Decouple transport from runtime (#2430)

As currently implemented, `pkg/transport` is tightly coupled with the
underlying runtime. Specifically, transport implementations are aware
of the fact that they're wrapping a container workload and even use
`rt.Deployer` to stop and restart the workload. This coupling makes it
hard to test the transport layer.

This is the first of a series of patches that aim to decouple the
transport layer from the underlying workload.

First of a series of PRs addressing #2429

Author: blkt

cmd/thv/app/proxy.go

@@ -253,8 +253,11 @@ func proxyCmdFunc(cmd *cobra.Command, args []string) error {
 
 	// Create the transparent proxy with middlewares
 	proxy := transparent.NewTransparentProxy(
-		proxyHost, port, serverName, proxyTargetURI,
-		nil, authInfoHandler,
+		proxyHost,
+		port,
+		proxyTargetURI,
+		nil,
+		authInfoHandler,
 		false,
 		false, // isRemote
 		"",

pkg/runner/runner.go

@@ -18,6 +18,7 @@ import (
 	"github.com/stacklok/toolhive/pkg/labels"
 	"github.com/stacklok/toolhive/pkg/logger"
 	"github.com/stacklok/toolhive/pkg/process"
+	"github.com/stacklok/toolhive/pkg/runtime"
 	"github.com/stacklok/toolhive/pkg/secrets"
 	"github.com/stacklok/toolhive/pkg/telemetry"
 	"github.com/stacklok/toolhive/pkg/transport"
@@ -137,11 +138,6 @@ func (r *Runner) Run(ctx context.Context) error {
 	// Set proxy mode for stdio transport
 	transportConfig.ProxyMode = r.Config.ProxyMode
 
-	transportHandler, err := transport.NewFactory().Create(transportConfig)
-	if err != nil {
-		return fmt.Errorf("failed to create transport: %v", err)
-	}
-
 	// Process secrets if provided (regular secrets or RemoteAuthConfig.ClientSecret in CLI format)
 	hasRegularSecrets := len(r.Config.Secrets) > 0
 	hasRemoteAuthSecret := r.Config.RemoteAuthConfig != nil && r.Config.RemoteAuthConfig.ClientSecret != ""
@@ -175,7 +171,48 @@ func (r *Runner) Run(ctx context.Context) error {
 	// Set up the transport
 	logger.Infof("Setting up %s transport...", r.Config.Transport)
 
-	// For remote MCP servers, set the remote URL on HTTP transports before setup
+	// Prepare transport options based on workload type
+	var transportOpts []transport.Option
+	var setupResult *runtime.SetupResult
+
+	if r.Config.RemoteURL == "" {
+		// For local workloads, deploy the container using runtime.Setup first
+		result, err := runtime.Setup(
+			ctx,
+			r.Config.Transport,
+			r.Config.Deployer,
+			r.Config.ContainerName,
+			r.Config.Image,
+			r.Config.CmdArgs,
+			r.Config.EnvVars,
+			r.Config.ContainerLabels,
+			r.Config.PermissionProfile,
+			r.Config.K8sPodTemplatePatch,
+			r.Config.IsolateNetwork,
+			r.Config.IgnoreConfig,
+			r.Config.Host,
+			r.Config.TargetPort,
+			r.Config.TargetHost,
+		)
+		if err != nil {
+			return fmt.Errorf("failed to set up workload: %v", err)
+		}
+		setupResult = result
+
+		// Configure the transport with the setup results using options
+		transportOpts = append(transportOpts, transport.WithContainerName(setupResult.ContainerName))
+		if setupResult.TargetURI != "" {
+			transportOpts = append(transportOpts, transport.WithTargetURI(setupResult.TargetURI))
+		}
+	}
+
+	// Create transport with options
+	transportHandler, err := transport.NewFactory().Create(transportConfig, transportOpts...)
+	if err != nil {
+		return fmt.Errorf("failed to create transport: %v", err)
+	}
+
+	// For remote MCP servers, set the remote URL on HTTP transports
 	if r.Config.RemoteURL != "" {
 		if httpTransport, ok := transportHandler.(interface{ SetRemoteURL(string) }); ok {
 			httpTransport.SetRemoteURL(r.Config.RemoteURL)
@@ -191,17 +228,6 @@ func (r *Runner) Run(ctx context.Context) error {
 		if httpTransport, ok := transportHandler.(interface{ SetTokenSource(oauth2.TokenSource) }); ok {
 			httpTransport.SetTokenSource(tokenSource)
 		}
-
-		// For remote workloads, we don't need a deployer
-		r.Config.Deployer = nil
-	}
-
-	if err := transportHandler.Setup(
-		ctx, r.Config.Deployer, r.Config.ContainerName, r.Config.Image, r.Config.CmdArgs,
-		r.Config.EnvVars, r.Config.ContainerLabels, r.Config.PermissionProfile, r.Config.K8sPodTemplatePatch,
-		r.Config.IsolateNetwork, r.Config.IgnoreConfig,
-	); err != nil {
-		return fmt.Errorf("failed to set up transport: %v", err)
 	}
 
