embeddable inmemory transport

Author: ecordell

docs/embedding.md

@@ -0,0 +1,146 @@
+# Embedding
+
+The SpiceDB KubeAPI Proxy supports an embedded mode that allows you to integrate the proxy directly into your application without requiring TLS certificates or binding to network ports. Under the hood, it uses the [`pkg/inmemory`](./pkg/inmemory/) transport package for zero-overhead HTTP communication.
+
+## Usage
+
+### Basic Setup
+
+```go
+package main
+
+import (
+    "context"
+    "net/http"
+
+    "k8s.io/client-go/kubernetes"
+    "k8s.io/client-go/rest"
+
+    "github.com/authzed/spicedb-kubeapi-proxy/pkg/proxy"
+)
+
+func main() {
+    ctx := context.Background()
+
+    // Create options with embedded mode enabled
+    opts := proxy.NewOptions()
+    opts.EmbeddedMode = true
+
+    // Configure your backend Kubernetes cluster
+    opts.RestConfigFunc = func() (*rest.Config, http.RoundTripper, error) {
+        // Return your cluster's REST config and transport
+        return myClusterConfig, myTransport, nil
+    }
+
+    // Configure SpiceDB (can use embedded SpiceDB too)
+    opts.SpiceDBOptions.SpiceDBEndpoint = "embedded://"
+
+    // Set up your authorization rules
+    opts.RuleConfigFile = "rules.yaml"
+
+    // Complete configuration
+    if err := opts.Complete(ctx); err != nil {
+        panic(err)
+    }
+
+    // Create the proxy server
+    proxySrv, err := proxy.NewServer(ctx, *opts)
+    if err != nil {
+        panic(err)
+    }
+
+    // Get an HTTP client that connects directly to the embedded proxy
+    embeddedClient := proxySrv.GetEmbeddedClient()
+
+    // Create a Kubernetes client that uses the embedded proxy
+    k8sClient := createKubernetesClient(embeddedClient, "my-user", []string{"my-group"})
+
+    // Use the client normally - all requests go through SpiceDB authorization
+    pods, err := k8sClient.CoreV1().Pods("default").List(ctx, metav1.ListOptions{})
+    if err != nil {
+        panic(err)
+    }
+
+    fmt.Printf("Found %d pods\n", len(pods.Items))
+}
+
+func createKubernetesClient(embeddedClient *http.Client, username string, groups []string) *kubernetes.Clientset {
+    restConfig := &rest.Config{
+        Host:      "http://embedded", // Special URL for embedded mode
+        Transport: embeddedClient.Transport,
+    }
+
+    // Add authentication headers
+    restConfig.WrapTransport = func(rt http.RoundTripper) http.RoundTripper {
+        return &authTransport{
+            username: username,
+            groups:   groups,
+            rt:       rt,
+        }
+    }
+
+    k8sClient, err := kubernetes.NewForConfig(restConfig)
+    if err != nil {
+        panic(err)
+    }
+
+    return k8sClient
+}
+
+type authTransport struct {
+    username string
+    groups   []string
+    rt       http.RoundTripper
+}
+
+func (t *authTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+    // Add authentication headers that embedded mode recognizes
+    req.Header.Set("X-Remote-User", t.username)
+    for _, group := range t.groups {
+        req.Header.Add("X-Remote-Group", group)
+    }
+    return t.rt.RoundTrip(req)
+}
+```
+
+### Configuration Options
+
+When using embedded mode, you can set these options:
+
+```go
+opts := proxy.NewOptions()
+
+// Enable embedded mode
+opts.EmbeddedMode = true
+
+// Backend Kubernetes cluster configuration
+opts.RestConfigFunc = func() (*rest.Config, http.RoundTripper, error) {
+    // Your cluster configuration
+}
+
+// SpiceDB configuration (can use embedded SpiceDB)
+opts.SpiceDBOptions.SpiceDBEndpoint = "embedded://"  // or "localhost:50051"
+opts.SpiceDBOptions.SecureSpiceDBTokensBySpace = "your-token"
+
+// Authorization rules
+opts.RuleConfigFile = "path/to/rules.yaml"
+```
+
+### Authentication Headers
+
+In embedded mode, authentication is handled via HTTP headers:
+
+- `X-Remote-User`: The username (required)
+- `X-Remote-Group`: Group membership (can be specified multiple times)
+- `X-Remote-Extra-*`: Extra user attributes (e.g., `X-Remote-Extra-Department: engineering`)
+
+Example:
+```
+X-Remote-User: alice
+X-Remote-Group: developers
+X-Remote-Group: admin
+X-Remote-Extra-Department: engineering
+X-Remote-Extra-Team: platform
+```
+
+This is similar to kube's request header auth mode, but client cert configuration is not required (the requests are trusted because the server is embedded).

