WatchConnectionManager's websocket Origin header uses port of -1 when no port specified

[kjcjohnson]

For the WatchConnectionManager, the websocket request's Origin header has the port set to -1 if no port was explicitly specified in the URL.

So for a URL of https://example.com/k8s/clusters/etc, the origin header ends up as

Origin: https://example.com:-1

instead of just

Origin: https://example.com

like would be expected.

This seems to be causing an issue when connecting to a Kubernetes cluster running under Rancher 2.2.5 or higher, which is now checking the Origin header against the Host header. See the related issue rancher/rancher#21777 where this is failing.

The problem is here:

kubernetes-client/kubernetes-client/src/main/java/io/fabric8/kubernetes/client/dsl/internal/WatchConnectionManager.java

Lines 147 to 151 in c175e1e

	Request request = new Request.Builder()
	.get()
	.url(httpUrlBuilder.build())
	.addHeader("Origin", requestUrl.getProtocol() + "://" + requestUrl.getHost() + ":" + requestUrl.getPort())
	.build();

Calling getPort() on a java.net.URL object will return -1 if the port is not set, and thus we end up with a port of -1 in the origin header.

I added some extra logging statements to print out the actual request headers and caught this "live":

Jul 26, 2019 4:27:54 PM FINE io.fabric8.kubernetes.client.dsl.internal.WatchConnectionManager runWatch

Connecting websocket ... io.fabric8.kubernetes.client.dsl.internal.WatchConnectionManager@297470a6

Jul 26, 2019 4:27:54 PM FINE io.fabric8.kubernetes.client.dsl.internal.WatchConnectionManager runWatch

Watch request to https://rancher.example.com/k8s/clusters/c-scffx/api/v1/namespaces/test-ns/pods?fieldSelector=metadata.name%3Dtestpod-zrmh2&watch=true {

Jul 26, 2019 4:27:54 PM FINE io.fabric8.kubernetes.client.dsl.internal.WatchConnectionManager runWatch

Origin: https://rancher.example.com:-1

Jul 26, 2019 4:27:54 PM FINE io.fabric8.kubernetes.client.dsl.internal.WatchConnectionManager runWatch

} End watch request.