Merge pull request #2555 from lucferbux/rhoaieng-2380

Force tls and add ca bundle to k8s library
opendatahub-io · Mar 11, 2024 · c37a3b1 · c37a3b1
2 parents cce1449 + 50e9de8
commit c37a3b1
Show file tree

Hide file tree

Showing 7 changed files with 66 additions and 16 deletions.
diff --git a/backend/src/routes/api/proxy/index.ts b/backend/src/routes/api/proxy/index.ts
@@ -61,7 +61,6 @@ export default async (fastify: KubeFastifyInstance): Promise<void> => {
         url,
         overrideContentType: contentType,
         requestData,
-        rejectUnauthorized: false,
       })
         .then(([rawData]) => rawData)
         .catch((error) => {

diff --git a/backend/src/routes/wss/k8s/index.ts b/backend/src/routes/wss/k8s/index.ts
@@ -3,6 +3,7 @@ import { KubeFastifyInstance, OauthFastifyRequest } from '../../../types';
 import { getDirectCallOptions } from '../../../utils/directCallUtils';
 import { getAccessToken } from '../../../utils/directCallUtils';
 import { ClientRequest, IncomingMessage } from 'http';
+import https from 'https';
 
 const base64 = (data: string): string =>
   // This usage of toString is fine for decoding
@@ -67,7 +68,7 @@ export default async (fastify: KubeFastifyInstance): Promise<void> => {
               req.headers.origin ||
               `http://${typeof serverAddress === 'string' ? serverAddress : serverAddress.address}`,
           },
-          ca: requestOptions.ca as WebSocket.CertMeta,
+          ca: https.globalAgent.options.ca as WebSocket.CertMeta,
         });
 
         const close = (code: number, reason: string) => {

diff --git a/backend/src/server.ts b/backend/src/server.ts
@@ -3,6 +3,8 @@ import pino from 'pino';
 import { APP_ENV, PORT, IP, LOG_LEVEL } from './utils/constants';
 import { initializeApp } from './app';
 import { AddressInfo } from 'net';
+import https from 'https';
+import fs from 'fs';
 
 const transport =
   APP_ENV === 'development'
@@ -36,7 +38,31 @@ app.listen({ port: PORT, host: IP }, (err) => {
     app.log.error(err);
     process.exit(1); // eslint-disable-line
   }
+  // Load CA bundle used in our API calls
+  // ca.crt is the default CA bundle provided by the service account for kubernetes
+  // service-ca.crt is the CA bundle provided by the service account for kubernetes used by prometheus
+  // odh-ca-bundle.crt and odh-trusted-ca-bundle.crt are the CA bundles provided by the ODH platform
+  const caPaths = [
+    '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt',
+    '/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt',
+    '/etc/pki/tls/certs/odh-ca-bundle.crt',
+    '/etc/pki/tls/certs/odh-trusted-ca-bundle.crt',
+  ]
+    .map(getCABundle)
+    .filter((ca) => ca !== undefined);
+
+  https.globalAgent.options.ca = caPaths;
+
   const address: AddressInfo = app.server.address() as AddressInfo;
   console.log('Fastify Connected...');
   console.log(`Server listening on >>>  ${address.address}:${address.port}`);
 });
+
+const getCABundle = (path: string) => {
+  try {
+    return fs.readFileSync(path);
+  } catch (e) {
+    // ignore
+  }
+  return undefined;
+};
diff --git a/backend/src/utils/directCallUtils.ts b/backend/src/utils/directCallUtils.ts
@@ -12,12 +12,12 @@ export const getDirectCallOptions = async (
   fastify: KubeFastifyInstance,
   request: OauthFastifyRequest,
   url: string,
-): Promise<RequestOptions> => {
+): Promise<Pick<RequestOptions, 'headers'>> => {
   // Use our kube setup to boostrap our request
   const kc = fastify.kube.config;
   const kubeOptions: Parameters<typeof kc.applyToRequest>[0] = { url };
   await kc.applyToRequest(kubeOptions);
-  const { headers: kubeHeaders, ca } = kubeOptions;
+  const { headers: kubeHeaders } = kubeOptions;
 
