use proper TLS transport for prometheus, log_search (#951)

operatorapi/operator_login.go

@@ -188,7 +188,7 @@ func getLoginDetailsResponse() (*models.LoginDetails, *models.Error) {
 	if oauth2.IsIdpEnabled() {
 		loginStrategy = models.LoginDetailsLoginStrategyRedirect
 		// initialize new oauth2 client
-		oauth2Client, err := oauth2.NewOauth2ProviderClient(ctx, nil, restapi.GetConsoleSTSClient())
+		oauth2Client, err := oauth2.NewOauth2ProviderClient(ctx, nil, restapi.GetConsoleHTTPClient())
 		if err != nil {
 			return nil, prepareError(err)
 		}

operatorapi/operator_subscription.go

@@ -224,7 +224,7 @@ func getSubscriptionRefreshResponse(session *models.Principal) (*models.License,
 	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
 	defer cancel()
 	client := &cluster.HTTPClient{
-		Client: restapi.GetConsoleSTSClient(),
+		Client: restapi.GetConsoleHTTPClient(),
 	}
 	licenseKey, err := retrieveLicense(context.Background(), session.STSSessionToken)
 	if err != nil {
@@ -280,7 +280,7 @@ func RefreshLicense() error {
 		return err
 	}
 	client := &cluster.HTTPClient{
-		Client: restapi.GetConsoleSTSClient(),
+		Client: restapi.GetConsoleHTTPClient(),
 	}
 	// Attempt to refresh license
 	_, refreshedLicenseKey, err := subscriptionRefresh(client, licenseKey)

operatorapi/operator_tenants.go

@@ -522,7 +522,7 @@ func getTenantDetailsResponse(session *models.Principal, params operator_api.Ten
 		license, _ := getSubscriptionLicense(context.Background(), &k8sClient, params.Namespace, minTenant.Spec.Console.ConsoleSecret.Name)
 		if license != "" {
 			client := &cluster.HTTPClient{
-				Client: restapi.GetConsoleSTSClient(),
+				Client: restapi.GetConsoleHTTPClient(),
 			}
 			licenseInfo, _, _ := subscriptionValidate(client, license, "", "")
 			// if licenseInfo is present attach it to the tenantInfo response

operatorapi/proxy.go

@@ -156,7 +156,7 @@ func serveProxy(responseWriter http.ResponseWriter, req *http.Request) {
 		}
 		loginReq.Header.Add("Content-Type", "application/json")
 
-		// FIXME: in the future we should use restapi.GetConsoleSTSClient()
+		// FIXME: in the future we should use restapi.GetConsoleHTTPClient()
 		tr := &http.Transport{
 			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 		}
@@ -218,7 +218,7 @@ func serveProxy(responseWriter http.ResponseWriter, req *http.Request) {
 	proxyCookieJar.SetCookies(targetURL, []*http.Cookie{proxiedCookie})
 
 	tr := &http.Transport{
-		// FIXME: use restapi.GetConsoleSTSClient()
+		// FIXME: use restapi.GetConsoleHTTPClient()
 		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 	}
 	client := &http.Client{Transport: tr,

restapi/admin_info.go

@@ -20,8 +20,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
-	"net/http"
 	"net/url"
 	"regexp"
 	"strings"
@@ -852,25 +850,20 @@ func getUsageWidgetsForDeployment(prometheusURL string, mAdmin *madmin.AdminClie
 }
 
 func unmarshalPrometheus(endpoint string, data interface{}) bool {
-	resp, err := http.Get(endpoint)
+	httpClnt := GetConsoleHTTPClient()
+	resp, err := httpClnt.Get(endpoint)
 	if err != nil {
 		LogError("Unable to fetch labels from prometheus %s, %v", endpoint, err)
 		return true
 	}
-
-	body, err := ioutil.ReadAll(resp.Body)
-	resp.Body.Close()
-	if err != nil {
-		LogError("Unexpected error reading response from prometheus %s, %v", endpoint, err)
-		return true
-	}
+	defer resp.Body.Close()
 
 	if resp.StatusCode != 200 {
-		LogError("Unexpected error from prometheus %s, %s (%s)", endpoint, string(body), resp.Status)
+		LogError("Unexpected error from prometheus %s (%s)", endpoint, resp.Status)
 		return true
 	}
 
