platform-mesh · vertex451 · Oct 3, 2025 · Oct 3, 2025 · Oct 9, 2025 · Oct 9, 2025
@@ -56,25 +56,27 @@ func initConfig() {
 	v.SetDefault("openapi-definitions-path", "./bin/definitions")
 	v.SetDefault("enable-kcp", true)
 	v.SetDefault("local-development", false)
-	v.SetDefault("introspection-authentication", false)
 
 	// Listener
 	v.SetDefault("listener-apiexport-workspace", ":root")
 	v.SetDefault("listener-apiexport-name", "kcp.io")
 
 	// Gateway
 	v.SetDefault("gateway-port", "8080")
-
 	v.SetDefault("gateway-username-claim", "email")
 	v.SetDefault("gateway-should-impersonate", true)
+	v.SetDefault("gateway-introspection-authentication", false)
+
 	// Gateway Handler config
 	v.SetDefault("gateway-handler-pretty", true)
 	v.SetDefault("gateway-handler-playground", true)
 	v.SetDefault("gateway-handler-graphiql", true)
+
 	// Gateway CORS
 	v.SetDefault("gateway-cors-enabled", false)
 	v.SetDefault("gateway-cors-allowed-origins", "*")
 	v.SetDefault("gateway-cors-allowed-headers", "*")
+
 	// Gateway URL
 	v.SetDefault("gateway-url-virtual-workspace-prefix", "virtual-workspace")
 	v.SetDefault("gateway-url-default-kcp-workspace", "root")

@@ -1,10 +1,9 @@
 package config
 
 type Config struct {
-	OpenApiDefinitionsPath      string `mapstructure:"openapi-definitions-path"`
-	EnableKcp                   bool   `mapstructure:"enable-kcp"`
-	LocalDevelopment            bool   `mapstructure:"local-development"`
-	IntrospectionAuthentication bool   `mapstructure:"introspection-authentication"`
+	OpenApiDefinitionsPath string `mapstructure:"openapi-definitions-path"`
+	EnableKcp              bool   `mapstructure:"enable-kcp"`
+	LocalDevelopment       bool   `mapstructure:"local-development"`
 
 	Url struct {
 		VirtualWorkspacePrefix string `mapstructure:"gateway-url-virtual-workspace-prefix"`
@@ -17,9 +16,10 @@ type Config struct {
 	} `mapstructure:",squash"`
 
 	Gateway struct {
-		Port              string `mapstructure:"gateway-port"`
-		UsernameClaim     string `mapstructure:"gateway-username-claim"`
-		ShouldImpersonate bool   `mapstructure:"gateway-should-impersonate"`
+		Port                        string `mapstructure:"gateway-port"`
+		UsernameClaim               string `mapstructure:"gateway-username-claim"`
+		ShouldImpersonate           bool   `mapstructure:"gateway-should-impersonate"`
+		IntrospectionAuthentication bool   `mapstructure:"gateway-introspection-authentication"`
 
 		HandlerCfg struct {
 			Pretty     bool `mapstructure:"gateway-handler-pretty"`

@@ -13,7 +13,7 @@ func TestConfig_StructInitialization(t *testing.T) {
 	assert.Empty(t, cfg.OpenApiDefinitionsPath)
 	assert.False(t, cfg.EnableKcp)
 	assert.False(t, cfg.LocalDevelopment)
-	assert.False(t, cfg.IntrospectionAuthentication)
+	assert.False(t, cfg.Gateway.IntrospectionAuthentication)
 
