Initial open-source commit

Co-authored-by: Maximilian Braun <[email protected]>
Co-authored-by: David Siregar <[email protected]>

Author: 3 people

.dockerignore

@@ -0,0 +1,4 @@
+main
+kubeconfig.yaml
+kube-api-reflection
+.null-ls*

.github/workflows/build.yml

@@ -0,0 +1,79 @@
+name: Build
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "*"
+
+  pull_request:
+    branches:
+      - main
+
+  workflow_dispatch:
+
+env:
+  DOCKER_IMAGE: ghcr.io/${{ github.repository }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      attestations: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          # list of Docker images to use as base name for tags
+          images: |
+            ${{ env.DOCKER_IMAGE }}
+          # generate Docker tags based on the following events/attributes
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Login to Docker Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      # Only for public repositories
+      # - name: Attest
+      #   uses: actions/attest-build-provenance@v1
+      #   id: attest
+      #   with:
+      #     subject-name: ghcr.io/${{ github.repository }}
+      #     subject-digest: ${{ steps.push.outputs.digest }}
+      #     push-to-registry: true

.gitignore

@@ -0,0 +1,10 @@
+.idea
+main
+kubeconfig.yaml
+kube-api-reflection
+.null-ls*
+tmp
+.env
+
+coverage.html
+coverage.out

Dockerfile

@@ -0,0 +1,23 @@
+FROM golang:1.23-bookworm AS build
+
+WORKDIR /app
+
+COPY go.mod ./
+COPY go.sum ./
+RUN go mod download
+
+COPY . ./
+
+RUN CGO_ENABLED=0 go build -o /bin/app cmd/server/main.go
+
+## Deploy
+FROM scratch
+
+WORKDIR /
+
+COPY --from=build /bin/app /bin/app
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+EXPOSE 3000
+
+ENTRYPOINT ["/bin/app"]

Makefile

@@ -0,0 +1,50 @@
+GO := go
+PKG := ./...
+COVERAGE_FILE := coverage.out
+COVERAGE_HTML := coverage.html
+
+# Default goal
+.PHONY: all
+all: clean build test
+
+# Build the project
+.PHONY: build
+build:
+	$(GO) build -v $(PKG)
+
+# Run tests with coverage
+.PHONY: test
+test:
+	$(GO) test -v -coverprofile=$(COVERAGE_FILE) $(PKG)
+	$(GO) tool cover -html=$(COVERAGE_FILE) -o $(COVERAGE_HTML)
+	@echo "Coverage report generated at $(COVERAGE_HTML)"
+
+# Clean up generated files
+.PHONY: clean
+clean:
+	$(GO) clean
+	rm -f $(COVERAGE_FILE) $(COVERAGE_HTML)
+
+# Format the code
+.PHONY: fmt
+fmt:
+	$(GO) fmt $(PKG)
+
+# Lint the code
+.PHONY: lint
+lint:
+	golangci-lint run
+
+# Run all checks
+.PHONY: check
+check: fmt lint test
+
+# Install dependencies
+.PHONY: deps
+deps:
+	$(GO) mod tidy
+	$(GO) mod vendor
+
+.PHONY: start
+start:
+	$(GO) run cmd/server/main.go

README.md

@@ -1,20 +1,84 @@
-[![REUSE status](https://api.reuse.software/badge/github.com/openmcp-project/ui-backend)](https://api.reuse.software/info/github.com/openmcp-project/ui-backend)
-
 # ui-backend
 
+[![REUSE status](https://api.reuse.software/badge/github.com/openmcp-project/ui-backend)](https://api.reuse.software/info/github.com/openmcp-project/ui-backend)
+
 ## About this project
 
 UI backend for @openmcp-project
 
 ## Requirements and Setup
 
-*Insert a short description what is required to get your project running...*
+Setup: Requires the CRATE_KUBECONFIG environment variable.
+Start: Instructions to run the server using go run cmd/server/main.go.
+Call UI-backend: Details on how to make requests to the ui-backend with necessary headers for authorization and target API server configuration.
+Parsing JSON: Support for jsonpath and jq to parse JSON before sending it to the client.
+
+### Use Case
+
+#### Problem
+
+We want to call the kubernetes api server directly from the browser, but we have several problems preventing us from calling the api from the browser:
+
+- TLS certificate is not signed from a well-known CA
+- CORS is not configured most of the time
+
+#### Solution
+
+The `ui-backend` server acts like a proxy when talking to the Crate-Cluster or MCPs from the browser.
+The browser sends the request to the `ui-backend`, with authorization data and optionally the project, workspace and controlplane name of the MCP in header data.
+
+- If requesting the Crate: The request will get send to the crate cluster with the authorization data in the headers
+- If requesting an MCP: The `ui-backend` will call the Crate to get the `kubeconfig` of the MCP and then calls the MCP with that kubeconfig
+
+There are only some modifications done when piping the request to the api server, preventing some headers from going through.
+
+### Usage
+
+#### Setup
+
+The service needs only one mandatory environment variable, `CRATE_KUBECONFIG`, with the kubeconfig-yaml as a string. The `.users` field does not has to be set, as this part will get overwritten with the data from the requests.
+
+#### Start
+
+Run `go run cmd/server/main.go`
+
+#### Call UI-backend
+
+Call `ui-backend` with the http-method and path as you would directly to the api server.
+Put the authorization data in the following headers:
+
+- `X-Client-Certificate-Data`
+- `X-Client-Key-Data`
+
+or (for OIDC):
+
+- `Authorization`
+
+Also configure the api-server you want to call:
+
+- Crate: Add the header `X-Use-Crate-Cluster: true`
+- MCP: Add the headers `X-Project-Name`, `X-Workspace-Name` and `X-Control-Plane-Name`
+
+#### Parsing JSON
+
+`ui-backend` support jsonpath (kubectl version) and jq (gojq) to parse json before sending it to the client, reducing the data transfered to the client.
+
+Usage:
+
+- JsonPath: Add a header `X-jsonpath` with the jsonpath query
+- JQ: Add a header `X-jq` with the jq query
+
+### Deployment
+
+- Docker-Image: deploy-releases-hyperspace-docker.common.repositories.cloud.sap/cloud-orchestration/cola/ui-backend
+- Helm-Chart: oci://europe-docker.pkg.dev/sap-gcp-cp-k8s-stable-hub/cola/charts/ui-backend (is manually pushed)
 
 ## Support, Feedback, Contributing
 
 This project is open to feature requests/suggestions, bug reports etc. via [GitHub issues](https://github.com/openmcp-project/ui-backend/issues). Contribution and feedback are encouraged and always welcome. For more information about how to contribute, the project structure, as well as additional contribution information, see our [Contribution Guidelines](CONTRIBUTING.md).
 
 ## Security / Disclosure
+
 If you find any bug that may be a security problem, please follow our instructions at [in our security policy](https://github.com/openmcp-project/ui-backend/security/policy) on how to report it. Please do not create GitHub issues for security-related doubts or problems.
 
 ## Code of Conduct

chart/ui-backend/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

chart/ui-backend/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v2
+name: ui-backend
+description: A Helm chart for the ui-backend
+type: application
+version: 0.3.0

chart/ui-backend/templates/NOTES.txt

@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "ui-backend.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "ui-backend.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "ui-backend.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "ui-backend.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

chart/ui-backend/templates/_helpers.tpl

@@ -0,0 +1,51 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ui-backend.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ui-backend.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ui-backend.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "ui-backend.labels" -}}
+helm.sh/chart: {{ include "ui-backend.chart" . }}
+{{ include "ui-backend.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ui-backend.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ui-backend.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}