diff --git a/cmd/bridge/main.go b/cmd/bridge/main.go
index 421644c7f16..500b22dfc18 100644
--- a/cmd/bridge/main.go
+++ b/cmd/bridge/main.go
@@ -68,6 +68,8 @@ func main() {
 	fK8sMode := fs.String("k8s-mode", "in-cluster", "in-cluster | off-cluster")
 	fK8sModeOffClusterEndpoint := fs.String("k8s-mode-off-cluster-endpoint", "", "URL of the Kubernetes API server.")
 	fK8sModeOffClusterSkipVerifyTLS := fs.Bool("k8s-mode-off-cluster-skip-verify-tls", false, "DEV ONLY. When true, skip verification of certs presented by k8s API server.")
+	fK8sModeOffClusterPrometheus := fs.String("k8s-mode-off-cluster-prometheus", "", "DEV ONLY. URL of the cluster's Prometheus server.")
+	fK8sModeOffClusterAlertmanager := fs.String("k8s-mode-off-cluster-alertmanager", "", "DEV ONLY. URL of the cluster's AlertManager server.")
 	fK8sAuth := fs.String("k8s-auth", "service-account", "service-account | bearer-token | oidc | openshift")
 	fK8sAuthBearerToken := fs.String("k8s-auth-bearer-token", "", "Authorization token to send with proxied Kubernetes API requests.")
 
@@ -144,6 +146,18 @@ func main() {
 		documentationBaseURL = bridge.ValidateFlagIsURL("documentation-base-url", *fDocumentationBaseURL)
 	}
 
+	offClusterPrometheusURL := &url.URL{}
+	if *fK8sModeOffClusterPrometheus != "" && *fK8sMode == "off-cluster" {
+		offClusterPrometheusURL = bridge.ValidateFlagIsURL("k8s-mode-off-cluster-prometheus", *fK8sModeOffClusterPrometheus)
+		offClusterPrometheusURL.Path = "/api"
+	}
+
+	offClusterAlertManagerURL := &url.URL{}
+	if *fK8sModeOffClusterAlertmanager != "" && *fK8sMode == "off-cluster" {
+		offClusterAlertManagerURL = bridge.ValidateFlagIsURL("k8s-mode-off-cluster-alertmanager", *fK8sModeOffClusterAlertmanager)
+		offClusterAlertManagerURL.Path = "/api"
+	}
+
 	branding := *fBranding
 	if branding == "origin" {
 		branding = "okd"
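Review bot: The help text for `k8s-mode-off-cluster-skip-verify-tls` still says it covers "certs presented by k8s API server", but the `tls.Config` built from it is reused for the new Prometheus and Alertmanager proxies in the `@@ -288` hunk of this same commit, so `--help` gives no hint that the switch also disables verification for those endpoints. Suggest widening the description: `"DEV ONLY. When true, skip verification of certs presented by the k8s API server and by the off-cluster Prometheus and AlertManager servers when those are configured."`. The two new flag descriptions could likewise mention that they are only honored when `k8s-mode=off-cluster`, which is how the `@@ -144` hunk gates them. main's body continues outside the hunk.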
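Review bot: `offClusterPrometheusURL.Path = "/api"` replaces whatever path the operator supplied in `k8s-mode-off-cluster-prometheus`, so a Prometheus exposed under a prefix would be proxied to the wrong location with no error; the Alertmanager block five lines down does the same. If `/api` is meant as a suffix, `offClusterPrometheusURL.Path = strings.TrimSuffix(offClusterPrometheusURL.Path, "/") + "/api"` keeps the prefix (assuming `strings` is already imported, which is outside this hunk). Two smaller points: the `&url.URL{}` sentinel is what forces the `.String() != ""` test in the `@@ -288` hunk, and a nil `*url.URL` checked with `!= nil` would be more direct; and a value given while `k8s-mode` is not `off-cluster` is silently dropped rather than rejected with `bridge.FlagFatalf`, which deserves at least a comment on the condition. main's body continues outside the hunk.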
@@ -288,14 +302,36 @@ func main() {
 	case "off-cluster":
 		k8sEndpoint = bridge.ValidateFlagIsURL("k8s-mode-off-cluster-endpoint", *fK8sModeOffClusterEndpoint)
-
+		serviceProxyTLSConfig := &tls.Config{
+			InsecureSkipVerify: *fK8sModeOffClusterSkipVerifyTLS,
+		}
 		srv.K8sProxyConfig = &proxy.Config{
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: *fK8sModeOffClusterSkipVerifyTLS,
-			},
+			TLSClientConfig: serviceProxyTLSConfig,
 			HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
 			Endpoint: k8sEndpoint,
 		}
+
+		if offClusterPrometheusURL.String() != "" {
+			srv.PrometheusProxyConfig = &proxy.Config{
+				TLSClientConfig: serviceProxyTLSConfig,
+				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				Endpoint: offClusterPrometheusURL,
+			}
+			srv.PrometheusTenancyProxyConfig = &proxy.Config{
+				TLSClientConfig: serviceProxyTLSConfig,
+				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				Endpoint: offClusterPrometheusURL,
+			}
+		}
+
+		if offClusterAlertManagerURL.String() != "" {
+			srv.AlertManagerProxyConfig = &proxy.Config{
+				TLSClientConfig: serviceProxyTLSConfig,
+				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				Endpoint: offClusterAlertManagerURL,
+			}
+		}
+
 
 	default:
 		bridge.FlagFatalf("k8s-mode", "must be one of: in-cluster, off-cluster")
 	}
diff --git a/contrib/oc-environment.sh b/contrib/oc-environment.sh
index d5b45a56e0d..c7b2baa5002 100644
--- a/contrib/oc-environment.sh
+++ b/contrib/oc-environment.sh
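Review bot: The same `proxy.Config` literal is now spelled out four times in the `off-cluster` case, differing only in `Endpoint`, so the header blacklist and TLS settings of the three targets can drift the next time one of them is edited. A small closure over `serviceProxyTLSConfig` removes the repetition and makes it visible in one place that the DEV ONLY skip-verify setting applies to every off-cluster target. `PrometheusProxyConfig` and `PrometheusTenancyProxyConfig` both point at the same server here, which may be correct off-cluster but is not obvious and should carry a comment. The switch this case belongs to starts outside the hunk.
```go
		k8sEndpoint = bridge.ValidateFlagIsURL("k8s-mode-off-cluster-endpoint", *fK8sModeOffClusterEndpoint)
		// One TLS config for every off-cluster target: the DEV ONLY skip-verify
		// flag therefore applies to the k8s API, Prometheus and Alertmanager alike.
		serviceProxyTLSConfig := &tls.Config{
			InsecureSkipVerify: *fK8sModeOffClusterSkipVerifyTLS,
		}
		// newServiceProxyConfig builds the proxy config shared by all off-cluster
		// targets; only the endpoint differs.
		newServiceProxyConfig := func(endpoint *url.URL) *proxy.Config {
			return &proxy.Config{
				TLSClientConfig: serviceProxyTLSConfig,
				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
				Endpoint:        endpoint,
			}
		}
		srv.K8sProxyConfig = newServiceProxyConfig(k8sEndpoint)

		if offClusterPrometheusURL.String() != "" {
			// NOTE(review): both Prometheus proxies target the same off-cluster
			// server — confirm there is no tenancy-scoped instance to use here.
			srv.PrometheusProxyConfig = newServiceProxyConfig(offClusterPrometheusURL)
			srv.PrometheusTenancyProxyConfig = newServiceProxyConfig(offClusterPrometheusURL)
		}

		if offClusterAlertManagerURL.String() != "" {
			srv.AlertManagerProxyConfig = newServiceProxyConfig(offClusterAlertManagerURL)
		}
		// … unchanged: default case …
```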
@@ -17,6 +17,8 @@
 export BRIDGE_USER_AUTH="disabled"
 export BRIDGE_K8S_MODE="off-cluster"
 export BRIDGE_K8S_MODE_OFF_CLUSTER_ENDPOINT=$(oc whoami --show-server)
 export BRIDGE_K8S_MODE_OFF_CLUSTER_SKIP_VERIFY_TLS=true
+export BRIDGE_K8S_MODE_OFF_CLUSTER_PROMETHEUS=$(oc -n openshift-monitoring get configmap sharing-config -o jsonpath='{.data.prometheusURL}')
+export BRIDGE_K8S_MODE_OFF_CLUSTER_ALERTMANAGER=$(oc -n openshift-monitoring get configmap sharing-config -o jsonpath='{.data.alertmanagerURL}')
 export BRIDGE_K8S_AUTH="bearer-token"
 export BRIDGE_K8S_AUTH_BEARER_TOKEN=$(oc whoami --show-token)
diff --git a/examples/run-bridge.sh b/examples/run-bridge.sh
index 4bd0dad2161..c9f494d9c63 100755
--- a/examples/run-bridge.sh
+++ b/examples/run-bridge.sh
@@ -14,4 +14,6 @@ set -exuo pipefail
     --user-auth=openshift \
     --user-auth-oidc-client-id=console-oauth-client \
     --user-auth-oidc-client-secret-file=examples/console-client-secret \
-    --user-auth-oidc-ca-file=examples/ca.crt
+    --user-auth-oidc-ca-file=examples/ca.crt \
+    --k8s-mode-off-cluster-prometheus=$(oc -n openshift-monitoring get configmap sharing-config -o jsonpath='{.data.prometheusURL}') \
+    --k8s-mode-off-cluster-alertmanager=$(oc -n openshift-monitoring get configmap sharing-config -o jsonpath='{.data.alertmanagerURL}')
diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go
index fb5b1b1c4c4..8d7f93e39f0 100644
--- a/pkg/proxy/proxy.go
+++ b/pkg/proxy/proxy.go
@@ -107,15 +107,16 @@ func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		r.Header.Del(h)
 	}
 
+	r.Host = p.config.Endpoint.Host
+	r.URL.Host = p.config.Endpoint.Host
+	r.URL.Scheme = p.config.Endpoint.Scheme
+
 	if !isWebsocket {
 		p.reverseProxy.ServeHTTP(w, r)
 		return
 	}
 
-	r.Host = p.config.Endpoint.Host
-	r.URL.Host = p.config.Endpoint.Host
 	r.URL.Path = SingleJoiningSlash(p.config.Endpoint.Path, r.URL.Path)
-	r.URL.Scheme = p.config.Endpoint.Scheme
 
 	if r.URL.Scheme == "https" {
 		r.URL.Scheme = "wss"
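Review bot: When the `oc -n openshift-monitoring get configmap sharing-config` lookup fails (not logged in, namespace or permission missing), `export VAR=$(...)` still exits 0 and the variable is exported empty, so bridge quietly runs without the monitoring proxies instead of anything reporting the problem; the `examples/run-bridge.sh` hunk has the same weakness, since a substitution failing inside a flag argument is not caught by `set -e` either. Assigning first and exporting second keeps the lookup's exit status observable (and in run-bridge.sh lets `set -e` abort): `prometheus_url=$(oc -n openshift-monitoring get configmap sharing-config -o jsonpath='{.data.prometheusURL}')` followed by `export BRIDGE_K8S_MODE_OFF_CLUSTER_PROMETHEUS="$prometheus_url"`, and the same pair for the Alertmanager URL. That also makes it easy to collapse the two identical configmap reads into one if desired.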
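Review bot: Moving the `r.Host`, `r.URL.Host` and `r.URL.Scheme` assignments ahead of the `!isWebsocket` branch makes every Proxy instance rewrite the upstream Host header for plain HTTP requests too, not only the new off-cluster monitoring targets, and since the k8s API proxy goes through this same ServeHTTP the change reaches in-cluster deployments as well; nothing in the hunk records why. A comment above the new lines would spare the next reader a bisect, e.g. `// Always address the configured endpoint by its own host (not the inbound Host): route- or ingress-fronted endpoints such as off-cluster Prometheus dispatch on it.` — whether `p.reverseProxy` previously preserved the inbound Host depends on how it is constructed, which is outside this hunk, so confirm before committing to that wording. The assignments also mutate the caller's `*http.Request` before handing it to `p.reverseProxy.ServeHTTP`, which the net/http Handler contract discourages; the existing `r.Header.Del` already does this, so it is a pre-existing pattern rather than a new defect. ServeHTTP starts and ends outside the hunk.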