Add redirect support to SpdyRoundTripper #44451
Conversation
ncdc
added
the
sig/api-machinery
k8s-ci-robot
added
the
cncf-cla: yes
|
This change is |
k8s-github-robot
added
size/L
|
I seem to have broken TestServePortForward and am looking into it |
ncdc
force-pushed
the
spdy-follow-redirects
branch
2 times, most recently
from
d157bb4
to
23d8754
Compare
| @@ -1552,11 +1552,20 @@ func TestServePortForward(t *testing.T) { | |||
| url = fmt.Sprintf("%s/portForward/%s/%s", fw.testHTTPServer.URL, podNamespace, podName) | |||
| } | |||
|
|
|||
| upgradeRoundTripper := spdy.NewRoundTripper(nil) | |||
| c := &http.Client{Transport: upgradeRoundTripper} | |||
| // Don't follow redirects, since we want to inspect the redirect response. | |||
There was a problem hiding this comment.
this case was odd... it seems like it was explicitly testing a scenario the spdy round tripper wouldn't handle, right?
There was a problem hiding this comment.
Yes, but I think it was testing to make sure that the kubelet server could return a redirect. My change here made it start breaking, because the round tripper started following the redirect, so I updated this test case to match what's done in textExecAttach.
| method = "GET" | ||
| } | ||
|
|
||
| r, err := http.NewRequest(method, location.String(), req.Body) |
There was a problem hiding this comment.
remind me again why reusing the original req.Body doesn't do bad things if we hit this loop more than once?
There was a problem hiding this comment.
The request body is never used for spdy requests, but otherwise, we'd probably need to be more careful. This appears to be what the proxy code is doing.
There was a problem hiding this comment.
If the request body isn't used, can you just pass nil? That's what the proxy code does for subsequent requests (
)
|
@k8s-bot verify test this (some verify generated protobuf rsync issue) |
|
@k8s-bot cvm gce e2e test this |
| method = "GET" | ||
| } | ||
|
|
||
| r, err := http.NewRequest(method, location.String(), req.Body) |
There was a problem hiding this comment.
If the request body isn't used, can you just pass nil? That's what the proxy code does for subsequent requests (
)|
|
||
| s.conn = intermediateConn | ||
| intermediateConn = nil // Don't close the connection when we return it. |
There was a problem hiding this comment.
fix comment (not returning intermediateConn)
| header.Add(httpstream.HeaderConnection, httpstream.HeaderUpgrade) | ||
| header.Add(httpstream.HeaderUpgrade, HeaderSpdy31) | ||
|
|
||
| redirectLoop: |
There was a problem hiding this comment.
This duplicates a lot of code from the proxy (
). Is it possible to extract a shared method? Maybe something that takes aconnectBackend function?
There was a problem hiding this comment.
I will look and see what I can do.
ncdc
force-pushed
the
spdy-follow-redirects
branch
from
23d8754
to
8291d8a
Compare
|
@timstclair @liggitt updated to extract the common logic shared between spdy and the upgrade aware proxy. PTAL. Also, naming is hard, so I'm open to any suggestions for what to call the new interface and method. |
| func (s *SpdyRoundTripper) TLSClientConfig() *tls.Config { | ||
| return s.tlsConfig | ||
| } | ||
|
|
||
| // SendRequest implements k8s.io/apimachinery/pkg/util/net.RequestSender. |
There was a problem hiding this comment.
better use an anonymous var with type cast instead of a comment.
| intermediateConn net.Conn | ||
| rawResponse = bytes.NewBuffer(make([]byte, 0, 256)) | ||
| body = originalBody | ||
| err error |
There was a problem hiding this comment.
err can be local in the loop body.
There was a problem hiding this comment.
No, because that would result in intermediateConn being shadowed.
|
Some nits. Otherwise, looks good now that the redirect loop is factored out. |
ncdc
force-pushed
the
spdy-follow-redirects
branch
from
8291d8a
to
ecf3618
Compare
|
Updated and squashed the code review commits |
|
@k8s-bot gci gce e2e test this (one node didn't come up for some reason). |
| return nil, nil, fmt.Errorf("too many redirects (%d)", redirects) | ||
| } | ||
| if redirects != 0 { | ||
| // Redirected requests switch to "GET" according to the HTTP spec: |
There was a problem hiding this comment.
nit: if you want, you can move these down to the Prepare to follow the redirect. section and make unconditional
There was a problem hiding this comment.
