add proxy support

Author: krmodelski

package-lock.json

@@ -72,7 +72,9 @@
         "tar": "^7.0.0",
         "tmp-promise": "^3.0.2",
         "tslib": "^2.5.0",
-        "ws": "^8.18.0"
+        "ws": "^8.18.0",
+        "socks-proxy-agent": "^8.0.4",
+        "hpagent": "^1.2.0"
     },
     "devDependencies": {
         "@types/chai": "^5.0.0",

package.json

@@ -33,6 +33,8 @@ import {
 import { OpenIDConnectAuth } from './oidc_auth.js';
 import WebSocket from 'isomorphic-ws';
 import child_process from 'node:child_process';
+import { SocksProxyAgent } from 'socks-proxy-agent';
+import { HttpProxyAgent, HttpsProxyAgent } from 'hpagent';
 
 const SERVICEACCOUNT_ROOT: string = '/var/run/secrets/kubernetes.io/serviceaccount';
 const SERVICEACCOUNT_CA_PATH: string = SERVICEACCOUNT_ROOT + '/ca.crt';
@@ -248,7 +250,29 @@ export class KubeConfig implements SecurityAuthentication {
         agentOptions.passphrase = httpsOptions.passphrase;
         agentOptions.rejectUnauthorized = httpsOptions.rejectUnauthorized;
 
-        context.setAgent(new https.Agent(agentOptions));
+        let agent: https.Agent | SocksProxyAgent | HttpProxyAgent | HttpsProxyAgent;
+
+        if (cluster && cluster.proxyUrl) {
+            if (cluster.proxyUrl.startsWith('socks')) {
+                agent = new SocksProxyAgent(cluster.proxyUrl, agentOptions);
+            } else if (cluster.proxyUrl.startsWith('http')) {
+                agent = new HttpsProxyAgent({
+                    proxy: cluster.proxyUrl,
+                    ...agentOptions,
+                });
+            } else if (cluster.proxyUrl.startsWith('https')) {
+                agent = new HttpProxyAgent({
+                    proxy: cluster.proxyUrl,
+                    ...agentOptions,
+                });
+            } else {
+                throw new Error('Unsupported proxy type');
+            }
+        } else {
+            agent = new https.Agent(agentOptions);
+        }
+
+        context.setAgent(agent);
     }
 
     /**

src/config.ts

@@ -22,6 +22,7 @@ export interface Cluster {
     readonly server: string;
     readonly tlsServerName?: string;
     readonly skipTLSVerify: boolean;
+    readonly proxyUrl?: string;
 }
 
 export function newClusters(a: any, opts?: Partial<ConfigOptions>): Cluster[] {
@@ -43,6 +44,7 @@ export function exportCluster(cluster: Cluster): any {
             'certificate-authority': cluster.caFile,
             'insecure-skip-tls-verify': cluster.skipTLSVerify,
             'tls-server-name': cluster.tlsServerName,
+            'proxy-url': cluster.proxyUrl,
         },
     };
 }
@@ -68,6 +70,7 @@ function clusterIterator(
                 server: elt.cluster.server.replace(/\/$/, ''),
                 skipTLSVerify: elt.cluster['insecure-skip-tls-verify'] === true,
                 tlsServerName: elt.cluster['tls-server-name'],
+                proxyUrl: elt.cluster['proxy-url'],
             };
         } catch (err) {
             switch (onInvalidEntry) {

src/config_types.ts

@@ -0,0 +1,30 @@
+apiVersion: v1
+clusters:
+    - cluster:
+          certificate-authority-data: Q0FEQVRA
+          server: http://example2.com
+          proxy-url: socks://example:1187
+      name: clusterA
+
+contexts:
+    - context:
+          cluster: clusterA
+          user: userA
+      name: contextA
+
+current-context: contextA
+kind: Config
+preferences: {}
+users:
+    - name: userA
+      user:
+          client-certificate-data: XVNFUl9DQURBVEE=
+          client-key-data: XVNFUl9DS0RBVEE=
+    - name: userB
+      user:
+          client-certificate-data: XVNFUjJfQ0FEQVRB
+          client-key-data: XVNFUjJfQ0tEQVRB
+    - name: userC
+      user:
+          username: foo
+          password: bar