add functional options for embedded mode and embedding spicedb

Author: ecordell

README.md

@@ -155,9 +155,7 @@ Embedded mode is designed for programmatic use when embedding the proxy in Go ap
 
 ```go
 // Basic embedded mode setup
-opts := proxy.NewOptions()
-opts.EmbeddedMode = true
-opts.SpiceDBOptions.SpiceDBEndpoint = "embedded://"
+opts := proxy.NewOptions(proxy.WithEmbeddedProxy, proxy.WithEmbeddedSpiceDBEndpoint)
 
 // Complete configuration
 completedConfig, _ := opts.Complete(ctx)

docs/embedding.md

@@ -24,17 +24,15 @@ func main() {
     ctx := context.Background()
 
     // Create options with embedded mode enabled
-    opts := proxy.NewOptions()
-    opts.EmbeddedMode = true
+    opts := proxy.NewOptions(proxy.WithEmbeddedProxy, proxy.WithEmbeddedSpiceDBEndpoint)
 
     // Configure your backend Kubernetes cluster
     opts.RestConfigFunc = func() (*rest.Config, http.RoundTripper, error) {
         // Return your cluster's REST config and transport
         return myClusterConfig, myTransport, nil
     }
 
-    // Configure SpiceDB (can use embedded SpiceDB too)
-    opts.SpiceDBOptions.SpiceDBEndpoint = "embedded://"
+    // SpiceDB is already configured for embedded mode via WithEmbeddedSpiceDBEndpoint
 
     // Set up your authorization rules
     opts.RuleConfigFile = "rules.yaml"
@@ -87,22 +85,43 @@ func createKubernetesClient(embeddedClient *http.Client) *kubernetes.Clientset {
 
 ### Configuration Options
 
-When using embedded mode, you can set these options:
+## Configuration Options
 
+You can configure the proxy with different combinations of embedded options:
+
+### Full Embedded Mode (Proxy + SpiceDB)
 ```go
-opts := proxy.NewOptions()
+// Both proxy and SpiceDB run embedded
+opts := proxy.NewOptions(proxy.WithEmbeddedProxy, proxy.WithEmbeddedSpiceDBEndpoint)
+```
 
-// Enable embedded mode
-opts.EmbeddedMode = true
+### Embedded Proxy with Remote SpiceDB
+```go
+// Proxy runs embedded, but connects to remote SpiceDB
+opts := proxy.NewOptions(proxy.WithEmbeddedProxy)
+opts.SpiceDBOptions.SpiceDBEndpoint = "localhost:50051"
+opts.SpiceDBOptions.SecureSpiceDBTokensBySpace = "your-token"
+```
+
+### Regular Proxy with Embedded SpiceDB
+```go
+// Proxy runs with TLS termination, but uses embedded SpiceDB
+opts := proxy.NewOptions(proxy.WithEmbeddedSpiceDBEndpoint)
+```
+
+### Example Configuration
+```go
+opts := proxy.NewOptions(proxy.WithEmbeddedProxy, proxy.WithEmbeddedSpiceDBEndpoint)
 
 // Backend Kubernetes cluster configuration
 opts.RestConfigFunc = func() (*rest.Config, http.RoundTripper, error) {
     // Your cluster configuration
 }
 
-// SpiceDB configuration (can use embedded SpiceDB)
-opts.SpiceDBOptions.SpiceDBEndpoint = "embedded://"  // or "localhost:50051"
-opts.SpiceDBOptions.SecureSpiceDBTokensBySpace = "your-token"
+// SpiceDB configuration is already set to embedded via WithEmbeddedSpiceDBEndpoint
+// For remote SpiceDB, you would instead use:
+// opts.SpiceDBOptions.SpiceDBEndpoint = "localhost:50051"
+// opts.SpiceDBOptions.SecureSpiceDBTokensBySpace = "your-token"
 
 // Authorization rules
 opts.RuleConfigFile = "path/to/rules.yaml"
