Refactor Kubernetes Client Factory and Introduce Red Hat Extensions

- Added a new function `NewKubernetesClientFactory` to handle client creation based on authentication method.
- Introduced a new markdown file for documenting BFF handler extensions for downstream builds.
- Implemented handler overrides for Model Registry Settings to support Red Hat-specific behavior.
- Created a new repository for Model Registry Settings with Kubernetes integration.
- Added methods for CRUD operations on Model Registry settings, including handling database secrets.
- Implemented conversion functions for unstructured Kubernetes objects to strongly typed models.
- Ensured that all new functionality adheres to existing interfaces and maintains backward compatibility.

feat: adapt the code to upstream

Signed-off-by: lucferbux <[email protected]>

Author: ederign

clients/ui/bff/.vscode/launch.json

@@ -9,7 +9,7 @@
       "program": "${workspaceFolder}/bin/bff",
       "args": [
         "--port=4000",
-        "--auth-method=internal",
+        "--auth-method=user_token",
         "--auth-token-header=Authorization",
         "--auth-token-prefix=Bearer",
         "--static-assets-dir=./static",
@@ -30,7 +30,7 @@
       "program": "${workspaceFolder}/bin/bff",
       "args": [
         "--port=4000",
-        "--auth-method=internal",
+        "--auth-method=user_token",
         "--auth-token-header=Authorization",
         "--auth-token-prefix=Bearer",
         "--static-assets-dir=./static",
@@ -51,13 +51,34 @@
       "program": "${workspaceFolder}/bin/bff",
       "args": [
         "--port=4000",
-        "--auth-method=internal",
+        "--auth-method=user_token",
         "--auth-token-header=Authorization",
         "--auth-token-prefix=Bearer",
         "--static-assets-dir=./static",
         "--mock-k8s-client=false",
         "--mock-mr-client=false",
-        "--dev-mode=false",
+        "--dev-mode=true",
+        "--dev-mode-port=8080",
+        "--standalone-mode=true",
+        "--log-level=info" 
+      ],
+      "preLaunchTask": "make build debug"
+    },
+    {
+      "name": "XFW Debug BFF (MOCK_K8S_CLIENT=false, MOCK_MR_CLIENT=false)",
+      "type": "go",
+      "request": "launch",
+      "mode": "exec",
+      "program": "${workspaceFolder}/bin/bff",
+      "args": [
+        "--port=4000",
+        "--auth-method=user_token_red_hat",
+        "--auth-token-header=X-Forwarded-Access-Token",
+        "--auth-token-prefix=",
+        "--static-assets-dir=./static",
+        "--mock-k8s-client=false",
+        "--mock-mr-client=false",
+        "--dev-mode=true",
         "--dev-mode-port=8080",
         "--standalone-mode=true",
         "--log-level=info" 