   // Adjust the header auth token
   let headers;
@@ -49,7 +49,6 @@ export const getDirectCallOptions = async (
   }
 
   return {
-    ca,
     headers,
   };
 };
diff --git a/backend/src/utils/httpUtils.ts b/backend/src/utils/httpUtils.ts
@@ -29,8 +29,6 @@ type ProxyData = {
   requestData?: string | Buffer;
   /** Option to substitute your own content type for the API call -- defaults to JSON */
   overrideContentType?: string;
-  /** Allow for unauthorized SSL connections to succeed */
-  rejectUnauthorized?: boolean;
 };
 
 /** Ideally these would all be required, but https by node seems to think there are cases when it does not know the code or message */
@@ -46,7 +44,7 @@ export const proxyCall = (
   data: ProxyData,
 ): Promise<[string, ProxyCallStatus]> => {
   return new Promise((resolve, reject) => {
-    const { method, requestData, overrideContentType, url, rejectUnauthorized } = data;
+    const { method, requestData, overrideContentType, url } = data;
 
     getDirectCallOptions(fastify, request, url)
       .then((requestOptions) => {
@@ -67,10 +65,6 @@ export const proxyCall = (
           };
         }
 
-        if (rejectUnauthorized !== undefined) {
-          requestOptions.rejectUnauthorized = rejectUnauthorized;
-        }
-
         fastify.log.info(`Making ${method} proxy request to ${url}`);
 
         const web = (url: string) => {

diff --git a/backend/src/utils/prometheusUtils.ts b/backend/src/utils/prometheusUtils.ts
@@ -27,7 +27,6 @@ const callPrometheus = async <T>(
   return proxyCall(fastify, request, {
     method: 'GET',
     url,
-    rejectUnauthorized: false,
   })
     .then(([rawData, status]) => {
       if (rejectOnHttpErrorCode && status.code >= 400) {

diff --git a/manifests/base/deployment.yaml b/manifests/base/deployment.yaml
@@ -57,8 +57,18 @@ spec:
           successThreshold: 1
           failureThreshold: 3
         volumeMounts:
-          - mountPath: /etc/pki/tls/certs
-            name: trusted-ca-bundle
+          - mountPath: /etc/pki/tls/certs/odh-trusted-ca-bundle.crt
+            name: odh-trusted-ca-cert
+            subPath: odh-trusted-ca-bundle.crt
+          - mountPath: /etc/ssl/certs/odh-trusted-ca-bundle.crt
+            name: odh-trusted-ca-cert
+            subPath: odh-trusted-ca-bundle.crt
+          - mountPath: /etc/pki/tls/certs/odh-ca-bundle.crt
+            name: odh-ca-cert
+            subPath: odh-ca-bundle.crt
+          - mountPath: /etc/ssl/certs/odh-ca-bundle.crt
+            name: odh-ca-cert
+            subPath: odh-ca-bundle.crt
       - name: oauth-proxy
         env:
           - name: NAMESPACE
@@ -118,6 +128,18 @@ spec:
             name: oauth-config
           - mountPath: /etc/oauth/client
             name: oauth-client
+          - mountPath: /etc/pki/tls/certs/odh-trusted-ca-bundle.crt
+            name: odh-trusted-ca-cert
+            subPath: odh-trusted-ca-bundle.crt
+          - mountPath: /etc/ssl/certs/odh-trusted-ca-bundle.crt
+            name: odh-trusted-ca-cert
+            subPath: odh-trusted-ca-bundle.crt
+          - mountPath: /etc/pki/tls/certs/odh-ca-bundle.crt
+            name: odh-ca-cert
+            subPath: odh-ca-bundle.crt
+          - mountPath: /etc/ssl/certs/odh-ca-bundle.crt
+            name: odh-ca-cert
+            subPath: odh-ca-bundle.crt
       volumes:
       - name: proxy-tls
         secret:
@@ -128,7 +150,17 @@ spec:
       - name: oauth-client
         secret:
           secretName: dashboard-oauth-client-generated
-      - name: trusted-ca-bundle
+      - name: odh-trusted-ca-cert
         configMap:
           name: odh-trusted-ca-bundle
+          items:
+          - key: ca-bundle.crt
+            path: odh-trusted-ca-bundle.crt
+          optional: true
+      - name: odh-ca-cert
+        configMap:
+          name: odh-trusted-ca-bundle
+          items:
+          - key: odh-ca-bundle.crt
+            path: odh-ca-bundle.crt
           optional: true