-
-
Notifications
You must be signed in to change notification settings - Fork 320
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature-flagged support for socks5
proxy in Client
#1311
Conversation
Signed-off-by: Razz4780 <msmolarekg@gmail.com>
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #1311 +/- ##
=======================================
- Coverage 72.4% 72.1% -0.2%
=======================================
Files 75 75
Lines 6352 6377 +25
=======================================
+ Hits 4595 4597 +2
- Misses 1757 1780 +23
|
Haven't looked into the implementation yet, but in theory this is a +1 from me.
A connection URL doesn't mean the same thing if a proxy is involved, so IMO it's invalid to just ignore the proxy address if the feature is enabled. If we don't support the protocol required to access the service then that should be a hardfail, just like you wouldn't silently downgrade a HTTPS request to HTTP. |
That's true, thanks. I wanted to preserve the current behavior in case the new feature is disabled, but probably this is somehting we should check |
socks5
proxy in Client
Had a quick look at this. I think in general this looks sensible. While the hyper-socks2 library does not receive a lot of attention, it also is not big. I am getting some errors actually using it with a server that has proxy though:
on a config kind of like: - cluster:
certificate-authority-data: ...
proxy-url: socks5://0.0.0.0:3126
server: https://127.0.0.1:6443
name: myproxy which is socks5 proxied over ssh (in ~/.ssh/config):
which works with haven't dug in too deep yet. |
By default OpenSSH will only bind I'm more surprised that it worked with kubectl... |
i think that's just 0.0.0.0 as the default route is just 127.0.0.1 for me. either way, the outcome is the same for both kubectl and kube. |
Signed-off-by: Eirik A <sszynrae@gmail.com>
Ok, apologies, I did some digging and found the reason it is not working; the Do you mind applying this diff: diff --git a/examples/Cargo.toml b/examples/Cargo.toml
index 2224fe7..5e95e5c 100644
--- a/examples/Cargo.toml
+++ b/examples/Cargo.toml
@@ -14,11 +14,12 @@ license = "Apache-2.0"
release = false
[features]
-default = ["rustls-tls", "kubederive", "ws", "latest", "runtime", "refresh"]
+default = ["rustls-tls", "kubederive", "ws", "latest", "socks5", "runtime", "refresh"]
kubederive = ["kube/derive"]
openssl-tls = ["kube/client", "kube/openssl-tls"]
rustls-tls = ["kube/client", "kube/rustls-tls"]
runtime = ["kube/runtime", "kube/unstable-runtime"]
+socks5 = ["kube/socks5"]
refresh = ["kube/oauth", "kube/oidc"]
ws = ["kube/ws"]
latest = ["k8s-openapi/latest"] then it's a 👍 from me as well. |
Signed-off-by: Razz4780 <msmolarekg@gmail.com>
Does this impl also support the http_proxy env vars? |
currently this only supports socks5. the it probably makes sense long term to add another feature that handles http proxying so we could switch on the protocol depending on failure modes encountered for https_proxy with the |
Closes #1270
Motivation
kubectl
supports using SOCKS5 proxy viaproxy-url
property in the kubeconfig. Inkube-client
, this property is only parsed into theConfig
struct and never used.Solution
Added
hyper-socks2
dependency to use a differentHttpConnector
when creating theClientBuilder
. Had to move most of theTryFrom<Config>
forClientBuilder
implementation into a separate generic function and add generic parameters to some tls-related traits.New logic is hidden behind the
socks5
feature. If the feature is disabled,proxy-url
is ignored (as was before this change).Tested manually on a
minikube
cluster using this plugin.