From baf97d23c32f0845223b21492af72f09e8ecdd0b Mon Sep 17 00:00:00 2001
From: Kubernetes Publisher
Date: Fri, 22 Sep 2017 11:22:07 +0000
Subject: [PATCH 1/2] plumb the proxyTransport to the webhook admission plugin; set the ServerName in the config for webhook admission plugin.

Kubernetes-commit: 186a0684d582272aa2fbfec390aea5fbb88a8bc6
---
 rest/config.go | 3 +++
 rest/transport.go | 1 +
 transport/cache.go | 12 ++++++++----
 transport/config.go | 8 +++++++-
 4 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/rest/config.go b/rest/config.go
index 627a9cc9..57848c8a 100644
--- a/rest/config.go
+++ b/rest/config.go
@@ -114,6 +114,9 @@ type Config struct {
 	// The maximum length of time to wait before giving up on a server request. A value of zero means no timeout.
 	Timeout time.Duration
 
+	// Dial specifies the dial function for creating unencrypted TCP connections.
+	Dial func(network, addr string) (net.Conn, error)
+
 	// Version forces a specific version to be used (if registered)
 	// Do we need this?
 	// Version string
diff --git a/rest/transport.go b/rest/transport.go
index 4c5b1648..f59f8dbe 100644
--- a/rest/transport.go
+++ b/rest/transport.go
@@ -96,5 +96,6 @@ func (c *Config) TransportConfig() (*transport.Config, error) {
 			Groups: c.Impersonate.Groups,
 			Extra: c.Impersonate.Extra,
 		},
+		Dial: c.Dial,
 	}, nil
 }
diff --git a/transport/cache.go b/transport/cache.go
index 8d76def3..561c92c1 100644
--- a/transport/cache.go
+++ b/transport/cache.go
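Review bot: The new `Dial` field is declared with the legacy `func(network, addr string) (net.Conn, error)` shape, which `http.Transport` documents as deprecated in favour of `DialContext` because a dial started through the old hook cannot be cancelled when the request's context is cancelled; a caller-supplied dialer without its own timeout can therefore pin goroutines and sockets until the peer answers, and nothing in the struct comment warns about that. Consider declaring it as `DialContext func(ctx context.Context, network, addr string) (net.Conn, error)` here and in the matching declarations in transport/config.go and the `Dial: c.Dial` plumbing in rest/transport.go, or at least extend the comment: `// Dial specifies the dial function for creating unencrypted TCP connections. The function must enforce its own timeouts; the transport cannot cancel a dial made through it.` The `Config` struct begins and ends outside this hunk.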
@@ -63,16 +63,20 @@ func (c *tlsTransportCache) get(config *Config) (http.RoundTripper, error) {
 		return http.DefaultTransport, nil
 	}
 
+	dial := config.Dial
+	if dial == nil {
+		dial = (&net.Dialer{
+			Timeout: 30 * time.Second,
+			KeepAlive: 30 * time.Second,
+		}).Dial
+	}
 	// Cache a single transport for these options
 	c.transports[key] = utilnet.SetTransportDefaults(&http.Transport{
 		Proxy: http.ProxyFromEnvironment,
 		TLSHandshakeTimeout: 10 * time.Second,
 		TLSClientConfig: tlsConfig,
 		MaxIdleConnsPerHost: idleConnsPerHost,
-		Dial: (&net.Dialer{
-			Timeout: 30 * time.Second,
-			KeepAlive: 30 * time.Second,
-		}).Dial,
+		Dial: dial,
 	})
 	return c.transports[key], nil
 }
diff --git a/transport/config.go b/transport/config.go
index e34d6e8c..425f8f87 100644
--- a/transport/config.go
+++ b/transport/config.go
@@ -16,7 +16,10 @@ limitations under the License.
 
 package transport
 
-import "net/http"
+import (
+	"net"
+	"net/http"
+)
 
 // Config holds various options for establishing a transport.
 type Config struct {
@@ -52,6 +55,9 @@ type Config struct {
 	// config may layer other RoundTrippers on top of the returned
 	// RoundTripper.
 	WrapTransport func(rt http.RoundTripper) http.RoundTripper
+
+	// Dial specifies the dial function for creating unencrypted TCP connections.
+	Dial func(network, addr string) (net.Conn, error)
 }
 
 // ImpersonationConfig has all the available impersonation options

From bae75f056877afe6be86b6ad1b6858671cf9927d Mon Sep 17 00:00:00 2001
From: Kubernetes Publisher
Date: Fri, 22 Sep 2017 11:22:07 +0000
Subject: [PATCH 2/2] fix the webhook unit test; the server cert needs to have a valid CN; fix a fuzzer;

Kubernetes-commit: 856a1db57a05e19ea6261e38211d2ab1bf864dd1
---
 rest/config_test.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/rest/config_test.go b/rest/config_test.go
index f20ed722..ff851e6a 100644
--- a/rest/config_test.go
+++ b/rest/config_test.go
@@ -18,6 +18,7 @@ package rest
 
 import (
 	"io"
+	"net"
 	"net/http"
 	"path/filepath"
 	"reflect"
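Review bot: `config.Dial` is only read after the early `return http.DefaultTransport, nil` that is visible at the top of the hunk, so a caller that sets `Dial` without any TLS options gets the default transport and its dialer is silently dropped; the condition guarding that return sits just outside the hunk and should also consider the new field, e.g. `if tlsConfig == nil && config.Dial == nil {`. Separately, `key` is computed before this hunk; if it is derived only from the TLS options, two configs that differ only in `Dial` now share a single cached transport and whichever dialer arrived first is used for both, so the key would need to incorporate the dialer's identity (a func value cannot be compared directly, but its pointer value can be folded into the key). The enclosing `get` method starts outside the hunk.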
@@ -236,6 +237,8 @@ func TestAnonymousConfig(t *testing.T) {
 		func(r *clientcmdapi.AuthProviderConfig, f fuzz.Continue) {
 			r.Config = map[string]string{}
 		},
+		// Dial does not require fuzzer
+		func(r *func(network, addr string) (net.Conn, error), f fuzz.Continue) {},
 	)
 	for i := 0; i < 20; i++ {
 		original := &Config{}
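Review bot: The no-op fuzzer leaves `Dial` nil in every fuzzed `Config`, so the struct comparison that presumably follows (the file imports `reflect`) passes whether or not `AnonymousClientConfig` carries `Dial` over, and a regression in that propagation would go unnoticed by this test. If the comparison is `reflect.DeepEqual`, a stronger check is to fuzz `Dial` to a fixed non-nil function, compare the two copies' fields by identity with `reflect.ValueOf(c.Dial).Pointer()`, and only then set both to nil before comparing the structs. If the no-op is kept, the comment should state the reason rather than the absence of a need, e.g. `// Dial is a func value and would defeat reflect.DeepEqual below; leave it nil`. The body of `TestAnonymousConfig` starts and ends outside the hunk.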