feat: add yaml egress proxy benchmark

This commit is contained in:
Codex
2026-06-26 10:32:43 +00:00
parent 0bfff97848
commit 0ef9129bef
14 changed files with 1090 additions and 46 deletions
+4 -8
View File
@@ -60,9 +60,7 @@ nodes:
namespace: platform-infra
serviceName: sub2api-egress-proxy
port: 10808
sourceRef: platform-infra/master-vpn-subscription.env
sourceKey: MASTER_VPN_SUBSCRIPTION_URL
sourceType: subscription-url
sourceConfigRef: config/platform-infra/egress-proxy-sources.yaml#sources.master-shadowsocks
noProxy:
- localhost
- 127.0.0.1
@@ -82,8 +80,6 @@ nodes:
- 192.168.0.0/16
- 82.156.23.220
- 74.48.78.17
- registry.npmmirror.com
- cdn.npmmirror.com
- hyueapi.com
- .hyueapi.com
@@ -116,8 +112,8 @@ targets:
readUrl: http://git-mirror-http.devops-infra.svc.cluster.local/pikasTech/HWLAB.git
writeUrl: http://git-mirror-write.devops-infra.svc.cluster.local/pikasTech/HWLAB.git
egressProxy:
mode: direct
required: false
mode: node-global
required: true
githubTransport:
mode: ssh
tekton:
@@ -146,7 +142,7 @@ targets:
- ENV PATH=/usr/local/go/bin:$PATH
- RUN ln -sf /usr/local/bin/bun /usr/local/bin/bunx
- ENV HWLAB_CI_NODE_DEPS=/opt/hwlab-ci-node-deps/node_modules
- RUN set -eu; export HTTP_PROXY="${HTTP_PROXY:-${http_proxy:-}}"; export HTTPS_PROXY="${HTTPS_PROXY:-${https_proxy:-$HTTP_PROXY}}"; export ALL_PROXY="${ALL_PROXY:-${all_proxy:-}}"; export NO_PROXY="${NO_PROXY:-${no_proxy:-}}"; export http_proxy="$HTTP_PROXY"; export https_proxy="$HTTPS_PROXY"; export all_proxy="$ALL_PROXY"; export no_proxy="$NO_PROXY"; export npm_config_registry="https://registry.npmmirror.com/"; export BUN_CONFIG_REGISTRY="https://registry.npmmirror.com/"; export NO_PROXY="${NO_PROXY:+$NO_PROXY,}registry.npmmirror.com,cdn.npmmirror.com"; export no_proxy="$NO_PROXY"; export npm_config_noproxy="$NO_PROXY"; export npm_config_proxy=""; export npm_config_https_proxy=""; export HTTP_PROXY=""; export HTTPS_PROXY=""; export ALL_PROXY=""; export http_proxy=""; export https_proxy=""; export all_proxy=""; export npm_config_fetch_retries=2; export npm_config_fetch_retry_mintimeout=2000; export npm_config_fetch_retry_maxtimeout=16000; export npm_config_fetch_timeout=120000; mkdir -p /opt/hwlab-ci-node-deps; cd /opt/hwlab-ci-node-deps; printf '{"private":true,"dependencies":{}}\n' > package.json; ok=0; delay=2; for attempt in 1 2 3 4 5; do echo "{\"event\":\"tools-yaml-node-npm-install\",\"attempt\":\"$attempt/5\",\"registry\":\"$npm_config_registry\",\"proxy\":\"direct\"}" >&2; if timeout 180s npm install --package-lock=false --no-save --ignore-scripts --no-audit --no-fund --omit=dev yaml@2.8.3; then ok=1; break; fi; if [ "$attempt" = 5 ]; then break; fi; echo "{\"event\":\"tools-yaml-node-npm-install\",\"status\":\"retrying\",\"attempt\":\"$attempt/5\",\"sleepSeconds\":$delay}" >&2; sleep "$delay"; delay=$((delay * 2)); done; test "$ok" = 1; node --input-type=module -e 'import("/opt/hwlab-ci-node-deps/node_modules/yaml/browser/dist/index.js").then((yaml)=>console.log("yaml-ok", typeof yaml.parse))'
- RUN set -eu; export HTTP_PROXY="${HTTP_PROXY:-${http_proxy:-}}"; export HTTPS_PROXY="${HTTPS_PROXY:-${https_proxy:-$HTTP_PROXY}}"; export ALL_PROXY="${ALL_PROXY:-${all_proxy:-}}"; export NO_PROXY="${NO_PROXY:-${no_proxy:-}}"; export http_proxy="$HTTP_PROXY"; export https_proxy="$HTTPS_PROXY"; export all_proxy="$ALL_PROXY"; export no_proxy="$NO_PROXY"; export npm_config_registry="https://registry.npmmirror.com/"; export BUN_CONFIG_REGISTRY="https://registry.npmmirror.com/"; export npm_config_noproxy="$NO_PROXY"; if [ -n "$HTTP_PROXY" ]; then export npm_config_proxy="$HTTP_PROXY"; fi; if [ -n "$HTTPS_PROXY" ]; then export npm_config_https_proxy="$HTTPS_PROXY"; fi; export npm_config_fetch_retries=2; export npm_config_fetch_retry_mintimeout=2000; export npm_config_fetch_retry_maxtimeout=16000; export npm_config_fetch_timeout=120000; proxy_label="${HTTP_PROXY:+HTTP_PROXY}"; proxy_label="${proxy_label:-none}"; mkdir -p /opt/hwlab-ci-node-deps; cd /opt/hwlab-ci-node-deps; printf '{"private":true,"dependencies":{}}\n' > package.json; ok=0; delay=2; for attempt in 1 2 3 4 5; do echo "{\"event\":\"tools-yaml-node-npm-install\",\"attempt\":\"$attempt/5\",\"registry\":\"$npm_config_registry\",\"proxy\":\"$proxy_label\"}" >&2; if timeout 180s npm install --package-lock=false --no-save --ignore-scripts --no-audit --no-fund --omit=dev yaml@2.8.3; then ok=1; break; fi; if [ "$attempt" = 5 ]; then break; fi; echo "{\"event\":\"tools-yaml-node-npm-install\",\"status\":\"retrying\",\"attempt\":\"$attempt/5\",\"sleepSeconds\":$delay}" >&2; sleep "$delay"; delay=$((delay * 2)); done; test "$ok" = 1; node --input-type=module -e 'import("/opt/hwlab-ci-node-deps/node_modules/yaml/browser/dist/index.js").then((yaml)=>console.log("yaml-ok", typeof yaml.parse))'
- RUN node --version && npm --version && bun --version && git --version && python3 --version && docker --version && ssh -V && go version
buildArgs: {}
buildNetwork: host
+20
View File
@@ -624,3 +624,23 @@ downloadProfiles:
retries: 3
connectTimeoutSeconds: 10
maxTimeSeconds: 120
d601-node-no-mirror-benchmark:
git:
proxyMode: inherit
retries: 3
timeoutSeconds: 120
npm:
registry: https://registry.npmjs.org/
retries: 3
fetchTimeoutSeconds: 120
pip:
indexUrl: https://pypi.org/simple
retries: 3
timeoutSeconds: 120
docker:
registryMirrors: []
pullRetries: 3
curl:
retries: 3
connectTimeoutSeconds: 10
maxTimeSeconds: 120
@@ -0,0 +1,16 @@
version: 1
kind: platform-infra-egress-proxy-sources
metadata:
owner: unidesk
relatedIssues:
- 1004
sources:
master-shadowsocks:
sourceType: master-shadowsocks
sourceRef: platform-infra/sub2api-master-egress-proxy.env
sourceKey: SUB2API_MASTER_SHADOWSOCKS_PASSWORD
masterShadowsocks:
serverHost: 74.48.78.17
serverPort: 18792
method: chacha20-ietf-poly1305
healthProbeUrl: https://www.gstatic.com/generate_204
+2 -13
View File
@@ -150,16 +150,9 @@ targets:
image: 127.0.0.1:5000/platform-infra/sing-box:latest
imagePullPolicy: IfNotPresent
listenPort: 10808
sourceRef: platform-infra/sub2api-master-egress-proxy.env
sourceKey: SUB2API_MASTER_SHADOWSOCKS_PASSWORD
sourceType: master-shadowsocks
masterShadowsocks:
serverHost: 74.48.78.17
serverPort: 18792
method: chacha20-ietf-poly1305
sourceConfigRef: config/platform-infra/egress-proxy-sources.yaml#sources.master-shadowsocks
applyToSub2Api: true
applyToSentinel: true
healthProbeUrl: https://www.gstatic.com/generate_204
noProxy:
- localhost
- 127.0.0.1
@@ -252,13 +245,9 @@ targets:
image: ghcr.io/sagernet/sing-box:latest
imagePullPolicy: IfNotPresent
listenPort: 10808
sourceRef: platform-infra/master-vpn-subscription.env
sourceKey: MASTER_VPN_SUBSCRIPTION_URL
sourceType: subscription-url
preferredOutbound: hysteria2
sourceConfigRef: config/platform-infra/egress-proxy-sources.yaml#sources.master-shadowsocks
applyToSub2Api: true
applyToSentinel: true
healthProbeUrl: https://www.gstatic.com/generate_204
noProxy:
- localhost
- 127.0.0.1
+375
View File
@@ -0,0 +1,375 @@
import type { CommandResult } from "./command";
export interface EgressBenchmarkSpec {
scope: "platform-infra" | "hwlab-control-plane";
targetId: string;
route: string;
namespace: string;
serviceName: string;
port: number;
noProxy: readonly string[];
sourceType: string;
sourceRef: string;
sourceConfigRef: string | null;
sourceFingerprint: string | null;
profile: "no-mirror";
samples: number;
sampleTimeoutSeconds: number;
}
export function egressBenchmarkStateDir(spec: EgressBenchmarkSpec): string {
return `/tmp/unidesk-egress-benchmark/${spec.scope}/${safeSegment(spec.targetId)}/${spec.profile}`;
}
export function egressBenchmarkStartScript(spec: EgressBenchmarkSpec): string {
const stateDir = egressBenchmarkStateDir(spec);
const noProxy = unique(["localhost", "127.0.0.1", "::1", ".svc", ".svc.cluster.local", ".cluster.local", ...spec.noProxy]).join(",");
return `
set -eu
state_dir=${shQuote(stateDir)}
mkdir -p "$state_dir"
if [ -s "$state_dir/pid" ] && kill -0 "$(cat "$state_dir/pid")" >/dev/null 2>&1; then
printf '{"started":false,"reason":"job-already-running","pid":%s,"stateDir":"%s"}\\n' "$(cat "$state_dir/pid")" "$state_dir"
exit 0
fi
