diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go index e630b3387ecfa..1ae68a6d52de9 100644 --- a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go +++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go @@ -163,10 +163,9 @@ func (r *proxyHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) { proxyRoundTripper = transport.NewAuthProxyRoundTripper(user.GetName(), user.GetGroups(), user.GetExtra(), proxyRoundTripper) - // if we are upgrading, then the upgrade path tries to use this request with the TLS config we provide, but it does - // NOT use the roundtripper. Its a direct call that bypasses the round tripper. This means that we have to - // attach the "correct" user headers to the request ahead of time. After the initial upgrade, we'll be back - // at the roundtripper flow, so we only have to muck with this request, but we do have to do it. + // If we are upgrading, then the upgrade path tries to use this request with the TLS config we provide, but it does + // NOT use the proxyRoundTripper. It's a direct dial that bypasses the proxyRoundTripper. This means that we have to + // attach the "correct" user headers to the request ahead of time. if upgrade { transport.SetAuthProxyHeaders(newReq, user.GetName(), user.GetGroups(), user.GetExtra()) } diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go index 12c63adfa80be..26348cbfbdd1a 100644 --- a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go +++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go @@ -370,6 +370,7 @@ func newBrokenDialerAndSelector() (*mockEgressDialer, *egressselector.EgressSele } func TestProxyUpgrade(t *testing.T) { + upgradeUser := "upgradeUser" testcases := map[string]struct { APIService *apiregistration.APIService NewEgressSelector func() (*mockEgressDialer, *egressselector.EgressSelector) @@ -474,6 +475,11 @@ func TestProxyUpgrade(t *testing.T) { backendHandler.Handle(path, websocket.Handler(func(ws *websocket.Conn) { atomic.AddInt32(×Called, 1) defer ws.Close() + req := ws.Request() + user := req.Header.Get("X-Remote-User") + if user != upgradeUser { + t.Errorf("expected user %q, got %q", upgradeUser, user) + } body := make([]byte, 5) ws.Read(body) ws.Write([]byte("hello " + string(body))) @@ -510,7 +516,7 @@ func TestProxyUpgrade(t *testing.T) { } proxyHandler.updateAPIService(tc.APIService) - aggregator := httptest.NewServer(contextHandler(proxyHandler, &user.DefaultInfo{Name: "username"})) + aggregator := httptest.NewServer(contextHandler(proxyHandler, &user.DefaultInfo{Name: upgradeUser})) defer aggregator.Close() ws, err := websocket.Dial("ws://"+aggregator.Listener.Addr().String()+path, "", "http://127.0.0.1/")