Skip to content

refactor: centralise Platform API HTTP client#93

Open
rrp-bot wants to merge 3 commits into
openshift-online:mainfrom
rrp-bot:refactor/centralise-platform-api-client
Open

refactor: centralise Platform API HTTP client#93
rrp-bot wants to merge 3 commits into
openshift-online:mainfrom
rrp-bot:refactor/centralise-platform-api-client

Conversation

@rrp-bot

@rrp-bot rrp-bot commented Jul 10, 2026

Copy link
Copy Markdown

Summary

  • Introduce internal/client package with a single Client type that owns SigV4 signing, credential resolution, and HTTP transport for all Platform API calls
  • Remove three separate, inconsistent inline signing implementations from commands/cluster/api.go, services/cluster/service.go
  • Replace SubmitClusterRequest.PlatformAPIURL + AWSConfig fields with a single Client field

Problem

SigV4 signing logic was duplicated across three places with meaningful inconsistencies:

Location Methods Timeout Returns status code? http.Client reuse?
commands/cluster/api.go GET only 15s No Yes (package var)
services/cluster/service.go POST only 30s No No (new per call)

Adding nodepool support in PR #92 would have added a fourth copy. This PR consolidates before that lands.

What changed

internal/client/client.New(ctx) resolves the Platform API URL and AWS credentials once and returns a *Client. All commands call this at the start of their RunE handler. The client exposes Get, Post, and Delete, each returning ([]byte, int, error) — status code is always returned so callers decide what counts as an error rather than the client hard-coding 200.

Note: Go is not available in this environment so the build could not be verified locally — CI will confirm.

Summary by CodeRabbit

  • New Features

    • Added a shared authenticated API client for platform requests (supports GET, POST, and DELETE).
    • Cluster operations now use the same authenticated communication flow for fetching endpoints, listing clusters, submitting clusters, and generating kubeconfig.
  • Improvements

    • Unified platform endpoint and region resolution across cluster commands.
    • Enhanced cluster listing and lookup pagination behavior.
    • Improved error reporting for non-success HTTP responses by including status and response content.
    • Kubeconfig region now consistently comes from the shared client configuration.

Introduce internal/client.Client as a single shared implementation of
SigV4-signed HTTP requests to the Platform API.

Previously, signing logic was duplicated across three locations:
- internal/commands/cluster/api.go (GET only, 15s timeout)
- internal/services/cluster/service.go (POST only, inline, fresh http.Client per call)

Each had inconsistencies: different timeouts, different return signatures
(some omitted the status code), and service.go created a new http.Client
on every call rather than reusing one.

client.New(ctx) resolves the Platform API URL and AWS credentials once.
The Client exposes Get, Post and Delete, each returning ([]byte, int, error)
so callers can inspect the status code without the client second-guessing
what counts as an error.

All callers in commands/cluster and services/cluster are updated to use
the new client. The SubmitClusterRequest.PlatformAPIURL and AWSConfig
fields are replaced with a single Client field.
@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rrp-bot
Once this PR has been reviewed and has the lgtm label, please assign jmelis for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown

Hi @rrp-bot. Thanks for your PR.

I'm waiting for a openshift-online member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 10, 2026
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift-online/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: bb79b68a-15fa-40d4-b6f9-4fc479be6041

📥 Commits

Reviewing files that changed from the base of the PR and between d4ab6e2 and e36eb1a.

📒 Files selected for processing (1)
  • internal/client/client.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • internal/client/client.go

Walkthrough

Adds a reusable SigV4 HTTP client and migrates cluster listing, lookup, kubeconfig, and submission flows to use it. Existing response parsing, status handling, and output formatting remain in place.

