feat: add debug server for tailnet coordinators (#5861)

coadler · web-flow · commit 1cd5f38cb0bf · 2023-01-25T21:27:36.000Z
Implements a Tailscale-like debug server for our in-memory coordinator. This should provide some visibility into why connections could be failing. Resolves: #5845 ![image](https://user-images.githubusercontent.com/6332295/214680832-2724d633-2d54-44d6-a7ce-5841e5824ee5.png)
diff --git a/agent/agent_test.go b/agent/agent_test.go
@@ -1193,7 +1193,7 @@ func (c *client) ListenWorkspaceAgent(_ context.Context) (net.Conn, error) {
 	}
 	c.t.Cleanup(c.lastWorkspaceAgent)
 	go func() {
-		_ = c.coordinator.ServeAgent(serverConn, c.agentID)
+		_ = c.coordinator.ServeAgent(serverConn, c.agentID, "")
 		close(closed)
 	}()
 	return clientConn, nil
diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -613,6 +613,25 @@ func New(options *Options) *API {
 				r.Get("/", api.workspaceApplicationAuth)
 			})
 		})
+
+		r.Route("/debug", func(r chi.Router) {
+			r.Use(
+				apiKeyMiddleware,
+				// Ensure only owners can access debug endpoints.
+				func(next http.Handler) http.Handler {
+					return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+						if !api.Authorize(r, rbac.ActionRead, rbac.ResourceDebugInfo) {
+							httpapi.ResourceNotFound(rw)
+							return
+						}
+
+						next.ServeHTTP(rw, r)
+					})
+				},
+			)
+
+			r.Get("/coordinator", api.debugCoordinator)
+		})
 	})
 
 	if options.SwaggerEndpoint {
diff --git a/coderd/coderdtest/authorize.go b/coderd/coderdtest/authorize.go
@@ -272,6 +272,11 @@ func AGPLRoutes(a *AuthTester) (map[string]string, map[string]RouteCheck) {
 			AssertAction: rbac.ActionRead,
 			AssertObject: rbac.ResourceTemplate,
 		},
+
+		"GET:/api/v2/debug/coordinator": {
+			AssertAction: rbac.ActionRead,
+			AssertObject: rbac.ResourceDebugInfo,
+		},
 	}
 
 	// Routes like proxy routes support all HTTP methods. A helper func to expand
diff --git a/coderd/coderdtest/swaggerparser.go b/coderd/coderdtest/swaggerparser.go
@@ -327,7 +327,7 @@ func assertAccept(t *testing.T, comment SwaggerComment) {
 	}
 }
 
-var allowedProduceTypes = []string{"json", "text/event-stream"}
+var allowedProduceTypes = []string{"json", "text/event-stream", "text/html"}
 
 func assertProduce(t *testing.T, comment SwaggerComment) {
 	var hasResponseModel bool
@@ -344,7 +344,8 @@ func assertProduce(t *testing.T, comment SwaggerComment) {
 	} else {
 		if (comment.router == "/workspaceagents/me/app-health" && comment.method == "post") ||
 			(comment.router == "/workspaceagents/me/version" && comment.method == "post") ||
-			(comment.router == "/licenses/{id}" && comment.method == "delete") {
+			(comment.router == "/licenses/{id}" && comment.method == "delete") ||
+			(comment.router == "/debug/coordinator" && comment.method == "get") {
 			return // Exception: HTTP 200 is returned without response entity
 		}
 
diff --git a/coderd/debug.go b/coderd/debug.go
@@ -0,0 +1,14 @@
+package coderd
+
+import "net/http"
+
+// @Summary Debug Info Wireguard Coordinator
+// @ID debug-info-wireguard-coordinator
+// @Security CoderSessionToken
+// @Produce text/html
+// @Tags Debug
+// @Success 200
+// @Router /debug/coordinator [get]
+func (api *API) debugCoordinator(rw http.ResponseWriter, r *http.Request) {
+	(*api.TailnetCoordinator.Load()).ServeHTTPDebug(rw, r)
+}
diff --git a/coderd/rbac/object.go b/coderd/rbac/object.go
@@ -150,6 +150,11 @@ var (
 	ResourceReplicas = Object{
 		Type: "replicas",
 	}
+
+	// ResourceDebugInfo controls access to the debug routes `/api/v2/debug/*`.
+	ResourceDebugInfo = Object{
+		Type: "debug_info",
+	}
 )
 