clients/ui/bff/docs/extensions.md

@@ -0,0 +1,83 @@
+# BFF handler extensions
+
+Some downstream builds (for example, the RHOAI dashboard) need to add behavior that does not belong upstream yet. Instead of maintaining long-lived forks, the BFF now exposes a simple extension registry so downstream code can override individual handlers while reusing the rest of the stack.
+
+## Core concepts
+
+- **Handler IDs** – Each overridable endpoint exposes a stable `HandlerID` constant (see `internal/api/extensions.go`). Model Registry Settings routes are wired first.
+- **Factories** – Downstream packages call `api.RegisterHandlerOverride(id, factory)` inside `init()`. Factories receive the `*api.App` plus the default handler builder, so you can either replace the handler entirely or fall back to upstream logic.
+- **Dependencies** – The `App` exposes read-only accessors for configuration, repositories, and the Kubernetes client factory. It also exposes helper methods such as `BadRequest`, `ServerError`, and `WriteJSON` so overrides can follow the same conventions as upstream handlers.
+
+## Ownership boundaries
+
+- **Upstream-only artifacts** live under `internal/api`, `internal/repositories`, and the default handler tree. These packages must remain vendor-neutral and keep their existing contracts intact so downstream imports keep compiling.
+- **Downstream-only artifacts** live under `clients/ui/bff/internal/<override-folder>` (and sibling vendor folders, if they are ever added). Any logic that assumes Red Hat credentials, namespaces, or controllers must stay here so other distributions do not pick it up accidentally.
+- **Shared interfaces** (for example repository interfaces or the handler override registry itself) stay upstream. Only implementers that are specific to a vendor move downstream.
+
+Use this rule of thumb: if a change requires Red Hat-only RBAC, Kubernetes resources, or APIs that are invisible to open-source users, keep it downstream. Everything else should be proposed upstream.
+
+## Minimal example
+
+```go
+package handlers
+
+import (
+    "fmt"
+    "net/http"
+
+    "github.com/julienschmidt/httprouter"
+
+    "github.com/kubeflow/model-registry/ui/bff/internal/api"
+    "github.com/kubeflow/model-registry/ui/bff/internal/constants"
+)
+
+const (
+    modelRegistrySettingsListHandlerID = api.HandlerID("modelRegistrySettings:list")
+)
+
+func init() {
+    api.RegisterHandlerOverride(modelRegistrySettingsListHandlerID, overrideModelRegistrySettingsList)
+}
+
+func overrideModelRegistrySettingsList(app *api.App, _ func() httprouter.Handle) httprouter.Handle {
+    return app.AttachNamespace(func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+        namespace, ok := r.Context().Value(constants.NamespaceHeaderParameterKey).(string)
+        if !ok || namespace == "" {
+            app.BadRequest(w, r, fmt.Errorf("missing namespace"))
+            return
+        }
+
+        client, err := app.KubernetesClientFactory().GetClient(r.Context())
+        if err != nil {
+            app.ServerError(w, r, fmt.Errorf("failed to build client: %w", err))
+            return
+        }
+
+        // Use the client to fetch data from Kubernetes and build the response.
+        // Downstream repositories live in internal/<override-repository>/repositories.
+        _ = client // placeholder for actual implementation
+
+        resp := api.ModelRegistrySettingsListEnvelope{Data: nil}
+        if err := app.WriteJSON(w, http.StatusOK, resp, nil); err != nil {
+            app.ServerError(w, r, err)
+        }
+    })
+}
+```
+
+Package registration is purely compile-time: add a blank import in `clients/ui/bff/cmd/main.go` for the downstream handlers package. When the package is imported, overrides registered in `init()` are automatically active—no configuration flags required. The `buildDefault` parameter is available if an override needs to delegate to upstream logic conditionally.
+
+## Managing downstream overrides
+
+- **Structure** – Place handler factories below `clients/ui/bff/internal/<override-folder>/handlers`, and keep any repository or helper implementations under `clients/ui/bff/internal/<override-folder>/repositories`. This mirrors the upstream layout so the APIs remain familiar.
+- **Activation** – Overrides are active whenever their package is imported. Use a blank import (e.g., `_ "github.com/.../internal/<override-folder>/handlers"`) in the main entry point to enable them. No configuration flags are needed.
+- **Conditional delegation** – If an override needs to fall back to upstream logic under certain conditions, call `buildDefault()`. Otherwise, the downstream handler runs unconditionally.
+- **Shared clients** – Build Kubernetes or database clients via `app.KubernetesClientFactory()` or other upstream factories. Never duplicate client configuration downstream; add capabilities to the upstream factory instead when needed.
+- **Testing** – Keep unit and integration tests downstream next to the overrides. Use the upstream interfaces to mock dependencies the same way default handlers do.
+
+## Change workflow
+
+1. **Add the handler ID upstream** – introduce a new `HandlerID` constant and wrap the router registration with `app.handlerWithOverride`. Document the ID in this file under *Current coverage*.
+2. **Introduce downstream logic** – implement handler factories (and any supporting repositories) under `clients/ui/bff/internal/<override-folder>`. Register them in the package `init()` by calling `api.RegisterHandlerOverride`.
+3. **Wire repositories** – if the downstream handler needs bespoke storage logic, implement a downstream repository that satisfies the upstream interface and expose it via `app.Repositories()` overrides.
+4. **Document and test** – update this guide when extending coverage, and add downstream tests to catch regressions before shipping.

