chore(kubernetes-client): add ability to ignore ssl

Author: andypf

commitlint.config.mjs

@@ -31,7 +31,7 @@ export const scopes = [
   "heureka",
   "infra",
   "juno",
-  "k8s",
+  "kubernetes-client",
   "message-provider",
   "main",
   "npm",

packages/k8s-client/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloudoperators/juno-k8s-client",
-  "version": "1.0.7",
+  "version": "1.1.0",
   "author": "UI-Team",
   "description": "JavaScript client for Kubernetes API",
   "main": "build/index.cjs.js",

packages/k8s-client/src/client.ts

@@ -3,35 +3,33 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import request from "./request"
+import request, { RequestOptions } from "./request"
 import { buildUrl } from "./urlHelpers"
 import { Watch, ADDED, MODIFIED, DELETED, ERROR } from "./watch"
 import handleApiError, { K8sApiError } from "./apiErrorHandler"
 
 interface ClientOptions {
   apiEndpoint: string
   token: string
+  ignoreSsl?: boolean // New option to ignore SSL certificate validation
+  debug?: boolean // Optional debug flag
   [key: string]: any // To allow additional properties if needed
 }
 
-interface RequestOptions {
-  params?: Record<string, any>
-  headers?: Record<string, string>
-  body?: Object | null
-  signal?: AbortSignal
-  mode?: RequestMode
-  cache?: RequestCache
-  credentials?: RequestCredentials
-}
-
 function createClient(options: ClientOptions) {
-  const { apiEndpoint } = options
+  const { apiEndpoint, ignoreSsl = false } = options
   let token = options.token
 
   if (!apiEndpoint || !token) {
     throw new Error(`Bad options: ${JSON.stringify(options, null, 4)}. Please provide apiEndpoint and token`)
   }
 
+  // Log warning when SSL verification is disabled
+  if (ignoreSsl && options.debug === true) {
+    console.warn(`⚠️  K8s Client: SSL certificate verification disabled for ${apiEndpoint}`)
+    console.warn(`🔒 This should only be used in development or secure internal networks`)
+  }
+
   const defaultHeaders = () => ({
     Authorization: `Bearer ${token}`,
     "Content-Type": "application/json",
@@ -44,10 +42,14 @@ function createClient(options: ClientOptions) {
       ...options.headers,
     }
 
+    // Use per-request ignoreSsl if provided, otherwise fall back to client-level setting
+    const shouldIgnoreSsl = options.ignoreSsl !== undefined ? options.ignoreSsl : ignoreSsl
+
     return {
       ...defaultOptions,
       ...options,
       headers,
+      ignoreSsl: shouldIgnoreSsl, // Pass ignoreSsl to request function
     }
   }
 

packages/k8s-client/src/request.ts

@@ -2,7 +2,7 @@
  * SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Juno contributors
  * SPDX-License-Identifier: Apache-2.0
  */
-
+import https from "https"
 import { buildUrl } from "./urlHelpers"
 import * as logger from "./logger"
 import { K8sApiError } from "./apiErrorHandler"
@@ -11,11 +11,13 @@ import { K8sApiError } from "./apiErrorHandler"
 interface RequestOptions {
   params?: Record<string, any>
   signal?: AbortSignal
-  headers?: HeadersInit | null
+  headers?: Record<string, any>
   body?: Object | null
   mode?: RequestMode
   cache?: RequestCache
   credentials?: RequestCredentials
+  ignoreSsl?: boolean // New option to ignore SSL certificate validation
+  debug?: boolean // Optional debug flag
   [key: string]: any
 }
 
@@ -35,36 +37,62 @@ const checkStatus = (response: Response): Response => {
  *
  * @param {string} method Http method.
  * @param {string} url The URL to send the request to.
- * @param {RequestOptions} options params, headers, and other options supported by fetch.
+ * @param {RequestOptions} options params, headers, ignoreSsl, and other options supported by fetch.
  * @return {Promise<Response>} The response promise.
  */
 function request(method: string, url: string, options: RequestOptions = {}): Promise<Response> {
   // add params to url
   if (options.params) url = buildUrl(url, options.params)
 
-  // add allowed options to fetch
-  const requestFields = ["signal", "headers", "body", "mode", "cache", "credentials"] as const
+  // Handle SSL ignore option
+  const { ignoreSsl, ...restOptions } = options
+
+  // Create HTTPS agent if SSL should be ignored for HTTPS URLs
+  let agent: https.Agent | undefined
+  if (ignoreSsl && url.startsWith("https:")) {
+    agent = new https.Agent({
+      rejectUnauthorized: false,
+    })
+
+    // Log warning when SSL verification is disabled
+    if (process.env.NODE_ENV !== "test" && options.debug === true) {
+      // Avoid spam in tests
+      logger.debug(`⚠️  SSL verification disabled for request to: ${url}`)
+    }
+  }
 
-  const fetchOptions: RequestInit = requestFields.reduce(
+  // add allowed options to fetch (excluding ignoreSsl as it's handled separately)
+  const requestFields = ["signal", "headers", "body", "mode", "cache", "credentials"] as const
+  const fetchOptions: RequestInit & { agent?: https.Agent } = requestFields.reduce(
     (map, key) => {
-      if (options[key]) {
-        return { ...map, [key]: options[key] }
+      if (restOptions[key]) {
+        return { ...map, [key]: restOptions[key] }
       }
-
       return map
     },
-    { credentials: "same-origin", method }
+    { credentials: "same-origin", method } as RequestInit & { agent?: https.Agent }
   )
 
+  // Add agent if SSL should be ignored (Node.js environment only)
+  if (agent) {
+    fetchOptions.agent = agent
+  }
+
   // stringify body if it's an object
   if (fetchOptions.body && typeof fetchOptions.body !== "string") {
     fetchOptions.body = JSON.stringify(fetchOptions.body)
   }
 
-  logger.debug("fetch >", url, fetchOptions)
+  if (options.debug === true) {
+    logger.debug("fetch >", url, {
+      ...fetchOptions,
+      agent: agent ? "HTTPS Agent (SSL ignored)" : fetchOptions.agent,
+    })
+  }
 
   // make the call
   return fetch(url, fetchOptions).then(checkStatus)
 }
 
 export default request
+export type { RequestOptions }

packages/k8s-client/src/watch.ts

@@ -40,6 +40,8 @@ interface WatchOptions {
   mode?: RequestMode
   cache?: RequestCache
   credentials?: RequestCredentials
+  ignoreSsl?: boolean // Allow per-request SSL override
+  debug?: boolean // Optional debug flag
 }
 
 class Watch {