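// dialBackend opens a raw connection to the backend named by req.URL, choosing
// plain TCP or TLS from the scheme of p.backendAddr.
//
// For "https" the TLS config is derived from p.clientConfig via
// kclient.TLSConfigFor, the connection is dialed, and the host part of the
// dialed address is verified explicitly against the presented certificate.
// A connection that cannot be verified is closed before the error is
// returned, so callers never receive an open but unverified conn together
// with a non-nil error.
func (p *UpgradeAwareSingleHostReverseProxy) dialBackend(req *http.Request) (net.Conn, error) {
	dialAddr := netutil.CanonicalAddr(req.URL)

	switch p.backendAddr.Scheme {
	case "http":
		return net.Dial("tcp", dialAddr)

	case "https":
		tlsConfig, err := kclient.TLSConfigFor(p.clientConfig)
		if err != nil {
			return nil, err
		}
		tlsConn, err := tls.Dial("tcp", dialAddr, tlsConfig)
		if err != nil {
			return nil, err
		}
		// tls.Dial verifies against tlsConfig.ServerName when one is set; this
		// extra check ties the certificate to the address that was actually
		// dialed, regardless of what the config names.
		hostToVerify, _, err := net.SplitHostPort(dialAddr)
		if err != nil {
			_ = tlsConn.Close() // the split error is the one worth reporting
			return nil, err
		}
		if err := tlsConn.VerifyHostname(hostToVerify); err != nil {
			_ = tlsConn.Close() // never leak an unverified connection to the caller
			return nil, err
		}
		return tlsConn, nil

	default:
		return nil, fmt.Errorf("unknown scheme: %s", p.backendAddr.Scheme)
	}
}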
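// generateTransport builds the HTTP transport used to reach the backend.
//
// When all three of ca, certfile and keyfile are given, a TLS config is
// derived from them via client.TLSConfigFor and the transport is passed
// through setTransportDefaults. When ANY of the three is empty the transport
// falls back to InsecureSkipVerify, i.e. the backend certificate is not
// verified at all. A partially supplied credential set therefore silently
// downgrades to an unverified connection; that case is logged as a warning
// so a misconfiguration is visible rather than invisible.
func generateTransport(ca, certfile, keyfile string) (*http.Transport, error) {
	if ca == "" || certfile == "" || keyfile == "" {
		if ca != "" || certfile != "" || keyfile != "" {
			glog.Warningf("incomplete TLS configuration (ca=%q certfile=%q keyfile=%q); falling back to an unverified connection", ca, certfile, keyfile)
		}
		return &http.Transport{
			Dial:            forked.Dial,
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
			// Because watches are very bursty, defends against long delays in watch reconnections.
			MaxIdleConnsPerHost: 500,
		}, nil
	}

	tlsConfig, err := client.TLSConfigFor(&client.Config{
		TLSClientConfig: client.TLSClientConfig{
			CertFile: certfile,
			KeyFile:  keyfile,
			CAFile:   ca,
		},
	})
	if err != nil {
		glog.Errorf("Error creating tls config: %s", err)
		return nil, err
	}
	// NOTE(review): only this branch goes through setTransportDefaults; the
	// insecure branch above does not — confirm whether that asymmetry is intended.
	return setTransportDefaults(&http.Transport{
		TLSClientConfig: tlsConfig,
		Dial:            forked.Dial,
		// Because watches are very bursty, defends against long delays in watch reconnections.
		MaxIdleConnsPerHost: 500,
	}), nil
}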
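// getClients returns an OpenShift client, a Kube client, and a registry client.
//
// The OpenShift and Kube clients come from the factory and require a bearer
// token in the client config; a config without a token is rejected. The
// registry client reuses a copy of the same config with every
// certificate-based credential cleared and the token supplied as the Docker
// "password" (the username is a placeholder the registry does not use). If
// cfg.CABundle is set, its certificates are added to the registry client's
// trust roots; a bundle that yields no parseable certificate is an error
// rather than being silently ignored.
func getClients(f *clientcmd.Factory, cfg *pruneImagesConfig) (*client.Client, *kclient.Client, *http.Client, error) {
	clientConfig, err := f.OpenShiftClientConfig.ClientConfig()
	if err != nil {
		return nil, nil, nil, err
	}
	if len(clientConfig.BearerToken) == 0 {
		return nil, nil, nil, errors.New("You must use a client config with a token")
	}
	osClient, kClient, err := f.Clients()
	if err != nil {
		return nil, nil, nil, err
	}
	token := clientConfig.BearerToken

	// copy the config and zero out everything we don't want to use: the
	// registry must only ever see the token, never the user's certificates
	registryClientConfig := *clientConfig
	registryClientConfig.BearerToken = ""
	registryClientConfig.CertFile = ""
	registryClientConfig.CertData = []byte{}
	registryClientConfig.KeyFile = ""
	registryClientConfig.KeyData = []byte{}
	// we have to set a username to something for the Docker login
	// but it's not actually used
	registryClientConfig.Username = "******"
	// set the "password" to be the token
	registryClientConfig.Password = token

	tlsConfig, err := kclient.TLSConfigFor(&registryClientConfig)
	if err != nil {
		return nil, nil, nil, err
	}

	// if the user specified a CA on the command line, add it to the
	// client config's CA roots
	if len(cfg.CABundle) > 0 {
		data, err := ioutil.ReadFile(cfg.CABundle)
		if err != nil {
			return nil, nil, nil, err
		}
		if tlsConfig.RootCAs == nil {
			// NOTE(review): a fresh pool replaces the system roots once a
			// bundle is given, so only the bundle's CAs are trusted — confirm intended.
			tlsConfig.RootCAs = x509.NewCertPool()
		}
		// AppendCertsFromPEM reports false when nothing in the bundle parsed;
		// ignoring that would leave the user believing their CA is trusted.
		if !tlsConfig.RootCAs.AppendCertsFromPEM(data) {
			return nil, nil, nil, errors.New("no certificates could be parsed from CA bundle " + cfg.CABundle)
		}
	}

	transport := http.Transport{
		TLSClientConfig: tlsConfig,
	}
	wrappedTransport, err := kclient.HTTPWrappersForConfig(&registryClientConfig, &transport)
	if err != nil {
		return nil, nil, nil, err
	}
	registryClient := &http.Client{
		Transport: wrappedTransport,
	}
	return osClient, kClient, registryClient, nil
}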