Skip to content

Fix dev proxy auth header forwarding in federated modules #7065

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
openshift-merge-bot merged 2 commits into from
Apr 27, 2026
Merged

Fix dev proxy auth header forwarding in federated modules #7065

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
02925a4
fix: forward incoming auth headers in all federated module dev proxies
mturley Apr 3, 2026
2312cc3
revert: remove notebooks upstream change (should be fixed upstream fi…
mturley Apr 3, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
62 changes: 42 additions & 20 deletions packages/automl/frontend/config/webpack.dev.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,35 +28,56 @@ const DEPLOYMENT_MODE = process.env._DEPLOYMENT_MODE;
const AUTH_METHOD = process.env._AUTH_METHOD;
const BASE_PATH = DEPLOYMENT_MODE === 'kubeflow' ? '/automl/' : PUBLIC_PATH;

// Get the kubeconfig token at startup as a fallback for standalone dev mode.
const getKubeconfigToken = () => {
try {
const token = execSync(
"kubectl config view --raw --minify --flatten -o jsonpath='{.users[].user.token}'",
)
.toString()
.trim();
const username = execSync("kubectl auth whoami -o jsonpath='{.status.userInfo.username}'")
.toString()
.trim();
console.info('Logged in as user:', username);
return token;
} catch (error) {
console.error('Failed to get Kubernetes token:', error.message);
return '';
}
};

const fallbackToken = AUTH_METHOD === 'user_token' ? getKubeconfigToken() : '';

// Build static proxy headers for auth methods that don't need dynamic forwarding.
const getProxyHeaders = () => {
if (AUTH_METHOD === 'internal') {
return {
'kubeflow-userid': 'user@example.com',
};
}
if (AUTH_METHOD === 'user_token') {
try {
const token = execSync(
"kubectl config view --raw --minify --flatten -o jsonpath='{.users[].user.token}'",
)
.toString()
.trim();
const username = execSync("kubectl auth whoami -o jsonpath='{.status.userInfo.username}'")
.toString()
.trim();
console.info('Logged in as user:', username);
return {
Authorization: `Bearer ${token}`,
'x-forwarded-access-token': token,
};
} catch (error) {
console.error('Failed to get Kubernetes token:', error.message);
return {};
}
}
// For user_token, auth headers are set dynamically in onProxyReq below.
return {};
};

// When using user_token auth, dynamically forward the authorization header from the
// incoming request if present (e.g. from a host backend proxy with dev impersonation).
// Fall back to the kubeconfig token captured at startup for standalone dev mode.
const onProxyReq = (proxyReq, req) => {
if (AUTH_METHOD !== 'user_token') {
return;
}
const incomingAuth = req.headers.authorization;
if (incomingAuth) {
proxyReq.setHeader('Authorization', incomingAuth);
const token = incomingAuth.replace(/^Bearer\s+/i, '');
proxyReq.setHeader('x-forwarded-access-token', token);
Comment thread
lucferbux marked this conversation as resolved.
} else if (fallbackToken) {
proxyReq.setHeader('Authorization', `Bearer ${fallbackToken}`);
proxyReq.setHeader('x-forwarded-access-token', fallbackToken);
}
};

module.exports = smp.wrap(
merge(
{
Expand Down Expand Up @@ -89,6 +110,7 @@ module.exports = smp.wrap(
target: `${PROXY_PROTOCOL}://${PROXY_HOST}:${PROXY_PORT}`,
changeOrigin: true,
headers: getProxyHeaders(),
onProxyReq,
},
],
devMiddleware: {
Expand Down
62 changes: 42 additions & 20 deletions packages/autorag/frontend/config/webpack.dev.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,35 +28,56 @@ const DEPLOYMENT_MODE = process.env._DEPLOYMENT_MODE;
const AUTH_METHOD = process.env._AUTH_METHOD;
const BASE_PATH = DEPLOYMENT_MODE === 'kubeflow' ? '/autorag/' : PUBLIC_PATH;

