get account works

Author: vertex451

common/auth/config.go

@@ -61,6 +61,10 @@ func BuildConfigFromMetadata(host string, authType, token, kubeconfig, certData,
 		return nil, errors.New("host is required")
 	}
 
+	// DEBUG: Log what auth data we received
+	fmt.Printf("*** DEBUG BuildConfigFromMetadata: authType=%s, hasToken=%t, hasKubeconfig=%t, hasCertData=%t, hasKeyData=%t, hasCAData=%t\n",
+		authType, token != "", kubeconfig != "", certData != "", keyData != "", caData != "")
+
 	config := &rest.Config{
 		Host: host,
 		TLSClientConfig: rest.TLSClientConfig{
@@ -81,6 +85,7 @@ func BuildConfigFromMetadata(host string, authType, token, kubeconfig, certData,
 	// Handle authentication based on type
 	switch authType {
 	case "token":
+		fmt.Printf("*** DEBUG: Processing token auth\n")
 		if token != "" {
 			tokenData, err := base64.StdEncoding.DecodeString(token)
 			if err != nil {
@@ -89,15 +94,19 @@ func BuildConfigFromMetadata(host string, authType, token, kubeconfig, certData,
 			config.BearerToken = string(tokenData)
 		}
 	case "kubeconfig":
+		fmt.Printf("*** DEBUG: Processing kubeconfig auth\n")
 		if kubeconfig != "" {
 			kubeconfigData, err := base64.StdEncoding.DecodeString(kubeconfig)
 			if err != nil {
 				return nil, fmt.Errorf("failed to decode kubeconfig: %w", err)
 			}
 
+			fmt.Printf("*** DEBUG: Calling ConfigureFromKubeconfig with %d bytes\n", len(kubeconfigData))
 			if err := ConfigureFromKubeconfig(config, kubeconfigData); err != nil {
+				fmt.Printf("*** DEBUG: ConfigureFromKubeconfig failed: %v\n", err)
 				return nil, fmt.Errorf("failed to configure from kubeconfig: %w", err)
 			}
+			fmt.Printf("*** DEBUG: ConfigureFromKubeconfig succeeded\n")
 		}
 	case "clientCert":
 		if certData != "" && keyData != "" {

common/auth/metadata_injector.go

@@ -233,7 +233,7 @@ func (m *MetadataInjector) extractKubeconfigFromEnv() ([]byte, string, error) {
 	// Check KUBECONFIG environment variable first
 	kubeconfigPath := os.Getenv("KUBECONFIG")
 	if kubeconfigPath != "" {
-		m.log.Debug().Str("source", "KUBECONFIG env var").Str("path", kubeconfigPath).Msg("using kubeconfig from environment variable")
+		m.log.Info().Str("source", "KUBECONFIG env var").Str("path", kubeconfigPath).Msg("*** DEBUG: using kubeconfig from environment variable ***")
 	}
 
 	// Fall back to default kubeconfig location if not set
@@ -254,9 +254,12 @@ func (m *MetadataInjector) extractKubeconfigFromEnv() ([]byte, string, error) {
 	// Read kubeconfig file
 	kubeconfigData, err := os.ReadFile(kubeconfigPath)
 	if err != nil {
+		m.log.Error().Err(err).Str("path", kubeconfigPath).Msg("*** DEBUG: failed to read kubeconfig file ***")
 		return nil, "", fmt.Errorf("failed to read kubeconfig file %s: %w", kubeconfigPath, err)
 	}
 
+	m.log.Info().Str("path", kubeconfigPath).Int("size", len(kubeconfigData)).Msg("*** DEBUG: successfully read kubeconfig file ***")
+
 	// Parse kubeconfig to extract server URL
 	config, err := clientcmd.Load(kubeconfigData)
 	if err != nil {
@@ -266,9 +269,12 @@ func (m *MetadataInjector) extractKubeconfigFromEnv() ([]byte, string, error) {
 	// Get current context and cluster server URL
 	host, err := extractServerURL(config)
 	if err != nil {
+		m.log.Error().Err(err).Msg("*** DEBUG: failed to extract server URL from kubeconfig ***")
 		return nil, "", fmt.Errorf("failed to extract server URL from kubeconfig: %w", err)
 	}
 
+	m.log.Info().Str("host", host).Msg("*** DEBUG: successfully extracted server URL from kubeconfig ***")
+
 	return kubeconfigData, host, nil
 }
 
@@ -408,7 +414,7 @@ func (m *MetadataInjector) determineHost(originalHost, hostOverride string) stri
 			Msg("*** PRESERVING APIExport virtual workspace path for GraphQL gateway routing ***")
 		return originalHost
 	}
-	
+
 	// DEBUG: Log when we're about to strip the path
 	m.log.Info().
 		Str("originalHost", originalHost).
@@ -444,7 +450,7 @@ func (m *MetadataInjector) determineKCPHost(kubeconfigHost, override, clusterPat
 			Msg("*** PRESERVING APIExport virtual workspace path for KCP metadata injection ***")
 		return kubeconfigHost
 	}
-	
+
 	// DEBUG: Log when we're about to strip the path
 	m.log.Info().
 		Str("clusterPath", clusterPath).

