Adding option to enable Back End HTTPS for Prow Ingress

NiJuFirenzia · NiJuFirenzia · commit b32381d650ae · 2025-12-11T13:49:16.000-05:00
Signed-off-by: Nikhil Jiju &lt;Nikhil.Jiju@fmr.com&gt;
diff --git a/cmd/deck/main.go b/cmd/deck/main.go
@@ -140,6 +140,9 @@ type options struct {
 	controllerManager     prowflagutil.ControllerManagerOptions
 	dryRun                bool
 	tenantIDs             prowflagutil.Strings
+	enableSSL             bool
+	certFile              string
+	keyFile               string
 }
 
 func (o *options) Validate() error {
@@ -161,6 +164,15 @@ func (o *options) Validate() error {
 	if (o.hiddenOnly && o.showHidden) || (o.tenantIDs.Strings() != nil && (o.hiddenOnly || o.showHidden)) {
 		return errors.New("'--hidden-only', '--tenant-id', and '--show-hidden' are mutually exclusive, 'hidden-only' shows only hidden job, '--tenant-id' shows all jobs with matching ID and 'show-hidden' shows both hidden and non-hidden jobs")
 	}
+
+	if o.enableSSL {
+		if o.certFile == "" {
+			return errors.New("flag --enable-ssl was set to true but required flag --cert-file was unset")
+		}
+		if o.keyFile == "" {
+			return errors.New("flag --enable-ssl was set to true but required flag --key-file was unset")
+		}
+	}
 	return nil
 }
 
@@ -186,6 +198,9 @@ func gatherOptions(fs *flag.FlagSet, args ...string) options {
 	fs.BoolVar(&o.allowInsecure, "allow-insecure", false, "Allows insecure requests for CSRF and GitHub oauth.")
 	fs.BoolVar(&o.dryRun, "dry-run", false, "Whether or not to make mutating API calls to GitHub.")
 	fs.Var(&o.tenantIDs, "tenant-id", "The tenantID(s) used by the ProwJobs that should be displayed by this instance of Deck. This flag can be repeated.")
+	fs.BoolVar(&o.enableSSL, "enable-ssl", false, "Enable SSL to support Ingress backend HTTPS")
+	fs.StringVar(&o.certFile, "cert-file", "", "Location of the cert file for TLS call. This must be set if SSL is enabled.")
+	fs.StringVar(&o.keyFile, "key-file", "", "Location of the key file for TLS call. This must be set if SSL is enabled.")
 	o.config.AddFlags(fs)
 	o.instrumentation.AddFlags(fs)
 	o.controllerManager.TimeoutListingProwJobsDefault = 30 * time.Second
@@ -501,16 +516,27 @@ func main() {
 		return
 	}
 
-	var server *http.Server
+	health.ServeReady()
+	var handler http.Handler
+	serverPort := ":8080"
+
 	if csrfToken != nil {
 		CSRF := csrf.Protect(csrfToken, csrf.Path("/"), csrf.Secure(!o.allowInsecure))
-		server = &http.Server{Addr: ":8080", Handler: CSRF(traceHandler(mux))}
+		handler = CSRF(traceHandler(mux))
 	} else {
-		server = &http.Server{Addr: ":8080", Handler: traceHandler(mux)}
+		handler = traceHandler(mux)
 	}
 
-	health.ServeReady()
-	interrupts.ListenAndServe(server, 5*time.Second)
+	if o.enableSSL {
+		httpServer := &http.Server{
+			Addr:    serverPort,
+			Handler: handler,
+		}
+		interrupts.ListenAndServeTLS(httpServer, o.certFile, o.keyFile, 5*time.Second)
+	} else {
+		httpServer := &http.Server{Addr: serverPort, Handler: handler}
+		interrupts.ListenAndServe(httpServer, 5*time.Second)
+	}
 }
 
 // localOnlyMain contains logic used only when running locally, and is mutually exclusive with
@@ -567,7 +593,7 @@ func prodOnlyMain(cfg config.Getter, pluginAgent *plugins.ConfigAgent, authCfgGe
 
 	if o.hookURL != "" {
 		mux.Handle("/plugin-help.js",
-			gziphandler.GzipHandler(handlePluginHelp(newHelpAgent(o.hookURL), logrus.WithField("handler", "/plugin-help.js"))))
+			gziphandler.GzipHandler(handlePluginHelp(newHelpAgent(o.hookURL, o.certFile), logrus.WithField("handler", "/plugin-help.js"))))
 	}
 
