Refactor RDP proxy handling and update related tests

agents/rap-node-agent/internal/config/config_test.go

@@ -15,6 +15,11 @@ func TestLoadConfigFromEnvAndArgs(t *testing.T) {
 		"RAP_NODE_NAME":                                 "node-a",
 		"RAP_NODE_STATE_DIR":                            "/tmp/rap-node",
 		"RAP_WORKLOAD_SUPERVISION_ENABLED":              "true",
+		"RAP_WEB_INGRESS_RUNTIME_ENABLED":               "true",
+		"RAP_WEB_INGRESS_SIGNING_PRIVATE_KEY":           " private-key-b64 ",
+		"RAP_WEB_INGRESS_SIGNING_KEY_ID":                " web-key-1 ",
+		"RAP_WEB_INGRESS_TRUSTED_KEYS_JSON":             ` {"web-key-1":"public-key-b64"} `,
+		"RAP_WEB_INGRESS_RUNTIME_SERVICE_CLASSES":       " platform_admin, cluster_admin ",
 		"RAP_HEARTBEAT_INTERVAL_SECONDS":                "7",
 		"RAP_ENROLLMENT_POLL_INTERVAL_SECONDS":          "3",
 		"RAP_ENROLLMENT_POLL_TIMEOUT_SECONDS":           "30",
@@ -32,11 +37,17 @@ func TestLoadConfigFromEnvAndArgs(t *testing.T) {
 		"RAP_MESH_LISTEN_PORT_MODE":                     "auto",
 		"RAP_MESH_LISTEN_AUTO_PORT_START":               "19010",
 		"RAP_MESH_LISTEN_AUTO_PORT_END":                 "19020",
-		"RAP_MESH_ADVERTISE_ENDPOINT":                   "https://node-a.example.test:443/",
+		"RAP_MESH_ADVERTISE_ENDPOINT":                   "quic://node-a.example.test:19443/",
 		"RAP_MESH_ADVERTISE_ENDPOINTS_JSON":             `[{"endpoint_id":"node-a-lan","address":"10.10.0.20:19001"}]`,
-		"RAP_MESH_ADVERTISE_TRANSPORT":                  "wss",
+		"RAP_MESH_ADVERTISE_TRANSPORT":                  "direct_quic",
 		"RAP_MESH_CONNECTIVITY_MODE":                    "outbound_only",
 		"RAP_MESH_NAT_TYPE":                             "symmetric",
+		"RAP_MESH_LOCAL_SEGMENT_ID":                     "site-a",
+		"RAP_MESH_NAT_GROUP_ID":                         "nat-a",
+		"RAP_MESH_STUN_REFLEXIVE_ENDPOINT":              "quic://203.0.113.20:19443/",
+		"RAP_MESH_STUN_SERVER":                          "stun.example.test:3478",
+		"RAP_MESH_RELAY_NODE_ID":                        "node-r",
+		"RAP_MESH_RELAY_ENDPOINT":                       "quic://node-r.example.test:19443/",
 		"RAP_MESH_REGION":                               "eu",
 		"RAP_MESH_SYNTHETIC_CONFIG":                     "/tmp/rap-node/mesh-synthetic.json",
 		"RAP_MESH_PEER_ENDPOINTS_JSON":                  `{"node-b":"http://127.0.0.1:19002"}`,
@@ -67,6 +78,15 @@ func TestLoadConfigFromEnvAndArgs(t *testing.T) {
 	if !cfg.WorkloadSupervisionEnabled {
 		t.Fatal("WorkloadSupervisionEnabled = false, want true")
 	}
+	if !cfg.WebIngressRuntimeEnabled {
+		t.Fatal("WebIngressRuntimeEnabled = false, want true")
+	}
+	if cfg.WebIngressSigningPrivateKey != "private-key-b64" ||
+		cfg.WebIngressSigningKeyID != "web-key-1" ||
+		cfg.WebIngressTrustedKeysJSON != `{"web-key-1":"public-key-b64"}` ||
+		cfg.WebIngressRuntimeServiceClasses != "platform_admin, cluster_admin" {
+		t.Fatalf("unexpected web ingress key config: %+v", cfg)
+	}
 	if !cfg.MeshSyntheticRuntimeEnabled {
 		t.Fatal("MeshSyntheticRuntimeEnabled = false, want true")
 	}
@@ -100,11 +120,17 @@ func TestLoadConfigFromEnvAndArgs(t *testing.T) {
 	if cfg.MeshListenPortMode != "auto" || cfg.MeshListenAutoPortStart != 19010 || cfg.MeshListenAutoPortEnd != 19020 {
 		t.Fatalf("unexpected mesh listen port config: %+v", cfg)
 	}
-	if cfg.MeshAdvertiseEndpoint != "https://node-a.example.test:443" ||
+	if cfg.MeshAdvertiseEndpoint != "quic://node-a.example.test:19443" ||
 		cfg.MeshAdvertiseEndpointsJSON == "" ||
-		cfg.MeshAdvertiseTransport != "wss" ||
+		cfg.MeshAdvertiseTransport != "direct_quic" ||
 		cfg.MeshConnectivityMode != "outbound_only" ||
 		cfg.MeshNATType != "symmetric" ||
+		cfg.MeshLocalSegmentID != "site-a" ||
+		cfg.MeshNATGroupID != "nat-a" ||
+		cfg.MeshSTUNReflexiveEndpoint != "quic://203.0.113.20:19443" ||
+		cfg.MeshSTUNServer != "stun.example.test:3478" ||
+		cfg.MeshRelayNodeID != "node-r" ||
+		cfg.MeshRelayEndpoint != "quic://node-r.example.test:19443" ||
 		cfg.MeshRegion != "eu" {
 		t.Fatalf("unexpected mesh advertise config: %+v", cfg)
 	}
@@ -139,6 +165,9 @@ func TestLoadConfigDefaultsEnrollmentPollingToNoTimeout(t *testing.T) {
 		cfg.RemoteWorkspaceRealAdapterWorkDir != "" {
 		t.Fatalf("real adapter config should default disabled and empty: %+v", cfg)
 	}
+	if cfg.WebIngressRuntimeEnabled {
+		t.Fatalf("web ingress runtime should default disabled: %+v", cfg)
+	}
 }
 
