
fix: fall back to TLS trust when cluster CA path is missing #317

Draft
adietish wants to merge 14 commits into redhat-developer:main from adietish:crw-11253

adietish commented Jun 12, 2026

Collaborator

coderabbitai Bot commented Jun 12, 2026


Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


adietish self-assigned this Jun 12, 2026

codecov-commenter commented Jun 12, 2026


Codecov Report

❌ Patch coverage is 43.37176% with 393 lines in your changes missing coverage. Please review.
✅ Project coverage is 31.89%. Comparing base (71098f6) to head (0fe3cbd).
⚠️ Report is 368 commits behind head on main.

Files with missing lines Patch % Lines
...ools/gateway/view/steps/DevSpacesServerStepView.kt 0.00% 80 Missing ⚠️
...ools/gateway/auth/tls/ui/TLSTrustDecisionDialog.kt 0.00% 52 Missing ⚠️
...evtools/gateway/auth/code/OpenShiftAuthCodeFlow.kt 14.89% 39 Missing and 1 partial ⚠️
.../view/steps/auth/AbstractAuthenticationStrategy.kt 0.00% 30 Missing ⚠️
...evtools/gateway/auth/tls/DefaultTlsTrustManager.kt 82.23% 18 Missing and 9 partials ⚠️
...vtools/gateway/auth/tls/ui/UITlsDecisionAdapter.kt 0.00% 26 Missing ⚠️
...view/steps/auth/RedHatSSOAuthenticationStrategy.kt 0.00% 20 Missing ⚠️
...steps/auth/OpenShiftOAuthAuthenticationStrategy.kt 0.00% 19 Missing ⚠️
...edhat/devtools/gateway/view/DevSpacesWizardView.kt 0.00% 17 Missing ⚠️
...devtools/gateway/auth/code/HttpClientExtensions.kt 36.00% 15 Missing and 1 partial ⚠️
... and 15 more
Additional details and impacted files
@@            Coverage Diff             @@
##            main     #317       +/-   ##
==========================================
+ Coverage   0.00%   31.89%   +31.89%     
==========================================
  Files          4      109      +105     
  Lines         26     4399     +4373     
  Branches       0      801      +801     
==========================================
+ Hits           0     1403     +1403     
- Misses        26     2833     +2807     
- Partials       0      163      +163     


adietish force-pushed the crw-11253 branch 14 times, most recently from aaa5778 to c0a8be0, June 18, 2026 09:19
adietish and others added 11 commits June 29, 2026 19:52
Stale or missing certificate-authority file paths in kubeconfig must not
break TLS trust resolution on a different machine.

Signed-off-by: Andre Dietisheim <adietish@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Use the TLS trust established in the wizard for post-login API connections
instead of kubeconfig CA settings or JVM default trust.

Signed-off-by: Andre Dietisheim <adietish@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Andre Dietisheim <adietish@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Andre Dietisheim <adietish@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Andre Dietisheim <adietish@redhat.com>
Centralize kubeconfig cluster resolution in KubeConfigUtils as
getClusterByServer and drop the duplicate from KubeConfigTlsUtils.

Signed-off-by: Andre Dietisheim <adietish@redhat.com>
Use the Certificate Authority input when establishing TLS context so
user-provided paths and PEM data are honored before the trust dialog.

Signed-off-by: Andre Dietisheim <adietish@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Parent trust prompts to the wizard, use invokeLater instead of invokeAndWait,
and split TLS setup from authentication so API and OAuth certificates can
both be accepted. Add TLS trust logging and surface OAuth discovery failures.

Signed-off-by: Andre Dietisheim <adietish@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
…odeFlow class

Signed-off-by: Andre Dietisheim <adietish@redhat.com>
Signed-off-by: Andre Dietisheim <adietish@redhat.com>
adietish force-pushed the crw-11253 branch 5 times, most recently from 98b09d2 to 9144841, June 30, 2026 14:51
adietish and others added 3 commits June 30, 2026 19:42
Signed-off-by: Andre Dietisheim <adietish@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Unify API and OAuth endpoint trust through establishTrustForEndpoint,
consolidate certificate resolution into resolveCertificatesForUrls and
mergeTrustedContext, and expose createOpenShiftTlsContext on TlsTrustManager
so OAuth hosts get the same probe-and-prompt flow as the API server.

Signed-off-by: Andre Dietisheim <adietish@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Andre Dietisheim <adietish@redhat.com>
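
The CA fallback that the commit messages above describe, sketched as an added example; this is not code from the pull request or from the plugin. `ClusterEntry`, `TrustSource`, `parsePem`, `resolveCa` and `trustManagerFor` are hypothetical names, and the resolution order (inline CA data, then CA file path, then JVM default trust) is an assumption. When the default trust rejects the server certificate, the caller is expected to show the trust prompt rather than disable verification.

```kotlin
import java.io.ByteArrayInputStream
import java.nio.file.Files
import java.nio.file.Path
import java.security.KeyStore
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate
import java.util.Base64
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager

// Hypothetical model of a kubeconfig cluster entry (not a class from the plugin).
data class ClusterEntry(val server: String, val caData: String? = null, val caPath: String? = null)
enum class TrustSource { KUBECONFIG_DATA, KUBECONFIG_FILE, SYSTEM_DEFAULT }

fun parsePem(bytes: ByteArray): List<X509Certificate> =
    CertificateFactory.getInstance("X.509")
        .generateCertificates(ByteArrayInputStream(bytes))
        .filterIsInstance<X509Certificate>()

// Returns the CA certificates to trust and where they came from (assumed order).
// A stale or unreadable path is skipped: never fatal, and never "trust everything".
fun resolveCa(cluster: ClusterEntry): Pair<TrustSource, List<X509Certificate>> {
    cluster.caData?.takeIf { it.isNotBlank() }?.let { data ->
        runCatching { parsePem(Base64.getDecoder().decode(data.trim())) }
            .getOrNull()?.takeIf { it.isNotEmpty() }
            ?.let { return TrustSource.KUBECONFIG_DATA to it }
    }
    cluster.caPath?.takeIf { it.isNotBlank() }?.let { p ->
        val path = runCatching { Path.of(p) }.getOrNull()
        if (path != null && Files.isReadable(path)) {
            runCatching { parsePem(Files.readAllBytes(path)) }
                .getOrNull()?.takeIf { it.isNotEmpty() }
                ?.let { return TrustSource.KUBECONFIG_FILE to it }
        }
    }
    return TrustSource.SYSTEM_DEFAULT to emptyList()
}

// An empty list means "no cluster CA found": build the manager on the JVM default anchors.
fun trustManagerFor(cas: List<X509Certificate>): X509TrustManager {
    val store: KeyStore? = if (cas.isEmpty()) null else
        KeyStore.getInstance(KeyStore.getDefaultType()).apply {
            load(null, null)
            cas.forEachIndexed { i, c -> setCertificateEntry("ca-$i", c) }
        }
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(store) // a null key store selects the JVM default trust anchors
    return tmf.trustManagers.filterIsInstance<X509TrustManager>().first()
}
```

A kubeconfig copied from another machine, whose `certificate-authority` path does not exist locally, resolves to `SYSTEM_DEFAULT` here instead of raising an I/O error.
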
Development

Successfully merging this pull request may close these issues.

[Gateway] V0.0.16 can't connect with Openshift Oauth

2 participants