feat(kiali): standardize Certificate Authority Configuration Method (review) (#528)

manusa · web-flow · commit c2e4c45318aa · 2025-12-01T11:57:43.000+01:00
Signed-off-by: Marc Nuri &lt;marc@marcnuri.com&gt;
diff --git a/AGENTS.md b/AGENTS.md
@@ -48,92 +48,6 @@ When adding a new tool:
 3. Add the tool to an appropriate toolset (or create a new toolset if needed).
 4. Register the toolset in `pkg/toolsets/` if it's a new toolset.
 
-### Configuration Standards for Red Hat-Maintained Components
-
-To ensure consistency across Red Hat-maintained toolsets and cluster providers, follow these standards when implementing certificate authority (CA) configuration:
-
-#### Certificate Authority (CA) Configuration Standard
-
-**Standard Pattern:** Certificate authorities must be configured using **file paths**, not inline PEM content.
-
-**Implementation Guidelines:**
-
-1. **Config Parser (`pkg/toolsets/<toolset>/config.go`):**
-   - Accept `certificate_authority` as a string field in your toolset config struct.
-   - In the toolset parser function, resolve relative paths using `config.ConfigDirPathFromContext(ctx)` to make them relative to the config file directory.
-   - Store the resolved absolute path in the config struct.
-   - Validate in the `Validate()` method that `certificate_authority` is a valid file path using `os.Stat()`.
-
-   Example:
-   ```go
-   func (c *Config) Validate() error {
-       // ... other validations ...
-       
-       // Validate that certificate_authority is a valid file
-       if caValue := strings.TrimSpace(c.CertificateAuthority); caValue != "" {
-           if _, err := os.Stat(caValue); err != nil {
-               return fmt.Errorf("certificate_authority must be a valid file path: %w", err)
-           }
-       }
-       return nil
-   }
-   
-   func toolsetParser(ctx context.Context, primitive toml.Primitive, md toml.MetaData) (config.Extended, error) {
-       var cfg Config
-       if err := md.PrimitiveDecode(primitive, &cfg); err != nil {
-           return nil, err
-       }
-       
-       // Resolve relative CA file paths
-       if cfg.CertificateAuthority != "" {
-           configDir := config.ConfigDirPathFromContext(ctx)
-           if configDir != "" && !filepath.IsAbs(cfg.CertificateAuthority) {
-               cfg.CertificateAuthority = filepath.Join(configDir, cfg.CertificateAuthority)
-           }
-       }
-       
-       return &cfg, nil
-   }
-   ```
-
-2. **Client Implementation:**
-   - When using the CA certificate, read it from the file path using `os.ReadFile()`.
-   - Only valid file paths are supported; the path must exist and be readable.
-
-   Example:
-   ```go
-   func (c *Client) createHTTPClient() *http.Client {
-       tlsConfig := &tls.Config{InsecureSkipVerify: c.insecure}
-       
-       if caValue := strings.TrimSpace(c.certificateAuthority); caValue != "" {
-           // Read the certificate from file
-           caPEM, err := os.ReadFile(caValue)
-           if err != nil {
-               // Handle error appropriately
-           }
-           
-           // Use caPEM to configure TLS...
-       }
-       
-       return &http.Client{Transport: &http.Transport{TLSClientConfig: tlsConfig}}
-   }
-   ```
-
-3. **Documentation:**
-   - Document that `certificate_authority` accepts only a file path (absolute or relative).
-   - Mention that relative paths are resolved relative to the config file directory.
-   - Note that the file path must exist and be readable; invalid paths will cause validation to fail.
-
-**Reference Implementation:**
-- See `pkg/kiali/config.go` and `pkg/kiali/kiali.go` for a complete example.
-- See `pkg/kubernetes-mcp-server/cmd/root.go` (lines 292-314) for how the main server handles CA files.
-
-**Rationale:**
-- Consistency with ACM cluster provider and other Red Hat-maintained components.
-- Better security practices (certificates stored in files, not in config files).
-- Easier management and rotation of certificates.
-- Clearer separation of configuration and secrets.
-
 ## Building
 
 Use the provided Makefile targets:
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -89,17 +89,13 @@ type GroupVersionKind struct {
 
 type ReadConfigOpt func(cfg *StaticConfig)
 
-func withDirPath(path string) ReadConfigOpt {
+// WithDirPath returns a ReadConfigOpt that sets the config directory path.
+func WithDirPath(path string) ReadConfigOpt {
 	return func(cfg *StaticConfig) {
 		cfg.configDirPath = path
 	}
 }
 