clients/ui/bff/internal/api/extensions.go

@@ -0,0 +1,58 @@
+package api
+
+import (
+	"log/slog"
+	"sync"
+
+	"github.com/julienschmidt/httprouter"
+)
+
+// HandlerID identifies an overridable HTTP handler.
+// TODO(upstream): Keep this type exported so downstream code can reference arbitrary handler keys without
+// requiring upstream to enumerate them.
+type HandlerID string
+
+// HandlerFactory builds a router handler that has access to the App instance.
+// Implementations can opt to call buildDefault() to reuse the default upstream handler.
+type HandlerFactory func(app *App, buildDefault func() httprouter.Handle) httprouter.Handle
+
+var (
+	handlerOverrideMu sync.RWMutex
+	handlerOverrides  = map[HandlerID]HandlerFactory{}
+)
+
+// RegisterHandlerOverride allows downstream code to override a specific handler.
+// TODO(downstream): Call this from vendor packages (e.g., internal/redhat/handlers) to inject custom behavior.
+// Calling this function multiple times for the same id will replace the previous override.
+func RegisterHandlerOverride(id HandlerID, factory HandlerFactory) {
+	handlerOverrideMu.Lock()
+	defer handlerOverrideMu.Unlock()
+	handlerOverrides[id] = factory
+}
+
+//nolint:unused // Used by downstream implementations
+func getHandlerOverride(id HandlerID) HandlerFactory {
+	handlerOverrideMu.RLock()
+	defer handlerOverrideMu.RUnlock()
+	return handlerOverrides[id]
+}
+
+// handlerWithOverride returns the handler registered for the given id or builds the default one.
+// TODO(upstream): This glue stays upstream so the router keeps working even when no downstream overrides exist.
+//
+//nolint:unused // Used by downstream implementations
+func (app *App) handlerWithOverride(id HandlerID, buildDefault func() httprouter.Handle) httprouter.Handle {
+	if factory := getHandlerOverride(id); factory != nil {
+		app.logHandlerOverride(id)
+		return factory(app, buildDefault)
+	}
+	return buildDefault()
+}
+
+//nolint:unused // Used by downstream implementations
+func (app *App) logHandlerOverride(id HandlerID) {
+	if app == nil || app.logger == nil {
+		return
+	}
+	app.logger.Debug("Using handler override", slog.String("handlerID", string(id)))
+}

clients/ui/bff/internal/api/model_registry_settings_handler.go

@@ -18,8 +18,6 @@ type ModelRegistryAndCredentialsSettingsEnvelope Envelope[models.ModelRegistryAn
 type ModelRegistrySettingsPayloadEnvelope Envelope[models.ModelRegistrySettingsPayload, None]
 
 func (app *App) GetAllModelRegistriesSettingsHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-	ctxLogger := helper.GetContextLoggerFromReq(r)
-	ctxLogger.Info("This functionality is not implement yet. This is a STUB API to unblock frontend development")
 
 	namespace, ok := r.Context().Value(constants.NamespaceHeaderParameterKey).(string)
 	if !ok || namespace == "" {
@@ -36,17 +34,17 @@ func (app *App) GetAllModelRegistriesSettingsHandler(w http.ResponseWriter, r *h
 		Key:  "ssl-secret-key",
 	}
 
-	registries := []models.ModelRegistryKind{createSampleModelRegistry("model-registry", namespace, &sslRootCertificateConfigMap, nil),
+	registries := []models.ModelRegistryKind{
+		createSampleModelRegistry("model-registry", namespace, &sslRootCertificateConfigMap, nil),
 		createSampleModelRegistry("model-registry-dora", namespace, nil, &sslRootCertificateSecret),
-		createSampleModelRegistry("model-registry-bella", namespace, nil, nil)}
+		createSampleModelRegistry("model-registry-bella", namespace, nil, nil),
+	}
 
 	modelRegistryRes := ModelRegistrySettingsListEnvelope{
 		Data: registries,
 	}
 
-	err := app.WriteJSON(w, http.StatusOK, modelRegistryRes, nil)
-
-	if err != nil {
+	if err := app.WriteJSON(w, http.StatusOK, modelRegistryRes, nil); err != nil {
 		app.serverErrorResponse(w, r, err)
 	}
 
@@ -73,9 +71,7 @@ func (app *App) GetModelRegistrySettingsHandler(w http.ResponseWriter, r *http.R
 		Data: modelRegistryWithCreds,
 	}
 
-	err := app.WriteJSON(w, http.StatusOK, modelRegistryRes, nil)
-
-	if err != nil {
+	if err := app.WriteJSON(w, http.StatusOK, modelRegistryRes, nil); err != nil {
 		app.serverErrorResponse(w, r, err)
 	}
 }
@@ -94,31 +90,18 @@ func (app *App) CreateModelRegistrySettingsHandler(w http.ResponseWriter, r *htt
 		app.serverErrorResponse(w, r, fmt.Errorf("error decoding JSON:: %v", err.Error()))
 		return
 	}
-
-	var modelRegistryName = envelope.Data.ModelRegistry.Metadata.Name
-
-	if modelRegistryName == "" {
-		app.badRequestResponse(w, r, fmt.Errorf("model registry name is required"))
-		return
-	}
-
-	ctxLogger.Info("Creating model registry", "name", modelRegistryName)
-
-	// For now, we're using the stub implementation, but we'd use envelope.Data.ModelRegistry
-	// and other fields from the payload in a real implementation
+	modelRegistryName := envelope.Data.ModelRegistry.Metadata.Name
 	registry := createSampleModelRegistry(modelRegistryName, namespace, nil, nil)
 
