feat: use different port for ingress proxy (#783)

Co-authored-by: taskbot <[email protected]>
Co-authored-by: Copilot <[email protected]>

Author: 3 people

cmd/thv/app/inspector.go

@@ -106,7 +106,7 @@ func inspectorCmdFunc(cmd *cobra.Command, args []string) error {
 
 	labelsMap := map[string]string{}
 	labels.AddStandardLabels(labelsMap, "inspector", "inspector", string(types.TransportTypeInspector), inspectorUIPort)
-	_, err = rt.DeployWorkload(
+	_, _, err = rt.DeployWorkload(
 		ctx,
 		processedImage,
 		"inspector",

pkg/container/docker/client.go

@@ -9,6 +9,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"time"
 
@@ -26,6 +27,7 @@ import (
 	"github.com/stacklok/toolhive/pkg/container/runtime"
 	lb "github.com/stacklok/toolhive/pkg/labels"
 	"github.com/stacklok/toolhive/pkg/logger"
+	"github.com/stacklok/toolhive/pkg/networking"
 	"github.com/stacklok/toolhive/pkg/permissions"
 )
 
@@ -320,6 +322,43 @@ func addEgressEnvVars(envVars map[string]string, egressContainerName string) map
 	return envVars
 }
 
+func (c *Client) createIngressContainer(ctx context.Context, containerName string, upstreamPort int, attachStdio bool,
+	externalEndpointsConfig map[string]*network.EndpointSettings) (int, error) {
+	squidPort, err := networking.FindOrUsePort(upstreamPort + 1)
+	if err != nil {
+		return 0, fmt.Errorf("failed to find or use port %d: %v", squidPort, err)
+	}
+	squidExposedPorts := map[string]struct{}{
+		fmt.Sprintf("%d/tcp", squidPort): {},
+	}
+	squidPortBindings := map[string][]runtime.PortBinding{
+		fmt.Sprintf("%d/tcp", squidPort): {
+			{
+				HostIP:   "127.0.0.1",
+				HostPort: fmt.Sprintf("%d", squidPort),
+			},
+		},
+	}
+	ingressContainerName := fmt.Sprintf("%s-ingress", containerName)
+	_, err = createIngressSquidContainer(
+		ctx,
+		c,
+		containerName,
+		ingressContainerName,
+		attachStdio,
+		upstreamPort,
+		squidPort,
+		squidExposedPorts,
+		externalEndpointsConfig,
+		squidPortBindings,
+	)
+	if err != nil {
+		return 0, fmt.Errorf("failed to create ingress container: %v", err)
+	}
+	return squidPort, nil
+
+}
+
 // DeployWorkload creates and starts a workload.
 // It configures the workload based on the provided permission profile and transport type.
 // If options is nil, default options will be used.
@@ -334,11 +373,11 @@ func (c *Client) DeployWorkload(
 	transportType string,
 	options *runtime.DeployWorkloadOptions,
 	isolateNetwork bool,
-) (string, error) {
+) (string, int, error) {
 	// Get permission config from profile
 	permissionConfig, err := c.getPermissionConfigFromProfile(permissionProfile, transportType)
 	if err != nil {
-		return "", fmt.Errorf("failed to get permission config: %w", err)
+		return "", 0, fmt.Errorf("failed to get permission config: %w", err)
 	}
 
 	// Determine if we should attach stdio
@@ -365,7 +404,7 @@ func (c *Client) DeployWorkload(
 		lb.AddNetworkLabels(internalNetworkLabels, networkName)
 		err := c.createNetwork(ctx, networkName, internalNetworkLabels, true)
 		if err != nil {
-			return "", fmt.Errorf("failed to create internal network: %v", err)
+			return "", 0, fmt.Errorf("failed to create internal network: %v", err)
 		}
 
 		// create dns container
@@ -375,26 +414,23 @@ func (c *Client) DeployWorkload(
 			additionalDNS = dnsContainerIP
 		}
 		if err != nil {
-			return "", fmt.Errorf("failed to create dns container: %v", err)
+			return "", 0, fmt.Errorf("failed to create dns container: %v", err)
 		}
 
