feat(network): add egress tunneling #10
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Enabled `ssh -R` for tunneling from the cluster to the local host. This introduces a bunch of weirdness around "how does the cluster contact the server". - Moved `stream` to `tunnel` and `direct` to `ingress`. This is closer to what it is actually doing, especially because I didn't understand the difference between direct/forward/tcpip. - Added feature flags. Now, what features are enabled can be configured at runtime. This allows any incoming requests to be short-circuited if they'd never work or shouldn't be supported. - Made `Authenticate` return an identity (that has been authenticated) instead of a client. It is weird to have `Identity::authenticate` return an identity, but it makes more sense for `Key`. - Moved `Identity` into `State::Authenticated`. This was primarily to get the user's identity on the created `Egress` tunnel but likely makes more sense anyways as you end up creating a new client all the time as it is. Unfortunately, the `Controller` is still required to create that client - they can't be minted fresh from an Identity.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ssh -Rfor tunneling from the cluster to the local host. This introduces a bunch of weirdness around "how does the cluster contact the server".streamtotunnelanddirecttoingress. This is closer to what it is actually doing, especially because I didn't understand the difference between direct/forward/tcpip.Authenticatereturn an identity (that has been authenticated) instead of a client. It is weird to haveIdentity::authenticatereturn an identity, but it makes more sense forKey.IdentityintoState::Authenticated. This was primarily to get the user's identity on the createdEgresstunnel but likely makes more sense anyways as you end up creating a new client all the time as it is. Unfortunately, theControlleris still required to create that client - they can't be minted fresh from an Identity.