commit f6ad298e24e22c1fadb203d85f8b8dd6cb118e25
author gio <gio@v1.dodo.cloud> Fri Aug 23 17:42:49 2024 +0400
committer gio <gio@v1.dodo.cloud> Fri Sep 20 14:19:48 2024 +0000
tree ec764428f186cf879085d6956b20d315434408aa
parent 4a3e54c86c05e4881105f7aced6f039a383ed5a1

ClusterManager: Implements support of remote clusters.

After this change users will be able to:
* Create cluster and add/remove servers to it
* Install apps on remote cluster
* Move already installed apps between clusters
* Apps running on server being removed will auto-migrate
  to another server from that same cluster

This is achieved by:
* Installing and running minimal version of dodo on remote cluster
* Ingress-nginx is installed automatically on new clusters
* Next to nginx we run VPN client in the same pod, so that
  default cluster can establish secure communication with it
* Multiple reverse proxies are configured to get to the
  remote cluster service from ingress installed on default cluster.

Next steps:
* Support remote clusters in dodo apps (prototype ready)
* Clean up old cluster when moving app to the new one. Currently
  old cluster keeps running app pods even though no ingress can
  reach it anymore.

Change-Id: Iffc908c93416d4126a8e1c2832eae7b659cb8044

core/headscale/client.go

diff --git a/core/headscale/client.go b/core/headscale/client.go
index 18c37df..159fffb 100644
--- a/core/headscale/client.go
+++ b/core/headscale/client.go
@@ -5,12 +5,14 @@
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net"
 	"os/exec"
 	"strconv"
 	"strings"
 )
 
 var ErrorAlreadyExists = errors.New("already exists")
+var ErrorNotFound = errors.New("not found")
 
 type client struct {
 	config string
@@ -89,8 +91,9 @@
 }
 
 type nodeInfo struct {
-	Id   int    `json:"id"`
-	Name string `json:"name"`
+	Id          int      `json:"id"`
+	Name        string   `json:"name"`
+	IPAddresses []net.IP `json:"ip_addresses"`
 }
 
 func (c *client) getNodeId(user, node string) (string, error) {
@@ -111,6 +114,24 @@
 	return "", fmt.Errorf("not found")
 }
 
+func (c *client) getNodeAddresses(user, node string) ([]net.IP, error) {
+	cmd := exec.Command("headscale", c.config, "--user", user, "node", "list", "-o", "json")
+	out, err := cmd.Output()
+	if err != nil {
+		return nil, err
+	}
+	var nodes []nodeInfo
+	if err := json.NewDecoder(bytes.NewReader(out)).Decode(&nodes); err != nil {
+		return nil, err
+	}
+	for _, n := range nodes {
+		if n.Name == node {
+			return n.IPAddresses, nil
+		}
+	}
+	return nil, ErrorNotFound
+}
+
 func extractLastLine(s string) (string, error) {
 	items := strings.Split(s, "\n")
 	for i := len(items) - 1; i >= 0; i-- {

core/headscale/main.go

diff --git a/core/headscale/main.go b/core/headscale/main.go
index 698d9d2..194da06 100644
--- a/core/headscale/main.go
+++ b/core/headscale/main.go
@@ -39,6 +39,11 @@
     },
   },
   "acls": [
+    // {
+    //   "action": "accept",
+    //   "src": ["10.42.0.0/16", "10.43.0.0/16", "135.181.48.180/32", "65.108.39.172/32"],
+    //   "dst": ["10.42.0.0/16:*", "10.43.0.0/16:*", "135.181.48.180/32:*", "65.108.39.172/32:*"],
+    // },
     {{- range .cidrs }}
     { // Everyone has passthough access to private-network-proxy node
       "action": "accept",
@@ -46,8 +51,18 @@
       "dst": ["{{ . }}:*", "private-network-proxy:0"],
     },
     {{- end }}
+    { // Everyone has access to every port of nodes owned by private-network-proxy
+      "action": "accept",
+      "src": ["*"],
+      "dst": ["private-network-proxy:*"],
+    },
+    {
+      "action": "accept",
+      "src": ["private-network-proxy"],
+      "dst": ["private-network-proxy:*"],
+    },
     {{- range .users }}
-    { // Everyone has passthough access to private-network-proxy node
+    {
       "action": "accept",
       "src": ["{{ . }}"],
       "dst": ["{{ . }}:*"],
@@ -90,6 +105,7 @@
 	r.HandleFunc("/user/{user}/preauthkey", s.createReusablePreAuthKey).Methods(http.MethodPost)
 	r.HandleFunc("/user/{user}/preauthkey", s.expireReusablePreAuthKey).Methods(http.MethodDelete)
 	r.HandleFunc("/user/{user}/node/{node}/expire", s.expireUserNode).Methods(http.MethodPost)
+	r.HandleFunc("/user/{user}/node/{node}/ip", s.getNodeIP).Methods(http.MethodGet)
 	r.HandleFunc("/user/{user}/node/{node}", s.removeUserNode).Methods(http.MethodDelete)
 	r.HandleFunc("/user", s.createUser).Methods(http.MethodPost)
 	r.HandleFunc("/routes/{id}/enable", s.enableRoute).Methods(http.MethodPost)
@@ -247,6 +263,33 @@
 	}
 }
 
+func (s *server) getNodeIP(w http.ResponseWriter, r *http.Request) {
+	user, ok := mux.Vars(r)["user"]
+	if !ok || user == "" {
+		http.Error(w, "no user", http.StatusBadRequest)
+		return
+	}
+	node, ok := mux.Vars(r)["node"]
+	if !ok || node == "" {
+		http.Error(w, "no name", http.StatusBadRequest)
+		return
+	}
+	addr, err := s.client.getNodeAddresses(user, node)
+	if err != nil {
+		if errors.Is(err, ErrorNotFound) {
+			http.Error(w, err.Error(), http.StatusNotFound)
+		} else {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+		}
+		return
+	}
+	if len(addr) == 0 || addr[0] == nil {
+		http.Error(w, "no address", http.StatusPreconditionFailed)
+		return
+	}
+	fmt.Fprintf(w, "%s", addr[0].String())
+}
+
 func updateACLs(aclsPath string, cidrs []string, users []string) ([]byte, error) {
 	tmpl, err := template.New("acls").Parse(defaultACLs)
 	if err != nil {