From db1054bb92eda59e50f47ea8dce05f015cc1b28b Mon Sep 17 00:00:00 2001
From: Jamie Klassen
Date: Thu, 4 Jan 2024 09:35:43 -0500
Subject: [PATCH] fix invocation of kubernetesAuthProvidersApi
Pass token provider when authenticating via openID tokens.
Signed-off-by: Jamie Klassen
---
 .changeset/six-melons-end.md | 5 +++
 .../src/api/KubernetesBackendClient.test.ts | 39 +++++++++++++++++++
 .../src/api/KubernetesBackendClient.ts | 12 +++++-
 3 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/six-melons-end.md
diff --git a/.changeset/six-melons-end.md b/.changeset/six-melons-end.md
new file mode 100644
index 0000000000..f139e49887
--- /dev/null
+++ b/.changeset/six-melons-end.md
@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-kubernetes-react': patch
+---
+
+Fixed a bug where the logs dialog and any other functionality depending on the proxy endpoint would fail for clusters configured with the OIDC auth provider.
diff --git a/plugins/kubernetes-react/src/api/KubernetesBackendClient.test.ts b/plugins/kubernetes-react/src/api/KubernetesBackendClient.test.ts
index fd999ab335..0535e404f6 100644
--- a/plugins/kubernetes-react/src/api/KubernetesBackendClient.test.ts
+++ b/plugins/kubernetes-react/src/api/KubernetesBackendClient.test.ts
@@ -448,6 +448,9 @@ describe('KubernetesBackendClient', () => {
 const response = await backendClient.proxy(request);
 await expect(response.json()).resolves.toStrictEqual(nsResponse);
+ expect(kubernetesAuthProvidersApi.getCredentials).toHaveBeenCalledWith(
+ 'oidc.okta',
+ );
 });
 it('hits the /proxy API with serviceAccount as auth provider', async () => {
@@ -495,6 +498,42 @@ describe('KubernetesBackendClient', () => {
 const response = await backendClient.proxy(request);
 await expect(response.json()).resolves.toStrictEqual(nsResponse);
+ expect(kubernetesAuthProvidersApi.getCredentials).toHaveBeenCalledWith(
+ 'serviceAccount',
+ );
+ });
+
+ it('ignores oidcTokenProvider for non-oidc auth provider', async () => {
+ worker.use(
+ rest.get(
+ 'http://localhost:1234/api/kubernetes/clusters',
+ (_, res, ctx) =>
+ res(
+ ctx.json({
+ items: [
+ {
+ name: 'cluster-a',
+ authProvider: 'not oidc',
+ oidcTokenProvider: 'should be ignored',
+ },
+ ],
+ }),
+ ),
+ ),
+ rest.get(
+ 'http://localhost:1234/api/kubernetes/proxy/api/v1/namespaces',
+ (_, res, ctx) => res(ctx.json([])),
+ ),
+ );
+
+ await backendClient.proxy({
+ clusterName: 'cluster-a',
+ path: '/api/v1/namespaces',
+ });
+
+ expect(kubernetesAuthProvidersApi.getCredentials).toHaveBeenCalledWith(
+ 'not oidc',
+ );
 });
 it('hits /proxy api when signed in as a guest', async () => {
diff --git a/plugins/kubernetes-react/src/api/KubernetesBackendClient.ts b/plugins/kubernetes-react/src/api/KubernetesBackendClient.ts
index a769eb088d..461b1d1ffe 100644
--- a/plugins/kubernetes-react/src/api/KubernetesBackendClient.ts
+++ b/plugins/kubernetes-react/src/api/KubernetesBackendClient.ts
@@ -92,8 +92,13 @@ export class KubernetesBackendClient implements KubernetesApi {
 private async getCredentials(
 authProvider: string,
+ oidcTokenProvider?: string,
 ): Promise<{ token?: string }> {
- return await this.kubernetesAuthProvidersApi.getCredentials(authProvider);
+ return await this.kubernetesAuthProvidersApi.getCredentials(
+ authProvider === 'oidc'
+ ? `${authProvider}.${oidcTokenProvider}`
+ : authProvider,
+ );
 }
 async getObjectsByEntity(
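Review bot: In the `getCredentials` hunk of KubernetesBackendClient.ts, `oidcTokenProvider` is optional but is interpolated unconditionally, so a cluster that reports `authProvider: 'oidc'` without a token provider is looked up under the literal key `oidc.undefined`. This lookup decides which credential is forwarded to the proxy endpoint, so it should fail explicitly before the call, for example `if (authProvider === 'oidc' && !oidcTokenProvider) throw new Error('cluster uses oidc auth but has no oidcTokenProvider');`. How `kubernetesAuthProvidersApi.getCredentials` treats an unregistered key is not visible here, so the current outcome for that input is at best an indirect error. The added tests cover `oidc.okta`, `serviceAccount` and a non-oidc provider with a stray `oidcTokenProvider`, but not the oidc-without-provider case; a test for it would pin the behaviour. The method is fully visible in the hunk, while the enclosing class continues outside it.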
@@ -145,7 +150,10 @@ export class KubernetesBackendClient implements KubernetesApi {
 const { authProvider, oidcTokenProvider } = await this.getCluster(
 options.clusterName,
 );
- const kubernetesCredentials = await this.getCredentials(authProvider);
+ const kubernetesCredentials = await this.getCredentials(
+ authProvider,
+ oidcTokenProvider,
+ );
 const url = `${await this.discoveryApi.getBaseUrl('kubernetes')}/proxy${
 options.path
 }`;