 // Object is used to create objects for authz checks when you have none in
diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go
@@ -521,6 +521,16 @@ func (api *API) workspaceAgentCoordinate(rw http.ResponseWriter, r *http.Request
 		})
 		return
 	}
+
+	workspace, err := api.Database.GetWorkspaceByID(ctx, build.WorkspaceID)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Internal error fetching workspace.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
 	// Ensure the resource is still valid!
 	// We only accept agents for resources on the latest build.
 	ensureLatestBuild := func() error {
@@ -618,7 +628,7 @@ func (api *API) workspaceAgentCoordinate(rw http.ResponseWriter, r *http.Request
 	closeChan := make(chan struct{})
 	go func() {
 		defer close(closeChan)
-		err := (*api.TailnetCoordinator.Load()).ServeAgent(wsNetConn, workspaceAgent.ID)
+		err := (*api.TailnetCoordinator.Load()).ServeAgent(wsNetConn, workspaceAgent.ID, fmt.Sprintf("%s-%s", workspace.Name, workspaceAgent.Name))
 		if err != nil {
 			api.Logger.Warn(ctx, "tailnet coordinator agent error", slog.Error(err))
 			_ = conn.Close(websocket.StatusInternalError, err.Error())
diff --git a/coderd/wsconncache/wsconncache_test.go b/coderd/wsconncache/wsconncache_test.go
@@ -207,7 +207,7 @@ func (c *client) ListenWorkspaceAgent(_ context.Context) (net.Conn, error) {
 		<-closed
 	})
 	go func() {
-		_ = c.coordinator.ServeAgent(serverConn, c.agentID)
+		_ = c.coordinator.ServeAgent(serverConn, c.agentID, "")
 		close(closed)
 	}()
 	return clientConn, nil
diff --git a/docs/api/debug.md b/docs/api/debug.md
@@ -0,0 +1,21 @@
+# Debug
+
+## Debug Info Wireguard Coordinator
+
+### Code samples
+
+```shell
+# Example request using curl
+curl -X GET http://coder-server:8080/api/v2/debug/coordinator \
+  -H 'Coder-Session-Token: API_KEY'
+```
+
+`GET /debug/coordinator`
+
+### Responses
+
+| Status | Meaning                                                 | Description | Schema |
+| ------ | ------------------------------------------------------- | ----------- | ------ |
+| 200    | [OK](https://tools.ietf.org/html/rfc7231#section-6.3.1) | OK          |        |
+
+To perform this operation, you must be authenticated. [Learn more](authentication.md).
diff --git a/docs/manifest.json b/docs/manifest.json
@@ -364,6 +364,10 @@
           "title": "Builds",
           "path": "./api/builds.md"
         },
+        {
+          "title": "Debug",
+          "path": "./api/debug.md"
+        },
         {
           "title": "Enterprise",
           "path": "./api/enterprise.md"
diff --git a/enterprise/tailnet/coordinator.go b/enterprise/tailnet/coordinator.go
@@ -5,8 +5,10 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"io"
 	"net"
+	"net/http"
 	"sync"
 	"time"
 
@@ -174,7 +176,7 @@ func (c *haCoordinator) handleNextClientMessage(id, agent uuid.UUID, decoder *js
 
 // ServeAgent accepts a WebSocket connection to an agent that listens to
 // incoming connections and publishes node updates.
-func (c *haCoordinator) ServeAgent(conn net.Conn, id uuid.UUID) error {
+func (c *haCoordinator) ServeAgent(conn net.Conn, id uuid.UUID, _ string) error {
 	// Tell clients on other instances to send a callmemaybe to us.
 	err := c.publishAgentHello(id)
 	if err != nil {
@@ -573,3 +575,9 @@ func (c *haCoordinator) formatAgentUpdate(id uuid.UUID, node *agpl.Node) ([]byte
 
