This repository include development shell (using nix develop) in which it is easy to test how apiserver-network-proxy components works and how to reuse them in own code.
clients/ dir contains example go implementation of grpc/tcp clients which dials into proxy server and pass net.Conn interface to private ns endpoint connection constructor. This article in my opinion is a good description of tunnel approach. Clients will be available in development shell as proxy-grpc and proxy-tcp.
services/ dir contains example rust implementation of grpc and tcp servers. They will be available in development shell as endpoint-grpc and endpoint-tcp.
┌─────────────────────────────┐ ┌─────────────────────────────┐
│ │ │ │
│ ┌────────────┐ │ │ ┌───────────┐ │
│ │proxy-server├────┼────────────────────tunnel (grpc / http)───────────────────┼─┤proxy-agent├──────┐ │
│ └───▲───▲────┘ │ │ └─────────┬─┘ │ │
│ │ │ │ ┌──────────────────────┐ ┌──────────────────────┐ │ │ │ │
│ │ │ │ │ │ │ │ │ │ ┌──────▼──────┐ │
│ ┌───────────┐ │ │ │ │ 10.10.10.1│ │10.10.10.2 │ │ │ │grpc-endpoint│ │
│ │grpc-client├─┘ │ x─────┼────┼────x x────┼───┼─────x x────┼────┼────x │ └─────────────┘ │
│ └───────────┘ │ 2.2.2.2│ │2.2.2.1 │ │ 192.168.1.1│ │192.168.1.2│ │
│ │ │ │ │ │ │ │ │ ┌─────────────┐ │
│ ┌───────────┐ │ │ │ netns rtr-pub │ │ netns rtr-priv │ │ └─►http-endpoint│ │
│ │http-client├─────┘ │ └──────────────────────┘ └──────────────────────┘ │ └─────────────┘ │
│ └───────────┘ │ │ │
│ │ │ │
│ netns public │ │ netns private │
└─────────────────────────────┘ └─────────────────────────────┘
Clone repo and enter directory
$ git clone https://github.com/michalskalski/demo-proxy-grpc
$ cd demo-proxy-grpc Enter dev shell (install nix if you haven't done that yet)
$ nix developor if you using direnv and direnv-nix
$ direnv allowCreate setup consisting of public and private network namespaces (and two extra ns simulating internet connections)
prepare.sh -rit will create four network namespaces
$ ip netns ls
public
private
rtr-pub
rtr-priv
verify that you can connect from private namespace to public
$ in_ns.sh private ping -c 1 2.2.2.2but not from public to private
in_ns.sh public ping -c 1 192.168.1.2start proxy server in public ns
in_ns.sh public proxy-server $PROXY_SERVER_CERTS --mode http-connectrun proxy agent in private ns, it will connect to proxy server and create a tunnel which will allow communication from public to private
in_ns.sh private proxy-agent $PROXY_AGENT_CERTS --agent-id demo --proxy-server-host 2.2.2.2run grpc endpoint in private ns
in_ns.sh private endpoint-grpc -a 192.168.1.2 -p 4001and try to reach it from public using proxy server
in_ns.sh public proxy-grpc $PROXY_CLIENT_CERTS --request-host 192.168.1.2 --request-port 4001 --request-client-name demorun tcp endpoint in private ns
in_ns.sh private endpoint-tcp -a 192.168.1.2 -p 8080and try to reach it from public using proxy server
in_ns.sh public proxy-http $PROXY_CLIENT_CERTS --request-endpoint http://192.168.1.2:8080/okrun dnsmasq in private ns to test requesting endpoint by it local dns name
in_ns.sh private dnsmasq -d -q -a 192.168.1.2 --host-record=local-server.svc,192.168.1.2verify it resolves in private ns
in_ns.sh private nslookup local-server.svcbut not in public ns
in_ns.sh public nslookup local-server.svcbecause name resolution happen on agent end it still should be possible to request endpoint by dns name from public ns
in_ns.sh public proxy-http $PROXY_CLIENT_CERTS --request-endpoint http://local-server.svc:8080/okonce you finished you can run cleanup
prepare.sh -c
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent