fix(backend): honour kubeconfig CA under Bun's native fetch (#319)

Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>

Author: surajssd

backend/src/lib/kubeconfig.test.ts

@@ -0,0 +1,197 @@
+import { describe, it, expect, beforeEach, afterEach } from 'bun:test';
+import * as k8s from '@kubernetes/client-node';
+import { kubeConfigToBunTls, BunTlsHttpLibrary, makeApiClient } from './kubeconfig';
+
+/**
+ * Regression guards for the Bun TLS shim (`kubeConfigToBunTls`,
+ * `BunTlsHttpLibrary`, `makeApiClient`). This is security-sensitive auth/TLS
+ * code: the most important assertion in this file is that the **default path
+ * never disables certificate verification** — see `does NOT set
+ * rejectUnauthorized on the default path`.
+ *
+ * Tests build real `KubeConfig` objects via `loadFromOptions` (no disk/network)
+ * rather than mocking SDK internals, so they keep working across SDK patch bumps.
+ */
+
+// PEM-shaped placeholders. `applyToHTTPSOptions` only base64-decodes the *Data
+// fields into Buffers and copies them; it does not parse/validate the contents.
+const CA_PEM = '-----BEGIN CERTIFICATE-----\nMIIBfakeCApem\n-----END CERTIFICATE-----\n';
+const CERT_PEM = '-----BEGIN CERTIFICATE-----\nMIIBfakeClientpem\n-----END CERTIFICATE-----\n';
+const KEY_PEM = '-----BEGIN PRIVATE KEY-----\nMIIBfakeKeypem\n-----END PRIVATE KEY-----\n';
+
+const b64 = (s: string) => Buffer.from(s).toString('base64');
+
+interface KcOpts {
+  skipTLSVerify?: boolean;
+  tlsServerName?: string;
+  token?: string;
+  withClientCert?: boolean;
+  caData?: string | null;
+}
+
+function makeKubeConfig(opts: KcOpts = {}): k8s.KubeConfig {
+  const kc = new k8s.KubeConfig();
+  const cluster: Record<string, unknown> = {
+    name: 'test-cluster',
+    server: 'https://api.example.test:443',
+    skipTLSVerify: !!opts.skipTLSVerify,
+  };
+  if (opts.caData !== null) cluster.caData = opts.caData ?? b64(CA_PEM);
+  if (opts.tlsServerName) cluster.tlsServerName = opts.tlsServerName;
+
+  const user: Record<string, unknown> = { name: 'test-user' };
+  if (opts.token) user.token = opts.token;
+  if (opts.withClientCert) {
+    user.certData = b64(CERT_PEM);
+    user.keyData = b64(KEY_PEM);
+  }
+
+  kc.loadFromOptions({
+    clusters: [cluster as any],
+    users: [user as any],
+    contexts: [{ name: 'test-ctx', cluster: 'test-cluster', user: 'test-user' }],
+    currentContext: 'test-ctx',
+  });
+  return kc;
+}
+
+describe('kubeConfigToBunTls', () => {
+  it('maps ca/cert/key into the Bun tls option', async () => {
+    const tls = await kubeConfigToBunTls(makeKubeConfig({ withClientCert: true }));
+    expect(tls).toBeDefined();
+    expect(Buffer.isBuffer(tls!.ca)).toBe(true);
+    expect(Buffer.isBuffer(tls!.cert)).toBe(true);
+    expect(Buffer.isBuffer(tls!.key)).toBe(true);
+    expect(tls!.ca!.toString()).toBe(CA_PEM);
+  });
+
+  it('maps the kubeconfig SNI (servername) to Bun camelCase serverName', async () => {
+    const tls = await kubeConfigToBunTls(makeKubeConfig({ token: 'tok', tlsServerName: 'sni.override.test' }));
+    expect(tls).toBeDefined();
+    expect(tls!.serverName).toBe('sni.override.test');
+  });
+
+  it('does NOT set serverName when the kubeconfig has no tls-server-name', async () => {
+    const tls = await kubeConfigToBunTls(makeKubeConfig({ token: 'tok' }));
+    // ca is still present, so tls is defined; serverName must be absent.