 		// create egress container
 		egressContainerName := fmt.Sprintf("%s-egress", name)
-		egressExposedPorts := map[string]struct{}{
-			"3128/tcp": {},
-		}
 		_, err = createEgressSquidContainer(
 			ctx,
 			c,
 			name,
 			egressContainerName,
 			attachStdio,
-			egressExposedPorts,
+			nil,
 			externalEndpointsConfig,
 			permissionProfile.Network,
 		)
 		if err != nil {
-			return "", fmt.Errorf("failed to create egress container: %v", err)
+			return "", 0, fmt.Errorf("failed to create egress container: %v", err)
 		}
 
 		envVars = addEgressEnvVars(envVars, egressContainerName)
@@ -418,28 +454,34 @@ func (c *Client) DeployWorkload(
 		isolateNetwork,
 	)
 	if err != nil {
-		return "", fmt.Errorf("failed to create mcp container: %v", err)
+		return "", 0, fmt.Errorf("failed to create mcp container: %v", err)
 	}
 
 	// now create ingress container
+	var firstPort string
+	if len(options.ExposedPorts) == 0 {
+		return "", 0, fmt.Errorf("no exposed ports specified in options.ExposedPorts")
+	}
+	for port := range options.ExposedPorts {
+		firstPort = port
+
+		// need to strip the protocol
+		firstPort = strings.Split(firstPort, "/")[0]
+		break // take only the first one
+	}
+	firstPortInt, err := strconv.Atoi(firstPort)
+	if err != nil {
+		return "", 0, fmt.Errorf("failed to convert port %s to int: %v", firstPort, err)
+	}
+
 	if isolateNetwork {
-		ingressContainerName := fmt.Sprintf("%s-ingress", name)
-		_, err = createIngressSquidContainer(
-			ctx,
-			c,
-			name,
-			ingressContainerName,
-			attachStdio,
-			options.ExposedPorts,
-			externalEndpointsConfig,
-			options.PortBindings,
-		)
+		firstPortInt, err = c.createIngressContainer(ctx, name, firstPortInt, attachStdio, externalEndpointsConfig)
 		if err != nil {
-			return "", fmt.Errorf("failed to create ingress container: %v", err)
+			return "", 0, fmt.Errorf("failed to create ingress container: %v", err)
 		}
 	}
 
-	return containerId, nil
+	return containerId, firstPortInt, nil
 }
 
 // ListWorkloads lists workloads

pkg/container/docker/squid.go

@@ -25,11 +25,13 @@ func createIngressSquidContainer(
 	containerName string,
 	squidContainerName string,
 	attachStdio bool,
+	upstreamPort int,
+	squidPort int,
 	exposedPorts map[string]struct{},
 	endpointsConfig map[string]*network.EndpointSettings,
 	portBindings map[string][]runtime.PortBinding,
 ) (string, error) {
-	squidConfPath, err := createTempIngressSquidConf(containerName, exposedPorts)
+	squidConfPath, err := createTempIngressSquidConf(containerName, upstreamPort, squidPort)
 	if err != nil {
 		return "", fmt.Errorf("failed to create temporary squid.conf: %v", err)
 	}
@@ -259,13 +261,13 @@ func getSquidImage() string {
 
 func createTempIngressSquidConf(
 	serverHostname string,
-	ingressPorts map[string]struct{},
+	upstreamPort int,
+	squidPort int,
 ) (string, error) {
 	var sb strings.Builder
 
 	sb.WriteString(
-		"http_port 3128\n" +
-			"visible_hostname " + serverHostname + "-ingress\n" +
+		"visible_hostname " + serverHostname + "-ingress\n" +
 			"access_log stdio:/var/log/squid/access.log squid\n" +
 			"pid_filename /tmp/squid.pid\n" +
 			"# Disable memory and disk caching\n" +
@@ -277,7 +279,7 @@ func createTempIngressSquidConf(
 			"cache_dir null /tmp\n" +
 			"cache_store_log none\n\n")
 