 func TestLoadConfigRejectsNegativeProductionObservationSinkCapacity(t *testing.T) {
@@ -162,3 +191,33 @@ func TestLoadConfigRejectsTooLargeProductionObservationSinkCapacity(t *testing.T
 		t.Fatal("Load returned nil error for too-large sink capacity")
 	}
 }
+
+func TestLoadConfigNormalizesLegacyMeshAdvertiseTransport(t *testing.T) {
+	cfg, err := Load(nil, map[string]string{
+		"RAP_BACKEND_URL":              "http://backend/api/v1",
+		"RAP_NODE_NAME":                "node-a",
+		"RAP_MESH_ADVERTISE_ENDPOINT":  "quic://node-a.example.test:19443",
+		"RAP_MESH_ADVERTISE_TRANSPORT": "wss",
+	})
+	if err != nil {
+		t.Fatalf("Load returned error for legacy mesh advertise transport migration: %v", err)
+	}
+	if cfg.MeshAdvertiseTransport != "direct_quic" {
+		t.Fatalf("transport = %q, want direct_quic", cfg.MeshAdvertiseTransport)
+	}
+}
+
+func TestLoadConfigNormalizesLegacyMeshAdvertiseEndpointScheme(t *testing.T) {
+	cfg, err := Load(nil, map[string]string{
+		"RAP_BACKEND_URL":              "http://backend/api/v1",
+		"RAP_NODE_NAME":                "node-a",
+		"RAP_MESH_ADVERTISE_ENDPOINT":  "https://node-a.example.test:443",
+		"RAP_MESH_ADVERTISE_TRANSPORT": "direct_quic",
+	})
+	if err != nil {
+		t.Fatalf("Load returned error for legacy mesh advertise endpoint migration: %v", err)
+	}
+	if cfg.MeshAdvertiseEndpoint != "quic://node-a.example.test:443" {
+		t.Fatalf("endpoint = %q, want quic scheme", cfg.MeshAdvertiseEndpoint)
+	}
+}