Propagate service TLS config for terminal proxy

cmd/bridge/main.go

@@ -305,7 +305,7 @@ func main() {
 
  k8sAuthServiceAccountBearerToken = string(bearerToken)
 
- // If running in an OpenShift cluster, set up a proxy to the prometheus-k8s serivce running in the openshift-monitoring namespace.
+ // If running in an OpenShift cluster, set up a proxy to the prometheus-k8s service running in the openshift-monitoring namespace.
  if *fServiceCAFile != "" {
  serviceCertPEM, err := ioutil.ReadFile(*fServiceCAFile)
  if err != nil {
@@ -344,6 +344,7 @@ func main() {
  HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
  Endpoint: &url.URL{Scheme: "https", Host: openshiftMeteringHost, Path: "/api"},
  }
+ srv.TerminalProxyTLSConfig = serviceProxyTLSConfig
  }
 
  case "off-cluster":
@@ -401,6 +402,8 @@ func main() {
  }
  }
 
+ srv.TerminalProxyTLSConfig = serviceProxyTLSConfig
+
  default:
  bridge.FlagFatalf("k8s-mode", "must be one of: in-cluster, off-cluster")
  }

pkg/server/server.go

@@ -1,6 +1,7 @@
 package server
 
 import (
+ "crypto/tls"
  "fmt"
  "html/template"
  "io"
@@ -98,6 +99,7 @@ type Server struct {
  ThanosTenancyProxyConfig *proxy.Config
  AlertManagerProxyConfig *proxy.Config
  MeteringProxyConfig *proxy.Config
+ TerminalProxyTLSConfig *tls.Config
  // A lister for resource listing of a particular kind
  MonitoringDashboardConfigMapLister ResourceLister
  KnativeEventSourceCRDLister ResourceLister
@@ -221,12 +223,12 @@ func (s *Server) HTTPHandler() http.Handler {
  })),
  )
 
- terminalProxy := &terminal.Proxy{
- TLSClientConfig: s.K8sProxyConfig.TLSClientConfig,
- ClusterEndpoint: s.K8sProxyConfig.Endpoint,
- }
- handle(terminal.ProxyEndpoint, authHandlerWithUser(terminalProxy.HandleProxy))
+ terminalProxy := terminal.NewProxy(
+ s.TerminalProxyTLSConfig,
+ s.K8sProxyConfig.TLSClientConfig,
+ s.K8sProxyConfig.Endpoint)
 
+ handle(terminal.ProxyEndpoint, authHandlerWithUser(terminalProxy.HandleProxy))
  handleFunc(terminal.AvailableEndpoint, terminalProxy.HandleProxyEnabled)
 
  if s.prometheusProxyEnabled() {

pkg/terminal/proxy.go

@@ -11,10 +11,11 @@ import (
  "strings"
  "time"
 
- "github.com/openshift/console/pkg/auth"
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
  "k8s.io/apimachinery/pkg/runtime/schema"
+
+ "github.com/openshift/console/pkg/auth"
 )
 
 const (
@@ -30,8 +31,21 @@ const (
 
 // Proxy provides handlers to handle terminal related requests
 type Proxy struct {
- TLSClientConfig *tls.Config
- ClusterEndpoint *url.URL
+ // A client with the correct TLS setup for communicating with servers withing cluster.
+ workspaceHttpClient *http.Client
+ TLSClientConfig *tls.Config
+ ClusterEndpoint *url.URL
+}
+
+func NewProxy(serviceTLS *tls.Config, TLSClientConfig *tls.Config, clusterEndpoint *url.URL) *Proxy {
+ return &Proxy{
+ workspaceHttpClient: &http.Client{
+ Timeout: 10 * time.Second,
+ Transport: &http.Transport{TLSClientConfig: serviceTLS},
+ },
+ TLSClientConfig: TLSClientConfig,
+ ClusterEndpoint: clusterEndpoint,
+ }
 }
 
 var (
@@ -140,6 +154,8 @@ func (p *Proxy) HandleProxy(user *auth.User, w http.ResponseWriter, r *http.Requ
  p.handleExecInit(terminalHost, user.Token, r, w)
  } else if path == WorkspaceActivityEndpoint {
  p.handleActivity(terminalHost, user.Token, w)
+ } else {
+ http.Error(w, "Unknown path", http.StatusForbidden)
  }
 }
 
@@ -233,10 +249,7 @@ func (p *Proxy) getBaseTerminalHost(ws *unstructured.Unstructured) (*url.URL, er
 }
 
 func (p *Proxy) proxyToWorkspace(wkspReq *http.Request, w http.ResponseWriter) {
- client := &http.Client{
- Timeout: 10 * time.Second,
- }
- wkspResp, err := client.Do(wkspReq)
+ wkspResp, err := p.workspaceHttpClient.Do(wkspReq)
  if err != nil {
  http.Error(w, "Failed to proxy request. Cause: "+err.Error(), http.StatusInternalServerError)
  return