fix(automl,autorag): extend dynamic port-forwarding to S3 and LlamaStack paths (#7310)

* fix(automl,autorag): extend dynamic port-forwarding to S3 and LlamaStack paths

The initial port-forwarding implementation only covered the DSPA
middleware path. Three additional code paths also use in-cluster URLs
that need rewriting for local development:

- S3 resolveS3Client (both packages): when secretName is provided,
  the DSPA middleware is skipped and the endpoint URL from the secret
  is used directly. Add port-forward rewrite before S3 client creation.
- LlamaStack AttachLlamaStackClientFromSecret (autorag): the base URL
  from the secret is used directly. Add port-forward rewrite before
  client creation.
- LlamaStack ListProviders (autorag): auth token was stripped on HTTP
  requests. After port-forwarding rewrites to http://localhost, the
  token must be sent. Allow auth on localhost connections.

All changes are guarded by portForwardManager being non-nil (requires
DevMode=true) or by localhost-only scope.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(automl,autorag): log port-forward errors instead of silently dropping

Address review feedback: ForwardURL errors in the S3 handler and
LlamaStack middleware were silently swallowed. Now log warnings
consistent with the pattern used in AttachPipelineServerClient.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: chrjones-rh

packages/automl/bff/internal/api/s3_handler.go

@@ -146,6 +146,17 @@ func (app *App) resolveS3Client(w http.ResponseWriter, r *http.Request, secretNa
 		}
 	}
 
+	// Dev-only: rewrite S3 endpoint to localhost via dynamic port-forward.
+	// portForwardManager is nil in production (requires DevMode=true).
+	if app.portForwardManager != nil && creds.EndpointURL != "" {
+		if rewritten, pfErr := app.portForwardManager.ForwardURL(ctx, creds.EndpointURL); pfErr != nil {
+			app.logger.Warn("dynamic port-forward failed for S3 endpoint, using original URL",
+				"error", pfErr, "url", creds.EndpointURL)
+		} else {
+			creds.EndpointURL = rewritten
+		}
+	}
+
 	s3Client, err := app.s3ClientFactory.CreateClient(creds)
 	if err != nil {
 		if errors.Is(err, s3int.ErrEndpointValidation) {

packages/autorag/bff/internal/api/middleware.go

@@ -384,6 +384,17 @@ func (app *App) AttachLlamaStackClientFromSecret(next func(http.ResponseWriter,
 				return
 			}
 
+			// Dev-only: rewrite LlamaStack URL to localhost via dynamic port-forward.
+			// portForwardManager is nil in production (requires DevMode=true).
+			if app.portForwardManager != nil {
+				if rewritten, pfErr := app.portForwardManager.ForwardURL(ctx, baseURL); pfErr != nil {
+					logger.Warn("dynamic port-forward failed for LlamaStack endpoint, using original URL",
+						"error", pfErr, "url", baseURL)
+				} else {
+					baseURL = rewritten
+				}
+			}
+
 			logger.Debug("Creating LlamaStack client from secret",
 				"namespace", namespace,
 				"secretName", secretName,

packages/autorag/bff/internal/api/s3_handler.go

@@ -144,6 +144,17 @@ func (app *App) resolveS3Client(w http.ResponseWriter, r *http.Request, secretNa
 	//   A new AWS S3 client is created on every request. The AWS SDK client
 	//   is designed for reuse (connection pooling, TLS session caching). Consider caching
 	//   clients by credential identity (e.g. namespace/secretName) with a sync.Map or TTL cache.
+	// Dev-only: rewrite S3 endpoint to localhost via dynamic port-forward.
+	// portForwardManager is nil in production (requires DevMode=true).
+	if app.portForwardManager != nil && creds.EndpointURL != "" {
+		if rewritten, pfErr := app.portForwardManager.ForwardURL(ctx, creds.EndpointURL); pfErr != nil {
+			app.logger.Warn("dynamic port-forward failed for S3 endpoint, using original URL",
+				"error", pfErr, "url", creds.EndpointURL)
+		} else {
+			creds.EndpointURL = rewritten
+		}
+	}
+
 	s3Client, err := app.s3ClientFactory.CreateClient(creds)
 	if err != nil {
 		if errors.Is(err, s3int.ErrEndpointValidation) {