Add proxy server for Dashboard #2684
Conversation
| if strings.HasPrefix(req.RequestURI, "/dashboard") { | ||
| director(req) | ||
| req.Host = req.URL.Host | ||
| } |
There was a problem hiding this comment.
Ensuring no pdapi would be exposed.
|
how about passing the part、backend service、tls configs to the discovery service? then this discovery service can be a generic proxy server. |
That's ok for me but I think it is not necessary currently as I can't find out second service needed proxy to be exposed. |
pkg/discovery/server/proxy.go
Outdated
| } | ||
| proxy := httputil.NewSingleHostReverseProxy(url) | ||
| if url.Scheme == "https" { | ||
| tlsConfig, err := pdapi.GetTLSConfig(kubeCli, pdapi.Namespace(namespace), tcName, nil) |
There was a problem hiding this comment.
the client secret may be invalid or expired, we need to find a way to refresh HTTP server when the secret is updated
we can mount the secrets into the pod, and reload the TLS when necessary like PD, tidb
Co-authored-by: Yecheng Fu <[email protected]>
| RootCAs: rootCAs, | ||
| } | ||
| proxy.Transport = &http.Transport{TLSClientConfig: tlsConfig} | ||
| } |
There was a problem hiding this comment.
certs are loaded once at startup, I guess we should reload TLS certificates for every client request
There was a problem hiding this comment.
this is a simple mechanism to make sure this proxy will not fail when the certs are expired
we can also have some unit tests to verify this (this can be tracked in a separate issue)
ref: etcd-io/etcd#7829
There was a problem hiding this comment.
certs are loaded once at startup, I guess we should reload TLS certificates for every client request
Not sure whether this would be quite time-consuming but is this necessary?
There was a problem hiding this comment.
this is how PD/TiDB refresh TLS certificates too
it's possible to refresh on expiration (see etcd TODO), but I don't think it's necessary. just read certificates every time
actually these small disk files are cached in buffer in most time
There was a problem hiding this comment.
make sense. updated. now the proxy would be initialed each time
Signed-off-by: sre-bot <[email protected]>
|
cherry pick to release-1.1 in PR #2689 |
Signed-off-by: sre-bot <[email protected]> Co-authored-by: Song Gao <[email protected]>
What problem does this PR solve?
Close #2395
When
tlsClusteris enabled, dashboard should be visited after loaded pd client cert in browser which didn't make sense.What is changed and how does it work?
This pr make
discoveryservice as a proxy-server for the pd dashboard service like following.When
tlsClusteris enabled, the proxy-server would automatically loaded cert from secret and expose the http api. Also, proxy-server ensured that only requestURI started with/dashboardwould be redirected. No pdapi would be exposed by proxy-server.Related changes
Does this PR introduce a user-facing change?: