Structure MR BFF server to use secure HTTP calls (#1438)

* Structure MR BFF server to use secure HTTP calls

Signed-off-by: manaswinidas <[email protected]>

* add configurable TLS verification for MR HTTP client

Signed-off-by: manaswinidas <[email protected]>

* Add instructions to disable TLS for local

Signed-off-by: manaswinidas <[email protected]>

---------

Signed-off-by: manaswinidas <[email protected]>

Author: manaswinidas

clients/ui/bff/README.md

@@ -468,3 +468,25 @@ Examples:
 ```shell
 ./bff --allowed-origins="http://my-domain.com,http://my-other-domain.com"
 ```
+
+#### 6. How do I disable TLS verification for local Kubeflow installations?
+
+For local Kubeflow installations with self-signed certificates, you may need to disable TLS certificate verification.
+
+**Kubernetes deployment:**
+
+```yaml
+env:
+  - name: INSECURE_SKIP_VERIFY
+    value: "true"
+```
+
+**Local development:**
+
+```shell
+./bin/bff --insecure-skip-verify
+# or
+export INSECURE_SKIP_VERIFY=true
+```
+
+> **Warning:** Only use in development. Keep TLS verification enabled in production.

clients/ui/bff/cmd/helpers.go

@@ -24,6 +24,15 @@ func getEnvAsString(name string, defaultVal string) string {
 	return defaultVal
 }
 
+func getEnvAsBool(name string, defaultVal bool) bool {
+	if value, exists := os.LookupEnv(name); exists {
+		if boolValue, err := strconv.ParseBool(value); err == nil {
+			return boolValue
+		}
+	}
+	return defaultVal
+}
+
 func parseLevel(s string) slog.Level {
 	var level slog.Level
 	err := level.UnmarshalText([]byte(s))

clients/ui/bff/cmd/main.go

@@ -40,6 +40,9 @@ func main() {
 	flag.StringVar(&cfg.AuthTokenHeader, "auth-token-header", getEnvAsString("AUTH_TOKEN_HEADER", config.DefaultAuthTokenHeader), "Header used to extract the token (e.g., Authorization)")
 	flag.StringVar(&cfg.AuthTokenPrefix, "auth-token-prefix", getEnvAsString("AUTH_TOKEN_PREFIX", config.DefaultAuthTokenPrefix), "Prefix used in the token header (e.g., 'Bearer ')")
 
+	// TLS configuration flags
+	flag.BoolVar(&cfg.InsecureSkipVerify, "insecure-skip-verify", getEnvAsBool("INSECURE_SKIP_VERIFY", false), "Skip TLS certificate verification (useful for development, default: false)")
+
 	// Deprecated flags - kept for backward compatibility
 	flag.BoolVar(&cfg.StandaloneMode, "standalone-mode", false, "DEPRECATED: Use -deployment-mode=standalone instead")
 	flag.BoolVar(&cfg.FederatedPlatform, "federated-platform", false, "DEPRECATED: Use -deployment-mode=federated instead")

clients/ui/bff/internal/api/middleware.go

@@ -143,9 +143,9 @@ func (app *App) AttachRESTClient(next func(http.ResponseWriter, *http.Request, h
 			}
 		}
 
-		restHttpClient, err := mrserver.NewHTTPClient(restClientLogger, modelRegistryID, modelRegistryBaseURL, headers)
+		restHttpClient, err := mrserver.NewHTTPClient(restClientLogger, modelRegistryID, modelRegistryBaseURL, headers, app.config.InsecureSkipVerify)
 		if err != nil {
-			app.serverErrorResponse(w, r, fmt.Errorf("failed to create Kubernetes client: %v", err))
+			app.serverErrorResponse(w, r, fmt.Errorf("failed to create HTTP client: %v", err))
 			return
 		}
 		ctx := context.WithValue(r.Context(), constants.ModelRegistryHttpClientKey, restHttpClient)

clients/ui/bff/internal/config/environment.go

@@ -96,6 +96,12 @@ type EnvConfig struct {
 	// Default is "Bearer ", can be set to empty if the token is sent without a prefix.
 	AuthTokenPrefix string
 
+	// ─── TLS ────────────────────────────────────────────────────
+	// TLS verification settings for HTTP client connections to Model Registry
+	// InsecureSkipVerify when true, skips TLS certificate verification (useful for development/local setups)
+	// Default is false (secure) for production environments
+	InsecureSkipVerify bool
+
 	// ─── DEPRECATED ─────────────────────────────────────────────
 	// The following fields are deprecated and maintained for backward compatibility
 	// Use DeploymentMode instead

clients/ui/bff/internal/integrations/mrserver/http.go

@@ -41,11 +41,10 @@ func (e *HTTPError) Error() string {
 	return fmt.Sprintf("HTTP %d: %s - %s", e.StatusCode, e.Code, e.Message)
 }
 
-func NewHTTPClient(logger *slog.Logger, modelRegistryID string, baseURL string, headers http.Header) (HTTPClientInterface, error) {
-
+func NewHTTPClient(logger *slog.Logger, modelRegistryID string, baseURL string, headers http.Header, insecureSkipVerify bool) (HTTPClientInterface, error) {
 	return &HTTPClient{
 		client: &http.Client{Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: insecureSkipVerify},
 		}},
 		baseURL:         baseURL,
 		ModelRegistryID: modelRegistryID,

clients/ui/bff/internal/integrations/mrserver/http_test.go

@@ -37,7 +37,7 @@ func TestHTTPClient_GET_Success(t *testing.T) {
 
 	// Create http client pointing to test server
 	logger := setupTestLogger()
-	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil)
+	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil, false)
 	require.NoError(t, err)
 
 	// Make the request
@@ -73,7 +73,7 @@ func TestHTTPClient_GET_Error(t *testing.T) {
 
 	// Create http client pointing to test server
 	logger := setupTestLogger()
-	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil)
+	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil, false)
 	require.NoError(t, err)
 
 	// Make the request
@@ -123,7 +123,7 @@ func TestHTTPClient_POST_Success(t *testing.T) {
 
 	// Create http client pointing to test server
 	logger := setupTestLogger()
-	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil)
+	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil, false)
 	require.NoError(t, err)
 
 	// Prepare request body
@@ -164,7 +164,7 @@ func TestHTTPClient_POST_Error(t *testing.T) {
 
 	// Create http client pointing to test server
 	logger := setupTestLogger()
-	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil)
+	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil, false)
 	require.NoError(t, err)
 
 	// Prepare request body
@@ -218,7 +218,7 @@ func TestHTTPClient_PATCH_Success(t *testing.T) {
 
 	// Create http client pointing to test server
 	logger := setupTestLogger()
-	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil)
+	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil, false)
 	require.NoError(t, err)
 
 	// Prepare request body
@@ -259,7 +259,7 @@ func TestHTTPClient_PATCH_Error(t *testing.T) {
 
 	// Create client pointing to test server
 	logger := setupTestLogger()
-	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil)
+	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil, false)
 	require.NoError(t, err)
 
 	// Prepare request body
@@ -300,7 +300,7 @@ func TestHTTPClient_GET_NonJSONError(t *testing.T) {
 
 	// Create http client pointing to test server
 	logger := setupTestLogger()
-	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil)
+	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil, false)
 	require.NoError(t, err)
 
 	// Make the request