.Get("x-target-host")
+	targetPorts := md.Get("x-target-port")
+	if len(targetHosts) == 0 || len(targetPorts) == 0 {
+		return nil, status.Errorf(400, "missing x-target-host or x-target-port metadata")
 	}
+	targetAddr := fmt.Sprintf("%s:%s", targetHosts[0], targetPorts[0])
+	s.log.Infof("Proxying unary call %q to target %s", info.FullMethod, targetAddr)
 
-	return nil
+	// Establish connection to the target server.
+	conn, err := grpc.Dial(targetAddr, grpc.WithInsecure())
+	if err != nil {
+		return nil, status.Errorf(503, "failed to dial target %s: %v", targetAddr, err)
+	}
+	defer conn.Close()
+
+	var resp interface{}
+	// Forward the call.
+	err = conn.Invoke(ctx, info.FullMethod, req, &resp)
+	if err != nil {
+		return nil, status.Errorf(500, "error invoking target: %v", err)
+	}
+	return resp, nil
 }
 
-// handleReverseProxy forwards every request to the target gRPC server.
-func (s *LocalCredentialsServerProxy) handleReverseProxy(w http.ResponseWriter, r *http.Request) {
-	s.log.Infof("Forwarding request %s %s to target server", r.Method, r.URL.String())
+func (s *LocalCredentialsServerProxy) streamProxyInterceptor(
+	srv interface{},
+	ss grpc.ServerStream,
+	info *grpc.StreamServerInfo,
+	handler grpc.StreamHandler,
+) error {
+	s.log.Infof("Start stream proxy interceptor - %v \n", info)
+	// Extract incoming metadata.
+	md, ok := metadata.FromIncomingContext(ss.Context())
+	if !ok {
+		return status.Errorf(400, "missing metadata")
+	}
+
+	// Retrieve target metadata.
+	targetHosts := md.Get("x-target-host")
+	targetPorts := md.Get("x-target-port")
+	if len(targetHosts) == 0 || len(targetPorts) == 0 {
+		return status.Errorf(400, "missing x-target-host or x-target-port metadata")
+	}
+	targetAddr := fmt.Sprintf("%s:%s", targetHosts[0], targetPorts[0])
+	s.log.Infof("Proxying streaming call %q to target %s", info.FullMethod, targetAddr)
 
-	// Parse the target URL.
-	targetURL, err := url.Parse(TargetServer)
+	// Dial the target server.
+	conn, err := grpc.Dial(targetAddr, grpc.WithInsecure())
 	if err != nil {
-		s.log.Errorf("Error parsing target URL %s: %v", TargetServer, err)
-		http.Error(w, "Bad Gateway", http.StatusBadGateway)
-		return
+		return status.Errorf(503, "failed to dial target %s: %v", targetAddr, err)
 	}
+	defer conn.Close()
 
-	// Create the reverse proxy.
-	proxy := httputil.NewSingleHostReverseProxy(targetURL)
+	// Create a new context for the client stream and attach metadata.
+	clientCtx := metadata.NewOutgoingContext(ss.Context(), md)
 
-	// Customize the director to forward the Host header to the target.
-	originalDirector := proxy.Director
-	proxy.Director = func(req *http.Request) {
-		originalDirector(req)
-		req.Host = targetURL.Host
+	clientStream, err := conn.NewStream(clientCtx, &grpc.StreamDesc{
+		ServerStreams: info.IsServerStream,
+		ClientStreams: info.IsClientStream,
+	}, info.FullMethod)
+	if err != nil {
+		return status.Errorf(500, "failed to create stream to target: %v", err)
 	}
 
-	// Use an error handler to log any errors that occur.
-	proxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
-		s.log.Errorf("Reverse proxy error: %v", err)
-		http.Error(w, "Bad Gateway", http.StatusBadGateway)
-	}
+	errChan := make(chan error, 2)
+	go func() {
+		for {
+			var msg interface{}
+			if err := ss.RecvMsg(&msg); err != nil {
+				errChan <- err
+				return
+			}
+			if err := clientStream.SendMsg(msg); err != nil {
+				errChan <- err
+				return
+			}
+		}
+	}()
 
-	// Forward the request.
-	proxy.ServeHTTP(w, r)
+	go func() {
+		for {
+			var msg interface{}
+			if err := clientStream.RecvMsg(&msg); err != nil {
+				errChan <- err
+				return
+			}
+			if err := ss.SendMsg(msg); err != nil {
+				errChan <- err
+				return
+			}
+		}
+	}()
+
+	err = <-errChan
+	if err == io.EOF {
+		return nil
+	}
+	return err
 }
 
-// Close gracefully shuts down the reverse proxy.
 func (s *LocalCredentialsServerProxy) Close() error {
 	s.log.Info("Closing reverse proxy")
 	if s.srv != nil {