privilegedescalation/headlamp-sealed-secrets-plugin
12
0
Fork 0
Code Issues 2 Pull Requests 2 Actions Packages Projects Releases 27 Wiki Activity
Files
239149adebf78b8d1e2d91ae5e6af907c0b27381
headlamp-sealed-secrets-plugin/src/lib/controller.ts
T
DevContainer User 9d9bc5f22f fix: remove any types, dead code, unused exports; add comprehensive tests 
- Fix handleRotate bug ignoring Result from rotateSealedSecret()
- Fix dead code branch in useControllerHealth
- Replace all `any` types with `unknown` + type guards
- Delete unused functions/exports (452 lines removed)
- Add 18 new test files covering all hooks, libs, and components
- 233 tests passing, zero tsc errors, zero lint issues

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 17:13:00 +00:00

208 lines
5.6 KiB
TypeScript
Raw Blame History

/**
* Sealed Secrets Controller API helpers
*
* Utilities for interacting with the sealed-secrets-controller HTTP API
* via the Kubernetes API proxy.
*/
import { AsyncResult, Err, Ok, PEMCertificate, PluginConfig, tryCatchAsync } from '../types';
import { retryWithBackoff } from './retry';
/**
* Controller health status information
*/
export interface ControllerHealthStatus {
/** Whether the controller is healthy and responding */
healthy: boolean;
/** Whether the controller is reachable */
reachable: boolean;
/** Controller version if available */
version?: string;
/** Response latency in milliseconds */
latencyMs?: number;
/** Error message if not healthy */
error?: string;
}
/**
* Build the controller proxy URL
*/
function getControllerProxyURL(config: PluginConfig, path: string): string {
const { controllerNamespace, controllerName, controllerPort } = config;
return `/api/v1/namespaces/${controllerNamespace}/services/http:${controllerName}:${controllerPort}/proxy${path}`;
}
/**
* Fetch the controller's public certificate (internal, no retry)
*/
async function fetchPublicCertificateOnce(
config: PluginConfig
): AsyncResult<PEMCertificate, string> {
const url = getControllerProxyURL(config, '/v1/cert.pem');
const result = await tryCatchAsync(async () => {
const response = await fetch(url);
if (!response.ok) {
throw new Error(`Failed to fetch certificate: ${response.status} ${response.statusText}`);
}
return PEMCertificate(await response.text());
});
if (result.ok === false) {
return Err(`Unable to fetch controller certificate: ${result.error.message}`);
}
return result;
}
/**
* Fetch the controller's public certificate with retry logic
*
* Automatically retries on network errors with exponential backoff:
* - Max 3 attempts
* - Initial delay: 1s
* - Max delay: 10s
* - Exponential backoff with jitter
*
* @param config Plugin configuration
* @returns Result containing PEM-encoded certificate (branded type) or error message
*/
export async function fetchPublicCertificate(
config: PluginConfig
): AsyncResult<PEMCertificate, string> {
return retryWithBackoff(() => fetchPublicCertificateOnce(config), {
maxAttempts: 3,
initialDelayMs: 1000,
maxDelayMs: 10000,
});
}
/**
* Rotate (re-encrypt) a SealedSecret with the current active key
*
* @param config Plugin configuration
* @param sealedSecretYaml YAML or JSON of the SealedSecret
* @returns Result containing the re-encrypted SealedSecret or error message
*/
export async function rotateSealedSecret(
config: PluginConfig,
sealedSecretYaml: string
): AsyncResult<string, string> {
const url = getControllerProxyURL(config, '/v1/rotate');
const result = await tryCatchAsync(async () => {
const response = await fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: sealedSecretYaml,
});
if (!response.ok) {
throw new Error(`Rotation failed: ${response.status} ${response.statusText}`);
}
return await response.text();
});
if (result.ok === false) {
return Err(`Unable to rotate SealedSecret: ${result.error.message}`);
}
return result;
}
/**
* Get plugin configuration from localStorage
*/
export function getPluginConfig(): PluginConfig {
const stored = localStorage.getItem('sealed-secrets-plugin-config');
if (stored) {
try {
return JSON.parse(stored);
} catch {
// Fall through to default
}
}
// Return default config
return {
controllerName: 'sealed-secrets-controller',
controllerNamespace: 'kube-system',
controllerPort: 8080,
};
}
/**
* Save plugin configuration to localStorage
*/
export function savePluginConfig(config: PluginConfig): void {
localStorage.setItem('sealed-secrets-plugin-config', JSON.stringify(config));
}
/**
* Check controller health and reachability
*
* Attempts to reach the controller's health endpoint (/healthz) with a 5-second timeout.
* Returns health status including latency and version information if available.
*
* @param config Plugin configuration
* @returns Result containing health status (never fails - returns status even if unreachable)
*/
export async function checkControllerHealth(
config: PluginConfig
): AsyncResult<ControllerHealthStatus, string> {
const startTime = Date.now();
try {
const url = getControllerProxyURL(config, '/healthz');
const controller = new AbortController();
const timeoutId = setTimeout(() => controller.abort(), 5000); // 5s timeout
const response = await fetch(url, {
method: 'GET',
signal: controller.signal,
});
clearTimeout(timeoutId);
const latencyMs = Date.now() - startTime;
if (!response.ok) {
return Ok({
healthy: false,
reachable: true,
latencyMs,
error: `HTTP ${response.status}: ${response.statusText}`,
});
}
// Try to get version from headers
const version = response.headers.get('X-Controller-Version') || undefined;
return Ok({
healthy: true,
reachable: true,
version,
latencyMs,
});
} catch (error: unknown) {
const latencyMs = Date.now() - startTime;
// Determine error type
let errorMessage = 'Controller unreachable';
if (error instanceof Error && error.name === 'AbortError') {
errorMessage = 'Request timed out after 5 seconds';
} else if (error instanceof Error) {
errorMessage = error.message;
}
return Ok({
healthy: false,
reachable: false,
latencyMs,
error: errorMessage,
});
}
}
Reference in New Issue View Git Blame Copy Permalink