Add nomulus deployment and service manifests (#2389)

proxy/build.gradle

@@ -18,19 +18,17 @@ task buildProxyImage(dependsOn: deployJar, type: Exec) {
   commandLine 'docker', 'build', '-t', 'proxy', '.'
 }
 
-task deployProxy(dependsOn: buildProxyImage) {
+task tagProxyImage(dependsOn: buildProxyImage, type: Exec) {
+  commandLine 'docker', 'tag', 'proxy', "gcr.io/${rootProject.gcpProject}/proxy"
+}
+
+task pushProxyImage(dependsOn: tagProxyImage, type: Exec) {
+  commandLine 'docker', 'push', "gcr.io/${rootProject.gcpProject}/proxy"
+}
+
+task deployProxy(dependsOn: pushProxyImage, type: Exec) {
   configure verifyDeploymentConfig
-  doLast {
-    exec {
-      commandLine 'docker', 'tag', 'proxy', "gcr.io/${rootProject.gcpProject}/proxy"
-    }
-    exec {
-      commandLine 'docker', 'push', "gcr.io/${rootProject.gcpProject}/proxy"
-    }
-    exec {
-      commandLine './deploy-proxy-for-env.sh', "${rootProject.environment}"
-    }
-  }
+  commandLine './deploy-proxy-for-env.sh', "${rootProject.environment}"
 }
 
 project.build.dependsOn buildProxyImage

proxy/deploy-proxy-for-env.sh

@@ -18,8 +18,8 @@
 # manifest.
 
 if [[ $# -ne 1 ]]; then
- echo "Usage: $0 alpha|crash"
- exit 1
+  echo "Usage: $0 alpha|crash|qa"
+  exit 1
 fi
 
 environment=${1}

proxy/src/main/java/google/registry/proxy/EppProtocolModule.java

@@ -70,12 +70,14 @@ public final class EppProtocolModule {
       ProxyConfig config,
       @EppProtocol int eppPort,
       @EppProtocol ImmutableList<Provider<? extends ChannelHandler>> handlerProviders,
-      @HttpsRelayProtocol BackendProtocol.Builder backendProtocolBuilder) {
+      @HttpsRelayProtocol BackendProtocol.Builder backendProtocolBuilder,
+      @HttpsRelayProtocol boolean localRelay) {
     return Protocol.frontendBuilder()
         .name(PROTOCOL_NAME)
         .port(eppPort)
         .handlerProviders(handlerProviders)
-        .relayProtocol(backendProtocolBuilder.host(config.epp.relayHost).build())
+        .relayProtocol(
+            backendProtocolBuilder.host(localRelay ? "localhost" : config.epp.relayHost).build())
         .build();
   }
 
@@ -114,7 +116,7 @@ public final class EppProtocolModule {
         config.epp.headerLengthBytes,
         // Adjustment applied to the header field value in order to obtain message length.
         -config.epp.headerLengthBytes,
-        // Initial bytes to strip (i.e. strip the length header).
+        // Initial bytes to strip (i.e., strip the length header).
         config.epp.headerLengthBytes);
   }
 
@@ -150,9 +152,14 @@ public final class EppProtocolModule {
       @Named("idToken") Supplier<String> idTokenSupplier,
       @Named("hello") byte[] helloBytes,
       FrontendMetrics metrics,
-      ProxyConfig config) {
+      ProxyConfig config,
+      @HttpsRelayProtocol boolean localRelay) {
     return new EppServiceHandler(
-        config.epp.relayHost, config.epp.relayPath, idTokenSupplier, helloBytes, metrics);
+        localRelay ? "localhost" : config.epp.relayHost,
+        config.epp.relayPath,
+        idTokenSupplier,
+        helloBytes,
+        metrics);
   }
 
   @Singleton

proxy/src/main/java/google/registry/proxy/HttpsRelayProtocolModule.java

@@ -35,11 +35,19 @@ import javax.inject.Provider;
 import javax.inject.Qualifier;
 
