Initial open-source commit

Co-authored-by: Maximilian Braun <[email protected]>
Co-authored-by: David Siregar <[email protected]>

Author: 3 people

.dockerignore

@@ -0,0 +1,4 @@
+main
+kubeconfig.yaml
+kube-api-reflection
+.null-ls*

.github/workflows/build.yml

@@ -0,0 +1,79 @@
+name: Build
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "*"
+
+  pull_request:
+    branches:
+      - main
+
+  workflow_dispatch:
+
+env:
+  DOCKER_IMAGE: ghcr.io/${{ github.repository }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      attestations: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          # list of Docker images to use as base name for tags
+          images: |
+            ${{ env.DOCKER_IMAGE }}
+          # generate Docker tags based on the following events/attributes
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Login to Docker Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      # Only for public repositories
+      # - name: Attest
+      #   uses: actions/attest-build-provenance@v1
+      #   id: attest
+      #   with:
+      #     subject-name: ghcr.io/${{ github.repository }}
+      #     subject-digest: ${{ steps.push.outputs.digest }}
+      #     push-to-registry: true

.gitignore

@@ -0,0 +1,10 @@
+.idea
+main
+kubeconfig.yaml
+kube-api-reflection
+.null-ls*
+tmp
+.env
+
+coverage.html
+coverage.out

.reuse/dep5

@@ -0,0 +1,23 @@
+FROM golang:1.23-bookworm AS build
+
+WORKDIR /app
+
+COPY go.mod ./
+COPY go.sum ./
+RUN go mod download
+
+COPY . ./
+
+RUN CGO_ENABLED=0 go build -o /bin/app cmd/server/main.go
+
+## Deploy
+FROM scratch
+
+WORKDIR /
+
+COPY --from=build /bin/app /bin/app
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+EXPOSE 3000
+
+ENTRYPOINT ["/bin/app"]

Dockerfile

@@ -0,0 +1,50 @@
+GO := go
+PKG := ./...
+COVERAGE_FILE := coverage.out
+COVERAGE_HTML := coverage.html
+
+# Default goal
+.PHONY: all
+all: clean build test
+
+# Build the project
+.PHONY: build
+build:
+	$(GO) build -v $(PKG)
+
+# Run tests with coverage
+.PHONY: test
+test:
+	$(GO) test -v -coverprofile=$(COVERAGE_FILE) $(PKG)
+	$(GO) tool cover -html=$(COVERAGE_FILE) -o $(COVERAGE_HTML)
+	@echo "Coverage report generated at $(COVERAGE_HTML)"
+
+# Clean up generated files
+.PHONY: clean
+clean:
+	$(GO) clean
+	rm -f $(COVERAGE_FILE) $(COVERAGE_HTML)
+
+# Format the code
+.PHONY: fmt
+fmt:
+	$(GO) fmt $(PKG)
+
+# Lint the code
+.PHONY: lint
+lint:
+	golangci-lint run
+
+# Run all checks
+.PHONY: check
+check: fmt lint test
+
+# Install dependencies
+.PHONY: deps
+deps:
+	$(GO) mod tidy
+	$(GO) mod vendor
+
+.PHONY: start
+start:
+	$(GO) run cmd/server/main.go

Makefile

@@ -1,20 +1,76 @@
-[![REUSE status](https://api.reuse.software/badge/github.com/openmcp-project/ui-backend)](https://api.reuse.software/info/github.com/openmcp-project/ui-backend)
-
 # ui-backend
 
+[![REUSE status](https://api.reuse.software/badge/github.com/openmcp-project/ui-backend)](https://api.reuse.software/info/github.com/openmcp-project/ui-backend)
+
 ## About this project
 
-UI backend for @openmcp-project
+This is the backend for our [MCP UI](https://github.com/openmcp-project/ui-frontend).
+Its a simple proxy server which sits between the UI frontend and the Kubernetes API server.
+
+### Motivation
+
+We want to call the kubernetes api server directly from the browser, but we have several problems preventing us from calling the api from the browser:
+
+- TLS certificate is not signed from a well-known CA
+- CORS is not configured most of the time
+
+### Solution
+
+The `ui-backend` server acts like a proxy when talking to the Crate-Cluster or MCPs from the browser.
+The browser sends the request to the `ui-backend`, with authorization data and optionally the project, workspace and controlplane name of the MCP in header data.
+
+- If requesting the Crate: The request will get send to the crate cluster with the authorization data in the headers
+- If requesting an MCP: The `ui-backend` will call the Crate to get the `kubeconfig` of the MCP and then calls the MCP with that kubeconfig
+
+There are only some modifications done when piping the request to the api server, preventing some headers from going through.
 
 ## Requirements and Setup
 
-*Insert a short description what is required to get your project running...*
+You need to have a running mcp landscape. Then reference the KUBECONFIG for the backend using the `KUBECONFIG` environment variable.
+
+The backend can be started using:
+
+```bash
+go run cmd/server/main.go
+```
+
+## Usage
+
+You can reach the backend on port `3000` and the path as you would directly to the api server.
+
+```txt
+For example: http://localhost:3000/api/v1/namespaces
+```
+
+Put the authorization data in the following headers:
+
+- `X-Client-Certificate-Data`
+- `X-Client-Key-Data`
+
+or (for OIDC):
+
+- `Authorization: <token>`
+
+Also configure the api-server you want to call:
+
+- Crate: Add the header `X-Use-Crate-Cluster: true`
+- MCP: Add the headers `X-Project-Name`, `X-Workspace-Name` and `X-Control-Plane-Name`
+
+### Parsing JSON
+
+`ui-backend` support jsonpath (kubectl version) and jq (gojq) to parse json before sending it to the client, reducing the data transfered to the client.
+
+Usage:
+
+- JsonPath: Add a header `X-jsonpath` with the jsonpath query
+- JQ: Add a header `X-jq` with the jq query
 
 ## Support, Feedback, Contributing
 
 This project is open to feature requests/suggestions, bug reports etc. via [GitHub issues](https://github.com/openmcp-project/ui-backend/issues). Contribution and feedback are encouraged and always welcome. For more information about how to contribute, the project structure, as well as additional contribution information, see our [Contribution Guidelines](CONTRIBUTING.md).
 
 ## Security / Disclosure
+
 If you find any bug that may be a security problem, please follow our instructions at [in our security policy](https://github.com/openmcp-project/ui-backend/security/policy) on how to report it. Please do not create GitHub issues for security-related doubts or problems.
 
 ## Code of Conduct

README.md

@@ -0,0 +1,10 @@
+version = 1
+SPDX-PackageName = "ui-backend"
+SPDX-PackageDownloadLocation = "https://github.com/openmcp-project/ui-backend"
+SPDX-PackageComment = "The code in this project may include calls to APIs (\"API Calls\") of\n SAP or third-party products or services developed outside of this project\n (\"External Products\").\n \"APIs\" means application programming interfaces, as well as their respective\n specifications and implementing code that allows software to communicate with\n other software.\n API Calls to External Products are not licensed under the open source license\n that governs this project. The use of such API Calls and related External\n Products are subject to applicable additional agreements with the relevant\n provider of the External Products. In no event shall the open source license\n that governs this project grant any rights in or to any External Products, or\n alter, expand or supersede any terms of the applicable additional agreements.\n If you have a valid license agreement with SAP for the use of a particular SAP\n External Product, then you may make use of any API Calls included in this\n project's code for that SAP External Product, subject to the terms of such\n license agreement. If you do not have a valid license agreement for the use of\n a particular SAP External Product, then you may only make use of any API Calls\n in this project for that SAP External Product for your internal, non-productive\n and non-commercial test and evaluation of such API Calls. Nothing herein grants\n you any rights to use or access any SAP External Product, or provide any third\n parties the right to use of access any SAP External Product, through API Calls."
+
+[[annotations]]
+path = "**"
+precedence = "closest"
+SPDX-FileCopyrightText = "2025 SAP SE or an SAP affiliate company and ui-backend contributors"
+SPDX-License-Identifier = "Apache-2.0"

REUSE.toml

@@ -0,0 +1,39 @@
+package main
+
+import (
+	"context"
+	"log/slog"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/openmcp-project/ui-backend/internal/utils"
+	"github.com/openmcp-project/ui-backend/pkg/k8s"
+	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/openmcp-project/ui-backend/internal/server"
+)
+
+func main() {
+	ctx := context.Background()
+
+	slog.SetDefault(slog.New(slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug})))
+
+	kubeconfigPath := os.Getenv(clientcmd.RecommendedConfigPathEnvVar)
+	if kubeconfigPath == "" {
+		slog.Error("env variable '%s' with kubeconfig path not set", clientcmd.RecommendedConfigPathEnvVar)
+		return
+	}
+	go utils.StartListeningOnKubeconfig(ctx, kubeconfigPath)
+
+	cachingKube := k8s.NewCachingKube(k8s.HttpKube{}, time.Second*30, time.Minute)
+	downstreamKube := k8s.HttpKube{}
+
+	mux := server.NewMiddleware(cachingKube, downstreamKube)
+
+	address := ":3000"
+	slog.Info("Starting server", "address", address)
+	if err := http.ListenAndServe(address, mux); err != nil {
+		slog.Error("failed to start server", "err", err)
+	}
+}

cmd/server/main.go

@@ -0,0 +1,47 @@
+module github.com/openmcp-project/ui-backend
+
+go 1.23.0
+
+toolchain go1.24.0
+
+require (
+	github.com/fsnotify/fsnotify v1.8.0
+	github.com/itchyny/gojq v0.12.17
+	github.com/patrickmn/go-cache v2.1.0+incompatible
+	gopkg.in/yaml.v3 v3.0.1
+	k8s.io/api v0.32.1
+	k8s.io/apimachinery v0.32.1
+	k8s.io/client-go v0.32.1
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/imdario/mergo v0.3.6 // indirect
+	github.com/itchyny/timefmt-go v0.1.6 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	golang.org/x/net v0.30.0 // indirect
+	golang.org/x/oauth2 v0.23.0 // indirect
+	golang.org/x/sys v0.26.0 // indirect
+	golang.org/x/term v0.25.0 // indirect
+	golang.org/x/text v0.19.0 // indirect
+	golang.org/x/time v0.7.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.35.1 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
+)