backend(oidc): Add support for custom CA and skipping TLS verification #2880

yolossn · 2025-02-10T13:35:30Z

this patch adds support for custom CA and skipping TLS verification for OIDC provider verification. This improves flexibility for users working with self-signed OIDC providers.

this patch adds support for custom CA and skipping TLS verification for OIDC provider verification. This improves flexibility for users working with self-signed OIDC providers. Signed-off-by: yolossn <[email protected]>

github-actions · 2025-02-10T14:12:14Z

Backend Code coverage changed from 65.0% to 64.4%. Change: -.6% 😞.

Coverage report

github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:102:			ServeHTTP				58.3%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:151:			fileExists				100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:161:			copyReplace				63.6%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:185:			baseURLReplace				100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:213:			getOidcCallbackURL			91.7%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:240:			serveWithNoCacheHeader			33.3%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:249:			defaultKubeConfigPersistenceDir		61.5%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:277:			defaultKubeConfigPersistenceFile	75.0%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:290:			addPluginRoutes				50.0%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:344:			createHeadlampHandler			38.1%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:737:			parseClusterAndToken			100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:754:			decodePayload				85.7%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:768:			getExpiryTime				75.0%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:777:			isTokenAboutToExpire			76.9%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:800:			refreshAndCacheNewToken			0.0%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:823:			getNewTokenFromRefresh			0.0%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:847:			cacheRefreshedToken			0.0%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:872:			OIDCTokenRefreshMiddleware		30.8%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:928:			StartHeadlampServer			66.7%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:942:			getHelmHandler				53.8%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:970:			checkHeadlampBackendToken		100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:983:			handleClusterHelm			33.3%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1062:			handleClusterAPI			51.6%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1118:			handleClusterRequests			66.7%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1126:			getClusters				71.4%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1169:			parseCustomNameClusters			38.1%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1223:			parseClusterFromKubeConfig		83.3%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1257:			getConfig				75.0%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1268:			addCluster				57.9%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1303:			decodeClusterRequest			71.4%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1318:			processClusterRequest			100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1327:			processKubeConfig			83.3%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1344:			processManualConfig			100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1364:			handleLoadErrors			66.7%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1379:			writeKubeConfig				70.0%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1399:			addContextsToStore			80.0%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1411:			deleteCluster				0.0%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1460:			getKubeConfigPath			66.7%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1469:			handleStatelessClusterRename		50.0%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1483:			customNameToExtenstions			45.5%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1516:			updateCustomContextToCache		50.0%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1549:			getPathAndLoadKubeconfig		55.6%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1572:			renameCluster				53.1%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1635:			addClusterSetupRoute			100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1663:			handleNodeDrain				45.5%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1728:			drainNode				37.5%
github.com/headlamp-k8s/headlamp/backend/cmd/headlamp.go:1778:			handleNodeDrainStatus			52.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:120:		NewWSConnLock				100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:129:		WriteJSON				100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:139:		ReadJSON				100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:146:		ReadMessage				100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:152:		WriteMessage				100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:162:		Close					100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:170:		NewMultiplexer				100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:183:		updateStatus				76.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:243:		establishClusterConnection		81.8%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:289:		getClusterConfigWithFallback		100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:306:		createConnection			100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:328:		dialWebSocket				87.5%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:356:		monitorConnection			54.5%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:381:		reconnect				100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:411:		HandleClientWebSocket			72.7%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:454:		readClientMessage			100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:475:		getOrCreateConnection			100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:504:		handleConnectionError			75.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:526:		writeMessageToCluster			100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:544:		handleClusterMessages			85.7%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:562:		processClusterMessage			75.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:605:		sendIfNewResourceVersion		75.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:648:		sendCompleteMessage			100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:679:		sendDataMessage				88.9%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:702:		cleanupConnection			100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:719:		createWrapperMessage			100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:739:		cleanupConnections			100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:756:		getClusterConfig			85.7%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:771:		CloseConnection				81.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:812:		createConnectionKey			100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/multiplexer.go:817:		createWebSocketURL			100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/server.go:14:			main					0.0%
