Gate VPN fabric session transport config

2026-05-16 00:56:11 +03:00
parent 9cd0cb5ea9
commit e16f456fe8
11 changed files with 189 additions and 149 deletions
@@ -1115,6 +1115,7 @@ func meshListenerConfigKey(cfg config.Config) string {
 		strings.TrimSpace(cfg.MeshNATType),
 		strings.TrimSpace(cfg.MeshRegion),
 		fmt.Sprintf("%t", cfg.MeshProductionForwardingEnabled),
+		fmt.Sprintf("%t", cfg.VPNFabricSessionTransportEnabled),
 	}, "|")
 }

@@ -2480,6 +2481,18 @@ func heartbeatPayload(cfg config.Config, identity state.Identity, meshState *syn
 			payload.Capabilities["fabric_session_websocket_endpoint"] = true
 			payload.Capabilities["fabric_data_session_v1"] = true
 		}
+		if cfg.VPNFabricSessionTransportEnabled {
+			payload.Metadata["vpn_fabric_session_transport_report"] = map[string]any{
+				"schema_version": "rap.vpn_fabric_session_transport_report.v1",
+				"enabled":        true,
+				"transport":      "fabric_session_websocket_binary_frames",
+				"packet_payload": "rap.vpn_packet_batch.fabric.v1",
+				"gated":          true,
+				"observed_at":    observedAt.UTC().Format(time.RFC3339Nano),
+			}
+			payload.Capabilities["vpn_fabric_session_transport"] = true
+			payload.Capabilities["vpn_packet_batch_binary_frames"] = true
+		}
 		if meshState != nil && meshState.ConfigLoadError != "" {
 			payload.HealthStatus = "warning"
 		}
@@ -3724,6 +3737,7 @@ func advertisedEndpointCandidates(cfg config.Config, identity state.Identity, me
 				"runtime":               "c17z7",
 				"synthetic_runtime":     cfg.MeshSyntheticRuntimeEnabled,
 				"production_forwarding": cfg.MeshProductionForwardingEnabled,
+				"vpn_fabric_session":    cfg.VPNFabricSessionTransportEnabled,
 			})
 			if err != nil {
 				return nil, err
@@ -627,14 +627,15 @@ func TestProductionEnvelopeObservationSinkFromConfigIsDisabledByDefault(t *testi

 func TestHeartbeatPayloadIncludesMeshEndpointReport(t *testing.T) {
 	payload := heartbeatPayload(config.Config{
-		MeshAdvertiseEndpoint:           "https://node-a.example.test:443",
-		MeshAdvertiseTransport:          "wss",
-		MeshConnectivityMode:            "outbound_only",
-		MeshNATType:                     "symmetric",
-		MeshRegion:                      "eu",
-		MeshSyntheticRuntimeEnabled:     true,
-		MeshProductionForwardingEnabled: true,
-		MeshFabricSessionEnabled:        true,
+		MeshAdvertiseEndpoint:            "https://node-a.example.test:443",
+		MeshAdvertiseTransport:           "wss",
+		MeshConnectivityMode:             "outbound_only",
+		MeshNATType:                      "symmetric",
+		MeshRegion:                       "eu",
+		MeshSyntheticRuntimeEnabled:      true,
+		MeshProductionForwardingEnabled:  true,
+		MeshFabricSessionEnabled:         true,
+		VPNFabricSessionTransportEnabled: true,
 	}, state.Identity{
 		ClusterID: "cluster-1",
 		NodeID:    "node-a",
@@ -659,6 +660,12 @@ func TestHeartbeatPayloadIncludesMeshEndpointReport(t *testing.T) {
 	if report, ok := payload.Metadata["fabric_session_endpoint_report"].(map[string]any); !ok || report["path"] != "/mesh/v1/fabric/session/ws" {
 		t.Fatalf("fabric session endpoint report missing: %+v", payload.Metadata)
 	}
+	if payload.Capabilities["vpn_fabric_session_transport"] != true || payload.Capabilities["vpn_packet_batch_binary_frames"] != true {
+		t.Fatalf("vpn fabric session capabilities missing: %+v", payload.Capabilities)
+	}
+	if report, ok := payload.Metadata["vpn_fabric_session_transport_report"].(map[string]any); !ok || report["packet_payload"] != "rap.vpn_packet_batch.fabric.v1" {
+		t.Fatalf("vpn fabric session report missing: %+v", payload.Metadata)
+	}
 }

 func TestHeartbeatPayloadReportsMeshListenerFailureWithoutKillingHeartbeat(t *testing.T) {