WebSocket Support for Apps with Route-Services

[Dariquest]

Summary

Route services should be able to handle web socket requests.

The Gorouter flag "route_services.enable_websockets" is introduced to enable web socket communication for apps with route services. The default value is true.

 router.route_services.enable_websockets:
    description: Enable websocket connections for application routes bound to Route Services.
    default: true

Web socket upgrades on routes with an attached route service were prevented previously.
This issue has been brought up by one of our customers, who needed a route service to rate-limit their app.

GitHub Issue

Backward Compatibility

Breaking Change? No

Test

Scenario: A web socket app needs rate limiting via a route service.
Given

cf push websocket-app
cf push ratelimiter
cf create-user-provided-service ratelimiter-service -r https://ratelimiter.cfapps.xxx.sapcloud.io
cf bind-route-service cfapps.xxx.sapcloud.io ratelimiter-service --hostname websocket-app

When I connect to wss://websocket-app.cfapps.xxx.sapcloud.io using a web socket client or simply curl it with the corresponding websocket request headers
Then The connection will work through the route service as expected

[Dariquest]

Performed a test of this Routing-release Gorouter change on a dev landscape with a sample websocket-app to show that the apps with bound route services support web sockets:

cf push websocket-app
cf push ratelimiter
cf create-user-provided-service ratelimiter-service -r https://ratelimiter.cfapps.xxx.sapcloud.io
cf bind-route-service cfapps.xxx.sapcloud.io ratelimiter-service --hostname websocket-app

1. Using a web socket client wss:

wscat -c wss://websocket-app.cfapps.xxx.sapcloud.io/ws
Connected (press CTRL+C to quit)

test
< test

2. Curling the sample app with the corresponding websocket connection headers:

$ curl -i -N -H "Connection: Upgrade"      -H "Upgrade: websocket"      -H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ=="      -H "Sec-WebSocket-Version: 13"      -H "Origin: https://websocket-app.cfapps.xxx.sapcloud.io"      https://websocket-app.cfapps.xxx.sapcloud.io/ws --http1.1
HTTP/1.1 101 Switching Protocols
connection: Upgrade
sec-websocket-accept: xxx
upgrade: websocket
x-vcap-request-id: 0237d2fc-72f6-4905-71c3-88a2419fd40e
strict-transport-security: max-age=31536000; includeSubDomains; preload;

[geofffranks]

Requested default change

[maxmoehl]

GitHub seems confused about workflows being there while also not being there on this branch. @Dariquest can you rebase once more?

[geofffranks]

GitHub seems confused about workflows being there while also not being there on this branch. @Dariquest can you rebase once more?

Everything looks good to me. Once the rebasing + GH actions are sorted out feel free to approve + merge.n

[maxmoehl]

The workflow uses secrets, e.g. ${{ secrets.GCP_SERVICE_ACCOUNT_TAS_RUNTIME_BUILD_IMAGE_READER }} and those are inaccessible if your PR is coming from a fork due to security policies.

We will ignore the validation for now but can have a discussion on how to fix this for future contributions.

/fyi @geofffranks @kart2bc