kcp cluster is reached

Author: vertex451

cmd/gateway.go

@@ -34,7 +34,7 @@ var gatewayCmd = &cobra.Command{
 
 		ctrl.SetLogger(log.Logr())
 
-		gatewayInstance, err := manager.NewGateway(ctx, log, appCfg)
+		gatewayInstance, err := manager.NewGateway(ctx, log, appCfg, defaultCfg)
 		if err != nil {
 			log.Fatal().Err(err).Msg("Failed to create gateway")
 		}

common/auth/metadata_injector.go

@@ -401,13 +401,26 @@ func (m *MetadataInjector) determineHost(originalHost, hostOverride string) stri
 		return hostOverride
 	}
 
+	// Check if this is an APIExport virtual workspace that needs to preserve its path
+	if strings.Contains(originalHost, "/services/apiexport/") {
+		m.log.Info().
+			Str("originalHost", originalHost).
+			Msg("*** PRESERVING APIExport virtual workspace path for GraphQL gateway routing ***")
+		return originalHost
+	}
+	
+	// DEBUG: Log when we're about to strip the path
+	m.log.Info().
+		Str("originalHost", originalHost).
+		Msg("*** NOT an APIExport URL, will strip virtual workspace path ***")
+
 	// For normal workspaces, ensure we use a clean host by stripping any virtual workspace paths
 	cleanedHost := stripVirtualWorkspacePath(originalHost)
 	if cleanedHost != originalHost {
 		m.log.Info().
 			Str("originalHost", originalHost).
 			Str("cleanedHost", cleanedHost).
-			Msg("cleaned virtual workspace path from host for normal workspace")
+			Msg("cleaned virtual workspace path from kubeconfig host for normal workspace")
 	}
 	return cleanedHost
 }
@@ -423,6 +436,21 @@ func (m *MetadataInjector) determineKCPHost(kubeconfigHost, override, clusterPat
 		return override
 	}
 
+	// Check if this is an APIExport virtual workspace that needs to preserve its path
+	if strings.Contains(kubeconfigHost, "/services/apiexport/") {
+		m.log.Info().
+			Str("clusterPath", clusterPath).
+			Str("originalHost", kubeconfigHost).
+			Msg("*** PRESERVING APIExport virtual workspace path for KCP metadata injection ***")
+		return kubeconfigHost
+	}
+	
+	// DEBUG: Log when we're about to strip the path
+	m.log.Info().
+		Str("clusterPath", clusterPath).
+		Str("originalHost", kubeconfigHost).
+		Msg("*** NOT an APIExport URL, will strip virtual workspace path ***")
+
 	// For normal workspaces, ensure we use a clean KCP host by stripping any virtual workspace paths
 	host := stripVirtualWorkspacePath(kubeconfigHost)
 	if host != kubeconfigHost {

gateway/manager/manager.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 
 	"github.com/pkg/errors"
+	openmfpconfig "github.com/platform-mesh/golang-commons/config"
 	"github.com/platform-mesh/golang-commons/logger"
 	"k8s.io/client-go/rest"
 
@@ -23,13 +24,13 @@ type Service struct {
 }
 
 // NewGateway creates a new domain-driven Gateway instance
-func NewGateway(ctx context.Context, log *logger.Logger, appCfg appConfig.Config) (*Service, error) {
+func NewGateway(ctx context.Context, log *logger.Logger, appCfg appConfig.Config, defaultCfg *openmfpconfig.CommonServiceConfig) (*Service, error) {
 	// Create round tripper factory
 	roundTripperFactory := targetcluster.RoundTripperFactory(func(adminRT http.RoundTripper, tlsConfig rest.TLSClientConfig) http.RoundTripper {
 		return roundtripper.New(log, appCfg, adminRT, roundtripper.NewUnauthorizedRoundTripper())
 	})
 
-	clusterRegistry := targetcluster.NewClusterRegistry(log, appCfg, roundTripperFactory)
+	clusterRegistry := targetcluster.NewClusterRegistry(log, appCfg, roundTripperFactory, defaultCfg.EnableHTTP2)
 
 	schemaWatcher, err := watcher.NewFileWatcher(log, clusterRegistry)
 	if err != nil {

gateway/manager/targetcluster/cluster.go

@@ -10,6 +10,7 @@ import (
 	"github.com/go-openapi/spec"
 	"github.com/platform-mesh/golang-commons/logger"
 	"k8s.io/client-go/rest"
+	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/platform-mesh/kubernetes-graphql-gateway/common/auth"
@@ -64,6 +65,7 @@ func NewTargetCluster(
 	log *logger.Logger,
 	appCfg appConfig.Config,
 	roundTripperFactory func(http.RoundTripper, rest.TLSClientConfig) http.RoundTripper,
+	enableHTTP2 bool,
 ) (*TargetCluster, error) {
 	fileData, err := readSchemaFile(schemaFilePath)
 	if err != nil {
@@ -77,7 +79,7 @@ func NewTargetCluster(
 	}
 
