fix: improve construction of HTTP transports (#3573)

Signed-off-by: Hidde Beydals <[email protected]>

Author: hiddeco

internal/api/dex/proxy.go

@@ -5,11 +5,11 @@ import (
 	"crypto/x509"
 	"errors"
 	"fmt"
-	"net/http"
 	"net/http/httputil"
 	"net/url"
 	"os"
 
+	"github.com/hashicorp/go-cleanhttp"
 	"github.com/kelseyhightower/envconfig"
 )
 
@@ -49,14 +49,15 @@ func NewProxy(cfg ProxyConfig) (*httputil.ReverseProxy, error) {
 		}
 	}
 
-	proxy := httputil.NewSingleHostReverseProxy(target)
-	proxy.Transport = &http.Transport{
-		TLSClientConfig: &tls.Config{
-			MinVersion: tls.VersionTLS12,
-			RootCAs:    caCertPool,
-		},
+	transport := cleanhttp.DefaultPooledTransport()
+	transport.TLSClientConfig = &tls.Config{
+		MinVersion: tls.VersionTLS12,
+		RootCAs:    caCertPool,
 	}
 
+	proxy := httputil.NewSingleHostReverseProxy(target)
+	proxy.Transport = transport
+
 	return proxy, nil
 }
 

internal/api/option/auth.go

@@ -16,6 +16,7 @@ import (
 	"connectrpc.com/connect"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/golang-jwt/jwt/v5"
+	"github.com/hashicorp/go-cleanhttp"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	libClient "sigs.k8s.io/controller-runtime/pkg/client"
@@ -142,7 +143,7 @@ func newMultiClientVerifier(ctx context.Context, cfg config.ServerConfig) goOIDC
 // provider.Verifier() because they're not flexible enough to handle the Dex
 // proxy case.
 func getKeySet(ctx context.Context, cfg config.ServerConfig) (oidc.KeySet, error) {
-	httpClient := &http.Client{}
+	httpClient := cleanhttp.DefaultClient()
 
 	var discoURL string
 	if cfg.DexProxyConfig == nil {
@@ -165,12 +166,12 @@ func getKeySet(ctx context.Context, cfg config.ServerConfig) (oidc.KeySet, error
 			if ok := caCertPool.AppendCertsFromPEM(caCertBytes); !ok {
 				return nil, errors.New("invalid CA cert data")
 			}
-			httpClient.Transport = &http.Transport{
-				TLSClientConfig: &tls.Config{
-					MinVersion: tls.VersionTLS12,
-					RootCAs:    caCertPool,
-				},
+			transport := cleanhttp.DefaultTransport()
+			transport.TLSClientConfig = &tls.Config{
+				MinVersion: tls.VersionTLS12,
+				RootCAs:    caCertPool,
 			}
+			httpClient.Transport = transport
 		}
 	}
 

internal/cli/client/client.go

@@ -5,9 +5,9 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
-	"net/http"
 
 	"connectrpc.com/connect"
+	"github.com/hashicorp/go-cleanhttp"
 	"github.com/spf13/pflag"
 
 	"github.com/akuity/kargo/internal/cli/config"
@@ -57,13 +57,16 @@ func GetClient(
 	credential string,
 	insecureTLS bool,
 ) svcv1alpha1connect.KargoServiceClient {
-	httpClient := &http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: insecureTLS, // nolint: gosec
-			},
-		},
+	httpClient := cleanhttp.DefaultClient()
+
+	if insecureTLS {
+		transport := cleanhttp.DefaultTransport()
+		transport.TLSClientConfig = &tls.Config{
+			InsecureSkipVerify: true, // nolint: gosec
+		}
+		httpClient.Transport = transport
 	}
+
 	if credential == "" {
 		return svcv1alpha1connect.NewKargoServiceClient(httpClient, serverAddress)
 	}

internal/cli/cmd/login/login.go

@@ -19,6 +19,7 @@ import (
 	"github.com/AlecAivazis/survey/v2"
 	"github.com/bacongobbler/browser"
 	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/hashicorp/go-cleanhttp"
 	"github.com/spf13/cobra"
 	"golang.org/x/oauth2"
 	"k8s.io/utils/strings/slices"
@@ -266,16 +267,16 @@ func ssoLogin(
 
 	scopes := res.Msg.OidcConfig.Scopes
 
-	ctx = oidc.ClientContext(
-		ctx,
-		&http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{
-					InsecureSkipVerify: insecureTLS, // nolint: gosec
-				},
-			},
-		},
-	)
+	httpClient := cleanhttp.DefaultClient()
+	if insecureTLS {
+		transport := cleanhttp.DefaultTransport()
+		transport.TLSClientConfig = &tls.Config{
+			InsecureSkipVerify: true, // nolint: gosec
+		}
+		httpClient.Transport = transport
+	}
+	ctx = oidc.ClientContext(ctx, httpClient)
+
 	provider, err := oidc.NewProvider(ctx, res.Msg.OidcConfig.IssuerUrl)
 	if err != nil {
 		return "", "", fmt.Errorf("error initializing OIDC provider: %w", err)

internal/gitprovider/gitea/gitea.go

@@ -4,11 +4,11 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
-	"net/http"
 	"net/url"
 	"strings"
 
