[public-api] Caddy serves gRPC port instead of http

[easyCZ]

Description

For now, we've been serving HTTP to easily show the server runs. But we actually need to serve the gRPC port for the API.

gRPC requires that we know the cert of the server, such that we can establish a TLS connection.

Related Issue(s)

• Part of Deploy a Hello World server as initial Public API  #9229

How to test

The easy way:

1. Open workspace from [public-api] Simple CLI tool to interact with Public API #9588
2. cd components/public-api-server/cmd
3. go run main.go workspace get --address apimp-papi-caddy-grpc.preview.gitpod-dev.com:443
4. Observe it connects and returns Unimplemented - this is the expected response!

The hard way:

• There is no client implemented at this stage yet.
• Fetch the public certificate we use for *.<domain> in preview envs with

kubectl get secret proxy-config-certificates -o yaml | yq '.data.["tls.crt"]' | base64 -d > tls.crt

• Extend the components/public-api-server/integration_test.go with, update pemServerCA path to where you wrote the tls.crt

func loadTLSCredentials() (credentials.TransportCredentials, error) {
	// Load certificate of the CA who signed server's certificate
	// TO TEST: update this path to where you downloaded the cert
	pemServerCA, err := ioutil.ReadFile("/workspace/gitpod/tls.crt")
	if err != nil {
		return nil, err
	}

	certPool := x509.NewCertPool()
	if !certPool.AppendCertsFromPEM(pemServerCA) {
		return nil, fmt.Errorf("failed to add server CA's certificate")
	}

	// Create the credentials and return it
	config := &tls.Config{
		RootCAs: certPool,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		MinVersion:       tls.VersionTLS12,
		MaxVersion:       tls.VersionTLS12,
		NextProtos:       []string{"h2"},
	}

	return credentials.NewTLS(config), nil
}

func TestPublicAPIServer_v1(t *testing.T) {
	ctx := context.Background()
	tlsCredentials, err := loadTLSCredentials()
	require.NoError(t, err)

	addr := "api.mp-papi-caddy-grpc.preview.gitpod-dev.com:443"
	var opts []grpc.DialOption

	opts = append(opts, grpc.WithTransportCredentials(tlsCredentials))

	conn, err := grpc.Dial(addr, opts...)
	require.NoError(t, err)

	workspaceClient := v1.NewWorkspacesServiceClient(conn)

	_, err = workspaceClient.GetWorkspace(ctx, &v1.GetWorkspaceRequest{})
	requireErrorStatusCode(t, codes.Unimplemented, err)
}

Release Notes

NONE

Documentation

NONE

/werft with-vm

[easyCZ]

/werft run with-vm=true

👍 started the job as gitpod-build-mp-papi-caddy-grpc.22
(with .werft/ from main)

[easyCZ]

/werft run with-vm=true with-clean-slate-deployment=true

👍 started the job as gitpod-build-mp-papi-caddy-grpc.27
(with .werft/ from main)

[easyCZ]

/werft run

👍 started the job as gitpod-build-mp-papi-caddy-grpc.31
(with .werft/ from main)

[easyCZ]

/werft run with-vm=true with-clean-slate-deployment=true

👍 started the job as gitpod-build-mp-papi-caddy-grpc.52
(with .werft/ from main)

[easyCZ]

If you want to have a laugh, it took about a week to figure out the right 10 lines (or so) in this PR..

[AlexTugarev]

LGTM!