diff --git a/pkg/apiserver/filters/kubeapiserver.go b/pkg/apiserver/filters/kubeapiserver.go index 72be1cc00..5905d4357 100644 --- a/pkg/apiserver/filters/kubeapiserver.go +++ b/pkg/apiserver/filters/kubeapiserver.go @@ -1,6 +1,7 @@ package filters import ( + "k8s.io/apimachinery/pkg/util/net" "k8s.io/apimachinery/pkg/util/proxy" "k8s.io/apiserver/pkg/endpoints/handlers/responsewriters" "k8s.io/client-go/rest" @@ -20,6 +21,16 @@ func WithKubeAPIServer(handler http.Handler, config *rest.Config, failed proxy.E return handler } + tlsConfig, err := net.TLSClientConfig(defaultTransport) + if err != nil { + klog.V(5).Infof("Unable to unwrap transport %T to get at TLS config: %v", defaultTransport, err) + } + + // since http2 doesn't support websocket, we need to disable http2 when using websocket + if supportsHTTP11(tlsConfig.NextProtos) { + tlsConfig.NextProtos = []string{"http/1.1"} + } + return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { info, ok := request.RequestInfoFrom(req.Context()) if !ok { @@ -33,10 +44,9 @@ func WithKubeAPIServer(handler http.Handler, config *rest.Config, failed proxy.E s.Host = kubernetes.Host s.Scheme = kubernetes.Scheme - // Do not cover k8s client authorization header + // make sure we don't override kubernetes's authorization req.Header.Del("Authorization") httpProxy := proxy.NewUpgradeAwareHandler(&s, defaultTransport, true, false, failed) - httpProxy.UpgradeTransport = proxy.NewUpgradeRequestRoundTripper(defaultTransport, defaultTransport) httpProxy.ServeHTTP(w, req) return } @@ -44,3 +54,18 @@ func WithKubeAPIServer(handler http.Handler, config *rest.Config, failed proxy.E handler.ServeHTTP(w, req) }) } + +// copy from https://github.com/kubernetes/apimachinery/blob/master/pkg/util/proxy/dial.go +func supportsHTTP11(nextProtos []string) bool { + if len(nextProtos) == 0 { + return true + } + + for _, proto := range nextProtos { + if proto == "http/1.1" { + return true + } + } + + return false +} diff --git a/pkg/models/tenant/tenent_test.go b/pkg/models/tenant/tenent_test.go index 3468f30e4..a062b4ace 100644 --- a/pkg/models/tenant/tenent_test.go +++ b/pkg/models/tenant/tenent_test.go @@ -290,7 +290,7 @@ func prepare() Interface { k8sClient := fakek8s.NewSimpleClientset() istioClient := fakeistio.NewSimpleClientset() appClient := fakeapp.NewSimpleClientset() - fakeInformerFactory := informers.NewInformerFactories(k8sClient, ksClient, istioClient, appClient) + fakeInformerFactory := informers.NewInformerFactories(k8sClient, ksClient, istioClient, appClient, nil, nil) for _, workspace := range workspaces { fakeInformerFactory.KubeSphereSharedInformerFactory().Tenant().V1alpha1().