VM actions should use cluster-proxy Service instead of Route (stolostron#4198)

* VM actions should use cluster-proxy Service instead of Route

Signed-off-by: zlayne <zlayne@redhat.com>

* Update setup to set cluster proxy route in local dev

Signed-off-by: zlayne <zlayne@redhat.com>

* update ca cert

Signed-off-by: zlayne <zlayne@redhat.com>

* better error message handling

Signed-off-by: zlayne <zlayne@redhat.com>

* log response for testing in cluster

Signed-off-by: zlayne <zlayne@redhat.com>

* remove test logging

Signed-off-by: zlayne <zlayne@redhat.com>

* Fix tests and lint errors

Signed-off-by: zlayne <zlayne@redhat.com>

---------

Signed-off-by: zlayne <zlayne@redhat.com>

Author: zlayne

backend/src/lib/json-request.ts

@@ -4,7 +4,7 @@ import { Agent } from 'https'
 import { HttpsProxyAgent } from 'https-proxy-agent'
 import { HeadersInit } from 'node-fetch'
 import { fetchRetry } from './fetch-retry'
-import { getCACertificate } from './serviceAccountToken'
+import { getServiceCACertificate } from './serviceAccountToken'
 
 const { HTTP2_HEADER_CONTENT_TYPE, HTTP2_HEADER_AUTHORIZATION, HTTP2_HEADER_ACCEPT, HTTP2_HEADER_USER_AGENT } =
   constants
@@ -64,47 +64,19 @@ export function jsonPost<T = unknown>(
 }
 
 export function jsonPut(url: string, body: unknown, token?: string): Promise<PutResponse> {
-  const headers: HeadersInit = {
-    [HTTP2_HEADER_CONTENT_TYPE]: 'application/json',
-  }
+  const headers: HeadersInit = {}
   if (token) headers[HTTP2_HEADER_AUTHORIZATION] = `Bearer ${token}`
   return fetchRetry(url, {
     method: 'PUT',
     headers,
-    agent: new Agent({ ca: getCACertificate() }),
+    agent: new Agent({ ca: getServiceCACertificate() }),
     body: JSON.stringify(body),
     compress: true,
   })
-    .then(async (response) => {
-      let responseData = undefined
-      if (response.headers.get('content-type')?.includes('text/plain')) {
-        try {
-          responseData = await response.text()
-          return {
-            statusCode: response.status,
-            body: responseData,
-          }
-        } catch (err) {
-          return {
-            statusCode: response.status,
-            body: 'Error getting resource text response.',
-          }
-        }
-      } else {
-        try {
-          responseData = (await response.json()) as unknown
-          return {
-            statusCode: response.status,
-            body: responseData,
-          }
-        } catch (err) {
-          return {
-            statusCode: response.status,
-            body: 'Error getting resource json response.',
-          }
-        }
-      }
-    })
+    .then((response) => ({
+      // No response body from cluster-proxy kubevirt requests.
+      statusCode: response.status,
+    }))
     .catch((err: Error) => {
       const errResult = {
         body: {

backend/src/routes/virtualMachineProxy.ts

@@ -2,11 +2,11 @@
 import { constants, Http2ServerRequest, Http2ServerResponse, OutgoingHttpHeaders } from 'http2'
 import { jsonPut, jsonRequest } from '../lib/json-request'
 import { logger } from '../lib/logger'
+import { getMultiClusterEngine } from '../lib/multi-cluster-engine'
 import { respond, respondInternalServerError } from '../lib/respond'
 import { getServiceAccountToken } from '../lib/serviceAccountToken'
 import { getAuthenticatedToken } from '../lib/token'
 import { ResourceList } from '../resources/resource-list'
-import { Route } from '../resources/route'
 import { Secret } from '../resources/secret'
 import { canAccess } from './events'
 
@@ -63,32 +63,19 @@ export async function virtualMachineProxy(req: Http2ServerRequest, res: Http2Ser
               return undefined
             })
 
