From 2dfbf70fe69c5626b19301e797627931ebcd463c Mon Sep 17 00:00:00 2001
From: STeve Huang
Date: Tue, 26 Sep 2023 15:33:54 -0400
Subject: [PATCH] Fix issue Teleport Connect Kube terminal throws internal server error

---
 lib/teleterm/gateway/kube.go | 7 ++++++-
 lib/teleterm/gateway/kube_test.go | 10 +++++++---
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/lib/teleterm/gateway/kube.go b/lib/teleterm/gateway/kube.go
index c26474047e6fe..75bba49f5ac01 100644
--- a/lib/teleterm/gateway/kube.go
+++ b/lib/teleterm/gateway/kube.go
@@ -98,6 +98,11 @@ func (k *kube) makeALPNLocalProxyForKube(cas map[string]tls.Certificate) error {
 		return trace.NewAggregate(err, listener.Close())
 	}
 
+	webProxyHost, err := utils.Host(k.cfg.WebProxyAddr)
+	if err != nil {
+		return trace.Wrap(err)
+	}
+
 	k.localProxy, err = alpnproxy.NewLocalProxy(alpnproxy.LocalProxyConfig{
 		InsecureSkipVerify: k.cfg.Insecure,
 		RemoteProxyAddr: k.cfg.WebProxyAddr,
@@ -107,7 +112,7 @@ func (k *kube) makeALPNLocalProxyForKube(cas map[string]tls.Certificate) error {
 		ALPNConnUpgradeRequired: k.cfg.TLSRoutingConnUpgradeRequired,
 	},
 		alpnproxy.WithHTTPMiddleware(middleware),
-		alpnproxy.WithSNI(client.GetKubeTLSServerName(k.cfg.WebProxyAddr)),
+		alpnproxy.WithSNI(client.GetKubeTLSServerName(webProxyHost)),
 		alpnproxy.WithClusterCAs(k.closeContext, k.cfg.RootClusterCACertPoolFunc),
 	)
 	if err != nil {
diff --git a/lib/teleterm/gateway/kube_test.go b/lib/teleterm/gateway/kube_test.go
index f9d462febefdf..7ee4e96c4e71e 100644
--- a/lib/teleterm/gateway/kube_test.go
+++ b/lib/teleterm/gateway/kube_test.go
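Review bot: The new early return `return trace.Wrap(err)` after the `utils.Host` call leaves the listener created just above this hunk open; the error path on the hunk's first context line closes it with `trace.NewAggregate(err, listener.Close())`, and the new path should do the same, `return trace.NewAggregate(err, listener.Close())` — or the host should be derived before the listener is created so that a failure needs no cleanup. A short why-comment on the `webProxyHost` line would also help a reader without the history, e.g. `// SNI must carry the proxy host only: a host:port value does not match the DNS name the kube certificate is issued for.` (presumably the cause of the internal server error named in the title). The second hunk's `WithSNI(client.GetKubeTLSServerName(webProxyHost))` is the only consumer of this value; makeALPNLocalProxyForKube starts and ends outside these hunks.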
@@ -223,16 +223,20 @@ func mustStartMockProxyWithKubeAPI(t *testing.T, identity tlsca.Identity) *mockP
 	return m
 }
 
-func mustGenCAForProxyKubeAddr(t *testing.T, key *keys.PrivateKey, host string) (tls.Certificate, *tlsca.CertAuthority) {
+func mustGenCAForProxyKubeAddr(t *testing.T, key *keys.PrivateKey, hostAddr string) (tls.Certificate, *tlsca.CertAuthority) {
 	t.Helper()
 
+	addr, err := utils.ParseAddr(hostAddr)
+	require.NoError(t, err)
+
 	certPem, err := tlsca.GenerateSelfSignedCAWithConfig(tlsca.GenerateCAConfig{
 		Entity: pkix.Name{
 			CommonName: "localhost",
 			Organization: []string{"Teleport"},
 		},
-		Signer: key,
-		DNSNames: []string{client.GetKubeTLSServerName(host)}, // Use special kube SNI.
+		Signer: key,
+		// Use special kube SNI. Make sure only host (no port) is used.
+		DNSNames: []string{client.GetKubeTLSServerName(addr.Host())},
 		TTL: defaults.CATTL,
 	})
 	require.NoError(t, err)
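Review bot: The fixture derives the host with `utils.ParseAddr(hostAddr)` followed by `addr.Host()`, while the production path in kube.go uses `utils.Host(k.cfg.WebProxyAddr)`; should the two helpers ever disagree on an input (an address with no port, or an IPv6 literal), the CA's DNS name and the proxy's SNI would diverge and the test would pass or fail for the wrong reason. Using the same helper here, `host, err := utils.Host(hostAddr)` with `client.GetKubeTLSServerName(host)` in DNSNames, keeps the fixture aligned with the code under test. It is also worth confirming that at least one caller of mustGenCAForProxyKubeAddr (outside this hunk) passes a host:port value, otherwise the regression this commit fixes is not actually exercised.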