 /**
- * Module that provides a {@link BackendProtocol.Builder} for HTTPS protocol.
+ * Module that provides a {@link BackendProtocol.Builder} for HTTP(S) protocol.
  *
  * <p>Only a builder is provided because the client protocol itself depends on the remote host
  * address, which is provided in the server protocol module that relays to this client protocol
- * module, e. g. {@link WhoisProtocolModule}.
+ * module, e.g., {@link WhoisProtocolModule}.
+ *
+ * <p>The protocol can be configured without TLS. In this case, the remote host has to be
+ * "localhost". Plan HTTP is only expected to be used when communication with Nomulus is via local
+ * loopback (for security reasons), as is the case when both the proxy and Nomulus container live in
+ * the same Kubernetes pod.
+ *
+ * @see <a href=https://kubernetes.io/docs/concepts/services-networking/>The Kubernetes network
+ *     model</a>
  */
 @Module
 public class HttpsRelayProtocolModule {
@@ -54,10 +62,12 @@ public class HttpsRelayProtocolModule {
   @HttpsRelayProtocol
   static BackendProtocol.Builder provideProtocolBuilder(
       ProxyConfig config,
+      @HttpsRelayProtocol boolean localRelay,
       @HttpsRelayProtocol ImmutableList<Provider<? extends ChannelHandler>> handlerProviders) {
     return Protocol.backendBuilder()
         .name(PROTOCOL_NAME)
-        .port(config.httpsRelay.port)
+        .isLocal(localRelay)
+        .port(localRelay ? config.httpsRelay.localPort : config.httpsRelay.port)
         .handlerProviders(handlerProviders);
   }
 
@@ -74,6 +84,7 @@ public class HttpsRelayProtocolModule {
   @Provides
   @HttpsRelayProtocol
   static ImmutableList<Provider<? extends ChannelHandler>> provideHandlerProviders(
+      @HttpsRelayProtocol boolean localRelay,
       @HttpsRelayProtocol
           Provider<SslClientInitializer<NioSocketChannel>> sslClientInitializerProvider,
       Provider<HttpClientCodec> httpClientCodecProvider,
@@ -81,13 +92,17 @@ public class HttpsRelayProtocolModule {
       Provider<BackendMetricsHandler> backendMetricsHandlerProvider,
       Provider<LoggingHandler> loggingHandlerProvider,
       Provider<FullHttpResponseRelayHandler> relayHandlerProvider) {
-    return ImmutableList.of(
-        sslClientInitializerProvider,
-        httpClientCodecProvider,
-        httpObjectAggregatorProvider,
-        backendMetricsHandlerProvider,
-        loggingHandlerProvider,
-        relayHandlerProvider);
+    ImmutableList.Builder<Provider<? extends ChannelHandler>> builder =
+        new ImmutableList.Builder<>();
+    if (!localRelay) {
+      builder.add(sslClientInitializerProvider);
+    }
+    builder.add(httpClientCodecProvider);
+    builder.add(httpObjectAggregatorProvider);
+    builder.add(backendMetricsHandlerProvider);
+    builder.add(loggingHandlerProvider);
+    builder.add(relayHandlerProvider);
+    return builder.build();
   }
 
   @Provides

proxy/src/main/java/google/registry/proxy/Protocol.java

@@ -47,8 +47,9 @@ public interface Protocol {
     return new AutoValue_Protocol_FrontendProtocol.Builder().hasBackend(true);
   }
 
+  /** A builder for {@link FrontendProtocol}, by default it connects to a remote host. */
   static BackendProtocol.Builder backendBuilder() {
-    return new AutoValue_Protocol_BackendProtocol.Builder();
+    return new AutoValue_Protocol_BackendProtocol.Builder().isLocal(false);
   }
 
