Proper WebSocket TLS support
Currently, if TLS and WebSockets are enabled, the HTTP/WebSocket server listens for cleartext WebSocket, then unwraps the WebSocket stream into a raw byte stream, and then the gRPC listener tries to decrypt it as if it were TLS. This is simply wrong.
This MR does it the right way: TLS for WebSockets is unwrapped by the listener, then the HTTP server handles WebSockets, then the gRPC server handles the encapsulated gRPC.
Fixes #217.
Tested this locally with GDK, which generated the following config, which I modified a bit to bypass GDK's nginx.
```yaml
agent:
  listen:
    network: "tcp"
    address: "172.16.123.1:8159"
    websocket: true # works fine with false here too
    certificate_file: "/Users/mikhail/src/gitlab-development-kit/gdk.test.pem" # added these two lines
    key_file: "/Users/mikhail/src/gitlab-development-kit/gdk.test-key.pem"
  kubernetes_api:
    listen:
      network: "tcp"
      address: "172.16.123.1:8154"
    url_path_prefix: "/-/k8s-proxy/"
gitlab:
  address: "http://gdk.test:3333"
  authentication_secret_file: "/Users/mikhail/src/gitlab-development-kit/gitlab/.gitlab_kas_secret"
api:
  listen:
    network: "tcp"
    address: "127.0.0.1:8153"
    authentication_secret_file: "/Users/mikhail/src/gitlab-development-kit/gitlab/.gitlab_kas_secret"
redis:
  network: unix
  server:
    address: "/Users/mikhail/src/gitlab-development-kit/redis/redis.socket"
private_api:
  listen:
    network: "tcp"
    address: "127.0.0.1:8155"
    authentication_secret_file: "/Users/mikhail/src/gitlab-development-kit/gitlab/.gitlab_kas_secret"
observability:
  logging:
    level: debug
```
kas was started with `--configuration-file=/Users/mikhail/src/gitlab-development-kit/gitlab-k8s-agent-config.yml`
and agentk was started with `--kas-address=wss://gdk.test:8159/-/kubernetes-agent --token-file=token.txt --context=rancher-desktop --ca-cert-file='/Users/mikhail/src/gitlab-development-kit/gdk.test.pem'`
or `--kas-address=grpcs://gdk.test:8159 --token-file=token.txt --context=rancher-desktop --ca-cert-file='/Users/mikhail/src/gitlab-development-kit/gdk.test.pem'`
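The layering this MR describes, as an added stand-alone Go example that is not part of the MR or of the gitlab-agent code base: a TLS listener terminates TLS exactly once, the HTTP server performs the Upgrade and hands the plaintext stream to a `net.Listener` adapter, and whatever consumes that adapter (here a one-line echo standing in for the gRPC server) never sees TLS. WebSocket framing is omitted and a bare HTTP Upgrade with `Upgrade: websocket` stands in for it; the certificate is self-signed and generated in-process for 127.0.0.1; the request path `/-/kubernetes-agent` is taken from the agentk command line above, and everything else (type and function names, the `ping`/`ok:` exchange) is constructed for the example.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"time"
)

// connListener is both the HTTP handler that performs the Upgrade and the net.Listener the
// gRPC server would Accept() from: every conn it yields is already decrypted by the TLS
// listener and already upgraded by the HTTP server, so the gRPC layer never sees TLS.
type connListener chan net.Conn

func (l connListener) Accept() (net.Conn, error) { return <-l, nil }
func (l connListener) Close() error              { return nil }
func (l connListener) Addr() net.Addr            { return &net.TCPAddr{} } // only used for logging

// ServeHTTP does the HTTP Upgrade and hands the plaintext stream on. Nothing here decrypts.
// WebSocket framing is omitted for brevity; a bare HTTP Upgrade stands in for it.
func (l connListener) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("Upgrade") != "websocket" {
		http.Error(w, "expected Upgrade: websocket", http.StatusUpgradeRequired)
		return
	}
	conn, rw, err := w.(http.Hijacker).Hijack() // HTTP/1.1 ResponseWriters support Hijack
	if err != nil {
		return
	}
	// The client below sends nothing before the 101, so rw.Reader holds no unread bytes; a real implementation wraps conn so buffered bytes are not lost.
	rw.WriteString("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\n")
	if rw.Flush() != nil {
		conn.Close()
		return
	}
	l <- conn
}

// selfSignedCert is throwaway test material for 127.0.0.1, generated in-process.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced above
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// RunExample wires the layers in the order the MR describes (TLS listener -> HTTP server doing the Upgrade -> listener the gRPC server consumes) and drives one round trip.
func RunExample() (string, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return "", err
	}
	raw, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	inner := make(connListener, 1)
	srv := &http.Server{Handler: inner}
	go srv.Serve(tls.NewListener(raw, &tls.Config{Certificates: []tls.Certificate{cert}}))
	defer srv.Close()
	go func() { // stands in for grpc.Server.Serve(inner): one line in, one line out
		c, _ := inner.Accept()
		defer c.Close()
		if line, err := bufio.NewReader(c).ReadString('\n'); err == nil {
			fmt.Fprintf(c, "ok:%s", line)
		}
	}()
	conn, err := tls.Dial("tcp", raw.Addr().String(), &tls.Config{RootCAs: pool}) // client: TLS first
	if err != nil {
		return "", err
	}
	defer conn.Close()
	fmt.Fprint(conn, "GET /-/kubernetes-agent HTTP/1.1\r\nHost: kas\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\n")
	br := bufio.NewReader(conn)
	resp, err := http.ReadResponse(br, nil)
	if err != nil || resp.StatusCode != http.StatusSwitchingProtocols {
		return "", fmt.Errorf("upgrade failed: %v", err)
	}
	fmt.Fprint(conn, "ping\n") // application bytes only after the Upgrade completed
	return br.ReadString('\n') // "ok:ping\n" when every layer is in its place
}
func main() { fmt.Println(RunExample()) }
```

`go run .` prints `ok:ping` and a nil error. The order matters on both sides: the client performs the TLS handshake against the port, then the HTTP Upgrade inside that TLS session, then application bytes inside the upgraded stream, which is exactly what `wss://` means; a server that decrypts at any layer other than the listener cannot talk to such a client. The comment in `ServeHTTP` marks the one shortcut taken: bytes the HTTP server has already buffered in `rw.Reader` when the handler hijacks the connection must be drained into the inner stream in a real implementation.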