-          // Get cluster proxy host
-          const proxyServer = await jsonRequest(
-            process.env.CLUSTER_API_URL +
-              '/apis/route.openshift.io/v1/namespaces/multicluster-engine/routes/cluster-proxy-addon-user',
-            token
-          )
-            .then((response: Route) => {
-              const scheme = response?.spec?.tls?.termination ? 'https' : 'http'
-              return response?.spec?.host ? `${scheme}://${response.spec.host}` : ''
-            })
-            .catch((err: Error): undefined => {
-              logger.error({ msg: 'Error getting cluster proxy Route', error: err.message })
-              return undefined
-            })
-
           // req.url is one of: /virtualmachines/<action> OR /virtualmachineinstances/<action>
           // the VM name is needed between the kind and action for the correct api url.
           const splitURL = req.url.split('/')
           const joinedURL = `${splitURL[1]}/${body.vmName}/${splitURL[2]}`
-          const path = `${proxyServer}/${body.managedCluster}/apis/subresources.kubevirt.io/v1/namespaces/${body.vmNamespace}/${joinedURL}`
+          const mce = await getMultiClusterEngine()
+          const proxyService = `https://cluster-proxy-addon-user.${mce?.spec?.targetNamespace || 'multicluster-engine'}.svc.cluster.local:9092`
+          const proxyURL = process.env.CLUSTER_PROXY_ADDON_USER_ROUTE || proxyService
+          const path = `${proxyURL}/${body.managedCluster}/apis/subresources.kubevirt.io/v1/namespaces/${body.vmNamespace}/${joinedURL}`
           const headers: OutgoingHttpHeaders = { authorization: `Bearer ${managedClusterToken}` }
           for (const header of proxyHeaders) {
             if (req.headers[header]) headers[header] = req.headers[header]
           }
 
-          if (!path) return respondInternalServerError(req, res)
           await jsonPut(path, {}, managedClusterToken)
             .then((results) => {
               if (results?.statusCode >= 200 && results?.statusCode < 300) {

backend/test/routes/virtualMachineProxy.test.ts

@@ -43,33 +43,7 @@ describe('Virtual Machine actions', function () {
           },
         ],
       })
-    nock(process.env.CLUSTER_API_URL)
-      .get('/apis/route.openshift.io/v1/namespaces/multicluster-engine/routes/cluster-proxy-addon-user')
-      .reply(200, {
-        kind: 'Route',
-        apiVersion: 'route.openshift.io/v1',
-        metadata: {
-          name: 'cluster-proxy-addon-user',
-          namespace: 'multicluster-engine',
-        },
-        spec: {
-          host: 'testCluster.red-chesterfield.com',
-          to: {
-            kind: 'Service',
-            name: 'cluster-proxy-addon-user',
-            weight: 100,
-          },
-          port: {
-            targetPort: 'user-port',
-          },
-          tls: {
-            termination: 'reencrypt',
-            insecureEdgeTerminationPolicy: 'Redirect',
-          },
-          wildcardPolicy: 'None',
-        },
-      })
-    nock('https://testcluster.red-chesterfield.com')
+    nock('https://cluster-proxy-addon-user.multicluster-engine.svc.cluster.local:9092')
       .put('/testCluster/apis/subresources.kubevirt.io/v1/namespaces/vmNamespace/virtualmachines/vmName/start')
       .reply(200, {
         statusCode: 200,
@@ -116,50 +90,15 @@ describe('Virtual Machine actions', function () {
           },
         ],
       })
-    nock(process.env.CLUSTER_API_URL)
-      .get('/apis/route.openshift.io/v1/namespaces/multicluster-engine/routes/cluster-proxy-addon-user')
-      .reply(200, {
-        kind: 'Route',
-        apiVersion: 'route.openshift.io/v1',
-        metadata: {
-          name: 'cluster-proxy-addon-user',
-          namespace: 'multicluster-engine',
-        },
-        spec: {
-          host: 'testCluster.red-chesterfield.com',
-          to: {
-            kind: 'Service',
-            name: 'cluster-proxy-addon-user',
-            weight: 100,
-          },
-          port: {
-            targetPort: 'user-port',
-          },
-          tls: {
-            termination: 'reencrypt',
-            insecureEdgeTerminationPolicy: 'Redirect',
-          },
-          wildcardPolicy: 'None',
-        },
-      })
-    nock('https://testcluster.red-chesterfield.com')
+    nock('https://cluster-proxy-addon-user.multicluster-engine.svc.cluster.local:9092')
       .put('/testCluster/apis/subresources.kubevirt.io/v1/namespaces/vmNamespace/virtualmachines/vmName/start')
-      .reply(500, {
-        name: 'fetchError',
-        message: 'error testing...',
-      })
+      .reply(500)
     const res = await request('PUT', '/virtualmachines/start', {
       managedCluster: 'testCluster',
       vmName: 'vmName',
       vmNamespace: 'vmNamespace',
     })
     expect(res.statusCode).toEqual(500)
-    expect(JSON.stringify(await parsePipedJsonBody(res))).toEqual(
-      JSON.stringify({
-        name: 'fetchError',
-        message: 'error testing...',
-      })
-    )
   })
 
