fix proxy bug (#2146)
This commit is contained in:
zryfish
@@ -39,6 +39,8 @@ import (
|
||||
const proxyURLFormat = "/api/v1/namespaces/kubesphere-system/services/:ks-apiserver:/proxy%s"
|
||||
|
||||
// Dispatcher defines how to forward request to designated cluster based on cluster name
|
||||
// This should only be used in host cluster when multicluster mode enabled, use in any other cases may cause
|
||||
// unexpected behavior
|
||||
type Dispatcher interface {
|
||||
Dispatch(w http.ResponseWriter, req *http.Request, handler http.Handler)
|
||||
}
|
||||
@@ -127,35 +129,32 @@ func (c *clusterDispatch) Dispatch(w http.ResponseWriter, req *http.Request, han
|
||||
|
||||
transport := http.DefaultTransport
|
||||
|
||||
// change request host to actually cluster hosts
|
||||
u := *req.URL
|
||||
u.Path = strings.Replace(u.Path, fmt.Sprintf("/clusters/%s", info.Cluster), "", 1)
|
||||
|
||||
// change request host to actually cluster hosts
|
||||
if info.IsKubernetesRequest {
|
||||
u.Host = innCluster.kubernetesURL.Host
|
||||
// if cluster connection is direct and kubesphere apiserver endpoint is empty
|
||||
// we use kube-apiserver proxy way
|
||||
if cluster.Spec.Connection.Type == clusterv1alpha1.ConnectionTypeDirect &&
|
||||
len(cluster.Spec.Connection.KubeSphereAPIEndpoint) == 0 {
|
||||
|
||||
u.Scheme = innCluster.kubernetesURL.Scheme
|
||||
u.Host = innCluster.kubernetesURL.Host
|
||||
u.Path = fmt.Sprintf(proxyURLFormat, u.Path)
|
||||
transport = innCluster.transport
|
||||
|
||||
// The reason we need this is kube-apiserver doesn't behave like a standard proxy, it will strip
|
||||
// authorization header of proxy requests. Use custom header to avoid stripping by kube-apiserver.
|
||||
// https://github.com/kubernetes/kubernetes/issues/38775#issuecomment-277915961
|
||||
// We first copy req.Header['Authorization'] to req.Header['X-KubeSphere-Authorization'] before sending
|
||||
// designated cluster kube-apiserver, then copy req.Header['X-KubeSphere-Authorization'] to
|
||||
// req.Header['Authorization'] before authentication.
|
||||
req.Header.Set("X-KubeSphere-Authorization", req.Header.Get("Authorization"))
|
||||
} else {
|
||||
// everything else goes to ks-apiserver, since our ks-apiserver has the ability to proxy kube-apiserver requests
|
||||
|
||||
u.Host = innCluster.kubesphereURL.Host
|
||||
u.Scheme = innCluster.kubesphereURL.Scheme
|
||||
|
||||
// if cluster connection is direct and kubesphere apiserver endpoint is empty
|
||||
// we use kube-apiserver proxy way
|
||||
if cluster.Spec.Connection.Type == clusterv1alpha1.ConnectionTypeDirect &&
|
||||
len(cluster.Spec.Connection.KubeSphereAPIEndpoint) == 0 {
|
||||
|
||||
u.Scheme = innCluster.kubernetesURL.Scheme
|
||||
u.Host = innCluster.kubernetesURL.Host
|
||||
u.Path = fmt.Sprintf(proxyURLFormat, u.Path)
|
||||
transport = innCluster.transport
|
||||
|
||||
// The reason we need this is kube-apiserver doesn't behave like a standard proxy, it will strip
|
||||
// authorization header of proxy requests. Use custom header to avoid stripping by kube-apiserver.
|
||||
// https://github.com/kubernetes/kubernetes/issues/38775#issuecomment-277915961
|
||||
// We first copy req.Header['Authorization'] to req.Header['X-KubeSphere-Authorization'] before sending
|
||||
// designated cluster kube-apiserver, then copy req.Header['X-KubeSphere-Authorization'] to
|
||||
// req.Header['Authorization'] before authentication.
|
||||
req.Header.Set("X-KubeSphere-Authorization", req.Header.Get("Authorization"))
|
||||
}
|
||||
}
|
||||
|
||||
httpProxy := proxy.NewUpgradeAwareHandler(&u, transport, false, false, c)
|
||||
|
||||
Reference in New Issue
Block a user