Merge pull request #10018 from jandubois/steve-dynamic-ports

Use dynamic ports for Steve to avoid conflicts with other software

Author: jandubois

.github/actions/spelling/expect.txt

@@ -641,6 +641,7 @@ toggleable
 togglefullscreen
 tonistiigi
 toolsets
+TOCTOU
 topmenu
 TQF
 traefik

background.ts

@@ -35,7 +35,7 @@ import { ImageEventHandler } from '@pkg/main/imageEvents';
 import { getIpcMainProxy } from '@pkg/main/ipcMain';
 import mainEvents from '@pkg/main/mainEvents';
 import buildApplicationMenu from '@pkg/main/mainmenu';
-import setupNetworking from '@pkg/main/networking';
+import setupNetworking, { setSteveCertPort } from '@pkg/main/networking';
 import { Snapshots } from '@pkg/main/snapshots/snapshots';
 import { Snapshot, SnapshotDialog } from '@pkg/main/snapshots/types';
 import { Tray } from '@pkg/main/tray';
@@ -45,6 +45,7 @@ import getCommandLineArgs from '@pkg/utils/commandLine';
 import dockerDirManager from '@pkg/utils/dockerDirManager';
 import { isDevEnv } from '@pkg/utils/environment';
 import Logging, { clearLoggingDirectory, setLogLevel } from '@pkg/utils/logging';
+import { getAvailablePorts } from '@pkg/utils/networks';
 import { fetchMacOsVersion, getMacOsVersion } from '@pkg/utils/osVersion';
 import paths from '@pkg/utils/paths';
 import { protocolsRegistered, setupProtocolHandlers } from '@pkg/utils/protocols';
@@ -227,10 +228,10 @@ Electron.app.whenReady().then(async() => {
     // Check for required OS versions and features
     await checkPrerequisites();
 
-    DashboardServer.getInstance().init();
-
     await setupNetworking();
 
+    DashboardServer.getInstance().init();
+
     try {
       deploymentProfiles = await readDeploymentProfiles();
     } catch (ex: any) {
@@ -1268,21 +1269,31 @@ function newK8sManager() {
 
   mgr.on('state-changed', async(state: K8s.State) => {
     try {
-      mainEvents.emit('k8s-check-state', mgr);
-
       if ([K8s.State.STARTED, K8s.State.DISABLED].includes(state)) {
         if (!cfg.kubernetes.version) {
           writeSettings({ kubernetes: { version: mgr.kubeBackend.version } });
         }
         currentImageProcessor?.relayNamespaces();
 
         if (enabledK8s) {
-          await Steve.getInstance().start();
+          try {
+            const [stevePort] = await getAvailablePorts(1);
+
+            console.log(`Steve HTTPS port: ${ stevePort }`);
+            // Set the Steve HTTPS port for certificate checking before setting
+            // up Steve itself.
+            setSteveCertPort(stevePort);
+            await Steve.getInstance().start(stevePort);
+            DashboardServer.getInstance().setStevePort(stevePort); // recreate proxy middleware
+          } catch (ex) {
+            console.error('Failed to start Steve:', ex);
+          }
         }
       }
 
-      // Notify UI after Steve is ready, so the dashboard button is only enabled
-      // when Steve can accept connections.
+      // Notify the tray and renderer after Steve is ready, so the dashboard
+      // button is only enabled when Steve can accept connections.
+      mainEvents.emit('k8s-check-state', mgr);
       window.send('k8s-check-state', state);
 
       if (state === K8s.State.STOPPING) {

pkg/rancher-desktop/assets/dependencies.yaml

@@ -13,7 +13,7 @@ dockerCompose: 5.1.1
 golangci-lint: 2.11.4
 trivy: 0.69.3
 steve: 0.1.0-beta9.1
-rancherDashboard: 2.11.1.rd3
+rancherDashboard: 2.11.1.rd4
 dockerProvidedCredentialHelpers: 0.9.5
 ECRCredentialHelper: 0.12.0
 mobyOpenAPISpec: "1.54"

pkg/rancher-desktop/backend/steve.ts

@@ -1,25 +1,25 @@
 import { ChildProcess, spawn } from 'child_process';
-import net from 'net';
 import os from 'os';
 import path from 'path';
 import { setTimeout } from 'timers/promises';
 
+import Electron from 'electron';
+
 import K3sHelper from '@pkg/backend/k3sHelper';
 import Logging from '@pkg/utils/logging';
 import paths from '@pkg/utils/paths';
 
-const STEVE_PORT = 9443;
-
 const console = Logging.steve;
 
