Merge pull request #17 from threefoldtech/development_load_balance_gateway

xmonader · web-flow · commit 4465cd7cb17c · 2025-04-07T12:22:48.000+02:00
Development load balance gateway
diff --git a/pkg/gateway/gateway.go b/pkg/gateway/gateway.go
@@ -558,10 +558,9 @@ func (g *gatewayModule) SetNamedProxy(wlID string, config zos.GatewayNameProxy)
 	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
 	defer cancel()
 
-	if len(config.Backends) != 1 {
-		return "", fmt.Errorf("only one backend is supported got '%d'", len(config.Backends))
+	if len(config.Backends) == 0 {
+		return "", fmt.Errorf("at least one backend is needed got '%d'", len(config.Backends))
 	}
-
 	twinID, _, _, err := gridtypes.WorkloadID(wlID).Parts()
 	if err != nil {
 		return "", errors.Wrap(err, "invalid workload id")
@@ -600,10 +599,9 @@ func (g *gatewayModule) SetFQDNProxy(wlID string, config zos.GatewayFQDNProxy) e
 	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
 	defer cancel()
 
-	if len(config.Backends) != 1 {
-		return fmt.Errorf("only one backend is supported got '%d'", len(config.Backends))
+	if len(config.Backends) == 0 {
+		return fmt.Errorf("at least one backend is needed got '%d'", len(config.Backends))
 	}
-
 	cfg, err := g.ensureGateway(ctx, false)
 	if err != nil {
 		return err
@@ -631,14 +629,12 @@ func (g *gatewayModule) setupRouting(ctx context.Context, wlID string, fqdn stri
 	g.domainLock.Lock()
 	defer g.domainLock.Unlock()
 
-	backend := config.Backends[0]
-
-	if err := backend.Valid(config.TLSPassthrough); err != nil {
-		return errors.Wrapf(err, "failed to validate backend '%s'", backend)
+	if err := zos.ValidateBackends(config.Backends, config.TLSPassthrough); err != nil {
+		return err
 	}
 
 	if _, ok := g.getReservedDomain(fqdn); ok {
-		return errors.New("domain already registered")
+		return errors.Errorf("domain already registered: %s", fqdn)
 	}
 
 	if config.Network == nil {
@@ -661,23 +657,28 @@ func (g *gatewayModule) setupRouting(ctx context.Context, wlID string, fqdn stri
 		return errors.Wrap(err, "failed to get user network")
 	}
 	ns := net.Namespace(ctx, netID)
-	backend, err = g.nncEnsure(wlID, ns, config.Backends[0])
-	if err != nil {
-		return errors.Wrap(err, "failed to ensure local gateway")
-	}
 
-	if !config.TLSPassthrough {
-		// if tls passthrough is disabled traefik expecting backend
-		// to be in the format http://<ip>:port
-		backend = zos.Backend(fmt.Sprintf("http://%s", backend))
+	processedBackends := []zos.Backend{}
+	for _, backend := range config.Backends {
+		processedBackend, err := g.nncEnsure(wlID, ns, backend)
+		if err != nil {
+			return errors.Wrap(err, "failed to ensure local gateway")
+		}
+
+		if !config.TLSPassthrough {
+			// Format for non-TLS passthrough
+			processedBackend = zos.Backend(fmt.Sprintf("http://%s", processedBackend))
+		}
+
+		processedBackends = append(processedBackends, processedBackend)
+
 	}
 
-	config.Backends = []zos.Backend{backend}
+	config.Backends = processedBackends
 	return g.setupRoutingGeneric(wlID, fqdn, tlsConfig, config)
 }
 
 func (g *gatewayModule) setupRoutingGeneric(wlID string, fqdn string, tlsConfig TlsConfig, config zos.GatewayBase) error {
-	backend := config.Backends[0]
 	var rule string
 	if config.TLSPassthrough {
 		rule = fmt.Sprintf("HostSNI(`%s`)", fqdn)
@@ -688,11 +689,15 @@ func (g *gatewayModule) setupRoutingGeneric(wlID string, fqdn string, tlsConfig
 		rule = fmt.Sprintf("Host(`%s`)", fqdn)
 	}
 