+    expect(tls).toBeDefined();
+    expect(tls!.serverName).toBeUndefined();
+  });
+
+  it('sets rejectUnauthorized=false when skipTLSVerify is true', async () => {
+    const tls = await kubeConfigToBunTls(makeKubeConfig({ token: 'tok', skipTLSVerify: true }));
+    expect(tls).toBeDefined();
+    expect(tls!.rejectUnauthorized).toBe(false);
+  });
+
+  // *** KEY SECURITY REGRESSION GUARD ***
+  it('does NOT set rejectUnauthorized on the default (verifying) path', async () => {
+    const tls = await kubeConfigToBunTls(makeKubeConfig({ token: 'tok' }));
+    expect(tls).toBeDefined();
+    // Must be absent (not `true`, not `false`) so Bun keeps verification ON.
+    expect(tls!.rejectUnauthorized).toBeUndefined();
+    expect(Object.prototype.hasOwnProperty.call(tls!, 'rejectUnauthorized')).toBe(false);
+  });
+
+  it('returns undefined when the kubeconfig configures no TLS material', async () => {
+    // No CA, no client cert, token auth, verification left on → nothing to map.
+    const tls = await kubeConfigToBunTls(makeKubeConfig({ token: 'tok', caData: null }));
+    expect(tls).toBeUndefined();
+  });
+});
+
+describe('BunTlsHttpLibrary.send', () => {
+  const realFetch = globalThis.fetch;
+  let calls: Array<{ url: string; options: any }>;
+
+  beforeEach(() => {
+    calls = [];
+  });
+  afterEach(() => {
+    globalThis.fetch = realFetch;
+  });
+
+  function stubFetch(status = 200, body = '{"ok":true}') {
+    globalThis.fetch = (async (url: any, options: any) => {
+      calls.push({ url: String(url), options });
+      return new Response(body, { status, headers: { 'content-type': 'application/json' } });
+    }) as typeof fetch;
+  }
+
+  function makeRequest(): k8s.RequestContext {
+    const req = new k8s.RequestContext('https://api.example.test:443/healthz', k8s.HttpMethod.GET);
+    // Mirror how the generated client applies auth before send() runs.
+    req.setHeaderParam('Authorization', 'Bearer test-token-123');
+    return req;
+  }
+
+  it('passes the mapped tls material to fetch', async () => {
+    stubFetch();
+    const lib = new BunTlsHttpLibrary(makeKubeConfig({ withClientCert: true, tlsServerName: 'sni.test' }));
+    await lib.send(makeRequest()).toPromise();
+
+    expect(calls).toHaveLength(1);
+    const tls = calls[0].options.tls;
+    expect(tls).toBeDefined();
+    expect(Buffer.isBuffer(tls.ca)).toBe(true);
+    expect(tls.serverName).toBe('sni.test');
+  });
+
+  it('preserves the Authorization header applied upstream (auth survives the override)', async () => {
+    stubFetch();
+    const lib = new BunTlsHttpLibrary(makeKubeConfig({ token: 'ignored' }));
+    await lib.send(makeRequest()).toPromise();
+
+    const headers = new Headers(calls[0].options.headers);
+    expect(headers.get('Authorization')).toBe('Bearer test-token-123');
+  });
+
+  it('omits tls entirely when the kubeconfig configures none', async () => {
+    stubFetch();
+    const lib = new BunTlsHttpLibrary(makeKubeConfig({ token: 'tok', caData: null }));
+    await lib.send(makeRequest()).toPromise();
+    expect(calls[0].options.tls).toBeUndefined();
+  });
+
+  it('returns a ResponseContext (not a thrown error) for a non-2xx response', async () => {
+    stubFetch(404, '{"kind":"Status","code":404}');