-	writeIngressProxyConfig(&sb, ingressPorts, serverHostname)
+	writeIngressProxyConfig(&sb, serverHostname, upstreamPort, squidPort)
 	sb.WriteString("http_access deny all\n")
 
 	tmpFile, err := os.CreateTemp("", "squid-*.conf")
@@ -298,19 +300,18 @@ func createTempIngressSquidConf(
 	return tmpFile.Name(), nil
 }
 
-func writeIngressProxyConfig(sb *strings.Builder, ingressPorts map[string]struct{}, serverHostname string) {
-	for port := range ingressPorts {
-		portNum := strings.Split(port, "/")[0]
-		sb.WriteString(
-			"\n# Reverse proxy setup for port " + portNum + "\n" +
-				"http_port " + portNum + " accel defaultsite=" + serverHostname + "\n" +
-				"cache_peer " + serverHostname + " parent " + portNum + " 0 no-query originserver name=origin_" +
-				portNum + " connect-timeout=5 connect-fail-limit=5\n" +
-				"acl site_" + portNum + " dstdomain " + serverHostname + "\n" +
-				"acl local_dst dst 127.0.0.1\n" +
-				"acl local_domain dstdomain localhost\n" +
-				"http_access allow site_" + portNum + "\n" +
-				"http_access allow local_dst\n" +
-				"http_access allow local_domain\n")
-	}
+func writeIngressProxyConfig(sb *strings.Builder, serverHostname string, upstreamPort int, squidPort int) {
+	portNum := strconv.Itoa(upstreamPort)
+	squidPortNum := strconv.Itoa(squidPort)
+	sb.WriteString(
+		"\n# Reverse proxy setup for port " + portNum + "\n" +
+			"http_port 0.0.0.0:" + squidPortNum + " accel defaultsite=" + serverHostname + "\n" +
+			"cache_peer " + serverHostname + " parent " + portNum + " 0 no-query originserver name=origin_" +
+			portNum + " connect-timeout=5 connect-fail-limit=5\n" +
+			"acl site_" + portNum + " dstdomain " + serverHostname + "\n" +
+			"acl local_dst dst 127.0.0.1\n" +
+			"acl local_domain dstdomain localhost\n" +
+			"http_access allow site_" + portNum + "\n" +
+			"http_access allow local_dst\n" +
+			"http_access allow local_domain\n")
 }

pkg/container/kubernetes/client.go

@@ -259,7 +259,7 @@ func (c *Client) DeployWorkload(ctx context.Context,
 	transportType string,
 	options *runtime.DeployWorkloadOptions,
 	_ bool,
-) (string, error) {
+) (string, int, error) {
 	namespace := getCurrentNamespace()
 	containerLabels["app"] = containerName
 	containerLabels["toolhive"] = "true"
@@ -280,7 +280,7 @@ func (c *Client) DeployWorkload(ctx context.Context,
 		var err error
 		podTemplateSpec, err = applyPodTemplatePatch(podTemplateSpec, options.K8sPodTemplatePatch)
 		if err != nil {
-			return "", fmt.Errorf("failed to apply pod template patch: %w", err)
+			return "", 0, fmt.Errorf("failed to apply pod template patch: %w", err)
 		}
 	}
 
@@ -298,7 +298,7 @@ func (c *Client) DeployWorkload(ctx context.Context,
 		options,
 	)
 	if err != nil {
-		return "", err
+		return "", 0, err
 	}
 
 	// Create an apply configuration for the statefulset
@@ -321,7 +321,7 @@ func (c *Client) DeployWorkload(ctx context.Context,
 			Force:        true,
 		})
 	if err != nil {
-		return "", fmt.Errorf("failed to apply statefulset: %v", err)
+		return "", 0, fmt.Errorf("failed to apply statefulset: %v", err)
 	}
 
 	logger.Infof("Applied statefulset %s", createdStatefulSet.Name)
@@ -330,7 +330,7 @@ func (c *Client) DeployWorkload(ctx context.Context,
 		// Create a headless service for SSE transport
 		err := c.createHeadlessService(ctx, containerName, namespace, containerLabels, options)
 		if err != nil {
-			return "", fmt.Errorf("failed to create headless service: %v", err)
+			return "", 0, fmt.Errorf("failed to create headless service: %v", err)
 		}
 	}
 
