loft-sh
diff --git a/‎cmd/agent/container/credentials_server.go‎
Lines changed: 18 additions & 3 deletions b/‎cmd/agent/container/credentials_server.go‎
Lines changed: 18 additions & 3 deletions
diff --git a/‎go.mod‎
Lines changed: 1 addition & 0 deletions b/‎go.mod‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎go.sum‎
Lines changed: 80 additions & 4 deletions b/‎go.sum‎
Lines changed: 80 additions & 4 deletions
diff --git a/‎pkg/agent/tunnelserver/client.go‎
Lines changed: 53 additions & 11 deletions b/‎pkg/agent/tunnelserver/client.go‎
Lines changed: 53 additions & 11 deletions
diff --git a/‎pkg/agent/tunnelserver/tunnelserver.go‎
Lines changed: 17 additions & 0 deletions b/‎pkg/agent/tunnelserver/tunnelserver.go‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎pkg/daemon/local/credentials_proxy.go‎
Lines changed: 85 additions & 80 deletions b/‎pkg/daemon/local/credentials_proxy.go‎
Lines changed: 85 additions & 80 deletions
@@ -13,12 +13,14 @@ import (
 	"github.com/loft-sh/devpod/pkg/agent/tunnel"
 	"github.com/loft-sh/devpod/pkg/agent/tunnelserver"
 	"github.com/loft-sh/devpod/pkg/credentials"
+	locald "github.com/loft-sh/devpod/pkg/daemon/local"
 	"github.com/loft-sh/devpod/pkg/dockercredentials"
 	"github.com/loft-sh/devpod/pkg/gitcredentials"
 	"github.com/loft-sh/devpod/pkg/gitsshsigning"
 	"github.com/loft-sh/devpod/pkg/netstat"
 	portpkg "github.com/loft-sh/devpod/pkg/port"
 	"github.com/loft-sh/log"
+	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )
 
@@ -69,10 +71,23 @@ func NewCredentialsServerCmd(flags *flags.GlobalFlags) *cobra.Command {
 
 // Run runs the command logic
 func (cmd *CredentialsServerCmd) Run(ctx context.Context, port int) error {
+	var tunnelClient tunnel.TunnelClient
+	var err error
+	fileLogger := log.NewFileLogger("/tmp/credentials_server_cmd.log", logrus.DebugLevel)
 	// create a grpc client
-	tunnelClient, err := tunnelserver.NewTunnelClient(os.Stdin, os.Stdout, true, ExitCodeIO)
-	if err != nil {
-		return fmt.Errorf("error creating tunnel client: %w", err)
+	// if we have client address, lets use the http client
+	if cmd.Client != "" {
+		// address := ts.EnsureURL(cmd.Client, locald.LocalCredentialsServerPort)
+		tunnelClient, err = tunnelserver.NewHTTPTunnelClient(cmd.Client, fmt.Sprintf("%d", locald.LocalCredentialsServerPort), fileLogger)
+		if err != nil {
+			return fmt.Errorf("error creating tunnel client: %w", err)
+		}
+	} else {
+		// otherwise we fallback to stdio client
+		tunnelClient, err = tunnelserver.NewTunnelClient(os.Stdin, os.Stdout, true, ExitCodeIO)
+		if err != nil {
+			return fmt.Errorf("error creating tunnel client: %w", err)
+		}
 	}
 
 	// this message serves as a ping to the client
 
@@ -41,6 +41,7 @@ require (
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d
 	github.com/moby/buildkit v0.20.1
 	github.com/moby/term v0.5.2
+	github.com/mwitkow/grpc-proxy v0.0.0-20230212185441-f345521cb9c9
 	github.com/onsi/ginkgo/v2 v2.21.0
 	github.com/onsi/gomega v1.35.1
 	github.com/otiai10/copy v1.7.0
 
@@ -2,14 +2,17 @@ package tunnelserver
 
 import (
 	"context"
+	"fmt"
 	"io"
 	"net"
 
 	"github.com/loft-sh/devpod/pkg/agent/tunnel"
 	"github.com/loft-sh/devpod/pkg/daemon/workspace/network"
 	"github.com/loft-sh/devpod/pkg/stdio"
+	"github.com/loft-sh/log"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/resolver"
 )
 
@@ -36,23 +39,62 @@ func NewTunnelClient(reader io.Reader, writer io.WriteCloser, exitOnClose bool,
 	return c, nil
 }
 
