Refactor Makefile to simplify push-all target and enhance backend logging for Kubernetes client initialization. Add debug logging for authentication header states and token handling, improving traceability during API requests.

Gkrumbach07 · Gkrumbach07 · commit e659cb992dd4 · 2025-09-18T07:55:40.000-05:00
diff --git a/Makefile b/Makefile
@@ -73,7 +73,7 @@ clean: ## Clean up all Kubernetes resources
 
 
 
-push-all: build-all ## Push all images to registry
+push-all: ## Push all images to registry
 	$(CONTAINER_ENGINE) tag $(FRONTEND_IMAGE) $(REGISTRY)/$(FRONTEND_IMAGE)
 	$(CONTAINER_ENGINE) tag $(BACKEND_IMAGE) $(REGISTRY)/$(BACKEND_IMAGE)
 	$(CONTAINER_ENGINE) tag $(OPERATOR_IMAGE) $(REGISTRY)/$(OPERATOR_IMAGE)
diff --git a/components/backend/handlers.go b/components/backend/handlers.go
@@ -49,9 +49,21 @@ func getK8sClientsForRequest(c *gin.Context) (*kubernetes.Clientset, dynamic.Int
 		token = rawFwd
 	}
 
+	// Debug: basic auth header state (do not log token)
+	hasAuthHeader := strings.TrimSpace(rawAuth) != ""
+	hasFwdToken := strings.TrimSpace(rawFwd) != ""
+	xfUser := c.GetHeader("X-Forwarded-User")
+	xfPref := c.GetHeader("X-Forwarded-Preferred-Username")
+	log.Printf("auth debug: path=%s method=%s tokenSource=%s tokenLen=%d hasAuthHeader=%t hasFwdToken=%t user=%q preferred=%q",
+		c.FullPath(), c.Request.Method, tokenSource, len(token), hasAuthHeader, hasFwdToken, xfUser, xfPref)
+
 	if token != "" && baseKubeConfig != nil {
 		cfg := *baseKubeConfig
 		cfg.BearerToken = token
+		// Ensure we do NOT fall back to the in-cluster SA token or other auth providers
+		cfg.BearerTokenFile = ""
+		cfg.AuthProvider = nil
+		cfg.ExecProvider = nil
 		cfg.Username = ""
 		cfg.Password = ""
 
@@ -62,14 +74,15 @@ func getK8sClientsForRequest(c *gin.Context) (*kubernetes.Clientset, dynamic.Int
 
 			// Best-effort update last-used for service account tokens
 			updateAccessKeyLastUsedAnnotation(c)
+			log.Printf("auth debug: built user-scoped clients ok (source=%s) for %s", tokenSource, c.FullPath())
 			return kc, dc
 		}
 		// Token provided but client build failed – treat as invalid token
-		log.Printf("Failed to build user-scoped k8s clients (source=%s) typedErr=%v dynamicErr=%v for %s", tokenSource, err1, err2, c.FullPath())
+		log.Printf("Failed to build user-scoped k8s clients (source=%s tokenLen=%d) typedErr=%v dynamicErr=%v for %s", tokenSource, len(token), err1, err2, c.FullPath())
 		return nil, nil
 	} else {
 		// No token provided
-		log.Printf("No user token found for %s", c.FullPath())
+		log.Printf("No user token found for %s (hasAuthHeader=%t hasFwdToken=%t)", c.FullPath(), hasAuthHeader, hasFwdToken)
 		return nil, nil
 	}
 	// Unreachable