   /**
@@ -121,10 +122,26 @@ public interface Protocol {
     /** The hostname that the proxy connects to. */
     public abstract String host();
 
+    /** Whether the protocol is expected to connect to localhost. */
+    public abstract boolean isLocal();
+
     /** Builder of {@link BackendProtocol}. */
     @AutoValue.Builder
     public abstract static class Builder extends Protocol.Builder<Builder, BackendProtocol> {
       public abstract Builder host(String value);
+
+      public abstract Builder isLocal(boolean value);
+
+      abstract BackendProtocol autoBuild();
+
+      @Override
+      public BackendProtocol build() {
+        BackendProtocol protocol = autoBuild();
+        Preconditions.checkState(
+            !protocol.isLocal() || protocol.host().equals("localhost"),
+            "Local backend protocol must connect to localhost");
+        return autoBuild();
+      }
     }
   }
 }

proxy/src/main/java/google/registry/proxy/ProxyConfig.java

@@ -103,6 +103,7 @@ public class ProxyConfig {
   /** Configuration options that apply to HTTPS relay protocol. */
   public static class HttpsRelay {
     public int port;
+    public int localPort;
     public int maxMessageLengthBytes;
   }
 

proxy/src/main/java/google/registry/proxy/ProxyModule.java

@@ -37,6 +37,7 @@ import google.registry.networking.module.CertificateSupplierModule;
 import google.registry.networking.module.CertificateSupplierModule.Mode;
 import google.registry.proxy.EppProtocolModule.EppProtocol;
 import google.registry.proxy.HealthCheckProtocolModule.HealthCheckProtocol;
+import google.registry.proxy.HttpsRelayProtocolModule.HttpsRelayProtocol;
 import google.registry.proxy.Protocol.FrontendProtocol;
 import google.registry.proxy.ProxyConfig.Environment;
 import google.registry.proxy.WebWhoisProtocolsModule.HttpWhoisProtocol;
@@ -91,6 +92,13 @@ public class ProxyModule {
   @Parameter(names = "--https_whois", description = "Port for HTTPS WHOIS")
   private Integer httpsWhoisPort;
 
+  @Parameter(
+      names = "--local",
+      description =
+          "Whether EPP/WHOIS traffic should be forwarded to localhost using HTTP on port defined in"
+              + " httpsRelay.localPort")
+  private boolean local = false;
+
   @Parameter(names = "--env", description = "Environment to run the proxy in")
   private Environment env = Environment.LOCAL;
 
@@ -168,6 +176,13 @@ public class ProxyModule {
     return config.oauthClientId;
   }
 
+  @Provides
+  @HttpsRelayProtocol
+  @Singleton
+  boolean provideIsLocal() {
+    return local;
+  }
+
   @Provides
   @WhoisProtocol
   int provideWhoisPort(ProxyConfig config) {
@@ -204,7 +219,7 @@ public class ProxyModule {
   }
 
   /**
-   * Provides shared logging handler.
+   * Provides a shared logging handler.
    *
    * <p>Note that this handler always records logs at {@code LogLevel.DEBUG}, it is up to the JUL
    * logger that it contains to decide if logs at this level should actually be captured. The log

proxy/src/main/java/google/registry/proxy/WhoisProtocolModule.java

@@ -61,12 +61,14 @@ public final class WhoisProtocolModule {
       ProxyConfig config,
       @WhoisProtocol int whoisPort,
       @WhoisProtocol ImmutableList<Provider<? extends ChannelHandler>> handlerProviders,
-      @HttpsRelayProtocol BackendProtocol.Builder backendProtocolBuilder) {
+      @HttpsRelayProtocol BackendProtocol.Builder backendProtocolBuilder,
+      @HttpsRelayProtocol boolean localRelay) {
     return Protocol.frontendBuilder()
         .name(PROTOCOL_NAME)
         .port(whoisPort)
         .handlerProviders(handlerProviders)
-        .relayProtocol(backendProtocolBuilder.host(config.whois.relayHost).build())
+        .relayProtocol(
+            backendProtocolBuilder.host(localRelay ? "localhost" : config.whois.relayHost).build())
         .build();
   }
 