 	// Test nested struct fields
 	assert.Empty(t, cfg.Url.VirtualWorkspacePrefix)
@@ -37,10 +37,9 @@ func TestConfig_StructInitialization(t *testing.T) {
 
 func TestConfig_FieldAssignment(t *testing.T) {
 	cfg := Config{
-		OpenApiDefinitionsPath:      "/path/to/definitions",
-		EnableKcp:                   true,
-		LocalDevelopment:            true,
-		IntrospectionAuthentication: true,
+		OpenApiDefinitionsPath: "/path/to/definitions",
+		EnableKcp:              true,
+		LocalDevelopment:       true,
 	}
 
 	cfg.Url.VirtualWorkspacePrefix = "workspace"
@@ -52,6 +51,7 @@ func TestConfig_FieldAssignment(t *testing.T) {
 	cfg.Gateway.Port = "8080"
 	cfg.Gateway.UsernameClaim = "email"
 	cfg.Gateway.ShouldImpersonate = true
+	cfg.Gateway.IntrospectionAuthentication = true
 
 	cfg.Gateway.HandlerCfg.Pretty = true
 	cfg.Gateway.HandlerCfg.Playground = true
@@ -65,7 +65,7 @@ func TestConfig_FieldAssignment(t *testing.T) {
 	assert.Equal(t, "/path/to/definitions", cfg.OpenApiDefinitionsPath)
 	assert.True(t, cfg.EnableKcp)
 	assert.True(t, cfg.LocalDevelopment)
-	assert.True(t, cfg.IntrospectionAuthentication)
+	assert.True(t, cfg.Gateway.IntrospectionAuthentication)
 
 	assert.Equal(t, "workspace", cfg.Url.VirtualWorkspacePrefix)
 	assert.Equal(t, "default", cfg.Url.DefaultKcpWorkspace)

@@ -7,10 +7,8 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/platform-mesh/golang-commons/logger"
-	"k8s.io/client-go/rest"
 
 	appConfig "github.com/platform-mesh/kubernetes-graphql-gateway/common/config"
-	"github.com/platform-mesh/kubernetes-graphql-gateway/gateway/manager/roundtripper"
 	"github.com/platform-mesh/kubernetes-graphql-gateway/gateway/manager/targetcluster"
 	"github.com/platform-mesh/kubernetes-graphql-gateway/gateway/manager/watcher"
 )
@@ -24,12 +22,7 @@ type Service struct {
 
 // NewGateway creates a new domain-driven Gateway instance
 func NewGateway(ctx context.Context, log *logger.Logger, appCfg appConfig.Config) (*Service, error) {
-	// Create round tripper factory
-	roundTripperFactory := targetcluster.RoundTripperFactory(func(adminRT http.RoundTripper, tlsConfig rest.TLSClientConfig) http.RoundTripper {
-		return roundtripper.New(log, appCfg, adminRT, roundtripper.NewUnauthorizedRoundTripper())
-	})
-
-	clusterRegistry := targetcluster.NewClusterRegistry(log, appCfg, roundTripperFactory)
+	clusterRegistry := targetcluster.NewClusterRegistry(log, appCfg)
 
 	schemaWatcher, err := watcher.NewFileWatcher(log, clusterRegistry)
 	if err != nil {

@@ -1,11 +1,14 @@
 package roundtripper
 
 import (
+	"fmt"
 	"net/http"
 	"strings"
 
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/platform-mesh/golang-commons/logger"
+	utilnet "k8s.io/apimachinery/pkg/util/net"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/transport"
 
 	"github.com/platform-mesh/kubernetes-graphql-gateway/common/config"
@@ -16,15 +19,17 @@ type TokenKey struct{}
 type roundTripper struct {
 	log                     *logger.Logger
 	adminRT, unauthorizedRT http.RoundTripper
+	baseRT                  http.RoundTripper
 	appCfg                  config.Config
 }
 
 type unauthorizedRoundTripper struct{}
 
-func New(log *logger.Logger, appCfg config.Config, adminRoundTripper, unauthorizedRT http.RoundTripper) http.RoundTripper {
+func New(log *logger.Logger, appCfg config.Config, adminRoundTripper, baseRoundTripper, unauthorizedRT http.RoundTripper) http.RoundTripper {
 	return &roundTripper{
 		log:            log,
 		adminRT:        adminRoundTripper,
+		baseRT:         baseRoundTripper,
 		unauthorizedRT: unauthorizedRT,
 		appCfg:         appCfg,
 	}
@@ -35,6 +40,18 @@ func NewUnauthorizedRoundTripper() http.RoundTripper {
 	return &unauthorizedRoundTripper{}
 }
 
+// NewBaseRoundTripper creates a base HTTP transport with only TLS configuration (no authentication)
+func NewBaseRoundTripper(tlsConfig rest.TLSClientConfig) (http.RoundTripper, error) {
+	return rest.TransportFor(&rest.Config{
+		TLSClientConfig: rest.TLSClientConfig{
+			Insecure:   tlsConfig.Insecure,
+			ServerName: tlsConfig.ServerName,
+			CAFile:     tlsConfig.CAFile,
+			CAData:     tlsConfig.CAData,
+		},
+	})
+}
+
 func (rt *roundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 	rt.log.Info().
 		Str("req.Host", req.Host).
@@ -65,13 +82,13 @@ func (rt *roundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 	}
 
 	// No we are going to use token based auth only, so we are reassigning the headers
+	req = utilnet.CloneRequest(req)
 	req.Header.Del("Authorization")
-	req.Header.Set("Authorization", "Bearer "+token)
 
 	if !rt.appCfg.Gateway.ShouldImpersonate {
 		rt.log.Debug().Str("path", req.URL.Path).Msg("Using bearer token authentication")
-
-		return rt.adminRT.RoundTrip(req)
+		fmt.Println(token)
+		return transport.NewBearerAuthRoundTripper(token, rt.baseRT).RoundTrip(req)
 	}
 
 	// Impersonation mode: extract user from token and impersonate

@@ -77,7 +77,7 @@ func TestRoundTripper_RoundTrip(t *testing.T) {
 			appCfg.Gateway.ShouldImpersonate = tt.shouldImpersonate
 			appCfg.Gateway.UsernameClaim = "sub"
 
-			rt := roundtripper.New(testlogger.New().Logger, appCfg, mockAdmin, mockUnauthorized)
+			rt := roundtripper.New(testlogger.New().Logger, appCfg, mockAdmin, mockAdmin, mockUnauthorized)
 
 			req := httptest.NewRequest(http.MethodGet, "http://example.com/api/v1/pods", nil)
 			if tt.token != "" {
@@ -262,7 +262,7 @@ func TestRoundTripper_DiscoveryRequests(t *testing.T) {
 			appCfg.Gateway.ShouldImpersonate = false
 			appCfg.Gateway.UsernameClaim = "sub"
 
-			rt := roundtripper.New(testlogger.New().Logger, appCfg, mockAdmin, mockUnauthorized)
+			rt := roundtripper.New(testlogger.New().Logger, appCfg, mockAdmin, mockAdmin, mockUnauthorized)
 
 			req := httptest.NewRequest(tt.method, "http://example.com"+tt.path, nil)
 
@@ -376,7 +376,7 @@ func TestRoundTripper_ComprehensiveFunctionality(t *testing.T) {
 			appCfg.Gateway.ShouldImpersonate = tt.shouldImpersonate
 			appCfg.Gateway.UsernameClaim = tt.usernameClaim
 
-			rt := roundtripper.New(testlogger.New().Logger, appCfg, mockAdmin, mockUnauthorized)
+			rt := roundtripper.New(testlogger.New().Logger, appCfg, mockAdmin, mockAdmin, mockUnauthorized)
 
 			req := httptest.NewRequest(http.MethodGet, "http://example.com/api/v1/pods", nil)
 			if tt.token != "" {
@@ -451,7 +451,7 @@ func TestRoundTripper_KCPDiscoveryRequests(t *testing.T) {
 			appCfg.Gateway.ShouldImpersonate = false
 			appCfg.Gateway.UsernameClaim = "sub"
 
