implement websockets natively

Author: awesomenix

.pipelines/scripts/e2e_run.sh

@@ -94,7 +94,7 @@ rm -f "$temp_file"
 # gotestsum configure to only show logs for failed tests, json file for detailed logs
 # Run the tests! Yey!
 test_exit_code=0
-./bin/gotestsum --format testdox --junitfile "${BUILD_SRC_DIR}/e2e/report.xml" --jsonfile "${BUILD_SRC_DIR}/e2e/test-log.json" -- -parallel 100 -timeout 90m || test_exit_code=$?
+./bin/gotestsum --format standard-verbose --junitfile "${BUILD_SRC_DIR}/e2e/report.xml" --jsonfile "${BUILD_SRC_DIR}/e2e/test-log.json" -- -parallel 150 -timeout 30m || test_exit_code=$?
 
 # Upload test results as Azure DevOps artifacts
 echo "##vso[artifact.upload containerfolder=test-results;artifactname=e2e-test-log]${BUILD_SRC_DIR}/e2e/test-log.json"

e2e/bastionssh.go

@@ -0,0 +1,270 @@
+package e2e
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/coder/websocket"
+	"golang.org/x/crypto/ssh"
+)
+
+type Bastion struct {
+	credential                                 *azidentity.AzureCLICredential
+	subscriptionID, resourceGroupName, dnsName string
+	httpClient                                 *http.Client
+	httpTransport                              *http.Transport
+}
+
+func NewBastion(credential *azidentity.AzureCLICredential, subscriptionID, resourceGroupName, dnsName string) *Bastion {
+	transport := &http.Transport{
+		MaxIdleConns:        100,
+		MaxIdleConnsPerHost: 100,
+		IdleConnTimeout:     30 * time.Second,
+	}
+
+	return &Bastion{
+		credential:        credential,
+		subscriptionID:    subscriptionID,
+		resourceGroupName: resourceGroupName,
+		dnsName:           dnsName,
+		httpTransport:     transport,
+		httpClient: &http.Client{
+			Transport: transport,
+			Timeout:   30 * time.Second,
+		},
+	}
+}
+
+type tunnelSession struct {
+	bastion *Bastion
+	ws      *websocket.Conn
+	session *sessionToken
+}
+
+func (b *Bastion) NewTunnelSession(targetHost string, port uint16) (*tunnelSession, error) {
+	session, err := b.newSessionToken(targetHost, port)
+	if err != nil {
+		return nil, err
+	}
+
+	wsUrl := fmt.Sprintf("wss://%v/webtunnelv2/%v?X-Node-Id=%v", b.dnsName, session.WebsocketToken, session.NodeID)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	ws, _, err := websocket.Dial(ctx, wsUrl, &websocket.DialOptions{
+		CompressionMode: websocket.CompressionDisabled,
+	})
+	cancel()
+	if err != nil {
+		return nil, err
+	}
+
+	ws.SetReadLimit(32 * 1024 * 1024)
+
+	return &tunnelSession{
+		bastion: b,
+		ws:      ws,
+		session: session,
+	}, nil
+}
+
+type sessionToken struct {
+	AuthToken            string   `json:"authToken"`
+	Username             string   `json:"username"`
+	DataSource           string   `json:"dataSource"`
+	NodeID               string   `json:"nodeId"`
+	AvailableDataSources []string `json:"availableDataSources"`
+	WebsocketToken       string   `json:"websocketToken"`
+}
+
+func (t *tunnelSession) Close() error {
+	_ = t.ws.Close(websocket.StatusNormalClosure, "")
+
+	req, err := http.NewRequest("DELETE", fmt.Sprintf("https://%v/api/tokens/%v", t.bastion.dnsName, t.session.AuthToken), nil)
+	if err != nil {
+		return err
+	}
+
+	req.Header.Add("X-Node-Id", t.session.NodeID)
+
+	resp, err := t.bastion.httpClient.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == 404 {
+		return nil
+	}
+
+	if resp.StatusCode != 204 {
+		return fmt.Errorf("unexpected status code: %v", resp.StatusCode)
+	}
+
+	if t.bastion.httpTransport != nil {
+		t.bastion.httpTransport.CloseIdleConnections()
+	}
+
+	return nil
+}
+
+func (b *Bastion) newSessionToken(targetHost string, port uint16) (*sessionToken, error) {
+
+	token, err := b.credential.GetToken(context.Background(), policy.TokenRequestOptions{
+		Scopes: []string{fmt.Sprintf("%s/.default", cloud.AzurePublic.Services[cloud.ResourceManager].Endpoint)},
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	apiUrl := fmt.Sprintf("https://%v/api/tokens", b.dnsName)
+
+	// target_resource_id = f"/subscriptions/{get_subscription_id(cmd.cli_ctx)}/resourceGroups/{resource_group_name}/providers/Microsoft.Network/bh-hostConnect/{target_ip_address}"
+	data := url.Values{}
+	data.Set("resourceId", fmt.Sprintf("/subscriptions/%v/resourceGroups/%v/providers/Microsoft.Network/bh-hostConnect/%v", b.subscriptionID, b.resourceGroupName, targetHost))
+	data.Set("protocol", "tcptunnel")
+	data.Set("workloadHostPort", fmt.Sprintf("%v", port))
+	data.Set("aztoken", token.Token)
+	data.Set("hostname", targetHost)
+
+	req, err := http.NewRequest("POST", apiUrl, strings.NewReader(data.Encode()))
+	if err != nil {
+		return nil, err
+	}
+
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	resp, err := b.httpClient.Do(req) // TODO client settings
+	if err != nil {
+		return nil, err
+	}
+
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		return nil, fmt.Errorf("error creating tunnel: %v", resp.Status)
+	}
+
+	var response sessionToken
+
+	if err := json.NewDecoder(resp.Body).Decode(&response); err != nil {
+		return nil, err
+	}
+
+	return &response, nil
+}
+
+func (t *tunnelSession) Pipe(conn net.Conn) error {
+
+	defer t.Close()
+	defer conn.Close()
+
+	done := make(chan error, 2)
+
+	go func() {
+		for {
+			_, data, err := t.ws.Read(context.Background())
+			if err != nil {
+				done <- err
+				return
+			}
+
+			if _, err := io.Copy(conn, bytes.NewReader(data)); err != nil {
+				done <- err
+				return
+			}
+		}
+	}()
+
+	go func() {
+		buf := make([]byte, 4096) // 4096 is copy from az cli bastion code
+
+		for {
+			n, err := conn.Read(buf)
+			if err != nil {
+				done <- err
+				return
+			}
+
+			if err := t.ws.Write(context.Background(), websocket.MessageBinary, buf[:n]); err != nil {
+				done <- err
+				return
+			}
+		}
+	}()
+
+	return <-done
+}
+
+func sshClientConfig(user string, privateKey []byte) (*ssh.ClientConfig, error) {
+	signer, err := ssh.ParsePrivateKey(privateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ssh.ClientConfig{
+		User: user,
+		Auth: []ssh.AuthMethod{
+			ssh.PublicKeys(signer),
+		},
+		HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
+			return nil
+		}, // same as StrictHostKeyChecking=no
+		Timeout: 5 * time.Second,
+	}, nil
+}
+
+func DialSSHOverBastion(
+	ctx context.Context,
+	bastion *Bastion,
+	vmPrivateIP string,
+	sshPrivateKey []byte,
+) (*ssh.Client, error) {
+
+	// Create Bastion tunnel session (SSH = port 22)
+	tunnel, err := bastion.NewTunnelSession(
+		vmPrivateIP,
+		22,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	// Create in-memory connection pair
+	sshSide, tunnelSide := net.Pipe()
+
+	// Start Bastion tunnel piping
+	go func() {
+		_ = tunnel.Pipe(tunnelSide)
+		fmt.Printf("Closed tunnel for VM IP %s\n", vmPrivateIP)
+	}()
+
+	// SSH client configuration
+	sshConfig, err := sshClientConfig("azureuser", sshPrivateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	// Establish SSH over the Bastion tunnel
+	sshConn, chans, reqs, err := ssh.NewClientConn(
+		sshSide,
+		vmPrivateIP,
+		sshConfig,
+	)
+	if err != nil {
+		sshSide.Close()
+		return nil, err
+	}
+
+	return ssh.NewClient(sshConn, chans, reqs), nil
+}

