remote: use endpoint address for buildkit client authority#3928
Open
jarqvi wants to merge 1 commit into
Open
Conversation
The remote driver created the buildkit client with an empty address:
client.New(ctx, "", opts...)
With an empty address the buildkit client falls back to the system
default address (the local unix socket) and derives the gRPC
":authority" pseudo-header from it, which ends up being "localhost".
The actual connection was still correct because the remote driver
provides its own dialer, but the wrong authority broke HTTP/2 reverse
proxies (such as Envoy) that route based on ":authority".
Pass the configured endpoint address to client.New so the authority is
derived from the remote endpoint hostname (e.g.
my-buildkit.example.com:443). The custom dialer is preserved, so the
dial target and TLS/SNI behavior are unchanged.
Fixes docker#3880
Signed-off-by: MohammadHasan Akbari <jarqvi.jarqvi@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The remote driver created the buildkit client with an empty address:
With an empty address the buildkit client falls back to the system default address (the local unix socket) and derives the gRPC ":authority" pseudo-header from it, which ends up being "localhost". The actual connection was still correct because the remote driver provides its own dialer, but the wrong authority broke HTTP/2 reverse proxies (such as Envoy) that route based on ":authority".
Pass the configured endpoint address to client.New so the authority is derived from the remote endpoint hostname (e.g.
my-buildkit.example.com:443). The custom dialer is preserved, so the dial target and TLS/SNI behavior are unchanged.
Fixes #3880