-			rt := roundtripper.New(testlogger.New().Logger, appCfg, mockAdmin, mockUnauthorized)
+			rt := roundtripper.New(testlogger.New().Logger, appCfg, mockAdmin, mockAdmin, mockUnauthorized)
 
 			req := httptest.NewRequest(http.MethodGet, "http://example.com"+tt.path, nil)
 
@@ -500,7 +500,7 @@ func TestRoundTripper_InvalidTokenSecurityFix(t *testing.T) {
 	appCfg.Gateway.ShouldImpersonate = false
 	appCfg.Gateway.UsernameClaim = "sub"
 
-	rt := roundtripper.New(testlogger.New().Logger, appCfg, mockAdmin, mockUnauthorized)
+	rt := roundtripper.New(testlogger.New().Logger, appCfg, mockAdmin, mockAdmin, mockUnauthorized)
 
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/pods", nil)
 	// Don't set a token to simulate the invalid token case
@@ -510,46 +510,6 @@ func TestRoundTripper_InvalidTokenSecurityFix(t *testing.T) {
 	assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
 }
 
-func TestRoundTripper_ExistingAuthHeadersAreCleanedBeforeTokenAuth(t *testing.T) {
-	// This test verifies that existing Authorization headers are properly cleaned
-	// before setting the bearer token, preventing admin credentials from leaking through
-
-	mockAdmin := &mocks.MockRoundTripper{}
-	mockUnauthorized := &mocks.MockRoundTripper{}
-
-	// Capture the request that gets sent to adminRT
-	var capturedRequest *http.Request
-	mockAdmin.EXPECT().RoundTrip(mock.Anything).Return(&http.Response{StatusCode: http.StatusOK}, nil).Run(func(req *http.Request) {
-		capturedRequest = req
-	})
-
-	appCfg := appConfig.Config{}
-	appCfg.Gateway.ShouldImpersonate = false
-	appCfg.Gateway.UsernameClaim = "sub"
-
-	rt := roundtripper.New(testlogger.New().Logger, appCfg, mockAdmin, mockUnauthorized)
-
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/pods", nil)
-
-	// Set an existing Authorization header that should be cleaned
-	req.Header.Set("Authorization", "Bearer admin-token-that-should-be-removed")
-
-	// Add the token to context
-	req = req.WithContext(context.WithValue(req.Context(), roundtripper.TokenKey{}, "user-token"))
-
-	resp, err := rt.RoundTrip(req)
-	require.NoError(t, err)
-	assert.Equal(t, http.StatusOK, resp.StatusCode)
-
-	// Verify that the captured request has the correct Authorization header
-	require.NotNil(t, capturedRequest)
-	authHeader := capturedRequest.Header.Get("Authorization")
-	assert.Equal(t, "Bearer user-token", authHeader)
-
-	// Verify that the original admin token was removed
-	assert.NotContains(t, authHeader, "admin-token-that-should-be-removed")
-}
-
 func TestRoundTripper_ExistingAuthHeadersAreCleanedBeforeImpersonation(t *testing.T) {
 	// This test verifies that existing Authorization headers are properly cleaned
 	// before setting the bearer token in impersonation mode
@@ -567,7 +527,7 @@ func TestRoundTripper_ExistingAuthHeadersAreCleanedBeforeImpersonation(t *testin
 	appCfg.Gateway.ShouldImpersonate = true
 	appCfg.Gateway.UsernameClaim = "sub"
 
-	rt := roundtripper.New(testlogger.New().Logger, appCfg, mockAdmin, mockUnauthorized)
+	rt := roundtripper.New(testlogger.New().Logger, appCfg, mockAdmin, mockAdmin, mockUnauthorized)
 
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/pods", nil)
 
@@ -588,15 +548,13 @@ func TestRoundTripper_ExistingAuthHeadersAreCleanedBeforeImpersonation(t *testin
 	require.NoError(t, err)
 	assert.Equal(t, http.StatusOK, resp.StatusCode)
 