-// NewTunnelClient creates a gRPC tunnel client that connects via the Unix domain socket,
-// using the shared dialer from the network package.
-func NewHTTPTunnelClient(_ io.Reader, _ io.WriteCloser, _ bool, _ int) (tunnel.TunnelClient, error) {
-	// After moving from deprecated grpc.Dial to grpc.NewClient we need to setup resolver first
-	// https://github.com/grpc/grpc-go/issues/1786#issuecomment-2119088770
+// NewHTTPTunnelClient creates a new gRPC client that connects via the network proxy.
+func NewHTTPTunnelClient(targetHost string, targetPort string, log log.Logger) (tunnel.TunnelClient, error) {
 	resolver.SetDefaultScheme("passthrough")
+	log.Infof("Starting tunnel client targeting %s:%s via proxy", targetHost, targetPort)
 
-	// Set up a connection to the server.
-	conn, err := grpc.NewClient("",
-		grpc.WithTransportCredentials(insecure.NewCredentials()),
-		grpc.WithContextDialer(network.GetContextDialer()),
+	// Create a unary interceptor to attach the target metadata.
+	unaryInterceptor := func(
+		ctx context.Context,
+		method string,
+		req, reply interface{},
+		cc *grpc.ClientConn,
+		invoker grpc.UnaryInvoker,
+		opts ...grpc.CallOption,
+	) error {
+		md := metadata.New(map[string]string{
+			"x-target-host": targetHost,
+			"x-target-port": targetPort,
+		})
+		// Create a new outgoing context with the metadata attached.
+		ctx = metadata.NewOutgoingContext(ctx, md)
+		log.Debugf("Unary interceptor adding metadata: host=%s, port=%s", targetHost, targetPort)
+		return invoker(ctx, method, req, reply, cc, opts...)
+	}
+
+	streamInterceptor := func(
+		ctx context.Context,
+		desc *grpc.StreamDesc,
+		cc *grpc.ClientConn,
+		method string,
+		streamer grpc.Streamer,
+		opts ...grpc.CallOption,
+	) (grpc.ClientStream, error) {
+		md := metadata.New(map[string]string{
+			"x-target-host": targetHost,
+			"x-target-port": targetPort,
+		})
+		// Create a new outgoing context with the metadata attached.
+		ctx = metadata.NewOutgoingContext(ctx, md)
+		log.Debugf("Stream interceptor adding metadata: host=%s, port=%s", targetHost, targetPort)
+		return streamer(ctx, desc, cc, method, opts...)
+	}
+
+	target := "passthrough:///proxy-socket-target"
+
+	conn, err := grpc.NewClient(target,
+		grpc.WithTransportCredentials(insecure.NewCredentials()), // Connect to proxy socket without TLS
+		grpc.WithContextDialer(network.GetContextDialer()),       // Use our custom dialer
+		grpc.WithUnaryInterceptor(unaryInterceptor),              // Add metadata for unary calls
+		grpc.WithStreamInterceptor(streamInterceptor),            // Add metadata for streaming calls
 	)
 	if err != nil {
-		return nil, err
+		log.Errorf("Failed to create gRPC client connection via proxy: %v", err)
+		return nil, fmt.Errorf("failed to create gRPC client via proxy: %w", err)
 	}
 
+	log.Infof("Successfully connected tunnel client via proxy socket")
 	c := tunnel.NewTunnelClient(conn)
-
 	return c, nil
 }
@@ -6,6 +6,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net"
 	"os"
 	"path/filepath"
@@ -23,13 +24,29 @@ import (
 	"github.com/loft-sh/devpod/pkg/netstat"
 	"github.com/loft-sh/devpod/pkg/platform"
 	provider2 "github.com/loft-sh/devpod/pkg/provider"
+	"github.com/loft-sh/devpod/pkg/stdio"
 	"github.com/loft-sh/log"
 	"github.com/moby/patternmatcher/ignorefile"
 	perrors "github.com/pkg/errors"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/reflection"
 )
 
+// GetListener returns correct listener for services server - either stdio or tcp
+func GetListener(client string, reader io.Reader, writer io.WriteCloser, exitOnClose bool, log log.Logger) (net.Listener, error) {
+	if client == "" {
+		log.Info("GetListener - returning stdio listener")
+		return stdio.NewStdioListener(reader, writer, exitOnClose), nil
+	}
+	log.Info("GetListener - returning tcp listener")
+	listener, err := net.Listen("tcp", ":4795") // FIXME
+	if err != nil {
+		return nil, err
+	}
+
+	return listener, nil
+}
+
 func RunServicesServer(ctx context.Context, lis net.Listener, allowGitCredentials, allowDockerCredentials bool, forwarder netstat.Forwarder, workspace *provider2.Workspace, log log.Logger, options ...Option) error {
 	opts := append(options, []Option{
 		WithForwarder(forwarder),
 
