
Fall back to identity AuditTokenRequest API when appscode.com is unreachable #69

Merged
tamalsaha merged 13 commits into master from feat-natscredentialrequest-fallback on Jun 4, 2026

Conversation

@tamalsaha tamalsaha commented Jun 4, 2026


Summary

  • NatsClient.connect now tries the public appscode.com/api/v1/register endpoint first via identitylib.NewDefaultClient().GetAuditTokenForCluster(...).
  • If that call fails with a network-level error (DNS, connection refused, timeout, network unreachable), it falls back to the in-cluster identity.k8s.appscode.com/v1alpha1/AuditTokenRequest extended API hosted by ui-server.
  • Auth and HTTP 4xx/5xx responses from appscode.com still propagate as before — the fallback only triggers when the host is unreachable.
  • Bumps kmodules.xyz/resource-metadata to the merged master commit (ba20b6454).

Why

The audit lib is vendored into many AppsCode controllers, each of which currently needs direct egress to appscode.com to register and obtain NATS credentials. Disconnected/air-gapped clusters can't reach that endpoint, but they can reach their own API server, which now proxies the same call via the new extended API.

Depends on

Test plan

  • go build ./...
  • go vet ./...
  • manual: simulate egress block to *.appscode.com and verify the in-cluster fallback succeeds
  • manual: confirm a 401/403 from appscode.com still surfaces the original error (no silent fallback)
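The fallback rule described in the summary, written out as an added example that is not the audit lib's, identitylib's or ui-server's code: a failure counts as "host unreachable" only for DNS failure, connection refused, timeout and network/host unreachable, while any HTTP status the host returned (401/403 or a 5xx) propagates unchanged and never triggers the in-cluster path. StatusError, registerFn, fixed and sampleErrors are names invented here, and the sample errors are constructed to mimic net/http dial failures rather than captured from a live cluster.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"os"
	"syscall"
)

// StatusError stands in for an HTTP-level failure (401/403/4xx/5xx) returned by a
// host that actually answered. Hypothetical type for this example only.
type StatusError struct{ Code int }

func (e *StatusError) Error() string { return fmt.Sprintf("HTTP %d from appscode.com", e.Code) }

// isNoConnectivityError reports whether err means the remote host could not be
// reached at all: DNS failure, connection refused, timeout, network or host
// unreachable. An HTTP response of any status is never a connectivity failure,
// so auth and server errors keep propagating to the caller.
func isNoConnectivityError(err error) bool {
	if err == nil {
		return false
	}
	var se *StatusError
	if errors.As(err, &se) {
		return false // the host answered; never fall back on an HTTP status
	}
	var dnsErr *net.DNSError
	if errors.As(err, &dnsErr) {
		return true
	}
	for _, errno := range []syscall.Errno{syscall.ECONNREFUSED, syscall.ENETUNREACH, syscall.EHOSTUNREACH} {
		if errors.Is(err, errno) {
			return true
		}
	}
	if errors.Is(err, context.DeadlineExceeded) || errors.Is(err, os.ErrDeadlineExceeded) {
		return true
	}
	var nerr net.Error
	return errors.As(err, &nerr) && nerr.Timeout()
}

// registerFn is the common shape of the public and in-cluster registration paths;
// both return the credential (a token here) or an error.
type registerFn func(ctx context.Context) (string, error)

// registerWithFallback tries the public endpoint first and uses the in-cluster
// path only when the public call failed for lack of connectivity. The original
// public-endpoint error is kept in the fallback error's message so a blocked
// egress path stays visible in logs.
func registerWithFallback(ctx context.Context, public, inCluster registerFn) (string, error) {
	token, err := public(ctx)
	if err == nil {
		return token, nil
	}
	if !isNoConnectivityError(err) {
		return "", fmt.Errorf("register via public endpoint: %w", err)
	}
	token, ferr := inCluster(ctx)
	if ferr != nil {
		return "", fmt.Errorf("in-cluster fallback failed after public endpoint was unreachable (%v): %w", err, ferr)
	}
	return token, nil
}

// fixed returns a registerFn that always yields the given result and counts its
// calls, standing in for real network calls so the example runs offline.
func fixed(token string, err error, calls *int) registerFn {
	return func(context.Context) (string, error) {
		*calls++
		return token, err
	}
}

// sampleErrors are constructed failures shaped like what net/http dial and DNS
// paths produce; they are not captured from a live system.
func sampleErrors() map[string]error {
	return map[string]error{
		"dns":          &net.DNSError{Err: "no such host", Name: "appscode.com", IsNotFound: true},
		"refused":      &net.OpError{Op: "dial", Net: "tcp", Err: &os.SyscallError{Syscall: "connect", Err: syscall.ECONNREFUSED}},
		"unreachable":  &net.OpError{Op: "dial", Net: "tcp", Err: &os.SyscallError{Syscall: "connect", Err: syscall.ENETUNREACH}},
		"timeout":      fmt.Errorf("Post \"https://appscode.com/api/v1/register\": %w", context.DeadlineExceeded),
		"unauthorized": &StatusError{Code: 401},
		"server":       &StatusError{Code: 503},
	}
}

func main() {
	for name, err := range sampleErrors() {
		fmt.Printf("%-12s fallback=%v\n", name, isNoConnectivityError(err))
	}
	var pub, inc int
	tok, err := registerWithFallback(context.Background(),
		fixed("", sampleErrors()["refused"], &pub),
		fixed("nats-creds-from-ui-server", nil, &inc))
	fmt.Println(tok, err, pub, inc)
}
```

The StatusError check runs before every connectivity check on purpose: a 503 wrapped together with a dial-level cause must still be treated as "the host answered", otherwise a degraded appscode.com would silently route every controller through the in-cluster path, which is exactly the silent fallback the test plan rules out.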

kodiak-appscode[bot]
kodiak-appscode Bot previously approved these changes Jun 4, 2026
@tamalsaha tamalsaha changed the title Fall back to identity extended API when appscode.com is unreachable Fall back to identity AuditTokenRequest API when appscode.com is unreachable Jun 4, 2026
tamalsaha added 8 commits June 4, 2026 11:52
Splits the registration call out of NatsClient.connect so the lib can try the
public appscode.com Register endpoint first and, if that fails with a
no-connectivity error (DNS failure, connection refused, timeout, network
unreachable), retry the same registration via the in-cluster
identity.k8s.appscode.com NatsCredentialRequest extended API. Auth/4xx/5xx
responses from appscode.com still propagate unchanged. Vendor bump is
hand-applied and will be replaced by a normal go mod vendor once the
resource-metadata change lands.

Signed-off-by: Tamal Saha <tamal@appscode.com>
Replaces the hand-rolled http.Post with identitylib.Client.GetNatsCredentialForCluster
so the wire format and TLS handling live in one place. Drops the now-unused
verifier.Options / json / bytes / io / http imports.

Signed-off-by: Tamal Saha <tamal@appscode.com>
Signed-off-by: Tamal Saha <tamal@appscode.com>
Drops the throwaway Client construction; the function now takes the http
client / baseURL / token explicitly, so audit can pass the defaults inline.

Signed-off-by: Tamal Saha <tamal@appscode.com>
This reverts commit f879232.

Signed-off-by: Tamal Saha <tamal@appscode.com>
Drops the four nil/empty arguments at the call site.

Signed-off-by: Tamal Saha <tamal@appscode.com>
Signed-off-by: Tamal Saha <tamal@appscode.com>
Signed-off-by: Tamal Saha <tamal@appscode.com>
@tamalsaha tamalsaha force-pushed the feat-natscredentialrequest-fallback branch from 8dbba01 to c241c8b June 4, 2026 05:52
Signed-off-by: Tamal Saha <tamal@appscode.com>
Signed-off-by: Tamal Saha <tamal@appscode.com>
Signed-off-by: Tamal Saha <tamal@appscode.com>
Signed-off-by: Tamal Saha <tamal@appscode.com>
registerViaExtendedAPI now calls
identityclient.NewForConfig(cfg).AuditTokenRequests().Create instead of
hand-rolling a rest.RESTClient and serializer. Drops the local
identityScheme/serializer wiring; brings in the typed clientset, the
multi-group scheme and x-helm.dev/apimachinery via go mod vendor.

Signed-off-by: Tamal Saha <tamal@appscode.com>
@tamalsaha tamalsaha merged commit 9617ad0 into master Jun 4, 2026
4 checks passed
@tamalsaha tamalsaha deleted the feat-natscredentialrequest-fallback branch June 4, 2026 06:17