 	// Start the transport (which also starts the container and monitoring)

pkg/runtime/setup.go

@@ -0,0 +1,145 @@
+// Package runtime provides workload deployment setup functionality
+// that was previously part of the transport package.
+package runtime
+
+import (
+	"context"
+	"fmt"
+
+	rt "github.com/stacklok/toolhive/pkg/container/runtime"
+	"github.com/stacklok/toolhive/pkg/ignore"
+	"github.com/stacklok/toolhive/pkg/logger"
+	"github.com/stacklok/toolhive/pkg/permissions"
+	"github.com/stacklok/toolhive/pkg/transport/types"
+)
+
+var transportEnvMap = map[types.TransportType]string{
+	types.TransportTypeSSE:            "sse",
+	types.TransportTypeStreamableHTTP: "streamable-http",
+	types.TransportTypeStdio:          "stdio",
+}
+
+// SetupResult contains the results of setting up a workload
+type SetupResult struct {
+	ContainerName string
+	TargetURI     string
+	TargetPort    int
+	TargetHost    string
+}
+
+// Setup prepares and deploys a workload for use with a transport.
+// The runtime parameter provides access to container operations.
+// The permissionProfile is used to configure container permissions (including network mode).
+// The k8sPodTemplatePatch is a JSON string to patch the Kubernetes pod template.
+// Returns the container name and target URI for configuring the transport.
+func Setup(
+	ctx context.Context,
+	transportType types.TransportType,
+	runtime rt.Deployer,
+	containerName string,
+	image string,
+	cmdArgs []string,
+	envVars, labels map[string]string,
+	permissionProfile *permissions.Profile,
+	k8sPodTemplatePatch string,
+	isolateNetwork bool,
+	ignoreConfig *ignore.Config,
+	host string,
+	targetPort int,
+	targetHost string,
+) (*SetupResult, error) {
+	// Add transport-specific environment variables
+	env, ok := transportEnvMap[transportType]
+	if !ok && transportType != types.TransportTypeStdio {
+		return nil, fmt.Errorf("unsupported transport type: %s", transportType)
+	}
+
+	// For stdio transport, env is already set above
+	if transportType == types.TransportTypeStdio {
+		envVars["MCP_TRANSPORT"] = "stdio"
+	} else {
+		envVars["MCP_TRANSPORT"] = env
+
+		// Use the target port for the container's environment variables
+		envVars["MCP_PORT"] = fmt.Sprintf("%d", targetPort)
+		envVars["FASTMCP_PORT"] = fmt.Sprintf("%d", targetPort)
+		envVars["MCP_HOST"] = targetHost
+	}
+
+	// Create workload options
+	containerOptions := rt.NewDeployWorkloadOptions()
+	containerOptions.K8sPodTemplatePatch = k8sPodTemplatePatch
+	containerOptions.IgnoreConfig = ignoreConfig
+
+	if transportType == types.TransportTypeStdio {
+		containerOptions.AttachStdio = true
+	} else {
+		// Expose the target port in the container
+		containerPortStr := fmt.Sprintf("%d/tcp", targetPort)
+		containerOptions.ExposedPorts[containerPortStr] = struct{}{}
+
+		// Create host port bindings (configurable through the --host flag)
+		portBindings := []rt.PortBinding{
+			{
+				HostIP:   host,
+				HostPort: fmt.Sprintf("%d", targetPort),
+			},
+		}
+
+		// Set the port bindings
+		containerOptions.PortBindings[containerPortStr] = portBindings
+	}
+
+	// Create the container
+	logger.Infof("Deploying workload %s from image %s...", containerName, image)
+	exposedPort, err := runtime.DeployWorkload(
+		ctx,
+		image,
+		containerName,
+		cmdArgs,
+		envVars,
+		labels,
+		permissionProfile,
+		transportType.String(),
+		containerOptions,
+		isolateNetwork,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create container: %v", err)
+	}
+	logger.Infof("Container created: %s", containerName)
+
+	result := &SetupResult{
+		ContainerName: containerName,
+		TargetHost:    targetHost,
+		TargetPort:    targetPort,
+	}
+
+	// For stdio transport, there's no target URI
+	if transportType == types.TransportTypeStdio {
+		result.TargetURI = ""
+	} else {
+		// Update target host and port if needed (for Kubernetes)
+		if (transportType == types.TransportTypeSSE || transportType == types.TransportTypeStreamableHTTP) && rt.IsKubernetesRuntime() {
+			// If the SSEHeadlessServiceName is set, use it as the target host
+			if containerOptions.SSEHeadlessServiceName != "" {
+				result.TargetHost = containerOptions.SSEHeadlessServiceName
+			}
+		}
+
+		// we don't want to override the targetPort in a Kubernetes deployment. Because
+		// by default the Kubernetes container deployer returns `0` for the exposedPort
+		// therefore causing the "target port not set" error when it is assigned to the targetPort.
+		// Issues:
+		// - https://github.com/stacklok/toolhive/issues/902
+		// - https://github.com/stacklok/toolhive/issues/924
+		if !rt.IsKubernetesRuntime() {
+			result.TargetPort = exposedPort
+		}
+
+		// Construct target URI
+		result.TargetURI = fmt.Sprintf("http://%s:%d", result.TargetHost, result.TargetPort)
+	}
+
+	return result, nil
+}

pkg/transport/factory.go

@@ -15,18 +15,42 @@ func NewFactory() *Factory {
 	return &Factory{}
 }
 
+// Option is a function that configures a transport
+type Option func(types.Transport) error
+
+// WithContainerName returns an option that sets the container name on a transport
+func WithContainerName(containerName string) Option {
+	return func(t types.Transport) error {
+		if setter, ok := t.(interface{ setContainerName(string) }); ok {
+			setter.setContainerName(containerName)
+		}
+		return nil
+	}
+}
+
+// WithTargetURI returns an option that sets the target URI on a transport
+func WithTargetURI(targetURI string) Option {
+	return func(t types.Transport) error {
+		if setter, ok := t.(interface{ setTargetURI(string) }); ok {
+			setter.setTargetURI(targetURI)
+		}
+		return nil
+	}
+}
+
 // Create creates a transport based on the provided configuration
-func (*Factory) Create(config types.Config) (types.Transport, error) {
+func (*Factory) Create(config types.Config, opts ...Option) (types.Transport, error) {
+	var tr types.Transport
+
 	switch config.Type {
 	case types.TransportTypeStdio:
-		tr := NewStdioTransport(
+		tr = NewStdioTransport(
 			config.Host, config.ProxyPort, config.Deployer, config.Debug, config.TrustProxyHeaders,
 			config.PrometheusHandler, config.Middlewares...,
 		)
-		tr.SetProxyMode(config.ProxyMode)
-		return tr, nil
+		tr.(*StdioTransport).SetProxyMode(config.ProxyMode)
 	case types.TransportTypeSSE:
-		return NewHTTPTransport(
+		tr = NewHTTPTransport(
 			types.TransportTypeSSE,
 			config.Host,
 			config.ProxyPort,
@@ -37,9 +61,9 @@ func (*Factory) Create(config types.Config) (types.Transport, error) {
 			config.AuthInfoHandler,
 			config.PrometheusHandler,
 			config.Middlewares...,
-		), nil
+		)
 	case types.TransportTypeStreamableHTTP:
-		return NewHTTPTransport(
+		tr = NewHTTPTransport(
 			types.TransportTypeStreamableHTTP,
 			config.Host,
 			config.ProxyPort,
@@ -50,11 +74,20 @@ func (*Factory) Create(config types.Config) (types.Transport, error) {
 			config.AuthInfoHandler,
 			config.PrometheusHandler,
 			config.Middlewares...,
-		), nil
+		)
 	case types.TransportTypeInspector:
 		// HTTP transport is not implemented yet
 		return nil, errors.ErrUnsupportedTransport
 	default:
 		return nil, errors.ErrUnsupportedTransport
 	}
+
+	// Apply options to the transport
+	for _, opt := range opts {
+		if err := opt(tr); err != nil {
+			return nil, err
+		}
+	}
+
+	return tr, nil
 }