feat(cubeproxy): add plaintext gRPC ingress on port 9090#837
Open
xiaojunxiang2023 wants to merge 1 commit into
Open
feat(cubeproxy): add plaintext gRPC ingress on port 9090#837xiaojunxiang2023 wants to merge 1 commit into
xiaojunxiang2023 wants to merge 1 commit into
Conversation
Expose a dedicated HTTP/2 listener so clients can dial the proxy IP directly and route via :authority "<container_port>-<sandbox_id>" without DNS. Wire the listener through one-click deploy (CUBE_PROXY_GRPC_PORT), systemd postcheck, release bundle templating, and TKE CLB exposure. Document the access mode alongside existing Host and path-based routing. Add examples/grpc-ingress for native gRPC client usage. Rebased on master after TencentCloud#705 (cube-lifecycle-manager). Addresses review feedback from the closed TencentCloud#679: CLB security group for 9090, grpc_buffering off, client IP forwarding, and specify-protocol in internal mode. Signed-off-by: xiaojunxiang <xiaojunxiang@kingsoft.com>
5fd9098 to
f728c99
Compare
Contributor
Author
|
@chenhengqi hi~, #705 is merged — I've rebased the gRPC ingress work from #679 onto master and opened a new PR. Same feature, CLM conflicts fixed, plus the review items from #679. Would appreciate a look when you can. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add a plaintext HTTP/2 gRPC ingress listener on CubeProxy (default port
9090) so clients can reach sandbox gRPC services without wildcard DNS or TLS on CubeProxy.Clients dial the CubeProxy IP and identify the target sandbox via the gRPC
:authoritypseudo-header, using the same<container_port>-<sandbox_id>format as host-based HTTP routing.This supersedes the closed #679, rebased on current
masterafter #705 (cube-lifecycle-manager). Review feedback from #679 is addressed:9090opened on the CLB security group (not jumpserver)grpc_buffering offfor streaming RPCsgrpc_set_headerfor client IP forwardingspecify-protocolincludes9090in both public and internal CLB modesChanges
CubeProxy/nginx.confgrpc_backendupstream and HTTP/2 server block on port9090CubeProxy/Dockerfile9090CUBE_PROXY_GRPC_PORTtemplating, startup/postcheck,env.example9090https-and-domain.md; port/config innetwork-hardening.md,self-build-deploy.md,service-management.mdtest_runtime_file_safety.shfor gRPC postcheck portexamples/grpc-ingress/for native gRPC client usageMotivation
CubeProxy already supports sandbox ingress via:
<container_port>-<sandbox_id>.<domain>on ports 80/443/sandbox/<sandbox_id>/<container_port>/...gRPC clients often cannot rely on wildcard DNS or custom TLS. A dedicated plaintext HTTP/2 listener lets them connect directly to the CubeProxy IP.
Usage
Example:
See
docs/guide/https-and-domain.mdandexamples/grpc-ingress/for details.Configuration
CUBE_PROXY_GRPC_PORT9090Test plan
bash deploy/one-click/tests/test_runtime_file_safety.sh(local macOS) — PASSManual verification (operator):
ss -lntshows9090on cube-proxy nodeexamples/grpc-ingress/grpc_plaintext.pyagainst a live cluster9090and security group allows inbound TCP/9090