feat: add debug endpoints for services and policies

[yashisrani]

What type of PR is this?

/kind feature

What this PR does / why we need it:

• Implement TODO to expose Kmesh internal state via debug endpoints:

• /debug/config_dump/security: Display all active TLS certificates

• /debug/config_dump/services: Display all K8s services

• /debug/config_dump/policies: Display all authorization policies

• Add SecretManager.DumpCerts() to expose cached certificates.

• These endpoints allow administrators to debug Kmesh security configuration by inspecting certificates, services, and policies via simple HTTP GET requests."

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

[kmesh-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign hzxuzhonghu for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• pkg/controller/OWNERS
• pkg/status/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances Kmesh's debuggability by introducing several new HTTP endpoints. These endpoints allow administrators to gain visibility into the internal state of Kmesh, specifically concerning active TLS certificates, known Kubernetes services, and configured authorization policies. This provides crucial diagnostic capabilities for understanding and troubleshooting Kmesh's security and service management.

Highlights

• Debug Endpoints Added: Introduced new debug endpoints to expose Kmesh's internal state, specifically for security configurations, Kubernetes services, and authorization policies.
• Certificate Dumping: Implemented a DumpCerts() method in SecretManager to allow administrators to inspect cached TLS certificates.
• Enhanced Debugging Capabilities: Provided administrators with the ability to debug Kmesh security configurations by inspecting certificates, services, and policies via simple HTTP GET requests.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• pkg/controller/security/manager.go
  • Added DumpCerts() method to expose cached certificates.
• pkg/status/status_server.go
  • Defined new constant patterns for /debug/config_dump/security, /debug/config_dump/services, and /debug/config_dump/policies.
  • Registered new HTTP handlers (configDumpSecurity, configDumpServices, configDumpPolicies) for these debug endpoints.
  • Implemented configDumpSecurity to retrieve and marshal cached certificates from SecretManager.
  • Implemented configDumpServices to list and marshal known Kubernetes services.
  • Implemented configDumpPolicies to list and marshal authorization policies.
  • Removed a TODO comment related to adding dump functionality.

Activity

• Pull request created by yashisrani.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

---

State hidden no more, Debug paths now show the way, Secrets brought to light.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces new debug endpoints for inspecting certificates, services, and authorization policies. However, it introduces a critical security vulnerability where the /debug/config_dump/security endpoint leaks TLS private keys in plain text. Additionally, there's a recurring bug in the new HTTP handlers where http.ResponseWriter.WriteHeader can be called multiple times, leading to incorrect HTTP responses on error.

[gemini-code-assist]

This code exposes sensitive TLS private keys via the /debug/config_dump/security endpoint. The client.WorkloadController.SecretManager.DumpCerts() method returns istiosecurity.SecretItem objects, which contain a PrivateKey field. When these are marshaled to JSON, the private keys are included, creating a Critical security vulnerability. You must redact or exclude the PrivateKey field before serialization.

Furthermore, the current implementation incorrectly calls w.WriteHeader multiple times. Specifically, w.WriteHeader(http.StatusInternalServerError) is called after w.WriteHeader(http.StatusOK) has already been invoked, resulting in a misleading 200 OK status on error. To address this, marshal the data to JSON first, and only write the 200 OK status header if marshalling is successful.

data, err := json.MarshalIndent(certs, "", "    ")
if err != nil {
	log.Errorf("Failed to marshal certificates: %v", err)
	w.WriteHeader(http.StatusInternalServerError)
	return
}
w.WriteHeader(http.StatusOK)
_, _ = w.Write(data)

[gemini-code-assist]

Calling w.WriteHeader more than once for a given request is not allowed. In the error path, w.WriteHeader(http.StatusInternalServerError) is called after w.WriteHeader(http.StatusOK) has already been called. The second call will be ignored, and the client will receive a 200 OK status with an empty body, which is misleading. To fix this, you should marshal the data to JSON first, and only write the 200 OK status header if marshalling is successful.

data, err := json.MarshalIndent(serviceDump, "", "    ")
if err != nil {
	log.Errorf("Failed to marshal services: %v", err)
	w.WriteHeader(http.StatusInternalServerError)
	return
}
w.WriteHeader(http.StatusOK)
_, _ = w.Write(data)

[gemini-code-assist]

Calling w.WriteHeader more than once for a given request is not allowed. In the error path, w.WriteHeader(http.StatusInternalServerError) is called after w.WriteHeader(http.StatusOK) has already been called. The second call will be ignored, and the client will receive a 200 OK status with an empty body, which is misleading. To fix this, you should marshal the data to JSON first, and only write the 200 OK status header if marshalling is successful.

data, err := json.MarshalIndent(policyDump, "", "    ")
if err != nil {
	log.Errorf("Failed to marshal policies: %v", err)
	w.WriteHeader(http.StatusInternalServerError)
	return
}
w.WriteHeader(http.StatusOK)
_, _ = w.Write(data)

[Copilot]

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

[codecov]

Codecov Report

❌ Patch coverage is 0% with 40 lines in your changes missing coverage. Please review.
✅ Project coverage is 39.35%. Comparing base (64f1777) to head (bd7d0c4).
⚠️ Report is 15 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/status/status_server.go	0.00%	32 Missing ⚠️
pkg/controller/security/manager.go	0.00%	8 Missing ⚠️

❌ Your patch check has failed because the patch coverage (0.00%) is below the target coverage (80.00%). You can increase the patch coverage or adjust the target coverage.

Files with missing lines	Coverage Δ
pkg/controller/security/manager.go	79.36% <0.00%> (-5.39%)	⬇️
pkg/status/status_server.go	32.80% <0.00%> (-3.01%)	⬇️

... and 1 file with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3c29dcb...bd7d0c4. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.