Wrap transport when kube proxy runs in-cluster. (#2715) (#2718)

gravitational · May 15, 2019 · f415aab · f415aab
1 parent 639a675
commit f415aab
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/lib/kube/proxy/forwarder.go b/lib/kube/proxy/forwarder.go
@@ -880,9 +880,21 @@ func (f *Forwarder) newClusterSession(ctx authContext) (*clusterSession, error)
 		tlsConfig:   tlsConfig,
 	}
 
+	var transport http.RoundTripper = f.newTransport(sess.Dial, tlsConfig)
+
+	// when running inside Kubernetes cluster, kubeconfig provides a
+	// transport wrapper that adds service account token to requests
+	//
+	// when forwarding request to a remote cluster, this is not needed
+	// as the proxy uses client cert auth to reach out to remote proxy
+	// which will then use its own transport wrapper
+	if !ctx.cluster.isRemote && f.creds.cfg.WrapTransport != nil {
+		transport = f.creds.cfg.WrapTransport(transport)
+	}
+
 	fwd, err := forward.New(
 		forward.FlushInterval(100*time.Millisecond),
-		forward.RoundTripper(f.newTransport(sess.Dial, tlsConfig)),
+		forward.RoundTripper(transport),
 		forward.WebsocketDial(sess.Dial),
 		forward.Logger(log.StandardLogger()),
 	)