// Get the kubeconfig token at startup as a fallback for standalone dev mode.
const getKubeconfigToken = () => {
try {
const token = execSync(
"kubectl config view --raw --minify --flatten -o jsonpath='{.users[].user.token}'",
)
.toString()
.trim();
const username = execSync("kubectl auth whoami -o jsonpath='{.status.userInfo.username}'")
.toString()
.trim();
console.info('Logged in as user:', username);
return token;
} catch (error) {
console.error('Failed to get Kubernetes token:', error.message);
return '';
}
};

const fallbackToken = AUTH_METHOD === 'user_token' ? getKubeconfigToken() : '';

// Build static proxy headers for auth methods that don't need dynamic forwarding.
const getProxyHeaders = () => {
if (AUTH_METHOD === 'internal') {
return {
'kubeflow-userid': 'user@example.com',
};
}
if (AUTH_METHOD === 'user_token') {
try {
const token = execSync(
"kubectl config view --raw --minify --flatten -o jsonpath='{.users[].user.token}'",
)
.toString()
.trim();
const username = execSync("kubectl auth whoami -o jsonpath='{.status.userInfo.username}'")
.toString()
.trim();
console.info('Logged in as user:', username);
return {
Authorization: `Bearer ${token}`,
'x-forwarded-access-token': token,
};
} catch (error) {
console.error('Failed to get Kubernetes token:', error.message);
return {};
}
}
// For user_token, auth headers are set dynamically in onProxyReq below.
return {};
};

// When using user_token auth, dynamically forward the authorization header from the
// incoming request if present (e.g. from a host backend proxy with dev impersonation).
// Fall back to the kubeconfig token captured at startup for standalone dev mode.
const onProxyReq = (proxyReq, req) => {
if (AUTH_METHOD !== 'user_token') {
return;
}
const incomingAuth = req.headers.authorization;
if (incomingAuth) {
proxyReq.setHeader('Authorization', incomingAuth);
const token = incomingAuth.replace(/^Bearer\s+/i, '');
proxyReq.setHeader('x-forwarded-access-token', token);
Comment thread
lucferbux marked this conversation as resolved.
} else if (fallbackToken) {
proxyReq.setHeader('Authorization', `Bearer ${fallbackToken}`);
proxyReq.setHeader('x-forwarded-access-token', fallbackToken);
}
};

module.exports = smp.wrap(
merge(
{
Expand Down Expand Up @@ -93,6 +114,7 @@ module.exports = smp.wrap(
},
changeOrigin: true,
headers: getProxyHeaders(),
onProxyReq,
},
],
devMiddleware: {
Expand Down
63 changes: 43 additions & 20 deletions packages/eval-hub/frontend/config/webpack.dev.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,35 +29,56 @@ const DEPLOYMENT_MODE = process.env._DEPLOYMENT_MODE;
const AUTH_METHOD = process.env._AUTH_METHOD;
const BASE_PATH = DEPLOYMENT_MODE === 'kubeflow' ? '/eval-hub/' : PUBLIC_PATH;

// Get the kubeconfig token at startup as a fallback for standalone dev mode.
const getKubeconfigToken = () => {
try {
const token = execSync(
"kubectl config view --raw --minify --flatten -o jsonpath='{.users[].user.token}'",
)
.toString()
.trim();
const username = execSync("kubectl auth whoami -o jsonpath='{.status.userInfo.username}'")
.toString()
.trim();
console.info('Logged in as user:', username);
return token;
} catch (error) {
console.error('Failed to get Kubernetes token:', error.message);
return '';
}
};

const fallbackToken = AUTH_METHOD === 'user_token' ? getKubeconfigToken() : '';

// Build static proxy headers for auth methods that don't need dynamic forwarding.
const getProxyHeaders = () => {
if (AUTH_METHOD === 'internal') {
return {
'kubeflow-userid': 'user@example.com',
};
}
if (AUTH_METHOD === 'user_token') {
try {
const token = execSync(
"kubectl config view --raw --minify --flatten -o jsonpath='{.users[].user.token}'",
)
.toString()
.trim();
const username = execSync("kubectl auth whoami -o jsonpath='{.status.userInfo.username}'")
.toString()
.trim();
console.info('Logged in as user:', username);
return {
Authorization: `Bearer ${token}`,
'x-forwarded-access-token': token,
};
} catch (error) {
console.error('Failed to get Kubernetes token:', error.message);
return {};
}
}
// For user_token, auth headers are set dynamically in onProxyReq below.
return {};
};

