Add preservePath option to proxy extension configuration

Signed-off-by: Alex Kattathra Johnson <[email protected]>

Author: alex-kattathra-johnson

docs/developer-guide/extensions/proxy-extensions.md

@@ -150,6 +150,12 @@ Defines a list with backend url by cluster.
 
 Is the address where the extension backend must be available.
 
+#### `extensions.backend.services.preservePath` (*boolean*)
+(optional)
+
+If true, the full url path is preserved when proxying (will not trim /extensions/<extension-name>).
+Useful when the backend service is configured to serve content at the `/extensions/<extension-name>` path.
+
 #### `extensions.backend.services.headers` (*list*)
 
 If provided, the headers list will be added on all outgoing requests
@@ -232,6 +238,30 @@ configuration:
                                              └─────────────────┘
 ```
 
+### Path Preservation with `preservePath`
+
+Some backend services are configured to serve content at a specific base path and may
+redirect requests to establish that path context. For these services, you need to use
+`preservePath: true` to prevent infinite redirect loops.
+
+Example configuration for Argo Rollouts dashboard:
+
+```yaml
+extension.config.rollouts: |
+  services:
+  - url: http://argo-rollouts-dashboard.argo-rollouts.svc:3100/extensions/rollouts
+    preservePath: true
+```
+
+**With `preservePath: true`:**
+1. Request: `/extensions/rollouts/` → Proxied as: `/extensions/rollouts/`
+2. Backend handles the request correctly at its expected path
+
+**Without `preservePath` (causes infinite redirects):**
+1. Request: `/extensions/rollouts/` → Proxied as: `/` (path stripped)
+2. Backend redirects from `/` to `/extensions/rollouts`
+3. Browser follows redirect → infinite loop
+
 ### Incoming Request Headers
 
 Note that Argo CD API Server requires additional HTTP headers to be

server/extension/extension.go

@@ -178,6 +178,11 @@ type ServiceConfig struct {
 	// Headers if provided, the headers list will be added on all
 	// outgoing requests for this service config.
 	Headers []Header `yaml:"headers"`
+
+	// PreservePath if true, will preserve the full original path when proxying
+	// requests instead of stripping the extension prefix. Default is false to
+	// maintain backward compatibility.
+	PreservePath bool `yaml:"preservePath,omitempty"`
 }
 
 // Header defines the header to be added in the proxy requests.
@@ -383,15 +388,21 @@ func NewManager(log *log.Entry, namespace string, sg SettingsGetter, ag Applicat
 // the Argo CD configmap.
 type ExtensionRegistry map[string]ProxyRegistry
 
+// Proxy extends httputil.ReverseProxy with additional configuration
+type Proxy struct {
+	*httputil.ReverseProxy
+	PreservePath bool
+}
+
 // ProxyRegistry is an in memory registry that contains all proxies for a
 // given extension. Different extensions will have independent proxy registries.
 // This is required to address the use case when one extension is configured with
 // multiple backend services in different clusters.
-type ProxyRegistry map[ProxyKey]*httputil.ReverseProxy
+type ProxyRegistry map[ProxyKey]*Proxy
 
 // NewProxyRegistry will instantiate a new in memory registry for proxies.
 func NewProxyRegistry() ProxyRegistry {
-	r := make(map[ProxyKey]*httputil.ReverseProxy)
+	r := make(map[ProxyKey]*Proxy)
 	return r
 }
 
@@ -511,12 +522,12 @@ func validateConfigs(configs *ExtensionConfigs) error {
 // NewProxy will instantiate a new reverse proxy based on the provided
 // targetURL and config. It will remove sensitive information from the
 // incoming request such as the Authorization and Cookie headers.
-func NewProxy(targetURL string, headers []Header, config ProxyConfig) (*httputil.ReverseProxy, error) {
+func NewProxy(targetURL string, headers []Header, config ProxyConfig, preservePath bool) (*Proxy, error) {
 	url, err := url.Parse(targetURL)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse proxy URL: %w", err)
 	}
-	proxy := &httputil.ReverseProxy{
+	reverseProxy := &httputil.ReverseProxy{
 		Transport: newTransport(config),
 		Director: func(req *http.Request) {
 			req.Host = url.Host
@@ -530,6 +541,10 @@ func NewProxy(targetURL string, headers []Header, config ProxyConfig) (*httputil
 			}
 		},
 	}
+	proxy := &Proxy{
+		ReverseProxy: reverseProxy,
+		PreservePath: preservePath,
+	}
 	return proxy, nil
 }
 
@@ -596,7 +611,7 @@ func (m *Manager) UpdateExtensionRegistry(s *settings.ArgoCDSettings) error {
 		proxyReg := NewProxyRegistry()
 		singleBackend := len(ext.Backend.Services) == 1
 		for _, service := range ext.Backend.Services {
-			proxy, err := NewProxy(service.URL, service.Headers, ext.Backend.ProxyConfig)
+			proxy, err := NewProxy(service.URL, service.Headers, ext.Backend.ProxyConfig, service.PreservePath)
 			if err != nil {
 				return fmt.Errorf("error creating proxy: %w", err)
 			}
@@ -617,7 +632,7 @@ func (m *Manager) UpdateExtensionRegistry(s *settings.ArgoCDSettings) error {
 func appendProxy(registry ProxyRegistry,
 	extName string,
 	service ServiceConfig,
-	proxy *httputil.ReverseProxy,
+	proxy *Proxy,