cat >"$state_dir/job.sh" <<'JOB'
#!/bin/sh
set -eu
state_dir=${shQuote(stateDir)}
status="$state_dir/status.json"
log="$state_dir/job.log"
samples=${shQuote(String(spec.samples))}
sample_timeout=${shQuote(String(spec.sampleTimeoutSeconds))}
target_id=${shQuote(spec.targetId)}
target_safe=${shQuote(safeSegment(spec.targetId).toLowerCase())}
scope=${shQuote(spec.scope)}
profile=${shQuote(spec.profile)}
namespace=${shQuote(spec.namespace)}
service_name=${shQuote(spec.serviceName)}
service_port=${shQuote(String(spec.port))}
source_type=${shQuote(spec.sourceType)}
source_ref=${shQuote(spec.sourceRef)}
source_config_ref=${shQuote(spec.sourceConfigRef ?? "")}
source_fingerprint=${shQuote(spec.sourceFingerprint ?? "")}
docker_image='quay.io/prometheus/busybox:latest'
no_proxy=${shQuote(noProxy)}
write_state() {
state="$1"; shift
message="$1"; shift || true
python3 - "$status" "$state" "$message" "$target_id" "$scope" "$profile" <<'PY'
import json, pathlib, sys, time
path=pathlib.Path(sys.argv[1])
payload={"ok": sys.argv[2] == "succeeded", "state":sys.argv[2], "message":sys.argv[3], "target":sys.argv[4], "scope":sys.argv[5], "profile":sys.argv[6], "updatedAt":time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
if path.exists():
try:
old=json.loads(path.read_text())
if isinstance(old, dict):
old.update(payload)
payload=old
except Exception:
pass
path.write_text(json.dumps(payload, ensure_ascii=False) + "\\n")
PY
}
classify_family() {
rc="$1"
text="$2"
if [ "$rc" = "0" ]; then printf success; return; fi
printf '%s' "$text" | grep -Eiq 'toomanyrequests|too many requests|rate limit' && { printf rate-limit; return; }
printf '%s' "$text" | grep -Eiq 'timed out|timeout|i/o timeout|TLS handshake timeout' && { printf timeout; return; }
printf '%s' "$text" | grep -Eiq 'Could not resolve|no such host|ENOTFOUND|getaddrinfo|Temporary failure in name resolution' && { printf dns; return; }
printf '%s' "$text" | grep -Eiq '407|proxy|CONNECT|connection reset|ECONNRESET|ECONNREFUSED' && { printf proxy-or-connect; return; }
printf exit-"$rc"
}
sample_json() {
test_name="$1"
sample="$2"
cache_state="$3"
started_ms="$4"
rc="$5"
family="$6"
elapsed_ms="$7"
python3 - "$state_dir/results.ndjson" "$test_name" "$sample" "$cache_state" "$started_ms" "$rc" "$family" "$elapsed_ms" "$source_type" "$source_ref" "$source_config_ref" "$source_fingerprint" <<'PY'
import json, pathlib, sys
path=pathlib.Path(sys.argv[1])
payload={
"test": sys.argv[2],
"sample": int(sys.argv[3]),
"proxy": "on",
"cacheState": sys.argv[4],
"startedMs": int(sys.argv[5]),
"exitCode": int(sys.argv[6]),
"failureFamily": sys.argv[7],
"elapsedMs": int(sys.argv[8]),
"sourceType": sys.argv[9],
"sourceRef": sys.argv[10],
"sourceConfigRef": sys.argv[11] or None,
"sourceFingerprint": sys.argv[12] or None,
"valuesPrinted": False,
}
with path.open("a", encoding="utf-8") as handle:
handle.write(json.dumps(payload, ensure_ascii=False) + "\\n")
PY
}
run_sample() {
test_name="$1"
sample="$2"
cache_state="$3"
shift 3
out="$state_dir/\${test_name}-\${sample}.out"
err="$state_dir/\${test_name}-\${sample}.err"
started_ms=$(date +%s%3N 2>/dev/null || python3 - <<'PY'
import time
print(int(time.time()*1000))
PY
)
set +e
env HTTP_PROXY="$proxy_url" HTTPS_PROXY="$proxy_url" ALL_PROXY="$proxy_url" http_proxy="$proxy_url" https_proxy="$proxy_url" all_proxy="$proxy_url" NO_PROXY="$no_proxy" no_proxy="$no_proxy" npm_config_proxy="$proxy_url" npm_config_https_proxy="$proxy_url" npm_config_noproxy="$no_proxy" "$@" >"$out" 2>"$err"
rc=$?
set -e
finished_ms=$(date +%s%3N 2>/dev/null || python3 - <<'PY'
import time
print(int(time.time()*1000))
PY
)
elapsed_ms=$((finished_ms - started_ms))
family=$(classify_family "$rc" "$(cat "$err" "$out" 2>/dev/null | tail -40)")
sample_json "$test_name" "$sample" "$cache_state" "$started_ms" "$rc" "$family" "$elapsed_ms"
}
summarize() {
python3 - "$state_dir/results.ndjson" "$status" "$target_id" "$scope" "$profile" "$proxy_url" "$source_type" "$source_ref" "$source_config_ref" "$source_fingerprint" <<'PY'
import json, pathlib, statistics, sys, time
results_path=pathlib.Path(sys.argv[1])
status_path=pathlib.Path(sys.argv[2])
items=[]
if results_path.exists():
items=[json.loads(line) for line in results_path.read_text().splitlines() if line.strip()]
by_test={}
for item in items:
by_test.setdefault(item["test"], []).append(item)
rows=[]
for name in sorted(by_test):
values=by_test[name]
elapsed=sorted(int(item["elapsedMs"]) for item in values)
failures={}
for item in values:
if item["failureFamily"] != "success":
failures[item["failureFamily"]] = failures.get(item["failureFamily"], 0) + 1
def percentile(p):
if not elapsed:
return None
idx=min(len(elapsed)-1, max(0, round((len(elapsed)-1)*p)))
return elapsed[idx]
rows.append({
"test": name,
"samples": len(values),
"success": sum(1 for item in values if item["exitCode"] == 0),
"successRate": (sum(1 for item in values if item["exitCode"] == 0) / len(values)) if values else 0,
"p50Ms": percentile(0.50),
"p95Ms": percentile(0.95),
"maxMs": max(elapsed) if elapsed else None,
"failureFamilies": failures,
})
ok=bool(rows) and all(row["success"] == row["samples"] for row in rows)
payload={
"ok": ok,
"state": "succeeded" if ok else "failed",
"message": "benchmark-complete" if ok else "benchmark-failed",
"target": sys.argv[3],
"scope": sys.argv[4],
"profile": sys.argv[5],
"proxy": {"mode": "on", "urlRedacted": sys.argv[6].replace("://", "://").split("@")[-1], "valuesPrinted": False},
"source": {"sourceType": sys.argv[7], "sourceRef": sys.argv[8], "sourceConfigRef": sys.argv[9] or None, "sourceFingerprint": sys.argv[10] or None, "valuesPrinted": False},
"rows": rows,
"resultCount": len(items),
"updatedAt": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
}
status_path.write_text(json.dumps(payload, ensure_ascii=False) + "\\n")
PY
}
run_job() {
write_state running resolving-proxy
rm -f "$state_dir/results.ndjson"
proxy_ip="$(kubectl -n "$namespace" get svc "$service_name" -o 'jsonpath={.spec.clusterIP}' 2>/dev/null || true)"
if [ -z "$proxy_ip" ]; then echo "egress proxy service missing: $namespace/$service_name" >&2; write_state failed proxy-service-missing; exit 41; fi
proxy_url="http://$proxy_ip:$service_port"
echo "benchmark target=$target_id scope=$scope profile=$profile proxy=$proxy_url sourceType=$source_type sourceRef=$source_ref sourceFingerprint=$source_fingerprint valuesPrinted=false"
for sample in $(seq 1 "$samples"); do
write_state running docker-manifest
run_sample docker-manifest "$sample" none timeout "$sample_timeout" docker manifest inspect "$docker_image"
write_state running docker-pull
docker image rm -f "$docker_image" >/dev/null 2>&1 || true
cache_state=absent
docker image inspect "$docker_image" >/dev/null 2>&1 && cache_state=present || true
run_sample docker-pull "$sample" "$cache_state" timeout "$sample_timeout" docker pull "$docker_image"
write_state running docker-build
build_dir="$state_dir/build-$sample"
rm -rf "$build_dir"
mkdir -p "$build_dir"
printf 'FROM quay.io/prometheus/busybox:latest\\nRUN printf no-mirror-benchmark >/benchmark.txt\\n' >"$build_dir/Dockerfile"
run_sample docker-build "$sample" no-cache timeout "$sample_timeout" docker build --pull --no-cache --network host --build-arg HTTP_PROXY="$proxy_url" --build-arg HTTPS_PROXY="$proxy_url" --build-arg ALL_PROXY="$proxy_url" --build-arg NO_PROXY="$no_proxy" -t "unidesk-egress-benchmark-$target_safe:$sample" "$build_dir"
write_state running npm-install
npm_dir="$state_dir/npm-$sample"
rm -rf "$npm_dir"
mkdir -p "$npm_dir/cache" "$npm_dir/pkg"
printf '{"private":true,"dependencies":{}}\\n' >"$npm_dir/pkg/package.json"
run_sample npm-install "$sample" temp-cache timeout "$sample_timeout" npm --prefix "$npm_dir/pkg" install --package-lock=false --no-save --ignore-scripts --no-audit --no-fund --omit=dev --registry=https://registry.npmjs.org/ --cache "$npm_dir/cache" --fetch-timeout 120000 --fetch-retries 2 yaml@2.8.3
done
summarize
}
run_job >>"$log" 2>&1 || {
rc=$?
summarize || true
exit "$rc"
}
JOB
chmod +x "$state_dir/job.sh"
: >"$state_dir/job.log"
nohup "$state_dir/job.sh" >/dev/null 2>&1 &
pid=$!