github.com/headlamp-k8s/headlamp/backend/cmd/stateless.go:17:			MarshalCustomObject			60.0%
github.com/headlamp-k8s/headlamp/backend/cmd/stateless.go:42:			setKeyInCache				50.0%
github.com/headlamp-k8s/headlamp/backend/cmd/stateless.go:71:			handleStatelessReq			51.5%
github.com/headlamp-k8s/headlamp/backend/cmd/stateless.go:143:			parseKubeConfig				75.0%
github.com/headlamp-k8s/headlamp/backend/cmd/stateless.go:182:			websocketConnContextKey			100.0%
github.com/headlamp-k8s/headlamp/backend/cmd/stateless.go:232:			getContextKeyForRequest			76.9%
github.com/headlamp-k8s/headlamp/backend/pkg/cache/cache.go:40:			New					100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/cache/cache.go:52:			Set					100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/cache/cache.go:57:			SetWithTTL				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/cache/cache.go:75:			Delete					100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/cache/cache.go:85:			Get					100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/cache/cache.go:102:		GetAll					100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/cache/cache.go:122:		cleanUp					100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/cache/cache.go:140:		UpdateTTL				88.9%
github.com/headlamp-k8s/headlamp/backend/pkg/config/config.go:43:		Validate				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/config/config.go:65:		Parse					65.4%
github.com/headlamp-k8s/headlamp/backend/pkg/config/config.go:168:		flagset					100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/config/config.go:195:		defaultPluginDir			61.5%
github.com/headlamp-k8s/headlamp/backend/pkg/config/config.go:228:		GetDefaultKubeConfigPath		66.7%
github.com/headlamp-k8s/headlamp/backend/pkg/exec/exec.go:74:			init					100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/exec/exec.go:89:			newCache				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/exec/exec.go:93:			cacheKey				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/exec/exec.go:109:			get					100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/exec/exec.go:118:			put					85.7%
github.com/headlamp-k8s/headlamp/backend/pkg/exec/exec.go:143:			Do					100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/exec/exec.go:168:			GetAuthenticator			0.0%
github.com/headlamp-k8s/headlamp/backend/pkg/exec/exec.go:172:			newAuthenticator			86.7%
github.com/headlamp-k8s/headlamp/backend/pkg/exec/exec.go:224:			isInteractive				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/exec/exec.go:300:			UpdateTransportConfig			64.3%
github.com/headlamp-k8s/headlamp/backend/pkg/exec/exec.go:341:			WrappedRoundTripper			0.0%
github.com/headlamp-k8s/headlamp/backend/pkg/exec/exec.go:345:			RoundTrip				71.4%
github.com/headlamp-k8s/headlamp/backend/pkg/exec/exec.go:371:			credsExpired				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/exec/exec.go:378:			cert					75.0%
github.com/headlamp-k8s/headlamp/backend/pkg/exec/exec.go:386:			getCreds				85.7%
github.com/headlamp-k8s/headlamp/backend/pkg/exec/exec.go:403:			maybeRefreshCreds			80.0%
github.com/headlamp-k8s/headlamp/backend/pkg/exec/exec.go:419:			refreshCredsLocked			92.5%
github.com/headlamp-k8s/headlamp/backend/pkg/exec/exec.go:531:			wrapCmdRunErrorLocked			90.9%
github.com/headlamp-k8s/headlamp/backend/pkg/exec/syscallattr_other.go:9:	GetSysProcAttr				0.0%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/charts.go:27:			listCharts				89.5%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/charts.go:77:			ListCharts				72.7%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/handler.go:35:		NewActionConfig				87.5%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/handler.go:54:		NewHandler				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/handler.go:60:		NewHandlerWithSettings			60.0%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/handler.go:85:		ToRESTConfig				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/handler.go:89:		ToRawKubeConfigLoader			100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/handler.go:93:		ToDiscoveryClient			83.3%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/handler.go:109:		ToRESTMapper				71.4%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/handler.go:129:		getReleaseStatus			0.0%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/handler.go:165:		setReleaseStatus			60.0%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/handler.go:188:		setReleaseStatusSilent			66.7%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:53:		getReleases				57.1%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:112:		ListRelease				68.4%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:158:		GetRelease				0.0%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:217:		GetReleaseHistory			46.2%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:277:		UninstallRelease			55.6%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:334:		uninstallRelease			71.4%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:357:		Validate				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:362:		RollbackRelease				51.6%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:421:		rollbackRelease				75.0%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:453:		Validate				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:458:		handleError				0.0%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:463:		returnResponse				71.4%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:479:		InstallRelease				72.2%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:513:		getChart				35.0%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:565:		installRelease				60.7%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:625:		Validate				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:630:		UpgradeRelease				60.0%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:666:		logActionState				75.0%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:687:		upgradeRelease				63.6%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:731:		Validate				0.0%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/release.go:749:		GetActionStatus				0.0%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/repository.go:35:		createFileIfNotThere			100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/repository.go:47:		lockRepositoryFile			87.5%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/repository.go:68:		addRepository				61.8%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/repository.go:131:		AddRepo					72.2%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/repository.go:176:		createFullPath				66.7%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/repository.go:184:		listRepositories			69.2%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/repository.go:213:		ListRepo				58.3%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/repository.go:236:		RemoveRepository			64.0%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/repository.go:279:		RemoveRepo				66.7%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/repository.go:291:		UpdateRepository			68.2%
