feat: Set vars when TLS disabled or Dev enabled

cmd/gitops-server/cmd/cmd.go

@@ -100,7 +100,7 @@ func NewCommand() *cobra.Command {
 }
 
 func runCmd(cmd *cobra.Command, args []string) error {
-	log, err := logger.New(options.LogLevel, options.Insecure)
+	log, err := logger.New(options.LogLevel, options.DevMode)
 	if err != nil {
 		return err
 	}
@@ -181,7 +181,8 @@ func runCmd(cmd *cobra.Command, args []string) error {
 		}
 
 		if options.DevMode {
-			log.Info("WARNING: dev mode enabled. This should be used for local work only")
+			log.Info("WARNING: dev mode enabled. Authentication will be bypassed in some instances. This should be used for LOCAL WORK ONLY.")
+			os.Setenv(server.DevModeFeatureFlag, "true")
 			tsv.SetDevMode(options.DevUser)
 		}
 
@@ -286,7 +287,10 @@ func runCmd(cmd *cobra.Command, args []string) error {
 
 func listenAndServe(log logr.Logger, srv *http.Server, options Options) error {
 	if options.Insecure {
-		log.Info("TLS connections disabled")
+		log.Info(
+			"WARNING: TLS connections disabled by the `--insecure` flag. All data INCLUDING AUTH TOKENS will be transmitted without encryption.")
+		os.Setenv(server.TlsDisabledFeatureFlag, "true")
+
 		return srv.ListenAndServe()
 	}
 

pkg/server/handler.go

@@ -19,6 +19,10 @@ import (
 
 const (
 	AuthEnabledFeatureFlag = "WEAVE_GITOPS_AUTH_ENABLED"
+	TlsDisabledFeatureFlag = "WEAVE_GITOPS_TLS_DISABLED"
+	DevModeFeatureFlag     = "WEAVE_GITOPS_DEV_MODE_ENABLED"
+	ClusterUserAuthFlag    = "CLUSTER_USER_AUTH"
+	OidcAuthFlag           = "OIDC_AUTH"
 )
 
 var (
@@ -31,6 +35,10 @@ func AuthEnabled() bool {
 	return os.Getenv(AuthEnabledFeatureFlag) == "true"
 }
 
+func TlsEnabled() bool {
+	return os.Getenv(TlsDisabledFeatureFlag) != "true"
+}
+
 type Config struct {
 	AppConfig        *ApplicationsConfig
 	AppOptions       []ApplicationsOption
@@ -41,7 +49,7 @@ type Config struct {
 
 func NewHandlers(ctx context.Context, log logr.Logger, cfg *Config) (http.Handler, error) {
 	mux := runtime.NewServeMux(middleware.WithGrpcErrorLogging(log))
-	httpHandler := middleware.WithLogging(log, mux)
+	httpHandler := middleware.WithLogging(log, mux, TlsEnabled())
 
 	if AuthEnabled() {
 		clustersFetcher, err := fetcher.NewSingleClusterFetcher(cfg.CoreServerConfig.RestCfg)

pkg/server/middleware/middleware.go

@@ -44,15 +44,15 @@ func WithGrpcErrorLogging(log logr.Logger) runtime.ServeMuxOption {
 
 // WithLogging adds basic logging for HTTP requests.
 // Note that this accepts a grpc-gateway ServeMux instead of an http.Handler.
-func WithLogging(log logr.Logger, mux *runtime.ServeMux) http.Handler {
+func WithLogging(log logr.Logger, mux *runtime.ServeMux, secure bool) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		recorder := &statusRecorder{
 			ResponseWriter: w,
 			Status:         200,
 		}
 		mux.ServeHTTP(recorder, r)
 
-		l := log.WithValues("uri", r.RequestURI, "status", recorder.Status)
+		l := log.WithValues("uri", r.RequestURI, "status", recorder.Status, "tls-secured", secure)
 
 		if recorder.Status < 400 {
 			l.V(logger.LogLevelDebug).Info(RequestOkText)

pkg/server/server.go

@@ -227,7 +227,9 @@ func (s *applicationServer) ValidateProviderToken(ctx context.Context, msg *pb.V
 func (s *applicationServer) GetFeatureFlags(ctx context.Context, msg *pb.GetFeatureFlagsRequest) (*pb.GetFeatureFlagsResponse, error) {
 	flags := make(map[string]string)
 