printf '%s' "$pid" >"$state_dir/pid"
printf '{"started":true,"pid":%s,"stateDir":"%s","statusCommand":"%s","logsCommand":"%s"}\\n' "$pid" "$state_dir" ${shQuote(statusCommand(spec))} ${shQuote(logsCommand(spec))}
`;
}
export function egressBenchmarkStatusScript(spec: EgressBenchmarkSpec, tailLines: number): string {
const stateDir = egressBenchmarkStateDir(spec);
return `
set +e
state_dir=${shQuote(stateDir)}
status_file="$state_dir/status.json"
log_file="$state_dir/job.log"
pid_file="$state_dir/pid"
running=false
pid=null
if [ -s "$pid_file" ]; then
pid_raw="$(cat "$pid_file" 2>/dev/null || true)"
if [ -n "$pid_raw" ] && kill -0 "$pid_raw" >/dev/null 2>&1; then running=true; pid="$pid_raw"; else pid="$pid_raw"; fi
fi
python3 - "$state_dir" "$status_file" "$log_file" "$running" "$pid" ${shQuote(String(tailLines))} <<'PY'
import json, pathlib, sys
state_dir=pathlib.Path(sys.argv[1])
status_path=pathlib.Path(sys.argv[2])
log_path=pathlib.Path(sys.argv[3])
running=sys.argv[4] == "true"
pid=None if sys.argv[5] in ("", "null") else sys.argv[5]
tail_lines=int(sys.argv[6])
status=None
if status_path.exists():
try:
status=json.loads(status_path.read_text())
except Exception as error:
status={"parseError": str(error), "raw": status_path.read_text(errors="replace")[-1000:]}
if isinstance(status, dict) and not running and status.get("state") == "running":
status["state"]="stopped"
status["ok"]=False
status["message"]="job-not-running"
log_tail=""
if log_path.exists():
lines=log_path.read_text(errors="replace").splitlines()
log_tail="\\n".join(lines[-tail_lines:])
results_path=state_dir/"results.ndjson"
items=[]
if results_path.exists():
for line in results_path.read_text(errors="replace").splitlines():
if not line.strip():
continue
try:
items.append(json.loads(line))
except Exception:
pass
if items:
by_test={}
for item in items:
by_test.setdefault(item.get("test", "unknown"), []).append(item)
rows=[]
for name in sorted(by_test):
values=by_test[name]
elapsed=sorted(int(item.get("elapsedMs", 0)) for item in values)
failures={}
for item in values:
family=str(item.get("failureFamily", "unknown"))
if family.startswith("exit-"):
err_path=state_dir/(str(item.get("test", "unknown")) + "-" + str(item.get("sample", "")) + ".err")
out_path=state_dir/(str(item.get("test", "unknown")) + "-" + str(item.get("sample", "")) + ".out")
text=""
for path in (err_path, out_path):
if path.exists():
text += path.read_text(errors="replace")[-2000:]
lowered=text.lower()
if "toomanyrequests" in lowered or "too many requests" in lowered or "rate limit" in lowered:
family="rate-limit"
if family != "success":
failures[family] = failures.get(family, 0) + 1
def percentile(p):
if not elapsed:
return None
idx=min(len(elapsed)-1, max(0, round((len(elapsed)-1)*p)))
return elapsed[idx]
rows.append({"test": name, "samples": len(values), "success": sum(1 for item in values if item.get("exitCode") == 0), "successRate": (sum(1 for item in values if item.get("exitCode") == 0) / len(values)) if values else 0, "p50Ms": percentile(0.50), "p95Ms": percentile(0.95), "maxMs": max(elapsed) if elapsed else None, "failureFamilies": failures})
if status is None:
status={"state": "running" if running else "unknown", "ok": False}
status["rows"]=rows
status["resultCount"]=len(items)
print(json.dumps({"stateDir": str(state_dir), "pid": pid, "running": running, "status": status, "logBytes": log_path.stat().st_size if log_path.exists() else 0, "logTail": log_tail}, ensure_ascii=False))
PY
`;
}
export function egressBenchmarkDryRun(spec: EgressBenchmarkSpec): Record<string, unknown> {
return {
profile: spec.profile,
target: spec.targetId,
route: spec.route,
namespace: spec.namespace,
serviceName: spec.serviceName,
servicePort: spec.port,
samples: spec.samples,
sampleTimeoutSeconds: spec.sampleTimeoutSeconds,
tests: ["docker-manifest", "docker-pull", "docker-build", "npm-install"],
dockerImage: "quay.io/prometheus/busybox:latest",
forbiddenMirrors: ["DaoCloud mirror", "registry.npmmirror.com", "cnpm", "pnpm mirror", "preheated cache as success"],
source: {
sourceType: spec.sourceType,
sourceRef: spec.sourceRef,
sourceConfigRef: spec.sourceConfigRef,
sourceFingerprint: spec.sourceFingerprint,
valuesPrinted: false,
},
stateDir: egressBenchmarkStateDir(spec),
};
}
export function egressBenchmarkCompactResult(result: CommandResult): Record<string, unknown> {
return {
exitCode: result.exitCode,
stdoutBytes: Buffer.byteLength(result.stdout, "utf8"),
stderrBytes: Buffer.byteLength(result.stderr, "utf8"),
stdoutTail: result.stdout.slice(-2000),
stderrTail: result.stderr.slice(-2000),
};
}
export function statusCommand(spec: EgressBenchmarkSpec): string {
if (spec.scope === "platform-infra") return `bun scripts/cli.ts platform-infra egress-proxy benchmark-status --target ${spec.targetId} --profile ${spec.profile}`;
const [node, lane] = spec.targetId.split("/", 2);
return `bun scripts/cli.ts hwlab nodes control-plane infra egress-benchmark status --node ${node} --lane ${lane} --profile ${spec.profile}`;
}
export function logsCommand(spec: EgressBenchmarkSpec): string {
if (spec.scope === "platform-infra") return `bun scripts/cli.ts platform-infra egress-proxy benchmark-logs --target ${spec.targetId} --profile ${spec.profile}`;
const [node, lane] = spec.targetId.split("/", 2);
return `bun scripts/cli.ts hwlab nodes control-plane infra egress-benchmark logs --node ${node} --lane ${lane} --profile ${spec.profile}`;
}
function unique(values: readonly string[]): string[] {
return [...new Set(values.filter((value) => value.length > 0))];
}
function safeSegment(value: string): string {
return value.replace(/[^A-Za-z0-9._-]+/gu, "-").replace(/^-+|-+$/gu, "") || "target";
}
function shQuote(value: string): string {
return `'${value.replaceAll("'", "'\"'\"'")}'`;
}
+147
View File
@@ -0,0 +1,147 @@
import { createHash } from "node:crypto";
import { readFileSync } from "node:fs";
import { rootPath } from "./config";
export type EgressProxySourceType = "subscription-url" | "master-shadowsocks";
export type EgressProxyPreferredOutbound = "vless-reality" | "hysteria2";
export interface MasterShadowsocksSourceSpec {
serverHost: string;
serverPort: number;
method: string;
}
export interface SharedEgressProxySourceSpec {
id: string;
configRef: string;
sourceType: EgressProxySourceType;
sourceRef: string;
sourceKey: string;
preferredOutbound: EgressProxyPreferredOutbound | null;
masterShadowsocks: MasterShadowsocksSourceSpec | null;
healthProbeUrl: string;
fingerprint: string;
valuesPrinted: false;
}
export function resolveEgressProxySourceRef(ref: string, label: string): SharedEgressProxySourceSpec {
const { file, path } = parseConfigRef(ref, label);
if (!path.startsWith("sources.")) throw new Error(`${label} must reference sources.<id>`);
const sourceId = path.slice("sources.".length);
if (!/^[A-Za-z0-9._-]+$/u.test(sourceId)) throw new Error(`${label} has an unsupported source id`);
const parsed = Bun.YAML.parse(readFileSync(rootPath(file), "utf8")) as unknown;
const root = record(parsed, file);
if (root.kind !== "platform-infra-egress-proxy-sources") throw new Error(`${file}.kind must be platform-infra-egress-proxy-sources`);
const sources = record(root.sources, `${file}.sources`);
const raw = record(sources[sourceId], `${file}#sources.${sourceId}`);
return parseSharedEgressProxySource(sourceId, ref, raw, `${file}#sources.${sourceId}`);
}
function parseSharedEgressProxySource(id: string, configRef: string, raw: Record<string, unknown>, label: string): SharedEgressProxySourceSpec {
const sourceType = enumField(raw, "sourceType", label, ["subscription-url", "master-shadowsocks"] as const);
const preferredOutbound = raw.preferredOutbound === undefined
? null
: enumField(raw, "preferredOutbound", label, ["vless-reality", "hysteria2"] as const);
const masterShadowsocks = raw.masterShadowsocks === undefined
? null
: masterShadowsocksSpec(record(raw.masterShadowsocks, `${label}.masterShadowsocks`), `${label}.masterShadowsocks`);
const spec: SharedEgressProxySourceSpec = {
id,
configRef,
sourceType,
sourceRef: sourceRefField(raw, "sourceRef", label),
sourceKey: envKeyField(raw, "sourceKey", label),
preferredOutbound,
masterShadowsocks,
healthProbeUrl: urlField(raw, "healthProbeUrl", label),
fingerprint: "",
valuesPrinted: false,
};
validateSharedEgressProxySource(spec, label);
return {
...spec,
fingerprint: `sha256:${createHash("sha256").update(JSON.stringify({
sourceType: spec.sourceType,
sourceRef: spec.sourceRef,
sourceKey: spec.sourceKey,
preferredOutbound: spec.preferredOutbound,
masterShadowsocks: spec.masterShadowsocks,
healthProbeUrl: spec.healthProbeUrl,
})).digest("hex").slice(0, 16)}`,
};
}
function validateSharedEgressProxySource(spec: SharedEgressProxySourceSpec, label: string): void {
if (spec.sourceType === "subscription-url" && spec.preferredOutbound === null) {
throw new Error(`${label}.preferredOutbound is required for sourceType=subscription-url`);
}
if (spec.sourceType === "master-shadowsocks") {
if (spec.masterShadowsocks === null) throw new Error(`${label}.masterShadowsocks is required for sourceType=master-shadowsocks`);
if (spec.preferredOutbound !== null) throw new Error(`${label}.preferredOutbound must be omitted for sourceType=master-shadowsocks`);
}
}
function masterShadowsocksSpec(raw: Record<string, unknown>, label: string): MasterShadowsocksSourceSpec {
const serverHost = stringField(raw, "serverHost", label);
if (!/^[A-Za-z0-9._:-]+$/u.test(serverHost)) throw new Error(`${label}.serverHost has an unsupported format`);
const serverPort = integerField(raw, "serverPort", label);
if (serverPort < 1 || serverPort > 65535) throw new Error(`${label}.serverPort must be a TCP port`);
const method = stringField(raw, "method", label);
if (!/^[A-Za-z0-9-]+$/u.test(method)) throw new Error(`${label}.method has an unsupported format`);
return { serverHost, serverPort, method };
}
function parseConfigRef(ref: string, label: string): { file: string; path: string } {
const [file, path, extra] = ref.split("#");
if (extra !== undefined || file === undefined || path === undefined || file.length === 0 || path.length === 0) {