// When using user_token auth, dynamically forward the authorization header from the
// incoming request if present (e.g. from a host backend proxy with dev impersonation).
// Fall back to the kubeconfig token captured at startup for standalone dev mode.
const onProxyReq = (proxyReq, req) => {
if (AUTH_METHOD !== 'user_token') {
return;
}
const incomingAuth = req.headers.authorization;
if (incomingAuth) {
proxyReq.setHeader('Authorization', incomingAuth);
const token = incomingAuth.replace(/^Bearer\s+/i, '');
proxyReq.setHeader('x-forwarded-access-token', token);
Comment thread
lucferbux marked this conversation as resolved.
} else if (fallbackToken) {
proxyReq.setHeader('Authorization', `Bearer ${fallbackToken}`);
proxyReq.setHeader('x-forwarded-access-token', fallbackToken);
}
};

module.exports = smp.wrap(
merge(
{
Expand Down Expand Up @@ -94,6 +115,7 @@ module.exports = smp.wrap(
},
changeOrigin: true,
headers: getProxyHeaders(),
onProxyReq,
},
{
context: ['/mlflow'],
Expand All @@ -104,6 +126,7 @@ module.exports = smp.wrap(
},
changeOrigin: true,
headers: getProxyHeaders(),
onProxyReq,
},
],
devMiddleware: {
Expand Down
51 changes: 33 additions & 18 deletions packages/gen-ai/frontend/config/webpack.dev.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,24 +18,39 @@ const DIST_DIR = process.env._DIST_DIR;
const PUBLIC_PATH = process.env._PUBLIC_PATH;
const AUTH_METHOD = process.env._AUTH_METHOD;

const getProxyHeaders = () => {
if (AUTH_METHOD === 'user_token') {
try {
const token = execSync('oc whoami --show-token').toString().trim();
const username = execSync('oc whoami').toString().trim();
// eslint-disable-next-line no-console
console.info('Logged in as user:', username);
return {
Authorization: `Bearer ${token}`,
'x-forwarded-access-token': token,
};
} catch (error) {
// eslint-disable-next-line no-console
console.error('Failed to get Kubernetes token:', error.message);
return {};
}
// Get the oc token at startup as a fallback for standalone dev mode.
const getOcToken = () => {
try {
const token = execSync('oc whoami --show-token').toString().trim();
const username = execSync('oc whoami').toString().trim();
// eslint-disable-next-line no-console
console.info('Logged in as user:', username);
return token;
} catch (error) {
// eslint-disable-next-line no-console
console.error('Failed to get Kubernetes token:', error.message);
return '';
}
};

const fallbackToken = AUTH_METHOD === 'user_token' ? getOcToken() : '';

// When using user_token auth, dynamically forward the authorization header from the
// incoming request if present (e.g. from a host backend proxy with dev impersonation).
// Fall back to the oc token captured at startup for standalone dev mode.
const onProxyReq = (proxyReq, req) => {
if (AUTH_METHOD !== 'user_token') {
return;
}
const incomingAuth = req.headers.authorization;
if (incomingAuth) {
proxyReq.setHeader('Authorization', incomingAuth);
const token = incomingAuth.replace(/^Bearer\s+/i, '');
proxyReq.setHeader('x-forwarded-access-token', token);
Comment thread
lucferbux marked this conversation as resolved.
} else if (fallbackToken) {
proxyReq.setHeader('Authorization', `Bearer ${fallbackToken}`);
proxyReq.setHeader('x-forwarded-access-token', fallbackToken);
}
return {};
};

module.exports = merge(
Expand Down Expand Up @@ -82,7 +97,7 @@ module.exports = merge(
protocol: PROXY_PROTOCOL,
},
changeOrigin: true,
headers: getProxyHeaders(),
onProxyReq,
},
],
},
Expand Down
Loading
Loading