+    const lib = new BunTlsHttpLibrary(makeKubeConfig({ token: 'tok' }));
+    const res = await lib.send(makeRequest()).toPromise();
+
+    expect(res).toBeInstanceOf(k8s.ResponseContext);
+    expect(res.httpStatusCode).toBe(404);
+    expect(await res.body.text()).toContain('Status');
+  });
+
+  it('resolves the kubeconfig TLS material only once across multiple requests', async () => {
+    stubFetch();
+    const kc = makeKubeConfig({ withClientCert: true });
+    let applyCount = 0;
+    const orig = kc.applyToHTTPSOptions.bind(kc);
+    kc.applyToHTTPSOptions = (async (opts: any) => {
+      applyCount += 1;
+      return orig(opts);
+    }) as typeof kc.applyToHTTPSOptions;
+
+    const lib = new BunTlsHttpLibrary(kc);
+    await lib.send(makeRequest()).toPromise();
+    await lib.send(makeRequest()).toPromise();
+    await lib.send(makeRequest()).toPromise();
+
+    // Cached after the first call — guards against re-running the auth/cert
+    // pipeline (e.g. exec credential plugins) on every request.
+    expect(applyCount).toBe(1);
+  });
+});
+
+describe('makeApiClient', () => {
+  it('builds a typed API client wired to the Bun TLS http library', () => {
+    const api = makeApiClient(makeKubeConfig({ token: 'tok' }), k8s.CoreV1Api);
+    expect(api).toBeInstanceOf(k8s.CoreV1Api);
+  });
+
+  it('throws when the kubeconfig has no active cluster', () => {
+    const kc = new k8s.KubeConfig();
+    expect(() => makeApiClient(kc, k8s.CoreV1Api)).toThrow('No active cluster!');
+  });
+});

backend/src/lib/kubeconfig.ts

@@ -33,3 +33,196 @@ export function loadKubeConfig(): k8s.KubeConfig {
 
   return kc;
 }
+
+/**
+ * TLS material in the shape Bun's native `fetch` understands via its
+ * non-standard per-request `tls` option (see Bun's `TLSOptions`).
+ *
+ * Field names follow Bun, not Node: in particular SNI is `serverName`
+ * (camelCase), whereas the kubeconfig/Node side spells it `servername`.
+ */
+export interface BunTlsOptions {
+  ca?: Buffer;
+  cert?: Buffer;
+  key?: Buffer;
+  passphrase?: string;
+  serverName?: string;
+  rejectUnauthorized?: boolean;
+}
+
+/**
+ * Translate a `KubeConfig`'s TLS material into Bun's `fetch` `tls` option.
+ *
+ * This is the **single source of truth** for kubeconfig → Bun TLS mapping. Both
+ * {@link BunTlsHttpLibrary} (typed-API clients) and `proxyServiceRequest`
+ * (raw service-proxy `fetch`) must call it, so the two paths cannot drift —
+ * e.g. one gaining SNI support while the other silently misses it.
+ *
+ * It asks the SDK for the same `https.Agent` options its Node path would use
+ * (`applyToHTTPSOptions`, verified against `@kubernetes/client-node@1.4.0`
+ * `config.js`), then re-maps the subset Bun honours:
+ *   - `ca`/`cert`/`key`            — CA bundle + client cert/key
+ *   - `passphrase`                 — passphrase for an encrypted client key
+ *   - `servername` → `serverName`  — SNI / hostname-verification override
+ *                                    (`cluster.tls-server-name`)
+ *   - `rejectUnauthorized:false`   — only when `skipTLSVerify` (or the SDK)
+ *                                    explicitly disabled verification; the
+ *                                    default path leaves it unset so Bun keeps
+ *                                    verification ON.
