Revert "the http2RoundTripper should only use http2"

This reverts commit 03f19da21c.
This commit is contained in:
Joshua Casey 2022-12-21 10:41:04 -06:00
parent d213a25eb5
commit 6880c029f0
2 changed files with 3 additions and 56 deletions

View File

@ -472,7 +472,7 @@ func newImpersonationReverseProxyFunc(restConfig *rest.Config) (func(*genericapi
return nil, fmt.Errorf("could not get http/1.1 anonymous round tripper: %w", err)
}
http2RoundTripper, err := getTransportForProtocol(restConfig, "h2")
http2RoundTripper, err := getTransportForProtocol(restConfig, "h2") // TODO figure out why this leads to still supporting http1
if err != nil {
return nil, fmt.Errorf("could not get http/2.0 round tripper: %w", err)
}
@ -812,15 +812,6 @@ func getTransportForProtocol(restConfig *rest.Config, protocol string) (http.Rou
return nil, fmt.Errorf("could not build transport: %w", err)
}
// For clients that support http2, transport.New calls http2.ConfigureTransports,
// which configures with both h2 and http/1.1,
// even when you explicitly only ask for h2.
// Override that change.
cfg, err := utilnet.TLSClientConfig(rt)
if err != nil {
return nil, fmt.Errorf("could not extract TLS config: %w", err)
}
cfg.NextProtos = []string{protocol}
if err := kubeclient.AssertSecureTransport(rt); err != nil {
return nil, err // make sure we only use a secure TLS config
}

View File

@ -5,8 +5,6 @@ package impersonator
import (
"context"
"crypto/tls"
"crypto/x509"
"fmt"
"math/rand"
"net"
@ -703,28 +701,7 @@ func TestImpersonator(t *testing.T) {
testKubeAPIServerWasCalled := false
var testKubeAPIServerSawHeaders http.Header
testKubeAPIServer := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
tlsConfigFunc := func(rootCAs *x509.CertPool) *tls.Config {
// Requests to get configmaps, flowcontrol requests, and healthz requests
// are not done by our http round trippers that specify only one protocol
// (either http1.1 or http2, not both).
// For all other requests from the impersonator, if it is not an upgrade
// request it should only be using http2.
// If it is an upgrade request it should only be using http1.1, but that
// is covered by the AssertTLS function.
secure := ptls.Secure(rootCAs)
switch r.URL.Path {
case "/api/v1/namespaces/kube-system/configmaps",
"/apis/flowcontrol.apiserver.k8s.io/v1beta2/prioritylevelconfigurations",
"/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas",
"/healthz":
default:
if !httpstream.IsUpgradeRequest(r) {
secure.NextProtos = []string{secure.NextProtos[0]}
}
}
return secure
}
tlsserver.AssertTLS(t, r, tlsConfigFunc)
tlsserver.AssertTLS(t, r, ptls.Secure)
switch r.URL.Path {
case "/api/v1/namespaces/kube-system/configmaps":
@ -1803,28 +1780,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
testKubeAPIServerWasCalled := false
testKubeAPIServerSawHeaders := http.Header{}
testKubeAPIServer := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
tlsConfigFunc := func(rootCAs *x509.CertPool) *tls.Config {
// Requests to get configmaps, flowcontrol requests, and healthz requests
// are not done by our http round trippers that specify only one protocol
// (either http1.1 or http2, not both).
// For all other requests from the impersonator, if it is not an upgrade
// request it should only be using http2.
// If it is an upgrade request it should only be using http1.1, but that
// is covered by the AssertTLS function.
secure := ptls.Secure(rootCAs)
switch r.URL.Path {
case "/api/v1/namespaces/kube-system/configmaps",
"/apis/flowcontrol.apiserver.k8s.io/v1beta2/prioritylevelconfigurations",
"/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas",
"/healthz":
default:
if !httpstream.IsUpgradeRequest(r) {
secure.NextProtos = []string{secure.NextProtos[0]}
}
}
return secure
}
tlsserver.AssertTLS(t, r, tlsConfigFunc)
tlsserver.AssertTLS(t, r, ptls.Secure)
testKubeAPIServerWasCalled = true
testKubeAPIServerSawHeaders = r.Header