 	modelRegistryRes := ModelRegistrySettingsEnvelope{
 		Data: registry,
 	}
 
 	w.Header().Set("Location", r.URL.JoinPath(modelRegistryRes.Data.Metadata.Name).String())
-	writeErr := app.WriteJSON(w, http.StatusCreated, modelRegistryRes, nil)
-	if writeErr != nil {
+	if err := app.WriteJSON(w, http.StatusCreated, modelRegistryRes, nil); err != nil {
 		app.serverErrorResponse(w, r, fmt.Errorf("error writing JSON"))
 		return
 	}
-
 }
 
 func (app *App) UpdateModelRegistrySettingsHandler(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
@@ -137,8 +120,7 @@ func (app *App) UpdateModelRegistrySettingsHandler(w http.ResponseWriter, r *htt
 		Data: registry,
 	}
 
-	err := app.WriteJSON(w, http.StatusOK, modelRegistryRes, nil)
-	if err != nil {
+	if err := app.WriteJSON(w, http.StatusOK, modelRegistryRes, nil); err != nil {
 		app.serverErrorResponse(w, r, fmt.Errorf("error writing JSON"))
 		return
 	}
@@ -161,9 +143,7 @@ func (app *App) DeleteModelRegistrySettingsHandler(w http.ResponseWriter, r *htt
 		Data: registry,
 	}
 
-	err := app.WriteJSON(w, http.StatusOK, modelRegistryRes, nil)
-
-	if err != nil {
+	if err := app.WriteJSON(w, http.StatusOK, modelRegistryRes, nil); err != nil {
 		app.serverErrorResponse(w, r, err)
 	}
 

clients/ui/bff/internal/api/public_helpers.go

@@ -0,0 +1,53 @@
+package api
+
+import (
+	"fmt"
+	"net/http"
+
+	"log/slog"
+
+	"github.com/kubeflow/model-registry/ui/bff/internal/config"
+	k8s "github.com/kubeflow/model-registry/ui/bff/internal/integrations/kubernetes"
+	"github.com/kubeflow/model-registry/ui/bff/internal/repositories"
+)
+
+// BadRequest exposes the internal bad request helper for extensions.
+func (app *App) BadRequest(w http.ResponseWriter, r *http.Request, err error) {
+	if app == nil {
+		return
+	}
+	app.badRequestResponse(w, r, err)
+}
+
+// ServerError exposes the internal server error helper for extensions.
+func (app *App) ServerError(w http.ResponseWriter, r *http.Request, err error) {
+	if app == nil {
+		return
+	}
+	app.serverErrorResponse(w, r, err)
+}
+
+// NotImplemented writes a standard placeholder response for unimplemented endpoints.
+func (app *App) NotImplemented(w http.ResponseWriter, r *http.Request, feature string) {
+	app.serverErrorResponse(w, r, fmt.Errorf("%s is not implemented", feature))
+}
+
+// Config exposes the application configuration for extensions.
+func (app *App) Config() config.EnvConfig {
+	return app.config
+}
+
+// Logger exposes the application logger for extensions.
+func (app *App) Logger() *slog.Logger {
+	return app.logger
+}
+
+// KubernetesClientFactory exposes the k8s factory for extensions.
+func (app *App) KubernetesClientFactory() k8s.KubernetesClientFactory {
+	return app.kubernetesClientFactory
+}
+
+// Repositories exposes the repositories container for extensions.
+func (app *App) Repositories() *repositories.Repositories {
+	return app.repositories
+}

clients/ui/bff/internal/api/test_app.go

@@ -0,0 +1,25 @@
+package api
+
+import (
+	"io"
+	"log/slog"
+
+	"github.com/kubeflow/model-registry/ui/bff/internal/config"
+	k8s "github.com/kubeflow/model-registry/ui/bff/internal/integrations/kubernetes"
+	"github.com/kubeflow/model-registry/ui/bff/internal/repositories"
+)
+
+// NewTestApp exposes a minimal constructor that allows tests and downstream
+// extensions to configure specific App dependencies without invoking the
+// production bootstrap logic.
+func NewTestApp(cfg config.EnvConfig, logger *slog.Logger, factory k8s.KubernetesClientFactory, repos *repositories.Repositories) *App {
+	if logger == nil {
+		logger = slog.New(slog.NewTextHandler(io.Discard, nil))
+	}
+	return &App{
+		config:                  cfg,
+		logger:                  logger,
+		kubernetesClientFactory: factory,
+		repositories:            repos,
+	}
+}

clients/ui/bff/internal/integrations/kubernetes/client.go

@@ -2,6 +2,7 @@ package kubernetes
 
 import (
 	"context"
+
 	corev1 "k8s.io/api/core/v1"
 )