 	singleBackend bool,
 ) error {
 	if singleBackend {
@@ -717,7 +732,7 @@ func (m *Manager) authorize(ctx context.Context, rr *RequestResources, extName s
 
 // findProxy will search the given registry to find the correct proxy to use
 // based on the given extName and dest.
-func findProxy(registry ProxyRegistry, extName string, dest v1alpha1.ApplicationDestination) (*httputil.ReverseProxy, error) {
+func findProxy(registry ProxyRegistry, extName string, dest v1alpha1.ApplicationDestination) (*Proxy, error) {
 	// First try to find the proxy in the registry just by the extension name.
 	// This is the simple case for extensions with only one backend service.
 	key := proxyKey(extName, "", "")
@@ -785,7 +800,7 @@ func (m *Manager) CallExtension() func(http.ResponseWriter, *http.Request) {
 
 		user := m.userGetter.GetUser(r.Context())
 		groups := m.userGetter.GetGroups(r.Context())
-		prepareRequest(r, m.namespace, extName, app, user, groups)
+		prepareRequest(r, m.namespace, extName, app, user, groups, proxy.PreservePath)
 		m.log.WithFields(log.Fields{
 			HeaderArgoCDUsername:        user,
 			HeaderArgoCDGroups:          strings.Join(groups, ","),
@@ -819,8 +834,13 @@ func registerMetrics(extName string, metrics httpsnoop.Metrics, extensionMetrics
 //   - Cluster destination name
 //   - Cluster destination server
 //   - Argo CD authenticated username
-func prepareRequest(r *http.Request, namespace string, extName string, app *v1alpha1.Application, username string, groups []string) {
-	r.URL.Path = strings.TrimPrefix(r.URL.Path, fmt.Sprintf("%s/%s", URLPrefix, extName))
+func prepareRequest(r *http.Request, namespace string, extName string, app *v1alpha1.Application, username string, groups []string, preservePath bool) {
+	if !preservePath {
+		// Default behavior: strip the extension prefix from the path
+		r.URL.Path = strings.TrimPrefix(r.URL.Path, fmt.Sprintf("%s/%s", URLPrefix, extName))
+	}
+	// If preservePath is true, keep the original path as-is
+
 	r.Header.Set(HeaderArgoCDNamespace, namespace)
 	if app.Spec.Destination.Name != "" {
 		r.Header.Set(HeaderArgoCDTargetClusterName, app.Spec.Destination.Name)

server/extension/extension_test.go

@@ -735,6 +735,90 @@ func TestCallExtension(t *testing.T) {
 		require.NotNil(t, resp)
 		assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
 	})
+	t.Run("will preserve path when preservePath is true", func(t *testing.T) {
+		// given
+		t.Parallel()
+		f := setup()
+		withRbac(f, true, true)
+		withUser(f, "some-user", []string{"group1", "group2"})
+
+		clusterURL := "some-url"
+		app := getApp("", clusterURL, defaultProjectName)
+		proj := getProjectWithDestinations("project-name", nil, []string{clusterURL})
+		f.appGetterMock.On("Get", mock.Anything, mock.Anything).Return(app, nil)
+		withProject(proj, f)
+
+		// Create a backend server that echoes the received path
+		backendServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("X-Received-Path", r.URL.Path)
+			w.WriteHeader(http.StatusOK)
+			fmt.Fprint(w, "path:"+r.URL.Path)
+		}))
+		defer backendServer.Close()
+
+		// Configure extensions with preservePath settings
+		extensionConfig := fmt.Sprintf(`
+extensions:
+- name: preserve-path-ext
+  backend:
+    services:
+    - url: %s
+      preservePath: true
+- name: no-preserve-path-ext
+  backend:
+    services:
+    - url: %s
+      preservePath: false
+`, backendServer.URL, backendServer.URL)
+
+		withExtensionConfig(extensionConfig, f)
+		ts := startTestServer(t, f)
+		defer ts.Close()
+
+		test := func(extName string) {
+			var wg sync.WaitGroup
+			wg.Add(2)
+			f.metricsMock.
+				On("IncExtensionRequestCounter", extName, http.StatusOK).
+				Run(func(_ mock.Arguments) {
+					wg.Done()
+				})
+			f.metricsMock.
+				On("ObserveExtensionRequestDuration", extName, mock.Anything).
+				Run(func(_ mock.Arguments) {
+					wg.Done()
+				})
+
+			// when
+			backendPath := "/some/deep/path"
+			req := newExtensionRequest(t, "GET", fmt.Sprintf("%s/extensions/%s%s", ts.URL, extName, backendPath))
+
+			// then
+			resp, err := http.DefaultClient.Do(req)
+			require.NoError(t, err)
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+			switch extName {
+			case "preserve-path-ext":
+				assert.Equal(t, fmt.Sprintf("/extensions/%s%s", extName, backendPath), resp.Header.Get("X-Received-Path"))
+			case "no-preserve-path-ext":
+				assert.Equal(t, backendPath, resp.Header.Get("X-Received-Path"))
+			}
+
+			// waitgroup is necessary to make sure assertions aren't executed before
+			// the goroutine initiated by extension.CallExtension concludes which would
+			// lead to flaky test.
+			wg.Wait()
+			f.metricsMock.AssertCalled(t, "IncExtensionRequestCounter", extName, http.StatusOK)
+			f.metricsMock.AssertCalled(t, "ObserveExtensionRequestDuration", extName, mock.Anything)
+		}
+
+		// Test preservePath: true - should keep full path
+		test("preserve-path-ext")
+
+		// Test preservePath: false - should strip extension prefix
+		test("no-preserve-path-ext")
+	})
 }
 
 func getExtensionConfig(name, url string) string {