Add service proxy support and enable Helm integration in headlamp #3532
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
the
needs-rebase
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: shahvrushali22 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
size/XL
There was a problem hiding this comment.
Pull Request Overview
This PR adds authenticated in-cluster service proxy support and enables Helm operations in Headlamp, alongside refactoring token validation and enhancing Helm charts for namespace scoping and HTTPS readiness/liveness probes.
- Introduce a new
serviceproxybackend module and route for in-cluster service access - Enable Helm via
--enable-helm, forward bearer tokens, and perform a SelfSubjectReview check - Update Helm chart templates for namespace scoping, HTTPS probes, and a toggleable Helm feature
Reviewed Changes
Copilot reviewed 29 out of 29 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| frontend/src/components/account/Auth.tsx | Reload page on successful authentication |
| frontend/package.json | Add npx update-browserslist-db@latest to prebuild |
| frontend/make-env.js | Disable source maps by setting GENERATE_SOURCEMAP: false |
| charts/headlamp/values.yaml | Add enableHelm flag and change default service port to 443 |
| charts/headlamp/templates/serviceaccount.yaml | Scope ServiceAccount to release namespace |
| charts/headlamp/templates/service.yaml | Scope Service and switch targetPort to HTTPS |
| charts/headlamp/templates/deployment.yaml | Scope Deployment, add -enable-helm, and enable HTTPS probes |
| charts/headlamp/templates/secret.yaml | Scope Secret to release namespace |
| charts/headlamp/templates/pvc.yaml | Scope PVC to release namespace |
| charts/headlamp/templates/ingress.yaml | Scope Ingress to release namespace |
| backend/pkg/serviceproxy/service.go | Implement service lookup and URL prefix logic |
| backend/pkg/serviceproxy/http.go | Provide HTTPGet helper for proxied requests |
| backend/pkg/serviceproxy/handler.go | Handle proxy requests and enforce no-cache headers |
| backend/pkg/serviceproxy/connection.go | Wrap HTTP calls in a ServiceConnection interface |
| backend/pkg/helm/release.go | Add SelfSubjectReview before Helm install |
| backend/pkg/config/config.go & config_test.go | Add enable-helm flag parsing and tests |
| backend/cmd/headlamp.go | Register serviceproxy route and refactor token check |
Comments suppressed due to low confidence (2)
backend/pkg/serviceproxy/service.go:15
- [nitpick] The constant name
HTTPSchemeis misleading since it holds the "http" scheme. Rename it to something likeHTTPSchemeNameorHTTPNameand useHTT PSSchemefor "https" to avoid confusion.
HTTPScheme = "http"
backend/pkg/serviceproxy/service.go:1
- There are no unit tests for the
serviceproxypackage. Consider adding tests forgetService,getPort, andgetServiceURLPrefixto ensure correct behavior and catch regressions.
package serviceproxy
|
|
k8s-ci-robot
added
cncf-cla: no
muraliinformal
force-pushed
the
add-serviceproxy
branch
from
916eeca to
6b7ac23
Compare
k8s-ci-robot
added
needs-rebase
|
Thanks for those changes for the copilot comments. It looks like there's some conflicts with the main branch at the moment. Would you be able to have a look? |
muraliinformal
force-pushed
the
add-serviceproxy
branch
from
c02511f to
067168f
Compare
k8s-ci-robot
removed
the
needs-rebase
|
@joaquimrocha @illume Could you please take a look ? |
|
I will let @illume continue the review. |
muraliinformal
force-pushed
the
add-serviceproxy
branch
2 times, most recently
from
40d09c2 to
16e1d15
Compare
|
@illume Could you please review the changes when you get chance ? Thanks |
k8s-ci-robot
added
the
needs-rebase
…ormat of path dir
Signed-off-by: Murali Annamneni <[email protected]>
Signed-off-by: Murali Annamneni <[email protected]>
Signed-off-by: Murali Annamneni <[email protected]>
muraliinformal
force-pushed
the
add-serviceproxy
branch
from
cbf124c to
c9ca652
Compare
k8s-ci-robot
added
size/L
There was a problem hiding this comment.
Thanks for those changes.
Seems there's some backend lint/formatting issues and some chart issues. You can run these locally:
make backend-lint
make backend-format
make helm-template-testI marked some conversations as resolved, and left a few open that need to be addressed.
