This is an automated email from the ASF dual-hosted git repository.
tiagobento pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/incubator-kie-tools.git
The following commit(s) were added to refs/heads/main by this push:
new 4e89c9b22d9 kie-issues#1925: Kubernetes requests not complying with
the insecurelyDisableTlsCertificateValidation flag on KIE Sandbox (#3063)
4e89c9b22d9 is described below
commit 4e89c9b22d9597d03bacffb78e72be67fcdfba28
Author: Thiago Lugli <[email protected]>
AuthorDate: Wed Apr 16 13:29:05 2025 -0300
kie-issues#1925: Kubernetes requests not complying with the
insecurelyDisableTlsCertificateValidation flag on KIE Sandbox (#3063)
---
.../k8s-yaml-to-apiserver-requests/dev/main.ts | 1 +
.../k8s-yaml-to-apiserver-requests/package.json | 1 +
.../src/k8sApiServerCalls.ts | 9 ++++++++
.../src/k8sApiServerEndpointsByResourceKind.ts | 25 ++++++++++++++++++----
.../devDeployments/services/KubernetesService.ts | 21 ++++++++++++++++--
pnpm-lock.yaml | 5 ++++-
repo/graph.dot | 4 +---
repo/graph.json | 12 +----------
8 files changed, 57 insertions(+), 21 deletions(-)
diff --git a/packages/k8s-yaml-to-apiserver-requests/dev/main.ts
b/packages/k8s-yaml-to-apiserver-requests/dev/main.ts
index 6b1167661b0..6bfc7b8d1dc 100644
--- a/packages/k8s-yaml-to-apiserver-requests/dev/main.ts
+++ b/packages/k8s-yaml-to-apiserver-requests/dev/main.ts
@@ -63,6 +63,7 @@ pnpm start https://api.to.my.openshift.cluster.com:6443
my-project sha256~MGnPXM
console.info("Start mapping API Server endpoints by Resource kinds...");
const k8sApiServerEndpointsByResourceKind = await
buildK8sApiServerEndpointsByResourceKind(
args.k8sApiServerUrl,
+ false,
args.k8sServiceAccountToken
);
console.info("Done.");
diff --git a/packages/k8s-yaml-to-apiserver-requests/package.json
b/packages/k8s-yaml-to-apiserver-requests/package.json
index 84759ffecf1..b6e89c26083 100644
--- a/packages/k8s-yaml-to-apiserver-requests/package.json
+++ b/packages/k8s-yaml-to-apiserver-requests/package.json
@@ -30,6 +30,7 @@
"@babel/core": "^7.16.0",
"@babel/preset-env": "^7.16.0",
"@babel/preset-react": "^7.16.0",
+ "@kie-tools/cors-proxy-api": "workspace:*",
"@kie-tools/eslint": "workspace:*",
"@kie-tools/root-env": "workspace:*",
"@kie-tools/tsconfig": "workspace:*",
diff --git a/packages/k8s-yaml-to-apiserver-requests/src/k8sApiServerCalls.ts
b/packages/k8s-yaml-to-apiserver-requests/src/k8sApiServerCalls.ts
index 6e658b7b4ea..b5d98066500 100644
--- a/packages/k8s-yaml-to-apiserver-requests/src/k8sApiServerCalls.ts
+++ b/packages/k8s-yaml-to-apiserver-requests/src/k8sApiServerCalls.ts
@@ -19,6 +19,7 @@
import * as jsYaml from "js-yaml";
import { K8sApiServerEndpointByResourceKind, K8sResourceYaml,
consoleDebugMessage } from "./common";
+import { CorsProxyHeaderKeys } from "@kie-tools/cors-proxy-api";
export async function callK8sApiServer(args: {
k8sApiServerEndpointsByResourceKind: K8sApiServerEndpointByResourceKind;
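Review bot: The import added here, `import { CorsProxyHeaderKeys } from "@kie-tools/cors-proxy-api";`, is a value import that is evaluated at runtime when the request headers are built, yet the package.json hunk of this commit lists `@kie-tools/cors-proxy-api` beside `@kie-tools/eslint`, `@kie-tools/root-env` and `@kie-tools/tsconfig`. That placement looks like the devDependencies list, though the section key is outside that hunk, so this is inferred. If this package is ever consumed unbundled, an install of production dependencies only would leave the import unresolved; moving the entry to `dependencies` avoids that. The same import is added in k8sApiServerEndpointsByResourceKind.ts. callK8sApiServer starts in this hunk and its body continues outside it.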
@@ -26,6 +27,7 @@ export async function callK8sApiServer(args: {
k8sApiServerUrl: string;
k8sNamespace: string;
k8sServiceAccountToken: string;
+ insecurelyDisableTlsCertificateValidation?: boolean;
}) {
const apiCalls = args.k8sResourceYamls.map((yamlDocument) => {
const rawEndpoints = args.k8sApiServerEndpointsByResourceKind
@@ -66,6 +68,13 @@ export async function callK8sApiServer(args: {
headers: {
Authorization: `Bearer ${args.k8sServiceAccountToken}`,
"Content-Type": "application/yaml",
+ ...(args.insecurelyDisableTlsCertificateValidation
+ ? {
+
[CorsProxyHeaderKeys.INSECURELY_DISABLE_TLS_CERTIFICATE_VALIDATION]: Boolean(
+ args.insecurelyDisableTlsCertificateValidation
+ ).toString(),
+ }
+ : {}),
},
method: "POST",
body: jsYaml.dump(apiCall.yaml),
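Review bot: Inside the truthy branch of the conditional spread, `Boolean(args.insecurelyDisableTlsCertificateValidation).toString()` can only evaluate to `"true"`, so the conversion hides a constant. Writing `[CorsProxyHeaderKeys.INSECURELY_DISABLE_TLS_CERTIFICATE_VALIDATION]: "true"` makes it obvious what is sent. The same expression is repeated in buildK8sApiServerEndpointsByResourceKind and in KubernetesService.kubernetesFetch; one small helper returning the header object would stop the three call sites from drifting apart. The new `insecurelyDisableTlsCertificateValidation?` field also deserves a TSDoc line, for example `/** When true, asks the proxy to skip server certificate checks; the bearer token is then sent to an unverified peer. */`, with the wording confirmed against the proxy's behaviour. The enclosing function begins and ends outside this hunk.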
diff --git
a/packages/k8s-yaml-to-apiserver-requests/src/k8sApiServerEndpointsByResourceKind.ts
b/packages/k8s-yaml-to-apiserver-requests/src/k8sApiServerEndpointsByResourceKind.ts
index e22b1199163..234c6f894b5 100644
---
a/packages/k8s-yaml-to-apiserver-requests/src/k8sApiServerEndpointsByResourceKind.ts
+++
b/packages/k8s-yaml-to-apiserver-requests/src/k8sApiServerEndpointsByResourceKind.ts
@@ -18,6 +18,7 @@
*/
import { K8sApiServerEndpointByResourceKind, consoleDebugMessage } from
"./common";
+import { CorsProxyHeaderKeys } from "@kie-tools/cors-proxy-api";
type K8sApiResourceList = {
resources: Array<{
@@ -32,10 +33,26 @@ type K8sApiGroups = {
groups: Array<{ versions: { groupVersion: string } }>;
};
-export async function
buildK8sApiServerEndpointsByResourceKind(kubeApiServerUrl: string, token?:
string) {
- const fetchOpts = token // Optional, as local k8s won't require
authentication...
- ? { headers: { Authorization: `Bearer ${token}` } }
- : {};
+export async function buildK8sApiServerEndpointsByResourceKind(
+ kubeApiServerUrl: string,
+ insecurelyDisableTlsCertificateValidation?: boolean,
+ token?: string
+) {
+ const fetchOpts =
+ token || insecurelyDisableTlsCertificateValidation // Optional, as local
k8s won't require authentication...
+ ? {
+ headers: {
+ ...(token ? { Authorization: `Bearer ${token}` } : {}),
+ ...(insecurelyDisableTlsCertificateValidation
+ ? {
+
[CorsProxyHeaderKeys.INSECURELY_DISABLE_TLS_CERTIFICATE_VALIDATION]: Boolean(
+ insecurelyDisableTlsCertificateValidation
+ ).toString(),
+ }
+ : {}),
+ },
+ }
+ : {};
// Resource kind --> API Group version --> URLs (global and namespaced)
const map: K8sApiServerEndpointByResourceKind = new Map();
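Review bot: The new `insecurelyDisableTlsCertificateValidation?: boolean` parameter is inserted before `token` in an exported function, so a caller still written as `(url, token)` now passes its token in the flag position. Typed callers get a compile error, but an untyped or loosely typed caller would send no `Authorization` header and, because a non-empty token is truthy, would switch certificate validation off. Appending the parameter keeps the old call shape valid: `token?: string, insecurelyDisableTlsCertificateValidation?: boolean`. The trailing comment `// Optional, as local k8s won't require authentication...` now sits on the combined condition and belongs on the `token` spread instead. The function body continues outside the hunk.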
diff --git
a/packages/online-editor/src/devDeployments/services/KubernetesService.ts
b/packages/online-editor/src/devDeployments/services/KubernetesService.ts
index dce15a3ffeb..716e3ec1a90 100644
--- a/packages/online-editor/src/devDeployments/services/KubernetesService.ts
+++ b/packages/online-editor/src/devDeployments/services/KubernetesService.ts
@@ -31,6 +31,7 @@ import {
import Path from "path";
import { DeploymentState } from "./common";
import { ResourceActions } from "./types";
+import { CorsProxyHeaderKeys } from "@kie-tools/cors-proxy-api";
export interface KubernetesConnection {
namespace: string;
@@ -185,7 +186,11 @@ export class KubernetesService {
args: Omit<KubernetesServiceArgs, "k8sApiServerEndpointsByResourceKind">
) {
const baseUrl = KubernetesService.getBaseUrl(args);
- return await buildK8sApiServerEndpointsByResourceKind(baseUrl,
args.connection.token);
+ return await buildK8sApiServerEndpointsByResourceKind(
+ baseUrl,
+ args.connection.insecurelyDisableTlsCertificateValidation,
+ args.connection.token
+ );
}
public static getBaseUrl(args: Omit<KubernetesServiceArgs,
"k8sApiServerEndpointsByResourceKind">) {
@@ -194,8 +199,19 @@ export class KubernetesService {
public async kubernetesFetch(path: string, init?: RequestInit):
Promise<Response> {
const url = new URL(Path.join(this.baseUrl, path));
+ const headers = {
+ Authorization: `Bearer ${this.args.connection.token}`,
+ ...(this.args.connection.insecurelyDisableTlsCertificateValidation
+ ? {
+
[CorsProxyHeaderKeys.INSECURELY_DISABLE_TLS_CERTIFICATE_VALIDATION]: Boolean(
+ this.args.connection.insecurelyDisableTlsCertificateValidation
+ ).toString(),
+ }
+ : {}),
+ ...init?.headers,
+ };
return await fetch(url, {
- headers: { Authorization: `Bearer ${this.args.connection.token}`,
...init?.headers },
+ headers,
...init,
});
}
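Review bot: In `fetch(url, { headers, ...init })` the `...init` spread comes after `headers`, so whenever a caller passes `init.headers` the merged object built above is replaced wholesale. Both the `Authorization` header and the new TLS flag header are then missing from the request, which means the flag is still not honoured on exactly those calls. Putting the merged headers last fixes it: `return await fetch(url, { ...init, headers });`. The removed lines show the same ordering before this commit, so the problem is inherited rather than introduced. Separately, `...init?.headers` merges correctly only when the caller supplies a plain object; a `Headers` instance or an array of pairs, both permitted by `RequestInit`, would not be merged as intended.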
@@ -235,6 +251,7 @@ export class KubernetesService {
k8sApiServerUrl: this.args.connection.host,
k8sNamespace: this.args.connection.namespace,
k8sServiceAccountToken: this.args.connection.token,
+ insecurelyDisableTlsCertificateValidation:
this.args.connection.insecurelyDisableTlsCertificateValidation,
});
}
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index c08936ce399..f965bed5612 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -6523,6 +6523,9 @@ importers:
'@babel/preset-react':
specifier: ^7.16.0
version: 7.22.15(@babel/[email protected])
+ '@kie-tools/cors-proxy-api':
+ specifier: workspace:*
+ version: link:../cors-proxy-api
'@kie-tools/eslint':
specifier: workspace:*
version: link:../eslint
@@ -57528,7 +57531,7 @@ snapshots:
'@tsconfig/node14': 1.0.3
'@tsconfig/node16': 1.0.3
'@types/node': 22.10.7
- acorn: 8.12.1
+ acorn: 8.10.0
acorn-walk: 8.2.0
arg: 4.1.0
create-require: 1.1.1
diff --git a/repo/graph.dot b/repo/graph.dot
index 938067d671c..3a5ffe57add 100644
--- a/repo/graph.dot
+++ b/repo/graph.dot
@@ -445,9 +445,7 @@ digraph G {
"@kie-tools/jest-base" -> "@kie-tools/root-env" [ style = "dashed", color =
"blue" ];
"@kie-tools/jobs-service-webapp" -> "@kie-tools-core/webpack-base" [ style =
"dashed", color = "blue" ];
"@kie-tools/json-yaml-language-service" -> "@kie-tools/yaml-language-server"
[ style = "solid", color = "blue" ];
- "@kie-tools-core/k8s-yaml-to-apiserver-requests" -> "@kie-tools/eslint" [
style = "dashed", color = "purple" ];
- "@kie-tools-core/k8s-yaml-to-apiserver-requests" -> "@kie-tools/root-env" [
style = "dashed", color = "purple" ];
- "@kie-tools-core/k8s-yaml-to-apiserver-requests" -> "@kie-tools/tsconfig" [
style = "dashed", color = "purple" ];
+ "@kie-tools-core/k8s-yaml-to-apiserver-requests" ->
"@kie-tools/cors-proxy-api" [ style = "dashed", color = "purple" ];
"@kie-tools-core/keyboard-shortcuts" -> "@kie-tools-core/envelope-bus" [
style = "solid", color = "purple" ];
"@kie-tools-core/keyboard-shortcuts" -> "@kie-tools-core/operating-system" [
style = "solid", color = "purple" ];
"@kie-tools/kie-bc-editors" -> "@kie-tools-core/editor" [ style = "solid",
color = "blue" ];
diff --git a/repo/graph.json b/repo/graph.json
index 854d2edffbe..ecb034a1fa3 100644
--- a/repo/graph.json
+++ b/repo/graph.json
@@ -1835,17 +1835,7 @@
},
{
"source": "@kie-tools-core/k8s-yaml-to-apiserver-requests",
- "target": "@kie-tools/eslint",
- "weight": 1
- },
- {
- "source": "@kie-tools-core/k8s-yaml-to-apiserver-requests",
- "target": "@kie-tools/root-env",
- "weight": 1
- },
- {
- "source": "@kie-tools-core/k8s-yaml-to-apiserver-requests",
- "target": "@kie-tools/tsconfig",
+ "target": "@kie-tools/cors-proxy-api",
"weight": 1
},
{