-	if err = json.Unmarshal(body, data); err != nil {
+	if err = json.NewDecoder(resp.Body).Decode(data); err != nil {
 		LogError("Unexpected error reading response from prometheus %s, %v", endpoint, err)
 		return true
 	}

restapi/admin_subscription.go

@@ -66,7 +66,7 @@ func subscriptionValidate(client cluster.HTTPClientI, license, email, password s
 func getSubscriptionInfoResponse() (*models.License, *models.Error) {
 	var licenseInfo *models.License
 	client := &cluster.HTTPClient{
-		Client: GetConsoleSTSClient(),
+		Client: GetConsoleHTTPClient(),
 	}
 	licenseKey := retrieveLicense()
 	// validate license key and obtain license info

restapi/client-admin.go

@@ -54,7 +54,7 @@ func NewAdminClientWithInsecure(url, accessKey, secretKey, sessionToken string,
 	if err != nil {
 		return nil, err.Trace(url)
 	}
-	stsClient := PrepareSTSClient(insecure)
+	stsClient := PrepareConsoleHTTPClient(insecure)
 	s3Client.SetCustomTransport(stsClient.Transport)
 	return s3Client, nil
 }
@@ -420,7 +420,7 @@ func newAdminFromClaims(claims *models.Principal) (*madmin.AdminClient, error) {
 	if err != nil {
 		return nil, err
 	}
-	adminClient.SetCustomTransport(GetConsoleSTSClient().Transport)
+	adminClient.SetCustomTransport(GetConsoleHTTPClient().Transport)
 	return adminClient, nil
 }
 
@@ -438,14 +438,17 @@ func newAdminFromCreds(accessKey, secretKey, endpoint string, tlsEnabled bool) (
 	return minioClient, nil
 }
 
-// stsClient is a custom http client, this client should not be called directly and instead be
-// called using GetConsoleSTSClient() to ensure is initialized and the certificates are loaded correctly
-var stsClient *http.Client
+// httpClient is a custom http client, this client should not be called directly and instead be
+// called using GetConsoleHTTPClient() to ensure is initialized and the certificates are loaded correctly
+var httpClient *http.Client
 
-// GetConsoleSTSClient will initialize the console STS Client with Custom TLS Transport that with loads certs at .console/certs/CAs
-func GetConsoleSTSClient() *http.Client {
-	if stsClient == nil {
-		stsClient = PrepareSTSClient(false)
+// GetConsoleHTTPClient will initialize the console HTTP Client with fully populated custom TLS
+// Transport that with loads certs at
+// - ${HOME}/.console/certs/CAs
+// - ${HOME}/.minio/certs/CAs
+func GetConsoleHTTPClient() *http.Client {
+	if httpClient == nil {
+		httpClient = PrepareConsoleHTTPClient(false)
 	}
-	return stsClient
+	return httpClient
 }

restapi/client.go

@@ -311,7 +311,7 @@ func NewConsoleCredentials(accessKey, secretKey, location string) (*credentials.
 	// LDAP authentication for Console
 	case ldap.GetLDAPEnabled():
 		{
-			creds, err := auth.GetCredentialsFromLDAP(GetConsoleSTSClient(), getMinIOServer(), accessKey, secretKey)
+			creds, err := auth.GetCredentialsFromLDAP(GetConsoleHTTPClient(), getMinIOServer(), accessKey, secretKey)
 			if err != nil {
 				return nil, err
 			}
@@ -330,7 +330,7 @@ func NewConsoleCredentials(accessKey, secretKey, location string) (*credentials.
 				DurationSeconds: xjwt.GetConsoleSTSDurationInSeconds(),
 			}
 			stsAssumeRole := &credentials.STSAssumeRole{
-				Client:      GetConsoleSTSClient(),
+				Client:      GetConsoleHTTPClient(),
 				STSEndpoint: getMinIOServer(),
 				Options:     opts,
 			}
@@ -353,7 +353,7 @@ func newMinioClient(claims *models.Principal) (*minio.Client, error) {
 	minioClient, err := minio.New(getMinIOEndpoint(), &minio.Options{
 		Creds:     creds,
 		Secure:    getMinIOEndpointIsSecure(),
-		Transport: GetConsoleSTSClient().Transport,
+		Transport: GetConsoleHTTPClient().Transport,
 	})
 	if err != nil {
 		return nil, err