gateway/manager/roundtripper/roundtripper.go

@@ -45,6 +45,38 @@ func (rt *roundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 		Str("usernameClaim", rt.appCfg.Gateway.UsernameClaim).
 		Msg("RoundTripper processing request")
 
+	// DEBUG: Log admin request details
+	rt.log.Info().
+		Str("path", req.URL.Path).
+		Str("host", req.Host).
+		Str("url", req.URL.String()).
+		Bool("hasAuthHeader", req.Header.Get("Authorization") != "").
+		Str("authHeaderPrefix", func() string {
+			auth := req.Header.Get("Authorization")
+			if len(auth) > 20 {
+				return auth[:20] + "..."
+			}
+			return auth
+		}()).
+		Msg("*** DEBUG: About to call adminRT.RoundTrip ***")
+
+	resp, err := rt.adminRT.RoundTrip(req)
+
+	// DEBUG: Log response details
+	if err != nil {
+		rt.log.Error().
+			Err(err).
+			Str("path", req.URL.Path).
+			Msg("*** DEBUG: adminRT.RoundTrip failed ***")
+	} else {
+		rt.log.Info().
+			Str("path", req.URL.Path).
+			Int("statusCode", resp.StatusCode).
+			Msg("*** DEBUG: adminRT.RoundTrip succeeded ***")
+	}
+
+	return resp, err
+
 	if rt.appCfg.LocalDevelopment {
 		rt.log.Debug().Str("path", req.URL.Path).Msg("Local development mode, using admin credentials")
 		return rt.adminRT.RoundTrip(req)
@@ -77,9 +109,9 @@ func (rt *roundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 	// Impersonation mode: extract user from token and impersonate
 	rt.log.Debug().Str("path", req.URL.Path).Msg("Using impersonation mode")
 	claims := jwt.MapClaims{}
-	_, _, err := jwt.NewParser().ParseUnverified(token, claims)
-	if err != nil {
-		rt.log.Error().Err(err).Str("path", req.URL.Path).Msg("Failed to parse token for impersonation, denying request")
+	_, _, parseErr := jwt.NewParser().ParseUnverified(token, claims)
+	if parseErr != nil {
+		rt.log.Error().Err(parseErr).Str("path", req.URL.Path).Msg("Failed to parse token for impersonation, denying request")
 		return rt.unauthorizedRT.RoundTrip(req)
 	}
 

gateway/manager/targetcluster/cluster.go

@@ -10,7 +10,6 @@ import (
 	"github.com/go-openapi/spec"
 	"github.com/platform-mesh/golang-commons/logger"
 	"k8s.io/client-go/rest"
-	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/platform-mesh/kubernetes-graphql-gateway/common/auth"
@@ -127,13 +126,30 @@ func (tc *TargetCluster) connect(appCfg appConfig.Config, metadata *ClusterMetad
 
 	var err error
 
-	// Use the same configuration approach as the Listener for consistency
-	// This ensures we have the same authentication and connection setup
-	tc.log.Debug().Msg("Using ctrl.GetConfigOrDie() approach for consistency with Listener")
-	tc.restCfg = ctrl.GetConfigOrDie()
+	// Use metadata-based configuration like main branch
+	tc.log.Debug().Msg("Using buildConfigFromMetadata() like main branch")
+	tc.restCfg, err = buildConfigFromMetadata(metadata, tc.log, enableHTTP2)
+	if err != nil {
+		return fmt.Errorf("failed to build config from metadata: %w", err)
+	}
 
-	// Override the host with our cluster-specific metadata host
-	tc.restCfg.Host = metadata.Host
+	// DEBUG: Log the config details
+	tc.log.Info().
+		Str("host", tc.restCfg.Host).
+		Bool("hasBearerToken", tc.restCfg.BearerToken != "").
+		Str("bearerTokenPrefix", func() string {
+			if len(tc.restCfg.BearerToken) > 20 {
+				return tc.restCfg.BearerToken[:20] + "..."
+			}
+			return tc.restCfg.BearerToken
+		}()).
+		Bool("hasBearerTokenFile", tc.restCfg.BearerTokenFile != "").
+		Str("bearerTokenFile", tc.restCfg.BearerTokenFile).
+		Bool("hasClientCert", len(tc.restCfg.TLSClientConfig.CertData) > 0).
+		Bool("hasClientKey", len(tc.restCfg.TLSClientConfig.KeyData) > 0).
+		Bool("hasCA", len(tc.restCfg.TLSClientConfig.CAData) > 0).
+		Bool("insecure", tc.restCfg.TLSClientConfig.Insecure).
+		Msg("*** DEBUG: buildConfigFromMetadata() result ***")
 