Changes

Cluster API client migration

Layer / File(s) Summary
Reusable signed API client
internal/client/client.go
Adds client configuration, AWS credential and region resolution, GET/POST/DELETE helpers, SigV4 signing, request execution, and response handling.
Cluster discovery and read flows
internal/commands/cluster/api.go, internal/commands/cluster/list.go, internal/commands/cluster/kubeconfig.go
Routes cluster lookup, listing, status retrieval, and kubeconfig generation through the shared client while retaining parsing and output behavior.
Cluster submission integration
internal/commands/cluster/create.go, internal/services/cluster/service.go
Passes the shared client into submission requests, posts cluster payloads through it, checks non-2xx responses, and preserves JSON or summary output.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Command
  participant Client
  participant ClusterService
  participant PlatformAPI

  Command->>Client: New(ctx)
  Client-->>Command: configured SigV4 client
  Command->>ClusterService: submit payload with Client
  ClusterService->>Client: Post("/api/v0/clusters", body)
  Client->>PlatformAPI: signed HTTP request
  PlatformAPI-->>Client: response body and status
  Client-->>ClusterService: body, status, error
  ClusterService-->>Command: parsed response
Loading
🚥 Pre-merge checks | ✅ 10 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Ai-Attribution ⚠️ Warning PR commits use Co-Authored-By: Claude ... and no Assisted-by:/Generated-by: Red Hat trailers were found. Replace AI co-author trailers with the required Red Hat attribution trailer, such as Assisted-by: or Generated-by:.
✅ Passed checks (10 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: centralizing Platform API HTTP client logic into a shared client package.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
No-Weak-Crypto ✅ Passed No weak crypto or secret comparisons were introduced; the new client uses SHA-256 with AWS SigV4, and the changed files contain no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB.
Container-Privileges ✅ Passed PR diff only changes Go code; no container/K8s manifest or privilege-setting changes were introduced.
No-Sensitive-Data-In-Logs ✅ Passed No new log statements expose secrets/PII; the only stack/account print in service.go pre-existed and wasn’t introduced by this PR.
No-Hardcoded-Secrets ✅ Passed No API keys, tokens, passwords, private keys, embedded credentials, or long base64 literals were present in the changed files.
No-Injection-Vectors ✅ Passed No SQL/shell/eval/pickle/yaml/os.system/dangerouslySetInnerHTML patterns appear in the changed files; the new client only signs and forwards HTTP requests.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
internal/services/cluster/service.go (1)

41-44: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

AWSConfig field appears dead after this migration.

SubmitCluster no longer reads req.AWSConfig, and neither caller in create.go sets it (both set only Payload/Client/PlacementOverride). The PR objective states AWSConfig was replaced by Client, but the field is still declared here. Consider removing it (and the now-unnecessary aws import if it becomes unused) to match the stated contract.

♻️ Proposed change
 type SubmitClusterRequest struct {
 	Payload           map[string]interface{}
 	Client            *client.Client
 	PlacementOverride string // Optional - overrides placement in payload if set
-	AWSConfig         aws.Config
 }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/services/cluster/service.go` around lines 41 - 44, Remove the unused
AWSConfig field from the relevant request struct and delete the aws import if no
other symbols in the file require it. Verify SubmitCluster and all callers
continue using Client, Payload, and PlacementOverride only.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/client/client.go`:
- Around line 51-68: The Client stores a one-time credential snapshot, causing
reused clients to use expired credentials. Update Client and New to retain
cfg.Credentials as the provider, then update do to call Retrieve(ctx) and use
the returned credentials for each request; preserve retrieval error handling and
remove the eager retrieval from New.

---

Nitpick comments:
In `@internal/services/cluster/service.go`:
- Around line 41-44: Remove the unused AWSConfig field from the relevant request
struct and delete the aws import if no other symbols in the file require it.
Verify SubmitCluster and all callers continue using Client, Payload, and
PlacementOverride only.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift-online/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: dadecb87-7d0f-44d8-bcd3-f578cda192d7

📥 Commits

Reviewing files that changed from the base of the PR and between 00c3e2a and 9684389.

📒 Files selected for processing (6)
  • internal/client/client.go
  • internal/commands/cluster/api.go
  • internal/commands/cluster/create.go
  • internal/commands/cluster/kubeconfig.go
  • internal/commands/cluster/list.go
  • internal/services/cluster/service.go

Comment thread internal/client/client.go Outdated
Storing the resolved awssdk.Credentials value meant a reused Client
would sign with an expired credential snapshot after the STS session
expires. Store the CredentialsProvider from the AWS config instead and
call Retrieve(ctx) on each request — the SDK's CredentialsCache handles
thread-safe caching and refresh automatically.
@psav

psav commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

/ok-to-test

@openshift-ci openshift-ci Bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ok-to-test Indicates a non-member PR verified by an org member that is safe to test.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants