Revert "the http2RoundTripper should only use http2"

This reverts commit 03f19da21c.
Joshua Casey 2022-12-21 10:41:04 -06:00
parent d213a25eb5
commit 6880c029f0
2 changed files with 3 additions and 56 deletions


@ -472,7 +472,7 @@ func newImpersonationReverseProxyFunc(restConfig *rest.Config) (func(*genericapi
return nil, fmt.Errorf("could not get http/1.1 anonymous round tripper: %w", err) return nil, fmt.Errorf("could not get http/1.1 anonymous round tripper: %w", err)
} }
http2RoundTripper, err := getTransportForProtocol(restConfig, "h2") http2RoundTripper, err := getTransportForProtocol(restConfig, "h2") // TODO figure out why this leads to still supporting http1
if err != nil { if err != nil {
return nil, fmt.Errorf("could not get http/2.0 round tripper: %w", err) return nil, fmt.Errorf("could not get http/2.0 round tripper: %w", err)
} }
@ -812,15 +812,6 @@ func getTransportForProtocol(restConfig *rest.Config, protocol string) (http.Rou
return nil, fmt.Errorf("could not build transport: %w", err) return nil, fmt.Errorf("could not build transport: %w", err)
} }
// For clients that support http2, transport.New calls http2.ConfigureTransports,
// which configures with both h2 and http/1.1,
// even when you explicitly only ask for h2.
// Override that change.
cfg, err := utilnet.TLSClientConfig(rt)
if err != nil {
return nil, fmt.Errorf("could not extract TLS config: %w", err)
}
cfg.NextProtos = []string{protocol}
if err := kubeclient.AssertSecureTransport(rt); err != nil { if err := kubeclient.AssertSecureTransport(rt); err != nil {
return nil, err // make sure we only use a secure TLS config return nil, err // make sure we only use a secure TLS config
} }
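Review bot: The restored `// TODO figure out why this leads to still supporting http1` on the `getTransportForProtocol(restConfig, "h2")` line asks a question the lines this revert removes had already answered: per the reverted comment, transport.New calls http2.ConfigureTransports, which advertises both h2 and http/1.1 in ALPN even when only h2 is requested. With the `cfg.NextProtos = []string{protocol}` override gone, the `protocol` argument of getTransportForProtocol apparently no longer narrows the negotiated ALPN list, so a reader of newImpersonationReverseProxyFunc should not assume the "h2" round tripper is HTTP/2-only; whether any other part of the function honors `protocol` is outside the hunk. I would replace the TODO with a comment that records the known cause and the current guarantee, e.g. `// NOTE: transport.New runs http2.ConfigureTransports, which advertises both h2 and http/1.1 via ALPN; this round tripper may therefore still negotiate HTTP/1.1 (the h2-only override was reverted).` Both newImpersonationReverseProxyFunc and getTransportForProtocol start and end outside these hunks.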


@ -5,8 +5,6 @@ package impersonator
import ( import (
"context" "context"
"crypto/tls"
"crypto/x509"
"fmt" "fmt"
"math/rand" "math/rand"
"net" "net"
@ -703,28 +701,7 @@ func TestImpersonator(t *testing.T) {
testKubeAPIServerWasCalled := false testKubeAPIServerWasCalled := false
var testKubeAPIServerSawHeaders http.Header var testKubeAPIServerSawHeaders http.Header
testKubeAPIServer := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { testKubeAPIServer := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
tlsConfigFunc := func(rootCAs *x509.CertPool) *tls.Config { tlsserver.AssertTLS(t, r, ptls.Secure)
// Requests to get configmaps, flowcontrol requests, and healthz requests
// are not done by our http round trippers that specify only one protocol
// (either http1.1 or http2, not both).
// For all other requests from the impersonator, if it is not an upgrade
// request it should only be using http2.
// If it is an upgrade request it should only be using http1.1, but that
// is covered by the AssertTLS function.
secure := ptls.Secure(rootCAs)
switch r.URL.Path {
case "/api/v1/namespaces/kube-system/configmaps",
"/apis/flowcontrol.apiserver.k8s.io/v1beta2/prioritylevelconfigurations",
"/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas",
"/healthz":
default:
if !httpstream.IsUpgradeRequest(r) {
secure.NextProtos = []string{secure.NextProtos[0]}
}
}
return secure
}
tlsserver.AssertTLS(t, r, tlsConfigFunc)
switch r.URL.Path { switch r.URL.Path {
case "/api/v1/namespaces/kube-system/configmaps": case "/api/v1/namespaces/kube-system/configmaps":
@ -1803,28 +1780,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
testKubeAPIServerWasCalled := false testKubeAPIServerWasCalled := false
testKubeAPIServerSawHeaders := http.Header{} testKubeAPIServerSawHeaders := http.Header{}
testKubeAPIServer := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { testKubeAPIServer := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
tlsConfigFunc := func(rootCAs *x509.CertPool) *tls.Config { tlsserver.AssertTLS(t, r, ptls.Secure)
// Requests to get configmaps, flowcontrol requests, and healthz requests
// are not done by our http round trippers that specify only one protocol
// (either http1.1 or http2, not both).
// For all other requests from the impersonator, if it is not an upgrade
// request it should only be using http2.
// If it is an upgrade request it should only be using http1.1, but that
// is covered by the AssertTLS function.
secure := ptls.Secure(rootCAs)
switch r.URL.Path {
case "/api/v1/namespaces/kube-system/configmaps",
"/apis/flowcontrol.apiserver.k8s.io/v1beta2/prioritylevelconfigurations",
"/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas",
"/healthz":
default:
if !httpstream.IsUpgradeRequest(r) {
secure.NextProtos = []string{secure.NextProtos[0]}
}
}
return secure
}
tlsserver.AssertTLS(t, r, tlsConfigFunc)
testKubeAPIServerWasCalled = true testKubeAPIServerWasCalled = true
testKubeAPIServerSawHeaders = r.Header testKubeAPIServerSawHeaders = r.Header
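Review bot: After the revert, `tlsserver.AssertTLS(t, r, ptls.Secure)` in both test servers accepts whichever ALPN protocol the impersonator negotiated, so the tests no longer distinguish an HTTP/2 request from an HTTP/1.1 one for non-upgrade paths; a future change that silently drops to HTTP/1.1 on the h2 round tripper would pass unnoticed. Since the per-path protocol assertions were removed deliberately, I would make that explicit next to each AssertTLS call so nobody later mistakes the weaker check for coverage, e.g. `// AssertTLS checks the ptls.Secure profile only; per-request ALPN (h2 vs http/1.1) assertions were reverted and are not enforced here.` TestImpersonator and TestImpersonatorHTTPHandler both start and end outside these hunks.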