Add timeout to clientaccess http client

The default http client does not have an overall request timeout, so
connections to misbehaving or unavailable servers can stall for an
excessive amount of time. At the moment, just attempting to join
an unavailable cluster takes 2 minutes and 40 seconds to time out.

Resolve that by setting a reasonable request timeout.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
pull/2457/head
Brad Davidson 2020-09-26 02:44:21 -07:00 committed by Brad Davidson
parent ad981265c2
commit 22f57cd84e
1 changed files with 10 additions and 2 deletions


@ -10,12 +10,19 @@ import (
"net/http"
"net/url"
"strings"
"time"
"github.com/pkg/errors"
)
var (
defaultClientTimeout = 20 * time.Second
defaultClient = &http.Client{
Timeout: defaultClientTimeout,
}
insecureClient = &http.Client{
Timeout: defaultClientTimeout,
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
@ -150,13 +157,14 @@ func parseToken(token string) (*Info, error) {
// an empty CA bundle (which will always fail).
func GetHTTPClient(cacerts []byte) *http.Client {
if len(cacerts) == 0 {
return http.DefaultClient
return defaultClient
}
pool := x509.NewCertPool()
pool.AppendCertsFromPEM(cacerts)
return &http.Client{
Timeout: defaultClientTimeout,
Transport: &http.Transport{
DisableKeepAlives: true,
TLSClientConfig: &tls.Config{
@ -221,7 +229,7 @@ func getCACerts(u url.URL) ([]byte, error) {
// This first request is expected to fail. If the server has
// a cert that can be validated using the default CA bundle, return
// success with no CA certs.
_, err := get(url, http.DefaultClient, "", "")
_, err := get(url, defaultClient, "", "")
if err == nil {
return nil, nil
}
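Review bot: `http.Client.Timeout` bounds the whole exchange, including reading the response body, so the `Timeout: defaultClientTimeout` added to the client returned by the exported `GetHTTPClient` also cuts off any caller that streams a response for longer than 20 seconds. Whether such callers exist is not visible on this page; if they do, they need their own client or a per-request context deadline. The doc comment above `GetHTTPClient` should say so, for example `// The returned client applies defaultClientTimeout to the entire request, including the body read.` Separately, `defaultClientTimeout` is declared inside the `var` block and so stays mutable at package level; `const defaultClientTimeout = 20 * time.Second` would pin the value. The bodies of `GetHTTPClient` and `getCACerts` continue outside the hunks shown.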