feat(relay): remove standalone mode (#7701)

Previously, it was possible to use the Firezone relay in "standalone" mode where it would not attempt to connect to a portal. A long time ago, this mode was introduced in order for us to test the TURN compatibility of the relay with non-Firezone TURN clients. These tests have long been removed and thus the mode is no longer required. The positive side-effect of this is that we can make the `FIREZONE_API_URL` a mandatory parameter and thus direct self-hosted users towards setting this to the endpoint of their self-hosted portal.
2026-01-27 18:18:55 +00:00 · 2025-01-08 20:26:19 +01:00
parent ed5285268d
commit b34af41eb0
1 changed files with 46 additions and 49 deletions
--- a/rust/relay/src/main.rs
+++ b/rust/relay/src/main.rs
@@ -15,7 +15,7 @@ use futures::{future, FutureExt};
 use phoenix_channel::{Event, LoginUrl, NoParams, PhoenixChannel};
 use rand::rngs::StdRng;
 use rand::{Rng, SeedableRng};
-use secrecy::{Secret, SecretString};
+use secrecy::{ExposeSecret, Secret, SecretString};
 use std::borrow::Cow;
 use std::net::{Ipv4Addr, Ipv6Addr};
 use std::pin::Pin;
@@ -51,18 +51,11 @@ struct Args {
    /// The highest port used for TURN allocations.
    #[arg(long, env, hide = true, default_value = "65535")]
    highest_port: u16,
-    #[arg(
-        long,
-        env = "FIREZONE_API_URL",
-        hide = true,
-        default_value = "wss://api.firezone.dev"
-    )]
+    #[arg(long, env = "FIREZONE_API_URL")]
    api_url: Url,
    /// Token generated by the portal to authorize websocket connection.
-    ///
-    /// If omitted, we won't connect to the portal on startup.
    #[arg(env = "FIREZONE_TOKEN")]
-    token: Option<SecretString>,
+    token: SecretString,
    /// Used as the human name for this Relay to display in the portal. If not provided,
    /// the system hostname is used by default.
    #[arg(env = "FIREZONE_NAME")]
@@ -161,40 +154,30 @@ async fn try_main(args: Args) -> Result<()> {
        make_is_healthy(last_heartbeat_sent.clone()),
    ));

-    let channel = if let Some(token) = args.token.as_ref() {
-        use secrecy::ExposeSecret;
+    let login = LoginUrl::relay(
+        args.api_url.clone(),
+        &args.token,
+        args.name.clone(),
+        args.listen_port,
+        args.public_ip4_addr,
+        args.public_ip6_addr,
+    )?;

-        let login = LoginUrl::relay(
-            args.api_url.clone(),
-            token,
-            args.name.clone(),
-            args.listen_port,
-            args.public_ip4_addr,
-            args.public_ip6_addr,
-        )?;
-
-        let mut channel = PhoenixChannel::disconnected(
-            Secret::new(login),
-            format!("relay/{}", env!("CARGO_PKG_VERSION")),
-            "relay",
-            JoinMessage {
-                stamp_secret: server.auth_secret().expose_secret().to_string(),
-            },
-            || {
-                ExponentialBackoffBuilder::default()
-                    .with_max_elapsed_time(Some(MAX_PARTITION_TIME))
-                    .build()
-            },
-            Arc::new(socket_factory::tcp),
-        )?;
-        channel.connect(NoParams);
-
-        Some(channel)
-    } else {
-        tracing::info!(target: "relay", "No portal token supplied, starting standalone mode");
-
-        None
-    };
+    let mut channel = PhoenixChannel::disconnected(
+        Secret::new(login),
+        format!("relay/{}", env!("CARGO_PKG_VERSION")),
+        "relay",
+        JoinMessage {
+            stamp_secret: server.auth_secret().expose_secret().to_string(),
+        },
+        || {
+            ExponentialBackoffBuilder::default()
+                .with_max_elapsed_time(Some(MAX_PARTITION_TIME))
+                .build()
+        },
+        Arc::new(socket_factory::tcp),
+    )?;
+    channel.connect(NoParams);

    let mut eventloop = Eventloop::new(server, channel, public_addr, last_heartbeat_sent)?;

@@ -366,7 +349,7 @@ where
 {
    fn new(
        server: Server<R>,
-        channel: Option<PhoenixChannel<JoinMessage, IngressMessage, (), NoParams>>,
+        channel: PhoenixChannel<JoinMessage, IngressMessage, (), NoParams>,
        public_address: IpStack,
        last_heartbeat_sent: Arc<Mutex<Option<Instant>>>,
    ) -> Result<Self> {
@@ -395,7 +378,7 @@ where

        Ok(Self {
            server,
-            channel,
+            channel: Some(channel),
            sleep: Sleep::default(),
            stats_log_interval: tokio::time::interval(STATS_LOG_INTERVAL),
            last_num_bytes_relayed: 0,
@@ -726,16 +709,30 @@ mod tests {
    // Regression tests to ensure we can parse sockets as well as domains for the otlp-grpc endpoint.
    #[test]
    fn args_can_parse_otlp_endpoint_from_socket() {
-        let args =
-            Args::try_parse_from(["relay", "--otlp-grpc-endpoint", "127.0.0.1:4317"]).unwrap();
+        let args = Args::try_parse_from([
+            "relay",
+            "--otlp-grpc-endpoint",
+            "127.0.0.1:4317",
+            "--api-url",
+            "localhost:1234",
+            "TOKEN",
+        ])
+        .unwrap();

        assert_eq!(args.otlp_grpc_endpoint.unwrap(), "127.0.0.1:4317");
    }

    #[test]
    fn args_can_parse_otlp_endpoint_from_domain() {
-        let args =
-            Args::try_parse_from(["relay", "--otlp-grpc-endpoint", "localhost:4317"]).unwrap();
+        let args = Args::try_parse_from([
+            "relay",
+            "--otlp-grpc-endpoint",
+            "localhost:4317",
+            "--api-url",
+            "localhost:1234",
+            "TOKEN",
+        ])
+        .unwrap();

        assert_eq!(args.otlp_grpc_endpoint.unwrap(), "localhost:4317");
    }