-	flags["WEAVE_GITOPS_AUTH_ENABLED"] = os.Getenv("WEAVE_GITOPS_AUTH_ENABLED")
+	flags[AuthEnabledFeatureFlag] = os.Getenv(AuthEnabledFeatureFlag)
+	flags[TlsDisabledFeatureFlag] = os.Getenv(TlsDisabledFeatureFlag)
+	flags[DevModeFeatureFlag] = os.Getenv(DevModeFeatureFlag)
 
 	cl, err := s.clientGetter.Client(ctx)
 	if err != nil {
@@ -242,12 +244,12 @@ func (s *applicationServer) GetFeatureFlags(ctx context.Context, msg *pb.GetFeat
 
 	if err != nil {
 		if apierrors.IsNotFound(err) {
-			flags["CLUSTER_USER_AUTH"] = "false"
+			flags[ClusterUserAuthFlag] = "false"
 		} else {
 			s.log.Error(err, "could not get secret for cluster user")
 		}
 	} else {
-		flags["CLUSTER_USER_AUTH"] = "true"
+		flags[ClusterUserAuthFlag] = "true"
 	}
 
 	err = cl.Get(ctx, client.ObjectKey{
@@ -257,12 +259,12 @@ func (s *applicationServer) GetFeatureFlags(ctx context.Context, msg *pb.GetFeat
 
 	if err != nil {
 		if apierrors.IsNotFound(err) {
-			flags["OIDC_AUTH"] = "false"
+			flags[OidcAuthFlag] = "false"
 		} else {
 			s.log.Error(err, "could not get secret for oidc")
 		}
 	} else {
-		flags["OIDC_AUTH"] = "true"
+		flags[OidcAuthFlag] = "true"
 	}
 
 	return &pb.GetFeatureFlagsResponse{

pkg/server/server_test.go

@@ -318,7 +318,7 @@ var _ = Describe("ApplicationsServer", func() {
 				fakeClientGetter := kubefakes.NewFakeClientGetter(k8s)
 				appsSrv := server.NewApplicationsServer(&cfg, server.WithClientGetter(fakeClientGetter))
 				mux = runtime.NewServeMux(middleware.WithGrpcErrorLogging(log))
-				httpHandler := middleware.WithLogging(log, mux)
+				httpHandler := middleware.WithLogging(log, mux, true)
 				err := pb.RegisterApplicationsHandlerServer(context.Background(), mux, appsSrv)
 				Expect(err).NotTo(HaveOccurred())
 
@@ -458,10 +458,6 @@ func contextWithAuth(ctx context.Context) context.Context {
 }
 