throw new Error(`${label} must use path/to/file.yaml#sources.<id> syntax`);
}
if (file.startsWith("/") || file.includes("..") || !file.startsWith("config/") || !file.endsWith(".yaml")) {
throw new Error(`${label} must reference a repo-relative config/*.yaml file without ..`);
}
if (!/^[A-Za-z0-9_.-]+$/u.test(path)) throw new Error(`${label} has an unsupported YAML path`);
return { file, path };
}
function record(value: unknown, label: string): Record<string, unknown> {
if (typeof value !== "object" || value === null || Array.isArray(value)) throw new Error(`${label} must be a YAML object`);
return value as Record<string, unknown>;
}
function stringField(obj: Record<string, unknown>, key: string, label: string): string {
const value = obj[key];
if (typeof value !== "string" || value.trim().length === 0) throw new Error(`${label}.${key} must be a non-empty string`);
return value.trim();
}
function integerField(obj: Record<string, unknown>, key: string, label: string): number {
const value = obj[key];
if (typeof value !== "number" || !Number.isInteger(value)) throw new Error(`${label}.${key} must be an integer`);
return value;
}
function enumField<const T extends readonly string[]>(obj: Record<string, unknown>, key: string, label: string, values: T): T[number] {
const value = stringField(obj, key, label);
if (!(values as readonly string[]).includes(value)) throw new Error(`${label}.${key} must be one of ${values.join(", ")}`);
return value as T[number];
}
function sourceRefField(obj: Record<string, unknown>, key: string, label: string): string {
const value = stringField(obj, key, label);
if (value.startsWith("/") || value.includes("..") || !/^[A-Za-z0-9_./-]+$/u.test(value)) throw new Error(`${label}.${key} has an unsupported sourceRef format`);
return value;
}
function envKeyField(obj: Record<string, unknown>, key: string, label: string): string {
const value = stringField(obj, key, label);
if (!/^[A-Z_][A-Z0-9_]*$/u.test(value)) throw new Error(`${label}.${key} must be an env key`);
return value;
}
function urlField(obj: Record<string, unknown>, key: string, label: string): string {
const value = stringField(obj, key, label);
const url = new URL(value);
if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error(`${label}.${key} must use http:// or https://`);
if (url.username || url.password || url.search || url.hash) throw new Error(`${label}.${key} must not include credentials, query, or hash`);
return value;
}
+6 -3
View File
@@ -644,7 +644,7 @@ function agentRunHelpSummary(): unknown {
function platformInfraHelpSummary(): unknown {
return {
command: "platform-infra sub2api|langbot|n8n|wechat-archive ...",
command: "platform-infra sub2api|egress-proxy|langbot|n8n|wechat-archive ...",
output: "json",
usage: [
"bun scripts/cli.ts platform-infra sub2api plan",
@@ -654,6 +654,8 @@ function platformInfraHelpSummary(): unknown {
"bun scripts/cli.ts platform-infra sub2api codex-pool sentinel-image status",
"bun scripts/cli.ts platform-infra sub2api codex-pool sentinel-probe --account unidesk-codex-hy --confirm",
"bun scripts/cli.ts platform-infra sub2api codex-pool sentinel-report",
"bun scripts/cli.ts platform-infra egress-proxy benchmark --target D601 --profile no-mirror --confirm",
"bun scripts/cli.ts platform-infra egress-proxy benchmark-status --target D601 --profile no-mirror",
"bun scripts/cli.ts platform-infra langbot plan",
"bun scripts/cli.ts platform-infra langbot apply --confirm",
"bun scripts/cli.ts platform-infra langbot status",
@@ -669,7 +671,7 @@ function platformInfraHelpSummary(): unknown {
"bun scripts/cli.ts platform-infra wechat-archive wcf-host-status --full",
"bun scripts/cli.ts platform-infra wechat-archive collector-status --full",
],
description: "Operate G14 platform-infra services such as Sub2API, LangBot, n8n, WeChat archive workflows, and the YAML-controlled Codex pool.",
description: "Operate G14 platform-infra services such as Sub2API, shared egress-proxy benchmarks, LangBot, n8n, WeChat archive workflows, and the YAML-controlled Codex pool.",
};
}
@@ -682,6 +684,7 @@ function hwlabNodeHelpSummary(): unknown {
"bun scripts/cli.ts hwlab nodes control-plane infra status --node D601 --lane v03",
"bun scripts/cli.ts hwlab nodes control-plane infra tools-image status --node D601 --lane v03",
"bun scripts/cli.ts hwlab nodes control-plane infra argo status --node D601 --lane v03",
"bun scripts/cli.ts hwlab nodes control-plane infra egress-benchmark --node D601 --lane v03 --profile no-mirror --confirm",
"bun scripts/cli.ts hwlab nodes control-plane status --node G14 --lane v03",
"bun scripts/cli.ts hwlab nodes git-mirror status --node G14 --lane v03",
"bun scripts/cli.ts hwlab nodes hwpod-preinstall plan --node D601 --lane v03 --dry-run",
@@ -690,7 +693,7 @@ function hwlabNodeHelpSummary(): unknown {
"bun scripts/cli.ts hwlab nodes test-accounts status --node D601 --lane v03",
"bun scripts/cli.ts hwlab nodes test-accounts sync --node D601 --lane v03 --confirm",
],
description: "Operate HWLAB node/lane runtime prerequisites with node and lane passed as data. The infra subcommand manages YAML-controlled node-local CI/CD, git-mirror, public Dockerfile tools image, and declarative Argo CD prerequisites for D601 v03 while keeping cross-node work semi-automatic; hwpod-preinstall renders D601/v03 71-FREQ HWPOD/MDTODO/gateway configRefs without runtime mutation; observability reads runtime metrics and authenticated Web Performance summaries; test-accounts prepares UniDesk YAML-declared admin/test account API keys with redacted sourceRef/fingerprint output. Web probe commands moved to top-level `bun scripts/cli.ts web-probe`.",
description: "Operate HWLAB node/lane runtime prerequisites with node and lane passed as data. The infra subcommand manages YAML-controlled node-local CI/CD, git-mirror, public Dockerfile tools image, no-mirror egress benchmarks, and declarative Argo CD prerequisites for D601 v03 while keeping cross-node work semi-automatic; hwpod-preinstall renders D601/v03 71-FREQ HWPOD/MDTODO/gateway configRefs without runtime mutation; observability reads runtime metrics and authenticated Web Performance summaries; test-accounts prepares UniDesk YAML-declared admin/test account API keys with redacted sourceRef/fingerprint output. Web probe commands moved to top-level `bun scripts/cli.ts web-probe`.",
};
}
+273 -15
View File
@@ -2,6 +2,9 @@ import { createHash } from "node:crypto";
import { readFileSync } from "node:fs";
import { rootPath } from "./config";
import { runCommand, type CommandResult } from "./command";
import { egressBenchmarkCompactResult, egressBenchmarkDryRun, egressBenchmarkStartScript, egressBenchmarkStatusScript, type EgressBenchmarkSpec } from "./egress-proxy-benchmark";
import { resolveEgressProxySourceRef } from "./egress-proxy-sources";
import type { RenderedCliResult } from "./output";
import { fingerprintSecretValues, readEnvSourceFile, requiredEnvValue } from "./secrets";
export const HWLAB_NODE_CONTROL_PLANE_CONFIG_PATH = "config/hwlab-node-control-plane.yaml";
@@ -9,6 +12,7 @@ export const HWLAB_NODE_CONTROL_PLANE_CONFIG_PATH = "config/hwlab-node-control-p
type InfraAction = "plan" | "status" | "apply";
type ToolsImageAction = "status" | "build" | "logs";
type ArgoAction = "status" | "apply" | "logs";
type EgressBenchmarkAction = "benchmark" | "status" | "logs";
interface InfraOptions {
action: InfraAction;
@@ -39,15 +43,31 @@ interface ArgoOptions {
tailLines: number;
}
interface EgressBenchmarkOptions {
action: EgressBenchmarkAction;
node: string;
lane: string;
profile: "no-mirror";
dryRun: boolean;
confirm: boolean;
samples: number;
sampleTimeoutSeconds: number;
timeoutSeconds: number;
tailLines: number;
}
interface ControlPlaneEgressProxySpec {
mode: "k8s-service-cluster-ip";
clientName: string;
namespace: string;
serviceName: string;
port: number;
sourceConfigRef: string | null;
sourceFingerprint: string | null;
sourceRef: string;
sourceKey: string;
sourceType: "subscription-url";
sourceType: "subscription-url" | "master-shadowsocks";
preferredOutbound: "vless-reality" | "hysteria2" | null;
noProxy: readonly string[];
}
@@ -180,7 +200,7 @@ interface ControlPlaneConfig {
targets: readonly ControlPlaneTargetSpec[];
}
export function runHwlabNodeControlPlaneInfra(args: string[]): Record<string, unknown> {
export function runHwlabNodeControlPlaneInfra(args: string[]): Record<string, unknown> | RenderedCliResult {
if (args[0] === "tools-image") {
const options = parseToolsImageOptions(args.slice(1));
const { config, node, target } = controlPlaneContext(options.node, options.lane);
@@ -191,6 +211,11 @@ export function runHwlabNodeControlPlaneInfra(args: string[]): Record<string, un
const { config, node, target } = controlPlaneContext(options.node, options.lane);
return runArgoCommand(config, node, target, options);
}
if (args[0] === "egress-benchmark") {
const options = parseEgressBenchmarkOptions(args.slice(1));
const { config, node, target } = controlPlaneContext(options.node, options.lane);
return runEgressBenchmarkCommand(config, node, target, options);
}
const options = parseInfraOptions(args);
const { config, node, target } = controlPlaneContext(options.node, options.lane);
@@ -228,6 +253,8 @@ export function hwlabNodeControlPlaneInfraHelp(): Record<string, unknown> {
"bun scripts/cli.ts hwlab nodes control-plane infra argo apply --node D601 --lane v03 --dry-run",
"bun scripts/cli.ts hwlab nodes control-plane infra argo apply --node D601 --lane v03 --confirm",
"bun scripts/cli.ts hwlab nodes control-plane infra argo logs --node D601 --lane v03",
"bun scripts/cli.ts hwlab nodes control-plane infra egress-benchmark --node D601 --lane v03 --profile no-mirror --confirm",
"bun scripts/cli.ts hwlab nodes control-plane infra egress-benchmark status --node D601 --lane v03 --profile no-mirror",
],
g14Consistency: "D601 target fields mirror the existing G14 runtime lane control-plane vocabulary: source branch, gitops branch/path, Pipeline, PipelineRun prefix, ServiceAccount, Argo Application, and git-mirror read/write/sync/flush status concepts.",
};