@@ -4,123 +4,128 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
 	"time"
 
 	"github.com/loft-sh/log"
+	"github.com/mwitkow/grpc-proxy/proxy"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
 	"tailscale.com/tsnet"
 )
 
 const (
-	// Listen on this port via tsnet.
-	LocalCredentialsServerPort = 9999 // FIXME - use random prot
-	// Target server: local gRPC server running on port 5555.
-	TargetServer = "http://localhost:5555" // FIXME - get port from request
+	LocalCredentialsServerPort int    = 9999
+	DefaultTargetHost          string = "localhost"
 )
 
-// LocalCredentialsServerProxy acts as a reverse proxy that blindly forwards
-// all incoming traffic to the local gRPC server on port 5555.
 type LocalCredentialsServerProxy struct {
-	log      log.Logger
-	tsServer *tsnet.Server
-
-	ln  net.Listener
-	srv *http.Server
+	log        log.Logger
+	tsServer   *tsnet.Server
+	grpcServer *grpc.Server
+	ln         net.Listener
 }
 
-// NewLocalCredentialsServerProxy initializes a new LocalCredentialsServerProxy.
-func NewLocalCredentialsServerProxy(tsServer *tsnet.Server, log log.Logger) (*LocalCredentialsServerProxy, error) {
+func NewLocalCredentialsServerProxy(tsServer *tsnet.Server, logger log.Logger) (*LocalCredentialsServerProxy, error) {
+	logger.Infof("NewLocalCredentialsServerProxy: initializing local reverse proxy")
+	if tsServer == nil {
+		return nil, fmt.Errorf("tsnet.Server cannot be nil")
+	}
 	return &LocalCredentialsServerProxy{
-		log:      log,
+		log:      logger,
 		tsServer: tsServer,
 	}, nil
 }
 
-// Listen creates the tsnet listener and HTTP server,
-// and registers a catch-all handler that acts as the reverse proxy.
 func (s *LocalCredentialsServerProxy) Listen(ctx context.Context) error {
-	s.log.Info("Starting reverse proxy for local gRPC server")
+	s.log.Infof("LocalCredentialsServerProxy: Starting reverse proxy on tsnet port %d", LocalCredentialsServerPort)
 
-	// Create a tsnet listener.
-	ln, err := s.tsServer.Listen("tcp", fmt.Sprintf(":%d", LocalCredentialsServerPort))
+	listenAddr := fmt.Sprintf(":%d", LocalCredentialsServerPort)
+	ln, err := s.tsServer.Listen("tcp", listenAddr)
 	if err != nil {
-		s.log.Infof("Failed to listen on tsnet port %d: %v", LocalCredentialsServerPort, err)
-		return fmt.Errorf("failed to listen on tsnet port %d: %w", LocalCredentialsServerPort, err)
+		s.log.Errorf("LocalCredentialsServerProxy: Failed to listen on tsnet %s: %v", listenAddr, err)
+		return fmt.Errorf("failed to listen on tsnet %s: %w", listenAddr, err)
 	}
 	s.ln = ln
 
-	mux := http.NewServeMux()
-	mux.HandleFunc("/", s.handleReverseProxy)
+	s.log.Infof("LocalCredentialsServerProxy: tsnet listener started on %s", ln.Addr().String())
 
-	// Create the HTTP server.
-	s.srv = &http.Server{
-		Handler: mux,
-	}
+	director := func(ctx context.Context, fullMethodName string) (context.Context, *grpc.ClientConn, error) {
+		md, ok := metadata.FromIncomingContext(ctx)
+		if !ok {
+			return nil, nil, status.Errorf(codes.InvalidArgument, "missing metadata")
+		}
 
-	go func() {
-		<-ctx.Done()
-		s.log.Info("Context canceled, shutting down reverse proxy")
-		shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-		defer cancel()
-		if err := s.srv.Shutdown(shutdownCtx); err != nil {
-			s.log.Errorf("Error shutting down reverse proxy: %v", err)
+		// Get the target port from metadata. Host is always localhost.
+		targetPorts := md.Get("x-target-port")
+		if len(targetPorts) == 0 {
+			s.log.Error("LocalCredentialsServerProxy: Director missing x-target-port metadata")
+			return nil, nil, status.Errorf(codes.InvalidArgument, "missing x-target-port metadata")
 		}
-	}()
+		// targetPort := targetPorts[0]
+		targetPort := "4795" // FIXME
 
