Harden security-sensitive deployment paths

[tomazb]

Summary

• Fail closed when OAuth forwarded access tokens are missing instead of falling back to the Pulse service account.
• Disable MCP exposure by default and refresh the packaged agent chart dependency.
• Replace the mutable Helm runner path with a project-owned digest-pinned runner flow and least-privilege job manifests.
• Resolve and validate Helm repo proxy destinations after DNS in dev mode.

Why

The reviewed deployment paths could otherwise grant broad service-account access, expose an unauthenticated MCP control surface, run mutable third-party Helm images, or let dev proxy requests reach private services through DNS rebinding.

Validation

• ./deploy/test-helm.sh
• pnpm exec vitest --run src/kubeview/views/create/tests/helmInstall.test.ts src/dev/tests/helmRepoProxy.test.ts
• pnpm run type-check
• pnpm run build
• pnpm test
• pnpm run lint
• bash -n deploy/deploy.sh deploy/test-helm.sh
• git diff --check

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a safer, configurable in-cluster Helm install flow (digest-pinned runner image + dedicated RBAC) and hardens Helm repo index fetching for development, while updating Helm chart/deploy assets to support runtime configuration injection and “fail-closed” auth behavior.

Changes:

• Introduces buildHelmInstallResources to generate ServiceAccount/Role/RoleBinding/Job for Helm installs and wires it into the Helm UI tab with runtime-configured runner image/SA.
• Adds an SSRF-resistant Helm repo index fetcher for the dev proxy and corresponding tests.
• Updates Helm charts/deploy scripts to inject runtime config (config.js), remove service-account-token fallback in nginx, and adjust agent dependency compatibility.

Reviewed changes

Copilot reviewed 17 out of 21 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
src/kubeview/views/create/helmInstall.ts	New builder for Helm install K8s resources + digest pin validation and RBAC/job spec.
src/kubeview/views/create/tests/helmInstall.test.ts	Unit tests for digest pin enforcement and resource wiring.
src/kubeview/views/create/HelmTab.tsx	Uses runtime config + resource builder; creates SA/RBAC before creating Job.
src/kubeview/config/runtime.ts	Reads runtime Helm install config from window.__OPENSHIFTPULSE_CONFIG__.
src/dev/helmRepoProxy.ts	New SSRF-protected resolver/fetcher for Helm repo index.yaml.
src/dev/tests/helmRepoProxy.test.ts	Tests for hostname resolution validation and URL normalization.
rspack.config.ts	Dev endpoint now uses fetchHelmRepoIndex instead of ad-hoc validation/fetch.
public/index.html	Loads /config.js at startup.
public/config.js	Establishes default global config object.
deploy/test-helm.sh	Updates Helm render checks and adds assertions for “fail-closed” token proxy + MCP default.
deploy/helm/pulse/values.yaml	Adds openshiftpulse.helmInstall values + MCP disable + compat values.
deploy/helm/pulse/Chart.yaml	Updates agent dependency version.
deploy/helm/pulse/Chart.lock	Updates dependency lock digest/generated timestamp.
deploy/helm/openshiftpulse/values.yaml	Adds helmInstall values with “fail closed” runner image default.
deploy/helm/openshiftpulse/templates/nginx-config.yaml	Injects config.js via ConfigMap and removes SA-token fallback; requires forwarded token.
deploy/helm/openshiftpulse/templates/deployment.yaml	Mounts config.js from ConfigMap and removes SA-token injection.
deploy/deploy.sh	Builds/pushes a dedicated Helm runner image and writes digest-pinned ref into Helm values.
Dockerfile.helm-runner	New Helm runner image build with checksum verification and non-root user.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.