@@ -402,6 +429,116 @@ function runArgoCommand(_config: ControlPlaneConfig, node: ControlPlaneNodeSpec,
return argoApply(node, target, options);
}
function runEgressBenchmarkCommand(_config: ControlPlaneConfig, node: ControlPlaneNodeSpec, target: ControlPlaneTargetSpec, options: EgressBenchmarkOptions): Record<string, unknown> | RenderedCliResult {
const spec = controlPlaneEgressBenchmarkSpec(node, target, options);
if (options.action === "status" || options.action === "logs") {
const result = runTransK3s(node.kubeRoute, egressBenchmarkStatusScript(spec, options.tailLines), options.timeoutSeconds);
const parsed = parseRemoteJson(result.stdout);
const status = record(record(parsed).status);
const state = renderCell(status.state, "unknown");
return renderControlPlaneBenchmarkResult({
ok: result.exitCode === 0 && (options.action === "logs" || state !== "failed"),
command: `hwlab nodes control-plane infra egress-benchmark ${options.action}`,
configPath: HWLAB_NODE_CONTROL_PLANE_CONFIG_PATH,
node: node.id,
lane: target.lane,
mutation: false,
job: typeof parsed === "object" && parsed !== null ? parsed : { stdoutPreview: result.stdout.slice(0, 2000) },
result: egressBenchmarkCompactResult(result),
});
}
if (options.dryRun) {
return renderControlPlaneBenchmarkResult({
ok: true,
command: "hwlab nodes control-plane infra egress-benchmark",
configPath: HWLAB_NODE_CONTROL_PLANE_CONFIG_PATH,
node: node.id,
lane: target.lane,
mode: "dry-run",
mutation: false,
plan: egressBenchmarkDryRun(spec),
next: { confirm: `bun scripts/cli.ts hwlab nodes control-plane infra egress-benchmark --node ${node.id} --lane ${target.lane} --profile ${options.profile} --confirm` },
});
}
const result = runTransK3s(node.kubeRoute, egressBenchmarkStartScript(spec), options.timeoutSeconds);
const parsed = parseRemoteJson(result.stdout);
return renderControlPlaneBenchmarkResult({
ok: result.exitCode === 0,
command: "hwlab nodes control-plane infra egress-benchmark",
configPath: HWLAB_NODE_CONTROL_PLANE_CONFIG_PATH,
node: node.id,
lane: target.lane,
mode: "async-job",
mutation: result.exitCode === 0,
start: typeof parsed === "object" && parsed !== null ? parsed : { stdoutPreview: result.stdout.slice(0, 2000) },
result: egressBenchmarkCompactResult(result),
});
}
function controlPlaneEgressBenchmarkSpec(node: ControlPlaneNodeSpec, target: ControlPlaneTargetSpec, options: EgressBenchmarkOptions): EgressBenchmarkSpec {
const proxy = node.egressProxy;
if (proxy === null) throw new Error(`nodes.${node.id}.egressProxy is required for egress-benchmark`);
return {
scope: "hwlab-control-plane",
targetId: `${node.id}/${target.lane}`,
route: node.kubeRoute,
namespace: proxy.namespace,
serviceName: proxy.serviceName,
port: proxy.port,
noProxy: proxy.noProxy,
sourceType: proxy.sourceType,
sourceRef: proxy.sourceRef,
sourceConfigRef: proxy.sourceConfigRef,
sourceFingerprint: proxy.sourceFingerprint,
profile: options.profile,
samples: options.samples,
sampleTimeoutSeconds: options.sampleTimeoutSeconds,
};
}
function renderControlPlaneBenchmarkResult(result: Record<string, unknown>): RenderedCliResult {
const start = record(result.start);
const job = record(result.job);
const status = record(job.status);
const plan = record(result.plan);
const next = record(result.next);
const rows = Array.isArray(status.rows) ? status.rows.map(record) : [];
const statusText = renderCell(status.state, result.ok === false ? "failed" : "ok");
const logTail = typeof job.logTail === "string" ? job.logTail.trimEnd() : "";
const node = renderCell(result.node);
const lane = renderCell(result.lane);
const target = `${node}/${lane}`;
const profile = renderCell(result.profile ?? plan.profile ?? status.profile, "no-mirror");
const statusCommand = renderCell(start.statusCommand, `bun scripts/cli.ts hwlab nodes control-plane infra egress-benchmark status --node ${node} --lane ${lane} --profile ${profile}`);
const logsCommand = renderCell(start.logsCommand, `bun scripts/cli.ts hwlab nodes control-plane infra egress-benchmark logs --node ${node} --lane ${lane} --profile ${profile}`);
const lines = [
"HWLAB CONTROL-PLANE EGRESS BENCHMARK",
"",
...renderTable(["TARGET", "PROFILE", "MODE", "STATUS"], [[target, profile, renderCell(result.mode ?? optionsModeFromCommand(result.command)), statusText]]),
"",
rows.length === 0 ? "RESULTS\n-" : [
"RESULTS",
...renderTable(["TEST", "SUCCESS", "SAMPLES", "P50", "P95", "FAILURES"], rows.map((row) => [
renderCell(row.test),
renderCell(row.success),
renderCell(row.samples),
renderCell(row.p50Ms),
renderCell(row.p95Ms),
JSON.stringify(row.failureFamilies ?? {}),
])),
].join("\n"),
...(logTail.length === 0 ? [] : ["", "LOG TAIL", logTail]),
"",
"NEXT",
` ${renderCell(next.confirm, "")}`,
` ${statusCommand}`,
` ${logsCommand}`,
"",
"Disclosure: default output is bounded; Secret/proxy source values are not printed.",
].filter((line) => line !== " ");
return { ok: result.ok !== false, command: renderCell(result.command, "hwlab nodes control-plane infra egress-benchmark"), renderedText: lines.join("\n"), contentType: "text/plain" };
}
function toolsImageCommandStatus(node: ControlPlaneNodeSpec, target: ControlPlaneTargetSpec, options: ToolsImageOptions): Record<string, unknown> {
const registry = toolsImageStatus(node, target, options.timeoutSeconds);
const jobResult = runTransK3s(node.kubeRoute, remoteJobStatusScript(target, "tools-image", options.tailLines), options.timeoutSeconds);
@@ -437,7 +574,7 @@ function toolsImageBuild(node: ControlPlaneNodeSpec, target: ControlPlaneTargetS
buildNetwork: target.tekton.toolsImage.buildNetwork,
publicBaseImages: target.tekton.toolsImage.publicBaseImages,
nodeLocalRegistryOutputOnly: true,
egressProxy: node.egressProxy,
egressProxy: controlPlaneEgressProxySummary(node.egressProxy),
stateDir: remoteJobStateDir(target, "tools-image"),
};
if (dryRun) {
@@ -536,7 +673,7 @@ function argoApply(node: ControlPlaneNodeSpec, target: ControlPlaneTargetSpec, o
desired: manifestObjectSummary(desired),
desiredSha256: sha256Short(desiredYaml),
stateDir: remoteJobStateDir(target, "argo"),
egressProxy: node.egressProxy,
egressProxy: controlPlaneEgressProxySummary(node.egressProxy),
};
if (dryRun) {
return {
@@ -628,6 +765,34 @@ function parseArgoOptions(args: string[]): ArgoOptions {
};
}
function parseEgressBenchmarkOptions(args: string[]): EgressBenchmarkOptions {
const first = args[0];
const action: EgressBenchmarkAction = first === "status" || first === "logs"
? first
: "benchmark";
const effectiveArgs = action === "benchmark" ? args : args.slice(1);
if (first === "--help" || first === "-h" || first === "help") {
throw new Error("infra egress-benchmark usage: egress-benchmark [status|logs] --node NODE --lane vNN --profile no-mirror [--dry-run|--confirm]");
}
const profileRaw = optionValue(effectiveArgs, "--profile") ?? "no-mirror";
if (profileRaw !== "no-mirror") throw new Error("egress-benchmark --profile currently supports no-mirror");
const confirm = effectiveArgs.includes("--confirm");
const explicitDryRun = effectiveArgs.includes("--dry-run");
if (confirm && explicitDryRun) throw new Error("egress-benchmark accepts only one of --confirm or --dry-run");
return {
action,
node: requiredOption(effectiveArgs, "--node"),
lane: requiredOption(effectiveArgs, "--lane"),
profile: profileRaw,
confirm,
dryRun: action === "benchmark" ? explicitDryRun || !confirm : false,
samples: positiveIntegerOption(effectiveArgs, "--samples", 5, 20),
sampleTimeoutSeconds: positiveIntegerOption(effectiveArgs, "--sample-timeout-seconds", 240, 900),
timeoutSeconds: positiveIntegerOption(effectiveArgs, "--timeout-seconds", 60, 60),
tailLines: positiveIntegerOption(effectiveArgs, "--tail-lines", 80, 1000),
};
}
function readControlPlaneConfig(): ControlPlaneConfig {
const parsed = asRecord(Bun.YAML.parse(readFileSync(rootPath(HWLAB_NODE_CONTROL_PLANE_CONFIG_PATH), "utf8")) as unknown, HWLAB_NODE_CONTROL_PLANE_CONFIG_PATH);
const version = numberField(parsed, "version", HWLAB_NODE_CONTROL_PLANE_CONFIG_PATH);
@@ -846,21 +1011,45 @@ function execStartPreField(raw: unknown, path: string): readonly (readonly strin
function egressProxySpec(raw: Record<string, unknown>, path: string): ControlPlaneEgressProxySpec {
const mode = stringField(raw, "mode", path);
if (mode !== "k8s-service-cluster-ip") throw new Error(`${path}.mode must be k8s-service-cluster-ip`);
const sourceType = stringField(raw, "sourceType", path);
if (sourceType !== "subscription-url") throw new Error(`${path}.sourceType must be subscription-url`);
const sourceConfigRef = optionalStringField(raw, "sourceConfigRef", path) ?? null;
const source = sourceConfigRef === null ? null : resolveEgressProxySourceRef(sourceConfigRef, `${HWLAB_NODE_CONTROL_PLANE_CONFIG_PATH}.${path}.sourceConfigRef`);
const sourceType = source?.sourceType ?? stringField(raw, "sourceType", path);
if (sourceType !== "subscription-url" && sourceType !== "master-shadowsocks") throw new Error(`${path}.sourceType must be subscription-url or master-shadowsocks`);
if (raw.sourceType !== undefined && raw.sourceType !== sourceType) throw new Error(`${path}.sourceType must match sourceConfigRef value ${sourceType}`);
const preferredOutbound = source?.preferredOutbound ?? (raw.preferredOutbound === undefined ? null : preferredOutboundField(raw, "preferredOutbound", path));
if (source !== null && source.preferredOutbound !== null && raw.preferredOutbound !== undefined && raw.preferredOutbound !== source.preferredOutbound) {
throw new Error(`${path}.preferredOutbound must match sourceConfigRef value ${source.preferredOutbound}`);
}
if (source !== null) {
if (raw.sourceRef !== undefined && raw.sourceRef !== source.sourceRef) throw new Error(`${path}.sourceRef must match sourceConfigRef value ${source.sourceRef}`);
if (raw.sourceKey !== undefined && raw.sourceKey !== source.sourceKey) throw new Error(`${path}.sourceKey must match sourceConfigRef value ${source.sourceKey}`);
}
const sourceRef = source?.sourceRef ?? stringField(raw, "sourceRef", path);
const sourceKey = source?.sourceKey ?? stringField(raw, "sourceKey", path);
validateSourceRef(sourceRef, `${path}.sourceRef`);
validateEnvKey(sourceKey, `${path}.sourceKey`);
return {
mode,
clientName: stringField(raw, "clientName", path),
namespace: stringField(raw, "namespace", path),
serviceName: stringField(raw, "serviceName", path),
port: positiveConfigIntegerField(raw, "port", path),
sourceRef: stringField(raw, "sourceRef", path),
sourceKey: stringField(raw, "sourceKey", path),
sourceConfigRef,
sourceFingerprint: source?.fingerprint ?? null,
sourceRef,
sourceKey,
sourceType,
preferredOutbound,
noProxy: stringArrayField(raw, "noProxy", path),
};
}
function preferredOutboundField(raw: Record<string, unknown>, key: string, path: string): "vless-reality" | "hysteria2" {
const value = stringField(raw, key, path);
if (value !== "vless-reality" && value !== "hysteria2") throw new Error(`${path}.${key} must be vless-reality or hysteria2`);
return value;
}
function gitMirrorEgressProxySpec(raw: Record<string, unknown>, path: string): ControlPlaneGitMirrorEgressProxySpec {
const mode = stringField(raw, "mode", path);
if (mode !== "node-global" && mode !== "direct") throw new Error(`${path}.mode must be node-global or direct`);
@@ -1297,11 +1486,14 @@ function gitMirrorProxyPrelude(node: ControlPlaneNodeSpec, target: ControlPlaneT
const proxyPort = useDirect || node.egressProxy === null ? 0 : node.egressProxy.port;
const proxyUrl = useDirect ? "" : `http://${proxyHost}:${proxyPort}`;
const noProxy = useDirect || node.egressProxy === null ? "" : node.egressProxy.noProxy.join(",");
const proxySource = useDirect || node.egressProxy === null
? "sourceType=direct sourceRef=- sourceFingerprint=-"
: `sourceType=${node.egressProxy.sourceType} sourceRef=${node.egressProxy.sourceRef} sourceFingerprint=${node.egressProxy.sourceFingerprint ?? "-"}`;
const proxySummary = useDirect
? `git-mirror-egress-proxy mode=direct required=false transport=${transport.mode} source=yaml`
: transport.mode === "https"
? `git-mirror-egress-proxy client=${node.egressProxy?.clientName} mode=node-global required=${proxyRequired ? "true" : "false"} host=${proxyHost} port=${proxyPort} transport=https proxy=HTTP_PROXY authSecret=${transport.tokenSecretName} authKey=${transport.tokenSecretKey} authSourceRef=${transport.tokenSourceRef} source=yaml`
: `git-mirror-egress-proxy client=${node.egressProxy?.clientName} mode=node-global required=${proxyRequired ? "true" : "false"} host=${proxyHost} port=${proxyPort} transport=ssh ssh=GIT_SSH-wrapper source=yaml`;
? `git-mirror-egress-proxy client=${node.egressProxy?.clientName} mode=node-global required=${proxyRequired ? "true" : "false"} host=${proxyHost} port=${proxyPort} transport=https proxy=HTTP_PROXY authSecret=${transport.tokenSecretName} authKey=${transport.tokenSecretKey} authSourceRef=${transport.tokenSourceRef} ${proxySource} source=yaml`
: `git-mirror-egress-proxy client=${node.egressProxy?.clientName} mode=node-global required=${proxyRequired ? "true" : "false"} host=${proxyHost} port=${proxyPort} transport=ssh ssh=GIT_SSH-wrapper ${proxySource} source=yaml`;
const proxyCommand = useDirect ? "" : `ProxyCommand=node /tmp/hwlab-github-proxy-connect.cjs ${proxyHost} ${proxyPort} %h %p`;
const common = [
`printf '%s\\n' ${shQuote(proxySummary)} >&2`,
@@ -1574,7 +1766,7 @@ function planSummary(node: ControlPlaneNodeSpec, target: ControlPlaneTargetSpec)
runtimeNamespace: target.runtimeNamespace,
k3sNodeConfig: k3sNodeConfigPlan(node),
registry: node.registry.endpoint,
egressProxy: node.egressProxy,
egressProxy: controlPlaneEgressProxySummary(node.egressProxy),
sourceBranch: target.source.branch,
gitopsBranch: target.gitops.branch,
gitopsPath: target.gitops.path,
@@ -1615,6 +1807,7 @@ function expectedSummary(node: ControlPlaneNodeSpec, target: ControlPlaneTargetS
deploymentReplicas: target.gitMirror.deploymentReplicas,
syncConfigMap: target.gitMirror.syncConfigMapName,
egressProxy: target.gitMirror.egressProxy,
effectiveEgressProxy: gitMirrorEffectiveEgressProxySummary(node, target),
githubTransport: gitMirrorGithubTransportSummary(target.gitMirror.githubTransport),
statusSummaryKeys: ["localSource", "githubSource", "localGitops", "githubGitops", "pendingFlush", "flushNeeded", "githubInSync"],
},
@@ -1670,6 +1863,45 @@ function k3sDropInContent(spec: ControlPlaneK3sNodeSpec): string {
].join("\n");
}
function controlPlaneEgressProxySummary(proxy: ControlPlaneEgressProxySpec | null): Record<string, unknown> | null {
if (proxy === null) return null;
return {
mode: proxy.mode,
clientName: proxy.clientName,
namespace: proxy.namespace,
serviceName: proxy.serviceName,
port: proxy.port,
sourceConfigRef: proxy.sourceConfigRef,
sourceType: proxy.sourceType,
sourceRef: proxy.sourceRef,
sourceKey: proxy.sourceKey,
sourceFingerprint: proxy.sourceFingerprint,
preferredOutbound: proxy.preferredOutbound,
valuesPrinted: false,
};
}
function gitMirrorEffectiveEgressProxySummary(node: ControlPlaneNodeSpec, target: ControlPlaneTargetSpec): Record<string, unknown> {
const config = target.gitMirror.egressProxy;
if (config === null || config.mode === "direct") {
return {
mode: "direct",
required: false,
transport: target.gitMirror.githubTransport.mode,
valuesPrinted: false,
};
}
const proxy = node.egressProxy;
return {
mode: config.mode,
required: config.required,
transport: target.gitMirror.githubTransport.mode,
ready: proxy !== null,
nodeProxy: controlPlaneEgressProxySummary(proxy),
valuesPrinted: false,
};
}
function gitMirrorGithubTransportSummary(transport: ControlPlaneGitMirrorGithubTransportSpec): Record<string, unknown> {
if (transport.mode === "ssh") return { mode: "ssh", valuesPrinted: false };
return {
@@ -1694,6 +1926,7 @@ function statusScript(nodeSpec: ControlPlaneNodeSpec, target: ControlPlaneTarget
const argoStatefulSets = shellJsonArray(target.argo.install.expectedStatefulSets);
const k3s = nodeSpec.k3s;
const k3sDropIn = k3s === null ? "" : k3sDropInContent(k3s);
const gitMirrorEgressProxyJson = JSON.stringify(gitMirrorEffectiveEgressProxySummary(nodeSpec, target));
return `
set +e
node=${shQuote(target.node)}
@@ -1712,6 +1945,7 @@ github_token_secret=${shQuote(target.gitMirror.githubTransport.mode === "https"
github_token_key=${shQuote(target.gitMirror.githubTransport.mode === "https" ? target.gitMirror.githubTransport.tokenSecretKey : "")}
github_token_source_ref=${shQuote(target.gitMirror.githubTransport.mode === "https" ? target.gitMirror.githubTransport.tokenSourceRef : "")}
github_token_source_key=${shQuote(target.gitMirror.githubTransport.mode === "https" ? target.gitMirror.githubTransport.tokenSourceKey : "")}
gitmirror_egress_proxy_json=${shQuote(gitMirrorEgressProxyJson)}
pipeline=${shQuote(target.tekton.pipelineName)}
service_account=${shQuote(target.tekton.serviceAccountName)}
argo_ns=${shQuote(target.argo.namespace)}
@@ -1845,7 +2079,7 @@ print(json.dumps({"crds": crds, "deployments": deploy, "statefulSets": sts, "crd
PY
argo_fragment=$(cat /tmp/hwlab-node-status-fragments.json 2>/dev/null || printf '{}')
cat <<JSON
{"observedAt":"$(date -u +%Y-%m-%dT%H:%M:%SZ)","node":"$node","lane":"$lane","components":{"k3sNodeConfig":$k3s_fragment,"tekton":{"installed":$(kubectl get crd pipelines.tekton.dev pipelineruns.tekton.dev >/dev/null 2>&1 && printf true || printf false),"controllerReady":$(deploy_ready tekton-pipelines tekton-pipelines-controller),"webhookReady":$(deploy_ready tekton-pipelines tekton-pipelines-webhook)},"ciNamespace":{"name":"$ci_ns","exists":$(exists_ns "$ci_ns"),"serviceAccountExists":$(exists_res "$ci_ns" serviceaccount "$service_account"),"pipelineExists":$(exists_res "$ci_ns" pipeline "$pipeline")},"gitMirror":{"namespace":"$gitmirror_ns","namespaceExists":$(exists_ns "$gitmirror_ns"),"readDeploymentReady":$(deploy_ready "$gitmirror_ns" "$read_deploy"),"writeDeploymentReady":$(deploy_ready "$gitmirror_ns" "$write_deploy"),"readServiceExists":$(exists_res "$gitmirror_ns" service "$read_svc"),"writeServiceExists":$(exists_res "$gitmirror_ns" service "$write_svc"),"readEndpointsReady":$(endpoint_ready "$gitmirror_ns" "$read_svc"),"writeEndpointsReady":$(endpoint_ready "$gitmirror_ns" "$write_svc"),"cachePvcExists":$(exists_res "$gitmirror_ns" pvc "$cache_pvc"),"cacheHostPath":"$cache_host_path","cacheHostPathReady":$cache_host_path_ready,"githubTransport":$github_transport_json,"summary":{"localSource":null,"githubSource":null,"localGitops":null,"githubGitops":null,"pendingFlush":null,"flushNeeded":null,"githubInSync":null}},"argo":{"namespace":"$argo_ns","namespaceExists":$(exists_ns "$argo_ns"),"installed":$(kubectl get crd applications.argoproj.io appprojects.argoproj.io >/dev/null 2>&1 && printf true || printf false),"projectExists":$(kubectl -n "$argo_ns" get appproject "$argo_project" >/dev/null 2>&1 && printf true || printf false),"applicationExists":$(kubectl -n "$argo_ns" get application "$argo_app" >/dev/null 2>&1 && printf true || printf false),"install":$argo_fragment},"registry":{"endpoint":"$registry","ready":$registry_ready,"toolsImage":"$tools_image","toolsImageReady":$tools_image_ready},"runtimeNamespace":{"name":"$runtime_ns","exists":$(exists_ns "$runtime_ns")}}}