restapi/tls.go

@@ -54,9 +54,9 @@ func prepareSTSClientTransport(insecure bool) *http.Transport {
 	return DefaultTransport
 }
 
-// PrepareSTSClient returns an http.Client with custom configurations need it by *credentials.STSAssumeRole
+// PrepareConsoleHTTPClient returns an http.Client with custom configurations need it by *credentials.STSAssumeRole
 // custom configurations include the use of CA certificates
-func PrepareSTSClient(insecure bool) *http.Client {
+func PrepareConsoleHTTPClient(insecure bool) *http.Client {
 	transport := prepareSTSClientTransport(insecure)
 	// Return http client with default configuration
 	c := &http.Client{

restapi/user_log_search.go

@@ -19,7 +19,6 @@ package restapi
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"net/http"
 
 	"github.com/go-openapi/swag"
@@ -64,16 +63,12 @@ func getLogSearchResponse(params user_api.LogSearchParams) (*models.LogSearchRes
 }
 
 func logSearch(endpoint string) (*models.LogSearchResponse, *models.Error) {
-	resp, err := http.Get(endpoint)
-	if err != nil {
-		return nil, prepareError(err)
-	}
-
-	body, err := ioutil.ReadAll(resp.Body)
-	resp.Body.Close()
+	httpClnt := GetConsoleHTTPClient()
+	resp, err := httpClnt.Get(endpoint)
 	if err != nil {
 		return nil, prepareError(err)
 	}
+	defer resp.Body.Close()
 
 	if resp.StatusCode != 200 {
 		return nil, &models.Error{
@@ -83,13 +78,11 @@ func logSearch(endpoint string) (*models.LogSearchResponse, *models.Error) {
 	}
 
 	var results []logsearchServer.ReqInfoRow
-	if err = json.Unmarshal(body, &results); err != nil {
+	if err = json.NewDecoder(resp.Body).Decode(&results); err != nil {
 		return nil, prepareError(err)
 	}
 
-	response := models.LogSearchResponse{
+	return &models.LogSearchResponse{
 		Results: results,
-	}
-
-	return &response, nil
+	}, nil
 }

restapi/user_login.go

@@ -186,7 +186,7 @@ func getLoginDetailsResponse() (*models.LoginDetails, *models.Error) {
 	if oauth2.IsIdpEnabled() {
 		loginStrategy = models.LoginDetailsLoginStrategyRedirect
 		// initialize new oauth2 client
-		oauth2Client, err := oauth2.NewOauth2ProviderClient(ctx, nil, GetConsoleSTSClient())
+		oauth2Client, err := oauth2.NewOauth2ProviderClient(ctx, nil, GetConsoleHTTPClient())
 		if err != nil {
 			return nil, prepareError(err)
 		}
@@ -217,7 +217,7 @@ func getLoginOauth2AuthResponse(lr *models.LoginOauth2AuthRequest) (*models.Logi
 	defer cancel()
 	if oauth2.IsIdpEnabled() {
 		// initialize new oauth2 client
-		oauth2Client, err := oauth2.NewOauth2ProviderClient(ctx, nil, GetConsoleSTSClient())
+		oauth2Client, err := oauth2.NewOauth2ProviderClient(ctx, nil, GetConsoleHTTPClient())
 		if err != nil {
 			return nil, prepareError(err)
 		}