 	// Connect to cluster - use metadata if available, otherwise fall back to standard config
-	if err := cluster.connect(appCfg, fileData.ClusterMetadata, roundTripperFactory); err != nil {
+	if err := cluster.connect(appCfg, fileData.ClusterMetadata, roundTripperFactory, enableHTTP2); err != nil {
 		return nil, fmt.Errorf("failed to connect to cluster: %w", err)
 	}
 
@@ -110,7 +112,7 @@ func (tc *TargetCluster) loadSchemaFromFile(schemaFilePath string) error {
 }
 
 // connect establishes connection to the target cluster
-func (tc *TargetCluster) connect(appCfg appConfig.Config, metadata *ClusterMetadata, roundTripperFactory func(http.RoundTripper, rest.TLSClientConfig) http.RoundTripper) error {
+func (tc *TargetCluster) connect(appCfg appConfig.Config, metadata *ClusterMetadata, roundTripperFactory func(http.RoundTripper, rest.TLSClientConfig) http.RoundTripper, enableHTTP2 bool) error {
 	// All clusters now use metadata from schema files to get kubeconfig
 	if metadata == nil {
 		return fmt.Errorf("cluster %s requires cluster metadata in schema file", tc.name)
@@ -120,14 +122,37 @@ func (tc *TargetCluster) connect(appCfg appConfig.Config, metadata *ClusterMetad
 		Str("cluster", tc.name).
 		Str("host", metadata.Host).
 		Bool("isVirtualWorkspace", strings.HasPrefix(tc.name, tc.appCfg.Url.VirtualWorkspacePrefix)).
+		Bool("enableHTTP2", enableHTTP2).
 		Msg("Using cluster metadata from schema file for connection")
 
 	var err error
-	tc.restCfg, err = buildConfigFromMetadata(metadata, tc.log)
-	if err != nil {
-		return fmt.Errorf("failed to build config from metadata: %w", err)
+
+	// Use the same configuration approach as the Listener for consistency
+	// This ensures we have the same authentication and connection setup
+	tc.log.Debug().Msg("Using ctrl.GetConfigOrDie() approach for consistency with Listener")
+	tc.restCfg = ctrl.GetConfigOrDie()
+
+	// Override the host with our cluster-specific metadata host
+	tc.restCfg.Host = metadata.Host
+
+	// For KCP connections, use insecure TLS to avoid certificate issues
+	// This is safe for internal KCP communication within the same cluster
+	tc.restCfg.TLSClientConfig.Insecure = true
+	tc.restCfg.TLSClientConfig.CAFile = ""
+	tc.restCfg.TLSClientConfig.CAData = nil
+
+	// Force HTTP/1.1 to avoid HTTP/2 stream errors with KCP
+	if !enableHTTP2 {
+		tc.restCfg.TLSClientConfig.NextProtos = []string{"http/1.1"}
+		tc.log.Debug().Msg("Disabled HTTP/2 for cluster connection")
 	}
 
+	tc.log.Debug().
+		Str("host", metadata.Host).
+		Bool("enableHTTP2", enableHTTP2).
+		Strs("nextProtos", tc.restCfg.TLSClientConfig.NextProtos).
+		Msg("Configured cluster connection using Listener approach")
+
 	if roundTripperFactory != nil {
 		tc.restCfg.Wrap(func(rt http.RoundTripper) http.RoundTripper {
 			return roundTripperFactory(rt, tc.restCfg.TLSClientConfig)
@@ -145,7 +170,7 @@ func (tc *TargetCluster) connect(appCfg appConfig.Config, metadata *ClusterMetad
 }
 
 // buildConfigFromMetadata creates rest.Config from cluster metadata
-func buildConfigFromMetadata(metadata *ClusterMetadata, log *logger.Logger) (*rest.Config, error) {
+func buildConfigFromMetadata(metadata *ClusterMetadata, log *logger.Logger, enableHTTP2 bool) (*rest.Config, error) {
 	var authType, token, kubeconfig, certData, keyData, caData string
 
 	if metadata.Auth != nil {
@@ -166,10 +191,17 @@ func buildConfigFromMetadata(metadata *ClusterMetadata, log *logger.Logger) (*re
 		return nil, err
 	}
 
+	// Apply HTTP/2 configuration to match Listener behavior
+	if !enableHTTP2 {
+		log.Debug().Msg("disabling HTTP/2 for cluster connection")
+		config.TLSClientConfig.NextProtos = []string{"http/1.1"}
+	}
+
 	log.Debug().
 		Str("host", metadata.Host).
 		Str("authType", authType).
 		Bool("hasCA", caData != "").
+		Bool("enableHTTP2", enableHTTP2).
 		Msg("configured cluster from metadata")
 
 	return config, nil

gateway/manager/targetcluster/export_test.go

@@ -9,7 +9,7 @@ import (
 
 // BuildConfigFromMetadata exposes the internal buildConfigFromMetadata function for testing
 func BuildConfigFromMetadata(metadata *ClusterMetadata, log *logger.Logger) (*rest.Config, error) {
-	return buildConfigFromMetadata(metadata, log)
+	return buildConfigFromMetadata(metadata, log, true) // Default to HTTP/2 enabled for tests
 }
 
 // NewTestTargetCluster creates a TargetCluster with the specified name for testing

gateway/manager/targetcluster/registry.go

@@ -32,19 +32,22 @@ type ClusterRegistry struct {
 	log                 *logger.Logger
 	appCfg              appConfig.Config
 	roundTripperFactory RoundTripperFactory
+	enableHTTP2         bool
 }
 
 // NewClusterRegistry creates a new cluster registry
 func NewClusterRegistry(
 	log *logger.Logger,
 	appCfg appConfig.Config,
 	roundTripperFactory RoundTripperFactory,
+	enableHTTP2 bool,
 ) *ClusterRegistry {
 	return &ClusterRegistry{
 		clusters:            make(map[string]*TargetCluster),
 		log:                 log,
 		appCfg:              appCfg,
 		roundTripperFactory: roundTripperFactory,
+		enableHTTP2:         enableHTTP2,
 	}
 }
 
@@ -62,7 +65,7 @@ func (cr *ClusterRegistry) LoadCluster(schemaFilePath string) error {
 		Msg("Loading target cluster")
 
 	// Create or update cluster
-	cluster, err := NewTargetCluster(name, schemaFilePath, cr.log, cr.appCfg, cr.roundTripperFactory)
+	cluster, err := NewTargetCluster(name, schemaFilePath, cr.log, cr.appCfg, cr.roundTripperFactory, cr.enableHTTP2)
 	if err != nil {
 		return fmt.Errorf("failed to create target cluster %s: %w", name, err)
 	}

go.mod

@@ -2,9 +2,26 @@ module github.com/platform-mesh/kubernetes-graphql-gateway
 
 go 1.24.3
 
-// this PR introduces newer version of graphiQL that supports headers
-// https://github.com/graphql-go/handler/pull/93
-replace github.com/graphql-go/handler => github.com/vertex451/handler v0.0.0-20250124125145-ed328e3cf42a
+replace (
+	// this PR introduces newer version of graphiQL that supports headers
+	// https://github.com/graphql-go/handler/pull/93
+	github.com/graphql-go/handler => github.com/vertex451/handler v0.0.0-20250124125145-ed328e3cf42a
+
+	// Pin golang.org/x/net to match multicluster-provider (prevents HTTP/2 incompatibility)
+	golang.org/x/net => golang.org/x/net v0.40.0
+
+	// Pin Kubernetes versions to match main branch (prevents KCP front proxy HTTP/2 panics)
+	k8s.io/api => k8s.io/api v0.33.3
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.33.3
+	k8s.io/apimachinery => k8s.io/apimachinery v0.33.3
+	k8s.io/apiserver => k8s.io/apiserver v0.33.3
+	k8s.io/client-go => k8s.io/client-go v0.33.3
+	k8s.io/component-base => k8s.io/component-base v0.33.3
+	k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20250701173324-9bd5c66d9911
+
+	// Pin controller-runtime to compatible version with k8s v0.33.3
+	sigs.k8s.io/controller-runtime => sigs.k8s.io/controller-runtime v0.21.0
+)
 
 require (
 	github.com/fsnotify/fsnotify v1.9.0
@@ -31,12 +48,12 @@ require (
 	golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b
 	golang.org/x/text v0.29.0
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.34.0
-	k8s.io/apiextensions-apiserver v0.34.0
-	k8s.io/apimachinery v0.34.0
-	k8s.io/client-go v0.34.0
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b
-	sigs.k8s.io/controller-runtime v0.22.0
+	k8s.io/api v0.33.3
+	k8s.io/apiextensions-apiserver v0.33.3
+	k8s.io/apimachinery v0.33.3
+	k8s.io/client-go v0.33.3
+	k8s.io/kube-openapi v0.0.0-20250701173324-9bd5c66d9911
+	sigs.k8s.io/controller-runtime v0.22.1
 	sigs.k8s.io/multicluster-runtime v0.21.0-alpha.9
 )
 
@@ -130,6 +147,6 @@ require (
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
-	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )