kubectl exec & port forward TLS handshake error when https_proxy environment variable contains special characters

[mwalexander82]

kubectl version

• Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.12", GitCommit:"a8b52209ee172232b6db7a6e0ce2adc77458829f", GitTreeState:"clean", BuildDate:"2019-10-15T12:12:15Z", GoVersion:"go1.11.13", Compiler:"gc", Platform:"windows/amd64"}
• Server Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.12", GitCommit:"524c3a1238422529d62f8e49506df658fa9c8b8c", GitTreeState:"clean", BuildDate:"2019-11-14T05:26:24Z", GoVersion:"go1.11.13", Compiler:"gc", Platform:"linux/amd64"}

Issue

When running the following behind a corporate proxy:

kubectl exec -it grafana-8665c55f6b-k7jpb ls -n monitoring

I'm seeing:

error: error sending request: Post https://k8s-fqdn:443/api/v1/namespaces/monitoring/pods/grafana-8665c55f6b-k7jpb/exec?command=ls&container=grafana&container=grafana&stdin=true&stdout=true&tty=true: tls: first record does not look like a TLS handshake

The same issue also happens with port forwarding e.g.:

kubectl -n monitoring port-forward prometheus-server-657c6d8f59-s7mjz 9090

error: error upgrading connection: error sending request: Post https://k8s-fqdn:443/api/v1/namespaces/monitoring/pods/prometheus-server-657c6d8f59-s7mjz/portforward: tls: first record does not look like a TLS handshake

How to reproduce

If the password for the https_proxy environment variable contains a hash symbol (URL encoded this is %23), it doesn't work and we get a TLS handshake error. If the password for the https_proxy environment variable contains a dollar symbol (URL encoded this is %24) it works fine.

The following does not work and gives the TLS handshake error above:

http_proxy=http://username:password%23@proxyhost:proxy-port
https_proxy=http://username:password%23@proxyhost:proxy-port

The following does work:

http_proxy=http://username:password%24@proxyhost:proxy-port
https_proxy=http://username:password%24@proxyhost:proxy-port

and we see:

kubectl exec -it grafana-8665c55f6b-k7jpb ls -n monitoring
LICENSE README.md bin public tools
NOTICE.md VERSION conf scripts

OR

kubectl -n monitoring port-forward prometheus-server-657c6d8f59-s7mjz 9090
Forwarding from 127.0.0.1:9090 -> 9090
Forwarding from [::1]:9090 -> 9090

as expected.

[seans3]

/sig cli
/area kubectl
/kind bug
/priority P2

[eddiezane]

@mwalexander82 are you able to reproduce this on version 1.17 or higher?

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

[fejta-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

[k8s-ci-robot]

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.