e2e/cluster.go

@@ -41,7 +41,7 @@ type Cluster struct {
 	ClusterParams   *ClusterParams
 	Maintenance     *armcontainerservice.MaintenanceConfiguration
 	DebugPod        *corev1.Pod
-	Bastion         *armnetwork.BastionHost
+	Bastion         *Bastion
 }
 
 // Returns true if the cluster is configured with Azure CNI
@@ -479,7 +479,7 @@ func createNewMaintenanceConfiguration(ctx context.Context, cluster *armcontaine
 	return &maintenance, nil
 }
 
-func getOrCreateBastion(ctx context.Context, cluster *armcontainerservice.ManagedCluster) (*armnetwork.BastionHost, error) {
+func getOrCreateBastion(ctx context.Context, cluster *armcontainerservice.ManagedCluster) (*Bastion, error) {
 	nodeRG := *cluster.Properties.NodeResourceGroup
 	bastionName := fmt.Sprintf("%s-bastion", *cluster.Name)
 
@@ -491,10 +491,11 @@ func getOrCreateBastion(ctx context.Context, cluster *armcontainerservice.Manage
 	if err != nil {
 		return nil, fmt.Errorf("failed to get bastion %q in rg %q: %w", bastionName, nodeRG, err)
 	}
-	return &existing.BastionHost, nil
+
+	return NewBastion(config.Azure.Credential, config.Config.SubscriptionID, nodeRG, *existing.BastionHost.Properties.DNSName), nil
 }
 
