clusternet / clusternet

[CNCF Sandbox Project] Managing your Kubernetes clusters (including public, private, edge, etc.) as easily as visiting the Internet
https://clusternet.io
Apache License 2.0

clusternet proxy should not respond with 301 to ask the client to redirect #161

Closed leoryu closed 2 years ago

leoryu commented 2 years ago

What happened:

The default Go client enables the redirect function, but the clusternet proxy will respond with a 301 with an internal IP, which the client can't access.

What you expected to happen:

It should not respond with 301.

How to reproduce it (as minimally and precisely as possible):

```
curl -s -f -I -L -k https://{pub_IP}:6443/apis/proxies.clusternet.io/v1alpha1/sockets/xxxxxxxx/proxy/direct
```

Anything else we need to know?:

Environment:

dixudx commented 2 years ago

Yes, the Location here should be overwritten.

dixudx commented 2 years ago

@leoryu I've tested against kubectl; the above Location does not affect anything. You can follow this guide to construct a valid kubeconfig for the child cluster.

Normally the requests sent by client-go or kubectl are as follows:

https://10.0.0.10:6443/apis/proxies.clusternet.io/v1alpha1/sockets/e2f91251-5f05-46be-a130-bd318d242cb4/proxy/direct/api/v1/namespaces
https://10.0.0.10:6443/apis/proxies.clusternet.io/v1alpha1/sockets/e2f91251-5f05-46be-a130-bd318d242cb4/proxy/direct/apis

Clusternet will do a request upgrade for those requests.

It is fine to use client-go and kubectl.

leoryu commented 2 years ago

Yeah, client-go works well, but not an HTTP client. The following code will log an error if the code can't access Clusternet's internal IP:

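```go
package main

import (
    "crypto/tls"
    "log"
    "net"
    "net/http"
    "time"
)

func main() {
    // {pub_ip} is a placeholder for the public address of the parent cluster.
    url := "https://{pub_ip}:6443/apis/proxies.clusternet.io/v1alpha1/sockets/3167f275-1f8d-4f90-9c81-4703690ded4b/proxy/direct"
    // Use a dedicated client instead of mutating the shared http.DefaultClient.
    client := &http.Client{
        Transport: &http.Transport{
            DialContext: (&net.Dialer{
                Timeout: 5 * time.Second,
            }).DialContext,
            // Certificate verification is off for this reproduction only (same as curl -k).
            TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
        },
    }

    // The client follows the 301 by default, so Get fails when the Location host is unreachable.
    resp, err := client.Get(url)
    if err != nil {
        log.Print(err)
        return
    }
    defer resp.Body.Close()
}
```
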
dixudx commented 2 years ago

> yeah, client-go works well, but not http client.

@leoryu I've found the clue. client-go will automatically add an ending slash / to the base URL (xref client-go).

```
$ curl -s -I -L -k -H "Impersonate-User: clusternet" -H "Authorization: Basic system:anonymous" 'https://10.0.0.10:6443/apis/proxies.clusternet.io/v1alpha1/sockets/e2f91251-5f05-46be-a130-bd318d242cb4/proxy/direct'
HTTP/2 301
cache-control: no-cache, private
cache-control: no-cache, private
date: Fri, 29 Oct 2021 07:05:36 GMT
location: https://10.111.8.252:443/apis/proxies.clusternet.io/v1alpha1/sockets/e2f91251-5f05-46be-a130-bd318d242cb4/proxy/direct/
x-kubernetes-pf-flowschema-uid: 6aee5d9b-24b2-43f0-9732-3d0c0f2c149d
x-kubernetes-pf-prioritylevel-uid: 684dee03-c9d4-4207-89ed-5d7a4c909456

$ curl -s -I -L -k -H "Impersonate-User: clusternet" -H "Authorization: Basic system:anonymous" 'https://10.0.0.10:6443/apis/proxies.clusternet.io/v1alpha1/sockets/e2f91251-5f05-46be-a130-bd318d242cb4/proxy/direct/'
HTTP/2 403
cache-control: no-cache, private
cache-control: no-cache, private
cache-control: no-cache, private
content-type: application/json
date: Fri, 29 Oct 2021 07:05:48 GMT
x-content-type-options: nosniff
x-kubernetes-pf-flowschema-uid: 6aee5d9b-24b2-43f0-9732-3d0c0f2c149d
x-kubernetes-pf-flowschema-uid: 6aee5d9b-24b2-43f0-9732-3d0c0f2c149d
x-kubernetes-pf-prioritylevel-uid: 684dee03-c9d4-4207-89ed-5d7a4c909456
x-kubernetes-pf-prioritylevel-uid: 684dee03-c9d4-4207-89ed-5d7a4c909456
content-length: 234
```

After manually adding an ending slash, the curl request got a status code 403 instead of 301.

For 403, please follow visiting-child-clusters-with-rbac#using-curl with a valid token or tls certificates.

So this is not a bug in Clusternet.
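
An added example, not part of the original thread or of Clusternet's code: a plain `net/http` client that adds the trailing slash the way the comment above says client-go does, and that hands a cross-host 301 back to the caller instead of following it to an address it cannot reach. `fakeProxy`, `probe`, `sameHostOnly`, `withTrailingSlash` and `SOCKET-ID` are hypothetical names; the two addresses are the ones shown in the curl output above, and the responses are constructed in-process so nothing touches the network.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// withTrailingSlash appends the trailing "/" (assumes a base URL without a query string).
func withTrailingSlash(base string) string {
	return strings.TrimRight(base, "/") + "/"
}

// sameHostOnly is a CheckRedirect policy: at most 10 hops, never to another host:port.
func sameHostOnly(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 || req.URL.Host != via[0].URL.Host {
		return http.ErrUseLastResponse // return the 3xx itself instead of following it
	}
	return nil
}

// fakeProxy is a constructed, offline stand-in for the endpoint: 301 without the slash, 403 with it.
type fakeProxy struct{}

func (fakeProxy) RoundTrip(r *http.Request) (*http.Response, error) {
	resp := &http.Response{StatusCode: http.StatusForbidden, Header: http.Header{}, Body: http.NoBody, Request: r}
	if !strings.HasSuffix(r.URL.Path, "/") {
		resp.StatusCode = http.StatusMovedPermanently
		resp.Header.Set("Location", "https://10.111.8.252:443"+r.URL.Path+"/")
	}
	return resp, nil
}

// probe returns the final status code and any Location header left unfollowed.
func probe(c *http.Client, rawURL string) (int, string, error) {
	resp, err := c.Get(rawURL)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	return resp.StatusCode, resp.Header.Get("Location"), nil
}

func main() {
	c := &http.Client{Transport: fakeProxy{}, CheckRedirect: sameHostOnly}
	base := "https://10.0.0.10:6443/apis/proxies.clusternet.io/v1alpha1/sockets/SOCKET-ID/proxy/direct"
	fmt.Println(probe(c, base))                    // 301 plus the internal Location, not followed
	fmt.Println(probe(c, withTrailingSlash(base))) // 403, no redirect issued
}
```

Returning the 301 to the caller also makes the internal `Location` value visible in client logs, which is useful when checking whether a proxy discloses addresses the client was never meant to reach.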

dixudx commented 2 years ago

Closing this issue.

@leoryu Feel free to reopen this if you've got any questions.