{"observedAt":"$(date -u +%Y-%m-%dT%H:%M:%SZ)","node":"$node","lane":"$lane","components":{"k3sNodeConfig":$k3s_fragment,"tekton":{"installed":$(kubectl get crd pipelines.tekton.dev pipelineruns.tekton.dev >/dev/null 2>&1 && printf true || printf false),"controllerReady":$(deploy_ready tekton-pipelines tekton-pipelines-controller),"webhookReady":$(deploy_ready tekton-pipelines tekton-pipelines-webhook)},"ciNamespace":{"name":"$ci_ns","exists":$(exists_ns "$ci_ns"),"serviceAccountExists":$(exists_res "$ci_ns" serviceaccount "$service_account"),"pipelineExists":$(exists_res "$ci_ns" pipeline "$pipeline")},"gitMirror":{"namespace":"$gitmirror_ns","namespaceExists":$(exists_ns "$gitmirror_ns"),"readDeploymentReady":$(deploy_ready "$gitmirror_ns" "$read_deploy"),"writeDeploymentReady":$(deploy_ready "$gitmirror_ns" "$write_deploy"),"readServiceExists":$(exists_res "$gitmirror_ns" service "$read_svc"),"writeServiceExists":$(exists_res "$gitmirror_ns" service "$write_svc"),"readEndpointsReady":$(endpoint_ready "$gitmirror_ns" "$read_svc"),"writeEndpointsReady":$(endpoint_ready "$gitmirror_ns" "$write_svc"),"cachePvcExists":$(exists_res "$gitmirror_ns" pvc "$cache_pvc"),"cacheHostPath":"$cache_host_path","cacheHostPathReady":$cache_host_path_ready,"egressProxy":$gitmirror_egress_proxy_json,"githubTransport":$github_transport_json,"summary":{"localSource":null,"githubSource":null,"localGitops":null,"githubGitops":null,"pendingFlush":null,"flushNeeded":null,"githubInSync":null}},"argo":{"namespace":"$argo_ns","namespaceExists":$(exists_ns "$argo_ns"),"installed":$(kubectl get crd applications.argoproj.io appprojects.argoproj.io >/dev/null 2>&1 && printf true || printf false),"projectExists":$(kubectl -n "$argo_ns" get appproject "$argo_project" >/dev/null 2>&1 && printf true || printf false),"applicationExists":$(kubectl -n "$argo_ns" get application "$argo_app" >/dev/null 2>&1 && printf true || printf false),"install":$argo_fragment},"registry":{"endpoint":"$registry","ready":$registry_ready,"toolsImage":"$tools_image","toolsImageReady":$tools_image_ready},"runtimeNamespace":{"name":"$runtime_ns","exists":$(exists_ns "$runtime_ns")}}}
JSON
`;
}
@@ -2509,6 +2743,23 @@ function record(value: unknown): Record<string, unknown> {
return typeof value === "object" && value !== null && !Array.isArray(value) ? value as Record<string, unknown> : {};
}
function renderTable(headers: string[], rows: string[][]): string[] {
const widths = headers.map((header, index) => Math.max(header.length, ...rows.map((row) => row[index]?.length ?? 0)));
const render = (row: string[]) => row.map((cell, index) => cell.padEnd(widths[index] ?? cell.length)).join(" ").trimEnd();
return [render(headers), ...rows.map(render)];
}
function renderCell(value: unknown, fallback = "-"): string {
if (value === undefined || value === null || value === "") return fallback;
return String(value);
}
function optionsModeFromCommand(command: unknown): string {
const value = String(command ?? "");
if (value.endsWith(" status") || value.endsWith(" logs")) return "status";
return "benchmark";
}
function stringField(obj: Record<string, unknown>, key: string, path: string): string {
const value = obj[key];
if (typeof value !== "string" || value.length === 0) throw new Error(`${path}.${key} must be a non-empty string`);
@@ -2600,10 +2851,17 @@ function requiredOption(args: string[], name: string): string {
return value;
}
function positiveIntegerOption(args: string[], name: string, defaultValue: number, maxValue: number): number {
function optionValue(args: string[], name: string): string | null {
const index = args.indexOf(name);
if (index === -1) return defaultValue;
const raw = args[index + 1];
if (index === -1) return null;
const value = args[index + 1];
if (value === undefined || value.startsWith("--") || value.length === 0) throw new Error(`${name} requires a value`);
return value;
}
function positiveIntegerOption(args: string[], name: string, defaultValue: number, maxValue: number): number {
const raw = optionValue(args, name);
if (raw === null) return defaultValue;
const value = Number(raw);
if (!Number.isInteger(value) || value <= 0) throw new Error(`${name} must be a positive integer`);
return Math.min(value, maxValue);
+202
View File
@@ -0,0 +1,202 @@
import type { UniDeskConfig } from "./config";
import { rootPath } from "./config";
import { runCommand } from "./command";
import type { RenderedCliResult } from "./output";
import { egressBenchmarkCompactResult, egressBenchmarkDryRun, egressBenchmarkStartScript, egressBenchmarkStatusScript, type EgressBenchmarkSpec } from "./egress-proxy-benchmark";
import { readSub2ApiConfig } from "./platform-infra/config";
import { resolveTarget } from "./platform-infra/manifest";
type BenchmarkAction = "benchmark" | "benchmark-status" | "benchmark-logs";
interface BenchmarkOptions {
action: BenchmarkAction;
targetId: string;
profile: "no-mirror";
confirm: boolean;
dryRun: boolean;
samples: number;
sampleTimeoutSeconds: number;
timeoutSeconds: number;
tailLines: number;
}
export async function runPlatformInfraEgressProxyCommand(_config: UniDeskConfig, args: string[]): Promise<Record<string, unknown> | RenderedCliResult> {
const options = parseBenchmarkOptions(args);
const spec = platformBenchmarkSpec(options);
if (options.action === "benchmark-status" || options.action === "benchmark-logs") return benchmarkStatus(spec, options);
if (options.dryRun) {
return renderBenchmark({
ok: true,
command: "platform-infra egress-proxy benchmark",
mode: "dry-run",
mutation: false,
plan: egressBenchmarkDryRun(spec),
next: { confirm: `bun scripts/cli.ts platform-infra egress-proxy benchmark --target ${options.targetId} --profile ${options.profile} --confirm` },
});
}
const result = runTrans(spec.route, egressBenchmarkStartScript(spec), options.timeoutSeconds);
const parsed = parseJson(result.stdout);
return renderBenchmark({
ok: result.exitCode === 0,
command: "platform-infra egress-proxy benchmark",
mode: "async-job",
mutation: result.exitCode === 0,
target: options.targetId,
profile: options.profile,
start: typeof parsed === "object" && parsed !== null ? parsed : { stdoutPreview: result.stdout.slice(0, 2000) },
result: egressBenchmarkCompactResult(result),
});
}
function benchmarkStatus(spec: EgressBenchmarkSpec, options: BenchmarkOptions): RenderedCliResult {
const result = runTrans(spec.route, egressBenchmarkStatusScript(spec, options.tailLines), options.timeoutSeconds);
const parsed = parseJson(result.stdout);
const status = record(record(parsed).status);
const state = text(status.state, "unknown");
return renderBenchmark({
ok: result.exitCode === 0 && (options.action === "benchmark-logs" || state !== "failed"),
command: `platform-infra egress-proxy ${options.action}`,
mode: "status",
mutation: false,
target: options.targetId,
profile: options.profile,
job: typeof parsed === "object" && parsed !== null ? parsed : { stdoutPreview: result.stdout.slice(0, 2000) },
result: egressBenchmarkCompactResult(result),
});
}
function platformBenchmarkSpec(options: BenchmarkOptions): EgressBenchmarkSpec {
const sub2api = readSub2ApiConfig();
const target = resolveTarget(sub2api, options.targetId);
const proxy = target.egressProxy;
if (proxy === null || !proxy.enabled) throw new Error(`target ${target.id} has no enabled egressProxy`);
return {
scope: "platform-infra",
targetId: target.id,
route: target.route,
namespace: target.namespace,
serviceName: proxy.serviceName,
port: proxy.listenPort,
noProxy: proxy.noProxy,
sourceType: proxy.sourceType,
sourceRef: proxy.sourceRef,
sourceConfigRef: proxy.sourceConfigRef,
sourceFingerprint: proxy.sourceFingerprint,
profile: options.profile,
samples: options.samples,
sampleTimeoutSeconds: options.sampleTimeoutSeconds,
};
}
function parseBenchmarkOptions(args: string[]): BenchmarkOptions {
const actionRaw = args[0] ?? "benchmark";
if (actionRaw !== "benchmark" && actionRaw !== "benchmark-status" && actionRaw !== "benchmark-logs") {
throw new Error("platform-infra egress-proxy usage: benchmark|benchmark-status|benchmark-logs --target D601|D518 --profile no-mirror [--dry-run|--confirm]");
}
const action = actionRaw;
const rest = args.slice(1);
const targetId = option(rest, "--target") ?? "D601";
const profileRaw = option(rest, "--profile") ?? "no-mirror";
if (profileRaw !== "no-mirror") throw new Error("--profile currently supports no-mirror");
const confirm = rest.includes("--confirm");
const dryRun = rest.includes("--dry-run") || !confirm;
if (confirm && rest.includes("--dry-run")) throw new Error("benchmark accepts only one of --confirm or --dry-run");
return {
action,
targetId,
profile: profileRaw,
confirm,
dryRun: action === "benchmark" ? dryRun : false,
samples: positiveIntOption(rest, "--samples", 5, 20),
sampleTimeoutSeconds: positiveIntOption(rest, "--sample-timeout-seconds", 240, 900),
timeoutSeconds: positiveIntOption(rest, "--timeout-seconds", 30, 60),
tailLines: positiveIntOption(rest, "--tail", 40, 200),
};
}
function runTrans(route: string, script: string, timeoutSeconds: number) {
return runCommand(["/root/.local/bin/trans", route, "sh", "--", script], rootPath(), { timeoutMs: timeoutSeconds * 1000 });
}
function option(args: string[], name: string): string | null {
const index = args.indexOf(name);
if (index === -1) return null;
const value = args[index + 1];
if (value === undefined || value.startsWith("--")) throw new Error(`${name} requires a value`);
return value;
}
function positiveIntOption(args: string[], name: string, defaultValue: number, maxValue: number): number {
const raw = option(args, name);
if (raw === null) return defaultValue;
const value = Number.parseInt(raw, 10);
if (!Number.isInteger(value) || value < 1 || value > maxValue) throw new Error(`${name} must be an integer from 1 to ${maxValue}`);
return value;
}
function parseJson(text: string): unknown {
const trimmed = text.trim();
if (trimmed.length === 0) return null;
try { return JSON.parse(trimmed); } catch {
const start = trimmed.indexOf("{");
const end = trimmed.lastIndexOf("}");
if (start >= 0 && end > start) {
try { return JSON.parse(trimmed.slice(start, end + 1)); } catch {}
}
}
return null;
}
function renderBenchmark(result: Record<string, unknown>): RenderedCliResult {
const start = record(result.start);
const job = record(result.job);
const status = record(job.status);
const plan = record(result.plan);
const next = record(result.next);
const rows = Array.isArray(status.rows) ? status.rows.map(record) : [];
const target = text(result.target ?? plan.target);
const profile = text(result.profile ?? plan.profile, "no-mirror");
const statusText = text(status.state, result.ok === false ? "failed" : "ok");
const logTail = typeof job.logTail === "string" ? job.logTail.trimEnd() : "";
const lines = [
`platform-infra egress-proxy ${result.mode === "dry-run" ? "benchmark dry-run" : "benchmark"}`,
"",
...table(["TARGET", "PROFILE", "MODE", "STATUS"], [[target, profile, text(result.mode), statusText]]),
"",
rows.length === 0 ? "RESULTS\n-" : [
"RESULTS",
...table(["TEST", "SUCCESS", "SAMPLES", "P50", "P95", "FAILURES"], rows.map((row) => [
text(row.test),
text(row.success),
text(row.samples),