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 24 out of 24 changed files in this pull request and generated 5 comments.
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| }) | ||
| ); | ||
| // On successful authentication, reload the page | ||
| window.location.reload(); |
There was a problem hiding this comment.
Using window.location.reload() forces a full page reload which can be disruptive to user experience. Consider using React state management or router navigation to update the UI state instead of a hard reload.
| window.location.reload(); | |
| // window.location.reload(); // Removed to avoid full page reload |
Copilot uses AI. Check for mistakes.
There was a problem hiding this comment.
Is this window reload really needed? (We seem to be ok without it so far.)
I wonder if there is a way to reproduce any issue where it's not working?
Signed-off-by: Murali Annamneni <[email protected]>
Signed-off-by: Murali Annamneni <[email protected]>
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 10 out of 10 changed files in this pull request and generated 4 comments.
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
|
|
||
| // Get - perform the get request. | ||
| func (c *Connection) Get(requestURI string) ([]byte, error) { | ||
| uri := fmt.Sprintf("%s/%s", c.URI, requestURI) |
There was a problem hiding this comment.
The requestURI parameter is directly concatenated without validation, which could lead to path traversal attacks. Consider validating and sanitizing the requestURI parameter to prevent malicious paths like '../../../etc/passwd'.
Copilot uses AI. Check for mistakes.
| installClient.Description = req.Description | ||
| installClient.CreateNamespace = req.CreateNamespace | ||
| installClient.ReleaseName, installClient.Namespace = req.Name, req.Namespace | ||
| installClient.Description, installClient.CreateNamespace = req.Description, req.CreateNamespace |
There was a problem hiding this comment.
[nitpick] Multiple assignments on a single line reduce readability. Consider splitting these into separate lines for better maintainability.
| installClient.Description, installClient.CreateNamespace = req.Description, req.CreateNamespace | |
| installClient.Description = req.Description | |
| installClient.CreateNamespace = req.CreateNamespace |
Copilot uses AI. Check for mistakes.
| // TODO - what if both exist? | ||
| func getPort(ports []corev1.ServicePort) (*corev1.ServicePort, error) { | ||
| for i, port := range ports { | ||
| if port.Name == HTTPSScheme || port.Name == HTTPScheme { | ||
| return &ports[i], nil | ||
| } | ||
| } |
There was a problem hiding this comment.
The TODO comment indicates incomplete logic handling. The function should clarify the priority when both 'http' and 'https' ports exist, or implement proper logic to handle this scenario.
| // TODO - what if both exist? | |
| func getPort(ports []corev1.ServicePort) (*corev1.ServicePort, error) { | |
| for i, port := range ports { | |
| if port.Name == HTTPSScheme || port.Name == HTTPScheme { | |
| return &ports[i], nil | |
| } | |
| } | |
| // Prefer "https" over "http" if both exist. | |
| func getPort(ports []corev1.ServicePort) (*corev1.ServicePort, error) { | |
| // First, look for "https" | |
| for i, port := range ports { | |
| if port.Name == HTTPSScheme { | |
| return &ports[i], nil | |
| } | |
| } | |
| // Then, look for "http" | |
| for i, port := range ports { | |
| if port.Name == HTTPScheme { | |
| return &ports[i], nil | |
| } | |
| } |
Copilot uses AI. Check for mistakes.
| } | ||
|
|
||
| values := make(map[string]interface{}) | ||
|
|
There was a problem hiding this comment.
[nitpick] The values variable is declared after decoding but could be declared closer to its usage for better code organization.
Copilot uses AI. Check for mistakes.
|
@muraliinformal theres a few open conversations. Can you please let me know what you think about each of them? Please see the commit guidelines https://headlamp.dev/docs/latest/contributing#2-follow-commit-guidelines Could you please squash your changes and rebase against main? If it makes sense to break it up into some smaller independent atomic commits, please do that? |
| name: "" | ||
| # -- directory to look for plugins | ||
| pluginsDir: "/headlamp/plugins" | ||
| enableHelm: false |
There was a problem hiding this comment.
We’ll need to add an entry to the documentation for this variable in charts/headlamp/README.md
Summary
This PR adds in-cluster service proxy support to Headlamp, enables Helm operations with authenticated access, and refactors token validation for consistency. It also ensures namespace scoping in Helm charts and enables secure HTTPS-based readiness and liveness probes.
Changes
Steps to Test