Rebuild app fqdn based on inferred proxy public addr #52718
Conversation
avatus
added
the
no-changelog
avatus
force-pushed
the
avatus/web_proxy_addr
branch
from
62b3472 to
2d56b07
Compare
| // InferProxyPublicAddr tries to extract a proxyDNSName from a given fqdn and the list of proxy public addrs. | ||
| // If a proxyDNS name is not found, the default param will be returned. | ||
| func InferProxyPublicAddr(fqdn string, proxyDNSNames []string, defaultPublicAddr string) string { | ||
| if fqdn == "" || defaultPublicAddr == "" { | ||
| return defaultPublicAddr | ||
| } |
There was a problem hiding this comment.
Two questions:
- What is the source of
defaultPublicAddr? Does it come from app config spec or is calculated from some other values? - What are the implication of returning an empty string? Should we return an error here if the value is empty?
There was a problem hiding this comment.
the source is at the callsite. its up to the caller to pass in a default value, and if they pass in an empty string, it would be because they want to default to empty if the proxyDNSName cannot be inferred (i dont have a use case for it, but i dont think an error should be called here)
however, i wont die on this hill. tbh, the signature without any error is easier to deal with where this is called but, thats my only excuse
There was a problem hiding this comment.
Got it. From the name of the function, it seems like caller depends on the correct address to be inferred. As such, I would expect it to be explicitly return an inferred value or an error if it cant.
Alternatively, if we are sure that the empty return value is handeld at every call site, then maybe just explaining that in the comment would be ok too.
There was a problem hiding this comment.
Also please double check that if the we expect public_addr field from app spec to be not empty. I did a quick look and only found the value is checked to be a valid fqdn. I think whatever value this function returns, we should ensure the value is verified exactly as we do for the public_addr field.
| RequiresRequest: c.RequiresRequest, | ||
| Integration: app.GetIntegration(), | ||
| PermissionSets: permissionSets, | ||
| AlwaysUseProxyPublicAddr: app.GetAlwaysUseProxyPublicAddr(), |
There was a problem hiding this comment.
suggestion for the field name: useProxyPublicAddrAsFQDN so it conveys what the proxy public addr will be used for. Also a Godoc to explain that please.
There was a problem hiding this comment.
its not quite as simple as that name suggests, but i do agree my name isnt the best either.
whats actually happening is
"UseProxyPublicAddrFromThisRequestPrefixedWithAppNameAsFQDN" lol but that doesnt flow off the tongue
right now, our proxy allows multiple configured publicAddr, but for apps, unless they have a publicaddr specified explicitly, the apps public addr is just "appName.proxyPublicAddrs[0]".
however, this means if someone wants to access the app from some other proxyPublicAddr, they would have to then get redirected and authenticated with that publicaddr and all that yada yada yada.
I think I'll keep this field name but i will definitely expand upon the godoc for sure, also see here #52693 for more convo. maybe the field name will change there as well
There was a problem hiding this comment.
I think it is "always" that makes the name a bit controversial lol. Still think useProxyPublicAddrAsFQDN better suits here but I will let you decide on that. We add app name as prefix to that is an implementation detailed explained in a comment should suffice.
avatus
force-pushed
the
avatus/use_proxy_addr
branch
from
ab39323 to
6e528e2
Compare
avatus
force-pushed
the
avatus/web_proxy_addr
branch
from
2d56b07 to
34acece
Compare
avatus
force-pushed
the
avatus/use_proxy_addr
branch
from
6e528e2 to
2715530
Compare
avatus
force-pushed
the
avatus/web_proxy_addr
branch
from
34acece to
abcfcd8
Compare
avatus
force-pushed
the
avatus/use_proxy_addr
branch
from
2715530 to
2fa7b9d
Compare
avatus
force-pushed
the
avatus/web_proxy_addr
branch
from
abcfcd8 to
8660d82
Compare
avatus
force-pushed
the
avatus/use_proxy_addr
branch
from
2fa7b9d to
d317cc6
Compare
This allows web apps to be launched and authenticated from any registered proxy public addr. The web launcher will use the fqdn-only launch path for apps with this flag (AlwaysUseProxyPublicAddr).
avatus
force-pushed
the
avatus/web_proxy_addr
branch
from
8660d82 to
7cfc788
Compare
|
added steps to test in the description |
| @@ -35,3 +37,23 @@ func ClientIPFromConn(conn net.Conn) (string, error) { | |||
|
|
|||
| return clientIP, nil | |||
| } | |||
|
|
|||
| // InferProxyPublicAddr tries to extract a proxyDNSName from a given fqdn and the list of proxy public addrs. | |||
There was a problem hiding this comment.
