fix: disable relay if built-in DERP is disabled

coadler · coadler · commit d16d19dd541d · 2024-03-18T22:31:07.000Z
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -284,7 +284,7 @@ func New(options *Options) *API {
 	if options.PrometheusRegistry == nil {
 		options.PrometheusRegistry = prometheus.NewRegistry()
 	}
-	if options.DERPServer == nil {
+	if options.DERPServer == nil && options.DeploymentValues.DERP.Server.Enable {
 		options.DERPServer = derp.NewServer(key.NewNode(), tailnet.Logger(options.Logger.Named("derp")))
 	}
 	if options.DERPMapUpdateFrequency == 0 {
@@ -567,8 +567,6 @@ func New(options *Options) *API {
 	// replicas or instances of this middleware.
 	apiRateLimiter := httpmw.RateLimit(options.APIRateLimit, time.Minute)
 
-	derpHandler := derphttp.Handler(api.DERPServer)
-	derpHandler, api.derpCloseFunc = tailnet.WithWebsocketSupport(api.DERPServer, derpHandler)
 	// Register DERP on expvar HTTP handler, which we serve below in the router, c.f. expvar.Handler()
 	// These are the metrics the DERP server exposes.
 	// TODO: export via prometheus
@@ -577,7 +575,9 @@ func New(options *Options) *API {
 		// register multiple times.  In production there is only one Coderd and one DERP server per
 		// process, but in testing, we create multiple of both, so the Once protects us from
 		// panicking.
-		expvar.Publish("derp", api.DERPServer.ExpVar())
+		if options.DERPServer != nil {
+			expvar.Publish("derp", api.DERPServer.ExpVar())
+		}
 	})
 	cors := httpmw.Cors(options.DeploymentValues.Dangerous.AllowAllCors.Value())
 	prometheusMW := httpmw.Prometheus(options.PrometheusRegistry)
@@ -627,13 +627,18 @@ func New(options *Options) *API {
 		api.workspaceAppServer.Attach(r)
 	})
 
-	r.Route("/derp", func(r chi.Router) {
-		r.Get("/", derpHandler.ServeHTTP)
-		// This is used when UDP is blocked, and latency must be checked via HTTP(s).
-		r.Get("/latency-check", func(w http.ResponseWriter, r *http.Request) {
-			w.WriteHeader(http.StatusOK)
+	if options.DERPServer != nil {
+		derpHandler := derphttp.Handler(api.DERPServer)
+		derpHandler, api.derpCloseFunc = tailnet.WithWebsocketSupport(api.DERPServer, derpHandler)
+
+		r.Route("/derp", func(r chi.Router) {
+			r.Get("/", derpHandler.ServeHTTP)
+			// This is used when UDP is blocked, and latency must be checked via HTTP(s).
+			r.Get("/latency-check", func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusOK)
+			})
 		})
-	})
+	}
 
 	// Register callback handlers for each OAuth2 provider.
 	// We must support gitauth and externalauth for backwards compatibility.
@@ -1056,9 +1061,11 @@ func New(options *Options) *API {
 				r.Use(httpmw.ExtractUserParam(options.Database))
 				r.Get("/debug-link", api.userDebugOIDC)
 			})
-			r.Route("/derp", func(r chi.Router) {
-				r.Get("/traffic", options.DERPServer.ServeDebugTraffic)
-			})
+			if options.DERPServer != nil {
+				r.Route("/derp", func(r chi.Router) {
+					r.Get("/traffic", options.DERPServer.ServeDebugTraffic)
+				})
+			}
 			r.Method("GET", "/expvar", expvar.Handler()) // contains DERP metrics as well as cmdline and memstats
 		})
 	})
diff --git a/enterprise/cli/server.go b/enterprise/cli/server.go
@@ -37,41 +37,42 @@ func (r *RootCmd) Server(_ func()) *clibase.Cmd {
 			}
 		}
 
-		options.DERPServer = derp.NewServer(key.NewNode(), tailnet.Logger(options.Logger.Named("derp")))
-
-		var meshKey string
-		err := options.Database.InTx(func(tx database.Store) error {
-			// This will block until the lock is acquired, and will be
-			// automatically released when the transaction ends.
-			err := tx.AcquireLock(ctx, database.LockIDEnterpriseDeploymentSetup)
-			if err != nil {
-				return xerrors.Errorf("acquire lock: %w", err)
-			}
+		if options.DeploymentValues.DERP.Server.Enable {
+			options.DERPServer = derp.NewServer(key.NewNode(), tailnet.Logger(options.Logger.Named("derp")))
+			var meshKey string
+			err := options.Database.InTx(func(tx database.Store) error {
+				// This will block until the lock is acquired, and will be
+				// automatically released when the transaction ends.
+				err := tx.AcquireLock(ctx, database.LockIDEnterpriseDeploymentSetup)
+				if err != nil {
+					return xerrors.Errorf("acquire lock: %w", err)
+				}
 