 	"code.gitea.io/sdk/gitea"
+	"github.com/hashicorp/go-cleanhttp"
 
 	"github.com/akuity/kargo/internal/git"
 	"github.com/akuity/kargo/internal/gitprovider"
@@ -94,15 +94,16 @@ func NewProvider(
 	if opts.Token != "" {
 		clientOpts = append(clientOpts, gitea.SetToken(opts.Token))
 	}
+
+	httpClient := cleanhttp.DefaultClient()
 	if opts.InsecureSkipTLSVerify {
-		clientOpts = append(clientOpts, gitea.SetHTTPClient(&http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{
-					InsecureSkipVerify: true, // nolint: gosec
-				},
-			},
-		}))
+		transport := cleanhttp.DefaultTransport()
+		transport.TLSClientConfig = &tls.Config{
+			InsecureSkipVerify: true, // nolint: gosec
+		}
+		httpClient.Transport = transport
 	}
+	clientOpts = append(clientOpts, gitea.SetHTTPClient(httpClient))
 
 	baseURL := fmt.Sprintf("%s://%s", scheme, host)
 	client, err := gitea.NewClient(baseURL, clientOpts...)

internal/gitprovider/github/github.go

@@ -4,11 +4,11 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
-	"net/http"
 	"net/url"
 	"strings"
 
 	"github.com/google/go-github/v56/github"
+	"github.com/hashicorp/go-cleanhttp"
 	"k8s.io/utils/ptr"
 
 	"github.com/akuity/kargo/internal/git"
@@ -87,17 +87,23 @@ func NewProvider(
 	if opts == nil {
 		opts = &gitprovider.Options{}
 	}
+
 	scheme, host, owner, repo, err := parseRepoURL(repoURL)
 	if err != nil {
 		return nil, err
 	}
-	client := github.NewClient(&http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: opts.InsecureSkipTLSVerify, // nolint: gosec
-			},
-		},
-	})
+
+	httpClient := cleanhttp.DefaultClient()
+	if opts.InsecureSkipTLSVerify {
+		transport := cleanhttp.DefaultTransport()
+		transport.TLSClientConfig = &tls.Config{
+			InsecureSkipVerify: true, // nolint: gosec
+		}
+		httpClient.Transport = transport
+	}
+
+	client := github.NewClient(httpClient)
+
 	if host != "github.com" {
 		baseURL := fmt.Sprintf("%s://%s", scheme, host)
 		// This function call will automatically add correct paths to the base URL
@@ -109,6 +115,7 @@ func NewProvider(
 	if opts.Token != "" {
 		client = client.WithAuthToken(opts.Token)
 	}
+
 	return &provider{
 		owner:  owner,
 		repo:   repo,

internal/gitprovider/gitlab/gitlab.go

@@ -4,10 +4,10 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
-	"net/http"
 	"net/url"
 	"strings"
 
+	"github.com/hashicorp/go-cleanhttp"
 	gitlab "gitlab.com/gitlab-org/api/client-go"
 
 	"github.com/akuity/kargo/internal/git"
@@ -75,33 +75,36 @@ func NewProvider(
 	if opts == nil {
 		opts = &gitprovider.Options{}
 	}
+
 	scheme, host, projectName, err := parseRepoURL(repoURL)
 	if err != nil {
 		return nil, err
 	}
+
 	clientOpts := make([]gitlab.ClientOptionFunc, 0, 2)
+
 	if host != "gitlab.com" {
 		clientOpts = append(
 			clientOpts,
 			gitlab.WithBaseURL(fmt.Sprintf("%s://%s/api/v4", scheme, host)),
 		)
 	}
+
+	httpClient := cleanhttp.DefaultClient()
 	if opts.InsecureSkipTLSVerify {
-		clientOpts = append(
-			clientOpts,
-			gitlab.WithHTTPClient(&http.Client{
-				Transport: &http.Transport{
-					TLSClientConfig: &tls.Config{
-						InsecureSkipVerify: true, // nolint: gosec
-					},
-				},
-			}),
-		)
+		transport := cleanhttp.DefaultTransport()
+		transport.TLSClientConfig = &tls.Config{
+			InsecureSkipVerify: true, // nolint: gosec
+		}
+		httpClient.Transport = transport
 	}
+	clientOpts = append(clientOpts, gitlab.WithHTTPClient(httpClient))
+
 	client, err := gitlab.NewClient(opts.Token, clientOpts...)
 	if err != nil {
 		return nil, err
 	}
+
 	return &provider{
 		projectName: projectName,
 		client:      client.MergeRequests,