+ *
+ * KNOWN LIMITATIONS (kubeconfig features the SDK's Node agent supports but
+ * Bun's `fetch` cannot express, so they are intentionally dropped here):
+ *   - `pfx` (PKCS#12 client certs) — Bun's `TLSOptions` has no `pfx` field.
+ *     PEM `cert`/`key` work; `.pfx`-based auth does not under Bun.
+ *   - `cluster.proxy-url`          — Bun has no per-request proxy-agent option;
+ *     kubeconfig-configured HTTP/SOCKS proxies are not honoured.
+ *
+ * @returns the mapped options, or `undefined` if the kubeconfig configured no
+ *          TLS material at all (so callers can omit `tls` entirely).
+ */
+export async function kubeConfigToBunTls(kc: k8s.KubeConfig): Promise<BunTlsOptions | undefined> {
+  // Ask the SDK for the Node `https.Agent` options it would build, then re-map
+  // the subset Bun honours. `servername`/`pfx`/`passphrase` are populated by
+  // the SDK even though our narrowed type only names what we forward.
+  const httpsOptions: {
+    ca?: Buffer;
+    cert?: Buffer;
+    key?: Buffer;
+    passphrase?: string;
+    servername?: string;
+    rejectUnauthorized?: boolean;
+  } = {};
+  await kc.applyToHTTPSOptions(httpsOptions as any);
+
+  const tls: BunTlsOptions = {};
+  if (httpsOptions.ca) tls.ca = httpsOptions.ca;
+  if (httpsOptions.cert) tls.cert = httpsOptions.cert;
+  if (httpsOptions.key) tls.key = httpsOptions.key;
+  if (httpsOptions.passphrase) tls.passphrase = httpsOptions.passphrase;
+  // Node spells SNI `servername`; Bun's `tls` option spells it `serverName`.
+  if (httpsOptions.servername) tls.serverName = httpsOptions.servername;
+  if (kc.getCurrentCluster()?.skipTLSVerify || httpsOptions.rejectUnauthorized === false) {
+    tls.rejectUnauthorized = false;
+  }
+
+  return Object.keys(tls).length > 0 ? tls : undefined;
+}
+
+/**
+ * Bun-compatible HTTP library for `@kubernetes/client-node`.
+ *
+ * WHY THIS EXISTS:
+ * The client's default `IsomorphicFetchHttpLibrary` imports `node-fetch` and
+ * passes the kubeconfig CA (and client cert/key) as a Node.js `https.Agent`
+ * (`request.getAgent()`). Bun's runtime resolves `node-fetch` to its native
+ * `fetch`, which **ignores** the Node `https.Agent` entirely — it only honours
+ * TLS material supplied via the per-request `tls` option. The CA therefore never
+ * reaches the TLS stack, so every request to a cluster whose API server uses a
+ * private CA (e.g. AKS) fails with `UNABLE_TO_VERIFY_LEAF_SIGNATURE`.
+ *
+ * This subclass overrides `send()` to call Bun's native `fetch` directly,
+ * translating the kubeconfig's TLS material (via {@link kubeConfigToBunTls})
+ * into the `tls` option Bun understands. Auth headers (Bearer tokens, etc.) are
+ * still applied by the generated client via `authMethods` before `send()` runs,
+ * so we only need to re-inject the TLS material here. It shares the exact same
+ * mapping helper as `proxyServiceRequest` in `kubernetes.ts`.
+ *
+ * The TLS material is resolved **once** and cached: `applyToHTTPSOptions` re-runs
+ * the kubeconfig's full option pipeline (re-reading cert files from disk and, for
+ * exec/OIDC users, re-invoking the auth plugin). Doing that per request would run
+ * exec credentials twice on every call — once here and once in the auth pipeline
+ * the generated client already applied. A KubeConfig's TLS material is fixed for
+ * the lifetime of a client, so caching is safe; auth headers are unaffected
+ * because they are applied upstream per request, not here.
+ *
+ * The response is wrapped exactly as the upstream library does: an `Observable`
+ * constructed from a `Promise<ResponseContext>` (see `rxjsStub`), with a
+ * `ResponseBody` exposing `text()` and `binary()`.
+ */
+export class BunTlsHttpLibrary extends k8s.IsomorphicFetchHttpLibrary {
+  private tlsPromise?: Promise<BunTlsOptions | undefined>;
+
+  constructor(private readonly kc: k8s.KubeConfig) {
+    super();
+  }
+
+  /** Resolve the kubeconfig's Bun `tls` material once and memoise it. */
+  private getTls(): Promise<BunTlsOptions | undefined> {
+    if (!this.tlsPromise) {
+      this.tlsPromise = kubeConfigToBunTls(this.kc);
+    }
+    return this.tlsPromise;
+  }
+
+  send(request: k8s.RequestContext): k8s.Observable<k8s.ResponseContext> {
+    const responsePromise = (async (): Promise<k8s.ResponseContext> => {
+      const tls = await this.getTls();
+
+      // NOTE: the generated API classes used by this backend send only JSON or
+      // empty bodies. The SDK's Node path can produce `form-data` multipart
+      // bodies (e.g. some file-upload endpoints) which would NOT serialise under
+      // Bun's `fetch`; if a future caller hits such an endpoint, body handling
+      // here must be revisited.
+      const fetchOptions: RequestInit & { tls?: BunTlsOptions } = {
+        method: request.getHttpMethod().toString(),
+        body: request.getBody() as BodyInit | undefined,
+        headers: request.getHeaders(),
+        signal: request.getSignal(),
+      };
+      if (tls) {
+        fetchOptions.tls = tls;
+      }
+
+      const response = await fetch(request.getUrl(), fetchOptions);
+
+      const headers: Record<string, string> = {};
+      response.headers.forEach((value, name) => {
+        headers[name] = value;
+      });
+
+      return new k8s.ResponseContext(response.status, headers, {
+        text: () => response.text(),
+        binary: async () => Buffer.from(await response.arrayBuffer()),
+      });
+    })();
+
+    return new k8s.Observable<k8s.ResponseContext>(responsePromise);
+  }
+}
+
+/**
+ * Build a Kubernetes API client that works under Bun.
+ *
+ * Drop-in replacement for `kc.makeApiClient(ApiClass)`. It reproduces the SDK's
+ * own `makeApiClient` wiring (`createConfiguration` with the kubeconfig as the
+ * `default` auth method and a `ServerConfiguration` for the current cluster) but
+ * swaps in {@link BunTlsHttpLibrary} so the kubeconfig CA is honoured on Bun's
+ * native `fetch`.
+ *
+ * All backend services must construct their clients through this helper rather
+ * than calling `kc.makeApiClient(...)` directly; otherwise requests to clusters
+ * with a private CA fail with `UNABLE_TO_VERIFY_LEAF_SIGNATURE` under Bun.
+ *
+ * NOTE (SDK coupling): this hand-reproduces the SDK's own `makeApiClient` wiring
+ * (`createConfiguration` + `ServerConfiguration`) and subclasses
+ * `IsomorphicFetchHttpLibrary`. Verified against `@kubernetes/client-node@1.4.0`.
+ * These are generated/internal surfaces — re-check this wiring (and the
+ * `kubeConfigToBunTls` field mapping) when bumping the SDK across a major version.
+ */
+export function makeApiClient<T extends k8s.ApiType>(
+  kc: k8s.KubeConfig,
+  apiClientType: k8s.ApiConstructor<T>
+): T {
+  const cluster = kc.getCurrentCluster();
+  if (!cluster) {
+    throw new Error('No active cluster!');
+  }
+
+  const configuration = k8s.createConfiguration({
+    baseServer: new k8s.ServerConfiguration(cluster.server, {}),
+    authMethods: { default: kc },
+    httpApi: new BunTlsHttpLibrary(kc),
+  });
+
+  return new apiClientType(configuration);
+}