@@ -136,8 +155,7 @@ X-Remote-Extra-Team: platform
 **Example with custom headers (programmatic configuration):**
 
 ```go
-opts := proxy.NewOptions()
-opts.EmbeddedMode = true
+opts := proxy.NewOptions(proxy.WithEmbeddedProxy, proxy.WithEmbeddedSpiceDBEndpoint)
 
 // Configure custom header names
 opts.Authentication.Embedded.UsernameHeaders = []string{"Custom-User"}

e2e/e2e_test.go

@@ -118,7 +118,7 @@ var _ = SynchronizedBeforeSuite(func() []byte {
 	Expect(err).To(Succeed())
 	clientCA = GenerateClientCA(port)
 
-	opts := proxy.NewOptions()
+	opts := proxy.NewOptions(proxy.WithEmbeddedSpiceDBEndpoint)
 	opts.RestConfigFunc = func() (*rest.Config, http.RoundTripper, error) {
 		conf, err := clientcmd.NewDefaultClientConfig(*backendCfg, nil).ClientConfig()
 		if err != nil {
@@ -130,7 +130,6 @@ var _ = SynchronizedBeforeSuite(func() []byte {
 	}
 	opts.RuleConfigFile = "rules.yaml"
 	opts.SecureServing.BindPort = port
-	opts.SpiceDBOptions.SpiceDBEndpoint = proxy.EmbeddedSpiceDBEndpoint
 	opts.SecureServing.BindAddress = net.ParseIP("127.0.0.1")
 	opts.Authentication.BuiltInOptions.ClientCert.ClientCA = clientCA.Path()
 

go.mod

@@ -2,6 +2,8 @@ module github.com/authzed/spicedb-kubeapi-proxy
 
 go 1.24.4
 
+tool github.com/ecordell/optgen
+
 require (
 	github.com/authzed/authzed-go v1.4.0
 	github.com/authzed/grpcutil v0.0.0-20240123194739-2ea1e3d2d98b
@@ -78,6 +80,7 @@ require (
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/dalzilio/rudd v1.1.1-0.20230806153452-9e08a6ea8170 // indirect
+	github.com/dave/jennifer v1.6.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/dlmiddlecote/sqlstats v1.0.2 // indirect
@@ -86,6 +89,7 @@ require (
 	github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
 	github.com/fatih/color v1.18.0 // indirect
+	github.com/fatih/structtag v1.2.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect

go.sum

@@ -752,6 +752,8 @@ github.com/cschleiden/go-workflows v0.16.3-0.20230928210702-d72004e1fdf2 h1:N2oz
 github.com/cschleiden/go-workflows v0.16.3-0.20230928210702-d72004e1fdf2/go.mod h1:a2TcOFW/byjgukUjo2DAD/Cuqdj/ISgh/PB39r1bdH8=
 github.com/dalzilio/rudd v1.1.1-0.20230806153452-9e08a6ea8170 h1:bHEN1z3EOO/IXHTQ8ZcmGoW4gTJt+mSrH2Sd458uo0E=
 github.com/dalzilio/rudd v1.1.1-0.20230806153452-9e08a6ea8170/go.mod h1:IxPC4Bdi3WqUwyGBMgLrWWGx67aRtUAZmOZrkIr7qaM=
+github.com/dave/jennifer v1.6.1 h1:T4T/67t6RAA5AIV6+NP8Uk/BIsXgDoqEowgycdQQLuk=
+github.com/dave/jennifer v1.6.1/go.mod h1:nXbxhEmQfOZhWml3D1cDK5M1FLnMSozpbFN/m3RmGZc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -811,6 +813,8 @@ github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
 github.com/fatih/set v0.2.1 h1:nn2CaJyknWE/6txyUDGwysr3G5QC6xWB/PtVjPBbeaA=
 github.com/fatih/set v0.2.1/go.mod h1:+RKtMCH+favT2+3YecHGxcc0b4KyVWA1QWWJUs4E0CI=
+github.com/fatih/structtag v1.2.0 h1:/OdNE99OxoI/PqaW/SuSK9uxxT3f/tcSZgon/ssNSx4=
+github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=

pkg/proxy/authn_test.go

@@ -95,7 +95,7 @@ func runProxyRequest(t testing.TB, ctx context.Context, headers map[string][]str
 		AllowedNames:        []string{"service"},
 	}
 
-	opts := NewOptions()
+	opts := NewOptions(WithEmbeddedSpiceDBEndpoint)
 	opts.RestConfigFunc = func() (*rest.Config, http.RoundTripper, error) {
 		ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			w.Header().Set("Content-Type", "application/json")
@@ -164,7 +164,6 @@ func runProxyRequest(t testing.TB, ctx context.Context, headers map[string][]str
 
 		return rc, transport, nil
 	}
-	opts.SpiceDBOptions.SpiceDBEndpoint = EmbeddedSpiceDBEndpoint
 	opts.SecureServing.ServerCert.CertKey = certStore.servingCertKey
 	opts.SecureServing.BindAddress = net.ParseIP("127.0.0.1")
 	opts.SecureServing.BindPort = port

pkg/proxy/embedded_test.go

@@ -203,10 +203,8 @@ func TestEmbeddedModeDefaults(t *testing.T) {
 	t.Cleanup(cancel)
 
 	// Create embedded proxy with no explicit header configuration to test defaults
-	opts := NewOptions()
-	opts.EmbeddedMode = true
+	opts := NewOptions(WithEmbeddedProxy, WithEmbeddedSpiceDBEndpoint)
 	opts.Authentication.Embedded.Enabled = true
-	opts.SpiceDBOptions.SpiceDBEndpoint = EmbeddedSpiceDBEndpoint
 
 	// Configure mock upstream server
 	opts.RestConfigFunc = func() (*rest.Config, http.RoundTripper, error) {
@@ -403,13 +401,9 @@ func (t *testTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 func createEmbeddedTestOptions(t *testing.T) *Options {
 	t.Helper()
 
-	opts := NewOptions()
-	opts.EmbeddedMode = true
+	opts := NewOptions(WithEmbeddedProxy, WithEmbeddedSpiceDBEndpoint)
 	opts.Authentication.Embedded.Enabled = true
 
-	// Use embedded SpiceDB for testing
-	opts.SpiceDBOptions.SpiceDBEndpoint = EmbeddedSpiceDBEndpoint
-
 	// Configure mock upstream server
 	opts.RestConfigFunc = func() (*rest.Config, http.RoundTripper, error) {
 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

pkg/proxy/options.go

@@ -41,8 +41,6 @@ const (
 	defaultDialerTimeout        = 5 * time.Second
 )
 
-//go:generate go run github.com/ecordell/optgen -output zz_spicedb_options.go . SpiceDBOptions
-
 type Options struct {
 	SecureServing  apiserveroptions.SecureServingOptionsWithLoopback `debugmap:"hidden"`
 	Authentication Authentication                                    `debugmap:"hidden"`
@@ -77,6 +75,7 @@ type Options struct {
 	PermissionsClient v1.PermissionsServiceClient `debugmap:"hidden"`
 }
 
+//go:generate go run github.com/ecordell/optgen -output zz_spicedb_options.go . SpiceDBOptions
 type SpiceDBOptions struct {
 	SpiceDBEndpoint            string                `debugmap:"visible"`
 	EmbeddedSpiceDB            server.RunnableServer `debugmap:"hidden"`
@@ -106,7 +105,9 @@ func (so *SpiceDBOptions) AddFlags(fs *pflag.FlagSet) {
 
 const tlsCertificatePairName = "tls"
 
-func NewOptions() *Options {
+type setOpt func(*Options)
+
+func NewOptions(opts ...setOpt) *Options {
 	o := &Options{
 		SecureServing:  *apiserveroptions.NewSecureServingOptions().WithLoopback(),
 		Authentication: *NewAuthentication(),
@@ -116,9 +117,28 @@ func NewOptions() *Options {
 	o.Logs.Verbosity = logsv1.VerbosityLevel(3)
 	o.SecureServing.BindPort = 443
 	o.SecureServing.ServerCert.PairName = tlsCertificatePairName
+
+	for _, opt := range opts {
+		opt(o)
+	}
+
 	return o
 }
 
+// WithEmbeddedProxy configures the proxy to run in embedded mode.