-	var server Server
-	if config.TLSPassthrough {
-		server = Server{Address: string(backend)}
-	} else {
-		server = Server{Url: string(backend)}
+	servers := []Server{}
+	for _, backend := range config.Backends {
+		var server Server
+		if config.TLSPassthrough {
+			server = Server{Address: string(backend)}
+		} else {
+			server = Server{Url: string(backend)}
+		}
+		servers = append(servers, server)
 	}
 
 	route := fmt.Sprintf("%s-route", wlID)
@@ -709,7 +714,7 @@ func (g *gatewayModule) setupRoutingGeneric(wlID string, fqdn string, tlsConfig
 		Services: map[string]Service{
 			wlID: {
 				LoadBalancer: LoadBalancer{
-					Servers: []Server{server},
+					Servers: servers,
 				},
 			},
 		},
diff --git a/pkg/gateway_light/gateway.go b/pkg/gateway_light/gateway.go
@@ -569,10 +569,9 @@ func (g *gatewayModule) SetNamedProxy(wlID string, config zos.GatewayNameProxy)
 	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
 	defer cancel()
 
-	if len(config.Backends) != 1 {
-		return "", fmt.Errorf("only one backend is supported got '%d'", len(config.Backends))
+	if len(config.Backends) == 0 {
+		return "", fmt.Errorf("at least one backend is needed got '%d'", len(config.Backends))
 	}
-
 	twinID, _, _, err := gridtypes.WorkloadID(wlID).Parts()
 	if err != nil {
 		return "", errors.Wrap(err, "invalid workload id")
@@ -611,10 +610,9 @@ func (g *gatewayModule) SetFQDNProxy(wlID string, config zos.GatewayFQDNProxy) e
 	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
 	defer cancel()
 
-	if len(config.Backends) != 1 {
-		return fmt.Errorf("only one backend is supported got '%d'", len(config.Backends))
+	if len(config.Backends) == 0 {
+		return fmt.Errorf("at least one backend is needed got '%d'", len(config.Backends))
 	}
-
 	domain, err := g.ensureGateway(ctx, false)
 	if err != nil {
 		return err
@@ -642,10 +640,8 @@ func (g *gatewayModule) setupRouting(ctx context.Context, wlID string, fqdn stri
 	g.domainLock.Lock()
 	defer g.domainLock.Unlock()
 
-	backend := config.Backends[0]
-
-	if err := backend.Valid(config.TLSPassthrough); err != nil {
-		return errors.Wrapf(err, "failed to validate backend '%s'", backend)
+	if err := zos.ValidateBackends(config.Backends, config.TLSPassthrough); err != nil {
+		return err
 	}
 
 	if _, ok := g.getReservedDomain(fqdn); ok {
@@ -689,7 +685,6 @@ func (g *gatewayModule) setupRouting(ctx context.Context, wlID string, fqdn stri
 }
 
 func (g *gatewayModule) setupRoutingGeneric(wlID string, fqdn string, tlsConfig TlsConfig, config zos.GatewayBase) error {
-	backend := config.Backends[0]
 	var rule string
 	if config.TLSPassthrough {
 		rule = fmt.Sprintf("HostSNI(`%s`)", fqdn)
@@ -700,11 +695,15 @@ func (g *gatewayModule) setupRoutingGeneric(wlID string, fqdn string, tlsConfig
 		rule = fmt.Sprintf("Host(`%s`)", fqdn)
 	}
 
-	var server Server
-	if config.TLSPassthrough {
-		server = Server{Address: string(backend)}
-	} else {
-		server = Server{Url: string(backend)}
+	servers := []Server{}
+	for _, backend := range config.Backends {
+		var server Server
+		if config.TLSPassthrough {
+			server = Server{Address: string(backend)}
+		} else {
+			server = Server{Url: string(backend)}
+		}
+		servers = append(servers, server)
 	}
 
 	route := fmt.Sprintf("%s-route", wlID)
@@ -721,7 +720,7 @@ func (g *gatewayModule) setupRoutingGeneric(wlID string, fqdn string, tlsConfig
 		Services: map[string]Service{
 			wlID: {
 				LoadBalancer: LoadBalancer{
-					Servers: []Server{server},
+					Servers: servers,
 				},
 			},
 		},
diff --git a/pkg/gridtypes/zos/gw.go b/pkg/gridtypes/zos/gw.go
@@ -8,6 +8,7 @@ import (
 	"net/url"
 	"strconv"
 
+	"github.com/hashicorp/go-multierror"
 	"github.com/pkg/errors"
 	"github.com/threefoldtech/zosbase/pkg/gridtypes"
 )
@@ -44,6 +45,16 @@ func (b Backend) Valid(tlsPassthrough bool) error {
 	return nil
 }
 
+func ValidateBackends(backends []Backend, tlsPassthrough bool) error {
+	var errs error
+	for _, backend := range backends {
+		if err := backend.Valid(tlsPassthrough); err != nil {
+			errs = multierror.Append(errs, errors.Wrapf(err, "failed to validate backend '%s'", backend))
+		}
+	}
+	return errs
+}
+
 func asIpPort(a string) (ip net.IP, port uint16, err error) {
 	h, p, err := net.SplitHostPort(a)
 	if err != nil {
@@ -105,10 +116,6 @@ func (g GatewayBase) Valid(getter gridtypes.WorkloadGetter) error {
 		return fmt.Errorf("backends list can not be empty")
 	}
 