 func TestGetFeatureFlags(t *testing.T) {
-	type Data struct {
-		Flags map[string]string
-	}
-
 	tests := []struct {
 		name     string
 		envSet   func()
@@ -472,31 +468,35 @@ func TestGetFeatureFlags(t *testing.T) {
 		{
 			name: "Auth enabled",
 			envSet: func() {
-				os.Setenv("WEAVE_GITOPS_AUTH_ENABLED", "true")
+				os.Setenv(server.AuthEnabledFeatureFlag, "true")
 			},
 			envUnset: func() {
-				os.Unsetenv("WEAVE_GITOPS_AUTH_ENABLED")
+				os.Unsetenv(server.AuthEnabledFeatureFlag)
 			},
 			state: []client.Object{},
 			result: map[string]string{
-				"WEAVE_GITOPS_AUTH_ENABLED": "true",
-				"CLUSTER_USER_AUTH":         "false",
-				"OIDC_AUTH":                 "false",
+				server.AuthEnabledFeatureFlag: "true",
+				server.ClusterUserAuthFlag:    "false",
+				server.OidcAuthFlag:           "false",
+				server.TlsDisabledFeatureFlag: "",
+				server.DevModeFeatureFlag:     "",
 			},
 		},
 		{
 			name: "Auth disabled",
 			envSet: func() {
-				os.Setenv("WEAVE_GITOPS_AUTH_ENABLED", "false")
+				os.Setenv(server.AuthEnabledFeatureFlag, "false")
 			},
 			envUnset: func() {
-				os.Unsetenv("WEAVE_GITOPS_AUTH_ENABLED")
+				os.Unsetenv(server.AuthEnabledFeatureFlag)
 			},
 			state: []client.Object{},
 			result: map[string]string{
-				"WEAVE_GITOPS_AUTH_ENABLED": "false",
-				"CLUSTER_USER_AUTH":         "false",
-				"OIDC_AUTH":                 "false",
+				server.AuthEnabledFeatureFlag: "false",
+				server.ClusterUserAuthFlag:    "false",
+				server.OidcAuthFlag:           "false",
+				server.TlsDisabledFeatureFlag: "",
+				server.DevModeFeatureFlag:     "",
 			},
 		},
 		{
@@ -505,9 +505,11 @@ func TestGetFeatureFlags(t *testing.T) {
 			envUnset: func() {},
 			state:    []client.Object{},
 			result: map[string]string{
-				"WEAVE_GITOPS_AUTH_ENABLED": "",
-				"CLUSTER_USER_AUTH":         "false",
-				"OIDC_AUTH":                 "false",
+				server.AuthEnabledFeatureFlag: "",
+				server.ClusterUserAuthFlag:    "false",
+				server.OidcAuthFlag:           "false",
+				server.TlsDisabledFeatureFlag: "",
+				server.DevModeFeatureFlag:     "",
 			},
 		},
 		{
@@ -516,9 +518,11 @@ func TestGetFeatureFlags(t *testing.T) {
 			envUnset: func() {},
 			state:    []client.Object{&corev1.Secret{ObjectMeta: metav1.ObjectMeta{Namespace: "flux-system", Name: "cluster-user-auth"}}},
 			result: map[string]string{
-				"WEAVE_GITOPS_AUTH_ENABLED": "",
-				"CLUSTER_USER_AUTH":         "true",
-				"OIDC_AUTH":                 "false",
+				server.AuthEnabledFeatureFlag: "",
+				server.ClusterUserAuthFlag:    "true",
+				server.OidcAuthFlag:           "false",
+				server.TlsDisabledFeatureFlag: "",
+				server.DevModeFeatureFlag:     "",
 			},
 		},
 		{
@@ -527,9 +531,11 @@ func TestGetFeatureFlags(t *testing.T) {
 			envUnset: func() {},
 			state:    []client.Object{},
 			result: map[string]string{
-				"WEAVE_GITOPS_AUTH_ENABLED": "",
-				"CLUSTER_USER_AUTH":         "false",
-				"OIDC_AUTH":                 "false",
+				server.AuthEnabledFeatureFlag: "",
+				server.ClusterUserAuthFlag:    "false",
+				server.OidcAuthFlag:           "false",
+				server.TlsDisabledFeatureFlag: "",
+				server.DevModeFeatureFlag:     "",
 			},
 		},
 		{
@@ -538,9 +544,11 @@ func TestGetFeatureFlags(t *testing.T) {
 			envUnset: func() {},
 			state:    []client.Object{&corev1.Secret{ObjectMeta: metav1.ObjectMeta{Namespace: "flux-system", Name: "oidc-auth"}}},
 			result: map[string]string{
-				"WEAVE_GITOPS_AUTH_ENABLED": "",
-				"CLUSTER_USER_AUTH":         "false",
-				"OIDC_AUTH":                 "true",
+				server.AuthEnabledFeatureFlag: "",
+				server.ClusterUserAuthFlag:    "false",
+				server.OidcAuthFlag:           "true",
+				server.TlsDisabledFeatureFlag: "",
+				server.DevModeFeatureFlag:     "",
 			},
 		},
 		{
@@ -549,11 +557,51 @@ func TestGetFeatureFlags(t *testing.T) {
 			envUnset: func() {},
 			state:    []client.Object{},
 			result: map[string]string{
-				"WEAVE_GITOPS_AUTH_ENABLED": "",
-				"CLUSTER_USER_AUTH":         "false",
-				"OIDC_AUTH":                 "false",
+				server.AuthEnabledFeatureFlag: "",
+				server.ClusterUserAuthFlag:    "false",
+				server.OidcAuthFlag:           "false",
+				server.TlsDisabledFeatureFlag: "",
+				server.DevModeFeatureFlag:     "",
+			},
+		},
+		{
+			name: "TLS disabled",
+			envSet: func() {
+				os.Setenv(server.TlsDisabledFeatureFlag, "true")
+			},
+			envUnset: func() {
+				os.Unsetenv(server.TlsDisabledFeatureFlag)
+			},
+			state: []client.Object{},
+			result: map[string]string{
+				server.AuthEnabledFeatureFlag: "",
+				server.ClusterUserAuthFlag:    "false",
+				server.OidcAuthFlag:           "false",
+				server.TlsDisabledFeatureFlag: "true",
+				server.DevModeFeatureFlag:     "",
 			},
 		},
+		{
+			name: "dev mode enabled",
+			envSet: func() {
+				os.Setenv(server.DevModeFeatureFlag, "true")
+			},
+			envUnset: func() {
+				os.Unsetenv(server.DevModeFeatureFlag)
+			},
+			state: []client.Object{},
+			result: map[string]string{
+				server.AuthEnabledFeatureFlag: "",
+				server.ClusterUserAuthFlag:    "false",
+				server.OidcAuthFlag:           "false",
+				server.TlsDisabledFeatureFlag: "",
+				server.DevModeFeatureFlag:     "true",
+			},
+		},
+	}
+
+	type Data struct {
+		Flags map[string]string
 	}
 
 	for _, tt := range tests {
@@ -571,7 +619,7 @@ func TestGetFeatureFlags(t *testing.T) {
 			err := pb.RegisterApplicationsHandlerServer(context.Background(), mux, appSrv)
 			Expect(err).NotTo(HaveOccurred())
 
-			httpHandler := middleware.WithLogging(log, mux)
+			httpHandler := middleware.WithLogging(log, mux, true)
 
 			ts := httptest.NewServer(httpHandler)
 			defer ts.Close()