[release-4.17] OCPBUGS-56238: Remove the devconsole backend common internet proxy and replace it with dedicated ones

cmd/bridge/main.go

@@ -314,6 +314,9 @@ func main() {
 		srv.GOOS = runtime.GOOS
 	}
 
+	// Blacklisted headers
+	srv.ProxyHeaderDenyList = []string{"Cookie", "X-CSRFToken", "X-CSRF-Token"}
+
 	if *fLogLevel != "" {
 		klog.Warningf("DEPRECATED: --log-level is now deprecated, use verbosity flag --v=Level instead")
 	}
@@ -350,7 +353,7 @@ func main() {
 
 		srv.K8sProxyConfig = &proxy.Config{
 			TLSClientConfig: tlsConfig,
-			HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+			HeaderBlacklist: srv.ProxyHeaderDenyList,
 			Endpoint:        k8sEndpoint,
 		}
 
@@ -381,41 +384,41 @@ func main() {
 
 			srv.ThanosProxyConfig = &proxy.Config{
 				TLSClientConfig: serviceProxyTLSConfig,
-				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				HeaderBlacklist: srv.ProxyHeaderDenyList,
 				Endpoint:        &url.URL{Scheme: "https", Host: openshiftThanosHost, Path: "/api"},
 			}
 			srv.ThanosTenancyProxyConfig = &proxy.Config{
 				TLSClientConfig: serviceProxyTLSConfig,
-				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				HeaderBlacklist: srv.ProxyHeaderDenyList,
 				Endpoint:        &url.URL{Scheme: "https", Host: openshiftThanosTenancyHost, Path: "/api"},
 			}
 			srv.ThanosTenancyProxyForRulesConfig = &proxy.Config{
 				TLSClientConfig: serviceProxyTLSConfig,
-				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				HeaderBlacklist: srv.ProxyHeaderDenyList,
 				Endpoint:        &url.URL{Scheme: "https", Host: openshiftThanosTenancyForRulesHost, Path: "/api"},
 			}
 
 			srv.AlertManagerProxyConfig = &proxy.Config{
 				TLSClientConfig: serviceProxyTLSConfig,
-				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				HeaderBlacklist: srv.ProxyHeaderDenyList,
 				Endpoint:        &url.URL{Scheme: "https", Host: openshiftAlertManagerHost, Path: "/api"},
 			}
 			srv.AlertManagerUserWorkloadProxyConfig = &proxy.Config{
 				TLSClientConfig: serviceProxyTLSConfig,
-				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				HeaderBlacklist: srv.ProxyHeaderDenyList,
 				Endpoint:        &url.URL{Scheme: "https", Host: *fAlertmanagerUserWorkloadHost, Path: "/api"},
 			}
 			srv.AlertManagerTenancyProxyConfig = &proxy.Config{
 				TLSClientConfig: serviceProxyTLSConfig,
-				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				HeaderBlacklist: srv.ProxyHeaderDenyList,
 				Endpoint:        &url.URL{Scheme: "https", Host: *fAlertmanagerTenancyHost, Path: "/api"},
 			}
 			srv.TerminalProxyTLSConfig = serviceProxyTLSConfig
 			srv.PluginsProxyTLSConfig = serviceProxyTLSConfig
 
 			srv.GitOpsProxyConfig = &proxy.Config{
 				TLSClientConfig: serviceProxyTLSConfig,
-				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				HeaderBlacklist: srv.ProxyHeaderDenyList,
 				Endpoint:        &url.URL{Scheme: "https", Host: openshiftGitOpsHost},
 			}
 		}
@@ -445,7 +448,7 @@ func main() {
 
