Initial pass on adding proxy peer server and configuration

[dboslee]

This implements the proxy service for peer proxies to connect and dial nodes through.

Closes https://github.com/gravitational/cloud/issues/1305

[russjones]

@dboslee Ping us when this is ready to review.

[NajiObeid]

I think this particular test case does not really represent what happens in the code.
The expected error is the result of the way the test is setup rather than actually be a legitimate error. I've removed it from my client branch as I was reworking the tests a bit after I implemented the equivalent of getConfigForClient on the client side.

[NajiObeid]

https://github.com/gravitational/teleport/pull/10440/files#diff-8668137b10a4a8bf67506307e688582892039b3bd03ac2090b20ad0da9b9a3d1R49-R56

[dboslee]

Not sure I understand the issue. This is specifically testing the server side cert validation. Could we leave this and have a separate test for the client side?

One change I might add is setting the tc.client.InsecureSkipVerify = true to ensure the failure happens server side.

[NajiObeid]

Unless I am seeing this wrong, there's nothing in the code itself that prevents a connection between a client and a server with certs from two different CAs. It is just triggered by the way the test case is implemented.

[dboslee]

The underlying call to ClientHandshake/ServerHandshake should return an error in this case.

[russjones]

@dboslee Is this PR ready for review?

[dboslee]

@dboslee Is this PR ready for review?

Yep, but I did open up this issue for discussion that could lead to the configuration changing slightly.

[rosstimothy]

Suggested change

	wantErr func(*testing.T, error)
	wantErr require.ErrorAssertionFunc

[dboslee]

Will resolve this once we settle on a config format.

[rosstimothy]

Instead of the faux boolean could we do something that is both backward compatible and open to changes in the future?

Suggested change

	ProxyPeering ProxyPeering = 9 [ (gogoproto.jsontag) = "proxy_peering,omitempty" ];
	}
	// ProxyPeeringMode represents the cluster proxy peering mode.
	enum ProxyPeering {
	// Disabled is set if proxy peering is disabled.
	Disabled = 0;
	// Enabled is set if proxy peering is enabled.
	Enabled = 1;
	TunnelDialingStrategy TunnelDialingStrategy = 9 [ (gogoproto.jsontag) = "tunnel_dialing_strategy,omitempty" ];
	}
	// TunnelDialingStrategy
	enum TunnelDialingStrategy {
	// Legacy/WarDialer/Whatever we are calling it
	Legacy = 0;
	// ProxyPeering
	ProxyPeering = 1;
	.....
	// SomeNewMechanism in the future could go here
	SomeNewMechanism = 2;

The naming in the suggestion could use some work - it was meant more to get the suggestion across than be anything concrete.

[dboslee]

Makes sense. I would be curious to hear your thoughts on updating the configuration based on this discussion as well. Basically another configuration we want to add is reversetunnel_count which would be dependent on ProxyPeering being enabled.

It feels a bit wrong but maybe not a big deal for reversetunnel_count to be ignored when TunnelDialingStrategy is not equal to ProxyPeering.

[rosstimothy]

I haven't fully looked into that discussion yet - but as far as allowing each type to have its own config parameters wouldn't that be similar to say how teleport storage configuration can have different parameters based on the type?

  storage:
    type: etcd
    peers: [https://etcd-0.etcd:2379, https://etcd-1.etcd:2379, https://etcd-2.etcd:2379]
    tls_cert_file: /etc/etcd/certs/client-cert.pem
    tls_key_file: /etc/etcd/certs/client-key.pem
    tls_ca_file: /etc/etcd/certs/ca-cert.pem
    prefix: teleport

  storage:
    type: dynamodb
    table_name: tablename
    region: us-east-2

[rosstimothy]

Should this return any errors from streamConn/pipeConn instead of always returning nil?

[dboslee]

Fixed comments on error handling here 39555e5

[rosstimothy]

Do you plan on adding any integration tests or extending the existing reverse tunnel tests to cover both agent mesh and proxy peering?

[rosstimothy]

Does this really need to be wrapped in a function?

Suggested change

	func() {
	defer conn.Close()
	client := proto.NewProxyServiceClient(conn)
	_, err = client.DialNode(context.Background())
	tc.assertErr(t, err)
	}()
	defer conn.Close()
	client := proto.NewProxyServiceClient(conn)
	_, err = client.DialNode(context.Background())
	tc.assertErr(t, err)

[NajiObeid]

@rosstimothy these server tests change a little bit on the client branch

[dboslee]

It made sense when this wasn't wrapped in the t.Run(tc.desc, func(t *testing.T). But agreed not necessary now.

[dboslee]

Do you plan on adding any integration tests or extending the existing reverse tunnel tests to cover both agent mesh and proxy peering?

@rosstimothy I think that will make sense to add in the pr that has the changes for the agent/reverse tunneling.

[pierrebeaucamp]

@rosstimothy / @fspmarshall / @espadolini could we get another review please?

[espadolini]

Suggested change

	func (c *streamConn) Read(b []byte) (n int, err error) {
	c.rLock.Lock()
	func (c *streamConn) Read(b []byte) (n int, err error) {
	if len(b) == 0 {
	return 0, nil
	}
	c.rLock.Lock()

[dboslee]

I would rather let this through that way it will fail if the stream is closed.

[espadolini]

A zero read would still be a noop if we had a non-empty buffer ready.

[rosstimothy]

Can you add some test coverage for this and pipeConn? They seem like pretty fundamental components yet are only indirectly tested through DialNode. Some dedicated unit tests would ensure all the edge cases are taken care of

[dboslee]

I've addressed these comments here a4053ec

[rosstimothy]

Suggested change

	// streamConn wraps a grpc stream with a net.streamConn interface.
	// streamConn wraps a grpc stream with a net.Conn interface.

[rosstimothy]

Suggested change

	// Read reads data reveived over the grpc stream.
	// Read reads data received over the grpc stream.

[rosstimothy]

// CloseSend closes the send direction of the stream. It closes the stream
// when non-nil error is met. It is also not safe to call CloseSend
// concurrently with SendMsg.
https://pkg.go.dev/google.golang.org/grpc#ClientStream

Should we prevent Close and Write from being called concurrently?

[rosstimothy]

Suggested change

	// proxyService impelements the grpc ProxyService.
	// proxyService implements the grpc ProxyService.

[rosstimothy]

Suggested change

	// DialNode opens a bidrectional stream to the requested node.
	// DialNode opens a bidirectional stream to the requested node.

[rosstimothy]

nit: missing godoc

[rosstimothy]

Assertions in spawned goroutines will cause problems due to semantics of t.FailNow. Here and in all other occurrences in this file the data needs to be sent over a channel and asserted on the main goroutine that is running the test

[dboslee]

So I believe using assert fixes this since it calls testing.Errorf and testing.Log under the hood which allows the test to continue and fails at the end. Updated here 7c047ff.

If its preferred to use require I can move all the checks to the the main goroutine but using assert feels a little easier to read/reason about in this case.