github.com/headlamp-k8s/headlamp/backend/pkg/helm/repository.go:333:		UpdateRepository			81.8%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/contextStore.go:26:	NewContextStore				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/contextStore.go:35:	AddContext				23.1%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/contextStore.go:64:	GetContexts				85.7%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/contextStore.go:80:	GetContext				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/contextStore.go:90:	RemoveContext				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/contextStore.go:95:	AddContextWithKeyAndTTL			100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/contextStore.go:100:	UpdateTTL				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/file.go:14:		WriteToFile				86.7%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/file.go:48:		RemoveContextFromFile			75.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:67:	DeepCopyObject				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:72:	DeepCopy				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:92:	Error					100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:103:	Error					100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:114:	Error					100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:125:	Error					100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:138:	Error					100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:150:	ClientConfig				80.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:184:	RESTConfig				75.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:195:	makeTransportFor			14.3%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:239:	OidcConfig				0.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:271:	ProxyRequest				83.3%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:285:	ClientSetWithToken			66.7%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:299:	SourceStr				60.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:313:	SetupProxy				91.7%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:338:	AuthType				66.7%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:356:	LoadContextsFromFile			100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:371:	LoadContextsFromBase64String		100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:383:	LoadContextsFromMultipleFiles		100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:406:	loadContextsFromData			85.7%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:440:	UnmarshalKubeconfig			100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:452:	GetContextsFromKubeconfig		100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:468:	ProcessContext				90.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:517:	extractContextInfo			71.4%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:535:	extractClusterAndUserNames		83.3%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:552:	getClusterAndUser			100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:573:	createAndValidateConfig			90.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:605:	getNameOrUnknown			75.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:616:	HandleConfigLoadError			100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:657:	checkBase64Errors			90.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:680:	checkUserBase64Fields			100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:700:	checkClusterBase64Fields		100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:716:	toStringKeyMap				83.3%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:732:	getCluster				87.5%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:750:	getUser					80.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:771:	createKubeConfig			100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:794:	convertToContext			85.7%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:835:	LoadContextsFromAPIConfig		76.5%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:874:	splitKubeConfigPath			75.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:884:	GetInClusterContext			0.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:935:	LoadAndStoreKubeConfigs			83.3%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/kubeconfig.go:960:	makeDNSFriendly				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/watcher.go:17:		LoadAndWatchFiles			58.3%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/watcher.go:69:		addFilesToWatcher			64.7%
github.com/headlamp-k8s/headlamp/backend/pkg/kubeconfig/watcher.go:111:		syncContexts				77.3%
github.com/headlamp-k8s/headlamp/backend/pkg/logger/logger.go:29:		Log					100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/logger/logger.go:36:		log					75.0%
github.com/headlamp-k8s/headlamp/backend/pkg/logger/logger.go:80:		SetLogFunc				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/plugins/plugins.go:30:		Watch					77.8%
github.com/headlamp-k8s/headlamp/backend/pkg/plugins/plugins.go:51:		periodicallyWatchSubfolders		75.0%
github.com/headlamp-k8s/headlamp/backend/pkg/plugins/plugins.go:84:		generateSeparatePluginPaths		90.0%
github.com/headlamp-k8s/headlamp/backend/pkg/plugins/plugins.go:105:		GeneratePluginPaths			100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/plugins/plugins.go:120:		ListPlugins				68.0%
github.com/headlamp-k8s/headlamp/backend/pkg/plugins/plugins.go:173:		pluginBasePathListForDir		77.3%
github.com/headlamp-k8s/headlamp/backend/pkg/plugins/plugins.go:219:		canSendRefresh				77.8%
github.com/headlamp-k8s/headlamp/backend/pkg/plugins/plugins.go:240:		HandlePluginEvents			70.0%
github.com/headlamp-k8s/headlamp/backend/pkg/plugins/plugins.go:266:		PopulatePluginsCache			66.7%
github.com/headlamp-k8s/headlamp/backend/pkg/plugins/plugins.go:292:		HandlePluginReload			80.0%
github.com/headlamp-k8s/headlamp/backend/pkg/plugins/plugins.go:328:		Delete					85.7%
github.com/headlamp-k8s/headlamp/backend/pkg/plugins/plugins.go:343:		isSubdirectory				75.0%
github.com/headlamp-k8s/headlamp/backend/pkg/portforward/handler.go:46:		Validate				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/portforward/handler.go:80:		getFreePort				75.0%
github.com/headlamp-k8s/headlamp/backend/pkg/portforward/handler.go:99:		StartPortForward			52.4%
github.com/headlamp-k8s/headlamp/backend/pkg/portforward/handler.go:182:	startPortForward			61.4%
github.com/headlamp-k8s/headlamp/backend/pkg/portforward/handler.go:278:	checkIfPodIsRunning			71.4%
github.com/headlamp-k8s/headlamp/backend/pkg/portforward/handler.go:300:	Validate				100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/portforward/handler.go:313:	StopOrDeletePortForward			52.4%
github.com/headlamp-k8s/headlamp/backend/pkg/portforward/handler.go:354:	GetPortForwards				53.3%
github.com/headlamp-k8s/headlamp/backend/pkg/portforward/handler.go:385:	GetPortForwardByID			50.0%
github.com/headlamp-k8s/headlamp/backend/pkg/portforward/store.go:16:		portforwardKeyGenerator			100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/portforward/store.go:33:		portforwardstore			75.0%
github.com/headlamp-k8s/headlamp/backend/pkg/portforward/store.go:46:		stopOrDeletePortForward			69.2%
github.com/headlamp-k8s/headlamp/backend/pkg/portforward/store.go:74:		getPortForwardList			77.8%
github.com/headlamp-k8s/headlamp/backend/pkg/portforward/store.go:94:		getPortForwardByID			100.0%
github.com/headlamp-k8s/headlamp/backend/pkg/utils/utils.go:4:			Contains				100.0%
total:										(statements)				64.4%