 		srv.K8sProxyConfig = &proxy.Config{
 			TLSClientConfig:         serviceProxyTLSConfig,
-			HeaderBlacklist:         []string{"Cookie", "X-CSRFToken"},
+			HeaderBlacklist:         srv.ProxyHeaderDenyList,
 			Endpoint:                k8sEndpoint,
 			UseProxyFromEnvironment: true,
 		}
@@ -466,17 +469,17 @@ func main() {
 			offClusterThanosURL.Path += "/api"
 			srv.ThanosTenancyProxyConfig = &proxy.Config{
 				TLSClientConfig: serviceProxyTLSConfig,
-				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				HeaderBlacklist: srv.ProxyHeaderDenyList,
 				Endpoint:        offClusterThanosURL,
 			}
 			srv.ThanosTenancyProxyForRulesConfig = &proxy.Config{
 				TLSClientConfig: serviceProxyTLSConfig,
-				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				HeaderBlacklist: srv.ProxyHeaderDenyList,
 				Endpoint:        offClusterThanosURL,
 			}
 			srv.ThanosProxyConfig = &proxy.Config{
 				TLSClientConfig: serviceProxyTLSConfig,
-				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				HeaderBlacklist: srv.ProxyHeaderDenyList,
 				Endpoint:        offClusterThanosURL,
 			}
 		}
@@ -488,17 +491,17 @@ func main() {
 			offClusterAlertManagerURL.Path += "/api"
 			srv.AlertManagerProxyConfig = &proxy.Config{
 				TLSClientConfig: serviceProxyTLSConfig,
-				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				HeaderBlacklist: srv.ProxyHeaderDenyList,
 				Endpoint:        offClusterAlertManagerURL,
 			}
 			srv.AlertManagerTenancyProxyConfig = &proxy.Config{
 				TLSClientConfig: serviceProxyTLSConfig,
-				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				HeaderBlacklist: srv.ProxyHeaderDenyList,
 				Endpoint:        offClusterAlertManagerURL,
 			}
 			srv.AlertManagerUserWorkloadProxyConfig = &proxy.Config{
 				TLSClientConfig: serviceProxyTLSConfig,
-				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				HeaderBlacklist: srv.ProxyHeaderDenyList,
 				Endpoint:        offClusterAlertManagerURL,
 			}
 		}
@@ -512,7 +515,7 @@ func main() {
 
 			srv.GitOpsProxyConfig = &proxy.Config{
 				TLSClientConfig: serviceProxyTLSConfig,
-				HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+				HeaderBlacklist: srv.ProxyHeaderDenyList,
 				Endpoint:        offClusterGitOpsURL,
 			}
 		}
@@ -532,7 +535,7 @@ func main() {
 	}
 	srv.ClusterManagementProxyConfig = &proxy.Config{
 		TLSClientConfig: oscrypto.SecureTLSConfig(&tls.Config{}),
-		HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+		HeaderBlacklist: srv.ProxyHeaderDenyList,
 		Endpoint:        clusterManagementURL,
 	}
 

frontend/__tests__/reducers/features.spec.tsx

@@ -52,6 +52,7 @@ describe('featureReducer', () => {
         CONSOLE_QUICKSTART: undefined,
         CONSOLE_CAPABILITY_LIGHTSPEEDBUTTON_IS_ENABLED: undefined,
         LIGHTSPEED_IS_AVAILABLE_TO_INSTALL: undefined,
+        DEVCONSOLE_PROXY: true,
       }),
     );
   });

frontend/packages/console-shared/src/constants/common.ts

@@ -91,6 +91,7 @@ export enum FLAGS {
   CONSOLE_QUICKSTART = 'CONSOLE_QUICKSTART',
   CONSOLE_CAPABILITY_LIGHTSPEEDBUTTON_IS_ENABLED = 'CONSOLE_CAPABILITY_LIGHTSPEEDBUTTON_IS_ENABLED',
   LIGHTSPEED_IS_AVAILABLE_TO_INSTALL = 'LIGHTSPEED_IS_AVAILABLE_TO_INSTALL',
+  DEVCONSOLE_PROXY = 'DEVCONSOLE_PROXY',
 }
 
 export const CONFIG_STORAGE_CONSOLE = 'console';

frontend/packages/console-shared/src/types/backend-api.ts

@@ -0,0 +1,5 @@
+export type DevConsoleEndpointResponse = {
+  statusCode: number;
+  headers: Record<string, string[]>;
+  body: string;
+};