 /**
- * @description Singleton that manages the lifecycle of the Steve API
+ * @description Singleton that manages the lifecycle of the Steve API.
  */
 export class Steve {
   private static instance: Steve;
   private process!:        ChildProcess;
 
   private isRunning: boolean;
+  private httpsPort = 0;
 
   private constructor() {
     this.isRunning = false;
@@ -40,8 +40,9 @@ export class Steve {
   /**
    * @description Starts the Steve API if one is not already running.
    * Returns only after Steve is ready to accept connections.
+   * @param httpsPort The HTTPS port for Steve to listen on.
    */
-  public async start() {
+  public async start(httpsPort: number) {
     const { pid } = this.process || { };
 
     if (this.isRunning && pid) {
@@ -50,6 +51,8 @@ export class Steve {
       return;
     }
 
+    this.httpsPort = httpsPort;
+
     const osSpecificName = /^win/i.test(os.platform()) ? 'steve.exe' : 'steve';
     const stevePath = path.join(paths.resources, os.platform(), 'internal', osSpecificName);
     const env = Object.assign({}, process.env);
@@ -68,6 +71,10 @@ export class Steve {
         path.join(paths.resources, 'rancher-dashboard'),
         '--offline',
         'true',
+        '--https-listen-port',
+        String(httpsPort),
+        '--http-listen-port',
+        '0', // Disable HTTP support; it does not work correctly anyway.
       ],
       { env },
     );
@@ -93,26 +100,22 @@ export class Steve {
       this.isRunning = false;
     });
 
-    try {
-      await new Promise<void>((resolve, reject) => {
-        this.process.once('spawn', () => {
-          this.isRunning = true;
-          console.debug(`Spawned child pid: ${ this.process.pid }`);
-          resolve();
-        });
-        this.process.once('error', (err) => {
-          reject(new Error(`Failed to spawn Steve: ${ err.message }`, { cause: err }));
-        });
+    await new Promise<void>((resolve, reject) => {
+      this.process.once('spawn', () => {
+        this.isRunning = true;
+        console.debug(`Spawned child pid: ${ this.process.pid }`);
+        resolve();
+      });
+      this.process.once('error', (err) => {
+        reject(new Error(`Failed to spawn Steve: ${ err.message }`, { cause: err }));
       });
+    });
 
-      await this.waitForReady();
-    } catch (ex) {
-      console.error(ex);
-    }
+    await this.waitForReady();
   }
 
   /**
-   * Wait for Steve to be ready to accept connections.
+   * Wait for Steve to be ready to serve API requests.
    */
   private async waitForReady(): Promise<void> {
     const maxAttempts = 60;
@@ -124,7 +127,7 @@ export class Steve {
       }
 
       if (await this.isPortReady()) {
-        console.debug(`Steve is ready after ${ attempt } attempt(s)`);
+        console.debug(`Steve is ready after ${ attempt } / ${ maxAttempts } attempt(s)`);
 
         return;
       }
@@ -136,26 +139,61 @@ export class Steve {
   }
 
   /**
-   * Check if Steve is accepting connections on its port.
+   * Check if Steve has finished initializing its API controllers.
+   * Steve accepts HTTP connections and responds to /v1 before its
+   * controllers have discovered all resource schemas from the K8s
+   * API server. The dashboard fails if schemas are incomplete, so
+   * we probe a core resource endpoint that returns 404 until the
+   * schema controller has registered it.
    */
   private isPortReady(): Promise<boolean> {
+    // Steve's HTTP port just redirects to HTTPS, so we might as well go to the
+    // HTTPS port directly.  We will need to ignore certificate errors; however,
+    // neither the NodeJS stack nor Electron.net.request() would pass through
+    // the `Electron.app.on('certificate-error', ...)` handler, so we cannot use
+    // the normal certificate handling for this health check.  Instead, we
+    // create a temporary session with a certificate verify proc that ignores
+    // errors, and use that session for the health check request.
     return new Promise((resolve) => {
-      const socket = new net.Socket();
-
-      socket.setTimeout(1000);
-      socket.once('connect', () => {
-        socket.destroy();
-        resolve(true);
+      const session = Electron.session.fromPartition('steve-healthcheck', { cache: false });
+
+      session.setCertificateVerifyProc((request, callback) => {
+        if (request.hostname === '127.0.0.1') {
+          // We do not have any more information to narrow down the certificate;
+          // given that we're doing this in a private partition, it should be
+          // safe to allow all localhost certificates.  In particular, we do not
+          // get access to the port number, and all the Steve certificates have
+          // generic fields (e.g. subject).
+          callback(0);
+        } else {
+          // Unexpected request; not sure how this could happen in a new session,
+          // but we can at least pretend to do the right thing.
+          callback(-3); // Use Chromium's default verification.
+        }
       });
-      socket.once('error', () => {
-        socket.destroy();
-        resolve(false);
+
+      const req = Electron.net.request({
+        protocol: 'https:',
+        hostname: '127.0.0.1',
+        port:     this.httpsPort,
+        path:     '/v1/namespaces',
+        method:   'GET',
+        redirect: 'error',
+        session,
       });
-      socket.once('timeout', () => {
-        socket.destroy();
+
+      req.on('response', (res) => resolve(res.statusCode === 200));
+      req.on('error', () => resolve(false));
+      // Timeout if we don't get a response in a reasonable time.
+      setTimeout(1_000).then(() => {
+        try {
+          req.abort();
+        } catch {
+          // ignore
+        }
         resolve(false);
       });
-      socket.connect(STEVE_PORT, '127.0.0.1');
+      req.end();
     });
   }
 

pkg/rancher-desktop/main/dashboardServer/index.ts

@@ -26,9 +26,28 @@ export class DashboardServer {
   private dashboardApp: Server = new Server();
   private host = '127.0.0.1';
   private port = 6120;
-  private api = 'https://127.0.0.1:9443';
+  private stevePort = 0;
+  private proxies:      Record<ProxyKeys, ReturnType<typeof createProxyMiddleware>> = Object.create(null);
 
-  private proxies = (() => {
+  /**
+   * Checks for an existing instance of Dashboard server.
+   * Instantiate a new one if it does not exist.
+   */
+  public static getInstance(): DashboardServer {
+    DashboardServer.instance ??= new DashboardServer();
+
+    return DashboardServer.instance;
+  }
+
+  /**
+   * Recreate proxy middleware instances with the current Steve URL as
+   * the target.  Each proxy must be created with a static `target` (not
+   * a dynamic `router`) because the onProxyReqWs callback in proxyUtils
+   * reads options.target to correct websocket paths — without a valid
+   * target URL, it destroys every websocket connection.
+   */
+  private createProxies() {
+    const api = `https://127.0.0.1:${ this.stevePort }`;
     const proxy: Record<ProxyKeys, Options> = {
       '/k8s':       proxyWsOpts, // Straight to a remote cluster (/k8s/clusters/<id>/)
       '/pp':        proxyWsOpts, // For (epinio) standalone API
@@ -42,20 +61,19 @@ export class DashboardServer {
       '/v1-*etc':   proxyOpts, // SAML, KDM, etc
     };
     const entries = Object.entries(proxy).map(([key, options]) => {
-      return [key, createProxyMiddleware({ ...options, target: this.api + key })] as const;
+      return [key, createProxyMiddleware({ ...options, target: api + key })] as const;
     });
 
-    return Object.fromEntries(entries);
-  })();
+    this.proxies = Object.fromEntries(entries) as typeof this.proxies;
+  }
 
   /**
-   * Checks for an existing instance of Dashboard server.
-   * Instantiate a new one if it does not exist.
+   * Update the Steve HTTPS port and recreate proxies with the new
+   * target.  Call this before each Steve start.
    */
-  public static getInstance(): DashboardServer {
-    DashboardServer.instance ??= new DashboardServer();
-
-    return DashboardServer.instance;
+  public setStevePort(stevePort: number) {
+    this.stevePort = stevePort;
+    this.createProxies();
   }
 
   /**
@@ -68,8 +86,22 @@ export class DashboardServer {
       return;
     }
 
+    // Consumed by Rancher Dashboard to discover Steve's dynamic HTTPS
+    // port.  Registered before the proxy routes so it is not captured
+    // by the /api proxy to Steve.
+    this.dashboardServer.get('/api/steve-port', (_req, res) => {
+      res.json({ port: this.stevePort });
+    });
+
+    // Register wrapper functions so that when createProxies() replaces
+    // this.proxies (on each Steve restart), express and the upgrade
+    // handler automatically use the new instances.  The call is safe: proxies
+    // are always created before the UI is notified that Kubernetes is ready,
+    // and the dashboard button is disabled until then.
     ProxyKeys.forEach((key) => {
-      this.dashboardServer.use(key, this.proxies[key]);
+      this.dashboardServer.use(key, (req, res, next) => {
+        return this.proxies[key] ? this.proxies[key](req, res, next) : next();
+      });
     });
 
     this.dashboardApp = this.dashboardServer
@@ -99,17 +131,17 @@ export class DashboardServer {
           return;
         }
 
-        if (req.url?.startsWith('/v1')) {
-          return this.proxies['/v1'].upgrade(req, socket, head);
-        } else if (req.url?.startsWith('/v3')) {
-          return this.proxies['/v3'].upgrade(req, socket, head);
-        } else if (req.url?.startsWith('/k8s/')) {
-          return this.proxies['/k8s'].upgrade(req, socket, head);
-        } else if (req.url?.startsWith('/api/')) {
-          return this.proxies['/api'].upgrade(req, socket, head);
-        } else {
-          console.log(`Unknown Web socket upgrade request for ${ req.url }`);
+        const upgradeKeys = new Set<ProxyKeys>(['/v1', '/v3', '/k8s', '/api']);
+        const key = Array.from(upgradeKeys).find((key) => {
+          return req.url === key || req.url?.startsWith(key + '/');
+        });
+
+        if (key && this.proxies[key]) {
+          return this.proxies[key].upgrade(req, socket, head);
         }
+
+        console.log(`Unknown WebSocket upgrade request for ${ req.url }`);
+        socket.destroy();
       });
   }