pkg/inmemory/README.md

@@ -0,0 +1,140 @@
+# In-Memory HTTP Transport
+
+_note: written as if it will be split into its own package_
+
+A high-performance, zero-network-overhead HTTP transport implementation that bypasses the network layer entirely by calling handlers directly using lazy evaluation.
+
+## Overview
+
+The `inmemory` package provides an `http.RoundTripper` implementation that directly invokes HTTP handlers in memory, eliminating all network serialization, parsing, and connection overhead. This is ideal for embedded http services or testing and development environments.
+
+## Quick Start
+
+```go
+package main
+
+import (
+    "fmt"
+    "io"
+    "net/http"
+
+    "github.com/authzed/spicedb-kubeapi-proxy/pkg/inmemory"
+)
+
+func main() {
+    // Create your HTTP handler
+    handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        w.Header().Set("Content-Type", "application/json")
+        w.WriteHeader(http.StatusOK)
+        w.Write([]byte(`{"message": "Hello, World!"}`))
+    })
+
+    // Create an HTTP client with in-memory transport
+    client := inmemory.NewClient(handler)
+
+    // Make requests - no network involved!
+    resp, err := client.Get("http://api.example.com/hello")
+    if err != nil {
+        panic(err)
+    }
+    defer resp.Body.Close()
+
+    // Headers and status are available after reading the body
+    io.Copy(io.Discard, resp.Body) // Triggers handler execution
+    fmt.Printf("Status: %d\n", resp.StatusCode)
+    fmt.Printf("Content-Type: %s\n", resp.Header.Get("Content-Type"))
+}
+```
+
+## API Reference
+
+### `New(handler http.Handler) *Transport`
+
+Creates a new in-memory transport that will invoke the provided handler directly.
+
+```go
+transport := inmemory.New(myHandler)
+client := &http.Client{Transport: transport}
+```
+
+### `NewClient(handler http.Handler) *http.Client`
+
+Convenience function that creates an HTTP client with an in-memory transport.
+
+```go
+client := inmemory.NewClient(myHandler)
+```
+
+### Lazy Execution
+
+The transport uses lazy evaluation - the handler is executed only when the response body is read:
+
+```go
+resp, _ := client.Get("http://example.com/")
+// Handler not executed yet, headers/status not available
+
+// Reading body triggers execution
+body, _ := io.ReadAll(resp.Body) 
+// Now headers and status are available
+
+// Or manually trigger execution without reading body
+if lazyBody, ok := resp.Body.(*inmemory.LazyResponseBody); ok {
+    lazyBody.TriggerExecution() // Execute handler without reading body
+    // Headers and status now available
+}
+```
+
+## Examples
+
+### Basic Usage
+
+```go
+handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+    w.WriteHeader(http.StatusOK)
+    w.Write([]byte("Hello!"))
+})
+
+client := inmemory.NewClient(handler)
+resp, _ := client.Get("http://example.com/")
+io.ReadAll(resp.Body) // Triggers execution
+// Response contains "Hello!" with status 200
+```
+
+### With Request Bodies
+
+```go
+handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+    body, _ := io.ReadAll(r.Body)
+    w.Write([]byte(fmt.Sprintf("Echo: %s", body)))
+})
+
+client := inmemory.NewClient(handler)
+resp, _ := client.Post("http://example.com/echo", "text/plain",
+    strings.NewReader("test data"))
+io.ReadAll(resp.Body) // Triggers execution
+// Response contains "Echo: test data"
+```
+
+### Complex Handler
+
+```go
+mux := http.NewServeMux()
+mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
+    w.WriteHeader(http.StatusOK)
+    w.Write([]byte("healthy"))
+})
+mux.HandleFunc("/api/users", func(w http.ResponseWriter, r *http.Request) {
+    w.Header().Set("Content-Type", "application/json")
+    w.Write([]byte(`[{"id": 1, "name": "Alice"}]`))
+})
+
+client := inmemory.NewClient(mux)
+
+// Both endpoints work normally
+healthResp, _ := client.Get("http://api.com/health")
+usersResp, _ := client.Get("http://api.com/api/users")
+
+// Read responses to trigger execution
+io.ReadAll(healthResp.Body)
+io.ReadAll(usersResp.Body)
+```