@@ -94,9 +96,13 @@ public final class WhoisProtocolModule {
   static WhoisServiceHandler provideWhoisServiceHandler(
       ProxyConfig config,
       @Named("idToken") Supplier<String> idTokenSupplier,
-      FrontendMetrics metrics) {
+      FrontendMetrics metrics,
+      @HttpsRelayProtocol boolean localRelay) {
     return new WhoisServiceHandler(
-        config.whois.relayHost, config.whois.relayPath, idTokenSupplier, metrics);
+        localRelay ? "localhost" : config.whois.relayHost,
+        config.whois.relayPath,
+        idTokenSupplier,
+        metrics);
   }
 
   @Provides

proxy/src/main/java/google/registry/proxy/config/default-config.yaml

@@ -177,7 +177,7 @@ healthCheck:
 
 httpsRelay:
   port: 443
-
+  localPort: 8080
   # Maximum size of an HTTP message in bytes.
   maxMessageLengthBytes: 524288
 

proxy/src/test/java/google/registry/proxy/ProtocolModuleTest.java

@@ -67,7 +67,7 @@ import org.junit.jupiter.api.BeforeEach;
 /**
  * Base class for end-to-end tests of a {@link Protocol}.
  *
- * <p>The end-to-end tests ensures that the business logic that a {@link Protocol} defines are
+ * <p>The end-to-end tests ensure that the business logic that a {@link Protocol} defines are
  * correctly performed by various handlers attached to its pipeline. Non-business essential handlers
  * should be excluded.
  *
@@ -91,7 +91,7 @@ public abstract class ProtocolModuleTest {
           // The PROXY protocol is only used when the proxy is behind the GCP load balancer. It is
           // not part of any business logic.
           ProxyProtocolHandler.class,
-          // SSL is part of the business logic for some protocol (EPP for example), but its
+          // SSL is part of the business logic for some protocol (EPP, for example), but its
           // impact is isolated. Including it makes tests much more complicated. It should be tested
           // separately in its own unit tests.
           SslClientInitializer.class,
@@ -152,7 +152,7 @@ public abstract class ProtocolModuleTest {
   void initializeChannel(Consumer<Channel> initializer) {
     channel =
         new EmbeddedChannel(
-            new ChannelInitializer<Channel>() {
+            new ChannelInitializer<>() {
               @Override
               protected void initChannel(Channel ch) {
                 initializer.accept(ch);
@@ -218,8 +218,8 @@ public abstract class ProtocolModuleTest {
    *
    * <p>Most of the binding provided in this module should be either a fake, or a {@link
    * ChannelHandler} that is excluded, and annotated with {@code @Singleton}. This module acts as a
-   * replacement for {@link ProxyModule} used in production component. Providing a handler that is
-   * part of the business logic of a {@link Protocol} from this module is a sign that the binding
+   * replacement for {@link ProxyModule} used in the production component. Providing a handler that
+   * is part of the business logic of a {@link Protocol} from this module is a sign that the binding
    * should be provided in the respective {@code ProtocolModule} instead.
    */
   @Module
@@ -306,12 +306,19 @@ public abstract class ProtocolModuleTest {
     }
 
     // This method is only here to satisfy Dagger binding, but is never used. In test environment,
-    // it is the self-signed certificate and its key that end up being used.
+    // it is the self-signed certificate and its key that ends up being used.
     @Singleton
     @Provides
     @Named("pemBytes")
     static byte[] providePemBytes() {
       return new byte[0];
     }
+
+    @Singleton
+    @Provides
+    @HttpsRelayProtocol
+    static boolean provideLocalRelay() {
+      return false;
+    }
   }
 }