Html coverage report download

yolossn · 2025-02-10T14:19:02Z

I’ve added support for both skipping TLS verification (oidc-skip-tls-verify) and specifying a CA file (oidc-ca-file) for OIDC.

Although TLS skip verification was introduced in #130, it applies to all clusters, not just in-cluster. This update ensures that TLS settings are applied specifically for in-cluster OIDC configuration.

https://github.com/headlamp-k8s/headlamp/blob/main/backend/cmd/headlamp.go#L520-L530

@illume, should we deprecate the existing insecure flag in favor of oidc-skip-tls-verify, or keep it for backward compatibility?

yolossn · 2025-02-10T14:24:16Z

@gecube @mlbiam Self signed CA support is added. Can you check if this fix works for you?

#127 (comment)
#2207

illume · 2025-02-11T02:52:04Z

keep it for backward compatibility

We definitely need to keep it for backwards compatibility.

illume

Thanks for this.

I left some notes inline.

Can you please add tests and a description of how to test manually in the PR?
Probably the related issue(s) should be in the PR description.
There will need to be support added to the helm chart.
docs in oidc.md ?

illume · 2025-02-11T03:00:39Z

backend/pkg/config/config.go

+		}
+		// check if the file is a valid PEM file
+		caCertPool := x509.NewCertPool()
+		if !caCertPool.AppendCertsFromPEM(caFile) {


Can you please rename the caFile to caFileContents? Currently it shares the same convention as the config.OidcCAFile... which lead me to believe from just reading this part that it was a filename.