-func createNewBastion(ctx context.Context, cluster *armcontainerservice.ManagedCluster) (*armnetwork.BastionHost, error) {
+func createNewBastion(ctx context.Context, cluster *armcontainerservice.ManagedCluster) (*Bastion, error) {
 	nodeRG := *cluster.Properties.NodeResourceGroup
 	location := *cluster.Location
 	bastionName := fmt.Sprintf("%s-bastion", *cluster.Name)
@@ -565,7 +566,7 @@ func createNewBastion(ctx context.Context, cluster *armcontainerservice.ManagedC
 		return nil, fmt.Errorf("bastion public IP response missing ID")
 	}
 
-	bastion := armnetwork.BastionHost{
+	bastionHost := armnetwork.BastionHost{
 		Location: to.Ptr(location),
 		SKU: &armnetwork.SKU{
 			Name: to.Ptr(armnetwork.BastionHostSKUNameStandard),
@@ -590,7 +591,7 @@ func createNewBastion(ctx context.Context, cluster *armcontainerservice.ManagedC
 	}
 
 	logf(ctx, "creating bastion %s (native client/tunneling enabled) in rg %s", bastionName, nodeRG)
-	bastionPoller, err := config.Azure.BastionHosts.BeginCreateOrUpdate(ctx, nodeRG, bastionName, bastion, nil)
+	bastionPoller, err := config.Azure.BastionHosts.BeginCreateOrUpdate(ctx, nodeRG, bastionName, bastionHost, nil)
 	if err != nil {
 		return nil, fmt.Errorf("failed to start creating bastion: %w", err)
 	}
@@ -599,13 +600,15 @@ func createNewBastion(ctx context.Context, cluster *armcontainerservice.ManagedC
 		return nil, fmt.Errorf("failed to create bastion: %w", err)
 	}
 
-	if err := verifyBastion(ctx, cluster, &resp.BastionHost); err != nil {
+	bastion := NewBastion(config.Azure.Credential, config.Config.SubscriptionID, nodeRG, *resp.BastionHost.Properties.DNSName)
+
+	if err := verifyBastion(ctx, cluster, bastion); err != nil {
 		return nil, fmt.Errorf("failed to verify bastion: %w", err)
 	}
-	return &resp.BastionHost, nil
+	return bastion, nil
 }
 
-func verifyBastion(ctx context.Context, cluster *armcontainerservice.ManagedCluster, bastion *armnetwork.BastionHost) error {
+func verifyBastion(ctx context.Context, cluster *armcontainerservice.ManagedCluster, bastion *Bastion) error {
 	nodeRG := *cluster.Properties.NodeResourceGroup
 	vmssName, err := getSystemPoolVMSSName(ctx, cluster)
 	if err != nil {
@@ -624,23 +627,26 @@ func verifyBastion(ctx context.Context, cluster *armcontainerservice.ManagedClus
 		}
 	}
 
+	vmPrivateIP, err := getPrivateIPFromVMSSVM(ctx, nodeRG, vmssName, *vmssVM.InstanceID)
+
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
-	localPort, pid, err := startBastionTunnel(ctx, *bastion.Name, nodeRG, *vmssVM.ID)
+
+	sshClient, err := DialSSHOverBastion(ctx, bastion, vmPrivateIP, config.SysSSHPrivateKey)
 	if err != nil {
 		return err
 	}
 
-	defer cleanupBastionTunnel(localPort, pid)
+	defer sshClient.Close()
 
-	result, err := runSSHCommandWithPrivateKeyFile(ctx, localPort, "uname -a", config.SysSSHPrivateKey)
+	result, err := runSSHCommandWithPrivateKeyFile(ctx, sshClient, "uname -a")
 	if err != nil {
 		return err
 	}
-	if strings.Contains(result.stdout, *vmssVM.Name) {
+	if strings.Contains(result.stdout, vmssName) {
 		return nil
 	}
-	return fmt.Errorf("Executed ssh on wrong VM: %s", result.stdout)
+	return fmt.Errorf("Executed ssh on wrong VM, Expected %s: %s", vmssName, result.stdout)
 }
 
 func getSystemPoolVMSSName(ctx context.Context, cluster *armcontainerservice.ManagedCluster) (string, error) {

e2e/config/config.go

@@ -145,7 +145,7 @@ func mustLoadConfig() *Configuration {
 	if cfg.SysSSHPrivateKeyB64 == "" {
 		SysSSHPrivateKeyFileName = VMSSHPrivateKeyFileName
 	} else {
-		SysSSHPrivateKey, err := base64.StdEncoding.DecodeString(cfg.SysSSHPrivateKeyB64)
+		SysSSHPrivateKey, err = base64.StdEncoding.DecodeString(cfg.SysSSHPrivateKeyB64)
 		if err != nil {
 			panic(err)
 		}

e2e/config/vhd.go

@@ -323,9 +323,7 @@ func GetRandomLinuxAMD64VHD() *Image {
 	vhds := []*Image{
 		VHDUbuntu2404Gen2Containerd,
 		VHDUbuntu2204Gen2Containerd,
-		VHDAzureLinuxV2Gen2,
 		VHDAzureLinuxV3Gen2,
-		VHDCBLMarinerV2Gen2,
 	}
 
 	// Return a random VHD from the list