Good point... Since you've asked for a comment for 'future us' below, I'll make the change.
| if redirectStr == "" { | ||
| return nil, nil, fmt.Errorf("%d response missing Location header", resp.StatusCode) | ||
| } | ||
| location, err = location.Parse(redirectStr) |
There was a problem hiding this comment.
comment about parsing relative to the last requested location would be helpful here for future us
|
lgtm |
ncdc
force-pushed
the
spdy-follow-redirects
branch
from
ecf3618
to
038c7ce
Compare
|
@timstclair @liggitt @sttts ready for final review. Any other comments? |
|
none from me |
k8s-github-robot
removed
the
lgtm
|
Just pushed up the new changes. PTAL. I'll say it's a bit weird to have |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
| @@ -78,7 +80,8 @@ func NewExecutor(config *restclient.Config, method string, url *url.URL) (Stream | |||
| return nil, err | |||
| } | |||
|
|
|||
| upgradeRoundTripper := spdy.NewRoundTripper(tlsConfig) | |||
| followRedirects := utilfeature.DefaultFeatureGate.Enabled(genericfeatures.StreamingProxyRedirects) | |||
There was a problem hiding this comment.
Having feature gates in client code is awkward. Any reason to have this feature gate at all here? Why don't we enable redirection for remotecommand? If the kubelet still depends on the gate, that's fine and another topic.
There was a problem hiding this comment.
This isn't actually used in client code, is it? Maybe I'm confused about how this is used.
There was a problem hiding this comment.
I'd be happy to remove it. Do we all agree on that?
There was a problem hiding this comment.
FYI here is where the apiserver in OpenShift is creating a spdy roundtripper and executor: https://github.com/openshift/origin/blob/aaf06ed2b62b0e06845ad804932cddeec36b686e/pkg/build/registry/buildconfiginstantiate/rest.go#L237-L238.
ncdc
force-pushed
the
spdy-follow-redirects
branch
from
fe88f42
to
299e9dd
Compare
k8s-github-robot
removed
the
lgtm
|
Rebased and squashed. PTAL. /release-note |
k8s-ci-robot
added
release-note
|
I'm ok without the gate.
…On Tue, Apr 25, 2017 at 1:00 PM, Andy Goldstein ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In pkg/client/unversioned/remotecommand/remotecommand.go
<#44451 (comment)>
:
> @@ -78,7 +80,8 @@ func NewExecutor(config *restclient.Config, method string, url *url.URL) (Stream
return nil, err
}
- upgradeRoundTripper := spdy.NewRoundTripper(tlsConfig)
+ followRedirects := utilfeature.DefaultFeatureGate.Enabled(genericfeatures.StreamingProxyRedirects)
FYI here is where the apiserver in OpenShift is creating a spdy
roundtripper and executor: https://github.com/openshift/origin/blob/
aaf06ed2b62b0e06845ad804932cddeec36b686e/pkg/build/registry/
buildconfiginstantiate/rest.go#L237-L238.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#44451 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABG_pyOs0YyefmsykTzsK_JsFKGdOG8yks5rziaugaJpZM4M83Ao>
.
|
|
I don't want to keep blocking this - I'm ok with or without the gate. |
|
I'll take it out later tonight when I'm back at a computer.
…On Tue, Apr 25, 2017 at 4:15 PM Tim St. Clair ***@***.***> wrote:
I don't want to keep blocking this - I'm ok with or without the gate.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#44451 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAABYq5gzgHhKu4xEhqxBgZx14oFEApRks5rzn6MgaJpZM4M83Ao>
.
|
Add support for following redirects to the SpdyRoundTripper. This is necessary for clients using it directly (e.g. the apiserver talking directly to the kubelet) because the CRI streaming server issues a redirect for streaming requests. Also extract common logic for following redirects.
ncdc
force-pushed
the
spdy-follow-redirects
branch
from
299e9dd
to
fc2128c
Compare
|
Ok, removed the flag from the client code. Hopefully this is the last revision :-) |
ncdc
removed
the
do-not-merge
|
@timstclair @sttts @smarterclayton @liggitt I think this should be good to go, if you're all ok with it |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ncdc, smarterclayton, timstclair
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
Automatic merge from submit-queue |
Add support for following redirects to the SpdyRoundTripper. This is
necessary for clients using it directly (e.g. the apiserver talking
directly to the kubelet) because the CRI streaming server issues a
redirect for streaming requests.
We need this in OpenShift because we have code that executes inside our apiserver that talks directly to the node to perform an attach request, and we need to be able to follow that redirect.
This code was adapted from the upgrade-aware proxy handler.
cc @smarterclayton @sttts @liggitt @timstclair @kubernetes/sig-api-machinery-pr-reviews