 	return buf.Bytes(), nil
 }
+
+func (*haCoordinator) ServeHTTPDebug(w http.ResponseWriter, _ *http.Request) {
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	fmt.Fprintf(w, "<h1>coordinator</h1>")
+	fmt.Fprintf(w, "<h2>ha debug coming soon</h2>")
+}
diff --git a/enterprise/tailnet/coordinator_test.go b/enterprise/tailnet/coordinator_test.go
@@ -60,7 +60,7 @@ func TestCoordinatorSingle(t *testing.T) {
 		id := uuid.New()
 		closeChan := make(chan struct{})
 		go func() {
-			err := coordinator.ServeAgent(server, id)
+			err := coordinator.ServeAgent(server, id, "")
 			assert.NoError(t, err)
 			close(closeChan)
 		}()
@@ -91,7 +91,7 @@ func TestCoordinatorSingle(t *testing.T) {
 		agentID := uuid.New()
 		closeAgentChan := make(chan struct{})
 		go func() {
-			err := coordinator.ServeAgent(agentServerWS, agentID)
+			err := coordinator.ServeAgent(agentServerWS, agentID, "")
 			assert.NoError(t, err)
 			close(closeAgentChan)
 		}()
@@ -142,7 +142,7 @@ func TestCoordinatorSingle(t *testing.T) {
 		})
 		closeAgentChan = make(chan struct{})
 		go func() {
-			err := coordinator.ServeAgent(agentServerWS, agentID)
+			err := coordinator.ServeAgent(agentServerWS, agentID, "")
 			assert.NoError(t, err)
 			close(closeAgentChan)
 		}()
@@ -184,7 +184,7 @@ func TestCoordinatorHA(t *testing.T) {
 		agentID := uuid.New()
 		closeAgentChan := make(chan struct{})
 		go func() {
-			err := coordinator1.ServeAgent(agentServerWS, agentID)
+			err := coordinator1.ServeAgent(agentServerWS, agentID, "")
 			assert.NoError(t, err)
 			close(closeAgentChan)
 		}()
@@ -240,7 +240,7 @@ func TestCoordinatorHA(t *testing.T) {
 		})
 		closeAgentChan = make(chan struct{})
 		go func() {
-			err := coordinator1.ServeAgent(agentServerWS, agentID)
+			err := coordinator1.ServeAgent(agentServerWS, agentID, "")
 			assert.NoError(t, err)
 			close(closeAgentChan)
 		}()
diff --git a/tailnet/coordinator.go b/tailnet/coordinator.go
diff --git a/tailnet/coordinator_test.go b/tailnet/coordinator_test.go

Original file line number	Diff line number	Diff line change
`@@ -1193,7 +1193,7 @@ func (c *client) ListenWorkspaceAgent(_ context.Context) (net.Conn, error) {`
`1193`	`1193`	`}`
`1194`	`1194`	`c.t.Cleanup(c.lastWorkspaceAgent)`
`1195`	`1195`	`go func() {`
`1196`		`- _ = c.coordinator.ServeAgent(serverConn, c.agentID)`
	`1196`	`+ _ = c.coordinator.ServeAgent(serverConn, c.agentID, "")`
`1197`	`1197`	`close(closed)`
`1198`	`1198`	`}()`
`1199`	`1199`	`return clientConn, nil`
Original file line number	Diff line number	Diff line change
`@@ -327,7 +327,7 @@ func assertAccept(t *testing.T, comment SwaggerComment) {`
`327`	`327`	`}`
`328`	`328`	`}`
`329`	`329`
`330`		`-var allowedProduceTypes = []string{"json", "text/event-stream"}`
	`330`	`+var allowedProduceTypes = []string{"json", "text/event-stream", "text/html"}`
`331`	`331`
`332`	`332`	`func assertProduce(t *testing.T, comment SwaggerComment) {`
`333`	`333`	`var hasResponseModel bool`
`@@ -344,7 +344,8 @@ func assertProduce(t *testing.T, comment SwaggerComment) {`
`344`	`344`	`} else {`
`345`	`345`	`if (comment.router == "/workspaceagents/me/app-health" && comment.method == "post") \|\|`
`346`	`346`	`(comment.router == "/workspaceagents/me/version" && comment.method == "post") \|\|`
`347`		`- (comment.router == "/licenses/{id}" && comment.method == "delete") {`
	`347`	`+ (comment.router == "/licenses/{id}" && comment.method == "delete") \|\|`
	`348`	`+ (comment.router == "/debug/coordinator" && comment.method == "get") {`
`348`	`349`	`return // Exception: HTTP 200 is returned without response entity`
`349`	`350`	`}`
`350`	`351`
Original file line number	Diff line number	Diff line change
`@@ -150,6 +150,11 @@ var (`
`150`	`150`	`ResourceReplicas = Object{`
`151`	`151`	`Type: "replicas",`
`152`	`152`	`}`
	`153`	`+`
	`154`	+ // ResourceDebugInfo controls access to the debug routes `/api/v2/debug/*`.
	`155`	`+ ResourceDebugInfo = Object{`
	`156`	`+ Type: "debug_info",`
	`157`	`+ }`
`153`	`158`	`)`
`154`	`159`
`155`	`160`	`// Object is used to create objects for authz checks when you have none in`