-			meshKey, err = tx.GetDERPMeshKey(ctx)
-			if err == nil {
+				meshKey, err = tx.GetDERPMeshKey(ctx)
+				if err == nil {
+					return nil
+				}
+				if !errors.Is(err, sql.ErrNoRows) {
+					return xerrors.Errorf("get DERP mesh key: %w", err)
+				}
+				meshKey, err = cryptorand.String(32)
+				if err != nil {
+					return xerrors.Errorf("generate DERP mesh key: %w", err)
+				}
+				err = tx.InsertDERPMeshKey(ctx, meshKey)
+				if err != nil {
+					return xerrors.Errorf("insert DERP mesh key: %w", err)
+				}
 				return nil
-			}
-			if !errors.Is(err, sql.ErrNoRows) {
-				return xerrors.Errorf("get DERP mesh key: %w", err)
-			}
-			meshKey, err = cryptorand.String(32)
+			}, nil)
 			if err != nil {
-				return xerrors.Errorf("generate DERP mesh key: %w", err)
+				return nil, nil, err
 			}
-			err = tx.InsertDERPMeshKey(ctx, meshKey)
-			if err != nil {
-				return xerrors.Errorf("insert DERP mesh key: %w", err)
+			if meshKey == "" {
+				return nil, nil, xerrors.New("mesh key is empty")
 			}
-			return nil
-		}, nil)
-		if err != nil {
-			return nil, nil, err
-		}
-		if meshKey == "" {
-			return nil, nil, xerrors.New("mesh key is empty")
+			options.DERPServer.SetMeshKey(meshKey)
 		}
-		options.DERPServer.SetMeshKey(meshKey)
 
 		options.Auditor = audit.NewAuditor(
 			options.Database,
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -418,6 +418,8 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 	if err != nil {
 		return nil, xerrors.Errorf("create DERP mesh TLS config: %w", err)
 	}
+	// We always want to run the replica manager even if we don't have DERP
+	// enabled, since it's used to detect other coder servers for licensing.
 	api.replicaManager, err = replicasync.New(ctx, options.Logger, options.Database, options.Pubsub, &replicasync.Options{
 		ID:             api.AGPL.ID,
 		RelayAddress:   options.DERPServerRelayAddress,
@@ -428,7 +430,9 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 	if err != nil {
 		return nil, xerrors.Errorf("initialize replica: %w", err)
 	}
-	api.derpMesh = derpmesh.New(options.Logger.Named("derpmesh"), api.DERPServer, meshTLSConfig)
+	if api.DERPServer != nil {
+		api.derpMesh = derpmesh.New(options.Logger.Named("derpmesh"), api.DERPServer, meshTLSConfig)
+	}
 
 	// Moon feature init. Proxyhealh is a go routine to periodically check
 	// the health of all workspace proxies.
@@ -666,11 +670,18 @@ func (api *API) updateEntitlements(ctx context.Context) error {
 			}
 
 			api.replicaManager.SetCallback(func() {
-				addresses := make([]string, 0)
-				for _, replica := range api.replicaManager.Regional() {
-					addresses = append(addresses, replica.RelayAddress)
+				// Only update DERP mesh if the built-in server is enabled.
+				if api.Options.DeploymentValues.DERP.Server.Enable {
+					addresses := make([]string, 0)
+					for _, replica := range api.replicaManager.Regional() {
+						// Don't add replicas with an empty relay address.
+						if replica.RelayAddress == "" {
+							continue
+						}
+						addresses = append(addresses, replica.RelayAddress)
+					}
+					api.derpMesh.SetAddresses(addresses, false)
 				}
-				api.derpMesh.SetAddresses(addresses, false)
 				_ = api.updateEntitlements(ctx)
 			})
 		} else {
diff --git a/enterprise/replicasync/replicasync.go b/enterprise/replicasync/replicasync.go
@@ -17,7 +17,6 @@ import (
 	"golang.org/x/xerrors"
 
 	"cdr.dev/slog"
-
 	"github.com/coder/coder/v2/buildinfo"
 	"github.com/coder/coder/v2/cli/cliutil"
 	"github.com/coder/coder/v2/coderd/database"
@@ -38,8 +37,9 @@ type Options struct {
 	TLSConfig       *tls.Config
 }
 
-// New registers the replica with the database and periodically updates to ensure
-// it's healthy. It contacts all other alive replicas to ensure they are reachable.
+// New registers the replica with the database and periodically updates to
+// ensure it's healthy. It contacts all other alive replicas to ensure they are
+// reachable.
 func New(ctx context.Context, logger slog.Logger, db database.Store, ps pubsub.Pubsub, options *Options) (*Manager, error) {
 	if options == nil {
 		options = &Options{}