It might also be worth renaming config.OidcCAFile to config.OidcCAFilePath to be more explicit.

illume · 2025-02-11T03:08:23Z

backend/pkg/kubeconfig/kubeconfig.go

+	IdpIssuerURL  string
+	Scopes        []string
+	SkipTLSVerify bool
+	CACert        string


Can you please document this field?

illume · 2025-02-11T03:10:51Z

backend/cmd/headlamp.go

+
+		if oidcAuthConfig.SkipTLSVerify {
+			tr := &http.Transport{
+				TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, //nolint:gosec


Please leave a justification in a comment for why gosec was disabled here?

illume · 2025-02-11T03:11:06Z

backend/cmd/headlamp.go

+
+			secureTLSClient := &http.Client{
+				Transport: &http.Transport{
+					TLSClientConfig: &tls.Config{RootCAs: caCertPool}, //nolint:gosec


Please leave a justification in a comment for why gosec was disabled here?

illume · 2025-02-11T03:15:56Z

backend/cmd/server.go

+			os.Exit(1)
+		}
+
+		headlampConfig.oidcCACert = string(caFile)


I wonder if there is a string - []byte issue here? Why not leave it as []byte?

The functions that use it use []byte, and I see at least one case where it's not being cast back to []byte?

func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool)

illume · 2025-02-11T03:17:02Z

backend/pkg/kubeconfig/kubeconfig.go

@@ -243,11 +245,25 @@ func (c *Context) OidcConfig() (*OidcConfig, error) {
 		return nil, errors.New("authProvider is nil")
 	}

+	var caCert string
+
+	caFilePath, ok := c.AuthInfo.AuthProvider.Config["idp-certificate-authority"]


Can you please explain what this is in a comment?

illume · 2025-02-11T03:22:33Z

backend/pkg/kubeconfig/kubeconfig.go

+
+	caFilePath, ok := c.AuthInfo.AuthProvider.Config["idp-certificate-authority"]
+	if ok {
+		caFile, err := os.ReadFile(caFilePath)


I wonder where caFilePath comes from and if the path needs to be validated?

dosubot bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Feb 10, 2025

yolossn force-pushed the support-oidc-custom-certs branch from 247dfa7 to dc9f4e9 Compare February 10, 2025 14:03

yolossn force-pushed the support-oidc-custom-certs branch from dc9f4e9 to df018e2 Compare February 10, 2025 14:07

illume requested changes Feb 11, 2025

View reviewed changes

illume added enhancement New feature or request backend Issues related to the backend security labels Feb 11, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

backend(oidc): Add support for custom CA and skipping TLS verification #2880

backend(oidc): Add support for custom CA and skipping TLS verification #2880

yolossn commented Feb 10, 2025

github-actions bot commented Feb 10, 2025

yolossn commented Feb 10, 2025 •

edited

Loading

yolossn commented Feb 10, 2025

illume commented Feb 11, 2025

illume left a comment •

edited

Loading

illume Feb 11, 2025

illume Feb 11, 2025

illume Feb 11, 2025

illume Feb 11, 2025

illume Feb 11, 2025

illume Feb 11, 2025

illume Feb 11, 2025

backend(oidc): Add support for custom CA and skipping TLS verification #2880

Are you sure you want to change the base?

backend(oidc): Add support for custom CA and skipping TLS verification #2880

Conversation

yolossn commented Feb 10, 2025

github-actions bot commented Feb 10, 2025

yolossn commented Feb 10, 2025 • edited Loading

yolossn commented Feb 10, 2025

illume commented Feb 11, 2025

illume left a comment • edited Loading

Choose a reason for hiding this comment

illume Feb 11, 2025

Choose a reason for hiding this comment

illume Feb 11, 2025

Choose a reason for hiding this comment

illume Feb 11, 2025

Choose a reason for hiding this comment

illume Feb 11, 2025

Choose a reason for hiding this comment

illume Feb 11, 2025

Choose a reason for hiding this comment

illume Feb 11, 2025

Choose a reason for hiding this comment

illume Feb 11, 2025

Choose a reason for hiding this comment

yolossn commented Feb 10, 2025 •

edited

Loading

illume left a comment •

edited

Loading