diff --git a/cmd/bridge/main.go b/cmd/bridge/main.go index 0f097229156..0fc51919580 100644 --- a/cmd/bridge/main.go +++ b/cmd/bridge/main.go @@ -305,7 +305,7 @@ func main() { k8sAuthServiceAccountBearerToken = string(bearerToken) - // If running in an OpenShift cluster, set up a proxy to the prometheus-k8s serivce running in the openshift-monitoring namespace. + // If running in an OpenShift cluster, set up a proxy to the prometheus-k8s service running in the openshift-monitoring namespace. if *fServiceCAFile != "" { serviceCertPEM, err := ioutil.ReadFile(*fServiceCAFile) if err != nil { @@ -344,6 +344,7 @@ func main() { HeaderBlacklist: []string{"Cookie", "X-CSRFToken"}, Endpoint: &url.URL{Scheme: "https", Host: openshiftMeteringHost, Path: "/api"}, } + srv.TerminalProxyTLSConfig = serviceProxyTLSConfig } case "off-cluster": @@ -401,6 +402,8 @@ func main() { } } + srv.TerminalProxyTLSConfig = serviceProxyTLSConfig + default: bridge.FlagFatalf("k8s-mode", "must be one of: in-cluster, off-cluster") } diff --git a/pkg/server/server.go b/pkg/server/server.go index 51c443c9a99..100cb19012a 100644 --- a/pkg/server/server.go +++ b/pkg/server/server.go @@ -1,6 +1,7 @@ package server import ( + "crypto/tls" "fmt" "html/template" "io" @@ -98,6 +99,7 @@ type Server struct { ThanosTenancyProxyConfig *proxy.Config AlertManagerProxyConfig *proxy.Config MeteringProxyConfig *proxy.Config + TerminalProxyTLSConfig *tls.Config // A lister for resource listing of a particular kind MonitoringDashboardConfigMapLister ResourceLister KnativeEventSourceCRDLister ResourceLister 
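Review bot: In the in-cluster case `srv.TerminalProxyTLSConfig = serviceProxyTLSConfig` sits inside the `if *fServiceCAFile != "" {` block, so when no service CA file is supplied the field stays nil and `terminal.NewProxy` ends up with a transport using Go's default TLS settings (system roots), which will typically not verify a service-CA-signed workspace certificate. That matches what the old per-request `http.Client{}` did, so it fails closed rather than open, but it is an easy misconfiguration to miss at runtime. Consider a startup warning with the file's existing logger when the terminal proxy is left without a service CA, and a comment at the assignment such as `// Terminal workspace traffic is verified against the service CA; leaving this nil falls back to system roots.`. The `main` function and the rest of the in-cluster branch are outside this hunk.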
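Review bot: The off-cluster assignment `srv.TerminalProxyTLSConfig = serviceProxyTLSConfig` reuses whatever TLS config that branch built for the other service proxies, and how that config is constructed is outside this hunk; if it is ever built with `InsecureSkipVerify` for local development, that now also disables certificate verification for connections carrying user tokens to terminal workspaces. Worth stating the expectation at the assignment, e.g. `// Shares the service-CA trust used by the monitoring/metering proxies; must verify, never InsecureSkipVerify.`, and confirming in review that the off-cluster `serviceProxyTLSConfig` really verifies against the service CA.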
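Review bot: The new exported field `TerminalProxyTLSConfig *tls.Config` on `Server` has no doc comment, and its nil semantics matter because `terminal.NewProxy` passes it straight into an `http.Transport`, where nil means Go's default client TLS behaviour (system roots). Suggest `// TerminalProxyTLSConfig is the client TLS config used when proxying to terminal workspace services in the cluster. A nil value falls back to the transport default (system roots), which will typically not trust service-CA-signed certificates.` The `Server` struct definition starts and ends outside this hunk.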
@@ -221,12 +223,12 @@ func (s *Server) HTTPHandler() http.Handler { })), ) - terminalProxy := &terminal.Proxy{ - TLSClientConfig: s.K8sProxyConfig.TLSClientConfig, - ClusterEndpoint: s.K8sProxyConfig.Endpoint, - } - handle(terminal.ProxyEndpoint, authHandlerWithUser(terminalProxy.HandleProxy)) + terminalProxy := terminal.NewProxy( + s.TerminalProxyTLSConfig, + s.K8sProxyConfig.TLSClientConfig, + s.K8sProxyConfig.Endpoint) + handle(terminal.ProxyEndpoint, authHandlerWithUser(terminalProxy.HandleProxy)) handleFunc(terminal.AvailableEndpoint, terminalProxy.HandleProxyEnabled) if s.prometheusProxyEnabled() { diff --git a/pkg/terminal/proxy.go b/pkg/terminal/proxy.go index 46852350651..4bb75d27653 100644 --- a/pkg/terminal/proxy.go +++ b/pkg/terminal/proxy.go @@ -11,10 +11,11 @@ import ( "strings" "time" - "github.com/openshift/console/pkg/auth" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime/schema" + + "github.com/openshift/console/pkg/auth" ) const ( @@ -30,8 +31,21 @@ const ( // Proxy provides handlers to handle terminal related requests type Proxy struct { - TLSClientConfig *tls.Config - ClusterEndpoint *url.URL + // A client with the correct TLS setup for communicating with servers withing cluster. + workspaceHttpClient *http.Client + TLSClientConfig *tls.Config + ClusterEndpoint *url.URL +} + +func NewProxy(serviceTLS *tls.Config, TLSClientConfig *tls.Config, clusterEndpoint *url.URL) *Proxy { + return &Proxy{ + workspaceHttpClient: &http.Client{ + Timeout: 10 * time.Second, + Transport: &http.Transport{TLSClientConfig: serviceTLS}, + }, + TLSClientConfig: TLSClientConfig, + ClusterEndpoint: clusterEndpoint, + } } var ( 
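Review bot: The `handle(terminal.ProxyEndpoint, authHandlerWithUser(terminalProxy.HandleProxy))` line is deleted and re-added byte-identical, which adds noise to the diff and to `git blame`; only the `terminal.NewProxy(...)` construction needs to change. While here, a one-line comment above the constructor would help the next reader: `// TerminalProxyTLSConfig may be nil; NewProxy then uses the transport's default TLS settings.` The visible `handleFunc(terminal.AvailableEndpoint, terminalProxy.HandleProxyEnabled)` is registered without `authHandlerWithUser` and is pre-existing, so it is presumably intended to be unauthenticated; worth a comment saying so. `HTTPHandler` starts and ends outside this hunk.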
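Review bot: `NewProxy` builds a bare `&http.Transport{TLSClientConfig: serviceTLS}`, which unlike `http.DefaultTransport` (what the old per-request `http.Client{Timeout: ...}` used) has no dial or TLS-handshake timeouts, no `IdleConnTimeout`, and does not honour `HTTP(S)_PROXY`/`NO_PROXY`; the 10s `Client.Timeout` bounds each request, but idle pooled connections to workspaces are never reaped. Prefer cloning the defaults and overriding only TLS: `tr := http.DefaultTransport.(*http.Transport).Clone()` followed by `tr.TLSClientConfig = serviceTLS` (`Clone` needs Go 1.13+; the module's Go version is not visible here). Also, by Go initialism convention the field should be `workspaceHTTPClient` and the parameter `TLSClientConfig` should be lower-case (`tlsClientConfig`), and the field comment has a typo: `withing` → `within`. The `var (` block that closes this hunk continues outside it.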
@@ -140,6 +154,8 @@ func (p *Proxy) HandleProxy(user *auth.User, w http.ResponseWriter, r *http.Requ p.handleExecInit(terminalHost, user.Token, r, w) } else if path == WorkspaceActivityEndpoint { p.handleActivity(terminalHost, user.Token, w) + } else { + http.Error(w, "Unknown path", http.StatusForbidden) } } @@ -233,10 +249,7 @@ func (p *Proxy) getBaseTerminalHost(ws *unstructured.Unstructured) (*url.URL, er } func (p *Proxy) proxyToWorkspace(wkspReq *http.Request, w http.ResponseWriter) { - client := &http.Client{ - Timeout: 10 * time.Second, - } - wkspResp, err := client.Do(wkspReq) + wkspResp, err := p.workspaceHttpClient.Do(wkspReq) if err != nil { http.Error(w, "Failed to proxy request. Cause: "+err.Error(), http.StatusInternalServerError) return
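Review bot: The new fail-closed `else` branch in `HandleProxy` answers an unknown sub-path with `http.StatusForbidden`, which tells a probing client the path is recognised but denied; `http.NotFound(w, r)` (404) is the accurate response for a path the proxy does not serve, and the body should stay as generic as it is now. Rejecting unknown paths explicitly is the right default, and with three branches a `switch path { ... default: http.NotFound(w, r) }` would also read better than the growing if/else chain. `HandleProxy`'s signature and earlier body are outside this hunk.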
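Review bot: Switching to the shared `p.workspaceHttpClient.Do(wkspReq)` is the right move (one pooled client instead of one per request), but the error branch directly below still writes `err.Error()` into the 500 response body (`"Failed to proxy request. Cause: "+err.Error()`), which exposes internal workspace hostnames and dial/TLS failure details to the browser. Log the cause server-side and return a generic message, e.g. `http.Error(w, "Failed to proxy request to workspace", http.StatusInternalServerError)`. The response handling of `proxyToWorkspace` continues outside this hunk.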