@@ -341,10 +341,10 @@ func (c *Client) DeployWorkload(ctx context.Context,
 	}
 	err = waitFunc(ctx, c.client, namespace, createdStatefulSet.Name)
 	if err != nil {
-		return createdStatefulSet.Name, fmt.Errorf("statefulset applied but failed to become ready: %w", err)
+		return createdStatefulSet.Name, 0, fmt.Errorf("statefulset applied but failed to become ready: %w", err)
 	}
 
-	return createdStatefulSet.Name, nil
+	return createdStatefulSet.Name, 0, nil
 }
 
 // GetWorkloadInfo implements runtime.Runtime.

pkg/container/kubernetes/client_test.go

@@ -171,7 +171,7 @@ func TestCreateContainerWithPodTemplatePatch(t *testing.T) {
 			options.K8sPodTemplatePatch = tc.k8sPodTemplatePatch
 
 			// Deploy the workload
-			containerID, err := client.DeployWorkload(
+			containerID, _, err := client.DeployWorkload(
 				context.Background(),
 				"test-image",
 				"test-container",
@@ -667,7 +667,7 @@ func TestCreateContainerWithMCP(t *testing.T) {
 			}
 
 			// Deploy the workload
-			containerID, err := client.DeployWorkload(
+			containerID, _, err := client.DeployWorkload(
 				context.Background(),
 				tc.image,
 				"test-container",

pkg/container/runtime/types.go

@@ -81,7 +81,7 @@ type Runtime interface {
 		transportType string,
 		options *DeployWorkloadOptions,
 		isolateNetwork bool,
-	) (string, error)
+	) (string, int, error)
 
 	// ListWorkloads lists all deployed workloads managed by this runtime.
 	// Returns information about each workload including its components,

pkg/runner/config_test.go

@@ -32,8 +32,8 @@ func (*mockRuntime) DeployWorkload(
 	_ string,
 	_ *rt.DeployWorkloadOptions,
 	_ bool,
-) (string, error) {
-	return "container-id", nil
+) (string, int, error) {
+	return "container-id", 8080, nil
 }
 
 func (*mockRuntime) StartContainer(_ context.Context, _ string) error {

pkg/transport/sse.go

@@ -144,7 +144,7 @@ func (t *SSETransport) Setup(ctx context.Context, runtime rt.Runtime, containerN
 
 	// Create the container
 	logger.Infof("Deploying workload %s from image %s...", containerName, image)
-	containerID, err := t.runtime.DeployWorkload(
+	containerID, exposedPort, err := t.runtime.DeployWorkload(
 		ctx,
 		image,
 		containerName,
@@ -169,6 +169,9 @@ func (t *SSETransport) Setup(ctx context.Context, runtime rt.Runtime, containerN
 		t.targetHost = containerOptions.SSEHeadlessServiceName
 	}
 
+	// also override the exposed port, in case we need it via ingress
+	t.targetPort = exposedPort
+
 	return nil
 }
 

pkg/transport/stdio.go

@@ -110,7 +110,7 @@ func (t *StdioTransport) Setup(
 
 	// Create the container
 	logger.Infof("Deploying workload %s from image %s...", containerName, image)
-	containerID, err := t.runtime.DeployWorkload(
+	containerID, _, err := t.runtime.DeployWorkload(
 		ctx,
 		image,
 		containerName,

pkg/workloads/manager.go

@@ -228,6 +228,10 @@ func (*defaultManager) RunWorkloadDetached(runConfig *runner.RunConfig) error {
 		detachedArgs = append(detachedArgs, "--debug")
 	}
 
+	if runConfig.IsolateNetwork {
+		detachedArgs = append(detachedArgs, "--isolate-network")
+	}
+
 	// Use Name if available
 	if runConfig.Name != "" {
 		detachedArgs = append(detachedArgs, "--name", runConfig.Name)