Closed leoryu closed 2 years ago
Yes, the Location here should be overwritten.
@leoryu I've tested against kubectl, and the above location does not affect anything. You can follow this guide to construct a valid kubeconfig for the child cluster.
Normally the requests sent by client-go or kubectl are as follows:
https://10.0.0.10:6443/apis/proxies.clusternet.io/v1alpha1/sockets/e2f91251-5f05-46be-a130-bd318d242cb4/proxy/direct/api/v1/namespaces
https://10.0.0.10:6443/apis/proxies.clusternet.io/v1alpha1/sockets/e2f91251-5f05-46be-a130-bd318d242cb4/proxy/direct/apis
Clusternet will do a request upgrade for those requests.
It is fine to use client-go and kubectl.
Yeah, client-go works well, but not the http client. The following code will log an error if it can't access Clusternet's internal IP:
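package main

import (
	"crypto/tls"
	"log"
	"net"
	"net/http"
	"time"
)

func main() {
	url := "https://{pub_ip}:6443/apis/proxies.clusternet.io/v1alpha1/sockets/3167f275-1f8d-4f90-9c81-4703690ded4b/proxy/direct"
	// A dedicated client (http.DefaultClient is left untouched) that keeps the
	// default redirect policy, so the 301 from the proxy is followed.
	client := &http.Client{
		Transport: &http.Transport{
			DialContext: (&net.Dialer{
				Timeout: 5 * time.Second,
			}).DialContext,
			// Certificate verification is switched off for this reproduction only.
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
		},
	}
	resp, err := client.Get(url)
	if err != nil {
		// Logged when the redirect target (the internal IP) cannot be reached.
		log.Print(err)
		return
	}
	resp.Body.Close()
}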
Yeah, client-go works well, but not the http client.
@leoryu I've found out the clue. client-go will automatically add an ending slash / at the base url (xref client-go).
$ curl -s -I -L -k -H "Impersonate-User: clusternet" -H "Authorization: Basic system:anonymous" 'https://10.0.0.10:6443/apis/proxies.clusternet.io/v1alpha1/sockets/e2f91251-5f05-46be-a130-bd318d242cb4/proxy/direct'
HTTP/2 301
cache-control: no-cache, private
cache-control: no-cache, private
date: Fri, 29 Oct 2021 07:05:36 GMT
location: https://10.111.8.252:443/apis/proxies.clusternet.io/v1alpha1/sockets/e2f91251-5f05-46be-a130-bd318d242cb4/proxy/direct/
x-kubernetes-pf-flowschema-uid: 6aee5d9b-24b2-43f0-9732-3d0c0f2c149d
x-kubernetes-pf-prioritylevel-uid: 684dee03-c9d4-4207-89ed-5d7a4c909456
$ curl -s -I -L -k -H "Impersonate-User: clusternet" -H "Authorization: Basic system:anonymous" 'https://10.0.0.10:6443/apis/proxies.clusternet.io/v1alpha1/sockets/e2f91251-5f05-46be-a130-bd318d242cb4/proxy/direct/'
HTTP/2 403
cache-control: no-cache, private
cache-control: no-cache, private
cache-control: no-cache, private
content-type: application/json
date: Fri, 29 Oct 2021 07:05:48 GMT
x-content-type-options: nosniff
x-kubernetes-pf-flowschema-uid: 6aee5d9b-24b2-43f0-9732-3d0c0f2c149d
x-kubernetes-pf-flowschema-uid: 6aee5d9b-24b2-43f0-9732-3d0c0f2c149d
x-kubernetes-pf-prioritylevel-uid: 684dee03-c9d4-4207-89ed-5d7a4c909456
x-kubernetes-pf-prioritylevel-uid: 684dee03-c9d4-4207-89ed-5d7a4c909456
content-length: 234
After manually adding an ending slash, the curl request got a status code 403 instead of 301.
For 403, please follow visiting-child-clusters-with-rbac#using-curl with a valid token or tls certificates.
So this is not a bug of Clusternet.
close this issue.
@leoryu Feel free to reopen this if you've got any questions.
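The behaviour worked out in this thread, as an added Go example that is not code from the thread or from Clusternet: a client that does not follow redirects surfaces the 301 and the Location host that differs from the requested one, while adding the trailing slash (as the thread says client-go does) avoids the redirect. The stub server, the names `withTrailingSlash`, `noRedirect`, `probe` and `newStubProxy`, and the socket ID are constructed for illustration; the stub only mimics the 301/403 pair from the curl output above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// withTrailingSlash normalises a base URL the way the thread describes client-go doing.
func withTrailingSlash(raw string) string {
	return strings.TrimRight(raw, "/") + "/"
}

// noRedirect hands back the 3xx response itself instead of following its Location.
var noRedirect = &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
	return http.ErrUseLastResponse
}}

// probe returns the status code and, if Location names another host, that host.
func probe(raw string) (status int, foreignHost string, err error) {
	resp, err := noRedirect.Get(raw)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	if loc, lerr := resp.Location(); lerr == nil && loc.Host != resp.Request.URL.Host {
		foreignHost = loc.Host
	}
	return resp.StatusCode, foreignHost, nil
}

// newStubProxy is a constructed stand-in: 301 to an internal address without the slash, 403 with it.
func newStubProxy() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasSuffix(r.URL.Path, "/") {
			http.Redirect(w, r, "https://10.111.8.252:443"+r.URL.Path+"/", http.StatusMovedPermanently)
			return
		}
		w.WriteHeader(http.StatusForbidden)
	}))
}

func main() {
	srv := newStubProxy()
	defer srv.Close()
	base := srv.URL + "/apis/proxies.clusternet.io/v1alpha1/sockets/CONSTRUCTED-ID/proxy/direct"
	fmt.Println(probe(base))                    // 301 plus the foreign Location host
	fmt.Println(probe(withTrailingSlash(base))) // 403, no redirect
}
```

Against a real endpoint the 403 still has to be resolved with a valid token or TLS certificates, as the linked RBAC guide describes.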
What happened:
The default Go client enables the redirect function, but the Clusternet proxy will respond with a 301 to an internal IP, which the client can't access.
What you expected to happen:
It should not respond with a 301.
How to reproduce it (as minimally and precisely as possible):
curl -s -f -I -L -k https://{pub_IP}:6443/apis/proxies.clusternet.io/v1alpha1/sockets/xxxxxxxx/proxy/direct