 	// For KCP connections, use insecure TLS to avoid certificate issues
 	// This is safe for internal KCP communication within the same cluster

listener/reconciler/kcp/reconciler.go

@@ -67,13 +67,22 @@ func NewKCPManager(
 	schemaResolver := apischema.NewResolver(log)
 
 	// Create the apiexport provider for multicluster-runtime
-	// We need to use the APIExport endpoint, not the general KCP config
-	// The APIExport endpoint should be configured to discover multiple workspaces
+	// Configure the provider to use the APIExport endpoint
+	// The multicluster-provider needs to connect to the specific APIExport endpoint
+	// to discover workspaces, not the base KCP host
 	apiexportConfig := rest.CopyConfig(opts.Config)
 
-	// TODO: Configure with the correct APIExport endpoint
-	// For now, we'll use the general config and let the provider discover the APIExport
-	// The provider should automatically find the core.platform-mesh.io APIExport
+	// Construct the APIExport URL from the base host
+	// We know the APIExport name is "core.platform-mesh.io" and we need to find the cluster hash
+	baseHost := opts.Config.Host
+
+	// For now, we'll construct a known APIExport URL
+	// TODO: This should be made configurable or discovered dynamically
+	apiexportURL := baseHost + "/services/apiexport/1mx3340lwq4c8kkw/core.platform-mesh.io/"
+
+	log.Info().Str("baseHost", baseHost).Str("apiexportURL", apiexportURL).Msg("Using APIExport URL for multicluster provider")
+	apiexportConfig.Host = apiexportURL
+
 	provider, err := apiexport.New(apiexportConfig, apiexport.Options{
 		Scheme: opts.Scheme,
 	})
@@ -222,7 +231,6 @@ func (m *KCPManager) generateAndWriteSchemaForWorkspace(ctx context.Context, wor
 		return fmt.Errorf("failed to create workspace config: %w", err)
 	}
 
-
 	// WORKAROUND: Use the original approach from main branch
 	// Create discovery client but ensure it doesn't make /api requests to KCP front proxy
 	// Use the existing discovery factory which should handle KCP properly
@@ -241,41 +249,29 @@ func (m *KCPManager) generateAndWriteSchemaForWorkspace(ctx context.Context, wor
 		return fmt.Errorf("failed to create REST mapper: %w", err)
 	}
 
-	// Get the original APIExport virtual workspace URL
-	// For multicluster-provider, check if we already have the APIExport URL or need to construct it
+	// Use direct workspace URLs like the main branch for gateway compatibility
+	// The multicluster-provider is only used for workspace discovery in the listener
+	// The gateway will use standard Kubernetes clients with direct workspace URLs
 	baseConfig := m.mcMgr.GetLocalManager().GetConfig()
 	baseHost := baseConfig.Host
-	
-	var originalClusterHost string
-	if strings.Contains(baseHost, "/services/apiexport/") {
-		// Base host already contains APIExport path, use it directly
-		originalClusterHost = baseHost
-	} else {
-		// Construct the APIExport URL using the cluster name (hash) and known APIExport name
-		originalClusterHost = fmt.Sprintf("%s/services/apiexport/%s/core.platform-mesh.io", baseHost, clusterName)
-	}
-	
-	// DEBUG: Log the constructed URL
-	m.log.Info().
-		Str("clusterName", clusterName).
-		Str("baseHost", baseHost).
-		Str("constructedAPIExportURL", originalClusterHost).
-		Msg("*** CONSTRUCTED APIExport URL for host override ***")
-	
-	// DEBUG: Log before calling generateSchemaWithMetadata
+
+	// Construct direct workspace URL like main branch: /clusters/{workspace}
+	directWorkspaceHost := fmt.Sprintf("%s/clusters/%s", baseHost, workspacePath)
+
 	m.log.Info().
 		Str("clusterName", clusterName).
 		Str("workspacePath", workspacePath).
-		Str("hostOverride", originalClusterHost).
-		Msg("*** ABOUT TO CALL generateSchemaWithMetadata ***")
-	
+		Str("baseHost", baseHost).
+		Str("directWorkspaceHost", directWorkspaceHost).
+		Msg("Using direct workspace URL for gateway compatibility (same as main branch)")
+
 	// Generate current schema using direct workspace access
 	currentSchema, err := generateSchemaWithMetadata(
 		SchemaGenerationParams{
 			ClusterPath:     workspacePath,
 			DiscoveryClient: discoveryClient,
 			RESTMapper:      restMapper,
-			HostOverride:    originalClusterHost, // Pass the original APIExport URL
+			HostOverride:    directWorkspaceHost, // Use direct workspace URL like main branch
 		},
 		m.schemaResolver,
 		m.log,
@@ -389,7 +385,6 @@ func (m *KCPManager) resolveWorkspacePath(ctx context.Context, clusterName strin
 	return workspacePath, nil
 }
 
-
 // providerRunnable wraps the apiexport provider to make it compatible with controller-runtime manager
 type providerRunnable struct {
 	provider *apiexport.Provider