+// In embedded mode, the proxy runs as an HTTP server without TLS termination,
+// suitable for use behind a load balancer or ingress controller.
+func WithEmbeddedProxy(o *Options) {
+	o.EmbeddedMode = true
+}
+
+// WithEmbeddedSpiceDBEndpoint configures the proxy to use an embedded SpiceDB instance.
+// This creates an in-memory SpiceDB instance that runs within the proxy process.
+// Use this for development, testing, or single-node deployments.
+func WithEmbeddedSpiceDBEndpoint(o *Options) {
+	o.SpiceDBOptions.SpiceDBEndpoint = EmbeddedSpiceDBEndpoint
+}
+
 func (o *Options) FromRESTConfig(restConfig *rest.Config) *Options {
 	o.OverrideUpstream = false
 	o.UseInClusterConfig = false

pkg/proxy/options_test.go

@@ -25,8 +25,7 @@ import (
 func TestKubeConfig(t *testing.T) {
 	defer require.NoError(t, logsv1.ResetForTest(utilfeature.DefaultFeatureGate))
 
-	opts := optionsForTesting(t)
-	opts.SpiceDBOptions.SpiceDBEndpoint = EmbeddedSpiceDBEndpoint
+	opts := optionsForTesting(t, WithEmbeddedSpiceDBEndpoint)
 	require.Empty(t, opts.Validate())
 
 	c, err := opts.Complete(context.Background())
@@ -46,8 +45,7 @@ func TestKubeConfig(t *testing.T) {
 func TestInClusterConfig(t *testing.T) {
 	defer require.NoError(t, logsv1.ResetForTest(utilfeature.DefaultFeatureGate))
 
-	opts := optionsForTesting(t)
-	opts.SpiceDBOptions.SpiceDBEndpoint = EmbeddedSpiceDBEndpoint
+	opts := optionsForTesting(t, WithEmbeddedSpiceDBEndpoint)
 	opts.BackendKubeconfigPath = ""
 	opts.UseInClusterConfig = true
 	require.Empty(t, opts.Validate())
@@ -62,8 +60,7 @@ func TestInClusterConfig(t *testing.T) {
 }
 
 func TestEmbeddedSpiceDB(t *testing.T) {
-	opts := optionsForTesting(t)
-	opts.SpiceDBOptions.SpiceDBEndpoint = EmbeddedSpiceDBEndpoint
+	opts := optionsForTesting(t, WithEmbeddedSpiceDBEndpoint)
 	require.Empty(t, opts.Validate())
 
 	c, err := opts.Complete(context.Background())
@@ -116,8 +113,7 @@ func TestRemoteSpiceDBCerts(t *testing.T) {
 }
 
 func TestRuleConfig(t *testing.T) {
-	opts := optionsForTesting(t)
-	opts.SpiceDBOptions.SpiceDBEndpoint = EmbeddedSpiceDBEndpoint
+	opts := optionsForTesting(t, WithEmbeddedSpiceDBEndpoint)
 	require.Empty(t, opts.Validate())
 
 	c, err := opts.Complete(context.Background())
@@ -139,7 +135,7 @@ func TestRuleConfig(t *testing.T) {
 	errConfigBytes := []byte(`
 apiVersion: authzed.com/v1alpha1
 kind: ProxyRule
-lock: Pessimistic 
+lock: Pessimistic
 match:
 - apiVersion: authzed.com/v1alpha1
   resource: spicedbclusters
@@ -151,26 +147,59 @@ prefilter:
 `)
 	errConfigFile := path.Join(t.TempDir(), "rulesbad.yaml")
 	require.NoError(t, os.WriteFile(errConfigFile, errConfigBytes, 0o600))
-	opts = optionsForTesting(t)
-	opts.SpiceDBOptions.SpiceDBEndpoint = EmbeddedSpiceDBEndpoint
+	opts = optionsForTesting(t, WithEmbeddedSpiceDBEndpoint)
 	opts.RuleConfigFile = errConfigFile
 	require.Empty(t, opts.Validate())
 
 	_, err = opts.Complete(context.Background())
 	require.ErrorContains(t, err, "expected")
 }
 
-func optionsForTesting(t *testing.T) *Options {
+func optionsForTesting(t *testing.T, opts ...setOpt) *Options {
 	t.Helper()
 
 	require.NoError(t, logsv1.ResetForTest(utilfeature.DefaultFeatureGate))
+	options := NewOptions(opts...)
