fix(tls): set the correct scheme for Docker clients EE-6514 (#10917)

11 months ago · 717f0978d9
parent abf517de28
commit 717f0978d9
1 changed files with 15 additions and 37 deletions
--- a/api/docker/client/client.go
+++ b/api/docker/client/client.go
@ -18,7 +18,7 @@ import (
 	"github.com/segmentio/encoding/json"
 )

-var errUnsupportedEnvironmentType = errors.New("Environment not supported")
+var errUnsupportedEnvironmentType = errors.New("environment not supported")

 const (
 	defaultDockerRequestTimeout = 60 * time.Second
@ -48,9 +48,16 @@ func (factory *ClientFactory) CreateClient(endpoint *portainer.Endpoint, nodeNam
 	case portainer.AzureEnvironment:
 		return nil, errUnsupportedEnvironmentType
 	case portainer.AgentOnDockerEnvironment:
-		return createAgentClient(endpoint, factory.signatureService, nodeName, timeout)
+		return createAgentClient(endpoint, endpoint.URL, factory.signatureService, nodeName, timeout)
 	case portainer.EdgeAgentOnDockerEnvironment:
-		return createEdgeClient(endpoint, factory.signatureService, factory.reverseTunnelService, nodeName, timeout)
+		tunnel, err := factory.reverseTunnelService.GetActiveTunnel(endpoint)
+		if err != nil {
+			return nil, err
+		}
+
+		endpointURL := fmt.Sprintf("http://127.0.0.1:%d", tunnel.Port)
+
+		return createAgentClient(endpoint, endpointURL, factory.signatureService, nodeName, timeout)
 	}

 	if strings.HasPrefix(endpoint.URL, "unix://") || strings.HasPrefix(endpoint.URL, "npipe://") {
@ -93,7 +100,7 @@ func createTCPClient(endpoint *portainer.Endpoint, timeout *time.Duration) (*cli
 	)
 }

-func createEdgeClient(endpoint *portainer.Endpoint, signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, nodeName string, timeout *time.Duration) (*client.Client, error) {
+func createAgentClient(endpoint *portainer.Endpoint, endpointURL string, signatureService portainer.DigitalSignatureService, nodeName string, timeout *time.Duration) (*client.Client, error) {
 	httpCli, err := httpClient(endpoint, timeout)
 	if err != nil {
 		return nil, err
@ -113,47 +120,18 @@ func createEdgeClient(endpoint *portainer.Endpoint, signatureService portainer.D
 		headers[portainer.PortainerAgentTargetHeader] = nodeName
 	}

-	tunnel, err := reverseTunnelService.GetActiveTunnel(endpoint)
-	if err != nil {
-		return nil, err
-	}
-
-	endpointURL := fmt.Sprintf("http://127.0.0.1:%d", tunnel.Port)
-
-	return client.NewClientWithOpts(
+	opts := []client.Opt{
 		client.WithHost(endpointURL),
 		client.WithAPIVersionNegotiation(),
 		client.WithHTTPClient(httpCli),
 		client.WithHTTPHeaders(headers),
-	)
 	}

-func createAgentClient(endpoint *portainer.Endpoint, signatureService portainer.DigitalSignatureService, nodeName string, timeout *time.Duration) (*client.Client, error) {
-	httpCli, err := httpClient(endpoint, timeout)
-	if err != nil {
-		return nil, err
+	if nnTransport, ok := httpCli.Transport.(*NodeNameTransport); ok && nnTransport.TLSClientConfig != nil {
+		opts = append(opts, client.WithScheme("https"))
 	}

-	signature, err := signatureService.CreateSignature(portainer.PortainerAgentSignatureMessage)
-	if err != nil {
-		return nil, err
-	}
-
-	headers := map[string]string{
-		portainer.PortainerAgentPublicKeyHeader: signatureService.EncodedPublicKey(),
-		portainer.PortainerAgentSignatureHeader: signature,
-	}
-
-	if nodeName != "" {
-		headers[portainer.PortainerAgentTargetHeader] = nodeName
-	}
-
-	return client.NewClientWithOpts(
-		client.WithHost(endpoint.URL),
-		client.WithAPIVersionNegotiation(),
-		client.WithHTTPClient(httpCli),
-		client.WithHTTPHeaders(headers),
-	)
+	return client.NewClientWithOpts(opts...)
 }

 type NodeNameTransport struct {