frontend/packages/console-shared/src/types/index.ts

@@ -2,3 +2,4 @@ export * from './pod';
 export * from './resource';
 export * from './route-params';
 export * from './tableColumn';
+export * from './backend-api';

frontend/packages/git-service/src/services/bitbucket-service.ts

@@ -2,12 +2,7 @@ import { Base64 } from 'js-base64';
 import * as ParseBitbucketUrl from 'parse-bitbucket-url';
 import 'whatwg-fetch';
 import { consoleFetchJSON } from '@console/dynamic-plugin-sdk/src/lib-core';
-import {
-  API_PROXY_URL,
-  ProxyResponse,
-  consoleProxyFetchJSON,
-  convertHeaders,
-} from '@console/shared/src/utils/proxy';
+import { DevConsoleEndpointResponse } from '@console/shared/src';
 import {
   GitSource,
   SecretType,
@@ -19,6 +14,24 @@ import {
 } from '../types';
 import { BaseService } from './base-service';
 
+type BBWebhookBody = {
+  url: string;
+  events: string[];
+  skip_cert_verification: boolean;
+  active: boolean;
+};
+
+type BitbucketWebhookRequest = {
+  headers: Headers;
+  isServer: boolean;
+  baseURL: string;
+  owner: string;
+  repoName: string;
+  body: BBWebhookBody;
+};
+
+export const BITBUCKET_WEBHOOK_BACKEND_URL = '/api/dev-console/webhooks/bitbucket';
+
 export class BitbucketService extends BaseService {
   private readonly metadata: RepoMetadata;
 
@@ -61,15 +74,6 @@ export class BitbucketService extends BaseService {
       ...headers,
     };
 
-    if (this.isServer) {
-      return consoleProxyFetchJSON({
-        url,
-        method: requestMethod || 'GET',
-        headers: convertHeaders(requestHeaders),
-        ...(body && { body: JSON.stringify(body) }),
-      });
-    }
-
     const response = await fetch(url, {
       method: requestMethod || 'GET',
       headers: requestHeaders,
@@ -183,28 +187,33 @@ export class BitbucketService extends BaseService {
     webhookURL: string,
     sslVerification: boolean,
   ): Promise<boolean> => {
-    const headers = {
-      'Content-Type': ['application/json'],
-      Authorization: [`Basic ${token}`],
-    };
-    const body = {
+    const headers = new Headers({
+      'Content-Type': 'application/json',
+      Authorization: `Basic ${token}`,
+    });
+    const body: BBWebhookBody = {
       url: webhookURL,
       events: ['repo:push', 'pullrequest:created', 'pullrequest:updated'],
       skip_cert_verification: !sslVerification,
       active: true,
     };
-    const url = this.isServer
-      ? `${this.baseURL}/projects/${this.metadata.owner}/repos/${this.metadata.repoName}/hooks`
-      : `${this.baseURL}/repositories/${this.metadata.owner}/${this.metadata.repoName}/hooks`;
 
-    /* Using DevConsole Proxy to create webhook as Bitbucket is giving CORS error */
-    const webhookResponse: ProxyResponse = await consoleFetchJSON.post(API_PROXY_URL, {
-      url,
-      method: 'POST',
+    const webhookRequestBody: BitbucketWebhookRequest = {
       headers,
-      body: JSON.stringify(body),
-    });
+      isServer: this.isServer,
+      baseURL: this.baseURL,
+      owner: this.metadata.owner,
+      repoName: this.metadata.repoName,
+      body,
+    };
 
+    const webhookResponse: DevConsoleEndpointResponse = await consoleFetchJSON.post(
+      BITBUCKET_WEBHOOK_BACKEND_URL,
+      webhookRequestBody,
+    );
+    if (!webhookResponse.statusCode) {
+      throw new Error('Unexpected proxy response: Status code is missing!');
+    }
     return webhookResponse.statusCode === 201;
   };