   it('should fail with invalid route and secret', async function () {
@@ -180,10 +119,7 @@ describe('Virtual Machine actions', function () {
       kind: 'SecretList',
       items: [],
     })
-    nock(process.env.CLUSTER_API_URL)
-      .get('/apis/route.openshift.io/v1/namespaces/multicluster-engine/routes/cluster-proxy-addon-user')
-      .reply(400)
-    nock('https://testcluster.red-chesterfield.com')
+    nock('https://cluster-proxy-addon-user.multicluster-engine.svc.cluster.local:9092')
       .put('/testCluster/apis/subresources.kubevirt.io/v1/namespaces/vmNamespace/virtualmachines/vmName/start')
       .reply(500, {
         name: 'Error',
@@ -231,41 +167,15 @@ describe('Virtual Machine actions', function () {
           },
         ],
       })
-    nock(process.env.CLUSTER_API_URL)
-      .get('/apis/route.openshift.io/v1/namespaces/multicluster-engine/routes/cluster-proxy-addon-user')
-      .reply(200, {
-        kind: 'Route',
-        apiVersion: 'route.openshift.io/v1',
-        metadata: {
-          name: 'cluster-proxy-addon-user',
-          namespace: 'multicluster-engine',
-        },
-        spec: {
-          host: 'testCluster.red-chesterfield.com',
-          to: {
-            kind: 'Service',
-            name: 'cluster-proxy-addon-user',
-            weight: 100,
-          },
-          port: {
-            targetPort: 'user-port',
-          },
-          tls: {
-            termination: 'reencrypt',
-            insecureEdgeTerminationPolicy: 'Redirect',
-          },
-          wildcardPolicy: 'None',
-        },
-      })
-    nock('https://testcluster.red-chesterfield.com')
+    nock('https://cluster-proxy-addon-user.multicluster-engine.svc.cluster.local:9092')
       .put('/testCluster/apis/subresources.kubevirt.io/v1/namespaces/vmNamespace/virtualmachines/vmName/start')
-      .reply(502, 'plain text error', { [constants.HTTP2_HEADER_CONTENT_TYPE]: ['text/plain'] })
+      .reply(502, '', { [constants.HTTP2_HEADER_CONTENT_TYPE]: ['text/plain'] })
     const res = await request('PUT', '/virtualmachines/start', {
       managedCluster: 'testCluster',
       vmName: 'vmName',
       vmNamespace: 'vmNamespace',
     })
     expect(res.statusCode).toEqual(502)
-    expect(await parsePipedJsonBody(res)).toEqual('plain text error')
+    expect(await parsePipedJsonBody(res)).toEqual('')
   })
 })

setup.sh

@@ -101,3 +101,6 @@ EOF
   SEARCH_API_URL=https://$(oc get route search-api -n $INSTALLATION_NAMESPACE -o="jsonpath={.status.ingress[0].host}")
   echo SEARCH_API_URL=$SEARCH_API_URL >> ./backend/.env
 fi
+
+CLUSTER_PROXY_ADDON_USER_ROUTE=https://$(oc get route cluster-proxy-addon-user -n $INSTALLATION_NAMESPACE_MCE -o="jsonpath={.status.ingress[0].host}")
+echo CLUSTER_PROXY_ADDON_USER_ROUTE=$CLUSTER_PROXY_ADDON_USER_ROUTE >> ./backend/.env