From 7c86b407a0120eb12daaab95bdaae2b4bc9d8e70 Mon Sep 17 00:00:00 2001
From: Brad Davidson
Date: Tue, 28 Jun 2022 17:33:31 -0700
Subject: [PATCH] Fix egress selector proxy/bind-address support

Use same kubelet-preferred-address-types setting as RKE2 to improve reliability of the egress selector when using a HTTP proxy. Also, use BindAddressOrLoopback to ensure that the correct supervisor address is used when --bind-address is set.

Signed-off-by: Brad Davidson
---
 pkg/daemons/control/deps/deps.go | 2 +-
 pkg/daemons/control/server.go | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/daemons/control/deps/deps.go b/pkg/daemons/control/deps/deps.go
index a73fa6c484..8c9ea2e192 100644
--- a/pkg/daemons/control/deps/deps.go
+++ b/pkg/daemons/control/deps/deps.go
@@ -734,7 +734,7 @@ func genEgressSelectorConfig(controlConfig *config.Control) error {
 ProxyProtocol: apiserver.ProtocolHTTPConnect,
 Transport: &apiserver.Transport{
 TCP: &apiserver.TCPTransport{
- URL: fmt.Sprintf("https://%s:%d", controlConfig.Loopback(), controlConfig.SupervisorPort),
+ URL: fmt.Sprintf("https://%s:%d", controlConfig.BindAddressOrLoopback(false), controlConfig.SupervisorPort),
 TLSConfig: &apiserver.TLSConfig{
 CABundle: controlConfig.Runtime.ServerCA,
 ClientKey: controlConfig.Runtime.ClientKubeAPIKey,
diff --git a/pkg/daemons/control/server.go b/pkg/daemons/control/server.go
index f998556b26..c2185497bd 100644
--- a/pkg/daemons/control/server.go
+++ b/pkg/daemons/control/server.go
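Review bot: The `URL` in the `TCPTransport` is still assembled with `fmt.Sprintf("https://%s:%d", ...)`, which is only a well-formed URL when `BindAddressOrLoopback(false)` returns an IPv4 address or an already bracketed IPv6 literal; that helper is not visible in this hunk. If a bare IPv6 `--bind-address` can come back, build the authority with `net.JoinHostPort` instead, e.g. `URL: "https://" + net.JoinHostPort(controlConfig.BindAddressOrLoopback(false), strconv.Itoa(controlConfig.SupervisorPort)),` (assuming `SupervisorPort` is an `int` and that `net`/`strconv` are imported in deps.go, neither of which I can confirm from here). The bare `false` argument should also get a one-line comment stating what it selects, in particular what happens when the bind address is unspecified. Because this client verifies the supervisor against `Runtime.ServerCA`, the supervisor's serving certificate presumably has to list the bind address as a SAN now that loopback is no longer dialed; worth confirming. genEgressSelectorConfig starts and ends outside the hunk.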
@@ -193,6 +193,7 @@ func apiServer(ctx context.Context, cfg *config.Control) error {
 argsMap["kubelet-certificate-authority"] = runtime.ServerCA
 argsMap["kubelet-client-certificate"] = runtime.ClientKubeAPICert
 argsMap["kubelet-client-key"] = runtime.ClientKubeAPIKey
+ argsMap["kubelet-preferred-address-types"] = "InternalIP,ExternalIP,Hostname"
 argsMap["requestheader-client-ca-file"] = runtime.RequestHeaderCA
 argsMap["requestheader-allowed-names"] = deps.RequestHeaderCN
 argsMap["proxy-client-cert-file"] = runtime.ClientAuthProxyCert
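Review bot: The new `kubelet-preferred-address-types` assignment has no comment explaining why it departs from the kube-apiserver default order, and the chosen list omits the `InternalDNS` and `ExternalDNS` types entirely. Since `kubelet-certificate-authority` is set earlier in the same hunk, the apiserver validates the kubelet serving certificate against the address it dials, so preferring `InternalIP`/`ExternalIP` only works if kubelet certificates carry matching IP SANs; whether they do is not visible here. I would add above the line something like `// Prefer node IPs so apiserver->kubelet connections via the egress selector do not depend on hostname resolution; kubelet serving certs must include these IPs as SANs.` apiServer's body continues outside the hunk.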