| // InferProxyPublicAddr tries to extract a proxyDNSName from a given fqdn and the list of proxy public addrs. | |
| // InferProxyPublicAddr tries to extract a proxyDNSName from a given app FQDN and the list of proxy public addrs. |
I think this comment also warrant some more explanation on what each params field expects and how should the caller treat empty string return value.
| // InferProxyPublicAddr tries to extract a proxyDNSName from a given fqdn and the list of proxy public addrs. | ||
| // If a proxyDNS name is not found, the default param will be returned. | ||
| func InferProxyPublicAddr(fqdn string, proxyDNSNames []string, defaultPublicAddr string) string { | ||
| if fqdn == "" || defaultPublicAddr == "" { | ||
| return defaultPublicAddr | ||
| } |
There was a problem hiding this comment.
Got it. From the name of the function, it seems like caller depends on the correct address to be inferred. As such, I would expect it to be explicitly return an inferred value or an error if it cant.
Alternatively, if we are sure that the empty return value is handeld at every call site, then maybe just explaining that in the comment would be ok too.
| name: "Exact match", | ||
| fqdn: "proxy.example.com", | ||
| proxyDNSNames: []string{"proxy.example.com"}, | ||
| defaultPublicAddr: "default", |
There was a problem hiding this comment.
what is defaultPublicAddr. Is it the public_addr value from app spec?
Also can we use fqdn value instead of "default" string.
| RequiresRequest: c.RequiresRequest, | ||
| Integration: app.GetIntegration(), | ||
| PermissionSets: permissionSets, | ||
| AlwaysUseProxyPublicAddr: app.GetAlwaysUseProxyPublicAddr(), |
There was a problem hiding this comment.
I think it is "always" that makes the name a bit controversial lol. Still think useProxyPublicAddrAsFQDN better suits here but I will let you decide on that. We add app name as prefix to that is an implementation detailed explained in a comment should suffice.
| // InferProxyPublicAddr tries to extract a proxyDNSName from a given fqdn and the list of proxy public addrs. | ||
| // If a proxyDNS name is not found, the default param will be returned. | ||
| func InferProxyPublicAddr(fqdn string, proxyDNSNames []string, defaultPublicAddr string) string { | ||
| if fqdn == "" || defaultPublicAddr == "" { | ||
| return defaultPublicAddr | ||
| } |
There was a problem hiding this comment.
Also please double check that if the we expect public_addr field from app spec to be not empty. I did a quick look and only found the value is checked to be a valid fqdn. I think whatever value this function returns, we should ensure the value is verified exactly as we do for the public_addr field.
| @@ -121,7 +128,9 @@ type MakeAppsConfig struct { | |||
| // MakeApp creates an application object for the WebUI. | |||
| func MakeApp(app types.Application, c MakeAppsConfig) App { | |||
| labels := ui.MakeLabelsWithoutInternalPrefixes(app.GetAllLabels()) | |||
| fqdn := utils.AssembleAppFQDN(c.LocalClusterName, c.LocalProxyDNSName, c.AppClusterName, app) | |||
| proxyPublicAddr := utils.InferProxyPublicAddr(c.RequestHost, c.ProxyPublicAddrs, c.LocalProxyDNSName) | |||
There was a problem hiding this comment.
In this case, the value of c.RequestHost should always match one of the value in the ProxyPublicAddrs right? cause this request handled in the proxy itself.
Is it that if AlwaysUseProxyPublicAddr is true, can we directly use proxyPublicAddr = c.RequestHost ?
| fqdn := utils.AssembleAppFQDN(c.LocalClusterName, c.LocalProxyDNSName, c.AppClusterName, app) | ||
| proxyPublicAddr := utils.InferProxyPublicAddr(c.RequestHost, c.ProxyPublicAddrs, c.LocalProxyDNSName) | ||
|
|
||
| fqdn := utils.AssembleAppFQDN(c.LocalClusterName, proxyPublicAddr, c.AppClusterName, app) |
There was a problem hiding this comment.
Can we update TestMakeApps to cover that fqdn is derived as expected when AlwaysUseProxyPublicAddr is true/false?
This allows web apps to be launched and authenticated from any registered proxy public addr. The web launcher will use the fqdn-only launch path for apps with this flag (AlwaysUseProxyPublicAddr).
Requires #52693
to test:
in your proxy config, add a couple different public_addr. make sure your certs are valid for these domains
you can add
always_use_proxy_public_addrin your app spec. in the web UI, you should now see something like "appName.proxyPublicAddrYouAreOn" in the webUI on the app's card. this value should change depending on what proxy public addr you are on. also, when you authenticate the app, the destination should match that public addr. apps without these field set should work as expected (show the first public addr regardless of what proxy public addr youre on)