plugin v2 preview

[eternal-flame-AD]

very much WIP, expect big changes as I go.

Just sharing to get some early opinions.

TODO:

• Finalize the architecture
• A shim that takes a V1 plugin and returns a V2 plugin
• A test server and test client
• Scout existing issues to add missing features

[jmattheis]

I haven't done much with grpc, what benefits do we have in comparison to using json for the message payload? Probably reduced payload size, but I don't think this has much impact here.

[eternal-flame-AD]

I am still debating whether to use their streaming RPC ..

There are three architectures I am trying to decide between:

• The Server opens an "infra" server which accepts messages and storage and plugin opens a server each for server callbacks: totally transport agnostic, we can use HTTP or anything. I am currently trying this out but I might change as it requires two connections per plugin.
• Only the plugin starts a RPC Server, and the Gotify server "pulls" messages and configuarion changes in using client streaming. gRPC helps great with IO infrastructure work here.
• Same as above but Gotify server acts as the RPC server, but I am gearing towards letting plugin be the server because the plugin process may die and we have to handle that. It's easier to handle both process crash and client connection crash as one route (restart the process and try connecting again until giveup).

[jmattheis]

Hashicorp plugin system uses the third option, and then we'd only need one unix socket/tcp connection for all plugins. I think I'd prefer this, as this seems simpler, but this is only a gut feeling (:.

[eternal-flame-AD]

Hmm, I am not sure I read it the same, to me Hashicorp uses Option 2 to me:

There is this "plugin.Serve" which every plugin use in the main process, and it does spawn an gRPC server.

https://github.com/hashicorp/vault/blob/04295060d1c654a3b62e828b2fdfad40f41fe2a8/sdk/plugin/serve.go#L32

[jmattheis]

Ahh okay, have misread the docs.

[jmattheis]

You previously linked the hashicorp plugin docs, they using mutual tls too and provide this plugin library https://github.com/hashicorp/go-plugin which has support for mtls and grpc. Have you considered using this? (just a question, not request to use this lib now)

[eternal-flame-AD]

I took a quick peek and there are a couple things:

• They use the Go RPC not gRPC.. I think since our call interface is simple I don't see a reason to use an interface exclusive to Go.
• I think a key difficulty would be try to get HTTP reverse proxies working over the Server-to-Plugin connection and we might need abstraction breakouts here (raw gRPC has support for multiplexing over HTTP/2 listeners: https://pkg.go.dev/google.golang.org/grpc#Server.ServeHTTP which allows us to route Webhooker request in the same socket). Vault has their own abstractions over HTTP and they don't have this problem.
• I don't see a process spawn hook: being a security oriented company they don't expose any loading panics, we might have to show stderr to the user for it to be usable for the general user.

I have an authentication plugin you can checkout the code pattern for: https://github.com/eternal-flame-AD/vault-auth-emerg-yubiotp

[jmattheis]

👍, thanks for the explanation.

[jmattheis]

Do we need this? Aren't unix sockets enough?

[eternal-flame-AD]

I guess since we are going with RPC I want to make it work on Windows as well (and maybe as a fallback if for some reason we can't establish a unix socket on the tempdir)... Might not survive the final release, I will keep this codepath for now and see if it is too much work/security risk.

I am totally okay with removing this, we never promised plugins will work on windows anyways.

[jmattheis]

Ahh yeah, windows, forgot about this (:. I'm okay with supporting this, tho we maybe wait until people want this feature, I can't imaging that many host their gotify server on windows. Even tho we have many windows exe downloads https://somsubhra.github.io/github-release-stats/?username=gotify&repository=server&page=1&per_page=5