From 22f57cd84e471f9e6680065d079ca56a0331e394 Mon Sep 17 00:00:00 2001
From: Brad Davidson
Date: Sat, 26 Sep 2020 02:44:21 -0700
Subject: [PATCH] Add timeout to clientaccess http client
The default http client does not have an overall request timeout, so connections to misbehaving or unavailable servers can stall for an excessive amount of time. At the moment, just attempting to join an unavailable cluster takes 2 minutes and 40 seconds to timeout. Resolve that by setting a reasonable request timeout.
Signed-off-by: Brad Davidson
---
 pkg/clientaccess/token.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/pkg/clientaccess/token.go b/pkg/clientaccess/token.go
index 585130f1ae..e0f1586adf 100644
--- a/pkg/clientaccess/token.go
+++ b/pkg/clientaccess/token.go
@@ -10,12 +10,19 @@ import (
 "net/http"
 "net/url"
 "strings"
+ "time"
 "github.com/pkg/errors"
 )
 var (
+ defaultClientTimeout = 20 * time.Second
+
+ defaultClient = &http.Client{
+ Timeout: defaultClientTimeout,
+ }
 insecureClient = &http.Client{
+ Timeout: defaultClientTimeout,
 Transport: &http.Transport{
 TLSClientConfig: &tls.Config{
 InsecureSkipVerify: true,
@@ -150,13 +157,14 @@ func parseToken(token string) (*Info, error) {
 // an empty CA bundle (which will always fail).
 func GetHTTPClient(cacerts []byte) *http.Client {
 if len(cacerts) == 0 {
- return http.DefaultClient
+ return defaultClient
 }
 pool := x509.NewCertPool()
 pool.AppendCertsFromPEM(cacerts)
 return &http.Client{
+ Timeout: defaultClientTimeout,
 Transport: &http.Transport{
 DisableKeepAlives: true,
 TLSClientConfig: &tls.Config{
@@ -221,7 +229,7 @@ func getCACerts(u url.URL) ([]byte, error) {
 // This first request is expected to fail. If the server has
 // a cert that can be validated using the default CA bundle, return
 // success with no CA certs.
- _, err := get(url, http.DefaultClient, "", "")
+ _, err := get(url, defaultClient, "", "")
 if err == nil {
 return nil, nil
 }
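Review bot: `insecureClient` in the first hunk (`@@ -10,12 +10,19 @@`) still carries `InsecureSkipVerify: true` with no comment saying what authenticates the data fetched through it, and this change edits that literal without adding one. A line such as `// insecureClient skips TLS certificate verification; callers must authenticate what it returns by other means.` above it would keep the client from being reused for requests that rely on TLS for trust. Separately, `defaultClientTimeout` is not reassigned in any visible line and could be `const defaultClientTimeout = 20 * time.Second` instead of a mutable package variable. The `var (` block and the `insecureClient` literal continue past the end of the hunk.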
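Review bot: The doc comment on the exported `GetHTTPClient` in the second hunk (`@@ -150,13 +157,14 @@`) does not say that both clients it can return now carry a 20-second `Timeout`. `http.Client.Timeout` bounds the whole exchange, including reading the response body, so a caller that uses this client for a long transfer would be cut off; whether such a caller exists is not visible here. I would add `// The returned client applies defaultClientTimeout to the entire request, including reading the response body.` to that comment. The comment starts above the hunk and the returned literal ends below it.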
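Review bot: In the third hunk (`@@ -221,7 +229,7 @@`) every error from the first `get` is handled alike, so a timeout from the new `defaultClient` takes the same path as the certificate-validation failure that the comment describes as expected. What follows `if err == nil` is outside the hunk, but if it issues another request, an unreachable server costs a second timeout and the caller cannot tell "unreachable" from "certificate not trusted". Returning early on a timeout would separate the two, for example `if te, ok := err.(interface{ Timeout() bool }); ok && te.Timeout() { return nil, err }`, assuming `get` returns the client's error unwrapped.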