-	if len(g.Backends) != 1 {
-		return fmt.Errorf("only one backend is supported")
-	}
-
 	for _, backend := range g.Backends {
 		if err := backend.Valid(g.TLSPassthrough); err != nil {
 			return errors.Wrapf(err, "failed to validate backend '%s'", backend)
diff --git a/pkg/gridtypes/zos/gw_test.go b/pkg/gridtypes/zos/gw_test.go
@@ -3,6 +3,7 @@ package zos
 import (
 	"testing"
 
+	"github.com/hashicorp/go-multierror"
 	"github.com/stretchr/testify/require"
 )
 
@@ -159,3 +160,111 @@ func TestValidBackendIP6(t *testing.T) {
 		require.Error(err)
 	})
 }
+
+func TestValidateBackends(t *testing.T) {
+	require := require.New(t)
+
+	t.Run("empty backends", func(t *testing.T) {
+		backends := []Backend{
+			"",
+		}
+		err := ValidateBackends(backends, true)
+		require.Error(err)
+
+		err = ValidateBackends(backends, false)
+		require.Error(err)
+	})
+
+	t.Run("all valid backends with tlsPassthrough=true", func(t *testing.T) {
+		backends := []Backend{
+			"1.1.1.1:80",
+			"2.2.2.2:443",
+			"[2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF]:8080",
+		}
+		err := ValidateBackends(backends, true)
+		require.NoError(err)
+	})
+
+	t.Run("all valid backends with tlsPassthrough=false", func(t *testing.T) {
+		backends := []Backend{
+			"http://1.1.1.1",
+			"http://2.2.2.2:443",
+			"http://[2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF]",
+		}
+		err := ValidateBackends(backends, false)
+		require.NoError(err)
+	})
+
+	t.Run("mixed valid and invalid backends with tlsPassthrough=true", func(t *testing.T) {
+		backends := []Backend{
+			"1.1.1.1:80",
+			"http://2.2.2.2:443", // invalid (should be IP:port without http://)
+			"2.2.2.2",            // invalid (missing port)
+			"3.3.3.3:port",       // invalid (non-numeric port)
+			"127.0.0.1:8080",
+			"[::1]:8080",
+			"[2001:db8::1]:8080",
+			"2001:db8::1:8080", // invalid (wrong IPv6 format)
+		}
+		err := ValidateBackends(backends, true)
+		require.Error(err)
+		merr, ok := err.(*multierror.Error)
+		require.True(ok)
+		require.Equal(4, len(merr.Errors))
+	})
+
+	t.Run("mixed valid and invalid backends with tlsPassthrough=false", func(t *testing.T) {
+		backends := []Backend{
+			"http://1.1.1.1",
+			"1.1.1.1:80", // invalid (needs http://)
+			"http://2.2.2.2:443",
+			"https://3.3.3.3",  // invalid (wrong scheme)
+			"http://localhost", // invalid (loopback)
+			"http://127.0.0.1", // invalid (loopback)
+			"http://[::1]",     // invalid (loopback)
+			"http://[2001:db8::1]:8080",
+		}
+		err := ValidateBackends(backends, false)
+		require.Error(err)
+		merr, ok := err.(*multierror.Error)
+		require.True(ok)
+		require.Equal(5, len(merr.Errors))
+	})
+
+	t.Run("scheme mismatch using https", func(t *testing.T) {
+		backends := []Backend{
+			"https://1.1.1.1",
+		}
+		err := ValidateBackends(backends, false)
+		require.Error(err)
+	})
+
+	t.Run("scheme mismatch using http with tlsPassthrough=true", func(t *testing.T) {
+		backends := []Backend{
+			"http://1.1.1.1:80",
+		}
+		err := ValidateBackends(backends, true)
+		require.Error(err)
+	})
+
+	t.Run("invalid backends", func(t *testing.T) {
+		backends := []Backend{
+			"invalid",
+			"1.1.1.1:port",
+			"http://invalid",
+			"ftp://1.1.1.1",
+		}
+
+		err := ValidateBackends(backends, true)
+		require.Error(err)
+		merr, ok := err.(*multierror.Error)
+		require.True(ok)
+		require.Equal(4, len(merr.Errors))
+
+		err = ValidateBackends(backends, false)
+		require.Error(err)
+		merr, ok = err.(*multierror.Error)
+		require.True(ok)
+		require.Equal(4, len(merr.Errors))
+	})
+}