text(row.p50Ms),
text(row.p95Ms),
JSON.stringify(row.failureFamilies ?? {}),
])),
].join("\n"),
...(logTail.length === 0 ? [] : ["", "LOG TAIL", logTail]),
"",
"NEXT",
` ${text(next.confirm, "")}`,
` ${text(start.statusCommand, `bun scripts/cli.ts platform-infra egress-proxy benchmark-status --target ${target} --profile ${profile}`)}`,
` ${text(start.logsCommand, `bun scripts/cli.ts platform-infra egress-proxy benchmark-logs --target ${target} --profile ${profile}`)}`,
"",
"Disclosure: default output is a bounded benchmark table; Secret/proxy source values are redacted.",
].filter((line) => line !== " ");
return { ok: result.ok !== false, command: text(result.command, "platform-infra egress-proxy benchmark"), renderedText: lines.join("\n"), contentType: "text/plain" };
}
function table(headers: string[], rows: string[][]): string[] {
const widths = headers.map((header, index) => Math.max(header.length, ...rows.map((row) => row[index]?.length ?? 0)));
const render = (row: string[]) => row.map((cell, index) => cell.padEnd(widths[index] ?? cell.length)).join(" ").trimEnd();
return [render(headers), ...rows.map(render)];
}
function record(value: unknown): Record<string, unknown> {
return typeof value === "object" && value !== null && !Array.isArray(value) ? value as Record<string, unknown> : {};
}
function text(value: unknown, fallback = "-"): string {
if (value === undefined || value === null || value === "") return fallback;
return String(value);
}
+2
View File
@@ -66,6 +66,8 @@ export function egressProxySummary(proxy: Sub2ApiEgressProxyConfig): Record<stri
image: proxy.image,
imagePullPolicy: proxy.imagePullPolicy,
listenPort: proxy.listenPort,
sourceConfigRef: proxy.sourceConfigRef,
sourceFingerprint: proxy.sourceFingerprint,
sourceRef: proxy.sourceRef,
sourceType: proxy.sourceType,
preferredOutbound: proxy.preferredOutbound,
+34 -6
View File
@@ -7,6 +7,7 @@ import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "n
import { dirname, isAbsolute, join } from "node:path";
import type { UniDeskConfig } from "../config";
import { rootPath } from "../config";
import { resolveEgressProxySourceRef } from "../egress-proxy-sources";
import { startJob } from "../jobs";
import type { RenderedCliResult } from "../output";
import { pk01CaddyMergeManagedBlocksPython, renderCaddyManagedBlock, renderSimpleReverseProxyCaddySiteBlock } from "../pk01-caddy";
@@ -282,12 +283,16 @@ export function parseEgressProxyConfig(value: unknown, path: string): Sub2ApiEgr
if (value === undefined || value === null) return null;
if (typeof value !== "object" || Array.isArray(value)) throw new Error(`${configPath}.${path}.egressProxy must be an object`);
const record = value as Record<string, unknown>;
const sourceType = enumField(record, "sourceType", `${path}.egressProxy`, ["subscription-url", "master-shadowsocks"] as const);
const sourceConfigRef = optionalConfigStringField(record, "sourceConfigRef", `${path}.egressProxy`);
const source = sourceConfigRef === null ? null : resolveEgressProxySourceRef(sourceConfigRef, `${configPath}.${path}.egressProxy.sourceConfigRef`);
const sourceType = source?.sourceType ?? enumField(record, "sourceType", `${path}.egressProxy`, ["subscription-url", "master-shadowsocks"] as const);
assertOptionalMatch(record, "sourceType", sourceType, `${path}.egressProxy`);
const preferredOutbound = sourceType === "subscription-url" || record.preferredOutbound !== undefined
? enumField(record, "preferredOutbound", `${path}.egressProxy`, ["vless-reality", "hysteria2"] as const)
? source?.preferredOutbound ?? enumField(record, "preferredOutbound", `${path}.egressProxy`, ["vless-reality", "hysteria2"] as const)
: null;
if (source !== null && source.preferredOutbound !== null && record.preferredOutbound !== undefined) assertOptionalMatch(record, "preferredOutbound", source.preferredOutbound, `${path}.egressProxy`);
const masterShadowsocks = sourceType === "master-shadowsocks"
? parseMasterShadowsocksConfig(record.masterShadowsocks, `${path}.egressProxy.masterShadowsocks`)
? source?.masterShadowsocks ?? parseMasterShadowsocksConfig(record.masterShadowsocks, `${path}.egressProxy.masterShadowsocks`)
: null;
const imagePullPolicy = enumField(record, "imagePullPolicy", `${path}.egressProxy`, ["Always", "IfNotPresent", "Never"] as const);
const noProxy = stringArrayField(record, "noProxy", `${path}.egressProxy`);
@@ -300,16 +305,23 @@ export function parseEgressProxyConfig(value: unknown, path: string): Sub2ApiEgr
image: stringField(record, "image", `${path}.egressProxy`),
imagePullPolicy,
listenPort: integerField(record, "listenPort", `${path}.egressProxy`),
sourceRef: stringField(record, "sourceRef", `${path}.egressProxy`),
sourceKey: stringField(record, "sourceKey", `${path}.egressProxy`),
sourceConfigRef,
sourceFingerprint: source?.fingerprint ?? null,
sourceRef: source?.sourceRef ?? stringField(record, "sourceRef", `${path}.egressProxy`),
sourceKey: source?.sourceKey ?? stringField(record, "sourceKey", `${path}.egressProxy`),
sourceType,
preferredOutbound,
masterShadowsocks,
noProxy,
applyToSub2Api: booleanField(record, "applyToSub2Api", `${path}.egressProxy`),
applyToSentinel: booleanField(record, "applyToSentinel", `${path}.egressProxy`),
healthProbeUrl: stringField(record, "healthProbeUrl", `${path}.egressProxy`),
healthProbeUrl: source?.healthProbeUrl ?? stringField(record, "healthProbeUrl", `${path}.egressProxy`),
};
if (source !== null) {
assertOptionalMatch(record, "sourceRef", source.sourceRef, `${path}.egressProxy`);
assertOptionalMatch(record, "sourceKey", source.sourceKey, `${path}.egressProxy`);
assertOptionalMatch(record, "healthProbeUrl", source.healthProbeUrl, `${path}.egressProxy`);
}
validateEgressProxyConfig(proxy, path);
return proxy;
}
@@ -406,6 +418,19 @@ export function stringArrayField(obj: Record<string, unknown>, key: string, path
return value.map((item) => item.trim());
}
function optionalConfigStringField(obj: Record<string, unknown>, key: string, path: string): string | null {
const value = obj[key];
if (value === undefined || value === null) return null;
if (typeof value !== "string" || value.trim().length === 0) throw new Error(`${fieldLabel(path, key)} must be a non-empty string when set`);
return value.trim();
}
function assertOptionalMatch(obj: Record<string, unknown>, key: string, expected: string | null, path: string): void {
if (obj[key] === undefined || obj[key] === null) return;
const actual = stringField(obj, key, path);
if (actual !== expected) throw new Error(`${fieldLabel(path, key)} must match sourceConfigRef value ${expected}`);
}
export function enumField<const T extends readonly string[]>(obj: Record<string, unknown>, key: string, path: string, values: T): T[number] {
const value = stringField(obj, key, path);
if (!(values as readonly string[]).includes(value)) throw new Error(`${fieldLabel(path, key)} must be one of ${values.join(", ")}`);
@@ -483,6 +508,9 @@ export function validateEgressProxyConfig(config: Sub2ApiEgressProxyConfig, path
if (config.secretKey !== "config.json") throw new Error(`${configPath}.${path}.egressProxy.secretKey must be config.json`);
if (!isImageReference(config.image)) throw new Error(`${configPath}.${path}.egressProxy.image has an unsupported format`);
validatePort(config.listenPort, `${path}.egressProxy.listenPort`);
if (config.sourceConfigRef !== null && (!config.sourceConfigRef.startsWith("config/") || !config.sourceConfigRef.includes("#sources.") || config.sourceConfigRef.includes(".."))) {
throw new Error(`${configPath}.${path}.egressProxy.sourceConfigRef must reference config/*.yaml#sources.<id>`);
}
if (!/^[A-Za-z0-9_./-]+$/u.test(config.sourceRef)) throw new Error(`${configPath}.${path}.egressProxy.sourceRef has an unsupported format`);
if (!/^[A-Z0-9_]+$/u.test(config.sourceKey)) throw new Error(`${configPath}.${path}.egressProxy.sourceKey must be an env key`);
if (config.sourceType === "subscription-url" && config.preferredOutbound === null) {
+2
View File
@@ -169,6 +169,8 @@ export interface Sub2ApiEgressProxyConfig {
image: string;
imagePullPolicy: "Always" | "IfNotPresent" | "Never";
listenPort: number;
sourceConfigRef: string | null;
sourceFingerprint: string | null;
sourceRef: string;
sourceKey: string;
sourceType: "subscription-url" | "master-shadowsocks";
+2
View File
@@ -623,6 +623,8 @@ spec:
annotations:
unidesk.ai/proxy-source-ref: "${proxy.sourceRef}"
unidesk.ai/proxy-source-type: "${proxy.sourceType}"
unidesk.ai/proxy-source-config-ref: "${proxy.sourceConfigRef ?? ""}"
unidesk.ai/proxy-source-fingerprint: "${proxy.sourceFingerprint ?? ""}"
unidesk.ai/proxy-selected-outbound: "${proxy.sourceType === "subscription-url" ? proxy.preferredOutbound : "shadowsocks"}"
spec:
containers:
+5 -1
View File
@@ -36,6 +36,10 @@ export function sub2ApiHelpTargetSummary(): Record<string, unknown> {
export async function runPlatformInfraCommand(config: UniDeskConfig, args: string[]): Promise<Record<string, unknown> | RenderedCliResult> {
const [target, action] = args;
if (target === "egress-proxy") {
const { runPlatformInfraEgressProxyCommand } = await import("../platform-infra-egress-proxy");
return await runPlatformInfraEgressProxyCommand(config, args.slice(1));
}
if (target === "langbot") {
const { runLangBotCommand } = await import("../platform-infra-langbot");
return await runLangBotCommand(config, args.slice(1));
@@ -109,7 +113,7 @@ function renderSub2ApiPlan(result: Record<string, unknown>): RenderedCliResult {
["DATABASE", stringValue(config.databaseMode), "redis", stringValue(config.redisMode)],
["REPLICAS", `${stringValue(config.appReplicas)}/${stringValue(config.redisReplicas)}`, "service", stringValue(target.serviceDns)],
["PUBLIC", boolText(exposure.enabled), "url", stringValue(exposure.publicBaseUrl, "-")],
["EGRESS", boolText(egress.enabled), "sourceRef", stringValue(egress.sourceRef, "-")],
["EGRESS", boolText(egress.enabled), "source", `${stringValue(egress.sourceType, "-")} ${stringValue(egress.sourceFingerprint, "-")}`],
["POLICY", failedPolicy.length === 0 ? "ok" : `failed=${failedPolicy.length}`, "valuesPrinted", "false"],
];
const lines = [