From 29d24f4d3846e142bd2d04a86e6e01ccb7020860 Mon Sep 17 00:00:00 2001
From: Kyle Lape
Date: Thu, 21 Jul 2022 10:09:06 -0500
Subject: [PATCH] Don't add /clusters/ prefix to /services/ requests

Currently all requests from bound service accounts get `/clusters/` prepended to the path in the front proxy with a few exeptions. None of those exceptions are for `/services/` requests. With `/services/` requests prepended with `/clusters/`, the front proxy will then route them to the KCP container instead of the virtual workspace server. KCP will remove the `/clusters/` prefix, create the logical cluster context, and then try to redirect the `/services/` request to the virtual workspace server. Rinse and repeat until the client gives up. This fix is to stop prepending `/clusters/` on requests to the virtual workspace server.
---
 pkg/server/handler.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pkg/server/handler.go b/pkg/server/handler.go
index 615411b7749..429b50bd1d2 100644
--- a/pkg/server/handler.go
+++ b/pkg/server/handler.go
@@ -280,6 +280,11 @@ func WithInClusterServiceAccountRequestRewrite(handler http.Handler) http.Handle
 return
 }

+ if strings.HasPrefix(req.RequestURI, "/services/") {
+ handler.ServeHTTP(w, req)
+ return
+ }
+
 prefix := "Bearer "
 token := req.Header.Get("Authorization")
 if !strings.HasPrefix(token, prefix) {
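Review bot: The new early return matches on `req.RequestURI`, which is the raw request-target exactly as the client sent it, so the prefix test and whatever later routes the request may disagree about the path (absolute-form targets, dot segments and percent-encoding are not normalised in that field). Because the branch sits before the Bearer-token parsing below and skips the `/clusters/` rewrite entirely, every request that passes it reaches `handler` without the service-account cluster scoping, which presumably leaves authorization for these paths to the virtual workspace server. I would match on the parsed path instead, `if strings.HasPrefix(req.URL.Path, "/services/") {`, and put `// /services/ goes to the virtual workspace server; skip the cluster rewrite (authorization for these paths must happen there)` above it so the trust assumption is explicit. The function starts before and continues past this hunk, so I cannot see which field the earlier exceptions test; if they also use `RequestURI`, the same concern applies to them.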