-// WithDirPath returns a ReadConfigOpt that sets the config directory path.
-func WithDirPath(path string) ReadConfigOpt {
-	return withDirPath(path)
-}
-
 // Read reads the toml file and returns the StaticConfig, with any opts applied.
 func Read(configPath string, opts ...ReadConfigOpt) (*StaticConfig, error) {
 	configData, err := os.ReadFile(configPath)
@@ -114,7 +110,7 @@ func Read(configPath string, opts ...ReadConfigOpt) (*StaticConfig, error) {
 	}
 	dirPath := filepath.Dir(absPath)
 
-	cfg, err := ReadToml(configData, append(opts, withDirPath(dirPath))...)
+	cfg, err := ReadToml(configData, append(opts, WithDirPath(dirPath))...)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/kiali/config_test.go b/pkg/kiali/config_test.go
@@ -17,23 +17,14 @@ type ConfigSuite struct {
 }
 
 func (s *ConfigSuite) SetupTest() {
-	// Create a temporary directory for test files
-	tempDir, err := os.MkdirTemp("", "kiali-config-test-*")
-	s.Require().NoError(err, "Failed to create temp directory")
-	s.tempDir = tempDir
-
 	// Create a test CA certificate file
+	s.tempDir = s.T().TempDir()
 	s.caFile = filepath.Join(s.tempDir, "ca.crt")
-	err = os.WriteFile(s.caFile, []byte("test ca content"), 0644)
+	err := os.WriteFile(s.caFile, []byte("test ca content"), 0644)
 	s.Require().NoError(err, "Failed to write CA file")
 }
 
 func (s *ConfigSuite) TestConfigParser_ResolvesRelativePath() {
-	// Create CA file in temp directory
-	caFile := filepath.Join(s.tempDir, "ca.crt")
-	err := os.WriteFile(caFile, []byte("test ca content"), 0644)
-	s.Require().NoError(err, "Failed to write CA file")
-
 	// Read config with configDirPath set to tempDir to resolve relative paths
 	cfg := test.Must(config.ReadToml([]byte(`
 		[toolset_configs.kiali]
@@ -48,8 +39,7 @@ func (s *ConfigSuite) TestConfigParser_ResolvesRelativePath() {
 	s.Require().True(ok, "Kiali config should be of type *Config")
 
 	// Verify the path was resolved to absolute
-	expectedPath := caFile
-	s.Equal(expectedPath, kcfg.CertificateAuthority, "Relative path should be resolved to absolute path")
+	s.Equal(s.caFile, kcfg.CertificateAuthority, "Relative path should be resolved to absolute path")
 }
 
 func (s *ConfigSuite) TestConfigParser_PreservesAbsolutePath() {

Original file line number	Diff line number	Diff line change
`@@ -89,17 +89,13 @@ type GroupVersionKind struct {`
`89`	`89`
`90`	`90`	`type ReadConfigOpt func(cfg *StaticConfig)`
`91`	`91`
`92`		`-func withDirPath(path string) ReadConfigOpt {`
	`92`	`+// WithDirPath returns a ReadConfigOpt that sets the config directory path.`
	`93`	`+func WithDirPath(path string) ReadConfigOpt {`
`93`	`94`	`return func(cfg *StaticConfig) {`
`94`	`95`	`cfg.configDirPath = path`
`95`	`96`	`}`
`96`	`97`	`}`
`97`	`98`
`98`		`-// WithDirPath returns a ReadConfigOpt that sets the config directory path.`
`99`		`-func WithDirPath(path string) ReadConfigOpt {`
`100`		`- return withDirPath(path)`
`101`		`-}`
`102`		`-`
`103`	`99`	`// Read reads the toml file and returns the StaticConfig, with any opts applied.`
`104`	`100`	`func Read(configPath string, opts ...ReadConfigOpt) (*StaticConfig, error) {`
`105`	`101`	`configData, err := os.ReadFile(configPath)`
`@@ -114,7 +110,7 @@ func Read(configPath string, opts ...ReadConfigOpt) (*StaticConfig, error) {`
`114`	`110`	`}`
`115`	`111`	`dirPath := filepath.Dir(absPath)`
`116`	`112`
`117`		`- cfg, err := ReadToml(configData, append(opts, withDirPath(dirPath))...)`
	`113`	`+ cfg, err := ReadToml(configData, append(opts, WithDirPath(dirPath))...)`
`118`	`114`	`if err != nil {`
`119`	`115`	`return nil, err`
`120`	`116`	`}`