Skip to content

feat(cubeproxy): add plaintext gRPC ingress on port 9090#837

Open
xiaojunxiang2023 wants to merge 1 commit into
TencentCloud:masterfrom
xiaojunxiang2023:feat/cubeproxy-grpc-ingress
Open

feat(cubeproxy): add plaintext gRPC ingress on port 9090#837
xiaojunxiang2023 wants to merge 1 commit into
TencentCloud:masterfrom
xiaojunxiang2023:feat/cubeproxy-grpc-ingress

Conversation

@xiaojunxiang2023

@xiaojunxiang2023 xiaojunxiang2023 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

Add a plaintext HTTP/2 gRPC ingress listener on CubeProxy (default port 9090) so clients can reach sandbox gRPC services without wildcard DNS or TLS on CubeProxy.

Clients dial the CubeProxy IP and identify the target sandbox via the gRPC :authority pseudo-header, using the same <container_port>-<sandbox_id> format as host-based HTTP routing.

This supersedes the closed #679, rebased on current master after #705 (cube-lifecycle-manager). Review feedback from #679 is addressed:

  • Port 9090 opened on the CLB security group (not jumpserver)
  • grpc_buffering off for streaming RPCs
  • grpc_set_header for client IP forwarding
  • specify-protocol includes 9090 in both public and internal CLB modes

Changes

Area What
CubeProxy/nginx.conf Add grpc_backend upstream and HTTP/2 server block on port 9090
CubeProxy/Dockerfile Expose port 9090
One-click deploy CUBE_PROXY_GRPC_PORT templating, startup/postcheck, env.example
TKE CLB/service exposure and security group for port 9090
Docs gRPC access mode in https-and-domain.md; port/config in network-hardening.md, self-build-deploy.md, service-management.md
Tests Extend test_runtime_file_safety.sh for gRPC postcheck port
Examples examples/grpc-ingress/ for native gRPC client usage

Motivation

CubeProxy already supports sandbox ingress via:

  • Host mode: <container_port>-<sandbox_id>.<domain> on ports 80/443
  • Path mode: /sandbox/<sandbox_id>/<container_port>/...

gRPC clients often cannot rely on wildcard DNS or custom TLS. A dedicated plaintext HTTP/2 listener lets them connect directly to the CubeProxy IP.

Usage

dial: <cube-proxy-ip>:9090
:authority: <container_port>-<sandbox_id>

Example:

dial: 10.0.0.5:9090
:authority: 49983-abc123

See docs/guide/https-and-domain.md and examples/grpc-ingress/ for details.

Configuration

Variable Default Description
CUBE_PROXY_GRPC_PORT 9090 Plaintext gRPC (HTTP/2) listen port in one-click deploy

Test plan

  • bash deploy/one-click/tests/test_runtime_file_safety.sh (local macOS) — PASS
  • Same test suite on ubuntu22 test host — PASS
    Manual verification (operator):
  1. Deploy with one-click; confirm ss -lnt shows 9090 on cube-proxy node
  2. Run examples/grpc-ingress/grpc_plaintext.py against a live cluster
  3. (TKE) Confirm CLB exposes port 9090 and security group allows inbound TCP/9090

Expose a dedicated HTTP/2 listener so clients can dial the proxy IP
directly and route via :authority "<container_port>-<sandbox_id>"
without DNS.

Wire the listener through one-click deploy (CUBE_PROXY_GRPC_PORT),
systemd postcheck, release bundle templating, and TKE CLB exposure.
Document the access mode alongside existing Host and path-based routing.
Add examples/grpc-ingress for native gRPC client usage.

Rebased on master after TencentCloud#705 (cube-lifecycle-manager). Addresses review
feedback from the closed TencentCloud#679: CLB security group for 9090, grpc_buffering
off, client IP forwarding, and specify-protocol in internal mode.

Signed-off-by: xiaojunxiang <xiaojunxiang@kingsoft.com>
@xiaojunxiang2023 xiaojunxiang2023 force-pushed the feat/cubeproxy-grpc-ingress branch from 5fd9098 to f728c99 Compare July 9, 2026 06:27
@xiaojunxiang2023

Copy link
Copy Markdown
Contributor Author

@chenhengqi hi~, #705 is merged — I've rebased the gRPC ingress work from #679 onto master and opened a new PR. Same feature, CLM conflicts fixed, plus the review items from #679. Would appreciate a look when you can.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants