fix(backend): honour kubeconfig CA under Bun's native fetch

surajssd · surajssd · commit ca8f403903fc · 2026-06-05T10:49:14.000-07:00
- Add `BunTlsHttpLibrary` and a `makeApiClient` helper in
  `kubeconfig.ts`. The SDK's default `IsomorphicFetchHttpLibrary`
  passes the kubeconfig CA via a Node.js `https.Agent`, which Bun's
  native `fetch` ignores — it only honours TLS material on the
  per-request `tls` option. This caused
  `UNABLE_TO_VERIFY_LEAF_SIGNATURE` on every request to clusters with
  a private CA (e.g. AKS). The subclass re-injects
  `ca`/`cert`/`key`/`rejectUnauthorized` via `tls`; auth headers are
  still applied upstream via `authMethods`.

- Route all client construction in `kubernetes.ts`, `auth.ts`,
  `autoscaler.ts`, `config.ts`, `registry.ts`, and `secrets.ts`
  through `makeApiClient(...)` instead of `kc.makeApiClient(...)`,
  making the helper the single source of truth for Bun-safe TLS.

Signed-off-by: Suraj Deshmukh &lt;suraj.deshmukh@microsoft.com&gt;
diff --git a/backend/src/lib/kubeconfig.ts b/backend/src/lib/kubeconfig.ts
@@ -33,3 +33,110 @@ export function loadKubeConfig(): k8s.KubeConfig {
 
   return kc;
 }
+
+/**
+ * Bun-compatible HTTP library for `@kubernetes/client-node`.
+ *
+ * WHY THIS EXISTS:
+ * The client's default `IsomorphicFetchHttpLibrary` imports `node-fetch` and
+ * passes the kubeconfig CA (and client cert/key) as a Node.js `https.Agent`
+ * (`request.getAgent()`). Bun's runtime resolves `node-fetch` to its native
+ * `fetch`, which **ignores** the Node `https.Agent` entirely — it only honours
+ * TLS material supplied via the per-request `tls` option. The CA therefore never
+ * reaches the TLS stack, so every request to a cluster whose API server uses a
+ * private CA (e.g. AKS) fails with `UNABLE_TO_VERIFY_LEAF_SIGNATURE`.
+ *
+ * This subclass overrides `send()` to call Bun's native `fetch` directly,
+ * translating the kubeconfig's TLS material into the `tls` option Bun
+ * understands. Auth headers (Bearer tokens, etc.) are still applied by the
+ * generated client via `authMethods` before `send()` runs, so we only need to
+ * re-inject the TLS material here. It mirrors the working pattern already used
+ * by `proxyServiceRequest` in `kubernetes.ts`.
+ *
+ * The response is wrapped exactly as the upstream library does: an `Observable`
+ * constructed from a `Promise<ResponseContext>` (see `rxjsStub`), with a
+ * `ResponseBody` exposing `text()` and `binary()`.
+ */
+export class BunTlsHttpLibrary extends k8s.IsomorphicFetchHttpLibrary {
+  constructor(private readonly kc: k8s.KubeConfig) {
+    super();
+  }
+
+  send(request: k8s.RequestContext): k8s.Observable<k8s.ResponseContext> {
+    const responsePromise = (async (): Promise<k8s.ResponseContext> => {
+      // Extract TLS material (CA, client cert/key, verification mode) from the
+      // kubeconfig the same way the SDK's Node path would, then hand it to Bun
+      // via the `tls` option instead of a Node https.Agent.
+      const httpsOptions: {
+        ca?: Buffer;
+        cert?: Buffer;
+        key?: Buffer;
+        rejectUnauthorized?: boolean;
+      } = {};
+      await this.kc.applyToHTTPSOptions(httpsOptions as any);
+
+      const tls: Record<string, unknown> = {};
+      if (httpsOptions.ca) tls.ca = httpsOptions.ca;
+      if (httpsOptions.cert) tls.cert = httpsOptions.cert;
+      if (httpsOptions.key) tls.key = httpsOptions.key;
+      if (this.kc.getCurrentCluster()?.skipTLSVerify || httpsOptions.rejectUnauthorized === false) {
+        tls.rejectUnauthorized = false;
+      }
+
+      const fetchOptions: RequestInit & { tls?: Record<string, unknown> } = {
+        method: request.getHttpMethod().toString(),
+        body: request.getBody() as BodyInit | undefined,
+        headers: request.getHeaders(),
+        signal: request.getSignal(),
+      };
+      if (Object.keys(tls).length > 0) {
+        fetchOptions.tls = tls;
+      }
+
+      const response = await fetch(request.getUrl(), fetchOptions);
+
+      const headers: Record<string, string> = {};
+      response.headers.forEach((value, name) => {
+        headers[name] = value;
+      });
+
+      return new k8s.ResponseContext(response.status, headers, {
+        text: () => response.text(),
+        binary: async () => Buffer.from(await response.arrayBuffer()),
+      });
+    })();
+
+    return new k8s.Observable<k8s.ResponseContext>(responsePromise);
+  }
+}
+
+/**
+ * Build a Kubernetes API client that works under Bun.
+ *
+ * Drop-in replacement for `kc.makeApiClient(ApiClass)`. It reproduces the SDK's
+ * own `makeApiClient` wiring (`createConfiguration` with the kubeconfig as the
+ * `default` auth method and a `ServerConfiguration` for the current cluster) but
+ * swaps in {@link BunTlsHttpLibrary} so the kubeconfig CA is honoured on Bun's
+ * native `fetch`.
+ *
+ * All backend services must construct their clients through this helper rather
+ * than calling `kc.makeApiClient(...)` directly; otherwise requests to clusters
+ * with a private CA fail with `UNABLE_TO_VERIFY_LEAF_SIGNATURE` under Bun.
+ */
+export function makeApiClient<T extends k8s.ApiType>(
+  kc: k8s.KubeConfig,
+  apiClientType: k8s.ApiConstructor<T>
+): T {
+  const cluster = kc.getCurrentCluster();
+  if (!cluster) {
+    throw new Error('No active cluster!');
+  }
+
+  const configuration = k8s.createConfiguration({
+    baseServer: new k8s.ServerConfiguration(cluster.server, {}),
+    authMethods: { default: kc },
+    httpApi: new BunTlsHttpLibrary(kc),
+  });
+
+  return new apiClientType(configuration);
+}
diff --git a/backend/src/services/auth.ts b/backend/src/services/auth.ts
@@ -2,7 +2,7 @@ import * as k8s from '@kubernetes/client-node';
 import * as os from 'os';
 import * as path from 'path';
 import * as fs from 'fs';
-import { loadKubeConfig } from '../lib/kubeconfig';
+import { loadKubeConfig, makeApiClient } from '../lib/kubeconfig';
 import logger from '../lib/logger';
 
 /**
@@ -46,7 +46,7 @@ class AuthService {
 
   constructor() {
     this.kc = loadKubeConfig();
-    this.authApi = this.kc.makeApiClient(k8s.AuthenticationV1Api);
+    this.authApi = makeApiClient(this.kc, k8s.AuthenticationV1Api);
   }
 
   /**
diff --git a/backend/src/services/autoscaler.ts b/backend/src/services/autoscaler.ts
@@ -1,7 +1,7 @@
 import * as k8s from '@kubernetes/client-node';
 import type { AutoscalerDetectionResult, AutoscalerStatusInfo } from '@airunway/shared';
 import { withRetry } from '../lib/retry';
-import { loadKubeConfig } from '../lib/kubeconfig';
+import { loadKubeConfig, makeApiClient } from '../lib/kubeconfig';
 import logger from '../lib/logger';
 import * as yaml from 'js-yaml';
 
@@ -13,9 +13,9 @@ class AutoscalerService {
 
   constructor() {
     this.kc = loadKubeConfig();
-    this.coreV1Api = this.kc.makeApiClient(k8s.CoreV1Api);
-    this.appsV1Api = this.kc.makeApiClient(k8s.AppsV1Api);
-    this.customObjectsApi = this.kc.makeApiClient(k8s.CustomObjectsApi);
+    this.coreV1Api = makeApiClient(this.kc, k8s.CoreV1Api);
+    this.appsV1Api = makeApiClient(this.kc, k8s.AppsV1Api);
+    this.customObjectsApi = makeApiClient(this.kc, k8s.CustomObjectsApi);
   }
 
   /**
diff --git a/backend/src/services/config.ts b/backend/src/services/config.ts
@@ -1,5 +1,5 @@
 import * as k8s from '@kubernetes/client-node';
-import { loadKubeConfig } from '../lib/kubeconfig';
+import { loadKubeConfig, makeApiClient } from '../lib/kubeconfig';
 import logger from '../lib/logger';
 
 // Default namespace for AI Runway deployments
@@ -28,7 +28,7 @@ class ConfigService {
 
   constructor() {
     this.kc = loadKubeConfig();
-    this.coreV1Api = this.kc.makeApiClient(k8s.CoreV1Api);
+    this.coreV1Api = makeApiClient(this.kc, k8s.CoreV1Api);
   }
 
   /**
diff --git a/backend/src/services/kubernetes.ts b/backend/src/services/kubernetes.ts
@@ -3,7 +3,7 @@ import { configService } from './config';
 import type { DeploymentStatus, PodStatus, ClusterStatus, PodPhase, DeploymentConfig, RuntimeStatus, ModelDeployment, GatewayInfo, GatewayModelInfo, GatewayCRDStatus } from '@airunway/shared';
 import { toModelDeploymentManifest, toDeploymentStatus, INFERENCE_GATEWAY_LABEL } from '@airunway/shared';
 import { withRetry } from '../lib/retry';
-import { loadKubeConfig } from '../lib/kubeconfig';
+import { loadKubeConfig, makeApiClient } from '../lib/kubeconfig';
 import logger from '../lib/logger';
 import { aggregateRequiresCRDFromCapabilities, getAnnotatedProviderDisplayName, getProviderDisplayName, providerRequiresRuntimeCRD } from '../lib/providers';
 
@@ -221,9 +221,9 @@ class KubernetesService {
 
   constructor() {
     this.kc = loadKubeConfig();
-    this.customObjectsApi = this.kc.makeApiClient(k8s.CustomObjectsApi);
-    this.coreV1Api = this.kc.makeApiClient(k8s.CoreV1Api);
-    this.apiExtensionsApi = this.kc.makeApiClient(k8s.ApiextensionsV1Api);
+    this.customObjectsApi = makeApiClient(this.kc, k8s.CustomObjectsApi);
+    this.coreV1Api = makeApiClient(this.kc, k8s.CoreV1Api);
+    this.apiExtensionsApi = makeApiClient(this.kc, k8s.ApiextensionsV1Api);
     this.defaultNamespace = process.env.DEFAULT_NAMESPACE || 'airunway-system';
   }
 
@@ -242,7 +242,7 @@ class KubernetesService {
     if (!userToken) {
       return this.customObjectsApi;
     }
-    return this.createUserKubeConfig(userToken).makeApiClient(k8s.CustomObjectsApi);
+    return makeApiClient(this.createUserKubeConfig(userToken), k8s.CustomObjectsApi);
   }
 
   /**
@@ -252,7 +252,7 @@ class KubernetesService {
     if (!userToken) {
       return this.coreV1Api;
     }
-    return this.createUserKubeConfig(userToken).makeApiClient(k8s.CoreV1Api);
+    return makeApiClient(this.createUserKubeConfig(userToken), k8s.CoreV1Api);
   }
 
   /**
@@ -261,7 +261,7 @@ class KubernetesService {
   private createUserClients(userToken: string) {
     const userKc = this.createUserKubeConfig(userToken);
     return {
-      authorizationV1Api: userKc.makeApiClient(k8s.AuthorizationV1Api),
+      authorizationV1Api: makeApiClient(userKc, k8s.AuthorizationV1Api),
     };
   }
 
diff --git a/backend/src/services/registry.ts b/backend/src/services/registry.ts
@@ -1,5 +1,5 @@
 import * as k8s from '@kubernetes/client-node';
-import { loadKubeConfig } from '../lib/kubeconfig';
+import { loadKubeConfig, makeApiClient } from '../lib/kubeconfig';
 import logger from '../lib/logger';
 import { withRetry } from '../lib/retry';
 
@@ -37,8 +37,8 @@ class RegistryService {
 
   constructor() {
     this.kc = loadKubeConfig();
-    this.coreV1Api = this.kc.makeApiClient(k8s.CoreV1Api);
-    this.appsV1Api = this.kc.makeApiClient(k8s.AppsV1Api);
+    this.coreV1Api = makeApiClient(this.kc, k8s.CoreV1Api);
+    this.appsV1Api = makeApiClient(this.kc, k8s.AppsV1Api);
   }
 
   /**
diff --git a/backend/src/services/secrets.ts b/backend/src/services/secrets.ts
@@ -1,5 +1,5 @@
 import * as k8s from '@kubernetes/client-node';
-import { loadKubeConfig } from '../lib/kubeconfig';
+import { loadKubeConfig, makeApiClient } from '../lib/kubeconfig';
 import logger from '../lib/logger';
 import { withRetry } from '../lib/retry';
 import type { HfSecretStatus, HfUserInfo } from '@airunway/shared';
@@ -31,7 +31,7 @@ class SecretsService {
 
   constructor() {
     this.kc = loadKubeConfig();
-    this.coreV1Api = this.kc.makeApiClient(k8s.CoreV1Api);
+    this.coreV1Api = makeApiClient(this.kc, k8s.CoreV1Api);
   }
 
   /**
