WebSocket connections make use of environment vars for PROXY #2321

Open
StevenBarre opened this issue Jan 15, 2025 · 3 comments
Labels: help wanted, kind/bug

@StevenBarre

What happened (please include outputs or screenshots):
The regular k8s client call does not make use of the environment vars for proxies, instead expecting you to pass it explicitly to the config. However, the websocket client will make use of those, which can be confusing.

What you expected to happen:
The regular and websocket clients should behave the same.

How to reproduce it (as minimally and precisely as possible):

```bash
# Get the example pod_exec script
wget https://raw.githubusercontent.com/kubernetes-client/python/refs/heads/release-31.0/examples/pod_exec.py
# Get your kubeconfig file
cp $KUBECONFIG .
# Create a requirements file
echo "kubernetes==31.0.0" > reqirements.txt
# Fire up a python 3.12 container
podman run -it --rm --name python -v="$(pwd):/app" docker.io/python:3.12.8-bookworm bash
# in the container, copy the kube-config
mkdir /root/.kube; cp /app/config /root/.kube/
# in the container, install the requirements
pip install -r /app/reqirements.txt
# Set an invalid proxy env var
export HTTPS_PROXY=https://example.com
# Run the example script
python3 /app/pod_exec.py
```

The script is able to ignore the HTTPS_PROXY and check for the existence of the busybox pod, then create it. But the part that uses a websocket/stream to do the exec fails as it can't connect to the dummy proxy.

```
Pod busybox-test does not exist. Creating it...
Done.
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/kubernetes/stream/ws_client.py", line 528, in websocket_call
    client = WSClient(configuration, url, headers, capture_all, binary=binary)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/kubernetes/stream/ws_client.py", line 68, in __init__
    self.sock = create_websocket(configuration, url, headers)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/kubernetes/stream/ws_client.py", line 494, in create_websocket
    websocket.connect(url, **connect_opt)
  File "/usr/local/lib/python3.12/site-packages/websocket/_core.py", line 256, in connect
    self.sock, addrs = connect(
                       ^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/websocket/_http.py", line 147, in connect
    sock = _tunnel(sock, hostname, port_from_url, auth)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/websocket/_http.py", line 339, in _tunnel
    raise WebSocketProxyException(f"failed CONNECT via proxy status: {status}")
websocket._exceptions.WebSocketProxyException: failed CONNECT via proxy status: 400

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/app/pod_exec.py", line 134, in <module>
    main()
  File "/app/pod_exec.py", line 130, in main
    exec_commands(core_v1)
  File "/app/pod_exec.py", line 76, in exec_commands
    resp = stream(api_instance.connect_get_namespaced_pod_exec,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/kubernetes/stream/stream.py", line 36, in _websocket_request
    out = api_method(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/kubernetes/client/api/core_v1_api.py", line 994, in connect_get_namespaced_pod_exec
    return self.connect_get_namespaced_pod_exec_with_http_info(name, namespace, **kwargs)  # noqa: E501
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/kubernetes/client/api/core_v1_api.py", line 1101, in connect_get_namespaced_pod_exec_with_http_info
    return self.api_client.call_api(
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/kubernetes/client/api_client.py", line 348, in call_api
    return self.__call_api(resource_path, method,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/kubernetes/client/api_client.py", line 180, in __call_api
    response_data = self.request(
                    ^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/kubernetes/stream/ws_client.py", line 538, in websocket_call
    raise ApiException(status=0, reason=str(e))
kubernetes.client.exceptions.ApiException: (0)
Reason: failed CONNECT via proxy status: 400
```

Anything else we need to know?:

Environment:

  • Kubernetes version (kubectl version): v1.27.16+03a907c
  • OS (e.g., MacOS 10.13.6): Debian 12
  • Python version (python --version): 3.12.8
  • Python client version (pip list | grep kubernetes): 31.0.0
StevenBarre added the kind/bug label Jan 15, 2025
@StevenBarre
Author

Additionally, it seems to parse NO_PROXY differently than curl.

In curl (https://curl.se/libcurl/c/CURLOPT_NOPROXY.html) you can match a subdomain with just the base domain, i.e. putting example.com in the NO_PROXY would match api.example.com. Whereas the k8s websocket would need a prefixed dot to match, i.e. .example.com with a leading dot to match api.example.com.
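
The NO_PROXY difference described in the comment above, as an added example (not part of the original comment and not code from curl, websocket-client or kubernetes-client): two simplified models of the matching rules and a helper that lists hosts on which they disagree, useful for auditing a NO_PROXY value before relying on it for API-server traffic. The function names and sample values are hypothetical, and ignoring a leading dot in the curl-style model is an assumption.

```python
# Added illustration: simplified models of two NO_PROXY interpretations.
# Neither function is curl's or websocket-client's actual implementation.

def _entries(no_proxy):
    """Split a comma-separated NO_PROXY value into lowercase entries."""
    return [e.strip().lower() for e in no_proxy.split(",") if e.strip()]


def bare_domain_matches_subdomains(host, no_proxy):
    """curl-style, as described in the comment: 'example.com' also covers
    'api.example.com'. Assumption: a leading dot on the entry is ignored."""
    host = host.lower().rstrip(".")
    for entry in _entries(no_proxy):
        entry = entry.lstrip(".")
        # Match the exact host or any subdomain at a label boundary.
        if host == entry or host.endswith("." + entry):
            return True
    return False


def leading_dot_required(host, no_proxy):
    """Behaviour the comment reports for the websocket path: a bare entry
    matches only the exact host; subdomains need a '.example.com' entry."""
    host = host.lower().rstrip(".")
    for entry in _entries(no_proxy):
        if entry.startswith("."):
            if host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def divergent_hosts(hosts, no_proxy):
    """Return hosts that one interpretation sends direct and the other
    sends through the proxy, i.e. where traffic takes an unexpected path."""
    return [h for h in hosts
            if bare_domain_matches_subdomains(h, no_proxy)
            != leading_dot_required(h, no_proxy)]


# Constructed sample input.
NO_PROXY = "example.com,.internal.test,10.0.0.1"
HOSTS = ["api.example.com", "example.com", "k8s.internal.test",
         "internal.test", "notexample.com", "10.0.0.1"]

if __name__ == "__main__":
    print(divergent_hosts(HOSTS, NO_PROXY))
```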

@yliaog
Contributor

yliaog commented Jan 29, 2025

/help

@k8s-ci-robot
Contributor

@yliaog:
This request has been marked as needing help from a contributor.

k8s-ci-robot added the help wanted label Jan 29, 2025