+	options.SecureServing.BindPort = getFreePort(t, "127.0.0.1")
+	options.SecureServing.BindAddress = net.ParseIP("127.0.0.1")
+	options.BackendKubeconfigPath = kubeConfigForTest(t)
+	options.RuleConfigFile = ruleConfigForTest(t)
+	require.Empty(t, options.Validate())
+	return options
+}
+
+func TestWithEmbeddedProxy(t *testing.T) {
+	opts := NewOptions(WithEmbeddedProxy)
+	require.True(t, opts.EmbeddedMode)
+}
+
+func TestWithEmbeddedSpiceDBEndpoint(t *testing.T) {
+	opts := NewOptions(WithEmbeddedSpiceDBEndpoint)
+	require.Equal(t, EmbeddedSpiceDBEndpoint, opts.SpiceDBOptions.SpiceDBEndpoint)
+}
+
+func TestWithBothEmbeddedOptions(t *testing.T) {
+	opts := NewOptions(WithEmbeddedProxy, WithEmbeddedSpiceDBEndpoint)
+	require.True(t, opts.EmbeddedMode)
+	require.Equal(t, EmbeddedSpiceDBEndpoint, opts.SpiceDBOptions.SpiceDBEndpoint)
+}
+
+func TestWithEmbeddedProxyOnly(t *testing.T) {
+	opts := NewOptions(WithEmbeddedProxy)
+	require.True(t, opts.EmbeddedMode)
+	require.NotEqual(t, EmbeddedSpiceDBEndpoint, opts.SpiceDBOptions.SpiceDBEndpoint)
+}
+
+func TestWithEmbeddedSpiceDBEndpointOnly(t *testing.T) {
+	opts := NewOptions(WithEmbeddedSpiceDBEndpoint)
+	require.False(t, opts.EmbeddedMode)
+	require.Equal(t, EmbeddedSpiceDBEndpoint, opts.SpiceDBOptions.SpiceDBEndpoint)
+}
+
+func TestNewOptionsWithoutEmbedded(t *testing.T) {
 	opts := NewOptions()
-	opts.SecureServing.BindPort = getFreePort(t, "127.0.0.1")
-	opts.SecureServing.BindAddress = net.ParseIP("127.0.0.1")
-	opts.BackendKubeconfigPath = kubeConfigForTest(t)
-	opts.RuleConfigFile = ruleConfigForTest(t)
-	require.Empty(t, opts.Validate())
-	return opts
+	require.False(t, opts.EmbeddedMode)
+	require.NotEqual(t, EmbeddedSpiceDBEndpoint, opts.SpiceDBOptions.SpiceDBEndpoint)
 }
 
 func getFreePort(t *testing.T, listenAddr string) int {
@@ -238,10 +267,10 @@ func ruleConfigForTest(t *testing.T) string {
 	configBytes := []byte(`
 apiVersion: authzed.com/v1alpha1
 kind: ProxyRule
-lock: Pessimistic 
+lock: Pessimistic
 match:
 - apiVersion: authzed.com/v1alpha1
-  resource: spicedbclusters 
+  resource: spicedbclusters
   verbs: ["list"]
 prefilter:
 - fromObjectIDNameExpr: "{{request.name}}"