-	s.log.Infof("Reverse proxy listening on tsnet port %d", LocalCredentialsServerPort)
-	err = s.srv.Serve(ln)
-	if err != nil && err != http.ErrServerClosed {
-		s.log.Errorf("Reverse proxy error: %v", err)
-		return err
-	}
+		targetAddr := net.JoinHostPort(DefaultTargetHost, targetPort)
 
-	return nil
-}
+		s.log.Infof("[LocalCredentialsServerProxy] [gRPC] Proxying call %q to target %s", fullMethodName, targetAddr)
 
-// handleReverseProxy forwards every request to the target gRPC server.
-func (s *LocalCredentialsServerProxy) handleReverseProxy(w http.ResponseWriter, r *http.Request) {
-	s.log.Infof("Forwarding request %s %s to target server", r.Method, r.URL.String())
+		conn, err := grpc.DialContext(ctx, targetAddr,
+			grpc.WithTransportCredentials(insecure.NewCredentials()),
+			grpc.WithCodec(proxy.Codec()), // Use proxy codec for transparency
+		)
+		if err != nil {
+			s.log.Errorf("[LocalCredentialsServerProxy] [gRPC] Failed to dial local target backend %s: %v", targetAddr, err)
+			return nil, nil, status.Errorf(codes.Internal, "failed to dial local target backend: %v", err)
+		}
 
-	// Parse the target URL.
-	targetURL, err := url.Parse(TargetServer)
-	if err != nil {
-		s.log.Errorf("Error parsing target URL %s: %v", TargetServer, err)
-		http.Error(w, "Bad Gateway", http.StatusBadGateway)
-		return
+		return ctx, conn, nil
 	}
 
-	// Create the reverse proxy.
-	proxy := httputil.NewSingleHostReverseProxy(targetURL)
+	// Create the gRPC server using the transparent handler.
+	// It will forward any unknown service call based on the director logic.
+	s.grpcServer = grpc.NewServer(
+		grpc.UnknownServiceHandler(proxy.TransparentHandler(director)),
+	)
 
-	// Customize the director to forward the Host header to the target.
-	originalDirector := proxy.Director
-	proxy.Director = func(req *http.Request) {
-		originalDirector(req)
-		req.Host = targetURL.Host
-	}
+	s.log.Infof("LocalCredentialsServerProxy: gRPC reverse proxy configured, starting server on %s", ln.Addr().String())
 
-	// Use an error handler to log any errors that occur.
-	proxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
-		s.log.Errorf("Reverse proxy error: %v", err)
-		http.Error(w, "Bad Gateway", http.StatusBadGateway)
+	if err := s.grpcServer.Serve(s.ln); err != nil {
+		if err.Error() != "grpc: the server has been stopped" {
+			s.log.Errorf("LocalCredentialsServerProxy: failed to serve: %v", err)
+			return fmt.Errorf("gRPC server error: %w", err)
+		} else {
+			s.log.Infof("LocalCredentialsServerProxy: gRPC server stopped gracefully.")
+		}
 	}
-
-	// Forward the request.
-	proxy.ServeHTTP(w, r)
+	return nil
 }
 
-// Close gracefully shuts down the reverse proxy.
-func (s *LocalCredentialsServerProxy) Close() error {
-	s.log.Info("Closing reverse proxy")
-	if s.srv != nil {
-		shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-		defer cancel()
-		if err := s.srv.Shutdown(shutdownCtx); err != nil {
-			s.log.Errorf("Error during reverse proxy shutdown: %v", err)
-			return err
+func (s *LocalCredentialsServerProxy) Stop() {
+	s.log.Info("LocalCredentialsServerProxy: Stopping reverse proxy...")
+	if s.grpcServer != nil {
+		stopped := make(chan struct{})
+		go func() {
+			s.grpcServer.GracefulStop()
+			close(stopped)
+		}()
+
+		select {
+		case <-time.After(10 * time.Second):
+			s.log.Warnf("LocalCredentialsServerProxy: Graceful shutdown timed out after 10 seconds, forcing stop.")
+			s.grpcServer.Stop()
+		case <-stopped:
+			s.log.Infof("LocalCredentialsServerProxy: gRPC server stopped gracefully.")
 		}
 	}
-	return nil
+
+	if s.ln != nil {
+		if err := s.ln.Close(); err != nil {
+			s.log.Errorf("LocalCredentialsServerProxy: Error closing listener: %v", err)
+		} else {
+			s.log.Infof("LocalCredentialsServerProxy: Listener closed.")
+		}
+	}
+	s.log.Info("LocalCredentialsServerProxy: Reverse proxy stopped.")
 }