Add L7 and PROXY protocol fields to gRPC API and CLI

Proto: Route message gains mode, tls_cert, tls_key, backend_tls, send_proxy_protocol fields. ListenerStatus gains proxy_protocol. Generated code regenerated with protoc v29.5. gRPC server: AddRoute validates mode ("l4"/"l7", defaults to "l4"), requires tls_cert/tls_key for L7 routes, persists all fields via write-through. ListRoutes returns full route info. GetStatus includes proxy_protocol on listener status. Client package: Route struct expanded with Mode, TLSCert, TLSKey, BackendTLS, SendProxyProtocol. AddRoute signature changed to accept a Route struct instead of individual hostname/backend strings. ListenerStatus gains ProxyProtocol. ListRoutes maps all proto fields. mcproxyctl: routes add gains --mode, --tls-cert, --tls-key, --backend-tls, --send-proxy-protocol flags. routes list displays mode and option tags for each route. New tests: add L7 route via gRPC with field round-trip verification, L7 route missing cert/key (InvalidArgument), invalid mode rejection, default-to-L4 backward compatibility, proxy_protocol in status. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 13:55:43 -07:00
parent 97909b7fbc
commit 498f040cbe
9 changed files with 341 additions and 35 deletions
--- a/internal/grpcserver/grpcserver.go
+++ b/internal/grpcserver/grpcserver.go
@@ -90,8 +90,13 @@ func (a *AdminServer) ListRoutes(_ context.Context, req *pb.ListRoutesRequest) (
 	}
 	for hostname, route := range routes {
 		resp.Routes = append(resp.Routes, &pb.Route{
-			Hostname: hostname,
-			Backend:  route.Backend,
+			Hostname:          hostname,
+			Backend:           route.Backend,
+			Mode:              route.Mode,
+			TlsCert:           route.TLSCert,
+			TlsKey:            route.TLSKey,
+			BackendTls:        route.BackendTLS,
+			SendProxyProtocol: route.SendProxyProtocol,
 		})
 	}
 	return resp, nil
@@ -118,17 +123,42 @@ func (a *AdminServer) AddRoute(_ context.Context, req *pb.AddRouteRequest) (*pb.

 	hostname := strings.ToLower(req.Route.Hostname)

+	// Normalize mode.
+	mode := req.Route.Mode
+	if mode == "" {
+		mode = "l4"
+	}
+	if mode != "l4" && mode != "l7" {
+		return nil, status.Errorf(codes.InvalidArgument, "mode must be \"l4\" or \"l7\", got %q", mode)
+	}
+
+	// L7 routes require cert/key paths.
+	if mode == "l7" {
+		if req.Route.TlsCert == "" || req.Route.TlsKey == "" {
+			return nil, status.Error(codes.InvalidArgument, "L7 routes require tls_cert and tls_key")
+		}
+	}
+
 	// Write-through: DB first, then memory.
-	if _, err := a.store.CreateRoute(ls.ID, hostname, req.Route.Backend, "l4", "", "", false, false); err != nil {
+	if _, err := a.store.CreateRoute(ls.ID, hostname, req.Route.Backend, mode,
+		req.Route.TlsCert, req.Route.TlsKey, req.Route.BackendTls, req.Route.SendProxyProtocol); err != nil {
 		return nil, status.Errorf(codes.AlreadyExists, "%v", err)
 	}

-	if err := ls.AddRoute(hostname, server.RouteInfo{Backend: req.Route.Backend, Mode: "l4"}); err != nil {
+	info := server.RouteInfo{
+		Backend:           req.Route.Backend,
+		Mode:              mode,
+		TLSCert:           req.Route.TlsCert,
+		TLSKey:            req.Route.TlsKey,
+		BackendTLS:        req.Route.BackendTls,
+		SendProxyProtocol: req.Route.SendProxyProtocol,
+	}
+	if err := ls.AddRoute(hostname, info); err != nil {
 		// DB succeeded but memory failed (should not happen since DB enforces uniqueness).
 		a.logger.Error("inconsistency: DB write succeeded but memory update failed", "error", err)
 	}

-	a.logger.Info("route added", "listener", ls.Addr, "hostname", hostname, "backend", req.Route.Backend)
+	a.logger.Info("route added", "listener", ls.Addr, "hostname", hostname, "backend", req.Route.Backend, "mode", mode)
 	return &pb.AddRouteResponse{}, nil
 }

@@ -287,6 +317,7 @@ func (a *AdminServer) GetStatus(_ context.Context, _ *pb.GetStatusRequest) (*pb.
 			Addr:              ls.Addr,
 			RouteCount:        int32(len(routes)),
 			ActiveConnections: ls.ActiveConnections.Load(),
+			ProxyProtocol:     ls.ProxyProtocol,
 		})
 	}

--- a/internal/grpcserver/grpcserver_test.go
+++ b/internal/grpcserver/grpcserver_test.go
@@ -517,3 +517,162 @@ func TestRemoveFirewallRuleNotFound(t *testing.T) {
 		t.Fatal("expected error for removing nonexistent rule")
 	}
 }
+
+func TestAddRouteL7(t *testing.T) {
+	env := setup(t)
+	ctx := context.Background()
+
+	_, err := env.client.AddRoute(ctx, &pb.AddRouteRequest{
+		ListenerAddr: ":443",
+		Route: &pb.Route{
+			Hostname:          "l7.test",
+			Backend:           "127.0.0.1:8080",
+			Mode:              "l7",
+			TlsCert:           "/certs/l7.crt",
+			TlsKey:            "/certs/l7.key",
+			BackendTls:        false,
+			SendProxyProtocol: true,
+		},
+	})
+	if err != nil {
+		t.Fatalf("AddRoute L7: %v", err)
+	}
+
+	// Verify in-memory via ListRoutes.
+	resp, err := env.client.ListRoutes(ctx, &pb.ListRoutesRequest{ListenerAddr: ":443"})
+	if err != nil {
+		t.Fatalf("ListRoutes: %v", err)
+	}
+
+	var found *pb.Route
+	for _, r := range resp.Routes {
+		if r.Hostname == "l7.test" {
+			found = r
+			break
+		}
+	}
+	if found == nil {
+		t.Fatal("L7 route not found in ListRoutes response")
+	}
+	if found.Mode != "l7" {
+		t.Fatalf("mode = %q, want %q", found.Mode, "l7")
+	}
+	if found.TlsCert != "/certs/l7.crt" {
+		t.Fatalf("tls_cert = %q, want %q", found.TlsCert, "/certs/l7.crt")
+	}
+	if found.TlsKey != "/certs/l7.key" {
+		t.Fatalf("tls_key = %q, want %q", found.TlsKey, "/certs/l7.key")
+	}
+	if found.BackendTls {
+		t.Fatal("expected backend_tls = false")
+	}
+	if !found.SendProxyProtocol {
+		t.Fatal("expected send_proxy_protocol = true")
+	}
+
+	// Verify DB persistence.
+	dbListeners, _ := env.store.ListListeners()
+	dbRoutes, _ := env.store.ListRoutes(dbListeners[0].ID)
+	var dbRoute *db.Route
+	for i := range dbRoutes {
+		if dbRoutes[i].Hostname == "l7.test" {
+			dbRoute = &dbRoutes[i]
+			break
+		}
+	}
+	if dbRoute == nil {
+		t.Fatal("L7 route not found in DB")
+	}
+	if dbRoute.Mode != "l7" {
+		t.Fatalf("DB mode = %q, want %q", dbRoute.Mode, "l7")
+	}
+	if !dbRoute.SendProxyProtocol {
+		t.Fatal("DB send_proxy_protocol should be true")
+	}
+}
+
+func TestAddRouteL7MissingCert(t *testing.T) {
+	env := setup(t)
+	ctx := context.Background()
+
+	_, err := env.client.AddRoute(ctx, &pb.AddRouteRequest{
+		ListenerAddr: ":443",
+		Route: &pb.Route{
+			Hostname: "nocert.test",
+			Backend:  "127.0.0.1:8080",
+			Mode:     "l7",
+		},
+	})
+	if err == nil {
+		t.Fatal("expected error for L7 route without cert/key")
+	}
+	if s, ok := status.FromError(err); !ok || s.Code() != codes.InvalidArgument {
+		t.Fatalf("expected InvalidArgument, got %v", err)
+	}
+}
+
+func TestAddRouteInvalidMode(t *testing.T) {
+	env := setup(t)
+	ctx := context.Background()
+
+	_, err := env.client.AddRoute(ctx, &pb.AddRouteRequest{
+		ListenerAddr: ":443",
+		Route: &pb.Route{
+			Hostname: "badmode.test",
+			Backend:  "127.0.0.1:8080",
+			Mode:     "l5",
+		},
+	})
+	if err == nil {
+		t.Fatal("expected error for invalid mode")
+	}
+	if s, ok := status.FromError(err); !ok || s.Code() != codes.InvalidArgument {
+		t.Fatalf("expected InvalidArgument, got %v", err)
+	}
+}
+
+func TestAddRouteDefaultsToL4(t *testing.T) {
+	env := setup(t)
+	ctx := context.Background()
+
+	// Add route without specifying mode — should default to "l4".
+	_, err := env.client.AddRoute(ctx, &pb.AddRouteRequest{
+		ListenerAddr: ":443",
+		Route: &pb.Route{
+			Hostname: "default.test",
+			Backend:  "127.0.0.1:9443",
+		},
+	})
+	if err != nil {
+		t.Fatalf("AddRoute: %v", err)
+	}
+
+	resp, _ := env.client.ListRoutes(ctx, &pb.ListRoutesRequest{ListenerAddr: ":443"})
+	for _, r := range resp.Routes {
+		if r.Hostname == "default.test" {
+			if r.Mode != "l4" {
+				t.Fatalf("mode = %q, want %q", r.Mode, "l4")
+			}
+			return
+		}
+	}
+	t.Fatal("route not found")
+}
+
+func TestGetStatusProxyProtocol(t *testing.T) {
+	env := setup(t)
+	ctx := context.Background()
+
+	resp, err := env.client.GetStatus(ctx, &pb.GetStatusRequest{})
+	if err != nil {
+		t.Fatalf("GetStatus: %v", err)
+	}
+
+	// The seeded listener has proxy_protocol = false.
+	if len(resp.Listeners) != 1 {
+		t.Fatalf("got %d listeners, want 1", len(resp.Listeners))
+	}
+	if resp.Listeners[0].ProxyProtocol {
+		t.Fatal("expected proxy_protocol = false")
+	}
+}