diff --git a/packages/automl/bff/internal/api/s3_handler.go b/packages/automl/bff/internal/api/s3_handler.go index 5f795c065f..f62e58617c 100644 --- a/packages/automl/bff/internal/api/s3_handler.go +++ b/packages/automl/bff/internal/api/s3_handler.go @@ -146,6 +146,17 @@ func (app *App) resolveS3Client(w http.ResponseWriter, r *http.Request, secretNa } } + // Dev-only: rewrite S3 endpoint to localhost via dynamic port-forward. + // portForwardManager is nil in production (requires DevMode=true). + if app.portForwardManager != nil && creds.EndpointURL != "" { + if rewritten, pfErr := app.portForwardManager.ForwardURL(ctx, creds.EndpointURL); pfErr != nil { + app.logger.Warn("dynamic port-forward failed for S3 endpoint, using original URL", + "error", pfErr, "url", creds.EndpointURL) + } else { + creds.EndpointURL = rewritten + } + } + s3Client, err := app.s3ClientFactory.CreateClient(creds) if err != nil { if errors.Is(err, s3int.ErrEndpointValidation) { diff --git a/packages/autorag/bff/internal/api/middleware.go b/packages/autorag/bff/internal/api/middleware.go index c1899b9bd3..5c398f94b4 100644 --- a/packages/autorag/bff/internal/api/middleware.go +++ b/packages/autorag/bff/internal/api/middleware.go @@ -384,6 +384,17 @@ func (app *App) AttachLlamaStackClientFromSecret(next func(http.ResponseWriter, return } + // Dev-only: rewrite LlamaStack URL to localhost via dynamic port-forward. + // portForwardManager is nil in production (requires DevMode=true). + if app.portForwardManager != nil { + if rewritten, pfErr := app.portForwardManager.ForwardURL(ctx, baseURL); pfErr != nil { + logger.Warn("dynamic port-forward failed for LlamaStack endpoint, using original URL", + "error", pfErr, "url", baseURL) + } else { + baseURL = rewritten + } + } + logger.Debug("Creating LlamaStack client from secret", "namespace", namespace, "secretName", secretName, 
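Review bot: In the automl resolveS3Client hunk, `creds.EndpointURL` from the secret is handed to `ForwardURL` before `CreateClient` runs, so whatever check sits behind `s3int.ErrEndpointValidation` only ever sees the rewritten URL, never the value the secret supplied. If that check is meant to limit which hosts a secret may point the BFF at, dev mode skips it for the original endpoint and also needs a loopback address to pass it. Validating the original endpoint first and rewriting afterwards keeps one rule for both modes; at minimum the block should carry a comment such as `// EndpointURL is forwarded unvalidated here; CreateClient only validates the rewritten URL`. The same ordering appears in the packages/autorag/bff/internal/api/s3_handler.go hunk. The function body starts and ends outside this hunk, so an earlier check may already cover this.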
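Review bot: The Warn call added to AttachLlamaStackClientFromSecret logs `baseURL` verbatim, and the surrounding code indicates that value is read from a namespace secret; if it ever carries userinfo or a query-string token, the credential ends up in the BFF log. Parsing the URL once and logging `"url", u.Redacted()` masks a userinfo password, and logging only `u.Host` also drops any query string. Both resolveS3Client hunks log `creds.EndpointURL` the same way. The enclosing function starts and ends outside this hunk.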
diff --git a/packages/autorag/bff/internal/api/s3_handler.go b/packages/autorag/bff/internal/api/s3_handler.go index c8f163b6ad..ebc5fdf600 100644 --- a/packages/autorag/bff/internal/api/s3_handler.go +++ b/packages/autorag/bff/internal/api/s3_handler.go @@ -144,6 +144,17 @@ func (app *App) resolveS3Client(w http.ResponseWriter, r *http.Request, secretNa // A new AWS S3 client is created on every request. The AWS SDK client // is designed for reuse (connection pooling, TLS session caching). Consider caching // clients by credential identity (e.g. namespace/secretName) with a sync.Map or TTL cache. + // Dev-only: rewrite S3 endpoint to localhost via dynamic port-forward. + // portForwardManager is nil in production (requires DevMode=true). + if app.portForwardManager != nil && creds.EndpointURL != "" { + if rewritten, pfErr := app.portForwardManager.ForwardURL(ctx, creds.EndpointURL); pfErr != nil { + app.logger.Warn("dynamic port-forward failed for S3 endpoint, using original URL", + "error", pfErr, "url", creds.EndpointURL) + } else { + creds.EndpointURL = rewritten + } + } + s3Client, err := app.s3ClientFactory.CreateClient(creds) if err != nil { if errors.Is(err, s3int.ErrEndpointValidation) { diff --git a/packages/autorag/bff/internal/integrations/llamastack/llamastack_client.go b/packages/autorag/bff/internal/integrations/llamastack/llamastack_client.go index 7e7ee0df52..1a82be6432 100644 --- a/packages/autorag/bff/internal/integrations/llamastack/llamastack_client.go +++ b/packages/autorag/bff/internal/integrations/llamastack/llamastack_client.go 
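Review bot: In the autorag resolveS3Client hunk the dev-only block is inserted between the existing three-line comment about creating a new S3 client on every request and the `CreateClient` call that comment describes, so the caching advice now reads as if it belonged to the port-forward rewrite. Placing the added block above that comment keeps the note directly over `s3Client, err := app.s3ClientFactory.CreateClient(creds)`. resolveS3Client continues outside the hunk on both sides.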
@@ -81,9 +81,11 @@ func (c *LlamaStackClient) ListProviders(ctx context.Context) ([]models.LlamaSta return nil, NewConnectionError(fmt.Sprintf("failed to create request for LlamaStack providers: %s", err.Error())) } - // Set headers — omit Authorization over plain HTTP to avoid leaking tokens + // Set headers — omit Authorization over plain HTTP to avoid leaking tokens, + // except for localhost (dev-mode port-forwarding tunnels in-cluster traffic locally). req.Header.Set("Accept", "application/json") - if c.authToken != "" && req.URL.Scheme == "https" { + isLocalhost := req.URL.Hostname() == "localhost" || req.URL.Hostname() == "127.0.0.1" + if c.authToken != "" && (req.URL.Scheme == "https" || isLocalhost) { req.Header.Set("Authorization", "Bearer "+c.authToken) }
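Review bot: The new `isLocalhost` exception in ListProviders is decided from the request URL alone, so it applies in every deployment and not only when dev-mode port-forwarding rewrote the address: any configured base URL of the form `http://localhost…` or `http://127.0.0.1…` now gets the bearer token over plain HTTP. The other hunks gate their dev-only behaviour on `app.portForwardManager != nil`; this relaxation should likewise depend on an explicit dev-mode signal handed to the client when the rewrite happened, not on the hostname. If the hostname test stays, call `req.URL.Hostname()` once and use `host == "localhost" || net.ParseIP(host).IsLoopback()`, which also covers `::1` and the rest of 127.0.0.0/8 that the two string comparisons miss. Only ListProviders is visible here; any other method of this client that applies the https-only rule would need the same decision.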