diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go index f700cbc021a..22b7562f9c9 100644 --- a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go +++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go @@ -165,10 +165,9 @@ func (r *proxyHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) { proxyRoundTripper = transport.NewAuthProxyRoundTripper(user.GetName(), user.GetGroups(), user.GetExtra(), proxyRoundTripper) - // if we are upgrading, then the upgrade path tries to use this request with the TLS config we provide, but it does - // NOT use the roundtripper. Its a direct call that bypasses the round tripper. This means that we have to - // attach the "correct" user headers to the request ahead of time. After the initial upgrade, we'll be back - // at the roundtripper flow, so we only have to muck with this request, but we do have to do it. + // If we are upgrading, then the upgrade path tries to use this request with the TLS config we provide, but it does + // NOT use the proxyRoundTripper. It's a direct dial that bypasses the proxyRoundTripper. This means that we have to + // attach the "correct" user headers to the request ahead of time. if upgrade { transport.SetAuthProxyHeaders(newReq, user.GetName(), user.GetGroups(), user.GetExtra()) } diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go index 9249ec56b9b..def125a528f 100644 --- a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go +++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go @@ -414,6 +414,7 @@ func newBrokenDialerAndSelector() (*mockEgressDialer, *egressselector.EgressSele } func TestProxyUpgrade(t *testing.T) { + upgradeUser := "upgradeUser" testcases := map[string]struct { APIService *apiregistration.APIService NewEgressSelector func() (*mockEgressDialer, *egressselector.EgressSelector) @@ -518,6 +519,11 @@ func TestProxyUpgrade(t *testing.T) { backendHandler.Handle(path, websocket.Handler(func(ws *websocket.Conn) { atomic.AddInt32(×Called, 1) defer ws.Close() + req := ws.Request() + user := req.Header.Get("X-Remote-User") + if user != upgradeUser { + t.Errorf("expected user %q, got %q", upgradeUser, user) + } body := make([]byte, 5) ws.Read(body) ws.Write([]byte("hello " + string(body))) @@ -554,7 +560,7 @@ func TestProxyUpgrade(t *testing.T) { } proxyHandler.updateAPIService(tc.APIService) - aggregator := httptest.NewServer(contextHandler(proxyHandler, &user.DefaultInfo{Name: "username"})) + aggregator := httptest.NewServer(contextHandler(proxyHandler, &user.DefaultInfo{Name: upgradeUser})) defer aggregator.Close() ws, err := websocket.Dial("ws://"+aggregator.Listener.Addr().String()+path, "", "http://127.0.0.1/")