-	// Verify that the captured request has the correct Authorization header
 	require.NotNil(t, capturedRequest)
-	authHeader := capturedRequest.Header.Get("Authorization")
-	assert.Equal(t, "Bearer "+tokenString, authHeader)
 
-	// Verify that the original admin token was removed
+	// Verify malicious Authorization header was removed
+	authHeader := capturedRequest.Header.Get("Authorization")
 	assert.NotContains(t, authHeader, "admin-token-that-should-be-removed")
 
-	// Verify that the impersonation header is set
+	// Verify impersonation header is set (adminRT provides admin auth, not user token)
 	impersonateHeader := capturedRequest.Header.Get("Impersonate-User")
 	assert.Equal(t, "test-user", impersonateHeader)
 }
@@ -15,6 +15,7 @@ import (
 
 	"github.com/platform-mesh/kubernetes-graphql-gateway/common/auth"
 	appConfig "github.com/platform-mesh/kubernetes-graphql-gateway/common/config"
+	"github.com/platform-mesh/kubernetes-graphql-gateway/gateway/manager/roundtripper"
 	"github.com/platform-mesh/kubernetes-graphql-gateway/gateway/resolver"
 	"github.com/platform-mesh/kubernetes-graphql-gateway/gateway/schema"
 )
@@ -64,7 +65,6 @@ func NewTargetCluster(
 	schemaFilePath string,
 	log *logger.Logger,
 	appCfg appConfig.Config,
-	roundTripperFactory func(http.RoundTripper, rest.TLSClientConfig) http.RoundTripper,
 ) (*TargetCluster, error) {
 	fileData, err := readSchemaFile(schemaFilePath)
 	if err != nil {
@@ -78,7 +78,7 @@ func NewTargetCluster(
 	}
 
 	// Connect to cluster - use metadata if available, otherwise fall back to standard config
-	if err := cluster.connect(appCfg, fileData.ClusterMetadata, roundTripperFactory); err != nil {
+	if err := cluster.connect(appCfg, fileData.ClusterMetadata); err != nil {
 		return nil, fmt.Errorf("failed to connect to cluster: %w", err)
 	}
 
@@ -96,7 +96,7 @@ func NewTargetCluster(
 }
 
 // connect establishes connection to the target cluster
-func (tc *TargetCluster) connect(appCfg appConfig.Config, metadata *ClusterMetadata, roundTripperFactory func(http.RoundTripper, rest.TLSClientConfig) http.RoundTripper) error {
+func (tc *TargetCluster) connect(appCfg appConfig.Config, metadata *ClusterMetadata) error {
 	// All clusters now use metadata from schema files to get kubeconfig
 	if metadata == nil {
 		return fmt.Errorf("cluster %s requires cluster metadata in schema file", tc.name)
@@ -114,11 +114,21 @@ func (tc *TargetCluster) connect(appCfg appConfig.Config, metadata *ClusterMetad
 		return fmt.Errorf("failed to build config from metadata: %w", err)
 	}
 
-	if roundTripperFactory != nil {
-		tc.restCfg.Wrap(func(rt http.RoundTripper) http.RoundTripper {
-			return roundTripperFactory(rt, tc.restCfg.TLSClientConfig)
-		})
-	}
+	tc.restCfg.Wrap(func(adminRT http.RoundTripper) http.RoundTripper {
+		baseRT, err := roundtripper.NewBaseRoundTripper(tc.restCfg.TLSClientConfig)
+		if err != nil {
+			tc.log.Error().Err(err).Msg("Failed to create base transport, falling back to default transport")
+			baseRT = http.DefaultTransport
+		}
+
+		return roundtripper.New(
+			tc.log,
+			tc.appCfg,
+			adminRT,
+			baseRT,
+			roundtripper.NewUnauthorizedRoundTripper(),
+		)
+	})
 
 	// Create client - use KCP-aware client only for KCP mode, standard client otherwise
 	if appCfg.EnableKcp {