 	// tide could potentially be mocked by static data
diff --git a/cmd/deck/main_test.go b/cmd/deck/main_test.go
@@ -680,6 +680,21 @@ func Test_gatherOptions(t *testing.T) {
 			},
 			err: true,
 		},
+		{
+			name: "explicitly set enableSSL",
+			args: map[string]string{
+				"--enable-ssl": "true",
+				"--cert-file":  "/test/path/cert.pem",
+				"--key-file":   "/test/path/key.pem",
+			},
+			expected: func(o *options) {
+				o.controllerManager.TimeoutListingProwJobs = 30 * time.Second
+				o.controllerManager.TimeoutListingProwJobsDefault = 30 * time.Second
+				o.enableSSL = true
+				o.certFile = "/test/path/cert.pem"
+				o.keyFile = "/test/path/key.pem"
+			},
+		},
 	}
 	for _, tc := range cases {
 		fs := flag.NewFlagSet("fake-flags", flag.PanicOnError)
diff --git a/cmd/deck/pluginhelp.go b/cmd/deck/pluginhelp.go
@@ -17,9 +17,13 @@ limitations under the License.
 package main
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"net/url"
+	"os"
 	"sync"
 	"time"
 
@@ -29,18 +33,21 @@ import (
 // cacheLife is the time that we keep a pluginhelp.Help struct before considering it stale.
 // We consider help valid for a minute to prevent excessive calls to hook.
 const cacheLife = time.Minute
+const tlsEnabledScehma = "https"
 
 type helpAgent struct {
 	path string
+	cert string
 
 	sync.Mutex
 	help   *pluginhelp.Help
 	expiry time.Time
 }
 
-func newHelpAgent(path string) *helpAgent {
+func newHelpAgent(path string, cert string) *helpAgent {
 	return &helpAgent{
 		path: path,
+		cert: cert,
 	}
 }
 
@@ -52,6 +59,27 @@ func (ha *helpAgent) getHelp() (*pluginhelp.Help, error) {
 		return ha.help, nil
 	}
 
+	//Setting Root CAs if SSL is enabled
+	hookPath, err := url.Parse(ha.path)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing hook path: %w", err)
+	}
+	if hookPath.Scheme == tlsEnabledScehma {
+		caCert, err := os.ReadFile(ha.cert)
+		if err != nil {
+			return nil, fmt.Errorf("error decoding cert file: %w", err)
+		}
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+		//Error is eaten here for testing purposes. There should be no reason the transport is not of type HTTP
+		if transport, ok := http.DefaultTransport.(*http.Transport); ok {
+			transport.TLSClientConfig = &tls.Config{
+				RootCAs: caCertPool,
+			}
+			http.DefaultTransport = transport
+		}
+	}
+
 	var help pluginhelp.Help
 	resp, err := http.Get(ha.path)
 	if err != nil {
diff --git a/cmd/deck/pluginhelp_test.go b/cmd/deck/pluginhelp_test.go
@@ -0,0 +1,175 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"io"
+	"net/http"
+	"os"
+	"sigs.k8s.io/prow/pkg/pluginhelp"
+	"strings"
+	"testing"
+	"time"
+)
+
+type mockRoundTripper struct {
+	resp *http.Response
+	err  error
+}
+
+func (m *mockRoundTripper) RoundTrip(*http.Request) (*http.Response, error) {
+	return m.resp, m.err
+}
+
+func TestGetHelp(t *testing.T) {
+	type testCase struct {
+		name        string
+		hookPath    string
+		cert        string
+		certContent string
+		mockResp    *http.Response
+		mockErr     error
+		wantDesc    string
+		wantFileErr bool
+		wantErr     string
+		cacheTest   bool
+	}
+
+	pluginHelp := pluginhelp.PluginHelp{Description: "test"}
+	cached := pluginhelp.PluginHelp{Description: "cached"}
+	help := pluginhelp.Help{PluginHelp: map[string]pluginhelp.PluginHelp{"example": pluginHelp}}
+	cachedHelp := pluginhelp.Help{PluginHelp: map[string]pluginhelp.PluginHelp{"example": cached}}
+	helpBytes, _ := json.Marshal(help)
+	cachedBytes, _ := json.Marshal(cachedHelp)
+
+	cases := []testCase{
+		{
+			name:     "NoCert_Success",
+			hookPath: "http://example.com/help",
+			cert:     "",
+			mockResp: &http.Response{StatusCode: 200, Body: io.NopCloser(bytes.NewReader(helpBytes))},
+			wantDesc: "test",
+		},
+		{
+			name:        "WithCert_FileError",
+			hookPath:    "https://example.com/help",
+			cert:        "C://badfileformat://",
+			wantFileErr: true,
+			wantErr:     "error decoding cert file: open C://badfileformat://: no such file or directory",
+		},
+		{
+			name:     "NoCert_NoHttps",
+			hookPath: "http://example.com/help",
+			cert:     "",
+			mockResp: &http.Response{StatusCode: 200, Body: io.NopCloser(bytes.NewReader(helpBytes))},
+			wantDesc: "test",
+		},
+		{
+			name:        "WithCert_Success",
+			hookPath:    "https://example.com/help",
+			cert:        t.TempDir() + "/cert.pem",
+			certContent: "dummy cert content",
+			mockResp:    &http.Response{StatusCode: 200, Body: io.NopCloser(bytes.NewReader(helpBytes))},
+			wantDesc:    "test",
+		},
+		{
+			name:     "HTTPError",
+			hookPath: "http://example.com/help",
+			cert:     "",
+			mockErr:  errors.New("fail"),
+			wantErr:  "error Getting plugin help: Get \"http://example.com/help\": fail",
+		},
+		{
+			name:     "StatusCodeError",
+			hookPath: "http://example.com/help",
+			cert:     "",
+			mockResp: &http.Response{StatusCode: 500, Body: io.NopCloser(bytes.NewReader([]byte{}))},
+			wantErr:  "response has status code 500",
+		},
+		{
+			name:     "JSONError",
+			hookPath: "http://example.com/help",
+			cert:     "",
+			mockResp: &http.Response{StatusCode: 200, Body: io.NopCloser(bytes.NewReader([]byte("notjson")))},
+			wantErr:  "error decoding json plugin help:",
+		},
+		{
+			name:      "Cache",
+			hookPath:  "http://example.com/help",
+			cert:      "",
+			mockResp:  &http.Response{StatusCode: 200, Body: io.NopCloser(bytes.NewReader(cachedBytes))},
+			wantDesc:  "cached",
+			cacheTest: true,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+
+			//// Mock the HTTP client
+			http.DefaultTransport = &mockRoundTripper{
+				resp: tc.mockResp,
+				err:  tc.mockErr,
+			}
+
+			ha := newHelpAgent(tc.hookPath, tc.cert)
+			if tc.cert != "" && !tc.wantFileErr {
+				err := os.WriteFile(tc.cert, []byte(tc.certContent), 0644)
+				if err != nil {
+					t.Fatalf("Failed to create test file: %v", err)
+				}
+			}
+
+			if tc.cacheTest {
+				// First call populates cache
+				got, err := ha.getHelp()
+				if err != nil {
+					t.Fatalf("unexpected error: %v", err)
+				}
+				if got.PluginHelp["example"].Description != tc.wantDesc {
+					t.Errorf("expected description '%s', got '%s'", tc.wantDesc, got.PluginHelp["example"].Description)
+				}
+				// Set expiry to future to trigger cache
+				ha.expiry = time.Now().Add(time.Minute)
+				got2, err2 := ha.getHelp()
+				if err2 != nil {
+					t.Fatalf("unexpected error: %v", err2)
+				}
+				if got != got2 {
+					t.Errorf("expected cached help, got different pointers")
+				}
+				return
+			}
+			got, err := ha.getHelp()
+			if tc.wantErr != "" {
+				if err == nil || !strings.Contains(err.Error(), tc.wantErr) {
+					t.Errorf("expected error containing '%s', got %v", tc.wantErr, err)
+				}
+			} else {
+				if err != nil {
+					t.Fatalf("unexpected error: %v", err)
+				}
+				if got.PluginHelp["example"].Description != tc.wantDesc {
+					t.Errorf("expected description '%s', got '%s'", tc.wantDesc, got.PluginHelp["example"].Description)
+				}
+			}
+		})
+	}
+}
diff --git a/cmd/hook/main.go b/cmd/hook/main.go
diff --git a/cmd/hook/main_test.go b/cmd/hook/main_test.go
